CIS Win7 v1.2.0 Rule # | CIS Win7 v2.1.0 Rule # | CIS Win7 v3.0.1 Rule # | USGCB Win7 v1.2.0 CCE ID v5 | GPO Folder
1 Computer Configuration
Policies
1.2 Windows Settings
1.2.1 Security Settings
1 1.2.1.4 1 Account Policies
1.2.1.4.2 1.1 Password Policy
1.1.1 1.2.1.4.2.4 1.1.1 CCE-8912-8 Enforce password history
1.1.2 1.2.1.4.2.3 1.1.2 CCE-9193-4 Maximum password age
1.1.3 1.2.1.4.2.5 1.1.3 CCE-9330-2 Minimum password age
1.1.4 1.2.1.4.2.2 1.1.4 CCE-9357-5 Minimum password length
1.1.5 1.2.1.4.2.6 1.1.5 CCE-9370-8 Password must meet complexit
1.1.6 1.2.1.4.2.1 1.1.6 CCE-9260-1 Store passwords using reversib
1.2.1.4.1 1.2 Account Lockout Policy
1.1.7 1.2.1.4.1.1 1.2.1 CCE-9308-8 Account lockout duration
1.1.8 1.2.1.4.1.2 1.2.2 CCE-9136-3 Account lockout threshold
1.1.9 1.2.1.4.1.3 1.2.3 CCE-9400-3 Reset account lockout counter
1.2.1.1 2 Local Policies
1.2 2.1 Audit Policy
1.2.1 Audit account logon events
1.2.2 Audit account management
1.2.3 Audit directory service access
1.2.4 Audit logon events
1.2.5 Audit object access
1.2.6 Audit policy change
1.2.7 Audit privilege use
1.2.8 Audit process tracking
1.2.9 Audit system events
1.8 1.2.1.1.2 2.2 User Rights Assignment
1.8.39 1.2.1.1.2.29 2.2.1 Access Credential Manager as a
Policy
Create a pagefile
Create a token object
Network security: Do not store LAN Manager hash value on next password change
Network security: Force logoff when logon hours expire
Network security: LAN Manager authentication level
Network security: LDAP client signing requirements
Network security: Minimum session security for NTLM SSP based (including secure RP
Network security: Minimum session security for NTLM SSP based (including secure R
Network Security: Restrict NTLM: Add remote server exceptions for NTLM authentication
Network Security: Restrict NTLM: Add server exceptions in this domain
Network Security: Restrict NTLM: Audit Incoming NTLM Traffic
Network Security: Restrict NTLM: Audit NTLM authentication in this domain
Network Security: Restrict NTLM: Incoming NTLM traffic
Network Security: Restrict NTLM: NTLM authentication in this domain
Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers
Recovery console: Allow automatic administrative logon
Recovery console: Allow floppy copy and access to all drives and all folders
Shutdown: Allow system to be shut down without having to log on
Shutdown: Clear virtual memory pagefile
System cryptography: Force strong key protection for user keys stored on the compu
System cryptography: Use FIPS compliant algorithms for encryption, hashing, and sig
System objects: Require case insensitivity for non-Windows subsystems
System objects: Strengthen default permissions of internal system objects (e.g. Symbo
System settings: Optional subsystems
System settings: Use Certificate Rules on Windows Executables for Software Restricti
User Account Control: Admin Approval Mode for the Built-in Administrator account
User Account Control: Allow UIAccess applications to prompt for elevation without u
User Account Control: Behavior of the elevation prompt for administrators in Admi
User Account Control: Behavior of the elevation prompt for standard users
User Account Control: Detect application installations and prompt for elevation
User Account Control: Only elevate executables that are signed and validated
User Account Control: Only elevate UIAccess applications that are installed in secure
User Account Control: Run all administrators in Admin Approval Mode
User Account Control: Switch to the secure desktop when prompting for elevation
User Account Control: Virtualize file and registry write failures to per-user locations
Firewall state
Inbound connections
Outbound connections
Firewall settings
Display a notification
Unicast response
Allow unicast response
Rule merging
Apply local firewall rules
Apply local connection security rules
Name
Size limit (KB)
Log dropped packets
Log successful connections
ivate Profile
Firewall state
Inbound connections
Outbound connections
Firewall settings
Display a notification
Unicast response
Allow unicast response
Rule merging
Apply local firewall rules
Apply local connection security rules
Name
Size limit (KB)
Log dropped packets
Log successful connections
Firewall state
Inbound connections
Outbound connections
Firewall settings
Display a notification
Unicast response
Allow unicast response
Rule merging
Apply local firewall rules
Apply local connection security rules
Name
Size limit (KB)
Log dropped packets
Log successful connections
striction Policies
ess Protection NAP Client Configuration
Control Policies
nt Management
Audit Application Group Management
ed Tracking
Audit DPAPI Activity
Audit Logoff
Audit Logon
Audit Registry
Audit SAM
Registry
Language Options
opology Discovery
Turn on Mapper I/O (LLTDIO) driver
Turn on Responder (RSPNDR) driver
er-to-Peer Networking Services
Turn off Microsoft Peer-to-Peer Networking Services
me Resolution Protocol
Prohibit installation and configuration of Network Bridge on your DNS domain network
Require domain users to elevate when setting a network's location
Route all traffic through the internal network
Select from the following states:
ation Settings
sition Technologies
Set 6to4 State
Select from the following states:
Set IP-HTTPS State
Select Interface state from the following options:
Set ISATAP State
Select from the following states:
Set Teredo State
Select from the following states:
ed Assistance
Antimalware
orage Access
ation Infrastructure
adow Copy Agent
adow Copy Provider
Configure registry policy processing
Do not apply during periodic background processing:
Process even if the Group Policy objects have not changed:
Turn off background refresh of Group Policy
mmunication Management
Communication settings
Turn off downloading of print drivers over HTTP
Turn off Event Viewer "Events.asp" links
Turn off handwriting personalization data sharing
Turn off handwriting recognition error reporting
Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com
Turn off Internet download for Web publishing and online ordering wizards
Turn off Internet File Association service
Turn off printing over HTTP
Turn off Registration if URL connection is referring to Microsoft.com
Turn off Search Companion content file updates
Turn off the "Order Prints" picture task
Turn off the "Publish to Web" task for files and folders
Turn off the Windows Messenger Customer Experience Improvement Program
Turn off Windows Customer Experience Improvement Program
Turn off Windows Error Reporting
Turn off Windows Update device driver searching
Control Panel
aver Settings
Troubleshooting: Allow users to access online troubleshooting content on Microsoft servers from the Troubleshooting Control Pan
Boot Performance Diagnostics
Memory Leak Diagnosis
Performance PerfTrack
Enable/Disable PerfTrack
orm Module Services
e Protection
Configure Windows NTP Client
NtpServer
Type
CrossSiteSyncFlags
ResolvePeerBackoffMinutes
ResolvePeerBackoffMaxtimes
SpecialPollInterval
EventLogFlags
Enable Windows NTP Client
Enable Windows NTP Server
Compatibility
Turn off Inventory Collector
ve Encryption
Choose drive encryption method and cipher strength (Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R
Select the encryption method:
Allow access to BitLocker-protected fixed data drives from earlier versions of Windows
Choose how BitLocker-protected fixed drives can be recovered
Allow data recovery agent:
Configure user storage of BitLocker recovery information:
ser Interface
Do not display the password reveal button
Enumerate administrator accounts on elevation
Require trusted path for credential entry
on and Preview Builds
Control Event Log behavior when the log file reaches its maximum size
Specify the maximum log file size (KB)
Maximum Log Size (KB)
Control Event Log behavior when the log file reaches its maximum size
Specify the maximum log file size (KB)
Maximum Log Size (KB)
Control Event Log behavior when the log file reaches its maximum size
Specify the maximum log file size (KB)
Maximum Log Size (KB)
Control Event Log behavior when the log file reaches its maximum size
Specify the maximum log file size (KB)
Maximum Log Size (KB)
Turn off Data Execution Prevention for Explorer
Turn off heap termination on corruption
Turn off shell protocol protected mode
rmation Services
rmerly SkyDrive)
Prevent the usage of OneDrive for file storage
Prevent the usage of OneDrive for file storage on Windows 8.1
nchronization
erating System
r Redirection
nnection Broker
te Session Environment
tection Platform
obility Center
15 minute(s)
50 invalid logon attempt(s)
15 or more minute(s)
<No auditing>
<No auditing>
<No auditing>
<No auditing>
<No auditing>
<No auditing>
<No auditing>
<No auditing>
<No auditing>
<No One>
Administrators
Users
<No One>
<not defined>
Administrators
Users
<not defined>
<not defined>
<not defined>
Administrators
LOCAL SERVICE
Administrators
<No One>
<not defined>
<No One>
Administrators
Administrators
Guests
Guests
<not defined>
<No One>
Administrators
LOCAL SERVICE
NETWORK SERVICE
Administrators
LOCAL SERVICE
NETWORK SERVICE
SERVICE
<not defined>
Administrators
Administrators
<No One>
<not defined>
<not defined>
Administrators
<No One>
Administrators
Administrators
<not defined>
Administrators
NT SERVICE\WdiServiceHost
Administrators
Users
LOCAL SERVICE
NETWORK SERVICE
<not defined>
Administrators
Users
Administrators
<not defined>
Disabled
Enabled
any value that does not contain the term "admin"
any value that does not contain the term "guest"
Enabled
Disabled
Enabled
Disabled
<consistent with organization requirements>
<consistent with organization requirements>
2 logons
14 days
Enabled / Disabled
<not defined>
Lock Workstation
Enabled
Enabled
Disabled
15 minutes
Enabled
Enabled
Enabled
<not defined>
Disabled
Enabled
Enabled
etwork authentication
Disabled
<not defined>
<not defined>
<not defined>
<not defined>
<not defined>
Classic - local users authenticate as themselves
<not defined>
<not defined>
Disabled
Enabled
Disabled
<not defined>
<not defined>
<not defined>
Enabled
Disabled
Prompt for credentials
Automatically deny elevation requests
Enabled
Enabled
Enabled
Enabled
Enabled
On
Block
Yes
No
<not defined>
<not defined>
On
Block
Yes
No
<not defined>
<not defined>
On
Block
No
No
No
No
Success
Success
<No auditing>
Success
Success
Success
Success
Success
Success
Success
<No auditing>
<No auditing>
Success
<No auditing>
Success and Failure
Disabled
m crash (recommended except for highly secure environments)
<not defined>
<not defined>
<not defined>
<not defined>
ved (recommended)
<not defined>
<not defined>
<not defined>
<not defined>
omain network
uld normally prompt creation of a restore point
setup classes:
Enabled
TRUE (checked)
Enabled
Enabled
Enabled
Enabled
Enabled
Enabled
<not defined>
<not configured>
<not configured>
Enabled
Enabled
<not defined>
<not defined>
<not defined>
Enabled
Authenticated
n Microsoft servers from the Troubleshooting Control Panel (via the Windows Online Troubleshooting Service - WOTS)
Enabled
All Drives
ns of Windows
ersions of Windows
<not configured>
<not configured>
Disabled
Enabled
32,768 KB or greater
Disabled
Enabled
81,920 KB or greater
Disabled
Enabled
32,768 KB or greater
Disabled
Enabled
<not configured>
<not configured>
Enabled
Enabled
High Level
<not defined>
Enabled
3 - Auto download and notify for install
15 minute(s)
10 invalid logon attempt(s)
15 or more minute(s)
<No auditing>
<No auditing>
<No auditing>
<No auditing>
<No auditing>
<No auditing>
<No auditing>
<No auditing>
<No auditing>
<No One>
Administrators
Users
<No One>
Administrators
LOCAL SERVICE
NETWORK SERVICE
Administrators
Users
<No One>
Administrators
Administrators
LOCAL SERVICE
NETWORK SERVICE
Users
Administrators
LOCAL SERVICE
Administrators
<No One>
Administrators
LOCAL SERVICE
NETWORK SERVICE
SERVICE
<No One>
Administrators
<No One>
Guests
Guests
Everyone
<No One>
Administrators
LOCAL SERVICE
NETWORK SERVICE
Administrators
LOCAL SERVICE
NETWORK SERVICE
SERVICE
Administrators
LOCAL SERVICE
Administrators
Administrators
<No One>
Administrators
<No One>
Administrators
<No One>
Administrators
Administrators
Administrators
Administrators
NT SERVICE\WdiServiceHost
Administrators
Users
LOCAL SERVICE
NETWORK SERVICE
Administrators
Administrators
Users
Administrators
Disabled
Disabled
Enabled
any value that does not contain the term "admin"
any value that does not contain the term "guest"
Enabled
Disabled
Administrators
Enabled / <not defined>
Enabled
Enabled
Enabled
Enabled
Enabled
Disabled
30 days
Enabled
Enabled
Disabled
<consistent with organization requirements>
<consistent with organization requirements>
0 logons / 2 logons
14 days
Enabled / Disabled
Enabled
Lock Workstation
Enabled
Enabled
Disabled
15 minutes
Enabled
Enabled
Enabled
Accept if provided by client
Disabled
Enabled
Enabled
Disabled
<None> (blank)
System\CurrentControlSet\Control\ProductOptions
System\CurrentControlSet\Control\Server Applications
Software\Microsoft\Windows NT\CurrentVersion
System\CurrentControlSet\Control\Print\Printers
System\CurrentControlSet\Services\Eventlog
Software\Microsoft\OLAP Server
Software\Microsoft\Windows NT\CurrentVersion\Print
Software\Microsoft\Windows NT\CurrentVersion\Windows
System\CurrentControlSet\Control\ContentIndex
System\CurrentControlSet\Control\Terminal Server
System\CurrentControlSet\Control\Terminal Server\UserConfig
System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration
Software\Microsoft\Windows NT\CurrentVersion\Perflib
System\CurrentControlSet\Services\SysmonLog
Enabled
<None> (blank)
Classic - local users authenticate as themselves
Enabled
Disabled
Disabled
Enabled
Disabled
Disabled
Disabled
Enabled
Enabled
Disabled
Prompt for credentials
Automatically deny elevation requests
Enabled
Enabled
Enabled
Enabled
Enabled
On
Block
No
No
No
No
On
Block
No
No
No
No
On
Block
No
No
No
No
Success
Success
Success
Failure
Failure
Success
Disabled
Enabled
Highest protection, source routing is completely disabled
Enabled
Highest protection, source routing is completely disabled
Disabled
Enabled
Enabled
300,000 or 5 minutes (recommended)
TRUE (checked)
Enabled
Enabled
Enabled
Enabled
Enabled
Enabled
Enabled
Enabled
Enabled
Enabled
Enabled
Disabled
Disabled
Enabled
Enabled
Authenticated
Disabled
Enabled
81,920 KB or greater
Disabled
Enabled
32,768 KB or greater
Disabled
Enabled
Enabled
Disabled
Enabled
Enabled
Enabled
High Level
Disabled
Enabled
3 - Auto download and notify for install
Disabled
Disabled
Enabled
CIS Win7 v2.1.0
Value
24 passwords remembered
60 days or less
1 day or greater
14 characters
Enabled
Disabled
15 minute(s) or greater
6 invalid logon attempt(s) or fewer
15 minute(s) or greater
No One
Users
Administrators
No One
Administrators
Local Service
Network Service
Administrators
Users
<consistent with organization requirements>
Administrators
LOCAL SERVICE
NETWORK SERVICE
Users
LOCAL SERVICE
Administrators
LOCAL SERVICE
Administrators
Users
Administrators
<consistent with organization requirements>
Administrators
SERVICE
LOCAL SERVICE
NETWORK SERVICE
<consistent with organization requirements>
<consistent with organization requirements>
Administrators
Guests
Guests
<consistent with organization requirements>
Guests
No One
Administrators
Local Service
Network Service
Administrators
SERVICE
Local Service
Network Service
Administrators
Local Service
Administrators
Administrators
No One
<consistent with organization requirements>
<consistent with organization requirements>
Administrators
<consistent with organization requirements>
Administrators
Administrators
<consistent with organization requirements>
Administrators
NT SERVICE\WdiServiceHost
Administrators
Users
Local Service
Network Service
<consistent with organization requirements>
Administrators
Users
Administrators
Disabled
Disabled
Enabled
Enabled
Enabled
Enabled
Disabled
30 days
Enabled
<consistent with organization requirements>
Enabled
Disabled
<consistent with organization requirements>
<consistent with organization requirements>
2 logons
14 days
Enabled
<consistent with organization requirements>
Lock Workstation
Enabled
Enabled
Disabled
15 minutes
Enabled
Enabled
Enabled
<consistent with organization requirements>
Disabled
Enabled
Enabled
<consistent with organization requirements>
Disabled
<consistent with organization requirements>
System\CurrentControlSet\Control\Print\Printers
System\CurrentControlSet\Services\Eventlog
Software\Microsoft\OLAP Server
Software\Microsoft\Windows NT\CurrentVersion\Print
Software\Microsoft\Windows NT\CurrentVersion\Windows
System\CurrentControlSet\Control\ContentIndex
System\CurrentControlSet\Control\Terminal Server
System\CurrentControlSet\Control\Terminal Server\UserConfig
System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration
Software\Microsoft\Windows NT\CurrentVersion\Perflib
System\CurrentControlSet\Services\SysmonLog
Enabled
<None> (blank)
Classic - local users authenticate as themselves
<consistent with organization requirements>
<consistent with organization requirements>
<consistent with organization requirements>
Enabled
<consistent with organization requirements>
Send NTLMv2 response only. Refuse LM & NTLM.
Negotiate signing
Require NTLMv2 session security
Require 128-bit encryption
Require NTLMv2 session security
Require 128-bit encryption
<consistent with organization requirements>
<consistent with organization requirements>
<consistent with organization requirements>
<consistent with organization requirements>
<consistent with organization requirements>
<consistent with organization requirements>
<consistent with organization requirements>
Disabled
<consistent with organization requirements>
<consistent with organization requirements>
Disabled
<consistent with organization requirements>
<consistent with organization requirements>
Enabled
Enabled
<consistent with organization requirements>
<consistent with organization requirements>
Enabled
Disabled
Prompt for credentials
Automatically deny elevation requests
Enabled
Disabled
Enabled
Enabled
Enabled
Enabled
On (recommended)
Block (default)
Allow (default)
Yes
No
Yes (default)
Yes (default)
On (recommended)
Block (default)
Allow (default)
Yes
No
Yes (default)
Yes (default)
On (recommended)
Block (default)
Allow (default)
No
No
Yes (default)
No
<no auditing>
<no auditing>
<no auditing>
<no auditing>
Success
<no auditing>
<no auditing>
Success
<no auditing>
<no auditing>
<no auditing>
<no auditing>
<no auditing>
<no auditing>
<no auditing>
<no auditing>
<no auditing>
<no auditing>
Success
<no auditing>
<no auditing>
Success
<no auditing>
<no auditing>
<no auditing>
<no auditing>
<no auditing>
<no auditing>
<no auditing>
<no auditing>
<no auditing>
<no auditing>
<no auditing>
<no auditing>
Success
<no auditing>
<no auditing>
<no auditing>
<no auditing>
<no auditing>
<no auditing>
<no auditing>
Disabled
<consistent with organization requirements>
Enabled
Highest protection, source routing is completely disabled
Enabled
Highest protection, source routing is completely disabled
Enabled
Enabled
0 seconds
<consistent with organization requirements>
<consistent with organization requirements>
<consistent with organization requirements>
<consistent with organization requirements>
Enabled
90%
Enabled
FALSE (unchecked)
TRUE (checked)
Enabled
Enabled
Enabled
Enabled
Enabled
Enabled
Enabled
Disabled
Disabled
Enabled
Enabled
Authenticated
Enabled
All Drives
Enabled
AES 256-bit with Diffuser
Disabled
Enabled
1
Do not allow 48-digit recovery password
Do not allow 256-bit recovery key
1
0
Backup recovery passwords and key packages
0
Disabled
Enabled
1
Enabled
Enabled
0
Require 48-digit recovery password
Do not allow 256-bit recovery key
1
1
Store recovery passwords and key packages
1
Enabled
7 characters
Enabled
0
Do not allow TPM
Require startup PIN with TPM
Do not allow startup key with TPM
Do not allow startup key and PIN with TPM
Disabled
Enabled
1
Do not allow 48-digit recovery password
Do not allow 256-bit recovery key
1
0
Backup recovery passwords and key packages
0
Disabled
Enabled
1
Enabled
1
Disabled
<consistent with organization requirements>
Enabled
32,768
Disabled
Enabled
81,920
Disabled
Enabled
32,768
Disabled
Disabled
Enabled
Enabled
High Level
Enabled
Enabled
3 - Auto download and notify for install
Disabled
Disabled
Disabled
Enabled
1 minute
<consistent with organization requirements>
<consistent with organization requirements>
<consistent with organization requirements>
CIS Win7 v3.0.1
Level 1 Value
24 or more password(s)
60 or fewer days, but not 0
1 or more day(s)
14 or more character(s)
Enabled
Disabled
15 or more minute(s)
10 or fewer invalid logon attempt(s), but not 0
15 or more minute(s)
<No One>
Administrators
<No One>
Administrators
LOCAL SERVICE
NETWORK SERVICE
Administrators
Users
Administrators
Remote Desktop Users
Administrators
Administrators
LOCAL SERVICE
Administrators
LOCAL SERVICE
Users
Administrators
<No One>
Administrators
LOCAL SERVICE
NETWORK SERVICE
SERVICE
<No One>
Administrators
Administrators
Must include both "Guests" group and "Local account" at a minimum
Must include "Guests" group at a minimum
Must include "Guests" group at a minimum
Must include "Guests" group at a minimum
Must include both "Guests" group and "Local account" at a minimum
<No One>
Administrators
LOCAL SERVICE
NETWORK SERVICE
Administrators
LOCAL SERVICE
NETWORK SERVICE
SERVICE
Administrators
Administrators
<No One>
Administrators
<No One>
Administrators
Administrators
Administrators
Administrators
NT SERVICE\WdiServiceHost
LOCAL SERVICE
NETWORK SERVICE
Administrators
Administrators
Users
Administrators
Disabled
Disabled
Enabled
<consistent with organization requirements>
<consistent with organization requirements>
Enabled
Disabled
Enabled
Enabled
Enabled
Disabled
30 or fewer days, but not 0
Enabled
Enabled
Disabled
<non-empty - consistent with organization requirements>
<non-empty - consistent with organization requirements>
System\CurrentControlSet\Control\ProductOptions
System\CurrentControlSet\Control\Server Applications
Software\Microsoft\Windows NT\CurrentVersion
System\CurrentControlSet\Control\Print\Printers
System\CurrentControlSet\Services\Eventlog
Software\Microsoft\OLAP Server
Software\Microsoft\Windows NT\CurrentVersion\Print
Software\Microsoft\Windows NT\CurrentVersion\Windows
System\CurrentControlSet\Control\ContentIndex
System\CurrentControlSet\Control\Terminal Server
System\CurrentControlSet\Control\Terminal Server\UserConfig
System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration
Software\Microsoft\Windows NT\CurrentVersion\Perflib
System\CurrentControlSet\Services\SysmonLog
Enabled
<None> (blank)
Classic - local users authenticate as themselves
Enabled
Disabled
Disabled
RC4_HMAC_MD5
AES128_HMAC_SHA1
AES256_HMAC_SHA1
Future encryption types
Enabled
Enabled
Send NTLMv2 response only. Refuse LM & NTLM
'Negotiate signing' or higher
Require NTLMv2 session security
Require 128-bit encryption
Require NTLMv2 session security
Require 128-bit encryption
Enabled
Enabled
<None> (blank)
Enabled
Disabled
Prompt for consent on the secure desktop
Automatically deny elevation requests
Enabled
Enabled
Enabled
Enabled
Enabled
On (recommended)
Block (default)
Allow (default)
No
Yes (default)
Yes (default)
%SYSTEMROOT%\System32\logfiles\firewall\domainfw.log
16,384 KB or greater
Yes
Yes
On (recommended)
Block (default)
Allow (default)
No
Yes (default)
Yes (default)
%SYSTEMROOT%\System32\logfiles\firewall\privatefw.log
16,384 KB or greater
Yes
Yes
On (recommended)
Block (default)
Allow (default)
Yes
No
No
%SYSTEMROOT%\System32\logfiles\firewall\publicfw.log
16,384 KB or greater
Yes
Yes
Success
Success
Success
Success
Success and Failure
Success
Success
Disabled
Enabled
Highest protection, source routing is completely disabled
Enabled
Highest protection, source routing is completely disabled
Disabled
Enabled
Enabled
Enabled
5 or fewer seconds
Enabled
90% or less
Enabled
Enabled
\\*\NETLOGON RequireMutualAuthentication=1, RequireIntegrity=1
\\*\SYSVOL RequireMutualAuthentication=1, RequireIntegrity=1
Enabled
Disabled
Disabled
Disabled
Enabled
Disabled
Disabled
Enabled
Enabled
Authenticated
Enabled
Enabled
Do not execute any autorun commands
Enabled
All Drives
Enabled
AES 256-bit with Diffuser
Disabled
Enabled
1
Allow 48-digit recovery password
Allow 256-bit recovery key
1
0
Backup recovery passwords and key packages
0
Disabled
Enabled
1
Enabled
Enabled
0
Require 48-digit recovery password
Do not allow 256-bit recovery key
1
1
Store recovery passwords and key packages
1
Enabled
7 or more characters
Enabled
0
Do not allow TPM
Require startup PIN with TPM
Do not allow startup key with TPM
Do not allow startup key and PIN with TPM
Disabled
Enabled
1
Do not allow 48-digit recovery password
Do not allow 256-bit recovery key
1
0
Backup recovery passwords and key packages
0
Disabled
Enabled
1
Enabled
0
Enabled
Disabled
Enabled
Enabled
Disabled
Enabled
32,768 KB or greater
Disabled
Enabled
196,608 KB or greater
Disabled
Enabled
32,768 KB or greater
Disabled
Enabled
32,768 KB or greater
Disabled
Disabled
Disabled
Enabled
Enabled
Enabled
Enabled
Enabled
Enabled
High Level
Disabled
Disabled
Enabled
Disabled
Enabled
Always ask before sending data
Disabled
Disabled
Disabled
Disabled
Disabled
Disabled
Enabled
Disabled
Disabled
Enabled
Enabled
0 - Every day
Disabled
Disabled
Disabled
Enabled
1 minute
CIS Win7 v3.0.1
Level 2 Value
Administrators
<No One>
Enabled
4 or fewer logon(s)
'User is prompted when the key is first used' or higher
Enabled
Enabled
300,000 or 5 minutes (recommended)
Disabled
Enabled
3
Enabled
3
Disabled
Disabled
Enabled
0xff (255)
Disabled
Enabled
Enabled
Enabled
Enabled
Enabled
Enabled
Enabled
Enabled
Enabled
Enabled
Enabled
Enabled
Enabled
Enabled
Disabled
Enabled
Disabled
Enabled
AES 256-bit with Diffuser
Disabled
Enabled
1
Allow 48-digit recovery password
Allow 256-bit recovery key
1
0
Backup recovery passwords and key packages
0
Disabled
Enabled
1
Enabled
Enabled
0
Require 48-digit recovery password
Do not allow 256-bit recovery key
1
1
Store recovery passwords and key packages
1
Enabled
7 or more characters
Enabled
0
Do not allow TPM
Require startup PIN with TPM
Do not allow startup key with TPM
Do not allow startup key and PIN with TPM
Disabled
Enabled
1
Do not allow 48-digit recovery password
Do not allow 256-bit recovery key
1
0
Backup recovery passwords and key packages
0
Disabled
Enabled
1
Enabled
0
Enabled
Enabled
Enabled
Disabled
Enabled
Enabled
Enabled
Enabled
15 minutes or less
Enabled
1 minute
Disabled
Disabled
Disabled
Disabled
USGCB Win7 v1.2.0
Value Notes
24 passwords remembered
60 days
1 day
12 characters
Enabled
Disabled
15 minute(s)
5 invalid logon attempts
15 minute(s)
Administrators
<No One>
Administrators
LOCAL SERVICE
NETWORK SERVICE
Administrators
Users
Administrators
Remote Desktop Users
Administrators
Administrators
LOCAL SERVICE
NETWORK SERVICE
Users
Administrators
LOCAL SERVICE
Administrators
LOCAL SERVICE
Users
Administrators
<No One>
Administrators
LOCAL SERVICE
NETWORK SERVICE
SERVICE
<No One>
Administrators
Administrators
Guests Vista and 2008 (non-R2) do not support "Local account" (KB
Guests
<No One>
Guests
Guests Vista and 2008 (non-R2) do not support "Local account" (KB
Administrators
LOCAL SERVICE
NETWORK SERVICE
Administrators
LOCAL SERVICE
NETWORK SERVICE
SERVICE
Administrators
LOCAL SERVICE
Administrators
Administrators
<No One>
<No One>
<No One>
Administrators
<No One>
Administrators
Administrators
Administrators
Administrators
NT SERVICE\WdiServiceHost
Administrators
Users
LOCAL SERVICE
NETWORK SERVICE
Administrators
Administrators
Users
Administrators
Disabled
Disabled
Enabled
Renamed_Admin
Renamed_Guest
Disabled
Disabled
Enabled
Disabled
Disabled
Disabled
Enabled
Enabled
Enabled
Disabled
30 days
Enabled
Enabled
Disabled
<non-empty - consistent with organization requirements>
<non-empty - consistent with organization requirements>
2
14 days
Disabled
Lock Workstation
Enabled
Enabled
Disabled
15 minutes
Enabled
Enabled
Enabled
Accept if provided by client
Disabled
Enabled
Enabled
Enabled
Disabled
<None> (blank)
System\CurrentControlSet\Control\ProductOptions
System\CurrentControlSet\Control\Server Applications
Software\Microsoft\Windows NT\CurrentVersion
System\CurrentControlSet\Control\Print\Printers
System\CurrentControlSet\Services\Eventlog
Software\Microsoft\OLAP Server
Software\Microsoft\Windows NT\CurrentVersion\Print
Software\Microsoft\Windows NT\CurrentVersion\Windows
System\CurrentControlSet\Control\ContentIndex
System\CurrentControlSet\Control\Terminal Server
System\CurrentControlSet\Control\Terminal Server\UserConfig
System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration
Software\Microsoft\Windows NT\CurrentVersion\Perflib
System\CurrentControlSet\Services\SysmonLog
Enabled
<None> (blank)
Classic - local users authenticate as themselves
Enabled
Disabled
Disabled
RC4_HMAC_MD5
AES128_HMAC_SHA1
AES256_HMAC_SHA1
Future encryption types
Enabled
Enabled
Send NTLMv2 response only. Refuse LM & NTLM
Negotiate signing
Require NTLMv2 session security
Require 128-bit encryption
Require NTLMv2 session security
Require 128-bit encryption
Disabled
Disabled
Enabled
Disabled
Enabled
Enabled
Enabled
Enabled
Disabled
Prompt for consent
Prompt for credentials on the secure desktop
Enabled
Disabled
Enabled
Enabled
Enabled
Enabled
Disabled
Disabled
Disabled
Disabled
Disabled
Disabled
Disabled
Disabled
Disabled
Disabled
Disabled
Disabled
Disabled
Disabled
On (recommended)
Block (default)
Allow (default)
Yes (default)
No
No
No
%SYSTEMROOT%\System32\logfiles\firewall\domainfirewall.log
16,384 KB
Yes
Yes
On (recommended)
Block (default)
Allow (default)
Yes (default)
No
No
No
%SYSTEMROOT%\System32\logfiles\firewall\privatefirewall.log
16,384 KB
Yes
Yes
On (recommended)
Block (default)
Allow (default)
Yes
No
No
No
%SYSTEMROOT%\System32\logfiles\firewall\publicfirewall.log
16,384 KB
Yes
Yes
Enabled - Yes
Enabled - Yes
Success and Failure Advanced Audit Policy Settings can only be applied to Vista
<no auditing> Advanced Audit Policy Settings can only be applied to Vista
<no auditing> Advanced Audit Policy Settings can only be applied to Vista
<no auditing> Advanced Audit Policy Settings can only be applied to Vista
<no auditing> Advanced Audit Policy Settings can only be applied to Vista
Success and Failure Advanced Audit Policy Settings can only be applied to Vista
<no auditing> Advanced Audit Policy Settings can only be applied to Vista
Success and Failure Advanced Audit Policy Settings can only be applied to Vista
Success and Failure Advanced Audit Policy Settings can only be applied to Vista
Success and Failure Advanced Audit Policy Settings can only be applied to Vista
<no auditing> Advanced Audit Policy Settings can only be applied to Vista
<no auditing> Advanced Audit Policy Settings can only be applied to Vista
<no auditing> Advanced Audit Policy Settings can only be applied to Vista
<no auditing> Advanced Audit Policy Settings can only be applied to Vista
<no auditing> Advanced Audit Policy Settings can only be applied to Vista
<no auditing> Advanced Audit Policy Settings can only be applied to Vista
<no auditing> Advanced Audit Policy Settings can only be applied to Vista
<no auditing> Advanced Audit Policy Settings can only be applied to Vista
<no auditing> Advanced Audit Policy Settings can only be applied to Vista
<no auditing> Advanced Audit Policy Settings can only be applied to Vista
<no auditing> Advanced Audit Policy Settings can only be applied to Vista
Success and Failure Advanced Audit Policy Settings can only be applied to Vista
<no auditing> Advanced Audit Policy Settings can only be applied to Vista
<no auditing> Advanced Audit Policy Settings can only be applied to Vista
<no auditing> Advanced Audit Policy Settings can only be applied to Vista
<no auditing> Advanced Audit Policy Settings can only be applied to Vista
<no auditing> Advanced Audit Policy Settings can only be applied to Vista
<no auditing> Advanced Audit Policy Settings can only be applied to Vista
<no auditing> Advanced Audit Policy Settings can only be applied to Vista
<no auditing> Advanced Audit Policy Settings can only be applied to Vista
<no auditing> Advanced Audit Policy Settings can only be applied to Vista
<no auditing> Advanced Audit Policy Settings can only be applied to Vista
<no auditing> Advanced Audit Policy Settings can only be applied to Vista
Success and Failure Advanced Audit Policy Settings can only be applied to Vista
<no auditing> Advanced Audit Policy Settings can only be applied to Vista
<no auditing> Advanced Audit Policy Settings can only be applied to Vista
<no auditing> Advanced Audit Policy Settings can only be applied to Vista
<no auditing> Advanced Audit Policy Settings can only be applied to Vista
<no auditing> Advanced Audit Policy Settings can only be applied to Vista
<no auditing> Advanced Audit Policy Settings can only be applied to Vista
Success and Failure Advanced Audit Policy Settings can only be applied to Vista
Success and Failure Advanced Audit Policy Settings can only be applied to Vista
<no auditing> Advanced Audit Policy Settings can only be applied to Vista
Success and Failure Advanced Audit Policy Settings can only be applied to Vista
Success and Failure Advanced Audit Policy Settings can only be applied to Vista
Success and Failure Advanced Audit Policy Settings can only be applied to Vista
<no auditing> Advanced Audit Policy Settings can only be applied to Vista
<no auditing> Advanced Audit Policy Settings can only be applied to Vista
Disabled
Disabled
Enabled
Enabled
Enabled New setting in Windows 7 / Server 2008 R2
Enabled
Enabled State
Enabled
Disabled State
Enabled
Disabled State
Enabled
Disabled State
Enabled
Disabled State
Disabled
Enabled
Disabled
This category requires installing the PtH.admx/adml templa
This setting requires installing the PtH.admx/adml template
Does not apply to Windows Vista / Server 2008 - This setting
Disabled
Enabled
Disabled
Enabled
Enabled
Do not search Windows Update
TRUE (checked)
Enabled
Disabled
Enabled New setting in Windows 7 / Server 2008 R2 - This setting req
Enabled
Enabled
Enabled
Enabled
Enabled
Enabled
Enabled
Enabled
Enabled
Enabled
Enabled
Enabled
This category requires installing the GroupPolicy.admx/adm
Enabled
1200
Enabled
1200
Disabled
Disabled
Enabled
Enabled
Enabled
Authenticated
Disabled
Disabled
Disabled
Enabled
Local approved server, not "time.windows.com"
Enabled
Enabled
Enabled
Enabled
Enabled
Enabled
Disabled
Enabled
Enabled
High Level
Enabled
15 minutes
Enabled
1 minute
Disabled
Disabled
Enabled
This category requires installing the Search.admx/adml tem
Disabled
Disabled
This category requires installing the SearchOCR.admx/adml
Disabled
Enabled
Disabled
Enabled
Enabled
Enabled
Enabled
Enabled
Enabled
Enabled
Disabled
Disabled
Enabled
Advanced Audit Policy Settings can only be applied to Vista (and Server 2008?) via Auditpol.exe logon scripts
the GroupPolicy.admx/adml template files from the Windows 10 R1607 & Server 2016 Administrative Templates to access
the lanmanworkstation.admx/adml template files from the Windows 10 Administrative Templates to access
ver 2008 R2
the networkprovider.admx/adml template files from MS15-011 / KB3000483 or the Windows 10 Administrative Templates to access
the networkprovider.admx/adml template files from MS15-011 / KB3000483 or the Windows 10 Administrative Templates to access
the Disable-IPv6-Components-KB929852.adm file in the remediation package. It is documented by MSKB 929852
the appv.admx/adml template files from the Windows 10 R1607 & Server 2016 Administrative Templates to access
Server 2012 R2, but retroactively applies to Windows 7 / Server 2008 R2 and above with KB3004375 installed
the deviceguard.admx/adml template files from the Windows 10 Administrative Templates to access
http://support.microsoft.com/kb/2516445
http://support.microsoft.com/kb/2516445
http://support.microsoft.com/kb/2516445
the DeviceRedirection.admx/adml template files from the Windows 7/2008R2, 8/2012, 8.1/2012R2 or 10 Administrative Templates to a
the EnhancedStorage.admx/adml template files from the Windows 7/2008R2, 8/2012, 8.1/2012R2 or 10 Administrative Templates to a
the FileServerVSSAgent.admx/adml template files from the Windows 8/2012, 8.1/2012R2 or 10 Administrative Templates to access
ver 2008 R2 - This setting requires installing the ShapeCollector.admx/adml template files from the Windows 7/2008R2, 8/2012, 8.1/201
the GroupPolicy.admx/adml template files from the Windows 10 Administrative Templates to access
the Power.admx/adml template files from the Windows 10 R1607 & Server 2016 Administrative Templates to access
the sdiagschd.admx/adml template files from the Windows 7/2008R2, 8/2012, 8.1/2012R2 or 10 Administrative Templates to access
the WindowsAnytimeUpgrade.admx/adml template files from the Windows 8/2012, 8.1/2012R2 or 10 Administrative Templates to acc
ndows Anytime Upgrade from running." in the "Windows Anytime Upgrade" category
ogram Inventory"
ver 2008 R2
the Camera.admx/adml template files from the Windows 10 R1607 & Server 2016 Administrative Templates to access
the WirelessDisplay.admx/adml template files from the Windows 10 R1607 & Server 2016 Administrative Templates to access
the allowbuildpreview.admx/adml and datacollection.admx/adml template files from the Windows 10 Administrative Templates to ac
the DeliveryOptimization.admx/adml template files from the Windows 10 Administrative Templates to access
the eventlogging.admx/adml template files from the Windows 10 Administrative Templates to access
ver 2008 R2
ver 2008 R2
the microsoftedge.admx/adml template files from the Windows 10 Administrative Templates to access
the microsoftedge.admx/adml template files from the Windows 10 Administrative Templates to access
the Search.admx/adml template files from the Windows Vista/2008, 7/2008R2, 8/2012, 8.1/2012R2 or 10 Administrative Templates to
the SearchOCR.admx/adml template files from the Windows 7/2008R2, 8/2012, 8.1/2012R2 or 10 Administrative Templates to access
the avsvalidationgp.admx/adml template files from the Windows 10 Administrative Templates to access
the WinStoreUI.admx/adml template files from the Windows 8/2012 or 8.1/2012R2 Administrative Templates to access
the textinput.admx/adml template files from the Windows 10 Administrative Templates to access
Microsoft Spynet Reporting"
the gamedvr.admx/adml template files from the Windows 10 Administrative Templates to access
the passport.admx/adml template files from the Windows 10 R1607 & Server 2016 Administrative Templates to access
the WindowsInkWorkspace.admx/adml template files from the Windows 10 R1607 & Server 2016 Administrative Templates to access
Master Windows 7 Compliance Analysis - CIS & USGCB - User Settings
By Haemish Edgerton
Updated: 2/14/2017
Dark Gray = Setting not listed in this profile
Columns: CIS Win7 v1.2.0 Rule # | CIS Win7 v2.1.0 Rule # | CIS Win7 v3.0.1 Rule # | USGCB Win7 v1.2.0 CCE ID v5 | GPO Folder
2 User Configuration
Policies
2.1 19 Administrative Templates
19.1 Control Panel
19.1.1 Add or Remove Programs
19.1.2 Display
19.1.3 Personalization
1.13.10 2.1.2.1.1 19.1.3.1 CCE-10051-1 Enable screen saver
1.13.8 2.1.2.1.4 19.1.3.2 CCE-9958-0 Force specific screen saver
1.13.8 2.1.2.1.4 19.1.3.2
1.13.7 2.1.2.1.3 19.1.3.3 CCE-9730-3 Password protect the screen saver
1.13.9 2.1.2.1.2 19.1.3.4 CCE-10148-5 Screen saver timeout
1.13.9 2.1.2.1.2 19.1.3.4 CCE-10148-5
19.2 Desktop
19.3 Network
19.4 Shared Folders
19.5 Start Menu and Taskbar
19.5.1 Notifications
19.6 System
1.13.6 Prevent access to registry editing tools
19.6.1 Ctrl+Alt+Del Options
19.6.2 Driver Installation
19.6.3 Folder Redirection
19.6.4 Group Policy
19.6.5 Internet Communication Management
19.6.5.1 Internet Communication settings
19.6.5.1.1 Turn off Help Experience Improvemen
CCE-10295-4 Turn off Help Ratings
2.1.1 19.7 Windows Components
19.7.1 Add features to Windows 8 / 8.1 / 10
19.7.2 App runtime
19.7.3 Application Compatibility
2.1.1.1 19.7.4 Attachment Manager
1.13.1 2.1.1.1.2 19.7.4.1 CCE-10166-7 Do not preserve zone information in file attachments
1.13.2 2.1.1.1.1 CCE-9684-2 Hide mechanisms to remove zone information
1.13.3 2.1.1.1.3 19.7.4.2 CCE-10076-8 Notify antivirus programs when opening attachments
19.7.5 AutoPlay Policies
19.7.6 Backup
19.7.7 Cloud Content
19.7.8 Credential User Interface
19.7.9 Data Collection and Preview Builds
19.7.10 Desktop Gadgets
19.7.11 Desktop Window Manager
19.7.12 Digital Locker
19.7.13 Edge UI
19.7.14 File Explorer
1.13.4 Remove CD Burning features
1.13.5 Remove Security tab
19.7.15 File Revocation
19.7.16 IME
19.7.17 Import Video
19.7.18 Instant Search
19.7.19 Internet Explorer
19.7.20 Location and Sensors
19.7.21 Microsoft Edge
19.7.22 Microsoft Management Console
19.7.23 Microsoft User Experience Virtualization
19.7.24 NetMeeting
19.7.25 Network Projector
19.7.26 Network Sharing
19.7.26.1 CCE-10644-3 Prevent users from sharing files within
19.7.27 Presentation Settings
19.7.28 Remote Desktop Services
19.7.29 RSS Feeds
19.7.30 Search
19.7.31 Sound Recorder
19.7.32 Store
19.7.33 Tablet PC
19.7.34 Task Scheduler
19.7.35 Windows Calendar
19.7.36 Windows Color System
19.7.37 Windows Error Reporting
19.7.38 Windows Hello for Business (formerly Microsoft Passport for Work)
19.7.39 Windows Installer
19.7.39.1 Always install with elevated privileges
19.7.40 Windows Logon Options
19.7.41 Windows Mail
19.7.42 Windows Media Center
19.7.43 Windows Media Player
19.7.43.1 Networking
19.7.43.2 Playback
19.7.43.2.1 Prevent Codec Download
Dark Gray = Setting not listed in this profile
Policy
Do not preserve zone information in file attachments
Hide mechanisms to remove zone information
Notify antivirus programs when opening attachments
Windows Hello for Business (formerly Microsoft Passport for Work)
Enabled
Enabled
scrnsave.scr
Enabled
Enabled
900 seconds or less
<not configured>
Disabled
Enabled
Enabled
<not configured>
<not configured>
CIS Win7 v1.2.0
Level 2 Value
Enabled
Enabled
scrnsave.scr
Enabled
Enabled
900 seconds or less
Enabled
Disabled
Enabled
Enabled
Enabled
Enabled
CIS Win7 v2.1.0
Value
Enabled
Enabled
scrnsave.scr
Enabled
Enabled
900 seconds or less
Disabled
Enabled
Enabled
CIS Win7 v3.0.1
Level 1 Value
Enabled
Enabled
scrnsave.scr
Enabled
Enabled
900 seconds or fewer, but not 0
Disabled
Enabled
Enabled
Disabled
CIS Win7 v3.0.1
Level 2 Value
Enabled
Enabled
USGCB Win7 v1.2.0
Value Notes
Enabled
<not defined>
Enabled
Enabled
900 seconds
Enabled
Disabled
Enabled
Enabled
This category requires installing the CloudContent.admx/ad
Enabled
g the DataCollection.admx/adml template files from the Windows 10 R1607 & Server 2016 Administrative Templates to access
g the microsoftedge.admx/adml template files from the Windows 10 Administrative Templates to access
g the passport.admx/adml template files from the Windows 10 Administrative Templates to access
g the Search.admx/adml template files from the Windows Vista/2008, 7/2008R2, 8/2012, 8.1/2012R2 or 10 Administrative Templates t
g the WinStoreUI.admx/adml template files from the Windows 8/2012 or 8.1/2012R2 Administrative Templates to access
g the passport.admx/adml template files from the Windows 10 R1607 & Server 2016 Administrative Templates to access