
Master Windows 7 Compliance Analysis - CIS & USGCB - Computer Settings

By Haemish Edgerton. Updated: 2/14/2017. Legend: Green = only applies to BitLocke

Columns: CIS Win7 v1.2.0 Rule # | CIS Win7 v2.1.0 Rule # | CIS Win7 v3.0.1 Rule # | USGCB Win7 v1.2.0 CCE ID v5 | GPO Folder / Setting
(Each row carries only the identifiers that exist for that setting; a missing identifier means the setting has no entry in that benchmark version.)
1 Computer Configuration
Policies
1.2 Windows Settings
1.2.1 Security Settings
1 1.2.1.4 1 Account Policies
1.2.1.4.2 1.1 Password Policy
1.1.1 1.2.1.4.2.4 1.1.1 CCE-8912-8 Enforce password history
1.1.2 1.2.1.4.2.3 1.1.2 CCE-9193-4 Maximum password age
1.1.3 1.2.1.4.2.5 1.1.3 CCE-9330-2 Minimum password age
1.1.4 1.2.1.4.2.2 1.1.4 CCE-9357-5 Minimum password length
1.1.5 1.2.1.4.2.6 1.1.5 CCE-9370-8 Password must meet complexit
1.1.6 1.2.1.4.2.1 1.1.6 CCE-9260-1 Store passwords using reversib
1.2.1.4.1 1.2 Account Lockout Policy
1.1.7 1.2.1.4.1.1 1.2.1 CCE-9308-8 Account lockout duration
1.1.8 1.2.1.4.1.2 1.2.2 CCE-9136-3 Account lockout threshold
1.1.9 1.2.1.4.1.3 1.2.3 CCE-9400-3 Reset account lockout counter
1.2.1.1 2 Local Policies
1.2 2.1 Audit Policy
1.2.1 Audit account logon events
1.2.2 Audit account management
1.2.3 Audit directory service access
1.2.4 Audit logon events
1.2.5 Audit object access
1.2.6 Audit policy change
1.2.7 Audit privilege use
1.2.8 Audit process tracking
1.2.9 Audit system events
1.8 1.2.1.1.2 2.2 User Rights Assignment
1.8.39 1.2.1.1.2.29 2.2.1 Access Credential Manager as a

1.8.1 1.2.1.1.2.33 2.2.2 CCE-9253-6 Access this computer from the

1.8.2 1.2.1.1.2.35 2.2.3 CCE-9407-8 Act as part of the operating sys

1.8.3 1.2.1.1.2.20 2.2.4 CCE-9068-8 Adjust memory quotas for a pro

1.8.28 1.2.1.1.2.3 2.2.5 CCE-9345-0 Allow log on locally


1.8.29 1.2.1.1.2.1 2.2.6 CCE-9107-4 Allow log on through Remote D

1.8.4 1.2.1.1.2.30 2.2.7 CCE-9389-8 Back up files and directories

1.8.5 1.2.1.1.2.7 CCE-8414-5 Bypass traverse checking

1.8.6 1.2.1.1.2.5 2.2.8 CCE-8612-4 Change the system time

1.2.1.1.2.9 2.2.9 CCE-8423-6 Change the time zone

1.8.7 1.2.1.1.2.17 2.2.10 CCE-9185-0 Create a pagefile


1.8.8 1.2.1.1.2.18 2.2.11 CCE-9215-5 Create a token object

1.8.9 1.2.1.1.2.25 2.2.12 CCE-8431-9 Create global objects

1.8.10 1.2.1.1.2.41 2.2.13 CCE-9254-4 Create permanent shared objec


1.8.30 1.2.1.1.2.19 2.2.14 CCE-8460-8 Create symbolic links
1.8.11 1.2.1.1.2.4 2.2.15 CCE-8583-7 Debug programs

1.8.12 1.2.1.1.2.23 2.2.16 CCE-9244-5 Deny access to this computer fr

1.2.1.1.2.34 2.2.17 CCE-9212-2 Deny log on as a batch job


1.2.1.1.2.36 2.2.18 CCE-9098-5 Deny log on as a service
1.8.31 1.2.1.1.2.32 2.2.19 CCE-9239-5 Deny log on locally

1.8.32 2.2.20 CCE-9274-2 Deny log on through Remote D

1.8.13 1.2.1.1.2.37 2.2.21 Enable computer and user acco


1.8.14 1.2.1.1.2.22 2.2.22 CCE-9336-9 Force shutdown from a remote

1.8.33 1.2.1.1.2.21 2.2.23 CCE-9226-2 Generate security audits

1.8.15 1.2.1.1.2.24 2.2.24 CCE-8467-3 Impersonate a client after auth

1.8.34 1.2.1.1.2.40 CCE-9048-0 Increase a process working set

1.8.16 1.2.1.1.2.6 2.2.25 CCE-8999-5 Increase scheduling priority


1.8.17 1.2.1.1.2.31 2.2.26 CCE-9135-5 Load and unload device drivers
1.8.18 1.2.1.1.2.27 2.2.27 CCE-9289-0 Lock pages in memory
1.8.35 1.2.1.1.2.2 2.2.28 CCE-9320-3 Log on as a batch job
1.8.36 1.2.1.1.2.11 2.2.29 CCE-9461-5 Log on as a service
1.8.19 1.2.1.1.2.28 2.2.30 CCE-9223-9 Manage auditing and security lo
1.8.21 1.2.1.1.2.16 2.2.31 CCE-9149-6 Modify an object label
1.8.20 1.2.1.1.2.14 2.2.32 CCE-9417-7 Modify firmware environment
1.8.22 1.2.1.1.2.26 2.2.33 CCE-8475-6 Perform volume maintenance t
1.8.23 1.2.1.1.2.15 2.2.34 CCE-9388-0 Profile single process

1.8.24 1.2.1.1.2.38 2.2.35 CCE-9419-3 Profile system performance

1.8.25 1.2.1.1.2.8 CCE-9326-0 Remove computer from dockin

1.8.26 1.2.1.1.2.13 2.2.36 CCE-8732-0 Replace a process level token

1.8.37 1.2.1.1.2.12 2.2.37 CCE-9124-9 Restore files and directories

1.8.27 1.2.1.1.2.39 2.2.38 CCE-9014-2 Shut down the system

1.8.38 1.2.1.1.2.10 2.2.39 CCE-9309-6 Take ownership of files or othe


1.9 1.2.1.1.1 2.3 Security Options
1.9.5 1.2.1.1.1.16 2.3.1.1 CCE-9199-1 Accounts: Administrator accoun
1.9.6 1.2.1.1.1.28 2.3.1.2 CCE-8714-8 Accounts: Guest account status
1.9.8 1.2.1.1.1.12 2.3.1.3 CCE-9418-5 Accounts: Limit local use of blan
1.9.3 2.3.1.4 CCE-8484-8 Accounts: Rename administrato
1.9.4 2.3.1.5 CCE-9229-6 Accounts: Rename guest accou
1.2.1.1.1.26 CCE-9150-4 Audit: Audit the access of globa
1.2.1.1.1.85 CCE-8789-0 Audit: Audit the use of Backup
1.2.11 1.2.1.1.1.44 2.3.2.1 CCE-9432-6 Audit: Force audit policy subcat
1.2.10 1.2.1.1.1.76 2.3.2.2 Audit: Shut down system imme
1.2.1.1.1.90 Devices: Allow undock without
1.9.9 1.2.1.1.1.4 2.3.4.1 Devices: Allowed to format and
1.9.10 1.2.1.1.1.39 2.3.4.2 CCE-9026-6 Devices: Prevent users from ins
1.9.11 CCE-9304-7 Devices: Restrict CD-ROM acces
1.9.12 CCE-9440-9 Devices: Restrict floppy access
1.9.13 1.2.1.1.1.55 2.3.6.1 CCE-8974-8 Domain member: Digitally encr
1.9.14 1.2.1.1.1.56 2.3.6.2 CCE-9251-0 Domain member: Digitally encr
1.9.15 1.2.1.1.1.49 2.3.6.3 CCE-9375-7 Domain member: Digitally sign
1.9.16 1.2.1.1.1.51 2.3.6.4 CCE-9295-7 Domain member: Disable mach
1.9.17 1.2.1.1.1.36 2.3.6.5 CCE-9123-1 Domain member: Maximum ma
1.9.18 1.2.1.1.1.13 2.3.6.6 CCE-9387-2 Domain member: Require stron
1.2.1.1.1.78 Interactive logon: Display user i
1.9.19 1.2.1.1.1.70 2.3.7.1 CCE-9449-0 Interactive logon: Do not displa
1.9.73 1.2.1.1.1.91 2.3.7.2 CCE-9317-9 Interactive logon: Do not requir
1.9.24 1.2.1.1.1.19 2.3.7.3 CCE-8973-0 Interactive logon: Message text
1.9.25 1.2.1.1.1.9 2.3.7.4 CCE-8740-3 Interactive logon: Message title
1.9.20 1.2.1.1.1.69 2.3.7.5 CCE-8487-1 Interactive logon: Number of pr
1.9.21 1.2.1.1.1.87 2.3.7.6 CCE-9307-0 Interactive logon: Prompt user
1.9.22 1.2.1.1.1.75 CCE-8818-7 Interactive logon: Require Dom
1.9.26 1.2.1.1.1.67 Interactive logon: Require smar
1.9.23 1.2.1.1.1.3 2.3.7.7 CCE-9067-0 Interactive logon: Smart card re
1.9.27 1.2.1.1.1.30 2.3.8.1 CCE-9327-8 Microsoft network client: Digita
1.9.28 1.2.1.1.1.7 2.3.8.2 CCE-9344-3 Microsoft network client: Digita
1.9.29 1.2.1.1.1.64 2.3.8.3 CCE-9265-0 Microsoft network client: Send
1.9.30 1.2.1.1.1.82 2.3.9.1 CCE-9406-0 Microsoft network server: Amo
1.9.31 1.2.1.1.1.29 2.3.9.2 CCE-9040-7 Microsoft network server: Digit
1.9.32 1.2.1.1.1.24 2.3.9.3 CCE-8825-2 Microsoft network server: Digit
1.9.33 1.2.1.1.1.21 2.3.9.4 CCE-9358-3 Microsoft network server: Disco
1.9.34 1.2.1.1.1.15 2.3.9.5 CCE-8503-5 Microsoft network server: Serv
1.9.7 1.2.1.1.1.22 2.3.10.1 CCE-9531-5 Network access: Allow anonym
1.9.48 1.2.1.1.1.42 2.3.10.2 CCE-9249-4 Network access: Do not allow a
1.9.49 1.2.1.1.1.62 2.3.10.3 CCE-9156-1 Network access: Do not allow a
1.2.1.1.1.92 2.3.10.4 CCE-8654-6 Network access: Do not allow s
1.9.50 1.2.1.1.1.20 2.3.10.5 CCE-8936-7 Network access: Let Everyone p
1.9.51 1.2.1.1.1.77 2.3.10.6 CCE-9218-9 Network access: Named Pipes t

1.9.52 2.3.10.7 CCE-9121-5 Network access: Remotely acce

1.9.2 1.2.1.1.1.63 2.3.10.8 CCE-9386-4 Network access: Remotely acce

1.9.53 1.2.1.1.1.32 2.3.10.9 CCE-9540-6 Network access: Restrict anony


1.9.54 1.2.1.1.1.88 2.3.10.10 CCE-9196-7 Network access: Shares that ca
1.9.55 1.2.1.1.1.10 2.3.10.11 CCE-9503-4 Network access: Sharing and se
1.9.71 1.2.1.1.1.66 2.3.11.1 CCE-9096-9 Network security: Allow Local S
1.9.70 1.2.1.1.1.53 2.3.11.2 CCE-8804-7 Network security: Allow LocalSy
1.9.72 1.2.1.1.1.46 2.3.11.3 CCE-9770-9 Network security: Allow PKU2U

1.2.1.1.1.34 2.3.11.4 CCE-9532-3 Network security: Configure en

1.9.56 1.2.1.1.1.47 2.3.11.5 CCE-8937-5 Network security: Do not store


1.2.1.1.1.57 2.3.11.6 CCE-9704-8 Network security: Force logoff w
1.9.57 1.2.1.1.1.61 2.3.11.7 CCE-8806-2 Network security: LAN Manage
1.9.58 1.2.1.1.1.81 2.3.11.8 CCE-9768-3 Network security: LDAP client s
1.9.59 1.2.1.1.1.11 2.3.11.9 CCE-9534-9 Network security: Minimum ses

1.9.1 1.2.1.1.1.72 2.3.11.10 CCE-9736-0 Network security: Minimum ses

1.2.1.1.1.68 Network Security: Restrict NTLM


1.2.1.1.1.43 Network Security: Restrict NTLM
1.2.1.1.1.58 Network Security: Restrict NTLM
1.2.1.1.1.1 Network Security: Restrict NTLM
1.2.1.1.1.38 Network Security: Restrict NTLM
1.2.1.1.1.71 Network Security: Restrict NTLM
1.2.1.1.1.31 Network Security: Restrict NTLM
1.9.60 1.2.1.1.1.54 CCE-8807-0 Recovery console: Allow autom
1.9.61 1.2.1.1.1.86 CCE-8945-8 Recovery console: Allow floppy
1.9.62 1.2.1.1.1.18 CCE-9707-1 Shutdown: Allow system to be
1.2.1.1.1.65 CCE-9222-1 Shutdown: Clear virtual memor
1.9.66 1.2.1.1.1.33 2.3.14.1 System cryptography: Force str
1.9.63 1.2.1.1.1.35 CCE-9266-8 System cryptography: Use FIPS
1.9.64 1.2.1.1.1.83 2.3.15.1 CCE-9319-5 System objects: Require case in
1.9.65 1.2.1.1.1.40 2.3.15.2 CCE-9191-8 System objects: Strengthen def
1.2.1.1.1.5 2.3.16.1 System settings: Optional subsy
1.9.67 1.2.1.1.1.84 System settings: Use Certificate
1.7.1 1.2.1.1.1.23 2.3.17.1 CCE-8811-2 User Account Control: Admin A
1.7.9 1.2.1.1.1.48 2.3.17.2 CCE-9301-3 User Account Control: Allow UI
1.7.2 1.2.1.1.1.89 2.3.17.3 CCE-8958-1 User Account Control: Behavior
1.7.3 1.2.1.1.1.52 2.3.17.4 CCE-8813-8 User Account Control: Behavior
1.7.4 1.2.1.1.1.2 2.3.17.5 CCE-9616-4 User Account Control: Detect a
1.2.1.1.1.37 CCE-9021-7 User Account Control: Only elev
1.7.5 1.2.1.1.1.79 2.3.17.6 CCE-9801-2 User Account Control: Only elev
1.7.6 1.2.1.1.1.80 2.3.17.7 CCE-9189-2 User Account Control: Run all a
1.7.7 1.2.1.1.1.50 2.3.17.8 CCE-9395-5 User Account Control: Switch to
1.7.8 1.2.1.1.1.74 2.3.17.9 CCE-8817-9 User Account Control: Virtualize
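The Account Policies, User Rights Assignment and Security Options rows above are all readable from one `secedit` export of the local security database. The script below is an added example, not part of the spreadsheet or of either benchmark: it exports the effective policy, parses the INF, and grades a representative subset of the rows. Assumptions: an elevated PowerShell 2.0 session on Windows 7 (so no later syntax is used), and the target values (history 24, length 14, lockout threshold 10, LmCompatibilityLevel 5, and so on), which are taken from the CIS Windows 7 benchmark rather than from this page; change them to match the benchmark version you audit.

```powershell
# Added example: grade Account Policies, User Rights and Security Options rows
# against an exported local security policy. Not from the spreadsheet or either
# benchmark. Assumes elevated PowerShell 2.0 on Windows 7; target values are an
# assumption taken from the CIS Windows 7 benchmark.

function Get-SecurityPolicy {
    # Returns @{ 'System Access'=@{}; 'Privilege Rights'=@{}; 'Registry Values'=@{} } parsed from secedit's INF
    $inf = Join-Path $env:TEMP ('secpol-{0}.inf' -f $PID)
    $null = & secedit.exe /export /cfg $inf /quiet
    if (-not (Test-Path $inf)) { throw 'secedit export failed; run from an elevated prompt' }
    $policy = @{}
    $section = $null
    foreach ($raw in Get-Content $inf) {            # secedit writes UTF-16 with a BOM, which Get-Content detects
        $line = $raw.Trim()
        if ($line -match '^\[(.+)\]$') { $section = $matches[1]; $policy[$section] = @{}; continue }
        if ($section -and $line -match '^(.+?)\s*=\s*(.*)$') { $policy[$section][$matches[1]] = $matches[2] }
    }
    Remove-Item $inf -Force
    return $policy
}

# Op 'le!' = at most W but never 0/-1: secedit stores "never expires" / "never lock out"
# as 0 or -1, which an ordinary upper-bound check would wrongly accept.
# Op 'set' = exact principal set; SIDs appear as *S-1-5-32-544 (Administrators), *S-1-5-32-546 (Guests).
# 'Registry Values' entries are stored as type,value (4 = REG_DWORD), hence W='4,5'.
$checks = @(
  @{N='Enforce password history';             S='System Access';    K='PasswordHistorySize';   Op='ge';  W=24},
  @{N='Maximum password age';                 S='System Access';    K='MaximumPasswordAge';    Op='le!'; W=60},
  @{N='Minimum password age';                 S='System Access';    K='MinimumPasswordAge';    Op='ge';  W=1},
  @{N='Minimum password length';              S='System Access';    K='MinimumPasswordLength'; Op='ge';  W=14},
  @{N='Password must meet complexity';        S='System Access';    K='PasswordComplexity';    Op='eq';  W='1'},
  @{N='Store passwords using reversible enc.';S='System Access';    K='ClearTextPassword';     Op='eq';  W='0'},
  @{N='Account lockout duration';             S='System Access';    K='LockoutDuration';       Op='ge';  W=15},
  @{N='Account lockout threshold';            S='System Access';    K='LockoutBadCount';       Op='le!'; W=10},
  @{N='Reset account lockout counter after';  S='System Access';    K='ResetLockoutCount';     Op='ge';  W=15},
  @{N='Act as part of the operating system';  S='Privilege Rights'; K='SeTcbPrivilege';        Op='set'; W=''},
  @{N='Debug programs';                       S='Privilege Rights'; K='SeDebugPrivilege';      Op='set'; W='*S-1-5-32-544'},
  @{N='Deny log on through Remote Desktop';   S='Privilege Rights'; K='SeDenyRemoteInteractiveLogonRight'; Op='set'; W='*S-1-5-32-546'},
  @{N='LAN Manager authentication level';     S='Registry Values';  K='MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel'; Op='eq'; W='4,5'},
  @{N='Do not store LAN Manager hash';        S='Registry Values';  K='MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash';             Op='eq'; W='4,1'},
  @{N='Do not display last user name';        S='Registry Values';  K='MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName'; Op='eq'; W='4,1'}
)

function Test-SecurityPolicy($policy, $checks) {
    foreach ($c in $checks) {
        $have = $policy[$c.S][$c.K]
        if ($c.S -eq 'Privilege Rights' -and $null -eq $have) { $have = '' }   # a right held by no one is simply absent
        $pass = $false
        if ($null -ne $have) {
            switch ($c.Op) {
                'eq'  { $pass = ([string]$have -eq [string]$c.W) }
                'ge'  { $pass = ([int]$have -ge $c.W) }
                'le!' { $pass = ([int]$have -ge 1 -and [int]$have -le $c.W) }
                'set' { $pass = ((@($have -split ',') | Sort-Object) -join ',') -eq ((@($c.W -split ',') | Sort-Object) -join ',') }
            }
        }
        New-Object PSObject -Property @{ Setting=$c.N; Have=$have; Want=$c.W; Pass=$pass }
    }
}

Test-SecurityPolicy (Get-SecurityPolicy) $checks | Select-Object Setting, Have, Want, Pass | Format-Table -AutoSize
```

Two details matter when reading the output. The `[Privilege Rights]` section omits any right that no principal holds, so "No One" is checked as an absent key rather than an empty value, and a Security Option that was never configured is absent from `[Registry Values]` and is reported with an empty Have column. On a domain member the export reflects whatever Group Policy last applied, so it is a check of effective state, not of the GPO itself.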
3 Event Log
4 Restricted Groups
5 System Services
CCE-10661-7 Bluetooth Support Service (bth
CCE-10150-1 Fax (Fax)
CCE-10543-7 HomeGroup Listener (HomeGro
CCE-9910-1 HomeGroup Provider (HomeGr
CCE-18249-3 IIS Admin Service (IISADMIN)
CCE-10699-7 Media Center Extender Service
CCE-18249-3 Microsoft FTP Service (FTPSVC)
CCE-10311-9 Parental Controls (WPCSvc)
CCE-18629-6 Simple TCP/IP Services (simptcp
CCE-18739-3 Telnet (TlntSvr)
CCE-18249-3 Web Management Service (WM
CCE-18300-4 Windows Media Center Receive
CCE-18300-4 Windows Media Center Schedu
CCE-18249-3 World Wide Web Publishing Se
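The System Services rows above are all "should be Disabled" findings. The script below is an added example, not part of the spreadsheet, that reads each service's start mode through WMI (PowerShell 2.0 on Windows 7 has no `-StartupType` on `Get-Service`) and can optionally stop and disable anything still enabled. The short service names the page truncates (bthserv, Mcx2Svc, ehRecvr, ehSched, WMSvc, W3SVC) are filled in from memory and are an assumption; a service that is not installed is reported as compliant but labelled so it is not mistaken for a disabled one.

```powershell
# Added example: confirm the System Services rows are disabled, with optional remediation.
# Not from the spreadsheet. Assumes elevated PowerShell 2.0 on Windows 7; short names the
# page truncates (bthserv, Mcx2Svc, ehRecvr, ehSched, WMSvc, W3SVC) are an assumption.

function Test-DisabledServices {
    param(
        [string[]]$Names = @('bthserv','Fax','HomeGroupListener','HomeGroupProvider','IISADMIN','Mcx2Svc',
                             'FTPSVC','WPCSvc','simptcp','TlntSvr','WMSvc','ehRecvr','ehSched','W3SVC'),
        [switch]$Remediate
    )
    foreach ($name in $Names) {
        $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$name'"
        if ($null -eq $svc) {
            # Optional component not installed: nothing to disable, so record it as compliant but visible
            New-Object PSObject -Property @{ Service=$name; StartMode='(not installed)'; State='-'; Compliant=$true }
            continue
        }
        if ($Remediate -and $svc.StartMode -ne 'Disabled') {
            $null = $svc.StopService()
            $rc = $svc.ChangeStartMode('Disabled').ReturnValue      # 0 = success (Win32_Service return codes)
            if ($rc -ne 0) { Write-Warning "${name}: ChangeStartMode returned $rc" }
            $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$name'"   # re-read after the change
        }
        New-Object PSObject -Property @{ Service=$name; StartMode=$svc.StartMode; State=$svc.State; Compliant=($svc.StartMode -eq 'Disabled') }
    }
}

Test-DisabledServices | Select-Object Service, StartMode, State, Compliant | Format-Table -AutoSize
# Test-DisabledServices -Remediate    # stop and disable anything still enabled
```

Disabling the start mode alone leaves a running instance up until reboot, which is why the remediation path stops the service first; conversely a service that is stopped but still Manual or Automatic is non-compliant because anything with the right privilege can start it.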
6 Registry
7 File System
8 Wired Network (IEEE 802.3) Policies
1.5 1.2.1.3 9 Windows Firewall with Advanced Security
1.2.1.3.1 Windows Firewall with Advanced Security - LDA
1.2.1.3.1.1 Windows Firewall Properties
1.2.1.3.1.1.3 9.1 Domain Profile
State
1.5.1 1.2.1.3.1.1.3.3 9.1.1 CCE-9465-6 Firewall state
1.5.2 1.2.1.3.1.1.3.5 9.1.2 CCE-9620-6 Inbound connections
1.2.1.3.1.1.3.1 9.1.3 CCE-9509-1 Outbound connections
Settings
Firewall settings
1.5.3 1.2.1.3.1.1.3.4 9.1.4 CCE-9774-1 Display a notification
Unicast response
1.5.4 1.2.1.3.1.1.3.7 CCE-9069-6 Allow unicast response
Rule merging
1.5.5 1.2.1.3.1.1.3.2 9.1.5 CCE-9686-7 Apply local firewall rules
1.5.6 1.2.1.3.1.1.3.6 9.1.6 CCE-9329-4 Apply local connection security
Logging
9.1.7 CCE-10022-2 Name
9.1.8 CCE-9747-7 Size limit (KB)
9.1.9 CCE-10502-3 Log dropped packets
9.1.10 CCE-10268-1 Log successful connections
1.2.1.3.1.1.1 9.2 Private Profile
State
1.5.7 1.2.1.3.1.1.1.4 9.2.1 CCE-9739-4 Firewall state
1.5.8 1.2.1.3.1.1.1.7 9.2.2 CCE-9694-1 Inbound connections
1.2.1.3.1.1.1.2 9.2.3 CCE-8870-8 Outbound connections
Settings
Firewall settings
1.5.9 1.2.1.3.1.1.1.3 9.2.4 CCE-8884-9 Display a notification
Unicast response
1.5.10 1.2.1.3.1.1.1.1 CCE-9522-4 Allow unicast response
Rule merging
1.5.11 1.2.1.3.1.1.1.5 9.2.5 CCE-9663-6 Apply local firewall rules
1.5.12 1.2.1.3.1.1.1.6 9.2.6 CCE-9712-1 Apply local connection security
Logging
9.2.7 CCE-10386-1 Name
9.2.8 CCE-10250-9 Size limit (KB)
9.2.9 CCE-10215-2 Log dropped packets
9.2.10 CCE-10611-2 Log successful connections
1.2.1.3.1.1.2 9.3 Public Profile
State
1.5.13 1.2.1.3.1.1.2.4 9.3.1 CCE-9593-5 Firewall state
1.5.14 1.2.1.3.1.1.2.2 9.3.2 CCE-9007-6 Inbound connections
1.2.1.3.1.1.2.7 9.3.3 CCE-9588-5 Outbound connections
Settings
Firewall settings
1.5.15 1.2.1.3.1.1.2.3 9.3.4 CCE-9742-8 Display a notification
Unicast response
1.5.16 1.2.1.3.1.1.2.6 CCE-9773-3 Allow unicast response
Rule merging
1.5.17 1.2.1.3.1.1.2.5 9.3.5 CCE-9786-5 Apply local firewall rules
1.5.18 1.2.1.3.1.1.2.1 9.3.6 CCE-9817-8 Apply local connection security
Logging
9.3.7 CCE-9926-7 Name
9.3.8 CCE-10373-9 Size limit (KB)
9.3.9 CCE-9749-3 Log dropped packets
9.3.10 CCE-9753-5 Log successful connections
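The three profile blocks above (Domain, Private, Public) each carry the same settings, and on Windows 7 the only built-in way to read them from a script is `netsh advfirewall`, since the NetSecurity module arrived with Windows 8. The script below is an added example, not part of the spreadsheet: it parses `netsh advfirewall show allprofiles` and grades the State, Inbound connections, Display a notification and Logging rows for each profile. Assumptions: an elevated PowerShell 2.0 session on an English-locale Windows 7 (netsh output is localized), and the targets (ON, BlockInbound, notification off, both log switches on, log size at least 16384 KB), which are taken from the CIS Windows 7 benchmark rather than from this page. The sample output embedded in the block is constructed, not captured from a host.

```powershell
# Added example: parse the three firewall profiles out of netsh and grade the State,
# Inbound, notification and Logging rows. Not from the spreadsheet. Assumes elevated
# PowerShell 2.0 on an English-locale Windows 7; targets are an assumption taken from
# the CIS Windows 7 benchmark.

function Get-FirewallProfiles {
    # Turns 'netsh advfirewall show allprofiles' output into @{ Domain=@{..}; Private=@{..}; Public=@{..} }
    param([string[]]$Lines = (& netsh.exe advfirewall show allprofiles))
    $profiles = @{}
    $current = $null
    foreach ($raw in $Lines) {
        $line = $raw.Trim()
        if ($line -match '^(Domain|Private|Public) Profile Settings:$') { $current = $matches[1]; $profiles[$current] = @{}; continue }
        # Setting lines are "<name><2+ spaces><value>"; 'Logging:' and the dashed rule have no value and are skipped
        if ($current -and $line -match '^(.+?)\s{2,}(.+)$') { $profiles[$current][$matches[1]] = $matches[2].Trim() }
    }
    return $profiles
}

function Test-FirewallProfile($name, $p) {
    $size = 0
    if ("$($p['MaxFileSize'])" -match '^\d+$') { $size = [int]$p['MaxFileSize'] }
    $rows = @(
        @{Setting='Firewall state';             Have=$p['State'];                   Pass=($p['State'] -eq 'ON')},
        @{Setting='Inbound connections';        Have=$p['Firewall Policy'];         Pass=("$($p['Firewall Policy'])" -like 'BlockInbound*')},
        @{Setting='Display a notification';     Have=$p['InboundUserNotification']; Pass=($p['InboundUserNotification'] -eq 'Disable')},
        @{Setting='Log dropped packets';        Have=$p['LogDroppedConnections'];   Pass=($p['LogDroppedConnections'] -eq 'Enable')},
        @{Setting='Log successful connections'; Have=$p['LogAllowedConnections'];   Pass=($p['LogAllowedConnections'] -eq 'Enable')},
        @{Setting='Size limit (KB)';            Have=$p['MaxFileSize'];             Pass=($size -ge 16384)}
    )
    foreach ($r in $rows) { New-Object PSObject -Property @{ Profile=$name; Setting=$r.Setting; Have=$r.Have; Pass=$r.Pass } }
}

function Get-FirewallReport([hashtable]$profiles) {
    $report = foreach ($name in 'Domain','Private','Public') {
        if ($profiles.ContainsKey($name)) { Test-FirewallProfile $name $profiles[$name] }
    }
    return $report
}

# Constructed sample (not real output from any host): a compliant Domain profile and a
# Public profile that fails every check, so the parser can be exercised offline.
$sample = @(
    'Domain Profile Settings:',
    '----------------------------------------------------------------------',
    'State                                 ON',
    'Firewall Policy                       BlockInbound,AllowOutbound',
    'LocalFirewallRules                    N/A (GPO-store only)',
    'InboundUserNotification               Disable',
    '',
    'Logging:',
    'LogAllowedConnections                 Enable',
    'LogDroppedConnections                 Enable',
    'FileName                              %systemroot%\system32\LogFiles\Firewall\domainfw.log',
    'MaxFileSize                           16384',
    '',
    'Public Profile Settings:',
    '----------------------------------------------------------------------',
    'State                                 OFF',
    'Firewall Policy                       AllowInbound,AllowOutbound',
    'InboundUserNotification               Enable',
    'Logging:',
    'LogAllowedConnections                 Disable',
    'LogDroppedConnections                 Disable',
    'MaxFileSize                           4096',
    'Ok.'
)

Get-FirewallReport (Get-FirewallProfiles -Lines $sample) | Select-Object Profile, Setting, Have, Pass | Format-Table -AutoSize   # offline
Get-FirewallReport (Get-FirewallProfiles)                 | Select-Object Profile, Setting, Have, Pass | Format-Table -AutoSize   # live host
```

The rule-merging rows (Apply local firewall rules, Apply local connection security rules) are deliberately not graded from netsh: when a profile is under Group Policy, netsh prints `N/A (GPO-store only)` for LocalFirewallRules and LocalConSecRules, so read those from the policy key `HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\<Domain|Private|Public>Profile` (`AllowLocalPolicyMerge`, `AllowLocalIPsecPolicyMerge`) instead. A profile missing from the parsed output (for example because netsh was run without elevation) simply produces no rows, so check that all three profiles appear before trusting a clean report.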
9.4 IPsec Settings
9.5 Inbound Rules
CCE-14854-4 Core Networking - Dynamic Ho
CCE-14986-4 Core Networking - Dynamic Ho
10 Network List Manager Policies
11 Wireless Network (IEEE 802.11) Policies
12 Public Key Policies
13 Software Restriction Policies
14 Network Access Protection NAP Client Configuration
15 Application Control Policies
16 IP Security Policies
1.3 1.2.1.2 17 Advanced Audit Policy Configuration
1.2.1.2.1 Audit Policies
1.2.1.2.1.8 17.1 Account Logon
1.3.19 1.2.1.2.1.8.4 17.1.1 CCE-9725-3 Audit Credential Validation
CCE-9718-8
1.2.1.2.1.8.1 CCE-9258-5 Audit Kerberos Authentication
CCE-9502-6
1.2.1.2.1.8.3 CCE-9148-8 Audit Kerberos Service Ticket O
CCE-9269-2
1.2.1.2.1.8.2 CCE-9808-7 Audit Other Account Logon Eve
CCE-9445-8
1.2.1.2.1.7 17.2 Account Management
1.2.1.2.1.7.6 17.2.1 CCE-8822-9 Audit Application Group Manag
CCE-9591-9
1.3.14 1.2.1.2.1.7.2 17.2.2 CCE-9498-7 Audit Computer Account Mana
CCE-9608-1
1.3.15 1.2.1.2.1.7.1 CCE-9644-6 Audit Distribution Group Mana
CCE-8829-4
1.3.16 1.2.1.2.1.7.5 17.2.3 CCE-9657-8 Audit Other Account Managem
CCE-9668-5
1.3.17 1.2.1.2.1.7.4 17.2.4 CCE-9692-5 Audit Security Group Managem
CCE-9056-3
1.3.18 1.2.1.2.1.7.3 17.2.5 CCE-9542-2 Audit User Account Manageme
CCE-9800-4
1.2.1.2.1.5 17.3 Detailed Tracking
1.2.1.2.1.5.1 CCE-9735-2 Audit DPAPI Activity
CCE-9412-8
1.3.11 1.2.1.2.1.5.3 17.3.1 CCE-9652-0 Audit Process Creation
CCE-9805-3
1.2.1.2.1.5.2 CCE-9227-0 Audit Process Termination
CCE-9818-6
1.2.1.2.1.5.4 CCE-9492-0 Audit RPC Events
CCE-9364-1
1.2.1.2.1.4 17.4 DS Access
1.2.1.2.1.4.2 CCE-9628-9 Audit Detailed Directory Service
CCE-9526-5
1.2.1.2.1.4.4 CCE-9765-9 Audit Directory Service Access
CCE-9791-5
1.2.1.2.1.4.3 CCE-9734-5 Audit Directory Service Change
CCE-8850-0
1.2.1.2.1.4.1 CCE-9637-0 Audit Directory Service Replicati
CCE-9755-0
1.2.1.2.1.3 17.5 Logon/Logoff
1.2.1.2.1.3.4 17.5.1 CCE-8853-4 Audit Account Lockout
CCE-9023-3
1.2.1.2.1.3.5 CCE-9661-0 Audit IPsec Extended Mode
CCE-8857-5
1.2.1.2.1.3.3 CCE-9715-4 Audit IPsec Main Mode
CCE-8956-5
1.2.1.2.1.3.6 CCE-9632-1 Audit IPsec Quick Mode
CCE-9671-9
1.3.5 1.2.1.2.1.3.7 17.5.2 CCE-8856-7 Audit Logoff
CCE-9058-9
1.3.6 1.2.1.2.1.3.9 17.5.3 CCE-9683-4 Audit Logon
CCE-9213-0
1.2.1.2.1.3.8 CCE-9076-1 Audit Network Policy Server
CCE-9741-0
1.2.1.2.1.3.1 17.5.4 CCE-9622-2 Audit Other Logon/Logoff Even
CCE-9631-3
1.3.7 1.2.1.2.1.3.2 17.5.5 CCE-9763-4 Audit Special Logon
CCE-9521-6
1.2.1.2.1.2 17.6 Object Access
1.2.1.2.1.2.10 CCE-9816-0 Audit Application Generated
CCE-8860-9
1.2.1.2.1.2.9 CCE-9460-7 Audit Certification Services
CCE-9488-8
1.2.1.2.1.2.11 CCE-9720-4 Audit Detailed File Share
CCE-8861-7
1.2.1.2.1.2.3 CCE-9376-5 Audit File Share
CCE-9405-2
1.3.8 1.2.1.2.1.2.4 CCE-9217-1 Audit File System
CCE-9811-1
1.2.1.2.1.2.12 CCE-9728-7 Audit Filtering Platform Connec
CCE-9569-5
1.2.1.2.1.2.7 CCE-9133-0 Audit Filtering Platform Packet
1.2.1.2.1.2.1 CCE-9789-9 Audit Handle Manipulation
CCE-10098-2
1.2.1.2.1.2.6 CCE-9803-8 Audit Kernel Object
CCE-9137-1
1.2.1.2.1.2.2 CCE-9455-7 Audit Other Object Access Even
CCE-9545-5
1.3.9 1.2.1.2.1.2.8 CCE-9737-8 Audit Registry
CCE-10078-4
1.2.1.2.1.2.5 CCE-9856-6 Audit SAM
CCE-9845-9
1.2.1.2.1.6 17.7 Policy Change
1.3.12 1.2.1.2.1.6.4 17.7.1 CCE-10021-4 Audit Audit Policy Change
CCE-9235-3
1.3.13 1.2.1.2.1.6.6 17.7.2 CCE-9976-2 Audit Authentication Policy Cha
CCE-10014-9
1.2.1.2.1.6.3 CCE-9633-9 Audit Authorization Policy Chan
CCE-10050-3
1.2.1.2.1.6.2 CCE-9902-8 Audit Filtering Platform Policy C
CCE-10081-8
1.2.1.2.1.6.1 CCE-9153-8 Audit MPSSVC Rule-Level Policy
CCE-9913-5
1.2.1.2.1.6.5 CCE-9596-8 Audit Other Policy Change Even
CCE-10049-5
1.2.1.2.1.9 17.8 Privilege Use
1.2.1.2.1.9.2 CCE-9190-0 Audit Non Sensitive Privilege Us
CCE-9159-5
1.2.1.2.1.9.1 CCE-9988-7 Audit Other Privilege Use Event
CCE-9314-6
1.3.10 1.2.1.2.1.9.3 17.8.1 CCE-9878-0 Audit Sensitive Privilege Use
CCE-9172-8
1.2.1.2.1.1 17.9 System
1.3.1 1.2.1.2.1.1.4 17.9.1 CCE-9925-9 Audit IPsec Driver
CCE-9802-0
1.2.1.2.1.1.5 17.9.2 CCE-9586-9 Audit Other System Events
CCE-10088-3
1.3.2 1.2.1.2.1.1.3 17.9.3 CCE-9850-9 Audit Security State Change
CCE-9179-3
1.3.3 1.2.1.2.1.1.2 17.9.4 CCE-9863-2 Audit Security System Extension
CCE-9998-6
1.3.4 1.2.1.2.1.1.1 17.9.5 CCE-9520-8 Audit System Integrity
CCE-9194-2
1.2.1.2.1.1 17.10 Global Object Access Auditing
CCE-9811-1 File System
CCE-9217-1
CCE-10078-4 Registry
CCE-9737-8
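The Advanced Audit Policy rows above carry two CCE IDs each because Success and Failure are tracked separately, and `auditpol` reports them the same way. The script below is an added example, not part of the spreadsheet: it reads the effective subcategory settings with `auditpol /get /category:* /r`, compares each subcategory the 17.x rows select against a required Success/Failure set, and first checks the Security Options row that makes subcategory auditing effective at all ("Audit: Force audit policy subcategory settings", stored as `SCENoApplyLegacyAuditPolicy`). Assumptions: an elevated PowerShell 2.0 session on an English-locale Windows 7 (auditpol prints localized subcategory names), and the required settings, which are taken from the CIS Windows 7 benchmark rather than from this page. The CSV sample in the block is constructed, not captured from a host.

```powershell
# Added example: grade the effective advanced audit policy against the 17.x rows.
# Not from the spreadsheet. Assumes elevated PowerShell 2.0 on an English-locale
# Windows 7; the required Success/Failure sets are an assumption taken from the
# CIS Windows 7 benchmark.

function Get-AuditPolicy {
    # auditpol /r prints CSV: Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
    param([string[]]$Csv = (& auditpol.exe /get /category:* /r))
    $table = @{}
    foreach ($row in ($Csv | Where-Object { $_ -ne '' } | ConvertFrom-Csv)) {
        $set = @()
        if ($row.'Inclusion Setting' -match 'Success') { $set += 'Success' }
        if ($row.'Inclusion Setting' -match 'Failure') { $set += 'Failure' }
        $table[$row.Subcategory] = $set                  # 'No Auditing' leaves an empty set
    }
    return $table
}

$required = @{
    'Credential Validation'           = @('Success','Failure')
    'Application Group Management'    = @('Success','Failure')
    'Computer Account Management'     = @('Success','Failure')
    'Other Account Management Events' = @('Success','Failure')
    'Security Group Management'       = @('Success','Failure')
    'User Account Management'         = @('Success','Failure')
    'Process Creation'                = @('Success')
    'Account Lockout'                 = @('Success')
    'Logoff'                          = @('Success')
    'Logon'                           = @('Success','Failure')
    'Other Logon/Logoff Events'       = @('Success','Failure')
    'Special Logon'                   = @('Success')
    'Audit Policy Change'             = @('Success','Failure')
    'Authentication Policy Change'    = @('Success')
    'Sensitive Privilege Use'         = @('Success','Failure')
    'IPsec Driver'                    = @('Success','Failure')
    'Other System Events'             = @('Success','Failure')
    'Security State Change'           = @('Success','Failure')
    'Security System Extension'       = @('Success','Failure')
    'System Integrity'                = @('Success','Failure')
}

function Test-AuditPolicy($have, $required) {
    foreach ($sub in ($required.Keys | Sort-Object)) {
        $got = @($have[$sub])                                                # empty when the name is unknown or localized
        $missing = @($required[$sub] | Where-Object { $got -notcontains $_ })   # "Success and Failure" satisfies a "Success" requirement
        New-Object PSObject -Property @{ Subcategory=$sub; Have=($got -join '+'); Want=($required[$sub] -join '+'); Pass=($missing.Count -eq 0) }
    }
}

# Subcategory settings only take effect when the Security Options row
# 'Audit: Force audit policy subcategory settings' (SCENoApplyLegacyAuditPolicy) is enabled.
$lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
if ($lsa.SCENoApplyLegacyAuditPolicy -ne 1) { Write-Warning 'SCENoApplyLegacyAuditPolicy is not 1: the legacy nine-category policy can override these subcategories' }

# Constructed sample (not captured from a real host) so the parser can be exercised offline
$sample = @(
    'Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting',
    'WIN7-TEST,System,Credential Validation,{0CCE923F-69AE-11D9-BED3-505054503030},Success and Failure,',
    'WIN7-TEST,System,Logon,{0CCE9215-69AE-11D9-BED3-505054503030},Success,',
    'WIN7-TEST,System,Process Creation,{0CCE922B-69AE-11D9-BED3-505054503030},No Auditing,'
)
Test-AuditPolicy (Get-AuditPolicy -Csv $sample) $required | Select-Object Subcategory, Have, Want, Pass | Format-Table -AutoSize   # offline
Test-AuditPolicy (Get-AuditPolicy) $required              | Select-Object Subcategory, Have, Want, Pass | Format-Table -AutoSize   # live host
```

Against the sample, Credential Validation passes, Logon fails (Failure missing) and Process Creation fails (nothing audited); every other required subcategory fails with an empty Have column because it is absent from the sample, which is also what you see on a live host when auditpol is run without elevation and prints nothing.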
1.1 18 Administrative Templates
18.1 Control Panel
18.1.1 Personalization
18.1.2 Regional and Language Options
18.2 LAPS
18.2.1 <Ensure LAPS AdmPwd GPO Ex
18.2.2 Do not allow password expirati
18.2.3 Enable local admin password m
Password Settings
18.2.4
18.2.5
18.2.6
18.3 MSS (Legacy)
1.9.35 1.2.1.1.1.27 18.3.1 CCE-9342-7 MSS: (AutoAdminLogon) Enable
1.2.1.1.1.14 MSS: (AutoReboot) Allow Wind
1.9.68 1.2.1.1.1.25 18.3.2 CCE-8655-3 MSS: (DisableIPSourceRouting I
1.9.36 1.2.1.1.1.17 18.3.3 CCE-9496-1 MSS: (DisableIPSourceRouting)
18.3.4 MSS: (DisableSavePassword) Pr
1.9.37 18.3.5 CCE-8513-4 MSS: (EnableICMPRedirect) Allo
1.9.38 CCE-8560-5 MSS: (Hidden) Hide Computer F
1.9.39 18.3.6 CCE-9426-8 MSS: (KeepAliveTime) How ofte
1.9.40 1.2.1.1.1.41 CCE-9439-1 MSS: (NoDefaultExempt) Config

1.9.41 1.2.1.1.1.6 18.3.7 CCE-8562-1 MSS: (NoNameReleaseOnDema


1.9.42 MSS: (NtfsDisable8dot3NameCr
1.9.43 18.3.8 CCE-9458-1 MSS: (PerformRouterDiscovery
1.9.44 1.2.1.1.1.59 18.3.9 CCE-9348-4 MSS: (SafeDllSearchMode) Ena
1.9.45 1.2.1.1.1.8 18.3.10 CCE-8591-0 MSS: (ScreenSaverGracePeriod
1.9.69 1.2.1.1.1.60 18.3.11 CCE-9487-0 MSS: (TcpMaxDataRetransmiss
1.9.46 1.2.1.1.1.45 18.3.12 CCE-9456-5 MSS: (TcpMaxDataRetransmiss
1.9.47 1.2.1.1.1.73 18.3.13 CCE-9501-8 MSS: (WarningLevel) Percentag
18.4 Network
18.4.1 Background Intelligent Transfer Service (BITS)
18.4.2 BranchCache
18.4.3 DirectAccess Client Experience Settings
18.4.4 DNS Client
18.4.5 Fonts
18.4.6 Hotspot Authentication
18.4.7 Lanman Server
18.4.8 Lanman Workstation
18.4.9 Link-Layer Topology Discovery
18.4.9.1 CCE-9783-2 Turn on Mapper I/O (LLTDIO) d
18.4.9.2 CCE-10059-4 Turn on Responder (RSPNDR) d
18.4.10 Microsoft Peer-to-Peer Networking Services
18.4.10.2 CCE-10438-0 Turn off Microsoft Peer-to-Peer
18.4.10.1 Peer Name Resolution Protocol
18.4.11 Network Connections
18.4.11.2 CCE-9953-1 Prohibit installation and configu
18.4.11.3 CCE-10359-8 Require domain users to elevat
CCE-10509-8 Route all traffic through the int
18.4.11.1 Windows Firewall
18.4.12 Network Connectivity Status Indicator
18.4.13 Network Isolation
18.4.14 Network Provider

18.4.14.1 Hardened UNC Paths

18.4.15 Offline Files


18.4.16 QoS Packet Scheduler
18.4.17 SNMP
18.4.18 SSL Configuration Settings
18.4.19 TCPIP Settings
18.4.19.1 IPv6 Transition Technologies
CCE-10266-5 Set 6to4 State
CCE-10764-9 Set IP-HTTPS State
CCE-10130-3 Set ISATAP State
CCE-10011-5 Set Teredo State
18.4.19.2 Parameters
18.4.19.2.1 Disable IPv6 (TCPIP6 DisabledCo
18.4.20 Windows Connect Now
18.4.20.1 CCE-9879-8 Configuration of wireless settin
18.4.20.2 CCE-10778-9 Prohibit access of the Windows
18.5 Printers
CCE-10782-1 Extend Point and Print connecti
18.6 SCM: Pass the Hash Mitigations
18.6.1 Apply UAC restrictions to local a
18.6.2 WDigest Authentication (disabl
18.7 Start Menu and Taskbar
1.1.2 18.8 System
18.8.1 Access-Denied Assistance
18.8.2 App-V
18.8.3 Audit Process Creation
18.8.3.1 Include command line in proces
18.8.4 Credentials Delegation
18.8.5 Device Guard
18.8.6 Device Installation
18.8.6.2 CCE-10769-8 Allow remote access to the Plug
CCE-9901-0 Do not send a Windows error re
CCE-10553-6 Prevent creation of a system re
CCE-10165-9 Prevent device metadata retrie
CCE-9919-2 Specify search order for device
18.8.6.1 Device Installation Restrictions
18.8.6.1.1 Prevent installation of devices u
18.8.6.1.2
18.8.6.1.3
18.8.7 Device Redirection
18.8.8 Disk NV Cache
18.8.9 Disk Quotas
18.8.10 Distributed COM
18.8.11 Driver Installation
18.8.12 Early Launch Antimalware
18.8.13 Enhanced Storage Access
18.8.14 File Classification Infrastructure
18.8.15 File Share Shadow Copy Agent
18.8.16 File Share Shadow Copy Provider
18.8.17 Filesystem
18.8.18 Folder Redirection
1.1.2.5 18.8.19 Group Policy
1.12.7 1.1.2.5.1 CCE-9361-7 Configure registry policy proces
1.1.2.5.2 18.8.19.2
1.12.7 1.1.2.5.3 18.8.19.3 CCE-9361-7
18.8.19.4 Turn off background refresh of
18.8.19.1 Logging and tracing
1.11 1.1.2.2 18.8.20 Internet Communication Management
1.1.2.2.1 18.8.20.1 Internet Communication settings
1.11.1 1.1.2.2.1.6 18.8.20.1.1 CCE-9195-9 Turn off downloading of print d
CCE-9819-4 Turn off Event Viewer "Events.a
18.8.20.1.2 CCE-10658-3 Turn off handwriting personaliz
18.8.20.1.3 CCE-10645-0 Turn off handwriting recognitio
18.8.20.1.4 CCE-10649-2 Turn off Internet Connection W
1.11.3 1.1.2.2.1.1 18.8.20.1.5 CCE-9674-3 Turn off Internet download for
18.8.20.1.6 CCE-10795-3 Turn off Internet File Associatio
1.11.4 1.1.2.2.1.7 18.8.20.1.7 CCE-10061-0 Turn off printing over HTTP
18.8.20.1.8 CCE-10160-0 Turn off Registration if URL con
1.11.5 1.1.2.2.1.5 18.8.20.1.9 CCE-10140-2 Turn off Search Companion con
18.8.20.1.10 CCE-9823-6 Turn off the "Order Prints" pictu
1.11.2 1.1.2.2.1.3 18.8.20.1.11 CCE-9643-8 Turn off the "Publish to Web" t
1.11.6 1.1.2.2.1.4 18.8.20.1.12 CCE-9559-6 Turn off the Windows Messeng
18.8.20.1.13 Turn off Windows Customer Ex
18.8.20.1.14 CCE-10441-4 Turn off Windows Error Reporti
1.11.7 1.1.2.2.1.2 Turn off Windows Update devic
18.8.21 iSCSI
18.8.22 KDC
18.8.23 Kerberos
18.8.24 Locale Services
1.1.2.6 18.8.25 Logon
18.8.25.1 CCE-10591-6 Always use classic logon
1.12.5 1.1.2.6.2 Do not process the legacy run li
1.12.6 1.1.2.6.1 CCE-10154-3 Do not process the run once lis
18.8.26 Mitigation Options
18.8.27 Net Logon
18.8.28 Performance Control Panel
1.1.2.1 18.8.29 Power Management
18.8.29.1 Button Settings
18.8.29.2 Energy Saver Settings
18.8.29.3 Hard Disk Settings
18.8.29.4 Notification Settings
1.1.2.1.1 18.8.29.5 Sleep Settings
1.1.2.1.1.3 18.8.29.5.1 Allow standby states (S1-S3) wh
1.1.2.1.1.1 18.8.29.5.2 Allow standby states (S1-S3) wh
1.12.1 1.1.2.1.1.2 18.8.29.5.3 CCE-9829-3 Require a password when a com
1.12.2 1.1.2.1.1.4 18.8.29.5.4 CCE-9670-1 Require a password when a com
CCE-13091-4 Specify the system hibernate ti
CCE-13668-9 Specify the system hibernate ti
Video and Display Settings
CCE-12924-7 Turn off the display (on battery
CCE-12393-5 Turn off the display (plugged in
18.8.30 Recovery
1.1.2.4 18.8.31 Remote Assistance
1.12.8 1.1.2.4.2 18.8.31.1 CCE-9960-6 Configure Offer Remote Assista
1.12.9 1.1.2.4.1 18.8.31.2 CCE-9506-7 Configure Solicited Remote Ass
CCE-10344-0 Turn on session logging
1.1.2.3 18.8.32 Remote Procedure Call
1.12.11 1.1.2.3.2 18.8.32.1 CCE-10181-6 Enable RPC Endpoint Mapper C
1.12.10 1.1.2.3.1 18.8.32.2 CCE-9396-3 Restrict Unauthenticated RPC c
18.8.33 Removable Storage Access
18.8.34 Scripts
18.8.35 Server Manager
18.8.36 Shutdown
18.8.37 Shutdown Options
18.8.38 System Restore
18.8.39 Troubleshooting and Diagnostics
18.8.39.1 Application Compatibility Diagnostics
18.8.39.2 Corrupted File Recovery
18.8.39.3 Disk Diagnostic
18.8.39.4 Fault Tolerant Heap
18.8.39.5 Microsoft Support Diagnostic Tool
18.8.39.5.1 CCE-9842-6 Microsoft Support Diagnostic T
18.8.39.6 MSI Corrupted File Recovery
18.8.39.7 Scheduled Maintenance
18.8.39.8 Scripted Diagnostics
CCE-10606-2 Troubleshooting: Allow users to
18.8.39.9 Windows Boot Performance Diagnostics
18.8.39.10 Windows Memory Leak Diagnosis
18.8.39.11 Windows Performance PerfTrack
18.8.39.11.1 CCE-10219-4 Enable/Disable PerfTrack
18.8.40 Trusted Platform Module Services
18.8.41 User Profiles
18.8.42 Windows File Protection
18.8.43 Windows HotStart
18.8.44 Windows Time Service
18.8.44.1 Time Providers
Configure Windows NTP Client
CCE-10500-7
CCE-10368-9
CCE-9892-1
CCE-10756-5
CCE-10531-2
CCE-10774-8
CCE-10408-3
18.8.44.1.1 Enable Windows NTP Client
18.8.44.1.2 Enable Windows NTP Server
1.1.1 18.9 Windows Components
18.9.1 Active Directory Federation Services
18.9.2 ActiveX Installer Service
18.9.3 Add features to Windows 8 / 8.1 / 10
CCE-10137-8 Prevent the wizard from runnin
18.9.4 App Package Deployment
18.9.5 App Privacy
18.9.6 App runtime
18.9.7 Application Compatibility
CCE-10787-0 Turn off Inventory Collector
1.1.1.2 18.9.8 AutoPlay Policies
18.9.8.1 CCE-10655-9 Disallow Autoplay for non-volu
18.9.8.2 CCE-10527-0 Set the default behavior for Au
1.12.12 1.1.1.2.1 18.9.8.3 CCE-9528-1 Turn off Autoplay
18.9.9 Backup
18.9.10 Biometrics
1.1.1.1 18.9.11 BitLocker Drive Encryption
1.1.1.1.4 18.9.11.4 Choose drive encryption metho
1.1.1.1.2 18.9.11.1 Fixed Data Drives
1.1.1.1.2.2 18.9.11.1.1 Allow access to BitLocker-prote
1.1.1.1.2.4 18.9.11.1.2 Choose how BitLocker-protecte
1.1.1.1.2.5 18.9.11.1.3
1.1.1.1.2.6 18.9.11.1.4
1.1.1.1.2.7 18.9.11.1.5
1.1.1.1.2.8 18.9.11.1.6
1.1.1.1.2.9 18.9.11.1.7
1.1.1.1.2.10 18.9.11.1.8
1.1.1.1.2.11 18.9.11.1.9
1.1.1.1.2.1 18.9.11.1.10 Configure use of passwords for
1.1.1.1.2.3 18.9.11.1.11 Configure use of smart cards on
1.1.1.1.2.3 18.9.11.1.12
1.1.1.1.1 18.9.11.2 Operating System Drives
1.1.1.1.1.8 18.9.11.2.1 Allow enhanced PINs for startu
1.1.1.1.1.9 18.9.11.2.2 Choose how BitLocker-protecte
1.1.1.1.1.10 18.9.11.2.3
1.1.1.1.1.11 18.9.11.2.4
1.1.1.1.1.12 18.9.11.2.5
1.1.1.1.1.13 18.9.11.2.6
1.1.1.1.1.14 18.9.11.2.7
1.1.1.1.1.15 18.9.11.2.8
1.1.1.1.1.16 18.9.11.2.9
1.1.1.1.1.1 18.9.11.2.10 Configure minimum PIN length
1.1.1.1.1.2 18.9.11.2.11 Require additional authenticati
1.1.1.1.1.3 18.9.11.2.12
1.1.1.1.1.4 18.9.11.2.13
1.1.1.1.1.5 18.9.11.2.14
1.1.1.1.1.6 18.9.11.2.15
1.1.1.1.1.7 18.9.11.2.16
1.1.1.1.3 18.9.11.3 Removable Data Drives
1.1.1.1.3.2 18.9.11.3.1 Allow access to BitLocker-prote
1.1.1.1.3.3 18.9.11.3.2 Choose how BitLocker-protecte
1.1.1.1.3.4 18.9.11.3.3
1.1.1.1.3.5 18.9.11.3.4
1.1.1.1.3.6 18.9.11.3.5
1.1.1.1.3.7 18.9.11.3.6
1.1.1.1.3.8 18.9.11.3.7
1.1.1.1.3.9 18.9.11.3.8
1.1.1.1.3.10 18.9.11.3.9
1.1.1.1.3.12 18.9.11.3.10 Configure use of passwords for
1.1.1.1.3.1 18.9.11.3.11 Configure use of smart cards on
1.1.1.1.3.1 18.9.11.3.12
1.1.1.1.3.11 18.9.11.3.13 Deny write access to removable
1.1.1.1.3.11 18.9.11.3.14
18.9.12 Camera
18.9.13 Cloud Content
18.9.14 Connect
1.1.1.7 18.9.15 Credential User Interface
18.9.15.1 Do not display the password re
1.12.13 1.1.1.7.1 18.9.15.2 CCE-8838-2 Enumerate administrator accou
1.12.14 1.1.1.7.2 Require trusted path for creden
18.9.16 Data Collection and Preview Builds
18.9.17 Delivery Optimization
18.9.18 Desktop Gadgets
CCE-9857-4 Override the More Gadgets link
CCE-10811-8 Restrict unpacking and installati
18.9.18.1 Turn off desktop gadgets
18.9.18.2 CCE-10586-6 Turn Off user-installed desktop
18.9.19 Desktop Window Manager
18.9.20 Device and Driver Compatibility
18.9.21 Device Registration (formerly Workplace Join)
18.9.22 Digital Locker
CCE-10759-9 Do not allow Digital Locker to ru
18.9.23 Edge UI
18.9.24 EMET
18.9.24.1 <Ensure EMET is installed>
18.9.24.2 Default Action and Mitigation S
18.9.24.3 Default Protections for Internet
18.9.24.4 Default Protections for Popular
18.9.24.5 Default Protections for Recomm
18.9.24.6 System ASLR
18.9.24.7 System DEP
18.9.24.8 System SEHOP
18.9.25 Event Forwarding
1.4 1.1.1.3 18.9.26 Event Log Service
1.1.1.3.1 18.9.26.1 Application
1.4.2 1.1.1.3.1.1 18.9.26.1.1 Control Event Log behavior whe
1.4.1 1.1.1.3.1.1 18.9.26.1.2 CCE-9603-2 Specify the maximum log file si
1.4.1 1.1.1.3.1.2 18.9.26.1.2 CCE-9603-2
1.1.1.3.2 18.9.26.2 Security
1.4.4 1.1.1.3.2.2 18.9.26.2.1 Control Event Log behavior whe
1.4.3 1.1.1.3.2.2 18.9.26.2.2 CCE-9967-1 Specify the maximum log file si
1.4.3 1.1.1.3.2.1 18.9.26.2.2 CCE-9967-1
18.9.26.3 Setup
18.9.26.3.1 Control Event Log behavior whe
18.9.26.3.2 CCE-10714-4 Specify the maximum log file si
18.9.26.3.2 CCE-10714-4
1.1.1.3.3 18.9.26.4 System
1.4.6 1.1.1.3.3.1 18.9.26.4.1 Control Event Log behavior whe
1.4.5 1.1.1.3.3.1 18.9.26.4.2 CCE-10156-8 Specify the maximum log file si
1.4.5 1.1.1.3.3.2 18.9.26.4.2 CCE-10156-8
18.9.27 Event Logging
18.9.28 Event Viewer
18.9.29 Family Safety
1.1.1.5 18.9.30 File Explorer
1.12.4 1.1.1.5.1 18.9.30.2 CCE-9918-4 Turn off Data Execution Preven
18.9.30.3 CCE-9874-9 Turn off heap termination on co
18.9.30.4 CCE-10623-7 Turn off shell protocol protecte
18.9.30.1 Previous Versions
18.9.31 File History
18.9.32 Game Explorer
CCE-10828-2 Turn off downloading of game i
CCE-10850-6 Turn off game updates
1.1.1.9 18.9.33 HomeGroup
1.12.15 1.1.1.9.1 18.9.33.1 CCE-10183-2 Prevent the computer from join
18.9.34 Import Video
18.9.35 Internet Explorer
18.9.36 Internet Information Services
18.9.37 Location and Sensors
18.9.37.1 Turn off location
18.9.38 Maintenance Scheduler
18.9.39 Maps
18.9.40 MDM
18.9.41 Microsoft Edge
18.9.42 Microsoft Secondary Authentication Factor
18.9.43 Microsoft User Experience Virtualization
18.9.44 NetMeeting
CCE-10763-1 Disable remote Desktop Sharin
18.9.45 Network Access Protection
18.9.46 Network Projector
18.9.47 OneDrive (formerly SkyDrive)
18.9.47.1 Prevent the usage of OneDrive
18.9.47.2 Prevent the usage of OneDrive
18.9.48 Online Assistance
18.9.49 Password Synchronization
18.9.50 Portable Operating System
18.9.51 Presentation Settings
1.10 1.1.1.8 18.9.52 Remote Desktop Services (formerly Terminal Servic
18.9.52.1 RD Licensing
1.1.1.8.2 18.9.52.2 Remote Desktop Connection Client
1.10.5 1.1.1.8.2.1 18.9.52.2.2 CCE-10090-9 Do not allow passwords to be s
18.9.52.2.1 RemoteFX USB Device Redirection
1.1.1.8.1 18.9.52.3 Remote Desktop Session Host
18.9.52.3.1 Application Compatibility
18.9.52.3.2 Connections
1.10.4 18.9.52.3.2.1 CCE-9985-3 Allow users to connect remotel
1.1.1.8.1.2 18.9.52.3.3 Device and Resource Redirection
18.9.52.3.3.1 Do not allow COM port redirecti
1.10.3 1.1.1.8.1.2.1 18.9.52.3.3.2 Do not allow drive redirection
18.9.52.3.3.3 Do not allow LPT port redirectio
18.9.52.3.3.4 Do not allow supported Plug an
18.9.52.3.4 Licensing
18.9.52.3.5 Printer Redirection
18.9.52.3.6 Profiles
18.9.52.3.7 RD Connection Broker
18.9.52.3.8 Remote Session Environment
1.1.1.8.1.1 18.9.52.3.9 Security
1.10.1 1.1.1.8.1.1.1 18.9.52.3.9.1 CCE-10103-0 Always prompt for password up
18.9.52.3.9.2 Require secure RPC communica
1.10.2 1.1.1.8.1.1.2 18.9.52.3.9.3 CCE-9764-2 Set client connection encryptio
18.9.52.3.10 Session Time Limits
18.9.52.3.10.1 CCE-10608-8 Set time limit for active but idle
18.9.52.3.10.2 CCE-9858-2 Set time limit for disconnected
18.9.52.3.11 Temporary folders
18.9.52.3.11.1 CCE-10856-3 Do not delete temp folders upo
18.9.52.3.11.2 CCE-9864-0 Do not use temporary folders p
18.9.53 RSS Feeds
18.9.53.1 CCE-10730-0 Prevent downloading of enclos
18.9.54 Search
18.9.54.2 CCE-10496-8 Allow indexing of encrypted file
CCE-9866-5 Enable indexing uncached Exch
18.9.54.1 OCR
18.9.55 Security Center
18.9.56 Server for NIS
18.9.57 Shutdown Options
18.9.58 Smart Card
18.9.59 Software Protection Platform
18.9.60 Sound Recorder
18.9.61 Store
18.9.62 Sync your settings
18.9.63 Tablet PC
18.9.64 Task Scheduler
18.9.65 Text Input
18.9.66 Windows Calendar
18.9.67 Windows Color System
18.9.68 Windows Customer Experience Improvement Progr
18.9.69 Windows Defender
18.9.69.1 Client Interface
18.9.69.2 Exclusions
18.9.69.3 MAPS
18.9.69.3.1 CCE-9868-1 Join Microsoft MAPS
18.9.70 Windows Error Reporting
CCE-10157-6 Disable logging
CCE-9914-3 Disable Windows Error Reportin
CCE-10709-4 Display Error Notification
CCE-10824-1 Do not send additional data
18.9.70.1 Advanced Error Reporting Settings
18.9.70.2 Consent
18.9.70.2.1 Configure Default consent
18.9.70.2.1
18.9.71 Windows Game Recording and Broadcasting
18.9.72 Windows Hello for Business (formerly Microsoft Pas
18.9.73 Windows Ink Workspace
18.9.74 Windows Installer
18.9.74.1 CCE-9876-4 Allow user control over installs
18.9.74.2 Always install with elevated pri
18.9.74.3 CCE-9875-6 Prevent Internet Explorer secur
CCE-9888-9 Prohibit non-administrators fro
18.9.75 Windows Logon Options
CCE-9907-7 Report when logon server was
18.9.76 Windows Mail
CCE-11252-4 Turn off the communities featu
CCE-10882-9 Turn off Windows Mail applicati
18.9.77 Windows Media Center
18.9.78 Windows Media Digital Rights Management
CCE-9908-5 Prevent Windows Media DRM I
18.9.79 Windows Media Player
CCE-10692-2 Do Not Show First Use Dialog B
CCE-10602-1 Prevent Automatic Updates
18.9.80 Windows Meeting Space
18.9.81 Windows Messenger
18.9.82 Windows Mobility Center
18.9.83 Windows Movie Maker
18.9.84 Windows PowerShell
18.9.84.1 Turn on PowerShell Script Block
18.9.84.2 Turn on PowerShell Transcriptio
18.9.85 Windows Reliability Analysis
18.9.86 Windows Remote Management (WinRM)
18.9.86.1 WinRM Client
18.9.86.1.1 Allow Basic authentication
18.9.86.1.2 Allow unencrypted traffic
18.9.86.1.3 Disallow Digest authentication
18.9.86.2 WinRM Service
18.9.86.2.1 Allow Basic authentication
18.9.86.2.2 Allow remote server managem
18.9.86.2.3 Allow unencrypted traffic
18.9.86.2.4 Disallow WinRM from storing R
1.1.1.4 18.9.87 Windows Remote Shell
1.12.3 1.1.1.4.1 18.9.87.1 Allow Remote Shell Access
18.9.88 Windows SideShow
18.9.89 Windows System Resource Manager
1.6 1.1.1.6 18.9.90 Windows Update
1.6.1 1.1.1.6.1 18.9.90.2 CCE-9403-7 Configure Automatic Updates
1.6.1 1.1.1.6.1 CCE-9403-7
18.9.90.3
1.1.1.6.5 18.9.90.4 Do not adjust default option to
1.6.2 1.1.1.6.4 18.9.90.5 CCE-9464-9 Do not display 'Install Updates
1.6.3 1.1.1.6.3 18.9.90.6 CCE-9672-7 No auto-restart with logged on
1.6.4 1.1.1.6.2 18.9.90.7 CCE-10205-3 Reschedule Automatic Updates
1.1.1.6.2 18.9.90.7
1.1.1.6.6 Specify intranet Microsoft upda
1.1.1.6.8
1.1.1.6.7
18.9.90.1 Defer Windows Updates
Green = only applies to BitLocker profile

Policy

Enforce password history


Maximum password age
Minimum password age
Minimum password length
Password must meet complexity requirements
Store passwords using reversible encryption
Lockout Policy
Account lockout duration
Account lockout threshold
Reset account lockout counter after

Audit account logon events


Audit account management
Audit directory service access
Audit logon events
Audit object access
Audit policy change
Audit privilege use
Audit process tracking
Audit system events
ts Assignment
Access Credential Manager as a trusted caller

Access this computer from the network

Act as part of the operating system

Adjust memory quotas for a process

Allow log on locally


Allow log on through Remote Desktop Services

Back up files and directories

Bypass traverse checking

Change the system time

Change the time zone

Create a pagefile
Create a token object

Create global objects

Create permanent shared objects


Create symbolic links
Debug programs

Deny access to this computer from the network

Deny log on as a batch job


Deny log on as a service
Deny log on locally

Deny log on through Remote Desktop Services

Enable computer and user accounts to be trusted for delegation


Force shutdown from a remote system

Generate security audits

Impersonate a client after authentication

Increase a process working set

Increase scheduling priority


Load and unload device drivers
Lock pages in memory
Log on as a batch job
Log on as a service
Manage auditing and security log
Modify an object label
Modify firmware environment values
Perform volume maintenance tasks
Profile single process

Profile system performance

Remove computer from docking station

Replace a process level token

Restore files and directories

Shut down the system

Take ownership of files or other objects

Accounts: Administrator account status


Accounts: Guest account status
Accounts: Limit local use of blank passwords to console logon only
Accounts: Rename administrator account
Accounts: Rename guest account
Audit: Audit the access of global system objects
Audit: Audit the use of Backup and Restore privilege
Audit: Force audit policy subcategory settings (Windows Vista or later) to override au
Audit: Shut down system immediately if unable to log security audits
Devices: Allow undock without having to log on
Devices: Allowed to format and eject removable media
Devices: Prevent users from installing printer drivers
Devices: Restrict CD-ROM access to locally logged-on user only
Devices: Restrict floppy access to locally logged-on user only
Domain member: Digitally encrypt or sign secure channel data (always)
Domain member: Digitally encrypt secure channel data (when possible)
Domain member: Digitally sign secure channel data (when possible)
Domain member: Disable machine account password changes
Domain member: Maximum machine account password age
Domain member: Require strong (Windows 2000 or later) session key
Interactive logon: Display user information when the session is locked
Interactive logon: Do not display last user name
Interactive logon: Do not require CTRL+ALT+DEL
Interactive logon: Message text for users attempting to log on
Interactive logon: Message title for users attempting to log on
Interactive logon: Number of previous logons to cache (in case domain controller is n
Interactive logon: Prompt user to change password before expiration
Interactive logon: Require Domain Controller authentication to unlock workstation
Interactive logon: Require smart card
Interactive logon: Smart card removal behavior
Microsoft network client: Digitally sign communications (always)
Microsoft network client: Digitally sign communications (if server agrees)
Microsoft network client: Send unencrypted password to third-party SMB servers
Microsoft network server: Amount of idle time required before suspending session
Microsoft network server: Digitally sign communications (always)
Microsoft network server: Digitally sign communications (if client agrees)
Microsoft network server: Disconnect clients when logon hours expire
Microsoft network server: Server SPN target name validation level
Network access: Allow anonymous SID/Name translation
Network access: Do not allow anonymous enumeration of SAM accounts
Network access: Do not allow anonymous enumeration of SAM accounts and shares
Network access: Do not allow storage of passwords and credentials for network authentication
Network access: Let Everyone permissions apply to anonymous users
Network access: Named Pipes that can be accessed anonymously

Network access: Remotely accessible registry paths

Network access: Remotely accessible registry paths and sub-paths

Network access: Restrict anonymous access to Named Pipes and Shares


Network access: Shares that can be accessed anonymously
Network access: Sharing and security model for local accounts
Network security: Allow Local System to use computer identity for NTLM
Network security: Allow LocalSystem NULL session fallback
Network security: Allow PKU2U authentication requests to this computer to use onlin

Network security: Configure encryption types allowed for Kerberos

Network security: Do not store LAN Manager hash value on next password change
Network security: Force logoff when logon hours expire
Network security: LAN Manager authentication level
Network security: LDAP client signing requirements
Network security: Minimum session security for NTLM SSP based (including secure RP

Network security: Minimum session security for NTLM SSP based (including secure R

Network Security: Restrict NTLM: Add remote server exceptions for NTLM authentication
Network Security: Restrict NTLM: Add server exceptions in this domain
Network Security: Restrict NTLM: Audit Incoming NTLM Traffic
Network Security: Restrict NTLM: Audit NTLM authentication in this domain
Network Security: Restrict NTLM: Incoming NTLM traffic
Network Security: Restrict NTLM: NTLM authentication in this domain
Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers
Recovery console: Allow automatic administrative logon
Recovery console: Allow floppy copy and access to all drives and all folders
Shutdown: Allow system to be shut down without having to log on
Shutdown: Clear virtual memory pagefile
System cryptography: Force strong key protection for user keys stored on the compu
System cryptography: Use FIPS compliant algorithms for encryption, hashing, and sig
System objects: Require case insensitivity for non-Windows subsystems
System objects: Strengthen default permissions of internal system objects (e.g. Symbo
System settings: Optional subsystems
System settings: Use Certificate Rules on Windows Executables for Software Restricti
User Account Control: Admin Approval Mode for the Built-in Administrator account
User Account Control: Allow UIAccess applications to prompt for elevation without u
User Account Control: Behavior of the elevation prompt for administrators in Admi
User Account Control: Behavior of the elevation prompt for standard users
User Account Control: Detect application installations and prompt for elevation
User Account Control: Only elevate executables that are signed and validated
User Account Control: Only elevate UIAccess applications that are installed in secure
User Account Control: Run all administrators in Admin Approval Mode
User Account Control: Switch to the secure desktop when prompting for elevation
User Account Control: Virtualize file and registry write failures to per-user locations

Bluetooth Support Service (bthserv)


Fax (Fax)
HomeGroup Listener (HomeGroupListener)
HomeGroup Provider (HomeGroupProvider)
IIS Admin Service (IISADMIN)
Media Center Extender Service (Mcx2Svc)
Microsoft FTP Service (FTPSVC)
Parental Controls (WPCSvc)
Simple TCP/IP Services (simptcp)
Telnet (TlntSvr)
Web Management Service (WMSvc)
Windows Media Center Receiver Service (ehRecvr)
Windows Media Center Scheduler Service (ehSched)
World Wide Web Publishing Service (W3SVC)

ork (IEEE 802.3) Policies


ewall with Advanced Security
Firewall with Advanced Security - LDAP://CN=
ows Firewall Properties
omain Profile

Firewall state
Inbound connections
Outbound connections

Firewall settings
Display a notification
Unicast response
Allow unicast response
Rule merging
Apply local firewall rules
Apply local connection security rules

Name
Size limit (KB)
Log dropped packets
Log successful connections
ivate Profile

Firewall state
Inbound connections
Outbound connections

Firewall settings
Display a notification
Unicast response
Allow unicast response
Rule merging
Apply local firewall rules
Apply local connection security rules

Name
Size limit (KB)
Log dropped packets
Log successful connections
Firewall state
Inbound connections
Outbound connections

Firewall settings
Display a notification
Unicast response
Allow unicast response
Rule merging
Apply local firewall rules
Apply local connection security rules

Name
Size limit (KB)
Log dropped packets
Log successful connections

Core Networking - Dynamic Host Configuration Protocol for IPv6(DHCPV6-In)


Core Networking - Dynamic Host Configuration Protocol (DHCP-In)
Manager Policies
work (IEEE 802.11) Policies

striction Policies
ess Protection NAP Client Configuration
Control Policies

udit Policy Configuration

Audit Credential Validation

Audit Kerberos Authentication Service

Audit Kerberos Service Ticket Operations

Audit Other Account Logon Events

nt Management
Audit Application Group Management

Audit Computer Account Management


Audit Distribution Group Management

Audit Other Account Management Events

Audit Security Group Management

Audit User Account Management

ed Tracking
Audit DPAPI Activity

Audit Process Creation

Audit Process Termination

Audit RPC Events

Audit Detailed Directory Service Replication

Audit Directory Service Access

Audit Directory Service Changes

Audit Directory Service Replication

Audit Account Lockout

Audit IPsec Extended Mode

Audit IPsec Main Mode

Audit IPsec Quick Mode

Audit Logoff

Audit Logon

Audit Network Policy Server

Audit Other Logon/Logoff Events

Audit Special Logon


Audit Application Generated

Audit Certification Services

Audit Detailed File Share

Audit File Share

Audit File System

Audit Filtering Platform Connection

Audit Filtering Platform Packet Drop


Audit Handle Manipulation

Audit Kernel Object

Audit Other Object Access Events

Audit Registry

Audit SAM

Audit Audit Policy Change

Audit Authentication Policy Change

Audit Authorization Policy Change

Audit Filtering Platform Policy Change

Audit MPSSVC Rule-Level Policy Change

Audit Other Policy Change Events

Audit Non Sensitive Privilege Use

Audit Other Privilege Use Events

Audit Sensitive Privilege Use


Audit IPsec Driver

Audit Other System Events

Audit Security State Change

Audit Security System Extension

Audit System Integrity

l Object Access Auditing


File System

Registry

Language Options

<Ensure LAPS AdmPwd GPO Extension / CSE is installed>


Do not allow password expiration time longer than required by policy
Enable local admin password management
Password Settings
Password Complexity:
Password Length:
Password Age (Days):

MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)


MSS: (AutoReboot) Allow Windows to automatically restart after a system crash (recommended except for highly secure environments)
MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects agai
DisableIPSourceRoutingIPv6
MSS: (DisableIPSourceRouting) IP source routing protection level (protects against p
DisableIPSourceRouting
MSS: (DisableSavePassword) Prevent the dial-up password from being saved (recommended)
MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes
MSS: (Hidden) Hide Computer From the Browse List (not recommended except for hi
MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds
KeepAliveTime
MSS: (NoDefaultExempt) Configure IPSec exemptions for various types of network tra

MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name relea


MSS: (NtfsDisable8dot3NameCreation) Enable the computer to stop generating 8.3 s
MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway
MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)
MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace
ScreenSaverGracePeriod
MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is re
TcpMaxDataRetransmissions
MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retrans
TcpMaxDataRetransmissions
MSS: (WarningLevel) Percentage threshold for the security event log at which the sy
WarningLevel

Intelligent Transfer Service (BITS)

Client Experience Settings

opology Discovery
Turn on Mapper I/O (LLTDIO) driver
Turn on Responder (RSPNDR) driver
er-to-Peer Networking Services
Turn off Microsoft Peer-to-Peer Networking Services
me Resolution Protocol

Prohibit installation and configuration of Network Bridge on your DNS domain network
Require domain users to elevate when setting a network's location
Route all traffic through the internal network
Select from the following states:

nnectivity Status Indicator

Hardened UNC Paths

ation Settings

sition Technologies
Set 6to4 State
Select from the following states:
Set IP-HTTPS State
Select Interface state from the following options:
Set ISATAP State
Select from the following states:
Set Teredo State
Select from the following states:

Disable IPv6 (TCPIP6 DisabledComponents)

Configuration of wireless settings using Windows Connect Now


Prohibit access of the Windows Connect Now wizards

Extend Point and Print connection to search Windows Update


ash Mitigations
Apply UAC restrictions to local accounts on network logons
WDigest Authentication (disabling may require KB2871997)

ed Assistance

Include command line in process creation events

Allow remote access to the Plug and Play interface


Do not send a Windows error report when a generic driver is installed on a device
Prevent creation of a system restore point during device activity that would normally prompt creation of a restore point
Prevent device metadata retrieval from the Internet
Specify search order for device driver source locations
Select source order:
stallation Restrictions
Prevent installation of devices using drivers that match these device setup classes
Prevent installation of devices using drivers that match these device setup classes:
Also apply to matching devices that are already installed:

Antimalware
orage Access
ation Infrastructure
adow Copy Agent
adow Copy Provider
Configure registry policy processing
Do not apply during periodic background processing:
Process even if the Group Policy objects have not changed:
Turn off background refresh of Group Policy

mmunication Management
Communication settings
Turn off downloading of print drivers over HTTP
Turn off Event Viewer "Events.asp" links
Turn off handwriting personalization data sharing
Turn off handwriting recognition error reporting
Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com
Turn off Internet download for Web publishing and online ordering wizards
Turn off Internet File Association service
Turn off printing over HTTP
Turn off Registration if URL connection is referring to Microsoft.com
Turn off Search Companion content file updates
Turn off the "Order Prints" picture task
Turn off the "Publish to Web" task for files and folders
Turn off the Windows Messenger Customer Experience Improvement Program
Turn off Windows Customer Experience Improvement Program
Turn off Windows Error Reporting
Turn off Windows Update device driver searching

Always use classic logon


Do not process the legacy run list
Do not process the run once list

Control Panel

aver Settings

Allow standby states (S1-S3) when sleeping (on battery)


Allow standby states (S1-S3) when sleeping (plugged in)
Require a password when a computer wakes (on battery)
Require a password when a computer wakes (plugged in)
Specify the system hibernate timeout (on battery)
System Sleep Timeout (seconds):
Specify the system hibernate timeout (plugged in)
System Sleep Timeout (seconds):
d Display Settings
Turn off the display (on battery)
Turn Off the Display (seconds):
Turn off the display (plugged in)
Turn Off the Display (seconds):

Configure Offer Remote Assistance


Configure Solicited Remote Assistance
Turn on session logging

Enable RPC Endpoint Mapper Client Authentication


Restrict Unauthenticated RPC clients
RPC Runtime Unauthenticated Client Restriction to Apply:
torage Access

ting and Diagnostics


on Compatibility Diagnostics
d File Recovery

ft Support Diagnostic Tool


Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider
upted File Recovery
d Maintenance

Troubleshooting: Allow users to access online troubleshooting content on Microsoft servers from the Troubleshooting Control Panel (via the Windows Online Troubleshooting Service - WOTS)
Boot Performance Diagnostics
Memory Leak Diagnosis
Performance PerfTrack
Enable/Disable PerfTrack
orm Module Services

e Protection
Configure Windows NTP Client
NtpServer
Type
CrossSiteSyncFlags
ResolvePeerBackoffMinutes
ResolvePeerBackoffMaxtimes
SpecialPollInterval
EventLogFlags
Enable Windows NTP Client
Enable Windows NTP Server

ory Federation Services


ller Service
to Windows 8 / 8.1 / 10
Prevent the wizard from running.
Deployment

Compatibility
Turn off Inventory Collector

Disallow Autoplay for non-volume devices


Set the default behavior for AutoRun
Default AutoRun Behavior:
Turn off Autoplay
Turn off Autoplay on:

ve Encryption
Choose drive encryption method and cipher strength (Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2)
Select the encryption method:

Allow access to BitLocker-protected fixed data drives from earlier versions of Windows
Choose how BitLocker-protected fixed drives can be recovered
Allow data recovery agent:
Configure user storage of BitLocker recovery information:

Omit recovery options from the BitLocker setup wizard:


Save BitLocker recovery information to AD DS for fixed data drives:
Configure storage of BitLocker recovery information to AD DS:
Do not enable BitLocker until recovery information is stored to AD DS for fixed data drives:
Configure use of passwords for fixed data drives
Configure use of smart cards on fixed data drives
Require use of smart cards on fixed data drives:
g System Drives
Allow enhanced PINs for startup
Choose how BitLocker-protected operating system drives can be recovered
Allow data recovery agent:
Configure user storage of BitLocker recovery information:

Omit recovery options from the BitLocker setup wizard:


Save BitLocker recovery information to AD DS for operating system drives:
Configure storage of BitLocker recovery information to AD DS:
Do not enable BitLocker until recovery information is stored to AD DS for operating system drives:
Configure minimum PIN length for startup
Minimum characters:
Require additional authentication at startup
Allow BitLocker without a compatible TPM:
Configure TPM startup:
Configure TPM startup PIN:
Configure TPM startup key:
Configure TPM startup key and PIN:
le Data Drives
Allow access to BitLocker-protected removable data drives from earlier versions of Windows
Choose how BitLocker-protected removable drives can be recovered
Allow data recovery agent:
Configure user storage of BitLocker recovery information:

Omit recovery options from the BitLocker setup wizard:


Save BitLocker recovery information to AD DS for removable data drives:
Configure storage of BitLocker recovery information to AD DS:
Do not enable BitLocker until recovery information is stored to AD DS for removable data drives:
Configure use of passwords for removable data drives
Configure use of smart cards on removable data drives
Require use of smart cards on removable data drives:
Deny write access to removable drives not protected by BitLocker
Do not allow write access to devices configured in another organization:

ser Interface
Do not display the password reveal button
Enumerate administrator accounts on elevation
Require trusted path for credential entry
on and Preview Builds

Override the More Gadgets link


Override Gadget Location
Restrict unpacking and installation of gadgets that are not digitally signed.
Turn off desktop gadgets
Turn Off user-installed desktop gadgets
dow Manager
river Compatibility
tration (formerly Workplace Join)

Do not allow Digital Locker to run

<Ensure EMET is installed>


Default Action and Mitigation Settings
Deep Hooks:
Anti Detours:
Banned Functions:
Exploit Action:
Default Protections for Internet Explorer
Default Protections for Popular Software
Default Protections for Recommended Software
System ASLR
ASLR Setting:
System DEP
DEP Setting:
System SEHOP
SEHOP Setting:

Control Event Log behavior when the log file reaches its maximum size
Specify the maximum log file size (KB)
Maximum Log Size (KB)

Control Event Log behavior when the log file reaches its maximum size
Specify the maximum log file size (KB)
Maximum Log Size (KB)

Control Event Log behavior when the log file reaches its maximum size
Specify the maximum log file size (KB)
Maximum Log Size (KB)

Control Event Log behavior when the log file reaches its maximum size
Specify the maximum log file size (KB)
Maximum Log Size (KB)
Turn off Data Execution Prevention for Explorer
Turn off heap termination on corruption
Turn off shell protocol protected mode

Turn off downloading of game information


Turn off game updates

Prevent the computer from joining a homegroup

rmation Services

Turn off location

condary Authentication Factor


er Experience Virtualization

Disable remote Desktop Sharing


ess Protection

rmerly SkyDrive)
Prevent the usage of OneDrive for file storage
Prevent the usage of OneDrive for file storage on Windows 8.1

nchronization
erating System

ktop Services (formerly Terminal Services)

Desktop Connection Client


Do not allow passwords to be saved
teFX USB Device Redirection
Desktop Session Host
cation Compatibility

Allow users to connect remotely using Remote Desktop Services


e and Resource Redirection
Do not allow COM port redirection
Do not allow drive redirection
Do not allow LPT port redirection
Do not allow supported Plug and Play device redirection

r Redirection

nnection Broker
te Session Environment

Always prompt for password upon connection


Require secure RPC communication
Set client connection encryption level
Encryption Level:
on Time Limits
Set time limit for active but idle Remote Desktop Services sessions
Idle session limit:
Set time limit for disconnected sessions
End a disconnected session:
orary folders
Do not delete temp folders upon exit
Do not use temporary folders per session

Prevent downloading of enclosures

Allow indexing of encrypted files


Enable indexing uncached Exchange folders

tection Platform

stomer Experience Improvement Program


Join Microsoft MAPS
or Reporting
Disable logging
Disable Windows Error Reporting
Display Error Notification
Do not send additional data
d Error Reporting Settings

Configure Default consent


Consent level:
me Recording and Broadcasting
llo for Business (formerly Microsoft Passport for Work)
k Workspace

Allow user control over installs


Always install with elevated privileges
Prevent Internet Explorer security prompt for Windows Installer scripts
Prohibit non-administrators from applying vendor signed updates
gon Options
Report when logon server was not available during user logon

Turn off the communities features


Turn off Windows Mail application

edia Digital Rights Management


Prevent Windows Media DRM Internet Access

Do Not Show First Use Dialog Boxes


Prevent Automatic Updates
eeting Space

obility Center

Turn on PowerShell Script Block Logging


Turn on PowerShell Transcription
liability Analysis
mote Management (WinRM)

Allow Basic authentication


Allow unencrypted traffic
Disallow Digest authentication

Allow Basic authentication


Allow remote server management through WinRM
Allow unencrypted traffic
Disallow WinRM from storing RunAs credentials

Allow Remote Shell Access

stem Resource Manager

Configure Automatic Updates


Configure automatic updating:
Scheduled install day:
Do not adjust default option to 'Install Updates and Shut Down' in Shut Down Windows dialog box
Do not display 'Install Updates and Shut Down' option in Shut Down Windows dialog
No auto-restart with logged on users for scheduled automatic updates installations
Reschedule Automatic Updates scheduled installations
Wait after system startup (minutes):
Specify intranet Microsoft update service location
Set the intranet update service for detecting updates
Set the intranet statistics server
ndows Updates
Dark Gray = Setting not listed in this profile

CIS Win7 v1.2.0


Level 1 Value
(Desktop / Laptop)

24 or more passwords remembered


90 days or less
1 or more day(s)
8 or more character(s)
Enabled
Disabled

15 minute(s)
50 invalid logon attempt(s)
15 or more minute(s)

<No auditing>
<No auditing>
<No auditing>
<No auditing>
<No auditing>
<No auditing>
<No auditing>
<No auditing>
<No auditing>

<No One>
Administrators
Users
<No One>

<not defined>

Administrators
Users
<not defined>

<not defined>

<not defined>

Administrators
LOCAL SERVICE

Administrators
<No One>

<not defined>

<No One>
Administrators
Administrators
Guests

Guests

<not defined>

<No One>
Administrators
LOCAL SERVICE
NETWORK SERVICE
Administrators
LOCAL SERVICE
NETWORK SERVICE
SERVICE

<not defined>

Administrators
Administrators
<No One>
<not defined>
<not defined>
Administrators
<No One>
Administrators
Administrators
<not defined>
Administrators
NT SERVICE\WdiServiceHost
Administrators
Users
LOCAL SERVICE
NETWORK SERVICE
<not defined>
Administrators
Users
Administrators

<not defined>
Disabled
Enabled
any value that does not contain the term "admin"
any value that does not contain the term "guest"

Enabled
Disabled

Administrators and Interactive Users


Enabled / <not defined>
<not defined>
<not defined>
Enabled
Enabled
Enabled
Disabled
30 days
Enabled

Enabled
Disabled
<consistent with organization requirements>
<consistent with organization requirements>
2 logons
14 days
Enabled / Disabled
<not defined>
Lock Workstation
Enabled
Enabled
Disabled
15 minutes
Enabled
Enabled
Enabled
<not defined>
Disabled
Enabled
Enabled
Disabled
<not defined>

<not defined>

<not defined>

<not defined>
<not defined>
Classic - local users authenticate as themselves
<not defined>
<not defined>
Disabled

Enabled

Send NTLMv2 response only. Refuse LM


Negotiate signing
Require NTLMv2 session security
Require 128-bit encryption
Require NTLMv2 session security
Require 128-bit encryption

Disabled
<not defined>
<not defined>

User is prompted when the key is first used


<not defined>
<not defined>
Enabled

<not defined>
Enabled
Disabled
Prompt for credentials
Automatically deny elevation requests
Enabled

Enabled
Enabled
Enabled
Enabled
On
Block

Yes

No

<not defined>
<not defined>

On
Block

Yes

No

<not defined>
<not defined>
On
Block

No

No

No
No

Success

Success
<No auditing>

Success

Success

Success

Success

Success

Success

Success
<No auditing>

<No auditing>

Success and Failure

Success

<No auditing>
Success and Failure

Success and Failure

Success and Failure

Success and Failure

Disabled
<not defined>
<not defined>
<not defined>
<not defined>
<not defined>
<not defined>
<not defined>
<not defined>

Multicast, broadcast, & ISAKMP exempt (best for Windows XP).


Enabled
<not defined>
<not defined>
Enabled
Enabled
0 seconds
<not defined>
<not defined>
<not defined>
<not defined>
Enabled
90% or less


Enabled

TRUE (checked)

Enabled

Enabled

Enabled

Enabled

Enabled
Enabled

<not defined>

<not configured>
<not configured>

Enabled
Enabled

<not defined>
<not defined>

<not defined>
Enabled
Authenticated


Enabled
All Drives








<not configured>
<not configured>
Disabled
Enabled
32,768 KB or greater

Disabled
Enabled
81,920 KB or greater

Disabled
Enabled
32,768 KB or greater
Disabled

Enabled / <not defined>

Enabled

<not configured>
<not configured>

Enabled

Enabled
High Level
<not defined>

Enabled
3 - Auto download and notify for install



Disabled
Disabled
Enabled
Blue = Different Desktop / Laptop settings

CIS Win7 v1.2.0


Level 2 Value
(Desktop / Laptop)

24 or more passwords remembered


90 days or less
1 or more day(s)
12 or more character(s)
Enabled
Disabled

15 minute(s)
10 invalid logon attempt(s)
15 or more minute(s)

<No auditing>
<No auditing>
<No auditing>
<No auditing>
<No auditing>
<No auditing>
<No auditing>
<No auditing>
<No auditing>

<No One>
Administrators
Users
<No One>

Administrators
LOCAL SERVICE
NETWORK SERVICE
Administrators
Users
<No One>

Administrators

Administrators
LOCAL SERVICE
NETWORK SERVICE
Users
Administrators
LOCAL SERVICE

Administrators
<No One>

Administrators
LOCAL SERVICE
NETWORK SERVICE
SERVICE
<No One>
Administrators
<No One>
Guests

Guests

Everyone

<No One>
Administrators
LOCAL SERVICE
NETWORK SERVICE
Administrators
LOCAL SERVICE
NETWORK SERVICE
SERVICE

Administrators
LOCAL SERVICE
Administrators
Administrators
<No One>
Administrators
<No One>
Administrators
<No One>
Administrators
Administrators
Administrators
Administrators
NT SERVICE\WdiServiceHost
Administrators
Users
LOCAL SERVICE
NETWORK SERVICE
Administrators
Administrators
Users
Administrators

Disabled
Disabled
Enabled
any value that does not contain the term "admin"
any value that does not contain the term "guest"

Enabled
Disabled

Administrators
Enabled / <not defined>
Enabled
Enabled
Enabled
Enabled
Enabled
Disabled
30 days
Enabled

Enabled
Disabled
<consistent with organization requirements>
<consistent with organization requirements>
0 logons / 2 logons
14 days
Enabled / Disabled
Enabled
Lock Workstation
Enabled
Enabled
Disabled
15 minutes
Enabled
Enabled
Enabled
Accept if provided by client
Disabled
Enabled
Enabled

Disabled
<None> (blank)

System\CurrentControlSet\Control\ProductOptions
System\CurrentControlSet\Control\Server Applications
Software\Microsoft\Windows NT\CurrentVersion

System\CurrentControlSet\Control\Print\Printers
System\CurrentControlSet\Services\Eventlog
Software\Microsoft\OLAP Server
Software\Microsoft\Windows NT\CurrentVersion\Print
Software\Microsoft\Windows NT\CurrentVersion\Windows
System\CurrentControlSet\Control\ContentIndex
System\CurrentControlSet\Control\Terminal Server
System\CurrentControlSet\Control\Terminal Server\UserConfig
System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration
Software\Microsoft\Windows NT\CurrentVersion\Perflib
System\CurrentControlSet\Services\SysmonLog

Enabled
<None> (blank)
Classic - local users authenticate as themselves
Enabled
Disabled
Disabled

Enabled

Send NTLMv2 response only. Refuse LM & NTLM


Negotiate signing
Require NTLMv2 session security
Require 128-bit encryption
Require NTLMv2 session security
Require 128-bit encryption

Disabled
Disabled
Disabled

User must enter a password each time they use a key


Enabled
Enabled
Enabled

Enabled
Enabled
Disabled
Prompt for credentials
Automatically deny elevation requests
Enabled

Enabled
Enabled
Enabled
Enabled
On
Block

No

No

No
No

On
Block

No

No

No
No
On
Block

No

No

No
No

Success and Failure

Success and Failure


<No auditing>

Success and Failure

Success and Failure

Success and Failure

Success

Success

Success and Failure

Success
Failure

Failure

Success and Failure

Success

Success and Failure


Success and Failure

Success and Failure

Success and Failure

Success and Failure

Disabled

Enabled
Highest protection, source routing is completely disabled
Enabled
Highest protection, source routing is completely disabled

Disabled
Enabled
Enabled
300,000 or 5 minutes (recommended)

Multicast, broadcast, & ISAKMP exempt (best for Windows XP).


Enabled
Enabled
Disabled
Enabled
Enabled
0 seconds
Enabled
3
Enabled
3
Enabled
90% or less
Enabled

TRUE (checked)

Enabled

Enabled

Enabled

Enabled

Enabled
Enabled

Enabled

Enabled
Enabled

Enabled
Enabled

Disabled
Disabled

Enabled
Enabled
Authenticated

he Windows Online Troubleshooting Service - WOTS)


Enabled
All Drives
Disabled
Enabled
Disabled
Enabled
32,768 KB or greater

Disabled
Enabled
81,920 KB or greater

Disabled
Enabled
32,768 KB or greater
Disabled

Enabled

Enabled

Disabled
Enabled

Enabled

Enabled
High Level
Disabled

Enabled
3 - Auto download and notify for install

Disabled
Disabled
Enabled
CIS Win7 v2.1.0 - Value

24 passwords remembered
60 days or less
1 day or greater
14 characters
Enabled
Disabled

15 minute(s) or greater
6 invalid logon attempt(s) or fewer
15 minute(s) or greater

No One
Users
Administrators
No One
Administrators
Local Service
Network Service
Administrators
Users
<consistent with organization requirements>

<consistent with organization requirements>

Administrators
LOCAL SERVICE
NETWORK SERVICE
Users
LOCAL SERVICE
Administrators
LOCAL SERVICE
Administrators
Users
Administrators
<consistent with organization requirements>
Administrators
SERVICE
LOCAL SERVICE
NETWORK SERVICE
<consistent with organization requirements>
<consistent with organization requirements>
Administrators

Guests

Guests
<consistent with organization requirements>
Guests

No One
Administrators
Local Service
Network Service

Administrators
SERVICE
Local Service
Network Service

Administrators
Local Service
Administrators
Administrators
No One
<consistent with organization requirements>
<consistent with organization requirements>
Administrators
<consistent with organization requirements>
Administrators
Administrators
<consistent with organization requirements>
Administrators
NT SERVICE\WdiServiceHost
Administrators
Users
Local Service
Network Service
<consistent with organization requirements>
Administrators
Users
Administrators

Disabled
Disabled
Enabled

<consistent with organization requirements>


<consistent with organization requirements>
Enabled
Disabled
<consistent with organization requirements>
Administrators and Interactive Users
Enabled

Enabled
Enabled
Enabled
Disabled
30 days
Enabled
<consistent with organization requirements>
Enabled
Disabled
<consistent with organization requirements>
<consistent with organization requirements>
2 logons
14 days
Enabled
<consistent with organization requirements>
Lock Workstation
Enabled
Enabled
Disabled
15 minutes
Enabled
Enabled
Enabled
<consistent with organization requirements>
Disabled
Enabled
Enabled
<consistent with organization requirements>
Disabled
<consistent with organization requirements>

System\CurrentControlSet\Control\Print\Printers
System\CurrentControlSet\Services\Eventlog
Software\Microsoft\OLAP Server
Software\Microsoft\Windows NT\CurrentVersion\Print
Software\Microsoft\Windows NT\CurrentVersion\Windows
System\CurrentControlSet\Control\ContentIndex
System\CurrentControlSet\Control\Terminal Server
System\CurrentControlSet\Control\Terminal Server\UserConfig
System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration
Software\Microsoft\Windows NT\CurrentVersion\Perflib
System\CurrentControlSet\Services\SysmonLog

Enabled
<None> (blank)
Classic - local users authenticate as themselves
<consistent with organization requirements>
<consistent with organization requirements>
<consistent with organization requirements>

<consistent with organization requirements>

Enabled
<consistent with organization requirements>
Send NTLMv2 response only. Refuse LM & NTLM.
Negotiate signing
Require NTLMv2 session security
Require 128-bit encryption
Require NTLMv2 session security
Require 128-bit encryption
<consistent with organization requirements>
<consistent with organization requirements>
<consistent with organization requirements>
<consistent with organization requirements>
<consistent with organization requirements>
<consistent with organization requirements>
<consistent with organization requirements>
Disabled
<consistent with organization requirements>
<consistent with organization requirements>
Disabled
<consistent with organization requirements>
<consistent with organization requirements>
Enabled
Enabled
<consistent with organization requirements>
<consistent with organization requirements>
Enabled
Disabled
Prompt for credentials
Automatically deny elevation requests
Enabled
Disabled
Enabled
Enabled
Enabled
Enabled
On (recommended)
Block (default)
Allow (default)

Yes

No

Yes (default)
Yes (default)

On (recommended)
Block (default)
Allow (default)

Yes

No

Yes (default)
Yes (default)
On (recommended)
Block (default)
Allow (default)

No

No

Yes (default)
No

Success and Failure

<no auditing>

<no auditing>

<no auditing>

<no auditing>

Success
<no auditing>

Success and Failure

Success and Failure

Success and Failure

<no auditing>

Success

<no auditing>

<no auditing>

<no auditing>

<no auditing>

<no auditing>

<no auditing>

<no auditing>

<no auditing>

<no auditing>

<no auditing>

Success

Success and Failure

<no auditing>

<no auditing>

Success
<no auditing>

<no auditing>

<no auditing>

<no auditing>

<no auditing>

<no auditing>

<no auditing>
<no auditing>

<no auditing>

<no auditing>

<no auditing>

<no auditing>

Success and Failure

Success

<no auditing>

<no auditing>

<no auditing>

<no auditing>

<no auditing>

<no auditing>

Success and Failure


Success and Failure

<no auditing>

Success and Failure

Success and Failure

Success and Failure

Disabled
<consistent with organization requirements>
Enabled
Highest protection, source routing is completely disabled
Enabled
Highest protection, source routing is completely disabled

<consistent with organization requirements>

<consistent with organization requirements>

Enabled
Enabled
0 seconds
<consistent with organization requirements>
<consistent with organization requirements>
<consistent with organization requirements>
<consistent with organization requirements>
Enabled
90%
Enabled
FALSE (unchecked)
TRUE (checked)

Enabled

Enabled

Enabled

Enabled

Enabled
Enabled

Enabled

<consistent with organization requirements>


<consistent with organization requirements>

Disabled (but only in BitLocker profile)


Disabled (but only in BitLocker profile)
Enabled
Enabled

Disabled
Disabled

Enabled
Enabled
Authenticated
Enabled
All Drives

Enabled
AES 256-bit with Diffuser

Disabled
Enabled
1
Do not allow 48-digit recovery password
Do not allow 256-bit recovery key
1
0
Backup recovery passwords and key packages
0
Disabled
Enabled
1
Enabled
Enabled
0
Require 48-digit recovery password
Do not allow 256-bit recovery key
1
1
Store recovery passwords and key packages
1
Enabled
7 characters
Enabled
0
Do not allow TPM
Require startup PIN with TPM
Do not allow startup key with TPM
Do not allow startup key and PIN with TPM

Disabled
Enabled
1
Do not allow 48-digit recovery password
Do not allow 256-bit recovery key
1
0
Backup recovery passwords and key packages
0
Disabled
Enabled
1
Enabled
1

Disabled
<consistent with organization requirements>
Enabled
32,768
Disabled

Enabled
81,920
Disabled

Enabled
32,768
Disabled
Disabled

<consistent with organization requirements>


Enabled

Enabled

Enabled
High Level
Enabled

Enabled
3 - Auto download and notify for install

Disabled
Disabled
Disabled
Enabled
1 minute
<consistent with organization requirements>
<consistent with organization requirements>
<consistent with organization requirements>
CIS Win7 v3.0.1 - Level 1 Value

24 or more password(s)
60 or fewer days, but not 0
1 or more day(s)
14 or more character(s)
Enabled
Disabled

15 or more minute(s)
10 or fewer invalid logon attempt(s), but not 0
15 or more minute(s)

<No One>
Administrators

<No One>

Administrators
LOCAL SERVICE
NETWORK SERVICE
Administrators
Users
Administrators
Remote Desktop Users
Administrators

Administrators
LOCAL SERVICE
Administrators
LOCAL SERVICE
Users
Administrators
<No One>

Administrators
LOCAL SERVICE
NETWORK SERVICE
SERVICE
<No One>
Administrators
Administrators
Must include both "Guests" group and "Local account" at a minimum
Must include "Guests" group at a minimum
Must include "Guests" group at a minimum
Must include "Guests" group at a minimum
Must include both "Guests" group and "Local account" at a minimum
<No One>
Administrators
LOCAL SERVICE
NETWORK SERVICE
Administrators
LOCAL SERVICE
NETWORK SERVICE
SERVICE

Administrators
Administrators
<No One>

Administrators
<No One>
Administrators
Administrators
Administrators
Administrators
NT SERVICE\WdiServiceHost

LOCAL SERVICE
NETWORK SERVICE
Administrators
Administrators
Users
Administrators

Disabled
Disabled
Enabled
<consistent with organization requirements>
<consistent with organization requirements>

Enabled
Disabled

Administrators and Interactive Users

Enabled
Enabled
Enabled
Disabled
30 or fewer days, but not 0
Enabled

Enabled
Disabled
<non-empty - consistent with organization requirements>
<non-empty - consistent with organization requirements>

Between 5 and 14 days

'Lock Workstation' or higher


Enabled
Enabled
Disabled
15 or fewer minute(s), but not 0
Enabled
Enabled
Enabled
'Accept if provided by client' or higher
Disabled
Enabled
Enabled
Enabled
Disabled
<None> (blank)

System\CurrentControlSet\Control\ProductOptions
System\CurrentControlSet\Control\Server Applications
Software\Microsoft\Windows NT\CurrentVersion

System\CurrentControlSet\Control\Print\Printers
System\CurrentControlSet\Services\Eventlog
Software\Microsoft\OLAP Server
Software\Microsoft\Windows NT\CurrentVersion\Print
Software\Microsoft\Windows NT\CurrentVersion\Windows
System\CurrentControlSet\Control\ContentIndex
System\CurrentControlSet\Control\Terminal Server
System\CurrentControlSet\Control\Terminal Server\UserConfig
System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration
Software\Microsoft\Windows NT\CurrentVersion\Perflib
System\CurrentControlSet\Services\SysmonLog

Enabled
<None> (blank)
Classic - local users authenticate as themselves
Enabled
Disabled
Disabled

RC4_HMAC_MD5
AES128_HMAC_SHA1
AES256_HMAC_SHA1
Future encryption types
Enabled
Enabled
Send NTLMv2 response only. Refuse LM & NTLM
'Negotiate signing' or higher
Require NTLMv2 session security
Require 128-bit encryption
Require NTLMv2 session security
Require 128-bit encryption

Enabled
Enabled
<None> (blank)

Enabled
Disabled
Prompt for consent on the secure desktop
Automatically deny elevation requests
Enabled

Enabled
Enabled
Enabled
Enabled
On (recommended)
Block (default)
Allow (default)

No

Yes (default)
Yes (default)

%SYSTEMROOT%\System32\logfiles\firewall\domainfw.log
16,384 KB or greater
Yes
Yes

On (recommended)
Block (default)
Allow (default)

No

Yes (default)
Yes (default)

%SYSTEMROOT%\System32\logfiles\firewall\privatefw.log
16,384 KB or greater
Yes
Yes
On (recommended)
Block (default)
Allow (default)

Yes

No
No

%SYSTEMROOT%\System32\logfiles\firewall\publicfw.log
16,384 KB or greater
Yes
Yes

Success and Failure

Success and Failure

Success and Failure


Success and Failure

Success and Failure

Success and Failure

Success

Success

Success

Success and Failure

Success and Failure

Success
Success and Failure

Success

Success and Failure


Success and Failure

Success and Failure

Success

Success and Failure

Success and Failure

<Ensure LAPS CSE is installed>


Enabled
Enabled
Enabled
Large letters + small letters + numbers + specials
15 or more
30 or fewer

Disabled

Enabled
Highest protection, source routing is completely disabled
Enabled
Highest protection, source routing is completely disabled

Disabled

Enabled

Enabled
Enabled
5 or fewer seconds

Enabled
90% or less

Enabled
Enabled

\\*\NETLOGON RequireMutualAuthentication=1, RequireIntegrity=1
\\*\SYSVOL RequireMutualAuthentication=1, RequireIntegrity=1
Enabled
Disabled

Disabled

Disabled

Enabled (but only in BitLocker profile)


<GUID for SBP-2 drive> (only in BitLocker profile)
TRUE (checked) (only in BitLocker profile)
Enabled
FALSE (unchecked)
TRUE (checked)
Disabled

Enabled

Disabled (but only in BitLocker profile)


Disabled (but only in BitLocker profile)
Enabled
Enabled

Disabled
Disabled

Enabled
Enabled
Authenticated
Enabled
Enabled
Do not execute any autorun commands
Enabled
All Drives

Enabled
AES 256-bit with Diffuser

Disabled
Enabled
1
Allow 48-digit recovery password
Allow 256-bit recovery key
1
0
Backup recovery passwords and key packages
0
Disabled
Enabled
1
Enabled
Enabled
0
Require 48-digit recovery password
Do not allow 256-bit recovery key
1
1
Store recovery passwords and key packages
1
Enabled
7 or more characters
Enabled
0
Do not allow TPM
Require startup PIN with TPM
Do not allow startup key with TPM
Do not allow startup key and PIN with TPM

Disabled
Enabled
1
Do not allow 48-digit recovery password
Do not allow 256-bit recovery key
1
0
Backup recovery passwords and key packages
0
Disabled
Enabled
1
Enabled
0

Enabled
Disabled
Enabled
Enabled

<Ensure EMET 5.51 or higher is installed>


Enabled
Enabled
Enabled
Enabled
User Configured
Enabled
Enabled
Enabled
Enabled
Application Opt-In
Enabled
Application Opt-Out
Enabled
Application Opt-Out

Disabled
Enabled
32,768 KB or greater

Disabled
Enabled
196,608 KB or greater

Disabled
Enabled
32,768 KB or greater

Disabled
Enabled
32,768 KB or greater
Disabled
Disabled
Disabled

Enabled

Enabled
Enabled

Enabled
Enabled
Enabled
High Level

Disabled
Disabled

Enabled

Disabled
Enabled
Always ask before sending data

Disabled
Disabled

Disabled
Disabled

Disabled
Disabled
Enabled

Disabled
Disabled
Enabled

Enabled

0 - Every day
Disabled
Disabled
Disabled
Enabled
1 minute
CIS Win7 v3.0.1 - Level 2 Value
Administrators
<No One>
Enabled

4 or fewer logon(s)
'User is prompted when the key is first used' or higher
Enabled

Enabled
300,000 or 5 minutes (recommended)

Disabled
Enabled
3
Enabled
3

Disabled
Disabled

Enabled
0xff (255)

Disabled
Enabled

Enabled (but only in BitLocker profile)


<GUID for SBP-2 drive> (only in BitLocker profile)
TRUE (checked) (only in BitLocker profile)
Enabled

Enabled
Enabled
Enabled
Enabled
Enabled
Enabled
Enabled
Enabled
Enabled
Enabled
Enabled
Enabled
Enabled

Disabled (but only in BitLocker profile)


Disabled (but only in BitLocker profile)
Disabled

Disabled
Enabled
Disabled

Enabled
AES 256-bit with Diffuser

Disabled
Enabled
1
Allow 48-digit recovery password
Allow 256-bit recovery key
1
0
Backup recovery passwords and key packages
0
Disabled
Enabled
1
Enabled
Enabled
0
Require 48-digit recovery password
Do not allow 256-bit recovery key
1
1
Store recovery passwords and key packages
1
Enabled
7 or more characters
Enabled
0
Do not allow TPM
Require startup PIN with TPM
Do not allow startup key with TPM
Do not allow startup key and PIN with TPM

Disabled
Enabled
1
Do not allow 48-digit recovery password
Do not allow 256-bit recovery key
1
0
Backup recovery passwords and key packages
0
Disabled
Enabled
1
Enabled
0
Enabled

Enabled
Enabled

Disabled

Enabled
Enabled
Enabled

Enabled
15 minutes or less
Enabled
1 minute
Disabled

Disabled

Disabled
Disabled
USGCB Win7 v1.2.0 - Value / Notes

24 passwords remembered
60 days
1 day
12 characters
Enabled
Disabled

15 minute(s)
5 invalid logon attempts
15 minute(s)

Administrators

<No One>

Administrators
LOCAL SERVICE
NETWORK SERVICE
Administrators
Users
Administrators
Remote Desktop Users
Administrators

Administrators
LOCAL SERVICE
NETWORK SERVICE
Users
Administrators
LOCAL SERVICE
Administrators
LOCAL SERVICE
Users
Administrators
<No One>

Administrators
LOCAL SERVICE
NETWORK SERVICE
SERVICE
<No One>
Administrators
Administrators
Guests Vista and 2008 (non-R2) do not support "Local account" (KB

Guests
<No One>
Guests

Guests Vista and 2008 (non-R2) do not support "Local account" (KB

Administrators
LOCAL SERVICE
NETWORK SERVICE
Administrators
LOCAL SERVICE
NETWORK SERVICE
SERVICE

Administrators
LOCAL SERVICE
Administrators
Administrators
<No One>
<No One>
<No One>
Administrators
<No One>
Administrators
Administrators
Administrators
Administrators
NT SERVICE\WdiServiceHost
Administrators
Users
LOCAL SERVICE
NETWORK SERVICE
Administrators
Administrators
Users
Administrators

Disabled
Disabled
Enabled
Renamed_Admin
Renamed_Guest
Disabled
Disabled
Enabled

Disabled
Disabled
Disabled
Enabled
Enabled
Enabled
Disabled
30 days
Enabled

Enabled
Disabled
<non-empty - consistent with organization requirements>
<non-empty - consistent with organization requirements>
2
14 days
Disabled

Lock Workstation
Enabled
Enabled
Disabled
15 minutes
Enabled
Enabled
Enabled
Accept if provided by client
Disabled
Enabled
Enabled
Enabled
Disabled
<None> (blank)

System\CurrentControlSet\Control\ProductOptions
System\CurrentControlSet\Control\Server Applications
Software\Microsoft\Windows NT\CurrentVersion

System\CurrentControlSet\Control\Print\Printers
System\CurrentControlSet\Services\Eventlog
Software\Microsoft\OLAP Server
Software\Microsoft\Windows NT\CurrentVersion\Print
Software\Microsoft\Windows NT\CurrentVersion\Windows
System\CurrentControlSet\Control\ContentIndex
System\CurrentControlSet\Control\Terminal Server
System\CurrentControlSet\Control\Terminal Server\UserConfig
System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration
Software\Microsoft\Windows NT\CurrentVersion\Perflib
System\CurrentControlSet\Services\SysmonLog

Enabled
<None> (blank)
Classic - local users authenticate as themselves
Enabled
Disabled
Disabled

RC4_HMAC_MD5
AES128_HMAC_SHA1
AES256_HMAC_SHA1
Future encryption types
Enabled
Enabled
Send NTLMv2 response only. Refuse LM & NTLM
Negotiate signing
Require NTLMv2 session security
Require 128-bit encryption
Require NTLMv2 session security
Require 128-bit encryption

Disabled
Disabled
Enabled
Disabled

Enabled
Enabled
Enabled

Enabled
Disabled
Prompt for consent
Prompt for credentials on the secure desktop
Enabled
Disabled
Enabled
Enabled
Enabled
Enabled

Disabled
Disabled
Disabled
Disabled
Disabled
Disabled
Disabled
Disabled
Disabled
Disabled
Disabled
Disabled
Disabled
Disabled

On (recommended)
Block (default)
Allow (default)

Yes (default)

No

No
No

%SYSTEMROOT%\System32\logfiles\firewall\domainfirewall.log
16,384 KB
Yes
Yes

On (recommended)
Block (default)
Allow (default)

Yes (default)

No

No
No

%SYSTEMROOT%\System32\logfiles\firewall\privatefirewall.log
16,384 KB
Yes
Yes
On (recommended)
Block (default)
Allow (default)

Yes

No

No
No

%SYSTEMROOT%\System32\logfiles\firewall\publicfirewall.log
16,384 KB
Yes
Yes

Enabled - Yes
Enabled - Yes

Success and Failure Advanced Audit Policy Settings can only be applied to Vista

<no auditing> Advanced Audit Policy Settings can only be applied to Vista

<no auditing> Advanced Audit Policy Settings can only be applied to Vista

<no auditing> Advanced Audit Policy Settings can only be applied to Vista

<no auditing> Advanced Audit Policy Settings can only be applied to Vista

Success and Failure Advanced Audit Policy Settings can only be applied to Vista
<no auditing> Advanced Audit Policy Settings can only be applied to Vista

Success and Failure Advanced Audit Policy Settings can only be applied to Vista

Success and Failure Advanced Audit Policy Settings can only be applied to Vista

Success and Failure Advanced Audit Policy Settings can only be applied to Vista

<no auditing> Advanced Audit Policy Settings can only be applied to Vista

Success Advanced Audit Policy Settings can only be applied to Vista

<no auditing> Advanced Audit Policy Settings can only be applied to Vista

<no auditing> Advanced Audit Policy Settings can only be applied to Vista

<no auditing> Advanced Audit Policy Settings can only be applied to Vista

<no auditing> Advanced Audit Policy Settings can only be applied to Vista

<no auditing> Advanced Audit Policy Settings can only be applied to Vista

<no auditing> Advanced Audit Policy Settings can only be applied to Vista

<no auditing> Advanced Audit Policy Settings can only be applied to Vista

<no auditing> Advanced Audit Policy Settings can only be applied to Vista

<no auditing> Advanced Audit Policy Settings can only be applied to Vista

<no auditing> Advanced Audit Policy Settings can only be applied to Vista

Success Advanced Audit Policy Settings can only be applied to Vista

Success and Failure Advanced Audit Policy Settings can only be applied to Vista

<no auditing> Advanced Audit Policy Settings can only be applied to Vista

<no auditing> Advanced Audit Policy Settings can only be applied to Vista

Success Advanced Audit Policy Settings can only be applied to Vista


<no auditing> Advanced Audit Policy Settings can only be applied to Vista

<no auditing> Advanced Audit Policy Settings can only be applied to Vista

<no auditing> Advanced Audit Policy Settings can only be applied to Vista

<no auditing> Advanced Audit Policy Settings can only be applied to Vista

Failure Advanced Audit Policy Settings can only be applied to Vista

<no auditing> Advanced Audit Policy Settings can only be applied to Vista

<no auditing> Advanced Audit Policy Settings can only be applied to Vista
<no auditing> Advanced Audit Policy Settings can only be applied to Vista

<no auditing> Advanced Audit Policy Settings can only be applied to Vista

<no auditing> Advanced Audit Policy Settings can only be applied to Vista

Failure Advanced Audit Policy Settings can only be applied to Vista

<no auditing> Advanced Audit Policy Settings can only be applied to Vista

Success and Failure Advanced Audit Policy Settings can only be applied to Vista

Success Advanced Audit Policy Settings can only be applied to Vista

<no auditing> Advanced Audit Policy Settings can only be applied to Vista

<no auditing> Advanced Audit Policy Settings can only be applied to Vista

<no auditing> Advanced Audit Policy Settings can only be applied to Vista

<no auditing> Advanced Audit Policy Settings can only be applied to Vista

<no auditing> Advanced Audit Policy Settings can only be applied to Vista

<no auditing> Advanced Audit Policy Settings can only be applied to Vista

Success and Failure Advanced Audit Policy Settings can only be applied to Vista
Success and Failure Advanced Audit Policy Settings can only be applied to Vista

<no auditing> Advanced Audit Policy Settings can only be applied to Vista

Success and Failure Advanced Audit Policy Settings can only be applied to Vista

Success and Failure Advanced Audit Policy Settings can only be applied to Vista

Success and Failure Advanced Audit Policy Settings can only be applied to Vista

<no auditing> Advanced Audit Policy Settings can only be applied to Vista

<no auditing> Advanced Audit Policy Settings can only be applied to Vista

This category requires installing the AdmPwd.admx/adml te

This setting requires installing the AdmPwd.admx/adml tem


This setting requires installing the AdmPwd.admx/adml tem
This setting requires installing the AdmPwd.admx/adml tem
This setting requires installing the AdmPwd.admx/adml tem
This setting requires installing the AdmPwd.admx/adml tem
This setting requires installing the AdmPwd.admx/adml tem
This category requires installing the MSS-Legacy.admx/adm
This setting requires installing the MSS-Legacy.admx/adml t

Enabled This setting requires installing the MSS-Legacy.admx/adml t


Highest protection, source routing is completely disabled This setting requires installing the MSS-Legacy.admx/adml t
Enabled This setting requires installing the MSS-Legacy.admx/adml t
Highest protection, source routing is completely disabled This setting requires installing the MSS-Legacy.admx/adml t
This setting requires installing the MSS-Legacy.admx/adml t
Disabled This setting requires installing the MSS-Legacy.admx/adml t
Enabled
Enabled This setting requires installing the MSS-Legacy.admx/adml t
300,000 or 5 minutes (recommended) This setting requires installing the MSS-Legacy.admx/adml t

Multicast, broadcast, & ISAKMP exempt (best for Windows XP).


Enabled This setting requires installing the MSS-Legacy.admx/adml t

Disabled This setting requires installing the MSS-Legacy.admx/adml t


Enabled This setting requires installing the MSS-Legacy.admx/adml t
Enabled This setting requires installing the MSS-Legacy.admx/adml t
5 seconds This setting requires installing the MSS-Legacy.admx/adml t
Enabled This setting requires installing the MSS-Legacy.admx/adml t
3 This setting requires installing the MSS-Legacy.admx/adml t
Enabled This setting requires installing the MSS-Legacy.admx/adml t
3 This setting requires installing the MSS-Legacy.admx/adml t
Enabled This setting requires installing the MSS-Legacy.admx/adml t
90% This setting requires installing the MSS-Legacy.admx/adml t

This category requires installing the GroupPolicy.admx/adm

This category requires installing the lanmanworkstation.adm

Disabled
Disabled

Enabled

Enabled
Enabled New setting in Windows 7 / Server 2008 R2
Enabled
Enabled State

This category requires installing the networkprovider.admx/

This setting requires installing the networkprovider.admx/a

Enabled
Disabled State
Enabled
Disabled State
Enabled
Disabled State
Enabled
Disabled State

This setting requires installing the Disable-IPv6-Components

Disabled
Enabled

Disabled
This category requires installing the PtH.admx/adml templa
This setting requires installing the PtH.admx/adml template
Does not apply to Windows Vista / Server 2008 - This setting

This category requires installing the appv.admx/adml templ

New setting in Windows 8.1 / Server 2012 R2, but retroactiv

This category requires installing the deviceguard.admx/adm

Disabled
Enabled
Disabled
Enabled
Enabled
Do not search Windows Update

Only applies to BitLocker - See http://support.microsoft.com


Only applies to BitLocker - See http://support.microsoft.com
Only applies to BitLocker - See http://support.microsoft.com
This category requires installing the DeviceRedirection.admx

This category requires installing the EnhancedStorage.admx

This category requires installing the FileServerVSSAgent.adm


Enabled

TRUE (checked)

Enabled
Disabled
Enabled New setting in Windows 7 / Server 2008 R2 - This setting req
Enabled
Enabled
Enabled
Enabled
Enabled
Enabled
Enabled
Enabled
Enabled
Enabled

Enabled This setting also triggers "Disable Windows Error Reporting"

Enabled

Enabled
This category requires installing the GroupPolicy.admx/adm

This category requires installing the Power.admx/adml temp

Only applies to BitLocker


Only applies to BitLocker
Enabled
Enabled
Enabled
3600
Enabled
3600

Enabled
1200
Enabled
1200

Disabled
Disabled
Enabled

Enabled
Enabled
Authenticated

Disabled

This category requires installing the sdiagschd.admx/adml t

Disabled

Disabled
Enabled
Local approved server, not "time.windows.com"

This category requires installing the WindowsAnytimeUpgra


Enabled Formerly known as "Prevent Windows Anytime Upgrade fro

Enabled Formerly known as "Turn off Program Inventory"

Enabled New setting in Windows 7 / Server 2008 R2


Enabled
Do not execute any autorun commands
Enabled
All Drives

New setting in Windows 7 / Server 2008 R2


New setting in Windows 7 / Server 2008 R2
New setting in Windows 7 / Server 2008 R2

New setting in Windows 7 / Server 2008 R2


New setting in Windows 7 / Server 2008 R2
New setting in Windows 7 / Server 2008 R2
New setting in Windows 7 / Server 2008 R2
New setting in Windows 7 / Server 2008 R2
New setting in Windows 7 / Server 2008 R2
New setting in Windows 7 / Server 2008 R2
New setting in Windows 7 / Server 2008 R2
New setting in Windows 7 / Server 2008 R2
New setting in Windows 7 / Server 2008 R2
New setting in Windows 7 / Server 2008 R2

New setting in Windows 7 / Server 2008 R2


New setting in Windows 7 / Server 2008 R2
New setting in Windows 7 / Server 2008 R2
New setting in Windows 7 / Server 2008 R2
New setting in Windows 7 / Server 2008 R2
New setting in Windows 7 / Server 2008 R2
New setting in Windows 7 / Server 2008 R2
New setting in Windows 7 / Server 2008 R2
New setting in Windows 7 / Server 2008 R2
New setting in Windows 7 / Server 2008 R2
New setting in Windows 7 / Server 2008 R2
New setting in Windows 7 / Server 2008 R2
New setting in Windows 7 / Server 2008 R2

New setting in Windows 7 / Server 2008 R2


New setting in Windows 7 / Server 2008 R2
New setting in Windows 7 / Server 2008 R2

New setting in Windows 7 / Server 2008 R2


New setting in Windows 7 / Server 2008 R2
New setting in Windows 7 / Server 2008 R2
New setting in Windows 7 / Server 2008 R2
New setting in Windows 7 / Server 2008 R2
New setting in Windows 7 / Server 2008 R2
New setting in Windows 7 / Server 2008 R2
New setting in Windows 7 / Server 2008 R2
New setting in Windows 7 / Server 2008 R2
New setting in Windows 7 / Server 2008 R2
This category requires installing the Camera.admx/adml tem

This category requires installing the WirelessDisplay.admx/a

New setting in Windows 8 / Server 2012, but also applies to IE10 and above


Disabled

This category requires installing the allowbuildpreview.admx/adml and datacollection.admx/adml template files from the Windows 10 Administrative Templates to access


This category requires installing the DeliveryOptimization.admx/adml template files from the Windows 10 Administrative Templates to access

Enabled This setting does not exist in Windows 10 R1511 administrative templates


about:blank This setting does not exist in Windows 10 R1511 administrative templates
Enabled

Enabled

This category requires installing the WorkplaceJoin.admx/adml template files from the Windows 10 Administrative Templates to access

Enabled

This category requires installing the EMET.admx/adml template files from EMET 5.5 to access

This setting requires installing the EMET.admx/adml template files from EMET 5.5 to access


This setting requires installing the EMET.admx/adml template files from EMET 5.5 to access
This setting requires installing the EMET.admx/adml template files from EMET 5.5 to access
This setting requires installing the EMET.admx/adml template files from EMET 5.5 to access
This setting requires installing the EMET.admx/adml template files from EMET 5.5 to access
This setting requires installing the EMET.admx/adml template files from EMET 5.5 to access
This setting requires installing the EMET.admx/adml template files from EMET 5.5 to access
This setting requires installing the EMET.admx/adml template files from EMET 5.5 to access
This setting requires installing the EMET.admx/adml template files from EMET 5.5 to access
This setting requires installing the EMET.admx/adml template files from EMET 5.5 to access
This setting requires installing the EMET.admx/adml template files from EMET 5.5 to access
This setting requires installing the EMET.admx/adml template files from EMET 5.5 to access
This setting requires installing the EMET.admx/adml template files from EMET 5.5 to access
This setting requires installing the EMET.admx/adml template files from EMET 5.5 to access

This is "Retain old events" renamed


Enabled
32,768 KB

This is "Retain old events" renamed


Enabled
81,920 KB

This is "Retain old events" renamed


Enabled
32,768 KB

This is "Retain old events" renamed


Enabled
32,768 KB
This category requires installing the eventlogging.admx/adml template files from the Windows 10 Administrative Templates to access
Disabled New setting in Windows 7 / Server 2008 R2
Disabled
Disabled

Enabled
Enabled

Enabled New setting in Windows 7 / Server 2008 R2

This category requires installing the microsoftedge.admx/adml template files from the Windows 10 Administrative Templates to access

This category requires installing the microsoftedge.admx/adml template files from the Windows 10 Administrative Templates to access

Enabled

Enabled

Disabled
Enabled

Enabled
High Level

Enabled
15 minutes
Enabled
1 minute

Disabled
Disabled

Enabled
This category requires installing the Search.admx/adml template files from the Windows Vista/2008, 7/2008R2, 8/2012, 8.1/2012R2 or 10 Administrative Templates to access
Disabled
Disabled
This category requires installing the SearchOCR.admx/adml template files from the Windows 7/2008R2, 8/2012, 8.1/2012R2 or 10 Administrative Templates to access

This category requires installing the avsvalidationgp.admx/adml template files from the Windows 10 Administrative Templates to access

This category requires installing the WinStoreUI.admx/adml template files from the Windows 8/2012 or 8.1/2012R2 Administrative Templates to access

This category requires installing the textinput.admx/adml template files from the Windows 10 Administrative Templates to access


Disabled Formerly known as "Configure Microsoft Spynet Reporting"

Disabled
Enabled
Disabled
Enabled

This category requires installing the gamedvr.admx/adml template files from the Windows 10 Administrative Templates to access


This category requires installing the passport.admx/adml template files from the Windows 10 R1607 & Server 2016 Administrative Templates to access
This category requires installing the WindowsInkWorkspace.admx/adml template files from the Windows 10 R1607 & Server 2016 Administrative Templates to access

Disabled Formerly known as "Enable user control over installs"


Microsoft states this must be configured in BOTH Computer and User to be enforced
Disabled Formerly known as "Disable IE security prompt for Windows Installer scripts"
Enabled

Enabled

Enabled
Enabled

Enabled

Enabled
Enabled

Applies to Windows 7 / Server 2008 and above (but not Vista)


Applies to Windows 7 / Server 2008 and above (but not Vista)
Enabled
3 - Auto download and notify for install

Disabled
Disabled
Enabled

This category requires installing the WindowsUpdate.admx/adml template files from the Windows 10 R1607 & Server 2016 Administrative Templates to access


support "Local account" (KB2871997 not released for them)

can only be applied to Vista (and Server 2008?) via Auditpol.exe logon scripts
the AdmPwd.admx/adml template files from Microsoft LAPS to access
the MSS-Legacy.admx/adml template files from Microsoft SCM to access
the GroupPolicy.admx/adml template files from the Windows 10 R1607 & Server 2016 Administrative Templates to access

the lanmanworkstation.admx/adml template files from the Windows 10 Administrative Templates to access

the networkprovider.admx/adml template files from MS15-011 / KB3000483 or the Windows 10 Administrative Templates to access

he Disable-IPv6-Components-KB929852.adm file in the remediation package. It is documented by MSKB 929852

the PtH.admx/adml template files from Microsoft SCM to access
a / Server 2008 - This setting requires installing the PtH.admx/adml template files from Microsoft SCM to access

the appv.admx/adml template files from the Windows 10 R1607 & Server 2016 Administrative Templates to access

erver 2012 R2, but retroactively applies to Windows 7 / Server 2008 R2 and above with KB3004375 installed

the deviceguard.admx/adml template files from the Windows 10 Administrative Templates to access

http://support.microsoft.com/kb/2516445
the DeviceRedirection.admx/adml template files from the Windows 7/2008R2, 8/2012, 8.1/2012R2 or 10 Administrative Templates to access

the EnhancedStorage.admx/adml template files from the Windows 7/2008R2, 8/2012, 8.1/2012R2 or 10 Administrative Templates to access

the FileServerVSSAgent.admx/adml template files from the Windows 8/2012, 8.1/2012R2 or 10 Administrative Templates to access
ver 2008 R2 - This setting requires installing the ShapeCollector.admx/adml template files from the Windows 7/2008R2, 8/2012, 8.1/2012R2 or 10 Administrative Templates to access

e Windows Error Reporting" in 18.9.67 (Windows Components / Windows Error Reporting)

the GroupPolicy.admx/adml template files from the Windows 10 Administrative Templates to access

the Power.admx/adml template files from the Windows 10 R1607 & Server 2016 Administrative Templates to access
the sdiagschd.admx/adml template files from the Windows 7/2008R2, 8/2012, 8.1/2012R2 or 10 Administrative Templates to access
the WindowsAnytimeUpgrade.admx/adml template files from the Windows 8/2012, 8.1/2012R2 or 10 Administrative Templates to access
Master Windows 7 Compliance Analysis - CIS & USGCB - User Settings
By Haemish Edgerton Updated: 2/14/2017 Dark Gray = Setting not listed in this profile

CIS Win7 v1.2.0 Rule # | CIS Win7 v2.1.0 Rule # | CIS Win7 v3.0.1 Rule # | USGCB Win7 v1.2.0 | CCE ID v5 | GPO Folder
2 User Configuration
Policies
2.1 19 Administrative Templates
19.1 Control Panel
19.1.1 Add or Remove Programs
19.1.2 Display
19.1.3 Personalization
1.13.10 2.1.2.1.1 19.1.3.1 CCE-10051-1 Enable screen saver
1.13.8 2.1.2.1.4 19.1.3.2 CCE-9958-0 Force specific screen saver
1.13.8 2.1.2.1.4 19.1.3.2 Screen saver executable name:
1.13.7 2.1.2.1.3 19.1.3.3 CCE-9730-3 Password protect the screen saver
1.13.9 2.1.2.1.2 19.1.3.4 CCE-10148-5 Screen saver timeout
1.13.9 2.1.2.1.2 19.1.3.4 CCE-10148-5 Number of seconds to wait to enable the screen saver:
19.2 Desktop
19.3 Network
19.4 Shared Folders
19.5 Start Menu and Taskbar
19.5.1 Notifications
19.6 System
1.13.6 Prevent access to registry editing tools
19.6.1 Ctrl+Alt+Del Options
19.6.2 Driver Installation
19.6.3 Folder Redirection
19.6.4 Group Policy
19.6.5 Internet Communication Management
19.6.5.1 Internet Communication settings
19.6.5.1.1 Turn off Help Experience Improvement Program
CCE-10295-4 Turn off Help Ratings
2.1.1 19.7 Windows Components
19.7.1 Add features to Windows 8 / 8.1 / 10
19.7.2 App runtime
19.7.3 Application Compatibility
2.1.1.1 19.7.4 Attachment Manager
1.13.1 2.1.1.1.2 19.7.4.1 CCE-10166-7 Do not preserve zone information in file attachments
1.13.2 2.1.1.1.1 CCE-9684-2 Hide mechanisms to remove zone information
1.13.3 2.1.1.1.3 19.7.4.2 CCE-10076-8 Notify antivirus programs when opening attachments
19.7.5 AutoPlay Policies
19.7.6 Backup
19.7.7 Cloud Content
19.7.8 Credential User Interface
19.7.9 Data Collection and Preview Builds
19.7.10 Desktop Gadgets
19.7.11 Desktop Window Manager
19.7.12 Digital Locker
19.7.13 Edge UI
19.7.14 File Explorer
1.13.4 Remove CD Burning features
1.13.5 Remove Security tab
19.7.15 File Revocation
19.7.16 IME
19.7.17 Import Video
19.7.18 Instant Search
19.7.19 Internet Explorer
19.7.20 Location and Sensors
19.7.21 Microsoft Edge
19.7.22 Microsoft Management Console
19.7.23 Microsoft User Experience Virtualization
19.7.24 NetMeeting
19.7.25 Network Projector
19.7.26 Network Sharing
19.7.26.1 CCE-10644-3 Prevent users from sharing files within their profile.
19.7.27 Presentation Settings
19.7.28 Remote Desktop Services
19.7.29 RSS Feeds
19.7.30 Search
19.7.31 Sound Recorder
19.7.32 Store
19.7.33 Tablet PC
19.7.34 Task Scheduler
19.7.35 Windows Calendar
19.7.36 Windows Color System
19.7.37 Windows Error Reporting
19.7.38 Windows Hello for Business (formerly Microsoft Passport for Work)
19.7.39 Windows Installer
19.7.39.1 Always install with elevated privileges
19.7.40 Windows Logon Options
19.7.41 Windows Mail
19.7.42 Windows Media Center
19.7.43 Windows Media Player
19.7.43.1 Networking
19.7.43.2 Playback
19.7.43.2.1 Prevent Codec Download
CIS Win7 v1.2.0
Level 1 Value

Enabled
Enabled
scrnsave.scr
Enabled
Enabled
900 seconds or less

<not configured>

Disabled
Enabled
Enabled
<not configured>
<not configured>
CIS Win7 v1.2.0
Level 2 Value

Enabled
Enabled
scrnsave.scr
Enabled
Enabled
900 seconds or less

Enabled

Disabled
Enabled
Enabled
Enabled
Enabled
CIS Win7 v2.1.0
Value

Enabled
Enabled
scrnsave.scr
Enabled
Enabled
900 seconds or less

Disabled
Enabled
Enabled
CIS Win7 v3.0.1
Level 1 Value

Enabled
Enabled
scrnsave.scr
Enabled
Enabled
900 seconds or fewer, but not 0

Disabled

Enabled
Enabled

Disabled
CIS Win7 v3.0.1
Level 2 Value

Enabled
Enabled
USGCB Win7 v1.2.0
Value Notes

Enabled
<not defined>

Enabled
Enabled
900 seconds

Enabled

This category requires installing the WindowsAnytimeUpgrade.admx/adml template files from the Windows 8/2012, 8.1/2012R2 or 10 Administrative Templates to access

Disabled
Enabled
Enabled
This category requires installing the CloudContent.admx/adml template files from the Windows 10 R1607 & Server 2016 Administrative Templates to access

This category requires installing the DataCollection.admx/adml template files from the Windows 10 R1607 & Server 2016 Administrative Templates to access

This category requires installing the microsoftedge.admx/adml template files from the Windows 10 Administrative Templates to access

This category requires installing the passport.admx/adml template files from the Windows 10 Administrative Templates to access

Enabled

This category requires installing the Search.admx/adml template files from the Windows Vista/2008, 7/2008R2, 8/2012, 8.1/2012R2 or 10 Administrative Templates to access

This category requires installing the WinStoreUI.admx/adml template files from the Windows 8/2012 or 8.1/2012R2 Administrative Templates to access

This category requires installing the passport.admx/adml template files from the Windows 10 R1607 & Server 2016 Administrative Templates to access

