Id

xccdf_org.cisecurity.benchmarks_rule_9.3.4_L1_Ensure_Windows_Firewall_Public_Settings_Display_a_notification_is_set_to_No
xccdf_org.cisecurity.benchmarks_rule_17.1.2_L1_Ensure_Audit_Kerberos_Authentication_Service_is_set_to_Success_and_Failure_DC_Only
xccdf_org.cisecurity.benchmarks_rule_2.3.17.2_L1_Ensure_User_Account_Control_Behavior_of_the_elevation_prompt_for_administrators_in_Admin_Approval_Mode_is_set_to_Prompt_for_consent_on_the_secure_desktop
xccdf_org.cisecurity.benchmarks_rule_2.3.1.5_L1_Configure_Accounts_Rename_administrator_account
xccdf_org.cisecurity.benchmarks_rule_2.3.17.3_L1_Ensure_User_Account_Control_Behavior_of_the_elevation_prompt_for_standard_users_is_set_to_Automatically_deny_elevation_requests
xccdf_org.cisecurity.benchmarks_rule_2.3.9.2_L1_Ensure_Microsoft_network_server_Digitally_sign_communications_always_is_set_to_Enabled
xccdf_org.cisecurity.benchmarks_rule_2.3.5.3_L1_Ensure_Domain_controller_LDAP_server_channel_binding_token_requirements_is_set_to_Always_DC_Only
xccdf_org.cisecurity.benchmarks_rule_19.5.1.1_L1_Ensure_Turn_off_toast_notifications_on_the_lock_screen_is_set_to_Enabled
xccdf_org.cisecurity.benchmarks_rule_17.1.3_L1_Ensure_Audit_Kerberos_Service_Ticket_Operations_is_set_to_Success_and_Failure_DC_Only
xccdf_org.cisecurity.benchmarks_rule_9.3.6_L1_Ensure_Windows_Firewall_Public_Settings_Apply_local_connection_security_rules_is_set_to_No
xccdf_org.cisecurity.benchmarks_rule_18.6.3_L1_Ensure_Point_and_Print_Restrictions_When_updating_drivers_for_an_existing_connection_is_set_to_Enabled_Show_warning_and_elevation_prompt
xccdf_org.cisecurity.benchmarks_rule_18.9.14.1_L1_Ensure_Turn_off_cloud_consumer_account_state_content_is_set_to_Enabled
xccdf_org.cisecurity.benchmarks_rule_18.9.108.2.2_L1_Ensure_Configure_Automatic_Updates_Scheduled_install_day_is_set_to_0_-_Every_day
xccdf_org.cisecurity.benchmarks_rule_2.3.5.4_L1_Ensure_Domain_controller_LDAP_server_signing_requirements_is_set_to_Require_signing_DC_only
xccdf_org.cisecurity.benchmarks_rule_18.8.26.1_L1_Ensure_Enumeration_policy_for_external_devices_incompatible_with_Kernel_DMA_Protection_is_set_to_Enabled_Block_All
xccdf_org.cisecurity.benchmarks_rule_2.3.10.6_L1_Configure_Network_access_Named_Pipes_that_can_be_accessed_anonymously_DC_only
xccdf_org.cisecurity.benchmarks_rule_18.9.65.3.9.1_L1_Ensure_Always_prompt_for_password_upon_connection_is_set_to_Enabled
xccdf_org.cisecurity.benchmarks_rule_18.8.7.2_L1_Ensure_Prevent_device_metadata_retrieval_from_the_Internet_is_set_to_Enabled
xccdf_org.cisecurity.benchmarks_rule_18.9.65.3.9.4_L1_Ensure_Require_user_authentication_for_remote_connections_by_using_Network_Level_Authentication_is_set_to_Enabled
xccdf_org.cisecurity.benchmarks_rule_18.8.4.2_L1_Ensure_Remote_host_allows_delegation_of_non-exportable_credentials_is_set_to_Enabled
xccdf_org.cisecurity.benchmarks_rule_18.9.17.6_L1_Ensure_Limit_Diagnostic_Log_Collection_is_set_to_Enabled
xccdf_org.cisecurity.benchmarks_rule_18.5.21.1_L1_Ensure_Minimize_the_number_of_simultaneous_connections_to_the_Internet_or_a_Windows_Domain_is_set_to_Enabled_3__Prevent_Wi-Fi_when_on_Ethernet
xccdf_org.cisecurity.benchmarks_rule_19.7.28.1_L1_Ensure_Prevent_users_from_sharing_files_within_their_profile._is_set_to_Enabled
xccdf_org.cisecurity.benchmarks_rule_18.5.4.1_L1_Ensure_Configure_DNS_over_HTTPS_DoH_name_resolution_is_set_to_Enabled_Allow_DoH_or_higher
xccdf_org.cisecurity.benchmarks_rule_2.3.1.6_L1_Configure_Accounts_Rename_guest_account
xccdf_org.cisecurity.benchmarks_rule_18.9.47.15_L1_Ensure_Configure_detection_for_potentially_unwanted_applications_is_set_to_Enabled_Block
xccdf_org.cisecurity.benchmarks_rule_18.9.47.5.1.1_L1_Ensure_Configure_Attack_Surface_Reduction_rules_is_set_to_Enabled
xccdf_org.cisecurity.benchmarks_rule_17.4.2_L1_Ensure_Audit_Directory_Service_Changes_is_set_to_include_Success_DC_only
xccdf_org.cisecurity.benchmarks_rule_18.3.6_L1_Ensure_NetBT_NodeType_configuration_is_set_to_Enabled_P-node_recommended
xccdf_org.cisecurity.benchmarks_rule_18.9.108.2.1_L1_Ensure_Configure_Automatic_Updates_is_set_to_Enabled
xccdf_org.cisecurity.benchmarks_rule_18.9.47.9.1_L1_Ensure_Scan_all_downloaded_files_and_attachments_is_set_to_Enabled
xccdf_org.cisecurity.benchmarks_rule_19.7.8.1_L1_Ensure_Configure_Windows_spotlight_on_lock_screen_is_set_to_Disabled
xccdf_org.cisecurity.benchmarks_rule_9.3.5_L1_Ensure_Windows_Firewall_Public_Settings_Apply_local_firewall_rules_is_set_to_No
xccdf_org.cisecurity.benchmarks_rule_2.2.27_L1_Ensure_Enable_computer_and_user_accounts_to_be_trusted_for_delegation_is_set_to_Administrators_DC_only
xccdf_org.cisecurity.benchmarks_rule_18.8.4.1_L1_Ensure_Encryption_Oracle_Remediation_is_set_to_Enabled_Force_Updated_Clients
xccdf_org.cisecurity.benchmarks_rule_18.9.17.5_L1_Ensure_Enable_OneSettings_Auditing_is_set_to_Enabled
xccdf_org.cisecurity.benchmarks_rule_17.2.3_L1_Ensure_Audit_Distribution_Group_Management_is_set_to_include_Success_DC_only
xccdf_org.cisecurity.benchmarks_rule_18.9.100.1_L1_Ensure_Turn_on_PowerShell_Script_Block_Logging_is_set_to_Enabled
xccdf_org.cisecurity.benchmarks_rule_18.9.47.9.2_L1_Ensure_Turn_off_real-time_protection_is_set_to_Disabled
xccdf_org.cisecurity.benchmarks_rule_18.6.1_L1_Ensure_Allow_Print_Spooler_to_accept_client_connections_is_set_to_Disabled
xccdf_org.cisecurity.benchmarks_rule_18.9.17.3_L1_Ensure_Disable_OneSettings_Downloads_is_set_to_Enabled
xccdf_org.cisecurity.benchmarks_rule_18.9.85.1.1_L1_Ensure_Configure_Windows_Defender_SmartScreen_is_set_to_Enabled_Warn_and_prevent_bypass
xccdf_org.cisecurity.benchmarks_rule_18.6.2_L1_Ensure_Point_and_Print_Restrictions_When_installing_drivers_for_a_new_connection_is_set_to_Enabled_Show_warning_and_elevation_prompt
xccdf_org.cisecurity.benchmarks_rule_2.3.5.1_L1_Ensure_Domain_controller_Allow_server_operators_to_schedule_tasks_is_set_to_Disabled_DC_only
xccdf_org.cisecurity.benchmarks_rule_18.9.47.9.4_L1_Ensure_Turn_on_script_scanning_is_set_to_Enabled
xccdf_org.cisecurity.benchmarks_rule_18.8.40.1_L1_Ensure_Configure_validation_of_ROCA-vulnerable_WHfB_keys_during_authentication_is_set_to_Enabled_Audit_or_higher_DC_only
xccdf_org.cisecurity.benchmarks_rule_2.2.8_L1_Ensure_Allow_log_on_through_Remote_Desktop_Services_is_set_to_Administrators_DC_only
xccdf_org.cisecurity.benchmarks_rule_18.8.3.1_L1_Ensure_Include_command_line_in_process_creation_events_is_set_to_Enabled
xccdf_org.cisecurity.benchmarks_rule_17.4.1_L1_Ensure_Audit_Directory_Service_Access_is_set_to_include_Failure_DC_only
xccdf_org.cisecurity.benchmarks_rule_2.2.5_L1_Ensure_Add_workstations_to_domain_is_set_to_Administrators_DC_only
xccdf_org.cisecurity.benchmarks_rule_2.3.9.3_L1_Ensure_Microsoft_network_server_Digitally_sign_communications_if_client_agrees_is_set_to_Enabled
xccdf_org.cisecurity.benchmarks_rule_19.7.4.2_L1_Ensure_Notify_antivirus_programs_when_opening_attachments_is_set_to_Enabled
xccdf_org.cisecurity.benchmarks_rule_18.3.2_L1_Ensure_Configure_SMB_v1_client_driver_is_set_to_Enabled_Disable_driver_recommended
xccdf_org.cisecurity.benchmarks_rule_9.2.4_L1_Ensure_Windows_Firewall_Private_Settings_Display_a_notification_is_set_to_No
xccdf_org.cisecurity.benchmarks_rule_18.9.65.3.9.3_L1_Ensure_Require_use_of_specific_security_layer_for_remote_RDP_connections_is_set_to_Enabled_SSL
xccdf_org.cisecurity.benchmarks_rule_18.3.3_L1_Ensure_Configure_SMB_v1_server_is_set_to_Disabled
xccdf_org.cisecurity.benchmarks_rule_18.9.47.5.1.2_L1_Ensure_Configure_Attack_Surface_Reduction_rules_Set_the_state_for_each_ASR_rule_is_configured
xccdf_org.cisecurity.benchmarks_rule_19.7.43.1_L1_Ensure_Always_install_with_elevated_privileges_is_set_to_Disabled
xccdf_org.cisecurity.benchmarks_rule_2.3.7.4_L1_Configure_Interactive_logon_Message_text_for_users_attempting_to_log_on
xccdf_org.cisecurity.benchmarks_rule_18.9.46.1_L1_Ensure_Block_all_consumer_Microsoft_account_user_authentication_is_set_to_Enabled
xccdf_org.cisecurity.benchmarks_rule_19.7.4.1_L1_Ensure_Do_not_preserve_zone_information_in_file_attachments_is_set_to_Disabled
xccdf_org.cisecurity.benchmarks_rule_19.7.8.2_L1_Ensure_Do_not_suggest_third-party_content_in_Windows_spotlight_is_set_to_Enabled
xccdf_org.cisecurity.benchmarks_rule_2.3.7.5_L1_Configure_Interactive_logon_Message_title_for_users_attempting_to_log_on
xccdf_org.cisecurity.benchmarks_rule_18.9.105.2.1_L1_Ensure_Prevent_users_from_modifying_settings_is_set_to_Enabled
xccdf_org.cisecurity.benchmarks_rule_1.2.2_L1_Ensure_Account_lockout_threshold_is_set_to_5_or_fewer_invalid_logon_attempts_but_not_0
xccdf_org.cisecurity.benchmarks_rule_2.2.31_L1_Ensure_Impersonate_a_client_after_authentication_is_set_to_Administrators_LOCAL_SERVICE_NETWORK_SERVICE_SERVICE_DC_only
xccdf_org.cisecurity.benchmarks_rule_18.3.5_L1_Ensure_Limits_print_driver_installation_to_Administrators_is_set_to_Enabled
xccdf_org.cisecurity.benchmarks_rule_18.9.108.4.1_L1_Ensure_Manage_preview_builds_is_set_to_Disabled
xccdf_org.cisecurity.benchmarks_rule_17.2.2_L1_Ensure_Audit_Computer_Account_Management_is_set_to_include_Success_DC_only
xccdf_org.cisecurity.benchmarks_rule_18.9.47.5.3.1_L1_Ensure_Prevent_users_and_apps_from_accessing_dangerous_websites_is_set_to_Enabled_Block
xccdf_org.cisecurity.benchmarks_rule_18.9.17.7_L1_Ensure_Limit_Dump_Collection_is_set_to_Enabled
xccdf_org.cisecurity.benchmarks_rule_2.3.5.5_L1_Ensure_Domain_controller_Refuse_machine_account_password_changes_is_set_to_Disabled_DC_only

Name Result

9.3.4. (L1) Ensure 'Windows Firewall: Public: Settings: Display a notification' is set to 'No' Fail
17.1.2. (L1) Ensure 'Audit Kerberos Authentication Service' is set to 'Success and Failure' (DC Only) Fail
2.3.17.2. (L1) Ensure 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' is set to 'Prompt for consent on the secure desktop' Fail
2.3.1.5. (L1) Configure 'Accounts: Rename administrator account' Fail
2.3.17.3. (L1) Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to 'Automatically deny elevation requests' Fail
2.3.9.2. (L1) Ensure 'Microsoft network server: Digitally sign communications (always)' is set to 'Enabled' Fail
2.3.5.3. (L1) Ensure 'Domain controller: LDAP server channel binding token requirements' is set to 'Always' (DC Only) Fail
19.5.1.1. (L1) Ensure 'Turn off toast notifications on the lock screen' is set to 'Enabled' Fail
17.1.3. (L1) Ensure 'Audit Kerberos Service Ticket Operations' is set to 'Success and Failure' (DC Only) Fail
9.3.6. (L1) Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No' Fail
18.6.3. (L1) Ensure 'Point and Print Restrictions: When updating drivers for an existing connection' is set to 'Enabled: Show warning and elevation prompt' Fail
18.9.14.1. (L1) Ensure 'Turn off cloud consumer account state content' is set to 'Enabled' Fail
18.9.108.2.2. (L1) Ensure 'Configure Automatic Updates: Scheduled install day' is set to '0 - Every day' Fail
2.3.5.4. (L1) Ensure 'Domain controller: LDAP server signing requirements' is set to 'Require signing' (DC only) Fail
18.8.26.1. (L1) Ensure 'Enumeration policy for external devices incompatible with Kernel DMA Protection' is set to 'Enabled: Block All' Fail
2.3.10.6. (L1) Configure 'Network access: Named Pipes that can be accessed anonymously' (DC only) Fail
18.9.65.3.9.1. (L1) Ensure 'Always prompt for password upon connection' is set to 'Enabled' Fail
18.8.7.2. (L1) Ensure 'Prevent device metadata retrieval from the Internet' is set to 'Enabled' Fail
18.9.65.3.9.4. (L1) Ensure 'Require user authentication for remote connections by using Network Level Authentication' is set to 'Enabled' Fail
18.8.4.2. (L1) Ensure 'Remote host allows delegation of non-exportable credentials' is set to 'Enabled' Fail
18.9.17.6. (L1) Ensure 'Limit Diagnostic Log Collection' is set to 'Enabled' Fail
18.5.21.1. (L1) Ensure 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' is set to 'Enabled: 3 = Prevent Wi-Fi when on Ethernet' Fail
19.7.28.1. (L1) Ensure 'Prevent users from sharing files within their profile.' is set to 'Enabled' Fail
18.5.4.1. (L1) Ensure 'Configure DNS over HTTPS (DoH) name resolution' is set to 'Enabled: Allow DoH' or higher Fail
2.3.1.6. (L1) Configure 'Accounts: Rename guest account' Fail
18.9.47.15. (L1) Ensure 'Configure detection for potentially unwanted applications' is set to 'Enabled: Block' Fail
18.9.47.5.1.1. (L1) Ensure 'Configure Attack Surface Reduction rules' is set to 'Enabled' Fail
17.4.2. (L1) Ensure 'Audit Directory Service Changes' is set to include 'Success' (DC only) Fail
18.3.6. (L1) Ensure 'NetBT NodeType configuration' is set to 'Enabled: P-node (recommended)' Fail
18.9.108.2.1. (L1) Ensure 'Configure Automatic Updates' is set to 'Enabled' Fail
18.9.47.9.1. (L1) Ensure 'Scan all downloaded files and attachments' is set to 'Enabled' Fail
19.7.8.1. (L1) Ensure 'Configure Windows spotlight on lock screen' is set to 'Disabled' Fail
9.3.5. (L1) Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No' Fail
2.2.27. (L1) Ensure 'Enable computer and user accounts to be trusted for delegation' is set to 'Administrators' (DC only) Fail
18.8.4.1. (L1) Ensure 'Encryption Oracle Remediation' is set to 'Enabled: Force Updated Clients' Fail
18.9.17.5. (L1) Ensure 'Enable OneSettings Auditing' is set to 'Enabled' Fail
17.2.3. (L1) Ensure 'Audit Distribution Group Management' is set to include 'Success' (DC only) Fail
18.9.100.1. (L1) Ensure 'Turn on PowerShell Script Block Logging' is set to 'Enabled' Fail
18.9.47.9.2. (L1) Ensure 'Turn off real-time protection' is set to 'Disabled' Fail
18.6.1. (L1) Ensure 'Allow Print Spooler to accept client connections' is set to 'Disabled' Fail
18.9.17.3. (L1) Ensure 'Disable OneSettings Downloads' is set to 'Enabled' Fail
18.9.85.1.1. (L1) Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled: Warn and prevent bypass' Fail
18.6.2. (L1) Ensure 'Point and Print Restrictions: When installing drivers for a new connection' is set to 'Enabled: Show warning and elevation prompt' Fail
2.3.5.1. (L1) Ensure 'Domain controller: Allow server operators to schedule tasks' is set to 'Disabled' (DC only) Fail
18.9.47.9.4. (L1) Ensure 'Turn on script scanning' is set to 'Enabled' Fail
18.8.40.1. (L1) Ensure 'Configure validation of ROCA-vulnerable WHfB keys during authentication' is set to 'Enabled: Audit' or higher (DC only) Fail
2.2.8. (L1) Ensure 'Allow log on through Remote Desktop Services' is set to 'Administrators' (DC only) Fail
18.8.3.1. (L1) Ensure 'Include command line in process creation events' is set to 'Enabled' Fail
17.4.1. (L1) Ensure 'Audit Directory Service Access' is set to include 'Failure' (DC only) Fail
2.2.5. (L1) Ensure 'Add workstations to domain' is set to 'Administrators' (DC only) Fail
2.3.9.3. (L1) Ensure 'Microsoft network server: Digitally sign communications (if client agrees)' is set to 'Enabled' Fail
19.7.4.2. (L1) Ensure 'Notify antivirus programs when opening attachments' is set to 'Enabled' Fail
18.3.2. (L1) Ensure 'Configure SMB v1 client driver' is set to 'Enabled: Disable driver (recommended)' Fail
9.2.4. (L1) Ensure 'Windows Firewall: Private: Settings: Display a notification' is set to 'No' Fail
18.9.65.3.9.3. (L1) Ensure 'Require use of specific security layer for remote (RDP) connections' is set to 'Enabled: SSL' Fail
18.3.3. (L1) Ensure 'Configure SMB v1 server' is set to 'Disabled' Fail
18.9.47.5.1.2. (L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured Fail
19.7.43.1. (L1) Ensure 'Always install with elevated privileges' is set to 'Disabled' Fail
2.3.7.4. (L1) Configure 'Interactive logon: Message text for users attempting to log on' Fail
18.9.46.1. (L1) Ensure 'Block all consumer Microsoft account user authentication' is set to 'Enabled' Fail
19.7.4.1. (L1) Ensure 'Do not preserve zone information in file attachments' is set to 'Disabled' Fail
19.7.8.2. (L1) Ensure 'Do not suggest third-party content in Windows spotlight' is set to 'Enabled' Fail
2.3.7.5. (L1) Configure 'Interactive logon: Message title for users attempting to log on' Fail
18.9.105.2.1. (L1) Ensure 'Prevent users from modifying settings' is set to 'Enabled' Fail
1.2.2. (L1) Ensure 'Account lockout threshold' is set to '5 or fewer invalid logon attempt(s), but not 0' Fail
2.2.31. (L1) Ensure 'Impersonate a client after authentication' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE' (DC only) Fail
18.3.5. (L1) Ensure 'Limits print driver installation to Administrators' is set to 'Enabled' Fail
18.9.108.4.1. (L1) Ensure 'Manage preview builds' is set to 'Disabled' Fail
17.2.2. (L1) Ensure 'Audit Computer Account Management' is set to include 'Success' (DC only) Fail
18.9.47.5.3.1. (L1) Ensure 'Prevent users and apps from accessing dangerous websites' is set to 'Enabled: Block' Fail
18.9.17.7. (L1) Ensure 'Limit Dump Collection' is set to 'Enabled' Fail
2.3.5.5. (L1) Ensure 'Domain controller: Refuse machine account password changes' is set to 'Disabled' (DC only) Fail

Active Overrides

0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0