StigData/Windows-2012R2-DC-2.9.xml

<DISASTIG id="Windows_2012_DC_STIG" version="2.9" created="1/18/2018">
  <AccountPolicyRule dscresourcemodule="SecurityPolicyDsc">
    <Rule id="V-1097" severity="medium" conversionstatus="pass" title="Bad Logon Attempts" dscresource="AccountPolicy">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>True</OrganizationValueRequired>
      <OrganizationValueTestString>'{0}' -le '3' -and '{0}' -ne '0'</OrganizationValueTestString>
      <PolicyName>Account lockout threshold</PolicyName>
      <PolicyValue />
      <rawString>Verify the effective setting in Local Group Policy Editor.
Run "gpedit.msc".
 
Navigate to Local Computer Policy -&gt; Computer Configuration -&gt; Windows Settings -&gt; Security Settings -&gt; Account Policies -&gt; Account Lockout Policy.
 
If the "Account lockout threshold" is "0" or more than "3" attempts, this is a finding.</rawString>
    </Rule>
    <Rule id="V-1098" severity="medium" conversionstatus="pass" title="Bad Logon Counter Reset" dscresource="AccountPolicy">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>True</OrganizationValueRequired>
      <OrganizationValueTestString>'{0}' -ge '15'</OrganizationValueTestString>
      <PolicyName>Reset account lockout counter after</PolicyName>
      <PolicyValue />
      <rawString>Verify the effective setting in Local Group Policy Editor.
Run "gpedit.msc".
 
Navigate to Local Computer Policy &gt;&gt; Computer Configuration &gt;&gt; Windows Settings &gt;&gt; Security Settings &gt;&gt; Account Policies &gt;&gt; Account Lockout Policy.
 
If the "Reset account lockout counter after" value is less than "15" minutes, this is a finding.</rawString>
    </Rule>
    <Rule id="V-1099" severity="medium" conversionstatus="pass" title="Lockout Duration" dscresource="AccountPolicy">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>True</OrganizationValueRequired>
      <OrganizationValueTestString>'{0}' -ge '15' -or '{0}' -eq '0'</OrganizationValueTestString>
      <PolicyName>Account lockout duration</PolicyName>
      <PolicyValue />
      <rawString>Verify the effective setting in Local Group Policy Editor.
Run "gpedit.msc".
 
Navigate to Local Computer Policy &gt;&gt; Computer Configuration &gt;&gt; Windows Settings &gt;&gt; Security Settings &gt;&gt; Account Policies &gt;&gt; Account Lockout Policy.
 
If the "Account lockout duration" is less than "15" minutes (excluding "0"), this is a finding.
 
Configuring this to "0", requiring an administrator to unlock the account, is more restrictive and is not a finding.</rawString>
    </Rule>
    <Rule id="V-1104" severity="medium" conversionstatus="pass" title="Maximum Password Age " dscresource="AccountPolicy">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>True</OrganizationValueRequired>
      <OrganizationValueTestString>'{0}' -le '60' -and '{0}' -ne '0'</OrganizationValueTestString>
      <PolicyName>Maximum password age</PolicyName>
      <PolicyValue />
      <rawString>Verify the effective setting in Local Group Policy Editor.
Run "gpedit.msc".
 
Navigate to Local Computer Policy -&gt; Computer Configuration -&gt; Windows Settings -&gt; Security Settings -&gt; Account Policies -&gt; Password Policy.
 
If the value for the "Maximum password age" is greater than "60" days, this is a finding. If the value is set to "0" (never expires), this is a finding.</rawString>
    </Rule>
    <Rule id="V-1105" severity="medium" conversionstatus="pass" title="Minimum Password Age" dscresource="AccountPolicy">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>True</OrganizationValueRequired>
      <OrganizationValueTestString>'{0}' -ne '0'</OrganizationValueTestString>
      <PolicyName>Minimum password age</PolicyName>
      <PolicyValue />
      <rawString>Verify the effective setting in Local Group Policy Editor.
Run "gpedit.msc".
 
Navigate to Local Computer Policy -&gt; Computer Configuration -&gt; Windows Settings -&gt; Security Settings -&gt; Account Policies -&gt; Password Policy.
 
If the value for the "Minimum password age" is set to "0" days ("Password can be changed immediately."), this is a finding.</rawString>
    </Rule>
    <Rule id="V-1107" severity="medium" conversionstatus="pass" title="Password Uniqueness" dscresource="AccountPolicy">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>True</OrganizationValueRequired>
      <OrganizationValueTestString>'{0}' -ge '24'</OrganizationValueTestString>
      <PolicyName>Enforce password history</PolicyName>
      <PolicyValue />
      <rawString>Verify the effective setting in Local Group Policy Editor.
Run "gpedit.msc".
 
Navigate to Local Computer Policy &gt;&gt; Computer Configuration &gt;&gt; Windows Settings &gt;&gt; Security Settings &gt;&gt; Account Policies &gt;&gt; Password Policy.
 
If the value for "Enforce password history" is less than "24" passwords remembered, this is a finding.</rawString>
    </Rule>
    <Rule id="V-1150" severity="medium" conversionstatus="pass" title="Microsoft Strong Password Filtering" dscresource="AccountPolicy">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <PolicyName>Password must meet complexity requirements</PolicyName>
      <PolicyValue>Enabled</PolicyValue>
      <rawString>Verify the effective setting in Local Group Policy Editor.
Run "gpedit.msc".
 
Navigate to Local Computer Policy &gt;&gt; Computer Configuration &gt;&gt; Windows Settings &gt;&gt; Security Settings &gt;&gt; Account Policies &gt;&gt; Password Policy.
 
If the value for "Password must meet complexity requirements" is not set to "Enabled", this is a finding.
 
Note: If an external password filter is in use that enforces all 4 character types and requires this setting be set to "Disabled", this would not be considered a finding. If this setting does not affect the use of an external password filter, it must be enabled for fallback purposes.</rawString>
    </Rule>
    <Rule id="V-2372" severity="high" conversionstatus="pass" title="Reversible Password Encryption" dscresource="AccountPolicy">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <PolicyName>Store passwords using reversible encryption</PolicyName>
      <PolicyValue>Disabled</PolicyValue>
      <rawString>Verify the effective setting in Local Group Policy Editor.
Run "gpedit.msc".
 
Navigate to Local Computer Policy -&gt; Computer Configuration -&gt; Windows Settings -&gt; Security Settings -&gt; Account Policies -&gt; Password Policy.
 
If the value for "Store password using reversible encryption" is not set to "Disabled", this is a finding.</rawString>
    </Rule>
    <Rule id="V-6836" severity="medium" conversionstatus="pass" title="Minimum Password Length" dscresource="AccountPolicy">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>True</OrganizationValueRequired>
      <OrganizationValueTestString>'{0}' -ge '14'</OrganizationValueTestString>
      <PolicyName>Minimum password length</PolicyName>
      <PolicyValue />
      <rawString>Verify the effective setting in Local Group Policy Editor.
Run "gpedit.msc".
 
Navigate to Local Computer Policy -&gt; Computer Configuration -&gt; Windows Settings -&gt; Security Settings -&gt; Account Policies -&gt; Password Policy.
 
If the value for the "Minimum password length," is less than "14" characters, this is a finding.</rawString>
    </Rule>
  </AccountPolicyRule>
  <AuditPolicyRule dscresourcemodule="AuditPolicyDsc">
    <Rule id="V-26529" severity="medium" conversionstatus="pass" title="Audit - Credential Validation - Success" dscresource="AuditPolicySubcategory">
      <AuditFlag>Success</AuditFlag>
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective.
 
Use the AuditPol tool to review the current Audit Policy configuration:
-Open a Command Prompt with elevated privileges ("Run as Administrator").
-Enter "AuditPol /get /category:*".
 
Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding.
 
Account Logon -&gt; Credential Validation - Success</rawString>
      <Subcategory>Credential Validation</Subcategory>
    </Rule>
    <Rule id="V-26530" severity="medium" conversionstatus="pass" title="Audit - Credential Validation - Failure" dscresource="AuditPolicySubcategory">
      <AuditFlag>Failure</AuditFlag>
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective.
 
Use the AuditPol tool to review the current Audit Policy configuration:
-Open a Command Prompt with elevated privileges ("Run as Administrator").
-Enter "AuditPol /get /category:*".
 
Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding.
 
Account Logon -&gt; Credential Validation - Failure</rawString>
      <Subcategory>Credential Validation</Subcategory>
    </Rule>
    <Rule id="V-26531" severity="medium" conversionstatus="pass" title="Audit - Computer Account Management - Success" dscresource="AuditPolicySubcategory">
      <AuditFlag>Success</AuditFlag>
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective.
 
Use the AuditPol tool to review the current Audit Policy configuration:
-Open a Command Prompt with elevated privileges ("Run as Administrator").
-Enter "AuditPol /get /category:*".
 
Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding.
 
Account Management -&gt; Computer Account Management - Success</rawString>
      <Subcategory>Computer Account Management</Subcategory>
    </Rule>
    <Rule id="V-26532" severity="medium" conversionstatus="pass" title="Audit - Computer Account Management - Failure" dscresource="AuditPolicySubcategory">
      <AuditFlag>Failure</AuditFlag>
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective.
 
Use the AuditPol tool to review the current Audit Policy configuration:
-Open a Command Prompt with elevated privileges ("Run as Administrator").
-Enter "AuditPol /get /category:*".
 
Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding.
 
Account Management -&gt; Computer Account Management - Failure</rawString>
      <Subcategory>Computer Account Management</Subcategory>
    </Rule>
    <Rule id="V-26533" severity="medium" conversionstatus="pass" title="Audit - Other Account Management Events - Success" dscresource="AuditPolicySubcategory">
      <AuditFlag>Success</AuditFlag>
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective.
 
Use the AuditPol tool to review the current Audit Policy configuration:
-Open a Command Prompt with elevated privileges ("Run as Administrator").
-Enter "AuditPol /get /category:*".
 
Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding.
 
Account Management -&gt; Other Account Management Events - Success</rawString>
      <Subcategory>Other Account Management Events</Subcategory>
    </Rule>
    <Rule id="V-26534" severity="medium" conversionstatus="pass" title="Audit - Other Account Management Events - Failure" dscresource="AuditPolicySubcategory">
      <AuditFlag>Failure</AuditFlag>
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective.
 
Use the AuditPol tool to review the current Audit Policy configuration:
-Open a Command Prompt with elevated privileges ("Run as Administrator").
-Enter "AuditPol /get /category:*".
 
Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding.
 
Account Management -&gt; Other Account Management Events - Failure</rawString>
      <Subcategory>Other Account Management Events</Subcategory>
    </Rule>
    <Rule id="V-26535" severity="medium" conversionstatus="pass" title="Audit - Security Group Management - Success" dscresource="AuditPolicySubcategory">
      <AuditFlag>Success</AuditFlag>
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective.
 
Use the AuditPol tool to review the current Audit Policy configuration:
-Open a Command Prompt with elevated privileges ("Run as Administrator").
-Enter "AuditPol /get /category:*".
 
Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding.
 
Account Management -&gt; Security Group Management - Success</rawString>
      <Subcategory>Security Group Management</Subcategory>
    </Rule>
    <Rule id="V-26536" severity="medium" conversionstatus="pass" title="Audit - Security Group Management - Failure" dscresource="AuditPolicySubcategory">
      <AuditFlag>Failure</AuditFlag>
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective.
 
Use the AuditPol tool to review the current Audit Policy configuration:
-Open a Command Prompt with elevated privileges ("Run as Administrator").
-Enter "AuditPol /get /category:*".
 
Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding.
 
Account Management -&gt; Security Group Management - Failure</rawString>
      <Subcategory>Security Group Management</Subcategory>
    </Rule>
    <Rule id="V-26537" severity="medium" conversionstatus="pass" title="Audit - User Account Management - Success" dscresource="AuditPolicySubcategory">
      <AuditFlag>Success</AuditFlag>
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective.
 
Use the AuditPol tool to review the current Audit Policy configuration:
-Open a Command Prompt with elevated privileges ("Run as Administrator").
-Enter "AuditPol /get /category:*".
 
Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding.
 
Account Management -&gt; User Account Management - Success</rawString>
      <Subcategory>User Account Management</Subcategory>
    </Rule>
    <Rule id="V-26538" severity="medium" conversionstatus="pass" title="Audit - User Account Management - Failure" dscresource="AuditPolicySubcategory">
      <AuditFlag>Failure</AuditFlag>
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective.
 
Use the AuditPol tool to review the current Audit Policy configuration:
-Open a Command Prompt with elevated privileges ("Run as Administrator").
-Enter "AuditPol /get /category:*".
 
Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding.
 
Account Management -&gt; User Account Management - Failure</rawString>
      <Subcategory>User Account Management</Subcategory>
    </Rule>
    <Rule id="V-26539" severity="medium" conversionstatus="pass" title="Audit - Process Creation - Success" dscresource="AuditPolicySubcategory">
      <AuditFlag>Success</AuditFlag>
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective.
 
Use the AuditPol tool to review the current Audit Policy configuration:
-Open a Command Prompt with elevated privileges ("Run as Administrator").
-Enter "AuditPol /get /category:*".
 
Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding.
 
Detailed Tracking -&gt; Process Creation - Success</rawString>
      <Subcategory>Process Creation</Subcategory>
    </Rule>
    <Rule id="V-26540" severity="medium" conversionstatus="pass" title="Audit - Logoff - Success" dscresource="AuditPolicySubcategory">
      <AuditFlag>Success</AuditFlag>
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective.
 
Use the AuditPol tool to review the current Audit Policy configuration:
-Open a Command Prompt with elevated privileges ("Run as Administrator").
-Enter "AuditPol /get /category:*".
 
Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding.
 
Logon/Logoff -&gt; Logoff - Success</rawString>
      <Subcategory>Logoff</Subcategory>
    </Rule>
    <Rule id="V-26541" severity="medium" conversionstatus="pass" title="Audit - Logon - Success" dscresource="AuditPolicySubcategory">
      <AuditFlag>Success</AuditFlag>
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective.
 
Use the AuditPol tool to review the current Audit Policy configuration:
-Open a Command Prompt with elevated privileges ("Run as Administrator").
-Enter "AuditPol /get /category:*".
 
Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding.
 
Logon/Logoff -&gt; Logon - Success</rawString>
      <Subcategory>Logon</Subcategory>
    </Rule>
    <Rule id="V-26542" severity="medium" conversionstatus="pass" title="Audit - Logon - Failure" dscresource="AuditPolicySubcategory">
      <AuditFlag>Failure</AuditFlag>
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective.
 
Use the AuditPol tool to review the current Audit Policy configuration:
-Open a Command Prompt with elevated privileges ("Run as Administrator").
-Enter "AuditPol /get /category:*".
 
Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding.
 
Logon/Logoff -&gt; Logon - Failure</rawString>
      <Subcategory>Logon</Subcategory>
    </Rule>
    <Rule id="V-26543" severity="medium" conversionstatus="pass" title="Audit - Special Logon - Success" dscresource="AuditPolicySubcategory">
      <AuditFlag>Success</AuditFlag>
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective.
 
Use the AuditPol tool to review the current Audit Policy configuration:
-Open a Command Prompt with elevated privileges ("Run as Administrator").
-Enter "AuditPol /get /category:*".
 
Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding.
 
Logon/Logoff -&gt; Special Logon - Success</rawString>
      <Subcategory>Special Logon</Subcategory>
    </Rule>
    <Rule id="V-26546" severity="medium" conversionstatus="pass" title="Audit - Audit Policy Change - Success" dscresource="AuditPolicySubcategory">
      <AuditFlag>Success</AuditFlag>
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective.
 
Use the AuditPol tool to review the current Audit Policy configuration:
-Open a Command Prompt with elevated privileges ("Run as Administrator").
-Enter "AuditPol /get /category:*".
 
Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding.
 
Policy Change -&gt; Audit Policy Change - Success</rawString>
      <Subcategory>Audit Policy Change</Subcategory>
    </Rule>
    <Rule id="V-26547" severity="medium" conversionstatus="pass" title="Audit - Audit Policy Change - Failure" dscresource="AuditPolicySubcategory">
      <AuditFlag>Failure</AuditFlag>
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective.
 
Use the AuditPol tool to review the current Audit Policy configuration:
-Open a Command Prompt with elevated privileges ("Run as Administrator").
-Enter "AuditPol /get /category:*".
 
Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding.
 
Policy Change -&gt; Audit Policy Change - Failure</rawString>
      <Subcategory>Audit Policy Change</Subcategory>
    </Rule>
    <Rule id="V-26548" severity="medium" conversionstatus="pass" title="Audit - Authentication Policy Change - Success" dscresource="AuditPolicySubcategory">
      <AuditFlag>Success</AuditFlag>
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective.
 
Use the AuditPol tool to review the current Audit Policy configuration:
-Open a Command Prompt with elevated privileges ("Run as Administrator").
-Enter "AuditPol /get /category:*".
 
Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding.
 
Policy Change -&gt; Authentication Policy Change - Success</rawString>
      <Subcategory>Authentication Policy Change</Subcategory>
    </Rule>
    <Rule id="V-26549" severity="medium" conversionstatus="pass" title="Audit - Sensitive Privilege Use - Success" dscresource="AuditPolicySubcategory">
      <AuditFlag>Success</AuditFlag>
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective.
 
Use the AuditPol tool to review the current Audit Policy configuration:
-Open a Command Prompt with elevated privileges ("Run as Administrator").
-Enter "AuditPol /get /category:*".
 
Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding.
 
Privilege Use -&gt; Sensitive Privilege Use - Success</rawString>
      <Subcategory>Sensitive Privilege Use</Subcategory>
    </Rule>
    <Rule id="V-26550" severity="medium" conversionstatus="pass" title="Audit - Sensitive Privilege Use - Failure" dscresource="AuditPolicySubcategory">
      <AuditFlag>Failure</AuditFlag>
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective.
 
Use the AuditPol tool to review the current Audit Policy configuration:
-Open a Command Prompt with elevated privileges ("Run as Administrator").
-Enter "AuditPol /get /category:*".
 
Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding.
 
Privilege Use -&gt; Sensitive Privilege Use - Failure</rawString>
      <Subcategory>Sensitive Privilege Use</Subcategory>
    </Rule>
    <Rule id="V-26551" severity="medium" conversionstatus="pass" title="Audit - IPSec Driver - Success" dscresource="AuditPolicySubcategory">
      <AuditFlag>Success</AuditFlag>
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective.
 
Use the AuditPol tool to review the current Audit Policy configuration:
-Open a Command Prompt with elevated privileges ("Run as Administrator").
-Enter "AuditPol /get /category:*".
 
Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding.
 
System -&gt; IPsec Driver - Success</rawString>
      <Subcategory>IPsec Driver</Subcategory>
    </Rule>
    <Rule id="V-26552" severity="medium" conversionstatus="pass" title="Audit - IPSec Driver - Failure" dscresource="AuditPolicySubcategory">
      <AuditFlag>Failure</AuditFlag>
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective.
 
Use the AuditPol tool to review the current Audit Policy configuration:
-Open a Command Prompt with elevated privileges ("Run as Administrator").
-Enter "AuditPol /get /category:*".
 
Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding.
 
System -&gt; IPsec Driver - Failure</rawString>
      <Subcategory>IPsec Driver</Subcategory>
    </Rule>
    <Rule id="V-26553" severity="medium" conversionstatus="pass" title="Audit - Security State Change - Success" dscresource="AuditPolicySubcategory">
      <AuditFlag>Success</AuditFlag>
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective.
 
Use the AuditPol tool to review the current Audit Policy configuration:
-Open a Command Prompt with elevated privileges ("Run as Administrator").
-Enter "AuditPol /get /category:*".
 
Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding.
 
System -&gt; Security State Change - Success</rawString>
      <Subcategory>Security State Change</Subcategory>
    </Rule>
    <Rule id="V-26554" severity="medium" conversionstatus="pass" title="Audit - Security State Change - Failure" dscresource="AuditPolicySubcategory">
      <AuditFlag>Failure</AuditFlag>
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective.
 
Use the AuditPol tool to review the current Audit Policy configuration:
-Open a Command Prompt with elevated privileges ("Run as Administrator").
-Enter "AuditPol /get /category:*".
 
Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding.
 
System -&gt; Security State Change - Failure</rawString>
      <Subcategory>Security State Change</Subcategory>
    </Rule>
    <Rule id="V-26555" severity="medium" conversionstatus="pass" title="Audit - Security System Extension - Success" dscresource="AuditPolicySubcategory">
      <AuditFlag>Success</AuditFlag>
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective.
 
Use the AuditPol tool to review the current Audit Policy configuration:
-Open a Command Prompt with elevated privileges ("Run as Administrator").
-Enter "AuditPol /get /category:*".
 
Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding.
 
System -&gt; Security System Extension - Success</rawString>
      <Subcategory>Security System Extension</Subcategory>
    </Rule>
    <Rule id="V-26556" severity="medium" conversionstatus="pass" title="Audit - Security System Extension - Failure" dscresource="AuditPolicySubcategory">
      <AuditFlag>Failure</AuditFlag>
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective.
 
Use the AuditPol tool to review the current Audit Policy configuration:
-Open a Command Prompt with elevated privileges ("Run as Administrator").
-Enter "AuditPol /get /category:*".
 
Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding.
 
System -&gt; Security System Extension - Failure</rawString>
      <Subcategory>Security System Extension</Subcategory>
    </Rule>
    <Rule id="V-26557" severity="medium" conversionstatus="pass" title="Audit - System Integrity - Success" dscresource="AuditPolicySubcategory">
      <AuditFlag>Success</AuditFlag>
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective.
 
Use the AuditPol tool to review the current Audit Policy configuration:
-Open a Command Prompt with elevated privileges ("Run as Administrator").
-Enter "AuditPol /get /category:*".
 
Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding.
 
System -&gt; System Integrity - Success</rawString>
      <Subcategory>System Integrity</Subcategory>
    </Rule>
    <Rule id="V-26558" severity="medium" conversionstatus="pass" title="Audit - System Integrity - Failure" dscresource="AuditPolicySubcategory">
      <AuditFlag>Failure</AuditFlag>
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective.
 
Use the AuditPol tool to review the current Audit Policy configuration:
-Open a Command Prompt with elevated privileges ("Run as Administrator").
-Enter "AuditPol /get /category:*".
 
Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding.
 
System -&gt; System Integrity - Failure</rawString>
      <Subcategory>System Integrity</Subcategory>
    </Rule>
    <Rule id="V-33663" severity="medium" conversionstatus="pass" title="Audit Directory Service Access - Success" dscresource="AuditPolicySubcategory">
      <AuditFlag>Success</AuditFlag>
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective.
 
Use the AuditPol tool to review the current Audit Policy configuration:
-Open a Command Prompt with elevated privileges ("Run as Administrator").
-Enter "AuditPol /get /category:*".
 
Compare the Auditpol settings with the following. If the system does not audit the following, this is a finding.
 
DS Access -&gt; Directory Service Access - Success</rawString>
      <Subcategory>Directory Service Access</Subcategory>
    </Rule>
    <Rule id="V-33664" severity="medium" conversionstatus="pass" title="Audit - Directory Service Access - Failure" dscresource="AuditPolicySubcategory">
      <AuditFlag>Failure</AuditFlag>
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective.
 
Use the AuditPol tool to review the current Audit Policy configuration:
-Open a Command Prompt with elevated privileges ("Run as Administrator").
-Enter "AuditPol /get /category:*".
 
Compare the Auditpol settings with the following. If the system does not audit the following, this is a finding.
 
DS Access -&gt; Directory Service Access - Failure</rawString>
      <Subcategory>Directory Service Access</Subcategory>
    </Rule>
    <Rule id="V-33665" severity="medium" conversionstatus="pass" title="Audit - Directory Service Changes - Success" dscresource="AuditPolicySubcategory">
      <AuditFlag>Success</AuditFlag>
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective.
 
Use the AuditPol tool to review the current Audit Policy configuration:
-Open a Command Prompt with elevated privileges ("Run as Administrator").
-Enter "AuditPol /get /category:*".
 
Compare the Auditpol settings with the following. If the system does not audit the following, this is a finding.
 
DS Access -&gt; Directory Service Changes - Success</rawString>
      <Subcategory>Directory Service Changes</Subcategory>
    </Rule>
    <Rule id="V-33666" severity="medium" conversionstatus="pass" title="Audit - Directory Service Changes - Failure" dscresource="AuditPolicySubcategory">
      <AuditFlag>Failure</AuditFlag>
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective.
 
Use the AuditPol tool to review the current Audit Policy configuration:
-Open a Command Prompt with elevated privileges ("Run as Administrator").
-Enter "AuditPol /get /category:*".
 
Compare the Auditpol settings with the following. If the system does not audit the following, this is a finding.
 
DS Access -&gt; Directory Service Changes - Failure</rawString>
      <Subcategory>Directory Service Changes</Subcategory>
    </Rule>
    <Rule id="V-36667" severity="medium" conversionstatus="pass" title="WINAU-000016" dscresource="AuditPolicySubcategory">
      <AuditFlag>Failure</AuditFlag>
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective.
 
Use the AuditPol tool to review the current Audit Policy configuration:
-Open a Command Prompt with elevated privileges ("Run as Administrator").
-Enter "AuditPol /get /category:*"
 
Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding.
 
Object Access &gt;&gt; Removable Storage - Failure
 
Virtual machines or systems that use network attached storage may generate excessive audit events for secondary virtual drives or the network attached storage when this setting is enabled. This may be set to Not Configured in such cases and would not be a finding.</rawString>
      <Subcategory>Removable Storage</Subcategory>
    </Rule>
    <Rule id="V-36668" severity="medium" conversionstatus="pass" title="WINAU-000017" dscresource="AuditPolicySubcategory">
      <AuditFlag>Success</AuditFlag>
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective.
 
Use the AuditPol tool to review the current Audit Policy configuration:
-Open a Command Prompt with elevated privileges ("Run as Administrator").
-Enter "AuditPol /get /category:*"
 
Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding.
 
Object Access &gt;&gt; Removable Storage - Success
 
Virtual machines or systems that use network attached storage may generate excessive audit events for secondary virtual drives or the network attached storage when this setting is enabled. This may be set to Not Configured in such cases and would not be a finding.</rawString>
      <Subcategory>Removable Storage</Subcategory>
    </Rule>
    <Rule id="V-40200" severity="medium" conversionstatus="pass" title="WNAU-000060" dscresource="AuditPolicySubcategory">
      <AuditFlag>Failure</AuditFlag>
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective.
 
Use the AuditPol tool to review the current Audit Policy configuration:
-Open a Command Prompt with elevated privileges ("Run as Administrator").
-Enter "AuditPol /get /category:*".
 
Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding.
 
Object Access -&gt; Central Policy Staging - Failure</rawString>
      <Subcategory>Central Policy Staging</Subcategory>
    </Rule>
    <Rule id="V-40202" severity="medium" conversionstatus="pass" title="WNAU-000059" dscresource="AuditPolicySubcategory">
      <AuditFlag>Success</AuditFlag>
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective.
 
Use the AuditPol tool to review the current Audit Policy configuration:
-Open a Command Prompt with elevated privileges ("Run as Administrator").
-Enter "AuditPol /get /category:*".
 
Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding.
 
Object Access -&gt; Central Policy Staging - Success</rawString>
      <Subcategory>Central Policy Staging</Subcategory>
    </Rule>
    <Rule id="V-57633" severity="medium" conversionstatus="pass" title="WINAU-000089" dscresource="AuditPolicySubcategory">
      <AuditFlag>Success</AuditFlag>
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective.
 
Use the AuditPol tool to review the current Audit Policy configuration:
-Open a Command Prompt with elevated privileges ("Run as Administrator").
-Enter "AuditPol /get /category:*".
 
Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding.
 
Policy Change -&gt; Authorization Policy Change - Success</rawString>
      <Subcategory>Authorization Policy Change</Subcategory>
    </Rule>
    <Rule id="V-57635" severity="medium" conversionstatus="pass" title="WINAU-000090" dscresource="AuditPolicySubcategory">
      <AuditFlag>Failure</AuditFlag>
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective.
 
Use the AuditPol tool to review the current Audit Policy configuration:
-Open a Command Prompt with elevated privileges ("Run as Administrator").
-Enter "AuditPol /get /category:*".
 
Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding.
 
Policy Change -&gt; Authorization Policy Change - Failure</rawString>
      <Subcategory>Authorization Policy Change</Subcategory>
    </Rule>
  </AuditPolicyRule>
  <DocumentRule dscresourcemodule="None">
    <Rule id="V-1112" severity="low" conversionstatus="pass" title="Dormant Accounts" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Run "PowerShell".
 
Member servers and standalone systems:
Copy or enter the lines below to the PowerShell window and enter. (Entering twice may be required. Do not include the quotes at the beginning and end of the query.)
 
"([ADSI]('WinNT://{0}' -f $env:COMPUTERNAME)).Children | Where { $_.SchemaClassName -eq 'user' } | ForEach {
 $user = ([ADSI]$_.Path)
 $lastLogin = $user.Properties.LastLogin.Value
 $enabled = ($user.Properties.UserFlags.Value -band 0x2) -ne 0x2
 if ($lastLogin -eq $null) {
 $lastLogin = 'Never'
 }
 Write-Host $user.Name $lastLogin $enabled
}"
 
This will return a list of local accounts with the account name, last logon, and if the account is enabled (True/False).
For example: User1 10/31/2015 5:49:56 AM True
 
Domain Controllers:
Enter the following command in PowerShell.
"Search-ADAccount -AccountInactive -UsersOnly -TimeSpan 35.00:00:00"
 
This will return accounts that have not been logged on to for 35 days, along with various attributes such as the Enabled status and LastLogonDate.
 
Review the list of accounts returned by the above queries to determine the finding validity for each account reported.
 
Exclude the following accounts:
Built-in administrator account (Renamed, SID ending in 500)
Built-in guest account (Renamed, Disabled, SID ending in 501)
Application accounts
 
If any enabled accounts have not been logged on to within the past 35 days, this is a finding.
 
Inactive accounts that have been reviewed and deemed to be required must be documented with the ISSO.</rawString>
    </Rule>
    <Rule id="V-1120" severity="medium" conversionstatus="pass" title="Prohibited FTP Logins" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If FTP is not installed on the system, this is NA.
 
Determine the IP address and port number assigned to FTP sites from documentation or configuration.
 
If Microsoft FTP is used, open "Internet Information Services (IIS) Manager".
 
Select "Sites" under the server name.
 
For any sites that reference FTP, view the Binding information for IP address and port. The standard port for FTP is 21, however this may be changed.
 
Open a "Command Prompt".
 
Attempt to log on as the user "anonymous" with the following commands:
 
Note: Returned results may vary depending on the FTP server software.
 
C:\&gt; "ftp"
ftp&gt; "Open IP Address Port"
(Substituting [IP Address] and [Port] with the information previously identified. If no IP Address was listed in the Binding, attempt using "localhost".)
(Connected to IP Address
220 Microsoft FTP Service)
 
User (IP Address): "anonymous"
(331 Anonymous access allowed, send identity (e-mail name) as password.)
 
Password: "password"
(230 User logged in.)
ftp&gt;
 
If the response indicates that an anonymous FTP login was permitted, this is a finding.
 
If accounts with administrator privileges are used to access FTP, this is a CAT I finding.</rawString>
    </Rule>
    <Rule id="V-1121" severity="high" conversionstatus="pass" title="FTP System File Access" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If FTP is not installed on the system, this is NA.
 
Determine the IP address and port number assigned to FTP sites from documentation or configuration.
 
If Microsoft FTP is used, open "Internet Information Services (IIS) Manager".
 
Select "Sites" under the server name.
 
For any sites that reference FTP, view the Binding information for IP address and port. The standard port for FTP is 21, however this may be changed.
 
Open a "Command Prompt".
 
Access the FTP site and review accessible directories with the following commands:
 
Note: Returned results may vary depending on the FTP server software.
 
C:\&gt; "ftp"
ftp&gt; "Open IP Address Port"
(Substituting [IP Address] and [Port] with the information previously identified. If no IP Address was listed in the Binding, attempt using "localhost".)
(Connected to IP Address
220 Microsoft FTP Service)
 
User (IP Address): "FTP User"
(Substituting [FTP User] with an account identified that is allowed access. If it was determined that anonymous access was allowed to the site [see V-1120], also review access using "anonymous".)
 (331 Password required)
 
Password: "Password"
(Substituting [Password] with password for the account attempting access.)
(230 User ftpuser logged in.)
 
ftp&gt; "Dir"
 
If the FTP session indicates access to areas of the system other than the specific folder for FTP data, such as the root of the drive, Program Files or Windows directories, this is a finding.</rawString>
    </Rule>
    <Rule id="V-1168" severity="medium" conversionstatus="pass" title="Members of the Backup Operators Group" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If no accounts are members of the Backup Operators group, this is NA.
 
Any accounts that are members of the Backup Operators group, including application accounts, must be documented with the ISSO. If documentation of accounts that are members of the Backup Operators group is not maintained this is a finding.</rawString>
    </Rule>
    <Rule id="V-3289" severity="medium" conversionstatus="pass" title="Intrusion Detection System" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Determine whether there is a host-based Intrusion Detection System on each server.
 
If the HIPS component of HBSS is installed and active on the host and the Alerts of blocked activity are being logged and monitored, this will meet the requirement of this finding.
 
A HID device is not required on a system that has the role as the Network Intrusion Device (NID). However, this exception needs to be documented with the site ISSO.
 
If a host-based Intrusion Detection System is not installed on the system, this is a finding.</rawString>
    </Rule>
    <Rule id="V-3487" severity="medium" conversionstatus="pass" title="Unnecessary Services" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Required services will vary between organizations, and on the role of the individual system. Organizations will develop their own list of services which will be documented and justified with the ISSO. The site's list will be provided for any security review. Services common to multiple systems can be addressed in one document. Exceptions for individual systems should be identified separately by system.
 
Individual services specifically required to be disabled per the STIG are identified in separate requirements.
 
If the site has not documented the services required for their system(s), this is a finding.
 
The following can be used to view the services on a system:
Run "Services.msc".
 
Services for Windows Server 2012 roles are managed automatically, adding those necessary for a particular role. The following lists the default services for a baseline installation as a reference. This can be used as a basis for documenting the services necessary.
 
Default Installation
Name - Startup Type
Application Experience - Manual (Trigger Start)
Application Identity - Manual (Trigger Start)
Application Information - Manual
Application Layer Gateway Service - Manual
Application Management - Manual
Background Intelligent Transfer Service - Automatic (Delayed Start)
Background Tasks Infrastructure Service - Automatic
Base Filtering Engine - Automatic
Certificate Propagation - Manual
CNG Key Isolation - Manual (Trigger Start)
COM+ Event System - Automatic
COM+ System Application - Manual
Computer Browser - Disabled
Credential Manager - Manual
Cryptographic Services - Automatic
DCOM Server Process Launcher - Automatic
Device Association Service - Manual (Trigger Start)
Device Install Service - Manual (Trigger Start)
Device Setup Manager - Manual (Trigger Start)
DHCP Client - Automatic
Diagnostic Policy Service - Automatic (Delayed Start)
Diagnostic Service Host - Manual
Diagnostic System Host - Manual
Distributed Link Tracking Client - Automatic
Distributed Transaction Coordinator - Automatic (Delayed Start)
DNS Client - Automatic (Trigger Start)
Encrypting File System (EFS) - Manual (Trigger Start)
Extensible Authentication Protocol - Manual
Function Discovery Provider Host - Manual
Function Discovery Resource Publication - Manual
Group Policy Client - Automatic (Trigger Start)
Health Key and Certificate Management - Manual
Human Interface Device Access - Manual (Trigger Start)
Hyper-V Data Exchange Service - Manual (Trigger Start)
Hyper-V Guest Shutdown Service - Manual (Trigger Start)
Hyper-V Heartbeat Service - Manual (Trigger Start)
Hyper-V Remote Desktop Virtualization Service - Manual (Trigger Start)
Hyper-V Time Synchronization Service - Manual (Trigger Start)
Hyper-V Volume Shadow Copy Requestor - Manual (Trigger Start)
IKE and AuthIP IPsec Keying Modules - Manual (Trigger Start)
Interactive Services Detection - Manual
Internet Connection Sharing (ICS) - Disabled
IP Helper - Automatic
IPsec Policy Agent - Manual (Trigger Start)
KDC Proxy Server service (KPS) - Manual
KtmRm for Distributed Transaction Coordinator - Manual (Trigger Start)
Link-Layer Topology Discovery Mapper - Manual
Local Session Manager - Automatic
Microsoft iSCSI Initiator Service - Manual
Microsoft Software Shadow Copy Provider - Manual
Multimedia Class Scheduler - Manual
Net.Tcp Port Sharing Service - Disabled
Netlogon - Manual
Network Access Protection Agent - Manual
Network Connections - Manual
Network Connectivity Assistant - Manual (Trigger Start)
Network List Service - Manual
Network Location Awareness - Automatic
Network Store Interface Service - Automatic
Optimize drives - Manual
Performance Counter DLL Host - Manual
Performance Logs &amp; Alerts - Manual
Plug and Play - Manual
Portable Device Enumerator Service - Manual (Trigger Start)
Power - Automatic
Print Spooler - Automatic
Printer Extensions and Notifications - Manual
Problem Reports and Solutions Control Panel Support - Manual
Remote Access Auto Connection Manager - Manual
Remote Access Connection Manager - Manual
Remote Desktop Configuration - Manual
Remote Desktop Services - Manual
Remote Desktop Services UserMode Port Redirector - Manual
Remote Procedure Call (RPC) - Automatic
Remote Procedure Call (RPC) Locator - Manual
Remote Registry - Automatic (Trigger Start)
Resultant Set of Policy Provider - Manual
Routing and Remote Access - Disabled
RPC Endpoint Mapper - Automatic
Secondary Logon - Manual
Secure Socket Tunneling Protocol Service - Manual
Security Accounts Manager - Automatic
Server - Automatic
Shell Hardware Detection - Automatic
Smart Card - Disabled
Smart Card Removal Policy - Manual
SNMP Trap - Manual
Software Protection - Automatic (Delayed Start, Trigger Start)
Special Administration Console Helper - Manual
Spot Verifier - Manual (Trigger Start)
SSDP Discovery - Disabled
Superfetch - Manual
System Event Notification Service - Automatic
Task Scheduler - Automatic
TCP/IP NetBIOS Helper - Automatic (Trigger Start)
Telephony - Manual
Themes - Automatic
Thread Ordering Server - Manual
UPnP Device Host - Disabled
User Access Logging Service - Automatic (Delayed Start)
User Profile Service - Automatic
Virtual Disk - Manual
Volume Shadow Copy - Manual
Windows All-User Install Agent - Manual (Trigger Start)
Windows Audio - Manual
Windows Audio Endpoint Builder - Manual
Windows Color System - Manual
Windows Driver Foundation - User-mode Driver Framework - Manual (Trigger Start)
Windows Error Reporting Service - Manual (Trigger Start)
Windows Event Collector - Manual
Windows Event Log - Automatic
Windows Firewall - Automatic
Windows Font Cache Service - Automatic
Windows Installer - Manual
Windows Licensing Monitoring Service - Automatic
Windows Management Instrumentation - Automatic
Windows Modules Installer - Manual
Windows Remote Management (WS-Management) - Automatic
Windows Store Service (WSService) - Manual (Trigger Start)
Windows Time - Manual (Trigger Start)
Windows Update - Manual
WinHTTP Web Proxy Auto-Discovery Service - Manual
Wired AutoConfig - Manual
WMI Performance Adapter - Manual
Workstation - Automatic</rawString>
    </Rule>
    <Rule id="V-14783" severity="medium" conversionstatus="pass" title="Replication Encryption – Classification Factor" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>With the assistance of the SA, NSO, or network reviewer as required, review the site network diagram(s) or documentation to determine the level of classification for the network(s) over which replication data is transmitted.
 
Determine the classification level of the Windows domain controller.
 
If the classification level of the Windows domain controller is higher than the level of the networks, review the site network diagram(s) and directory implementation documentation to determine if NSA-approved encryption is used to protect the replication network traffic.
 
If the classification level of the Windows domain controller is higher than the level of the network traversed and NSA-approved encryption is not used, this is a finding.</rawString>
    </Rule>
    <Rule id="V-15823" severity="medium" conversionstatus="pass" title="Software Certificate Installation Files" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Search all drives for *.p12 and *.pfx files.
 
If any files with these extensions exist, this is a finding.
 
This does not apply to server-based applications that have a requirement for .p12 certificate files (e.g., Oracle Wallet Manager). Some applications create files with extensions of .p12 that are NOT certificate installation files. Removal of noncertificate installation files from systems is not required. These must be documented with the ISSO.</rawString>
    </Rule>
    <Rule id="V-26683" severity="high" conversionstatus="pass" title="Directory PKI Certificate Source - Users" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Open "PowerShell" as Administrator.
 
Enter "Get-ADUser -Filter * | FT Name, UserPrincipalName, Enabled" -AutoSize.
 
Review the User Principal Name (UPN) of user accounts, including administrators.
 
Exclude the built-in accounts such as Administrator and Guest.
 
If the User Principal Name (UPN) is not in the format of an individual's Electronic Data Interchange - Personnel Identifier (EDI-PI) and the appropriate domain suffix, this is a finding.
 
NIPRNET Example:
Name - User Principal Name
User1 - 1234567890@mil
 
See PKE documentation for other network domain suffixes.
 
If the mappings are to certificates issued by a CA authorized by the Component's CIO, this is a CAT II finding.</rawString>
    </Rule>
    <Rule id="V-32272" severity="medium" conversionstatus="pass" title="WINPK-000001" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Verify the DoD Root CA certificates are installed as Trusted Root Certification Authorities.
 
Run "PowerShell" as an administrator.
Execute the following command:
Get-ChildItem -Path Cert:Localmachine\root | Where Subject -Like "*DoD*" | FL Subject, Thumbprint
If the following information is not displayed, this is finding.
 
Subject: CN=DoD Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US
Thumbprint: 8C941B34EA1EA6ED9AE2BC54CF687252B4C9B561
 
Subject: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=US
Thumbprint: D73CA91102A2204A36459ED32213B467D7CE97FB
 
Subject: CN=DoD Root CA 4, OU=PKI, OU=DoD, O=U.S. Government, C=US
Thumbprint: B8269F25DBD937ECAFD4C35A9838571723F2D026
 
Alternately use the Certificates MMC snap-in:
Run "MMC".
Select "File", "Add/Remove Snap-in".
Select "Certificates", click "Add".
Select "Computer account", click "Next".
Select "Local computer: (the computer this console is running on)", click "Finish".
Click "OK".
Expand "Certificates" and navigate to "Trusted Root Certification Authorities &gt;&gt; Certificates".
If there are no entries for "DoD Root CA 2", "DoD Root CA 3", and "DoD Root CA 4", this is a finding.
 
For each of the DoD Root CA certificates noted above:
Right click on the certificate and select "Open".
Select the "Details" Tab.
Scroll to the bottom and select "Thumbprint".
 
If the value for the "Thumbprint" field is not as noted below, this is a finding.
DoD Root CA 2 - 8C941B34EA1EA6ED9AE2BC54CF687252B4C9B561
DoD Root CA 3 - D73CA91102A2204A36459ED32213B467D7CE97FB
DoD Root CA 4 - B8269F25DBD937ECAFD4C35A9838571723F2D026
 
The thumbprints referenced apply to unclassified systems; see PKE documentation for other networks.</rawString>
    </Rule>
    <Rule id="V-33673" severity="high" conversionstatus="pass" title="Group Policy Objects Access Control" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Verify the permissions on Group Policy objects.
 
Open "Group Policy Management". (Available from various menus or run "gpmc.msc".)
Navigate to "Group Policy Objects" in the domain being reviewed (Forest &gt; Domains &gt; Domain).
 
For each Group Policy object:
Select the Group Policy object item in the left pane.
Select the Delegation tab in the right pane.
Select the Advanced button.
 
If any standard user accounts or groups have greater than Allow permissions of Read and Apply group policy, this is a finding.
 
Other access permissions that allow the objects to be updated are considered findings unless specifically documented by the ISSO.
 
The default permissions noted below meet this requirement.
 
The permissions shown are at the summary level. More detailed permissions can be viewed by selecting the next Advanced button, selecting the desired Permission entry, and the Edit button.
 
Authenticated Users - Read, Apply group policy, Special permissions
 
The Special permissions for Authenticated Users are for Read type Properties. If detailed permissions include any Create, Delete, Modify, or Write Permissions or Properties, this is a finding.
 
The Special permissions for the following default groups are not the focus of this requirement and may include a wide range of permissions and properties.
 
CREATOR OWNER - Special permissions
 
SYSTEM - Read, Write, Create all child objects, Delete all child objects, Special permissions
 
Domain Admins - Read, Write, Create all child objects, Delete all child objects, Special permissions
 
Enterprise Admins - Read, Write, Create all child objects, Delete all child objects, Special permissions
 
ENTERPRISE DOMAIN CONTROLLERS - Read, Special permissions
 
The Domain Admins and Enterprise Admins will not have the "Delete all child objects" permission on the two default group policy objects: Default Domain Policy and Default Domain Controllers Policy. They will have this permission on created group policy objects.
 
The Anonymous Logon, Guests, or any group that contains those groups (in which users are not uniquely identified and authenticated) must not have any access permissions unless the group and justification is explicitly documented with the ISSO.</rawString>
    </Rule>
    <Rule id="V-36658" severity="medium" conversionstatus="pass" title="WIN00-000005-01" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Review the necessary documentation that identifies the members of the Administrators group. If a list of all users belonging to the Administrators group is not maintained with the ISSO, this is a finding.</rawString>
    </Rule>
    <Rule id="V-39333" severity="high" conversionstatus="pass" title="WINAD-000005-DC" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Verifying the permissions on domain defined OUs.
 
Open "Active Directory Users and Computers". (Available from various menus or run "dsa.msc".)
Ensure Advanced Features is selected in the View menu.
 
For each OU that is defined (folder in folder icon) excluding the Domain Controllers OU:
Right click the OU and select Properties.
Select the Security tab.
 
If the permissions on the OU are not at least as restrictive as those below, this is a finding.
 
The permissions shown are at the summary level. More detailed permissions can be viewed by selecting the next Advanced button, selecting the desired Permission entry and the Edit button.
 
Self - Special permissions
 
Authenticated Users - Read, Special permissions
The Special permissions for Authenticated Users are Read type. If detailed permissions include any Create, Delete, Modify, or Write Permissions or Properties, this is a finding.
 
SYSTEM - Full Control
 
Domain Admins - Full Control
 
Enterprise Admins - Full Control
 
Administrators - Read, Write, Create all child objects, Generate resultant set of policy (logging), Generate resultant set of policy (planning), Special permissions
 
Pre-Windows 2000 Compatible Access - Special permissions
The Special permissions for Pre-Windows 2000 Compatible Access are for Read types. If detailed permissions include any Create, Delete, Modify, or Write Permissions or Properties, this is a finding.
 
ENTERPRISE DOMAIN CONTROLLERS - Read, Special permissions
 
If an ISSO-approved distributed administration model (help desk or other user support staff) is implemented, permissions above Read may be allowed for groups documented by the ISSO.</rawString>
    </Rule>
    <Rule id="V-40173" severity="low" conversionstatus="pass" title="WN00-000017" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Determine whether system-related documentation is backed up in accordance with local recovery time and recovery point objectives. If system-related documentation is not backed up in accordance with local recovery time and recovery point objectives, this is a finding.</rawString>
    </Rule>
  </DocumentRule>
  <ManualRule dscresourcemodule="None">
    <Rule id="V-1070" severity="medium" conversionstatus="pass" title="Physical security" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Verify servers are located in controlled access areas that are accessible only to authorized personnel. If systems are not adequately protected, this is a finding.</rawString>
    </Rule>
    <Rule id="V-1072" severity="medium" conversionstatus="pass" title="Shared User Accounts" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Determine whether any shared accounts exist. If no shared accounts exist, this is NA.
If shared accounts exist, this is a finding.</rawString>
    </Rule>
    <Rule id="V-1074" severity="high" conversionstatus="pass" title="WIN00-000100" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Verify a supported DoD antivirus product has been installed on the system.
 
If McAfee VirusScan Enterprise 8.8 Patch 3 or later is not installed on the system, this is a finding.
 
If another recognized antivirus product is installed, this would still be a finding; however, the severity may be reduced to a CAT III.</rawString>
    </Rule>
    <Rule id="V-1076" severity="low" conversionstatus="pass" title="System Recovery Backups" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Determine whether system-level information is backed up in accordance with local recovery time and recovery point objectives. If system-level information is not backed up in accordance with local recovery time and recovery point objectives, this is a finding.</rawString>
    </Rule>
    <Rule id="V-1119" severity="medium" conversionstatus="pass" title="Booting into Multiple Operating Systems" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Verify the local system boots directly into Windows.
 
Open Control Panel.
Select "System".
Select the "Advanced System Settings" link.
Select the "Advanced" tab.
Click the "Startup and Recovery" Settings button.
 
If the drop-down list box "Default operating system:" shows any operating system other than Windows Server 2012, this is a finding.</rawString>
    </Rule>
    <Rule id="V-1127" severity="high" conversionstatus="pass" title="Restricted Administrator Group Membership" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Review the Administrators group. Only the appropriate administrator groups or accounts responsible for administration of the system may be members of the group.
 
Standard user accounts must not be members of the local administrator group.
 
If prohibited accounts are members of the local administrators group, this is a finding.
 
The built-in Administrator account or other required administrative accounts would not be a finding.</rawString>
    </Rule>
    <Rule id="V-1128" severity="low" conversionstatus="pass" title="Security Configuration Tools" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Verify security configuration tools or equivalent processes are being used to configure Windows systems to meet security requirements. If security configuration tools or equivalent processes are not used, this is a finding.
 
Security configuration tools that are integrated into Windows, such as Group Policies and Security Templates, may be used to configure platforms for security compliance.
 
If an alternate method is used to configure a system (e.g., manually using the DISA Windows Security STIGs, etc.) and the same configured result is achieved, this is acceptable.</rawString>
    </Rule>
    <Rule id="V-1135" severity="low" conversionstatus="pass" title="Printer Share Permissions" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Open "Devices and Printers" in Control Panel or through Search.
If there are no printers configured, this is NA.
 
For each configured printer:
Right click on the printer.
Select "Printer Properties".
Select the "Sharing" tab.
View whether "Share this printer" is checked.
 
For any printers with "Share this printer" selected:
Select the Security tab.
 
If any standard user accounts or groups have permissions other than "Print", this is a finding.
Standard users will typically be given "Print" permission through the Everyone group.
"All APPLICATION PACKAGES" and "CREATOR OWNER" are not considered standard user accounts for this requirement.</rawString>
    </Rule>
    <Rule id="V-2376" severity="medium" conversionstatus="pass" title="Kerberos-User Logon Restrictions" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Verify the following is configured in the Default Domain Policy.
 
Open "Group Policy Management".
Navigate to "Group Policy Objects" in the Domain being reviewed (Forest &gt; Domains &gt; Domain).
Right click on the "Default Domain Policy".
Select Edit.
Navigate to Computer Configuration &gt; Policies &gt; Windows Settings &gt; Security Settings &gt; Account Policies &gt; Kerberos Policy.
 
If the "Enforce user logon restrictions" is not set to "Enabled", this is a finding.</rawString>
    </Rule>
    <Rule id="V-2377" severity="medium" conversionstatus="pass" title="Kerberos-Service Ticket Lifetime" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Verify the following is configured in the Default Domain Policy.
 
Open "Group Policy Management".
Navigate to "Group Policy Objects" in the Domain being reviewed (Forest &gt; Domains &gt; Domain).
Right click on the "Default Domain Policy".
Select Edit.
Navigate to Computer Configuration &gt; Policies &gt; Windows Settings &gt; Security Settings &gt; Account Policies &gt; Kerberos Policy.
 
If the value for "Maximum lifetime for service ticket" is 0 or greater than 600 minutes, this is a finding.</rawString>
    </Rule>
    <Rule id="V-2378" severity="medium" conversionstatus="pass" title="Kerberos - User Ticket Lifetime" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Verify the following is configured in the Default Domain Policy.
 
Open "Group Policy Management".
Navigate to "Group Policy Objects" in the Domain being reviewed (Forest &gt; Domains &gt; Domain).
Right click on the "Default Domain Policy".
Select Edit.
Navigate to Computer Configuration &gt; Policies &gt; Windows Settings &gt; Security Settings &gt; Account Policies &gt; Kerberos Policy.
 
If the value for "Maximum lifetime for user ticket" is 0 or greater than 10 hours, this is a finding.</rawString>
    </Rule>
    <Rule id="V-2379" severity="medium" conversionstatus="pass" title="Kerberos-User Ticket Renewal" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Verify the following is configured in the Default Domain Policy.
 
Open "Group Policy Management".
Navigate to "Group Policy Objects" in the Domain being reviewed (Forest &gt; Domains &gt; Domain).
Right click on the "Default Domain Policy".
Select Edit.
Navigate to Computer Configuration &gt; Policies &gt; Windows Settings &gt; Security Settings &gt; Account Policies &gt; Kerberos Policy.
 
If the "Maximum lifetime for user ticket renewal" is greater than 7 days, this is a finding.</rawString>
    </Rule>
    <Rule id="V-2380" severity="medium" conversionstatus="pass" title="Kerberos - Computer Clock Sync" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Verify the following is configured in the Default Domain Policy.
 
Open "Group Policy Management".
Navigate to "Group Policy Objects" in the Domain being reviewed (Forest &gt; Domains &gt; Domain).
Right click on the "Default Domain Policy".
Select Edit.
Navigate to Computer Configuration &gt; Policies &gt; Windows Settings &gt; Security Settings &gt; Account Policies &gt; Kerberos Policy.
 
If the "Maximum tolerance for computer clock synchronization" is greater than 5 minutes, this is a finding.</rawString>
    </Rule>
    <Rule id="V-2907" severity="medium" conversionstatus="pass" title="System File Changes" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Determine whether the site monitors system files (e.g., *.exe, *.bat, *.com, *.cmd, and *.dll) on servers for unauthorized changes against a baseline on a weekly basis. If system files are not monitored for unauthorized changes, this is a finding.
 
A properly configured HBSS Policy Auditor 5.2 or later File Integrity Monitor (FIM) module will meet the requirement for file integrity checking. The Asset module within HBSS does not meet this requirement.</rawString>
    </Rule>
    <Rule id="V-3245" severity="medium" conversionstatus="pass" title="File share ACLs" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If only system-created shares such as "ADMIN$", "C$", and "IPC$" exist on the system, this is NA.
(System-created shares will display a message that it has been shared for administrative purposes when "Properties" is selected.)
 
Run "Computer Management".
Navigate to System Tools &gt;&gt; Shared Folders &gt;&gt; Shares.
 
Right click any non-system-created shares.
Select "Properties".
Select the "Share Permissions" tab.
 
If the file shares have not been reconfigured to restrict permissions to the specific groups or accounts that require access, this is a finding.
 
Select the "Security" tab.
 
If the NTFS permissions have not been reconfigured to restrict permissions to the specific groups or accounts that require access, this is a finding.</rawString>
    </Rule>
    <Rule id="V-6840" severity="medium" conversionstatus="pass" title="Password Expiration" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Run the DUMPSEC utility.
Select "Dump Users as Table" from the "Report" menu.
Select the following fields, and click "Add" for each entry:
 
UserName
SID
PswdExpires
AcctDisabled
Groups
 
If any accounts have "No" in the "PswdExpires" column, this is a finding.
 
The following are exempt from this requirement:
Application Accounts
Domain accounts requiring smart card (CAC/PIV)
 
The following PowerShell command may be used on domain controllers to list accounts with the Password Never Expires flag:
Search-ADAccount -PasswordNeverExpires -UsersOnly</rawString>
    </Rule>
    <Rule id="V-7002" severity="high" conversionstatus="pass" title="Password Requirement" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Verify all accounts require passwords.
 
Run the DUMPSEC utility.
Select "Dump Users as Table" from the "Report" menu.
Select the following fields, and click "Add" for each entry:
 
UserName
SID
PswdRequired
AcctDisabled
Groups
 
If any accounts have "No" in the "PswdRequired" column, this is a finding.
 
Some built-in or application-generated accounts (e.g., Guest, IWAM_, IUSR, etc.) may not have this flag set, even though there are passwords present. It can be set by entering the following on a command line: "Net user &lt;account_name&gt; /passwordreq:yes".</rawString>
    </Rule>
    <Rule id="V-8317" severity="medium" conversionstatus="pass" title="Directory Server Data File Locations" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Refer to the AD database location obtained in check V-8316. Note the logical drive (e.g., C:) on which the files are located.
 
Determine if the server is currently providing file sharing services to users with the following command.
Enter "net share" at a command prompt.
 
Note the logical drive(s) or file system partition for any site-created data shares.
Ignore all system shares (e.g., Windows NETLOGON, SYSVOL, and administrative shares ending in $). User shares that are hidden (ending with $) should not be ignored.
 
If user shares are located on the same logical partition as the directory server data files, this is a finding.</rawString>
    </Rule>
    <Rule id="V-8326" severity="medium" conversionstatus="pass" title="Directory Server Host Dedication" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Review the roles and services the domain controller is running.
Run "services.msc" to display the Services console.
 
Determine if any running services are application components.
 
Examples of services indicating the presence of applications are:
-DHCP Server for DHCP server
-IIS Admin Service for IIS web server
-Microsoft Exchange System Attendant for Exchange
-MSSQLServer for SQL Server.
 
If any application-related components have the "Started" status, this is a finding.
 
Installed roles can be displayed by viewing Server Roles in the Add (or Remove) Roles and Features wizard. (Cancel before any changes are made.)
 
Determine if any additional server roles are installed. A basic domain controller set up will include the following:
-Active Directory Domain Services
-DNS Server
-File and Storage Services
 
If any roles not requiring installation on a domain controller are installed, this is a finding.
 
Supplemental Notes:
A Domain Name System (DNS) server integrated with the directory server (e.g., AD-integrated DNS) is an acceptable application. However, the DNS server must comply with the DNS STIG security requirements.
 
Some directory servers utilize specialized web servers for administrative functions and databases for data management. These web and database servers are permitted as long as they are dedicated to directory server support and only administrative users have access to them.</rawString>
    </Rule>
    <Rule id="V-14225" severity="medium" conversionstatus="pass" title="Administrator Account Password Changes" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Determine if any system administrators have left the organization within the last year.
 
Run the DUMPSEC utility.
Select "Dump Users as Table" from the "Report" menu.
Select the following fields, and click "Add" for each entry:
 
UserName
SID
PwsdLastSetTime
 
If the built-in Administrator account has a date older than one year in the "PwsdLastSetTime" column, this is a finding.
If any system administrators has left the organization within the last year and the "PwsdLastSetTime" field reflects the built-in Administrator account password was not changed at that time, this is a finding.</rawString>
    </Rule>
    <Rule id="V-14797" severity="low" conversionstatus="pass" title="Anonymous Access to Non-Public Root DSE Data" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>At this time, this is a finding for all Windows domain controllers for sensitive or classified levels as Windows Active Directory Domain Services (AD DS) does not provide a method to restrict anonymous access to the root DSE on domain controllers.
 
The following can be used to verify anonymous access is allowed.
 
Open a command prompt (not elevated).
Run "ldp.exe".
From the Connection menu, select Bind.
Clear the User, Password, and Domain fields.
Select Simple bind for the Bind type, Click OK.
 
RootDSE attributes should display, such as various namingContexts.
 
Confirmation of anonymous access will be displayed at the end:
res = ldap_simple_bind_s
Authenticated as: 'NT AUTHORITY\ANONYMOUS LOGON'</rawString>
    </Rule>
    <Rule id="V-14798" severity="high" conversionstatus="pass" title="Anonymous Access to Non-Public Data " dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Verify anonymous access is not allowed to the AD domain naming context.
 
Open a command prompt (not elevated).
Run "ldp.exe".
From the Connection menu, select Bind.
Clear the User, Password, and Domain fields.
Select Simple bind for the Bind type, Click OK.
 
Confirmation of anonymous access will be displayed at the end:
res = ldap_simple_bind_s
Authenticated as: 'NT AUTHORITY\ANONYMOUS LOGON'
 
From the Browse menu, select Search.
In the Search dialog, enter the DN of the domain naming context (generally something like "dc=disaost,dc=mil") in the Base DN field.
Clear the Attributes field and select Run.
 
Error messages should display related to bind and user not authenticated.
 
If attribute data is displayed, anonymous access is enabled to the domain naming context and this is a finding.</rawString>
    </Rule>
    <Rule id="V-14820" severity="high" conversionstatus="pass" title="Directory PKI Certificate Source - Server" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Verify the source of the domain controller's server certificate.
 
Run "mmc".
Select "Add/Remove Snap-in" from the File menu.
Select "Certificates" in the left pane and click the "Add &gt;" button.
Select "Computer Account", click "Next".
Select the appropriate option for "Select the computer you want this snap-in to manage.", click "Finish".
Click "OK".
Select and expand the Certificates (Local Computer) entry in the left pane.
Select and expand the Personal entry in the left pane.
Select the Certificates entry in the left pane.
In the right pane, examine the Issued By field for the certificate to determine the issuing CA.
 
If the Issued By field of the PKI certificate being used by the domain controller does not indicate the issuing Certificate Authority (CA) is part of the DoD PKI or an approved ECA, this is a finding.
 
 
There are multiple sources from which lists of valid DoD CAs and approved ECAs can be obtained:
 
The Global Directory Service (GDS) website provides an online source. The address for this site is https://crl.gds.disa.mil.
 
DoD Public Key Enablement (PKE) Engineering Support maintains the InstallRoot utility to manage DoD supported root certificates on Windows computers which includes a list of authorized CAs. The utility package can be downloaded from the PKI and PKE Tools page on IASE.
http://iase.disa.mil/pki-pke/function_pages/tools.html</rawString>
    </Rule>
    <Rule id="V-14831" severity="low" conversionstatus="pass" title="Inactive Server Connections" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Verify the value for MaxConnIdleTime.
 
Open an elevated command prompt.
Enter "ntdsutil".
At the "ntdsutil:" prompt, enter "LDAP policies".
At the "ldap policy:" prompt, enter "connections".
At the "server connections:" prompt, enter "connect to server [host-name]".
(Where [host-name] is the computer name of the domain controller.)
At the "server connections:" prompt, enter "q".
At the "ldap policy:" prompt, enter "show values".
 
If the value for MaxConnIdleTime is greater than 300 (the value for five minutes) or it is not specified, this is a finding.
 
Enter "q" at the "ldap policy:" and "ntdsutil:" prompts to exit.
 
 
Alternately, Dsquery can be used to display MaxConnIdleTime:
 
Open an elevated command prompt.
Enter the following command (on a single line).
dsquery * "cn=Default Query Policy,cn=Query-Policies,cn=Directory Service, cn=Windows NT,cn=Services,cn=Configuration,dc=[forest-name]" -attr LDAPAdminLimits
The quotes are required and dc=[forest-name] is the fully qualified LDAP name of the domain being reviewed (e.g., dc=disaost,dc=mil).</rawString>
    </Rule>
    <Rule id="V-15488" severity="medium" conversionstatus="pass" title="PKI Authentication Req" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Verify active directory user accounts, including administrators, have "Smart card is required for interactive logon" selected.
 
Run "PowerShell".
Enter the following:
"Get-ADUser -Filter {(Enabled -eq $True) -and (SmartcardLogonRequired -eq $False)} | FT Name"
("DistinguishedName" may be substituted for "Name" for more detailed output.)
If any user accounts are listed, this is a finding.
 
Alternately:
To view sample accounts in "Active Directory Users and Computers" (Available from various menus or run "dsa.msc"):
Select the Organizational Unit (OU) where the User accounts are located. (By default this is the Users node; however, accounts may be under other organization-defined OUs.)
Right click the sample User account and select "Properties".
Select the "Account" tab.
If any User accounts do not have "Smart card is required for interactive logon" checked in the "Account Options" area, this is a finding.</rawString>
    </Rule>
    <Rule id="V-21954" severity="medium" conversionstatus="pass" title="Kerberos Encryption Types" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Verify whether the registry key below exists. If it does not exist or the value is "0", this is not a finding.
If the registry key exists and contains a value other than "0", continue below.
 
The values are determined by the selection of encryption suites in the policy Computer Configuration &gt;&gt; Windows Settings &gt;&gt; Security Settings &gt;&gt; Local Policies &gt;&gt; Security Options &gt;&gt; "Network Security: Configure encryption types allowed for Kerberos".
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters\
Value Name: SupportedEncryptionTypes
Type: REG_DWORD
 
Due to the number of possible combinations that may include the DES encryption types, it is not possible to include all acceptable values as viewed directly in the registry.
 
If the registry key does exist, the value must be converted to binary to determine configuration of specific bits. This will determine whether this is a finding.
 
Note the value for the registry key.
For example, when all suites, including the DES suites are selected, the value will be "0x7fffffff (2147483647)".
 
Open the Windows calculator (Run/Search for "calc").
Select "View", then "Programmer".
Select "Dword" and either "Hex" or "Dec".
Enter the appropriate form of the value found for the registry key (e.g., Hex - enter 0x7fffffff, Dec - enter 2147483647)
Select "Bin".
The returned value may vary in length, up to 32 characters.
If the either of 2 right most characters are "1", this is a finding.
If the both of 2 right most characters are "0", this is not a finding.</rawString>
    </Rule>
    <Rule id="V-32274" severity="medium" conversionstatus="pass" title="WINPK-000003" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Verify the DoD Interoperability cross-certificates are installed on unclassified systems as Untrusted Certificates.
 
Run "PowerShell" as an administrator.
Execute the following command:
Get-ChildItem -Path Cert:Localmachine\disallowed | Where {$_.Issuer -Like "*DoD Interoperability*" -and $_.Subject -Like "*DoD*"} | FL Subject, Issuer, Thumbprint
If the following information is not displayed, this is finding.
 
Subject: CN=DoD Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US
Issuer: CN=DoD Interoperability Root CA 1, OU=PKI, OU=DoD, O=U.S. Government, C=US
Thumbprint: 22BBE981F0694D246CC1472ED2B021DC8540A22F
 
Subject: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=US
Issuer: CN=DoD Interoperability Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US
Thumbprint: FFAD03329B9E527A43EEC66A56F9CBB5393E6E13
 
Subject: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=US
Issuer: CN=DoD Interoperability Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US
Thumbprint: FCE1B1E25374DD94F5935BEB86CA643D8C8D1FF4
 
Alternately use the Certificates MMC snap-in:
Run "MMC".
Select "File", "Add/Remove Snap-in".
Select "Certificates", click "Add".
Select "Computer account", click "Next".
Select "Local computer: (the computer this console is running on)", click "Finish".
Click "OK".
Expand "Certificates" and navigate to "Untrusted Certificates &gt;&gt; Certificates".
 
For each certificate with "DoD Root CA…" under "Issued To" and "DoD Interoperability Root CA…" under "Issued By":
Right click on the certificate and select "Open".
Select the "Details" Tab.
Scroll to the bottom and select "Thumbprint".
 
If the certificates below are not listed or the value for the "Thumbprint" field is not as noted, this is a finding.
 
Issued To - Issued By - Thumbprint
DoD Root CA 2 - DoD Interoperability Root CA 1 - 22BBE981F0694D246CC1472ED2B021DC8540A22F
DoD Root CA 3 - DoD Interoperability Root CA 2 - FFAD03329B9E527A43EEC66A56F9CBB5393E6E13
DoD Root CA 3 - DoD Interoperability Root CA 2 - FCE1B1E25374DD94F5935BEB86CA643D8C8D1FF4</rawString>
    </Rule>
    <Rule id="V-36451" severity="high" conversionstatus="pass" title="Accounts with administrative privileges Internet access" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Determine whether administrative accounts are prevented from using applications that access the Internet, such as web browsers, or with potential Internet sources, such as email, except as necessary for local service administration.
 
The organization must have a policy that prohibits administrative accounts from using applications that access the Internet, such as web browsers, or with potential Internet sources, such as email, except as necessary for local service administration. The policy should define specific exceptions for local service administration. These exceptions may include HTTP(S)-based tools that are used for the administration of the local system, services, or attached devices.
 
Technical measures such as the removal of applications or application whitelisting must be used where feasible to prevent the use of applications that access the Internet.
 
If accounts with administrative privileges are not prevented from using applications that access the Internet or with potential Internet sources, this is a finding.</rawString>
    </Rule>
    <Rule id="V-36659" severity="high" conversionstatus="pass" title="WIN00-000005-02" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Verify each user with administrative privileges has been assigned a unique administrative account separate from their standard user account.
 
If users with administrative privileges do not have separate accounts for administrative functions and standard user functions, this is a finding.</rawString>
    </Rule>
    <Rule id="V-36661" severity="medium" conversionstatus="pass" title="WIN00-000010-01" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Verify the site has a policy to ensure passwords for manually managed application/service accounts are at least 15 characters in length. If such a policy does not exist or has not been implemented, this is a finding.</rawString>
    </Rule>
    <Rule id="V-36662" severity="medium" conversionstatus="pass" title="WIN00-000010-02" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Determine if any system administrators with knowledge of application account passwords have left the organization within the last year.
 
Run the DUMPSEC utility.
Select "Dump Users as Table" from the "Report" menu.
Select the following fields, and click "Add" for each entry:
 
UserName
SID
PwsdLastSetTime
 
If any application accounts listed that are manually managed and have a date older than one year in the "PwsdLastSetTime" column, this is a finding.
If any system administrators with knowledge of application account passwords have left the organization within the last year and the "PwsdLastSetTime" field reflects that application account passwords were not changed at that time, this is a finding.</rawString>
    </Rule>
    <Rule id="V-36666" severity="medium" conversionstatus="pass" title="WIN00-000014" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Determine whether the site has a policy that requires SAs be trained for all operating systems running on systems under their control. If the site does not have a policy requiring SAs be trained for all operating systems under their control, this is a finding.</rawString>
    </Rule>
    <Rule id="V-36670" severity="medium" conversionstatus="pass" title="WINAU-000100" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Determine whether audit logs are reviewed on a predetermined schedule. If audit logs are not reviewed on a regular basis, this is a finding.</rawString>
    </Rule>
    <Rule id="V-36671" severity="medium" conversionstatus="pass" title="WINAU-000101" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Determine whether audit data is retained for at least one year. If the audit data is not retained for at least a year, this is a finding.</rawString>
    </Rule>
    <Rule id="V-36672" severity="medium" conversionstatus="pass" title="WINAU-000102" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Determine if a process to back up log data to a different system or media than the system being audited has been implemented. If it has not, this is a finding.</rawString>
    </Rule>
    <Rule id="V-36733" severity="low" conversionstatus="pass" title="WINGE-000027" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Determine whether user-level information is backed up in accordance with local recovery time and recovery point objectives. If user-level information is not backed up in accordance with local recovery time and recovery point objectives, this is a finding.</rawString>
    </Rule>
    <Rule id="V-36734" severity="medium" conversionstatus="pass" title="WINGE-000028" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Verify the operating system employs automated mechanisms to determine the state of system components with regard to flaw remediation using the following frequency: continuously, where HBSS is used; 30 days, for any additional internal network scans not covered by HBSS; and annually, for external scans by Computer Network Defense Service Provider (CNDSP). If it does not, this is a finding.</rawString>
    </Rule>
    <Rule id="V-36735" severity="medium" conversionstatus="pass" title="WINGE-000029" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Verify the organization has an automated process to install security-related software updates. If it does not, this is a finding.</rawString>
    </Rule>
    <Rule id="V-36736" severity="medium" conversionstatus="pass" title="WINGE-000030" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Verify the system has software installed and running that provides certificate validation and revocation checking. If it does not, this is a finding.</rawString>
    </Rule>
    <Rule id="V-39325" severity="medium" conversionstatus="pass" title="WINAU-000207-DC" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Verify the auditing configuration for group policy objects.
 
Open "Group Policy Management". (Available from various menus, or run "gpmc.msc".)
Navigate to "Group Policy Objects" in the domain being reviewed (Forest &gt; Domains &gt; Domain).
 
For each Group Policy object:
Select the Group Policy Object item in the left pane.
Select the Delegation tab in the right pane.
Select the Advanced button.
Select the Advanced button again and then the Auditing tab.
 
If the audit settings for any Group Policy object are not at least as inclusive as those below, this is a finding.
 
Type - Fail
Principal - Everyone
Access - Full Control
Applies to - This object and all descendant objects or Descendant groupPolicyContainer objects
 
The three Success types listed below are defaults inherited from the Parent Object. Where Special is listed in the summary screens for Access, detailed Permissions are provided for reference, various Properties selections may also exist by default.
 
Type - Success
Principal - Everyone
Access - Special
Inherited from - Parent Object
Applies to - Descendant groupPolicyContainer objects
(Access - Special = Permissions: Write all properties, Modify permissions)
 
Two instances with the following summary information will be listed.
Type - Success
Principal - Everyone
Access - (blank)
Inherited from - Parent Object
Applies to - Descendant Organization Unit Objects</rawString>
    </Rule>
    <Rule id="V-39332" severity="high" conversionstatus="pass" title="WINAD-000004-DC" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Verify the permissions on the Domain Controllers OU.
 
Open "Active Directory Users and Computers". (Available from various menus or run "dsa.msc".)
Select Advanced Features in the View menu if not previously selected.
Navigate to the Domain Controllers OU (folder in folder icon).
Right click the OU and select Properties.
Select the Security tab.
 
If the permissions on the Domain Controllers OU are not at least as restrictive as those below, this is a finding.
 
The permissions shown are at the summary level. More detailed permissions can be viewed by selecting the Advanced button, selecting the desired Permission entry, and the Edit button.
 
SELF - Special permissions
 
Authenticated Users - Read, Special permissions
The Special permissions for Authenticated Users are Read types. If detailed permissions include any Create, Delete, Modify, or Write Permissions or Properties, this is a finding.
 
SYSTEM - Full Control
 
Domain Admins - Read, Write, Create all child objects, Generate resultant set of policy (logging), Generate resultant set of policy (planning), Special permissions
 
Enterprise Admins - Full Control
 
Administrators - Read, Write, Create all child objects, Generate resultant set of policy (logging), Generate resultant set of policy (planning), Special permissions
 
Pre-Windows 2000 Compatible Access - Special permissions
The Special permissions for Pre-Windows 2000 Compatible Access are Read types. If detailed permissions include any Create, Delete, Modify, or Write Permissions or Properties, this is a finding.
 
ENTERPRISE DOMAIN CONTROLLERS - Read, Special permissions</rawString>
    </Rule>
    <Rule id="V-39334" severity="medium" conversionstatus="pass" title="WINPK-000005-DC" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Verify the domain controller has a PKI server certificate.
 
Run "mmc".
Select "Add/Remove Snap-in" from the File menu.
Select "Certificates" in the left pane and click the "Add &gt;" button.
Select "Computer Account", click "Next".
Select the appropriate option for "Select the computer you want this snap-in to manage.", click "Finish".
Click "OK".
Select and expand the Certificates (Local Computer) entry in the left pane.
Select and expand the Personal entry in the left pane.
Select the Certificates entry in the left pane.
 
If no certificate for the domain controller exists in the right pane, this is a finding.</rawString>
    </Rule>
    <Rule id="V-40172" severity="low" conversionstatus="pass" title="WN00-000016" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Determine if system-level information backups are protected from destruction and stored in a physically secure location. If they are not, this is a finding.</rawString>
    </Rule>
    <Rule id="V-40175" severity="high" conversionstatus="pass" title="WIN00-000110 " dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>This requirement is NA if McAfee VirusScan Enterprise (VSE) is used. It will be addressed with the corresponding McAfee VSE STIG.
 
Configurations will vary depending on the product.
 
Review the antivirus program signature update configuration.
 
If the antivirus program is not configured to update the signature files on a daily basis, this is a finding.
 
It may not be possible for systems to receive updates on a daily basis due to various factors. If the signature file is more than a week old, this is a finding.</rawString>
    </Rule>
    <Rule id="V-40198" severity="medium" conversionstatus="pass" title="WN00-000009-02" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If no accounts are members of the Backup Operators group, this is NA.
 
Verify users with accounts in the Backup Operators group have a separate user account for backup functions and for performing normal user tasks. If users with accounts in the Backup Operators group do not have separate accounts for backup functions and standard user functions, this is a finding.</rawString>
    </Rule>
    <Rule id="V-40237" severity="medium" conversionstatus="pass" title="WINPK-000004" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Verify the US DoD CCEB Interoperability Root CA cross-certificate is installed on unclassified systems as an Untrusted Certificate.
 
Run "PowerShell" as an administrator.
Execute the following command:
Get-ChildItem -Path Cert:Localmachine\disallowed | Where Issuer -Like "*CCEB Interoperability*" | FL Subject, Issuer, Thumbprint
If the following information is not displayed, this is finding.
 
Subject: CN=DoD Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US
Issuer: CN=US DoD CCEB Interoperability Root CA 1, OU=PKI, OU=DoD, O=U.S. Government, C=US
Thumbprint: DA36FAF56B2F6FBA1604F5BE46D864C9FA013BA3
 
Alternately use the Certificates MMC snap-in:
Run "MMC".
Select "File", "Add/Remove Snap-in".
Select "Certificates", click "Add".
Select "Computer account", click "Next".
Select "Local computer: (the computer this console is running on)", click "Finish".
Click "OK".
Expand "Certificates" and navigate to "Untrusted Certificates &gt;&gt; Certificates".
 
For each certificate with "US DoD CCEB Interoperability Root CA …" under "Issued By":
Right click on the certificate and select "Open".
Select the "Details" Tab.
Scroll to the bottom and select "Thumbprint".
 
If the certificate below is not listed or the value for the "Thumbprint" field is not as noted, this is a finding.
 
Issued To - Issued By - Thumbprint
DoD Root CA 2 - US DoD CCEB Interoperability Root CA 1 - DA36FAF56B2F6FBA1604F5BE46D864C9FA013BA3</rawString>
    </Rule>
    <Rule id="V-42420" severity="medium" conversionstatus="pass" title="WINFW-000001" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Determine if a host-based firewall is installed and enabled on the system. If a host-based firewall is not installed and enabled on the system, this is a finding.
 
The configuration requirements will be determined by the applicable firewall STIG.</rawString>
    </Rule>
    <Rule id="V-57637" severity="medium" conversionstatus="pass" title="WIN00-000018" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>This is applicable to unclassified systems, for other systems this is NA.
 
Verify the operating system employs a deny-all, permit-by-exception policy to allow the execution of authorized software programs.
 
If an application whitelisting program is not in use on the system, this is a finding.
 
Configuration of whitelisting applications will vary by the program.
 
AppLocker is a whitelisting application built into Windows Server 2012. A deny-by-default implementation is initiated by enabling any AppLocker rules within a category, only allowing what is specified by defined rules.
 
If AppLocker is used, perform the following to view the configuration of AppLocker:
Open PowerShell.
 
If the AppLocker PowerShell module has not been previously imported, execute the following first:
Import-Module AppLocker
 
Execute the following command, substituting [c:\temp\file.xml] with a location and file name appropriate for the system:
Get-AppLockerPolicy -Effective -XML &gt; c:\temp\file.xml
 
This will produce an xml file with the effective settings that can be viewed in a browser or opened in a program such as Excel for review.
 
Implementation guidance for AppLocker is available in the NSA paper "Application Whitelisting using Microsoft AppLocker" under the Microsoft Windows section of the following link:
 
https://www.nsa.gov/ia/mitigation_guidance/security_configuration_guides/operating_systems.shtml</rawString>
    </Rule>
    <Rule id="V-57641" severity="medium" conversionstatus="pass" title="WIN00-000019" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process, verify protection methods such as TLS, encrypted VPNs, or IPSEC have been implemented. If protection methods have not been implemented, this is a finding.</rawString>
    </Rule>
    <Rule id="V-57645" severity="medium" conversionstatus="pass" title="WIN00-000020" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Verify systems that require additional protections due to factors such as inadequate physical protection or sensitivity of the data employ encryption to protect the confidentiality and integrity of all information at rest. If it does not, this is a finding.</rawString>
    </Rule>
    <Rule id="V-57653" severity="medium" conversionstatus="pass" title="WINGE-000056" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Verify the operating system automatically disables temporary user accounts after 72 hours. If it does not, this is a finding.
 
Determine if temporary user accounts are used and identify any that may be in existence.
For Domain Accounts:
Open PowerShell.
Run the command "Search-ADAccount -AccountExpiring" to determine if account expiration dates have been configured on any temporary accounts.
For any accounts returned, run the command "Get-ADUser -Identity &lt;Name&gt; -Property WhenCreated" to determine when the account was created.
 
Local accounts:
Run "Net user &lt;username&gt;". This will list the account properties, including "Account Expires".</rawString>
    </Rule>
    <Rule id="V-57655" severity="medium" conversionstatus="pass" title="WINGE-000057" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Verify the operating system is configured such that emergency administrator accounts are automatically removed or disabled after the crisis is resolved or within 72 hours. If it is not, this is a finding.
 
Determine if emergency accounts are used and identify any that may be in existence.
For Domain Accounts:
Open PowerShell.
Run the command "Search-ADAccount -AccountExpiring" to determine if account expiration dates have been configured on any emergency accounts.
 
Local accounts:
Run "Net user &lt;username&gt;". This will list the account properties, including "Account Expires".</rawString>
    </Rule>
    <Rule id="V-57719" severity="medium" conversionstatus="pass" title="WINAU-000203" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Verify the operating system, at a minimum, off-loads audit records of interconnected systems in real time and off-loads standalone systems weekly. If it does not, this is a finding.</rawString>
    </Rule>
  </ManualRule>
  <PermissionRule dscresourcemodule="AccessControlDsc">
    <Rule id="V-1152" severity="high" conversionstatus="pass" title="Anonymous Access to the Registry" dscresource="RegistryAccessEntry">
      <AccessControlEntry>
        <Entry>
          <Type>
          </Type>
          <Principal>Administrators</Principal>
          <ForcePrincipal>False</ForcePrincipal>
          <Inheritance>This Key and Subkeys</Inheritance>
          <Rights>FullControl</Rights>
        </Entry>
        <Entry>
          <Type>
          </Type>
          <Principal>Backup Operators</Principal>
          <ForcePrincipal>False</ForcePrincipal>
          <Inheritance>This Key Only</Inheritance>
          <Rights>ReadKey</Rights>
        </Entry>
        <Entry>
          <Type>
          </Type>
          <Principal>LOCAL SERVICE</Principal>
          <ForcePrincipal>False</ForcePrincipal>
          <Inheritance>This Key and Subkeys</Inheritance>
          <Rights>ReadKey</Rights>
        </Entry>
      </AccessControlEntry>
      <Force>True</Force>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <Path>HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg\</Path>
      <rawString>Run "Regedit".
Navigate to the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg\
 
If the key does not exist, this is a finding.
 
Right-click on "winreg" and select "Permissions…".
Select "Advanced".
 
If the permissions are not as restrictive as the defaults listed below, this is a finding.
 
The following are the same for each permission listed:
Type - Allow
Inherited from - None
 
Columns: Principal - Access - Applies to
Administrators - Full Control - This key and subkeys
Backup Operators - Read - This key only
LOCAL SERVICE - Read - This key and subkeys</rawString>
    </Rule>
    <Rule id="V-8316" severity="high" conversionstatus="pass" title="Data File Access Permissions" dscresource="NTFSAccessEntry">
      <AccessControlEntry>
        <Entry>
          <Type>
          </Type>
          <Principal>NT AUTHORITY\SYSTEM</Principal>
          <ForcePrincipal>False</ForcePrincipal>
          <Inheritance>
          </Inheritance>
          <Rights>FullControl</Rights>
        </Entry>
        <Entry>
          <Type>
          </Type>
          <Principal>BUILTIN\Administrators</Principal>
          <ForcePrincipal>False</ForcePrincipal>
          <Inheritance>
          </Inheritance>
          <Rights>FullControl</Rights>
        </Entry>
      </AccessControlEntry>
      <Force>True</Force>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <Path>%windir%\NTDS\*.*</Path>
      <rawString>Verify the permissions on the content of the NTDS directory.
 
Open the registry editor (regedit).
Navigate to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters.
Note the directory locations in the values for:
Database log files path
DSA Database file
 
By default they will be \Windows\NTDS. If the locations are different, the following will need to be run for each.
 
Open an elevated command prompt (Win+x, Command Prompt (Admin)).
Navigate to the NTDS directory (\Windows\NTDS by default).
Run "icacls *.*".
 
If the permissions on each file are not at least as restrictive as the following, this is a finding.
 
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Administrators:(I)(F)
 
(I) - permission inherited from parent container
(F) - full access
 
Do not use File Explorer to attempt to view permissions of the NTDS folder. Accessing the folder through File Explorer will change the permissions on the folder.</rawString>
    </Rule>
    <Rule id="V-26070" severity="high" conversionstatus="pass" title="Winlogon Registry Permissions" dscresource="RegistryAccessEntry">
      <AccessControlEntry>
        <Entry>
          <Type>
          </Type>
          <Principal>TrustedInstaller</Principal>
          <ForcePrincipal>False</ForcePrincipal>
          <Inheritance>This Key and Subkeys</Inheritance>
          <Rights>FullControl</Rights>
        </Entry>
        <Entry>
          <Type>
          </Type>
          <Principal>SYSTEM</Principal>
          <ForcePrincipal>False</ForcePrincipal>
          <Inheritance>This Key and Subkeys</Inheritance>
          <Rights>FullControl</Rights>
        </Entry>
        <Entry>
          <Type>
          </Type>
          <Principal>Administrators</Principal>
          <ForcePrincipal>False</ForcePrincipal>
          <Inheritance>This Key and Subkeys</Inheritance>
          <Rights>FullControl</Rights>
        </Entry>
        <Entry>
          <Type>
          </Type>
          <Principal>Users</Principal>
          <ForcePrincipal>False</ForcePrincipal>
          <Inheritance>This Key and Subkeys</Inheritance>
          <Rights>ReadKey</Rights>
        </Entry>
        <Entry>
          <Type>
          </Type>
          <Principal>ALL APPLICATION PACKAGES</Principal>
          <ForcePrincipal>False</ForcePrincipal>
          <Inheritance>This Key and Subkeys</Inheritance>
          <Rights>ReadKey</Rights>
        </Entry>
      </AccessControlEntry>
      <Force>True</Force>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <Path>HKLM:\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Winlogon\</Path>
      <rawString>Run "Regedit".
Navigate to the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
 
Right-click on "WinLogon" and select "Permissions…".
Select "Advanced".
 
If the permissions are not as restrictive as the defaults listed below, this is a finding.
 
The following are the same for each permission listed:
Type - Allow
Inherited from - MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
Applies to - This key and subkeys
 
Columns: Principal - Access
TrustedInstaller - Full Control
SYSTEM - Full Control
Administrators - Full Control
Users - Read
ALL APPLICATION PACKAGES - Read</rawString>
    </Rule>
    <Rule id="V-32282" severity="high" conversionstatus="pass" title="WINRG-000001 Active Setup\Installed Components Registry Permissions" dscresource="RegistryAccessEntry">
      <AccessControlEntry>
        <Entry>
          <Type>
          </Type>
          <Principal>Users</Principal>
          <ForcePrincipal>False</ForcePrincipal>
          <Inheritance>
          </Inheritance>
          <Rights>ReadKey</Rights>
        </Entry>
        <Entry>
          <Type>
          </Type>
          <Principal>Administrators</Principal>
          <ForcePrincipal>False</ForcePrincipal>
          <Inheritance>
          </Inheritance>
          <Rights>FullControl</Rights>
        </Entry>
        <Entry>
          <Type>
          </Type>
          <Principal>SYSTEM</Principal>
          <ForcePrincipal>False</ForcePrincipal>
          <Inheritance>
          </Inheritance>
          <Rights>FullControl</Rights>
        </Entry>
        <Entry>
          <Type>
          </Type>
          <Principal>CREATOR OWNER</Principal>
          <ForcePrincipal>False</ForcePrincipal>
          <Inheritance>Subkeys Only</Inheritance>
          <Rights>FullControl</Rights>
        </Entry>
        <Entry>
          <Type>
          </Type>
          <Principal>ALL APPLICATION PACKAGES</Principal>
          <ForcePrincipal>False</ForcePrincipal>
          <Inheritance>
          </Inheritance>
          <Rights>ReadKey</Rights>
        </Entry>
      </AccessControlEntry>
      <Force>True</Force>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <Path>HKLM:\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\</Path>
      <rawString>Run "Regedit".
Navigate to the following registry keys and review the permissions:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\ (64-bit systems)
 
If the default permissions listed below have been changed, this is a finding.
 
Users - Read
Administrators - Full Control
SYSTEM - Full Control
CREATOR OWNER - Full Control (Subkeys only)
ALL APPLICATION PACKAGES - Read</rawString>
    </Rule>
    <Rule id="V-36722" severity="medium" conversionstatus="pass" title="WINAU-000204" dscresource="NTFSAccessEntry">
      <AccessControlEntry>
        <Entry>
          <Type>
          </Type>
          <Principal>Eventlog</Principal>
          <ForcePrincipal>False</ForcePrincipal>
          <Inheritance>
          </Inheritance>
          <Rights>FullControl</Rights>
        </Entry>
        <Entry>
          <Type>
          </Type>
          <Principal>SYSTEM</Principal>
          <ForcePrincipal>False</ForcePrincipal>
          <Inheritance>
          </Inheritance>
          <Rights>FullControl</Rights>
        </Entry>
        <Entry>
          <Type>
          </Type>
          <Principal>Administrators</Principal>
          <ForcePrincipal>False</ForcePrincipal>
          <Inheritance>
          </Inheritance>
          <Rights>FullControl</Rights>
        </Entry>
      </AccessControlEntry>
      <Force>True</Force>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <Path>%windir%\SYSTEM32\WINEVT\LOGS\Application.evtx</Path>
      <rawString>Verify the permissions on the Application event log (Application.evtx). Standard user accounts or groups must not have greater than Read access. The default permissions listed below satisfy this requirement:
 
Eventlog - Full Control
SYSTEM - Full Control
Administrators - Full Control
 
The default location is the "%SystemRoot%\SYSTEM32\WINEVT\LOGS" directory. They may have been moved to another folder.
 
If the permissions for these files are not as restrictive as the ACLs listed, this is a finding.</rawString>
    </Rule>
    <Rule id="V-36723" severity="medium" conversionstatus="pass" title="WINAU-000205" dscresource="NTFSAccessEntry">
      <AccessControlEntry>
        <Entry>
          <Type>
          </Type>
          <Principal>Eventlog</Principal>
          <ForcePrincipal>False</ForcePrincipal>
          <Inheritance>
          </Inheritance>
          <Rights>FullControl</Rights>
        </Entry>
        <Entry>
          <Type>
          </Type>
          <Principal>SYSTEM</Principal>
          <ForcePrincipal>False</ForcePrincipal>
          <Inheritance>
          </Inheritance>
          <Rights>FullControl</Rights>
        </Entry>
        <Entry>
          <Type>
          </Type>
          <Principal>Administrators</Principal>
          <ForcePrincipal>False</ForcePrincipal>
          <Inheritance>
          </Inheritance>
          <Rights>FullControl</Rights>
        </Entry>
      </AccessControlEntry>
      <Force>True</Force>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <Path>%windir%\SYSTEM32\WINEVT\LOGS\Security.evtx</Path>
      <rawString>Verify the permissions on the Security event log (Security.evtx). Standard user accounts or groups must not have access. The default permissions listed below satisfy this requirement:
 
Eventlog - Full Control
SYSTEM - Full Control
Administrators - Full Control
 
The default location is the "%SystemRoot%\SYSTEM32\WINEVT\LOGS" directory. They may have been moved to another folder.
 
If the permissions for these files are not as restrictive as the ACLs listed, this is a finding.</rawString>
    </Rule>
    <Rule id="V-36724" severity="medium" conversionstatus="pass" title="WINAU-000206" dscresource="NTFSAccessEntry">
      <AccessControlEntry>
        <Entry>
          <Type>
          </Type>
          <Principal>Eventlog</Principal>
          <ForcePrincipal>False</ForcePrincipal>
          <Inheritance>
          </Inheritance>
          <Rights>FullControl</Rights>
        </Entry>
        <Entry>
          <Type>
          </Type>
          <Principal>SYSTEM</Principal>
          <ForcePrincipal>False</ForcePrincipal>
          <Inheritance>
          </Inheritance>
          <Rights>FullControl</Rights>
        </Entry>
        <Entry>
          <Type>
          </Type>
          <Principal>Administrators</Principal>
          <ForcePrincipal>False</ForcePrincipal>
          <Inheritance>
          </Inheritance>
          <Rights>FullControl</Rights>
        </Entry>
      </AccessControlEntry>
      <Force>True</Force>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <Path>%windir%\SYSTEM32\WINEVT\LOGS\System.evtx</Path>
      <rawString>Verify the permissions on the System event log (System.evtx). Standard user accounts or groups must not have greater than Read access. The default permissions listed below satisfy this requirement:
 
Eventlog - Full Control
SYSTEM - Full Control
Administrators - Full Control
 
The default location is the "%SystemRoot%\SYSTEM32\WINEVT\LOGS" directory. They may have been moved to another folder.
 
If the permissions for these files are not as restrictive as the ACLs listed, this is a finding.</rawString>
    </Rule>
    <Rule id="V-39326" severity="medium" conversionstatus="fail" title="WINAU-000208-DC" dscresource="ActiveDirectoryAuditRuleEntry">
      <AccessControlEntry>
        <Entry>
          <Type>Fail</Type>
          <Principal>Everyone</Principal>
          <ForcePrincipal>False</ForcePrincipal>
          <Inheritance>
          </Inheritance>
          <Rights>FullControl</Rights>
        </Entry>
        <Entry>
          <Type>Success</Type>
          <Principal>Everyone</Principal>
          <ForcePrincipal>False</ForcePrincipal>
          <Inheritance>
          </Inheritance>
          <Rights>
          </Rights>
        </Entry>
        <Entry>
          <Type>Success</Type>
          <Principal>Domain Users</Principal>
          <ForcePrincipal>False</ForcePrincipal>
          <Inheritance>
          </Inheritance>
          <Rights>AllExtendedRights</Rights>
        </Entry>
        <Entry>
          <Type>Success</Type>
          <Principal>Administrators</Principal>
          <ForcePrincipal>False</ForcePrincipal>
          <Inheritance>
          </Inheritance>
          <Rights>AllExtendedRights</Rights>
        </Entry>
        <Entry>
          <Type>Success</Type>
          <Principal>Everyone</Principal>
          <ForcePrincipal>False</ForcePrincipal>
          <Inheritance>
          </Inheritance>
          <Rights>WriteallProperties,ModifyPermissions,ModifyOwner</Rights>
        </Entry>
      </AccessControlEntry>
      <Force>True</Force>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <Path>{Domain}</Path>
      <rawString>Verify the auditing configuration for the Domain object.
 
Open "Active Directory Users and Computers". (Available from various menus or run "dsa.msc".)
Ensure Advanced Features is selected in the View menu.
Select the domain being reviewed in the left pane.
Right click the domain name and select Properties.
Select the Security tab.
Select the Advanced button and then the Auditing tab.
 
If the audit settings on the Domain object are not at least as inclusive as those below, this is a finding.
 
Type - Fail
Principal - Everyone
Access - Full Control
Inherited from - None
Applies to - This object only
 
The success types listed below are defaults. Where Special is listed in the summary screens for Access, detailed Permissions are provided for reference, various Properties selections may also exist by default.
 
Two instances with the following summary information will be listed.
Type - Success
Principal - Everyone
Access - (blank)
Inherited from - None
Applies to - Special
 
Type - Success
Principal - Domain Users
Access - All extended rights
Inherited from - None
Applies to - This object only
 
Type - Success
Principal - Administrators
Access - All extended rights
Inherited from - None
Applies to - This object only
 
Type - Success
Principal - Everyone
Access - Special
Inherited from - None
Applies to - This object only
(Access - Special = Permissions: Write all properties, Modify permissions, Modify owner)</rawString>
    </Rule>
    <Rule id="V-39327" severity="medium" conversionstatus="fail" title="WINAU-000209-DC" dscresource="ActiveDirectoryAuditRuleEntry">
      <AccessControlEntry>
        <Entry>
          <Type>Fail</Type>
          <Principal>Everyone</Principal>
          <ForcePrincipal>False</ForcePrincipal>
          <Inheritance>
          </Inheritance>
          <Rights>FullControl</Rights>
        </Entry>
        <Entry>
          <Type>Success</Type>
          <Principal>Everyone</Principal>
          <ForcePrincipal>False</ForcePrincipal>
          <Inheritance>
          </Inheritance>
          <Rights>WriteallProperties,AllExtendedRights,ChangeInfrastructureMaster</Rights>
        </Entry>
        <Entry>
          <Type>Success</Type>
          <Principal>Everyone</Principal>
          <ForcePrincipal>False</ForcePrincipal>
          <Inheritance>
          </Inheritance>
          <Rights>
          </Rights>
        </Entry>
      </AccessControlEntry>
      <Force>True</Force>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <Path>CN=Infrastructure,{Domain}</Path>
      <rawString>Verify the auditing configuration for Infrastructure object.
 
Open "Active Directory Users and Computers". (Available from various menus or run "dsa.msc".)
Ensure Advanced Features is selected in the View menu.
Select the domain being reviewed in the left pane.
Right click the Infrastructure object in the right pane and select Properties.
Select the Security tab.
Select the Advanced button and then the Auditing tab.
 
If the audit settings on the Infrastructure object are not at least as inclusive as those below, this is a finding.
 
Type - Fail
Principal - Everyone
Access - Full Control
Inherited from - None
 
The success types listed below are defaults. Where Special is listed in the summary screens for Access, detailed Permissions are provided for reference, various Properties selections may also exist by default.
 
Type - Success
Principal - Everyone
Access - Special
Inherited from - None
(Access - Special = Permissions: Write all properties, All extended rights, Change infrastructure master)
 
Two instances with the following summary information will be listed.
Type - Success
Principal - Everyone
Access - (blank)
Inherited from - (CN of domain)</rawString>
    </Rule>
    <Rule id="V-39328" severity="medium" conversionstatus="fail" title="WINAU-000210-DC" dscresource="ActiveDirectoryAuditRuleEntry">
      <AccessControlEntry>
        <Entry>
          <Type>Fail</Type>
          <Principal>Everyone</Principal>
          <ForcePrincipal>False</ForcePrincipal>
          <Inheritance>
          </Inheritance>
          <Rights>FullControl</Rights>
        </Entry>
        <Entry>
          <Type>Success</Type>
          <Principal>Everyone</Principal>
          <ForcePrincipal>False</ForcePrincipal>
          <Inheritance>
          </Inheritance>
          <Rights>Createallchildobjects,Delete,ModifyPermissions</Rights>
        </Entry>
        <Entry>
          <Type>Success</Type>
          <Principal>Everyone</Principal>
          <ForcePrincipal>False</ForcePrincipal>
          <Inheritance>
          </Inheritance>
          <Rights>WriteallProperties</Rights>
        </Entry>
        <Entry>
          <Type>Success</Type>
          <Principal>Everyone</Principal>
          <ForcePrincipal>False</ForcePrincipal>
          <Inheritance>
          </Inheritance>
          <Rights>
          </Rights>
        </Entry>
      </AccessControlEntry>
      <Force>True</Force>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <Path>OU=Domain Controllers,{Domain}</Path>
      <rawString>Verify the auditing configuration for the Domain Controller OU object.
 
Open "Active Directory Users and Computers". (Available from various menus or run "dsa.msc".)
Ensure Advanced Features is selected in the View menu.
Select the Domain Controllers OU under the domain being reviewed in the left pane.
Right click the Domain Controllers OU object and select Properties.
Select the Security tab.
Select the Advanced button and then the Auditing tab.
 
If the audit settings on the Domain Controllers OU object are not at least as inclusive as those below, this is a finding.
 
Type - Fail
Principal - Everyone
Access - Full Control
Inherited from - None
Applies to - This object and all descendant objects
 
The success types listed below are defaults. Where Special is listed in the summary screens for Access, detailed Permissions are provided for reference, various Properties selections may also exist by default.
 
Type - Success
Principal - Everyone
Access - Special
Inherited from - None
Applies to - This object only
(Access - Special = Permissions: all create, delete and modify permissions)
 
Type - Success
Principal - Everyone
Access - Write all properties
Inherited from - None
Applies to - This object and all descendant objects
 
Two instances with the following summary information will be listed.
Type - Success
Principal - Everyone
Access - (blank)
Inherited from - (CN of domain)
Applies to - Descendant Organizational Unit objects</rawString>
    </Rule>
    <Rule id="V-39329" severity="medium" conversionstatus="fail" title="WINAU-000211-DC" dscresource="ActiveDirectoryAuditRuleEntry">
      <AccessControlEntry>
        <Entry>
          <Type>Fail</Type>
          <Principal>Everyone</Principal>
          <ForcePrincipal>False</ForcePrincipal>
          <Inheritance>
          </Inheritance>
          <Rights>FullControl</Rights>
        </Entry>
        <Entry>
          <Type>Success</Type>
          <Principal>Everyone</Principal>
          <ForcePrincipal>False</ForcePrincipal>
          <Inheritance>
          </Inheritance>
          <Rights>WriteallProperties,ModifyPermissions,ModifyOwner</Rights>
        </Entry>
        <Entry>
          <Type>Success</Type>
          <Principal>Everyone</Principal>
          <ForcePrincipal>False</ForcePrincipal>
          <Inheritance>
          </Inheritance>
          <Rights>
          </Rights>
        </Entry>
      </AccessControlEntry>
      <Force>True</Force>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <Path>CN=AdminSDHolder,CN=System,{Domain}</Path>
      <rawString>Verify the auditing configuration for the AdminSDHolder object.
 
Open "Active Directory Users and Computers". (Available from various menus or run "dsa.msc".)
Ensure Advanced Features is selected in the View menu.
Select System under the domain being reviewed in the left pane.
Right click the AdminSDHolder object in the right pane and select Properties.
Select the Security tab.
Select the Advanced button and then the Auditing tab.
 
If the audit settings on the AdminSDHolder object are not at least as inclusive as those below, this is a finding.
 
Type - Fail
Principal - Everyone
Access - Full Control
Inherited from - None
Applies to - This object only
 
The success types listed below are defaults. Where Special is listed in the summary screens for Access, detailed Permissions are provided for reference, various Properties selections may also exist by default.
 
Type - Success
Principal - Everyone
Access - Special
Inherited from - None
Applies to - This object only
(Access - Special = Write all properties, Modify permissions, Modify owner)
 
Two instances with the following summary information will be listed.
Type - Success
Principal - Everyone
Access - (blank)
Inherited from - (CN of domain)
Applies to - Descendant Organizational Unit objects</rawString>
    </Rule>
    <Rule id="V-39330" severity="medium" conversionstatus="fail" title="WINAU-000212-DC" dscresource="ActiveDirectoryAuditRuleEntry">
      <AccessControlEntry>
        <Entry>
          <Type>Fail</Type>
          <Principal>Everyone</Principal>
          <ForcePrincipal>False</ForcePrincipal>
          <Inheritance>
          </Inheritance>
          <Rights>FullControl</Rights>
        </Entry>
        <Entry>
          <Type>Success</Type>
          <Principal>Everyone</Principal>
          <ForcePrincipal>False</ForcePrincipal>
          <Inheritance>
          </Inheritance>
          <Rights>WriteallProperties,AllExtendedRights,ChangeRIDMaster</Rights>
        </Entry>
        <Entry>
          <Type>Success</Type>
          <Principal>Everyone</Principal>
          <ForcePrincipal>False</ForcePrincipal>
          <Inheritance>
          </Inheritance>
          <Rights>
          </Rights>
        </Entry>
      </AccessControlEntry>
      <Force>True</Force>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <Path>CN=RID Manager$,CN=System,{Domain}</Path>
      <rawString>Verify the auditing configuration for the RID Manager$ object.
 
Open "Active Directory Users and Computers". (Available from various menus or run "dsa.msc".)
Ensure Advanced Features is selected in the View menu.
Select System under the domain being reviewed in the left pane.
Right-click the RID Manager$ object in the right pane and select Properties.
Select the Security tab.
Select the Advanced button and then the Auditing tab.
 
If the audit settings on the RID Manager$ object are not at least as inclusive as those below, this is a finding.
 
Type - Fail
Principal - Everyone
Access - Full Control
Inherited from - None
 
The success types listed below are defaults. Where Special is listed in the summary screens for Access, detailed Permissions are provided for reference, various Properties selections may also exist by default.
 
Type - Success
Principal - Everyone
Access - Special
Inherited from - None
 (Access - Special = Write all properties, All extended rights, Change RID master)
 
Two instances with the following summary information will be listed.
Type - Success
Principal - Everyone
Access - (blank)
Inherited from - (CN of domain)</rawString>
    </Rule>
    <Rule id="V-39331" severity="high" conversionstatus="pass" title="WINAD-000002-DC" dscresource="NTFSAccessEntry">
      <AccessControlEntry>
        <Entry>
          <Type>Allow</Type>
          <Principal>Authenticated Users</Principal>
          <ForcePrincipal>False</ForcePrincipal>
          <Inheritance>This folder subfolders and files</Inheritance>
          <Rights>ReadAndExecute</Rights>
        </Entry>
        <Entry>
          <Type>Allow</Type>
          <Principal>Server Operators</Principal>
          <ForcePrincipal>False</ForcePrincipal>
          <Inheritance>This folder subfolders and files</Inheritance>
          <Rights>ReadAndExecute</Rights>
        </Entry>
        <Entry>
          <Type>Allow</Type>
          <Principal>Administrators</Principal>
          <ForcePrincipal>False</ForcePrincipal>
          <Inheritance>This folder only</Inheritance>
          <Rights>AppendData,ChangePermissions,CreateDirectories,CreateFiles,Delete,DeleteSubdirectoriesAndFiles,ExecuteFile,ListDirectory,Modify,Read,ReadAndExecute,ReadAttributes,ReadData,ReadExtendedAttributes,ReadPermissions,Synchronize,TakeOwnership,Traverse,Write,WriteAttributes,WriteData,WriteExtendedAttributes</Rights>
        </Entry>
        <Entry>
          <Type>Allow</Type>
          <Principal>CREATOR OWNER</Principal>
          <ForcePrincipal>False</ForcePrincipal>
          <Inheritance>Subfolders and files only</Inheritance>
          <Rights>FullControl</Rights>
        </Entry>
        <Entry>
          <Type>Allow</Type>
          <Principal>Administrators</Principal>
          <ForcePrincipal>False</ForcePrincipal>
          <Inheritance>Subfolders and files only</Inheritance>
          <Rights>FullControl</Rights>
        </Entry>
        <Entry>
          <Type>Allow</Type>
          <Principal>SYSTEM</Principal>
          <ForcePrincipal>False</ForcePrincipal>
          <Inheritance>This folder subfolders and files</Inheritance>
          <Rights>FullControl</Rights>
        </Entry>
      </AccessControlEntry>
      <Force>True</Force>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <Path>%windir%\sysvol</Path>
      <rawString>Verify the permissions on the SYSVOL directory.
 
Open a command prompt.
Run "net share".
Make note of the directory location of the SYSVOL share.
 
By default this will be \Windows\SYSVOL\sysvol. For this requirement, permissions will be verified at the first SYSVOL directory level.
 
Open File Explorer.
Navigate to \Windows\SYSVOL (or the directory noted previously if different).
Right click the directory and select properties.
Select the Security tab.
Click Advanced.
 
If any standard user accounts or groups have greater than read &amp; execute permissions, this is a finding. The default permissions noted below meet this requirement.
 
Type - Allow
Principal - Authenticated Users
Access - Read &amp; execute
Inherited from - None
Applies to - This folder, subfolder and files
 
Type - Allow
Principal - Server Operators
Access - Read &amp; execute
Inherited from - None
Applies to - This folder, subfolder and files
 
Type - Allow
Principal - Administrators
Access - Special
Inherited from - None
Applies to - This folder only
(Access - Special - Basic Permissions: all selected except Full control)
 
Type - Allow
Principal - CREATOR OWNER
Access - Full control
Inherited from - None
Applies to - Subfolders and files only
 
Type - Allow
Principal - Administrators
Access - Full control
Inherited from - None
Applies to - Subfolders and files only
 
Type - Allow
Principal - SYSTEM
Access - Full control
Inherited from - None
Applies to - This folder, subfolders and files
 
 
Alternately, use Icacls.exe to view the permissions of the SYSVOL directory.
Open a command prompt.
Run "icacls c:\Windows\SYSVOL
The following results should be displayed:
 
NT AUTHORITY\Authenticated Users:(RX)
NT AUTHORITY\Authenticated Users:(OI)(CI)(IO)(GR,GE)
BUILTIN\Server Operators:(RX)
BUILTIN\Server Operators:(OI)(CI)(IO)(GR,GE)
BUILTIN\Administrators:(M,WDAC,WO)
BUILTIN\Administrators:(OI)(CI)(IO)(F)
NT AUTHORITY\SYSTEM:(F)
NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F)
BUILTIN\Administrators:(M,WDAC,WO)
CREATOR OWNER:(OI)(CI)(IO)(F)
 
(RX) - Read &amp; execute
Run "icacls /help" to view definitions of other permission codes.</rawString>
    </Rule>
    <Rule id="V-40177.b" severity="medium" conversionstatus="pass" title="WNGE-000007" dscresource="NTFSAccessEntry">
      <AccessControlEntry>
        <Entry>
          <Type>
          </Type>
          <Principal>TrustedInstaller</Principal>
          <ForcePrincipal>False</ForcePrincipal>
          <Inheritance>This folder and subfolders</Inheritance>
          <Rights>FullControl</Rights>
        </Entry>
        <Entry>
          <Type>
          </Type>
          <Principal>SYSTEM</Principal>
          <ForcePrincipal>False</ForcePrincipal>
          <Inheritance>This folder only</Inheritance>
          <Rights>Modify</Rights>
        </Entry>
        <Entry>
          <Type>
          </Type>
          <Principal>SYSTEM</Principal>
          <ForcePrincipal>False</ForcePrincipal>
          <Inheritance>Subfolders and files only</Inheritance>
          <Rights>FullControl</Rights>
        </Entry>
        <Entry>
          <Type>
          </Type>
          <Principal>Administrators</Principal>
          <ForcePrincipal>False</ForcePrincipal>
          <Inheritance>This folder only</Inheritance>
          <Rights>Modify</Rights>
        </Entry>
        <Entry>
          <Type>
          </Type>
          <Principal>Administrators</Principal>
          <ForcePrincipal>False</ForcePrincipal>
          <Inheritance>Subfolders and files only</Inheritance>
          <Rights>FullControl</Rights>
        </Entry>
        <Entry>
          <Type>
          </Type>
          <Principal>Users</Principal>
          <ForcePrincipal>False</ForcePrincipal>
          <Inheritance>This folder subfolders and files</Inheritance>
          <Rights>ReadAndExecute</Rights>
        </Entry>
        <Entry>
          <Type>
          </Type>
          <Principal>CREATOR OWNER</Principal>
          <ForcePrincipal>False</ForcePrincipal>
          <Inheritance>Subfolders and files only</Inheritance>
          <Rights>FullControl</Rights>
        </Entry>
        <Entry>
          <Type>
          </Type>
          <Principal>ALL APPLICATION PACKAGES</Principal>
          <ForcePrincipal>False</ForcePrincipal>
          <Inheritance>This folder subfolders and files</Inheritance>
          <Rights>ReadAndExecute</Rights>
        </Entry>
      </AccessControlEntry>
      <Force>True</Force>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <Path>%ProgramFiles(x86)%</Path>
      <rawString>The default permissions are adequate when the Security Option "Network access: Let everyone permissions apply to anonymous users" is set to "Disabled" (V-3377). If the default ACLs are maintained and the referenced option is set to "Disabled", this is not a finding.
 
Verify the default permissions for the program file directories (Program Files and Program Files (x86)). Nonprivileged groups such as Users or Authenticated Users must not have greater than Read &amp; execute permissions except where noted as defaults. (Individual accounts must not be used to assign permissions.)
 
Viewing in File Explorer:
For each folder, view the Properties.
Select the "Security" tab, and the "Advanced" button.
 
Default Permissions:
\Program Files and \Program Files (x86)
Type - "Allow" for all
Inherited from - "None" for all
 
Principal - Access - Applies to
 
TrustedInstaller - Full control - This folder and subfolders
SYSTEM - Modify - This folder only
SYSTEM - Full control - Subfolders and files only
Administrators - Modify - This folder only
Administrators - Full control - Subfolders and files only
Users - Read &amp; execute - This folder, subfolders and files
CREATOR OWNER - Full control - Subfolders and files only
ALL APPLICATION PACKAGES - Read &amp; execute - This folder, subfolders and files
 
Alternately, use Icacls:
 
Open a Command prompt (admin).
Enter icacls followed by the directory:
 
icacls "c:\program files"
icacls "c:\program files (x86)"
 
The following results should be displayed as each is entered:
 
c:\program files
NT SERVICE\TrustedInstaller:(F)
NT SERVICE\TrustedInstaller:(CI)(IO)(F)
NT AUTHORITY\SYSTEM:(M)
NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F)
BUILTIN\Administrators:(M)
BUILTIN\Administrators:(OI)(CI)(IO)(F)
BUILTIN\Users:(RX)
BUILTIN\Users:(OI)(CI)(IO)(GR,GE)
CREATOR OWNER:(OI)(CI)(IO)(F)
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(RX)
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(OI)(CI)(IO)(GR,GE)
Successfully processed 1 files; Failed processing 0 files</rawString>
    </Rule>
    <Rule id="V-40177.a" severity="medium" conversionstatus="pass" title="WNGE-000007" dscresource="NTFSAccessEntry">
      <AccessControlEntry>
        <Entry>
          <Type>
          </Type>
          <Principal>TrustedInstaller</Principal>
          <ForcePrincipal>False</ForcePrincipal>
          <Inheritance>This folder and subfolders</Inheritance>
          <Rights>FullControl</Rights>
        </Entry>
        <Entry>
          <Type>
          </Type>
          <Principal>SYSTEM</Principal>
          <ForcePrincipal>False</ForcePrincipal>
          <Inheritance>This folder only</Inheritance>
          <Rights>Modify</Rights>
        </Entry>
        <Entry>
          <Type>
          </Type>
          <Principal>SYSTEM</Principal>
          <ForcePrincipal>False</ForcePrincipal>
          <Inheritance>Subfolders and files only</Inheritance>
          <Rights>FullControl</Rights>
        </Entry>
        <Entry>
          <Type>
          </Type>
          <Principal>Administrators</Principal>
          <ForcePrincipal>False</ForcePrincipal>
          <Inheritance>This folder only</Inheritance>
          <Rights>Modify</Rights>
        </Entry>
        <Entry>
          <Type>
          </Type>
          <Principal>Administrators</Principal>
          <ForcePrincipal>False</ForcePrincipal>
          <Inheritance>Subfolders and files only</Inheritance>
          <Rights>FullControl</Rights>
        </Entry>
        <Entry>
          <Type>
          </Type>
          <Principal>Users</Principal>
          <ForcePrincipal>False</ForcePrincipal>
          <Inheritance>This folder subfolders and files</Inheritance>
          <Rights>ReadAndExecute</Rights>
        </Entry>
        <Entry>
          <Type>
          </Type>
          <Principal>CREATOR OWNER</Principal>
          <ForcePrincipal>False</ForcePrincipal>
          <Inheritance>Subfolders and files only</Inheritance>
          <Rights>FullControl</Rights>
        </Entry>
        <Entry>
          <Type>
          </Type>
          <Principal>ALL APPLICATION PACKAGES</Principal>
          <ForcePrincipal>False</ForcePrincipal>
          <Inheritance>This folder subfolders and files</Inheritance>
          <Rights>ReadAndExecute</Rights>
        </Entry>
      </AccessControlEntry>
      <Force>True</Force>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <Path>%ProgramFiles%</Path>
      <rawString>The default permissions are adequate when the Security Option "Network access: Let everyone permissions apply to anonymous users" is set to "Disabled" (V-3377). If the default ACLs are maintained and the referenced option is set to "Disabled", this is not a finding.
 
Verify the default permissions for the program file directories (Program Files and Program Files (x86)). Nonprivileged groups such as Users or Authenticated Users must not have greater than Read &amp; execute permissions except where noted as defaults. (Individual accounts must not be used to assign permissions.)
 
Viewing in File Explorer:
For each folder, view the Properties.
Select the "Security" tab, and the "Advanced" button.
 
Default Permissions:
\Program Files and \Program Files (x86)
Type - "Allow" for all
Inherited from - "None" for all
 
Principal - Access - Applies to
 
TrustedInstaller - Full control - This folder and subfolders
SYSTEM - Modify - This folder only
SYSTEM - Full control - Subfolders and files only
Administrators - Modify - This folder only
Administrators - Full control - Subfolders and files only
Users - Read &amp; execute - This folder, subfolders and files
CREATOR OWNER - Full control - Subfolders and files only
ALL APPLICATION PACKAGES - Read &amp; execute - This folder, subfolders and files
 
Alternately, use Icacls:
 
Open a Command prompt (admin).
Enter icacls followed by the directory:
 
icacls "c:\program files"
icacls "c:\program files (x86)"
 
The following results should be displayed as each is entered:
 
c:\program files
NT SERVICE\TrustedInstaller:(F)
NT SERVICE\TrustedInstaller:(CI)(IO)(F)
NT AUTHORITY\SYSTEM:(M)
NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F)
BUILTIN\Administrators:(M)
BUILTIN\Administrators:(OI)(CI)(IO)(F)
BUILTIN\Users:(RX)
BUILTIN\Users:(OI)(CI)(IO)(GR,GE)
CREATOR OWNER:(OI)(CI)(IO)(F)
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(RX)
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(OI)(CI)(IO)(GR,GE)
Successfully processed 1 files; Failed processing 0 files</rawString>
    </Rule>
    <Rule id="V-40178" severity="medium" conversionstatus="pass" title="WNGE-000006" dscresource="NTFSAccessEntry">
      <AccessControlEntry>
        <Entry>
          <Type>
          </Type>
          <Principal>SYSTEM</Principal>
          <ForcePrincipal>False</ForcePrincipal>
          <Inheritance>This folder subfolders and files</Inheritance>
          <Rights>FullControl</Rights>
        </Entry>
        <Entry>
          <Type>
          </Type>
          <Principal>Administrators</Principal>
          <ForcePrincipal>False</ForcePrincipal>
          <Inheritance>This folder subfolders and files</Inheritance>
          <Rights>FullControl</Rights>
        </Entry>
        <Entry>
          <Type>
          </Type>
          <Principal>Users</Principal>
          <ForcePrincipal>False</ForcePrincipal>
          <Inheritance>This folder subfolders and files</Inheritance>
          <Rights>ReadAndExecute</Rights>
        </Entry>
        <Entry>
          <Type>
          </Type>
          <Principal>Users</Principal>
          <ForcePrincipal>False</ForcePrincipal>
          <Inheritance>This folder and subfolders</Inheritance>
          <Rights>CreateDirectories,AppendData</Rights>
        </Entry>
        <Entry>
          <Type>
          </Type>
          <Principal>Users</Principal>
          <ForcePrincipal>False</ForcePrincipal>
          <Inheritance>Subfolders only</Inheritance>
          <Rights>CreateFiles,WriteData</Rights>
        </Entry>
        <Entry>
          <Type>
          </Type>
          <Principal>CREATOR OWNER</Principal>
          <ForcePrincipal>False</ForcePrincipal>
          <Inheritance>Subfolders and files only</Inheritance>
          <Rights>FullControl</Rights>
        </Entry>
      </AccessControlEntry>
      <Force>True</Force>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <Path>%SystemDrive%\</Path>
      <rawString>The default permissions are adequate when the Security Option "Network access: Let everyone permissions apply to anonymous users" is set to "Disabled" (V-3377). If the default ACLs are maintained and the referenced option is set to "Disabled", this is not a finding.
 
Verify the default permissions for the system drive's root directory (usually C:\). Nonprivileged groups such as Users or Authenticated Users must not have greater than Read &amp; execute permissions except where noted as defaults. (Individual accounts must not be used to assign permissions.)
 
Viewing in File Explorer:
View the Properties of system drive root directory.
Select the "Security" tab, and the "Advanced" button.
 
C:\
Type - "Allow" for all
Inherited from - "None" for all
 
Principal - Access - Applies to
 
SYSTEM - Full control - This folder, subfolders and files
Administrators - Full control - This folder, subfolders and files
Users - Read &amp; execute - This folder, subfolders and files
Users - Create folders / append data - This folder and subfolders
Users - Create files / write data - Subfolders only
CREATOR OWNER - Full Control - Subfolders and files only
 
Alternately, use Icacls:
 
Open a Command prompt (admin).
Enter icacls followed by the directory:
 
icacls c:\
 
The following results should be displayed:
 
c:\
NT AUTHORITY\SYSTEM:(OI)(CI)(F)
BUILTIN\Administrators:(OI)(CI)(F)
BUILTIN\Users:(OI)(CI)(RX)
BUILTIN\Users:(CI)(AD)
BUILTIN\Users:(CI)(IO)(WD)
CREATOR OWNER:(OI)(CI)(IO)(F)
Successfully processed 1 files; Failed processing 0 files</rawString>
    </Rule>
    <Rule id="V-40179" severity="medium" conversionstatus="pass" title="WNGE-000008" dscresource="NTFSAccessEntry">
      <AccessControlEntry>
        <Entry>
          <Type>
          </Type>
          <Principal>TrustedInstaller</Principal>
          <ForcePrincipal>False</ForcePrincipal>
          <Inheritance>This folder and subfolders</Inheritance>
          <Rights>FullControl</Rights>
        </Entry>
        <Entry>
          <Type>
          </Type>
          <Principal>SYSTEM</Principal>
          <ForcePrincipal>False</ForcePrincipal>
          <Inheritance>This folder only</Inheritance>
          <Rights>Modify</Rights>
        </Entry>
        <Entry>
          <Type>
          </Type>
          <Principal>SYSTEM</Principal>
          <ForcePrincipal>False</ForcePrincipal>
          <Inheritance>Subfolders and files only</Inheritance>
          <Rights>FullControl</Rights>
        </Entry>
        <Entry>
          <Type>
          </Type>
          <Principal>Administrators</Principal>
          <ForcePrincipal>False</ForcePrincipal>
          <Inheritance>This folder only</Inheritance>
          <Rights>Modify</Rights>
        </Entry>
        <Entry>
          <Type>
          </Type>
          <Principal>Administrators</Principal>
          <ForcePrincipal>False</ForcePrincipal>
          <Inheritance>Subfolders and files only</Inheritance>
          <Rights>FullControl</Rights>
        </Entry>
        <Entry>
          <Type>
          </Type>
          <Principal>Users</Principal>
          <ForcePrincipal>False</ForcePrincipal>
          <Inheritance>This folder subfolders and files</Inheritance>
          <Rights>ReadAndExecute</Rights>
        </Entry>
        <Entry>
          <Type>
          </Type>
          <Principal>CREATOR OWNER</Principal>
          <ForcePrincipal>False</ForcePrincipal>
          <Inheritance>Subfolders and files only</Inheritance>
          <Rights>FullControl</Rights>
        </Entry>
        <Entry>
          <Type>
          </Type>
          <Principal>ALL APPLICATION PACKAGES</Principal>
          <ForcePrincipal>False</ForcePrincipal>
          <Inheritance>This folder subfolders and files</Inheritance>
          <Rights>ReadAndExecute</Rights>
        </Entry>
      </AccessControlEntry>
      <Force>True</Force>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <Path>%windir%</Path>
      <rawString>The default permissions are adequate when the Security Option "Network access: Let everyone permissions apply to anonymous users" is set to "Disabled" (V-3377). If the default ACLs are maintained and the referenced option is set to "Disabled", this is not a finding.
 
Verify the default permissions for the Windows installation directory (usually C:\Windows). Nonprivileged groups such as Users or Authenticated Users must not have greater than Read &amp; execute permissions except where noted as defaults. (Individual accounts must not be used to assign permissions.)
 
Viewing in File Explorer:
View the Properties of the folder.
Select the "Security" tab, and the "Advanced" button.
 
Default Permissions:
\Windows
Type - "Allow" for all
Inherited from - "None" for all
 
Principal - Access - Applies to
 
TrustedInstaller - Full control - This folder and subfolders
SYSTEM - Modify - This folder only
SYSTEM - Full control - Subfolders and files only
Administrators - Modify - This folder only
Administrators - Full control - Subfolders and files only
Users - Read &amp; execute - This folder, subfolders and files
CREATOR OWNER - Full control - Subfolders and files only
ALL APPLICATION PACKAGES - Read &amp; execute - This folder, subfolders and files
 
Alternately, use Icacls:
 
Open a Command prompt (admin).
Enter icacls followed by the directory:
 
icacls c:\windows
 
The following results should be displayed:
 
c:\windows
NT SERVICE\TrustedInstaller:(F)
NT SERVICE\TrustedInstaller:(CI)(IO)(F)
NT AUTHORITY\SYSTEM:(M)
NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F)
BUILTIN\Administrators:(M)
BUILTIN\Administrators:(OI)(CI)(IO)(F)
BUILTIN\Users:(RX)
BUILTIN\Users:(OI)(CI)(IO)(GR,GE)
CREATOR OWNER:(OI)(CI)(IO)(F)
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(RX)
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(OI)(CI)(IO)(GR,GE)
Successfully processed 1 files; Failed processing 0 files</rawString>
    </Rule>
    <Rule id="V-57721" severity="medium" conversionstatus="pass" title="WINAU-000213" dscresource="NTFSAccessEntry">
      <AccessControlEntry>
        <Entry>
          <Type>
          </Type>
          <Principal>TrustedInstaller</Principal>
          <ForcePrincipal>False</ForcePrincipal>
          <Inheritance>
          </Inheritance>
          <Rights>FullControl</Rights>
        </Entry>
        <Entry>
          <Type>
          </Type>
          <Principal>Administrators</Principal>
          <ForcePrincipal>False</ForcePrincipal>
          <Inheritance>
          </Inheritance>
          <Rights>ReadAndExecute</Rights>
        </Entry>
        <Entry>
          <Type>
          </Type>
          <Principal>SYSTEM</Principal>
          <ForcePrincipal>False</ForcePrincipal>
          <Inheritance>
          </Inheritance>
          <Rights>ReadAndExecute</Rights>
        </Entry>
        <Entry>
          <Type>
          </Type>
          <Principal>Users</Principal>
          <ForcePrincipal>False</ForcePrincipal>
          <Inheritance>
          </Inheritance>
          <Rights>ReadAndExecute</Rights>
        </Entry>
        <Entry>
          <Type>
          </Type>
          <Principal>ALL APPLICATION PACKAGES</Principal>
          <ForcePrincipal>False</ForcePrincipal>
          <Inheritance>
          </Inheritance>
          <Rights>ReadAndExecute</Rights>
        </Entry>
      </AccessControlEntry>
      <Force>True</Force>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <Path>%windir%\SYSTEM32\eventvwr.exe</Path>
      <rawString>Verify the permissions on Event Viewer only allow TrustedInstaller permissions to change or modify. If any groups or accounts other than TrustedInstaller have Full control or Modify, this is a finding.
 
Navigate to "%SystemRoot%\SYSTEM32".
View the permissions on "Eventvwr.exe".
 
The default permissions below satisfy this requirement.
TrustedInstaller - Full Control
Administrators, SYSTEM, Users, ALL APPLICATION PACKAGES - Read &amp; Execute</rawString>
    </Rule>
  </PermissionRule>
  <RegistryRule dscresourcemodule="PSDesiredStateConfiguration">
    <Rule id="V-1075" severity="low" conversionstatus="pass" title="Display Shutdown Button" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\
 
Value Name: ShutdownWithoutLogon
 
Value Type: REG_DWORD
Value: 0</rawString>
      <ValueData>0</ValueData>
      <ValueName>ShutdownWithoutLogon</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-1089" severity="medium" conversionstatus="pass" title="Legal Notice Display" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\
 
Value Name: LegalNoticeText
 
Value Type: REG_SZ
Value: See message text below
 
You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.
 
By using this IS (which includes any device attached to this IS), you consent to the following conditions:
 
-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
 
-At any time, the USG may inspect and seize data stored on this IS.
 
-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
 
-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
 
-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.
 
Any OS versions that do not support the full text version must state the following:
"I've read &amp; consent to terms in IS user agreem't."
 
Deviations are not permitted except as authorized by the Deputy Assistant Secretary of Defense for Information and Identity Assurance.</rawString>
      <ValueData>You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.
By using this IS (which includes any device attached to this IS), you consent to the following conditions:
-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
-At any time, the USG may inspect and seize data stored on this IS.
-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.</ValueData>
      <ValueName>LegalNoticeText</ValueName>
      <ValueType>String</ValueType>
    </Rule>
    <Rule id="V-1090" severity="low" conversionstatus="pass" title="Caching of logon credentials" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon</Key>
      <OrganizationValueRequired>True</OrganizationValueRequired>
      <OrganizationValueTestString>{0} -le '4'</OrganizationValueTestString>
      <rawString>If the system is not a member of a domain, this is NA.
 
If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
 
Value Name: CachedLogonsCount
 
Value Type: REG_SZ
Value: 4 (or less)</rawString>
      <ValueData />
      <ValueName>CachedLogonsCount</ValueName>
      <ValueType>String</ValueType>
    </Rule>
    <Rule id="V-1093" severity="high" conversionstatus="pass" title="Anonymous shares are not restricted" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \System\CurrentControlSet\Control\Lsa\
 
Value Name: RestrictAnonymous
 
Value Type: REG_DWORD
Value: 1</rawString>
      <ValueData>1</ValueData>
      <ValueName>RestrictAnonymous</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-1136" severity="low" conversionstatus="pass" title="Forcibly Disconnect when Logon Hours Expire" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \System\CurrentControlSet\Services\LanManServer\Parameters\
 
Value Name: EnableForcedLogoff
 
Value Type: REG_DWORD
Value: 1</rawString>
      <ValueData>1</ValueData>
      <ValueName>EnableForcedLogoff</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-1141" severity="medium" conversionstatus="pass" title="Unencrypted Password is Sent to SMB Server." dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters\
 
Value Name: EnablePlainTextPassword
 
Value Type: REG_DWORD
Value: 0</rawString>
      <ValueData>0</ValueData>
      <ValueName>EnablePlainTextPassword</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-1145" severity="medium" conversionstatus="pass" title="Disable Automatic Logon" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Microsoft\Windows NT\CurrentVersion\Winlogon\
 
Value Name: AutoAdminLogon
 
Type: REG_SZ
Value: 0</rawString>
      <ValueData>0</ValueData>
      <ValueName>AutoAdminLogon</ValueName>
      <ValueType>String</ValueType>
    </Rule>
    <Rule id="V-1151" severity="low" conversionstatus="pass" title="Secure Print Driver Installation" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers\
 
Value Name: AddPrinterDrivers
 
Value Type: REG_DWORD
Value: 1</rawString>
      <ValueData>1</ValueData>
      <ValueName>AddPrinterDrivers</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-1153" severity="high" conversionstatus="pass" title="LanMan Authentication Level" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \System\CurrentControlSet\Control\Lsa\
 
Value Name: LmCompatibilityLevel
 
Value Type: REG_DWORD
Value: 5</rawString>
      <ValueData>5</ValueData>
      <ValueName>LmCompatibilityLevel</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-1154" severity="medium" conversionstatus="pass" title="Ctrl+Alt+Del Security Attention Sequence" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\
 
Value Name: DisableCAD
 
Value Type: REG_DWORD
Value: 0</rawString>
      <ValueData>0</ValueData>
      <ValueName>DisableCAD</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-1157" severity="medium" conversionstatus="pass" title="Smart Card Removal Option " dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon</Key>
      <OrganizationValueRequired>True</OrganizationValueRequired>
      <OrganizationValueTestString>{0} -match '1|2'</OrganizationValueTestString>
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Microsoft\Windows NT\CurrentVersion\Winlogon\
  
Value Name: SCRemoveOption
 
Value Type: REG_SZ
Value: 1 (Lock Workstation) or 2 (Force Logoff)
 
If configuring this on servers causes issues such as terminating users' remote sessions and the site has a policy in place that any other sessions on the servers such as administrative console logons, are manually locked or logged off when unattended or not in use, this would be acceptable. This must be documented with the ISSO.</rawString>
      <ValueData />
      <ValueName>SCRemoveOption</ValueName>
      <ValueType>String</ValueType>
    </Rule>
    <Rule id="V-1162" severity="medium" conversionstatus="pass" title="SMB Server Packet Signing (if client agrees)" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \System\CurrentControlSet\Services\LanManServer\Parameters\
 
Value Name: EnableSecuritySignature
 
Value Type: REG_DWORD
Value: 1</rawString>
      <ValueData>1</ValueData>
      <ValueName>EnableSecuritySignature</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-1163" severity="medium" conversionstatus="pass" title="Encryption of Secure Channel Traffic" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\
 
Value Name: SealSecureChannel
 
Value Type: REG_DWORD
Value: 1
 
If the value for "Domain Member: Digitally encrypt or sign secure channel data (always)" is set to "Enabled", this can be NA (see V-6831).</rawString>
      <ValueData>1</ValueData>
      <ValueName>SealSecureChannel</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-1164" severity="medium" conversionstatus="pass" title="Signing of Secure Channel Traffic" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\
 
Value Name: SignSecureChannel
 
Value Type: REG_DWORD
Value: 1
 
If the value for "Domain Member: Digitally encrypt or sign secure channel data (always)" is set to "Enabled", this can be NA (see V-6831).</rawString>
      <ValueData>1</ValueData>
      <ValueName>SignSecureChannel</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-1165" severity="low" conversionstatus="pass" title="Computer Account Password Reset" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \System\CurrentControlSet\Services\Netlogon\Parameters\
 
Value Name: DisablePasswordChange
 
Value Type: REG_DWORD
Value: 0</rawString>
      <ValueData>0</ValueData>
      <ValueName>DisablePasswordChange</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-1166" severity="medium" conversionstatus="pass" title="SMB Client Packet Signing (if server agrees)" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \System\CurrentControlSet\Services\LanmanWorkstation\Parameters\
 
Value Name: EnableSecuritySignature
 
Value Type: REG_DWORD
Value: 1</rawString>
      <ValueData>1</ValueData>
      <ValueName>EnableSecuritySignature</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-1171" severity="medium" conversionstatus="pass" title="Format and Eject Removable Media" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Microsoft\Windows NT\CurrentVersion\Winlogon\
 
Value Name: AllocateDASD
 
Value Type: REG_SZ
Value: 0</rawString>
      <ValueData>0</ValueData>
      <ValueName>AllocateDASD</ValueName>
      <ValueType>String</ValueType>
    </Rule>
    <Rule id="V-1172" severity="low" conversionstatus="pass" title="Password Expiration Warning" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon</Key>
      <OrganizationValueRequired>True</OrganizationValueRequired>
      <OrganizationValueTestString>{0} -ge '14'</OrganizationValueTestString>
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Microsoft\Windows NT\CurrentVersion\Winlogon\
 
Value Name: PasswordExpiryWarning
 
Value Type: REG_DWORD
Value: 14 (or greater)</rawString>
      <ValueData />
      <ValueName>PasswordExpiryWarning</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-1173" severity="low" conversionstatus="pass" title="Global System Objects Permission Strength" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \System\CurrentControlSet\Control\Session Manager\
 
Value Name: ProtectionMode
 
Value Type: REG_DWORD
Value: 1</rawString>
      <ValueData>1</ValueData>
      <ValueName>ProtectionMode</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-1174" severity="low" conversionstatus="pass" title="Idle Time Before Suspending a Session." dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters</Key>
      <OrganizationValueRequired>True</OrganizationValueRequired>
      <OrganizationValueTestString>{0} -le '15'</OrganizationValueTestString>
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \SYSTEM\CurrentControlSet\Services\LanManServer\Parameters\
 
Value Name: autodisconnect
 
Value Type: REG_DWORD
Value: 0x0000000f (15) (or less)</rawString>
      <ValueData />
      <ValueName>autodisconnect</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-2374" severity="high" conversionstatus="pass" title="Disable Media Autoplay" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\
 
Value Name: NoDriveTypeAutoRun
 
Type: REG_DWORD
Value: 0x000000ff (255)</rawString>
      <ValueData>255</ValueData>
      <ValueName>NoDriveTypeAutoRun</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-3338" severity="high" conversionstatus="pass" title="Anonymous Access to Named Pipes" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \System\CurrentControlSet\Services\LanManServer\Parameters\
 
Value Name: NullSessionPipes
 
Value Type: REG_MULTI_SZ
Value: netlogon, samr, lsarpc
 
The default configuration of systems promoted to domain controllers may include a blank entry in the first line prior to "netlogon", "samr", and "lsarpc". This will appear in the registry as a blank entry when viewing the registry key summary; however the value data for "NullSessionPipes" will contain the default entries.
 
Legitimate applications may add entries to this registry value. If an application requires these entries to function properly and is documented with the ISSO, this would not be a finding. Documentation must contain supporting information from the vendor's instructions.</rawString>
      <ValueData>netlogon;samr;lsarpc</ValueData>
      <ValueName>NullSessionPipes</ValueName>
      <ValueType>MultiString</ValueType>
    </Rule>
    <Rule id="V-3339" severity="high" conversionstatus="pass" title="Remotely Accessible Registry Paths" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths\
 
Value Name: Machine
 
Value Type: REG_MULTI_SZ
Value: see below
 
System\CurrentControlSet\Control\ProductOptions
System\CurrentControlSet\Control\Server Applications
Software\Microsoft\Windows NT\CurrentVersion
 
Legitimate applications may add entries to this registry value. If an application requires these entries to function properly and is documented with the ISSO, this would not be a finding. Documentation must contain supporting information from the vendor's instructions.</rawString>
      <ValueData>System\CurrentControlSet\Control\ProductOptions;System\CurrentControlSet\Control\Server Applications;Software\Microsoft\Windows NT\CurrentVersion</ValueData>
      <ValueName>Machine</ValueName>
      <ValueType>MultiString</ValueType>
    </Rule>
    <Rule id="V-3340" severity="high" conversionstatus="pass" title="Anonymous Access to Network Shares" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>True</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist, this is not a finding:
 
If the following registry value does exist and is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \System\CurrentControlSet\Services\LanManServer\Parameters\
 
Value Name: NullSessionShares
 
Value Type: REG_MULTI_SZ
Value: (Blank)</rawString>
      <ValueData></ValueData>
      <ValueName>NullSessionShares</ValueName>
      <ValueType>MultiString</ValueType>
    </Rule>
    <Rule id="V-3343" severity="high" conversionstatus="pass" title="Remote Assistance - Solicit Remote Assistance" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Policies\Microsoft\Windows NT\Terminal Services\
 
Value Name: fAllowToGetHelp
  
Type: REG_DWORD
Value: 0</rawString>
      <ValueData>0</ValueData>
      <ValueName>fAllowToGetHelp</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-3344" severity="high" conversionstatus="pass" title="Limit Blank Passwords" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \System\CurrentControlSet\Control\Lsa\
 
Value Name: LimitBlankPasswordUse
 
Value Type: REG_DWORD
Value: 1</rawString>
      <ValueData>1</ValueData>
      <ValueName>LimitBlankPasswordUse</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-3373" severity="low" conversionstatus="pass" title="Maximum Machine Account Password Age" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters</Key>
      <OrganizationValueRequired>True</OrganizationValueRequired>
      <OrganizationValueTestString>{0} -le '30' -and {0} -gt '0'</OrganizationValueTestString>
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \System\CurrentControlSet\Services\Netlogon\Parameters\
 
Value Name: MaximumPasswordAge
 
Value Type: REG_DWORD
Value: 30 (or less, but not 0)</rawString>
      <ValueData />
      <ValueName>MaximumPasswordAge</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-3374" severity="medium" conversionstatus="pass" title="Strong Session Key" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \System\CurrentControlSet\Services\Netlogon\Parameters\
 
Value Name: RequireStrongKey
 
Value Type: REG_DWORD
Value: 1
  
This setting may prevent a system from being joined to a domain if not configured consistently between systems.</rawString>
      <ValueData>1</ValueData>
      <ValueName>RequireStrongKey</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-3376" severity="medium" conversionstatus="pass" title="Storage of Passwords and Credentials" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \System\CurrentControlSet\Control\Lsa\
 
Value Name: DisableDomainCreds
 
Value Type: REG_DWORD
Value: 1</rawString>
      <ValueData>1</ValueData>
      <ValueName>DisableDomainCreds</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-3377" severity="medium" conversionstatus="pass" title="Everyone Anonymous rights" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \System\CurrentControlSet\Control\Lsa\
 
Value Name: EveryoneIncludesAnonymous
 
Value Type: REG_DWORD
Value: 0</rawString>
      <ValueData>0</ValueData>
      <ValueName>EveryoneIncludesAnonymous</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-3378" severity="medium" conversionstatus="pass" title="Sharing and Security Model for Local Accounts" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \System\CurrentControlSet\Control\Lsa\
 
Value Name: ForceGuest
 
Value Type: REG_DWORD
Value: 0</rawString>
      <ValueData>0</ValueData>
      <ValueName>ForceGuest</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-3379" severity="high" conversionstatus="pass" title="LAN Manager Hash stored" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \System\CurrentControlSet\Control\Lsa\
 
Value Name: NoLMHash
 
Value Type: REG_DWORD
Value: 1</rawString>
      <ValueData>1</ValueData>
      <ValueName>NoLMHash</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-3381" severity="medium" conversionstatus="pass" title="LDAP Client Signing" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \System\CurrentControlSet\Services\LDAP\
 
Value Name: LDAPClientIntegrity
 
Value Type: REG_DWORD
Value: 1</rawString>
      <ValueData>1</ValueData>
      <ValueName>LDAPClientIntegrity</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-3382" severity="medium" conversionstatus="pass" title="Session Security for NTLM SSP Based Clients" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \System\CurrentControlSet\Control\Lsa\MSV1_0\
 
Value Name: NTLMMinClientSec
 
Value Type: REG_DWORD
Value: 0x20080000 (537395200)</rawString>
      <ValueData>537395200</ValueData>
      <ValueName>NTLMMinClientSec</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-3383" severity="medium" conversionstatus="pass" title="FIPS Compliant Algorithms " dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \SYSTEM\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy\
 
Value Name: Enabled
 
Value Type: REG_DWORD
Value: 1
  
Warning: Clients with this setting enabled will not be able to communicate via digitally encrypted or signed protocols with servers that do not support these algorithms. Both the browser and web server must be configured to use TLS, or the browser will not be able to connect to a secure site.</rawString>
      <ValueData>1</ValueData>
      <ValueName>Enabled</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-3385" severity="medium" conversionstatus="pass" title="Case Insensitivity for Non-Windows" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \System\CurrentControlSet\Control\Session Manager\Kernel\
 
Value Name: ObCaseInsensitive
 
Value Type: REG_DWORD
Value: 1</rawString>
      <ValueData>1</ValueData>
      <ValueName>ObCaseInsensitive</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-3449" severity="medium" conversionstatus="pass" title="TS/RDS - Session Limit" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Policies\Microsoft\Windows NT\Terminal Services\
 
Value Name: fSingleSessionPerUser
 
Type: REG_DWORD
Value: 1</rawString>
      <ValueData>1</ValueData>
      <ValueName>fSingleSessionPerUser</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-3453" severity="medium" conversionstatus="pass" title="TS/RDS - Password Prompting" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Policies\Microsoft\Windows NT\Terminal Services\
 
Value Name: fPromptForPassword
 
Type: REG_DWORD
Value: 1</rawString>
      <ValueData>1</ValueData>
      <ValueName>fPromptForPassword</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-3454" severity="medium" conversionstatus="pass" title="TS/RDS - Set Encryption Level" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Policies\Microsoft\Windows NT\Terminal Services\
 
Value Name: MinEncryptionLevel
 
Type: REG_DWORD
Value: 3</rawString>
      <ValueData>3</ValueData>
      <ValueName>MinEncryptionLevel</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-3455" severity="medium" conversionstatus="pass" title="TS/RDS - Do Not Use Temp Folders" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Policies\Microsoft\Windows NT\Terminal Services\
 
Value Name: PerSessionTempDir
 
Type: REG_DWORD
Value: 1</rawString>
      <ValueData>1</ValueData>
      <ValueName>PerSessionTempDir</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-3456" severity="medium" conversionstatus="pass" title="TS/RDS - Delete Temp Folders" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Policies\Microsoft\Windows NT\Terminal Services\
 
Value Name: DeleteTempDirsOnExit
 
Type: REG_DWORD
Value: 1</rawString>
      <ValueData>1</ValueData>
      <ValueName>DeleteTempDirsOnExit</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-3469" severity="medium" conversionstatus="pass" title="Group Policy - Do Not Turn off Background Refresh" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\system</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Review the registry.
If the following registry value does not exist, this is not a finding (this is the expected result from configuring the policy as outlined in the Fix section.):
If the following registry value exists but is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\system\
 
Value Name: DisableBkGndGroupPolicy
 
Type: REG_DWORD
Value: 0</rawString>
      <ValueData>0</ValueData>
      <ValueName>DisableBkGndGroupPolicy</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-3470" severity="medium" conversionstatus="pass" title="Remote Assistance - Offer Remote Assistance" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Policies\Microsoft\Windows NT\Terminal Services\
 
Value Name: fAllowUnsolicited
 
Type: REG_DWORD
Value: 0</rawString>
      <ValueData>0</ValueData>
      <ValueName>fAllowUnsolicited</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-3472.a" severity="low" conversionstatus="pass" title="Windows Time Service - Configure NTP Client" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\W32time\Parameters</Key>
      <OrganizationValueRequired>True</OrganizationValueRequired>
      <OrganizationValueTestString>'{0}' -match '^(NoSync|NTP|NT5DS|AllSync)$'</OrganizationValueTestString>
      <rawString>Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Policies\Microsoft\W32time\Parameters\
Type: REG_SZ
Value Name: Type
Value: Possible values are NoSync, NTP, NT5DS, AllSync</rawString>
      <ValueData />
      <ValueName>Type</ValueName>
      <ValueType>String</ValueType>
    </Rule>
    <Rule id="V-3472.b" severity="low" conversionstatus="pass" title="Windows Time Service - Configure NTP Client" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\W32time\Parameters</Key>
      <OrganizationValueRequired>True</OrganizationValueRequired>
      <OrganizationValueTestString>'{0}' -notmatch 'time.windows.com'</OrganizationValueTestString>
      <rawString>Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Policies\Microsoft\W32time\Parameters\
Type: REG_SZ
Value Name: NTPServer
Value: "address of the time server"</rawString>
      <ValueData />
      <ValueName>NTPServer</ValueName>
      <ValueType>String</ValueType>
    </Rule>
    <Rule id="V-3479" severity="medium" conversionstatus="pass" title="Safe DLL Search Mode" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \System\CurrentControlSet\Control\Session Manager\
 
Value Name: SafeDllSearchMode
 
Value Type: REG_DWORD
Value: 1</rawString>
      <ValueData>1</ValueData>
      <ValueName>SafeDllSearchMode</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-3480" severity="medium" conversionstatus="pass" title="Media Player - Disable Automatic Updates" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsMediaPlayer</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Windows Media Player is not installed by default. If it is not installed, this is NA.
 
If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Policies\Microsoft\WindowsMediaPlayer\
 
Value Name: DisableAutoupdate
 
Type: REG_DWORD
Value: 1</rawString>
      <ValueData>1</ValueData>
      <ValueName>DisableAutoupdate</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-3481" severity="medium" conversionstatus="pass" title="Media Player - Prevent Codec Download" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_CURRENT_USER\Software\Policies\Microsoft\WindowsMediaPlayer</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_CURRENT_USER
Registry Path: \Software\Policies\Microsoft\WindowsMediaPlayer\
 
Value Name: PreventCodecDownload
 
Type: REG_DWORD
Value: 1</rawString>
      <ValueData>1</ValueData>
      <ValueName>PreventCodecDownload</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-3666" severity="medium" conversionstatus="pass" title="Session Security for NTLM SSP based Servers" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \System\CurrentControlSet\Control\Lsa\MSV1_0\
 
Value Name: NTLMMinServerSec
 
Value Type: REG_DWORD
Value: 0x20080000 (537395200)</rawString>
      <ValueData>537395200</ValueData>
      <ValueName>NTLMMinServerSec</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-4108" severity="low" conversionstatus="pass" title="Audit Log Warning Level" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog\Security</Key>
      <OrganizationValueRequired>True</OrganizationValueRequired>
      <OrganizationValueTestString>{0} -le '90'</OrganizationValueTestString>
      <rawString>If the system is configured to write to an audit server, or is configured to automatically archive full logs, this is NA.
 
If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \System\CurrentControlSet\Services\Eventlog\Security\
 
Value Name: WarningLevel
 
Value Type: REG_DWORD
Value: 90 (or less)</rawString>
      <ValueData />
      <ValueName>WarningLevel</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-4110" severity="low" conversionstatus="pass" title="Disable IP Source Routing" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \System\CurrentControlSet\Services\Tcpip\Parameters\
 
Value Name: DisableIPSourceRouting
 
Value Type: REG_DWORD
Value: 2</rawString>
      <ValueData>2</ValueData>
      <ValueName>DisableIPSourceRouting</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-4111" severity="low" conversionstatus="pass" title="Disable ICMP Redirect" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \System\CurrentControlSet\Services\Tcpip\Parameters\
 
Value Name: EnableICMPRedirect
 
Value Type: REG_DWORD
Value: 0</rawString>
      <ValueData>0</ValueData>
      <ValueName>EnableICMPRedirect</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-4112" severity="low" conversionstatus="pass" title="Disable Router Discovery" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \System\CurrentControlSet\Services\Tcpip\Parameters\
 
Value Name: PerformRouterDiscovery
 
Value Type: REG_DWORD
Value: 0</rawString>
      <ValueData>0</ValueData>
      <ValueName>PerformRouterDiscovery</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-4113" severity="low" conversionstatus="pass" title="TCP Connection Keep-Alive Time" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters</Key>
      <OrganizationValueRequired>True</OrganizationValueRequired>
      <OrganizationValueTestString>{0} -le '300000'</OrganizationValueTestString>
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \System\CurrentControlSet\Services\Tcpip\Parameters\
 
Value Name: KeepAliveTime
 
Value Type: REG_DWORD
Value: 300000 (or less)</rawString>
      <ValueData />
      <ValueName>KeepAliveTime</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-4116" severity="low" conversionstatus="pass" title="Name-Release Attacks" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netbt\Parameters</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \SYSTEM\CurrentControlSet\Services\Netbt\Parameters\
 
Value Name: NoNameReleaseOnDemand
 
Value Type: REG_DWORD
Value: 1</rawString>
      <ValueData>1</ValueData>
      <ValueName>NoNameReleaseOnDemand</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-4407" severity="medium" conversionstatus="pass" title="LDAP Signing Requirements" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \System\CurrentControlSet\Services\NTDS\Parameters\
 
Value Name: LDAPServerIntegrity
 
Value Type: REG_DWORD
Value: 2</rawString>
      <ValueData>2</ValueData>
      <ValueName>LDAPServerIntegrity</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-4408" severity="low" conversionstatus="pass" title="Computer Account Password Change" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \System\CurrentControlSet\Services\Netlogon\Parameters\
 
Value Name: RefusePasswordChange
 
Value Type: REG_DWORD
Value: 0</rawString>
      <ValueData>0</ValueData>
      <ValueName>RefusePasswordChange</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-4438" severity="low" conversionstatus="pass" title="TCP Data Retransmissions" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters</Key>
      <OrganizationValueRequired>True</OrganizationValueRequired>
      <OrganizationValueTestString>{0} -le '3'</OrganizationValueTestString>
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\
 
Value Name: TcpMaxDataRetransmissions
 
Value Type: REG_DWORD
Value: 3 (or less)</rawString>
      <ValueData />
      <ValueName>TcpMaxDataRetransmissions</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-4442" severity="low" conversionstatus="pass" title="Screen Saver Grace Period" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon</Key>
      <OrganizationValueRequired>True</OrganizationValueRequired>
      <OrganizationValueTestString>{0} -le '5'</OrganizationValueTestString>
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Microsoft\Windows NT\CurrentVersion\Winlogon\
 
Value Name: ScreenSaverGracePeriod
 
Value Type: REG_SZ
Value: 5 (or less)</rawString>
      <ValueData />
      <ValueName>ScreenSaverGracePeriod</ValueName>
      <ValueType>String</ValueType>
    </Rule>
    <Rule id="V-4443" severity="high" conversionstatus="pass" title="Remotely Accessible Registry Paths and Sub-Paths" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths\
 
Value Name: Machine
 
Value Type: REG_MULTI_SZ
Value: see below
 
Software\Microsoft\OLAP Server
Software\Microsoft\Windows NT\CurrentVersion\Perflib
Software\Microsoft\Windows NT\CurrentVersion\Print
Software\Microsoft\Windows NT\CurrentVersion\Windows
System\CurrentControlSet\Control\ContentIndex
System\CurrentControlSet\Control\Print\Printers
System\CurrentControlSet\Control\Terminal Server
System\CurrentControlSet\Control\Terminal Server\UserConfig
System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration
System\CurrentControlSet\Services\Eventlog
System\CurrentControlSet\Services\Sysmonlog
 
Legitimate applications may add entries to this registry value. If an application requires these entries to function properly and is documented with the ISSO, this would not be a finding. Documentation must contain supporting information from the vendor's instructions.</rawString>
      <ValueData>Software\Microsoft\OLAP Server;Software\Microsoft\Windows NT\CurrentVersion\Perflib;Software\Microsoft\Windows NT\CurrentVersion\Print;Software\Microsoft\Windows NT\CurrentVersion\Windows;System\CurrentControlSet\Control\ContentIndex;System\CurrentControlSet\Control\Print\Printers;System\CurrentControlSet\Control\Terminal Server;System\CurrentControlSet\Control\Terminal Server\UserConfig;System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration;System\CurrentControlSet\Services\Eventlog;System\CurrentControlSet\Services\Sysmonlog</ValueData>
      <ValueName>Machine</ValueName>
      <ValueType>MultiString</ValueType>
    </Rule>
    <Rule id="V-4445" severity="low" conversionstatus="pass" title="Optional Subsystems" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>True</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Subsystems</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \System\CurrentControlSet\Control\Session Manager\Subsystems\
 
Value Name: Optional
 
Value Type: REG_MULTI_SZ
Value: (Blank)</rawString>
      <ValueData></ValueData>
      <ValueName>Optional</ValueName>
      <ValueType>MultiString</ValueType>
    </Rule>
    <Rule id="V-4447" severity="medium" conversionstatus="pass" title="TS/RDS - Secure RPC Connection." dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Policies\Microsoft\Windows NT\Terminal Services\
 
Value Name: fEncryptRPCTraffic
 
Type: REG_DWORD
Value: 1</rawString>
      <ValueData>1</ValueData>
      <ValueName>fEncryptRPCTraffic</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-4448" severity="medium" conversionstatus="pass" title="Group Policy - Registry Policy Processing" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}\
 
Value Name: NoGPOListChanges
 
Type: REG_DWORD
Value: 0</rawString>
      <ValueData>0</ValueData>
      <ValueName>NoGPOListChanges</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-6831" severity="medium" conversionstatus="pass" title="Encrypting and Signing of Secure Channel Traffic" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \System\CurrentControlSet\Services\Netlogon\Parameters\
 
Value Name: RequireSignOrSeal
 
Value Type: REG_DWORD
Value: 1</rawString>
      <ValueData>1</ValueData>
      <ValueName>RequireSignOrSeal</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-6832" severity="medium" conversionstatus="pass" title="SMB Client Packet Signing (Always)" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \System\CurrentControlSet\Services\LanmanWorkstation\Parameters\
 
Value Name: RequireSecuritySignature
 
Value Type: REG_DWORD
Value: 1</rawString>
      <ValueData>1</ValueData>
      <ValueName>RequireSecuritySignature</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-6833" severity="medium" conversionstatus="pass" title="SMB Server Packet Signing (Always)" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \System\CurrentControlSet\Services\LanManServer\Parameters\
 
Value Name: RequireSecuritySignature
 
Value Type: REG_DWORD
Value: 1</rawString>
      <ValueData>1</ValueData>
      <ValueName>RequireSecuritySignature</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-6834" severity="high" conversionstatus="pass" title="Anonymous Access to Named Pipes and Shares" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \System\CurrentControlSet\Services\LanManServer\Parameters\
 
Value Name: RestrictNullSessAccess
 
Value Type: REG_DWORD
Value: 1</rawString>
      <ValueData>1</ValueData>
      <ValueName>RestrictNullSessAccess</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-8322.a" severity="medium" conversionstatus="pass" title="Time Synchronization" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \System\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient\
Type: REG_DWORD
Value Name: Enabled
Value: 1</rawString>
      <ValueData>1</ValueData>
      <ValueName>Enabled</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-8322.b" severity="medium" conversionstatus="pass" title="Time Synchronization" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\Parameters</Key>
      <OrganizationValueRequired>True</OrganizationValueRequired>
      <OrganizationValueTestString>'{0}' -match '^(NoSync|NTP|NT5DS|AllSync)$'</OrganizationValueTestString>
      <rawString>Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \System\CurrentControlSet\Services\W32Time\Parameters\
Type: REG_SZ
Value Name: Type
Value: NT5DS (preferred), NTP or Allsync</rawString>
      <ValueData />
      <ValueName>Type</ValueName>
      <ValueType>String</ValueType>
    </Rule>
    <Rule id="V-8324" severity="low" conversionstatus="pass" title="Time Synchronization Source Logging" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\Config</Key>
      <OrganizationValueRequired>True</OrganizationValueRequired>
      <OrganizationValueTestString>{0} -match '2|3'</OrganizationValueTestString>
      <rawString>Verify logging is configured to capture time source switches.
 
If the Windows Time Service is used, verify the following registry value. If it is not configured as specified, this is a finding.
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \System\CurrentControlSet\Services\W32Time\Config\
 
Value Name: EventLogFlags
 
Type: REG_DWORD
Value: 2 or 3
 
If another time synchronization tool is used, review the available configuration options and logs. If the tool has time source logging capability and it is not enabled, this is a finding.</rawString>
      <ValueData />
      <ValueName>EventLogFlags</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-11806" severity="low" conversionstatus="pass" title="Display of Last User Name" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\
 
Value Name: DontDisplayLastUserName
 
Value Type: REG_DWORD
Value: 1</rawString>
      <ValueData>1</ValueData>
      <ValueName>DontDisplayLastUserName</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-14228" severity="medium" conversionstatus="pass" title="Audit Access of Global System Objects" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \System\CurrentControlSet\Control\Lsa\
 
Value Name: AuditBaseObjects
 
Value Type: REG_DWORD
Value: 0</rawString>
      <ValueData>0</ValueData>
      <ValueName>AuditBaseObjects</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-14229" severity="medium" conversionstatus="pass" title="Audit Backup and Restore Privileges" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \System\CurrentControlSet\Control\Lsa\
 
Value Name: FullPrivilegeAuditing
 
Value Type: REG_BINARY
Value: 0</rawString>
      <ValueData>0</ValueData>
      <ValueName>FullPrivilegeAuditing</ValueName>
      <ValueType>Binary</ValueType>
    </Rule>
    <Rule id="V-14230" severity="medium" conversionstatus="pass" title="Audit Policy Subcategory Setting" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \System\CurrentControlSet\Control\Lsa\
 
Value Name: SCENoApplyLegacyAuditPolicy
 
Value Type: REG_DWORD
Value: 1</rawString>
      <ValueData>1</ValueData>
      <ValueName>SCENoApplyLegacyAuditPolicy</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-14232" severity="low" conversionstatus="pass" title="IPSec Exemptions" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\IPSEC</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \System\CurrentControlSet\Services\IPSEC\
 
Value Name: NoDefaultExempt
 
Value Type: REG_DWORD
Value: 3</rawString>
      <ValueData>3</ValueData>
      <ValueName>NoDefaultExempt</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-14234" severity="medium" conversionstatus="pass" title="UAC - Admin Approval Mode" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>UAC requirements are NA on Server Core installations.
 
If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\
 
Value Name: FilterAdministratorToken
 
Value Type: REG_DWORD
Value: 1</rawString>
      <ValueData>1</ValueData>
      <ValueName>FilterAdministratorToken</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-14235" severity="medium" conversionstatus="pass" title="UAC - Admin Elevation Prompt" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System</Key>
      <OrganizationValueRequired>True</OrganizationValueRequired>
      <OrganizationValueTestString>'{0}' -le '4'</OrganizationValueTestString>
      <rawString>UAC requirements are NA on Server Core installations.
 
If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\
 
Value Name: ConsentPromptBehaviorAdmin
 
Value Type: REG_DWORD
Value: 4 (Prompt for consent)
3 (Prompt for credentials)
2 (Prompt for consent on the secure desktop)
1 (Prompt for credentials on the secure desktop)</rawString>
      <ValueData />
      <ValueName>ConsentPromptBehaviorAdmin</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-14236" severity="medium" conversionstatus="pass" title="UAC - User Elevation Prompt" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>UAC requirements are NA on Server Core installations.
 
If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\
 
Value Name: ConsentPromptBehaviorUser
 
Value Type: REG_DWORD
Value: 0</rawString>
      <ValueData>0</ValueData>
      <ValueName>ConsentPromptBehaviorUser</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-14237" severity="medium" conversionstatus="pass" title="UAC - Application Installations" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>UAC requirements are NA on Server Core installations.
 
If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\
 
Value Name: EnableInstallerDetection
 
Value Type: REG_DWORD
Value: 1</rawString>
      <ValueData>1</ValueData>
      <ValueName>EnableInstallerDetection</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-14239" severity="medium" conversionstatus="pass" title="UAC - UIAccess Application Elevation" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>UAC requirements are NA on Server Core installations.
 
If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\
 
Value Name: EnableSecureUIAPaths
 
Value Type: REG_DWORD
Value: 1</rawString>
      <ValueData>1</ValueData>
      <ValueName>EnableSecureUIAPaths</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-14240" severity="medium" conversionstatus="pass" title="UAC - All Admin Approval Mode" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>UAC requirements are NA on Server Core installations.
 
If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\
 
Value Name: EnableLUA
 
Value Type: REG_DWORD
Value: 1</rawString>
      <ValueData>1</ValueData>
      <ValueName>EnableLUA</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-14241" severity="medium" conversionstatus="pass" title="UAC - Secure Desktop Mode" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>UAC requirements are NA on Server Core installations.
 
If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\
 
Value Name: PromptOnSecureDesktop
 
Value Type: REG_DWORD
Value: 1</rawString>
      <ValueData>1</ValueData>
      <ValueName>PromptOnSecureDesktop</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-14242" severity="medium" conversionstatus="pass" title="UAC - Non UAC Compliant Application Virtualization" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>UAC requirements are NA on Server Core installations.
 
If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\
 
Value Name: EnableVirtualization
 
Value Type: REG_DWORD
Value: 1</rawString>
      <ValueData>1</ValueData>
      <ValueName>EnableVirtualization</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-14243" severity="medium" conversionstatus="pass" title="Enumerate Administrator Accounts on Elevation" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI\
 
Value Name: EnumerateAdministrators
 
Type: REG_DWORD
Value: 0x00000000 (0)</rawString>
      <ValueData>0</ValueData>
      <ValueName>EnumerateAdministrators</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-14247" severity="medium" conversionstatus="pass" title="TS/RDS - Prevent Password Saving" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Policies\Microsoft\Windows NT\Terminal Services\
 
Value Name: DisablePasswordSaving
 
Type: REG_DWORD
Value: 1</rawString>
      <ValueData>1</ValueData>
      <ValueName>DisablePasswordSaving</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-14249" severity="medium" conversionstatus="pass" title="TS/RDS - Drive Redirection" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Policies\Microsoft\Windows NT\Terminal Services\
 
Value Name: fDisableCdm
 
Type: REG_DWORD
Value: 1</rawString>
      <ValueData>1</ValueData>
      <ValueName>fDisableCdm</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-14259" severity="medium" conversionstatus="pass" title="Printing Over HTTP" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Policies\Microsoft\Windows NT\Printers\
 
Value Name: DisableHTTPPrinting
 
Type: REG_DWORD
Value: 1</rawString>
      <ValueData>1</ValueData>
      <ValueName>DisableHTTPPrinting</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-14260" severity="medium" conversionstatus="pass" title="HTTP Printer Drivers" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Policies\Microsoft\Windows NT\Printers\
 
Value Name: DisableWebPnPDownload
 
Type: REG_DWORD
Value: 1</rawString>
      <ValueData>1</ValueData>
      <ValueName>DisableWebPnPDownload</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-14261" severity="medium" conversionstatus="pass" title="Windows Update Device Drive Searching" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DriverSearching</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Policies\Microsoft\Windows\DriverSearching\
 
Value Name: DontSearchWindowsUpdate
 
Type: REG_DWORD
Value: 1</rawString>
      <ValueData>1</ValueData>
      <ValueName>DontSearchWindowsUpdate</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-14268" severity="medium" conversionstatus="pass" title="Attachment Mgr - Preserve Zone Info" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_CURRENT_USER
Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\Attachments\
 
Value Name: SaveZoneInformation
 
Type: REG_DWORD
Value: 2</rawString>
      <ValueData>2</ValueData>
      <ValueName>SaveZoneInformation</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-14269" severity="medium" conversionstatus="pass" title="Attachment Mgr - Hide Mech to Remove Zone Info" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_CURRENT_USER
Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\Attachments\
 
Value Name: HideZoneInfoOnProperties
 
Type: REG_DWORD
Value: 1</rawString>
      <ValueData>1</ValueData>
      <ValueName>HideZoneInfoOnProperties</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-14270" severity="medium" conversionstatus="pass" title="Attachment Mgr - Scan with Antivirus" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_CURRENT_USER
Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\Attachments\
 
Value Name: ScanWithAntiVirus
 
Type: REG_DWORD
Value: 3</rawString>
      <ValueData>3</ValueData>
      <ValueName>ScanWithAntiVirus</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-15666" severity="medium" conversionstatus="pass" title="Windows Peer to Peer Networking " dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Peernet</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Policies\Microsoft\Peernet\
 
Value Name: Disabled
 
Type: REG_DWORD
Value: 1</rawString>
      <ValueData>1</ValueData>
      <ValueName>Disabled</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-15667" severity="medium" conversionstatus="pass" title="Prohibit Network Bridge" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Network Connections</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Policies\Microsoft\Windows\Network Connections\
 
Value Name: NC_AllowNetBridge_NLA
 
Type: REG_DWORD
Value: 0</rawString>
      <ValueData>0</ValueData>
      <ValueName>NC_AllowNetBridge_NLA</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-15672" severity="low" conversionstatus="pass" title="Event Viewer Events.asp Links" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\EventViewer</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Policies\Microsoft\EventViewer\
 
Value Name: MicrosoftEventVwrDisableLinks
 
Type: REG_DWORD
Value: 1</rawString>
      <ValueData>1</ValueData>
      <ValueName>MicrosoftEventVwrDisableLinks</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-15674" severity="medium" conversionstatus="pass" title="Internet File Association Service " dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
 
Value Name: NoInternetOpenWith
 
Type: REG_DWORD
Value: 1</rawString>
      <ValueData>1</ValueData>
      <ValueName>NoInternetOpenWith</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-15682" severity="medium" conversionstatus="pass" title="RSS Attachment Downloads" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Feeds</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Policies\Microsoft\Internet Explorer\Feeds\
 
Value Name: DisableEnclosureDownload
 
Type: REG_DWORD
Value: 1</rawString>
      <ValueData>1</ValueData>
      <ValueName>DisableEnclosureDownload</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-15683" severity="medium" conversionstatus="pass" title="Windows Explorer – Shell Protocol Protected Mode " dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
 
Value Name: PreXPSP2ShellProtocolBehavior
 
Type: REG_DWORD
Value: 0</rawString>
      <ValueData>0</ValueData>
      <ValueName>PreXPSP2ShellProtocolBehavior</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-15684" severity="medium" conversionstatus="pass" title="Windows Installer – IE Security Prompt" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Policies\Microsoft\Windows\Installer\
 
Value Name: SafeForScripting
 
Type: REG_DWORD
Value: 0</rawString>
      <ValueData>0</ValueData>
      <ValueName>SafeForScripting</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-15685" severity="medium" conversionstatus="pass" title="Windows Installer – User Control " dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Policies\Microsoft\Windows\Installer\
 
Value Name: EnableUserControl
 
Type: REG_DWORD
Value: 0</rawString>
      <ValueData>0</ValueData>
      <ValueName>EnableUserControl</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-15686" severity="low" conversionstatus="pass" title="Windows Installer – Vendor Signed Updates" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Policies\Microsoft\Windows\Installer\
 
Value Name: DisableLUAPatching
 
Type: REG_DWORD
Value: 1</rawString>
      <ValueData>1</ValueData>
      <ValueName>DisableLUAPatching</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-15687" severity="low" conversionstatus="pass" title="Media Player – First Use Dialog Boxes " dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsMediaPlayer</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Windows Media Player is not installed by default. If it is not installed, this is NA.
 
If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Policies\Microsoft\WindowsMediaPlayer\
 
Value Name: GroupPrivacyAcceptance
 
Type: REG_DWORD
Value: 1</rawString>
      <ValueData>1</ValueData>
      <ValueName>GroupPrivacyAcceptance</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-15696.a" severity="medium" conversionstatus="pass" title="Network – Mapper I/O Driver " dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\LLTD</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Policies\Microsoft\Windows\LLTD\
Type: REG_DWORD
Value Name: AllowLLTDIOOndomain
Value: 0</rawString>
      <ValueData>0</ValueData>
      <ValueName>AllowLLTDIOOndomain</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-15696.b" severity="medium" conversionstatus="pass" title="Network – Mapper I/O Driver " dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\LLTD</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Policies\Microsoft\Windows\LLTD\
Type: REG_DWORD
Value Name: AllowLLTDIOOnPublicNet
Value: 0</rawString>
      <ValueData>0</ValueData>
      <ValueName>AllowLLTDIOOnPublicNet</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-15696.c" severity="medium" conversionstatus="pass" title="Network – Mapper I/O Driver " dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\LLTD</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Policies\Microsoft\Windows\LLTD\
Type: REG_DWORD
Value Name: EnableLLTDIO
Value: 0</rawString>
      <ValueData>0</ValueData>
      <ValueName>EnableLLTDIO</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-15696.d" severity="medium" conversionstatus="pass" title="Network – Mapper I/O Driver " dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\LLTD</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Policies\Microsoft\Windows\LLTD\
Type: REG_DWORD
Value Name: ProhibitLLTDIOOnPrivateNet
Value: 0</rawString>
      <ValueData>0</ValueData>
      <ValueName>ProhibitLLTDIOOnPrivateNet</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-15697.a" severity="medium" conversionstatus="pass" title="Network – Responder Driver " dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\LLTD</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Policies\Microsoft\Windows\LLTD\
Type: REG_DWORD
Value Name: AllowRspndrOndomain
Value: 0</rawString>
      <ValueData>0</ValueData>
      <ValueName>AllowRspndrOndomain</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-15697.b" severity="medium" conversionstatus="pass" title="Network – Responder Driver " dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\LLTD</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Policies\Microsoft\Windows\LLTD\
Type: REG_DWORD
Value Name: AllowRspndrOnPublicNet
Value: 0</rawString>
      <ValueData>0</ValueData>
      <ValueName>AllowRspndrOnPublicNet</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-15697.c" severity="medium" conversionstatus="pass" title="Network – Responder Driver " dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\LLTD</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Policies\Microsoft\Windows\LLTD\
Type: REG_DWORD
Value Name: EnableRspndr
Value: 0</rawString>
      <ValueData>0</ValueData>
      <ValueName>EnableRspndr</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-15697.d" severity="medium" conversionstatus="pass" title="Network – Responder Driver " dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\LLTD</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Policies\Microsoft\Windows\LLTD\
Type: REG_DWORD
Value Name: ProhibitRspndrOnPrivateNet
Value: 0</rawString>
      <ValueData>0</ValueData>
      <ValueName>ProhibitRspndrOnPrivateNet</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-15698.a" severity="medium" conversionstatus="pass" title="Network – WCN Wireless Configuration " dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WCN\Registrars</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Policies\Microsoft\Windows\WCN\Registrars\
Type: REG_DWORD
Value Name: DisableFlashConfigRegistrar
Value: 0</rawString>
      <ValueData>0</ValueData>
      <ValueName>DisableFlashConfigRegistrar</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-15698.b" severity="medium" conversionstatus="pass" title="Network – WCN Wireless Configuration " dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WCN\Registrars</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Policies\Microsoft\Windows\WCN\Registrars\
Type: REG_DWORD
Value Name: DisableInBand802DOT11Registrar
Value: 0</rawString>
      <ValueData>0</ValueData>
      <ValueName>DisableInBand802DOT11Registrar</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-15698.c" severity="medium" conversionstatus="pass" title="Network – WCN Wireless Configuration " dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WCN\Registrars</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Policies\Microsoft\Windows\WCN\Registrars\
Type: REG_DWORD
Value Name: DisableUPnPRegistrar
Value: 0</rawString>
      <ValueData>0</ValueData>
      <ValueName>DisableUPnPRegistrar</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-15698.d" severity="medium" conversionstatus="pass" title="Network – WCN Wireless Configuration " dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WCN\Registrars</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Policies\Microsoft\Windows\WCN\Registrars\
Type: REG_DWORD
Value Name: DisableWPDRegistrar
Value: 0</rawString>
      <ValueData>0</ValueData>
      <ValueName>DisableWPDRegistrar</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-15698.e" severity="medium" conversionstatus="pass" title="Network – WCN Wireless Configuration " dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WCN\Registrars</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Policies\Microsoft\Windows\WCN\Registrars\
Type: REG_DWORD
Value Name: EnableRegistrars
Value: 0</rawString>
      <ValueData>0</ValueData>
      <ValueName>EnableRegistrars</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-15699" severity="medium" conversionstatus="pass" title="Network – Windows Connect Now Wizards " dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WCN\UI</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Policies\Microsoft\Windows\WCN\UI\
 
Value Name: DisableWcnUi
 
Type: REG_DWORD
Value: 1</rawString>
      <ValueData>1</ValueData>
      <ValueName>DisableWcnUi</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-15700" severity="medium" conversionstatus="pass" title="Device Install – PnP Interface Remote Access " dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeviceInstall\Settings</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Policies\Microsoft\Windows\DeviceInstall\Settings\
 
Value Name: AllowRemoteRPC
 
Type: REG_DWORD
Value: 0</rawString>
      <ValueData>0</ValueData>
      <ValueName>AllowRemoteRPC</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-15701" severity="low" conversionstatus="pass" title="Device Install – Drivers System Restore Point" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeviceInstall\Settings</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Policies\Microsoft\Windows\DeviceInstall\Settings\
 
Value Name: DisableSystemRestore
 
Type: REG_DWORD
Value: 0</rawString>
      <ValueData>0</ValueData>
      <ValueName>DisableSystemRestore</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-15702" severity="low" conversionstatus="pass" title="Device Install – Generic Driver Error Report" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeviceInstall\Settings</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Policies\Microsoft\Windows\DeviceInstall\Settings\
 
Value Name: DisableSendGenericDriverNotFoundToWER
 
Type: REG_DWORD
Value: 1</rawString>
      <ValueData>1</ValueData>
      <ValueName>DisableSendGenericDriverNotFoundToWER</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-15703" severity="low" conversionstatus="pass" title="Driver Install – Device Driver Search Prompt" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DriverSearching</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Policies\Microsoft\Windows\DriverSearching\
 
Value Name: DontPromptForWindowsUpdate
 
Type: REG_DWORD
Value: 1</rawString>
      <ValueData>1</ValueData>
      <ValueName>DontPromptForWindowsUpdate</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-15704" severity="low" conversionstatus="pass" title="Handwriting Recognition Error Reporting" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\HandwritingErrorReports</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Policies\Microsoft\Windows\HandwritingErrorReports\
 
Value Name: PreventHandwritingErrorReports
 
Type: REG_DWORD
Value: 1</rawString>
      <ValueData>1</ValueData>
      <ValueName>PreventHandwritingErrorReports</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-15705" severity="medium" conversionstatus="pass" title="Power Mgmt – Password Wake on Battery" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51\
 
Value Name: DCSettingIndex
 
Type: REG_DWORD
Value: 1</rawString>
      <ValueData>1</ValueData>
      <ValueName>DCSettingIndex</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-15706" severity="medium" conversionstatus="pass" title="Power Mgmt – Password Wake When Plugged In" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51\
 
Value Name: ACSettingIndex
 
Type: REG_DWORD
Value: 1</rawString>
      <ValueData>1</ValueData>
      <ValueName>ACSettingIndex</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-15707" severity="low" conversionstatus="pass" title="Remote Assistance – Session Logging" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Policies\Microsoft\Windows NT\Terminal Services\
 
Value Name: LoggingEnabled
 
Type: REG_DWORD
Value: 1</rawString>
      <ValueData>1</ValueData>
      <ValueName>LoggingEnabled</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-15713" severity="medium" conversionstatus="pass" title="Defender – SpyNet Reporting" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet</Key>
      <OrganizationValueRequired>True</OrganizationValueRequired>
      <OrganizationValueTestString>{0} -notmatch '1|2'</OrganizationValueTestString>
      <rawString>If the following registry value exists and is set to "1" (Basic) or "2" (Advanced), this is a finding:
 
If the registry value does not exist, this is not a finding.
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet\
 
Value Name: SpyNetReporting
 
Type: REG_DWORD
Value: 1 or 2 = a Finding</rawString>
      <ValueData />
      <ValueName>SpyNetReporting</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-15718" severity="low" conversionstatus="pass" title="Windows Explorer – Heap Termination" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Explorer</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Policies\Microsoft\Windows\Explorer\
 
Value Name: NoHeapTerminationOnCorruption
 
Type: REG_DWORD
Value: 0</rawString>
      <ValueData>0</ValueData>
      <ValueName>NoHeapTerminationOnCorruption</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-15722" severity="medium" conversionstatus="pass" title="Media DRM – Internet Access" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WMDRM</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Policies\Microsoft\WMDRM\
 
Value Name: DisableOnline
 
Type: REG_DWORD
Value: 1</rawString>
      <ValueData>1</ValueData>
      <ValueName>DisableOnline</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-15727" severity="medium" conversionstatus="pass" title="User Network Sharing" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_CURRENT_USER
Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
 
Value Name: NoInPlaceSharing
 
Type: REG_DWORD
Value: 1</rawString>
      <ValueData>1</ValueData>
      <ValueName>NoInPlaceSharing</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-15991" severity="medium" conversionstatus="pass" title="UAC - UIAccess Secure Desktop" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>UAC requirements are NA on Server Core installations.
 
If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\
 
Value Name: EnableUIADesktopToggle
 
Value Type: REG_DWORD
Value: 0</rawString>
      <ValueData>0</ValueData>
      <ValueName>EnableUIADesktopToggle</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-15997" severity="medium" conversionstatus="pass" title="TS/RDS – COM Port Redirection" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Policies\Microsoft\Windows NT\Terminal Services\
 
Value Name: fDisableCcm
 
Type: REG_DWORD
Value: 1</rawString>
      <ValueData>1</ValueData>
      <ValueName>fDisableCcm</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-15998" severity="medium" conversionstatus="pass" title="TS/RDS – LPT Port Redirection" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Policies\Microsoft\Windows NT\Terminal Services\
 
Value Name: fDisableLPT
 
Type: REG_DWORD
Value: 1</rawString>
      <ValueData>1</ValueData>
      <ValueName>fDisableLPT</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-15999" severity="medium" conversionstatus="pass" title="TS/RDS - PNP Device Redirection" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Policies\Microsoft\Windows NT\Terminal Services\
 
Value Name: fDisablePNPRedir
 
Type: REG_DWORD
Value: 1</rawString>
      <ValueData>1</ValueData>
      <ValueName>fDisablePNPRedir</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-16000" severity="medium" conversionstatus="pass" title="TS/RDS – Smart Card Device Redirection" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Policies\Microsoft\Windows NT\Terminal Services\
 
Value Name: fEnableSmartCard
 
Type: REG_DWORD
Value: 1</rawString>
      <ValueData>1</ValueData>
      <ValueName>fEnableSmartCard</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-16008" severity="medium" conversionstatus="pass" title="UAC - Application Elevations" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>UAC requirements are NA on Server Core installations.
 
If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\
 
Value Name: ValidateAdminCodeSignatures
 
Value Type: REG_DWORD
Value: 0</rawString>
      <ValueData>0</ValueData>
      <ValueName>ValidateAdminCodeSignatures</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-16020" severity="medium" conversionstatus="pass" title="Windows Customer Experience Improvement Program " dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SQMClient\Windows</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Policies\Microsoft\SQMClient\Windows\
 
Value Name: CEIPEnable
 
Type: REG_DWORD
Value: 0</rawString>
      <ValueData>0</ValueData>
      <ValueName>CEIPEnable</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-16021" severity="medium" conversionstatus="pass" title="Help Experience Improvement Program " dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_CURRENT_USER\Software\Policies\Microsoft\Assistance\Client\1.0</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_CURRENT_USER
Registry Path: \Software\Policies\Microsoft\Assistance\Client\1.0\
 
Value Name: NoImplicitFeedback
 
Type: REG_DWORD
Value: 1</rawString>
      <ValueData>1</ValueData>
      <ValueName>NoImplicitFeedback</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-16048" severity="medium" conversionstatus="pass" title="Help Ratings" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_CURRENT_USER\Software\Policies\Microsoft\Assistance\Client\1.0</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_CURRENT_USER
Registry Path: \Software\Policies\Microsoft\Assistance\Client\1.0\
 
Value Name: NoExplicitFeedback
 
Type: REG_DWORD
Value: 1</rawString>
      <ValueData>1</ValueData>
      <ValueName>NoExplicitFeedback</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-21950" severity="medium" conversionstatus="pass" title="SPN Target Name Validation Level" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \System\CurrentControlSet\Services\LanmanServer\Parameters\
 
Value Name: SmbServerNameHardeningLevel
 
Type: REG_DWORD
Value: 0</rawString>
      <ValueData>0</ValueData>
      <ValueName>SmbServerNameHardeningLevel</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-21951" severity="medium" conversionstatus="pass" title="Computer Identity Authentication for NTLM" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \System\CurrentControlSet\Control\LSA\
 
Value Name: UseMachineId
 
Type: REG_DWORD
Value: 1</rawString>
      <ValueData>1</ValueData>
      <ValueName>UseMachineId</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-21952" severity="medium" conversionstatus="pass" title="NTLM NULL Session Fallback" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\MSV1_0</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \System\CurrentControlSet\Control\LSA\MSV1_0\
 
Value Name: allownullsessionfallback
 
Type: REG_DWORD
Value: 0</rawString>
      <ValueData>0</ValueData>
      <ValueName>allownullsessionfallback</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-21953" severity="medium" conversionstatus="pass" title="PKU2U Online Identities Authentication" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\pku2u</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \System\CurrentControlSet\Control\LSA\pku2u\
 
Value Name: AllowOnlineID
 
Type: REG_DWORD
Value: 0</rawString>
      <ValueData>0</ValueData>
      <ValueName>AllowOnlineID</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-21955" severity="low" conversionstatus="pass" title="IPv6 Source Routing" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\
 
Value Name: DisableIPSourceRouting
 
Type: REG_DWORD
Value: 2</rawString>
      <ValueData>2</ValueData>
      <ValueName>DisableIPSourceRouting</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-21956" severity="low" conversionstatus="pass" title="IPv6 TCP Data Retransmissions" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters</Key>
      <OrganizationValueRequired>True</OrganizationValueRequired>
      <OrganizationValueTestString>{0} -le '3'</OrganizationValueTestString>
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\
 
Value Name: TcpMaxDataRetransmissions
 
Value Type: REG_DWORD
Value: 3 (or less)</rawString>
      <ValueData />
      <ValueName>TcpMaxDataRetransmissions</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-21960" severity="low" conversionstatus="pass" title="Elevate when setting a network’s location" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Network Connections</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Policies\Microsoft\Windows\Network Connections\
 
Value Name: NC_StdDomainUserSetLocation
 
Type: REG_DWORD
Value: 1</rawString>
      <ValueData>1</ValueData>
      <ValueName>NC_StdDomainUserSetLocation</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-21961" severity="low" conversionstatus="pass" title="Direct Access – Route Through Internal Network" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\TCPIP\v6Transition</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Policies\Microsoft\Windows\TCPIP\v6Transition\
 
Value Name: Force_Tunneling
 
Type: REG_SZ
Value: Enabled</rawString>
      <ValueData>Enabled</ValueData>
      <ValueName>Force_Tunneling</ValueName>
      <ValueType>String</ValueType>
    </Rule>
    <Rule id="V-21963" severity="low" conversionstatus="pass" title="Windows Update Point and Print Driver Search" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Policies\Microsoft\Windows NT\Printers\
 
Value Name: DoNotInstallCompatibleDriverFromWindowsUpdate
 
Type: REG_DWORD
Value: 1</rawString>
      <ValueData>1</ValueData>
      <ValueName>DoNotInstallCompatibleDriverFromWindowsUpdate</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-21964" severity="low" conversionstatus="pass" title="Prevent device metadata retrieval from Internet" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Device Metadata</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \SOFTWARE\Policies\Microsoft\Windows\Device Metadata\
 
Value Name: PreventDeviceMetadataFromNetwork
 
Value Type: REG_DWORD
Value: 1</rawString>
      <ValueData>1</ValueData>
      <ValueName>PreventDeviceMetadataFromNetwork</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-21965" severity="low" conversionstatus="pass" title="Prevent Windows Update for device driver search" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DriverSearching</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Policies\Microsoft\Windows\DriverSearching\
 
Value Name: SearchOrderConfig
 
Type: REG_DWORD
Value: 0</rawString>
      <ValueData>0</ValueData>
      <ValueName>SearchOrderConfig</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-21967" severity="low" conversionstatus="pass" title="MSDT Interactive Communication" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy\
 
Value Name: DisableQueryRemoteServer
 
Type: REG_DWORD
Value: 0</rawString>
      <ValueData>0</ValueData>
      <ValueName>DisableQueryRemoteServer</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-21969" severity="low" conversionstatus="pass" title="Windows Online Troubleshooting Service" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy\
 
Value Name: EnableQueryRemoteServer
 
Type: REG_DWORD
Value: 0</rawString>
      <ValueData>0</ValueData>
      <ValueName>EnableQueryRemoteServer</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-21970" severity="low" conversionstatus="pass" title="Disable PerfTrack" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d}</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d}\
 
Value Name: ScenarioExecutionEnabled
 
Type: REG_DWORD
Value: 0</rawString>
      <ValueData>0</ValueData>
      <ValueName>ScenarioExecutionEnabled</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-21971" severity="low" conversionstatus="pass" title="Application Compatibility Program Inventory" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\AppCompat</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Policies\Microsoft\Windows\AppCompat\
 
Value Name: DisableInventory
 
Type: REG_DWORD
Value: 1</rawString>
      <ValueData>1</ValueData>
      <ValueName>DisableInventory</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-21973" severity="high" conversionstatus="pass" title="Autoplay for non-volume devices" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Explorer</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Policies\Microsoft\Windows\Explorer\
 
Value Name: NoAutoplayfornonVolume
 
Type: REG_DWORD
Value: 1</rawString>
      <ValueData>1</ValueData>
      <ValueName>NoAutoplayfornonVolume</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-21980" severity="medium" conversionstatus="pass" title="Explorer Data Execution Prevention" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Explorer</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Policies\Microsoft\Windows\Explorer\
 
Value Name: NoDataExecutionPrevention
 
Type: REG_DWORD
Value: 0</rawString>
      <ValueData>0</ValueData>
      <ValueName>NoDataExecutionPrevention</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-22692" severity="high" conversionstatus="pass" title="Default Autorun Behavior" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\
 
Value Name: NoAutorun
 
Type: REG_DWORD
Value: 1</rawString>
      <ValueData>1</ValueData>
      <ValueName>NoAutorun</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-26283" severity="high" conversionstatus="pass" title="Restrict Anonymous SAM Enumeration" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \System\CurrentControlSet\Control\Lsa\
 
Value Name: RestrictAnonymousSAM
 
Value Type: REG_DWORD
Value: 1</rawString>
      <ValueData>1</ValueData>
      <ValueName>RestrictAnonymousSAM</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-26359" severity="low" conversionstatus="pass" title="Legal Banner Dialog Box Title" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System</Key>
      <OrganizationValueRequired>True</OrganizationValueRequired>
      <OrganizationValueTestString>'{0}' -match '^(DoD Notice and Consent Banner|US Department of Defense Warning Statement)$'</OrganizationValueTestString>
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\
 
Value Name: LegalNoticeCaption
 
Value Type: REG_SZ
Value: See message title options below
 
"DoD Notice and Consent Banner", "US Department of Defense Warning Statement", or a site-defined equivalent.
 
If a site-defined title is used, it can in no case contravene or modify the language of the banner text required in V-1089.
 
Automated tools may only search for the titles defined above. If a site-defined title is used, a manual review will be required.</rawString>
      <ValueData />
      <ValueName>LegalNoticeCaption</ValueName>
      <ValueType>String</ValueType>
    </Rule>
    <Rule id="V-26575" severity="medium" conversionstatus="pass" title="6to4 State" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\TCPIP\v6Transition</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Policies\Microsoft\Windows\TCPIP\v6Transition\
 
Value Name: 6to4_State
 
Type: REG_SZ
Value: Disabled</rawString>
      <ValueData>Disabled</ValueData>
      <ValueName>6to4_State</ValueName>
      <ValueType>String</ValueType>
    </Rule>
    <Rule id="V-26576" severity="medium" conversionstatus="pass" title="IP-HTTPS State" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\TCPIP\v6Transition\IPHTTPS\IPHTTPSInterface</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Policies\Microsoft\Windows\TCPIP\v6Transition\IPHTTPS\IPHTTPSInterface\
 
Value Name: IPHTTPS_ClientState
 
Type: REG_DWORD
Value: 3</rawString>
      <ValueData>3</ValueData>
      <ValueName>IPHTTPS_ClientState</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-26577" severity="medium" conversionstatus="pass" title="ISATAP State" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\TCPIP\v6Transition</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Policies\Microsoft\Windows\TCPIP\v6Transition\
 
Value Name: ISATAP_State
 
Type: REG_SZ
Value: Disabled</rawString>
      <ValueData>Disabled</ValueData>
      <ValueName>ISATAP_State</ValueName>
      <ValueType>String</ValueType>
    </Rule>
    <Rule id="V-26578" severity="medium" conversionstatus="pass" title="Teredo State" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\TCPIP\v6Transition</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Policies\Microsoft\Windows\TCPIP\v6Transition\
 
Value Name: Teredo_State
 
Type: REG_SZ
Value: Disabled</rawString>
      <ValueData>Disabled</ValueData>
      <ValueName>Teredo_State</ValueName>
      <ValueType>String</ValueType>
    </Rule>
    <Rule id="V-26579" severity="medium" conversionstatus="pass" title="Maximum Log Size - Application" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application</Key>
      <OrganizationValueRequired>True</OrganizationValueRequired>
      <OrganizationValueTestString>{0} -ge '32768'</OrganizationValueTestString>
      <rawString>If the system is configured to write events directly to an audit server, this is NA.
 
If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \SOFTWARE\Policies\Microsoft\Windows\EventLog\Application\
 
Value Name: MaxSize
 
Type: REG_DWORD
Value: 0x00008000 (32768) (or greater)</rawString>
      <ValueData />
      <ValueName>MaxSize</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-26580" severity="medium" conversionstatus="pass" title="Maximum Log Size - Security" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security</Key>
      <OrganizationValueRequired>True</OrganizationValueRequired>
      <OrganizationValueTestString>{0} -ge '196608'</OrganizationValueTestString>
      <rawString>If the system is configured to write events directly to an audit server, this is NA.
 
If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \SOFTWARE\Policies\Microsoft\Windows\EventLog\Security\
 
Value Name: MaxSize
 
Type: REG_DWORD
Value: 0x00030000 (196608) (or greater)</rawString>
      <ValueData />
      <ValueName>MaxSize</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-26581" severity="medium" conversionstatus="pass" title="Maximum Log Size - Setup" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup</Key>
      <OrganizationValueRequired>True</OrganizationValueRequired>
      <OrganizationValueTestString>{0} -ge '32768'</OrganizationValueTestString>
      <rawString>If the system is configured to write events directly to an audit server, this is NA.
 
If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup\
 
Value Name: MaxSize
 
Type: REG_DWORD
Value: 0x00008000 (32768) (or greater)</rawString>
      <ValueData />
      <ValueName>MaxSize</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-26582" severity="medium" conversionstatus="pass" title="Maximum Log Size - System" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System</Key>
      <OrganizationValueRequired>True</OrganizationValueRequired>
      <OrganizationValueTestString>{0} -ge '32768'</OrganizationValueTestString>
      <rawString>If the system is configured to write events directly to an audit server, this is NA.
 
If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \SOFTWARE\Policies\Microsoft\Windows\EventLog\System\
 
Value Name: MaxSize
 
Type: REG_DWORD
Value: 0x00008000 (32768) (or greater)</rawString>
      <ValueData />
      <ValueName>MaxSize</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-28504" severity="low" conversionstatus="pass" title="Device Install Software Request Error Report" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeviceInstall\Settings</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Policies\Microsoft\Windows\DeviceInstall\Settings\
 
Value Name: DisableSendRequestAdditionalSoftwareToWER
 
Type: REG_DWORD
Value: 1</rawString>
      <ValueData>1</ValueData>
      <ValueName>DisableSendRequestAdditionalSoftwareToWER</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-34974" severity="high" conversionstatus="pass" title="Always Install with Elevated Privileges Disabled" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Policies\Microsoft\Windows\Installer\
 
Value Name: AlwaysInstallElevated
 
Type: REG_DWORD
Value: 0</rawString>
      <ValueData>0</ValueData>
      <ValueName>AlwaysInstallElevated</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-36656" severity="medium" conversionstatus="pass" title="WINUC-000001" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Control Panel\Desktop</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_CURRENT_USER
Registry Path: \Software\Policies\Microsoft\Windows\Control Panel\Desktop\
 
Value Name: ScreenSaveActive
 
Type: REG_SZ
Value: 1
 
Applications requiring continuous, real-time screen display (e.g., network management products) require the following and must be documented with the ISSO:
  
-The logon session does not have administrator rights.
-The display station (e.g., keyboard, monitor, etc.) is located in a controlled access area.</rawString>
      <ValueData>1</ValueData>
      <ValueName>ScreenSaveActive</ValueName>
      <ValueType>String</ValueType>
    </Rule>
    <Rule id="V-36657" severity="medium" conversionstatus="pass" title="WINUC-000003" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Control Panel\Desktop</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_CURRENT_USER
Registry Path: \Software\Policies\Microsoft\Windows\Control Panel\Desktop\
 
Value Name: ScreenSaverIsSecure
 
Type: REG_SZ
Value: 1</rawString>
      <ValueData>1</ValueData>
      <ValueName>ScreenSaverIsSecure</ValueName>
      <ValueType>String</ValueType>
    </Rule>
    <Rule id="V-36673" severity="low" conversionstatus="pass" title="WINCC-000011" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \System\CurrentControlSet\Services\Tcpip\Parameters\
 
Value Name: EnableIPAutoConfigurationLimits
 
Type: REG_DWORD
Value: 1</rawString>
      <ValueData>1</ValueData>
      <ValueName>EnableIPAutoConfigurationLimits</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-36677" severity="low" conversionstatus="pass" title="WINCC-000018" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Servicing</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\Servicing\
 
Value Name: UseWindowsUpdate
 
Type: REG_DWORD
Value: 2</rawString>
      <ValueData>2</ValueData>
      <ValueName>UseWindowsUpdate</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-36678" severity="low" conversionstatus="pass" title="WINCC-000025" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DriverSearching</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Policies\Microsoft\Windows\DriverSearching\
 
Value Name: DriverServerSelection
 
Type: REG_DWORD
Value: 1</rawString>
      <ValueData>1</ValueData>
      <ValueName>DriverServerSelection</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-36679" severity="medium" conversionstatus="pass" title="WINCC-000027" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Policies\EarlyLaunch</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \System\CurrentControlSet\Policies\EarlyLaunch\
 
Value Name: DriverLoadPolicy
 
Type: REG_DWORD
Value: 1</rawString>
      <ValueData>1</ValueData>
      <ValueName>DriverLoadPolicy</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-36680" severity="medium" conversionstatus="pass" title="WINCC-000030" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>The Windows Store is not installed by default. If the \Windows\WinStore directory does not exist, this is NA.
 
If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \SOFTWARE\Policies\Microsoft\Windows\Explorer\
 
Value Name: NoUseStoreOpenWith
 
Type: REG_DWORD
Value: 1</rawString>
      <ValueData>1</ValueData>
      <ValueName>NoUseStoreOpenWith</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-36681" severity="medium" conversionstatus="pass" title="WINCC-000048" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Control Panel\International</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Policies\Microsoft\Control Panel\International\
 
Value Name: BlockUserInputMethodsForSignIn
 
Type: REG_DWORD
Value: 1</rawString>
      <ValueData>1</ValueData>
      <ValueName>BlockUserInputMethodsForSignIn</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-36684" severity="medium" conversionstatus="pass" title="WINCC-000051" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Policies\Microsoft\Windows\System\
 
Value Name: EnumerateLocalUsers
 
Type: REG_DWORD
Value: 0</rawString>
      <ValueData>0</ValueData>
      <ValueName>EnumerateLocalUsers</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-36687" severity="medium" conversionstatus="pass" title="WINCC-000052" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Policies\Microsoft\Windows\System\
 
Value Name: DisableLockScreenAppNotifications
 
Type: REG_DWORD
Value: 1</rawString>
      <ValueData>1</ValueData>
      <ValueName>DisableLockScreenAppNotifications</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-36696" severity="low" conversionstatus="pass" title="WINCC-000065" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\AppCompat</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Policies\Microsoft\Windows\AppCompat\
 
Value Name: DisablePcaUI
 
Type: REG_DWORD
Value: 0</rawString>
      <ValueData>0</ValueData>
      <ValueName>DisablePcaUI</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-36697" severity="low" conversionstatus="pass" title="WINCC-000070" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Appx</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Policies\Microsoft\Windows\Appx\
 
Value Name: AllowAllTrustedApps
 
Type: REG_DWORD
Value: 1</rawString>
      <ValueData>1</ValueData>
      <ValueName>AllowAllTrustedApps</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-36698" severity="medium" conversionstatus="pass" title="WINCC-000075" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Biometrics</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \SOFTWARE\Policies\Microsoft\Biometrics\
 
Value Name: Enabled
 
Type: REG_DWORD
Value: 0</rawString>
      <ValueData>0</ValueData>
      <ValueName>Enabled</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-36700" severity="medium" conversionstatus="pass" title="WINCC-000076" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CredUI</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Policies\Microsoft\Windows\CredUI\
 
Value Name: DisablePasswordReveal
 
Type: REG_DWORD
Value: 1</rawString>
      <ValueData>1</ValueData>
      <ValueName>DisablePasswordReveal</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-36707" severity="low" conversionstatus="pass" title="WINCC-000088" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Policies\Microsoft\Windows\System\
 
Value Name: EnableSmartScreen
 
Type: REG_DWORD
Value: 0</rawString>
      <ValueData>0</ValueData>
      <ValueName>EnableSmartScreen</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-36708" severity="medium" conversionstatus="pass" title="WINCC-000095" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\LocationAndSensors</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Policies\Microsoft\Windows\LocationAndSensors\
 
Value Name: DisableLocation
 
Type: REG_DWORD
Value: 1 (Enabled)
 
If location services are approved for the system by the organization, this may be set to "Disabled" (0). This must be documented with the ISSO.</rawString>
      <ValueData>1</ValueData>
      <ValueName>DisableLocation</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-36709" severity="medium" conversionstatus="pass" title="WINCC-000106" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Feeds</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Policies\Microsoft\Internet Explorer\Feeds\
 
Value Name: AllowBasicAuthInClear
 
Type: REG_DWORD
Value: 0</rawString>
      <ValueData>0</ValueData>
      <ValueName>AllowBasicAuthInClear</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-36710.a" severity="low" conversionstatus="pass" title="WINCC-000109" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \SOFTWARE\Policies\Microsoft\WindowsStore\
Type: REG_DWORD
Value Name: AutoDownload
Value: 0x00000002 (2)</rawString>
      <ValueData>2</ValueData>
      <ValueName>AutoDownload</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-36710.b" severity="low" conversionstatus="pass" title="WINCC-000109" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore\WindowsUpdate</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \SOFTWARE\Policies\Microsoft\WindowsStore\WindowsUpdate\
Type: REG_DWORD
Value Name: AutoDownload
Value: 0x00000002 (2)</rawString>
      <ValueData>2</ValueData>
      <ValueName>AutoDownload</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-36711" severity="medium" conversionstatus="pass" title="WINCC-000110" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>The Windows Store is not installed by default. If the \Windows\WinStore directory does not exist, this is NA.
If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \SOFTWARE\Policies\Microsoft\WindowsStore\
 
Value Name: RemoveWindowsStore
 
Type: REG_DWORD
Value: 1</rawString>
      <ValueData>1</ValueData>
      <ValueName>RemoveWindowsStore</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-36712" severity="high" conversionstatus="pass" title="WINCC-000123" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Client</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Policies\Microsoft\Windows\WinRM\Client\
 
Value Name: AllowBasic
 
Type: REG_DWORD
Value: 0</rawString>
      <ValueData>0</ValueData>
      <ValueName>AllowBasic</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-36713" severity="medium" conversionstatus="pass" title="WINCC-000124" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Client</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Policies\Microsoft\Windows\WinRM\Client\
 
Value Name: AllowUnencryptedTraffic
 
Type: REG_DWORD
Value: 0</rawString>
      <ValueData>0</ValueData>
      <ValueName>AllowUnencryptedTraffic</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-36714" severity="medium" conversionstatus="pass" title="WINCC-000125" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Client</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Policies\Microsoft\Windows\WinRM\Client\
 
Value Name: AllowDigest
 
Type: REG_DWORD
Value: 0</rawString>
      <ValueData>0</ValueData>
      <ValueName>AllowDigest</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-36718" severity="high" conversionstatus="pass" title="WINCC-000126" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Service</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Policies\Microsoft\Windows\WinRM\Service\
 
Value Name: AllowBasic
 
Type: REG_DWORD
Value: 0</rawString>
      <ValueData>0</ValueData>
      <ValueName>AllowBasic</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-36719" severity="medium" conversionstatus="pass" title="WINCC-000127" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Service</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Policies\Microsoft\Windows\WinRM\Service\
 
Value Name: AllowUnencryptedTraffic
 
Type: REG_DWORD
Value: 0</rawString>
      <ValueData>0</ValueData>
      <ValueName>AllowUnencryptedTraffic</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-36720" severity="medium" conversionstatus="pass" title="WINCC-000128" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Service</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Policies\Microsoft\Windows\WinRM\Service\
 
Value Name: DisableRunAs
 
Type: REG_DWORD
Value: 1</rawString>
      <ValueData>1</ValueData>
      <ValueName>DisableRunAs</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-36773" severity="medium" conversionstatus="pass" title="WINSO-000021" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System</Key>
      <OrganizationValueRequired>True</OrganizationValueRequired>
      <OrganizationValueTestString>{0} -le '900'</OrganizationValueTestString>
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\
 
Value Name: InactivityTimeoutSecs
 
Value Type: REG_DWORD
Value: 0x00000384 (900) (or less)</rawString>
      <ValueData />
      <ValueName>InactivityTimeoutSecs</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-36774" severity="low" conversionstatus="pass" title="WINUC-000002" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Control Panel\Desktop</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_CURRENT_USER
Registry Path: \Software\Policies\Microsoft\Windows\Control Panel\Desktop\
 
Value Name: SCRNSAVE.EXE
 
Type: REG_SZ
Value: scrnsave.scr</rawString>
      <ValueData>scrnsave.scr</ValueData>
      <ValueName>SCRNSAVE.EXE</ValueName>
      <ValueType>String</ValueType>
    </Rule>
    <Rule id="V-36775" severity="low" conversionstatus="pass" title="WINUC-000004" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_CURRENT_USER
Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\
 
Value Name: NoDispScrSavPage
 
Type: REG_DWORD
Value: 1</rawString>
      <ValueData>1</ValueData>
      <ValueName>NoDispScrSavPage</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-36776" severity="low" conversionstatus="pass" title="WINUC-000005" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_CURRENT_USER
Registry Path: \SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications\
 
Value Name: NoCloudApplicationNotification
 
Type: REG_DWORD
Value: 1</rawString>
      <ValueData>1</ValueData>
      <ValueName>NoCloudApplicationNotification</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-36777" severity="low" conversionstatus="pass" title="WINUC-000006" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_CURRENT_USER
Registry Path: \SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications\
 
Value Name: NoToastApplicationNotificationOnLockScreen
 
Type: REG_DWORD
Value: 1</rawString>
      <ValueData>1</ValueData>
      <ValueName>NoToastApplicationNotificationOnLockScreen</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-40204" severity="medium" conversionstatus="pass" title="WNCC-000136" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Policies\Microsoft\Windows NT\Terminal Services\
 
Value Name: RedirectOnlyDefaultClientPrinter
 
Type: REG_DWORD
Value: 1</rawString>
      <ValueData>1</ValueData>
      <ValueName>RedirectOnlyDefaultClientPrinter</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-43238" severity="medium" conversionstatus="pass" title="WINCC-000138" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>This requirement is NA for the initial release of Windows 2012. It is applicable to Windows 2012 R2.
 
Verify the registry value below. If it does not exist or is not configured as specified, this is a finding.
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \SOFTWARE\Policies\Microsoft\Windows\Personalization\
 
Value Name: NoLockScreenSlideshow
 
Value Type: REG_DWORD
Value: 1</rawString>
      <ValueData>1</ValueData>
      <ValueName>NoLockScreenSlideshow</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-43239" severity="medium" conversionstatus="pass" title="WINCC-000139" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>This requirement is NA for the initial release of Windows 2012. It is applicable to Windows 2012 R2.
 
Verify the registry value below. If it does not exist or is not configured as specified, this is a finding.
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit\
 
Value Name: ProcessCreationIncludeCmdLine_Enabled
 
Value Type: REG_DWORD
Value: 0</rawString>
      <ValueData>0</ValueData>
      <ValueName>ProcessCreationIncludeCmdLine_Enabled</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-43240" severity="medium" conversionstatus="pass" title="WINCC-000140" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>This requirement is NA for the initial release of Windows 2012. It is applicable to Windows 2012 R2.
 
Verify the registry value below. If it does not exist or is not configured as specified, this is a finding.
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \SOFTWARE\Policies\Microsoft\Windows\System\
 
Value Name: DontDisplayNetworkSelectionUI
 
Value Type: REG_DWORD
Value: 1</rawString>
      <ValueData>1</ValueData>
      <ValueName>DontDisplayNetworkSelectionUI</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-43241" severity="low" conversionstatus="pass" title="WINCC-000141" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>This requirement is NA for the initial release of Windows 2012. It is applicable to Windows 2012 R2.
 
Verify the registry value below. If it does not exist or is not configured as specified, this is a finding.
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
 
Value Name: MSAOptional
 
Value Type: REG_DWORD
Value: 1</rawString>
      <ValueData>1</ValueData>
      <ValueName>MSAOptional</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-43245" severity="medium" conversionstatus="pass" title="WINCC-000145" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>This requirement is NA for the initial release of Windows 2012. It is applicable to Windows 2012 R2.
 
Verify the registry value below. If it does not exist or is not configured as specified, this is a finding.
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\
 
Value Name: DisableAutomaticRestartSignOn
 
Value Type: REG_DWORD
Value: 1</rawString>
      <ValueData>1</ValueData>
      <ValueName>DisableAutomaticRestartSignOn</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-57639" severity="medium" conversionstatus="pass" title="WINSO-000092" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \SOFTWARE\Policies\Microsoft\Cryptography\
 
Value Name: ForceKeyProtection
 
Type: REG_DWORD
Value: 2</rawString>
      <ValueData>2</ValueData>
      <ValueName>ForceKeyProtection</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-72753" severity="medium" conversionstatus="pass" title="WINCC-000150" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Wdigest</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the following registry value does not exist or is not configured as specified, this is a finding.
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \SYSTEM\CurrentControlSet\Control\SecurityProviders\Wdigest\
 
Value Name: UseLogonCredential
 
Type: REG_DWORD
Value: 0x00000000 (0)
 
Note: Microsoft Security Advisory update 2871997 is required for this setting to be effective on Windows 2012. It is not required for Windows 2012 R2.</rawString>
      <ValueData>0</ValueData>
      <ValueName>UseLogonCredential</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-73519" severity="medium" conversionstatus="pass" title="WIN00-000170" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>This applies to Windows 2012. Windows 2012 R2 uses a different method to disable SMBv1, see WN12-00-000160.
 
If the following registry value does not exist or is not configured as specified, this is a finding:
 
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\
 
Value Name: SMB1
 
Type: REG_DWORD
Value: 0x00000000 (0)</rawString>
      <ValueData>0</ValueData>
      <ValueName>SMB1</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-73523.a" severity="medium" conversionstatus="pass" title="WIN00-000180" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \SYSTEM\CurrentControlSet\Services\LanmanWorkstation\
Type: REG_MULTI_SZ
Value Name: DependOnService
Value: Bowser MRxSmb20 NSI</rawString>
      <ValueData>Bowser;MRxSmb20;NSI</ValueData>
      <ValueName>DependOnService</ValueName>
      <ValueType>MultiString</ValueType>
    </Rule>
    <Rule id="V-73523.b" severity="medium" conversionstatus="pass" title="WIN00-000180" dscresource="Registry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mrxsmb10</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \SYSTEM\CurrentControlSet\Services\mrxsmb10\
Type: REG_DWORD
Value Name: Start
Value: 0x00000004 (4)</rawString>
      <ValueData>4</ValueData>
      <ValueName>Start</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
  </RegistryRule>
  <SecurityOptionRule dscresourcemodule="SecurityPolicyDsc">
    <Rule id="V-1113" severity="medium" conversionstatus="pass" title="Disable Guest Account" dscresource="SecurityOption">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OptionName>Accounts: Guest account status</OptionName>
      <OptionValue>Disabled</OptionValue>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Verify the effective setting in Local Group Policy Editor.
Run "gpedit.msc".
 
Navigate to Local Computer Policy -&gt; Computer Configuration -&gt; Windows Settings -&gt; Security Settings -&gt; Local Policies -&gt; Security Options.
 
If the value for "Accounts: Guest account status" is not set to "Disabled", this is a finding.</rawString>
    </Rule>
    <Rule id="V-1114" severity="medium" conversionstatus="pass" title="Rename Built-in Guest Account" dscresource="SecurityOption">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OptionName>Accounts: Rename guest account</OptionName>
      <OptionValue />
      <OrganizationValueRequired>True</OrganizationValueRequired>
      <OrganizationValueTestString>'{0}' -ne 'Guest'</OrganizationValueTestString>
      <rawString>Verify the effective setting in Local Group Policy Editor.
Run "gpedit.msc".
 
Navigate to Local Computer Policy -&gt; Computer Configuration -&gt; Windows Settings -&gt; Security Settings -&gt; Local Policies -&gt; Security Options.
 
If the value for "Accounts: Rename guest account" is not set to a value other than "Guest", this is a finding.</rawString>
    </Rule>
    <Rule id="V-1115" severity="medium" conversionstatus="pass" title="Rename Built-in Administrator Account" dscresource="SecurityOption">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OptionName>Accounts: Rename administrator account</OptionName>
      <OptionValue />
      <OrganizationValueRequired>True</OrganizationValueRequired>
      <OrganizationValueTestString>'{0}' -ne 'Administrator'</OrganizationValueTestString>
      <rawString>Verify the effective setting in Local Group Policy Editor.
Run "gpedit.msc".
 
Navigate to Local Computer Policy -&gt; Computer Configuration -&gt; Windows Settings -&gt; Security Settings -&gt; Local Policies -&gt; Security Options.
 
If the value for "Accounts: Rename administrator account" is not set to a value other than "Administrator", this is a finding.</rawString>
    </Rule>
    <Rule id="V-3337" severity="high" conversionstatus="pass" title="Anonymous SID/Name Translation" dscresource="SecurityOption">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OptionName>Network access: Allow anonymous SID/Name translation</OptionName>
      <OptionValue>Disabled</OptionValue>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Verify the effective setting in Local Group Policy Editor.
Run "gpedit.msc".
 
Navigate to Local Computer Policy -&gt; Computer Configuration -&gt; Windows Settings -&gt; Security Settings -&gt; Local Policies -&gt; Security Options.
 
If the value for "Network access: Allow anonymous SID/Name translation" is not set to "Disabled", this is a finding.</rawString>
    </Rule>
    <Rule id="V-3380" severity="medium" conversionstatus="pass" title="Force Logoff When Logon Hours Expire" dscresource="SecurityOption">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OptionName>Network security: Force logoff when logon hours expire</OptionName>
      <OptionValue>Enabled</OptionValue>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Verify the effective setting in Local Group Policy Editor.
Run "gpedit.msc".
 
Navigate to Local Computer Policy -&gt; Computer Configuration -&gt; Windows Settings -&gt; Security Settings -&gt; Local Policies -&gt; Security Options.
 
If the value for "Network security: Force logoff when logon hours expire" is not set to "Enabled", this is a finding.</rawString>
    </Rule>
  </SecurityOptionRule>
  <ServiceRule dscresourcemodule="xPSDesiredStateConfiguration">
    <Rule id="V-8327.b" severity="medium" conversionstatus="pass" title="Prerequisite OS Services Startup" dscresource="xService">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Run "services.msc" to display the Services console.
 
Verify the Startup Type for the following Windows services:
- Active Directory Domain Services
- DFS Replication
- DNS Client
- DNS server
- Group Policy Client
- Intersite Messaging
- Kerberos Key Distribution Center
- NetLogon
- Windows Time (not required if another time synchronization tool is implemented to start automatically)
 
If the Startup Type for any of these services is not Automatic, this is a finding.</rawString>
      <ServiceName>DFSR</ServiceName>
      <ServiceState>Running</ServiceState>
      <StartupType>Automatic</StartupType>
    </Rule>
    <Rule id="V-8327.c" severity="medium" conversionstatus="pass" title="Prerequisite OS Services Startup" dscresource="xService">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Run "services.msc" to display the Services console.
 
Verify the Startup Type for the following Windows services:
- Active Directory Domain Services
- DFS Replication
- DNS Client
- DNS server
- Group Policy Client
- Intersite Messaging
- Kerberos Key Distribution Center
- NetLogon
- Windows Time (not required if another time synchronization tool is implemented to start automatically)
 
If the Startup Type for any of these services is not Automatic, this is a finding.</rawString>
      <ServiceName>Dnscache</ServiceName>
      <ServiceState>Running</ServiceState>
      <StartupType>Automatic</StartupType>
    </Rule>
    <Rule id="V-8327.d" severity="medium" conversionstatus="pass" title="Prerequisite OS Services Startup" dscresource="xService">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Run "services.msc" to display the Services console.
 
Verify the Startup Type for the following Windows services:
- Active Directory Domain Services
- DFS Replication
- DNS Client
- DNS server
- Group Policy Client
- Intersite Messaging
- Kerberos Key Distribution Center
- NetLogon
- Windows Time (not required if another time synchronization tool is implemented to start automatically)
 
If the Startup Type for any of these services is not Automatic, this is a finding.</rawString>
      <ServiceName>DNS</ServiceName>
      <ServiceState>Running</ServiceState>
      <StartupType>Automatic</StartupType>
    </Rule>
    <Rule id="V-8327.e" severity="medium" conversionstatus="pass" title="Prerequisite OS Services Startup" dscresource="xService">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Run "services.msc" to display the Services console.
 
Verify the Startup Type for the following Windows services:
- Active Directory Domain Services
- DFS Replication
- DNS Client
- DNS server
- Group Policy Client
- Intersite Messaging
- Kerberos Key Distribution Center
- NetLogon
- Windows Time (not required if another time synchronization tool is implemented to start automatically)
 
If the Startup Type for any of these services is not Automatic, this is a finding.</rawString>
      <ServiceName>gpsvc</ServiceName>
      <ServiceState>Running</ServiceState>
      <StartupType>Automatic</StartupType>
    </Rule>
    <Rule id="V-8327.f" severity="medium" conversionstatus="pass" title="Prerequisite OS Services Startup" dscresource="xService">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Run "services.msc" to display the Services console.
 
Verify the Startup Type for the following Windows services:
- Active Directory Domain Services
- DFS Replication
- DNS Client
- DNS server
- Group Policy Client
- Intersite Messaging
- Kerberos Key Distribution Center
- NetLogon
- Windows Time (not required if another time synchronization tool is implemented to start automatically)
 
If the Startup Type for any of these services is not Automatic, this is a finding.</rawString>
      <ServiceName>IsmServ</ServiceName>
      <ServiceState>Running</ServiceState>
      <StartupType>Automatic</StartupType>
    </Rule>
    <Rule id="V-8327.g" severity="medium" conversionstatus="pass" title="Prerequisite OS Services Startup" dscresource="xService">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Run "services.msc" to display the Services console.
 
Verify the Startup Type for the following Windows services:
- Active Directory Domain Services
- DFS Replication
- DNS Client
- DNS server
- Group Policy Client
- Intersite Messaging
- Kerberos Key Distribution Center
- NetLogon
- Windows Time (not required if another time synchronization tool is implemented to start automatically)
 
If the Startup Type for any of these services is not Automatic, this is a finding.</rawString>
      <ServiceName>Kdc</ServiceName>
      <ServiceState>Running</ServiceState>
      <StartupType>Automatic</StartupType>
    </Rule>
    <Rule id="V-8327.h" severity="medium" conversionstatus="pass" title="Prerequisite OS Services Startup" dscresource="xService">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Run "services.msc" to display the Services console.
 
Verify the Startup Type for the following Windows services:
- Active Directory Domain Services
- DFS Replication
- DNS Client
- DNS server
- Group Policy Client
- Intersite Messaging
- Kerberos Key Distribution Center
- NetLogon
- Windows Time (not required if another time synchronization tool is implemented to start automatically)
 
If the Startup Type for any of these services is not Automatic, this is a finding.</rawString>
      <ServiceName>NetLogon</ServiceName>
      <ServiceState>Running</ServiceState>
      <StartupType>Automatic</StartupType>
    </Rule>
    <Rule id="V-8327.i" severity="medium" conversionstatus="pass" title="Prerequisite OS Services Startup" dscresource="xService">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Run "services.msc" to display the Services console.
 
Verify the Startup Type for the following Windows services:
- Active Directory Domain Services
- DFS Replication
- DNS Client
- DNS server
- Group Policy Client
- Intersite Messaging
- Kerberos Key Distribution Center
- NetLogon
- Windows Time (not required if another time synchronization tool is implemented to start automatically)
 
If the Startup Type for any of these services is not Automatic, this is a finding.</rawString>
      <ServiceName>W32Time</ServiceName>
      <ServiceState>Running</ServiceState>
      <StartupType>Automatic</StartupType>
    </Rule>
    <Rule id="V-8327.a" severity="medium" conversionstatus="pass" title="Prerequisite OS Services Startup" dscresource="xService">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Run "services.msc" to display the Services console.
 
Verify the Startup Type for the following Windows services:
- Active Directory Domain Services
- DFS Replication
- DNS Client
- DNS server
- Group Policy Client
- Intersite Messaging
- Kerberos Key Distribution Center
- NetLogon
- Windows Time (not required if another time synchronization tool is implemented to start automatically)
 
If the Startup Type for any of these services is not Automatic, this is a finding.</rawString>
      <ServiceName>NTDS</ServiceName>
      <ServiceState>Running</ServiceState>
      <StartupType>Automatic</StartupType>
    </Rule>
    <Rule id="V-15505" severity="medium" conversionstatus="pass" title="HBSS McAfee Agent" dscresource="xService">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Run "Services.msc".
 
Verify the McAfee Agent service is running, depending on the version installed.
 
Version - Service Name
McAfee Agent v5.x - McAfee Agent Service
McAfee Agent v4.x - McAfee Framework Service
 
If the service is not listed or does not have a Status of "Started", this is a finding.</rawString>
      <ServiceName>McAfee</ServiceName>
      <ServiceState>Running</ServiceState>
      <StartupType>Automatic</StartupType>
    </Rule>
    <Rule id="V-26600" severity="medium" conversionstatus="pass" title="Fax Service Disabled " dscresource="xService">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Verify the Fax (fax) service is not installed or is disabled.
 
Run "Services.msc".
 
If the following is installed and not disabled, this is a finding:
 
Fax (fax)</rawString>
      <ServiceName>fax</ServiceName>
      <ServiceState>Stopped</ServiceState>
      <StartupType>Disabled</StartupType>
    </Rule>
    <Rule id="V-26602" severity="medium" conversionstatus="pass" title="Microsoft FTP Service Disabled" dscresource="xService">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>If the server has the role of an FTP server, this is NA.
 
Run "Services.msc".
 
If the "Microsoft FTP Service" (Service name: FTPSVC) is installed and not disabled, this is a finding.</rawString>
      <ServiceName>FTPSVC</ServiceName>
      <ServiceState>Stopped</ServiceState>
      <StartupType>Disabled</StartupType>
    </Rule>
    <Rule id="V-26604" severity="medium" conversionstatus="pass" title="Peer Networking Identity Manager Service Disabled" dscresource="xService">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Verify the Peer Network Identity Manager (p2pimsvc) service is not installed or is disabled.
 
Run "Services.msc".
 
If the following is installed and not disabled, this is a finding:
 
Peer Networking Identity Manager (p2pimsvc)</rawString>
      <ServiceName>p2pimsvc</ServiceName>
      <ServiceState>Stopped</ServiceState>
      <StartupType>Disabled</StartupType>
    </Rule>
    <Rule id="V-26605" severity="medium" conversionstatus="pass" title="Simple TCP/IP Services Disabled" dscresource="xService">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Verify the Simple TCP/IP (simptcp) service is not installed or is disabled.
 
Run "Services.msc".
 
If the following is installed and not disabled, this is a finding:
 
Simple TCP/IP Services (simptcp)</rawString>
      <ServiceName>simptcp</ServiceName>
      <ServiceState>Stopped</ServiceState>
      <StartupType>Disabled</StartupType>
    </Rule>
    <Rule id="V-26606" severity="medium" conversionstatus="pass" title="Telnet Service Disabled" dscresource="xService">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Verify the Telnet (tlntsvr) service is not installed or is disabled.
 
Run "Services.msc".
 
If the following is installed and not disabled, this is a finding:
 
Telnet (tlntsvr)</rawString>
      <ServiceName>tlntsvr</ServiceName>
      <ServiceState>Stopped</ServiceState>
      <StartupType>Disabled</StartupType>
    </Rule>
    <Rule id="V-40206" severity="medium" conversionstatus="pass" title="WNSV-000106" dscresource="xService">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Verify the Smart Card Removal Policy service is configured to "Automatic".
 
Run "Services.msc".
 
If the Startup Type for Smart Card Removal Policy is not set to Automatic, this is a finding.</rawString>
      <ServiceName>SCPolicySvc</ServiceName>
      <ServiceState>Running</ServiceState>
      <StartupType>Automatic</StartupType>
    </Rule>
  </ServiceRule>
  <UserRightRule dscresourcemodule="SecurityPolicyDsc">
    <Rule id="V-1102" severity="high" conversionstatus="pass" title="User Right - Act as part of OS" dscresource="UserRightsAssignment">
      <Constant>SeTcbPrivilege</Constant>
      <DisplayName>Act as part of the operating system</DisplayName>
      <Force>True</Force>
      <Identity>NULL</Identity>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Verify the effective setting in Local Group Policy Editor.
Run "gpedit.msc".
 
Navigate to Local Computer Policy -&gt; Computer Configuration -&gt; Windows Settings -&gt; Security Settings -&gt; Local Policies -&gt; User Rights Assignment.
 
If any accounts or groups (to include administrators), are granted the "Act as part of the operating system" user right, this is a finding.</rawString>
    </Rule>
    <Rule id="V-1155" severity="medium" conversionstatus="pass" title="Deny Access from the Network" dscresource="UserRightsAssignment">
      <Constant>SeDenyNetworkLogonRight</Constant>
      <DisplayName>Deny access to this computer from the network</DisplayName>
      <Force>False</Force>
      <Identity>Guests</Identity>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Verify the effective setting in Local Group Policy Editor.
Run "gpedit.msc".
 
Navigate to Local Computer Policy -&gt; Computer Configuration -&gt; Windows Settings -&gt; Security Settings -&gt; Local Policies -&gt; User Rights Assignment.
 
If the following accounts or groups are not defined for the "Deny access to this computer from the network" user right, this is a finding:
 
Guests Group</rawString>
    </Rule>
    <Rule id="V-12780" severity="high" conversionstatus="pass" title="Synchronize Directory Service Data " dscresource="UserRightsAssignment">
      <Constant>SeSyncAgentPrivilege</Constant>
      <DisplayName>Synchronize directory service data</DisplayName>
      <Force>True</Force>
      <Identity>NULL</Identity>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Verify the effective setting in Local Group Policy Editor.
Run "gpedit.msc".
 
Navigate to Local Computer Policy -&gt; Computer Configuration -&gt; Windows Settings -&gt; Security Settings -&gt; Local Policies -&gt; User Rights Assignment.
 
If any accounts or groups are granted the "Synchronize directory service data" user right, this is a finding.</rawString>
    </Rule>
    <Rule id="V-18010" severity="high" conversionstatus="pass" title="User Right - Debug Programs" dscresource="UserRightsAssignment">
      <Constant>SeDebugPrivilege</Constant>
      <DisplayName>Debug programs</DisplayName>
      <Force>True</Force>
      <Identity>Administrators</Identity>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Verify the effective setting in Local Group Policy Editor.
Run "gpedit.msc".
 
Navigate to Local Computer Policy -&gt; Computer Configuration -&gt; Windows Settings -&gt; Security Settings -&gt; Local Policies -&gt; User Rights Assignment.
 
If any accounts or groups other than the following are granted the "Debug programs" user right, this is a finding:
 
Administrators</rawString>
    </Rule>
    <Rule id="V-26469" severity="medium" conversionstatus="pass" title="Access Credential Manager as a trusted caller" dscresource="UserRightsAssignment">
      <Constant>SeTrustedCredManAccessPrivilege</Constant>
      <DisplayName>Access Credential Manager as a trusted caller</DisplayName>
      <Force>True</Force>
      <Identity>NULL</Identity>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Verify the effective setting in Local Group Policy Editor.
Run "gpedit.msc".
 
Navigate to Local Computer Policy -&gt; Computer Configuration -&gt; Windows Settings -&gt; Security Settings -&gt; Local Policies -&gt; User Rights Assignment.
 
If any accounts or groups are granted the "Access Credential Manager as a trusted caller" user right, this is a finding.</rawString>
    </Rule>
    <Rule id="V-26470" severity="medium" conversionstatus="pass" title="Access this computer from the network" dscresource="UserRightsAssignment">
      <Constant>SeNetworkLogonRight</Constant>
      <DisplayName>Access this computer from the network</DisplayName>
      <Force>True</Force>
      <Identity>Administrators,Authenticated Users,Enterprise Domain Controllers</Identity>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Verify the effective setting in Local Group Policy Editor.
Run "gpedit.msc".
 
Navigate to Local Computer Policy -&gt; Computer Configuration -&gt; Windows Settings -&gt; Security Settings -&gt; Local Policies -&gt; User Rights Assignment.
 
If any accounts or groups other than the following are granted the "Access this computer from the network" right, this is a finding:
 
Administrators
Authenticated Users
Enterprise Domain Controllers</rawString>
    </Rule>
    <Rule id="V-26472" severity="medium" conversionstatus="pass" title="Allow log on locally" dscresource="UserRightsAssignment">
      <Constant>SeInteractiveLogonRight</Constant>
      <DisplayName>Allow log on locally</DisplayName>
      <Force>True</Force>
      <Identity>Administrators</Identity>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Verify the effective setting in Local Group Policy Editor.
Run "gpedit.msc".
 
Navigate to Local Computer Policy -&gt; Computer Configuration -&gt; Windows Settings -&gt; Security Settings -&gt; Local Policies -&gt; User Rights Assignment.
 
If any accounts or groups other than the following are granted the "Allow log on locally" user right, this is a finding:
 
Administrators</rawString>
    </Rule>
    <Rule id="V-26473" severity="medium" conversionstatus="pass" title="Allow log on through Remote Desktop Services" dscresource="UserRightsAssignment">
      <Constant>SeRemoteInteractiveLogonRight</Constant>
      <DisplayName>Allow log on through Remote Desktop Services</DisplayName>
      <Force>True</Force>
      <Identity>Administrators</Identity>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Verify the effective setting in Local Group Policy Editor.
Run "gpedit.msc".
 
Navigate to Local Computer Policy &gt;&gt; Computer Configuration &gt;&gt; Windows Settings &gt;&gt; Security Settings &gt;&gt; Local Policies &gt;&gt; User Rights Assignment.
 
If any accounts or groups other than the following are granted the "Allow log on through Remote Desktop Services" user right, this is a finding:
 
Administrators</rawString>
    </Rule>
    <Rule id="V-26474" severity="medium" conversionstatus="pass" title="Back up files and directories" dscresource="UserRightsAssignment">
      <Constant>SeBackupPrivilege</Constant>
      <DisplayName>Back up files and directories</DisplayName>
      <Force>True</Force>
      <Identity>Administrators</Identity>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Verify the effective setting in Local Group Policy Editor.
Run "gpedit.msc".
 
Navigate to Local Computer Policy -&gt; Computer Configuration -&gt; Windows Settings -&gt; Security Settings -&gt; Local Policies -&gt; User Rights Assignment.
 
If any accounts or groups other than the following are granted the "Back up files and directories" user right, this is a finding:
 
Administrators</rawString>
    </Rule>
    <Rule id="V-26475" severity="low" conversionstatus="pass" title="Bypass traverse checking" dscresource="UserRightsAssignment">
      <Constant>SeChangeNotifyPrivilege</Constant>
      <DisplayName>Bypass traverse checking</DisplayName>
      <Force>True</Force>
      <Identity>Administrators,Authenticated Users,Local Service,Network Service,Window Manager\Window Manager Group</Identity>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Verify the effective setting in Local Group Policy Editor.
Run "gpedit.msc".
 
Navigate to Local Computer Policy -&gt; Computer Configuration -&gt; Windows Settings -&gt; Security Settings -&gt; Local Policies -&gt; User Rights Assignment.
 
If any accounts or groups other than the following are granted the "Bypass traverse checking" user right, this is a finding:
 
Administrators
Authenticated Users
Local Service
Network Service
Window Manager\Window Manager Group</rawString>
    </Rule>
    <Rule id="V-26476" severity="medium" conversionstatus="pass" title="Change the system time" dscresource="UserRightsAssignment">
      <Constant>SeSystemtimePrivilege</Constant>
      <DisplayName>Change the system time</DisplayName>
      <Force>True</Force>
      <Identity>Administrators,Local Service</Identity>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Verify the effective setting in Local Group Policy Editor.
Run "gpedit.msc".
 
Navigate to Local Computer Policy -&gt; Computer Configuration -&gt; Windows Settings -&gt; Security Settings -&gt; Local Policies -&gt; User Rights Assignment.
 
If any accounts or groups other than the following are granted the "Change the system time" user right, this is a finding:
 
Administrators
Local Service</rawString>
    </Rule>
    <Rule id="V-26477" severity="low" conversionstatus="pass" title="Change the time zone" dscresource="UserRightsAssignment">
      <Constant>SeTimeZonePrivilege</Constant>
      <DisplayName>Change the time zone</DisplayName>
      <Force>True</Force>
      <Identity>Administrators,Local Service</Identity>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Verify the effective setting in Local Group Policy Editor.
Run "gpedit.msc".
 
Navigate to Local Computer Policy -&gt; Computer Configuration -&gt; Windows Settings -&gt; Security Settings -&gt; Local Policies -&gt; User Rights Assignment.
 
If any accounts or groups other than the following are granted the "Change the time zone" user right, this is a finding:
 
Administrators
Local Service</rawString>
    </Rule>
    <Rule id="V-26478" severity="medium" conversionstatus="pass" title="Create a pagefile" dscresource="UserRightsAssignment">
      <Constant>SeCreatePagefilePrivilege</Constant>
      <DisplayName>Create a pagefile</DisplayName>
      <Force>True</Force>
      <Identity>Administrators</Identity>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Verify the effective setting in Local Group Policy Editor.
Run "gpedit.msc".
 
Navigate to Local Computer Policy -&gt; Computer Configuration -&gt; Windows Settings -&gt; Security Settings -&gt; Local Policies -&gt; User Rights Assignment.
 
If any accounts or groups other than the following are granted the "Create a pagefile" user right, this is a finding:
 
Administrators</rawString>
    </Rule>
    <Rule id="V-26479" severity="high" conversionstatus="pass" title="Create a token object" dscresource="UserRightsAssignment">
      <Constant>SeCreateTokenPrivilege</Constant>
      <DisplayName>Create a token object</DisplayName>
      <Force>True</Force>
      <Identity>NULL</Identity>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Verify the effective setting in Local Group Policy Editor.
Run "gpedit.msc".
 
Navigate to Local Computer Policy -&gt; Computer Configuration -&gt; Windows Settings -&gt; Security Settings -&gt; Local Policies -&gt; User Rights Assignment.
 
If any accounts or groups are granted the "Create a token object" user right, this is a finding.</rawString>
    </Rule>
    <Rule id="V-26480" severity="medium" conversionstatus="pass" title="Create global objects" dscresource="UserRightsAssignment">
      <Constant>SeCreateGlobalPrivilege</Constant>
      <DisplayName>Create global objects</DisplayName>
      <Force>True</Force>
      <Identity>Administrators,Service,Local Service,Network Service</Identity>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Verify the effective setting in Local Group Policy Editor.
Run "gpedit.msc".
 
Navigate to Local Computer Policy -&gt; Computer Configuration -&gt; Windows Settings -&gt; Security Settings -&gt; Local Policies -&gt; User Rights Assignment.
 
If any accounts or groups other than the following are granted the "Create global objects" user right, this is a finding:
 
Administrators
Service
Local Service
Network Service</rawString>
    </Rule>
    <Rule id="V-26481" severity="medium" conversionstatus="pass" title="Create permanent shared objects" dscresource="UserRightsAssignment">
      <Constant>SeCreatePermanentPrivilege</Constant>
      <DisplayName>Create permanent shared objects</DisplayName>
      <Force>True</Force>
      <Identity>NULL</Identity>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Verify the effective setting in Local Group Policy Editor.
Run "gpedit.msc".
 
Navigate to Local Computer Policy -&gt; Computer Configuration -&gt; Windows Settings -&gt; Security Settings -&gt; Local Policies -&gt; User Rights Assignment.
 
If any accounts or groups are granted the "Create permanent shared objects" user right, this is a finding.</rawString>
    </Rule>
    <Rule id="V-26482" severity="medium" conversionstatus="pass" title="Create symbolic links" dscresource="UserRightsAssignment">
      <Constant>SeCreateSymbolicLinkPrivilege</Constant>
      <DisplayName>Create symbolic links</DisplayName>
      <Force>True</Force>
      <Identity>Administrators,{Hyper-V}</Identity>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>True</OrganizationValueRequired>
      <OrganizationValueTestString>'{0}' -match '^(Administrators,NT Virtual Machine\\Virtual Machines|Administrators)$'</OrganizationValueTestString>
      <rawString>Verify the effective setting in Local Group Policy Editor.
Run "gpedit.msc".
 
Navigate to Local Computer Policy &gt;&gt; Computer Configuration &gt;&gt; Windows Settings &gt;&gt; Security Settings &gt;&gt; Local Policies &gt;&gt; User Rights Assignment.
 
If any accounts or groups other than the following are granted the "Create symbolic links" user right, this is a finding:
 
Administrators
 
Systems that have the Hyper-V role will also have "Virtual Machines" given this user right (this may be displayed as "NT Virtual Machine\Virtual Machines"). This is not a finding.</rawString>
    </Rule>
    <Rule id="V-26483" severity="medium" conversionstatus="pass" title="Deny log on as a batch job" dscresource="UserRightsAssignment">
      <Constant>SeDenyBatchLogonRight</Constant>
      <DisplayName>Deny log on as a batch job</DisplayName>
      <Force>False</Force>
      <Identity>Guests</Identity>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Verify the effective setting in Local Group Policy Editor.
Run "gpedit.msc".
 
Navigate to Local Computer Policy -&gt; Computer Configuration -&gt; Windows Settings -&gt; Security Settings -&gt; Local Policies -&gt; User Rights Assignment.
 
If the following accounts or groups are not defined for the "Deny log on as a batch job" user right, this is a finding:
 
Guests Group</rawString>
    </Rule>
    <Rule id="V-26484" severity="medium" conversionstatus="pass" title="Deny log on as service " dscresource="UserRightsAssignment">
      <Constant>SeDenyServiceLogonRight</Constant>
      <DisplayName>Deny log on as a service</DisplayName>
      <Force>True</Force>
      <Identity>NULL</Identity>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Verify the effective setting in Local Group Policy Editor.
Run "gpedit.msc".
 
Navigate to Local Computer Policy -&gt; Computer Configuration -&gt; Windows Settings -&gt; Security Settings -&gt; Local Policies -&gt; User Rights Assignment.
 
If any accounts or groups are defined for the "Deny log on as a service" user right, this is a finding.</rawString>
    </Rule>
    <Rule id="V-26485" severity="medium" conversionstatus="pass" title="Deny log on locally" dscresource="UserRightsAssignment">
      <Constant>SeDenyInteractiveLogonRight</Constant>
      <DisplayName>Deny log on locally</DisplayName>
      <Force>False</Force>
      <Identity>Guests</Identity>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Verify the effective setting in Local Group Policy Editor.
Run "gpedit.msc".
 
Navigate to Local Computer Policy -&gt; Computer Configuration -&gt; Windows Settings -&gt; Security Settings -&gt; Local Policies -&gt; User Rights Assignment.
 
If the following accounts or groups are not defined for the "Deny log on locally" user right, this is a finding:
 
Guests Group</rawString>
    </Rule>
    <Rule id="V-26486" severity="medium" conversionstatus="pass" title="Deny log on through Remote Desktop \ Terminal Services" dscresource="UserRightsAssignment">
      <Constant>SeDenyRemoteInteractiveLogonRight</Constant>
      <DisplayName>Deny log on through Remote Desktop Services</DisplayName>
      <Force>False</Force>
      <Identity>Guests</Identity>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Verify the effective setting in Local Group Policy Editor.
Run "gpedit.msc".
 
Navigate to Local Computer Policy -&gt; Computer Configuration -&gt; Windows Settings -&gt; Security Settings -&gt; Local Policies -&gt; User Rights Assignment.
 
If the following accounts or groups are not defined for the "Deny log on through Remote Desktop Services" user right, this is a finding:
 
Guests Group</rawString>
    </Rule>
    <Rule id="V-26487" severity="medium" conversionstatus="pass" title="Enable accounts to be trusted for delegation" dscresource="UserRightsAssignment">
      <Constant>SeEnableDelegationPrivilege</Constant>
      <DisplayName>Enable computer and user accounts to be trusted for delegation</DisplayName>
      <Force>True</Force>
      <Identity>Administrators</Identity>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Verify the effective setting in Local Group Policy Editor.
Run "gpedit.msc".
 
Navigate to Local Computer Policy -&gt; Computer Configuration -&gt; Windows Settings -&gt; Security Settings -&gt; Local Policies -&gt; User Rights Assignment.
 
If any accounts or groups other than the following are granted the "Enable computer and user accounts to be trusted for delegation" user right, this is a finding:
 
Administrators</rawString>
    </Rule>
    <Rule id="V-26488" severity="medium" conversionstatus="pass" title="Force shutdown from a remote system" dscresource="UserRightsAssignment">
      <Constant>SeRemoteShutdownPrivilege</Constant>
      <DisplayName>Force shutdown from a remote system</DisplayName>
      <Force>True</Force>
      <Identity>Administrators</Identity>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Verify the effective setting in Local Group Policy Editor.
Run "gpedit.msc".
 
Navigate to Local Computer Policy -&gt; Computer Configuration -&gt; Windows Settings -&gt; Security Settings -&gt; Local Policies -&gt; User Rights Assignment.
 
If any accounts or groups other than the following are granted the "Force shutdown from a remote system" user right, this is a finding:
 
Administrators</rawString>
    </Rule>
    <Rule id="V-26489" severity="medium" conversionstatus="pass" title="Generate security audits" dscresource="UserRightsAssignment">
      <Constant>SeAuditPrivilege</Constant>
      <DisplayName>Generate security audits</DisplayName>
      <Force>True</Force>
      <Identity>Local Service,Network Service</Identity>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Verify the effective setting in Local Group Policy Editor.
Run "gpedit.msc".
 
Navigate to Local Computer Policy -&gt; Computer Configuration -&gt; Windows Settings -&gt; Security Settings -&gt; Local Policies -&gt; User Rights Assignment.
 
If any accounts or groups other than the following are granted the "Generate security audits" user right, this is a finding:
 
Local Service
Network Service</rawString>
    </Rule>
    <Rule id="V-26490" severity="medium" conversionstatus="pass" title="Impersonate a client after authentication" dscresource="UserRightsAssignment">
      <Constant>SeImpersonatePrivilege</Constant>
      <DisplayName>Impersonate a client after authentication</DisplayName>
      <Force>True</Force>
      <Identity>Administrators,Service,Local Service,Network Service</Identity>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Verify the effective setting in Local Group Policy Editor.
Run "gpedit.msc".
 
Navigate to Local Computer Policy -&gt; Computer Configuration -&gt; Windows Settings -&gt; Security Settings -&gt; Local Policies -&gt; User Rights Assignment.
 
If any accounts or groups other than the following are granted the "Impersonate a client after authentication" user right, this is a finding:
 
Administrators
Service
Local Service
Network Service</rawString>
    </Rule>
    <Rule id="V-26492" severity="medium" conversionstatus="pass" title="Increase scheduling priority" dscresource="UserRightsAssignment">
      <Constant>SeIncreaseBasePriorityPrivilege</Constant>
      <DisplayName>Increase scheduling priority</DisplayName>
      <Force>True</Force>
      <Identity>Administrators</Identity>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Verify the effective setting in Local Group Policy Editor.
Run "gpedit.msc".
 
Navigate to Local Computer Policy -&gt; Computer Configuration -&gt; Windows Settings -&gt; Security Settings -&gt; Local Policies -&gt; User Rights Assignment.
 
If any accounts or groups other than the following are granted the "Increase scheduling priority" user right, this is a finding:
 
Administrators</rawString>
    </Rule>
    <Rule id="V-26493" severity="medium" conversionstatus="pass" title="Load and unload device drivers" dscresource="UserRightsAssignment">
      <Constant>SeLoadDriverPrivilege</Constant>
      <DisplayName>Load and unload device drivers</DisplayName>
      <Force>True</Force>
      <Identity>Administrators</Identity>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Verify the effective setting in Local Group Policy Editor.
Run "gpedit.msc".
 
Navigate to Local Computer Policy -&gt; Computer Configuration -&gt; Windows Settings -&gt; Security Settings -&gt; Local Policies -&gt; User Rights Assignment.
 
If any accounts or groups other than the following are granted the "Load and unload device drivers" user right, this is a finding:
 
Administrators</rawString>
    </Rule>
    <Rule id="V-26494" severity="medium" conversionstatus="pass" title="Lock pages in memory" dscresource="UserRightsAssignment">
      <Constant>SeLockMemoryPrivilege</Constant>
      <DisplayName>Lock pages in memory</DisplayName>
      <Force>True</Force>
      <Identity>NULL</Identity>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Verify the effective setting in Local Group Policy Editor.
Run "gpedit.msc".
 
Navigate to Local Computer Policy -&gt; Computer Configuration -&gt; Windows Settings -&gt; Security Settings -&gt; Local Policies -&gt; User Rights Assignment.
 
If any accounts or groups are granted the "Lock pages in memory" user right, this is a finding.</rawString>
    </Rule>
    <Rule id="V-26496" severity="medium" conversionstatus="pass" title="Manage auditing and security log" dscresource="UserRightsAssignment">
      <Constant>SeSecurityPrivilege</Constant>
      <DisplayName>Manage auditing and security log</DisplayName>
      <Force>True</Force>
      <Identity>Administrators</Identity>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Verify the effective setting in Local Group Policy Editor.
Run "gpedit.msc".
 
Navigate to Local Computer Policy &gt;&gt; Computer Configuration &gt;&gt; Windows Settings &gt;&gt; Security Settings &gt;&gt; Local Policies &gt;&gt; User Rights Assignment.
 
If any accounts or groups other than the following are granted the "Manage auditing and security log" user right, this is a finding:
 
Administrators
 
If the organization has an Auditors group, the assignment of this group to the user right would not be a finding.
 
If an application requires this user right, this would not be a finding.
Vendor documentation must support the requirement for having the user right.
The requirement must be documented with the ISSO.
The application account must meet requirements for application account passwords, such as length (V-36661) and required changes frequency (V-36662).</rawString>
    </Rule>
    <Rule id="V-26497" severity="medium" conversionstatus="pass" title="Modify an object label" dscresource="UserRightsAssignment">
      <Constant>SeRelabelPrivilege</Constant>
      <DisplayName>Modify an object label</DisplayName>
      <Force>True</Force>
      <Identity>NULL</Identity>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Verify the effective setting in Local Group Policy Editor.
Run "gpedit.msc".
 
Navigate to Local Computer Policy -&gt; Computer Configuration -&gt; Windows Settings -&gt; Security Settings -&gt; Local Policies -&gt; User Rights Assignment.
 
If any accounts or groups are granted the "Modify an object label" user right, this is a finding.</rawString>
    </Rule>
    <Rule id="V-26498" severity="medium" conversionstatus="pass" title="Modify firmware environment values" dscresource="UserRightsAssignment">
      <Constant>SeSystemEnvironmentPrivilege</Constant>
      <DisplayName>Modify firmware environment values</DisplayName>
      <Force>True</Force>
      <Identity>Administrators</Identity>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Verify the effective setting in Local Group Policy Editor.
Run "gpedit.msc".
 
Navigate to Local Computer Policy -&gt; Computer Configuration -&gt; Windows Settings -&gt; Security Settings -&gt; Local Policies -&gt; User Rights Assignment.
 
If any accounts or groups other than the following are granted the "Modify firmware environment values" user right, this is a finding:
 
Administrators</rawString>
    </Rule>
    <Rule id="V-26499" severity="medium" conversionstatus="pass" title="Perform volume maintenance tasks" dscresource="UserRightsAssignment">
      <Constant>SeManageVolumePrivilege</Constant>
      <DisplayName>Perform volume maintenance tasks</DisplayName>
      <Force>True</Force>
      <Identity>Administrators</Identity>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Verify the effective setting in Local Group Policy Editor.
Run "gpedit.msc".
 
Navigate to Local Computer Policy -&gt; Computer Configuration -&gt; Windows Settings -&gt; Security Settings -&gt; Local Policies -&gt; User Rights Assignment.
 
If any accounts or groups other than the following are granted the "Perform volume maintenance tasks" user right, this is a finding:
 
Administrators</rawString>
    </Rule>
    <Rule id="V-26500" severity="medium" conversionstatus="pass" title="Profile single process" dscresource="UserRightsAssignment">
      <Constant>SeProfileSingleProcessPrivilege</Constant>
      <DisplayName>Profile single process</DisplayName>
      <Force>True</Force>
      <Identity>Administrators</Identity>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Verify the effective setting in Local Group Policy Editor.
Run "gpedit.msc".
 
Navigate to Local Computer Policy -&gt; Computer Configuration -&gt; Windows Settings -&gt; Security Settings -&gt; Local Policies -&gt; User Rights Assignment.
 
If any accounts or groups other than the following are granted the "Profile single process" user right, this is a finding:
 
Administrators</rawString>
    </Rule>
    <Rule id="V-26501" severity="medium" conversionstatus="pass" title="Profile system performance" dscresource="UserRightsAssignment">
      <Constant>SeSystemProfilePrivilege</Constant>
      <DisplayName>Profile system performance</DisplayName>
      <Force>True</Force>
      <Identity>Administrators,NT Service\WdiServiceHost</Identity>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Verify the effective setting in Local Group Policy Editor.
Run "gpedit.msc".
 
Navigate to Local Computer Policy -&gt; Computer Configuration -&gt; Windows Settings -&gt; Security Settings -&gt; Local Policies -&gt; User Rights Assignment.
 
If any accounts or groups other than the following are granted the "Profile system performance" user right, this is a finding:
 
Administrators
NT Service\WdiServiceHost</rawString>
    </Rule>
    <Rule id="V-26503" severity="medium" conversionstatus="pass" title="Replace a process level token" dscresource="UserRightsAssignment">
      <Constant>SeAssignPrimaryTokenPrivilege</Constant>
      <DisplayName>Replace a process level token</DisplayName>
      <Force>True</Force>
      <Identity>Local Service,Network Service</Identity>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Verify the effective setting in Local Group Policy Editor.
Run "gpedit.msc".
 
Navigate to Local Computer Policy -&gt; Computer Configuration -&gt; Windows Settings -&gt; Security Settings -&gt; Local Policies -&gt; User Rights Assignment.
 
If any accounts or groups other than the following are granted the "Replace a process level token" user right, this is a finding:
 
Local Service
Network Service</rawString>
    </Rule>
    <Rule id="V-26504" severity="medium" conversionstatus="pass" title="Restore files and directories" dscresource="UserRightsAssignment">
      <Constant>SeRestorePrivilege</Constant>
      <DisplayName>Restore files and directories</DisplayName>
      <Force>True</Force>
      <Identity>Administrators</Identity>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Verify the effective setting in Local Group Policy Editor.
Run "gpedit.msc".
 
Navigate to Local Computer Policy -&gt; Computer Configuration -&gt; Windows Settings -&gt; Security Settings -&gt; Local Policies -&gt; User Rights Assignment.
 
If any accounts or groups other than the following are granted the "Restore files and directories" user right, this is a finding:
 
Administrators</rawString>
    </Rule>
    <Rule id="V-26505" severity="medium" conversionstatus="pass" title="Shut down the system" dscresource="UserRightsAssignment">
      <Constant>SeShutdownPrivilege</Constant>
      <DisplayName>Shut down the system</DisplayName>
      <Force>True</Force>
      <Identity>Administrators</Identity>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Verify the effective setting in Local Group Policy Editor.
Run "gpedit.msc".
 
Navigate to Local Computer Policy -&gt; Computer Configuration -&gt; Windows Settings -&gt; Security Settings -&gt; Local Policies -&gt; User Rights Assignment.
 
If any accounts or groups other than the following are granted the "Shut down the system" user right, this is a finding:
 
Administrators</rawString>
    </Rule>
    <Rule id="V-26506" severity="medium" conversionstatus="pass" title="Take ownership of files or other objects" dscresource="UserRightsAssignment">
      <Constant>SeTakeOwnershipPrivilege</Constant>
      <DisplayName>Take ownership of files or other objects</DisplayName>
      <Force>True</Force>
      <Identity>Administrators</Identity>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Verify the effective setting in Local Group Policy Editor.
Run "gpedit.msc".
 
Navigate to Local Computer Policy -&gt; Computer Configuration -&gt; Windows Settings -&gt; Security Settings -&gt; Local Policies -&gt; User Rights Assignment.
 
If any accounts or groups other than the following are granted the "Take ownership of files or other objects" user right, this is a finding:
 
Administrators</rawString>
    </Rule>
    <Rule id="V-30016" severity="medium" conversionstatus="pass" title="Add workstations to domain" dscresource="UserRightsAssignment">
      <Constant>SeMachineAccountPrivilege</Constant>
      <DisplayName>Add workstations to domain</DisplayName>
      <Force>True</Force>
      <Identity>Administrators</Identity>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>Verify the effective setting in Local Group Policy Editor.
Run "gpedit.msc".
 
Navigate to Local Computer Policy -&gt; Computer Configuration -&gt; Windows Settings -&gt; Security Settings -&gt; Local Policies -&gt; User Rights Assignment.
 
If any accounts or groups other than the following are granted the "Add workstations to domain" right, this is a finding:
 
Administrators</rawString>
    </Rule>
  </UserRightRule>
  <WindowsFeatureRule dscresourcemodule="PSDesiredStateConfiguration">
    <Rule id="V-73805" severity="medium" conversionstatus="pass" title="WIN00-000160" dscresource="WindowsFeature">
      <FeatureName>FS-SMB1</FeatureName>
      <InstallState>Absent</InstallState>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <rawString>This applies to Windows 2012 R2. Windows 2012 uses a different method to disable SMBv1, see WN12-00-000170 and WN12-00-000180.
 
Run "Windows PowerShell" with elevated privileges (run as administrator).
Enter the following:
Get-WindowsOptionalFeature -Online | Where FeatureName -eq SMB1Protocol
 
If "State : Enabled" is returned, this is a finding.
 
Alternately:
Search for "Features".
Select "Turn Windows features on or off".
 
If "SMB 1.0/CIFS File Sharing Support" is selected, this is a finding.</rawString>
    </Rule>
  </WindowsFeatureRule>
  <WmiRule dscresourcemodule="PSDesiredStateConfiguration">
    <Rule id="V-1073" severity="high" conversionstatus="pass" title="Unsupported Service Packs" dscresource="Script">
      <Class>Win32_OperatingSystem</Class>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Operator>-ge</Operator>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <Property>Version</Property>
      <rawString>Run "winver.exe".
 
If the "About Windows" dialog box does not display
"Microsoft Windows Server
Version 6.2 (Build 9200)"
or greater, this is a finding.
       
No preview versions will be used in a production environment.
 
Unsupported Service Packs/Releases:
Windows 2012 - any release candidates or versions prior to the initial release.</rawString>
      <Value>6.2.9200</Value>
    </Rule>
    <Rule id="V-1081" severity="high" conversionstatus="pass" title="NTFS Requirement" dscresource="Script">
      <Class>Win32_LogicalDisk</Class>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Operator>-match</Operator>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <Property>FileSystem</Property>
      <rawString>Open "Computer Management".
 
Select "Disk Management" under "Storage".
 
For each local volume, if the file system does not indicate "NTFS", this is a finding.
 
"ReFS" (Resilient File System) is also acceptable and would not be a finding.
 
This does not apply to system partitions such as the Recovery and EFI System Partition.</rawString>
      <Value>NTFS|ReFS</Value>
    </Rule>
  </WmiRule>
</DISASTIG>