# (C) 2013-2014 Tenable Network Security, Inc. # # This script is released under the Tenable Subscription License and # may not be used from within scripts released under another license # without authorization from Tenable Network Security, Inc. # # See the following licenses for details: # # http://static.tenable.com/prod_docs/Nessus_5_SLA_and_Subscription_Agreement.pdf # http://static.tenable.com/prod_docs/Subscription_Agreement.pdf # # @PROFESSIONALFEED@ # $Revision: 1.14 $ # $Date: 2014/08/04 18:11:47 $ # # Description : This .audit is designed against the CIS Security Configuration Benchmark For # Microsoft Windows Server 2012 Domain Controller Version 1.0.0 January 31, 2013. # # Ref : https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf # # #Safeguards Windows Server 2012 Audit File v1.3 9-30-2016 # type : REGISTRY_SETTING description : "Windows Server 2012 is installed (non-R2)" info : "This check determines if Windows Server 2012 is installed (Fails if R2)" value_type : POLICY_TEXT reg_key : "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" reg_item : "ProductName" value_data : "^.*R2.*" check_type : CHECK_NOT_REGEX type : REGISTRY_SETTING description : "Windows Server 2012 is installed" value_type : POLICY_TEXT value_data : "^[a-zA-Z0-9\(\)\s]*2012[\s]*[a-zA-Z0-9\(\)\s]*$" reg_key : "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" reg_item : "ProductName" check_type : CHECK_REGEX description : "CIS Security Benchmark For Microsoft Windows Server 2012 Member Server" ## 1 Computer Configuration ## 1.1 Security Settings ## 1.1.1 Account Policies # 1.1.1.1 Set 'Account lockout threshold' to '3 invalid logon attempt(s)' (Scored) # NOTE: CHECK_LESS_THAN_OR_EQUAL 3 also passes a threshold of 0, which disables account lockout entirely; a range such as [1..3] would reject that. type : LOCKOUT_POLICY description : "1.1.1.1 Account lockout threshold <= 3" solution : "Make sure 'Account lockout threshold' is set to 3 invalid attempts." 
reference : "PCI|8.5.13,CCE|CCE-23909-5" see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf" value_type : POLICY_DWORD lockout_policy: LOCKOUT_THRESHOLD value_data : 3 check_type : CHECK_LESS_THAN_OR_EQUAL # 1.1.1.2 Set 'Account lockout duration' to '0 minutes' (Scored) type : LOCKOUT_POLICY description : "1.1.1.2 Account lockout duration = 120+ minutes" info : "This policy setting determines the length of time that must pass before a locked account is unlocked and a user can try to log on again. If set to 0 minutes then the administrator will have to manually reset the account." solution : "Make sure 'Account lockout duration' is set to a minimum of 120 minutes." reference : "PCI|8.5.14,CCE|CCE-24768-4" see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf" value_type : TIME_MINUTE lockout_policy: LOCKOUT_DURATION value_data : [120..MAX] # 1.1.1.3 Set 'Reset account lockout counter after' to '120+ minute(s)' (Scored) type : LOCKOUT_POLICY description : "1.1.1.3 Reset account lockout counter after >= 120" info : "This policy setting determines the length of time before the Account lockout threshold resets to zero." solution : "Make sure 'Reset account lockout counter after' is set to a minimum of 120 minutes." reference : "CCE|CCE-24840-1" see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf" value_type : TIME_MINUTE lockout_policy: LOCKOUT_RESET value_data : [120..MAX] # 1.1.1.4 Set 'Minimum password length' to '8 or more character(s)' (Scored) type : PASSWORD_POLICY description : "1.1.1.4 Minimum password length >= 8" info : "This policy setting determines the least number of characters that make up a password for a user account. Brute force attacks try every possible combination of characters. 
The more characters a password has, and the more diverse they are, the longer the brute force method will take." solution : "Make sure 'Minimum password length' is set to a minimum of 8 characters." reference : "PCI|8.5.10,CCE|CCE-25317-9" see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf" value_type : POLICY_DWORD password_policy: MINIMUM_PASSWORD_LENGTH value_data : [8..MAX] # 1.1.1.5 Set 'Enforce password history' to '24 or more' (Scored) type : PASSWORD_POLICY description : "1.1.1.5 Enforce password history >= 24" info : "This policy setting determines the number of renewed, unique passwords that have to be associated with a user account before you can reuse an old password." solution : "Make sure 'Enforce password history' is set to a minimum of 24 passwords." reference : "PCI|8.5.12,CCE|CCE-24644-7" see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf" value_type : POLICY_DWORD password_policy: ENFORCE_PASSWORD_HISTORY value_data : [24..MAX] # 1.1.1.6 Set 'Password must meet complexity requirements' to 'Enabled' (Scored) type : PASSWORD_POLICY description : "1.1.1.6 Password must meet complexity requirements = Enabled" info : "This policy setting checks all new passwords to ensure that they meet basic requirements for strong passwords." solution : "Make sure 'Password must meet complexity requirements' is set to Enabled." reference : "PCI|8.5,CCE|CCE-25602-4" see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf" value_type : POLICY_SET password_policy: COMPLEXITY_REQUIREMENTS value_data : "Enabled" # 1.1.1.7 Set 'Store passwords using reversible encryption' to 'Disabled' (Scored) type : PASSWORD_POLICY description : "1.1.1.7 Store passwords using reversible encryption = Disabled" info : "The Windows authentication model allows storage of a password hash (not the actual password). 
The password hash cannot be decoded to regain the original password. To authenticate, the supplied password is hashed and compared with the stored hash; if the two hashes match, access is granted." solution : "Make sure 'Store passwords using reversible encryption' is disabled." reference : "PCI|8.4,CCE|CCE-23951-7" see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf" value_type : POLICY_SET password_policy: REVERSIBLE_ENCRYPTION value_data : "Disabled" # 1.1.1.8 Set 'Minimum password age' to '1 or more day(s)' (Scored) type : PASSWORD_POLICY description : "1.1.1.8 Minimum password age >= 1" info : "Brute force attacks can take as little as a week to a couple of months in order to crack the password, depending on length. Changing the password will help prevent these types of attacks, especially if the new password is entirely different." solution : "Make sure minimum password age is set to a minimum of 1 day." reference : "CCE|CCE-24018-4,PCI|8.5" see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf" value_type : TIME_DAY password_policy: MINIMUM_PASSWORD_AGE value_data : [1..MAX] ## 1.1.2 Advanced Audit Policy Configuration # 1.1.2.1 Set 'Audit Policy: Account Logon: Credential Validation' to 'Success and Failure' (Scored) type : AUDIT_POLICY_SUBCATEGORY description : "1.1.2.1 Account Logon: Credential Validation = Success and Failure" info : "This subcategory reports the results of validation tests on credentials submitted for a user account logon request. These events occur on the computer that is authoritative for the credentials. For domain accounts, the domain controller is authoritative, whereas for local accounts, the local computer is authoritative." solution : "Make sure the audit policy 'Account Logon: Credential Validation' is set to success and failure." 
reference : "PCI|10.3.4,PCI|10.3.3,CCE|CCE-25088-6,PCI|10.3.2,PCI|10.3.5,PCI|10.3.6,PCI|10.3.1,PCI|10.3,PCI|10.2.4,PCI|10.2.1" see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf" value_type : AUDIT_SET audit_policy_subcategory: "Credential Validation" value_data : "Success, Failure" # 1.1.2.2 Set 'Audit Policy: Account Logon: Kerberos Authentication Service' to 'No Auditing' (Scored) type : AUDIT_POLICY_SUBCATEGORY description : "1.1.2.2 Account Logon: Kerberos Authentication Service = No Auditing" info : "This subcategory reports events generated by the Kerberos Authentication Server." solution : "Make sure 'Audit Policy: Account Logon: Kerberos Authentication Service' is set to No Auditing or Success (minimum), or Failure (minimum), or Success and Failure." reference : "PCI|10.3.4,PCI|10.3.3,PCI|10.3.2,PCI|10.3.5,PCI|10.2.5,PCI|10.3.6,PCI|10.3.1,PCI|10.3,CCE|CCE-24553-0" see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf" value_type : AUDIT_SET audit_policy_subcategory: "Kerberos Authentication Service" value_data : "No auditing" || "Success" || "Failure" || "Success, Failure" # 1.1.2.3 Set 'Audit Policy: Account Logon: Kerberos Service Ticket Operations' to 'No Auditing' (Scored) type : AUDIT_POLICY_SUBCATEGORY description : "1.1.2.3 Account Logon: Kerberos Service Ticket Operations = No Auditing" info : "This subcategory reports events generated by Kerberos ticket request processes on the domain controller that is authoritative for the domain account. Events for this subcategory include: 4769: A Kerberos service ticket was requested. 4770: A Kerberos service ticket was renewed. 4773: A Kerberos service ticket request failed." solution : "Make sure 'Audit Policy: Account Logon: Kerberos Service Ticket Operations' is set to No Auditing or Success (minimum), or Failure (minimum), or Success and Failure." 
reference : "PCI|10.3.4,PCI|10.3.3,PCI|10.3.2,PCI|10.3.5,PCI|10.2.5,PCI|10.3.6,PCI|10.3.1,PCI|10.3,CCE|CCE-25549-7" see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf" value_type : AUDIT_SET audit_policy_subcategory: "Kerberos Service Ticket Operations" value_data : "No auditing" || "Success" || "Failure" || "Success, Failure" # 1.1.2.4 Set 'Audit Policy: Account Logon: Other Account Logon Events' to 'No Auditing' (Scored) type : AUDIT_POLICY_SUBCATEGORY description : "1.1.2.4 Account Logon: Other Account Logon Events = No Auditing" info : "This subcategory reports the events that occur in response to credentials submitted for a user account logon request that do not relate to credential validation or Kerberos tickets." info : "CCE-24509-2" info : "ref: https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf pg. 37" solution : "Make sure 'Audit Policy: Account Logon: Other Account Logon Events' is set to No Auditing or Success (minimum), or Failure (minimum), or Success and Failure." reference : "PCI|10.3.4,PCI|10.3.3,PCI|10.3.2,PCI|10.3.5,PCI|10.3.6,PCI|10.3.1,PCI|10.3,CCE|CCE-24509-2,PCI|10.2.4,PCI|10.2.1" see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf" value_type : AUDIT_SET audit_policy_subcategory: "Other Account Logon Events" value_data : "No auditing" || "Success" || "Failure" || "Success, Failure" # 1.1.2.5 Set 'Audit Policy: Account Management: Application Group Management' to 'No Auditing' (Scored) type : AUDIT_POLICY_SUBCATEGORY description : "1.1.2.5 Account Management: Application Group Management = No Auditing" info : "This subcategory reports each event of application group management on a computer, such as when an application group is created, changed, or deleted or when a member is added to or removed from an application group. 
If you enable this Audit policy setting, administrators can track events to detect malicious, accidental, and authorized creation of application group accounts." solution : "Make sure 'Audit Policy: Account Management: Application Group Management' is set to No Auditing or Success (minimum), or Failure (minimum), or Success and Failure." reference : "PCI|10.3.4,PCI|10.3.3,PCI|10.2.2,PCI|10.3.2,PCI|10.3.5,PCI|10.3.6,PCI|10.3.1,PCI|10.3,CCE|CCE-24868-2" see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf" value_type : AUDIT_SET audit_policy_subcategory: "Application Group Management" value_data : "No auditing" || "Success" || "Failure" || "Success, Failure" # 1.1.2.6 Configure 'Audit Policy: Account Management: Computer Account Management' (Scored) type : AUDIT_POLICY_SUBCATEGORY description : "1.1.2.6 Configure Account Management: Computer Account Management" info : "This subcategory reports each event of computer account management, such as when a computer account is created, changed, deleted, renamed, disabled, or enabled." solution : "Make sure 'Configure Audit Policy: Account Management: Computer Account Management' is set to success and failure." 
reference : "PCI|10.3.4,CCE|CCE-23482-3,PCI|10.3.3,PCI|10.2.2,PCI|10.3.2,PCI|10.3.5,PCI|10.3.6,PCI|10.3.1,PCI|10.3" see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf" value_type : AUDIT_SET audit_policy_subcategory: "Computer Account Management" value_data : "Success" # 1.1.2.7 Set 'Audit Policy: Account Management: Distribution Group Management' to 'No Auditing' (Scored) type : AUDIT_POLICY_SUBCATEGORY description : "1.1.2.7 Account Management: Distribution Group Management = No Auditing" info : "This subcategory reports each event of distribution group management, such as when a distribution group is created, changed, or deleted or when a member is added to or removed from a distribution group." solution : "Make sure 'Audit Policy: Account Management: Distribution Group Management' is set to No Auditing or Success (minimum), or Failure (minimum), or Success and Failure." reference : "PCI|10.3.4,PCI|10.3.3,PCI|10.2.2,PCI|10.3.2,PCI|10.3.5,PCI|10.3.6,PCI|10.3.1,PCI|10.3,CCE|CCE-25739-4" see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf" value_type : AUDIT_SET audit_policy_subcategory: "Distribution Group Management" value_data : "No auditing" || "Success" || "Failure" || "Success, Failure" # 1.1.2.8 Set 'Audit Policy: Account Management: Other Account Management Events' to 'Success and Failure' (Scored) type : AUDIT_POLICY_SUBCATEGORY description : "1.1.2.8 Account Management: Other Account Management Events = Success and Failure" info : "This subcategory reports other account management events." solution : "Make sure 'Audit Policy: Account Management: Other Account Management Events' is set to success and failure." 
reference : "PCI|10.3.4,PCI|10.3.3,PCI|10.2.2,CCE|CCE-24588-6,PCI|10.3.2,PCI|10.3.5,PCI|10.3.6,PCI|10.3.1,PCI|10.3" see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf" value_type : AUDIT_SET audit_policy_subcategory: "Other Account Management Events" value_data : "Success, Failure" # 1.1.2.9 Set 'Audit Policy: Account Management: Security Group Management' to 'Success and Failure' (Scored) type : AUDIT_POLICY_SUBCATEGORY description : "1.1.2.9 Account Management: Security Group Management = Success and Failure" info : "This subcategory reports each event of security group management, such as when a security group is created, changed, or deleted or when a member is added to or removed from a security group. If you enable this Audit policy setting, administrators can track events to detect malicious, accidental, and authorized creation of security group accounts." solution : "Make sure 'Audit Policy: Account Management: Security Group Management' is set to success and failure." reference : "PCI|10.3.4,PCI|10.3.3,PCI|10.2.2,PCI|10.3.2,PCI|10.3.5,PCI|10.3.6,CCE|CCE-23955-8,PCI|10.3.1,PCI|10.3" see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf" value_type : AUDIT_SET audit_policy_subcategory: "Security Group Management" value_data : "Success, Failure" # 1.1.2.10 Set 'Audit Policy: Account Management: User Account Management' to 'Success and Failure' (Scored) type : AUDIT_POLICY_SUBCATEGORY description : "1.1.2.10 Account Management: User Account Management = Success and Failure" info : "This subcategory reports each event of user account management, such as when a user account is created, changed, or deleted; a user account is renamed, disabled, or enabled; or a password is set or changed." solution : "Make sure 'Audit Policy: Account Management: User Account Management' is set to success and failure." 
reference : "PCI|10.3.4,PCI|10.3.3,PCI|10.2.2,PCI|10.3.2,PCI|10.3.5,PCI|10.3.6,PCI|10.3.1,PCI|10.3,CCE|CCE-25123-1" see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf" value_type : AUDIT_SET audit_policy_subcategory: "User Account Management" value_data : "Success, Failure" # 1.1.2.11 Set 'Audit Policy: Detailed Tracking: DPAPI Activity' to 'No Auditing' (Scored) type : AUDIT_POLICY_SUBCATEGORY description : "1.1.2.11 Detailed Tracking: DPAPI Activity = No Auditing" info : "This subcategory reports encrypt or decrypt calls into the data protections application interface (DPAPI)." solution : "Make sure 'Audit Policy: Detailed Tracking: DPAPI Activity' is set to No Auditing or Success (minimum), or Failure (minimum), or Success and Failure." reference : "CCE|CCE-25011-8,PCI|10.2" see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf" value_type : AUDIT_SET audit_policy_subcategory: "DPAPI Activity" value_data : "No auditing" || "Success" || "Failure" || "Success, Failure" # 1.1.2.12 Set 'Audit Policy: Detailed Tracking: Process Creation' to 'Success' (Scored) type : AUDIT_POLICY_SUBCATEGORY description : "1.1.2.12 Detailed Tracking: Process Creation = Success" info : "This subcategory reports the creation of a process and the name of the program or user that created it." solution : "Make sure 'Audit Policy: Detailed Tracking: Process Creation' is set to Success (minimum)." 
reference : "CCE|CCE-25461-5" see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf" value_type : AUDIT_SET audit_policy_subcategory: "Process Creation" value_data : "Success" || "Success, Failure" # 1.1.2.13 Set 'Audit Policy: Detailed Tracking: Process Termination' to 'No Auditing' (Scored) type : AUDIT_POLICY_SUBCATEGORY description : "1.1.2.13 Detailed Tracking: Process Termination = No Auditing" info : "This subcategory reports when a process terminates." solution : "Make sure 'Audit Policy: Detailed Tracking: Process Termination' is set to No Auditing or Success (minimum), or Failure (minimum), or Success and Failure." reference : "PCI|10.3.4,PCI|10.3.3,PCI|10.3.2,PCI|10.3.5,PCI|10.2.7,CCE|CCE-25490-4,PCI|10.3.6,PCI|10.3.1,PCI|10.3" see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf" value_type : AUDIT_SET audit_policy_subcategory: "Process Termination" value_data : "No auditing" || "Success" || "Failure" || "Success, Failure" # 1.1.2.14 Set 'Audit Policy: Detailed Tracking: RPC Events' to 'No Auditing' (Scored) type : AUDIT_POLICY_SUBCATEGORY description : "1.1.2.14 Detailed Tracking: RPC Events = No Auditing" info : "This subcategory reports remote procedure call (RPC) connection events." solution : "Make sure 'Audit Policy: Detailed Tracking: RPC Events' is set to No Auditing or Success (minimum), or Failure (minimum), or Success and Failure." 
reference : "PCI|10.2,CCE|CCE-23502-8" see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf" value_type : AUDIT_SET audit_policy_subcategory: "RPC Events" value_data : "No auditing" || "Success" || "Failure" || "Success, Failure" # 1.1.2.15 Set 'Audit Policy: DS Access: Detailed Directory Service Replication' to 'No Auditing' (Scored) # Level 1 - Domain Controller Only # 1.1.2.16 Set 'Audit Policy: DS Access: Directory Service Access' to 'Success and Failure' (Scored) # Level 1 - Domain Controller Only # 1.1.2.17 Set 'Audit Policy: DS Access: Directory Service Changes' to 'Success and Failure' (Scored) # Level 1 - Domain Controller Only # 1.1.2.18 Set 'Audit Policy: DS Access: Directory Service Replication' to 'No Auditing' (Scored) # Level 1 - Domain Controller Only # 1.1.2.19 Set 'Audit Policy: Logon-Logoff: Account Lockout' to 'No Auditing' (Scored) type : AUDIT_POLICY_SUBCATEGORY description : "1.1.2.19 Logon-Logoff: Account Lockout = No Auditing" info : "This subcategory reports when a user's account is locked out as a result of too many failed logon attempts." solution : "Make sure 'Audit Policy: Logon-Logoff: Account Lockout' is set to No Auditing or Success (minimum), or Failure (minimum), or Success and Failure." reference : "PCI|10.3.4,PCI|10.3.3,PCI|10.3.2,PCI|10.3.5,CCE|CCE-24598-5,PCI|10.3.6,PCI|10.3.1,PCI|10.3,PCI|10.2.4,PCI|10.2.1" see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf" value_type : AUDIT_SET audit_policy_subcategory: "Account Lockout" value_data : "No auditing" || "Success" || "Failure" || "Success, Failure" # 1.1.2.20 Set 'Audit Policy: Logon-Logoff: IPsec Extended Mode' to 'No Auditing' (Scored) type : AUDIT_POLICY_SUBCATEGORY description : "1.1.2.20 Logon-Logoff: IPsec Extended Mode = No Auditing" info : "This subcategory reports the results of AuthIP during Extended Mode negotiations." 
solution : "Make sure 'Audit Policy: Logon-Logoff: IPsec Extended Mode' is set to No Auditing or Success (minimum), or Failure (minimum), or Success and Failure." reference : "PCI|10.3.4,PCI|10.3.3,PCI|10.3.2,PCI|10.3.5,CCE|CCE-24404-6,PCI|10.2.5,PCI|10.3.6,PCI|10.3.1,PCI|10.3" see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf" value_type : AUDIT_SET audit_policy_subcategory: "IPsec Extended Mode" value_data : "No auditing" || "Success" || "Failure" || "Success, Failure" # 1.1.2.21 Set 'Audit Policy: Logon-Logoff: IPsec Main Mode' to 'No Auditing' (Scored) type : AUDIT_POLICY_SUBCATEGORY description : "1.1.2.21 Logon-Logoff: IPsec Main Mode = No Auditing" info : "This subcategory reports the results of Internet Key Exchange (IKE) protocol and Authenticated Internet Protocol (AuthIP) during Main Mode negotiations." solution : "Make sure 'Audit Policy: Logon-Logoff: IPsec Main Mode' is set to No Auditing or Success (minimum), or Failure (minimum), or Success and Failure." reference : "PCI|10.3.4,PCI|10.3.3,PCI|10.3.2,PCI|10.3.5,PCI|10.2.5,PCI|10.3.6,PCI|10.3.1,PCI|10.3,CCE|CCE-24584-5" see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf" value_type : AUDIT_SET audit_policy_subcategory: "IPsec Main Mode" value_data : "No auditing" || "Success" || "Failure" || "Success, Failure" # 1.1.2.22 Set 'Audit Policy: Logon-Logoff: IPsec Quick Mode' to 'No Auditing' (Scored) type : AUDIT_POLICY_SUBCATEGORY description : "1.1.2.22 Logon-Logoff: IPsec Quick Mode = No Auditing" info : "This subcategory reports the results of IKE protocol and AuthIP during Quick Mode negotiations. 4654: An IPsec Quick Mode negotiation failed." solution : "Make sure 'Audit Policy: Logon-Logoff: IPsec Quick Mode' is set to No Auditing or Success (minimum), or Failure (minimum), or Success and Failure." 
reference : "PCI|10.3.4,PCI|10.3.3,PCI|10.3.2,PCI|10.3.5,PCI|10.2.5,PCI|10.3.6,PCI|10.3.1,PCI|10.3,CCE|CCE-23614-1" see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf" value_type : AUDIT_SET audit_policy_subcategory: "IPsec Quick Mode" value_data : "No auditing" || "Success" || "Failure" || "Success, Failure" # 1.1.2.23 Set 'Audit Policy: Logon-Logoff: Logoff' to 'Success' (Scored) type : AUDIT_POLICY_SUBCATEGORY description : "1.1.2.23 Logon-Logoff: Logoff = Success" info : "This subcategory reports when a user logs off from the system." solution : "Make sure 'Audit Policy: Logon-Logoff: Logoff' is set to 'Success'" reference : "PCI|10.3.4,PCI|10.3.3,PCI|10.3.2,PCI|10.3.5,PCI|10.3.6,PCI|10.3.1,PCI|10.3,PCI|10.2.4,CCE|CCE-24901-1,PCI|10.2.1" see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf" value_type : AUDIT_SET audit_policy_subcategory: "Logoff" value_data : "Success" || "Success, Failure" # 1.1.2.24 Set 'Audit Policy: Logon-Logoff: Logon' to 'Success and Failure' (Scored) type : AUDIT_POLICY_SUBCATEGORY description : "1.1.2.24 Logon-Logoff: Logon = Success and Failure" info : "This subcategory reports when a user attempts to log on to the system." 
solution : "Make sure 'Audit Policy: Logon-Logoff: Logon' is set to success and failure" reference : "PCI|10.3.4,PCI|10.3.3,PCI|10.3.2,PCI|10.3.5,CCE|CCE-23670-3,PCI|10.3.6,PCI|10.3.1,PCI|10.3,PCI|10.2.4,PCI|10.2.1" see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf" value_type : AUDIT_SET audit_policy_subcategory: "Logon" value_data : "Success, Failure" # 1.1.2.25 Set 'Audit Policy: Logon-Logoff: Network Policy Server' to 'No Auditing' (Scored) type : AUDIT_POLICY_SUBCATEGORY description : "1.1.2.25 Logon-Logoff: Network Policy Server = No Auditing" info : "This subcategory reports events generated by RADIUS (IAS) and Network Access Protection (NAP) user access requests." solution : "Make sure 'Audit Policy: Logon-Logoff: Network Policy Server' is set to No Auditing or Success (minimum), or Failure (minimum), or Success and Failure." reference : "PCI|10.3.4,PCI|10.3.3,PCI|10.3.2,PCI|10.3.5,PCI|10.2.5,PCI|10.3.6,PCI|10.3.1,PCI|10.3,CCE|CCE-25189-2" see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf" value_type : AUDIT_SET audit_policy_subcategory: "Network Policy Server" value_data : "No auditing" || "Success" || "Failure" || "Success, Failure" # 1.1.2.26 Set 'Audit Policy: Logon-Logoff: Other Logon/Logoff Events' to 'No Auditing' (Scored) type : AUDIT_POLICY_SUBCATEGORY description : "1.1.2.26 Logon-Logoff: Other Logon/Logoff Events = No Auditing" info : "This subcategory reports other logon/logoff-related events, such as Terminal Services session disconnects and reconnects, using RunAs to run processes under a different account, and locking and unlocking a workstation." solution : "Make sure 'Audit Policy: Logon-Logoff: Other Logon/Logoff Events' is set to No Auditing or Success (minimum), or Failure (minimum), or Success and Failure." 
reference : "PCI|10.3.4,PCI|10.3.3,PCI|10.3.2,PCI|10.3.5,PCI|10.3.6,PCI|10.3.1,CCE|CCE-24494-7,PCI|10.3,PCI|10.2.4,PCI|10.2.1" see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf" value_type : AUDIT_SET audit_policy_subcategory: "Other Logon/Logoff Events" value_data : "No auditing" || "Success" || "Failure" || "Success, Failure" # 1.1.2.27 Set 'Audit Policy: Logon-Logoff: Special Logon' to 'Success' (Scored) type : AUDIT_POLICY_SUBCATEGORY description : "1.1.2.27 Logon-Logoff: Special Logon = Success" info : "This subcategory reports when a special logon is used." solution : "Make sure 'Audit Policy: Logon-Logoff: Special Logon' is set to Success (minimum)." reference : "PCI|10.3.4,PCI|10.3.3,PCI|10.3.2,PCI|10.3.5,PCI|10.3.6,PCI|10.3.1,PCI|10.3,PCI|10.2.4,PCI|10.2.1,CCE|CCE-24187-7" see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf" value_type : AUDIT_SET audit_policy_subcategory: "Special Logon" value_data : "Success" || "Success, Failure" # 1.1.2.28 Set 'Audit Policy: Object Access: Application Generated' to 'No Auditing' (Scored) type : AUDIT_POLICY_SUBCATEGORY description : "1.1.2.28 Object Access: Application Generated = No Auditing" info : "This subcategory reports when applications attempt to generate audit events by using the Windows auditing application programming interfaces (APIs)." solution : "Make sure 'Audit Policy: Object Access: Application Generated' is set to No Auditing or Success (minimum), or Failure (minimum), or Success and Failure." 
reference : "PCI|10.2,CCE|CCE-25316-1" see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf" value_type : AUDIT_SET audit_policy_subcategory: "Application Generated" value_data : "No auditing" || "Success" || "Failure" || "Success, Failure" # 1.1.2.29 Set 'Audit Policy: Object Access: Central Access Policy Staging' to 'No Auditing' (Scored) type : AUDIT_POLICY_SUBCATEGORY description : "1.1.2.29 Object Access: Central Access Policy Staging = No Auditing" info : "This policy setting allows you to audit access requests where the permission granted or denied by a proposed policy differs from the current central access policy on an object." solution : "Make sure 'Audit Policy: Object Access: Central Access Policy Staging' is set to No Auditing or Success (minimum), or Failure (minimum), or Success and Failure." reference : "CCE|CCE-24643-9,PCI|10.2" see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf" value_type : AUDIT_SET audit_policy_subcategory: "Central Policy Staging" value_data : "No auditing" || "Success" || "Failure" || "Success, Failure" # 1.1.2.30 Set 'Audit Policy: Object Access: Certification Services' to 'No Auditing' (Scored) type : AUDIT_POLICY_SUBCATEGORY description : "1.1.2.30 Object Access: Certification Services = No Auditing" info : "This subcategory reports when Certification Services operations are performed." solution : "Make sure 'Audit Policy: Object Access: Certification Services' is set to No Auditing or Success (minimum), or Failure (minimum), or Success and Failure." 
reference : "PCI|10.3.4,PCI|10.3.3,PCI|10.3.2,PCI|10.3.5,CCE|CCE-23129-0,PCI|10.2.5,PCI|10.3.6,PCI|10.3.1,PCI|10.3" see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf" value_type : AUDIT_SET audit_policy_subcategory: "Certification Services" value_data : "No auditing" || "Success" || "Failure" || "Success, Failure" # 1.1.2.31 Set 'Audit Policy: Object Access: Detailed File Share' to 'No Auditing' (Scored) type : AUDIT_POLICY_SUBCATEGORY description : "1.1.2.31 Object Access: Detailed File Share = No Auditing" info : "This policy setting allows you to audit attempts to access files and folders on a shared folder." solution : "Make sure 'Audit Policy: Object Access: Detailed File Share' is set to No Auditing or Success (minimum), or Failure (minimum), or Success and Failure." reference : "PCI|10.3.4,PCI|10.3.3,CCE|CCE-24791-6,PCI|10.3.2,PCI|10.3.5,PCI|10.3.6,PCI|10.3.1,PCI|10.3,PCI|10.2.4,PCI|10.2.1" see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf" value_type : AUDIT_SET audit_policy_subcategory: "Detailed File Share" value_data : "No auditing" || "Success" || "Failure" || "Success, Failure" # 1.1.2.32 Set 'Audit Policy: Object Access: File Share' to 'No Auditing' (Scored) type : AUDIT_POLICY_SUBCATEGORY description : "1.1.2.32 Object Access: File Share = No Auditing" info : "This subcategory reports when a file share is accessed." solution : "Make sure 'Audit Policy: Object Access: File Share' is set to No Auditing or Success (minimum), or Failure (minimum), or Success and Failure." 
reference : "PCI|10.3.4,PCI|10.3.3,PCI|10.3.2,PCI|10.3.5,PCI|10.3.6,CCE|CCE-24035-8,PCI|10.3.1,PCI|10.3,PCI|10.2.4,PCI|10.2.1" see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf" value_type : AUDIT_SET audit_policy_subcategory: "File Share" value_data : "No auditing" || "Success" || "Failure" || "Success, Failure" # 1.1.2.33 Set 'Audit Policy: Object Access: File System' to 'No Auditing' (Scored) type : AUDIT_POLICY_SUBCATEGORY description : "1.1.2.33 Object Access: File System = No Auditing" info : "This subcategory reports when file system objects are accessed." solution : "Make sure 'Audit Policy: Object Access: File System' is set to No Auditing or Success (minimum), or Failure (minimum), or Success and Failure." reference : "PCI|10.3.4,CCE|CCE-24456-6,PCI|10.3.3,PCI|10.3.2,PCI|10.3.5,PCI|10.3.6,PCI|10.3.1,PCI|10.3,PCI|10.2.4,PCI|10.2.1" see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf" value_type : AUDIT_SET audit_policy_subcategory: "File System" value_data : "No auditing" || "Success" || "Failure" || "Success, Failure" # 1.1.2.34 Set 'Audit Policy: Object Access: Filtering Platform Connection' to 'No Auditing' (Scored) type : AUDIT_POLICY_SUBCATEGORY description : "1.1.2.34 Object Access: Filtering Platform Connection = No Auditing" info : "This subcategory reports when connections are allowed or blocked by Windows Filtering Platform (WFP)." solution : "Make sure 'Audit Policy: Object Access: Filtering Platform Connection' is set to No Auditing or Success (minimum), or Failure (minimum), or Success and Failure." 
# Tail of 1.1.2.34 (Filtering Platform Connection) - starts on the previous line.
reference : "CCE|CCE-24714-8,PCI|10.2"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf"
value_type : AUDIT_SET
audit_policy_subcategory: "Filtering Platform Connection"
# All four possible settings are accepted, so this item only records the value.
value_data : "No auditing" || "Success" || "Failure" || "Success, Failure"

# 1.1.2.35 Set 'Audit Policy: Object Access: Filtering Platform Packet Drop' to 'No Auditing' (Scored)
type : AUDIT_POLICY_SUBCATEGORY
description : "1.1.2.35 Object Access: Filtering Platform Packet Drop = No Auditing"
info : "This subcategory reports when packets are dropped by Windows Filtering Platform (WFP)."
solution : "Make sure 'Audit Policy: Object Access: Filtering Platform Packet Drop' is set to No Auditing or Success (minimum), or Failure (minimum), or Success and Failure."
reference : "CCE|CCE-24824-5,PCI|10.2"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf"
value_type : AUDIT_SET
audit_policy_subcategory: "Filtering Platform Packet Drop"
# Accepts every setting; informational only.
value_data : "No auditing" || "Success" || "Failure" || "Success, Failure"

# 1.1.2.36 Set 'Audit Policy: Object Access: Handle Manipulation' to 'No Auditing' (Scored)
# The item continues on the next line.
type : AUDIT_POLICY_SUBCATEGORY
description : "1.1.2.36 Object Access: Handle Manipulation = No Auditing"
info : "This subcategory reports when a handle to an object is opened or closed. Only objects with SACLs cause these events to be generated, and only if the attempted handle operation matches the SACL."
solution : "Make sure 'Audit Policy: Object Access: Handle Manipulation' is set to No Auditing or Success (minimum), or Failure (minimum), or Success and Failure."
# Tail of 1.1.2.36 (Handle Manipulation) - starts on the previous line.
reference : "PCI|10.3.4,PCI|10.3.3,PCI|10.3.2,PCI|10.3.5,CCE|CCE-24599-3,PCI|10.3.6,PCI|10.3.1,PCI|10.3,PCI|10.2.4,PCI|10.2.1"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf"
value_type : AUDIT_SET
audit_policy_subcategory: "Handle Manipulation"
# Accepts every setting; informational only.
value_data : "No auditing" || "Success" || "Failure" || "Success, Failure"

# 1.1.2.37 Set 'Audit Policy: Object Access: Kernel Object' to 'No Auditing' (Scored)
type : AUDIT_POLICY_SUBCATEGORY
description : "1.1.2.37 Object Access: Kernel Object = No Auditing"
info : "This subcategory reports when kernel objects such as processes and mutexes are accessed."
solution : "Make sure 'Audit Policy: Object Access: Kernel Object' is set to No Auditing or Success (minimum), or Failure (minimum), or Success and Failure."
reference : "PCI|10.3.4,PCI|10.3.3,PCI|10.3.2,PCI|10.3.5,PCI|10.3.6,PCI|10.3.1,PCI|10.3,PCI|10.2.4,PCI|10.2.1,CCE|CCE-23655-4"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf"
value_type : AUDIT_SET
audit_policy_subcategory: "Kernel Object"
# Accepts every setting; informational only.
value_data : "No auditing" || "Success" || "Failure" || "Success, Failure"

# 1.1.2.38 Set 'Audit Policy: Object Access: Other Object Access Events' to 'No Auditing' (Scored)
# The item continues on the next line.
type : AUDIT_POLICY_SUBCATEGORY
description : "1.1.2.38 Object Access: Other Object Access Events = No Auditing"
info : "This subcategory reports other object access-related events such as Task Scheduler jobs and COM+ objects."
solution : "Make sure 'Audit Policy: Object Access: Other Object Access Events' is set to No Auditing or Success (minimum), or Failure (minimum), or Success and Failure."
# Tail of 1.1.2.38 (Other Object Access Events) - starts on the previous line.
reference : "PCI|10.3.4,PCI|10.3.3,PCI|10.3.2,PCI|10.3.5,CCE|CCE-24236-2,PCI|10.3.6,PCI|10.3.1,PCI|10.3,PCI|10.2.4,PCI|10.2.1"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf"
value_type : AUDIT_SET
audit_policy_subcategory: "Other Object Access Events"
# Accepts every setting; informational only.
value_data : "No auditing" || "Success" || "Failure" || "Success, Failure"

# 1.1.2.39 Set 'Audit Policy: Object Access: Registry' to 'No Auditing' (Scored)
type : AUDIT_POLICY_SUBCATEGORY
description : "1.1.2.39 Object Access: Registry = No Auditing"
info : "This subcategory reports when registry objects are accessed."
solution : "Make sure 'Audit Policy: Object Access: Registry' is set to No Auditing or Success (minimum), or Failure (minimum), or Success and Failure."
reference : "PCI|10.3.4,PCI|10.3.3,PCI|10.3.2,PCI|10.3.5,PCI|10.3.6,PCI|10.3.1,CCE|CCE-23630-7,PCI|10.3,PCI|10.2.4,PCI|10.2.1"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf"
value_type : AUDIT_SET
audit_policy_subcategory: "Registry"
# Accepts every setting; informational only.
value_data : "No auditing" || "Success" || "Failure" || "Success, Failure"

# 1.1.2.40 Set 'Audit Policy: Object Access: Removable Storage' to 'No Auditing' (Scored)
# The item continues on the next line.
type : AUDIT_POLICY_SUBCATEGORY
description : "1.1.2.40 Object Access: Removable Storage = No Auditing"
info : "This policy setting allows you to audit user attempts to access file system objects on a removable storage device."
solution : "Make sure 'Audit Policy: Object Access: Removable Storage' is set to No Auditing or Success (minimum), or Failure (minimum), or Success and Failure."
# Tail of 1.1.2.40 (Removable Storage) - starts on the previous line.
reference : "PCI|10.3.4,PCI|10.3.3,PCI|10.3.2,PCI|10.3.5,PCI|10.3.6,PCI|10.3.1,CCE|CCE-22826-2,PCI|10.3,PCI|10.2.4,PCI|10.2.1"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf"
value_type : AUDIT_SET
audit_policy_subcategory: "Removable Storage"
# Accepts every setting; informational only.
value_data : "No auditing" || "Success" || "Failure" || "Success, Failure"

# 1.1.2.41 Set 'Audit Policy: Object Access: SAM' to 'No Auditing' (Scored)
type : AUDIT_POLICY_SUBCATEGORY
description : "1.1.2.41 Object Access: SAM = No Auditing"
info : "This subcategory reports when SAM objects are accessed."
solution : "Make sure 'Audit Policy: Object Access: SAM' is set to No Auditing or Success (minimum), or Failure (minimum), or Success and Failure."
reference : "PCI|10.3.4,PCI|10.3.3,PCI|10.3.2,PCI|10.3.5,PCI|10.3.6,PCI|10.3.1,PCI|10.3,PCI|10.2.4,PCI|10.2.1,CCE|CCE-24439-2"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf"
value_type : AUDIT_SET
audit_policy_subcategory: "SAM"
# Accepts every setting; informational only.
value_data : "No auditing" || "Success" || "Failure" || "Success, Failure"

# 1.1.2.42 Set 'Audit Policy: Policy Change: Audit Policy Change' to 'Success and Failure' (Scored)
# The item continues on the next line. Unlike the Object Access items above,
# this one requires the exact setting 'Success, Failure' and can fail.
type : AUDIT_POLICY_SUBCATEGORY
description : "1.1.2.42 Policy Change: Audit Policy Change = Success and Failure"
info : "This subcategory reports changes in audit policy including SACL changes."
solution : "Make sure 'Audit Policy: Policy Change: Audit Policy Change' is set to success and failure."
# Tail of 1.1.2.42 (Audit Policy Change) - starts on the previous line.
reference : "PCI|10.3.4,CCE|CCE-25035-7,PCI|10.3.3,PCI|10.3.2,PCI|10.3.5,PCI|10.2.3,PCI|10.3.6,PCI|10.3.1,PCI|10.3"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf"
value_type : AUDIT_SET
audit_policy_subcategory: "Audit Policy Change"
# Exact match required: tampering with the audit policy itself must always be logged.
value_data : "Success, Failure"

# 1.1.2.43 Set 'Audit Policy: Policy Change: Authentication Policy Change' to 'Success' (Scored)
type : AUDIT_POLICY_SUBCATEGORY
description : "1.1.2.43 Policy Change: Authentication Policy Change = Success"
info : "This subcategory reports changes in authentication policy."
solution : "Make sure 'Audit Policy: Policy Change: Authentication Policy Change' is set to Success (minimum)."
reference : "CCE|CCE-25674-3,PCI|10.2"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf"
value_type : AUDIT_SET
audit_policy_subcategory: "Authentication Policy Change"
# 'Success' is the floor; 'Success, Failure' also passes.
value_data : "Success" || "Success, Failure"

# 1.1.2.44 Set 'Audit Policy: Policy Change: Authorization Policy Change' to 'No Auditing' (Scored)
# The item continues on the next line.
type : AUDIT_POLICY_SUBCATEGORY
description : "1.1.2.44 Policy Change: Authorization Policy Change = No Auditing"
info : "This subcategory reports changes in authorization policy including permissions (DACL) changes."
solution : "Make sure 'Audit Policy: Policy Change: Authorization Policy Change' is set to No Auditing or Success (minimum), or Failure (minimum), or Success and Failure."
# Tail of 1.1.2.44 (Authorization Policy Change) - starts on the previous line.
reference : "PCI|10.2,CCE|CCE-24421-0"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf"
value_type : AUDIT_SET
audit_policy_subcategory: "Authorization Policy Change"
# Accepts every setting; informational only.
value_data : "No auditing" || "Success" || "Failure" || "Success, Failure"

# 1.1.2.45 Set 'Audit Policy: Policy Change: Filtering Platform Policy Change' to 'No Auditing' (Scored)
type : AUDIT_POLICY_SUBCATEGORY
description : "1.1.2.45 Policy Change: Filtering Platform Policy Change = No Auditing"
info : "This subcategory reports the addition and removal of objects from WFP, including startup filters."
solution : "Make sure 'Audit Policy: Policy Change: Filtering Platform Policy Change' is set to No Auditing or Success (minimum), or Failure (minimum), or Success and Failure."
reference : "CCE|CCE-24965-6,PCI|10.2"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf"
value_type : AUDIT_SET
audit_policy_subcategory: "Filtering Platform Policy Change"
# Accepts every setting; informational only.
value_data : "No auditing" || "Success" || "Failure" || "Success, Failure"

# 1.1.2.46 Set 'Audit Policy: Policy Change: MPSSVC Rule-Level Policy Change' to 'No Auditing' (Scored)
# The item continues on the next line.
type : AUDIT_POLICY_SUBCATEGORY
description : "1.1.2.46 Policy Change: MPSSVC Rule-Level Policy Change = No Auditing"
info : "This subcategory reports changes in policy rules used by the Microsoft Protection Service (MPSSVC.exe)."
solution : "Make sure 'Audit Policy: Policy Change: MPSSVC Rule-Level Policy Change' is set to No Auditing or Success (minimum), or Failure (minimum), or Success and Failure."
# Tail of 1.1.2.46 (MPSSVC Rule-Level Policy Change) - starts on the previous line.
reference : "PCI|10.2,CCE|CCE-24259-4"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf"
value_type : AUDIT_SET
audit_policy_subcategory: "MPSSVC Rule-Level Policy Change"
# Accepts every setting; informational only.
value_data : "No auditing" || "Success" || "Failure" || "Success, Failure"

# 1.1.2.47 Set 'Audit Policy: Policy Change: Other Policy Change Events' to 'No Auditing' (Scored)
type : AUDIT_POLICY_SUBCATEGORY
description : "1.1.2.47 Policy Change: Other Policy Change Events = No Auditing"
info : "This subcategory reports other types of security policy changes such as configuration of the Trusted Platform Module (TPM) or cryptographic providers."
solution : "Make sure 'Audit Policy: Policy Change: Other Policy Change Events' is set to No Auditing or Success (minimum), or Failure (minimum), or Success and Failure."
reference : "PCI|10.2,CCE|CCE-25169-4"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf"
value_type : AUDIT_SET
audit_policy_subcategory: "Other Policy Change Events"
# Accepts every setting; informational only.
value_data : "No auditing" || "Success" || "Failure" || "Success, Failure"

# 1.1.2.48 Set 'Audit Policy: Privilege Use: Non Sensitive Privilege Use' to 'No Auditing' (Scored)
# The item continues on the next line.
type : AUDIT_POLICY_SUBCATEGORY
description : "1.1.2.48 Privilege Use: Non Sensitive Privilege Use = No Auditing"
info : "This subcategory reports when a user account or service uses a non-sensitive privilege."
solution : "Make sure 'Audit Policy: Privilege Use: Non Sensitive Privilege Use' is set to No Auditing or Success (minimum), or Failure (minimum), or Success and Failure."
# Tail of 1.1.2.48 (Non Sensitive Privilege Use) - starts on the previous line.
reference : "CCE|CCE-23876-6,PCI|10.2"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf"
value_type : AUDIT_SET
audit_policy_subcategory: "Non Sensitive Privilege Use"
# Accepts every setting; informational only.
value_data : "No auditing" || "Success" || "Failure" || "Success, Failure"

# 1.1.2.49 Set 'Audit Policy: Privilege Use: Other Privilege Use Events' to 'No Auditing' (Scored)
type : AUDIT_POLICY_SUBCATEGORY
description : "1.1.2.49 Privilege Use: Other Privilege Use Events = No Auditing"
info : "This subcategory is not used."
solution : "Make sure 'Audit Policy: Privilege Use: Other Privilege Use Events' is set to No Auditing or Success (minimum), or Failure (minimum), or Success and Failure."
reference : "PCI|10.2,CCE|CCE-23920-2"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf"
value_type : AUDIT_SET
audit_policy_subcategory: "Other Privilege Use Events"
# Accepts every setting; informational only.
value_data : "No auditing" || "Success" || "Failure" || "Success, Failure"

# 1.1.2.50 Set 'Audit Policy: Privilege Use: Sensitive Privilege Use' to 'Success and Failure' (Scored)
# The item continues on the next line; it requires the exact setting and can fail.
type : AUDIT_POLICY_SUBCATEGORY
description : "1.1.2.50 Privilege Use: Sensitive Privilege Use = Success and Failure"
info : "A sensitive privilege includes some of the following user rights: Act as part of the O.S, back up files and directories. This subcategory reports when a user account or service uses a sensitive privilege."
solution : "Make sure 'Audit Policy: Privilege Use: Sensitive Privilege Use' is set to success and failure."
# Tail of 1.1.2.50 (Sensitive Privilege Use) - starts on the previous line.
reference : "PCI|10.3.4,PCI|10.3.3,PCI|10.2.2,PCI|10.3.2,PCI|10.3.5,CCE|CCE-24691-8,PCI|10.3.6,PCI|10.3.1,PCI|10.3"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf"
value_type : AUDIT_SET
audit_policy_subcategory: "Sensitive Privilege Use"
# Exact match required.
value_data : "Success, Failure"

# 1.1.2.51 Set 'Audit Policy: System: IPsec Driver' to 'Success and Failure' (Scored)
type : AUDIT_POLICY_SUBCATEGORY
description : "1.1.2.51 System: IPsec Driver = Success and Failure"
info : "This subcategory reports on the activities of the Internet Protocol security (IPsec) driver."
solution : "Make sure 'Audit Policy: System: IPsec Driver' is set to success and failure."
reference : "PCI|10.2,CCE|CCE-25372-4"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf"
value_type : AUDIT_SET
audit_policy_subcategory: "IPsec Driver"
# Exact match required.
value_data : "Success, Failure"

# 1.1.2.52 Set 'Audit Policy: System: Other System Events' to 'No Auditing' (Scored)
# The item continues on the next line.
type : AUDIT_POLICY_SUBCATEGORY
description : "1.1.2.52 System: Other System Events = No Auditing"
info : "This subcategory reports on other system events."
solution : "Make sure 'Audit Policy: System: Other System Events' is set to No Auditing or Success (minimum), or Failure (minimum), or Success and Failure."
# Tail of 1.1.2.52 (Other System Events) - starts on the previous line.
reference : "CCE|CCE-25187-6,PCI|10.2"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf"
value_type : AUDIT_SET
audit_policy_subcategory: "Other System Events"
# Accepts every setting; informational only.
value_data : "No auditing" || "Success" || "Failure" || "Success, Failure"

# 1.1.2.53 Set 'Audit Policy: System: Security State Change' to 'Success and Failure' (Scored)
type : AUDIT_POLICY_SUBCATEGORY
description : "1.1.2.53 System: Security State Change = Success and Failure"
info : "This subcategory reports changes in security state of the system, such as when the security subsystem starts and stops."
solution : "Make sure 'Audit Policy: System: Security State Change' is set to success and failure."
reference : "PCI|10.2,CCE|CCE-25178-5"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf"
value_type : AUDIT_SET
audit_policy_subcategory: "Security State Change"
# Exact match required.
value_data : "Success, Failure"

# 1.1.2.54 Set 'Audit Policy: System: Security System Extension' to 'Success and Failure' (Scored)
type : AUDIT_POLICY_SUBCATEGORY
description : "1.1.2.54 System: Security System Extension = Success and Failure"
info : "This subcategory reports the loading of extension code such as authentication packages by the security subsystem."
solution : "Make sure 'Audit Policy: System: Security System Extension' is set to success and failure."
reference : "PCI|10.2,CCE|CCE-25527-3"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf"
value_type : AUDIT_SET
audit_policy_subcategory: "Security System Extension"
# Exact match required.
value_data : "Success, Failure"

# 1.1.2.55 Set 'Audit Policy: System: System Integrity' to 'Success and Failure' (Scored)
# The item continues on the next line (solution / reference / value_* follow).
type : AUDIT_POLICY_SUBCATEGORY
description : "1.1.2.55 System: System Integrity = Success and Failure"
info : "This subcategory reports on violations of integrity of the security subsystem."
# Tail of 1.1.2.55 (System Integrity) - starts on the previous line.
solution : "Make sure 'Audit Policy: System: System Integrity' is set to success and failure."
reference : "PCI|10.2,CCE|CCE-25093-6"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf"
value_type : AUDIT_SET
audit_policy_subcategory: "System Integrity"
# Exact match required.
value_data : "Success, Failure"

## 1.1.3 Security Options
## 1.1.3.1 Accounts
# 1.1.3.1.3 Set 'Accounts: Limit local account use of blank passwords to console logon only' to 'Enabled' (Scored)
type : REGISTRY_SETTING
description : "1.1.3.1.3 Accounts: Limit local account use of blank passwords to console logon only = Enabled"
info : "This policy setting determines whether local accounts that are not password protected can be used to log on from locations other than the physical computer console."
solution : "Make sure 'Accounts: Limit local account use of blank passwords to console logon only' is enabled."
reference : "CCE|CCE-25589-3,PCI|2.2.3"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\System\CurrentControlSet\Control\Lsa\"
reg_item : "LimitBlankPasswordUse"
# 1 = blank-password local accounts may only log on at the console (network logon refused).
value_data : 1

## 1.1.3.2 Audit
# 1.1.3.2.3 Set 'Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings' to 'Enabled' (Scored)
# The item continues on the next line. NOTE(review): the per-subcategory
# AUDIT_POLICY_SUBCATEGORY items in 1.1.2.x only describe the effective policy
# when this override is enabled - presumably why it sits alongside them; confirm.
type : REGISTRY_SETTING
description : "1.1.3.2.3 Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings = Enabled"
info : "This policy setting allows administrators to enable the more precise auditing capabilities present in Windows Vista."
solution : "Make sure 'Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings' is set to enabled."
# Tail of 1.1.3.2.3 (SCENoApplyLegacyAuditPolicy) - starts on the previous line.
reference : "CCE|CCE-24252-9,PCI|10.2"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\System\CurrentControlSet\Control\Lsa\"
# Registry value names are case-insensitive, so the lowercase spelling is fine.
reg_item : "scenoapplylegacyauditpolicy"
value_data : 1

# 1.1.3.2.4 Set 'Audit: Shut down system immediately if unable to log security audits' to 'Disabled' (Scored)
type : REGISTRY_SETTING
description : "1.1.3.2.4 Audit: Shut down system immediately if unable to log security audits = Disabled"
info : "This policy setting determines whether the system shuts down if it is unable to log Security events."
solution : "Make sure 'Audit: Shut down system immediately if unable to log security audits' is set to disabled."
reference : "CCE|CCE-23988-9,PCI|2.2.3"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\System\CurrentControlSet\Control\Lsa\"
reg_item : "crashonauditfail"
# 0 = keep running when the Security log cannot be written (availability over halt-on-audit-failure).
value_data : 0

# 1.1.3.4.4 Set 'Devices: Allowed to format and eject removable media' to 'Administrators' (Scored)
# The item continues on the next line. NOTE(review): no '## 1.1.3.4 Devices'
# section heading precedes this item in this copy, unlike the other sections.
type : REGISTRY_SETTING
description : "1.1.3.4.4 Devices: Allowed to format and eject removable media = Administrators"
info : "This policy setting determines who is allowed to format and eject removable media. You can use this policy setting to prevent unauthorized users from removing data on one computer to access it on another computer on which they have local administrator privileges."
solution : "Make sure 'Devices: Allowed to format and eject removable media' is set to administrators."
# Tail of 1.1.3.4.4 (AllocateDASD) - starts on the previous line.
reference : "CCE|CCE-25217-1,PCI|7.1.2"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\"
reg_item : "AllocateDASD"
# 0 = Administrators only (per the description above).
value_data : 0

# 1.1.3.4.5 Set 'Devices: Prevent users from installing printer drivers' to 'Enabled' (Scored)
type : REGISTRY_SETTING
description : "1.1.3.4.5 Devices: Prevent users from installing printer drivers = Enabled"
info : "It is feasible for a attacker to disguise a Trojan horse program as a printer driver."
solution : "Make sure 'Devices: Prevent users from installing printer drivers' is set to enabled."
reference : "CCE|CCE-25176-9,PCI|2.2.3"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers\"
reg_item : "AddPrinterDrivers"
value_data : 1

## 1.1.3.5 Domain controller
# NOTE(review): the three 1.1.3.5.x controls are listed here as comments only -
# no check is defined for them. If this audit is ever run against a domain
# controller those settings will not be assessed; the 'Level 1 - Domain
# Controller Only' tag is present on the first two but not on 1.1.3.5.3.
# 1.1.3.5.1 Set 'Domain controller: Allow server operators to schedule tasks' to 'Disabled' (Scored)
# Level 1 - Domain Controller Only
# 1.1.3.5.2 Set 'Domain controller: LDAP server signing requirements' to 'Require signing' (Scored)
# Level 1 - Domain Controller Only
# 1.1.3.5.3 Set 'Domain controller: Refuse machine account password changes' to 'Disabled' (Scored)

## 1.1.3.6 Domain member
# 1.1.3.6.1 Set 'Domain member: Digitally encrypt or sign secure channel data (always)' to 'Enabled' (Scored)
# The item continues on the next line.
type : REGISTRY_SETTING
description : "1.1.3.6.1 Domain member: Digitally encrypt or sign secure channel data (always) = Enabled"
info : "This policy setting determines whether all secure channel traffic that is initiated by the domain member must be signed or encrypted."
solution : "Make sure 'Domain member: Digitally encrypt or sign secure channel data (always)' is set to enabled."
# Tail of 1.1.3.6.1 (RequireSignOrSeal) - starts on the previous line.
reference : "PCI|8.4,CCE|CCE-24465-7"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\System\CurrentControlSet\Services\Netlogon\Parameters\"
reg_item : "requiresignorseal"
# 1 = secure-channel traffic to the DC must be signed or sealed, never plaintext.
value_data : 1

# 1.1.3.6.2 Set 'Domain member: Digitally encrypt secure channel data (when possible)' to 'Enabled' (Scored)
type : REGISTRY_SETTING
description : "1.1.3.6.2 Domain member: Digitally encrypt secure channel data (when possible) = Enabled"
info : "This policy setting determines whether a domain member should attempt to negotiate encryption for all secure channel traffic that it initiates."
solution : "Make sure 'Domain member: Digitally encrypt secure channel data (when possible)' is enabled."
reference : "PCI|8.4,CCE|CCE-24414-5"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\System\CurrentControlSet\Services\Netlogon\Parameters\"
reg_item : "sealsecurechannel"
value_data : 1

# 1.1.3.6.3 Set 'Domain member: Digitally sign secure channel data (when possible)' to 'Enabled' (Scored)
# The item continues on the next line.
type : REGISTRY_SETTING
description : "1.1.3.6.3 Domain member: Digitally sign secure channel data (when possible) = Enabled"
info : "This policy setting determines whether a domain member should attempt to negotiate whether all secure channel traffic that it initiates must be digitally signed."
solution : "Make sure 'Domain member: Digitally sign secure channel data (when possible)' is enabled."
# Tail of 1.1.3.6.3 (SignSecureChannel) - starts on the previous line.
reference : "PCI|8.4,CCE|CCE-24812-0"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\System\CurrentControlSet\Services\Netlogon\Parameters\"
reg_item : "signsecurechannel"
value_data : 1

# 1.1.3.6.4 Set 'Domain member: Disable machine account password changes' to 'Disabled' (Scored)
type : REGISTRY_SETTING
description : "1.1.3.6.4 Domain member: Disable machine account password changes = Disabled"
info : "This policy setting determines whether a domain member can periodically change its computer account password."
solution : "Make sure 'Domain member: Disable machine account password changes' is disabled."
reference : "CCE|CCE-24243-8,PCI|2.2.3"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\System\CurrentControlSet\Services\Netlogon\Parameters\"
reg_item : "disablepasswordchange"
# 0 = the machine account password keeps rotating (a double negative: 'disable' is disabled).
value_data : 0

# 1.1.3.6.5 Set 'Domain member: Maximum machine account password age' to '24 or fewer day(s)' (Scored)
# The item continues on the next line.
type : REGISTRY_SETTING
description : "1.1.3.6.5 Domain member: Maximum machine account password age <= 24"
info : "This policy setting determines the maximum allowable age for a computer account password."
solution : "Make sure 'Domain member: Maximum machine account password age' is set to a maximum of 24 days."
# Tail of 1.1.3.6.5 (MaximumPasswordAge) - starts on the previous line.
reference : "PCI|8.5,CCE|CCE-23596-0"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf"
value_type : POLICY_DWORD
# NOTE(review): this item differs from its siblings in two ways - the reg_key has
# no trailing backslash and it carries an explicit reg_type. Harmless if the
# parser tolerates both spellings; confirm rather than 'fix' blindly.
reg_key : "HKLM\System\CurrentControlSet\Services\Netlogon\Parameters"
reg_item : "MaximumPasswordAge"
reg_type : REG_DWORD
value_data : [MIN..24]

# 1.1.3.6.6 Set 'Domain member: Require strong (Windows 2000 or later) session key' to 'Enabled' (Scored)
type : REGISTRY_SETTING
description : "1.1.3.6.6 Domain member: Require strong (Windows 2000 or later) session key = Enabled"
info : "When this policy setting is enabled, a secure channel can only be established with domain controllers that are capable of encrypting secure channel data with a strong (128-bit) session key."
solution : "Make sure 'Domain member: Require strong (Windows 2000 or later) session key' is enabled."
reference : "PCI|2.2.3,CCE|CCE-25198-3"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\System\CurrentControlSet\Services\Netlogon\Parameters\"
reg_item : "requirestrongkey"
value_data : 1

## 1.1.3.7 Interactive logon
# 1.1.3.7.5 Set 'Interactive logon: Do not display last user name' to 'Enabled' (Scored)
# The item continues on the next line.
type : REGISTRY_SETTING
description : "1.1.3.7.5 Interactive logon: Do not display last user name = Enabled"
info : "This policy setting determines whether the account name of the last user to log on to the client computers in your organization will be displayed in each computer's respective Windows logon screen."
solution : "Make sure 'Interactive logon: Do not display last user name' is enabled."
# Tail of 1.1.3.7.5 (DontDisplayLastUserName) - starts on the previous line.
reference : "CCE|CCE-24748-6,PCI|2.2.3"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\"
reg_item : "DontDisplayLastUserName"
# 1 = the logon screen does not reveal a valid account name.
value_data : 1

# 1.1.3.7.6 Set 'Interactive logon: Do not require CTRL+ALT+DEL' to 'Disabled' (Scored)
type : REGISTRY_SETTING
description : "1.1.3.7.6 Interactive logon: Do not require CTRL+ALT+DEL = Disabled"
info : "This policy setting determines whether users must press CTRL+ALT+DEL before they log on."
solution : "Make sure 'Interactive logon: Do not require CTRL+ALT+DEL' is disabled."
reference : "CCE|CCE-25803-8,PCI|2.2.3"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\"
reg_item : "DisableCAD"
# 0 = the secure attention sequence is still required (double negative).
value_data : 0

# 1.1.3.7.7 Set 'Interactive logon: Machine inactivity limit' to '900 or fewer seconds' (Scored)
# The item continues on the next line.
type : REGISTRY_SETTING
description : "1.1.3.7.7 Interactive logon: Machine inactivity limit <= 900"
info : "Windows notices inactivity of a logon session, and if the amount of inactive time exceeds the inactivity limit, then the screen saver will run, locking the session."
solution : "Make sure 'Interactive logon: Machine inactivity limit' to '900 or fewer seconds' is set to a maximum of 900 seconds (15 minutes)."
# Tail of 1.1.3.7.7 (InactivityTimeoutSecs) - starts on the previous line.
reference : "CCE|CCE-23043-3,PCI|8.5.15"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\"
reg_item : "InactivityTimeoutSecs"
# NOTE(review): a value of 0 disables the inactivity limit entirely, and 0 passes
# a '<= 900' comparison. If the intent is 'set, and at most 900', a range such as
# [1..900] (the [MIN..N] style used by the neighbouring items) would catch the
# disabled case; confirm against the benchmark wording before changing.
# This item also uses value_data + check_type where siblings use a range -
# equivalent here, just inconsistent.
value_data : 900
check_type : CHECK_LESS_THAN_OR_EQUAL

# 1.1.3.7.8 Set 'Interactive logon: Number of previous logons to cache (in case domain controller is not available)' to '2 or fewer logon(s)' (Scored)
type : REGISTRY_SETTING
description : "1.1.3.7.8 Interactive logon: Number of previous logons to cache (in case domain controller is not available) <= 2"
info : "This policy setting determines whether a user can log on to a Windows domain using cached account information. If this value is set to 0, the logon cache feature is disabled. An attacker who is able to access the file system of the server could locate this cached information and use a brute force attack to determine user passwords."
solution : "Make sure 'Interactive logon: Number of previous logons to cache (in case domain controller is not available)' is set to 2 or fewer logons."
reference : "PCI|2.2.3,CCE|CCE-24264-4"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\"
# NOTE(review): Windows stores this value as a string (REG_SZ) rather than a
# DWORD; presumably POLICY_DWORD copes with the conversion - verify on a target
# that a '0' / '2' string is compared numerically.
reg_item : "cachedlogonscount"
# 0 (cache disabled) is the most restrictive value and is inside the range.
value_data : [MIN..2]

# 1.1.3.7.9 Set 'Interactive logon: Prompt user to change password before expiration' to '14 or more day(s)' (Scored)
# The item continues on the next line.
type : REGISTRY_SETTING
description : "1.1.3.7.9 Interactive logon: Prompt user to change password before expiration >= 14"
info : "This policy setting determines how far in advance users are warned that their password will expire."
solution : "Make sure 'Interactive logon: Prompt user to change password before expiration' is set to a minimum of 14 days."
# Tail of 1.1.3.7.9 (PasswordExpiryWarning) - starts on the previous line.
reference : "PCI|8.5,CCE|CCE-23704-0"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\"
reg_item : "passwordexpirywarning"
value_data : [14..MAX]

# 1.1.3.7.10 Set 'Interactive logon: Require Domain Controller authentication to unlock workstation' to 'Disabled' (Scored)
type : REGISTRY_SETTING
description : "1.1.3.7.10 Interactive logon: Require Domain Controller authentication to unlock workstation = Disabled"
info : "Logon information is required to unlock a locked computer."
solution : "Make sure 'Interactive logon: Require Domain Controller authentication to unlock workstation' is disabled."
reference : "CCE|CCE-25643-8,PCI|2.2.3"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\"
reg_item : "ForceUnlockLogon"
# 0 = cached credentials may unlock the session without reaching a DC.
value_data : 0

# 1.1.3.7.12 Set 'Interactive logon: Machine account lockout threshold' to 3 or fewer invalid logon attempts (Scored)
# The item continues on the next line.
type : REGISTRY_SETTING
description : "1.1.3.7.12 Interactive logon: Machine account lockout threshold <= 3"
info : "The machine lockout policy is enforced only on those machines that have Bitlocker enabled for protecting OS volumes."
solution : "Make sure 'Interactive logon: Machine account lockout threshold' is set to a maximum of 3."
# Tail of 1.1.3.7.12 (MaxDevicePasswordFailedAttempts) - starts on the previous line.
reference : "PCI|2.2.3,CCE|CCE-22731-4"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\"
reg_item : "MaxDevicePasswordFailedAttempts"
# NOTE(review): [MIN..3] includes 0. For this setting 0 is documented as 'never
# lock', so a host with the threshold switched off would pass - presumably not
# the intent; confirm and consider [1..3].
value_data : [MIN..3]

## 1.1.3.8 Microsoft network client
# 1.1.3.8.1 Set 'Microsoft network client: Digitally sign communications (always)' to 'Enabled' (Scored)
type : REGISTRY_SETTING
description : "1.1.3.8.1 Microsoft network client: Digitally sign communications (always) = Enabled"
info : "This policy setting determines whether packet signing is required by the SMB client component."
solution : "Make sure 'Microsoft network client: Digitally sign communications (always)' is set to enabled."
reference : "PCI|4.1,PCI|2.2.3,CCE|CCE-24969-8"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\"
reg_item : "RequireSecuritySignature"
# 1 = client refuses unsigned SMB sessions (mitigates relay/tampering on the wire).
value_data : 1

# 1.1.3.8.2 Set 'Microsoft network client: Digitally sign communications (if server agrees)' to 'Enabled' (Scored)
# The item continues on the next line.
type : REGISTRY_SETTING
description : "1.1.3.8.2 Microsoft network client: Digitally sign communications (if server agrees) = Enabled"
info : "This policy setting determines whether the SMB client will attempt to negotiate SMB packet signing."
solution : "Make sure 'Microsoft network client: Digitally sign communications (if server agrees)' is set to enabled."
reference : "PCI|4.1,CCE|CCE-24740-3,PCI|2.2.3" see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf" value_type : POLICY_DWORD reg_key : "HKLM\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\" reg_item : "EnableSecuritySignature" value_data : 1 # 1.1.3.8.3 Set 'Microsoft network client: Send unencrypted password to third-party SMB servers' to 'Disabled' (Scored) type : REGISTRY_SETTING description : "1.1.3.8.3 Microsoft network client: Send unencrypted password to third-party SMB servers = Disabled" info : "Disable this policy setting to prevent the SMB redirector from sending plaintext passwords during authentication to third-party SMB servers that do not support password encryption." solution : "Make sure 'Microsoft network client: Send unencrypted password to third-party SMB servers' is set to disabled." reference : "PCI|8.4,CCE|CCE-24751-0" see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf" value_type : POLICY_DWORD reg_key : "HKLM\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\" reg_item : "EnablePlainTextPassword" value_data : 0 ## 1.1.3.9 Microsoft network server # 1.1.3.9.2 Set 'Microsoft network server: Amount of idle time required before suspending session' to '15 or fewer minute(s)' (Scored) type : REGISTRY_SETTING description : "1.1.3.9.2 Microsoft network server: Amount of idle time required before suspending session <= 15" info : "This policy setting allows you to specify the amount of continuous idle time that must pass in an SMB session before the session is suspended because of inactivity." solution : "Make sure 'Microsoft network server: Amount of idle time required before suspending session' is set to a maximum of 15 minutes." 
reference : "CCE|CCE-23897-2,PCI|8.5.15" see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf" value_type : POLICY_DWORD reg_key : "HKLM\System\CurrentControlSet\Services\LanManServer\Parameters\" reg_item : "autodisconnect" value_data : [MIN..15] # 1.1.3.9.3 Set 'Microsoft network server: Digitally sign communications (always)' to 'Enabled' (Scored) type : REGISTRY_SETTING description : "1.1.3.9.3 Microsoft network server: Digitally sign communications (always) = Enabled" info : "This policy setting determines if the server side SMB service is required to perform SMB packet signing." solution : "Make sure 'Microsoft network server: Digitally sign communications (always)' is set to enabled." reference : "PCI|4.1,PCI|2.2.3,CCE|CCE-23716-4" see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf" value_type : POLICY_DWORD reg_key : "HKLM\System\CurrentControlSet\Services\LanManServer\Parameters\" reg_item : "requiresecuritysignature" value_data : 1 # 1.1.3.9.4 Set 'Microsoft network server: Digitally sign communications (if client agrees)' to 'Enabled' (Scored) type : REGISTRY_SETTING description : "1.1.3.9.4 Microsoft network server: Digitally sign communications (if client agrees) = Enabled" info : "This policy setting determines if the server side SMB service is able to sign SMB packets if it is requested to do so by a client that attempts to establish a connection." solution : "Make sure 'Microsoft network server: Digitally sign communications (if client agrees)' is enabled." 
reference : "PCI|4.1,PCI|2.2.3,CCE|CCE-24354-3" see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf" value_type : POLICY_DWORD reg_key : "HKLM\System\CurrentControlSet\Services\LanManServer\Parameters\" reg_item : "enablesecuritysignature" value_data : 1 # 1.1.3.9.5 Set 'Microsoft network server: Disconnect clients when logon hours expire' to 'Enabled' (Scored) type : REGISTRY_SETTING description : "1.1.3.9.5 Microsoft network server: Disconnect clients when logon hours expire = Enabled" info : "This policy setting determines whether to disconnect users who are connected to the local computer outside their user account's valid logon hours." solution : "Make sure 'Microsoft network server: Disconnect clients when logon hours expire' is enabled." reference : "CCE|CCE-24148-9,PCI|2.2.3" see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf" value_type : POLICY_DWORD reg_key : "HKLM\System\CurrentControlSet\Services\LanManServer\Parameters\" reg_item : "enableforcedlogoff" value_data : 1 # 1.1.3.10.11 Set 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' to 'Disabled' (Scored) type : REGISTRY_SETTING description : "1.1.3.10.11 MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended) = Disabled" info : "This setting is separate from the Welcome screen feature in Windows XP and Windows Vista." solution : "Make sure AutoAdminLogon is disabled." 
reference : "PCI|2.2.3,CCE|CCE-24927-6" see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf" value_type : POLICY_DWORD reg_key : "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" reg_item : "AutoAdminLogon" value_data : 0 # 1.1.3.10.12 Set 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' to 'Highest protection, source routing is completely disabled' (Scored) type : REGISTRY_SETTING description : "1.1.3.10.12 MSS: (DisableIPSourceRouting IPv6) IP source routing protection level = Highest protection, source routing is completely disabled" info : "IP source routing is a mechanism that allows the sender to determine the IP route that a datagram should follow through the network." solution : "Make sure DisableIPSourceRouting is set to a value of Highest protection, source routing is completely disabled." reference : "PCI|2.2.3,CCE|CCE-24452-5" see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf" value_type : POLICY_DWORD reg_key : "HKLM\System\CurrentControlSet\Services\Tcpip6\Parameters\" reg_item : "DisableIPSourceRouting" value_data : 2 # 1.1.3.10.13 Set 'MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)' to 'Highest protection, source routing is completely disabled' (Scored) type : REGISTRY_SETTING description : "1.1.3.10.13 MSS: (DisableIPSourceRouting) IP source routing protection level = Highest protection, source routing is completely disabled" info : "IP source routing is a mechanism that allows the sender to determine the IP route that a datagram should take through the network." solution : "Make sure DisableIPSourceRouting is set to a value of Highest protection, source routing is completely disabled." 
reference : "CCE|CCE-24968-0,PCI|2.2.3" see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf" value_type : POLICY_DWORD reg_key : "HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\" reg_item : "DisableIPSourceRouting" value_data : 2 # 1.1.3.10.14 Set 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' to 'Enabled' (Scored) type : REGISTRY_SETTING description : "1.1.3.10.14 MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended) = Enabled" info : "The DLL search order can be configured to search for DLLs that are requested by running processes." solution : "Make sure SafeDllSearchMode is enabled." reference : "CCE|CCE-23462-5,PCI|2.2.3" see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf" value_type : POLICY_DWORD reg_key : "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\" reg_item : "SafeDllSearchMode" value_data : 1 # 1.1.3.10.15 Set 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)' to '0' (Scored) type : REGISTRY_SETTING description : "1.1.3.10.15 MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended) = 0" info : "The time in seconds before the screen saver grace period expires (0 recommended) in the SCE." solution : "Make sure ScreenSaverGracePeriod is set to 0 seconds." 
reference : "CCE|CCE-24993-8,PCI|2.2.3" see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf" value_type : POLICY_TEXT reg_key : "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" reg_item : "ScreenSaverGracePeriod" value_data : "0" # 1.1.3.10.16 Set 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' to '0.9 or less' (Scored) type : REGISTRY_SETTING description : "1.1.3.10.16 MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning <= 0.9" info : "This setting can generate a security audit in the Security event log when the log reaches a user-defined threshold." solution : "Make sure WarningLevel is set to 90 percent or less." reference : "PCI|10.7,CCE|CCE-25110-8" see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf" value_type : POLICY_DWORD reg_key : "HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\" reg_item : "WarningLevel" check_type : CHECK_LESS_THAN_OR_EQUAL value_data : 90 # 1.1.3.11.4 Set 'Network access: Allow anonymous SID/Name translation' to 'Disabled' (Scored) type : ANONYMOUS_SID_SETTING description : "1.1.3.11.4 Network access: Allow anonymous SID/Name translation = Disabled" info : "This policy setting determines whether an anonymous user can request security identifier (SID) attributes for another user." solution : "Make sure 'Network access: Allow anonymous SID/Name translation' is disabled."
reference : "CCE|CCE-24597-7,PCI|2.2.3" see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf" value_type : POLICY_SET value_data : "Disabled" # 1.1.3.11.5 Set 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' to 'Enabled' (Scored) type : REGISTRY_SETTING description : "1.1.3.11.5 Network access: Do not allow anonymous enumeration of SAM accounts and shares = Enabled" info : "This policy setting controls the ability of anonymous users to enumerate SAM accounts as well as shares." solution : "Make sure 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' is enabled, so that anonymous enumeration is not allowed." reference : "CCE|CCE-24774-2,PCI|2.2.3" see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf" value_type : POLICY_DWORD reg_key : "HKLM\System\CurrentControlSet\Control\Lsa\" reg_item : "RestrictAnonymous" value_data : 1 # 1.1.3.11.6 Set 'Network access: Do not allow anonymous enumeration of SAM accounts' to 'Enabled' (Scored) type : REGISTRY_SETTING description : "1.1.3.11.6 Network access: Do not allow anonymous enumeration of SAM accounts = Enabled" info : "This policy setting controls the ability of anonymous users to enumerate the accounts in the Security Accounts Manager." solution : "Make sure RestrictAnonymousSAM is enabled."
reference : "CCE|CCE-23082-1,PCI|2.2.3" see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf" value_type : POLICY_DWORD reg_key : "HKLM\System\CurrentControlSet\Control\Lsa\" reg_item : "RestrictAnonymousSAM" value_data : 1 # 1.1.3.11.7 Set 'Network access: Let Everyone permissions apply to anonymous users' to 'Disabled' (Scored) type : REGISTRY_SETTING description : "1.1.3.11.7 Network access: Let Everyone permissions apply to anonymous users = Disabled" info : "This policy setting determines what additional permissions are assigned for anonymous connections to the computer." solution : "Make sure EveryoneIncludesAnonymous is disabled." reference : "CCE|CCE-23807-1,PCI|2.2.3" see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf" value_type : POLICY_DWORD reg_key : "HKLM\System\CurrentControlSet\Control\Lsa\" reg_item : "EveryoneIncludesAnonymous" value_data : 0 # 1.1.3.11.8 Set 'Network access: Remotely accessible registry paths and sub-paths' to 'System\CurrentControlSet\Control\Print\Printers System\CurrentControlSet\Services\Eventlog Software\Microsoft\OLAP Server Software\Microsoft\Windows NT\CurrentVersion\Print Softwar (Scored) type : REGISTRY_SETTING description : "1.1.3.11.8 Configure Network access: Remotely accessible registry paths and sub-paths" info : "This policy setting determines which registry paths and sub-paths will be accessible when an application or process references the WinReg key." 
solution : "Make sure Remotely accessible registry paths are set to 'System\CurrentControlSet\Control\Print\Printers', 'System\CurrentControlSet\Services\Eventlog', 'Software\Microsoft\OLAP Server', 'Software\Microsoft\Windows NT\CurrentVersion\Print', 'Software\Microsoft\Windows NT\CurrentVersion\Windows', 'System\CurrentControlSet\Control\ContentIndex', 'System\CurrentControlSet\Control\Terminal Server', 'System\CurrentControlSet\Control\Terminal Server\UserConfig', 'System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration', 'Software\Microsoft\Windows NT\CurrentVersion\Perflib', 'System\CurrentControlSet\Services\SysmonLog'." reference : "CCE|CCE-25426-8,PCI|2.2.3" see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf" value_type : POLICY_MULTI_TEXT reg_key : "HKLM\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths\" reg_item : "Machine" value_data : "System\CurrentControlSet\Control\Print\Printers" && "System\CurrentControlSet\Services\Eventlog" && "Software\Microsoft\OLAP Server" && "Software\Microsoft\Windows NT\CurrentVersion\Print" && "Software\Microsoft\Windows NT\CurrentVersion\Windows" && "System\CurrentControlSet\Control\ContentIndex" && "System\CurrentControlSet\Control\Terminal Server" && "System\CurrentControlSet\Control\Terminal Server\UserConfig" && "System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration" && "Software\Microsoft\Windows NT\CurrentVersion\Perflib" && "System\CurrentControlSet\Services\SysmonLog" # 1.1.3.11.9 Set 'Network access: Remotely accessible registry paths' to 'System\CurrentControlSet\Control\ProductOptions System\CurrentControlSet\Control\Server Applications Software\Microsoft\Windows NT\CurrentVersion' (Scored) type : REGISTRY_SETTING description : "1.1.3.11.9 Configure Network access: Remotely accessible registry paths" info : "This policy setting determines which registry paths will be accessible after 
referencing the WinReg key to determine access permissions to the paths." solution : "Make sure Remotely accessible registry paths are set to 'System\CurrentControlSet\Control\ProductOptions', 'System\CurrentControlSet\Control\Server Applications', 'Software\Microsoft\Windows NT\CurrentVersion'." reference : "CCE|CCE-23899-8,PCI|2.2.3" see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf" value_type : POLICY_MULTI_TEXT reg_key : "HKLM\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths\" reg_item : "Machine" value_data : "System\CurrentControlSet\Control\ProductOptions" && "System\CurrentControlSet\Control\Server Applications" && "Software\Microsoft\Windows NT\CurrentVersion" # 1.1.3.11.10 Set 'Network access: Restrict anonymous access to Named Pipes and Shares' to 'Enabled' (Scored) type : REGISTRY_SETTING description : "1.1.3.11.10 Network access: Restrict anonymous access to Named Pipes and Shares = Enabled" info : "When enabled, this policy setting restricts anonymous access to only those shares and pipes that are named in the Named pipes and Shares." solution : "Make sure restrictnullsessaccess is enabled." reference : "CCE|CCE-24564-7,PCI|2.2.3" see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf" value_type : POLICY_DWORD reg_key : "HKLM\System\CurrentControlSet\Services\LanManServer\Parameters\" reg_item : "restrictnullsessaccess" value_data : 1 # 1.1.3.11.11 Set 'Network access: Sharing and security model for local accounts' to 'Classic - local users authenticate as themselves' (Scored) type : REGISTRY_SETTING description : "1.1.3.11.11 Network access: Sharing and security model for local accounts = Classic - local users authenticate as themselves" info : "This policy setting determines how network logons that use local accounts are authenticated."
solution : "Make sure 'Network access: Sharing and security model for local accounts' is set to 'Classic - local users authenticate as themselves'." reference : "CCE|CCE-22742-1,PCI|2.2.3" see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf" value_type : POLICY_DWORD reg_key : "HKLM\System\CurrentControlSet\Control\Lsa\" reg_item : "ForceGuest" value_data : 0 ## 1.1.3.12 Network security # 1.1.3.12.13 Set 'Network security: Do not store LAN Manager hash value on next password change' to 'Enabled' (Scored) type : REGISTRY_SETTING description : "1.1.3.12.13 Network security: Do not store LAN Manager hash value on next password change = Enabled" info : "This policy setting determines whether the LAN Manager (LM) hash value for the new password is stored when the password is changed." solution : "Make sure 'Network security: Do not store LAN Manager hash value on next password change' is enabled." reference : "PCI|8.4,CCE|CCE-24150-5" see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf" value_type : POLICY_DWORD reg_key : "HKLM\System\CurrentControlSet\Control\Lsa\" reg_item : "NoLMHash" value_data : 1 # 1.1.3.12.14 Set 'Network security: LAN Manager authentication level' to 'Send NTLMv2 response only. Refuse LM & NTLM' (Scored) type : REGISTRY_SETTING description : "1.1.3.12.14 Network security: LAN Manager authentication level = Send NTLMv2 response only. Refuse LM & NTLM" info : "LAN Manager (LM) is a family of early Microsoft client/server software that allows users to link personal computers together on a single network." solution : "Make sure 'Network security: LAN Manager authentication level' is set to send NTLMv2 response only and refuse LM and NTLM."
reference : "PCI|8.4,CCE|CCE-24650-4" see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf" value_type : POLICY_DWORD reg_key : "HKLM\System\CurrentControlSet\Control\Lsa\" reg_item : "LmCompatibilityLevel" value_data : 5 # 1.1.3.12.15 Set 'Network security: LDAP client signing requirements' to 'Negotiate signing' (Scored) type : REGISTRY_SETTING description : "1.1.3.12.15 Network security: LDAP client signing requirements = Negotiate signing" info : "This policy setting determines the level of data signing that is requested on behalf of clients that issue LDAP BIND requests." solution : "Make sure 'Network security: LDAP client signing requirements' is set to negotiate signing." reference : "PCI|8.4,CCE|CCE-25245-2" see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf" value_type : POLICY_DWORD reg_key : "HKLM\System\CurrentControlSet\Services\LDAP\" reg_item : "LDAPClientIntegrity" value_data : 1 # 1.1.3.12.16 Set 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' to 'Require NTLMv2 session security,Require 128-bit encryption' (Scored) type : REGISTRY_SETTING description : "1.1.3.12.16 Network security: Minimum session security for NTLM SSP based (including secure RPC) clients = Require NTLMv2 session security,Require 128-bit encryption" info : "This policy setting determines which behaviors are allowed for applications using the NTLM Security Support Provider." solution : "Make sure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' is set to require NTLMv2 session security and 128-bit encryption." 
reference : "PCI|8.4,CCE|CCE-24783-3" see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf" value_type : POLICY_DWORD reg_key : "HKLM\System\CurrentControlSet\Control\Lsa\MSV1_0\" reg_item : "NTLMMinClientSec" value_data : 537395200 # 1.1.3.12.17 Set 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' to 'Require NTLMv2 session security,Require 128-bit encryption' (Scored) type : REGISTRY_SETTING description : "1.1.3.12.17 Network security: Minimum session security for NTLM SSP based (including secure RPC) servers = Require NTLMv2 session security,Require 128-bit encryption" info : "This policy setting determines which behaviors are allowed for applications using the NTLM Security Support Provider." solution : "Make sure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' is set to require NTLMv2 session security and 128 bit encryption." reference : "CCE|CCE-25264-3,PCI|8.4" see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf" value_type : POLICY_DWORD reg_key : "HKLM\System\CurrentControlSet\Control\Lsa\MSV1_0\" reg_item : "NTLMMinServerSec" value_data : 537395200 ## 1.1.3.13 Recovery console # 1.1.3.13.1 Set 'Recovery console: Allow automatic administrative logon' to 'Disabled' (Scored) type : REGISTRY_SETTING description : "1.1.3.13.1 Recovery console: Allow automatic administrative logon = Disabled" info : "The recovery console is a command-line environment that is used to recover from system problems." solution : "Make sure 'Recovery console: Allow automatic administrative logon' is disabled." 
reference : "CCE|CCE-24470-7,PCI|2.2.3" see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf" value_type : POLICY_DWORD reg_key : "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\" reg_item : "securitylevel" value_data : 0 # 1.1.3.13.2 Set 'Recovery console: Allow floppy copy and access to all drives and all folders' to 'Disabled' (Scored) type : REGISTRY_SETTING description : "1.1.3.13.2 Recovery console: Allow floppy copy and access to all drives and all folders = Disabled" info : "This policy setting makes the Recovery Console SET command available which allows you to set the following recovery console environment variables: - AllowWildCards. Enables wildcard support for some commands (such as the DEL command). - AllowAllPaths. Allows access to all files and folders on the computer. - AllowRemovableMedia. Allows files to be copied to removable media, such as a floppy disk." solution : "Make sure 'Recovery console: Allow floppy copy and access to all drives and all folders' is disabled." reference : "CCE|CCE-25274-2,PCI|2.2.3" see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf" value_type : POLICY_DWORD reg_key : "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\" reg_item : "setcommand" value_data : 0 ## 1.1.3.14 Shutdown # 1.1.3.14.1 Set 'Shutdown: Allow system to be shut down without having to log on' to 'Disabled' (Scored) type : REGISTRY_SETTING description : "1.1.3.14.1 Shutdown: Allow system to be shut down without having to log on = Disabled" info : "This policy setting determines whether a computer can be shut down when a user is not logged on." solution : "Make sure 'Shutdown: Allow system to be shut down without having to log on' is disabled." 
reference : "CCE|CCE-25100-9,PCI|2.2.3" see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf" value_type : POLICY_DWORD reg_key : "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\" reg_item : "ShutdownWithoutLogon" value_data : 0 # 1.1.3.14.2 Set 'Shutdown: Clear virtual memory pagefile' to 'Disabled' (Scored) type : REGISTRY_SETTING description : "1.1.3.14.2 Shutdown: Clear virtual memory pagefile = Disabled" info : "This policy setting determines whether the virtual memory pagefile is cleared when the system is shut down." solution : "Make sure 'Shutdown: Clear virtual memory pagefile' is disabled." reference : "CCE|CCE-25120-7,PCI|2.2.3" see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf" value_type : POLICY_DWORD reg_key : "HKLM\System\CurrentControlSet\Control\Session Manager\Memory Management\" reg_item : "ClearPageFileAtShutdown" value_data : 0 ## 1.1.3.15 System cryptography # 1.1.3.15.2 Set 'System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing' to 'Enabled' (Scored) type : REGISTRY_SETTING description : "1.1.3.15.2 System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing = Enabled" info : "This policy setting determines whether the Transport Layer Security/Secure Sockets Layer (TLS/SSL) Security Provider supports only the TLS_RSA_WITH_3DES_EDE_CBC_SHA cipher." solution : "Make sure 'System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing' is enabled."
reference : "PCI|8.4,CCE|CCE-23921-0" see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf" value_type : POLICY_DWORD reg_key : "HKLM\System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy\" reg_item : "Enabled" value_data : 1 ## 1.1.3.16 System objects # 1.1.3.16.1 Set 'System objects: Require case insensitivity for non-Windows subsystems' to 'Enabled' (Scored) type : REGISTRY_SETTING description : "1.1.3.16.1 System objects: Require case insensitivity for non-Windows subsystems = Enabled" info : "This policy setting determines whether case insensitivity is enforced for all subsystems." solution : "Make sure 'System objects: Require case insensitivity for non-Windows subsystems' is enabled." reference : "CCE|CCE-24870-8,PCI|2.2.3" see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf" value_type : POLICY_DWORD reg_key : "HKLM\System\CurrentControlSet\Control\Session Manager\Kernel\" reg_item : "ObCaseInsensitive" value_data : 1 # 1.1.3.16.2 Set 'System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)' to 'Enabled' (Scored) type : REGISTRY_SETTING description : "1.1.3.16.2 System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links) = Enabled" info : "This policy setting determines the strength of the default discretionary access control list (DACL) for objects." solution : "Make sure 'System objects: Strengthen default permissions of internal system objects' is enabled." 
reference : "PCI|2.2.3,CCE|CCE-24633-0" see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf" value_type : POLICY_DWORD reg_key : "HKLM\System\CurrentControlSet\Control\Session Manager\" reg_item : "ProtectionMode" value_data : 1 ## 1.1.3.17 System settings # 1.1.3.17.2 Set 'System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies' to 'Enabled' (Scored) type : REGISTRY_SETTING description : "1.1.3.17.2 System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies = Enabled" info : "This policy setting determines whether digital certificates are processed when software restriction policies are enabled and a user or process attempts to run software with an .exe file name extension." solution : "Make sure 'System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies' is enabled." reference : "CCE|CCE-24939-1,PCI|2.2.3" see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf" value_type : POLICY_DWORD reg_key : "HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\" reg_item : "AuthenticodeEnabled" value_data : 1 ## 1.1.3.18 User Account Control # 1.1.3.18.1 Set 'User Account Control: Admin Approval Mode for the Built-in Administrator account' to 'Enabled' (Scored) type : REGISTRY_SETTING description: "1.1.3.18.1 UAC: Admin Approval Mode for the Built-in Administrator account = Enabled" info : "This policy setting controls the behavior of Admin Approval Mode for the built-in Administrator account." solution : "Make sure 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is enabled." 
reference : "CCE|CCE-24134-9,PCI|7.1.1" see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf" value_type : POLICY_DWORD reg_key : "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\" reg_item : "FilterAdministratorToken" value_data : 1 # 1.1.3.18.2 Set 'User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop' to 'Disabled' (Scored) type : REGISTRY_SETTING description: "1.1.3.18.2 UAC: Allow UIAccess applications to prompt for elevation without using the secure desktop = Disabled" info : "This policy setting controls whether User Interface Accessibility programs can automatically disable the secure desktop." solution : "Make sure 'User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop' is disabled." reference : "CCE|CCE-23295-9,PCI|7.1.1" see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf" value_type : POLICY_DWORD reg_key : "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\" reg_item : "EnableUIADesktopToggle" value_data : 0 # 1.1.3.18.3 Set 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' to 'Prompt for consent for non-Windows binaries' (Scored) type : REGISTRY_SETTING description: "1.1.3.18.3 Behavior of the elevation prompt for administrators in Admin Approval Mode = Prompt for consent for non-Windows binaries" info : "This policy setting controls the behavior of the elevation prompt for administrators." solution : "Make sure 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' is set to prompt for consent for non-Windows binaries." 
reference : "PCI|7.1.1,CCE|CCE-23877-4" see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf" value_type : POLICY_DWORD reg_key : "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\" reg_item : "ConsentPromptBehaviorAdmin" value_data : 5 # 1.1.3.18.4 Set 'User Account Control: Behavior of the elevation prompt for standard users' to 'Prompt for credentials' (Scored) type : REGISTRY_SETTING description: "1.1.3.18.4 UAC: Behavior of the elevation prompt for standard users = Prompt for credentials" info : "This policy setting controls the behavior of the elevation prompt for standard users." solution : "Make sure 'User Account Control: Behavior of the elevation prompt for standard users' is set to prompt user for credentials." reference : "CCE|CCE-24519-1,PCI|7.1.1" see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf" value_type : POLICY_DWORD reg_key : "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\" reg_item : "ConsentPromptBehaviorUser" value_data : 3 # 1.1.3.18.5 Set 'User Account Control: Detect application installations and prompt for elevation' to 'Enabled' (Scored) type : REGISTRY_SETTING description: "1.1.3.18.5 UAC: Detect application installations and prompt for elevation = Enabled" info : "This policy setting controls the behavior of application installation detection for the computer." solution : "Make sure 'User Account Control: Detect application installations and prompt for elevation' is enabled." 
# Remaining fields of check 1.1.3.18.5 (its type/description are above this block)
reference : "CCE|CCE-24498-8,PCI|7.1.1"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\"
reg_item : "EnableInstallerDetection"
value_data : 1

# 1.1.3.18.6 Set 'User Account Control: Only elevate executables that are signed and validated' to 'Disabled' (Scored)
type : REGISTRY_SETTING
description: "1.1.3.18.6 UAC: Only elevate executables that are signed and validated = Disabled"
info : "This policy setting enforces public key infrastructure (PKI) signature checks for any interactive applications that request elevation of privilege."
solution : "Make sure 'User Account Control: Only elevate executables that are signed and validated' is disabled."
reference : "CCE|CCE-23880-8,PCI|7.1.1"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\"
reg_item : "ValidateAdminCodeSignatures"
# 0 corresponds to 'Disabled' in the description above
value_data : 0

# 1.1.3.18.7 Set 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' to 'Enabled' (Scored)
# (the reference/value fields of this check continue below)
type : REGISTRY_SETTING
description: "1.1.3.18.7 UAC: Only elevate UIAccess applications that are installed in secure locations = Enabled"
info : "This policy setting controls whether applications that request to run with a UIAccess integrity level must reside in a secure location."
solution : "Make sure 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is enabled."
# Remaining fields of check 1.1.3.18.7 (its type/description are above this block)
reference : "PCI|7.1.1,CCE|CCE-25471-4"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\"
reg_item : "EnableSecureUIAPaths"
value_data : 1

# 1.1.3.18.8 Set 'User Account Control: Run all administrators in Admin Approval Mode' to 'Enabled' (Scored)
type : REGISTRY_SETTING
description: "1.1.3.18.8 UAC: Run all administrators in Admin Approval Mode = Enabled"
info : "This policy setting controls the behavior of all User Account Control (UAC) policy settings for the computer."
solution : "Make sure 'User Account Control: Run all administrators in Admin Approval Mode' is enabled."
reference : "CCE|CCE-23653-9,PCI|7.1.1"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\"
reg_item : "EnableLUA"
# 1 corresponds to 'Enabled'; per the info text this governs every other UAC setting
value_data : 1

# 1.1.3.18.9 Set 'User Account Control: Switch to the secure desktop when prompting for elevation' to 'Enabled' (Scored)
# (the reference/value fields of this check continue below)
type : REGISTRY_SETTING
description: "1.1.3.18.9 UAC: Switch to the secure desktop when prompting for elevation = Enabled"
info : "This policy setting controls whether the elevation request prompt is displayed on the interactive user's desktop or the secure desktop."
solution : "Make sure 'User Account Control: Switch to the secure desktop when prompting for elevation' is enabled."
# Remaining fields of check 1.1.3.18.9 (its type/description are above this block)
reference : "CCE|CCE-23656-2,PCI|7.1.1"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\"
reg_item : "PromptOnSecureDesktop"
value_data : 1

# 1.1.3.18.10 Set 'User Account Control: Virtualize file and registry write failures to per-user locations' to 'Enabled' (Scored)
type : REGISTRY_SETTING
description: "1.1.3.18.10 UAC: Virtualize file and registry write failures to per-user locations = Enabled"
info : "This policy setting controls whether application write failures are redirected to defined registry and file system locations."
solution : "Make sure 'User Account Control: Virtualize file and registry write failures to per-user locations' is enabled."
reference : "PCI|7.1.1,CCE|CCE-24231-3"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\"
reg_item : "EnableVirtualization"
value_data : 1

## 1.1.4 User Rights Assignments
# The USER_RIGHTS_POLICY checks that follow name the trustees expected to hold each
# right; an empty value_data corresponds to 'No One' in the matching description.
# 1.1.4.3 Set 'Access Credential Manager as a trusted caller' to 'No One' (Scored)
# (the reference/value fields of this check continue below)
type : USER_RIGHTS_POLICY
description : "1.1.4.3 Access Credential Manager as a trusted caller = No One"
info : "This security setting is used by Credential Manager during Backup and Restore."
solution : "Make sure 'Access Credential Manager as a trusted caller' is set no one."
# Remaining fields of check 1.1.4.3 (its type/description are above this block)
reference : "PCI|7.2.2,PCI|7.1.2,PCI|7.2.1,CCE|CCE-25683-4"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf"
value_type : USER_RIGHT
right_type : SeTrustedCredManAccessPrivilege
# empty = 'No One', as the description of 1.1.4.3 states
value_data : ""

# 1.1.4.4 Configure 'Access this computer from the network' (Scored)
type : USER_RIGHTS_POLICY
description : "1.1.4.4 Access this computer from the network = Administrators, Authenticated Users"
info : "This policy setting allows other users on the network to connect to the computer and is required by various network protocols."
# NOTE(review): the solution text additionally names 'enterprise domain controllers', which neither the description nor the enforced value_data below includes -- confirm whether this audit targets the member-server or domain-controller profile and align the text with the enforced set
solution : "Make sure 'Access this computer from the network' is set to administrators, authenticated users and enterprise domain controllers. "
reference : "PCI|7.2.2,CCE|CCE-24938-3,PCI|7.1.3,PCI|7.1.2,PCI|7.2.1"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf"
value_type : USER_RIGHT
right_type : SeNetworkLogonRight
value_data : "administrators" && "authenticated users"

# 1.1.4.5 Set 'Act as part of the operating system' to 'No One' (Scored)
# (the reference/value fields of this check continue below)
type : USER_RIGHTS_POLICY
description : "1.1.4.5 Act as part of the operating system = No One"
info : "This policy setting allows a process to assume the identity of any user and thus gain access to the resources that the user is authorized to access."
solution : "Make sure no one can act as part of the operating system."
# Remaining fields of check 1.1.4.5 (its type/description are above this block)
reference : "PCI|7.2.2,CCE|CCE-25043-1,PCI|7.1.2,PCI|7.2.1"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf"
value_type : USER_RIGHT
right_type : SeTcbPrivilege
# empty = 'No One', as the description of 1.1.4.5 states
value_data : ""

# 1.1.4.6 Set 'Add workstations to domain' to 'Administrators' (Scored)
# Level 1 - Domain Controller Only
# (intentionally not implemented in this audit)

# 1.1.4.7 Set 'Adjust memory quotas for a process' to 'Administrators, Local Service, Network Service' (Scored)
type : USER_RIGHTS_POLICY
description : "1.1.4.7 Adjust memory quotas for a process = Administrators, Local Service, Network Service"
info : "This policy setting allows a user to adjust the maximum amount of memory that is available to a process."
solution : "Make sure 'Adjust memory quotas for a process' is set to administrators, local service and network service."
reference : "PCI|7.2.2,CCE|CCE-25112-4,PCI|7.1.3,PCI|7.1.2,PCI|7.2.1"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf"
value_type : USER_RIGHT
right_type : SeIncreaseQuotaPrivilege
value_data : "administrators" && "local service" && "network service"

# 1.1.4.8 Set 'Allow log on locally' to 'Administrators' (Scored)
# (the reference/value fields of this check continue below)
type : USER_RIGHTS_POLICY
description : "1.1.4.8 Allow log on locally = Administrators"
info : "This policy setting determines which users can interactively log on to computers in your environment."
solution : "Make sure 'Allow log on locally' is set to administrators."
# Remaining fields of check 1.1.4.8 (its type/description are above this block)
reference : "PCI|7.2.2,PCI|7.1.3,PCI|7.1.2,CCE|CCE-25228-8,PCI|7.2.1"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf"
value_type : USER_RIGHT
right_type : SeInteractiveLogonRight
value_data : "administrators"

# 1.1.4.9 Set 'Allow log on through Remote Desktop Services' to 'Administrators' (Scored)
type : USER_RIGHTS_POLICY
description : "1.1.4.9 Allow log on through Remote Desktop Services = Administrators"
info : "This policy setting determines which users or groups have the right to log on as a Terminal Services client."
solution : "Make sure 'Allow log on through Remote Desktop Services' is set to administrators."
reference : "PCI|7.2.2,PCI|7.1.3,PCI|7.1.2,CCE|CCE-24406-1,PCI|7.2.1"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf"
value_type : USER_RIGHT
right_type : SeRemoteInteractiveLogonRight
# NOTE(review): trustee names are capitalised inconsistently across this file ("Administrators" here, "administrators" elsewhere); presumably matched case-insensitively -- confirm
value_data : "Administrators"

# 1.1.4.10 Set 'Back up files and directories' to 'Administrators' (Scored)
type : USER_RIGHTS_POLICY
description : "1.1.4.10 Back up files and directories = Administrators"
info : "This policy setting allows users to circumvent file and directory permissions to back up the system."
solution : "Make sure 'Back up files and directories' is set to administrators."
reference : "PCI|7.2.2,PCI|7.1.3,PCI|7.1.2,PCI|7.2.1,CCE|CCE-25380-7"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf"
value_type : USER_RIGHT
right_type : SeBackupPrivilege
value_data : "administrators"

# 1.1.4.11 Configure 'Bypass traverse checking' (Scored)
# (the solution/reference/value fields of this check continue below)
type : USER_RIGHTS_POLICY
description : "1.1.4.11 Bypass traverse checking = Authenticated Users, Administrators, Local Service, Network Service"
info : "This policy setting allows users who do not have the Traverse Folder access permission to pass through folders."
# Remaining fields of check 1.1.4.11 'Bypass traverse checking' (its type/description/info are above this block)
solution : "Make sure 'Bypass traverse checking' is set to authenticated users, administrators, local service, and network service."
reference : "PCI|7.2.2,PCI|7.1.3,PCI|7.1.2,CCE|CCE-25271-8,PCI|7.2.1"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf"
value_type : USER_RIGHT
right_type : SeChangeNotifyPrivilege
# NOTE(review): the enforced set below contains 'backup operators' but not 'administrators', whereas the description and solution of 1.1.4.11 name 'administrators' and not 'backup operators' -- one side is wrong; confirm the intended membership against the benchmark and align all three
value_data : "authenticated users" && "backup operators" && "local service" && "network service"

# 1.1.4.12 Set 'Change the system time' to 'LOCAL SERVICE, Administrators' (Scored)
type : USER_RIGHTS_POLICY
description : "1.1.4.12 Change the system time = LOCAL SERVICE, Administrators"
info : "This policy setting determines which users and groups can change the time and date on the internal clock of the computers in your environment."
solution : "Make sure 'Change the system time' is set to local service and administrators."
reference : "PCI|7.2.2,CCE|CCE-24185-1,PCI|7.1.3,PCI|7.1.2,PCI|7.2.1"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf"
value_type : USER_RIGHT
right_type : SeSystemTimePrivilege
value_data : "administrators" && "local service"

# 1.1.4.13 Set 'Change the time zone' to 'LOCAL SERVICE, Administrators' (Scored)
# (the reference/value fields of this check continue below)
type : USER_RIGHTS_POLICY
description : "1.1.4.13 Change the time zone = LOCAL SERVICE, Administrators"
info : "This setting determines which users can change the time zone of the computer."
solution : "Make sure 'Change the time zone' is set to local service and administrators."
# Remaining fields of check 1.1.4.13 (its type/description are above this block)
reference : "PCI|7.2.2,CCE|CCE-24632-2,PCI|7.1.3,PCI|7.1.2,PCI|7.2.1"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf"
value_type : USER_RIGHT
right_type : SeTimeZonePrivilege
value_data : "administrators" && "local service"

# 1.1.4.14 Set 'Create a pagefile' to 'Administrators' (Scored)
type : USER_RIGHTS_POLICY
description : "1.1.4.14 Create a pagefile = Administrators"
info : "This policy setting allows users to change the size of the pagefile. By making the pagefile extremely large or extremely small, an attacker could easily affect the performance of a compromised computer."
solution : "Make sure 'Create a pagefile' is set to administrators."
reference : "PCI|7.2.2,CCE|CCE-23972-3,PCI|7.1.3,PCI|7.1.2,PCI|7.2.1"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf"
value_type : USER_RIGHT
right_type : SeCreatePagefilePrivilege
value_data : "Administrators"

# 1.1.4.15 Set 'Create a token object' to 'No One' (Scored)
type : USER_RIGHTS_POLICY
description : "1.1.4.15 Create a token object = No One"
info : "This policy setting allows a process to create an access token, which may provide elevated rights to access sensitive data."
solution : "Make sure no one has the user right 'Create a token object'"
reference : "PCI|7.2.2,PCI|7.1.2,CCE|CCE-23939-2,PCI|7.2.1"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf"
value_type : USER_RIGHT
right_type : SeCreateTokenPrivilege
# empty = 'No One', as the description of 1.1.4.15 states
value_data : ""

# 1.1.4.16 Set 'Create global objects' to 'Administrators, SERVICE, LOCAL SERVICE, NETWORK SERVICE' (Scored)
# (the solution/reference/value fields of this check continue below)
type : USER_RIGHTS_POLICY
description : "1.1.4.16 Create global objects = Administrators, SERVICE, LOCAL SERVICE, NETWORK SERVICE"
info : "This policy setting determines whether users can create global objects that are available to all sessions."
# Remaining fields of check 1.1.4.16 'Create global objects' (its type/description/info are above this block)
solution : "Make sure 'Create global objects' is set to administrators, service, local service and network service."
reference : "PCI|7.2.2,PCI|7.1.3,CCE|CCE-23850-1,PCI|7.1.2,PCI|7.2.1"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf"
value_type : USER_RIGHT
right_type : SeCreateGlobalPrivilege
value_data : "administrators" && "local service" && "network service" && "service"

# 1.1.4.17 Set 'Create permanent shared objects' to 'No One' (Scored)
type : USER_RIGHTS_POLICY
description : "1.1.4.17 Create permanent shared objects = No One"
info : "This user right is useful to kernel-mode components that extend the object namespace."
solution : "Make sure 'Create permanent shared objects' is set to no one."
reference : "PCI|7.2.2,CCE|CCE-23723-0,PCI|7.1.2,PCI|7.2.1"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf"
value_type : USER_RIGHT
right_type : SeCreatePermanentPrivilege
# empty = 'No One', as the description of 1.1.4.17 states
value_data : ""

# 1.1.4.18 Set 'Create symbolic links' to 'Administrators' (Scored)
type : USER_RIGHTS_POLICY
description : "1.1.4.18 Create symbolic links = Administrators"
info : "This policy setting determines which users can create symbolic links."
solution : "Make sure 'Create symbolic links' is set to administrators."
reference : "PCI|7.2.2,PCI|7.1.3,PCI|7.1.2,PCI|7.2.1,CCE|CCE-24549-8"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf"
value_type : USER_RIGHT
right_type : SeCreateSymbolicLinkPrivilege
value_data : "administrators"

# 1.1.4.19 Set 'Debug programs' to 'Administrators' (Scored)
# (the reference/value fields of this check continue below)
type : USER_RIGHTS_POLICY
description : "1.1.4.19 Debug programs = Administrators"
info : "This policy setting determines which user accounts will have the right to attach a debugger to any process or to the kernel."
solution : "Make sure 'Debug programs' is set to administrators only."
# Remaining fields of check 1.1.4.19 (its type/description are above this block)
reference : "PCI|7.2.2,CCE|CCE-23648-9,PCI|7.1.3,PCI|7.1.2,PCI|7.2.1"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf"
value_type : USER_RIGHT
right_type : SeDebugPrivilege
value_data : "Administrators"

# 1.1.4.20 Set 'Deny access to this computer from the network' to 'Guests' (Scored)
type : USER_RIGHTS_POLICY
description : "1.1.4.20 Deny access to this computer from the network = Guests"
info : "This policy setting prohibits users from connecting to a computer from across the network."
solution : "Make sure 'Deny access to this computer from the network' is set to guests."
reference : "PCI|7.2.2,CCE|CCE-24188-5,PCI|7.1.2,PCI|7.2.1"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf"
value_type : USER_RIGHT
right_type : SeDenyNetworkLogonRight
value_data : "guests"

# 1.1.4.21 Set 'Deny log on as a batch job' to 'Guests' (Scored)
type : USER_RIGHTS_POLICY
description : "1.1.4.21 Deny log on as a batch job = Guests"
info : "This policy setting determines which accounts will not be able to log on to the computer as a batch job."
solution : "Make sure 'Deny log on as a batch job' is set to guests."
reference : "PCI|7.2.2,PCI|7.1.2,PCI|7.2.1,CCE|CCE-25215-5"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf"
value_type : USER_RIGHT
right_type : SeDenyBatchLogonRight
value_data : "guests"

# 1.1.4.22 Set 'Deny log on as a service' to 'No One' (Scored)
# (the reference/value fields of this check continue below)
type : USER_RIGHTS_POLICY
description : "1.1.4.22 Deny log on as a service = No One"
info : "This security setting determines which service accounts are prevented from registering a process as a service."
solution : "Make sure 'Deny log on as service' is set to 'no one'."
# Remaining fields of check 1.1.4.22 (its type/description are above this block)
reference : "PCI|7.2.2,PCI|7.1.2,PCI|7.2.1,CCE|CCE-23117-5"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf"
value_type : USER_RIGHT
right_type : SeDenyServiceLogonRight
# empty = 'No One', as the description of 1.1.4.22 states
value_data : ""

# 1.1.4.23 Set 'Deny log on locally' to 'Guests' (Scored)
type : USER_RIGHTS_POLICY
description : "1.1.4.23 Deny log on locally = Guests"
info : "This security setting determines which users are prevented from logging on at the computer."
solution : "Make sure 'Deny log on locally' is set to guest accounts only."
reference : "PCI|7.2.2,CCE|CCE-24460-8,PCI|7.1.2,PCI|7.2.1"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf"
value_type : USER_RIGHT
right_type : SeDenyInteractiveLogonRight
value_data : "Guests"

# 1.1.4.24 Configure 'Enable computer and user accounts to be trusted for delegation' (Scored)
type : USER_RIGHTS_POLICY
# NOTE(review): the description and solution below say 'Administrators', but the enforced value_data is empty (no one) -- one side is wrong; confirm which profile this audit targets and align them
description : "1.1.4.24 Enable computer and user accounts to be trusted for delegation = Administrators"
info : "This policy setting allows users to change the Trusted for Delegation setting on a computer object in Active Directory."
solution : "Make sure 'Enable computer and user accounts to be trusted for delegation' is set to administrators."
reference : "PCI|7.2.2,CCE|CCE-25270-0,PCI|7.1.3,PCI|7.1.2,PCI|7.2.1"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf"
value_type : USER_RIGHT
right_type : SeEnableDelegationPrivilege
value_data : ""

# 1.1.4.25 Set 'Force shutdown from a remote system' to 'Administrators' (Scored)
# (the reference/value fields of this check continue below)
type : USER_RIGHTS_POLICY
description : "1.1.4.25 Force shutdown from a remote system = Administrators"
info : "This policy setting allows users to shut down Windows Vista-based computers from remote locations on the network."
solution : "Make sure 'Force shutdown from a remote system' is set to administrators."
# Remaining fields of check 1.1.4.25 (its type/description are above this block)
reference : "PCI|7.2.2,PCI|7.1.3,PCI|7.1.2,CCE|CCE-24734-6,PCI|7.2.1"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf"
value_type : USER_RIGHT
right_type : SeRemoteShutdownPrivilege
value_data : "Administrators"

# 1.1.4.26 Set 'Generate security audits' to 'Local Service, Network Service' (Scored)
type : USER_RIGHTS_POLICY
description : "1.1.4.26 Generate security audits = Local Service, Network Service"
info : "This policy setting determines which users or processes can generate audit records in the Security log."
solution : "Make sure 'Generate security audits' is set to Local Service and Network Service."
reference : "PCI|7.2.2,CCE|CCE-24048-1,PCI|7.1.2,PCI|7.2.1"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf"
value_type : USER_RIGHT
right_type : SeAuditPrivilege
value_data : "local service" && "network service"

# 1.1.4.27 Set 'Impersonate a client after authentication' to 'Administrators, SERVICE, Local Service, Network Service' (Scored)
# (the reference/value fields of this check continue below)
type : USER_RIGHTS_POLICY
description : "1.1.4.27 Impersonate a client after authentication = Administrators, SERVICE, Local Service, Network Service"
info : "The policy setting allows programs that run on behalf of a user to impersonate that user so that they can act on behalf of the user."
solution : "Make sure 'Impersonate a client after authentication' is set to Administrators, SERVICE, Local Service and Network Service."
# Remaining fields of check 1.1.4.27 (its type/description are above this block)
reference : "PCI|7.2.2,PCI|7.1.3,PCI|7.1.2,CCE|CCE-24477-2,PCI|7.2.1"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf"
value_type : USER_RIGHT
right_type : SeImpersonatePrivilege
value_data : "administrators" && "local service" && "Service" && "Network Service"

# 1.1.4.28 Set 'Increase a process working set' to 'Administrators, Local Service' (Scored)
type : USER_RIGHTS_POLICY
description : "1.1.4.28 Increase a process working set = Administrators, Local Service"
info : "This privilege determines which user accounts can increase or decrease the size of a process's working set."
solution : "Make sure 'Increase a process working set' is set to Administrators and Local Service."
reference : "PCI|7.2.2,CCE|CCE-24162-0,PCI|7.1.3,PCI|7.1.2,PCI|7.2.1"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf"
value_type : USER_RIGHT
right_type : SeIncreaseWorkingSetPrivilege
value_data : "Administrators" && "Local Service"

# 1.1.4.29 Set 'Increase scheduling priority' to 'Administrators' (Scored)
type : USER_RIGHTS_POLICY
description : "1.1.4.29 Increase scheduling priority = Administrators"
info : "This policy setting determines whether users can increase the base priority class of a process."
solution : "Make sure 'Increase scheduling priority' is set to Administrators."
reference : "PCI|7.2.2,CCE|CCE-24911-0,PCI|7.1.3,PCI|7.1.2,PCI|7.2.1"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf"
value_type : USER_RIGHT
right_type : SeIncreaseBasePriorityPrivilege
value_data : "Administrators"

# 1.1.4.30 Set 'Load and unload device drivers' to 'Administrators' (Scored)
# (the solution/reference/value fields of this check continue below)
type : USER_RIGHTS_POLICY
description : "1.1.4.30 Load and unload device drivers = Administrators"
info : "This policy setting allows users to dynamically load a new device driver on a system."
# Remaining fields of check 1.1.4.30 'Load and unload device drivers' (its type/description/info are above this block)
solution : "Make sure 'Load and unload device drivers' is set to Administrators."
reference : "PCI|7.2.2,CCE|CCE-24779-1,PCI|7.1.3,PCI|7.1.2,PCI|7.2.1"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf"
value_type : USER_RIGHT
right_type : SeLoadDriverPrivilege
value_data : "Administrators"

# 1.1.4.31 Set 'Lock pages in memory' to 'No One' (Scored)
type : USER_RIGHTS_POLICY
description : "1.1.4.31 Lock pages in memory = No One"
info : "This policy setting allows a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk."
solution : "Make sure 'Lock pages in memory' is set to 'no one'."
reference : "PCI|7.2.2,CCE|CCE-23829-5,PCI|7.1.2,PCI|7.2.1"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf"
value_type : USER_RIGHT
right_type : SeLockMemoryPrivilege
# empty = 'No One', as the description of 1.1.4.31 states
value_data : ""

# 1.1.4.32 Set 'Log on as a batch job' to 'Administrators' (Scored)
# Level 1 - Domain Controller Only
# (intentionally not implemented in this audit)

# 1.1.4.33 Set 'Manage auditing and security log' to 'Administrators' (Scored)
# (the reference/value fields of this check continue below)
type : USER_RIGHTS_POLICY
description : "1.1.4.33 Manage auditing and security log = Administrators"
info : "This policy setting determines which users can change the auditing options for files and directories and clear the Security log."
solution : "Make sure 'Manage auditing and security log' is set to Administrators."
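# Remaining fields of check 1.1.4.33 (its type/description are above this block)
reference : "PCI|7.2.2,CCE|CCE-23456-7,PCI|7.1.3,PCI|7.1.2,PCI|7.2.1"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf"
value_type : USER_RIGHT
right_type : SeSecurityPrivilege
value_data : "Administrators"

# 1.1.4.34 Set 'Modify an object label' to 'No One' (Scored)
type : USER_RIGHTS_POLICY
description : "1.1.4.34 Modify an object label = No One"
info : "This privilege determines which user accounts can modify the integrity label of objects, such as files, registry keys, or processes owned by other users."
solution : "Make sure 'Modify an object label' is set to no one."
reference : "PCI|7.2.2,PCI|7.1.2,CCE|CCE-24682-7,PCI|7.2.1"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf"
value_type : USER_RIGHT
right_type : SeReLabelPrivilege
# empty = 'No One', as the description of 1.1.4.34 states
value_data : ""

# 1.1.4.35 Set 'Modify firmware environment values' to 'Administrators' (Scored)
type : USER_RIGHTS_POLICY
# description reworded to the "<id> <setting> = <value>" form used by every other check in this section
description : "1.1.4.35 Modify firmware environment values = Administrators"
info : "This policy setting allows users to configure the system-wide environment variables that affect hardware configuration."
solution : "Make sure 'Modify firmware environment values' is set to Administrators."
reference : "PCI|7.2.2,CCE|CCE-25533-1,PCI|7.1.3,PCI|7.1.2,PCI|7.2.1"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf"
value_type : USER_RIGHT
right_type : SeSystemEnvironmentPrivilege
value_data : "administrators"

# 1.1.4.36 Set 'Perform volume maintenance tasks' to 'Administrators' (Scored)
type : USER_RIGHTS_POLICY
# description previously repeated the 1.1.4.35 title ("Modify firmware environment values") by copy-paste;
# the header, solution and right_type (SeManageVolumePrivilege, below) all refer to 'Perform volume maintenance tasks',
# so the report label now matches the setting actually checked
description : "1.1.4.36 Perform volume maintenance tasks = Administrators"
info : "This policy setting allows users to manage the system's volume or disk configuration, which could allow a user to delete a volume."
solution : "Make sure 'Perform volume maintenance tasks' is set to Administrators."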
# Remaining fields of check 1.1.4.36 'Perform volume maintenance tasks' (its type/description are above this block)
reference : "PCI|7.2.2,PCI|7.1.3,CCE|CCE-25070-4,PCI|7.1.2,PCI|7.2.1"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf"
value_type : USER_RIGHT
right_type : SeManageVolumePrivilege
value_data : "administrators"

# 1.1.4.37 Set 'Profile single process' to 'Administrators' (Scored)
type : USER_RIGHTS_POLICY
description : "1.1.4.37 Profile single process = Administrators"
info : "This policy setting determines which users can use tools to monitor the performance of non-system processes."
solution : "Make sure 'Profile single process' is set to Administrators."
reference : "PCI|7.2.2,CCE|CCE-23844-4,PCI|7.1.3,PCI|7.1.2,PCI|7.2.1"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf"
value_type : USER_RIGHT
right_type : SeProfileSingleProcessPrivilege
value_data : "administrators"

# 1.1.4.38 Set 'Profile system performance' to 'Administrators,NT SERVICE\WdiServiceHost' (Scored)
type : USER_RIGHTS_POLICY
description : "1.1.4.38 Profile system performance = Administrators,NT SERVICE\WdiServiceHost"
info : "This policy setting allows users to use tools to view the performance of different system processes."
solution : "Make sure 'Profile system performance' is set to Administrators and NT SERVICE\WdiServiceHost."
reference : "PCI|7.2.2,CCE|CCE-23802-2,PCI|7.1.3,PCI|7.1.2,PCI|7.2.1"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf"
value_type : USER_RIGHT
right_type : SeSystemProfilePrivilege
# NOTE(review): relies on the scanner matching the bare name 'wdiservicehost' to the 'NT SERVICE\WdiServiceHost' principal named in the description -- confirm
value_data : "wdiservicehost" && "administrators"

# 1.1.4.39 Set 'Remove computer from docking station' to 'Administrators' (Scored)
# (the solution/reference/value fields of this check continue below)
type : USER_RIGHTS_POLICY
description : "1.1.4.39 Remove computer from docking station = Administrators"
info : "This policy setting allows the user of a portable computer to click Eject PC on the Start menu to undock the computer."
# Remaining fields of check 1.1.4.39 'Remove computer from docking station' (its type/description/info are above this block)
solution : "Make sure 'Remove computer from docking station' is set to Administrators."
reference : "PCI|7.2.2,CCE|CCE-24550-6,PCI|7.1.3,PCI|7.1.2,PCI|7.2.1"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf"
value_type : USER_RIGHT
right_type : SeUndockPrivilege
value_data : "administrators"

# 1.1.4.40 Set 'Replace a process level token' to 'Local Service, Network Service' (Scored)
type : USER_RIGHTS_POLICY
description : "1.1.4.40 Replace a process level token = Local Service, Network Service"
info : "This policy setting allows one process or service to start another service or process with a different security access token."
solution : "Make sure 'Replace a process level token' is set to Local Service and Network Service."
reference : "PCI|7.2.2,CCE|CCE-24555-5,PCI|7.1.2,PCI|7.2.1"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf"
value_type : USER_RIGHT
right_type : SeAssignPrimaryTokenPrivilege
value_data : "Local Service" && "Network Service"

# 1.1.4.41 Set 'Restore files and directories' to 'Administrators' (Scored)
# (the reference/value fields of this check continue below)
type : USER_RIGHTS_POLICY
description : "1.1.4.41 Restore files and directories = Administrators"
info : "This policy setting determines which users can bypass file, directory, registry, and other persistent object permissions."
solution : "Make sure 'Restore files and directories' is set to Administrators."
# Remaining fields of check 1.1.4.41 (its type/description are above this block)
reference : "PCI|7.2.2,CCE|CCE-25518-2,PCI|7.1.3,PCI|7.1.2,PCI|7.2.1"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf"
value_type : USER_RIGHT
right_type : SeRestorePrivilege
value_data : "administrators"

# 1.1.4.42 Set 'Shut down the system' to 'Administrators' (Scored)
type : USER_RIGHTS_POLICY
description : "1.1.4.42 Shut down the system = Administrators"
info : "This policy setting determines which users can shut down the operating system with the Shut Down command."
solution : "Make sure 'Shut down the system' is set to Administrators."
reference : "PCI|7.2.2,CCE|CCE-23500-2,PCI|7.1.3,PCI|7.1.2,PCI|7.2.1"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf"
value_type : USER_RIGHT
right_type : SeShutdownPrivilege
value_data : "administrators"

# 1.1.4.43 Set 'Synchronize directory service data' to 'No One' (Scored)
# Level 1 - Domain Controller Only
# (intentionally not implemented in this audit)

# 1.1.4.44 Set 'Take ownership of files or other objects' to 'Administrators' (Scored)
# (the reference/value fields of this check continue below)
type : USER_RIGHTS_POLICY
description : "1.1.4.44 Take ownership of files or other objects = Administrators"
info : "This policy setting allows users to take ownership of files, folders, registry keys, processes, or threads."
solution : "Make sure 'Take ownership of files or other objects' is set to Administrators."
# Remaining fields of check 1.1.4.44 (its type/description are above this block)
reference : "PCI|7.2.2,CCE|CCE-25585-1,PCI|7.1.3,PCI|7.1.2,PCI|7.2.1"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf"
value_type : USER_RIGHT
right_type : SeTakeOwnershipPrivilege
value_data : "administrators"

## 1.1.5 Windows Firewall With Advanced Security
## 1.1.5.1 Public Profile
# The checks in this section read the policy-managed firewall values under the PublicProfile key.
# 1.1.5.1.1 Set 'Inbound connections' to 'Enabled:Block (default)' (Scored)
type : REGISTRY_SETTING
description : "1.1.5.1.1 Public Profile: Inbound connections = Block"
info : "This setting determines the behavior for inbound connections that do not match an inbound firewall rule."
solution : "Make sure 'Inbound connections' is set to the default Enabled:Block."
reference : "CCE|CCE-24839-3,PCI|1.2.1"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\Software\Policies\Microsoft\WindowsFirewall\PublicProfile\"
reg_item : "DefaultInboundAction"
# 1 corresponds to 'Block' in the description above
value_data : 1

# 1.1.5.1.2 Set 'Windows Firewall: Public: Allow unicast response' to 'No' (Scored)
# (the reference/value fields of this check continue below)
type : REGISTRY_SETTING
description : "1.1.5.1.2 Windows Firewall:Public: Allow unicast response = No"
info : "This option controls whether this computer receives unicast responses to its outgoing multicast or broadcast messages."
solution : "Make sure 'Windows Firewall: Public: Allow unicast response' is set to no."
reference : "CCE|CCE-25111-6,PCI|1.2.1" see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf" value_type : POLICY_DWORD reg_key : "HKLM\Software\Policies\Microsoft\WindowsFirewall\PublicProfile\" reg_item : "DisableUnicastResponsesToMulticastBroadcast" value_data : 1 # 1.1.5.1.3 Set 'Windows Firewall: Public: Apply local connection security rules' to 'Yes' (Scored) type : REGISTRY_SETTING description : "1.1.5.1.3 Windows Firewall:Public: Apply local connection security rules = Yes" info : "This setting controls whether local administrators are allowed to create connection security rules. These created connection security rules must apply with connection security rules configured by Group policy." solution : "Make sure 'Windows Firewall: Public: Apply local connection security rules' is set to yes." reference : "CCE|CCE-22773-6,PCI|1.2.1" see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf" value_type : POLICY_DWORD reg_key : "HKLM\Software\Policies\Microsoft\WindowsFirewall\PublicProfile\" reg_item : "AllowLocalIPsecPolicyMerge" value_data : 1 # 1.1.5.1.4 Set 'Windows Firewall: Public: Apply local firewall rules' to 'Yes (default)' (Scored) type : REGISTRY_SETTING description : "1.1.5.1.4 Windows Firewall:Public: Apply local firewall rules = Yes" info : "This setting controls whether local administrators are allowed to create local firewall rules that apply together with firewall rules configured by Group Policy." solution : "Make sure 'Windows Firewall: Public: Apply local firewall rules' is set to yes." 
reference : "CCE|CCE-24810-4,PCI|1.2.1" see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf" value_type : POLICY_DWORD reg_key : "HKLM\Software\Policies\Microsoft\WindowsFirewall\PublicProfile\" reg_item : "AllowLocalPolicyMerge" value_data : 1 # 1.1.5.1.5 Set 'Windows Firewall: Public: Display a notification' to 'Yes' (Scored) type : REGISTRY_SETTING description : "1.1.5.1.5 Windows Firewall:Public: Display a notification = Yes" info : "This setting allows Windows Firewall with Advanced Security to display notifications to the user when a program is blocked." solution : "Make sure 'Windows Firewall: Public: Display a notification' is set to yes." reference : "CCE|CCE-23900-4,PCI|1.2.1" see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf" value_type : POLICY_DWORD reg_key : "HKLM\Software\Policies\Microsoft\WindowsFirewall\PublicProfile\" reg_item : "DisableNotifications" value_data : 0 # 1.1.5.1.6 Set 'Windows Firewall: Public: Firewall state' to 'On (recommended)' (Scored) type : REGISTRY_SETTING description : "1.1.5.1.6 Windows Firewall:Public: Firewall state = On" info : "Select On to have Windows Firewall with Advanced Security use the settings for this profile to filter network traffic." solution : "Make sure 'Windows Firewall: Public: Firewall state' is turned on." 
reference : "PCI|1.2.1,CCE|CCE-23894-9" see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf" value_type : POLICY_DWORD reg_key : "HKLM\Software\Policies\Microsoft\WindowsFirewall\PublicProfile\" reg_item : "EnableFirewall" value_data : 1 # 1.1.5.1.7 Set 'Windows Firewall: Public: Outbound connections' to 'Allow (default)' (Scored) type : REGISTRY_SETTING description : "1.1.5.1.7 Windows Firewall:Public: Outbound connections = Allow" info : "This setting determines the behavior for outbound connections that do not match an outbound firewall rule." solution : "Make sure 'Windows Firewall: Public: Outbound connections' is set to the default setting allow." reference : "PCI|1.2.1,CCE|CCE-23892-3" see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf" value_type : POLICY_DWORD reg_key : "HKLM\Software\Policies\Microsoft\WindowsFirewall\PublicProfile\" reg_item : "DefaultOutboundAction" value_data : 0 ## 1.1.5.2 Private Profile # 1.1.5.2.1 Set 'Inbound connections' to 'Enabled:Block (default)' (Scored) type : REGISTRY_SETTING description : "1.1.5.2.1 Private Profile: Inbound connections = Block" info : "This setting determines the behavior for inbound connections that do not match an inbound firewall rule." solution : "Make sure 'Inbound connections' is set to the default value of Enabled:Block." 
reference : "CCE|CCE-23486-4,PCI|1.2.1" see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf" value_type : POLICY_DWORD reg_key : "HKLM\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile\" reg_item : "DefaultInboundAction" value_data : 1 # 1.1.5.2.2 Set 'Windows Firewall: Private: Allow unicast response' to 'No' (Scored) type : REGISTRY_SETTING description : "1.1.5.2.2 Windows Firewall:Private: Allow unicast response = No" info : "This setting controls whether this computer receives unicast responses to its outgoing multicast or broadcast messages." solution : "Make sure 'Windows Firewall: Private: Allow unicast response' is set to no." reference : "PCI|1.2.1,CCE|CCE-24624-9" see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf" value_type : POLICY_DWORD reg_key : "HKLM\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile\" reg_item : "DisableUnicastResponsesToMulticastBroadcast" value_data : 1 # 1.1.5.2.3 Set 'Windows Firewall: Private: Apply local connection security rules' to 'Yes (default)' (Scored) type : REGISTRY_SETTING description : "1.1.5.2.3 Windows Firewall:Private: Apply local connection security rules = Yes" info : "This setting controls whether local administrators are allowed to create connection security rules that apply together with connection security rules configured by Group Policy." solution : "Make sure 'Windows Firewall: Private: Apply local connection security rules' is set to yes." 
reference : "CCE|CCE-24738-7,PCI|1.2.1" see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf" value_type : POLICY_DWORD reg_key : "HKLM\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile\" reg_item : "AllowLocalIPsecPolicyMerge" value_data : 1 # 1.1.5.2.4 Set 'Windows Firewall: Private: Apply local firewall rules' to 'Yes (default)' (Scored) type : REGISTRY_SETTING description : "1.1.5.2.4 Windows Firewall:Private: Apply local firewall rules = Yes" info : "This setting controls whether local administrators are allowed to create local firewall rules that apply together with firewall rules configured by Group Policy." solution : "Make sure 'Windows Firewall: Private: Apply local firewall rules' is set to yes (default setting)." reference : "CCE|CCE-24663-7,PCI|1.2.1" see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf" value_type : POLICY_DWORD reg_key : "HKLM\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile\" reg_item : "AllowLocalPolicyMerge" value_data : 1 # 1.1.5.2.5 Set 'Windows Firewall: Private: Display a notification' to 'Yes (default)' (Scored) type : REGISTRY_SETTING description : "1.1.5.2.5 Windows Firewall:Private: Display a notification = Yes" info : "This setting allows Windows Firewall with Advanced Security to display notifications to the user when a program is blocked." solution : "Make sure 'Windows Firewall: Private: Display a notification' is set to yes." 
reference : "PCI|1.2.1,CCE|CCE-24907-8" see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf" value_type : POLICY_DWORD reg_key : "HKLM\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile\" reg_item : "DisableNotifications" value_data : 0 # 1.1.5.2.6 Set 'Windows Firewall: Private: Firewall state' to 'On (recommended)' (Scored) type : REGISTRY_SETTING description : "1.1.5.2.6 Windows Firewall:Private: Firewall state = On" info : "Select On to have Windows Firewall with Advanced Security use the settings for this profile to filter network traffic." solution : "Make sure 'Windows Firewall: Private: Firewall state' is set to on." reference : "PCI|1.2.1,CCE|CCE-23615-8" see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf" value_type : POLICY_DWORD reg_key : "HKLM\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile\" reg_item : "EnableFirewall" value_data : 1 # 1.1.5.2.7 Set 'Windows Firewall: Private: Outbound connections' to 'Allow (default)' (Scored) type : REGISTRY_SETTING description : "1.1.5.2.7 Windows Firewall:Private: Outbound connections = Allow" info : "This setting determines the behavior for outbound connections that do not match an outbound firewall rule." solution : "Make sure 'Windows Firewall: Private: Outbound connections' is set to the default setting Allow." 
reference : "CCE|CCE-25607-3,PCI|1.2.1" see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf" value_type : POLICY_DWORD reg_key : "HKLM\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile\" reg_item : "DefaultOutboundAction" value_data : 0 ## 1.1.5.3 Domain Profile # 1.1.5.3.1 Set 'Inbound connections' to 'Enabled:Block (default)' (Scored) type : REGISTRY_SETTING description : "1.1.5.3.1 Domain Profile: Inbound connections = Block" info : "This setting determines the behavior for inbound connections that do not match an inbound firewall rule." solution : "Make sure 'Inbound connections' is set to the default setting Enabled:Block." reference : "CCE|CCE-24808-8,PCI|1.2.1" see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf" value_type : POLICY_DWORD reg_key : "HKLM\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\" reg_item : "DefaultInboundAction" value_data : 1 # 1.1.5.3.2 Set 'Windows Firewall: Domain: Allow unicast response' to 'No' (Scored) type : REGISTRY_SETTING description : "1.1.5.3.2 Windows Firewall:Domain: Allow unicast response = No" info : "This setting controls whether this computer receives unicast responses to its outgoing multicast or broadcast messages." solution : "Make sure 'Windows Firewall: Domain: Allow unicast response' is set to no." 
reference : "CCE|CCE-25359-1,PCI|1.2.1" see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf" value_type : POLICY_DWORD reg_key : "HKLM\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\" reg_item : "DisableUnicastResponsesToMulticastBroadcast" value_data : 1 # 1.1.5.3.3 Set 'Windows Firewall: Domain: Apply local connection security rules' to 'Yes (default)' (Scored) type : REGISTRY_SETTING description : "1.1.5.3.3 Windows Firewall:Domain: Apply local connection security rules = Yes" info : "This setting controls whether local administrators are allowed to create connection security rules that apply together with connection security rules configured by Group Policy." solution : "Make sure 'Windows Firewall: Domain: Apply local connection security rules' is set to the default value of yes." reference : "CCE|CCE-25534-9,PCI|1.2.1" see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf" value_type : POLICY_DWORD reg_key : "HKLM\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\" reg_item : "AllowLocalIPsecPolicyMerge" value_data : 1 # 1.1.5.3.4 Set 'Windows Firewall: Domain: Apply local firewall rules' to 'Yes (default)' (Scored) type : REGISTRY_SETTING description : "1.1.5.3.4 Windows Firewall:Domain: Apply local firewall rules = Yes" info : "This setting controls whether local administrators are allowed to create local firewall rules. These created rules must apply together with firewall rules configured by Group Policy." solution : "Make sure 'Windows Firewall: Domain: Apply local firewall rules' is set to the default value of yes." 
reference : "CCE|CCE-24639-7,PCI|1.2.1" see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf" value_type : POLICY_DWORD reg_key : "HKLM\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\" reg_item : "AllowLocalPolicyMerge" value_data : 1 # 1.1.5.3.5 Set 'Windows Firewall: Domain: Display a notification' to 'Yes (default)' (Scored) type : REGISTRY_SETTING description : "1.1.5.3.5 Windows Firewall:Domain: Display a notification = Yes" info : "This setting allows Windows Firewall with Advanced Security to display notifications to the user when a program is blocked." solution : "Make sure 'Windows Firewall: Domain: Display a notification' is set to the default value yes." reference : "CCE|CCE-25213-0,PCI|1.2.1" see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf" value_type : POLICY_DWORD reg_key : "HKLM\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\" reg_item : "DisableNotifications" value_data : 0 # 1.1.5.3.6 Set 'Windows Firewall: Domain: Firewall state' to 'On (recommended)' (Scored) type : REGISTRY_SETTING description : "1.1.5.3.6 Windows Firewall:Domain: Firewall state = On" info : "Select On to have Windows Firewall with Advanced Security use the settings for this profile to filter network traffic." solution : "Make sure 'Windows Firewall: Domain: Firewall state' is set to On." 
reference : "CCE|CCE-25350-0,PCI|1.2.1" see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf" value_type : POLICY_DWORD reg_key : "HKLM\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\" reg_item : "EnableFirewall" value_data : 1 # 1.1.5.3.7 Set 'Windows Firewall: Domain: Outbound connections' to 'Allow (default)' (Scored) type : REGISTRY_SETTING description : "1.1.5.3.7 Windows Firewall:Domain: Outbound connections = Allow" info : "This setting determines the behavior for outbound connections that do not match an outbound firewall rule." solution : "Make sure 'Windows Firewall: Domain: Outbound connections' is set to the default value of allow." reference : "PCI|1.2.1,CCE|CCE-24936-7" see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf" value_type : POLICY_DWORD reg_key : "HKLM\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\" reg_item : "DefaultOutboundAction" value_data : 0 ## 1.2 Administrative Templates ## 1.2.1 Windows Components ## 1.2.1.1 AutoPlay Policies # 1.2.1.1.1 Set 'Turn off Autoplay on:' to 'Enabled:All drives' (Scored) type : REGISTRY_SETTING description : "1.2.1.1.1 Turn off Autoplay on = Enabled:All drives" info : "Enable the Turn off Autoplay setting to disable the Autoplay feature." solution : "Make sure 'Turn off Autoplay on:' is set to the value 255 which means it is Enabled:All drives." 
reference : "CCE|CCE-23878-2,PCI|2.2.3"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\"
reg_item : "NoDriveTypeAutoRun"
value_data : 255

## 1.2.1.2 Event Log

# 1.2.1.2.1 Set 'Security: Maximum Log Size (KB)' to 'Enabled:196608 or greater' (Scored)
# The benchmark sets a floor, not an exact size. Without a check_type the audit does an
# equality match and fails any host whose log is configured larger than the minimum,
# so the three MaxSize checks below use CHECK_GREATER_THAN_OR_EQUAL.

type : REGISTRY_SETTING
description : "1.2.1.2.1 Security: Maximum Log Size (KB) >= 196608"
info : "This policy setting specifies the maximum size of the log file in kilobytes. An undersized Security log wraps quickly and discards the logon, privilege-use and object-access events an investigation depends on."
solution : "Make sure 'Security: Maximum Log Size (KB)' is Enabled and is set to a minimum size of 196,608 (KB)."
reference : "CCE|CCE-24572-0,PCI|10.7"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\Software\Policies\Microsoft\Windows\EventLog\Security\"
reg_item : "MaxSize"
value_data : 196608
check_type : CHECK_GREATER_THAN_OR_EQUAL

# 1.2.1.2.2 Set 'System: Maximum Log Size (KB)' to 'Enabled:32768 or greater' (Scored)

type : REGISTRY_SETTING
description : "1.2.1.2.2 System: Maximum Log Size (KB) >= 32768"
info : "This policy setting specifies the maximum size of the log file in kilobytes."
solution : "Make sure 'System: Maximum Log Size (KB)' is Enabled and is set to a minimum of 32,768 (KB)."
reference : "PCI|10.7,CCE|CCE-24411-1"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\Software\Policies\Microsoft\Windows\EventLog\System\"
reg_item : "MaxSize"
value_data : 32768
check_type : CHECK_GREATER_THAN_OR_EQUAL

# 1.2.1.2.3 Set 'Application: Maximum Log Size (KB)' to 'Enabled:32768 or greater' (Scored)

type : REGISTRY_SETTING
description : "1.2.1.2.3 Application: Maximum Log Size (KB) >= 32768"
info : "This policy setting specifies the maximum size of the log file in kilobytes."
solution : "Make sure 'Application: Maximum Log Size (KB)' is Enabled and is set to a minimum of 32,768 (KB)."
reference : "PCI|10.7,CCE|CCE-24277-6"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\Software\Policies\Microsoft\Windows\EventLog\Application\"
reg_item : "MaxSize"
value_data : 32768
# The benchmark sets a floor ("32768 or greater"); an equality match would fail hosts with a larger log.
check_type : CHECK_GREATER_THAN_OR_EQUAL

# 1.2.1.2.4 Set 'Security: Control Event Log behavior when the log file reaches its maximum size' to 'Disabled' (Scored)
# Disabled (Retention = 0) means new events overwrite the oldest ones. If this policy is Enabled,
# logging stops once the log is full and everything after that point is lost - an attacker who
# can fill the log can blind detection. A missing value (policy Not Configured) fails this check
# unless reg_option : CAN_BE_NULL is added.
# NOTE(review): Group Policy appears to write Retention as a REG_SZ ("0"), which would call for
# value_type : POLICY_TEXT rather than POLICY_DWORD - confirm against a host with the policy applied.

type : REGISTRY_SETTING
description : "1.2.1.2.4 Security: Control Event Log behavior when the log file reaches its maximum size = Disabled"
info : "This policy setting controls Event Log behavior when the log file reaches its maximum size. When it is Disabled, new events overwrite the oldest entries; when it is Enabled, new events are not written once the log is full and are lost."
solution : "Make sure 'Security: Control Event Log behavior when the log file reaches its maximum size' is Disabled so new events overwrite old events when the file is full."
reference : "PCI|10.7,CCE|CCE-24583-7"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\Software\Policies\Microsoft\Windows\EventLog\Security\"
reg_item : "Retention"
value_data : "0"

# 1.2.1.2.5 Set 'System: Control Event Log behavior when the log file reaches its maximum size' to 'Disabled' (Scored)

type : REGISTRY_SETTING
description : "1.2.1.2.5 System: Control Event Log behavior when the log file reaches its maximum size = Disabled"
info : "This policy setting controls Event Log behavior when the log file reaches its maximum size. When it is Disabled, new events overwrite the oldest entries; when it is Enabled, new events are not written once the log is full and are lost."
solution : "Make sure 'System: Control Event Log behavior when the log file reaches its maximum size' is Disabled so new events overwrite old events when the file is full."
reference : "PCI|10.7,CCE|CCE-23782-6"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\Software\Policies\Microsoft\Windows\EventLog\System\"
reg_item : "Retention"
value_data : "0"

# 1.2.1.2.6 Set 'Application: Control Event Log behavior when the log file reaches its maximum size' to 'Disabled' (Scored)

type : REGISTRY_SETTING
description : "1.2.1.2.6 Application: Control Event Log behavior when the log file reaches its maximum size = Disabled"
info : "This policy setting controls Event Log behavior when the log file reaches its maximum size. When it is Disabled, new events overwrite the oldest entries; when it is Enabled, new events are not written once the log is full and are lost."
solution : "Make sure 'Application: Control Event Log behavior when the log file reaches its maximum size' is set to Disabled so new events overwrite old events when the file is full."
reference : "CCE|CCE-23646-3,PCI|10.7"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\Software\Policies\Microsoft\Windows\EventLog\Application\"
reg_item : "Retention"
value_data : "0"

## 1.2.1.4 Windows Installer

# 1.2.1.4.1 Set 'Always install with elevated privileges' to 'Disabled' (Scored)
# The elevation only takes effect when BOTH the machine-side (HKLM) and user-side (HKCU) policy
# values are 1, so a machine-side value of 0 is enough to neutralise it; this check only covers
# the HKLM value. A missing value (policy Not Configured) fails this check unless
# reg_option : CAN_BE_NULL is added.

type : REGISTRY_SETTING
description : "1.2.1.4.1 Windows Installer: Always install with elevated privileges = Disabled"
info : "When this setting is Enabled, Windows Installer runs every installation with SYSTEM privileges, so any user who can launch an .msi package can execute arbitrary code as SYSTEM - a well-known local privilege escalation path. Set it to Disabled so installations run with the privileges of the user performing them."
solution : "Make sure 'Always install with elevated privileges' is set to Disabled."
reference : "CCE|CCE-23919-4,PCI|2.2.3"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_Benchmark_v1.0.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\Software\Policies\Microsoft\Windows\Installer\"
reg_item : "AlwaysInstallElevated"
value_data : 0

description : "Windows Server 2012 is not installed"
info : "Windows Server 2012 is not installed or Remote Registry Service is disabled."