StigData/Processed/Windows-10-Client-1.14.xml
|
<DISASTIG id="Windows_10_STIG" version="1.14" created="11/29/2018"> <AccountPolicyRule dscresourcemodule="SecurityPolicyDsc"> <Rule id="V-63405" severity="medium" conversionstatus="pass" title="WN10-AC-000005" dscresource="AccountPolicy"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>True</OrganizationValueRequired> <OrganizationValueTestString>'{0}' -ge '15' -or '{0}' -eq '0'</OrganizationValueTestString> <PolicyName>Account lockout duration</PolicyName> <PolicyValue /> <RawString>Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Account Lockout Policy. If the "Account lockout duration" is less than "15" minutes (excluding "0"), this is a finding. Configuring this to "0", requiring an administrator to unlock the account, is more restrictive and is not a finding.</RawString> </Rule> <Rule id="V-63409" severity="medium" conversionstatus="pass" title="WN10-AC-000010" dscresource="AccountPolicy"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>True</OrganizationValueRequired> <OrganizationValueTestString>'{0}' -le '3' -and '{0}' -ne '0'</OrganizationValueTestString> <PolicyName>Account lockout threshold</PolicyName> <PolicyValue /> <RawString>Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Account Lockout Policy. If the "Account lockout threshold" is "0" or more than "3" attempts, this is a finding.</RawString> </Rule> <Rule id="V-63413" severity="medium" conversionstatus="pass" title="WN10-AC-000015" dscresource="AccountPolicy"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>True</OrganizationValueRequired> <OrganizationValueTestString>'{0}' -ge '15'</OrganizationValueTestString> <PolicyName>Reset account lockout counter after</PolicyName> <PolicyValue /> <RawString>Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Account Lockout Policy. If the "Reset account lockout counter after" value is less than "15" minutes, this is a finding.</RawString> </Rule> <Rule id="V-63415" severity="medium" conversionstatus="pass" title="WN10-AC-000020" dscresource="AccountPolicy"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>True</OrganizationValueRequired> <OrganizationValueTestString>'{0}' -ge '24'</OrganizationValueTestString> <PolicyName>Enforce password history</PolicyName> <PolicyValue /> <RawString>Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Password Policy. If the value for "Enforce password history" is less than "24" passwords remembered, this is a finding.</RawString> </Rule> <Rule id="V-63419" severity="medium" conversionstatus="pass" title="WN10-AC-000025" dscresource="AccountPolicy"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>True</OrganizationValueRequired> <OrganizationValueTestString>'{0}' -le '60' -and '{0}' -ne '0'</OrganizationValueTestString> <PolicyName>Maximum password age</PolicyName> <PolicyValue /> <RawString>Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Password Policy. If the value for the "Maximum password age" is greater than "60" days, this is a finding. If the value is set to "0" (never expires), this is a finding.</RawString> </Rule> <Rule id="V-63421" severity="medium" conversionstatus="pass" title="WN10-AC-000030" dscresource="AccountPolicy"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>True</OrganizationValueRequired> <OrganizationValueTestString>'{0}' -ge '1'</OrganizationValueTestString> <PolicyName>Minimum password age</PolicyName> <PolicyValue /> <RawString>Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Password Policy. If the value for the "Minimum password age" is less than "1" day, this is a finding.</RawString> </Rule> <Rule id="V-63423" severity="medium" conversionstatus="pass" title="WN10-AC-000035" dscresource="AccountPolicy"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>True</OrganizationValueRequired> <OrganizationValueTestString>'{0}' -ge '14'</OrganizationValueTestString> <PolicyName>Minimum password length</PolicyName> <PolicyValue /> <RawString>Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Password Policy. If the value for the "Minimum password length," is less than "14" characters, this is a finding.</RawString> </Rule> <Rule id="V-63427" severity="medium" conversionstatus="pass" title="WN10-AC-000040" dscresource="AccountPolicy"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <PolicyName>Password must meet complexity requirements</PolicyName> <PolicyValue>Enabled</PolicyValue> <RawString>Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Password Policy. If the value for "Password must meet complexity requirements" is not set to "Enabled", this is a finding. If the site is using a password filter that requires this setting be set to "Disabled" for the filter to be used, this would not be considered a finding.</RawString> </Rule> <Rule id="V-63429" severity="high" conversionstatus="pass" title="WN10-AC-000045" dscresource="AccountPolicy"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <PolicyName>Store passwords using reversible encryption</PolicyName> <PolicyValue>Disabled</PolicyValue> <RawString>Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Password Policy. If the value for "Store password using reversible encryption" is not set to "Disabled", this is a finding.</RawString> </Rule> </AccountPolicyRule> <AuditPolicyRule dscresourcemodule="AuditPolicyDsc"> <Rule id="V-63431" severity="medium" conversionstatus="pass" title="WN10-AU-000005" dscresource="AuditPolicySubcategory"> <AuditFlag>Failure</AuditFlag> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN10-SO-000030) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: Open a Command Prompt with elevated privileges ("Run as Administrator"). Enter "AuditPol /get /category:*". Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding: Account Logon >> Credential Validation - Failure</RawString> <Subcategory>Credential Validation</Subcategory> </Rule> <Rule id="V-63435" severity="medium" conversionstatus="pass" title="WN10-AU-000010" dscresource="AuditPolicySubcategory"> <AuditFlag>Success</AuditFlag> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN10-SO-000030) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: Open a Command Prompt with elevated privileges ("Run as Administrator"). Enter "AuditPol /get /category:*". Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding: Account Logon >> Credential Validation - Success</RawString> <Subcategory>Credential Validation</Subcategory> </Rule> <Rule id="V-63441" severity="medium" conversionstatus="pass" title="WN10-AU-000020" dscresource="AuditPolicySubcategory"> <AuditFlag>Success</AuditFlag> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN10-SO-000030) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: Open a Command Prompt with elevated privileges ("Run as Administrator"). Enter "AuditPol /get /category:*". Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding: Account Management >> Other Account Management Events - Success</RawString> <Subcategory>Other Account Management Events</Subcategory> </Rule> <Rule id="V-63445" severity="medium" conversionstatus="pass" title="WN10-AU-000030" dscresource="AuditPolicySubcategory"> <AuditFlag>Success</AuditFlag> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN10-SO-000030) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: Open a Command Prompt with elevated privileges ("Run as Administrator"). Enter "AuditPol /get /category:*". Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding: Account Management >> Security Group Management - Success</RawString> <Subcategory>Security Group Management</Subcategory> </Rule> <Rule id="V-63447" severity="medium" conversionstatus="pass" title="WN10-AU-000035" dscresource="AuditPolicySubcategory"> <AuditFlag>Failure</AuditFlag> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN10-SO-000030) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: Open a Command Prompt with elevated privileges ("Run as Administrator"). Enter "AuditPol /get /category:*". Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding: Account Management >> User Account Management - Failure</RawString> <Subcategory>User Account Management</Subcategory> </Rule> <Rule id="V-63449" severity="medium" conversionstatus="pass" title="WN10-AU-000040" dscresource="AuditPolicySubcategory"> <AuditFlag>Success</AuditFlag> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN10-SO-000030) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: Open a Command Prompt with elevated privileges ("Run as Administrator"). Enter "AuditPol /get /category:*". Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding: Account Management >> User Account Management - Success</RawString> <Subcategory>User Account Management</Subcategory> </Rule> <Rule id="V-63451" severity="medium" conversionstatus="pass" title="WN10-AU-000045" dscresource="AuditPolicySubcategory"> <AuditFlag>Success</AuditFlag> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN10-SO-000030) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: Open a Command Prompt with elevated privileges ("Run as Administrator"). Enter "AuditPol /get /category:*" Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding: Detailed Tracking >> Plug and Play Events - Success</RawString> <Subcategory>Plug and Play Events</Subcategory> </Rule> <Rule id="V-63453" severity="medium" conversionstatus="pass" title="WN10-AU-000050" dscresource="AuditPolicySubcategory"> <AuditFlag>Success</AuditFlag> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN10-SO-000030) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: Open a Command Prompt with elevated privileges ("Run as Administrator"). Enter "AuditPol /get /category:*". Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding: Detailed Tracking >> Process Creation - Success</RawString> <Subcategory>Process Creation</Subcategory> </Rule> <Rule id="V-63455" severity="medium" conversionstatus="pass" title="WN10-AU-000055" dscresource="AuditPolicySubcategory"> <AuditFlag>Success</AuditFlag> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN10-SO-000030) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: Open a Command Prompt with elevated privileges ("Run as Administrator"). Enter "AuditPol /get /category:*" Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding: Logon/Logoff >> Account Lockout - Success</RawString> <Subcategory>Account Lockout</Subcategory> </Rule> <Rule id="V-63457" severity="medium" conversionstatus="pass" title="WN10-AU-000060" dscresource="AuditPolicySubcategory"> <AuditFlag>Success</AuditFlag> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN10-SO-000030) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: Open a Command Prompt with elevated privileges ("Run as Administrator"). Enter "AuditPol /get /category:*" Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding: Logon/Logoff >> Group Membership - Success</RawString> <Subcategory>Group Membership</Subcategory> </Rule> <Rule id="V-63459" severity="medium" conversionstatus="pass" title="WN10-AU-000065" dscresource="AuditPolicySubcategory"> <AuditFlag>Success</AuditFlag> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN10-SO-000030) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: Open a Command Prompt with elevated privileges ("Run as Administrator"). Enter "AuditPol /get /category:*". Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding: Logon/Logoff >> Logoff - Success</RawString> <Subcategory>Logoff</Subcategory> </Rule> <Rule id="V-63463" severity="medium" conversionstatus="pass" title="WN10-AU-000070" dscresource="AuditPolicySubcategory"> <AuditFlag>Failure</AuditFlag> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN10-SO-000030) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: Open a Command Prompt with elevated privileges ("Run as Administrator"). Enter "AuditPol /get /category:*". Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding: Logon/Logoff >> Logon - Failure</RawString> <Subcategory>Logon</Subcategory> </Rule> <Rule id="V-63467" severity="medium" conversionstatus="pass" title="WN10-AU-000075" dscresource="AuditPolicySubcategory"> <AuditFlag>Success</AuditFlag> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN10-SO-000030) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: Open a Command Prompt with elevated privileges ("Run as Administrator"). Enter "AuditPol /get /category:*". Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding: Logon/Logoff >> Logon - Success</RawString> <Subcategory>Logon</Subcategory> </Rule> <Rule id="V-63469" severity="medium" conversionstatus="pass" title="WN10-AU-000080" dscresource="AuditPolicySubcategory"> <AuditFlag>Success</AuditFlag> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN10-SO-000030) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: Open a Command Prompt with elevated privileges ("Run as Administrator"). Enter "AuditPol /get /category:*". Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding: Logon/Logoff >> Special Logon - Success</RawString> <Subcategory>Special Logon</Subcategory> </Rule> <Rule id="V-63471" severity="medium" conversionstatus="pass" title="WN10-AU-000085" dscresource="AuditPolicySubcategory"> <AuditFlag>Failure</AuditFlag> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN10-SO-000030) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: Open a Command Prompt with elevated privileges ("Run as Administrator"). Enter "AuditPol /get /category:*" Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding: Object Access >> Removable Storage - Failure Some virtual machines may generate excessive audit events for access to the virtual hard disk itself when this setting is enabled. This may be set to Not Configured in such cases and would not be a finding. This must be documented with the ISSO to include mitigations such as monitoring or restricting any actual removable storage connected to the VM.</RawString> <Subcategory>Removable Storage</Subcategory> </Rule> <Rule id="V-63473" severity="medium" conversionstatus="pass" title="WN10-AU-000090" dscresource="AuditPolicySubcategory"> <AuditFlag>Success</AuditFlag> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN10-SO-000030) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: Open a Command Prompt with elevated privileges ("Run as Administrator"). Enter "AuditPol /get /category:*" Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding: Object Access >> Removable Storage - Success Some virtual machines may generate excessive audit events for access to the virtual hard disk itself when this setting is enabled. This may be set to Not Configured in such cases and would not be a finding. This must be documented with the ISSO to include mitigations such as monitoring or restricting any actual removable storage connected to the VM.</RawString> <Subcategory>Removable Storage</Subcategory> </Rule> <Rule id="V-63475" severity="medium" conversionstatus="pass" title="WN10-AU-000095" dscresource="AuditPolicySubcategory"> <AuditFlag>Failure</AuditFlag> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN10-SO-000030) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: Open a Command Prompt with elevated privileges ("Run as Administrator"). Enter "AuditPol /get /category:*". Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding: Policy Change >> Audit Policy Change - Failure</RawString> <Subcategory>Audit Policy Change</Subcategory> </Rule> <Rule id="V-63479" severity="medium" conversionstatus="pass" title="WN10-AU-000100" dscresource="AuditPolicySubcategory"> <AuditFlag>Success</AuditFlag> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN10-SO-000030) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: Open a Command Prompt with elevated privileges ("Run as Administrator"). Enter "AuditPol /get /category:*". Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding: Policy Change >> Audit Policy Change - Success</RawString> <Subcategory>Audit Policy Change</Subcategory> </Rule> <Rule id="V-63481" severity="medium" conversionstatus="pass" title="WN10-AU-000105" dscresource="AuditPolicySubcategory"> <AuditFlag>Success</AuditFlag> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN10-SO-000030) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: Open a Command Prompt with elevated privileges ("Run as Administrator"). Enter "AuditPol /get /category:*". Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding: Policy Change >> Authentication Policy Change - Success</RawString> <Subcategory>Authentication Policy Change</Subcategory> </Rule> <Rule id="V-63483" severity="medium" conversionstatus="pass" title="WN10-AU-000110" dscresource="AuditPolicySubcategory"> <AuditFlag>Failure</AuditFlag> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN10-SO-000030) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: Open a Command Prompt with elevated privileges ("Run as Administrator"). Enter "AuditPol /get /category:*". Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding: Privilege Use >> Sensitive Privilege Use - Failure</RawString> <Subcategory>Sensitive Privilege Use</Subcategory> </Rule> <Rule id="V-63487" severity="medium" conversionstatus="pass" title="WN10-AU-000115" dscresource="AuditPolicySubcategory"> <AuditFlag>Success</AuditFlag> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN10-SO-000030) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: Open a Command Prompt with elevated privileges ("Run as Administrator"). Enter "AuditPol /get /category:*". Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding: Privilege Use >> Sensitive Privilege Use - Success</RawString> <Subcategory>Sensitive Privilege Use</Subcategory> </Rule> <Rule id="V-63491" severity="medium" conversionstatus="pass" title="WN10-AU-000120" dscresource="AuditPolicySubcategory"> <AuditFlag>Failure</AuditFlag> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN10-SO-000030) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: Open a Command Prompt with elevated privileges ("Run as Administrator"). Enter "AuditPol /get /category:*". Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding: System >> IPSec Driver - Failure</RawString> <Subcategory>IPSec Driver</Subcategory> </Rule> <Rule id="V-63495" severity="medium" conversionstatus="pass" title="WN10-AU-000125" dscresource="AuditPolicySubcategory"> <AuditFlag>Success</AuditFlag> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN10-SO-000030) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: Open a Command Prompt with elevated privileges ("Run as Administrator"). Enter "AuditPol /get /category:*". Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding:" System >> IPSec Driver - Success</RawString> <Subcategory>IPSec Driver</Subcategory> </Rule> <Rule id="V-63499" severity="medium" conversionstatus="pass" title="WN10-AU-000130" dscresource="AuditPolicySubcategory"> <AuditFlag>Success</AuditFlag> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN10-SO-000030) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: Open a Command Prompt with elevated privileges ("Run as Administrator"). Enter "AuditPol /get /category:*" Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding: System >> Other System Events - Success</RawString> <Subcategory>Other System Events</Subcategory> </Rule> <Rule id="V-63503" severity="medium" conversionstatus="pass" title="WN10-AU-000135" dscresource="AuditPolicySubcategory"> <AuditFlag>Failure</AuditFlag> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN10-SO-000030) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: Open a Command Prompt with elevated privileges ("Run as Administrator"). Enter "AuditPol /get /category:*" Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding: System >> Other System Events - Failure</RawString> <Subcategory>Other System Events</Subcategory> </Rule> <Rule id="V-63507" severity="medium" conversionstatus="pass" title="WN10-AU-000140" dscresource="AuditPolicySubcategory"> <AuditFlag>Success</AuditFlag> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN10-SO-000030) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: Open a Command Prompt with elevated privileges ("Run as Administrator"). Enter "AuditPol /get /category:*". Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding: System >> Security State Change - Success</RawString> <Subcategory>Security State Change</Subcategory> </Rule> <Rule id="V-63513" severity="medium" conversionstatus="pass" title="WN10-AU-000150" dscresource="AuditPolicySubcategory"> <AuditFlag>Success</AuditFlag> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN10-SO-000030) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: Open a Command Prompt with elevated privileges ("Run as Administrator"). Enter "AuditPol /get /category:*". Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding: System >> Security System Extension - Success</RawString> <Subcategory>Security System Extension</Subcategory> </Rule> <Rule id="V-63515" severity="medium" conversionstatus="pass" title="WN10-AU-000155" dscresource="AuditPolicySubcategory"> <AuditFlag>Failure</AuditFlag> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN10-SO-000030) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: Open a Command Prompt with elevated privileges ("Run as Administrator"). Enter "AuditPol /get /category:*". Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding: System >> System Integrity - Failure</RawString> <Subcategory>System Integrity</Subcategory> </Rule> <Rule id="V-63517" severity="medium" conversionstatus="pass" title="WN10-AU-000160" dscresource="AuditPolicySubcategory"> <AuditFlag>Success</AuditFlag> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN10-SO-000030) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: Open a Command Prompt with elevated privileges ("Run as Administrator"). Enter "AuditPol /get /category:*". Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding: System >> System Integrity - Success</RawString> <Subcategory>System Integrity</Subcategory> </Rule> <Rule id="V-71759" severity="medium" conversionstatus="pass" title="WN10-AU-000054" dscresource="AuditPolicySubcategory"> <AuditFlag>Failure</AuditFlag> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN10-SO-000030) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: Open a Command Prompt with elevated privileges ("Run as Administrator"). Enter "AuditPol /get /category:*" Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding: Logon/Logoff >> Account Lockout - Failure</RawString> <Subcategory>Account Lockout</Subcategory> </Rule> <Rule id="V-71761" severity="medium" conversionstatus="pass" title="WN10-AU-000107" dscresource="AuditPolicySubcategory"> <AuditFlag>Success</AuditFlag> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN10-SO-000030) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: -Open a Command Prompt with elevated privileges ("Run as Administrator"). -Enter "AuditPol /get /category:*". Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. Policy Change >> Authorization Policy Change - Success</RawString> <Subcategory>Authorization Policy Change</Subcategory> </Rule> <Rule id="V-74409" severity="medium" conversionstatus="pass" title="WN10-AU-000084" dscresource="AuditPolicySubcategory"> <AuditFlag>Failure</AuditFlag> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN10-SO-000030) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: Open PowerShell or a Command Prompt with elevated privileges ("Run as Administrator"). Enter "AuditPol /get /category:*" Compare the AuditPol settings with the following: Object Access >> Other Object Access Events - Failure If the system does not audit the above, this is a finding.</RawString> <Subcategory>Other Object Access Events</Subcategory> </Rule> <Rule id="V-74411" severity="medium" conversionstatus="pass" title="WN10-AU-000083" dscresource="AuditPolicySubcategory"> <AuditFlag>Success</AuditFlag> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN10-SO-000030) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: Open PowerShell or a Command Prompt with elevated privileges ("Run as Administrator"). Enter "AuditPol /get /category:*" Compare the AuditPol settings with the following: Object Access >> Other Object Access Events - Success If the system does not audit the above, this is a finding.</RawString> <Subcategory>Other Object Access Events</Subcategory> </Rule> <Rule id="V-74721" severity="medium" conversionstatus="pass" title="WN10-AU-000082" dscresource="AuditPolicySubcategory"> <AuditFlag>Success</AuditFlag> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN10-SO-000030) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: Open PowerShell or a Command Prompt with elevated privileges ("Run as Administrator"). Enter "AuditPol /get /category:*" Compare the AuditPol settings with the following: Object Access >> File Share - Success If the system does not audit the above, this is a finding.</RawString> <Subcategory>File Share</Subcategory> </Rule> <Rule id="V-75027" severity="medium" conversionstatus="pass" title="WN10-AU-000081" dscresource="AuditPolicySubcategory"> <AuditFlag>Failure</AuditFlag> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN10-SO-000030) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: Open PowerShell or a Command Prompt with elevated privileges ("Run as Administrator"). Enter "AuditPol /get /category:*" Compare the AuditPol settings with the following: Object Access >> File Share - Failure If the system does not audit the above, this is a finding.</RawString> <Subcategory>File Share</Subcategory> </Rule> </AuditPolicyRule> <DocumentRule dscresourcemodule="None"> <Rule id="V-63359" severity="low" conversionstatus="pass" title="WN10-00-000065" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Run "PowerShell". Copy the lines below to the PowerShell window and enter. "([ADSI]('WinNT://{0}' -f $env:COMPUTERNAME)).Children | Where { $_.SchemaClassName -eq 'user' } | ForEach { $user = ([ADSI]$_.Path) $lastLogin = $user.Properties.LastLogin.Value $enabled = ($user.Properties.UserFlags.Value -band 0x2) -ne 0x2 if ($lastLogin -eq $null) { $lastLogin = 'Never' } Write-Host $user.Name $lastLogin $enabled }" This will return a list of local accounts with the account name, last logon, and if the account is enabled (True/False). For example: User1 10/31/2015 5:49:56 AM True Review the list to determine the finding validity for each account reported. Exclude the following accounts: Built-in administrator account (Disabled, SID ending in 500) Built-in guest account (Disabled, SID ending in 501) Built-in DefaultAccount (Disabled, SID ending in 503) Local administrator account If any enabled accounts have not been logged on to within the past 35 days, this is a finding. Inactive accounts that have been reviewed and deemed to be required must be documented with the ISSO.</RawString> </Rule> <Rule id="V-63393" severity="medium" conversionstatus="pass" title="WN10-00-000130" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Search all drives for *.p12 and *.pfx files. If any files with these extensions exist, this is a finding. This does not apply to server-based applications that have a requirement for .p12 certificate files (e.g., Oracle Wallet Manager). Some applications create files with extensions of .p12 that are NOT certificate installation files. Removal of non-certificate installation files from systems is not required. These must be documented with the ISSO.</RawString> </Rule> <Rule id="V-63579" severity="medium" conversionstatus="pass" title="WN10-PK-000005" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Verify the DoD Root CA certificates are installed as Trusted Root Certification Authorities. The certificates and thumbprints referenced below apply to unclassified systems; see PKE documentation for other networks. Run "PowerShell" as an administrator. Execute the following command: Get-ChildItem -Path Cert:Localmachine\root | Where Subject -Like "*DoD*" | FL Subject, Thumbprint, NotAfter If the following certificate "Subject" and "Thumbprint" information is not displayed, this is finding. If an expired certificate ("NotAfter" date) is not listed in the results, this is not a finding. Subject: CN=DoD Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US Thumbprint: 8C941B34EA1EA6ED9AE2BC54CF687252B4C9B561 NotAfter: 12/5/2029 Subject: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=US Thumbprint: D73CA91102A2204A36459ED32213B467D7CE97FB NotAfter: 12/30/2029 Subject: CN=DoD Root CA 4, OU=PKI, OU=DoD, O=U.S. Government, C=US Thumbprint: B8269F25DBD937ECAFD4C35A9838571723F2D026 NotAfter: 7/25/2032 Subject: CN=DoD Root CA 5, OU=PKI, OU=DoD, O=U.S. Government, C=US Thumbprint: 4ECB5CC3095670454DA1CBD410FC921F46B8564B NotAfter: 6/14/2041 Alternately use the Certificates MMC snap-in: Run "MMC". Select "File", "Add/Remove Snap-in". Select "Certificates", click "Add". Select "Computer account", click "Next". Select "Local computer: (the computer this console is running on)", click "Finish". Click "OK". Expand "Certificates" and navigate to "Trusted Root Certification Authorities >> Certificates". For each of the DoD Root CA certificates noted below: Right-click on the certificate and select "Open". Select the "Details" Tab. Scroll to the bottom and select "Thumbprint". If the DoD Root CA certificates below are not listed or the value for the "Thumbprint" field is not as noted, this is a finding. If an expired certificate ("Valid to" date) is not listed in the results, this is not a finding. DoD Root CA 2 Thumbprint: 8C941B34EA1EA6ED9AE2BC54CF687252B4C9B561 Valid to: Wednesday, December 5, 2029 DoD Root CA 3 Thumbprint: D73CA91102A2204A36459ED32213B467D7CE97FB Valid to: Sunday, December 30, 2029 DoD Root CA 4 Thumbprint: B8269F25DBD937ECAFD4C35A9838571723F2D026 Valid to: Sunday, July 25, 2032 DoD Root CA 5 Thumbprint: 4ECB5CC3095670454DA1CBD410FC921F46B8564B Valid to: Friday, June 14, 2041</RawString> </Rule> <Rule id="V-72765" severity="medium" conversionstatus="pass" title="WN10-00-000210" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>This is NA if the system does not have Bluetooth. Verify the Bluetooth radio is turned off unless approved by the organization. If it is not, this is a finding. Approval must be documented with the ISSO.</RawString> </Rule> </DocumentRule> <ManualRule dscresourcemodule="None"> <Rule id="V-63319" severity="medium" conversionstatus="pass" title="WN10-00-000005" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Verify domain-joined systems are using Windows 10 Enterprise Edition 64-bit version. For standalone systems, this is NA. Open "Settings". Select "System", then "About". If "Edition" is not "Windows 10 Enterprise", this is a finding. If "System type" is not "64-bit operating system…", this is a finding.</RawString> </Rule> <Rule id="V-63323" severity="low" conversionstatus="pass" title="WN10-00-000010" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Verify domain-joined systems have a TPM enabled and ready for use. For standalone systems, this is NA. Virtualization based security, including Credential Guard, currently cannot be implemented in virtual desktop implementations (VDI) due to specific supporting requirements including a TPM, UEFI with Secure Boot, and the capability to run the Hyper-V feature within the virtual desktop. For VDIs where the virtual desktop instance is deleted or refreshed upon logoff, this is NA. Verify the system has a TPM and is ready for use. Run "tpm.msc". Review the sections in the center pane. "Status" must indicate it has been configured with a message such as "The TPM is ready for use" or "The TPM is on and ownership has been taken". TPM Manufacturer Information - Specific Version = 2.0 or 1.2 If a TPM is not found or is not ready for use, this is a finding.</RawString> </Rule> <Rule id="V-63337" severity="high" conversionstatus="pass" title="WN10-00-000030" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Verify mobile systems employ DoD-approved full disk encryption. If full disk encryption is not implemented, this is a finding. If BitLocker is used, verify it is turned on for the operating system drive and any fixed data drives. Open "BitLocker Drive Encryption" from the Control Panel. If the operating system drive or any fixed data drives have "Turn on BitLocker", this is a finding.</RawString> </Rule> <Rule id="V-63343" severity="medium" conversionstatus="pass" title="WN10-00-000025" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Determine if an approved tool capable of continuous scanning is loaded on the system. The recommended system is the McAfee HBSS. If no such tool is installed on the system, this is a finding.</RawString> </Rule> <Rule id="V-63345" severity="medium" conversionstatus="pass" title="WN10-00-000035" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>This is applicable to unclassified systems; for other systems this is NA. Verify the operating system employs a deny-all, permit-by-exception policy to allow the execution of authorized software programs. This must include packaged apps such as the universals apps installed by default on systems. If an application whitelisting program is not in use on the system, this is a finding. Configuration of whitelisting applications will vary by the program. AppLocker is a whitelisting application built into Windows 10 Enterprise. A deny-by-default implementation is initiated by enabling any AppLocker rules within a category, only allowing what is specified by defined rules. If AppLocker is used, perform the following to view the configuration of AppLocker: Run "PowerShell". Execute the following command, substituting [c:\temp\file.xml] with a location and file name appropriate for the system: Get-AppLockerPolicy -Effective -XML > c:\temp\file.xml This will produce an xml file with the effective settings that can be viewed in a browser or opened in a program such as Excel for review. Implementation guidance for AppLocker is available in the NSA paper "Application Whitelisting using Microsoft AppLocker" at the following link: https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm</RawString> </Rule> <Rule id="V-63349" severity="high" conversionstatus="pass" title="WN10-00-000040" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Run "winver.exe". If the "About Windows" dialog box does not display: "Microsoft Windows Version 1607 (OS Build 14393.0)" or greater, this is a finding. Note: Microsoft has extended support for an additional 6 months with supplemental servicing for versions 1607, 1703, and 1709. Supplemental servicing provides critical and important updates for Windows 10 Enterprise only. Currently supported Semi-Annual Channel versions: v1607 - Microsoft support is scheduled to end 9 October 2018. v1703 - Microsoft support is scheduled to end 9 April 2019. v1709 - Microsoft support is scheduled to end 8 October 2019. v1803 - Microsoft support tentatively scheduled to end October 2019. No preview versions will be used in a production environment. Special purpose systems using the Long-Term Servicing Branch\Channel (LTSC\B) must be at "Version 10.0 (OS Build 10240)" or greater. LTSC\B versions at Build 10240 or greater are not a finding. Current LTSC\B versions are v1507 (Build 10240) and v1607 (Build 14393).</RawString> </Rule> <Rule id="V-63351" severity="high" conversionstatus="pass" title="WN10-00-000045" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Verify an anti-virus solution is installed on the system. The anti-virus solution may be bundled with an approved host-based security solution. If there is no anti-virus solution installed on the system, this is a finding.</RawString> </Rule> <Rule id="V-63355" severity="medium" conversionstatus="pass" title="WN10-00-000055" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Verify the system does not include other operating system installations. Run "Advanced System Settings". Select the "Advanced" tab. Click the "Settings" button in the "Startup and Recovery" section. If the drop-down list box "Default operating system:" shows any operating system other than Windows 10, this is a finding.</RawString> </Rule> <Rule id="V-63357" severity="medium" conversionstatus="pass" title="WN10-00-000060" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Non system-created shares should not typically exist on workstations. If only system-created shares exist on the system this is NA. Run "Computer Management". Navigate to System Tools >> Shared Folders >> Shares. If the only shares listed are "ADMIN$", "C$" and "IPC$", this is NA. (Selecting Properties for system-created shares will display a message that it has been shared for administrative purposes.) Right click any non-system-created shares. Select "Properties". Select the "Share Permissions" tab. Verify the necessity of any shares found. If the file shares have not been reconfigured to restrict permissions to the specific groups or accounts that require access, this is a finding. Select the "Security" tab. If the NTFS permissions have not been reconfigured to restrict permissions to the specific groups or accounts that require access, this is a finding.</RawString> </Rule> <Rule id="V-63361" severity="high" conversionstatus="pass" title="WN10-00-000070" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Run "Computer Management". Navigate to System Tools >> Local Users and Groups >> Groups. Review the members of the Administrators group. Only the appropriate administrator groups or accounts responsible for administration of the system may be members of the group. For domain-joined workstations, the Domain Admins group must be replaced by a domain workstation administrator group. Systems dedicated to the management of Active Directory (AD admin platforms, see V-36436 in the Active Directory Domain STIG) are exempt from this. AD admin platforms may use the Domain Admins group or a domain administrative group created specifically for AD admin platforms (see V-43711 in the Active Directory Domain STIG). Standard user accounts must not be members of the local administrator group. If prohibited accounts are members of the local administrators group, this is a finding. The built-in Administrator account or other required administrative accounts would not be a finding.</RawString> </Rule> <Rule id="V-63363" severity="medium" conversionstatus="pass" title="WN10-00-000075" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Run "Computer Management". Navigate to System Tools >> Local Users and Groups >> Groups. Review the members of the Backup Operators group. If the group contains no accounts, this is not a finding. If the group contains any accounts, the accounts must be specifically for backup functions. If the group contains any standard user accounts used for performing normal user tasks, this is a finding.</RawString> </Rule> <Rule id="V-63365" severity="medium" conversionstatus="pass" title="WN10-00-000080" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Run "Computer Management". Navigate to System Tools >> Local Users and Groups >> Groups. Double click on "Hyper-V Administrators". If any groups or user accounts are listed in "Members:", this is a finding. If the workstation has an approved use of Hyper-V, such as being used as a dedicated admin workstation using Hyper-V to separate administration and standard user functions, the account(s) needed to access the virtual machine is not a finding.</RawString> </Rule> <Rule id="V-63367" severity="low" conversionstatus="pass" title="WN10-00-000085" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Run "Computer Management". Navigate to System Tools >> Local Users and Groups >> Users. If local users other than the accounts listed below exist on a workstation in a domain, this is a finding. Built-in Administrator account (Disabled) Built-in Guest account (Disabled) Built-in DefaultAccount (Disabled) Built-in defaultuser0 (Disabled) Built-in WDAGUtilityAccount (Disabled) Local administrator account(s) All of the built-in accounts may not exist on a system, depending on the Windows 10 version.</RawString> </Rule> <Rule id="V-63371" severity="medium" conversionstatus="pass" title="WN10-00-000090" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Run "Computer Management". Navigate to System Tools >> Local Users and Groups >> Users. Double click each active account. If "Password never expires" is selected for any account, this is a finding.</RawString> </Rule> <Rule id="V-63399" severity="medium" conversionstatus="pass" title="WN10-00-000135" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Determine if a host-based firewall is installed and enabled on the system. If a host-based firewall is not installed and enabled on the system, this is a finding. The configuration requirements will be determined by the applicable firewall STIG.</RawString> </Rule> <Rule id="V-63403" severity="medium" conversionstatus="pass" title="WN10-00-000140" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Verify firewall exceptions to inbound connections on domain workstations include only authorized remote management hosts. If allowed inbound exceptions are not limited to authorized remote management hosts, this is a finding. Review inbound firewall exceptions. Computer Configuration >> Windows Settings >> Security Settings >> Windows Firewall with Advanced Security >> Windows Firewall with Advanced Security >> Inbound Rules (this link will be in the right pane) For any inbound rules that allow connections view the Scope for Remote IP address. This may be defined as an IP address, subnet, or range. The rule must apply to all firewall profiles. If a third-party firewall is used, ensure comparable settings are in place.</RawString> </Rule> <Rule id="V-63583" severity="medium" conversionstatus="pass" title="WN10-PK-000010" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Verify the ECA Root CA certificates are installed on unclassified systems as Trusted Root Certification Authorities. Run "PowerShell" as an administrator. Execute the following command: Get-ChildItem -Path Cert:Localmachine\root | Where Subject -Like "*ECA*" | FL Subject, Thumbprint, NotAfter If the following certificate "Subject" and "Thumbprint" information is not displayed, this is finding. If an expired certificate ("NotAfter" date) is not listed in the results, this is not a finding. Subject: CN=ECA Root CA 2, OU=ECA, O=U.S. Government, C=US Thumbprint: C313F919A6ED4E0E8451AFA930FB419A20F181E4 NotAfter: 3/30/2028 Subject: CN=ECA Root CA 4, OU=ECA, O=U.S. Government, C=US Thumbprint: 73E8BB08E337D6A5A6AEF90CFFDD97D9176CB582 NotAfter: 12/30/2029 Alternately use the Certificates MMC snap-in: Run "MMC". Select "File", "Add/Remove Snap-in". Select "Certificates", click "Add". Select "Computer account", click "Next". Select "Local computer: (the computer this console is running on)", click "Finish". Click "OK". Expand "Certificates" and navigate to "Trusted Root Certification Authorities >> Certificates". For each of the ECA Root CA certificates noted below: Right-click on the certificate and select "Open". Select the "Details" Tab. Scroll to the bottom and select "Thumbprint". If the ECA Root CA certificates below are not listed or the value for the "Thumbprint" field is not as noted, this is a finding. If an expired certificate ("Valid to" date) is not listed in the results, this is not a finding. ECA Root CA 2 Thumbprint: C313F919A6ED4E0E8451AFA930FB419A20F181E4 Valid to: Thursday, March 30, 2028 ECA Root CA 4 Thumbprint: 73E8BB08E337D6A5A6AEF90CFFDD97D9176CB582 Valid to: Sunday, December 30, 2029</RawString> </Rule> <Rule id="V-63587" severity="medium" conversionstatus="pass" title="WN10-PK-000015" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Verify the DoD Interoperability cross-certificates are installed on unclassified systems as Untrusted Certificates. Run "PowerShell" as an administrator. Execute the following command: Get-ChildItem -Path Cert:Localmachine\disallowed | Where {$_.Issuer -Like "*DoD Interoperability*" -and $_.Subject -Like "*DoD*"} | FL Subject, Issuer, Thumbprint, NotAfter If the following certificate "Subject", "Issuer", and "Thumbprint", information is not displayed, this is finding. If an expired certificate ("NotAfter" date) is not listed in the results, this is not a finding. Subject: CN=DoD Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US Issuer: CN=DoD Interoperability Root CA 1, OU=PKI, OU=DoD, O=U.S. Government, C=US Thumbprint: 22BBE981F0694D246CC1472ED2B021DC8540A22F NotAfter: 9/6/2019 Subject: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=US Issuer: CN=DoD Interoperability Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US Thumbprint: FFAD03329B9E527A43EEC66A56F9CBB5393E6E13 NotAfter: 9/23/2018 Subject: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=US Issuer: CN=DoD Interoperability Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US Thumbprint: FCE1B1E25374DD94F5935BEB86CA643D8C8D1FF4 NotAfter: 2/17/2019 Alternately use the Certificates MMC snap-in: Run "MMC". Select "File", "Add/Remove Snap-in". Select "Certificates", click "Add". Select "Computer account", click "Next". Select "Local computer: (the computer this console is running on)", click "Finish". Click "OK". Expand "Certificates" and navigate to "Untrusted Certificates >> Certificates". For each certificate with "DoD Root CA…" under "Issued To" and "DoD Interoperability Root CA…" under "Issued By": Right-click on the certificate and select "Open". Select the "Details" Tab. Scroll to the bottom and select "Thumbprint". If the certificates below are not listed or the value for the "Thumbprint" field is not as noted, this is a finding. If an expired certificate ("Valid to" date) is not listed in the results, this is not a finding. Issued To: DoD Root CA 2 Issued By: DoD Interoperability Root CA 1 Thumbprint: 22BBE981F0694D246CC1472ED2B021DC8540A22F Valid to: Friday, September 6, 2019 Issued To: DoD Root CA 3 Issued By: DoD Interoperability Root CA 2 Thumbprint: FFAD03329B9E527A43EEC66A56F9CBB5393E6E13 Valid to: Sunday, September 23, 2018 Issued To: DoD Root CA 3 Issued By: DoD Interoperability Root CA 2 Thumbprint: FCE1B1E25374DD94F5935BEB86CA643D8C8D1FF4 Valid to: Sunday, February 17, 2019</RawString> </Rule> <Rule id="V-63589" severity="medium" conversionstatus="pass" title="WN10-PK-000020" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Verify the US DoD CCEB Interoperability Root CA cross-certificate is installed on unclassified systems as an Untrusted Certificate. Run "PowerShell" as an administrator. Execute the following command: Get-ChildItem -Path Cert:Localmachine\disallowed | Where Issuer -Like "*CCEB Interoperability*" | FL Subject, Issuer, Thumbprint, NotAfter If the following certificate "Subject", "Issuer", and "Thumbprint", information is not displayed, this is finding. If an expired certificate ("NotAfter" date) is not listed in the results, this is not a finding. Subject: CN=DoD Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US Issuer: CN=US DoD CCEB Interoperability Root CA 1, OU=PKI, OU=DoD, O=U.S. Government, C=US Thumbprint: DA36FAF56B2F6FBA1604F5BE46D864C9FA013BA3 NotAfter: 3/9/2019 Subject: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=US Issuer: CN=US DoD CCEB Interoperability Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US Thumbprint: 929BF3196896994C0A201DF4A5B71F603FEFBF2E NotAfter: 9/27/2019 Alternately use the Certificates MMC snap-in: Run "MMC". Select "File", "Add/Remove Snap-in". Select "Certificates", click "Add". Select "Computer account", click "Next". Select "Local computer: (the computer this console is running on)", click "Finish". Click "OK". Expand "Certificates" and navigate to "Untrusted Certificates >> Certificates". For each certificate with "US DoD CCEB Interoperability Root CA …" under "Issued By": Right-click on the certificate and select "Open". Select the "Details" Tab. Scroll to the bottom and select "Thumbprint". If the certificate below is not listed or the value for the "Thumbprint" field is not as noted, this is a finding. If an expired certificate ("Valid to" date) is not listed in the results, this is not a finding. Issued To: DoD Root CA 2 Issued By: US DoD CCEB Interoperability Root CA 1 Thumbprint: DA36FAF56B2F6FBA1604F5BE46D864C9FA013BA3 Valid to: Saturday, March 9, 2019 Issued To: DoD Root CA 3 Issuer by: US DoD CCEB Interoperability Root CA 2 Thumbprint: 929BF3196896994C0A201DF4A5B71F603FEFBF2E Valid: Friday, September 27, 2019</RawString> </Rule> <Rule id="V-63685" severity="medium" conversionstatus="pass" title="WN10-CC-000210" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>This is applicable to unclassified systems, for other systems this is NA. If the following registry values do not exist or are not configured as specified, this is a finding: v1703 and later of Windows 10: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows\System\ Value Name: EnableSmartScreen Value Type: REG_DWORD Value: 0x00000001 (1) And Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows\System\ Value Name: ShellSmartScreenLevel Value Type: REG_SZ Value: Block v1607 of Windows 10: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows\System\ Value Name: EnableSmartScreen Value Type: REG_DWORD Value: 0x00000001 (1) v1507 LTSB: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows\System\ Value Name: EnableSmartScreen Value Type: REG_DWORD Value: 0x00000002 (2)</RawString> </Rule> <Rule id="V-68845" severity="high" conversionstatus="pass" title="WN10-00-000145" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Verify the DEP configuration. Open a command prompt (cmd.exe) or PowerShell with elevated privileges (Run as administrator). Enter "BCDEdit /enum {current}". (If using PowerShell "{current}" must be enclosed in quotes.) If the value for "nx" is not "OptOut", this is a finding. (The more restrictive configuration of "AlwaysOn" would not be a finding.)</RawString> </Rule> <Rule id="V-72767" severity="medium" conversionstatus="pass" title="WN10-00-000220" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>This is NA if the system does not have Bluetooth. Verify the organization has a policy to turn off Bluetooth when not in use and personnel are trained. If it does not, this is a finding.</RawString> </Rule> <Rule id="V-72769" severity="medium" conversionstatus="pass" title="WN10-00-000230" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>This is NA if the system does not have Bluetooth. Search for "Bluetooth". View Bluetooth Settings. Select "More Bluetooth Options" If "Alert me when a new Bluetooth device wants to connect" is not checked, this is a finding.</RawString> </Rule> <Rule id="V-76505" severity="medium" conversionstatus="pass" title="WN10-00-000190" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Review the effective User Rights setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. Review each User Right listed for any unresolved SIDs to determine whether they are valid, such as due to being temporarily disconnected from the domain. (Unresolved SIDs have the format of "*S-1-…".) If any unresolved SIDs exist and are not for currently valid accounts or groups, this is a finding.</RawString> </Rule> <Rule id="V-77083" severity="medium" conversionstatus="pass" title="WN10-00-000015" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Verify the system firmware is configured to run in UEFI mode, not Legacy BIOS. Run "System Information". Under "System Summary", if "BIOS Mode" does not display "UEFI", this is finding.</RawString> </Rule> <Rule id="V-77085" severity="low" conversionstatus="pass" title="WN10-00-000020" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Some older systems may not have UEFI firmware. This is currently a CAT III; it will be raised in severity at a future date when broad support of Windows 10 hardware and firmware requirements are expected to be met. Devices that have UEFI firmware must have Secure Boot enabled. Run "System Information". Under "System Summary", if "Secure Boot State" does not display "On", this is finding.</RawString> </Rule> <Rule id="V-78129" severity="high" conversionstatus="pass" title="WN10-00-000240" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Determine whether administrative accounts are prevented from using applications that access the Internet, such as web browsers, or with potential Internet sources, such as email, except as necessary for local service administration. The organization must have a policy that prohibits administrative accounts from using applications that access the Internet, such as web browsers, or with potential Internet sources, such as email, except as necessary for local service administration. The policy should define specific exceptions for local service administration. These exceptions may include HTTP(S)-based tools that are used for the administration of the local system, services, or attached devices. Technical measures such as the removal of applications or application whitelisting must be used where feasible to prevent the use of applications that access the Internet. If accounts with administrative privileges are not prevented from using applications that access the Internet or with potential Internet sources, this is a finding.</RawString> </Rule> </ManualRule> <PermissionRule dscresourcemodule="AccessControlDsc"> <Rule id="V-63373.a" severity="medium" conversionstatus="pass" title="WN10-00-000095" dscresource="NTFSAccessEntry"> <AccessControlEntry> <Entry> <Type> </Type> <Principal>Administrators</Principal> <ForcePrincipal>False</ForcePrincipal> <Inheritance>This folder subfolders and files</Inheritance> <Rights>FullControl</Rights> </Entry> <Entry> <Type> </Type> <Principal>SYSTEM</Principal> <ForcePrincipal>False</ForcePrincipal> <Inheritance>This folder subfolders and files</Inheritance> <Rights>FullControl</Rights> </Entry> <Entry> <Type> </Type> <Principal>Users</Principal> <ForcePrincipal>False</ForcePrincipal> <Inheritance>This folder subfolders and files</Inheritance> <Rights>ReadAndExecute</Rights> </Entry> <Entry> <Type> </Type> <Principal>Authenticated Users</Principal> <ForcePrincipal>False</ForcePrincipal> <Inheritance>Subfolders and files only</Inheritance> <Rights>Modify</Rights> </Entry> <Entry> <Type> </Type> <Principal>Authenticated Users</Principal> <ForcePrincipal>False</ForcePrincipal> <Inheritance>This folder only</Inheritance> <Rights>CreateDirectories,AppendData</Rights> </Entry> </AccessControlEntry> <Force>True</Force> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <Path>%SystemDrive%</Path> <RawString>The default file system permissions are adequate when the Security Option "Network access: Let Everyone permissions apply to anonymous users" is set to "Disabled" (WN10-SO-000160). If the default file system permissions are maintained and the referenced option is set to "Disabled", this is not a finding. Verify the default permissions for the sample directories below. Non-privileged groups such as Users or Authenticated Users must not have greater than Read & execute permissions except where noted as defaults. (Individual accounts must not be used to assign permissions.) Viewing in File Explorer: Select the "Security" tab, and the "Advanced" button. C:\ Type - "Allow" for all Inherited from - "None" for all Principal - Access - Applies to Administrators - Full control - This folder, subfolders and files SYSTEM - Full control - This folder, subfolders and files Users - Read & execute - This folder, subfolders and files Authenticated Users - Modify - Subfolders and files only Authenticated Users - Create folders / append data - This folder only Alternately use icacls. </RawString> </Rule> <Rule id="V-63373.b" severity="medium" conversionstatus="pass" title="WN10-00-000095" dscresource="NTFSAccessEntry"> <AccessControlEntry> <Entry> <Type> </Type> <Principal>TrustedInstaller</Principal> <ForcePrincipal>False</ForcePrincipal> <Inheritance>This folder and subfolders</Inheritance> <Rights>FullControl</Rights> </Entry> <Entry> <Type> </Type> <Principal>SYSTEM</Principal> <ForcePrincipal>False</ForcePrincipal> <Inheritance>This folder only</Inheritance> <Rights>Modify</Rights> </Entry> <Entry> <Type> </Type> <Principal>SYSTEM</Principal> <ForcePrincipal>False</ForcePrincipal> <Inheritance>Subfolders and files only</Inheritance> <Rights>FullControl</Rights> </Entry> <Entry> <Type> </Type> <Principal>Administrators</Principal> <ForcePrincipal>False</ForcePrincipal> <Inheritance>This folder only</Inheritance> <Rights>Modify</Rights> </Entry> <Entry> <Type> </Type> <Principal>Administrators</Principal> <ForcePrincipal>False</ForcePrincipal> <Inheritance>Subfolders and files only</Inheritance> <Rights>FullControl</Rights> </Entry> <Entry> <Type> </Type> <Principal>Users</Principal> <ForcePrincipal>False</ForcePrincipal> <Inheritance>This folder subfolders and files</Inheritance> <Rights>ReadAndExecute</Rights> </Entry> <Entry> <Type> </Type> <Principal>CREATOR OWNER</Principal> <ForcePrincipal>False</ForcePrincipal> <Inheritance>Subfolders and files only</Inheritance> <Rights>FullControl</Rights> </Entry> <Entry> <Type> </Type> <Principal>ALL APPLICATION PACKAGES</Principal> <ForcePrincipal>False</ForcePrincipal> <Inheritance>This folder subfolders and files</Inheritance> <Rights>ReadAndExecute</Rights> </Entry> <Entry> <Type> </Type> <Principal>ALL RESTRICTED APPLICATION PACKAGES</Principal> <ForcePrincipal>False</ForcePrincipal> <Inheritance>This folder subfolders and files</Inheritance> <Rights>ReadAndExecute</Rights> </Entry> </AccessControlEntry> <Force>True</Force> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <Path>%ProgramFiles%</Path> <RawString>The default file system permissions are adequate when the Security Option "Network access: Let Everyone permissions apply to anonymous users" is set to "Disabled" (WN10-SO-000160). If the default file system permissions are maintained and the referenced option is set to "Disabled", this is not a finding. Verify the default permissions for the sample directories below. Non-privileged groups such as Users or Authenticated Users must not have greater than Read & execute permissions except where noted as defaults. (Individual accounts must not be used to assign permissions.) Viewing in File Explorer: Select the "Security" tab, and the "Advanced" button. \Program Files Type - "Allow" for all Inherited from - "None" for all Principal - Access - Applies to TrustedInstaller - Full control - This folder and subfolders SYSTEM - Modify - This folder only SYSTEM - Full control - Subfolders and files only Administrators - Modify - This folder only Administrators - Full control - Subfolders and files only Users - Read & execute - This folder, subfolders and files CREATOR OWNER - Full control - Subfolders and files only ALL APPLICATION PACKAGES - Read & execute - This folder, subfolders and files ALL RESTRICTED APPLICATION PACKAGES - Read & execute - This folder, subfolders and files Alternately use icacls. </RawString> </Rule> <Rule id="V-63373.c" severity="medium" conversionstatus="pass" title="WN10-00-000095" dscresource="NTFSAccessEntry"> <AccessControlEntry> <Entry> <Type> </Type> <Principal>TrustedInstaller</Principal> <ForcePrincipal>False</ForcePrincipal> <Inheritance>This folder and subfolders</Inheritance> <Rights>FullControl</Rights> </Entry> <Entry> <Type> </Type> <Principal>SYSTEM</Principal> <ForcePrincipal>False</ForcePrincipal> <Inheritance>This folder only</Inheritance> <Rights>Modify</Rights> </Entry> <Entry> <Type> </Type> <Principal>SYSTEM</Principal> <ForcePrincipal>False</ForcePrincipal> <Inheritance>Subfolders and files only</Inheritance> <Rights>FullControl</Rights> </Entry> <Entry> <Type> </Type> <Principal>Administrators</Principal> <ForcePrincipal>False</ForcePrincipal> <Inheritance>This folder only</Inheritance> <Rights>Modify</Rights> </Entry> <Entry> <Type> </Type> <Principal>Administrators</Principal> <ForcePrincipal>False</ForcePrincipal> <Inheritance>Subfolders and files only</Inheritance> <Rights>FullControl</Rights> </Entry> <Entry> <Type> </Type> <Principal>Users</Principal> <ForcePrincipal>False</ForcePrincipal> <Inheritance>This folder subfolders and files</Inheritance> <Rights>ReadAndExecute</Rights> </Entry> <Entry> <Type> </Type> <Principal>CREATOR OWNER</Principal> <ForcePrincipal>False</ForcePrincipal> <Inheritance>Subfolders and files only</Inheritance> <Rights>FullControl</Rights> </Entry> <Entry> <Type> </Type> <Principal>ALL APPLICATION PACKAGES</Principal> <ForcePrincipal>False</ForcePrincipal> <Inheritance>This folder subfolders and files</Inheritance> <Rights>ReadAndExecute</Rights> </Entry> <Entry> <Type> </Type> <Principal>ALL RESTRICTED APPLICATION PACKAGES</Principal> <ForcePrincipal>False</ForcePrincipal> <Inheritance>This folder subfolders and files</Inheritance> <Rights>ReadAndExecute</Rights> </Entry> </AccessControlEntry> <Force>True</Force> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <Path>%Windir%</Path> <RawString>The default file system permissions are adequate when the Security Option "Network access: Let Everyone permissions apply to anonymous users" is set to "Disabled" (WN10-SO-000160). If the default file system permissions are maintained and the referenced option is set to "Disabled", this is not a finding. Verify the default permissions for the sample directories below. Non-privileged groups such as Users or Authenticated Users must not have greater than Read & execute permissions except where noted as defaults. (Individual accounts must not be used to assign permissions.) Viewing in File Explorer: Select the "Security" tab, and the "Advanced" button. \Windows Type - "Allow" for all Inherited from - "None" for all Principal - Access - Applies to TrustedInstaller - Full control - This folder and subfolders SYSTEM - Modify - This folder only SYSTEM - Full control - Subfolders and files only Administrators - Modify - This folder only Administrators - Full control - Subfolders and files only Users - Read & execute - This folder, subfolders and files CREATOR OWNER - Full control - Subfolders and files only ALL APPLICATION PACKAGES - Read & execute - This folder, subfolders and files ALL RESTRICTED APPLICATION PACKAGES - Read & execute - This folder, subfolders and files Alternately use icacls. </RawString> </Rule> <Rule id="V-63533" severity="medium" conversionstatus="pass" title="WN10-AU-000515" dscresource="NTFSAccessEntry"> <AccessControlEntry> <Entry> <Type> </Type> <Principal>Eventlog</Principal> <ForcePrincipal>False</ForcePrincipal> <Inheritance> </Inheritance> <Rights>FullControl</Rights> </Entry> <Entry> <Type> </Type> <Principal>SYSTEM</Principal> <ForcePrincipal>False</ForcePrincipal> <Inheritance> </Inheritance> <Rights>FullControl</Rights> </Entry> <Entry> <Type> </Type> <Principal>Administrators</Principal> <ForcePrincipal>False</ForcePrincipal> <Inheritance> </Inheritance> <Rights>FullControl</Rights> </Entry> </AccessControlEntry> <Force>True</Force> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <Path>%windir%\SYSTEM32\WINEVT\LOGS\Application.evtx</Path> <RawString>Verify the permissions on the Application event log (Application.evtx). Standard user accounts or groups must not have access. The default permissions listed below satisfy this requirement. Eventlog - Full Control SYSTEM - Full Control Administrators - Full Control The default location is the "%SystemRoot%\SYSTEM32\WINEVT\LOGS" directory. They may have been moved to another folder. If the permissions for these files are not as restrictive as the ACLs listed, this is a finding.</RawString> </Rule> <Rule id="V-63537" severity="medium" conversionstatus="pass" title="WN10-AU-000520" dscresource="NTFSAccessEntry"> <AccessControlEntry> <Entry> <Type> </Type> <Principal>Eventlog</Principal> <ForcePrincipal>False</ForcePrincipal> <Inheritance> </Inheritance> <Rights>FullControl</Rights> </Entry> <Entry> <Type> </Type> <Principal>SYSTEM</Principal> <ForcePrincipal>False</ForcePrincipal> <Inheritance> </Inheritance> <Rights>FullControl</Rights> </Entry> <Entry> <Type> </Type> <Principal>Administrators</Principal> <ForcePrincipal>False</ForcePrincipal> <Inheritance> </Inheritance> <Rights>FullControl</Rights> </Entry> </AccessControlEntry> <Force>True</Force> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <Path>%windir%\SYSTEM32\WINEVT\LOGS\Security.evtx</Path> <RawString>Verify the permissions on the Security event log (Security.evtx). Standard user accounts or groups must not have access. The default permissions listed below satisfy this requirement. Eventlog - Full Control SYSTEM - Full Control Administrators - Full Control The default location is the "%SystemRoot%\SYSTEM32\WINEVT\LOGS" directory. They may have been moved to another folder. If the permissions for these files are not as restrictive as the ACLs listed, this is a finding.</RawString> </Rule> <Rule id="V-63541" severity="medium" conversionstatus="pass" title="WN10-AU-000525" dscresource="NTFSAccessEntry"> <AccessControlEntry> <Entry> <Type> </Type> <Principal>Eventlog</Principal> <ForcePrincipal>False</ForcePrincipal> <Inheritance> </Inheritance> <Rights>FullControl</Rights> </Entry> <Entry> <Type> </Type> <Principal>SYSTEM</Principal> <ForcePrincipal>False</ForcePrincipal> <Inheritance> </Inheritance> <Rights>FullControl</Rights> </Entry> <Entry> <Type> </Type> <Principal>Administrators</Principal> <ForcePrincipal>False</ForcePrincipal> <Inheritance> </Inheritance> <Rights>FullControl</Rights> </Entry> </AccessControlEntry> <Force>True</Force> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <Path>%windir%\SYSTEM32\WINEVT\LOGS\System.evtx</Path> <RawString>Verify the permissions on the System event log (System.evtx). Standard user accounts or groups must not have access. The default permissions listed below satisfy this requirement. Eventlog - Full Control SYSTEM - Full Control Administrators - Full Control The default location is the "%SystemRoot%\SYSTEM32\WINEVT\LOGS" directory. They may have been moved to another folder. If the permissions for these files are not as restrictive as the ACLs listed, this is a finding.</RawString> </Rule> <Rule id="V-63593.a" severity="medium" conversionstatus="pass" title="WN10-RG-000005" dscresource="RegistryAccessEntry"> <AccessControlEntry> <Entry> <Type> </Type> <Principal>SYSTEM</Principal> <ForcePrincipal>False</ForcePrincipal> <Inheritance>This Key and Subkeys</Inheritance> <Rights>FullControl</Rights> </Entry> </AccessControlEntry> <Force>True</Force> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <Path>HKLM:\SECURITY</Path> <RawString>Verify the default registry permissions for the keys note below of the HKEY_LOCAL_MACHINE hive. If any non-privileged groups such as Everyone, Users or Authenticated Users have greater than Read permission, this is a finding. Run "Regedit". Right click on the registry areas noted below. Select "Permissions..." and the "Advanced" button. HKEY_LOCAL_MACHINE\SECURITY Type - "Allow" for all Inherited from - "None" for all Principal - Access - Applies to SYSTEM - Full Control - This key and subkeys Administrators - Special - This key and subkeys CREATOR OWNER - Full Control - This key and subkeys ALL APPLICATION PACKAGES - Read - This key and subkeys Other samples under the noted keys may also be sampled. There may be some instances where non-privileged groups have greater than Read permission. If the defaults have not been changed, these are not a finding. </RawString> </Rule> <Rule id="V-63593.b" severity="medium" conversionstatus="pass" title="WN10-RG-000005" dscresource="RegistryAccessEntry"> <AccessControlEntry> <Entry> <Type> </Type> <Principal>Users</Principal> <ForcePrincipal>False</ForcePrincipal> <Inheritance>This Key and Subkeys</Inheritance> <Rights>ReadKey</Rights> </Entry> <Entry> <Type> </Type> <Principal>Administrators</Principal> <ForcePrincipal>False</ForcePrincipal> <Inheritance>This Key and Subkeys</Inheritance> <Rights>FullControl</Rights> </Entry> <Entry> <Type> </Type> <Principal>SYSTEM</Principal> <ForcePrincipal>False</ForcePrincipal> <Inheritance>This Key and Subkeys</Inheritance> <Rights>FullControl</Rights> </Entry> <Entry> <Type> </Type> <Principal>CREATOR OWNER</Principal> <ForcePrincipal>False</ForcePrincipal> <Inheritance>This Key and Subkeys</Inheritance> <Rights>FullControl</Rights> </Entry> <Entry> <Type> </Type> <Principal>ALL APPLICATION PACKAGES</Principal> <ForcePrincipal>False</ForcePrincipal> <Inheritance>This Key and Subkeys</Inheritance> <Rights>ReadKey</Rights> </Entry> <Entry> <Type> </Type> <Principal>CREATOR OWNER</Principal> <ForcePrincipal>False</ForcePrincipal> <Inheritance>This Key and Subkeys</Inheritance> <Rights>FullControl</Rights> </Entry> <Entry> <Type> </Type> <Principal>ALL APPLICATION PACKAGES</Principal> <ForcePrincipal>False</ForcePrincipal> <Inheritance>This Key and Subkeys</Inheritance> <Rights>ReadKey</Rights> </Entry> </AccessControlEntry> <Force>True</Force> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <Path>HKLM:\SOFTWARE</Path> <RawString>Verify the default registry permissions for the keys note below of the HKEY_LOCAL_MACHINE hive. If any non-privileged groups such as Everyone, Users or Authenticated Users have greater than Read permission, this is a finding. Run "Regedit". Right click on the registry areas noted below. Select "Permissions..." and the "Advanced" button. HKEY_LOCAL_MACHINE\SOFTWARE Type - "Allow" for all Inherited from - "None" for all Principal - Access - Applies to Users - Read - This key and subkeys Administrators - Full Control - This key and subkeys SYSTEM - Full Control - This key and subkeys CREATOR OWNER - Full Control - This key and subkeys ALL APPLICATION PACKAGES - Read - This key and subkeys CREATOR OWNER - Full Control - This key and subkeys ALL APPLICATION PACKAGES - Read - This key and subkeys Other samples under the noted keys may also be sampled. There may be some instances where non-privileged groups have greater than Read permission. If the defaults have not been changed, these are not a finding. </RawString> </Rule> <Rule id="V-63593.c" severity="medium" conversionstatus="pass" title="WN10-RG-000005" dscresource="RegistryAccessEntry"> <AccessControlEntry> <Entry> <Type> </Type> <Principal>Users</Principal> <ForcePrincipal>False</ForcePrincipal> <Inheritance>This Key and Subkeys</Inheritance> <Rights>ReadKey</Rights> </Entry> <Entry> <Type> </Type> <Principal>Administrators</Principal> <ForcePrincipal>False</ForcePrincipal> <Inheritance>This Key and Subkeys</Inheritance> <Rights>FullControl</Rights> </Entry> <Entry> <Type> </Type> <Principal>SYSTEM</Principal> <ForcePrincipal>False</ForcePrincipal> <Inheritance>This Key and Subkeys</Inheritance> <Rights>FullControl</Rights> </Entry> <Entry> <Type> </Type> <Principal>CREATOR OWNER</Principal> <ForcePrincipal>False</ForcePrincipal> <Inheritance>This Key and Subkeys</Inheritance> <Rights>FullControl</Rights> </Entry> <Entry> <Type> </Type> <Principal>CREATOR OWNER</Principal> <ForcePrincipal>False</ForcePrincipal> <Inheritance>This Key and Subkeys</Inheritance> <Rights>FullControl</Rights> </Entry> <Entry> <Type> </Type> <Principal>ALL APPLICATION PACKAGES</Principal> <ForcePrincipal>False</ForcePrincipal> <Inheritance>This Key and Subkeys</Inheritance> <Rights>ReadKey</Rights> </Entry> </AccessControlEntry> <Force>True</Force> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <Path>HKLM:\SYSTEM</Path> <RawString>Verify the default registry permissions for the keys note below of the HKEY_LOCAL_MACHINE hive. If any non-privileged groups such as Everyone, Users or Authenticated Users have greater than Read permission, this is a finding. Run "Regedit". Right click on the registry areas noted below. Select "Permissions..." and the "Advanced" button. HKEY_LOCAL_MACHINE\SYSTEM Type - "Allow" for all Inherited from - "None" for all Principal - Access - Applies to Users - Read - This key and subkeys Administrators - Full Control - This key and subkeys SYSTEM - Full Control - This key and subkeys CREATOR OWNER - Full Control - This key and subkeys CREATOR OWNER - Full Control - This key and subkeys ALL APPLICATION PACKAGES - Read - This key and subkeys Other samples under the noted keys may also be sampled. There may be some instances where non-privileged groups have greater than Read permission. If the defaults have not been changed, these are not a finding. </RawString> </Rule> </PermissionRule> <ProcessMitigationRule dscresourcemodule="WindowsDefenderDsc"> <Rule id="V-77091" severity="medium" conversionstatus="pass" title="WN10-EP-000020" dscresource="ProcessMitigation"> <Disable /> <Enable>DEP</Enable> <IsNullOrEmpty>False</IsNullOrEmpty> <MitigationTarget>System</MitigationTarget> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>This is NA prior to v1709 of Windows 10. This is applicable to unclassified systems, for other systems this is NA. The default configuration in Exploit Protection is "On by default" which meets this requirement. The PowerShell query results for this show as "NOTSET". Run "Windows PowerShell" with elevated privileges (run as administrator). Enter "Get-ProcessMitigation -System". If the status of "DEP: Enable" is "OFF", this is a finding. Values that would not be a finding include: ON NOTSET (Default configuration)</RawString> </Rule> <Rule id="V-77095" severity="medium" conversionstatus="pass" title="WN10-EP-000030" dscresource="ProcessMitigation"> <Disable /> <Enable>BottomUp</Enable> <IsNullOrEmpty>False</IsNullOrEmpty> <MitigationTarget>System</MitigationTarget> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>This is NA prior to v1709 of Windows 10. This is applicable to unclassified systems, for other systems this is NA. The default configuration in Exploit Protection is "On by default" which meets this requirement. The PowerShell query results for this show as "NOTSET". Run "Windows PowerShell" with elevated privileges (run as administrator). Enter "Get-ProcessMitigation -System". If the status of "ASLR: BottomUp" is "OFF", this is a finding. Values that would not be a finding include: ON NOTSET (Default configuration)</RawString> </Rule> <Rule id="V-77097" severity="medium" conversionstatus="pass" title="WN10-EP-000040" dscresource="ProcessMitigation"> <Disable /> <Enable>CFG</Enable> <IsNullOrEmpty>False</IsNullOrEmpty> <MitigationTarget>System</MitigationTarget> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>This is NA prior to v1709 of Windows 10. This is applicable to unclassified systems, for other systems this is NA. The default configuration in Exploit Protection is "On by default" which meets this requirement. The PowerShell query results for this show as "NOTSET". Run "Windows PowerShell" with elevated privileges (run as administrator). Enter "Get-ProcessMitigation -System". If the status of "CFG: Enable" is "OFF", this is a finding. Values that would not be a finding include: ON NOTSET (Default configuration)</RawString> </Rule> <Rule id="V-77101" severity="medium" conversionstatus="pass" title="WN10-EP-000050" dscresource="ProcessMitigation"> <Disable /> <Enable>SEHOP</Enable> <IsNullOrEmpty>False</IsNullOrEmpty> <MitigationTarget>System</MitigationTarget> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>This is NA prior to v1709 of Windows 10. This is applicable to unclassified systems, for other systems this is NA. The default configuration in Exploit Protection is "On by default" which meets this requirement. The PowerShell query results for this show as "NOTSET". Run "Windows PowerShell" with elevated privileges (run as administrator). Enter "Get-ProcessMitigation -System". If the status of "SEHOP: Enable" is "OFF", this is a finding. Values that would not be a finding include: ON NOTSET (Default configuration)</RawString> </Rule> <Rule id="V-77103" severity="medium" conversionstatus="pass" title="WN10-EP-000060" dscresource="ProcessMitigation"> <Disable /> <Enable>TerminateOnError</Enable> <IsNullOrEmpty>False</IsNullOrEmpty> <MitigationTarget>System</MitigationTarget> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>This is NA prior to v1709 of Windows 10. This is applicable to unclassified systems, for other systems this is NA. The default configuration in Exploit Protection is "On by default" which meets this requirement. The PowerShell query results for this show as "NOTSET". Run "Windows PowerShell" with elevated privileges (run as administrator). Enter "Get-ProcessMitigation -System". If the status of "Heap: TerminateOnError" is "OFF", this is a finding. Values that would not be a finding include: ON NOTSET (Default configuration)</RawString> </Rule> <Rule id="V-77189" severity="medium" conversionstatus="pass" title="WN10-EP-000070" dscresource="ProcessMitigation"> <Disable /> <Enable>DEP,BottomUp,ForceRelocateImages,EnableExportAddressFilter,EnableExportAddressFilterPlus,EnableImportAddressFilter,EnableRopStackPivot,EnableRopCallerCheck,EnableRopSimExec</Enable> <IsNullOrEmpty>False</IsNullOrEmpty> <MitigationTarget>Acrobat.exe</MitigationTarget> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>This is NA prior to v1709 of Windows 10. This is applicable to unclassified systems, for other systems this is NA. Run "Windows PowerShell" with elevated privileges (run as administrator). Enter "Get-ProcessMitigation -Name Acrobat.exe". (Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.) If the following mitigations do not have a status of "ON", this is a finding: DEP: Enable: ON ASLR: BottomUp: ON ForceRelocateImages: ON Payload: EnableExportAddressFilter: ON EnableExportAddressFilterPlus: ON EnableImportAddressFilter: ON EnableRopStackPivot: ON EnableRopCallerCheck: ON EnableRopSimExec: ON The PowerShell command produces a list of mitigations; only those with a required status of "ON" are listed here.</RawString> </Rule> <Rule id="V-77191" severity="medium" conversionstatus="pass" title="WN10-EP-000080" dscresource="ProcessMitigation"> <Disable /> <Enable>DEP,BottomUp,ForceRelocateImages,EnableExportAddressFilter,EnableExportAddressFilterPlus,EnableImportAddressFilter,EnableRopStackPivot,EnableRopCallerCheck,EnableRopSimExec</Enable> <IsNullOrEmpty>False</IsNullOrEmpty> <MitigationTarget>AcroRd32.exe</MitigationTarget> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>This is NA prior to v1709 of Windows 10. This is applicable to unclassified systems, for other systems this is NA. Run "Windows PowerShell" with elevated privileges (run as administrator). Enter "Get-ProcessMitigation -Name AcroRd32.exe". (Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.) If the following mitigations do not have a status of "ON", this is a finding: DEP: Enable: ON ASLR: BottomUp: ON ForceRelocateImages: ON Payload: EnableExportAddressFilter: ON EnableExportAddressFilterPlus: ON EnableImportAddressFilter: ON EnableRopStackPivot: ON EnableRopCallerCheck: ON EnableRopSimExec: ON The PowerShell command produces a list of mitigations; only those with a required status of "ON" are listed here.</RawString> </Rule> <Rule id="V-77195" severity="medium" conversionstatus="pass" title="WN10-EP-000090" dscresource="ProcessMitigation"> <Disable /> <Enable>DEP</Enable> <IsNullOrEmpty>False</IsNullOrEmpty> <MitigationTarget>chrome.exe</MitigationTarget> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>This is NA prior to v1709 of Windows 10. This is applicable to unclassified systems, for other systems this is NA. Run "Windows PowerShell" with elevated privileges (run as administrator). Enter "Get-ProcessMitigation -Name chrome.exe". (Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.) If the following mitigations do not have a status of "ON", this is a finding: DEP: Enable: ON The PowerShell command produces a list of mitigations; only those with a required status of "ON" are listed here.</RawString> </Rule> <Rule id="V-77201" severity="medium" conversionstatus="pass" title="WN10-EP-000100" dscresource="ProcessMitigation"> <Disable /> <Enable>DEP,ForceRelocateImages,EnableExportAddressFilter,EnableExportAddressFilterPlus,EnableImportAddressFilter,EnableRopStackPivot,EnableRopCallerCheck,EnableRopSimExec</Enable> <IsNullOrEmpty>False</IsNullOrEmpty> <MitigationTarget>EXCEL.EXE</MitigationTarget> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>This is NA prior to v1709 of Windows 10. This is applicable to unclassified systems, for other systems this is NA. Run "Windows PowerShell" with elevated privileges (run as administrator). Enter "Get-ProcessMitigation -Name EXCEL.EXE". (Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.) If the following mitigations do not have a status of "ON", this is a finding: DEP: Enable: ON ASLR: ForceRelocateImages: ON Payload: EnableExportAddressFilter: ON EnableExportAddressFilterPlus: ON EnableImportAddressFilter: ON EnableRopStackPivot: ON EnableRopCallerCheck: ON EnableRopSimExec: ON The PowerShell command produces a list of mitigations; only those with a required status of "ON" are listed here.</RawString> </Rule> <Rule id="V-77205" severity="medium" conversionstatus="pass" title="WN10-EP-000110" dscresource="ProcessMitigation"> <Disable /> <Enable>DEP,BottomUp,ForceRelocateImages</Enable> <IsNullOrEmpty>False</IsNullOrEmpty> <MitigationTarget>firefox.exe</MitigationTarget> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>This is NA prior to v1709 of Windows 10. This is applicable to unclassified systems, for other systems this is NA. Run "Windows PowerShell" with elevated privileges (run as administrator). Enter "Get-ProcessMitigation -Name firefox.exe". (Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.) If the following mitigations do not have a status of "ON", this is a finding: DEP: Enable: ON ASLR: BottomUp: ON ForceRelocateImages: ON The PowerShell command produces a list of mitigations; only those with a required status of "ON" are listed here.</RawString> </Rule> <Rule id="V-77209" severity="medium" conversionstatus="pass" title="WN10-EP-000120" dscresource="ProcessMitigation"> <Disable /> <Enable>DEP,BlockRemoteImageLoads,EnableExportAddressFilter,EnableExportAddressFilterPlus,EnableImportAddressFilter,EnableRopStackPivot,EnableRopCallerCheck,EnableRopSimExec,DisallowChildProcessCreation</Enable> <IsNullOrEmpty>False</IsNullOrEmpty> <MitigationTarget>FLTLDR.EXE</MitigationTarget> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>This is NA prior to v1709 of Windows 10. This is applicable to unclassified systems, for other systems this is NA. Run "Windows PowerShell" with elevated privileges (run as administrator). Enter "Get-ProcessMitigation -Name FLTLDR.EXE". (Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.) If the following mitigations do not have a status of "ON", this is a finding: DEP: Enable: ON ImageLoad: BlockRemoteImageLoads: ON Payload: EnableExportAddressFilter: ON EnableExportAddressFilterPlus: ON EnableImportAddressFilter: ON EnableRopStackPivot: ON EnableRopCallerCheck: ON EnableRopSimExec: ON Child Process: DisallowChildProcessCreation: ON The PowerShell command produces a list of mitigations; only those with a required status of "ON" are listed here.</RawString> </Rule> <Rule id="V-77213" severity="medium" conversionstatus="pass" title="WN10-EP-000130" dscresource="ProcessMitigation"> <Disable /> <Enable>DEP,ForceRelocateImages,BlockRemoteImageLoads,EnableExportAddressFilter,EnableExportAddressFilterPlus,EnableImportAddressFilter,EnableRopStackPivot,EnableRopCallerCheck,EnableRopSimExec,DisallowChildProcessCreation</Enable> <IsNullOrEmpty>False</IsNullOrEmpty> <MitigationTarget>GROOVE.EXE</MitigationTarget> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>This is NA prior to v1709 of Windows 10. This is applicable to unclassified systems, for other systems this is NA. Run "Windows PowerShell" with elevated privileges (run as administrator). Enter "Get-ProcessMitigation -Name GROOVE.EXE". (Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.) If the following mitigations do not have a status of "ON", this is a finding: DEP: Enable: ON ASLR: ForceRelocateImages: ON ImageLoad: BlockRemoteImageLoads: ON Payload: EnableExportAddressFilter: ON EnableExportAddressFilterPlus: ON EnableImportAddressFilter: ON EnableRopStackPivot: ON EnableRopCallerCheck: ON EnableRopSimExec: ON Child Process: DisallowChildProcessCreation: ON The PowerShell command produces a list of mitigations; only those with a required status of "ON" are listed here.</RawString> </Rule> <Rule id="V-77217" severity="medium" conversionstatus="pass" title="WN10-EP-000140" dscresource="ProcessMitigation"> <Disable /> <Enable>DEP,BottomUp,ForceRelocateImages,EnableExportAddressFilter,EnableExportAddressFilterPlus,EnableImportAddressFilter,EnableRopStackPivot,EnableRopCallerCheck,EnableRopSimExec</Enable> <IsNullOrEmpty>False</IsNullOrEmpty> <MitigationTarget>iexplore.exe</MitigationTarget> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>This is NA prior to v1709 of Windows 10. This is applicable to unclassified systems, for other systems this is NA. Run "Windows PowerShell" with elevated privileges (run as administrator). Enter "Get-ProcessMitigation -Name iexplore.exe". (Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.) If the following mitigations do not have a status of "ON", this is a finding: DEP: Enable: ON ASLR: BottomUp: ON ForceRelocateImages: ON Payload: EnableExportAddressFilter: ON EnableExportAddressFilterPlus: ON EnableImportAddressFilter: ON EnableRopStackPivot: ON EnableRopCallerCheck: ON EnableRopSimExec: ON The PowerShell command produces a list of mitigations; only those with a required status of "ON" are listed here.</RawString> </Rule> <Rule id="V-77221" severity="medium" conversionstatus="pass" title="WN10-EP-000150" dscresource="ProcessMitigation"> <Disable /> <Enable>DEP,ForceRelocateImages,EnableExportAddressFilter,EnableExportAddressFilterPlus,EnableImportAddressFilter,EnableRopStackPivot,EnableRopCallerCheck,EnableRopSimExec</Enable> <IsNullOrEmpty>False</IsNullOrEmpty> <MitigationTarget>INFOPATH.EXE</MitigationTarget> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>This is NA prior to v1709 of Windows 10. This is applicable to unclassified systems, for other systems this is NA. Run "Windows PowerShell" with elevated privileges (run as administrator). Enter "Get-ProcessMitigation -Name INFOPATH.EXE". (Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.) If the following mitigations do not have a status of "ON", this is a finding: DEP: Enable: ON ASLR: ForceRelocateImages: ON Payload: EnableExportAddressFilter: ON EnableExportAddressFilterPlus: ON EnableImportAddressFilter: ON EnableRopStackPivot: ON EnableRopCallerCheck: ON EnableRopSimExec: ON The PowerShell command produces a list of mitigations; only those with a required status of "ON" are listed here.</RawString> </Rule> <Rule id="V-77223.a" severity="medium" conversionstatus="pass" title="WN10-EP-000160" dscresource="ProcessMitigation"> <Disable /> <Enable>DEP,EnableExportAddressFilter,EnableExportAddressFilterPlus,EnableImportAddressFilter,EnableRopStackPivot,EnableRopCallerCheck,EnableRopSimExec</Enable> <IsNullOrEmpty>False</IsNullOrEmpty> <MitigationTarget>java.exe</MitigationTarget> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>This is NA prior to v1709 of Windows 10. This is applicable to unclassified systems, for other systems this is NA. Run "Windows PowerShell" with elevated privileges (run as administrator). Enter "Get-ProcessMitigation -Name [application name]" with each of the following substituted for [application name]: java.exe, javaw.exe, and javaws.exe (Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.) If the following mitigations do not have a status of "ON" for each, this is a finding: DEP: Enable: ON Payload: EnableExportAddressFilter: ON EnableExportAddressFilterPlus: ON EnableImportAddressFilter: ON EnableRopStackPivot: ON EnableRopCallerCheck: ON EnableRopSimExec: ON The PowerShell command produces a list of mitigations; only those with a required status of "ON" are listed here.</RawString> </Rule> <Rule id="V-77223.b" severity="medium" conversionstatus="pass" title="WN10-EP-000160" dscresource="ProcessMitigation"> <Disable /> <Enable>DEP,EnableExportAddressFilter,EnableExportAddressFilterPlus,EnableImportAddressFilter,EnableRopStackPivot,EnableRopCallerCheck,EnableRopSimExec</Enable> <IsNullOrEmpty>False</IsNullOrEmpty> <MitigationTarget>javaw.exe</MitigationTarget> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>This is NA prior to v1709 of Windows 10. This is applicable to unclassified systems, for other systems this is NA. Run "Windows PowerShell" with elevated privileges (run as administrator). Enter "Get-ProcessMitigation -Name [application name]" with each of the following substituted for [application name]: java.exe, javaw.exe, and javaws.exe (Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.) If the following mitigations do not have a status of "ON" for each, this is a finding: DEP: Enable: ON Payload: EnableExportAddressFilter: ON EnableExportAddressFilterPlus: ON EnableImportAddressFilter: ON EnableRopStackPivot: ON EnableRopCallerCheck: ON EnableRopSimExec: ON The PowerShell command produces a list of mitigations; only those with a required status of "ON" are listed here.</RawString> </Rule> <Rule id="V-77223.c" severity="medium" conversionstatus="pass" title="WN10-EP-000160" dscresource="ProcessMitigation"> <Disable /> <Enable>DEP,EnableExportAddressFilter,EnableExportAddressFilterPlus,EnableImportAddressFilter,EnableRopStackPivot,EnableRopCallerCheck,EnableRopSimExec</Enable> <IsNullOrEmpty>False</IsNullOrEmpty> <MitigationTarget>javaws.exe</MitigationTarget> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>This is NA prior to v1709 of Windows 10. This is applicable to unclassified systems, for other systems this is NA. Run "Windows PowerShell" with elevated privileges (run as administrator). Enter "Get-ProcessMitigation -Name [application name]" with each of the following substituted for [application name]: java.exe, javaw.exe, and javaws.exe (Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.) If the following mitigations do not have a status of "ON" for each, this is a finding: DEP: Enable: ON Payload: EnableExportAddressFilter: ON EnableExportAddressFilterPlus: ON EnableImportAddressFilter: ON EnableRopStackPivot: ON EnableRopCallerCheck: ON EnableRopSimExec: ON The PowerShell command produces a list of mitigations; only those with a required status of "ON" are listed here.</RawString> </Rule> <Rule id="V-77227" severity="medium" conversionstatus="pass" title="WN10-EP-000170" dscresource="ProcessMitigation"> <Disable /> <Enable>DEP,ForceRelocateImages,EnableExportAddressFilter,EnableExportAddressFilterPlus,EnableImportAddressFilter,EnableRopStackPivot,EnableRopCallerCheck,EnableRopSimExec</Enable> <IsNullOrEmpty>False</IsNullOrEmpty> <MitigationTarget>lync.exe</MitigationTarget> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>This is NA prior to v1709 of Windows 10. This is applicable to unclassified systems, for other systems this is NA. Run "Windows PowerShell" with elevated privileges (run as administrator). Enter "Get-ProcessMitigation -Name lync.exe". (Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.) If the following mitigations do not have a status of "ON", this is a finding: DEP: Enable: ON ASLR: ForceRelocateImages: ON Payload: EnableExportAddressFilter: ON EnableExportAddressFilterPlus: ON EnableImportAddressFilter: ON EnableRopStackPivot: ON EnableRopCallerCheck: ON EnableRopSimExec: ON The PowerShell command produces a list of mitigations; only those with a required status of "ON" are listed here.</RawString> </Rule> <Rule id="V-77231" severity="medium" conversionstatus="pass" title="WN10-EP-000180" dscresource="ProcessMitigation"> <Disable /> <Enable>DEP,ForceRelocateImages,EnableExportAddressFilter,EnableExportAddressFilterPlus,EnableImportAddressFilter,EnableRopStackPivot,EnableRopCallerCheck,EnableRopSimExec</Enable> <IsNullOrEmpty>False</IsNullOrEmpty> <MitigationTarget>MSACCESS.EXE</MitigationTarget> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>This is NA prior to v1709 of Windows 10. This is applicable to unclassified systems, for other systems this is NA. Run "Windows PowerShell" with elevated privileges (run as administrator). Enter "Get-ProcessMitigation -Name MSACCESS.EXE". (Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.) If the following mitigations do not have a status of "ON", this is a finding: DEP: Enable: ON ASLR: ForceRelocateImages: ON Payload: EnableExportAddressFilter: ON EnableExportAddressFilterPlus: ON EnableImportAddressFilter: ON EnableRopStackPivot: ON EnableRopCallerCheck: ON EnableRopSimExec: ON The PowerShell command produces a list of mitigations; only those with a required status of "ON" are listed here.</RawString> </Rule> <Rule id="V-77233" severity="medium" conversionstatus="pass" title="WN10-EP-000190" dscresource="ProcessMitigation"> <Disable /> <Enable>DEP,ForceRelocateImages,EnableExportAddressFilter,EnableExportAddressFilterPlus,EnableImportAddressFilter,EnableRopStackPivot,EnableRopCallerCheck,EnableRopSimExec</Enable> <IsNullOrEmpty>False</IsNullOrEmpty> <MitigationTarget>MSPUB.EXE</MitigationTarget> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>This is NA prior to v1709 of Windows 10. This is applicable to unclassified systems, for other systems this is NA. Run "Windows PowerShell" with elevated privileges (run as administrator). Enter "Get-ProcessMitigation -Name MSPUB.EXE". (Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.) If the following mitigations do not have a status of "ON", this is a finding: DEP: Enable: ON ASLR: ForceRelocateImages: ON Payload: EnableExportAddressFilter: ON EnableExportAddressFilterPlus: ON EnableImportAddressFilter: ON EnableRopStackPivot: ON EnableRopCallerCheck: ON EnableRopSimExec: ON The PowerShell command produces a list of mitigations; only those with a required status of "ON" are listed here.</RawString> </Rule> <Rule id="V-77235" severity="medium" conversionstatus="pass" title="WN10-EP-000210" dscresource="ProcessMitigation"> <Disable /> <Enable>DEP,ForceRelocateImages,BlockRemoteImageLoads,EnableExportAddressFilter,EnableExportAddressFilterPlus,EnableImportAddressFilter,EnableRopStackPivot,EnableRopCallerCheck,EnableRopSimExec</Enable> <IsNullOrEmpty>False</IsNullOrEmpty> <MitigationTarget>OneDrive.exe</MitigationTarget> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>This is NA prior to v1709 of Windows 10. This is applicable to unclassified systems, for other systems this is NA. Run "Windows PowerShell" with elevated privileges (run as administrator). Enter "Get-ProcessMitigation -Name OneDrive.exe". (Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.) If the following mitigations do not have a status of "ON", this is a finding: DEP: Enable: ON ASLR: ForceRelocateImages: ON ImageLoad: BlockRemoteImageLoads: ON Payload: EnableExportAddressFilter: ON EnableExportAddressFilterPlus: ON EnableImportAddressFilter: ON EnableRopStackPivot: ON EnableRopCallerCheck: ON EnableRopSimExec: ON The PowerShell command produces a list of mitigations; only those with a required status of "ON" are listed here.</RawString> </Rule> <Rule id="V-77239" severity="medium" conversionstatus="pass" title="WN10-EP-000200" dscresource="ProcessMitigation"> <Disable /> <Enable>DEP,EnableExportAddressFilter,EnableExportAddressFilterPlus,EnableImportAddressFilter,EnableRopStackPivot,EnableRopCallerCheck,EnableRopSimExec</Enable> <IsNullOrEmpty>False</IsNullOrEmpty> <MitigationTarget>OIS.EXE</MitigationTarget> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>This is NA prior to v1709 of Windows 10. This is applicable to unclassified systems, for other systems this is NA. Run "Windows PowerShell" with elevated privileges (run as administrator). Enter "Get-ProcessMitigation -Name OIS.EXE". (Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.) If the following mitigations do not have a status of "ON", this is a finding: DEP: Enable: ON Payload: EnableExportAddressFilter: ON EnableExportAddressFilterPlus: ON EnableImportAddressFilter: ON EnableRopStackPivot: ON EnableRopCallerCheck: ON EnableRopSimExec: ON The PowerShell command produces a list of mitigations; only those with a required status of "ON" are listed here.</RawString> </Rule> <Rule id="V-77243" severity="medium" conversionstatus="pass" title="WN10-EP-000220" dscresource="ProcessMitigation"> <Disable /> <Enable>DEP,ForceRelocateImages,EnableExportAddressFilter,EnableExportAddressFilterPlus,EnableImportAddressFilter,EnableRopStackPivot,EnableRopCallerCheck,EnableRopSimExec</Enable> <IsNullOrEmpty>False</IsNullOrEmpty> <MitigationTarget>OUTLOOK.EXE</MitigationTarget> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>This is NA prior to v1709 of Windows 10. This is applicable to unclassified systems, for other systems this is NA. Run "Windows PowerShell" with elevated privileges (run as administrator). Enter "Get-ProcessMitigation -Name OUTLOOK.EXE". (Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.) If the following mitigations do not have a status of "ON", this is a finding: DEP: Enable: ON ASLR: ForceRelocateImages: ON Payload: EnableExportAddressFilter: ON EnableExportAddressFilterPlus: ON EnableImportAddressFilter: ON EnableRopStackPivot: ON EnableRopCallerCheck: ON EnableRopSimExec: ON The PowerShell command produces a list of mitigations; only those with a required status of "ON" are listed here.</RawString> </Rule> <Rule id="V-77245" severity="medium" conversionstatus="pass" title="WN10-EP-000230" dscresource="ProcessMitigation"> <Disable /> <Enable>DEP,EnableExportAddressFilter,EnableExportAddressFilterPlus,EnableImportAddressFilter,EnableRopStackPivot,EnableRopCallerCheck,EnableRopSimExec</Enable> <IsNullOrEmpty>False</IsNullOrEmpty> <MitigationTarget>plugin-container.exe</MitigationTarget> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>This is NA prior to v1709 of Windows 10. This is applicable to unclassified systems, for other systems this is NA. Run "Windows PowerShell" with elevated privileges (run as administrator). Enter "Get-ProcessMitigation -Name plugin-container.exe". (Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.) If the following mitigations do not have a status of "ON", this is a finding: DEP: Enable: ON Payload: EnableExportAddressFilter: ON EnableExportAddressFilterPlus: ON EnableImportAddressFilter: ON EnableRopStackPivot: ON EnableRopCallerCheck: ON EnableRopSimExec: ON The PowerShell command produces a list of mitigations; only those with a required status of "ON" are listed here.</RawString> </Rule> <Rule id="V-77247" severity="medium" conversionstatus="pass" title="WN10-EP-000240" dscresource="ProcessMitigation"> <Disable /> <Enable>DEP,ForceRelocateImages,EnableExportAddressFilter,EnableExportAddressFilterPlus,EnableImportAddressFilter,EnableRopStackPivot,EnableRopCallerCheck,EnableRopSimExec</Enable> <IsNullOrEmpty>False</IsNullOrEmpty> <MitigationTarget>POWERPNT.EXE</MitigationTarget> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>This is NA prior to v1709 of Windows 10. This is applicable to unclassified systems, for other systems this is NA. Run "Windows PowerShell" with elevated privileges (run as administrator). Enter "Get-ProcessMitigation -Name POWERPNT.EXE". (Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.) If the following mitigations do not have a status of "ON", this is a finding: DEP: Enable: ON ASLR: ForceRelocateImages: ON Payload: EnableExportAddressFilter: ON EnableExportAddressFilterPlus: ON EnableImportAddressFilter: ON EnableRopStackPivot: ON EnableRopCallerCheck: ON EnableRopSimExec: ON The PowerShell command produces a list of mitigations; only those with a required status of "ON" are listed here.</RawString> </Rule> <Rule id="V-77249" severity="medium" conversionstatus="pass" title="WN10-EP-000250" dscresource="ProcessMitigation"> <Disable /> <Enable>DEP,ForceRelocateImages,EnableExportAddressFilter,EnableExportAddressFilterPlus,EnableImportAddressFilter,EnableRopStackPivot,EnableRopCallerCheck,EnableRopSimExec</Enable> <IsNullOrEmpty>False</IsNullOrEmpty> <MitigationTarget>PPTVIEW.EXE</MitigationTarget> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>This is NA prior to v1709 of Windows 10. This is applicable to unclassified systems, for other systems this is NA. Run "Windows PowerShell" with elevated privileges (run as administrator). Enter "Get-ProcessMitigation -Name PPTVIEW.EXE". (Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.) If the following mitigations do not have a status of "ON", this is a finding: DEP: Enable: ON ASLR: ForceRelocateImages: ON Payload: EnableExportAddressFilter: ON EnableExportAddressFilterPlus: ON EnableImportAddressFilter: ON EnableRopStackPivot: ON EnableRopCallerCheck: ON EnableRopSimExec: ON The PowerShell command produces a list of mitigations; only those with a required status of "ON" are listed here.</RawString> </Rule> <Rule id="V-77255" severity="medium" conversionstatus="pass" title="WN10-EP-000260" dscresource="ProcessMitigation"> <Disable /> <Enable>DEP,ForceRelocateImages,EnableExportAddressFilter,EnableExportAddressFilterPlus,EnableImportAddressFilter,EnableRopStackPivot,EnableRopCallerCheck,EnableRopSimExec</Enable> <IsNullOrEmpty>False</IsNullOrEmpty> <MitigationTarget>VISIO.EXE</MitigationTarget> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>This is NA prior to v1709 of Windows 10. This is applicable to unclassified systems, for other systems this is NA. Run "Windows PowerShell" with elevated privileges (run as administrator). Enter "Get-ProcessMitigation -Name VISIO.EXE". (Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.) If the following mitigations do not have a status of "ON", this is a finding: DEP: Enable: ON ASLR: ForceRelocateImages: ON Payload: EnableExportAddressFilter: ON EnableExportAddressFilterPlus: ON EnableImportAddressFilter: ON EnableRopStackPivot: ON EnableRopCallerCheck: ON EnableRopSimExec: ON The PowerShell command produces a list of mitigations; only those with a required status of "ON" are listed here.</RawString> </Rule> <Rule id="V-77259" severity="medium" conversionstatus="pass" title="WN10-EP-000270" dscresource="ProcessMitigation"> <Disable /> <Enable>DEP,ForceRelocateImages,EnableExportAddressFilter,EnableExportAddressFilterPlus,EnableImportAddressFilter,EnableRopStackPivot,EnableRopCallerCheck,EnableRopSimExec</Enable> <IsNullOrEmpty>False</IsNullOrEmpty> <MitigationTarget>VPREVIEW.EXE</MitigationTarget> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>This is NA prior to v1709 of Windows 10. This is applicable to unclassified systems, for other systems this is NA. Run "Windows PowerShell" with elevated privileges (run as administrator). Enter "Get-ProcessMitigation -Name VPREVIEW.EXE". (Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.) If the following mitigations do not have a status of "ON", this is a finding: DEP: Enable: ON ASLR: ForceRelocateImages: ON Payload: EnableExportAddressFilter: ON EnableExportAddressFilterPlus: ON EnableImportAddressFilter: ON EnableRopStackPivot: ON EnableRopCallerCheck: ON EnableRopSimExec: ON The PowerShell command produces a list of mitigations; only those with a required status of "ON" are listed here.</RawString> </Rule> <Rule id="V-77263" severity="medium" conversionstatus="pass" title="WN10-EP-000280" dscresource="ProcessMitigation"> <Disable /> <Enable>DEP,ForceRelocateImages,EnableExportAddressFilter,EnableExportAddressFilterPlus,EnableImportAddressFilter,EnableRopStackPivot,EnableRopCallerCheck,EnableRopSimExec</Enable> <IsNullOrEmpty>False</IsNullOrEmpty> <MitigationTarget>WINWORD.EXE</MitigationTarget> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>This is NA prior to v1709 of Windows 10. This is applicable to unclassified systems, for other systems this is NA. Run "Windows PowerShell" with elevated privileges (run as administrator). Enter "Get-ProcessMitigation -Name WINWORD.EXE". (Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.) If the following mitigations do not have a status of "ON", this is a finding: DEP: Enable: ON ASLR: ForceRelocateImages: ON Payload: EnableExportAddressFilter: ON EnableExportAddressFilterPlus: ON EnableImportAddressFilter: ON EnableRopStackPivot: ON EnableRopCallerCheck: ON EnableRopSimExec: ON The PowerShell command produces a list of mitigations; only those with a required status of "ON" are listed here.</RawString> </Rule> <Rule id="V-77267" severity="medium" conversionstatus="pass" title="WN10-EP-000290" dscresource="ProcessMitigation"> <Disable /> <Enable>DEP,EnableRopStackPivot,EnableRopCallerCheck,EnableRopSimExec</Enable> <IsNullOrEmpty>False</IsNullOrEmpty> <MitigationTarget>wmplayer.exe</MitigationTarget> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>This is NA prior to v1709 of Windows 10. This is applicable to unclassified systems, for other systems this is NA. Run "Windows PowerShell" with elevated privileges (run as administrator). Enter "Get-ProcessMitigation -Name wmplayer.exe". (Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.) If the following mitigations do not have a status of "ON", this is a finding: DEP: Enable: ON Payload: EnableRopStackPivot: ON EnableRopCallerCheck: ON EnableRopSimExec: ON The PowerShell command produces a list of mitigations; only those with a required status of "ON" are listed here.</RawString> </Rule> <Rule id="V-77269" severity="medium" conversionstatus="pass" title="WN10-EP-000300" dscresource="ProcessMitigation"> <Disable /> <Enable>DEP,EnableExportAddressFilter,EnableExportAddressFilterPlus,EnableImportAddressFilter,EnableRopStackPivot,EnableRopCallerCheck,EnableRopSimExec</Enable> <IsNullOrEmpty>False</IsNullOrEmpty> <MitigationTarget>wordpad.exe</MitigationTarget> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>This is NA prior to v1709 of Windows 10. This is applicable to unclassified systems, for other systems this is NA. Run "Windows PowerShell" with elevated privileges (run as administrator). Enter "Get-ProcessMitigation -Name wordpad.exe". (Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.) If the following mitigations do not have a status of "ON", this is a finding: DEP: Enable: ON Payload: EnableExportAddressFilter: ON EnableExportAddressFilterPlus: ON EnableImportAddressFilter: ON EnableRopStackPivot: ON EnableRopCallerCheck: ON EnableRopSimExec: ON The PowerShell command produces a list of mitigations; only those with a required status of "ON" are listed here.</RawString> </Rule> </ProcessMitigationRule> <RegistryRule dscresourcemodule="xPSDesiredStateConfiguration"> <Rule id="V-63321" severity="medium" conversionstatus="pass" title="WN10-CC-000310" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows\Installer\ Value Name: EnableUserControl Value Type: REG_DWORD Value: 0</RawString> <ValueData>0</ValueData> <ValueName>EnableUserControl</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-63325" severity="high" conversionstatus="pass" title="WN10-CC-000315" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows\Installer\ Value Name: AlwaysInstallElevated Value Type: REG_DWORD Value: 0</RawString> <ValueData>0</ValueData> <ValueName>AlwaysInstallElevated</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-63329" severity="medium" conversionstatus="pass" title="WN10-CC-000320" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>The default behavior is for Internet Explorer to warn users and select whether to allow or refuse installation when a web-based program attempts to install software on the system. If the registry value name below does not exist, this is not a finding. If it exists and is configured with a value of "0", this is not a finding. If it exists and is configured with a value of "1", this is a finding. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows\Installer\ Value Name: SafeForScripting Value Type: REG_DWORD Value: 0 (or if the Value Name does not exist)</RawString> <ValueData>0</ValueData> <ValueName>SafeForScripting</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-63333" severity="medium" conversionstatus="pass" title="WN10-CC-000325" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: DisableAutomaticRestartSignOn Value Type: REG_DWORD Value: 1</RawString> <ValueData>1</ValueData> <ValueName>DisableAutomaticRestartSignOn</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-63335" severity="high" conversionstatus="pass" title="WN10-CC-000330" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows\WinRM\Client\ Value Name: AllowBasic Value Type: REG_DWORD Value: 0</RawString> <ValueData>0</ValueData> <ValueName>AllowBasic</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-63339" severity="medium" conversionstatus="pass" title="WN10-CC-000335" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows\WinRM\Client\ Value Name: AllowUnencryptedTraffic Value Type: REG_DWORD Value: 0</RawString> <ValueData>0</ValueData> <ValueName>AllowUnencryptedTraffic</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-63341" severity="medium" conversionstatus="pass" title="WN10-CC-000340" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows\WinRM\Client\ Value Name: AllowDigest Value Type: REG_DWORD Value: 0</RawString> <ValueData>0</ValueData> <ValueName>AllowDigest</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-63347" severity="high" conversionstatus="pass" title="WN10-CC-000345" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\ Value Name: AllowBasic Value Type: REG_DWORD Value: 0</RawString> <ValueData>0</ValueData> <ValueName>AllowBasic</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-63369" severity="medium" conversionstatus="pass" title="WN10-CC-000350" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\ Value Name: AllowUnencryptedTraffic Value Type: REG_DWORD Value: 0</RawString> <ValueData>0</ValueData> <ValueName>AllowUnencryptedTraffic</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-63375" severity="medium" conversionstatus="pass" title="WN10-CC-000355" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\ Value Name: DisableRunAs Value Type: REG_DWORD Value: 1</RawString> <ValueData>1</ValueData> <ValueName>DisableRunAs</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-63519" severity="medium" conversionstatus="pass" title="WN10-AU-000500" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application</Key> <OrganizationValueRequired>True</OrganizationValueRequired> <OrganizationValueTestString>{0} -ge '32768'</OrganizationValueTestString> <RawString>If the system is configured to send audit records directly to an audit server, this is NA. This must be documented with the ISSO. If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows\EventLog\Application\ Value Name: MaxSize Value Type: REG_DWORD Value: 0x00008000 (32768) (or greater)</RawString> <ValueData /> <ValueName>MaxSize</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-63523" severity="medium" conversionstatus="pass" title="WN10-AU-000505" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security</Key> <OrganizationValueRequired>True</OrganizationValueRequired> <OrganizationValueTestString>{0} -ge '1024000'</OrganizationValueTestString> <RawString>If the system is configured to send audit records directly to an audit server, this is NA. This must be documented with the ISSO. If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows\EventLog\Security\ Value Name: MaxSize Value Type: REG_DWORD Value: 0x000fa000 (1024000) (or greater)</RawString> <ValueData /> <ValueName>MaxSize</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-63527" severity="medium" conversionstatus="pass" title="WN10-AU-000510" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System</Key> <OrganizationValueRequired>True</OrganizationValueRequired> <OrganizationValueTestString>{0} -ge '32768'</OrganizationValueTestString> <RawString>If the system is configured to send audit records directly to an audit server, this is NA. This must be documented with the ISSO. If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows\EventLog\System\ Value Name: MaxSize Value Type: REG_DWORD Value: 0x00008000 (32768) (or greater)</RawString> <ValueData /> <ValueName>MaxSize</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-63545" severity="medium" conversionstatus="pass" title="WN10-CC-000005" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the device does not have a camera, this is NA. If the following registry value does not exist or is not configured as specified, this is a finding. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows\Personalization\ Value Name: NoLockScreenCamera Value Type: REG_DWORD Value: 1</RawString> <ValueData>1</ValueData> <ValueName>NoLockScreenCamera</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-63549" severity="medium" conversionstatus="pass" title="WN10-CC-000010" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows\Personalization\ Value Name: NoLockScreenSlideshow Value Type: REG_DWORD Value: 1</RawString> <ValueData>1</ValueData> <ValueName>NoLockScreenSlideshow</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-63555" severity="medium" conversionstatus="pass" title="WN10-CC-000020" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\ Value Name: DisableIpSourceRouting Value Type: REG_DWORD Value: 2</RawString> <ValueData>2</ValueData> <ValueName>DisableIpSourceRouting</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-63559" severity="medium" conversionstatus="pass" title="WN10-CC-000025" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\ Value Name: DisableIPSourceRouting Value Type: REG_DWORD Value: 2</RawString> <ValueData>2</ValueData> <ValueName>DisableIPSourceRouting</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-63563" severity="low" conversionstatus="pass" title="WN10-CC-000030" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\ Value Name: EnableICMPRedirect Value Type: REG_DWORD Value: 0</RawString> <ValueData>0</ValueData> <ValueName>EnableICMPRedirect</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-63567" severity="low" conversionstatus="pass" title="WN10-CC-000035" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netbt\Parameters</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Services\Netbt\Parameters\ Value Name: NoNameReleaseOnDemand Value Type: REG_DWORD Value: 1</RawString> <ValueData>1</ValueData> <ValueName>NoNameReleaseOnDemand</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-63569" severity="medium" conversionstatus="pass" title="WN10-CC-000040" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation\ Value Name: AllowInsecureGuestAuth Type: REG_DWORD Value: 0</RawString> <ValueData>0</ValueData> <ValueName>AllowInsecureGuestAuth</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-63577.a" severity="medium" conversionstatus="pass" title="WN10-CC-000050" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths\ Value Type: REG_SZ Value Name: \\*\NETLOGON Value: RequireMutualAuthentication=1, RequireIntegrity=1</RawString> <ValueData>RequireMutualAuthentication=1, RequireIntegrity=1</ValueData> <ValueName>\\*\NETLOGON</ValueName> <ValueType>String</ValueType> </Rule> <Rule id="V-63577.b" severity="medium" conversionstatus="pass" title="WN10-CC-000050" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths\ Value Type: REG_SZ Value Name: \\*\SYSVOL Value: RequireMutualAuthentication=1, RequireIntegrity=1</RawString> <ValueData>RequireMutualAuthentication=1, RequireIntegrity=1</ValueData> <ValueName>\\*\SYSVOL</ValueName> <ValueType>String</ValueType> </Rule> <Rule id="V-63581" severity="medium" conversionstatus="pass" title="WN10-CC-000055" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>The default behavior for "Minimize the number of simultaneous connections to the Internet or a Windows Domain" is "Enabled". If the registry value name below does not exist, this is not a finding. If it exists and is configured with a value of "1", this is not a finding. If it exists and is configured with a value of "0", this is a finding. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy\ Value Name: fMinimizeConnections Value Type: REG_DWORD Value: 1 (or if the Value Name does not exist)</RawString> <ValueData>1</ValueData> <ValueName>fMinimizeConnections</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-63585" severity="medium" conversionstatus="pass" title="WN10-CC-000060" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy\ Value Name: fBlockNonDomain Value Type: REG_DWORD Value: 1</RawString> <ValueData>1</ValueData> <ValueName>fBlockNonDomain</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-63591" severity="medium" conversionstatus="pass" title="WN10-CC-000065" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WcmSvc\wifinetworkmanager\config</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\WcmSvc\wifinetworkmanager\config\ Value Name: AutoConnectAllowedOEM Type: REG_DWORD Value: 0</RawString> <ValueData>0</ValueData> <ValueName>AutoConnectAllowedOEM</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-63595.a" severity="low" conversionstatus="pass" title="WN10-CC-000070" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows\DeviceGuard\ Value Type: REG_DWORD Value Name: EnableVirtualizationBasedSecurity Value: 1</RawString> <ValueData>1</ValueData> <ValueName>EnableVirtualizationBasedSecurity</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-63595.b" severity="low" conversionstatus="pass" title="WN10-CC-000070" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard</Key> <OrganizationValueRequired>True</OrganizationValueRequired> <OrganizationValueTestString>{0} -match '1|3'</OrganizationValueTestString> <RawString>Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows\DeviceGuard\ Value Type: REG_DWORD Value Name: RequirePlatformSecurityFeatures Value: 1 (Secure Boot only) or 3 (Secure Boot and DMA Protection)</RawString> <ValueData /> <ValueName>RequirePlatformSecurityFeatures</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-63597" severity="medium" conversionstatus="pass" title="WN10-CC-000037" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the system is not a member of a domain, this is NA. If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: LocalAccountTokenFilterPolicy Value Type: REG_DWORD Value: 0x00000000 (0)</RawString> <ValueData>0</ValueData> <ValueName>LocalAccountTokenFilterPolicy</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-63599" severity="low" conversionstatus="pass" title="WN10-CC-000075" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Confirm Credential Guard is running on domain-joined systems. For standalone systems, this is NA. For those devices that support Credential Guard, this feature must be enabled. For devices that do not support it, there is currently an enterprise risk acceptance in effect, thus this check is currently categorized as a CAT III. Organizations need to take the appropriate action to acquire and implement compatible hardware with Credential Guard enabled. Virtualization based security, including Credential Guard, currently cannot be implemented in virtual desktop implementations (VDI) due to specific supporting requirements including a TPM, UEFI with Secure Boot, and the capability to run the Hyper-V feature within the virtual desktop. For VDIs where the virtual desktop instance is deleted or refreshed upon logoff, this is NA. Run "PowerShell" with elevated privileges (run as administrator). Enter the following: "Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard" If "SecurityServicesRunning" does not include a value of "1" (e.g., "{1, 2}"), this is a finding. Alternately: Run "System Information". Under "System Summary", verify the following: If "Device Guard Security Services Running" does not list "Credential Guard", this is finding. The policy settings referenced in the Fix section will configure the following registry value. However due to hardware requirements, the registry value alone does not ensure proper function. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows\DeviceGuard\ Value Name: LsaCfgFlags Value Type: REG_DWORD Value: 0x00000001 (1) (Enabled with UEFI lock)</RawString> <ValueData>1</ValueData> <ValueName>LsaCfgFlags</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-63603" severity="low" conversionstatus="pass" title="WN10-CC-000080" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard</Key> <OrganizationValueRequired>True</OrganizationValueRequired> <OrganizationValueTestString>{0} -match '0x00000001|1|0x00000002|2'</OrganizationValueTestString> <RawString>Confirm virtualization-based protection of code integrity. For those devices that support the virtualization based security (VBS) feature for protection of code integrity, this must be enabled. If the system meets the hardware, firmware and compatible device driver dependencies for enabling virtualization based protection of code integrity but it is not enabled, this is a CAT III finding. Virtualization based security currently cannot be implemented in virtual desktop implementations (VDI) due to specific supporting requirements including a TPM, UEFI with Secure Boot, and the capability to run the Hyper-V feature within the virtual desktop. For VDIs where the virtual desktop instance is deleted or refreshed upon logoff, this is NA. Run "PowerShell" with elevated privileges (run as administrator). Enter the following: "Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard" If "SecurityServicesRunning" does not include a value of "2" (e.g., "{1, 2}"), this is a finding. Alternately: Run "System Information". Under "System Summary", verify the following: If "Device Guard Security Services Running" does not list "Hypervisor enforced Code Integrity", this is finding. The policy settings referenced in the Fix section will configure the following registry value. However due to hardware requirements, the registry value alone does not ensure proper function. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows\DeviceGuard\ Value Name: HypervisorEnforcedCodeIntegrity Value Type: REG_DWORD Value: 0x00000001 (1) (Enabled with UEFI lock), or 0x00000002 (2) (Enabled without lock) v1507 LTSB only: This setting is "Enabled Virtualization Based Protection of Code Integrity" (without options) which is the same as "Enabled with UEFI lock".</RawString> <ValueData /> <ValueName>HypervisorEnforcedCodeIntegrity</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-63607" severity="medium" conversionstatus="pass" title="WN10-CC-000085" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\EarlyLaunch</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>The default behavior is for Early Launch Antimalware - Boot-Start Driver Initialization policy is to enforce "Good, unknown and bad but critical" (preventing "bad"). If the registry value name below does not exist, this is not a finding. If it exists and is configured with a value of "7", this is a finding. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Policies\EarlyLaunch\ Value Name: DriverLoadPolicy Value Type: REG_DWORD Value: 1, 3, or 8 (or if the Value Name does not exist) Possible values for this setting are: 8 - Good only 1 - Good and unknown 3 - Good, unknown and bad but critical 7 - All (which includes "Bad" and would be a finding)</RawString> <ValueData>1</ValueData> <ValueName>DriverLoadPolicy</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-63609" severity="medium" conversionstatus="pass" title="WN10-CC-000090" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} Value Name: NoGPOListChanges Value Type: REG_DWORD Value: 0</RawString> <ValueData>0</ValueData> <ValueName>NoGPOListChanges</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-63615" severity="medium" conversionstatus="pass" title="WN10-CC-000100" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows NT\Printers\ Value Name: DisableWebPnPDownload Value Type: REG_DWORD Value: 1</RawString> <ValueData>1</ValueData> <ValueName>DisableWebPnPDownload</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-63617" severity="medium" conversionstatus="pass" title="WN10-SO-000015" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Control\Lsa\ Value Name: LimitBlankPasswordUse Value Type: REG_DWORD Value: 1</RawString> <ValueData>1</ValueData> <ValueName>LimitBlankPasswordUse</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-63621" severity="medium" conversionstatus="pass" title="WN10-CC-000105" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ Value Name: NoWebServices Value Type: REG_DWORD Value: 1</RawString> <ValueData>1</ValueData> <ValueName>NoWebServices</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-63623" severity="medium" conversionstatus="pass" title="WN10-CC-000110" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows NT\Printers\ Value Name: DisableHTTPPrinting Value Type: REG_DWORD Value: 1</RawString> <ValueData>1</ValueData> <ValueName>DisableHTTPPrinting</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-63627" severity="medium" conversionstatus="pass" title="WN10-CC-000115" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>This requirement is applicable to domain-joined systems, for standalone systems this is NA. The default behavior for "Support device authentication using certificate" is "Automatic". If the registry value name below does not exist, this is not a finding. If it exists and is configured with a value of "1", this is not a finding. If it exists and is configured with a value of "0", this is a finding. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters\ Value Name: DevicePKInitEnabled Value Type: REG_DWORD Value: 1 (or if the Value Name does not exist)</RawString> <ValueData>1</ValueData> <ValueName>DevicePKInitEnabled</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-63629" severity="medium" conversionstatus="pass" title="WN10-CC-000120" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows\System\ Value Name: DontDisplayNetworkSelectionUI Value Type: REG_DWORD Value: 1</RawString> <ValueData>1</ValueData> <ValueName>DontDisplayNetworkSelectionUI</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-63633" severity="medium" conversionstatus="pass" title="WN10-CC-000130" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>This requirement is applicable to domain-joined systems, for standalone systems this is NA. If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows\System\ Value Name: EnumerateLocalUsers Value Type: REG_DWORD Value: 0</RawString> <ValueData>0</ValueData> <ValueName>EnumerateLocalUsers</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-63635" severity="medium" conversionstatus="pass" title="WN10-SO-000030" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Control\Lsa\ Value Name: SCENoApplyLegacyAuditPolicy Value Type: REG_DWORD Value: 1</RawString> <ValueData>1</ValueData> <ValueName>SCENoApplyLegacyAuditPolicy</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-63639" severity="medium" conversionstatus="pass" title="WN10-SO-000035" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\ Value Name: RequireSignOrSeal Value Type: REG_DWORD Value: 1</RawString> <ValueData>1</ValueData> <ValueName>RequireSignOrSeal</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-63643" severity="medium" conversionstatus="pass" title="WN10-SO-000040" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\ Value Name: SealSecureChannel Value Type: REG_DWORD Value: 1</RawString> <ValueData>1</ValueData> <ValueName>SealSecureChannel</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-63645" severity="medium" conversionstatus="pass" title="WN10-CC-000145" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51\ Value Name: DCSettingIndex Value Type: REG_DWORD Value: 1</RawString> <ValueData>1</ValueData> <ValueName>DCSettingIndex</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-63647" severity="medium" conversionstatus="pass" title="WN10-SO-000045" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\ Value Name: SignSecureChannel Value Type: REG_DWORD Value: 1</RawString> <ValueData>1</ValueData> <ValueName>SignSecureChannel</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-63649" severity="medium" conversionstatus="pass" title="WN10-CC-000150" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51\ Value Name: ACSettingIndex Value Type: REG_DWORD Value: 1</RawString> <ValueData>1</ValueData> <ValueName>ACSettingIndex</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-63651" severity="high" conversionstatus="pass" title="WN10-CC-000155" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\ Value Name: fAllowToGetHelp Value Type: REG_DWORD Value: 0</RawString> <ValueData>0</ValueData> <ValueName>fAllowToGetHelp</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-63653" severity="low" conversionstatus="pass" title="WN10-SO-000050" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\ Value Name: DisablePasswordChange Value Type: REG_DWORD Value: 0</RawString> <ValueData>0</ValueData> <ValueName>DisablePasswordChange</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-63657" severity="medium" conversionstatus="pass" title="WN10-CC-000165" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows NT\Rpc\ Value Name: RestrictRemoteClients Value Type: REG_DWORD Value: 1</RawString> <ValueData>1</ValueData> <ValueName>RestrictRemoteClients</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-63659" severity="low" conversionstatus="pass" title="WN10-CC-000170" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: MSAOptional Value Type: REG_DWORD Value: 1</RawString> <ValueData>1</ValueData> <ValueName>MSAOptional</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-63661" severity="low" conversionstatus="pass" title="WN10-SO-000055" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters</Key> <OrganizationValueRequired>True</OrganizationValueRequired> <OrganizationValueTestString>{0} -le '30' -and {0} -gt '0'</OrganizationValueTestString> <RawString>This is the default configuration for this setting (30 days). If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\ Value Name: MaximumPasswordAge Value Type: REG_DWORD Value: 0x0000001e (30) (or less, excluding 0)</RawString> <ValueData /> <ValueName>MaximumPasswordAge</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-63663" severity="low" conversionstatus="pass" title="WN10-CC-000175" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppCompat</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows\AppCompat\ Value Name: DisableInventory Value Type: REG_DWORD Value: 1</RawString> <ValueData>1</ValueData> <ValueName>DisableInventory</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-63665" severity="medium" conversionstatus="pass" title="WN10-SO-000060" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\ Value Name: RequireStrongKey Value Type: REG_DWORD Value: 1 Warning: This setting may prevent a system from being joined to a domain if not configured consistently between systems.</RawString> <ValueData>1</ValueData> <ValueName>RequireStrongKey</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-63667" severity="high" conversionstatus="pass" title="WN10-CC-000180" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows\Explorer\ Value Name: NoAutoplayfornonVolume Value Type: REG_DWORD Value: 1</RawString> <ValueData>1</ValueData> <ValueName>NoAutoplayfornonVolume</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-63669" severity="medium" conversionstatus="pass" title="WN10-SO-000070" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: InactivityTimeoutSecs Value Type: REG_DWORD Value: 0x00000384 (900)</RawString> <ValueData>900</ValueData> <ValueName>InactivityTimeoutSecs</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-63671" severity="high" conversionstatus="pass" title="WN10-CC-000185" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ Value Name: NoAutorun Value Type: REG_DWORD Value: 1</RawString> <ValueData>1</ValueData> <ValueName>NoAutorun</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-63673" severity="high" conversionstatus="pass" title="WN10-CC-000190" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ Value Name: NoDriveTypeAutoRun Value Type: REG_DWORD Value: 0x000000ff (255) Note: If the value for NoDriveTypeAutorun is entered manually, it must be entered as "ff" when Hexadecimal is selected, or "255" with Decimal selected. Using the policy value specified in the Fix section will enter it correctly.</RawString> <ValueData>255</ValueData> <ValueName>NoDriveTypeAutoRun</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-63675" severity="medium" conversionstatus="pass" title="WN10-SO-000075" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: LegalNoticeText Value Type: REG_SZ Value: You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.</RawString> <ValueData>You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.</ValueData> <ValueName>LegalNoticeText</ValueName> <ValueType>String</ValueType> </Rule> <Rule id="V-63677" severity="medium" conversionstatus="pass" title="WN10-CC-000195" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Biometrics\FacialFeatures</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Biometrics\FacialFeatures\ Value Name: EnhancedAntiSpoofing Value Type: REG_DWORD Value: 0x00000001 (1)</RawString> <ValueData>1</ValueData> <ValueName>EnhancedAntiSpoofing</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-63679" severity="medium" conversionstatus="pass" title="WN10-CC-000200" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI\ Value Name: EnumerateAdministrators Value Type: REG_DWORD Value: 0</RawString> <ValueData>0</ValueData> <ValueName>EnumerateAdministrators</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-63681" severity="low" conversionstatus="pass" title="WN10-SO-000080" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: LegalNoticeCaption Value Type: REG_SZ Value: See message title above "DoD Notice and Consent Banner", "US Department of Defense Warning Statement" or a site-defined equivalent, this is a finding. If a site-defined title is used, it can in no case contravene or modify the language of the banner text required in WN10-SO-000075.</RawString> <ValueData>DoD Notice and Consent Banner</ValueData> <ValueName>LegalNoticeCaption</ValueName> <ValueType>String</ValueType> </Rule> <Rule id="V-63683" severity="medium" conversionstatus="pass" title="WN10-CC-000205" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows\DataCollection\ Value Name: AllowTelemetry Type: REG_DWORD Value: 0x00000000 (0) (Security), 0x00000001 (1) (Basic)</RawString> <ValueData>0</ValueData> <ValueName>AllowTelemetry</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-63687" severity="low" conversionstatus="pass" title="WN10-SO-000085" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon</Key> <OrganizationValueRequired>True</OrganizationValueRequired> <OrganizationValueTestString>{0} -le '10'</OrganizationValueTestString> <RawString>This is the default configuration for this setting (10 logons to cache). If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ Value Name: CachedLogonsCount Value Type: REG_SZ Value: 10 (or less) This setting only applies to domain-joined systems, however, it is configured by default on all systems.</RawString> <ValueData /> <ValueName>CachedLogonsCount</ValueName> <ValueType>String</ValueType> </Rule> <Rule id="V-63689" severity="medium" conversionstatus="pass" title="WN10-CC-000215" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>The default behavior is for data execution prevention to be turned on for file explorer. If the registry value name below does not exist, this is not a finding. If it exists and is configured with a value of "0", this is not a finding. If it exists and is configured with a value of "1", this is a finding. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows\Explorer\ Value Name: NoDataExecutionPrevention Value Type: REG_DWORD Value: 0 (or if the Value Name does not exist)</RawString> <ValueData>0</ValueData> <ValueName>NoDataExecutionPrevention</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-63691" severity="low" conversionstatus="pass" title="WN10-CC-000220" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>The default behavior is for File Explorer heap termination on corruption to be enabled. If the registry Value Name below does not exist, this is not a finding. If it exists and is configured with a value of "0", this is not a finding. If it exists and is configured with a value of "1", this is a finding. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows\Explorer\ Value Name: NoHeapTerminationOnCorruption Value Type: REG_DWORD Value: 0x00000000 (0) (or if the Value Name does not exist)</RawString> <ValueData>0</ValueData> <ValueName>NoHeapTerminationOnCorruption</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-63695" severity="medium" conversionstatus="pass" title="WN10-CC-000225" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>The default behavior is for shell protected mode to be turned on for file explorer. If the registry value name below does not exist, this is not a finding. If it exists and is configured with a value of "0", this is not a finding. If it exists and is configured with a value of "1", this is a finding. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ Value Name: PreXPSP2ShellProtocolBehavior Value Type: REG_DWORD Value: 0 (or if the Value Name does not exist)</RawString> <ValueData>0</ValueData> <ValueName>PreXPSP2ShellProtocolBehavior</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-63697" severity="medium" conversionstatus="pass" title="WN10-SO-000095" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon</Key> <OrganizationValueRequired>True</OrganizationValueRequired> <OrganizationValueTestString>{0} -match '1|2'</OrganizationValueTestString> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ Value Name: SCRemoveOption Value Type: REG_SZ Value: 1 (Lock Workstation) or 2 (Force Logoff) This can be left not configured or set to "No action" on workstations with the following conditions. This must be documented with the ISSO. -The setting cannot be configured due to mission needs, or because it interferes with applications. -Policy must be in place that users manually lock workstations when leaving them unattended. -The screen saver is properly configured to lock as required.</RawString> <ValueData /> <ValueName>SCRemoveOption</ValueName> <ValueType>String</ValueType> </Rule> <Rule id="V-63699" severity="medium" conversionstatus="pass" title="WN10-CC-000230" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>This is applicable to unclassified systems, for other systems this is NA. Windows 10 LTSC\B versions do not include Microsoft Edge, this is NA for those systems. If the following registry value does not exist or is not configured as specified, this is a finding. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter\ Value Name: PreventOverride Type: REG_DWORD Value: 0x00000001 (1)</RawString> <ValueData>1</ValueData> <ValueName>PreventOverride</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-63701" severity="medium" conversionstatus="pass" title="WN10-CC-000235" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>This is applicable to unclassified systems, for other systems this is NA. Windows 10 LTSC\B versions do not include Microsoft Edge, this is NA for those systems. If the following registry value does not exist or is not configured as specified, this is a finding. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter\ Value Name: PreventOverrideAppRepUnknown Type: REG_DWORD Value: 0x00000001 (1)</RawString> <ValueData>1</ValueData> <ValueName>PreventOverrideAppRepUnknown</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-63703" severity="medium" conversionstatus="pass" title="WN10-SO-000100" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters\ Value Name: RequireSecuritySignature Value Type: REG_DWORD Value: 1</RawString> <ValueData>1</ValueData> <ValueName>RequireSecuritySignature</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-63705" severity="medium" conversionstatus="pass" title="WN10-CC-000240" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Windows 10 LTSC\B versions do not include Microsoft Edge, this is NA for those systems. If the following registry value does not exist or is not configured as specified, this is a finding. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main\ Value Name: AllowInPrivate Type: REG_DWORD Value: 0x00000000 (0)</RawString> <ValueData>0</ValueData> <ValueName>AllowInPrivate</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-63707" severity="medium" conversionstatus="pass" title="WN10-SO-000105" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters\ Value Name: EnableSecuritySignature Value Type: REG_DWORD Value: 1</RawString> <ValueData>1</ValueData> <ValueName>EnableSecuritySignature</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-63709" severity="medium" conversionstatus="pass" title="WN10-CC-000245" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Windows 10 LTSC\B versions do not include Microsoft Edge, this is NA for those systems. If the following registry value does not exist or is not configured as specified, this is a finding. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main\ Value Name: FormSuggest Passwords Type: REG_SZ Value: no</RawString> <ValueData>no</ValueData> <ValueName>FormSuggest Passwords</ValueName> <ValueType>String</ValueType> </Rule> <Rule id="V-63711" severity="medium" conversionstatus="pass" title="WN10-SO-000110" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters\ Value Name: EnablePlainTextPassword Value Type: REG_DWORD Value: 0</RawString> <ValueData>0</ValueData> <ValueName>EnablePlainTextPassword</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-63713" severity="medium" conversionstatus="pass" title="WN10-CC-000250" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>This is applicable to unclassified systems, for other systems this is NA. Windows 10 LTSC\B versions do not include Microsoft Edge, this is NA for those systems. If the following registry value does not exist or is not configured as specified, this is a finding. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter\ Value Name: EnabledV9 Type: REG_DWORD Value: 0x00000001 (1)</RawString> <ValueData>1</ValueData> <ValueName>EnabledV9</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-63715" severity="low" conversionstatus="pass" title="WN10-SO-000115" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters</Key> <OrganizationValueRequired>True</OrganizationValueRequired> <OrganizationValueTestString>{0} -le '15'</OrganizationValueTestString> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Services\LanManServer\Parameters\ Value Name: autodisconnect Value Type: REG_DWORD Value: 0x0000000f (15) (or less)</RawString> <ValueData /> <ValueName>autodisconnect</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-63717" severity="medium" conversionstatus="pass" title="WN10-CC-000255" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PassportForWork</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Virtual desktop implementations currently may not support the use of TPMs. For virtual desktop implementations where the virtual desktop instance is deleted or refreshed upon logoff, this is NA. If the following registry value does not exist or is not configured as specified, this is a finding. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\PassportForWork\ Value Name: RequireSecurityDevice Type: REG_DWORD Value: 1</RawString> <ValueData>1</ValueData> <ValueName>RequireSecurityDevice</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-63719" severity="medium" conversionstatus="pass" title="WN10-SO-000120" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Services\LanManServer\Parameters\ Value Name: RequireSecuritySignature Value Type: REG_DWORD Value: 1</RawString> <ValueData>1</ValueData> <ValueName>RequireSecuritySignature</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-63721" severity="medium" conversionstatus="pass" title="WN10-CC-000260" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PassportForWork\PINComplexity</Key> <OrganizationValueRequired>True</OrganizationValueRequired> <OrganizationValueTestString>{0} -ge '6'</OrganizationValueTestString> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\PassportForWork\PINComplexity\ Value Name: MinimumPINLength Type: REG_DWORD Value: 6 (or greater)</RawString> <ValueData /> <ValueName>MinimumPINLength</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-63723" severity="medium" conversionstatus="pass" title="WN10-SO-000125" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Services\LanManServer\Parameters\ Value Name: EnableSecuritySignature Value Type: REG_DWORD Value: 1</RawString> <ValueData>1</ValueData> <ValueName>EnableSecuritySignature</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-63725" severity="medium" conversionstatus="pass" title="WN10-CC-000265" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\OneDrive</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows\OneDrive\ Value Name: DisableFileSyncNGSC Value Type: REG_DWORD Value: 1</RawString> <ValueData>1</ValueData> <ValueName>DisableFileSyncNGSC</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-63729" severity="medium" conversionstatus="pass" title="WN10-CC-000270" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\ Value Name: DisablePasswordSaving Value Type: REG_DWORD Value: 1</RawString> <ValueData>1</ValueData> <ValueName>DisablePasswordSaving</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-63731" severity="medium" conversionstatus="pass" title="WN10-CC-000275" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\ Value Name: fDisableCdm Value Type: REG_DWORD Value: 1</RawString> <ValueData>1</ValueData> <ValueName>fDisableCdm</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-63733" severity="medium" conversionstatus="pass" title="WN10-CC-000280" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\ Value Name: fPromptForPassword Value Type: REG_DWORD Value: 1</RawString> <ValueData>1</ValueData> <ValueName>fPromptForPassword</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-63737" severity="medium" conversionstatus="pass" title="WN10-CC-000285" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\ Value Name: fEncryptRPCTraffic Value Type: REG_DWORD Value: 1</RawString> <ValueData>1</ValueData> <ValueName>fEncryptRPCTraffic</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-63741" severity="medium" conversionstatus="pass" title="WN10-CC-000290" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\ Value Name: MinEncryptionLevel Value Type: REG_DWORD Value: 3</RawString> <ValueData>3</ValueData> <ValueName>MinEncryptionLevel</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-63743" severity="medium" conversionstatus="pass" title="WN10-CC-000295" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds\ Value Name: DisableEnclosureDownload Value Type: REG_DWORD Value: 1</RawString> <ValueData>1</ValueData> <ValueName>DisableEnclosureDownload</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-63745" severity="high" conversionstatus="pass" title="WN10-SO-000145" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Control\Lsa\ Value Name: RestrictAnonymousSAM Value Type: REG_DWORD Value: 1</RawString> <ValueData>1</ValueData> <ValueName>RestrictAnonymousSAM</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-63747" severity="medium" conversionstatus="pass" title="WN10-CC-000300" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>The default behavior is for the Windows RSS platform to not use Basic authentication over HTTP connections. If the registry value name below does not exist, this is not a finding. If it exists and is configured with a value of "0", this is not a finding. If it exists and is configured with a value of "1", this is a finding. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds\ Value Name: AllowBasicAuthInClear Value Type: REG_DWORD Value: 0 (or if the Value Name does not exist)</RawString> <ValueData>0</ValueData> <ValueName>AllowBasicAuthInClear</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-63749" severity="high" conversionstatus="pass" title="WN10-SO-000150" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Control\Lsa\ Value Name: RestrictAnonymous Value Type: REG_DWORD Value: 1</RawString> <ValueData>1</ValueData> <ValueName>RestrictAnonymous</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-63751" severity="medium" conversionstatus="pass" title="WN10-CC-000305" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows\Windows Search\ Value Name: AllowIndexingEncryptedStoresOrItems Value Type: REG_DWORD Value: 0</RawString> <ValueData>0</ValueData> <ValueName>AllowIndexingEncryptedStoresOrItems</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-63753" severity="medium" conversionstatus="pass" title="WN10-SO-000155" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Control\Lsa\ Value Name: DisableDomainCreds Value Type: REG_DWORD Value: 1</RawString> <ValueData>1</ValueData> <ValueName>DisableDomainCreds</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-63755" severity="medium" conversionstatus="pass" title="WN10-SO-000160" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Control\Lsa\ Value Name: EveryoneIncludesAnonymous Value Type: REG_DWORD Value: 0</RawString> <ValueData>0</ValueData> <ValueName>EveryoneIncludesAnonymous</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-63759" severity="high" conversionstatus="pass" title="WN10-SO-000165" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Services\LanManServer\Parameters\ Value Name: RestrictNullSessAccess Value Type: REG_DWORD Value: 1</RawString> <ValueData>1</ValueData> <ValueName>RestrictNullSessAccess</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-63763" severity="medium" conversionstatus="pass" title="WN10-SO-000175" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Control\LSA\ Value Name: UseMachineId Value Type: REG_DWORD Value: 1</RawString> <ValueData>1</ValueData> <ValueName>UseMachineId</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-63765" severity="medium" conversionstatus="pass" title="WN10-SO-000180" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\MSV1_0</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Control\LSA\MSV1_0\ Value Name: allownullsessionfallback Value Type: REG_DWORD Value: 0</RawString> <ValueData>0</ValueData> <ValueName>allownullsessionfallback</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-63767" severity="medium" conversionstatus="pass" title="WN10-SO-000185" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\pku2u</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Control\LSA\pku2u\ Value Name: AllowOnlineID Value Type: REG_DWORD Value: 0</RawString> <ValueData>0</ValueData> <ValueName>AllowOnlineID</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-63795" severity="medium" conversionstatus="pass" title="WN10-SO-000190" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters\ Value Name: SupportedEncryptionTypes Value Type: REG_DWORD Value: 0x7ffffff8 (2147483640)</RawString> <ValueData>2147483640</ValueData> <ValueName>SupportedEncryptionTypes</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-63797" severity="high" conversionstatus="pass" title="WN10-SO-000195" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Control\Lsa\ Value Name: NoLMHash Value Type: REG_DWORD Value: 1</RawString> <ValueData>1</ValueData> <ValueName>NoLMHash</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-63801" severity="high" conversionstatus="pass" title="WN10-SO-000205" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Control\Lsa\ Value Name: LmCompatibilityLevel Value Type: REG_DWORD Value: 5</RawString> <ValueData>5</ValueData> <ValueName>LmCompatibilityLevel</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-63803" severity="medium" conversionstatus="pass" title="WN10-SO-000210" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LDAP</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Services\LDAP\ Value Name: LDAPClientIntegrity Value Type: REG_DWORD Value: 1</RawString> <ValueData>1</ValueData> <ValueName>LDAPClientIntegrity</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-63805" severity="medium" conversionstatus="pass" title="WN10-SO-000215" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0\ Value Name: NTLMMinClientSec Value Type: REG_DWORD Value: 0x20080000 (537395200)</RawString> <ValueData>537395200</ValueData> <ValueName>NTLMMinClientSec</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-63807" severity="medium" conversionstatus="pass" title="WN10-SO-000220" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0\ Value Name: NTLMMinServerSec Value Type: REG_DWORD Value: 0x20080000 (537395200)</RawString> <ValueData>537395200</ValueData> <ValueName>NTLMMinServerSec</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-63811" severity="medium" conversionstatus="pass" title="WN10-SO-000230" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy\ Value Name: Enabled Value Type: REG_DWORD Value: 1 Warning: Clients with this setting enabled will not be able to communicate via digitally encrypted or signed protocols with servers that do not support these algorithms. Both the browser and web server must be configured to use TLS otherwise the browser will not be able to connect to a secure site.</RawString> <ValueData>1</ValueData> <ValueName>Enabled</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-63815" severity="low" conversionstatus="pass" title="WN10-SO-000240" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Control\Session Manager\ Value Name: ProtectionMode Value Type: REG_DWORD Value: 1</RawString> <ValueData>1</ValueData> <ValueName>ProtectionMode</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-63817" severity="medium" conversionstatus="pass" title="WN10-SO-000245" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: FilterAdministratorToken Value Type: REG_DWORD Value: 1</RawString> <ValueData>1</ValueData> <ValueName>FilterAdministratorToken</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-63819" severity="medium" conversionstatus="pass" title="WN10-SO-000250" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: ConsentPromptBehaviorAdmin Value Type: REG_DWORD Value: 2 (Prompt for consent on the secure desktop)</RawString> <ValueData>2</ValueData> <ValueName>ConsentPromptBehaviorAdmin</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-63821" severity="medium" conversionstatus="pass" title="WN10-SO-000255" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: ConsentPromptBehaviorUser Value Type: REG_DWORD Value: 0</RawString> <ValueData>0</ValueData> <ValueName>ConsentPromptBehaviorUser</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-63825" severity="medium" conversionstatus="pass" title="WN10-SO-000260" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: EnableInstallerDetection Value Type: REG_DWORD Value: 1</RawString> <ValueData>1</ValueData> <ValueName>EnableInstallerDetection</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-63827" severity="medium" conversionstatus="pass" title="WN10-SO-000265" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: EnableSecureUIAPaths Value Type: REG_DWORD Value: 1</RawString> <ValueData>1</ValueData> <ValueName>EnableSecureUIAPaths</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-63829" severity="medium" conversionstatus="pass" title="WN10-SO-000270" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: EnableLUA Value Type: REG_DWORD Value: 1</RawString> <ValueData>1</ValueData> <ValueName>EnableLUA</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-63831" severity="medium" conversionstatus="pass" title="WN10-SO-000275" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: EnableVirtualization Value Type: REG_DWORD Value: 1</RawString> <ValueData>1</ValueData> <ValueName>EnableVirtualization</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-63839" severity="low" conversionstatus="pass" title="WN10-UC-000015" dscresource="cAdministrativeTemplate"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_CURRENT_USER Registry Path: \SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications\ Value Name: NoToastApplicationNotificationOnLockScreen Value Type: REG_DWORD Value: 1</RawString> <ValueData>1</ValueData> <ValueName>NoToastApplicationNotificationOnLockScreen</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-63841" severity="medium" conversionstatus="pass" title="WN10-UC-000020" dscresource="cAdministrativeTemplate"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>The default behavior is for Windows to mark file attachments with their zone information. If the registry Value Name below does not exist, this is not a finding. If it exists and is configured with a value of "2", this is not a finding. If it exists and is configured with a value of "1", this is a finding. Registry Hive: HKEY_CURRENT_USER Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments\ Value Name: SaveZoneInformation Value Type: REG_DWORD Value: 0x00000002 (2) (or if the Value Name does not exist)</RawString> <ValueData>2</ValueData> <ValueName>SaveZoneInformation</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-65681.a" severity="low" conversionstatus="pass" title="WN10-CC-000206" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization\ Value Type: REG_DWORD Value Name: DODownloadMode Value: 0x00000000 (0) - No peering (HTTP Only)</RawString> <ValueData>0</ValueData> <ValueName>DODownloadMode</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-65681.b" severity="low" conversionstatus="pass" title="WN10-CC-000206" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\ Value Type: REG_DWORD Value Name: DODownloadMode Value: 0x00000000 (0) - Off</RawString> <ValueData>0</ValueData> <ValueName>DODownloadMode</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-68817" severity="medium" conversionstatus="pass" title="WN10-CC-000066" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit\ Value Name: ProcessCreationIncludeCmdLine_Enabled Value Type: REG_DWORD Value: 1</RawString> <ValueData>1</ValueData> <ValueName>ProcessCreationIncludeCmdLine_Enabled</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-68819" severity="medium" conversionstatus="pass" title="WN10-CC-000326" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\ Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging\ Value Name: EnableScriptBlockLogging Value Type: REG_DWORD Value: 1</RawString> <ValueData>1</ValueData> <ValueName>EnableScriptBlockLogging</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-68849" severity="high" conversionstatus="pass" title="WN10-00-000150" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>This is applicable to Windows 10 prior to v1709. Verify SEHOP is turned on. If the following registry value does not exist or is not configured as specified, this is a finding. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Control\Session Manager\kernel\ Value Name: DisableExceptionChainValidation Value Type: REG_DWORD Value: 0x00000000 (0)</RawString> <ValueData>0</ValueData> <ValueName>DisableExceptionChainValidation</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-71763" severity="medium" conversionstatus="pass" title="WN10-CC-000038" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Wdigest</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Control\SecurityProviders\Wdigest\ Value Name: UseLogonCredential Type: REG_DWORD Value: 0x00000000 (0)</RawString> <ValueData>0</ValueData> <ValueName>UseLogonCredential</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-71765" severity="medium" conversionstatus="pass" title="WN10-CC-000044" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows\Network Connections\ Value Name: NC_ShowSharedAccessUI Type: REG_DWORD Value: 0x00000000 (0)</RawString> <ValueData>0</ValueData> <ValueName>NC_ShowSharedAccessUI</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-71769" severity="medium" conversionstatus="pass" title="WN10-SO-000167" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Windows 10 v1507 LTSB version does not include this setting, it is NA for those systems. If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Control\Lsa\ Value Name: RestrictRemoteSAM Value Type: REG_SZ Value: O:BAG:BAD:(A;;RC;;;BA)</RawString> <ValueData>O:BAG:BAD:(A;;RC;;;BA)</ValueData> <ValueName>RestrictRemoteSAM</ValueName> <ValueType>String</ValueType> </Rule> <Rule id="V-71771" severity="low" conversionstatus="pass" title="WN10-CC-000197" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CloudContent</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows\CloudContent\ Value Name: DisableWindowsConsumerFeatures Type: REG_DWORD Value: 0x00000001 (1)</RawString> <ValueData>1</ValueData> <ValueName>DisableWindowsConsumerFeatures</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-72329.a" severity="medium" conversionstatus="pass" title="WN10-CC-000039" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Classes\batfile\shell\runasuser</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Registry Hive: HKEY_LOCAL_MACHINE \SOFTWARE\Classes\batfile\shell\runasuser\ Type: REG_DWORD Value Name: SuppressionPolicy Value: 0x00001000 (4096)</RawString> <ValueData>4096</ValueData> <ValueName>SuppressionPolicy</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-72329.b" severity="medium" conversionstatus="pass" title="WN10-CC-000039" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Classes\cmdfile\shell\runasuser</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Registry Hive: HKEY_LOCAL_MACHINE \SOFTWARE\Classes\cmdfile\shell\runasuser\ Type: REG_DWORD Value Name: SuppressionPolicy Value: 0x00001000 (4096)</RawString> <ValueData>4096</ValueData> <ValueName>SuppressionPolicy</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-72329.c" severity="medium" conversionstatus="pass" title="WN10-CC-000039" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\runasuser</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Registry Hive: HKEY_LOCAL_MACHINE \SOFTWARE\Classes\exefile\shell\runasuser\ Type: REG_DWORD Value Name: SuppressionPolicy Value: 0x00001000 (4096)</RawString> <ValueData>4096</ValueData> <ValueName>SuppressionPolicy</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-72329.d" severity="medium" conversionstatus="pass" title="WN10-CC-000039" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Classes\mscfile\shell\runasuser</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Registry Hive: HKEY_LOCAL_MACHINE \SOFTWARE\Classes\mscfile\shell\runasuser\ Type: REG_DWORD Value Name: SuppressionPolicy Value: 0x00001000 (4096)</RawString> <ValueData>4096</ValueData> <ValueName>SuppressionPolicy</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-74413" severity="medium" conversionstatus="pass" title="WN10-CC-000052" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\ Cryptography\Configuration\SSL\00010002</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the following registry value does not exist or is not configured as specified, this is a finding. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\ Cryptography\Configuration\SSL\00010002\ Value Name: EccCurves Value Type: REG_MULTI_SZ Value: NistP384 NistP256</RawString> <ValueData>NistP384;NistP256</ValueData> <ValueName>EccCurves</ValueName> <ValueType>MultiString</ValueType> </Rule> <Rule id="V-74415" severity="medium" conversionstatus="pass" title="WN10-CC-000228" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\ Privacy</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>This setting is applicable starting with v1703 of Windows 10, it is NA for prior versions. If the following registry value does not exist or is not configured as specified, this is a finding. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\MicrosoftEdge\ Privacy\ Value Name: ClearBrowsingHistoryOnExit Type: REG_DWORD Value: 0x00000000 (0)</RawString> <ValueData>0</ValueData> <ValueName>ClearBrowsingHistoryOnExit</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-74417" severity="medium" conversionstatus="pass" title="WN10-CC-000252" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\GameDVR</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>This setting is applicable starting with v1703 of Windows 10, it is NA for prior versions. If the following registry value does not exist or is not configured as specified, this is a finding. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows\GameDVR\ Value Name: AllowGameDVR Type: REG_DWORD Value: 0x00000000 (0)</RawString> <ValueData>0</ValueData> <ValueName>AllowGameDVR</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-74699" severity="medium" conversionstatus="pass" title="WN10-CC-000068" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>This setting is applicable starting with v1703 of Windows 10, it is NA for prior versions. If the following registry value does not exist or is not configured as specified, this is a finding. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\ Value Name: AllowProtectedCreds Type: REG_DWORD Value: 0x00000001 (1)</RawString> <ValueData>1</ValueData> <ValueName>AllowProtectedCreds</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-74723" severity="medium" conversionstatus="pass" title="WN10-00-000165" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Different methods are available to disable SMBv1 on Windows 10, if V-70639 is configured, this is NA. If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\ Value Name: SMB1 Type: REG_DWORD Value: 0x00000000 (0)</RawString> <ValueData>0</ValueData> <ValueName>SMB1</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-74725" severity="medium" conversionstatus="pass" title="WN10-00-000170" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mrxsmb10</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Different methods are available to disable SMBv1 on Windows 10, if V-70639 is configured, this is NA. If the following registry value is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Services\mrxsmb10\ Value Name: Start Type: REG_DWORD Value: 0x00000004 (4)</RawString> <ValueData>4</ValueData> <ValueName>Start</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-77025" severity="medium" conversionstatus="pass" title="WN10-EP-000010" dscresource="xRegistry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\App and Browser protection</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>This is NA prior to v1709 of Windows 10. This is applicable to unclassified systems, for other systems this is NA. If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows Defender Security Center\App and Browser protection\ Value Name: DisallowExploitProtectionOverride Value Type: REG_DWORD Value: 0x00000001 (1)</RawString> <ValueData>1</ValueData> <ValueName>DisallowExploitProtectionOverride</ValueName> <ValueType>Dword</ValueType> </Rule> </RegistryRule> <SecurityOptionRule dscresourcemodule="SecurityPolicyDsc"> <Rule id="V-63601" severity="medium" conversionstatus="pass" title="WN10-SO-000005" dscresource="SecurityOption"> <IsNullOrEmpty>False</IsNullOrEmpty> <OptionName>Accounts: Administrator account status</OptionName> <OptionValue>Disabled</OptionValue> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options. If the value for "Accounts: Administrator account status" is not set to "Disabled", this is a finding.</RawString> </Rule> <Rule id="V-63611" severity="medium" conversionstatus="pass" title="WN10-SO-000010" dscresource="SecurityOption"> <IsNullOrEmpty>False</IsNullOrEmpty> <OptionName>Accounts: Guest account status</OptionName> <OptionValue>Disabled</OptionValue> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options. If the value for "Accounts: Guest account status" is not set to "Disabled", this is a finding.</RawString> </Rule> <Rule id="V-63619" severity="medium" conversionstatus="pass" title="WN10-SO-000020" dscresource="SecurityOption"> <IsNullOrEmpty>False</IsNullOrEmpty> <OptionName>Accounts: Rename administrator account</OptionName> <OptionValue /> <OrganizationValueRequired>True</OrganizationValueRequired> <OrganizationValueTestString>'{0}' -ne 'Administrator'</OrganizationValueTestString> <RawString>Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options. If the value for "Accounts: Rename administrator account" is set to "Administrator", this is a finding.</RawString> </Rule> <Rule id="V-63625" severity="medium" conversionstatus="pass" title="WN10-SO-000025" dscresource="SecurityOption"> <IsNullOrEmpty>False</IsNullOrEmpty> <OptionName>Accounts: Rename guest account</OptionName> <OptionValue /> <OrganizationValueRequired>True</OrganizationValueRequired> <OrganizationValueTestString>'{0}' -ne 'Guest'</OrganizationValueTestString> <RawString>Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options. If the value for "Accounts: Rename guest account" is set to "Guest", this is a finding.</RawString> </Rule> <Rule id="V-63739" severity="high" conversionstatus="pass" title="WN10-SO-000140" dscresource="SecurityOption"> <IsNullOrEmpty>False</IsNullOrEmpty> <OptionName>Network access: Allow anonymous SID/Name translation</OptionName> <OptionValue>Disabled</OptionValue> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options. If the value for "Network access: Allow anonymous SID/Name translation" is not set to "Disabled", this is a finding.</RawString> </Rule> </SecurityOptionRule> <ServiceRule dscresourcemodule="xPSDesiredStateConfiguration"> <Rule id="V-74719" severity="medium" conversionstatus="pass" title="WN10-00-000175" dscresource="xService"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Run "Services.msc". Locate the "Secondary Logon" service. If the "Startup Type" is not "Disabled", this is a finding.</RawString> <ServiceName>seclogon</ServiceName> <ServiceState>Stopped</ServiceState> <StartupType>Disabled</StartupType> </Rule> </ServiceRule> <UserRightRule dscresourcemodule="SecurityPolicyDsc"> <Rule id="V-63843" severity="medium" conversionstatus="pass" title="WN10-UR-000005" dscresource="UserRightsAssignment"> <Constant>SeTrustedCredManAccessPrivilege</Constant> <DisplayName>Access Credential Manager as a trusted caller</DisplayName> <Force>True</Force> <Identity>NULL</Identity> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If any groups or accounts are granted the "Access Credential Manager as a trusted caller" user right, this is a finding.</RawString> </Rule> <Rule id="V-63845" severity="medium" conversionstatus="pass" title="WN10-UR-000010" dscresource="UserRightsAssignment"> <Constant>SeNetworkLogonRight</Constant> <DisplayName>Access this computer from the network</DisplayName> <Force>True</Force> <Identity>Administrators,Remote Desktop Users</Identity> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If any groups or accounts other than the following are granted the "Access this computer from the network" user right, this is a finding: Administrators Remote Desktop Users If a domain application account such as for a management tool requires this user right, this would not be a finding. Vendor documentation must support the requirement for having the user right. The requirement must be documented with the ISSO. The application account, managed at the domain level, must meet requirements for application account passwords, such as length and frequency of changes as defined in the Windows server STIGs.</RawString> </Rule> <Rule id="V-63847" severity="high" conversionstatus="pass" title="WN10-UR-000015" dscresource="UserRightsAssignment"> <Constant>SeTcbPrivilege</Constant> <DisplayName>Act as part of the operating system</DisplayName> <Force>True</Force> <Identity>NULL</Identity> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If any groups or accounts (to include administrators), are granted the "Act as part of the operating system" user right, this is a finding.</RawString> </Rule> <Rule id="V-63851" severity="medium" conversionstatus="pass" title="WN10-UR-000025" dscresource="UserRightsAssignment"> <Constant>SeInteractiveLogonRight</Constant> <DisplayName>Allow log on locally</DisplayName> <Force>True</Force> <Identity>Administrators,Users</Identity> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If any groups or accounts other than the following are granted the "Allow log on locally" user right, this is a finding: Administrators Users Systems dedicated to managing Active Directory (AD admin platforms), must only allow Administrators, removing the Users group.</RawString> </Rule> <Rule id="V-63853" severity="medium" conversionstatus="pass" title="WN10-UR-000030" dscresource="UserRightsAssignment"> <Constant>SeBackupPrivilege</Constant> <DisplayName>Back up files and directories</DisplayName> <Force>True</Force> <Identity>Administrators</Identity> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If any groups or accounts other than the following are granted the "Back up files and directories" user right, this is a finding: Administrators</RawString> </Rule> <Rule id="V-63855" severity="medium" conversionstatus="pass" title="WN10-UR-000035" dscresource="UserRightsAssignment"> <Constant>SeSystemtimePrivilege</Constant> <DisplayName>Change the system time</DisplayName> <Force>True</Force> <Identity>Administrators,LOCAL SERVICE</Identity> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If any groups or accounts other than the following are granted the "Change the system time" user right, this is a finding: Administrators LOCAL SERVICE</RawString> </Rule> <Rule id="V-63857" severity="medium" conversionstatus="pass" title="WN10-UR-000040" dscresource="UserRightsAssignment"> <Constant>SeCreatePagefilePrivilege</Constant> <DisplayName>Create a pagefile</DisplayName> <Force>True</Force> <Identity>Administrators</Identity> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If any groups or accounts other than the following are granted the "Create a pagefile" user right, this is a finding: Administrators</RawString> </Rule> <Rule id="V-63859" severity="high" conversionstatus="pass" title="WN10-UR-000045" dscresource="UserRightsAssignment"> <Constant>SeCreateTokenPrivilege</Constant> <DisplayName>Create a token object</DisplayName> <Force>True</Force> <Identity>NULL</Identity> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If any groups or accounts are granted the "Create a token object" user right, this is a finding.</RawString> </Rule> <Rule id="V-63861" severity="medium" conversionstatus="pass" title="WN10-UR-000050" dscresource="UserRightsAssignment"> <Constant>SeCreateGlobalPrivilege</Constant> <DisplayName>Create global objects</DisplayName> <Force>True</Force> <Identity>Administrators,LOCAL SERVICE,NETWORK SERVICE,SERVICE</Identity> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If any groups or accounts other than the following are granted the "Create global objects" user right, this is a finding: Administrators LOCAL SERVICE NETWORK SERVICE SERVICE</RawString> </Rule> <Rule id="V-63863" severity="medium" conversionstatus="pass" title="WN10-UR-000055" dscresource="UserRightsAssignment"> <Constant>SeCreatePermanentPrivilege</Constant> <DisplayName>Create permanent shared objects</DisplayName> <Force>True</Force> <Identity>NULL</Identity> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If any groups or accounts are granted the "Create permanent shared objects" user right, this is a finding.</RawString> </Rule> <Rule id="V-63865" severity="medium" conversionstatus="pass" title="WN10-UR-000060" dscresource="UserRightsAssignment"> <Constant>SeCreateSymbolicLinkPrivilege</Constant> <DisplayName>Create symbolic links</DisplayName> <Force>True</Force> <Identity>Administrators</Identity> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If any groups or accounts other than the following are granted the "Create symbolic links" user right, this is a finding: Administrators If the workstation has an approved use of Hyper-V, such as being used as a dedicated admin workstation using Hyper-V to separate administration and standard user functions, "NT VIRTUAL MACHINES\VIRTUAL MACHINE" may be assigned this user right and is not a finding.</RawString> </Rule> <Rule id="V-63869" severity="high" conversionstatus="pass" title="WN10-UR-000065" dscresource="UserRightsAssignment"> <Constant>SeDebugPrivilege</Constant> <DisplayName>Debug Programs</DisplayName> <Force>True</Force> <Identity>Administrators</Identity> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If any groups or accounts other than the following are granted the "Debug Programs" user right, this is a finding: Administrators</RawString> </Rule> <Rule id="V-63871" severity="medium" conversionstatus="pass" title="WN10-UR-000070" dscresource="UserRightsAssignment"> <Constant>SeDenyNetworkLogonRight</Constant> <DisplayName>Deny access to this computer from the network</DisplayName> <Force>False</Force> <Identity>Enterprise Admins,Domain Admins,Local account,Guests</Identity> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If the following groups or accounts are not defined for the "Deny access to this computer from the network" right, this is a finding: Domain Systems Only: Enterprise Admins group Domain Admins group Local account (see Note below) All Systems: Guests group Systems dedicated to the management of Active Directory (AD admin platforms, see V-36436 in the Active Directory Domain STIG) are exempt from denying the Enterprise Admins and Domain Admins groups. Note: "Local account" is a built-in security group used to assign user rights and permissions to all local accounts.</RawString> </Rule> <Rule id="V-63873" severity="medium" conversionstatus="pass" title="WN10-UR-000075" dscresource="UserRightsAssignment"> <Constant>SeDenyBatchLogonRight</Constant> <DisplayName>Deny log on as a batch job</DisplayName> <Force>False</Force> <Identity>Enterprise Admins,Domain Admins</Identity> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>This requirement is applicable to domain-joined systems, for standalone systems this is NA. Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If the following groups or accounts are not defined for the "Deny log on as a batch job" right, this is a finding: Domain Systems Only: Enterprise Admin Group Domain Admin Group</RawString> </Rule> <Rule id="V-63875" severity="medium" conversionstatus="pass" title="WN10-UR-000080" dscresource="UserRightsAssignment"> <Constant>SeDenyServiceLogonRight</Constant> <DisplayName>Deny log on as a service</DisplayName> <Force>False</Force> <Identity>Enterprise Admins,Domain Admins</Identity> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>This requirement is applicable to domain-joined systems, for standalone systems this is NA. Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If the following groups or accounts are not defined for the "Deny log on as a service" right , this is a finding: Domain Systems Only: Enterprise Admin Group Domain Admin Group</RawString> </Rule> <Rule id="V-63877" severity="medium" conversionstatus="pass" title="WN10-UR-000085" dscresource="UserRightsAssignment"> <Constant>SeDenyInteractiveLogonRight</Constant> <DisplayName>Deny log on locally</DisplayName> <Force>False</Force> <Identity>Enterprise Admins,Domain Admins,Guests</Identity> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If the following groups or accounts are not defined for the "Deny log on locally" right, this is a finding. Domain Systems Only: Enterprise Admins Group Domain Admins Group Workstations dedicated to the management of Active Directory (see V-36436 in the Active Directory Domain STIG) are exempt from this. All Systems: Guests Group</RawString> </Rule> <Rule id="V-63879" severity="medium" conversionstatus="pass" title="WN10-UR-000090" dscresource="UserRightsAssignment"> <Constant>SeDenyRemoteInteractiveLogonRight</Constant> <DisplayName>Deny log on through Remote Desktop Services</DisplayName> <Force>False</Force> <Identity>Enterprise Admins,Domain Admins,Local account,Guests</Identity> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If the following groups or accounts are not defined for the "Deny log on through Remote Desktop Services" right, this is a finding: If Remote Desktop Services is not used by the organization, the Everyone group can replace all of the groups listed below. Domain Systems Only: Enterprise Admin group Domain Admin group Local account (see Note below) All Systems: Guests group Systems dedicated to the management of Active Directory (AD admin platforms, see V-36436 in the Active Directory Domain STIG) are exempt from denying the Enterprise Admins and Domain Admins groups. Note: "Local account" is a built-in security group used to assign user rights and permissions to all local accounts.</RawString> </Rule> <Rule id="V-63881" severity="medium" conversionstatus="pass" title="WN10-UR-000095" dscresource="UserRightsAssignment"> <Constant>SeEnableDelegationPrivilege</Constant> <DisplayName>Enable computer and user accounts to be trusted for delegation</DisplayName> <Force>True</Force> <Identity>NULL</Identity> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If any groups or accounts are granted the "Enable computer and user accounts to be trusted for delegation" user right, this is a finding.</RawString> </Rule> <Rule id="V-63883" severity="medium" conversionstatus="pass" title="WN10-UR-000100" dscresource="UserRightsAssignment"> <Constant>SeRemoteShutdownPrivilege</Constant> <DisplayName>Force shutdown from a remote system</DisplayName> <Force>True</Force> <Identity>Administrators</Identity> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If any groups or accounts other than the following are granted the "Force shutdown from a remote system" user right, this is a finding: Administrators</RawString> </Rule> <Rule id="V-63887" severity="medium" conversionstatus="pass" title="WN10-UR-000105" dscresource="UserRightsAssignment"> <Constant>SeAuditPrivilege</Constant> <DisplayName>Generate security audits</DisplayName> <Force>True</Force> <Identity>LOCAL SERVICE,NETWORK SERVICE</Identity> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If any groups or accounts other than the following are granted the "Generate security audits" user right, this is a finding: LOCAL SERVICE NETWORK SERVICE</RawString> </Rule> <Rule id="V-63889" severity="medium" conversionstatus="pass" title="WN10-UR-000110" dscresource="UserRightsAssignment"> <Constant>SeImpersonatePrivilege</Constant> <DisplayName>Impersonate a client after authentication</DisplayName> <Force>True</Force> <Identity>Administrators,LOCAL SERVICE,NETWORK SERVICE,SERVICE</Identity> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If any groups or accounts other than the following are granted the "Impersonate a client after authentication" user right, this is a finding: Administrators LOCAL SERVICE NETWORK SERVICE SERVICE</RawString> </Rule> <Rule id="V-63891" severity="medium" conversionstatus="pass" title="WN10-UR-000115" dscresource="UserRightsAssignment"> <Constant>SeIncreaseBasePriorityPrivilege</Constant> <DisplayName>Increase scheduling priority</DisplayName> <Force>True</Force> <Identity>Administrators</Identity> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If any groups or accounts other than the following are granted the "Increase scheduling priority" user right, this is a finding: Administrators</RawString> </Rule> <Rule id="V-63917" severity="medium" conversionstatus="pass" title="WN10-UR-000120" dscresource="UserRightsAssignment"> <Constant>SeLoadDriverPrivilege</Constant> <DisplayName>Load and unload device drivers</DisplayName> <Force>True</Force> <Identity>Administrators</Identity> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If any groups or accounts other than the following are granted the "Load and unload device drivers" user right, this is a finding: Administrators</RawString> </Rule> <Rule id="V-63925" severity="medium" conversionstatus="pass" title="WN10-UR-000125" dscresource="UserRightsAssignment"> <Constant>SeLockMemoryPrivilege</Constant> <DisplayName>Lock pages in memory</DisplayName> <Force>True</Force> <Identity>NULL</Identity> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If any groups or accounts are granted the "Lock pages in memory" user right, this is a finding.</RawString> </Rule> <Rule id="V-63927" severity="medium" conversionstatus="pass" title="WN10-UR-000130" dscresource="UserRightsAssignment"> <Constant>SeSecurityPrivilege</Constant> <DisplayName>Manage auditing and security log</DisplayName> <Force>True</Force> <Identity>Administrators</Identity> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If any groups or accounts other than the following are granted the "Manage auditing and security log" user right, this is a finding: Administrators If the organization has an "Auditors" group the assignment of this group to the user right would not be a finding.</RawString> </Rule> <Rule id="V-63931" severity="medium" conversionstatus="pass" title="WN10-UR-000140" dscresource="UserRightsAssignment"> <Constant>SeSystemEnvironmentPrivilege</Constant> <DisplayName>Modify firmware environment values</DisplayName> <Force>True</Force> <Identity>Administrators</Identity> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If any groups or accounts other than the following are granted the "Modify firmware environment values" user right, this is a finding: Administrators</RawString> </Rule> <Rule id="V-63933" severity="medium" conversionstatus="pass" title="WN10-UR-000145" dscresource="UserRightsAssignment"> <Constant>SeManageVolumePrivilege</Constant> <DisplayName>Perform volume maintenance tasks</DisplayName> <Force>True</Force> <Identity>Administrators</Identity> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If any groups or accounts other than the following are granted the "Perform volume maintenance tasks" user right, this is a finding: Administrators</RawString> </Rule> <Rule id="V-63935" severity="medium" conversionstatus="pass" title="WN10-UR-000150" dscresource="UserRightsAssignment"> <Constant>SeProfileSingleProcessPrivilege</Constant> <DisplayName>Profile single process</DisplayName> <Force>True</Force> <Identity>Administrators</Identity> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If any groups or accounts other than the following are granted the "Profile single process" user right, this is a finding: Administrators</RawString> </Rule> <Rule id="V-63939" severity="medium" conversionstatus="pass" title="WN10-UR-000160" dscresource="UserRightsAssignment"> <Constant>SeRestorePrivilege</Constant> <DisplayName>Restore files and directories</DisplayName> <Force>True</Force> <Identity>Administrators</Identity> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If any groups or accounts other than the following are granted the "Restore files and directories" user right, this is a finding: Administrators</RawString> </Rule> <Rule id="V-63941" severity="medium" conversionstatus="pass" title="WN10-UR-000165" dscresource="UserRightsAssignment"> <Constant>SeTakeOwnershipPrivilege</Constant> <DisplayName>Take ownership of files or other objects</DisplayName> <Force>True</Force> <Identity>Administrators</Identity> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If any groups or accounts other than the following are granted the "Take ownership of files or other objects" user right, this is a finding: Administrators</RawString> </Rule> </UserRightRule> <WindowsFeatureRule dscresourcemodule="PSDesiredStateConfiguration"> <Rule id="V-63377.a" severity="high" conversionstatus="pass" title="WN10-00-000100" dscresource="WindowsOptionalFeature"> <FeatureName>IIS-HostableWebCore</FeatureName> <InstallState>Absent</InstallState> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>IIS is not installed by default. Verify it has not been installed on the system. Run "Programs and Features". Select "Turn Windows features on or off". If the entries for "Internet Information Services" or "Internet Information Services Hostable Web Core" are selected, this is a finding. If an application requires IIS or a subset to be installed to function, this needs be documented with the ISSO. In addition, any applicable requirements from the IIS STIG must be addressed.</RawString> </Rule> <Rule id="V-63377.b" severity="high" conversionstatus="pass" title="WN10-00-000100" dscresource="WindowsOptionalFeature"> <FeatureName>IIS-WebServer</FeatureName> <InstallState>Absent</InstallState> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>IIS is not installed by default. Verify it has not been installed on the system. Run "Programs and Features". Select "Turn Windows features on or off". If the entries for "Internet Information Services" or "Internet Information Services Hostable Web Core" are selected, this is a finding. If an application requires IIS or a subset to be installed to function, this needs be documented with the ISSO. In addition, any applicable requirements from the IIS STIG must be addressed.</RawString> </Rule> <Rule id="V-63381" severity="medium" conversionstatus="pass" title="WN10-00-000105" dscresource="WindowsOptionalFeature"> <FeatureName>SNMP</FeatureName> <InstallState>Absent</InstallState> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>"SNMP" is not installed by default. Verify it has not been installed. Navigate to the Windows\System32 directory. If the "SNMP" application exists, this is a finding.</RawString> </Rule> <Rule id="V-63383" severity="medium" conversionstatus="pass" title="WN10-00-000110" dscresource="WindowsOptionalFeature"> <FeatureName>SimpleTCP</FeatureName> <InstallState>Absent</InstallState> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>"Simple TCP/IP Services" is not installed by default. Verify it has not been installed. Run "Services.msc". If "Simple TCP/IP Services" is listed, this is a finding.</RawString> </Rule> <Rule id="V-63385" severity="medium" conversionstatus="pass" title="WN10-00-000115" dscresource="WindowsOptionalFeature"> <FeatureName>TelnetClient</FeatureName> <InstallState>Absent</InstallState> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>The "Telnet Client" is not installed by default. Verify it has not been installed. Navigate to the Windows\System32 directory. If the "telnet" application exists, this is a finding.</RawString> </Rule> <Rule id="V-63389" severity="medium" conversionstatus="pass" title="WN10-00-000120" dscresource="WindowsOptionalFeature"> <FeatureName>TFTP</FeatureName> <InstallState>Absent</InstallState> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>The "TFTP Client" is not installed by default. Verify it has not been installed. Navigate to the Windows\System32 directory. If the "TFTP" application exists, this is a finding.</RawString> </Rule> <Rule id="V-70637.a" severity="medium" conversionstatus="pass" title="WN10-00-000155" dscresource="WindowsOptionalFeature"> <FeatureName>MicrosoftWindowsPowerShellV2</FeatureName> <InstallState>Absent</InstallState> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Run "Windows PowerShell" with elevated privileges (run as administrator). Enter the following: Get-WindowsOptionalFeature -Online | Where -FeatureName -like *PowerShellv2* If either of the following have a "State" of "Enabled", this is a finding. FeatureName : MicrosoftWindowsPowerShellV2 State : Enabled FeatureName : MicrosoftWindowsPowerShellV2Root State : Enabled Alternately: Search for "Features". Select "Turn Windows features on or off". If "Windows PowerShell 2.0" (whether the subcategory of "Windows PowerShell 2.0 Engine" is selected or not) is selected, this is a finding.</RawString> </Rule> <Rule id="V-70637.b" severity="medium" conversionstatus="pass" title="WN10-00-000155" dscresource="WindowsOptionalFeature"> <FeatureName>MicrosoftWindowsPowerShellV2Root</FeatureName> <InstallState>Absent</InstallState> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Run "Windows PowerShell" with elevated privileges (run as administrator). Enter the following: Get-WindowsOptionalFeature -Online | Where -FeatureName -like *PowerShellv2* If either of the following have a "State" of "Enabled", this is a finding. FeatureName : MicrosoftWindowsPowerShellV2 State : Enabled FeatureName : MicrosoftWindowsPowerShellV2Root State : Enabled Alternately: Search for "Features". Select "Turn Windows features on or off". If "Windows PowerShell 2.0" (whether the subcategory of "Windows PowerShell 2.0 Engine" is selected or not) is selected, this is a finding.</RawString> </Rule> <Rule id="V-70639" severity="medium" conversionstatus="pass" title="WN10-00-000160" dscresource="WindowsOptionalFeature"> <FeatureName>SMB1Protocol</FeatureName> <InstallState>Absent</InstallState> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Different methods are available to disable SMBv1 on Windows 10. This is the preferred method, however if V-74723 and V-74725 are configured, this is NA. Run "Windows PowerShell" with elevated privileges (run as administrator). Enter the following: Get-WindowsOptionalFeature -Online | Where FeatureName -eq SMB1Protocol If "State : Enabled" is returned, this is a finding. Alternately: Search for "Features". Select "Turn Windows features on or off". If "SMB 1.0/CIFS File Sharing Support" is selected, this is a finding.</RawString> </Rule> </WindowsFeatureRule> <WmiRule dscresourcemodule="PSDesiredStateConfiguration"> <Rule id="V-63353" severity="high" conversionstatus="pass" title="WN10-00-000050" dscresource="Script"> <IsNullOrEmpty>False</IsNullOrEmpty> <Operator>-match</Operator> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <Property>FileSystem</Property> <Query>SELECT * FROM Win32_LogicalDisk WHERE DriveType = '3'</Query> <RawString>Run "Computer Management". Navigate to Storage >> Disk Management. If the "File System" column does not indicate "NTFS" for each volume assigned a drive letter, this is a finding. This does not apply to system partitions such the Recovery and EFI System Partition.</RawString> <Value>NTFS|ReFS</Value> </Rule> </WmiRule> </DISASTIG> |