# (C) 2014 Tenable Network Security, Inc.
#
# This script is released under the Tenable Subscription License and
# may not be used from within scripts released under another license
# without authorization from Tenable Network Security, Inc.
#
# See the following licenses for details:
#
# http://static.tenable.com/prod_docs/Nessus_5_SLA_and_Subscription_Agreement.pdf
# http://static.tenable.com/prod_docs/Subscription_Agreement.pdf
#
# @PROFESSIONALFEED@
# $Revision: 1.16 $
# $Date: 2014/08/14 15:31:12 $
#
# Description:
#
# This document consists of a list of Microsoft Windows 8 security settings (Level 1) as suggested by
# the CIS Microsoft Windows 8 Benchmark v1.0.0.
#
# Tenable has made a best effort to map the settings specified in the standard to a proprietary
# .audit format that will be used by the Windows compliance module to perform the audit.
#
# See Also:
# https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf
#
# NOTE: Some queries in this .audit require site-specific data to be known to the query in order to function properly.
# Please note the following queries and edit their values accordingly.
#
#
#Safeguards Windows 8 Audit File v1.3 11-31-2016
#
description : "CIS_MS_Windows_8_Level_1_v1.0.0.audit for MS Microsoft Windows 8, from CIS Microsoft Windows 8 Benchmark v1.0.0"
## 1 Computer Configuration
## 1.1 Security Settings
## 1.1.1 Account Policies
type : LOCKOUT_POLICY
description : "1.1.1.1 Set 'Account lockout threshold' to '3 invalid logon attempt(s)'"
info : "This policy setting determines the number of failed logon attempts before a lock occurs."
reference : "PCI|8.5.13,CCE|CCE-21671-3,Level|1S,800-53|AC-1"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
solution : "Make sure 'Account lockout threshold' is set to 3 invalid attempts."
value_type : POLICY_DWORD
lockout_policy : LOCKOUT_THRESHOLD
value_data : [1..3]
type : LOCKOUT_POLICY
description : "1.1.1.2 Set 'Account lockout duration' to '120 minutes'"
info : "This policy setting determines the length of time that must pass before a locked account is unlocked and a"
info : "user can try to log on again."
reference : "PCI|8.5.14,CCE|CCE-22402-2,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
solution : "Make sure 'Account lockout duration' is set to a minimum of 120 minutes."
value_type : TIME_MINUTE
lockout_policy : LOCKOUT_DURATION
value_data : [120..MAX]
type : LOCKOUT_POLICY
description : "1.1.1.3 Set 'Reset account lockout counter after' to '120 minute(s)'"
info : "This policy setting determines the length of time before the Account lockout threshold resets to zero."
reference : "PCI|8.5,CCE|CCE-22541-7,Level|1S,800-53|AC-7"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
solution : "Make sure 'Reset account lockout counter after' is set to 120 minutes."
value_type : TIME_MINUTE
lockout_policy : LOCKOUT_RESET
value_data : [120..MAX]
type : PASSWORD_POLICY
description : "1.1.1.4 Set 'Minimum password length' to '8 or more character(s)'"
info : "This policy setting determines the least number of characters that make up a password for a user account."
reference : "800-53|IA-5,PCI|8.5.10,CCE|CCE-22921-1,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
solution : "Make sure 'Minimum password length' is set to a minimum of 8 characters."
value_type : POLICY_DWORD
password_policy : MINIMUM_PASSWORD_LENGTH
value_data : [8..MAX]
type : PASSWORD_POLICY
description : "1.1.1.5 Set 'Enforce password history' to '24 or more'"
info : "This policy setting determines the number of renewed, unique passwords that have to be associated with a user"
info : "account before you can reuse an old password."
reference : "PCI|8.5.12,CCE|CCE-22909-6,Level|1S,800-53|IA-5,800-53|CM-6"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
solution : "Make sure 'Enforce password history' is set to a minimum of 24 passwords."
value_type : POLICY_DWORD
password_policy : ENFORCE_PASSWORD_HISTORY
value_data : [24..MAX]
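# 1.1.1.6: password complexity. The item passes only when the policy reads "Enabled".
type : PASSWORD_POLICY
description : "1.1.1.6 Set 'Password must meet complexity requirements' to 'Enabled'"
info : "This policy setting checks all new passwords to ensure that they meet basic requirements for strong passwords."
reference : "800-53|IA-5,PCI|8.5,CCE|CCE-22567-2,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
# The remediation text states the setting this item actually tests (Enabled), not a password count.
solution : "Make sure 'Password must meet complexity requirements' is enabled."
value_type : POLICY_SET
password_policy : COMPLEXITY_REQUIREMENTS
value_data : "Enabled"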
type : PASSWORD_POLICY
description : "1.1.1.7 Set 'Store passwords using reversible encryption' to 'Disabled'"
info : "This policy setting determines whether the operating system stores passwords in a way that uses reversible"
info : "encryption, which provides support for application protocols that require knowledge of the user's password"
info : "for authentication purposes."
reference : "800-53|IA-5,800-53|AU-9,PCI|8.4,CCE|CCE-21910-5,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
solution : "Make sure 'Store passwords using reversible encryption' is disabled."
value_type : POLICY_SET
password_policy : REVERSIBLE_ENCRYPTION
value_data : "Disabled"
type : PASSWORD_POLICY
description : "1.1.1.8 Set 'Minimum password age' to '1 or more day(s)'"
info : "This policy setting determines the number of days that you must use a password before you can change it."
reference : "800-53|IA-5,PCI|8.5,CCE|CCE-21414-8,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
solution : "Make sure minimum password age is set to a minimum of 1 day."
value_type : TIME_DAY
password_policy : MINIMUM_PASSWORD_AGE
value_data : [1..MAX]
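## 1.1.2 Advanced Audit Policy Configuration
# NOTE: the items in this section whose description targets 'No Auditing' list all four
# AUDIT_SET states in value_data ("No Auditing" || "Success" || "Failure" || "Success, Failure"),
# so they pass for any host setting and do not enforce the benchmark target. Narrow value_data
# on an item if site policy requires one specific state.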
type : AUDIT_POLICY_SUBCATEGORY
description : "1.1.2.1 Set 'Audit Policy: Privilege Use: Sensitive Privilege Use' to 'Success and Failure'"
info : "This subcategory reports when a user account or service uses a sensitive privilege."
reference : "800-53|AU-2,PCI|10.3.4,PCI|10.3.3,PCI|10.2.2,PCI|10.3.2,PCI|10.3.5,CCE|CCE-22624-1,PCI|10.3.6,PCI|10.3.1,PCI|10.3,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
solution : "Make sure 'Privilege Use: Sensitive Privilege Use' is set to success and failure."
value_type : AUDIT_SET
audit_policy_subcategory: "Sensitive Privilege Use"
value_data : "Success, Failure"
type : AUDIT_POLICY_SUBCATEGORY
description : "1.1.2.2 Set 'Audit Policy: Account Management: Other Account Management Events' to 'Success and Failure'"
info : "This subcategory reports other account management events."
reference : "800-53|AU-2,PCI|10.3.4,PCI|10.3.3,PCI|10.2.2,CCE|CCE-23036-7,PCI|10.3.2,PCI|10.3.5,PCI|10.3.6,PCI|10.3.1,PCI|10.3,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
solution : "Make sure 'Account Management: Other Account Management Events' is set to success and failure."
value_type : AUDIT_SET
audit_policy_subcategory: "Other Account Management Events"
value_data : "Success, Failure"
type : AUDIT_POLICY_SUBCATEGORY
description : "1.1.2.3 Set 'Audit Policy: Logon-Logoff: IPsec Quick Mode' to 'No Auditing'"
info : "This subcategory reports the results of IKE protocol and AuthIP during Quick Mode negotiations."
info : "4654: An IPsec Quick Mode negotiation failed."
reference : "PCI|10.3.4,PCI|10.3.3,PCI|10.3.2,PCI|10.3.5,PCI|10.2.5,PCI|10.3.6,PCI|10.3.1,PCI|10.3,CCE|CCE-21855-2,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
solution : "Make sure 'Logon-Logoff: IPsec Quick Mode' is set to no auditing."
value_type : AUDIT_SET
audit_policy_subcategory: "IPsec Quick Mode"
value_data : "No Auditing" || "Success" || "Failure" || "Success, Failure"
type : AUDIT_POLICY_SUBCATEGORY
description : "1.1.2.4 Set 'Audit Policy: Detailed Tracking: RPC Events' to 'No Auditing'"
info : "This subcategory reports remote procedure call (RPC) connection events."
reference : "PCI|10.2,CCE|CCE-21820-6,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
solution : "Make sure 'Detailed Tracking: RPC Events' is set to no auditing."
value_type : AUDIT_SET
audit_policy_subcategory: "RPC Events"
value_data : "No Auditing" || "Success" || "Failure" || "Success, Failure"
type : AUDIT_POLICY_SUBCATEGORY
description : "1.1.2.5 Set 'Audit Policy: DS Access: Directory Service Access' to 'No Auditing'"
info : "This subcategory reports when an AD DS object is accessed."
reference : "800-53|AU-2,PCI|10.3.4,PCI|10.3.3,PCI|10.3.2,CCE|CCE-22534-2,PCI|10.3.5,PCI|10.2.5,PCI|10.3.6,PCI|10.3.1,PCI|10.3,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
solution : "Make sure 'DS Access: Directory Service Access' is set to no auditing."
value_type : AUDIT_SET
audit_policy_subcategory: "Directory Service Access"
value_data : "No Auditing" || "Success" || "Failure" || "Success, Failure"
type : AUDIT_POLICY_SUBCATEGORY
description : "1.1.2.6 Set 'Audit Policy: Policy Change: MPSSVC Rule-Level Policy Change' to 'No Auditing'"
info : "This subcategory reports changes in policy rules used by the Microsoft Protection Service (MPSSVC.exe)."
reference : "PCI|10.2,CCE|CCE-22630-8,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
solution : "Make sure 'Policy Change: MPSSVC Rule-Level Policy Change' is set to no auditing."
value_type : AUDIT_SET
audit_policy_subcategory: "MPSSVC Rule-Level Policy Change"
value_data : "No Auditing" || "Success" || "Failure" || "Success, Failure"
type : AUDIT_POLICY_SUBCATEGORY
description : "1.1.2.7 Set 'Audit Policy: Account Management: Distribution Group Management' to 'No Auditing'"
info : "This subcategory reports each event of distribution group management, such as when a distribution group is created,"
info : "changed, or deleted or when a member is added to or removed from a distribution group."
reference : "800-53|AU-2,PCI|10.3.4,PCI|10.3.3,PCI|10.2.2,PCI|10.3.2,PCI|10.3.5,PCI|10.3.6,PCI|10.3.1,PCI|10.3,CCE|CCE-23096-1"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
solution : "Make sure 'Account Management: Distribution Group Management' is set to no auditing."
value_type : AUDIT_SET
audit_policy_subcategory: "Distribution Group Management"
value_data : "No Auditing" || "Success" || "Failure" || "Success, Failure"
type : AUDIT_POLICY_SUBCATEGORY
description : "1.1.2.8 Set 'Audit Policy: Detailed Tracking: Process Termination' to 'No Auditing'"
info : "This subcategory reports when a process terminates."
reference : "PCI|10.3.4,PCI|10.3.3,PCI|10.3.2,PCI|10.3.5,PCI|10.2.7,CCE|CCE-23604-2,PCI|10.3.6,PCI|10.3.1,PCI|10.3,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
solution : "Make sure 'Detailed Tracking: Process Termination' is set to no auditing."
value_type : AUDIT_SET
audit_policy_subcategory: "Process Termination"
value_data : "No Auditing" || "Success" || "Failure" || "Success, Failure"
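# 1.1.2.9: Object Access / Detailed File Share.
# value_data lists every AUDIT_SET state, so this item passes whatever the host is set to;
# the 'No Auditing' target in the description is not enforced.
type : AUDIT_POLICY_SUBCATEGORY
description : "1.1.2.9 Set 'Audit Policy: Object Access: Detailed File Share' to 'No Auditing'"
info : "This policy setting allows you to audit attempts to access files and folders on a shared folder."
reference : "PCI|10.3.4,PCI|10.3.3,CCE|CCE-23288-4,PCI|10.3.2,PCI|10.3.5,PCI|10.3.6,PCI|10.3.1,PCI|10.3,PCI|10.2.4,PCI|10.2.1,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
solution : "Make sure 'Object Access: Detailed File Share' is set to no auditing."
value_type : AUDIT_SET
# The subcategory is identified by name; it must be the Windows subcategory "Detailed File Share".
audit_policy_subcategory: "Detailed File Share"
value_data : "No Auditing" || "Success" || "Failure" || "Success, Failure"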
type : AUDIT_POLICY_SUBCATEGORY
description : "1.1.2.10 Set 'Audit Policy: Account Management: User Account Management' to 'Success and Failure'"
info : "This subcategory reports each event of user account management, such as when a user account is created, changed,"
info : "or deleted; a user account is renamed, disabled, or enabled; or a password is set or changed."
reference : "800-53|AU-2,PCI|10.3.4,PCI|10.3.3,PCI|10.2.2,PCI|10.3.2,PCI|10.3.5,PCI|10.3.6,PCI|10.3.1,PCI|10.3,CCE|CCE-22890-8,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
solution : "Make sure 'Account Management: User Account Management' is set to success and failure."
value_type : AUDIT_SET
audit_policy_subcategory: "User Account Management"
value_data : "Success, Failure"
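# 1.1.2.11: Account Management / Computer Account Management.
# Expects the combined "Success, Failure" state for this subcategory.
type : AUDIT_POLICY_SUBCATEGORY
description : "1.1.2.11 Set 'Audit Policy: Account Management: Computer Account Management' to 'Success and Failure'"
info : "This subcategory reports each event of computer account management, such as when a computer account is created,"
info : "changed, deleted, renamed, disabled, or enabled."
reference : "800-53|AU-2,PCI|10.3.4,CCE|CCE-21905-5,PCI|10.3.3,PCI|10.2.2,PCI|10.3.2,PCI|10.3.5,PCI|10.3.6,PCI|10.3.1,PCI|10.3,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
solution : "Make sure 'Account Management: Computer Account Management' is set to success and failure."
value_type : AUDIT_SET
audit_policy_subcategory: "Computer Account Management"
value_data : "Success, Failure"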
type : AUDIT_POLICY_SUBCATEGORY
description : "1.1.2.12 Set 'Audit Policy: System: Security System Extension' to 'Success and Failure'"
info : "This subcategory reports the loading of extension code such as authentication packages by the security subsystem."
reference : "800-53|AU-2,PCI|10.2,CCE|CCE-25527-3,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
solution : "Make sure 'System: Security System Extension' is set to success and failure."
value_type : AUDIT_SET
audit_policy_subcategory: "Security System Extension"
value_data : "Success, Failure"
type : AUDIT_POLICY_SUBCATEGORY
description : "1.1.2.13 Set 'Audit Policy: System: Security State Change' to 'Success and Failure'"
info : "This subcategory reports changes in security state of the system, such as when the security subsystem"
info : "starts and stops."
reference : "800-53|AU-2,PCI|10.2,CCE|CCE-22876-7,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
solution : "Make sure 'System: Security State Change' is set to success and failure."
value_type : AUDIT_SET
audit_policy_subcategory: "Security State Change"
value_data : "Success, Failure"
type : AUDIT_POLICY_SUBCATEGORY
description : "1.1.2.14 Set 'Audit Policy: Logon-Logoff: Network Policy Server' to 'No Auditing'"
info : "This subcategory reports events generated by RADIUS (IAS) and Network Access Protection (NAP) user access requests."
reference : "PCI|10.3.4,PCI|10.3.3,PCI|10.3.2,PCI|10.3.5,PCI|10.2.5,PCI|10.3.6,PCI|10.3.1,PCI|10.3,CCE|CCE-23313-0,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
solution : "Make sure 'Logon-Logoff: Network Policy Server' is set to no auditing."
value_type : AUDIT_SET
audit_policy_subcategory: "Network Policy Server"
value_data : "No Auditing" || "Success" || "Failure" || "Success, Failure"
type : AUDIT_POLICY_SUBCATEGORY
description : "1.1.2.15 Set 'Audit Policy: Detailed Tracking: DPAPI Activity' to 'No Auditing'"
info : "This subcategory reports encrypt or decrypt calls into the data protections application interface (DPAPI)."
reference : "CCE|CCE-23076-3,PCI|10.2,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
solution : "Make sure 'Detailed Tracking: DPAPI Activity' is set to no auditing."
value_type : AUDIT_SET
audit_policy_subcategory: "DPAPI Activity"
value_data : "No Auditing" || "Success" || "Failure" || "Success, Failure"
type : AUDIT_POLICY_SUBCATEGORY
description : "1.1.2.16 Set 'Audit Policy: System: IPsec Driver' to 'Success and Failure'"
info : "This subcategory reports on the activities of the Internet Protocol security (IPsec) driver."
reference : "800-53|AU-2,PCI|10.2,CCE|CCE-23505-1,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
solution : "Make sure 'System: IPsec Driver' is set to success and failure."
value_type : AUDIT_SET
audit_policy_subcategory: "IPsec Driver"
value_data : "Success, Failure"
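# 1.1.2.17: Account Management / Security Group Management.
# Expects the combined "Success, Failure" state for this subcategory.
type : AUDIT_POLICY_SUBCATEGORY
description : "1.1.2.17 Set 'Audit Policy: Account Management: Security Group Management' to 'Success and Failure'"
info : "This subcategory reports each event of security group management, such as when a security group is created, changed,"
info : "or deleted or when a member is added to or removed from a security group."
reference : "800-53|AU-2,PCI|10.3.4,PCI|10.3.3,PCI|10.2.2,PCI|10.3.2,PCI|10.3.5,PCI|10.3.6,CCE|CCE-22381-8,PCI|10.3.1,PCI|10.3,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
solution : "Make sure 'Account Management: Security Group Management' is set to success and failure."
value_type : AUDIT_SET
audit_policy_subcategory: "Security Group Management"
value_data : "Success, Failure"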
type : AUDIT_POLICY_SUBCATEGORY
description : "1.1.2.18 Set 'Audit Policy: Account Logon: Other Account Logon Events' to 'No Auditing'"
info : "This subcategory reports the events that occur in response to credentials submitted for a user"
info : "account logon request"
info : "that do not relate to credential validation or Kerberos tickets."
reference : "800-53|AU-2,PCI|10.3.4,PCI|10.3.3,PCI|10.3.2,PCI|10.3.5,PCI|10.3.6,PCI|10.3.1,PCI|10.3,CCE|CCE-22351-1,PCI|10.2.4,PCI|10.2.1,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
solution : "Make sure 'Account Logon: Other Account Logon Events' is set to no auditing."
value_type : AUDIT_SET
audit_policy_subcategory: "Other Account Logon Events"
value_data : "No Auditing" || "Success" || "Failure" || "Success, Failure"
type : AUDIT_POLICY_SUBCATEGORY
description : "1.1.2.19 Set 'Audit Policy: Object Access: Registry' to 'No Auditing'"
info : "This subcategory reports when registry objects are accessed."
reference : "800-53|AU-2,PCI|10.3.4,PCI|10.3.3,PCI|10.3.2,PCI|10.3.5,PCI|10.3.6,PCI|10.3.1,CCE|CCE-21996-4,PCI|10.3,PCI|10.2.4,PCI|10.2.1,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
solution : "Make sure 'Object Access: Registry' is set to no auditing."
value_type : AUDIT_SET
audit_policy_subcategory: "Registry"
value_data : "No auditing" || "Success" || "Failure" || "Success, Failure"
type : AUDIT_POLICY_SUBCATEGORY
description : "1.1.2.20 Set 'Audit Policy: Privilege Use: Other Privilege Use Events' to 'No Auditing'"
info : "This subcategory is not used."
reference : "PCI|10.2,CCE|CCE-22124-2,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
solution : "Make sure 'Privilege Use: Other Privilege Use Events' is set to no auditing."
value_type : AUDIT_SET
audit_policy_subcategory: "Other Privilege Use Events"
value_data : "No Auditing" || "Success" || "Failure" || "Success, Failure"
type : AUDIT_POLICY_SUBCATEGORY
description : "1.1.2.21 Set 'Audit Policy: Policy Change: Filtering Platform Policy Change' to 'No Auditing'"
info : "This subcategory reports the addition and removal of objects from WFP, including startup filters."
reference : "CCE|CCE-22210-9,PCI|10.2,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
solution : "Make sure 'Policy Change: Filtering Platform Policy Change' is set to no auditing."
value_type : AUDIT_SET
audit_policy_subcategory: "Filtering Platform Policy Change"
value_data : "No Auditing" || "Success" || "Failure" || "Success, Failure"
type : AUDIT_POLICY_SUBCATEGORY
description : "1.1.2.22 Set 'Audit Policy: Object Access: Central Access Policy Staging' to 'No Auditing'"
info : "This policy setting allows you to audit access requests where the permission granted or denied by a proposed"
info : "policy differs from the current central access policy on an object."
reference : "CCE|CCE-23207-4,PCI|10.2,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
solution : "Make sure 'Object Access: Central Access Policy Staging' is set to no auditing."
value_type : AUDIT_SET
audit_policy_subcategory: "Central Policy Staging"
value_data : "No Auditing" || "Success" || "Failure" || "Success, Failure"
type : AUDIT_POLICY_SUBCATEGORY
description : "1.1.2.23 Set 'Audit Policy: Policy Change: Authorization Policy Change' to 'No Auditing'"
info : "This subcategory reports changes in authorization policy including permissions (DACL) changes."
reference : "PCI|10.2,CCE|CCE-22204-2,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
solution : "Make sure 'Policy Change: Authorization Policy Change' is set to no auditing."
value_type : AUDIT_SET
audit_policy_subcategory: "Authorization Policy Change"
value_data : "No Auditing" || "Success" || "Failure" || "Success, Failure"
type : AUDIT_POLICY_SUBCATEGORY
description : "1.1.2.24 Set 'Audit Policy: Account Logon: Kerberos Authentication Service' to 'No Auditing'"
info : "This subcategory reports events generated by the Kerberos Authentication Server."
reference : "PCI|10.3.4,PCI|10.3.3,PCI|10.3.2,PCI|10.3.5,PCI|10.2.5,PCI|10.3.6,PCI|10.3.1,PCI|10.3,CCE|CCE-22178-8,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
solution : "Make sure 'Account Logon: Kerberos Authentication Service' is set to No Auditing or Success (minimum), or Failure (minimum), or Success and Failure."
value_type : AUDIT_SET
audit_policy_subcategory: "Kerberos Authentication Service"
value_data : "No Auditing" || "Success" || "Failure" || "Success, Failure"
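# 1.1.2.25: Logon-Logoff / Logoff.
type : AUDIT_POLICY_SUBCATEGORY
description : "1.1.2.25 Set 'Audit Policy: Logon-Logoff: Logoff' to 'Success'"
info : "This subcategory reports when a user logs off from the system."
reference : "PCI|10.3.4,PCI|10.3.3,PCI|10.3.2,PCI|10.3.5,PCI|10.3.6,PCI|10.3.1,PCI|10.3,PCI|10.2.4,CCE|CCE-22565-6,PCI|10.2.1,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
solution : "Make sure 'Logon-Logoff: Logoff' is set to 'Success'."
value_type : AUDIT_SET
audit_policy_subcategory: "Logoff"
# NOTE(review): only the single state "Success" is listed. Whether a host that audits
# "Success, Failure" (a superset) passes depends on how the scanner compares AUDIT_SET
# values - confirm before treating a failure here as a finding.
value_data : "Success"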
type : AUDIT_POLICY_SUBCATEGORY
description : "1.1.2.26 Set 'Audit Policy: Account Management: Application Group Management' to 'No Auditing'"
info : "This subcategory reports each event of application group management on a computer, such as when an application"
info : "group is created, changed, or deleted or when a member is added to or removed from an application group."
reference : "PCI|10.3.4,PCI|10.3.3,PCI|10.2.2,PCI|10.3.2,PCI|10.3.5,PCI|10.3.6,PCI|10.3.1,PCI|10.3,CCE|CCE-23336-1,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
solution : "Make sure 'Account Management: Application Group Management' is set to no auditing."
value_type : AUDIT_SET
audit_policy_subcategory: "Application Group Management"
value_data : "No Auditing" || "Success" || "Failure" || "Success, Failure"
type : AUDIT_POLICY_SUBCATEGORY
description : "1.1.2.27 Set 'Audit Policy: DS Access: Directory Service Changes' to 'No Auditing'"
info : "This subcategory reports changes to objects in Active Directory Domain Services (AD DS)."
reference : "PCI|10.3.4,PCI|10.3.3,PCI|10.3.2,PCI|10.3.5,PCI|10.2.5,PCI|10.3.6,PCI|10.3.1,CCE|CCE-21956-8,PCI|10.3,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
solution : "Make sure 'DS Access: Directory Service Changes' is set to no auditing."
value_type : AUDIT_SET
audit_policy_subcategory: "Directory Service Changes"
value_data : "No Auditing" || "Success" || "Failure" || "Success, Failure"
type : AUDIT_POLICY_SUBCATEGORY
description : "1.1.2.28 Set 'Audit Policy: Object Access: Kernel Object' to 'No Auditing'"
info : "This subcategory reports when kernel objects such as processes and mutexes are accessed."
reference : "PCI|10.3.4,PCI|10.3.3,PCI|10.3.2,PCI|10.3.5,PCI|10.3.6,PCI|10.3.1,PCI|10.3,PCI|10.2.4,PCI|10.2.1,CCE|CCE-22184-6,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
solution : "Make sure 'Object Access: Kernel Object' is set to no auditing."
value_type : AUDIT_SET
audit_policy_subcategory: "Kernel Object"
value_data : "No Auditing" || "Success" || "Failure" || "Success, Failure"
type : AUDIT_POLICY_SUBCATEGORY
description : "1.1.2.29 Set 'Audit Policy: Policy Change: Other Policy Change Events' to 'No Auditing'"
info : "This subcategory reports other types of security policy changes such as configuration of the Trusted Platform Module"
info : "(TPM) or cryptographic providers."
reference : "PCI|10.2,CCE|CCE-22798-3,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
solution : "Make sure 'Policy Change: Other Policy Change Events' is set to No Auditing."
value_type : AUDIT_SET
audit_policy_subcategory: "Other Policy Change Events"
value_data : "No Auditing" || "Success" || "Failure" || "Success, Failure"
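# 1.1.2.30: Object Access / Application Generated.
# value_data lists every AUDIT_SET state, so this item passes whatever the host is set to;
# the 'No Auditing' target in the description is not enforced.
type : AUDIT_POLICY_SUBCATEGORY
description : "1.1.2.30 Set 'Audit Policy: Object Access: Application Generated' to 'No Auditing'"
info : "This subcategory reports when applications attempt to generate audit events by using the Windows auditing"
info : "application programming interfaces (APIs)."
reference : "PCI|10.2,CCE|CCE-23565-5,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
solution : "Make sure 'Object Access: Application Generated' is set to No Auditing."
value_type : AUDIT_SET
audit_policy_subcategory: "Application Generated"
value_data : "No Auditing" || "Success" || "Failure" || "Success, Failure"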
type : AUDIT_POLICY_SUBCATEGORY
description : "1.1.2.31 Set 'Audit Policy: Logon-Logoff: Account Lockout' to 'No Auditing'"
info : "This subcategory reports when a user's account is locked out as a result of too many failed logon attempts."
reference : "PCI|10.3.4,PCI|10.3.3,PCI|10.3.2,PCI|10.3.5,CCE|CCE-22859-3,PCI|10.3.6,PCI|10.3.1,PCI|10.3,PCI|10.2.4,PCI|10.2.1,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
solution : "Make sure 'Logon-Logoff: Account Lockout' is set to no auditing."
value_type : AUDIT_SET
audit_policy_subcategory: "Account Lockout"
value_data : "No Auditing" || "Success" || "Failure" || "Success, Failure"
type : AUDIT_POLICY_SUBCATEGORY
description : "1.1.2.32 Set 'Audit Policy: Policy Change: Audit Policy Change' to 'Success and Failure'"
info : "This subcategory reports changes in audit policy including SACL changes."
reference : "800-53|AU-2,PCI|10.3.4,CCE|CCE-22854-4,PCI|10.3.3,PCI|10.3.2,PCI|10.3.5,PCI|10.2.3,PCI|10.3.6,PCI|10.3.1,PCI|10.3,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
solution : "Make sure 'Policy Change: Audit Policy Change' is set to success and failure."
value_type : AUDIT_SET
audit_policy_subcategory: "Audit Policy Change"
value_data : "Success, Failure"
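# 1.1.2.33: Object Access / File Share.
# value_data lists every AUDIT_SET state, so this item passes whatever the host is set to;
# the 'No Auditing' target in the description is not enforced.
type : AUDIT_POLICY_SUBCATEGORY
description : "1.1.2.33 Set 'Audit Policy: Object Access: File Share' to 'No Auditing'"
info : "This subcategory reports when a file share is accessed."
reference : "PCI|10.3.4,PCI|10.3.3,PCI|10.3.2,PCI|10.3.5,PCI|10.3.6,CCE|CCE-21844-6,PCI|10.3.1,PCI|10.3,PCI|10.2.4,PCI|10.2.1,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
solution : "Make sure 'Object Access: File Share' is set to no auditing."
value_type : AUDIT_SET
# The subcategory is identified by name; it must be the Windows subcategory "File Share".
audit_policy_subcategory: "File Share"
value_data : "No Auditing" || "Success" || "Failure" || "Success, Failure"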
type : AUDIT_POLICY_SUBCATEGORY
description : "1.1.2.34 Set 'Audit Policy: System: System Integrity' to 'Success and Failure'"
info : "This subcategory reports on violations of integrity of the security subsystem."
reference : "PCI|10.2,CCE|CCE-23558-0,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
solution : "Make sure 'System: System Integrity' is set to success and failure."
value_type : AUDIT_SET
audit_policy_subcategory: "System Integrity"
value_data : "Success, Failure"
type : AUDIT_POLICY_SUBCATEGORY
description : "1.1.2.35 Set 'Audit Policy: System: Other System Events' to 'No Auditing'"
info : "This subcategory reports on other system events."
reference : "800-53|AU-2,CCE|CCE-23028-4,PCI|10.2,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
solution : "Make sure 'System: Other System Events' is set to No Auditing."
value_type : AUDIT_SET
audit_policy_subcategory: "Other System Events"
value_data : "No Auditing" || "Success" || "Failure" || "Success, Failure"
type : AUDIT_POLICY_SUBCATEGORY
description : "1.1.2.36 Set 'Audit Policy: Logon-Logoff: Other Logon/Logoff Events' to 'No Auditing'"
info : "This subcategory reports other logon/logoff-related events, such as Terminal Services session disconnects"
info : " and reconnects, using RunAs to run processes under a different account, and locking and unlocking a workstation."
reference : "PCI|10.3.4,PCI|10.3.3,PCI|10.3.2,PCI|10.3.5,PCI|10.3.6,PCI|10.3.1,CCE|CCE-22723-1,PCI|10.3,PCI|10.2.4,PCI|10.2.1,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
solution : "Make sure 'Logon-Logoff: Other Logon/Logoff Events' is set to no auditing."
value_type : AUDIT_SET
audit_policy_subcategory: "Other Logon/Logoff Events"
value_data : "No auditing" || "Success" || "Failure" || "Success, Failure"
type : AUDIT_POLICY_SUBCATEGORY
description : "1.1.2.37 Set 'Audit Policy: DS Access: Directory Service Replication' to 'No Auditing'"
info : "This subcategory reports when replication between two domain controllers begins and ends."
reference : "PCI|10.3.4,PCI|10.3.3,PCI|10.3.2,PCI|10.3.5,PCI|10.2.5,CCE|CCE-22437-8,PCI|10.3.6,PCI|10.3.1,PCI|10.3,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
solution : "Make sure 'DS access: Directory Service Replication' is set to no auditing."
value_type : AUDIT_SET
audit_policy_subcategory: "Directory Service Replication"
value_data : "No Auditing" || "Success" || "Failure" || "Success, Failure"
type : AUDIT_POLICY_SUBCATEGORY
description : "1.1.2.38 Set 'Audit Policy: Object Access: Filtering Platform Packet Drop' to 'No Auditing'"
info : "This subcategory reports when packets are dropped by Windows Filtering Platform (WFP)."
reference : "CCE|CCE-22558-1,PCI|10.2,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
solution : "Make sure 'Object Access: Filtering Platform Packet Drop' is set to no auditing."
value_type : AUDIT_SET
audit_policy_subcategory: "Filtering Platform Packet Drop"
value_data : "No Auditing" || "Success" || "Failure" || "Success, Failure"
type : AUDIT_POLICY_SUBCATEGORY
description : "1.1.2.39 Set 'Audit Policy: DS Access: Detailed Directory Service Replication' to 'No Auditing'"
info : "This subcategory reports detailed information about the information replicating between domain controllers."
reference : "PCI|10.3.4,PCI|10.3.3,PCI|10.3.2,PCI|10.3.5,PCI|10.2.5,PCI|10.3.6,CCE|CCE-21471-8,PCI|10.3.1,PCI|10.3,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
solution : "Make sure 'DS Access: Detailed Directory Service Replication' is set to no auditing."
value_type : AUDIT_SET
audit_policy_subcategory: "Detailed Directory Service Replication"
value_data : "No Auditing" || "Success" || "Failure" || "Success, Failure"
type : AUDIT_POLICY_SUBCATEGORY
description : "1.1.2.40 Set 'Audit Policy: Object Access: Other Object Access Events' to 'No Auditing'"
info : "This subcategory reports other object access-related events such as Task Scheduler jobs and COM+ objects."
reference : "PCI|10.3.4,PCI|10.3.3,PCI|10.3.2,PCI|10.3.5,CCE|CCE-22206-7,PCI|10.3.6,PCI|10.3.1,PCI|10.3,PCI|10.2.4,PCI|10.2.1,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
solution : "Make sure 'Object Access: Other Object Access Events' is set to no auditing."
value_type : AUDIT_SET
audit_policy_subcategory: "Other Object Access Events"
value_data : "No Auditing" || "Success" || "Failure" || "Success, Failure"
type : AUDIT_POLICY_SUBCATEGORY
description : "1.1.2.41 Set 'Audit Policy: Object Access: Filtering Platform Connection' to 'No Auditing'"
info : "This subcategory reports when connections are allowed or blocked by Windows Filtering Platform (WFP)."
reference : "CCE|CCE-22577-1,PCI|10.2,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
solution : "Make sure 'Object Access: Filtering Platform Connection' is set to no auditing."
value_type : AUDIT_SET
audit_policy_subcategory: "Filtering Platform Connection"
value_data : "No Auditing" || "Success" || "Failure" || "Success, Failure"
type : AUDIT_POLICY_SUBCATEGORY
description : "1.1.2.42 Set 'Audit Policy: Privilege Use: Non Sensitive Privilege Use' to 'No Auditing'"
info : "This subcategory reports when a user account or service uses a non-sensitive privilege."
reference : "CCE|CCE-21816-4,PCI|10.2,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
solution : "Make sure 'Privilege Use: Non Sensitive Privilege Use' is set to no auditing."
value_type : AUDIT_SET
audit_policy_subcategory: "Non Sensitive Privilege Use"
value_data : "No Auditing" || "Success" || "Failure" || "Success, Failure"
type : AUDIT_POLICY_SUBCATEGORY
description : "1.1.2.43 Set 'Audit Policy: Object Access: Certification Services' to 'No Auditing'"
info : "This subcategory reports when Certification Services operations are performed."
reference : "PCI|10.3.4,PCI|10.3.3,PCI|10.3.2,PCI|10.3.5,CCE|CCE-21726-5,PCI|10.2.5,PCI|10.3.6,PCI|10.3.1,PCI|10.3,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
solution : "Make sure 'Object Access: Certification Services' is set to no auditing."
value_type : AUDIT_SET
audit_policy_subcategory: "Certification Services"
value_data : "No Auditing" || "Success" || "Failure" || "Success, Failure"
type : AUDIT_POLICY_SUBCATEGORY
description : "1.1.2.44 Set 'Audit Policy: Logon-Logoff: Special Logon' to 'Success'"
info : "This subcategory reports when a special logon is used."
reference : "PCI|10.3.4,PCI|10.3.3,PCI|10.3.2,PCI|10.3.5,PCI|10.3.6,PCI|10.3.1,PCI|10.3,PCI|10.2.4,PCI|10.2.1,CCE|CCE-21798-4,Level|1S,800-53|AU-2"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
solution : "Make sure 'Logon-Logoff: Special Logon' is set to Success (minimum)."
value_type : AUDIT_SET
audit_policy_subcategory: "Special Logon"
value_data : "Success"
type : AUDIT_POLICY_SUBCATEGORY
description : "1.1.2.45 Set 'Audit Policy: Object Access: Handle Manipulation' to 'No Auditing'"
info : "This subcategory reports when a handle to an object is opened or closed."
reference : "PCI|10.3.4,PCI|10.3.3,PCI|10.3.2,PCI|10.3.5,CCE|CCE-22465-9,PCI|10.3.6,PCI|10.3.1,PCI|10.3,PCI|10.2.4,PCI|10.2.1,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
solution : "Make sure 'Object Access: Handle Manipulation' is set to no auditing."
value_type : AUDIT_SET
audit_policy_subcategory: "Handle Manipulation"
value_data : "No Auditing" || "Success" || "Failure" || "Success, Failure"
type : AUDIT_POLICY_SUBCATEGORY
description : "1.1.2.46 Set 'Audit Policy: Object Access: Removable Storage' to 'No Auditing'"
info : "This policy setting allows you to audit user attempts to access file system objects on a removable storage device."
reference : "PCI|10.3.4,PCI|10.3.3,PCI|10.3.2,PCI|10.3.5,PCI|10.3.6,PCI|10.3.1,CCE|CCE-21659-8,PCI|10.3,PCI|10.2.4,PCI|10.2.1,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
solution : "Make sure 'Object Access: Removable Storage' is set to no auditing."
value_type : AUDIT_SET
audit_policy_subcategory: "Removable Storage"
value_data : "No auditing" || "Success" || "Failure" || "Success, Failure"
type : AUDIT_POLICY_SUBCATEGORY
description : "1.1.2.47 Set 'Audit Policy: Logon-Logoff: IPsec Main Mode' to 'No Auditing'"
info : "This subcategory reports the results of Internet Key Exchange (IKE) protocol and Authenticated Internet Protocol"
info : "(AuthIP) during Main Mode negotiations."
reference : "PCI|10.3.4,PCI|10.3.3,PCI|10.3.2,PCI|10.3.5,PCI|10.2.5,PCI|10.3.6,PCI|10.3.1,PCI|10.3,CCE|CCE-22378-4,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
solution : "Make sure 'Logon-Logoff: IPsec Main Mode' is set to no auditing."
value_type : AUDIT_SET
audit_policy_subcategory: "IPsec Main Mode"
value_data : "No Auditing" || "Success" || "Failure" || "Success, Failure"
type : AUDIT_POLICY_SUBCATEGORY
description : "1.1.2.48 Set 'Audit Policy: Account Logon: Credential Validation' to 'Success and Failure'"
info : "This subcategory reports the results of validation tests on credentials submitted for a user account logon request."
reference : "PCI|10.3.4,PCI|10.3.3,CCE|CCE-23198-5,PCI|10.3.2,PCI|10.3.5,PCI|10.3.6,PCI|10.3.1,PCI|10.3,PCI|10.2.4,PCI|10.2.1,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
solution : "Make sure the audit policy 'Account Logon: Credential Validation' is set to success and failure."
value_type : AUDIT_SET
audit_policy_subcategory: "Credential Validation"
value_data : "Success, Failure"
type : AUDIT_POLICY_SUBCATEGORY
description : "1.1.2.49 Set 'Audit Policy: Account Logon: Kerberos Service Ticket Operations' to 'No Auditing'"
info : "This subcategory reports events generated by Kerberos ticket request processes on the domain controller that is authoritative"
info : "for the domain account."
reference : "PCI|10.3.4,PCI|10.3.3,PCI|10.3.2,PCI|10.3.5,PCI|10.2.5,PCI|10.3.6,PCI|10.3.1,PCI|10.3,CCE|CCE-23241-3,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
solution : "Make sure 'Account Logon: Kerberos Service Ticket Operations' is set to no auditing."
value_type : AUDIT_SET
audit_policy_subcategory: "Kerberos Service Ticket Operations"
value_data : "No Auditing" || "Success" || "Failure" || "Success, Failure"
type : AUDIT_POLICY_SUBCATEGORY
description : "1.1.2.50 Set 'Audit Policy: Logon-Logoff: Logon' to 'Success and Failure'"
info : "This subcategory reports when a user attempts to log on to the system."
reference : "PCI|10.3.4,PCI|10.3.3,PCI|10.3.2,PCI|10.3.5,CCE|CCE-22438-6,PCI|10.3.6,PCI|10.3.1,PCI|10.3,PCI|10.2.4,PCI|10.2.1,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
solution : "Make sure 'Logon-Logoff: Logon' is set to success and failure"
value_type : AUDIT_SET
audit_policy_subcategory: "Logon"
value_data : "Success, Failure"
type : AUDIT_POLICY_SUBCATEGORY
description : "1.1.2.51 Set 'Audit Policy: Detailed Tracking: Process Creation' to 'Success'"
info : "This subcategory reports the creation of a process and the name of the program or user that created it."
reference : "800-53|AU-2,PCI|10.3.4,PCI|10.3.3,CCE|CCE-22905-4,PCI|10.3.2,PCI|10.3.5,PCI|10.2.7,PCI|10.3.6,PCI|10.3.1,PCI|10.3,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
solution : "Make sure 'Detailed Tracking: Process Creation' is set to success."
value_type : AUDIT_SET
audit_policy_subcategory: "Process Creation"
value_data : "Success"
type : AUDIT_POLICY_SUBCATEGORY
description : "1.1.2.52 Set 'Audit Policy: Logon-Logoff: IPsec Extended Mode' to 'No Auditing'"
info : "This subcategory reports the results of AuthIP during Extended Mode negotiations."
reference : "PCI|10.3.4,PCI|10.3.3,PCI|10.3.2,PCI|10.3.5,CCE|CCE-22902-1,PCI|10.2.5,PCI|10.3.6,PCI|10.3.1,PCI|10.3,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
solution : "Make sure 'Logon-Logoff: IPsec Extended Mode' is set to no auditing."
value_type : AUDIT_SET
audit_policy_subcategory: "IPsec Extended Mode"
value_data : "No Auditing" || "Success" || "Failure" || "Success, Failure"
type : AUDIT_POLICY_SUBCATEGORY
description : "1.1.2.53 Set 'Audit Policy: Object Access: SAM' to 'No Auditing'"
info : "This subcategory reports when SAM objects are accessed."
reference : "PCI|10.3.4,PCI|10.3.3,PCI|10.3.2,PCI|10.3.5,PCI|10.3.6,PCI|10.3.1,PCI|10.3,PCI|10.2.4,PCI|10.2.1,CCE|CCE-22906-2,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
solution : "Make sure 'Object Access: SAM' is set to no auditing."
value_type : AUDIT_SET
audit_policy_subcategory: "SAM"
value_data : "No Auditing" || "Success" || "Failure" || "Success, Failure"
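# audit_policy_subcategory is the name the check looks up, so it has to match
# the Windows audit subcategory exactly. The info text identifies this item as
# file system object access, i.e. the "File System" subcategory.
type : AUDIT_POLICY_SUBCATEGORY
description : "1.1.2.54 Set 'Audit Policy: Object Access: File System' to 'No Auditing'"
info : "This subcategory reports when file system objects are accessed."
reference : "PCI|10.3.4,CCE|CCE-22156-4,PCI|10.3.3,PCI|10.3.2,PCI|10.3.5,PCI|10.3.6,PCI|10.3.1,PCI|10.3,PCI|10.2.4,PCI|10.2.1,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
solution : "Make sure 'Object Access: File System' is set to no auditing."
value_type : AUDIT_SET
audit_policy_subcategory: "File System"
value_data : "No Auditing" || "Success" || "Failure" || "Success, Failure"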
type : AUDIT_POLICY_SUBCATEGORY
description : "1.1.2.55 Set 'Audit Policy: Policy Change: Authentication Policy Change' to 'Success'"
info : "This subcategory reports changes in authentication policy."
reference : "800-53|AU-2,CCE|CCE-23454-2,PCI|10.2,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
solution : "Make sure 'Policy Change: Authentication Policy Change' is set to Success (minimum)."
value_type : AUDIT_SET
audit_policy_subcategory: "Authentication Policy Change"
value_data : "Success"
## 1.1.3 Security Options
## 1.1.3.1 Accounts
type : REGISTRY_SETTING
description : "1.1.3.1.1 Set 'Accounts: Block Microsoft accounts' to 'Users can't add or log on with Microsoft accounts'"
info : "This policy setting prevents users from adding new Microsoft accounts on this computer."
solution : "Make sure 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts'"
reference : "CCE|CCE-21665-5,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\"
reg_item : "NoConnectedUser"
value_data : 1
type : CHECK_ACCOUNT
description : "1.1.3.1.2 Configure 'Accounts: Rename guest account'"
info : "This control recommends choosing a name for the built-in local guest account that is different"
info : "from the default."
solution : "Make sure 'Accounts: Rename guest account' is not set to guest."
reference : "800-53|AC-7,800-53|CM-6,PCI|2.1,CCE|CCE-21399-1,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
value_type : POLICY_TEXT
account_type : GUEST_ACCOUNT
value_data : "guest"
check_type : CHECK_NOT_EQUAL
type : CHECK_ACCOUNT
description : "1.1.3.1.3 Set 'Accounts: Administrator account status' to 'Disabled'."
info : "This policy setting enables or disables the Administrator account during normal operation."
reference : "800-53|AC-3,800-53|AC-6,CCE|CCE-22297-6,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
solution : "Make sure 'Accounts: Administrator account status' is set to Disabled."
value_type : POLICY_SET
value_data : "Disabled"
account_type : ADMINISTRATOR_ACCOUNT
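# Checks the current name of the built-in administrator account.
# With CHECK_NOT_EQUAL the item fails when the account still carries one of
# the names listed in value_data.
type : CHECK_ACCOUNT
description : "1.1.3.1.4 Configure 'Accounts: Rename administrator account'"
info : "This control recommends choosing a name for the built-in local administrator account that is different"
info : "from the default."
solution : "Make sure 'Rename administrator account' is not set to Administrator or Admin (non standard)."
reference : "CCE|CCE-22097-0,800-53|AC-7,800-53|CM-6,PCI|2.1,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
value_type : POLICY_TEXT
account_type : ADMINISTRATOR_ACCOUNT
value_data : "Administrator" || "admin"
check_type : CHECK_NOT_EQUAL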
type : CHECK_ACCOUNT
description : "1.1.3.1.5 Set 'Accounts: Guest account status' to 'Disabled'"
info : "This policy setting determines whether the Guest account is enabled or disabled."
reference : "800-53|AC-3,800-53|SC-5,800-53|CM-7,800-53|CM-6,PCI|2.1,CCE|CCE-22548-2,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
solution : "Make sure 'Accounts: Guest account status' is set to Disabled."
value_type : POLICY_SET
value_data : "Disabled"
account_type : GUEST_ACCOUNT
type : REGISTRY_SETTING
description : "1.1.3.1.6 Set 'Accounts: Limit local account use of blank passwords to console logon only' to 'Enabled'"
info : "This policy setting determines whether local accounts that are not password protected can be used to log on from"
info : "locations other than the physical computer console."
reference : "800-53|AC-3,800-53|SC-5,800-53|CM-7,800-53|CM-6,CCE|CCE-23264-5,PCI|2.2.3,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
solution : "Make sure 'Accounts: Limit local account use of blank passwords to console logon only' is enabled."
value_type : POLICY_DWORD
reg_key : "HKLM\System\CurrentControlSet\Control\Lsa\"
reg_item : "LimitBlankPasswordUse"
value_data : 1
## 1.1.3.2 Audit
type : REGISTRY_SETTING
description : "1.1.3.2.1 Set 'Audit: Shut down system immediately if unable to log security audits' to 'Disabled'"
info : "This policy setting determines whether the system shuts down if it is unable to log Security events."
reference : "CCE|CCE-22303-2,PCI|2.2.3,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
solution : "Make sure 'Audit: Shut down system immediately if unable to log security audits' is set to disabled."
value_type : POLICY_DWORD
reg_key : "HKLM\System\CurrentControlSet\Control\Lsa\"
reg_item : "crashonauditfail"
value_data : 0
type : REGISTRY_SETTING
description : "1.1.3.2.2 Set 'Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings' to 'Enabled' "
info : "This policy setting allows administrators to enable the more precise auditing capabilities present in Windows Vista."
reference : "800-53|AU-2,CCE|CCE-22973-2,PCI|10.2,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
solution : "Make sure 'Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings' is set to enabled."
value_type : POLICY_DWORD
reg_key : "HKLM\System\CurrentControlSet\Control\Lsa\"
reg_item : "scenoapplylegacyauditpolicy"
value_data : 1
## 1.1.3.4 Devices
# NOTE(review): the description asks for 'Administrators and Interactive Users',
# but the solution text says "administrators" and value_data is 0. For
# AllocateDASD, 0 = Administrators, 1 = Administrators and Power Users,
# 2 = Administrators and Interactive Users, so a host configured as the
# description states would fail this check. Confirm which target is intended
# and align description, solution and value_data.
type : REGISTRY_SETTING
description : "1.1.3.4.3 Set 'Devices: Allowed to format and eject removable media' to 'Administrators and Interactive Users'"
info : "This policy setting determines who is allowed to format and eject removable media."
reference : "800-53|AC-3,800-53|SC-5,800-53|CM-7,800-53|MP-2,800-53|CM-6,CCE|CCE-23193-6,PCI|7.1.2,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
solution : "Make sure 'Devices: Allowed to format and eject removable media' is set to administrators."
value_type : POLICY_DWORD
reg_key : "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\"
reg_item : "AllocateDASD"
value_data : 0
## 1.1.3.5 Domain member
type : REGISTRY_SETTING
description : "1.1.3.5.1 Set 'Domain member: Require strong (Windows 2000 or later) session key' to 'Enabled'"
info : "When this policy setting is enabled, a secure channel can only be established with domain controllers that"
info : "are capable of encrypting secure channel data with a strong (128-bit) session key."
reference : "800-53|SC-2,800-53|CM-6,PCI|2.2.3,CCE|CCE-23007-8,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
solution : "Make sure 'Domain member: Require strong (Windows 2000 or later) session key' is enabled."
value_type : POLICY_DWORD
reg_key : "HKLM\System\CurrentControlSet\Services\Netlogon\Parameters\"
reg_item : "requirestrongkey"
value_data : 1
type : REGISTRY_SETTING
description : "1.1.3.5.2 Set 'Domain member: Digitally sign secure channel data (when possible)' to 'Enabled'"
info : "This policy setting determines whether a domain member should attempt to negotiate whether all secure channel"
info : "traffic that it initiates must be digitally signed."
reference : "PCI|8.4,800-53|SC-9,CCE|CCE-22386-7,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
solution : "Make sure 'Domain member: Digitally sign secure channel data (when possible)' is enabled."
value_type : POLICY_DWORD
reg_key : "HKLM\System\CurrentControlSet\Services\Netlogon\Parameters\"
reg_item : "signsecurechannel"
value_data : 1
type : REGISTRY_SETTING
description : "1.1.3.5.3 Set 'Domain member: Digitally encrypt secure channel data (when possible)' to 'Enabled'"
info : "This policy setting determines whether a domain member should attempt to negotiate encryption for all secure"
info : "channel traffic that it initiates."
reference : "800-53|SC-9,PCI|8.4,CCE|CCE-22611-8,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
solution : "Make sure 'Domain member: Digitally encrypt secure channel data (when possible)' is enabled."
value_type : POLICY_DWORD
reg_key : "HKLM\System\CurrentControlSet\Services\Netlogon\Parameters\"
reg_item : "sealsecurechannel"
value_data : 1
type : REGISTRY_SETTING
description : "1.1.3.5.4 Set 'Domain member: Maximum machine account password age' to '30 or fewer day(s) but not 0'"
info : "This policy setting determines the maximum allowable age for a computer account password."
reference : "800-53|IA-5,CCE|CCE-9123-1,800-53|AC-3,800-53|SC-5,800-53|CM-6,PCI|8.5,CCE|CCE-21621-8,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
solution : "Make sure 'Domain member: Maximum machine account password age' is set to a maximum of 30 days."
value_type : POLICY_DWORD
reg_key : "HKLM\System\CurrentControlSet\Services\Netlogon\Parameters"
reg_item : "MaximumPasswordAge"
reg_type : REG_DWORD
value_data : [1..30]
type : REGISTRY_SETTING
description : "1.1.3.5.5 Set 'Domain member: Digitally encrypt or sign secure channel data (always)' to 'Enabled'"
info : "This policy setting determines whether all secure channel traffic that is initiated by the domain member"
info : "must be signed or encrypted."
reference : "800-53|SC-9,PCI|8.4,CCE|CCE-22707-4,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
solution : "Make sure 'Domain member: Digitally encrypt or sign secure channel data (always)' is set to enabled."
value_type : POLICY_DWORD
reg_key : "HKLM\System\CurrentControlSet\Services\Netlogon\Parameters\"
reg_item : "requiresignorseal"
value_data : 1
type : REGISTRY_SETTING
description : "1.1.3.5.6 Set 'Domain member: Disable machine account password changes' to 'Disabled'"
info : "This policy setting determines whether a domain member can periodically change its computer account password."
reference : "800-53|IA-5,CCE|CCE-22359-4,PCI|2.2.3,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
solution : "Make sure 'Domain member: Disable machine account password changes' is disabled."
value_type : POLICY_DWORD
reg_key : "HKLM\System\CurrentControlSet\Services\Netlogon\Parameters\"
reg_item : "disablepasswordchange"
value_data : 0
## 1.1.3.6 Interactive logon
# NOTE(review): [MIN..3] also accepts 0. Microsoft documents 0 for this setting
# as "never lock out" (confirm against current documentation), in which case a
# host with lockout disabled would pass. The account lockout threshold check
# (1.1.1.1) earlier in this file uses [1..3]; consider the same lower bound
# here.
type : REGISTRY_SETTING
description : "1.1.3.6.1 Set 'Interactive logon: Machine account lockout threshold' to 3 or fewer invalid logon attempts"
info : "This security setting determines the number of failed logon attempts that causes the machine to be locked out."
reference : "CCE|CCE-22731-4,PCI|2.2.3,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
solution : "Make sure 'Interactive logon: Machine account lockout threshold' is set to 3 or fewer invalid logon attempts"
value_type : POLICY_DWORD
value_data : [MIN..3]
reg_key : "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\"
reg_item : "MaxDevicePasswordFailedAttempts"
type : REGISTRY_SETTING
description : "1.1.3.6.2 Set 'Interactive logon: Smart card removal behavior' to 'Lock Workstation'"
info : "This policy setting determines what happens when the smart card for a logged-on user is removed from"
info : "the smart card reader."
reference : "800-53|AC-3,800-53|SC-5,800-53|CM-7,PCI|2.2.3,800-53|CM-6,CCE|CCE-22168-9,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
solution : "Make sure 'Interactive logon: Smart card removal behavior' is set to lock the workstation."
value_type : POLICY_TEXT
reg_key : "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\"
reg_item : "scremoveoption"
value_data : "1"
# 1.1.3.6.3 Configure 'Interactive logon: Require smart card' (Not Scored)
type : REGISTRY_SETTING
description : "1.1.3.6.3 Configure 'Interactive logon: Require smart card'"
info : "This policy setting determines if a user is required to log on to a computer with a smart card."
reference : "PCI|8.5,CCE|CCE-22663-9,Level|1N"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
solution : "Make sure 'Interactive logon: Require smart card' is set to your organization's security policy."
value_type : POLICY_DWORD
reg_key : "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\"
reg_item : "scforceoption"
value_data : 0
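# Checks the Windows Update 'startup (minutes)' reschedule wait time.
# NOTE(review): this item reuses the ID 1.1.3.6.3 of the preceding
# 'Require smart card' item and reads a Windows Update policy key, although it
# sits in the Interactive logon section; results keyed by ID may collide.
# NOTE(review): description and solution ask for '10 or more' minutes, while
# [MIN..10] accepts 10 or fewer. Confirm the intended direction and align the
# range with the text.
type : REGISTRY_SETTING
description : "1.1.3.6.3 Set 'startup (minutes)' to '10 or more minute(s)'"
info : "This policy setting determines the amount of time before previously scheduled Automatic Update installations"
info : "will proceed after system startup."
reference : "Level|1S,800-53|SI-2,CCE|CCE-10205-3,PCI|2.2.3"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
solution : "Make sure 'startup (minutes)' is set to '10 or more minute(s)'"
value_type : POLICY_DWORD
reg_key : "HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU\"
reg_item : "RescheduleWaitTime"
value_data : [MIN..10]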
type : REGISTRY_SETTING
description : "1.1.3.6.4 Set 'Interactive logon: Do not display last user name' to 'Enabled'"
info : "This policy setting determines whether the account name of the last user to log on to the client computers in your"
info : "organization will be displayed in each computer's respective Windows logon screen."
reference : "800-53|AC-2,CCE|CCE-22615-9,PCI|2.2.3,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
solution : "Make sure 'Interactive logon: Do not display last user name' is enabled."
value_type : POLICY_DWORD
reg_key : "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\"
reg_item : "DontDisplayLastUserName"
value_data : 1
type : REGISTRY_SETTING
description : "1.1.3.6.5 Set 'Interactive logon: Number of previous logons to cache (in case domain controller is not available)' to '2 or fewer logon(s)'"
info : "This policy setting determines whether a user can log on to a Windows domain using cached account information."
reference : "800-53|AC-3,800-53|SC-5,800-53|CM-7,800-53|CM-6,PCI|2.2.3,CCE|CCE-22102-8,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
solution : "Make sure 'Interactive logon: Number of previous logons to cache (in case domain controller is not available)' is set to 2 or fewer logons."
value_type : POLICY_DWORD
reg_key : "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\"
reg_item : "cachedlogonscount"
value_data : [MIN..2]
type : REGISTRY_SETTING
description : "1.1.3.6.6 Set 'Interactive logon: Require Domain Controller authentication to unlock workstation' to 'Disabled'"
info : "Logon information is required to unlock a locked computer."
reference : "800-53|AC-3,800-53|SC-5,800-53|CM-7,800-53|CM-6,CCE|CCE-23063-1,PCI|2.2.3,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
solution : "Make sure 'Interactive logon: Require Domain Controller authentication to unlock workstation' is disabled."
value_type : POLICY_DWORD
reg_key : "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\"
reg_item : "ForceUnlockLogon"
value_data : 0
type : REGISTRY_SETTING
description : "1.1.3.6.7 Set 'Interactive logon: Prompt user to change password before expiration' to '14 or more day(s)'"
info : "This policy setting determines how far in advance users are warned that their password will expire."
reference : "800-53|IA-5,PCI|8.5,CCE|CCE-21892-5,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
solution : "Make sure 'Interactive logon: Prompt user to change password before expiration' is set to a minimum of 14 days."
value_type : POLICY_DWORD
reg_key : "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\"
reg_item : "passwordexpirywarning"
value_data : [14..MAX]
type : REGISTRY_SETTING
description : "1.1.3.6.8 Set 'Interactive logon: Do not require CTRL+ALT+DEL' to 'Disabled'"
info : "This policy setting determines whether users must press CTRL+ALT+DEL before they log on."
reference : "800-53|AC-3,800-53|SC-5,800-53|CM-7,800-53|CM-6,CCE|CCE-23522-6,PCI|2.2.3,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
solution : "Make sure 'Interactive logon: Do not require CTRL+ALT+DEL' is disabled."
value_type : POLICY_DWORD
reg_key : "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\"
reg_item : "DisableCAD"
value_data : 0
#1.1.3.6.9 Configure 'Interactive logon: Message text for users attempting to log on' (Scored)
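# Passes when InactivityTimeoutSecs is at most 900 seconds.
# NOTE(review): CHECK_LESS_THAN_OR_EQUAL with 900 also accepts 0, which is
# understood to disable the inactivity limit altogether (confirm). If so, a
# host with no session lock on inactivity would pass; consider a range with a
# lower bound of 1 instead.
type : REGISTRY_SETTING
description : "1.1.3.6.10 Set 'Interactive logon: Machine inactivity limit' to '900 or fewer seconds'"
info : "Windows notices inactivity of a logon session, and if the amount of inactive time exceeds the inactivity limit,"
info : "then the screen saver will run, locking the session."
reference : "CCE|CCE-21920-4,PCI|8.5.15,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
solution : "Make sure 'Interactive logon: Machine inactivity limit' is set to a maximum of 900 seconds (15 minutes)."
value_type : POLICY_DWORD
reg_key : "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\"
reg_item : "InactivityTimeoutSecs"
value_data : 900
check_type : CHECK_LESS_THAN_OR_EQUAL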
## 1.1.3.7 Microsoft network client
type : REGISTRY_SETTING
description : "1.1.3.7.1 Set 'Microsoft network client: Send unencrypted password to third-party SMB servers' to 'Disabled'"
info : "Disable this policy setting to prevent the SMB redirector from sending plaintext passwords during authentication"
info : "to third-party SMB servers that do not support password encryption."
reference : "800-53|SC-8,PCI|8.4,CCE|CCE-22405-5,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
solution : "Make sure 'Microsoft network client: Send unencrypted password to third-party SMB servers' is set to disabled."
value_type : POLICY_DWORD
reg_key : "HKLM\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\"
reg_item : "EnablePlainTextPassword"
value_data : 0
type : REGISTRY_SETTING
description : "1.1.3.7.2 Set 'Microsoft network client: Digitally sign communications (always)' to 'Enabled'"
info : "This policy setting determines whether packet signing is required by the SMB client component."
reference : "PCI|4.1,800-53|SC-8,800-53|SC-9,800-53|CM-6,PCI|2.2.3,CCE|CCE-22428-7,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
solution : "Make sure 'Microsoft network client: Digitally sign communications (always)' is set to enabled."
value_type : POLICY_DWORD
reg_key : "HKLM\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\"
reg_item : "RequireSecuritySignature"
value_data : 1
type : REGISTRY_SETTING
description : "1.1.3.7.3 Set 'Microsoft network client: Digitally sign communications (if server agrees)' to 'Enabled'"
info : "This policy setting determines whether the SMB client will attempt to negotiate SMB packet signing."
reference : "PCI|4.1,CCE|CCE-21863-6,PCI|2.2.3,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
solution : "Make sure 'Microsoft network client: Digitally sign communications (if server agrees)' is set to enabled."
value_type : POLICY_DWORD
reg_key : "HKLM\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\"
reg_item : "EnableSecuritySignature"
value_data : 1
## 1.1.3.8 Microsoft network server
type : REGISTRY_SETTING
description : "1.1.3.8.1 Set 'Microsoft network server: Disconnect clients when logon hours expire' to 'Enabled'"
info : "This policy setting determines whether to disconnect users who are connected to the local computer outside"
info : "their user account's valid logon hours."
reference : "800-53|SC-1,800-53|AC-3,800-53|SC-5,CCE|CCE-21516-0,800-53|CM-7,PCI|2.2.3,800-53|CM-6,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
solution : "Make sure 'Microsoft network server: Disconnect clients when logon hours expire' is enabled."
value_type : POLICY_DWORD
reg_key : "HKLM\System\CurrentControlSet\Services\LanManServer\Parameters\"
reg_item : "enableforcedlogoff"
value_data : 1
type : REGISTRY_SETTING
description : "1.1.3.8.2 Set 'Microsoft network server: Amount of idle time required before suspending session' to '15 or fewer minute(s)'"
info : "This policy setting allows you to specify the amount of continuous idle time that must pass in an SMB session"
info : "before the session is suspended because of inactivity."
reference : "800-53|AC-3,800-53|CM-7,800-53|AC-1,800-53|CM-6,CCE|CCE-21523-6,PCI|8.5.15,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
solution : "Make sure 'Microsoft network server: Amount of idle time required before suspending session' is set to a maximum of 15 minutes."
value_type : POLICY_DWORD
reg_key : "HKLM\System\CurrentControlSet\Services\LanManServer\Parameters\"
reg_item : "autodisconnect"
value_data : [MIN..15]
type : REGISTRY_SETTING
description : "1.1.3.8.3 Set 'Microsoft network server: Digitally sign communications (if client agrees)' to 'Enabled'"
info : "This policy setting determines if the server side SMB service is able to sign SMB packets if it is requested to do so by a"
info : "client that attempts to establish a connection."
reference : "800-53|AC-3,PCI|4.1,800-53|SC-8,800-53|CM-7,800-53|CM-6,PCI|2.2.3,CCE|CCE-22538-3,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
solution : "Make sure 'Microsoft network server: Digitally sign communications (if client agrees)' is enabled."
value_type : POLICY_DWORD
reg_key : "HKLM\System\CurrentControlSet\Services\LanManServer\Parameters\"
reg_item : "enablesecuritysignature"
value_data : 1
type : REGISTRY_SETTING
description : "1.1.3.8.4 Set 'Microsoft network server: Server SPN target name validation level' to 'Accept if provided by client'"
info : "This policy setting controls the level of validation a computer with shared folders or printers (the server) performs"
info : "on the service principal name (SPN) that is provided by the client computer when it establishes a session using the"
info : "server message block (SMB) protocol."
reference : "800-53|SC-9,CCE|CCE-21959-2,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
solution : "Make sure 'Microsoft network server: Server SPN target name validation level' is set to 'Accept if provided by client'"
value_type : POLICY_DWORD
reg_key : "HKLM\System\CurrentControlSet\Services\LanManServer\Parameters\"
reg_item : "SmbServerNameHardeningLevel"
value_data : 1
type : REGISTRY_SETTING
description : "1.1.3.8.5 Set 'Microsoft network server: Digitally sign communications (always)' to 'Enabled'"
info : "This policy setting determines if the server side SMB service is required to perform SMB packet signing."
reference : "800-53|SC-8,PCI|4.1,PCI|2.2.3,CCE|CCE-21791-9,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
solution : "Make sure 'Microsoft network server: Digitally sign communications (always)' is set to enabled."
value_type : POLICY_DWORD
reg_key : "HKLM\System\CurrentControlSet\Services\LanManServer\Parameters\"
reg_item : "requiresecuritysignature"
value_data : 1
## 1.1.3.9 MSS
type : REGISTRY_SETTING
description : "1.1.3.9.3 Set 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' to 'Disabled'"
info : "This setting is separate from the Welcome screen feature in Windows XP and Windows Vista."
reference : "800-53|AC-3,800-53|SC-5,800-53|CM-7,800-53|IA-2,PCI|2.2.3,800-53|CM-6,CCE|CCE-22349-5,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
solution : "Make sure AutoAdminLogon is disabled."
value_type : POLICY_DWORD
reg_key : "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\"
reg_item : "AutoAdminLogon"
value_data : 0
type : REGISTRY_SETTING
description : "1.1.3.9.4 Set 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' to '0.9 or less'"
info : "This setting can generate a security audit in the Security event log when the log reaches a user-defined threshold."
reference : "800-53|SC-5,800-53|AC-4,800-53|AU-9,PCI|10.7,CCE|CCE-23100-1,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
solution : "Make sure WarningLevel is set to 90 percent."
value_type : POLICY_DWORD
reg_key : "HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\"
reg_item : "WarningLevel"
value_data : 90
check_type : CHECK_LESS_THAN_OR_EQUAL
type : REGISTRY_SETTING
description : "1.1.3.9.5 Set 'MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)' to 'Highest protection, source routing is completely disabled'"
info : "IP source routing is a mechanism that allows the sender to determine the IP route that a datagram should take"
info : "through the network."
reference : "CCE|CCE-23103-5,800-53|AC-3,800-53|SC-5,800-53|CM-7,800-53|CM-6,PCI|2.2.3,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
solution : "Make sure DisableIPSourceRouting is set to a value of Highest protection, source routing is completely disabled."
value_type : POLICY_DWORD
reg_key : "HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\"
reg_item : "DisableIPSourceRouting"
value_data : 2
# 1.1.3.9.6 Set 'MSS: (AutoReboot) Allow Windows to automatically restart after a system crash (recommended except for highly secure environments)' to 'Not Defined' (Not Scored)
type : REGISTRY_SETTING
description : "1.1.3.9.6 Set 'MSS: (AutoReboot) Allow Windows to automatically restart after a system crash (recommended except for highly secure environments)' to 'Not Defined'"
info : "This entry appears as MSS: (AutoReboot) Allow Windows to automatically restart after a system crash."
reference : "CCE|CCE-22295-0,PCI|2.2.3,Level|1N"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
solution : "Make sure AutoReboot is set to your organization's security policy."
value_type : POLICY_DWORD
reg_key : "HKLM\SYSTEM\CurrentControlSet\Control\CrashControl\"
reg_item : "AutoReboot"
value_data : 1
type : REGISTRY_SETTING
description : "1.1.3.9.14 Set 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)' to '0'"
info : "The time in seconds before the screen saver grace period expires (0 recommended) in the SCE."
reference : "800-53|AC-3,800-53|CM-7,CCE|CCE-22617-5,PCI|2.2.3,800-53|AC-1,800-53|CM-6,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
solution : "Make sure ScreenSaverGracePeriod is set to 0 seconds."
value_type : POLICY_TEXT
reg_key : "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\"
reg_item : "ScreenSaverGracePeriod"
value_data : "0"
type : REGISTRY_SETTING
description : "1.1.3.9.15 Set 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' to 'Highest protection, source routing is completely disabled' "
info : "IP source routing is a mechanism that allows the sender to determine the IP route that a datagram should follow"
info : "through the network."
reference : "800-53|AC-3,800-53|SC-5,800-53|CM-7,800-53|CM-6,PCI|2.2.3,CCE|CCE-22578-9,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
solution : "Make sure DisableIPSourceRouting is set to a value of Highest protection, source routing is completely disabled."
value_type : POLICY_DWORD
reg_key : "HKLM\System\CurrentControlSet\Services\Tcpip6\Parameters\"
reg_item : "DisableIPSourceRouting"
value_data : 2
## 1.1.3.10 Network access
type : REGISTRY_SETTING
description : "1.1.3.10.1 Set 'Network access: Let Everyone permissions apply to anonymous users' to 'Disabled'"
info : "This policy setting determines what additional permissions are assigned for anonymous connections to the computer."
reference : "800-53|AC-2,800-53|IA-2,PCI|2.2.3,CCE|CCE-22447-7,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
solution : "Make sure EveryoneIncludesAnonymous is disabled."
value_type : POLICY_DWORD
reg_key : "HKLM\System\CurrentControlSet\Control\Lsa\"
reg_item : "EveryoneIncludesAnonymous"
value_data : 0
type : ANONYMOUS_SID_SETTING
description : "1.1.3.10.2 Set 'Network access: Allow anonymous SID/Name translation' to 'Disabled'"
info : "This policy setting determines whether an anonymous user can request security identifier (SID)"
info : "attributes for another user."
reference : "CCE|CCE-22042-6,800-53|AC-3,800-53|CM-7,PCI|2.2.3,800-53|CM-6,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
solution : "Make sure 'Network access: Allow anonymous SID/Name translation' is disabled."
value_type : POLICY_SET
value_data : "Disabled"
type : REGISTRY_SETTING
description : "1.1.3.10.3 Set 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' to 'Enabled'"
info : "This policy setting controls the ability of anonymous users to enumerate SAM accounts as well as shares."
reference : "800-53|AC-3,800-53|CM-7,PCI|2.2.3,800-53|CM-6,CCE|CCE-22585-4,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
solution : "Make sure 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' is enabled so this is not allowed."
value_type : POLICY_DWORD
reg_key : "HKLM\System\CurrentControlSet\Control\Lsa\"
reg_item : "RestrictAnonymous"
value_data : 1
# 1.1.3.10.4 Configure 'Network access: Named Pipes that can be accessed anonymously' (Not Scored)
type : REGISTRY_SETTING
description : "1.1.3.10.5 Set 'Network access: Restrict anonymous access to Named Pipes and Shares' to 'Enabled'"
info : "When enabled, this policy setting restricts anonymous access to only those shares and pipes that are named"
info : "in the Named pipes and Shares."
reference : "800-53|CM-7,PCI|2.2.3,CCE|CCE-22658-9,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
solution : "Make sure restrictnullsessaccess is enabled."
value_type : POLICY_DWORD
reg_key : "HKLM\System\CurrentControlSet\Services\LanManServer\Parameters\"
reg_item : "restrictnullsessaccess"
value_data : 1
type : REGISTRY_SETTING
description : "1.1.3.10.6 Set 'Network access: Sharing and security model for local accounts' to 'Classic - local users authenticate as themselves'"
info : "This policy setting determines how network logons that use local accounts are authenticated."
reference : "CCE|CCE-21740-6,800-53|CM-7,800-53|IA-2,PCI|2.2.3,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
solution : "Make sure 'Network access: Sharing and security model for local accounts' is set to classic."
value_type : POLICY_DWORD
reg_key : "HKLM\System\CurrentControlSet\Control\Lsa\"
reg_item : "ForceGuest"
value_data : 0
type : REGISTRY_SETTING
description : "1.1.3.10.7 Set 'Network access: Remotely accessible registry paths and sub-paths' to the following list"
info : "This policy setting determines which registry paths and sub-paths will be accessible when an application or"
info : "process references the WinReg key to determine access permissions."
reference : "CCE|CCE-22977-3,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
solution : "Make sure Remotely accessible registry paths are set to 'System\CurrentControlSet\Control\Print\Printers',
'System\CurrentControlSet\Services\Eventlog',
'Software\Microsoft\OLAP Server',
'Software\Microsoft\Windows NT\CurrentVersion\Print',
'Software\Microsoft\Windows NT\CurrentVersion\Windows',
'System\CurrentControlSet\Control\ContentIndex',
'System\CurrentControlSet\Control\Terminal Server',
'System\CurrentControlSet\Control\Terminal Server\UserConfig',
'System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration',
'Software\Microsoft\Windows NT\CurrentVersion\Perflib',
'System\CurrentControlSet\Services\SysmonLog'."
value_type : POLICY_MULTI_TEXT
reg_key : "HKLM\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths\"
reg_item : "Machine"
value_data : "System\CurrentControlSet\Control\Print\Printers" && "System\CurrentControlSet\Services\Eventlog" && "Software\Microsoft\OLAP Server" && "Software\Microsoft\Windows NT\CurrentVersion\Print" && "Software\Microsoft\Windows NT\CurrentVersion\Windows" && "System\CurrentControlSet\Control\ContentIndex" && "System\CurrentControlSet\Control\Terminal Server" && "System\CurrentControlSet\Control\Terminal Server\UserConfig" && "System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration" && "Software\Microsoft\Windows NT\CurrentVersion\Perflib" && "System\CurrentControlSet\Services\SysmonLog"
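# 1.1.3.10.8 Set 'Network access: Shares that can be accessed anonymously' to 'Not Defined' (Scored)
# The item id in the description is aligned with the benchmark id in the comment above; the previous
# id (1.1.3.11.3) collided with the 'Allow Local System to use computer identity for NTLM' item.
# An empty NullSessionShares list means no share is named as reachable over a null session.
# NOTE(review): value_data "" expects an empty list; whether a host where the value is absent
# ('Not Defined') also passes is not visible here - confirm, or add reg_option : CAN_BE_NULL.
type : REGISTRY_SETTING
description : "1.1.3.10.8 Configure Network access: Shares that can be accessed anonymously"
solution : "Make sure NullSessionShares is set to your organization's security policy."
reference : "800-53|CM-7,800-53|IA-2,PCI|2.2.3,CCE|CCE-23257-9,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
info : "This policy setting determines which network shares can be accessed by anonymous users."
value_type : POLICY_MULTI_TEXT
reg_key : "HKLM\System\CurrentControlSet\Services\LanManServer\Parameters\"
reg_item : "NullSessionShares"
value_data : ""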
# NOTE(review): this item audits the same reg_key, reg_item and path list as 1.1.3.10.7
# ('Remotely accessible registry paths and sub-paths'), so it adds no coverage of its own.
# On Windows the 'Remotely accessible registry paths' policy (no sub-paths) is stored under
# ...\SecurePipeServers\Winreg\AllowedExactPaths\Machine - confirm the key and the expected
# list against the benchmark before relying on this result.
type : REGISTRY_SETTING
description : "1.1.3.10.10 Set 'Network access: Remotely accessible registry paths' to the following list"
info : "This policy setting determines which registry paths and sub-paths will be accessible when an application or process"
info : "references the WinReg key."
reference : "800-53|CM-7,PCI|2.2.3,CCE|CCE-21504-6,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
solution : "Make sure Remotely accessible registry paths are set to 'System\CurrentControlSet\Control\Print\Printers',
'System\CurrentControlSet\Services\Eventlog',
'Software\Microsoft\OLAP Server',
'Software\Microsoft\Windows NT\CurrentVersion\Print',
'Software\Microsoft\Windows NT\CurrentVersion\Windows',
'System\CurrentControlSet\Control\ContentIndex',
'System\CurrentControlSet\Control\Terminal Server',
'System\CurrentControlSet\Control\Terminal Server\UserConfig',
'System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration',
'Software\Microsoft\Windows NT\CurrentVersion\Perflib',
'System\CurrentControlSet\Services\SysmonLog'."
value_type : POLICY_MULTI_TEXT
reg_key : "HKLM\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths\"
reg_item : "Machine"
value_data : "System\CurrentControlSet\Control\Print\Printers" && "System\CurrentControlSet\Services\Eventlog" && "Software\Microsoft\OLAP Server" && "Software\Microsoft\Windows NT\CurrentVersion\Print" && "Software\Microsoft\Windows NT\CurrentVersion\Windows" && "System\CurrentControlSet\Control\ContentIndex" && "System\CurrentControlSet\Control\Terminal Server" && "System\CurrentControlSet\Control\Terminal Server\UserConfig" && "System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration" && "Software\Microsoft\Windows NT\CurrentVersion\Perflib" && "System\CurrentControlSet\Services\SysmonLog"
## 1.1.3.11 Network security
type : REGISTRY_SETTING
description : "1.1.3.11.1 Set 'Network security: Do not store LAN Manager hash value on next password change' to 'Enabled'"
info : "This policy setting determines whether the LAN Manager (LM) hash value for the new password is stored when"
info : "the password is changed."
reference : "PCI|8.4,800-53|AC-3,800-53|SC-5,800-53|CM-7,800-53|CM-6,CCE|CCE-22552-4,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
solution : "Make sure 'Network security: Do not store LAN Manager hash value on next password change' is enabled."
value_type : POLICY_DWORD
reg_key : "HKLM\System\CurrentControlSet\Control\Lsa\"
reg_item : "NoLMHash"
value_data : 1
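# Server-side NTLM SSP minimum session security. The policy named in the description is backed by
# NTLMMinServerSec; NTLMMinClientSec belongs to the '... clients' policy, which 1.1.3.11.7 audits.
# Reading the client value here would leave the server-side setting unchecked.
# 537395200 = 0x20080000: require NTLMv2 session security (0x00080000) + require 128-bit encryption (0x20000000).
type : REGISTRY_SETTING
description : "1.1.3.11.2 Set 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' to 'Require NTLMv2 session security,Require 128-bit encryption'"
info : "This policy setting determines which behaviors are allowed for applications using the NTLM Security Support Provider."
reference : "CCE|CCE-23391-6,Level|1S,PCI|8.4,800-53|AC-3,800-53|CM-6"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
solution : "Make sure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' is set to require NTLMv2 session security and 128-bit encryption."
value_type : POLICY_DWORD
reg_key : "HKLM\System\CurrentControlSet\Control\Lsa\MSV1_0\"
reg_item : "NTLMMinServerSec"
value_data : 537395200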
type : REGISTRY_SETTING
description : "1.1.3.11.3 Set 'Network security: Allow Local System to use computer identity for NTLM' to 'Enabled'"
info : "This policy setting causes Local System services that use Negotiate to use the computer identity when NTLM"
info : "authentication is selected by the negotiation."
reference : "800-53|CM-7,800-53|IA-2,PCI|2.2.3,CCE|CCE-23578-8,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
solution : "Make sure 'Allow Local System to use computer identity for NTLM' is configured to 'Enabled'"
value_type : POLICY_DWORD
reg_key : "HKLM\System\CurrentControlSet\Control\Lsa"
reg_item : "UseMachineID"
value_data : 1
reg_option : CAN_BE_NULL
type : REGISTRY_SETTING
description : "1.1.3.11.4 Set 'Network security: Allow LocalSystem NULL session fallback' to 'Disabled'"
info : "This control determines if a service is allowed to establish a NULL session connection."
solution : "Make sure 'Allow LocalSystem NULL session fallback' is configured to 'Disabled'"
reference : "800-53|CM-7,800-53|IA-2,PCI|2.2.3,CCE|CCE-23261-1,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\System\CurrentControlSet\Control\Lsa\MSV1_0"
reg_item : "allownullsessionfallback"
value_data : 0
reg_option : CAN_BE_NULL
type : REGISTRY_SETTING
description : "1.1.3.11.7 Set 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' to 'Require NTLMv2 session security,Require 128-bit encryption'"
info : "This policy setting determines which behaviors are allowed for applications using the NTLM Security Support Provider."
reference : "PCI|8.4,800-53|AC-3,800-53|CM-6,CCE|CCE-22749-6,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
solution : "Make sure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' is set to require NTLMv2 session security and 128-bit encryption."
value_type : POLICY_DWORD
reg_key : "HKLM\System\CurrentControlSet\Control\Lsa\MSV1_0\"
reg_item : "NTLMMinClientSec"
value_data : 537395200
# 1.1.3.11.10 Set 'Network Security: Restrict NTLM: Audit Incoming NTLM Traffic' to 'Not Defined' (Scored)
# NOTE(review): the benchmark title asks for 'Not Defined', but this check passes only when
# AuditReceivingNTLMTraffic equals 1 and carries no reg_option : CAN_BE_NULL, so a host where the
# policy is left undefined will presumably not pass. Set value_data to the site's policy or
# confirm the intent before treating a failure here as a finding.
type : REGISTRY_SETTING
description : "1.1.3.11.10 Set 'Network Security: Restrict NTLM: Audit Incoming NTLM Traffic' to 'Not Defined'"
info : "This policy setting allows you to audit incoming NTLM traffic."
solution : "Make sure 'Network Security: Restrict NTLM: Audit Incoming NTLM Traffic' is set to your organization's security policy."
reference : "CCE|CCE-21941-0,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\System\CurrentControlSet\Control\Lsa\MSV1_0\"
reg_item : "AuditReceivingNTLMTraffic"
value_data : 1
type : REGISTRY_SETTING
description : "1.1.3.11.11 Set 'Network security: LAN Manager authentication level' to 'Send NTLMv2 response only. Refuse LM & NTLM'"
info : "LAN Manager (LM) is a family of early Microsoft client/server software that allows users to link personal"
info : "computers together on a single network."
reference : "PCI|8.4,800-53|AC-3,CCE|CCE-22639-9,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
solution : "Make sure 'Network security: LAN Manager authentication level' is set to send NTLMv2 response only and refuse LM and NTLM."
value_type : POLICY_DWORD
reg_key : "HKLM\System\CurrentControlSet\Control\Lsa\"
reg_item : "LmCompatibilityLevel"
value_data : 5
# 1.1.3.11.12 Set 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' to 'Disabled' (Scored)
type : REGISTRY_SETTING
description : "1.1.3.11.12 Set 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' to 'Disabled'"
info : "The PKU2U protocol is a peer-to-peer authentication protocol. In most managed networks authentication should be managed centrally."
solution : "Make sure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to your organization's security policy."
reference : "PCI|8.5,800-53|CM-7,800-53|IA-2,CCE|CCE-22829-6,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\System\CurrentControlSet\Control\LSA\pku2u\"
reg_item : "AllowOnlineID"
value_data : 0
# 1.1.3.11.15 Set 'Network Security: Configure encryption types allowed for Kerberos' to 'RC4\AES128\AES256\Future types'(Scored)
# 2147483644 = 0x7FFFFFFC: RC4_HMAC_MD5 (0x4) + AES128 (0x8) + AES256 (0x10) + future types (0x7FFFFFE0);
# the two DES bits (0x1, 0x2) are clear.
# NOTE(review): no check_type is given, so this is presumably an exact match - a host hardened to
# AES-only would then be reported as non-compliant; adjust value_data to the site's policy.
type : REGISTRY_SETTING
description : "1.1.3.11.15 Set 'Network Security: Configure encryption types allowed for Kerberos' to 'RC4\AES128\AES256\Future types'"
info : "This policy setting allows you to set the encryption types that Kerberos is allowed to use."
solution : "Make sure 'Network Security: Configure encryption types allowed for Kerberos' is set to your organization's security policy."
reference : "CCE|CCE-22301-6,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters\"
reg_item : "SupportedEncryptionTypes"
value_data : 2147483644
type : REGISTRY_SETTING
description : "1.1.3.11.16 Set 'Network security: LDAP client signing requirements' to 'Negotiate signing'"
info : "This policy setting determines the level of data signing that is requested on behalf of clients that"
info : "issue LDAP BIND requests."
reference : "PCI|8.4,800-53|CM-7,CCE|CCE-23400-5,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
solution : "Make sure 'Network security: LDAP client signing requirements' is set to negotiate signing."
value_type : POLICY_DWORD
reg_key : "HKLM\System\CurrentControlSet\Services\LDAP\"
reg_item : "LDAPClientIntegrity"
value_data : 1
## 1.1.3.12 Recovery console
type : REGISTRY_SETTING
description : "1.1.3.12.1 Set 'Recovery console: Allow automatic administrative logon' to 'Disabled'"
info : "The recovery console is a command-line environment that is used to recover from system problems."
solution : "Make sure 'Recovery console: Allow automatic administrative logon' is disabled."
reference : "800-53|IA-2,PCI|2.2.3,800-53|AC-1,CCE|CCE-22384-2,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\"
reg_item : "securitylevel"
value_data : 0
type : REGISTRY_SETTING
description : "1.1.3.12.2 Set 'Recovery console: Allow floppy copy and access to all drives and all folders' to 'Disabled'"
info : "This policy setting makes the Recovery Console SET command available which allows you to set the following recovery"
info : "console environment variables: - AllowWildCards. Enables wildcard support for some commands (such as the DEL command)."
info : "- AllowAllPaths. Allows access to all files and folders on the computer. - AllowRemovableMedia. Allows files to be"
info : "copied to removable media, such as a floppy disk."
reference : "CCE|CCE-23133-2,800-53|CM-2,800-53|CM-7,PCI|2.2.3,800-53|AC-1,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
solution : "Make sure 'Recovery console: Allow floppy copy and access to all drives and all folders' is disabled."
value_type : POLICY_DWORD
reg_key : "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\"
reg_item : "setcommand"
value_data : 0
## 1.1.3.13 Shutdown
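# The registry value behind 'Shutdown: Clear virtual memory pagefile' is ClearPageFileAtShutdown.
# The reg_item previously contained stray non-ASCII characters in place of "File", so the check
# could not match the real value. 0 = the pagefile is not wiped at shutdown.
type : REGISTRY_SETTING
description : "1.1.3.13.1 Set 'Shutdown: Clear virtual memory pagefile' to 'Disabled'"
info : "This policy setting determines whether the virtual memory pagefile is cleared when the system is shut down."
reference : "CCE|CCE-22950-0,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
solution : "Make sure 'Shutdown: Clear virtual memory pagefile' is disabled."
value_type : POLICY_DWORD
reg_key : "HKLM\System\CurrentControlSet\Control\Session Manager\Memory Management\"
reg_item : "ClearPageFileAtShutdown"
value_data : 0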
# NOTE(review): the description asks for 'Enabled', while the solution text and value_data (0)
# expect the policy to be disabled (ShutdownWithoutLogon = 0: a user must log on before the
# system can be shut down). Confirm the intended state against the benchmark and align the
# description, solution and value_data; as written, the report text and the check disagree.
type : REGISTRY_SETTING
description : "1.1.3.13.2 Set 'Shutdown: Allow system to be shut down without having to log on' to 'Enabled'"
info : "This policy setting determines whether a computer can be shut down when a user is not logged on."
reference : "CCE|CCE-22913-8,800-53|CM-7,PCI|2.2.3,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
solution : "Make sure 'Shutdown: Allow system to be shut down without having to log on' is disabled."
value_type : POLICY_DWORD
reg_key : "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\"
reg_item : "ShutdownWithoutLogon"
value_data : 0
## 1.1.3.14 System cryptography
type : REGISTRY_SETTING
description : "1.1.3.14.2 Set 'System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing' to 'Enabled' "
info : "This policy setting determines whether the Transport Layer Security/Secure Sockets Layer (TLS/SSL) Security Provider"
info : "supports only the TLS_RSA_WITH_3DES_EDE_CBC_SHA cipher."
reference : "PCI|8.4,800-53|SC-9,CCE|CCE-21453-6,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
solution : "Make sure 'System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing' is enabled."
value_type : POLICY_DWORD
reg_key : "HKLM\System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy\"
reg_item : "Enabled"
value_data : 1
type : REGISTRY_SETTING
description : "1.1.3.15.1 Set 'System objects: Strengthen default permissions of internal system objects (e'g' Symbolic Links)' to 'Enabled'"
info : "This policy setting determines the strength of the default discretionary access control list (DACL) for objects."
reference : "CCE|CCE-22783-5,PCI|2.2.3,800-53|CM-6,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
solution : "Make sure 'System objects: Strengthen default permissions of internal system objects' is enabled."
value_type : POLICY_DWORD
reg_key : "HKLM\System\CurrentControlSet\Control\Session Manager\"
reg_item : "ProtectionMode"
value_data : 1
type : REGISTRY_SETTING
description : "1.1.3.15.2 Set 'System objects: Require case insensitivity for non-Windows subsystems' to 'Enabled'"
info : "This policy setting determines whether case insensitivity is enforced for all subsystems."
reference : "CCE|CCE-22786-8,PCI|2.2.3,800-53|CM-6,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
solution : "Make sure 'System objects: Require case insensitivity for non-Windows subsystems' is enabled."
value_type : POLICY_DWORD
reg_key : "HKLM\System\CurrentControlSet\Control\Session Manager\Kernel\"
reg_item : "ObCaseInsensitive"
value_data : 1
## 1.1.3.16 System settings
type : REGISTRY_SETTING
description: "1.1.3.17.1 Set 'User Account Control: Admin Approval Mode for the Built-in Administrator account' to 'Enabled' "
info : "This policy setting controls the behavior of Admin Approval Mode for the built-in Administrator account."
reference : "PCI|7.1.1,800-53|AC-2,800-53|IA-2,CCE|CCE-22294-3,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
solution : "Make sure 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is enabled."
value_type : POLICY_DWORD
reg_key : "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\"
reg_item : "FilterAdministratorToken"
value_data : 1
type : REGISTRY_SETTING
description: "1.1.3.17.2 Set 'User Account Control: Detect application installations and prompt for elevation' to 'Enabled'"
info : "This policy setting controls the behavior of application installation detection for the computer."
reference : "800-53|AC-3,800-53|AC-6,CCE|CCE-22466-7,PCI|7.1.1,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
solution : "Make sure 'User Account Control: Detect application installations and prompt for elevation' is enabled."
value_type : POLICY_DWORD
reg_key : "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\"
reg_item : "EnableInstallerDetection"
value_data : 1
type : REGISTRY_SETTING
description: "1.1.3.17.3 Set 'User Account Control: Behavior of the elevation prompt for standard users' to 'Automatically deny elevation requests' "
info : "This policy setting controls the behavior of the elevation prompt for standard users"
solution : "Make sure 'Behavior of the Elevation Prompt for Standard Users' is set to Automatically deny elevation requests."
reference : "CCE|CCE-21703-4,PCI|7.1.1,800-53|AC-2,800-53|IA-2,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System"
reg_item : "ConsentPromptBehaviorUser"
value_data : 0
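# ConsentPromptBehaviorAdmin values: 1 = prompt for credentials on the secure
# desktop, 2 = prompt for consent on the secure desktop. The description and
# solution both name the consent prompt, so the expected value is 2.
type : REGISTRY_SETTING
description: "1.1.3.17.4 Set 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' to 'Prompt for consent on the secure desktop'"
info : "This policy setting controls the behavior of the elevation prompt for administrators."
solution : "Make sure 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' is set to 'Prompt for consent on the secure desktop'"
reference : "CCE|CCE-22243-0,PCI|7.1.1,800-53|AC-2,800-53|IA-2,Level|1N"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System"
reg_item : "ConsentPromptBehaviorAdmin"
value_data : 2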
type : REGISTRY_SETTING
description: "1.1.3.17.5 Set 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' to 'Enabled'"
info : "This policy setting controls whether applications that request to run with a User Interface Accessibility"
info : "(UIAccess) integrity level must reside in a secure location in the file system."
solution : "Make sure 'Only Elevate UIAccess applications that are Installed in Secure Locations' is Enabled."
reference : "CCE|CCE-22553-2,800-53|AC-3,800-53|AC-6,PCI|7.1.1,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System"
reg_item : "EnableSecureUIAPaths"
value_data : 1
type : REGISTRY_SETTING
description: "1.1.3.17.6 Set 'User Account Control: Virtualize file and registry write failures to per-user locations' to 'Enabled'"
info : "This policy setting controls whether application write failures are redirected to defined registry and"
info : "file system locations."
solution : "Make sure 'User Account Control: Virtualize file and registry write failures to per-user locations' is enabled."
reference : "CCE|CCE-22126-7,800-53|AC-3,800-53|AC-6,PCI|7.1.1,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\"
reg_item : "EnableVirtualization"
value_data : 1
type : REGISTRY_SETTING
description: "1.1.3.17.7 Set 'User Account Control: Switch to the secure desktop when prompting for elevation' to 'Enabled'"
info : "This policy setting controls whether the elevation request prompt is displayed on the interactive user's desktop"
info : "or the secure desktop."
solution : "Make sure 'User Account Control: Switch to the secure desktop when prompting for elevation' is enabled."
reference : "800-53|AC-3,800-53|AC-6,CCE|CCE-21801-6,PCI|7.1.1,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\"
reg_item : "PromptOnSecureDesktop"
value_data : 1
type : REGISTRY_SETTING
description: "1.1.3.17.8 Set 'User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop' to 'Disabled' "
info : "This policy setting controls whether User Interface Accessibility (UIAccess or UIA) programs can automatically"
info : "disable the secure desktop for elevation prompts used by a standard user."
solution : "Make sure 'User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop' is disabled."
reference : "PCI|7.2.2,800-53|AC-3,800-53|AC-6,PCI|7.1.1,PCI|7.1.3,PCI|7.1.2,PCI|7.2.1,CCE|CCE-21458-5,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\"
reg_item : "EnableUIADesktopToggle"
value_data : 0
type : REGISTRY_SETTING
description: "1.1.3.17.9 Set 'User Account Control: Only elevate executables that are signed and validated' to 'Disabled'"
info : "This policy setting enforces public key infrastructure (PKI) signature checks for any interactive applications"
info : "that request elevation of privilege."
solution : "Make sure 'User Account Control: Only elevate executables that are signed and validated' is disabled."
reference : "CCE|CCE-22436-0,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\"
reg_item : "ValidateAdminCodeSignatures"
value_data : 0
type : REGISTRY_SETTING
description: "1.1.3.17.10 Set 'User Account Control: Run all administrators in Admin Approval Mode' to 'Enabled'"
info : "This policy setting controls the behavior of all User Account Control (UAC) policy settings for the computer."
solution : "Make sure 'User Account Control: Run all administrators in Admin Approval Mode' is enabled."
reference : "CCE|CCE-21534-3,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\"
reg_item : "EnableLUA"
value_data : 1
## 1.1.4 User Rights Assignment
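# Exactly one value_data line. Elsewhere in this file an empty value_data ("")
# is what 'No One' items expect, so a second, empty value_data here would
# contradict the 'Guests' requirement stated in the description.
type : USER_RIGHTS_POLICY
description: "1.1.4.2 Set 'Deny log on through Remote Desktop Services' to 'Guests'"
info : "This policy setting determines whether users can log on as Terminal Services clients."
solution : "Make sure 'Deny log on through Remote Desktop Services' is set to 'Guests'."
reference : "PCI|7.2.2,PCI|7.1.2,PCI|7.2.1,CCE|CCE-21638-2,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
value_type : USER_RIGHT
right_type : SeDenyRemoteInteractiveLogonRight
value_data : "Guests"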
type : USER_RIGHTS_POLICY
description : "1.1.4.3 Set 'Deny access to this computer from the network' to 'Guests'"
info : "This policy setting prohibits users from connecting to a computer from across the network."
solution : "Make sure 'Deny access to this computer from the network' is set to guests."
reference : "800-53|IA-2,PCI|7.2.2,CCE|CCE-21840-4,PCI|7.1.2,PCI|7.2.1,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
value_type : USER_RIGHT
right_type : SeDenyNetworkLogonRight
value_data : "guests"
type : USER_RIGHTS_POLICY
description : "1.1.4.4 Set 'Create a pagefile' to 'Administrators'"
info : "This policy setting allows users to change the size of the pagefile."
solution : "Make sure 'Create a pagefile' is set to administrators."
reference : "800-53|AC-3,800-53|CM-6,PCI|7.2.2,CCE|CCE-21617-6,PCI|7.1.3,PCI|7.1.2,PCI|7.2.1,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
value_type : USER_RIGHT
right_type : SeCreatePagefilePrivilege
value_data : "Administrators"
type : USER_RIGHTS_POLICY
description : "1.1.4.5 Set 'Create permanent shared objects' to 'No One'"
info : "This user right is useful to kernel-mode components that extend the object namespace."
solution : "Make sure 'Create permanent shared objects' is set to No One."
reference : "800-53|AC-3,800-53|CM-6,PCI|7.2.2,CCE|CCE-22141-6,PCI|7.1.2,PCI|7.2.1,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
value_type : USER_RIGHT
right_type : SeCreatePermanentPrivilege
value_data : ""
type : USER_RIGHTS_POLICY
description : "1.1.4.6 Set 'Increase scheduling priority' to 'Administrators'"
info : "This policy setting determines whether users can increase the base priority class of a process."
solution : "Make sure 'Increase scheduling priority' is set to Administrators."
reference : "800-53|AC-3,800-53|CM-6,PCI|7.2.2,CCE|CCE-22960-9,PCI|7.1.3,PCI|7.1.2,PCI|7.2.1,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
value_type : USER_RIGHT
right_type : SeIncreaseBasePriorityPrivilege
value_data : "Administrators"
type : USER_RIGHTS_POLICY
description : "1.1.4.7 Set 'Access this computer from the network' to 'Users, Administrators'"
info : "This policy setting allows other users on the network to connect to the computer and is required by various"
info : "network protocols that include Server Message Block (SMB)-based protocols, NetBIOS, Common Internet File System (CIFS),"
info : "and Component Object Model Plus (COM+)."
solution : "Make sure 'Access this computer from the network' is set to administrators and users."
reference : "800-53|AC-3,800-53|CM-6,PCI|7.2.2,CCE|CCE-22976-5,PCI|7.1.3,PCI|7.1.2,PCI|7.2.1,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
value_type : USER_RIGHT
right_type : SeNetworkLogonRight
value_data : "administrators" && "users"
type : USER_RIGHTS_POLICY
description : "1.1.4.8 Set 'Force shutdown from a remote system' to 'Administrators'"
info : "This policy setting allows users to shut down Windows Vista-based computers from remote locations on the network."
solution : "Make sure 'Force shutdown from a remote system' is set to administrators."
reference : "800-53|AC-1,PCI|7.2.2,PCI|7.1.3,PCI|7.1.2,CCE|CCE-22886-6,PCI|7.2.1,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
value_type : USER_RIGHT
right_type : SeRemoteShutdownPrivilege
value_data : "Administrators"
type : USER_RIGHTS_POLICY
description : "1.1.4.9 Set 'Change the time zone' to 'LOCAL SERVICE, Administrators, Users'"
info : "This setting determines which users can change the time zone of the computer."
solution : "Make sure 'Change the time zone' is set to local service, administrators, and users."
reference : "PCI|7.2.2,CCE|CCE-22291-9,PCI|7.1.3,PCI|7.1.2,PCI|7.2.1,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
value_type : USER_RIGHT
right_type : SeTimeZonePrivilege
value_data : "administrators" && "local service" && "users"
type : USER_RIGHTS_POLICY
description : "1.1.4.10 Set 'Create global objects' to 'Administrators, SERVICE, LOCAL SERVICE, NETWORK SERVICE'"
info : "This policy setting determines whether users can create global objects that are available to all sessions."
solution : "Make sure 'Create global objects' is set to administrators, service, local service and network service."
reference : "800-53|AC-3,800-53|CM-6,PCI|7.2.2,PCI|7.1.3,CCE|CCE-21432-0,PCI|7.1.2,PCI|7.2.1,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
value_type : USER_RIGHT
right_type : SeCreateGlobalPrivilege
value_data : "administrators" && "local service" && "network service" && "service"
type : USER_RIGHTS_POLICY
description : "1.1.4.11 Set 'Enable computer and user accounts to be trusted for delegation' to 'No One'"
info : "This policy setting allows users to change the Trusted for Delegation setting on a computer object in Active Directory."
solution : "Make sure 'Enable computer and user accounts to be trusted for delegation' is set to no one."
reference : "800-53|AC-3,800-53|CM-6,PCI|7.2.2,CCE|CCE-23258-7,PCI|7.1.3,PCI|7.1.2,PCI|7.2.1,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
value_type : USER_RIGHT
right_type : SeEnableDelegationPrivilege
value_data : ""
type : USER_RIGHTS_POLICY
description : "1.1.4.12 Set 'Profile single process' to 'Administrators'"
info : "This policy setting determines which users can use tools to monitor the performance of non-system processes."
solution : "Make sure 'Profile single process' is set to Administrators."
reference : "800-53|CM-6,PCI|7.2.2,CCE|CCE-21895-8,PCI|7.1.3,PCI|7.1.2,PCI|7.2.1,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
value_type : USER_RIGHT
right_type : SeProfileSingleProcessPrivilege
value_data : "administrators"
type : USER_RIGHTS_POLICY
description : "1.1.4.13 Set 'Shut down the system' to 'Administrators, Users'"
info : "This policy setting determines which users can shut down the operating system with the Shut Down command."
solution : "Make sure 'Shut down the system' is set to Administrators and Users."
reference : "800-53|AC-3,800-53|CM-7,800-53|CM-6,PCI|7.2.2,CCE|CCE-21391-8,PCI|7.1.3,PCI|7.1.2,PCI|7.2.1,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
value_type : USER_RIGHT
right_type : SeShutdownPrivilege
value_data : "administrators" && "users"
type : USER_RIGHTS_POLICY
description : "1.1.4.14 Set 'Take ownership of files or other objects' to 'Administrators'"
info : "This policy setting allows users to take ownership of files, folders, registry keys, processes, or threads."
solution : "Make sure 'Take ownership of files or other objects' is set to Administrators."
reference : "800-53|CM-6,PCI|7.2.2,CCE|CCE-23192-8,PCI|7.1.3,PCI|7.1.2,PCI|7.2.1,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
value_type : USER_RIGHT
right_type : SeTakeOwnershipPrivilege
value_data : "administrators"
type : USER_RIGHTS_POLICY
description : "1.1.4.15 Set 'Create symbolic links' to 'Administrators'"
info : "This policy setting determines which users can create symbolic links."
solution : "Make sure 'Create symbolic links' is set to administrators."
reference : "800-53|CM-7,800-53|CM-6,PCI|7.2.2,PCI|7.1.3,PCI|7.1.2,PCI|7.2.1,CCE|CCE-22166-3,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
value_type : USER_RIGHT
right_type : SeCreateSymbolicLinkPrivilege
value_data : "administrators"
type : USER_RIGHTS_POLICY
description : "1.1.4.16 Set 'Act as part of the operating system' to 'No One'"
info : "This policy setting allows a process to assume the identity of any user and thus gain access to the resources that"
info : "the user is authorized to access."
solution : "Make sure no one can act as part of the operating system."
reference : "800-53|IA-2,800-53|AC-1,PCI|7.2.2,CCE|CCE-23381-7,PCI|7.1.2,PCI|7.2.1,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
value_type : USER_RIGHT
right_type : SeTcbPrivilege
value_data : ""
type : USER_RIGHTS_POLICY
description : "1.1.4.17 Set 'Modify firmware environment values' to 'Administrators'"
info : "This policy setting allows users to configure the system-wide environment variables that affect hardware configuration."
solution : "Make sure 'Modify firmware environment values' is set to Administrators."
reference : "PCI|7.2.2,CCE|CCE-23145-6,PCI|7.1.3,PCI|7.1.2,PCI|7.2.1,800-53|CM-3,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
value_type : USER_RIGHT
right_type : SeSystemEnvironmentPrivilege
value_data : "administrators"
type : USER_RIGHTS_POLICY
description : "1.1.4.18 Set 'Back up files and directories' to 'Administrators'"
info : "This policy setting allows users to circumvent file and directory permissions to back up the system."
solution : "Make sure 'Back up files and directories' is set to administrators."
reference : "800-53|CP-9,PCI|7.2.2,PCI|7.1.3,PCI|7.1.2,PCI|7.2.1,CCE|CCE-23314-8,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
value_type : USER_RIGHT
right_type : SeBackupPrivilege
value_data : "administrators"
# Debug programs (SeDebugPrivilege): holders can attach a debugger to any
# process or to the kernel, so the expected assignment is Administrators only.
# Any additional account or group holding this right should be treated as a
# finding to investigate, not just a compliance deviation.
type : USER_RIGHTS_POLICY
description : "1.1.4.19 Debug programs = Administrators"
info : "This policy setting determines which user accounts will have the right to attach a debugger to any process"
info : "or to the kernel."
solution : "Make sure 'Debug programs' is set to administrators only."
reference : "800-53|AC-3,PCI|7.2.2,CCE|CCE-21982-4,PCI|7.1.3,PCI|7.1.2,PCI|7.2.1,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
value_type : USER_RIGHT
right_type : SeDebugPrivilege
value_data : "Administrators"
type : USER_RIGHTS_POLICY
description : "1.1.4.20 Set 'Access Credential Manager as a trusted caller' to 'No One'"
info : "This security setting is used by Credential Manager during Backup and Restore."
solution : "Make sure 'Access Credential Manager as a trusted caller' is set to no one."
reference : "800-53|AC-3,PCI|7.2.2,PCI|7.1.2,PCI|7.2.1,CCE|CCE-23439-3,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
value_type : USER_RIGHT
right_type : SeTrustedCredManAccessPrivilege
value_data : ""
type : USER_RIGHTS_POLICY
description : "1.1.4.21 Set 'Deny log on locally' to 'Guests'"
info : "This security setting determines which users are prevented from logging on at the computer."
solution : "Make sure 'Deny log on locally' is set to guest accounts only."
reference : "800-53|IA-2,PCI|7.2.2,CCE|CCE-22816-3,PCI|7.1.2,PCI|7.2.1,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
value_type : USER_RIGHT
right_type : SeDenyInteractiveLogonRight
value_data : "Guests"
type : USER_RIGHTS_POLICY
description : "1.1.4.22 Set 'Profile system performance' to 'NT SERVICE\WdiServiceHost,Administrators'"
info : "This policy setting allows users to use tools to view the performance of different system processes,"
info : "which could be abused to allow attackers to determine a system's active processes and provide insight"
info : "into the potential attack surface of the computer."
solution : "Make sure 'Profile system performance' is set to Administrators and NT SERVICE\WdiServiceHost."
reference : "800-53|CM-6,PCI|7.2.2,CCE|CCE-21755-4,PCI|7.1.3,PCI|7.1.2,PCI|7.2.1,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
value_type : USER_RIGHT
right_type : SeSystemProfilePrivilege
value_data : "wdiservicehost" && "administrators"
type : USER_RIGHTS_POLICY
description : "1.1.4.23 Set 'Restore files and directories' to 'Administrators'"
info : "This policy setting determines which users can bypass file, directory, registry, and other persistent object permissions"
info : "when restoring backed up files and directories on computers that run Windows Vista in your environment."
solution : "Make sure 'Restore files and directories' is set to Administrators."
reference : "PCI|7.2.2,800-53|CP-9,CCE|CCE-23442-7,PCI|7.1.3,PCI|7.1.2,PCI|7.2.1,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
value_type : USER_RIGHT
right_type : SeRestorePrivilege
value_data : "administrators"
type : USER_RIGHTS_POLICY
description : "1.1.4.24 Set 'Perform volume maintenance tasks' to 'Administrators'"
info : "This policy setting allows users to manage the system's volume or disk configuration, which could allow a user"
info : "to delete a volume and cause data loss as well as a denial-of-service condition."
solution : "Make sure 'Perform volume maintenance tasks' is set to Administrators."
reference : "800-53|AC-3,800-53|CP-9,800-53|CM-6,PCI|7.2.2,PCI|7.1.3,CCE|CCE-22904-7,PCI|7.1.2,PCI|7.2.1,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
value_type : USER_RIGHT
right_type : SeManageVolumePrivilege
value_data : "administrators"
type : USER_RIGHTS_POLICY
description : "1.1.4.25 Set 'Impersonate a client after authentication' to 'Administrators, SERVICE, Local Service, Network Service'"
info : "The policy setting allows programs that run on behalf of a user to impersonate that user so that they can act"
info : "on behalf of the user."
solution : "Make sure 'Impersonate a client after authentication' is set to Administrators, SERVICE, Local Service and Network Service."
reference : "800-53|AC-2,PCI|7.2.2,PCI|7.1.3,PCI|7.1.2,CCE|CCE-24477-2,PCI|7.2.1"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
value_type : USER_RIGHT
right_type : SeImpersonatePrivilege
value_data : "administrators" && "local service" && "Service" && "Network Service"
type : USER_RIGHTS_POLICY
description : "1.1.4.27 Set 'Adjust memory quotas for a process' to 'Administrators, Local Service, Network Service'"
info : "This policy setting allows a user to adjust the maximum amount of memory that is available to a process."
solution : "Make sure 'Adjust memory quotas for a process' is set to administrators, local service and network service."
reference : "800-53|AC-3,800-53|AC-6,PCI|7.2.2,CCE|CCE-22688-6,PCI|7.1.3,PCI|7.1.2,PCI|7.2.1,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
value_type : USER_RIGHT
right_type : SeIncreaseQuotaPrivilege
value_data : "administrators" && "local service" && "network service"
type : USER_RIGHTS_POLICY
description : "1.1.4.28 Set 'Manage auditing and security log' to 'Administrators'"
info : "This policy setting determines which users can change the auditing options for files and directories and clear"
info : "the Security log."
solution : "Make sure 'Manage auditing and security log' is set to Administrators."
reference : "PCI|7.2.2,800-53|AU-2,CCE|CCE-21788-5,PCI|7.1.3,PCI|7.1.2,PCI|7.2.1,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
value_type : USER_RIGHT
right_type : SeSecurityPrivilege
value_data : "Administrators"
type : USER_RIGHTS_POLICY
description : "1.1.4.29 Set 'Deny log on as a batch job' to 'Guests'"
info : "This policy setting determines which accounts will not be able to log on to the computer as a batch job."
solution : "Make sure 'Deny log on as a batch job' is set to guests."
reference : "PCI|7.2.2,PCI|7.1.2,PCI|7.2.1,CCE|CCE-22936-9,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
value_type : USER_RIGHT
right_type : SeDenyBatchLogonRight
value_data : "guests"
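# The expected holders must match the list in the description: Users,
# NETWORK SERVICE, LOCAL SERVICE and Administrators. An expected list that
# names Backup Operators and omits Administrators would flag a host configured
# as described and could accept one that grants the right to an extra group.
# NOTE(review): confirm how the compliance module matches multi-valued
# USER_RIGHT lists (exact set vs. subset) before relying on this result.
type : USER_RIGHTS_POLICY
description : "1.1.4.30 Set 'Bypass traverse checking' to 'Users, NETWORK SERVICE, LOCAL SERVICE, Administrators' "
info : "This policy setting allows users who do not have the Traverse Folder access permission to pass through folders"
info : "when they browse an object path in the NTFS file system or the registry."
solution : "Make sure 'Bypass traverse checking' is set to users, administrators, local service, and network service."
reference : "800-53|AC-3,PCI|7.2.2,PCI|7.1.3,PCI|7.1.2,CCE|CCE-23566-3,PCI|7.2.1,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
value_type : USER_RIGHT
right_type : SeChangeNotifyPrivilege
value_data : "users" && "administrators" && "local service" && "network service"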
type : USER_RIGHTS_POLICY
description : "1.1.4.31 Set 'Increase a process working set' to 'Administrators, Local Service'"
info : "This privilege determines which user accounts can increase or decrease the size of a process's working set."
solution : "Make sure 'Increase a process working set' is set to Administrators and Local Service."
reference : "800-53|AC-3,800-53|CM-6,PCI|7.2.2,CCE|CCE-21894-1,PCI|7.1.3,PCI|7.1.2,PCI|7.2.1,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
value_type : USER_RIGHT
right_type : SeIncreaseWorkingSetPrivilege
value_data : "Administrators" && "Local Service"
type : USER_RIGHTS_POLICY
description : "1.1.4.32 Set 'Change the system time' to 'LOCAL SERVICE, Administrators'"
info : "This policy setting determines which users and groups can change the time and date on the internal clock of the"
info : "computers in your environment."
solution : "Make sure 'Change the system time' is set to local service and administrators."
reference : "800-53|AU-8,800-53|CM-7,PCI|7.2.2,CCE|CCE-21990-7,PCI|7.1.3,PCI|7.1.2,PCI|7.2.1,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
value_type : USER_RIGHT
right_type : SeSystemTimePrivilege
value_data : "administrators" && "local service"
type : USER_RIGHTS_POLICY
description : "1.1.4.35 Set 'Generate security audits' to 'Local Service, Network Service'"
info : "This policy setting determines which users or processes can generate audit records in the Security log."
solution : "Make sure 'Generate security audits' is set to Local Service and Network Service."
reference : "800-53|AU-2,PCI|7.2.2,CCE|CCE-21774-5,PCI|7.1.2,PCI|7.2.1,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
value_type : USER_RIGHT
right_type : SeAuditPrivilege
value_data : "local service" && "network service"
type : USER_RIGHTS_POLICY
description : "1.1.4.36 Set 'Allow log on locally' to 'Administrators, Users'"
info : "This policy setting determines which users can interactively log on to computers in your environment."
solution : "Make sure 'Allow log on locally' is set to administrators and users."
reference : "800-53|AC-3,PCI|7.2.2,PCI|7.1.3,PCI|7.1.2,CCE|CCE-25228-8,PCI|7.2.1"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
value_type : USER_RIGHT
right_type : SeInteractiveLogonRight
value_data : "administrators" && "users"
type : USER_RIGHTS_POLICY
description : "1.1.4.37 Set 'Lock pages in memory' to 'No One'"
info : "This policy setting allows a process to keep data in physical memory, which prevents the system from paging the data"
info : "to virtual memory on disk."
solution : "Make sure 'Lock pages in memory' is set to 'no one'."
reference : "800-53|SI-3,PCI|7.2.2,CCE|CCE-21994-9,PCI|7.1.2,PCI|7.2.1,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
value_type : USER_RIGHT
right_type : SeLockMemoryPrivilege
value_data : ""
type : USER_RIGHTS_POLICY
description : "1.1.4.39 Configure 'Remove computer from docking station'"
info : "This policy setting allows the user of a portable computer to click Eject PC on the Start menu to undock the computer."
solution : "Make sure 'Remove computer from docking station' is set to Administrators and Users."
reference : "800-53|PE-3,PCI|7.2.2,CCE|CCE-22135-8,PCI|7.1.3,PCI|7.1.2,PCI|7.2.1,Level|1N"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
value_type : USER_RIGHT
right_type : SeUndockPrivilege
value_data : "administrators" && "users"
type : USER_RIGHTS_POLICY
description : "1.1.4.40 Set 'Replace a process level token' to 'Local Service, Network Service'"
info : "This policy setting allows one process or service to start another service or process with a different"
info : "security access token."
solution : "Make sure 'Replace a process level token' is set to Local Service and Network Service."
reference : "800-53|CM-7,800-53|CM-6,PCI|7.2.2,CCE|CCE-22472-5,PCI|7.1.2,PCI|7.2.1,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
value_type : USER_RIGHT
right_type : SeAssignPrimaryTokenPrivilege
value_data : "Local Service" && "Network Service"
type : USER_RIGHTS_POLICY
description : "1.1.4.41 Set 'Create a token object' to 'No One'"
info : "This policy setting allows a process to create an access token, which may provide elevated rights to"
info : "access sensitive data."
solution : "Make sure no one has the user right 'Create a token object'"
reference : "PCI|7.2.2,PCI|7.1.2,CCE|CCE-22082-2,PCI|7.2.1"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
value_type : USER_RIGHT
right_type : SeCreateTokenPrivilege
value_data : ""
type : USER_RIGHTS_POLICY
description : "1.1.4.42 Set 'Modify an object label' to 'No one'"
info : "This privilege determines which user accounts can modify the integrity label of objects, such as files, registry keys,"
info : "or processes owned by other users."
solution : "Make sure 'Modify an object label' is set to no one."
reference : "800-53|AC-3,800-53|CM-6,PCI|7.2.2,PCI|7.1.2,CCE|CCE-22469-1,PCI|7.2.1,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
value_type : USER_RIGHT
right_type : SeReLabelPrivilege
value_data : ""
## 1.1.5 Windows Firewall With Advanced Security
type : REGISTRY_SETTING
description : "1.1.5.1.1 Set 'Windows Firewall: Domain: Display a notification' to 'Yes (default)'"
info : "This setting allows Windows Firewall with Advanced Security to display notifications to the user when a"
info : "program is blocked."
solution : "Make sure 'Windows Firewall: Domain: Display a notification' is set to the default value yes."
reference : "CCE|CCE-23450-0,PCI|1.2.1,800-53|CM-6,800-53|CM-3,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\"
reg_item : "DisableNotifications"
value_data : 0
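# reg_item must be the literal registry value name, LogFileSize. A corrupted
# name makes the check query a value that does not exist, so the firewall log
# size limit is never actually verified.
type : REGISTRY_SETTING
description : "1.1.5.1.2 Set 'Windows Firewall: Domain: Logging: Size limit (KB)' to '16384 KB or greater'"
info : "Use this option to specify the size limit of the file in which Windows Firewall will write its log information."
solution : "Make sure 'Windows Firewall: Domain: Logging: Size limit (KB)' is set to '16384 KB or greater'"
reference : "CCE|CCE-22458-4,PCI|1.2.1,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
value_type : POLICY_DWORD
value_data : [16384..MAX]
reg_key : "HKLM\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging\"
reg_item : "LogFileSize"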
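# reg_item must be the literal registry value name, LogFilePath, and the
# expected path must be the one the description and solution tell the
# administrator to configure; otherwise a host set up as instructed fails.
# NOTE(review): the value is presumably compared as a literal string, so
# %SYSTEMROOT% and %windir% would not be interchangeable - confirm.
type : REGISTRY_SETTING
description : "1.1.5.1.3 Set 'Windows Firewall: Domain: Logging: Name' to '%SYSTEMROOT%\System32\logfiles\firewall\domainfw.log'"
info : "Use this option to specify the path and name of the file in which Windows Firewall will write its log information."
solution : "Make sure 'Windows Firewall: Domain: Logging: Name' is set to '%SYSTEMROOT%\System32\logfiles\firewall\domainfw.log'"
reference : "CCE|CCE-23521-8,PCI|1.2.1,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
value_type : POLICY_TEXT
value_data : "%SYSTEMROOT%\System32\logfiles\firewall\domainfw.log"
reg_key : "HKLM\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging\"
reg_item : "LogFilePath"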
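# This is the Domain-profile check (1.1.5.1.x), so it must read the
# DomainProfile key. Reading PublicProfile here would leave the domain
# profile's local-rule merge setting unaudited.
type : REGISTRY_SETTING
description : "1.1.5.1.4 Set 'Windows Firewall: Domain: Apply local firewall rules' to 'Yes (default)'"
info : "This setting controls whether local administrators are allowed to create local firewall rules that apply together"
info : "with firewall rules configured by Group Policy."
solution : "Make sure 'Windows Firewall: Domain: Apply local firewall rules' is set to yes."
reference : "CCE|CCE-21968-3,800-53|AC-4,PCI|1.2.1,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\"
reg_item : "AllowLocalPolicyMerge"
value_data : 1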
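# 1.1.5.1.5: local connection security (IPsec) rule merge for the Domain profile.
# The description names the Domain profile, but the check read PrivateProfile (already covered by
# item 1.1.5.2.5). reg_key and solution now say Domain.
type : REGISTRY_SETTING
description : "1.1.5.1.5 Set 'Windows Firewall: Domain: Apply local connection security rules' to 'Yes (default)'"
info : "This setting controls whether local administrators are allowed to create connection security rules that apply together"
info : "with connection security rules configured by Group Policy."
solution : "Make sure 'Windows Firewall: Domain: Apply local connection security rules' is set to yes."
reference : "CCE|CCE-23253-8,PCI|1.2.1,800-53|CM-6,800-53|SC-7,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\"
reg_item : "AllowLocalIPsecPolicyMerge"
value_data : 1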
type : REGISTRY_SETTING
description : "1.1.5.1.6 Set 'Windows Firewall: Domain: Allow unicast response' to 'No'"
info : "This setting controls whether this computer receives unicast responses to its outgoing multicast or broadcast messages."
solution : "Make sure 'Windows Firewall: Domain: Allow unicast response' is set to no."
reference : "800-53|SC-5,800-53|SC-7,CCE|CCE-23201-7,PCI|1.2.1,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\"
reg_item : "DisableUnicastResponsesToMulticastBroadcast"
value_data : 1
type : REGISTRY_SETTING
description : "1.1.5.1.7 Set 'Windows Firewall: Domain: Outbound connections' to 'Allow (default)'"
info : "This setting determines the behavior for outbound connections that do not match an outbound firewall rule."
solution : "Make sure 'Windows Firewall: Domain: Outbound connections' is set to the default value of allow."
reference : "PCI|1.2.1,CCE|CCE-22324-8,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\"
reg_item : "DefaultOutboundAction"
value_data : 0
type : REGISTRY_SETTING
description : "1.1.5.1.8 Set 'Windows Firewall: Domain: Logging: Log dropped packets' to 'Yes'"
info : "Use this option to log when Windows Firewall with Advanced Security discards an inbound packet for any reason."
solution : "Make sure 'Windows Firewall: Domain: Logging: Log dropped packets' is set to the default value of Yes."
reference : "CCE|CCE-23030-0,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
value_type : POLICY_DWORD
value_data : 1
reg_key : "HKLM\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging\"
reg_item : "LogDroppedPackets"
type : REGISTRY_SETTING
description : "1.1.5.1.9 Set 'Windows Firewall: Domain: Logging: Log successful connections' to 'Yes'"
info : "Use this option to log when Windows Firewall with Advanced Security allows an inbound connection."
solution : "Make sure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Yes'."
reference : "CCE|CCE-21810-7,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
value_type : POLICY_DWORD
value_data : 1
reg_key : "HKLM\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging\"
reg_item : "LogSuccessfulConnections"
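# 1.1.5.1.10: default action for unmatched inbound connections (1 = block).
# The item is numbered with the 1.1.5.1.x Domain-profile checks, but it read PublicProfile, which
# item 1.1.5.3.11 already audits. It now reads DomainProfile.
# NOTE(review): confirm CCE-22387-5 is the Domain-profile entry in the benchmark.
type : REGISTRY_SETTING
description : "1.1.5.1.10 Set 'Inbound Connections' to 'Enabled:Block (default)'"
info : "This setting determines the behavior for inbound connections that do not match an inbound firewall rule."
solution : "Make sure 'Inbound connections' is set to the default Enabled:Block."
reference : "800-53|AC-4,800-53|SC-7,CCE|CCE-22387-5,PCI|1.2.1,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\"
reg_item : "DefaultInboundAction"
value_data : 1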
type : REGISTRY_SETTING
description : "1.1.5.1.11 Set 'Windows Firewall: Domain: Firewall state' to 'On (recommended)'"
info : "Select On to have Windows Firewall with Advanced Security use the settings for this profile to filter network traffic."
solution : "Make sure 'Windows Firewall: Domain: Firewall state' is set to On."
reference : "CCE|CCE-23090-4,800-53|AC-4,PCI|1.2.1,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\"
reg_item : "EnableFirewall"
value_data : 1
## 1.1.5.2 Private Profile
type : REGISTRY_SETTING
description : "1.1.5.2.1 Set 'Windows Firewall: Private: Firewall state' to 'On (recommended)'"
info : "Select On to have Windows Firewall with Advanced Security use the settings for this profile to filter network traffic."
solution : "Make sure 'Windows Firewall: Private: Firewall state' is set to on."
reference : "800-53|AC-4,PCI|1.2.1,CCE|CCE-21714-1,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile\"
reg_item : "EnableFirewall"
value_data : 1
type : REGISTRY_SETTING
description : "1.1.5.2.2 Set 'Windows Firewall: Private: Outbound connections' to 'Allow (default)'"
info : "This setting determines the behavior for outbound connections that do not match an outbound firewall rule."
solution : "Make sure 'Windows Firewall: Private: Outbound connections' is set to the default setting Allow."
reference : "CCE|CCE-23180-3,PCI|1.2.1,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile\"
reg_item : "DefaultOutboundAction"
value_data : 0
type : REGISTRY_SETTING
description : "1.1.5.2.3 Set 'Windows Firewall: Private: Apply local firewall rules' to 'Yes (default)'"
info : "This setting controls whether local administrators are allowed to create local firewall rules that apply together"
info : "with firewall rules configured by Group Policy."
solution : "Make sure 'Windows Firewall: Private: Apply local firewall rules' is set to yes (default setting)."
reference : "800-53|AC-4,CCE|CCE-22676-1,PCI|1.2.1,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile\"
reg_item : "AllowLocalPolicyMerge"
value_data : 1
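# 1.1.5.2.4: minimum size of the Private-profile firewall log.
# The item number was mislabeled 1.1.5.1.4; it sits between 1.1.5.2.3 and 1.1.5.2.5.
# reg_item restored to LogFileSize; the value name had been corrupted by injected text.
type : REGISTRY_SETTING
description : "1.1.5.2.4 Set 'Windows Firewall: Private: Logging: Size limit (KB)' to '16384 KB or greater'"
info : "Use this option to specify the size limit of the file in which Windows Firewall will write its log information."
solution : "Make sure 'Windows Firewall: Private: Logging: Size limit (KB)' is set to '16384 KB or greater'"
reference : "CCE|CCE-23447-6,PCI|1.2.1,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
value_type : POLICY_DWORD
value_data : [16384..MAX]
reg_key : "HKLM\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging\"
reg_item : "LogFileSize"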
type : REGISTRY_SETTING
description : "1.1.5.2.5 Set 'Windows Firewall: Private: Apply local connection security rules' to 'Yes (default)'"
info : "This setting controls whether local administrators are allowed to create connection security rules that apply"
info : "together with connection security rules configured by Group Policy."
solution : "Make sure 'Windows Firewall: Private: Apply local connection security rules' is set to yes."
reference : "CCE|CCE-22915-3,PCI|1.2.1,800-53|CM-6,800-53|SC-7,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile\"
reg_item : "AllowLocalIPsecPolicyMerge"
value_data : 1
type : REGISTRY_SETTING
description : "1.1.5.2.6 Set 'Windows Firewall: Private: Display a notification' to 'Yes (default)' "
info : "This setting allows Windows Firewall with Advanced Security to display notifications to the user when a"
info : "program is blocked."
solution : "Make sure 'Windows Firewall: Private: Display a notification' is set to yes."
reference : "PCI|1.2.1,CCE|CCE-22877-5,800-53|CM-6,800-53|CM-3,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile\"
reg_item : "DisableNotifications"
value_data : 0
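# 1.1.5.2.7: default action for unmatched inbound connections (1 = block).
# The item is under '1.1.5.2 Private Profile' but read DomainProfile, so the Private-profile
# inbound default was never audited. It now reads PrivateProfile.
# NOTE(review): confirm CCE-21826-3 is the Private-profile entry in the benchmark.
type : REGISTRY_SETTING
description : "1.1.5.2.7 Set 'Inbound Connections' to 'Enabled:Block (default)'"
info : "This setting determines the behavior for inbound connections that do not match an inbound firewall rule."
solution : "Make sure 'Inbound connections' is set to the default setting Enabled:Block."
reference : "CCE|CCE-21826-3,PCI|1.2.1,800-53|AC-4,800-53|SC-7,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile\"
reg_item : "DefaultInboundAction"
value_data : 1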
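# 1.1.5.2.8: path of the Private-profile firewall log.
# reg_item restored to LogFilePath; the value name had been corrupted by injected text.
# value_data now matches the path named in description/solution. The previous expected value
# ('...\privatefirewall.log') failed hosts configured exactly as the solution instructs.
# NOTE(review): confirm how the compliance module treats case and environment variables in POLICY_TEXT.
type : REGISTRY_SETTING
description : "1.1.5.2.8 Set 'Windows Firewall: Private: Logging: Name' to '%SYSTEMROOT%\System32\logfiles\firewall\privatefw.log'"
info : "Use this option to specify the path and name of the file in which Windows Firewall will write its log information."
solution : "Make sure 'Windows Firewall: Private: Logging: Name' is set to '%SYSTEMROOT%\System32\logfiles\firewall\privatefw.log'"
reference : "CCE|CCE-21460-1,PCI|1.2.1,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
value_type : POLICY_TEXT
value_data : "%SYSTEMROOT%\System32\logfiles\firewall\privatefw.log"
reg_key : "HKLM\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging\"
reg_item : "LogFilePath"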
type : REGISTRY_SETTING
description : "1.1.5.2.9 Set 'Windows Firewall: Private: Allow unicast response' to 'No' "
info : "This setting controls whether this computer receives unicast responses to its outgoing multicast or broadcast messages."
solution : "Make sure 'Windows Firewall: Private: Allow unicast response' is set to no."
reference : "800-53|SC-5,800-53|SC-7,PCI|1.2.1,CCE|CCE-22003-8,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile\"
reg_item : "DisableUnicastResponsesToMulticastBroadcast"
value_data : 1
type : REGISTRY_SETTING
description : "1.1.5.2.10 Set 'Windows Firewall: Private: Logging: Log successful connections' to 'Yes'"
info : "Use this option to log when Windows Firewall with Advanced Security allows an inbound connection."
solution : "Make sure 'Windows Firewall: Private: Logging: Log successful connections' is set to Yes."
reference : "PCI|1.2.1,CCE|CCE-23120-9,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
value_type : POLICY_DWORD
value_data : 1
reg_key : "HKLM\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging\"
reg_item : "LogSuccessfulConnections"
type : REGISTRY_SETTING
description : "1.1.5.2.11 Set 'Windows Firewall: Private: Logging: Log dropped packets' to 'Yes'"
info : "Use this option to log when Windows Firewall with Advanced Security discards an inbound packet for any reason."
solution : "Make sure 'Windows Firewall: Private: Logging: Log dropped packets' is set to Yes."
reference : "PCI|1.2.1,CCE|CCE-21256-3,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
value_type : POLICY_DWORD
value_data : 1
reg_key : "HKLM\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging\"
reg_item : "LogDroppedPackets"
## 1.1.5.3 Public Profile
type : REGISTRY_SETTING
description : "1.1.5.3.1 Set 'Windows Firewall: Public: Outbound connections' to 'Allow (default)'"
info : "This setting determines the behavior for outbound connections that do not match an outbound firewall rule."
solution : "Make sure 'Windows Firewall: Public: Outbound connections' is set to the default setting allow."
reference : "PCI|1.2.1,CCE|CCE-22181-2,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\Software\Policies\Microsoft\WindowsFirewall\PublicProfile\"
reg_item : "DefaultOutboundAction"
value_data : 0
type : REGISTRY_SETTING
description : "1.1.5.3.2 Set 'Windows Firewall: Public: Apply local firewall rules' to 'Yes (default)'"
info : "This setting controls whether local administrators are allowed to create local firewall rules that apply together"
info : "with firewall rules configured by Group Policy."
solution : "Make sure 'Windows Firewall: Public: Apply local firewall rules' is set to yes."
reference : "800-53|AC-4,CCE|CCE-23240-5,PCI|1.2.1"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\Software\Policies\Microsoft\WindowsFirewall\PublicProfile\"
reg_item : "AllowLocalPolicyMerge"
value_data : 1
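# 1.1.5.3.3: local connection security (IPsec) rule merge must be off (0) on the Public profile.
# The check read DomainProfile and expected 0, which contradicts item 1.1.5.1.5 (Domain, 'Yes')
# and left the Public profile unaudited. reg_key and solution now say Public.
# NOTE(review): CCE-23253-8 is also listed on item 1.1.5.1.5; confirm the Public-profile CCE
# against the benchmark before relying on this reference.
type : REGISTRY_SETTING
description : "1.1.5.3.3 Set 'Windows Firewall: Public: Apply local connection security rules' to 'No'"
info : "This setting controls whether local administrators are allowed to create connection security rules that apply together"
info : "with connection security rules configured by Group Policy."
solution : "Make sure 'Windows Firewall: Public: Apply local connection security rules' is set to no."
reference : "CCE|CCE-23253-8,PCI|1.2.1,800-53|CM-6,800-53|SC-7,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\Software\Policies\Microsoft\WindowsFirewall\PublicProfile\"
reg_item : "AllowLocalIPsecPolicyMerge"
value_data : 0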
type : REGISTRY_SETTING
description : "1.1.5.3.4 Set 'Windows Firewall: Public: Logging: Log dropped packets' to 'Yes'"
info : "Use this option to log when Windows Firewall with Advanced Security discards an inbound packet for any reason."
solution : "Make sure 'Windows Firewall: Public: Logging: Log dropped packets' is set to Yes."
reference : "PCI|1.2.1,CCE|CCE-23017-7,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
value_type : POLICY_DWORD
value_data : 1
reg_key : "HKLM\Software\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging\"
reg_item : "LogDroppedPackets"
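# 1.1.5.3.5: suppress blocked-program notifications on the Public profile (DisableNotifications = 1).
# The solution text named the Private profile, where item 1.1.5.2.6 requires the opposite value.
# It now names Public, matching the description and reg_key.
type : REGISTRY_SETTING
description : "1.1.5.3.5 Set 'Windows Firewall: Public: Display a notification' to 'No'"
info : "This setting allows Windows Firewall with Advanced Security to display notifications to the user when a"
info : "program is blocked."
solution : "Make sure 'Windows Firewall: Public: Display a notification' is set to no."
reference : "800-53|CM-6,800-53|CM-3,PCI|1.2.1,CCE|CCE-22028-5,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\Software\Policies\Microsoft\WindowsFirewall\PublicProfile\"
reg_item : "DisableNotifications"
value_data : 1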
type : REGISTRY_SETTING
description : "1.1.5.3.6 Set 'Windows Firewall: Public: Allow unicast response' to 'No'"
info : "This setting controls whether this computer receives unicast responses to its outgoing multicast or broadcast messages."
solution : "Make sure 'Windows Firewall: Public: Allow unicast response' is set to no."
reference : "CCE|CCE-22993-0,PCI|1.2.1,800-53|SC-5,800-53|SC-7,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\Software\Policies\Microsoft\WindowsFirewall\PublicProfile\"
reg_item : "DisableUnicastResponsesToMulticastBroadcast"
value_data : 1
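# 1.1.5.3.7: path of the Public-profile firewall log.
# reg_item restored to LogFilePath; the value name had been corrupted by injected text.
# value_data now matches the path named in description/solution. The previous expected value
# ('...\publicfirewall.log') failed hosts configured exactly as the solution instructs.
# NOTE(review): confirm how the compliance module treats case and environment variables in POLICY_TEXT.
type : REGISTRY_SETTING
description : "1.1.5.3.7 Set 'Windows Firewall: Public: Logging: Name' to '%SYSTEMROOT%\System32\logfiles\firewall\publicfw.log'"
info : "Use this option to specify the path and name of the file in which Windows Firewall will write its log information."
solution : "Make sure 'Windows Firewall: Public: Logging: Name' is set to '%SYSTEMROOT%\System32\logfiles\firewall\publicfw.log'"
reference : "CCE|CCE-22267-9,PCI|1.2.1,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
value_type : POLICY_TEXT
value_data : "%SYSTEMROOT%\System32\logfiles\firewall\publicfw.log"
reg_key : "HKLM\Software\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging\"
reg_item : "LogFilePath"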
type : REGISTRY_SETTING
description : "1.1.5.3.8 Set 'Windows Firewall: Public: Logging: Log successful connections' to 'Yes'"
info : "Use this option to log when Windows Firewall with Advanced Security allows an inbound connection."
solution : "Make sure 'Windows Firewall: Public: Logging: Log successful connections' is set to 'Yes'."
reference : "CCE|CCE-21530-1,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
value_type : POLICY_DWORD
value_data : 1
reg_key : "HKLM\Software\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging\"
reg_item : "LogSuccessfulConnections"
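# 1.1.5.3.9: minimum size of the Public-profile firewall log.
# The description was empty, so it is filled in following the wording of the Private size-limit item.
# The solution named the Domain profile although reg_key reads PublicProfile; it now says Public.
# reg_item restored to LogFileSize; the value name had been corrupted by injected text.
type : REGISTRY_SETTING
description : "1.1.5.3.9 Set 'Windows Firewall: Public: Logging: Size limit (KB)' to '16384 KB or greater'"
info : "Use this option to specify the size limit of the file in which Windows Firewall will write its log information."
solution : "Make sure 'Windows Firewall: Public: Logging: Size limit (KB)' is set to '16384 KB or greater'"
reference : "CCE|CCE-22460-0,PCI|1.2.1,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
value_type : POLICY_DWORD
value_data : [16384..MAX]
reg_key : "HKLM\Software\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging\"
reg_item : "LogFileSize"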
type : REGISTRY_SETTING
description : "1.1.5.3.10 Set 'Windows Firewall: Public: Firewall state' to 'On (recommended)'"
info : "Select On to have Windows Firewall with Advanced Security use the settings for this profile to filter network traffic."
solution : "Make sure 'Windows Firewall: Public: Firewall state' is set to On."
reference : "800-53|AC-4,CCE|CCE-21359-5,PCI|1.2.1,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\Software\Policies\Microsoft\WindowsFirewall\PublicProfile\"
reg_item : "EnableFirewall"
value_data : 1
type : REGISTRY_SETTING
description : "1.1.5.3.11 Set 'Inbound Connections' to 'Enabled:Block (default)'"
info : "This setting determines the behavior for inbound connections that do not match an inbound firewall rule."
solution : "Make sure 'Inbound connections' is set to the default Enabled:Block."
reference : "CCE|CCE-22517-7,PCI|1.2.1,800-53|AC-4,800-53|SC-7,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\Software\Policies\Microsoft\WindowsFirewall\PublicProfile\"
reg_item : "DefaultInboundAction"
value_data : 1
## 1.2 Administrative Templates
## 1.2.3 System
## 1.2.3.1 Internet Communication Management
type : REGISTRY_SETTING
description : "1.2.3.1.2 Set 'Turn off downloading of print drivers over HTTP' to 'Enabled'"
info : "This policy setting controls whether the computer can download print driver packages over HTTP."
solution : "Make sure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled'"
reference : "800-53|CM-3,CCE|CCE-22183-8,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
value_type : POLICY_DWORD
value_data : 1
reg_key : "HKLM\Software\Policies\Microsoft\Windows NT\Printers"
reg_item : "DisableWebPnPDownload"
type : REGISTRY_SETTING
description : "1.2.3.1.3 Set 'Turn off Windows Update device driver searching' to 'Enabled'"
info : "This policy setting specifies whether Windows will search Windows Update for device drivers when"
info : "no local drivers for a device are present."
solution : "Make sure 'Turn off Windows Update device driver searching' is set to 'Enabled'"
reference : "800-53|SI-2,PCI|2.2.3,CCE|CCE-22310-7,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
value_type : POLICY_DWORD
value_data : 1
reg_key : "HKLM\Software\Policies\Microsoft\Windows\DriverSearching"
reg_item : "DontSearchWindowsUpdate"
reg_option : CAN_BE_NULL
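# 1.2.3.1.4: the Explorer 'Publish to Web' tasks must be turned off (NoPublishingWizard = 1).
# The info text had injected characters in place of 'File'; restored to 'File and Folder Tasks'.
type : REGISTRY_SETTING
description : "1.2.3.1.4 Set 'Turn off the 'Publish to Web' task for files and folders' to 'Enabled'"
info : "This policy setting specifies whether the tasks Publish this file to the Web, Publish this folder to"
info : "the Web, and Publish the selected items to the Web are available from File and Folder Tasks in Windows folders."
solution : "Make sure 'Turn off the 'Publish to Web' task for files and folders' is set to 'Enabled'"
reference : "800-53|CM-6,PCI|2.2.3,CCE|CCE-21949-3,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
value_type : POLICY_DWORD
value_data : 1
reg_key : "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
reg_item : "NoPublishingWizard"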
type : REGISTRY_SETTING
description : "1.2.3.1.5 Set 'Turn off the Windows Messenger Customer Experience Improvement Program' to 'Enabled'"
info : "This policy setting specifies whether Windows Messenger can collect anonymous information about how the"
info : "Windows Messenger software and service is used."
solution : "Make sure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'"
reference : "CCE|CCE-23062-3,PCI|2.2.3,800-53|SC-7,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
value_type : POLICY_DWORD
value_data : 2
reg_key : "HKLM\Software\Policies\Microsoft\Messenger\Client"
reg_item : "CEIP"
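# 1.2.3.1.6: Search Companion must not download content updates.
# reg_item restored to DisableContentFileUpdates; the value name had been corrupted by injected
# text, so the check looked up a registry value that does not exist.
type : REGISTRY_SETTING
description : "1.2.3.1.6 Set 'Turn off Search Companion content file updates' to 'Enabled'"
info : "This policy setting specifies whether Search Companion should automatically download content updates during"
info : "local and Internet searches."
solution : "Make sure 'Turn off Search Companion content file updates' is set to 'Enabled'"
reference : "800-53|CM-5,PCI|2.2.3,800-53|CM-6,CCE|CCE-21785-1,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
value_type : POLICY_DWORD
value_data : 1
reg_key : "HKLM\Software\Policies\Microsoft\SearchCompanion"
reg_item : "DisableContentFileUpdates"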
type : REGISTRY_SETTING
description : "1.2.3.1.8 Set 'Turn off Internet download for Web publishing and online ordering wizards' to 'Enabled'"
info : "This policy setting controls whether Windows will download a list of providers for the Web publishing and"
info : "online ordering wizards."
solution : "Make sure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'"
reference : "PCI|2.2.3,800-53|CM-3,CCE|CCE-22152-3,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
value_type : POLICY_DWORD
value_data : 1
reg_key : "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
reg_item : "NoWebServices"
type : REGISTRY_SETTING
description : "1.2.3.1.9 Set 'Turn off printing over HTTP' to 'Enabled'"
info : "This control defines whether a client computer is allowed to print over HTTP."
solution : "Make sure 'Turn off printing over HTTP' is Enabled"
reference : "800-53|CM-3,CCE|CCE-22539-1,PCI|2.2.3,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\Software\Policies\Microsoft\Windows NT\Printers"
reg_item : "DisableHTTPPrinting"
value_data : 1
## 1.2.3.2 Logon
type : REGISTRY_SETTING
description : "1.2.3.2.1 Set 'Turn on PIN sign-in' to 'Disabled'"
info : "This policy setting allows you to control whether a domain user can sign in using a PIN."
solution : "Make sure 'Turn on PIN sign-in' is set to 'Disabled'"
reference : "CCE|CCE-22265-3,PCI|2.2.3,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\Software\Policies\Microsoft\Windows\System\"
reg_item : "AllowDomainPINLogon"
value_data : 0
type : REGISTRY_SETTING
description : "1.2.3.2.4 Set 'Do not enumerate connected users on domain-joined computers' to 'Enabled'"
info : "This policy setting prevents connected users from being enumerated on domain-joined computers."
solution : "Make sure 'Do not enumerate connected users on domain-joined computers' is set to 'Enabled'"
reference : "CCE|CCE-22562-3,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\Software\Policies\Microsoft\Windows\System\"
reg_item : "DontEnumerateConnectedUsers"
value_data : 1
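# 1.2.3.2.6: local accounts must not be enumerated on the logon screen of domain-joined hosts.
# The description requires 'Disabled', which is EnumerateLocalUsers = 0. The check expected 1,
# so it passed only hosts that expose the local account list.
type : REGISTRY_SETTING
description : "1.2.3.2.6 Set 'Enumerate local users on domain-joined computers' to 'Disabled'"
info : "This policy setting allows local users to be enumerated on domain-joined computers."
solution : "Make sure 'Enumerate local users on domain-joined computers' is set to 'Disabled'"
reference : "CCE|CCE-21626-7,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\Software\Policies\Microsoft\Windows\System\"
reg_item : "EnumerateLocalUsers"
value_data : 0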
## 1.2.3.3 Power Management
type : REGISTRY_SETTING
description : "1.2.3.3.3 Set 'Require a Password When a Computer Wakes (Plugged In)' to 'Enabled'"
info : "This control determines if Windows requires a password after it resumes from sleep."
solution : "Make sure 'Require a Password When a Computer Wakes (Plugged In)' is Enabled."
reference : "CCE|CCE-21635-8,PCI|2.2.3,Level|1S,800-53|IA-5"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51"
reg_item : "ACSettingIndex"
value_data : 1
type : REGISTRY_SETTING
description : "1.2.3.3.4 Set 'Require a Password When a Computer Wakes (On Battery)' to 'Enabled'"
info : "This control determines if Windows requires a password after it resumes from sleep."
solution : "Make sure 'Require a Password When a Computer Wakes (On Battery)' is Enabled."
reference : "CCE|CCE-22157-2,PCI|2.2.3,Level|1S,800-53|IA-5"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51"
reg_item : "DCSettingIndex"
value_data : 1
## 1.2.3.4 Remote Assistance
type : REGISTRY_SETTING
description : "1.2.3.4.1 Set 'Configure Solicited Remote Assistance' to 'Disabled'"
info : "This policy setting allows you to turn on or turn off Solicited (Ask for) Remote Assistance on this computer."
solution : "Make sure Set 'Configure Solicited Remote Assistance' is Disabled"
reference : "PCI|2.2.3,800-53|CM-6,CCE|CCE-23317-1,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\Software\policies\Microsoft\Windows NT\Terminal Services\"
reg_item : "fAllowToGetHelp"
value_data : 0
type : REGISTRY_SETTING
description : "1.2.3.4.2 Set 'Configure Offer Remote Assistance' to 'Disabled'"
info : "This policy setting allows you to turn on or turn off Offer (Unsolicited) Remote Assistance on this computer."
solution : "Make sure Set 'Configure Offer Remote Assistance' is Disabled"
reference : "PCI|2.2.3,800-53|AC-1,CCE|CCE-21152-4,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\Software\policies\Microsoft\Windows NT\Terminal Services\"
reg_item : "fAllowUnsolicited"
value_data : 0
type : REGISTRY_SETTING
description : "1.2.3.5 Set 'RPC Runtime Unauthenticated Client Restriction to Apply:' to 'Enabled:Authenticated'"
info : "This policy setting controls how the RPC server runtime handles unauthenticated RPC clients connecting to RPC servers."
solution : "Make sure Set 'RPC Runtime Unauthenticated Client Restriction to Apply:' is set to 'Enabled:Authenticated'"
reference : "PCI|2.2.3,800-53|CM-6,CCE|CCE-23021-9,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\Software\policies\Microsoft\Windows NT\Rpc\"
reg_item : "RestrictRemoteClients"
value_data : 1
type : REGISTRY_SETTING
description : "1.2.3.6 Set 'Enable RPC Endpoint Mapper Client Authentication' to 'Disabled'"
info : "This policy setting controls whether RPC clients authenticate with the Endpoint Mapper Service when the call"
info : "they are making contains authentication information."
solution : "Make sure Set 'Enable RPC Endpoint Mapper Client Authentication' is set to 'Disabled'"
reference : "PCI|2.2.3,800-53|CM-6,CCE|CCE-22863-5,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\Software\policies\Microsoft\Windows NT\Rpc\"
reg_item : "EnableAuthEpResolution"
value_data : 0
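# 1.2.3.7: registry policy must be re-applied during periodic background refresh.
# 'Enabled:FALSE' leaves the "do not apply" option unchecked, which is NoBackgroundPolicy = 0.
# The check expected 1, the value that suppresses background processing.
type : REGISTRY_SETTING
description : "1.2.3.7 Set 'Do not apply during periodic background processing' to 'Enabled:FALSE'"
info : "This policy setting determines when registry policies are updated."
solution : "Make sure Set 'Do not apply during periodic background processing' is set to 'Enabled:FALSE'"
reference : "CCE|CCE-22964-1,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\Software\policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}\"
reg_item : "NoBackgroundPolicy"
value_data : 0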
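# 1.2.3.8: registry policy must be reprocessed even when the GPO list is unchanged, so local
# drift is overwritten on refresh. 'Enabled:TRUE' is NoGPOListChanges = 0. The check expected 1,
# the value that skips reprocessing.
# NOTE(review): the reference carries no CCE identifier; add one only from the benchmark.
type : REGISTRY_SETTING
description : "1.2.3.8 Set 'Process even if the Group Policy objects have not changed' to 'Enabled:TRUE'"
info : "This policy setting determines when registry policies are updated."
solution : "Make sure Set 'Process even if the Group Policy objects have not changed' is set to 'Enabled:TRUE'"
reference : "Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\Software\policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}\"
reg_item : "NoGPOListChanges"
value_data : 0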
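# DriverLoadPolicy values: 8 = good only, 1 = good and unknown,
# 3 = good, unknown and bad but critical, 7 = all.
# The description asks for 'Good, unknown and bad but critical', which is 3;
# the expected value used to be 1 ('good and unknown').
type : REGISTRY_SETTING
description : "1.2.3.9 Set 'Choose the boot-start drivers that can be initialized:' to 'Enabled:Good, unknown and bad but critical'"
info : "This policy setting allows you to specify which boot-start drivers are initialized based on a classification determined"
info : "by an Early Launch Antimalware boot-start driver."
solution : "Make sure Set 'Choose the boot-start drivers that can be initialized:'is set to 'Enabled:Good, unknown and bad but critical'"
reference : "CCE|CCE-23349-4,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\System\CurrentControlSet\Policies\EarlyLaunch\"
reg_item : "DriverLoadPolicy"
value_data : 3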
# Reads DriverServerSelection under the DriverSearching policy key and expects
# DWORD 1, which the description maps to 'Search Managed Server'.
type : REGISTRY_SETTING
description : "1.2.3.11 Set 'Select update server:' to 'Enabled:Search Managed Server'"
info : "This policy setting allows you to specify the search server that Windows uses to find updates for device drivers."
solution : "Make sure Set 'Select update server:' is set to 'Enabled:Search Managed Server'"
reference : "CCE|CCE-23227-2,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\Software\Policies\Microsoft\Windows\DriverSearching\"
reg_item : "DriverServerSelection"
value_data : 1
# Expects DenyDeviceClasses = 1, i.e. the restriction policy is switched on.
# Only this one DWORD is read; the item does not inspect which device setup
# class GUIDs are on the deny list, so an enabled-but-empty list still passes.
type : REGISTRY_SETTING
description : "1.2.3.13 Set 'Prevent installation of devices using drivers that match these device setup classes' to 'Enabled'"
info : "This policy setting allows you to specify a list of device setup class globally unique identifiers (GUIDs) for"
info : "device drivers that Windows is prevented from installing."
solution : "Make sure Set 'Prevent installation of devices using drivers that match these device setup classes' is set to 'Enabled'"
reference : "CCE|CCE-21694-5,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions\"
reg_item : "DenyDeviceClasses"
value_data : 1
# Expects DenyDeviceClassesRetroactive = 1 so the device-class restriction also
# covers devices that were installed before the policy applied.
# NOTE(review): the info text repeats the wording of item 1.2.3.13.
type : REGISTRY_SETTING
description : "1.2.3.14 Set 'Also apply to matching devices that are already installed' to 'True'"
info : "This policy setting allows you to specify a list of device setup class globally unique identifiers (GUIDs) for"
info : "device drivers that Windows is prevented from installing."
solution : "Make sure Set 'Also apply to matching devices that are already installed' is set to 'True'"
reference : "Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions\"
reg_item : "DenyDeviceClassesRetroactive"
value_data : 1
## 1.2.4 Windows Components
## 1.2.4.1 AutoPlay Policies
# Expects NoDriveTypeAutoRun = 255 (0xFF), the value the solution text equates
# with Autoplay being turned off for all drives.
type : REGISTRY_SETTING
description : "1.2.4.1.1 Set 'Turn off Autoplay on' to 'Enabled:All drives'"
info : "Enable the Turn off Autoplay setting to disable the Autoplay feature."
solution : "Make sure 'Turn off Autoplay on:' is set to the value 255 which means it is Enabled:All drives."
reference : "CCE|CCE-22150-7,800-53|CM-7,PCI|2.2.3,800-53|CM-6,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\"
reg_item : "NoDriveTypeAutoRun"
value_data : 255
# 1.2.4.2.7 Configure 'Choose default folder for recovery password' (Not Scored)
# Expects IdentificationField = 1 under the BitLocker (FVE) policy key, i.e.
# the identifier policy is enabled. The identifier text itself is not read by
# this item, so its content has to be reviewed separately.
type : REGISTRY_SETTING
description : "1.2.4.2.8 Configure 'Provide the unique identifiers for your organization'"
info : "This policy setting allows you to associate unique organizational identifiers to a new drive that is"
info : "enabled with BitLocker."
solution : "Configure this setting in a manner that is consistent with security and operational requirements of your organization."
reference : "CCE|CCE-22698-5,Level|1N"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\Software\Policies\Microsoft\FVE\"
reg_item : "IdentificationField"
value_data : 1
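# Expects DCSettingIndex = 0 (standby states S1-S3 not allowed on battery).
# Group Policy stores power settings under ...\Policies\Microsoft\Power\...;
# the key was missing the 'Microsoft' component, so the lookup could not find
# the value. The solution text was also missing 'is set'.
type : REGISTRY_SETTING
description : "1.2.4.2.9 Set 'Allow Standby States (S1-S3) When Sleeping (On Battery)' to 'Disabled'"
info : "Dictates whether or not Windows is allowed to use standby states when sleeping the computer."
solution : "Make sure 'Allow Standby States (S1-S3) When Sleeping (On Battery)' is set to 'Disabled'"
reference : "CCE|CCE-21627-5,Level|1S,800-53|IA-5,PCI|2.2.3"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\Software\Policies\Microsoft\Power\PowerSettings\abfc2519-3608-4c2a-94ea-171b0ed546ab\"
reg_item : "DCSettingIndex"
value_data : 0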
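# Expects ACSettingIndex = 0 (standby states S1-S3 not allowed when plugged in).
# Group Policy stores power settings under ...\Policies\Microsoft\Power\...;
# the key was missing the 'Microsoft' component, so the lookup could not find
# the value. The solution text was also missing 'is set'.
type : REGISTRY_SETTING
description : "1.2.4.2.10 Set 'Allow Standby States (S1-S3) When Sleeping (Plugged In)' to 'Disabled'"
info : "Dictates whether or not Windows is allowed to use standby states when sleeping the computer."
solution : "Make sure 'Allow Standby States (S1-S3) When Sleeping (Plugged In)' is set to 'Disabled'"
reference : "800-53|IA-5,PCI|2.2.3,CCE|CCE-22787-6,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\Software\Policies\Microsoft\Power\PowerSettings\abfc2519-3608-4c2a-94ea-171b0ed546ab\"
reg_item : "ACSettingIndex"
value_data : 0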
## 1.2.4.3 Credential User Interface
# Expects EnumerateAdministrators = 0 so the elevation prompt does not list the
# administrator accounts on the machine.
type : REGISTRY_SETTING
description : "1.2.4.3.3 Set 'Enumerate administrator accounts on elevation' to 'Disabled'"
info : "This control defines whether a user is allowed to see all administrator accounts displayed when a user attempts to"
info : "elevate a running application."
solution : "Make sure 'Enumerate administrator accounts on elevation' is set to 'Disabled'"
reference : "800-53|AC-3,CCE|CCE-21675-4,800-53|AC-2,PCI|2.2.3,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\CredUI"
reg_item : "EnumerateAdministrators"
value_data : 0
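# Expects the Security log size limit to be 20480 KB or more. The expected
# value used to be exactly 1, which contradicts the description and would fail
# every correctly sized log. The key now includes 'Policies', which is where
# Group Policy writes the event log settings.
type : REGISTRY_SETTING
description : "1.2.4.4.2 Set 'Security: Maximum Log Size (KB)' to 'Enabled:20480 or greater'"
info : "This policy setting specifies the maximum size of the log file in kilobytes."
solution : "Make sure 'Security: Maximum Log Size (KB)' is set to 'Enabled:20480 or greater'"
reference : "800-53|AU-2,CCE|CCE-22581-3,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\Software\Policies\Microsoft\Windows\EventLog\Security\"
reg_item : "MaxSize"
value_data : [20480..MAX]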
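# Expects Retention = 0 for the System log (overwrite old events when full).
# The key now includes 'Policies', which is where Group Policy writes the event
# log settings; the previous path is not where this setting is stored.
# NOTE(review): Group Policy appears to store Retention as a string value;
# confirm on a test host that POLICY_DWORD matches it.
type : REGISTRY_SETTING
description : "1.2.4.4.3 Set 'System: Control Event Log behavior when the log file reaches its maximum size' to 'Disabled'"
info : "This policy setting controls Event Log behavior when the log file reaches its maximum size."
solution : "Make sure 'System: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'"
reference : "CCE|CCE-22242-2,Level|1S,PCI|10.7"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\Software\Policies\Microsoft\Windows\EventLog\System\"
reg_item : "Retention"
value_data : 0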
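# Expects Retention = 0 for the Security log (overwrite old events when full).
# The key now includes 'Policies', which is where Group Policy writes the event
# log settings; the previous path is not where this setting is stored.
# NOTE(review): Group Policy appears to store Retention as a string value;
# confirm on a test host that POLICY_DWORD matches it.
type : REGISTRY_SETTING
description : "1.2.4.4.4 Set 'Security: Control Event Log behavior when the log file reaches its maximum size' to 'Disabled' "
info : "This policy setting controls Event Log behavior when the log file reaches its maximum size."
solution : "Make sure 'Security: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'"
reference : "CCE|CCE-22637-3,Level|1S,PCI|10.7"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\Software\Policies\Microsoft\Windows\EventLog\Security\"
reg_item : "Retention"
value_data : 0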
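# Expects the Application log size limit to be 20480 KB or more. The expected
# value used to be exactly 1, which contradicts the description and would fail
# every correctly sized log. The key now includes 'Policies', which is where
# Group Policy writes the event log settings.
type : REGISTRY_SETTING
description : "1.2.4.4.5 Set 'Application: Maximum Log Size (KB)' to 'Enabled:20480 or greater'"
info : "This policy setting specifies the maximum size of the log file in kilobytes."
solution : "Make sure 'Application: Maximum Log Size (KB)' is set to 'Enabled:20480 or greater'"
reference : "CCE|CCE-22528-4,Level|1S,PCI|10.7"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\Software\Policies\Microsoft\Windows\EventLog\Application\"
reg_item : "MaxSize"
value_data : [20480..MAX]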
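# Audits the System log size limit named in the description. The item used to
# read the Application log's Retention value and expect 0, with info and
# solution text copied from other items, so the System log size was never
# evaluated. Key, item, range and texts now all refer to System / MaxSize.
# NOTE(review): with this correction no item in this section audits the
# Application log's Retention setting; add one if the benchmark requires it.
type : REGISTRY_SETTING
description : "1.2.4.4.6 Set 'System: Maximum Log Size (KB)' to 'Enabled:20480 or greater'"
info : "This policy setting specifies the maximum size of the log file in kilobytes."
solution : "Make sure 'System: Maximum Log Size (KB)' is set to 'Enabled:20480 or greater'"
reference : "800-53|AU-2,CCE|CCE-21736-4,Level|1S,PCI|10.7"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\Software\Policies\Microsoft\Windows\EventLog\System\"
reg_item : "MaxSize"
value_data : [20480..MAX]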
## 1.2.4.5 Remote Desktop Services
# Expects fDisableCdm = 1 under the Terminal Services policy key, i.e. client
# drive redirection into remote sessions is blocked.
type : REGISTRY_SETTING
description : "1.2.4.5.1 Set 'Do not allow drive redirection' to 'Enabled'"
info : "This control defines whether a user is allowed to share the local drives on their client computers to Terminal Servers"
info : "that they access."
solution : "Make sure 1.2.4.5.1 Set 'Do not allow drive redirection' is set to 'Enabled'"
reference : "CCE|CCE-23088-8,PCI|2.2.3,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services"
reg_item : "fDisableCdm"
value_data : 1
# Expects MinEncryptionLevel = 3, the value the description calls 'High Level'.
type : REGISTRY_SETTING
description : "1.2.4.5.3 Set 'Encryption Level' to 'Enabled:High Level'"
info : "This policy setting specifies whether the computer that is about to host the remote connection will enforce"
info : "an encryption level for all data sent between it and the client computer for the remote session."
solution : "Make sure 'Encryption Level' is set to 'Enabled:High Level'"
reference : "800-53|SC-9,CCE|CCE-22847-8,PCI|2.2.3,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services"
reg_item : "MinEncryptionLevel"
value_data : 3
# Expects fPromptForPassword = 1 so a password supplied by the client (for
# example one saved in a connection file) is not accepted without a prompt.
type : REGISTRY_SETTING
description : "1.2.4.5.4 Set 'Always prompt for password upon connection' to 'Enabled'"
info : "This policy setting specifies whether Terminal Services always prompts the client computer for a"
info : "password upon connection."
solution : "Make sure 'Always prompt for password upon connection' is set to 'Enabled'"
reference : "CCE|CCE-23127-4,800-53|CM-7,PCI|2.2.3,800-53|AC-1,800-53|CM-6,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services"
reg_item : "fPromptForPassword"
value_data : 1
# Expects DisablePasswordSaving = 1 so the Terminal Services client does not
# store connection passwords.
type : REGISTRY_SETTING
description : "1.2.4.5.5 Set 'Do not allow passwords to be saved' to 'Enabled'"
info : "This control defines whether the Terminal Services client will save passwords."
solution : "Make sure 'Do not allow passwords to be saved' is set to 'Enabled'"
reference : "800-53|IA-5,CCE|CCE-21696-0,PCI|2.2.3,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services"
reg_item : "DisablePasswordSaving"
value_data : 1
## 1.2.4.6 Windows Remote Management
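# 'Disallow Digest authentication' = Enabled is stored as AllowDigest = 0.
# The expected value used to be 1, which passed WinRM clients that still permit
# Digest authentication and failed the ones that were configured correctly.
type : REGISTRY_SETTING
description : "1.2.4.6.1 Set 'Disallow Digest authentication' to 'Enabled'"
info : "This policy setting allows you to manage whether the Windows Remote Management (WinRM) client"
info : "will not use Digest authentication."
solution : "Make sure 'Disallow Digest authentication' is set to 'Enabled'"
reference : "CCE|CCE-23167-0,PCI|2.2.3,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client\"
reg_item : "AllowDigest"
value_data : 0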
# Expects AllowBasic = 0 under the WinRM Client policy key, i.e. the WinRM
# client does not use Basic authentication.
type : REGISTRY_SETTING
description : "1.2.4.6.2 Set 'Allow Basic authentication' to 'Disabled'"
info : "This policy setting allows you to manage whether the Windows Remote Management (WinRM) client uses Basic authentication."
solution : "Make sure 'Allow Basic authentication' is set to 'Disabled'"
reference : "CCE|CCE-22490-7,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client\"
reg_item : "AllowBasic"
value_data : 0
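# Service-side counterpart of 1.2.4.6.2: the info text describes the WinRM
# service accepting Basic authentication from remote clients, so the value is
# read from the WinRM\Service key. The item used to read WinRM\Client and so
# repeated the client check, leaving the listener side unaudited.
type : REGISTRY_SETTING
description : "1.2.4.6.3 Set 'Allow Basic authentication' to 'Disabled'"
info : "This policy setting allows you to manage whether the Windows Remote Management (WinRM) service accepts Basic authentication"
info : "from a remote client."
solution : "Make sure 'Allow Basic authentication' is set to 'Disabled'"
reference : "CCE|CCE-22475-8,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\"
reg_item : "AllowBasic"
value_data : 0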
# Expects DisableRunAs = 1 under the WinRM Service policy key so plug-ins
# cannot have RunAs credentials stored for them.
type : REGISTRY_SETTING
description : "1.2.4.6.4 Set 'Disallow WinRM from storing RunAs credentials' to 'Enabled'"
info : "This policy setting allows you to manage whether the Windows Remote Management (WinRM) service will not allow"
info : "RunAs credentials to be stored for any plug-ins."
solution : "Make sure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled'"
reference : "CCE|CCE-21701-8,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\"
reg_item : "DisableRunAs"
value_data : 1
# Expects AllowUnencryptedTraffic = 0 under the WinRM Service policy key.
# Only the Service key is read here; the WinRM Client key has a value of the
# same name that this item does not cover.
type : REGISTRY_SETTING
description : "1.2.4.6.5 Set 'Allow unencrypted traffic' to 'Disabled'"
info : "This policy setting allows you to manage whether the Windows Remote Management (WinRM) service sends and receives"
info : "unencrypted messages over the network."
solution : "Make sure 'Allow unencrypted traffic' is set to 'Disabled'"
reference : "CCE|CCE-23319-7,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\"
reg_item : "AllowUnencryptedTraffic"
value_data : 0
## 1.2.4.7 Windows Update
# Expects RescheduleWaitTimeEnabled = 1. Only the enable flag is read; the
# configured wait time is not checked by this item.
type : REGISTRY_SETTING
description : "1.2.4.7.2 Set 'Reschedule Automatic Updates scheduled installations' to 'Enabled'"
info : "This policy setting determines the amount of time before previously scheduled Automatic Update installations"
info : "will proceed after system startup."
solution : "Make sure 'Reschedule Automatic Updates scheduled installations' is set to 'Enabled'"
reference : "800-53|SI-2,PCI|2.2.3,CCE|CCE-21394-2,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\"
reg_item : "RescheduleWaitTimeEnabled"
value_data : 1
# Expects NoAUAsDefaultShutdownOption = 0, so 'Install Updates and Shut Down'
# may remain the default choice in the Shut Down dialog.
type : REGISTRY_SETTING
description : "1.2.4.7.4 Set 'Do not adjust default option to 'Install Updates and Shut Down' in Shut Down Windows dialog box' to 'Disabled'"
info : "This policy setting allows you to manage whether the 'Install Updates and Shut Down' option is allowed to be the default"
info : "choice in the Shut Down Windows dialog."
solution : "Make sure 'Do not adjust default option to 'Install Updates and Shut Down' in Shut Down Windows dialog box' is set to 'Disabled'"
reference : "CCE|CCE-22748-8,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\"
reg_item : "NoAUAsDefaultShutdownOption"
value_data : 0
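# 'Configure Automatic Updates' = Enabled is stored as NoAutoUpdate = 0;
# NoAutoUpdate = 1 turns automatic updating off. The expected value used to be
# 1, so the item passed hosts with automatic updates disabled and failed the
# ones that were receiving them.
type : REGISTRY_SETTING
description : "1.2.4.7.5 Set 'Configure Automatic Updates' to 'Enabled'"
info : "This policy setting specifies whether computers in your environment will receive security updates from Windows Update or WSUS."
solution : "Make sure 'Configure Automatic Updates' is set to 'Enabled'"
reference : "800-53|SI-2,800-53|CM-3,PCI|2.2.3,CCE|CCE-22199-4,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\"
reg_item : "NoAutoUpdate"
value_data : 0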
# Expects AUOptions = 3, which the description names 'Auto download and notify
# for install'.
type : REGISTRY_SETTING
description : "1.2.4.7.6 Set 'Configure automatic updating' to '3 - Auto download and notify for install'"
info : "This policy setting specifies whether computers in your environment will receive security updates from Windows Update or WSUS."
solution : "Make sure 'Configure automatic updating' is set to '3 - Auto download and notify for install'"
reference : "800-53|SI-2,PCI|2.2.3,800-53|CM-3,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\"
reg_item : "AUOptions"
value_data : 3
# Expects ScheduledInstallDay = 0, which the description names 'Every day'.
type : REGISTRY_SETTING
description : "1.2.4.7.7 Set 'Scheduled install day' to '0 - Every day'"
info : "This policy setting specifies whether computers in your environment will receive security updates from Windows Update or WSUS."
solution : "Make sure 'Scheduled install day' is set to '0 - Every day'"
reference : "Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\"
reg_item : "ScheduledInstallDay"
value_data : 0
# Expects NoAutoRebootWithLoggedOnUsers = 0, so a logged-on user does not hold
# back the restart that completes a scheduled update installation.
type : REGISTRY_SETTING
description : "1.2.4.7.8 Set 'No auto-restart with logged on users for scheduled automatic updates installations' to 'Disabled'"
info : "This policy setting specifies that Automatic Updates will wait for computers to be restarted by the users who are"
info : "logged on to them to complete a scheduled installation."
solution : "Make sure 'No auto-restart with logged on users for scheduled automatic updates installations' is set to 'Disabled'"
reference : "CCE|CCE-22096-2,800-53|IA-2,PCI|2.2.3,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\"
reg_item : "NoAutoRebootWithLoggedOnUsers"
value_data : 0
# Expects NoAUShutdownOption = 0, so the 'Install Updates and Shut Down' option
# stays visible in the Shut Down dialog.
type : REGISTRY_SETTING
description : "1.2.4.7.9 Set 'Do not display 'Install Updates and Shut Down' option in Shut Down Windows dialog box' to 'Disabled'"
info : "This policy setting allows you to manage whether the Install Updates and Shut Down option is displayed in the"
info : "Shut Down Windows dialog box."
solution : "Make sure 'Do not display 'Install Updates and Shut Down' option in Shut Down Windows dialog box' is set to 'Disabled'"
reference : "800-53|SI-2,PCI|2.2.3,800-53|CM-6,CCE|CCE-22285-1,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\"
reg_item : "NoAUShutdownOption"
value_data : 0
# Expects NoDataExecutionPrevention = 0, i.e. DEP is left on for the Explorer
# process.
# NOTE(review): the reference line lists PCI|2.2.3 twice.
type : REGISTRY_SETTING
description : "1.2.4.9 Set 'Turn off Data Execution Prevention for Explorer' to 'Disabled'"
info : "This control defines whether Data Execute Prevention (DEP) is enabled or disabled for the explorer process."
solution : "Make sure 'Turn off Data Execution Prevention for Explorer' is Disabled"
reference : "PCI|2.2.3,800-53|CM-3,CCE|CCE-23124-1,PCI|2.2.3,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\Software\Policies\Microsoft\Windows\Explorer"
reg_item : "NoDataExecutionPrevention"
value_data : 0
# Expects AlwaysInstallElevated = 0 in the machine (HKLM) Installer policy key,
# so Windows Installer packages are not run with elevated privileges for
# ordinary users.
# NOTE(review): the policy also has a per-user (HKCU) value of the same name;
# this item reads HKLM only - confirm the per-user side is audited elsewhere.
type : REGISTRY_SETTING
description : "1.2.4.11 Set 'Always install with elevated privileges' to 'Disabled'"
info : "This setting extends elevated privileges to all programs."
solution : "Make sure 'Always install with elevated privileges' is set to Disabled."
reference : "CCE|CCE-22116-8,PCI|2.2.3,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\Software\Policies\Microsoft\Windows\Installer\"
reg_item : "AlwaysInstallElevated"
value_data : 0
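# EnableSmartScreen values: 0 = SmartScreen off, 1 = warn the user,
# 2 = require approval from an administrator.
# The description asks for administrator approval, which is 2; the expected
# value used to be 1, the weaker warn-only mode.
type : REGISTRY_SETTING
description : "1.2.4.14 Set 'Pick one of the following settings' to 'Enabled:Require approval from an administrator before running downloaded unknown software'"
info : "This policy setting allows you to manage the behavior of Windows SmartScreen."
solution : "Make sure 'Pick one of the following settings' is set to 'Enabled:Require approval from an administrator before running downloaded unknown software'"
reference : "CCE|CCE-21645-7,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\Software\Policies\Microsoft\Windows\System\"
reg_item : "EnableSmartScreen"
value_data : 2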
# Expects AllowRemoteShellAccess = 1, i.e. the host passes when remote shell
# access through WinRS is allowed, as the description states.
# NOTE(review): a passing result means a remote command channel is enabled;
# confirm this direction matches site policy before relying on the result.
type : REGISTRY_SETTING
description : "1.2.4.16 Set 'Allow Remote Shell Access' to 'Enabled'"
info : "This policy setting allows you to manage configuration of remote access to all supported shells to execute scripts and commands."
solution : "Make sure 'Allow Remote Shell Access' is enabled."
reference : "800-53|AC-3,800-53|AC-1,800-53|CM-6,CCE|CCE-22319-8,PCI|1.2.1,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\Software\Policies\Microsoft\Windows\WinRM\Service\WinRS"
reg_item : "AllowRemoteShellAccess"
value_data : 1
## 2 User Configuration
# Expects ScanWithAntiVirus = 3 in the per-user Attachments policy key.
# NOTE(review): this item reads HKCU, while the screen saver items in this
# section read HKU; presumably HKCU reflects only the scanning account's hive -
# confirm which users are covered.
type : REGISTRY_SETTING
description : "2.3 Set 'Notify antivirus programs when opening attachments' to 'Enabled'"
info : "This control defines whether antivirus program to be notified when opening attachments."
solution : "Make sure 'Notify antivirus programs when opening attachments' is Enabled."
reference : "800-53|SI-3,PCI|5.1.1,CCE|CCE-23008-6,PCI|5.1,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments"
reg_item : "ScanWithAntiVirus"
value_data : 3
# Expects SaveZoneInformation = 2, the value used here for 'Do not preserve
# zone information' being Disabled, so downloaded attachments keep the record
# of the zone they came from.
type : REGISTRY_SETTING
description : "2.4 Set 'Do not preserve zone information in file attachments' to 'Disabled'"
info : "This control defines whether the zone of origin of the file attachments is preserved."
solution : "Make sure 'Do not preserve zone information in file attachments' is Disabled."
reference : "800-53|CM-6,CCE|CCE-22010-3,PCI|2.2.3,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments"
reg_item : "SaveZoneInformation"
value_data : 2
# Expects ScreenSaverIsSecure = 1 in each user hive under HKU. The SIDs in
# reg_ignore_hku_users (S-1-5-18/19/20: the built-in service accounts) are
# skipped, and CAN_NOT_BE_NULL requires the value to be present.
type : REGISTRY_SETTING
description : "2.8 Set 'Password protect the screen saver' to 'Enabled'"
info : "This control enforces password protection on the system when screen saver is enabled."
solution : "Make sure 'Password protect the screen saver' is Enabled."
reference : "800-53|IA-5,800-53|AC-1,800-53|CM-6,CCE|CCE-21963-4,PCI|2.2.3,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
value_type : POLICY_DWORD
value_data : 1
reg_key : "HKU\Software\Policies\Microsoft\Windows\Control Panel\Desktop"
reg_item : "ScreenSaverIsSecure"
reg_ignore_hku_users : "S-1-5-18,S-1-5-19,S-1-5-20"
reg_option : CAN_NOT_BE_NULL
# Expects ScreenSaveActive = 1 in each user hive under HKU, skipping the
# built-in service account SIDs listed in reg_ignore_hku_users.
# NOTE(review): unlike items 2.8, 2.10 and 2.11 this item has no
# 'reg_option : CAN_NOT_BE_NULL'; confirm whether a missing value should pass.
type : REGISTRY_SETTING
description : "2.9 Set 'Enable screen saver' to 'Enabled'"
info : "This policy setting allows you to manage whether or not screen savers run."
solution : "Make sure 'Enable screen saver' is set to 'Enabled'"
reference : "CCE|CCE-21766-1,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKU\Software\Policies\Microsoft\Windows\Control Panel\Desktop"
reg_item : "ScreenSaveActive"
value_data : 1
reg_ignore_hku_users : "S-1-5-18,S-1-5-19,S-1-5-20"
# Expects ScreenSaveTimeOut to be at most 900 seconds in each user hive under
# HKU; the value must be present (CAN_NOT_BE_NULL).
# NOTE(review): the lower bound is MIN, so a timeout of 0 would presumably
# pass as well; confirm whether 0 (no idle timeout) should be excluded.
type : REGISTRY_SETTING
description : "2.10 Set 'Seconds' to 'Enabled:900 or fewer seconds'"
info : "This control defines the timeout setting for screen saver."
solution : "Make sure 'Seconds' is set to 'Enabled:900 or fewer seconds'"
reference : "800-53|AC-1,CCE|CCE-21525-1,PCI|2.2.3,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKU\Software\Policies\Microsoft\Windows\Control Panel\Desktop"
reg_item : "ScreenSaveTimeOut"
value_data : [MIN..900]
reg_ignore_hku_users : "S-1-5-18,S-1-5-19,S-1-5-20"
reg_option : CAN_NOT_BE_NULL
# Expects the text value SCRNSAVE.EXE to be "scrnsave.scr" in each user hive
# under HKU, so the configured screen saver is the named one rather than an
# arbitrary executable. The value must be present (CAN_NOT_BE_NULL).
# NOTE(review): the info text repeats the wording of item 2.9.
type : REGISTRY_SETTING
description : "2.11 Set 'Screen saver executable name' to 'Enabled:scrnsave.scr'"
info : "This policy setting allows you to manage whether or not screen savers run."
solution : "Make sure 'Screen saver executable name' is set to 'Enabled:scrnsave.scr'"
reference : "PCI|2.2.3,800-53|AC-1,CCE|CCE-22959-1,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf"
value_type : POLICY_TEXT
value_data : "scrnsave.scr"
reg_key : "HKU\Software\Policies\Microsoft\Windows\Control Panel\Desktop"
reg_item : "SCRNSAVE.EXE"
reg_ignore_hku_users : "S-1-5-18,S-1-5-19,S-1-5-20"
reg_option : CAN_NOT_BE_NULL