# (C) 2015 Tenable Network Security, Inc.
#
# This script is released under the Tenable Subscription License and
# may not be used from within scripts released under another license
# without authorization from Tenable Network Security, Inc.
#
# See the following licenses for details:
#
# http://static.tenable.com/prod_docs/Nessus_6_SLA_and_Subscription_Agreement.pdf
#
# @PROFESSIONALFEED@
#
# $Revision: 1.0 $
# $Date: Wed Apr 15 16:35:47 2015 -0400 $
#
# Description : # This document consists of a list of Microsoft Windows 8.1 security settings (Level 1) as suggested by
# the CIS Microsoft Windows 8 Benchmark v1.1.0.
#
# Tenable has made a best effort to map the settings specified in the standard to a proprietary
# .audit format that will be used by the Windows compliance module to perform the audit.
#
# See Also:
# https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf
#
#
#Safeguards Windows 8.1 Audit File v1.3 11-31-2016
#
description : "Safeguards Audit File for MS Microsoft Windows 8.1, from CIS Microsoft Windows 8.1 Benchmark v1.1.0"
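# OS version check: ProductName must contain "Windows 8.1" ("Windows" in any
# letter case), surrounded only by letters, digits, parentheses or whitespace.
# NOTE(review): presumably the applicability condition for the checks that
# follow - confirm against the enclosing structure, which is not visible here.
type : REGISTRY_SETTING
description : "Windows 8.1 is installed"
value_type : POLICY_TEXT
value_data : "^[a-zA-Z0-9\(\)\s]*[Ww][Ii][Nn][Dd][Oo][Ww][Ss] 8\.1[a-zA-Z0-9\(\)\s]*$"
reg_key : "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
reg_item : "ProductName"
check_type : CHECK_REGEX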
## 1 Account Policies
## 1.1 Password Policy
type : PASSWORD_POLICY
description : "1.1.1 Set 'Enforce password history' to '24 or more'"
info : "This policy setting determines the number of renewed, unique passwords that have to be associated with a user"
info : "account before you can reuse an old password."
reference : "PCI|8.5.12,CCE|CCE-35219-5,Level|1S,800-53|IA-5,800-53|CM-6"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
solution : "Make sure 'Enforce password history' is set to a minimum of 24 passwords."
value_type : POLICY_DWORD
password_policy : ENFORCE_PASSWORD_HISTORY
value_data : [24..MAX]
type : PASSWORD_POLICY
description : "1.1.3 Set 'Minimum password age' to '1 or more day(s)'"
info : "This policy setting determines the number of days that you must use a password before you can change it."
reference : "800-53|IA-5,PCI|8.5,CCE|CCE-35366-4,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
solution : "Make sure minimum password age is set to a minimum of 1 day."
value_type : TIME_DAY
password_policy : MINIMUM_PASSWORD_AGE
value_data : [1..MAX]
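# Requirement is 14 characters: description, solution and value_data must all
# state the same minimum, otherwise remediation guidance undershoots the check.
type : PASSWORD_POLICY
description : "1.1.4 Set 'Minimum password length' to '14 or more character(s)'"
info : "This policy setting determines the least number of characters that make up a password for a user account."
reference : "800-53|IA-5,PCI|8.5.10,CCE|CCE-33789-9,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
solution : "Make sure 'Minimum password length' is set to a minimum of 14 characters."
value_type : POLICY_DWORD
password_policy : MINIMUM_PASSWORD_LENGTH
value_data : [14..MAX]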
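# Boolean policy: the expected state is "Enabled"; the solution text names that
# state rather than a password count.
type : PASSWORD_POLICY
description : "1.1.5 Set 'Password must meet complexity requirements' to 'Enabled'"
info : "This policy setting checks all new passwords to ensure that they meet basic requirements for strong passwords."
reference : "800-53|IA-5,PCI|8.5,CCE|CCE-33777-4,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
solution : "Make sure 'Password must meet complexity requirements' is set to Enabled."
value_type : POLICY_SET
password_policy : COMPLEXITY_REQUIREMENTS
value_data : "Enabled"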
type : PASSWORD_POLICY
description : "1.1.6 Set 'Store passwords using reversible encryption' to 'Disabled'"
info : "This policy setting determines whether the operating system stores passwords in a way that uses reversible"
info : "encryption, which provides support for application protocols that require knowledge of the user's password"
info : "for authentication purposes."
reference : "800-53|IA-5,800-53|AU-9,PCI|8.4,CCE|CCE-35370-6,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
solution : "Make sure 'Store passwords using reversible encryption' is disabled."
value_type : POLICY_SET
password_policy : REVERSIBLE_ENCRYPTION
value_data : "Disabled"
## 1.2 Account Lockout Policy
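# Lockout duration floor is 120 minutes, as stated in the description and the
# solution text.
# NOTE(review): a lower bound of 15 would let a 15-minute lockout pass while the
# report text demands 120; confirm 120 against the governing Safeguards
# requirement before deploying.
type : LOCKOUT_POLICY
description : "1.2.1 Set 'Account lockout duration' to '120 or greater'"
info : "This policy setting determines the length of time that must pass before a locked account is unlocked and a"
info : "user can try to log on again."
reference : "PCI|8.5.14,CCE|CCE-35409-2,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
solution : "Make sure 'Account lockout duration' is set to 120 or greater"
value_type : TIME_MINUTE
lockout_policy : LOCKOUT_DURATION
value_data : [120..MAX]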
# Accepts 1 to 3 failed attempts. The range starts at 1 because, per the
# description, a threshold of 0 must not pass (on Windows, 0 disables lockout).
type : LOCKOUT_POLICY
description : "1.2.2 Set 'Account lockout threshold' to '3 or fewer but not 0 invalid logon attempt(s)'"
info : "This policy setting determines the number of failed logon attempts before a lock occurs."
reference : "PCI|8.5.13,CCE|CCE-33728-7,Level|1S,800-53|AC-1"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
solution : "Make sure 'Account lockout threshold' is set to 3 or fewer but not 0 invalid attempts."
value_type : POLICY_DWORD
lockout_policy : LOCKOUT_THRESHOLD
value_data : [1..3]
check_type : CHECK_EQUAL
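# Counter-reset floor is 120 minutes, as stated in the description and the
# solution text.
# NOTE(review): a lower bound of 15 would let a 15-minute reset window pass
# while the report text demands 120; confirm 120 against the governing
# Safeguards requirement before deploying.
type : LOCKOUT_POLICY
description : "1.2.3 Set 'Reset account lockout counter after' to '120 minutes or greater'"
info : "This policy setting determines the length of time before the Account lockout threshold resets to zero."
reference : "PCI|8.5,CCE|CCE-35408-4,Level|1S,800-53|AC-7"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
solution : "Make sure 'Reset account lockout counter after' is set to 120 minutes or greater."
value_type : TIME_MINUTE
lockout_policy : LOCKOUT_RESET
value_data : [120..MAX]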
## 2 Local Policies
## 2.1 Audit Policy
## 2.2 User Rights Assignment
type : USER_RIGHTS_POLICY
description : "2.2.1 Set 'Access Credential Manager as a trusted caller' to 'No One'"
info : "This security setting is used by Credential Manager during Backup and Restore."
solution : "Make sure 'Access Credential Manager as a trusted caller' is set no one."
reference : "800-53|AC-3,PCI|7.2.2,PCI|7.1.2,PCI|7.2.1,CCE|CCE-35457-1,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
value_type : USER_RIGHT
right_type : SeTrustedCredManAccessPrivilege
value_data : ""
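# Network logon right: expected holders are Administrators and Authenticated
# Users, matching value_data.
type : USER_RIGHTS_POLICY
description : "2.2.2 Set 'Access this computer from the network' to 'Administrators, Authenticated Users'"
info : "This policy setting allows other users on the network to connect to the computer and is required by various"
info : "network protocols that include Server Message Block (SMB)-based protocols, NetBIOS, Common Internet File System (CIFS),"
info : "and Component Object Model Plus (COM+)."
solution : "Make sure 'Access this computer from the network' is set to administrators and authenticated users."
reference : "800-53|AC-3,800-53|CM-6,PCI|7.2.2,CCE|CCE-32928-4,PCI|7.1.3,PCI|7.1.2,PCI|7.2.1,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
value_type : USER_RIGHT
right_type : SeNetworkLogonRight
value_data : "administrators" && "authenticated users"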
type : USER_RIGHTS_POLICY
description : "2.2.3 Set 'Act as part of the operating system' to 'No One'"
info : "This policy setting allows a process to assume the identity of any user and thus gain access to the resources that"
info : "the user is authorized to access."
solution : "Make sure no one can act as part of the operating system."
reference : "800-53|IA-2,800-53|AC-1,PCI|7.2.2,CCE|CCE-35403-5,PCI|7.1.2,PCI|7.2.1,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
value_type : USER_RIGHT
right_type : SeTcbPrivilege
value_data : ""
type : USER_RIGHTS_POLICY
description : "2.2.4 Set 'Adjust memory quotas for a process' to 'Administrators, Local Service, Network Service'"
info : "This policy setting allows a user to adjust the maximum amount of memory that is available to a process."
solution : "Make sure 'Adjust memory quotas for a process' is set to administrators, local service and network service."
reference : "800-53|AC-3,800-53|AC-6,PCI|7.2.2,CCE|CCE-35490-2,PCI|7.1.3,PCI|7.1.2,PCI|7.2.1,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
value_type : USER_RIGHT
right_type : SeIncreaseQuotaPrivilege
value_data : "administrators" && "local service" && "network service"
type : USER_RIGHTS_POLICY
description : "2.2.5 Set 'Allow log on locally' to 'Administrators, Users'"
info : "This policy setting determines which users can interactively log on to computers in your environment."
solution : "Make sure 'Allow log on locally' is set to administrators and users."
reference : "800-53|AC-3,PCI|7.2.2,PCI|7.1.3,PCI|7.1.2,CCE|CCE-35640-2,PCI|7.2.1"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
value_type : USER_RIGHT
right_type : SeInteractiveLogonRight
value_data : "administrators" && "users"
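# Remote Desktop logon right: expected holders are Administrators and Remote
# Desktop Users; the solution text names both so it agrees with value_data.
type : USER_RIGHTS_POLICY
description : "2.2.6 Set 'Allow log on through Remote Desktop Services' to 'Administrators, Remote Desktop Users'"
info : "This policy setting determines which users or groups have the right to log on as a Terminal Services client."
solution : "Make sure 'Allow log on through Remote Desktop Services' is set to administrators and remote desktop users."
reference : "PCI|7.2.2,PCI|7.1.3,PCI|7.1.2,CCE|CCE-24406-1,PCI|7.2.1"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
value_type : USER_RIGHT
right_type : SeRemoteInteractiveLogonRight
value_data : "Administrators" && "Remote Desktop Users"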
type : USER_RIGHTS_POLICY
description : "2.2.7 Set 'Back up files and directories' to 'Administrators'"
info : "This policy setting allows users to circumvent file and directory permissions to back up the system."
solution : "Make sure 'Back up files and directories' is set to administrators."
reference : "800-53|CP-9,PCI|7.2.2,PCI|7.1.3,PCI|7.1.2,PCI|7.2.1,CCE|CCE-35699-8,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
value_type : USER_RIGHT
right_type : SeBackupPrivilege
value_data : "administrators"
type : USER_RIGHTS_POLICY
description : "2.2.8 Set 'Change the system time' to 'LOCAL SERVICE, Administrators'"
info : "This policy setting determines which users and groups can change the time and date on the internal clock of the"
info : "computers in your environment."
solution : "Make sure 'Change the system time' is set to local service and administrators."
reference : "800-53|AU-8,800-53|CM-7,PCI|7.2.2,CCE|CCE-33094-4,PCI|7.1.3,PCI|7.1.2,PCI|7.2.1,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
value_type : USER_RIGHT
right_type : SeSystemTimePrivilege
value_data : "administrators" && "local service"
type : USER_RIGHTS_POLICY
description : "2.2.9 Set 'Change the time zone' to 'LOCAL SERVICE, Administrators, Users'"
info : "This setting determines which users can change the time zone of the computer."
solution : "Make sure 'Change the time zone' is set to local service, administrators, and users."
reference : "PCI|7.2.2,CCE|CCE-33431-8,PCI|7.1.3,PCI|7.1.2,PCI|7.2.1,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
value_type : USER_RIGHT
right_type : SeTimeZonePrivilege
value_data : "administrators" && "local service" && "users"
type : USER_RIGHTS_POLICY
description : "2.2.10 Set 'Create a pagefile' to 'Administrators'"
info : "This policy setting allows users to change the size of the pagefile."
solution : "Make sure 'Create a pagefile' is set to administrators."
reference : "800-53|AC-3,800-53|CM-6,PCI|7.2.2,CCE|CCE-33051-4,PCI|7.1.3,PCI|7.1.2,PCI|7.2.1,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
value_type : USER_RIGHT
right_type : SeCreatePagefilePrivilege
value_data : "Administrators"
type : USER_RIGHTS_POLICY
description : "2.2.11 Set 'Create a token object' to 'No One'"
info : "This policy setting allows a process to create an access token, which may provide elevated rights to"
info : "access sensitive data."
solution : "Make sure no one has the user right 'Create a token object'"
reference : "PCI|7.2.2,PCI|7.1.2,CCE|CCE-33779-0,PCI|7.2.1"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
value_type : USER_RIGHT
right_type : SeCreateTokenPrivilege
value_data : ""
type : USER_RIGHTS_POLICY
description : "2.2.12 Set 'Create global objects' to 'Administrators, SERVICE, LOCAL SERVICE, NETWORK SERVICE'"
info : "This policy setting determines whether users can create global objects that are available to all sessions."
solution : "Make sure 'Create global objects' is set to administrators, service, local service and network service."
reference : "800-53|AC-3,800-53|CM-6,PCI|7.2.2,PCI|7.1.3,CCE|CCE-33095-1,PCI|7.1.2,PCI|7.2.1,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
value_type : USER_RIGHT
right_type : SeCreateGlobalPrivilege
value_data : "administrators" && "local service" && "network service" && "service"
type : USER_RIGHTS_POLICY
description : "2.2.13 Set 'Create permanent shared objects' to 'No One'"
info : "This user right is useful to kernel-mode components that extend the object namespace."
solution : "Make sure 'Create permanent shared objects' is set to No One."
reference : "800-53|AC-3,800-53|CM-6,PCI|7.2.2,CCE|CCE-33780-8,PCI|7.1.2,PCI|7.2.1,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
value_type : USER_RIGHT
right_type : SeCreatePermanentPrivilege
value_data : ""
type : USER_RIGHTS_POLICY
description : "2.2.14 Set 'Create symbolic links' to 'Administrators'"
info : "This policy setting determines which users can create symbolic links."
solution : "Make sure 'Create symbolic links' is set to administrators."
reference : "800-53|CM-7,800-53|CM-6,PCI|7.2.2,PCI|7.1.3,PCI|7.1.2,PCI|7.2.1,CCE|CCE-33053-0,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
value_type : USER_RIGHT
right_type : SeCreateSymbolicLinkPrivilege
value_data : "administrators"
type : USER_RIGHTS_POLICY
description : "2.2.15 Set 'Debug programs' to 'Administrators'"
info : "This policy setting determines which user accounts will have the right to attach a debugger to any process"
info : "or to the kernel."
solution : "Make sure 'Debug programs' is set to administrators only."
reference : "800-53|AC-3,PCI|7.2.2,CCE|CCE-33157-9,PCI|7.1.3,PCI|7.1.2,PCI|7.2.1,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
value_type : USER_RIGHT
right_type : SeDebugPrivilege
value_data : "Administrators"
type : USER_RIGHTS_POLICY
description : "2.2.16 Set 'Deny access to this computer from the network' to include 'Guests, Local account'"
info : "This policy setting prohibits users from connecting to a computer from across the network."
solution : "Make sure 'Deny access to this computer from the network' is set to guests and local account."
reference : "800-53|IA-2,PCI|7.2.2,CCE|CCE-34173-5,PCI|7.1.2,PCI|7.2.1,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
value_type : USER_RIGHT
right_type : SeDenyNetworkLogonRight
value_data : "guests" && "local account"
type : USER_RIGHTS_POLICY
description : "2.2.17 Set 'Deny log on as a batch job' to 'Guests'"
info : "This policy setting determines which accounts will not be able to log on to the computer as a batch job."
solution : "Make sure 'Deny log on as a batch job' is set to guests."
reference : "PCI|7.2.2,PCI|7.1.2,PCI|7.2.1,CCE|CCE-35461-3,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
value_type : USER_RIGHT
right_type : SeDenyBatchLogonRight
value_data : "guests"
type : USER_RIGHTS_POLICY
description : "2.2.18 Set 'Deny log on as a service' to include 'Guests'"
info : "This security setting determines which service accounts are prevented from registering a process as a service."
solution : "Make sure 'Deny log on as service' is set to 'Guests'."
reference : "PCI|7.2.2,PCI|7.1.2,PCI|7.2.1,CCE|CCE-33731-1,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
value_type : USER_RIGHT
right_type : SeDenyServiceLogonRight
value_data : "Guests"
type : USER_RIGHTS_POLICY
description : "2.2.19 Set 'Deny log on locally' to 'Guests'"
info : "This security setting determines which users are prevented from logging on at the computer."
solution : "Make sure 'Deny log on locally' is set to guest accounts only."
reference : "800-53|IA-2,PCI|7.2.2,CCE|CCE-35293-0,PCI|7.1.2,PCI|7.2.1,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
value_type : USER_RIGHT
right_type : SeDenyInteractiveLogonRight
value_data : "Guests"
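# Deny-RDP-logon right: expected to include both Guests and Local account, as
# the description states.
# Exactly one value_data line: a repeated key leaves it unclear which expected
# value the scanner applies, and a "Guests"-only match would not verify that
# local accounts are denied.
type : USER_RIGHTS_POLICY
description : "2.2.20 Set 'Deny log on through Remote Desktop Services' to include 'Guests, Local account'"
info : "This policy setting determines whether users can log on as Terminal Services clients."
solution : "Make sure 'Deny log on through Remote Desktop Services' is set to include 'Guests, Local account'."
reference : "PCI|7.2.2,PCI|7.1.2,PCI|7.2.1,CCE|CCE-33787-3,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
value_type : USER_RIGHT
right_type : SeDenyRemoteInteractiveLogonRight
value_data : "guests" && "local account"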
type : USER_RIGHTS_POLICY
description : "2.2.21 Set 'Enable computer and user accounts to be trusted for delegation' to 'No One'"
info : "This policy setting allows users to change the Trusted for Delegation setting on a computer object in Active Directory."
solution : "Make sure 'Enable computer and user accounts to be trusted for delegation' is set to no one."
reference : "800-53|AC-3,800-53|CM-6,PCI|7.2.2,CCE|CCE-33778-2,PCI|7.1.3,PCI|7.1.2,PCI|7.2.1,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
value_type : USER_RIGHT
right_type : SeEnableDelegationPrivilege
value_data : ""
type : USER_RIGHTS_POLICY
description : "2.2.22 Set 'Force shutdown from a remote system' to 'Administrators'"
info : "This policy setting allows users to shut down Windows Vista-based computers from remote locations on the network."
solution : "Make sure 'Force shutdown from a remote system' is set to administrators."
reference : "800-53|AC-1,PCI|7.2.2,PCI|7.1.3,PCI|7.1.2,CCE|CCE-33715-4,PCI|7.2.1,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
value_type : USER_RIGHT
right_type : SeRemoteShutdownPrivilege
value_data : "Administrators"
type : USER_RIGHTS_POLICY
description : "2.2.23 Set 'Generate security audits' to 'LOCAL SERVICE, NETWORK SERVICE'"
info : "This policy setting determines which users or processes can generate audit records in the Security log."
solution : "Make sure 'Generate security audits' is set to Local Service and Network Service."
reference : "800-53|AU-2,PCI|7.2.2,CCE|CCE-35363-1,PCI|7.1.2,PCI|7.2.1,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
value_type : USER_RIGHT
right_type : SeAuditPrivilege
value_data : "local service" && "network service"
type : USER_RIGHTS_POLICY
description : "2.2.24 Set 'Impersonate a client after authentication' to 'Administrators, SERVICE, Local Service, Network Service'"
info : "The policy setting allows programs that run on behalf of a user to impersonate that user so that they can act"
info : "on behalf of the user."
solution : "Make sure 'Impersonate a client after authentication' is set to Administrators, SERVICE, Local Service and Network Service."
reference : "800-53|AC-2,PCI|7.2.2,PCI|7.1.3,PCI|7.1.2,CCE|CCE-34021-6,PCI|7.2.1"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
value_type : USER_RIGHT
right_type : SeImpersonatePrivilege
value_data : "administrators" && "local service" && "Service" && "Network Service"
type : USER_RIGHTS_POLICY
description : "2.2.25 Set 'Increase scheduling priority' to 'Administrators'"
info : "This policy setting determines whether users can increase the base priority class of a process."
solution : "Make sure 'Increase scheduling priority' is set to Administrators."
reference : "800-53|AC-3,800-53|CM-6,PCI|7.2.2,CCE|CCE-35178-3,PCI|7.1.3,PCI|7.1.2,PCI|7.2.1,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
value_type : USER_RIGHT
right_type : SeIncreaseBasePriorityPrivilege
value_data : "Administrators"
type : USER_RIGHTS_POLICY
description : "2.2.26 Set 'Load and unload device drivers' to 'Administrators'"
info : "This policy setting allows users to dynamically load a new device driver on a system."
solution : "Make sure 'Load and unload device drivers' is set to Administrators."
reference : "800-53|CM-5,800-53|CM-6,PCI|7.2.2,CCE|CCE-34903-5,PCI|7.1.3,PCI|7.1.2,PCI|7.2.1,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
value_type : USER_RIGHT
right_type : SeLoadDriverPrivilege
value_data : "Administrators"
type : USER_RIGHTS_POLICY
description : "2.2.27 Set 'Lock pages in memory' to 'No One'"
info : "This policy setting allows a process to keep data in physical memory, which prevents the system from paging the data"
info : "to virtual memory on disk."
solution : "Make sure 'Lock pages in memory' is set to 'no one'."
reference : "800-53|SI-3,PCI|7.2.2,CCE|CCE-33807-9,PCI|7.1.2,PCI|7.2.1,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
value_type : USER_RIGHT
right_type : SeLockMemoryPrivilege
value_data : ""
type : USER_RIGHTS_POLICY
description : "2.2.28 Set 'Manage auditing and security log' to 'Administrators'"
info : "This policy setting determines which users can change the auditing options for files and directories and clear"
info : "the Security log."
solution : "Make sure 'Manage auditing and security log' is set to Administrators."
reference : "PCI|7.2.2,800-53|AU-2,CCE|CCE-35275-7,PCI|7.1.3,PCI|7.1.2,PCI|7.2.1,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
value_type : USER_RIGHT
right_type : SeSecurityPrivilege
value_data : "Administrators"
type : USER_RIGHTS_POLICY
description : "2.2.29 Set 'Modify an object label' to 'No one'"
info : "This privilege determines which user accounts can modify the integrity label of objects, such as files, registry keys,"
info : "or processes owned by other users."
solution : "Make sure 'Modify an object label' is set to no one."
reference : "800-53|AC-3,800-53|CM-6,PCI|7.2.2,PCI|7.1.2,CCE|CCE-34913-4,PCI|7.2.1,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
value_type : USER_RIGHT
right_type : SeReLabelPrivilege
value_data : ""
type : USER_RIGHTS_POLICY
description : "2.2.30 Set 'Modify firmware environment values' to 'Administrators'"
info : "This policy setting allows users to configure the system-wide environment variables that affect hardware configuration."
solution : "Make sure 'Modify firmware environment values' is set to Administrators."
reference : "PCI|7.2.2,CCE|CCE-35183-3,PCI|7.1.3,PCI|7.1.2,PCI|7.2.1,800-53|CM-3,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
value_type : USER_RIGHT
right_type : SeSystemEnvironmentPrivilege
value_data : "administrators"
type : USER_RIGHTS_POLICY
description : "2.2.31 Set 'Perform volume maintenance tasks' to 'Administrators'"
info : "This policy setting allows users to manage the system's volume or disk configuration, which could allow a user"
info : "to delete a volume and cause data loss as well as a denial-of-service condition."
solution : "Make sure 'Perform volume maintenance tasks' is set to Administrators."
reference : "800-53|AC-3,800-53|CP-9,800-53|CM-6,PCI|7.2.2,PCI|7.1.3,CCE|CCE-35369-8,PCI|7.1.2,PCI|7.2.1,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
value_type : USER_RIGHT
right_type : SeManageVolumePrivilege
value_data : "administrators"
type : USER_RIGHTS_POLICY
description : "2.2.32 Set 'Profile single process' to 'Administrators'"
info : "This policy setting determines which users can use tools to monitor the performance of non-system processes."
solution : "Make sure 'Profile single process' is set to Administrators."
reference : "800-53|CM-6,PCI|7.2.2,CCE|CCE-35000-9,PCI|7.1.3,PCI|7.1.2,PCI|7.2.1,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
value_type : USER_RIGHT
right_type : SeProfileSingleProcessPrivilege
value_data : "administrators"
type : USER_RIGHTS_POLICY
description : "2.2.33 Set 'Profile system performance' to 'NT SERVICE\WdiServiceHost,Administrators'"
info : "This policy setting allows users to use tools to view the performance of different system processes,"
info : "which could be abused to allow attackers to determine a system's active processes and provide insight"
info : "into the potential attack surface of the computer."
solution : "Make sure 'Profile system performance' is set to Administrators and NT SERVICE\WdiServiceHost."
reference : "800-53|CM-6,PCI|7.2.2,CCE|CCE-35001-7,PCI|7.1.3,PCI|7.1.2,PCI|7.2.1,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
value_type : USER_RIGHT
right_type : SeSystemProfilePrivilege
value_data : "wdiservicehost" && "administrators"
type : USER_RIGHTS_POLICY
description : "2.2.34 Set 'Replace a process level token' to 'Local Service, Network Service'"
info : "This policy setting allows one process or service to start another service or process with a different"
info : "security access token."
solution : "Make sure 'Replace a process level token' is set to Local Service and Network Service."
reference : "800-53|CM-7,800-53|CM-6,PCI|7.2.2,CCE|CCE-35003-3,PCI|7.1.2,PCI|7.2.1,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
value_type : USER_RIGHT
right_type : SeAssignPrimaryTokenPrivilege
value_data : "Local Service" && "Network Service"
type : USER_RIGHTS_POLICY
description : "2.2.35 Set 'Restore files and directories' to 'Administrators'"
info : "This policy setting determines which users can bypass file, directory, registry, and other persistent object permissions"
info : "when restoring backed up files and directories on computers that run Windows Vista in your environment."
solution : "Make sure 'Restore files and directories' is set to Administrators."
reference : "PCI|7.2.2,800-53|CP-9,CCE|CCE-35067-8,PCI|7.1.3,PCI|7.1.2,PCI|7.2.1,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
value_type : USER_RIGHT
right_type : SeRestorePrivilege
value_data : "administrators"
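# Shutdown right: expected holders are Administrators and Users; the solution
# text names both so it agrees with the description and value_data.
type : USER_RIGHTS_POLICY
description : "2.2.36 Set 'Shut down the system' to 'Administrators, Users'"
info : "This policy setting determines which users can shut down the operating system with the Shut Down command."
solution : "Make sure 'Shut down the system' is set to Administrators and Users."
reference : "800-53|AC-3,800-53|CM-7,800-53|CM-6,PCI|7.2.2,CCE|CCE-35004-1,PCI|7.1.3,PCI|7.1.2,PCI|7.2.1,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
value_type : USER_RIGHT
right_type : SeShutdownPrivilege
value_data : "administrators" && "users"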
type : USER_RIGHTS_POLICY
description : "2.2.37 Set 'Take ownership of files or other objects' to 'Administrators'"
info : "This policy setting allows users to take ownership of files, folders, registry keys, processes, or threads."
solution : "Make sure 'Take ownership of files or other objects' is set to Administrators."
reference : "800-53|CM-6,PCI|7.2.2,CCE|CCE-35009-0,PCI|7.1.3,PCI|7.1.2,PCI|7.2.1,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
value_type : USER_RIGHT
right_type : SeTakeOwnershipPrivilege
value_data : "administrators"
## 2.3 Security Options
## 2.3.1 Accounts
type : CHECK_ACCOUNT
description : "2.3.1.1 Set 'Accounts: Administrator account status' to 'Disabled'."
info : "This policy setting enables or disables the Administrator account during normal operation."
reference : "800-53|AC-3,800-53|AC-6,CCE|CCE-33511-7,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
solution : "Make sure 'Accounts: Administrator account status' is set to Disabled."
value_type : POLICY_SET
value_data : "Disabled"
account_type : ADMINISTRATOR_ACCOUNT
type : REGISTRY_SETTING
description : "2.3.1.2 Set 'Accounts: Block Microsoft accounts' to 'Users can't add or log on with Microsoft accounts'"
info : "This policy setting prevents users from adding new Microsoft accounts on this computer."
solution : "Make sure 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts'"
reference : "CCE|CCE-35487-8,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\"
reg_item : "NoConnectedUser"
value_data : 3
type : CHECK_ACCOUNT
description : "2.3.1.3 Set 'Accounts: Guest account status' to 'Disabled'"
info : "This policy setting determines whether the Guest account is enabled or disabled."
reference : "800-53|AC-3,800-53|SC-5,800-53|CM-7,800-53|CM-6,PCI|2.1,CCE|CCE-33949-9,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
solution : "Make sure 'Accounts: Guest account status' is set to Disabled."
value_type : POLICY_SET
value_data : "Disabled"
account_type : GUEST_ACCOUNT
type : REGISTRY_SETTING
description : "2.3.1.4 Set 'Accounts: Limit local account use of blank passwords to console logon only' to 'Enabled'"
info : "This policy setting determines whether local accounts that are not password protected can be used to log on from"
info : "locations other than the physical computer console."
reference : "800-53|AC-3,800-53|SC-5,800-53|CM-7,800-53|CM-6,CCE|CCE-32929-2,PCI|2.2.3,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
solution : "Make sure 'Accounts: Limit local account use of blank passwords to console logon only' is enabled."
value_type : POLICY_DWORD
reg_key : "HKLM\System\CurrentControlSet\Control\Lsa\"
reg_item : "LimitBlankPasswordUse"
value_data : 1
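# CIS 2.3.1.5: intended to pass only when the built-in administrator account
# has been renamed away from the listed default names.
# NOTE(review): confirm how the compliance engine combines "||" with
# CHECK_NOT_EQUAL. If the alternatives are OR-ed after negation, every account
# name would satisfy the check. Also confirm whether the comparison is
# case-sensitive.
type : CHECK_ACCOUNT
description : "2.3.1.5 Configure 'Accounts: Rename administrator account'"
info : "This control recommends choosing a name for the built-in local administrator account that is different"
info : "from the default."
solution : "Make sure 'Rename administrator account' is not set to Administrator or Admin (non standard)."
reference : "CCE|CCE-33034-0,800-53|AC-7,800-53|CM-6,PCI|2.1,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
value_type : POLICY_TEXT
account_type : ADMINISTRATOR_ACCOUNT
value_data : "Administrator" || "admin"
check_type : CHECK_NOT_EQUAL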
# CIS 2.3.1.6: passes when the built-in guest account name differs from the
# string in value_data.
# NOTE(review): value_data is lower-case "guest" while the Windows default name
# is "Guest"; confirm the comparison is case-insensitive, otherwise an
# unrenamed account would pass.
type : CHECK_ACCOUNT
description : "2.3.1.6 Configure 'Accounts: Rename guest account'"
info : "This control recommends choosing a name for the built-in local guest account that is different"
info : "from the default."
solution : "Make sure 'Accounts: Rename guest account' is not set to guest."
reference : "800-53|AC-7,800-53|CM-6,PCI|2.1,CCE|CCE-35488-6,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
value_type : POLICY_TEXT
account_type : GUEST_ACCOUNT
value_data : "guest"
check_type : CHECK_NOT_EQUAL
## 2.3.2 Audit
type : REGISTRY_SETTING
description : "2.3.2.1 Set 'Audit: Force audit policy subcategory settings to override audit policy category settings' to 'Enabled'"
info : "This policy setting allows administrators to enable the more precise auditing capabilities present in Windows Vista."
reference : "800-53|AU-2,CCE|CCE-35533-9,PCI|10.2,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
solution : "Make sure 'Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings' is set to enabled."
value_type : POLICY_DWORD
reg_key : "HKLM\System\CurrentControlSet\Control\Lsa\"
reg_item : "scenoapplylegacyauditpolicy"
value_data : 1
type : REGISTRY_SETTING
description : "2.3.2.2 Set 'Audit: Shut down system immediately if unable to log security audits' to 'Disabled'"
info : "This policy setting determines whether the system shuts down if it is unable to log Security events."
reference : "CCE|CCE-33046-4,PCI|2.2.3,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
solution : "Make sure 'Audit: Shut down system immediately if unable to log security audits' is set to disabled."
value_type : POLICY_DWORD
reg_key : "HKLM\System\CurrentControlSet\Control\Lsa\"
reg_item : "crashonauditfail"
value_data : 0
## 2.3.3 DCOM
## 2.3.4 Devices
# CIS 2.3.4.1: the check expects AllocateDASD = 2, which the description maps
# to "Administrators and Interactive Users".
# NOTE(review): Windows normally stores AllocateDASD as a REG_SZ string;
# confirm the POLICY_DWORD comparison matches it on the target hosts
# (scremoveoption and ScreenSaverGracePeriod in this file use POLICY_TEXT).
type : REGISTRY_SETTING
description : "2.3.4.1 Set 'Devices: Allowed to format and eject removable media' to 'Administrators and Interactive Users'"
info : "This policy setting determines who is allowed to format and eject removable media."
reference : "800-53|AC-3,800-53|SC-5,800-53|CM-7,800-53|MP-2,800-53|CM-6,CCE|CCE-34355-8,PCI|7.1.2,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
solution : "Make sure 'Devices: Allowed to format and eject removable media' is set to administrators and interactive users."
value_type : POLICY_DWORD
reg_key : "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\"
reg_item : "AllocateDASD"
value_data : 2
## 2.3.5 Domain controller
## 2.3.6 Domain member
type : REGISTRY_SETTING
description : "2.3.6.1 Set 'Domain member: Digitally encrypt or sign secure channel data (always)' to 'Enabled'"
info : "This policy setting determines whether all secure channel traffic that is initiated by the domain member"
info : "must be signed or encrypted."
reference : "800-53|SC-9,PCI|8.4,CCE|CCE-34892-0,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
solution : "Make sure 'Domain member: Digitally encrypt or sign secure channel data (always)' is set to enabled."
value_type : POLICY_DWORD
reg_key : "HKLM\System\CurrentControlSet\Services\Netlogon\Parameters\"
reg_item : "requiresignorseal"
value_data : 1
type : REGISTRY_SETTING
description : "2.3.6.2 Set 'Domain member: Digitally encrypt secure channel data (when possible)' to 'Enabled'"
info : "This policy setting determines whether a domain member should attempt to negotiate encryption for all secure"
info : "channel traffic that it initiates."
reference : "800-53|SC-9,PCI|8.4,CCE|CCE-35273-2,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
solution : "Make sure 'Domain member: Digitally encrypt secure channel data (when possible)' is enabled."
value_type : POLICY_DWORD
reg_key : "HKLM\System\CurrentControlSet\Services\Netlogon\Parameters\"
reg_item : "sealsecurechannel"
value_data : 1
type : REGISTRY_SETTING
description : "2.3.6.3 Set 'Domain member: Digitally sign secure channel data (when possible)' to 'Enabled'"
info : "This policy setting determines whether a domain member should attempt to negotiate whether all secure channel"
info : "traffic that it initiates must be digitally signed."
reference : "PCI|8.4,800-53|SC-9,CCE|CCE-34893-8,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
solution : "Make sure 'Domain member: Digitally sign secure channel data (when possible)' is enabled."
value_type : POLICY_DWORD
reg_key : "HKLM\System\CurrentControlSet\Services\Netlogon\Parameters\"
reg_item : "signsecurechannel"
value_data : 1
type : REGISTRY_SETTING
description : "2.3.6.4 Set 'Domain member: Disable machine account password changes' to 'Disabled'"
info : "This policy setting determines whether a domain member can periodically change its computer account password."
reference : "800-53|IA-5,CCE|CCE-34986-0,PCI|2.2.3,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
solution : "Make sure 'Domain member: Disable machine account password changes' is disabled."
value_type : POLICY_DWORD
reg_key : "HKLM\System\CurrentControlSet\Services\Netlogon\Parameters\"
reg_item : "disablepasswordchange"
value_data : 0
# CIS 2.3.6.5: accepts a machine account password age of 1 to 30 days. 0 is
# outside the range, matching "but not 0" in the description.
# NOTE(review): the reference line carries two CCE identifiers (CCE-34894-6
# and CCE-21621-8); verify which one belongs to this setting.
type : REGISTRY_SETTING
description : "2.3.6.5 Set 'Domain member: Maximum machine account password age' to '30 or fewer day(s) but not 0'"
info : "This policy setting determines the maximum allowable age for a computer account password."
reference : "800-53|IA-5,CCE|CCE-34894-6,800-53|AC-3,800-53|SC-5,800-53|CM-6,PCI|8.5,CCE|CCE-21621-8,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
solution : "Make sure 'Domain member: Maximum machine account password age' is set to a maximum of 30 days."
value_type : POLICY_DWORD
reg_key : "HKLM\System\CurrentControlSet\Services\Netlogon\Parameters"
reg_item : "MaximumPasswordAge"
reg_type : REG_DWORD
value_data : [1..30]
type : REGISTRY_SETTING
description : "2.3.6.6 Set 'Domain member: Require strong (Windows 2000 or later) session key' to 'Enabled'"
info : "When this policy setting is enabled, a secure channel can only be established with domain controllers that"
info : "are capable of encrypting secure channel data with a strong (128-bit) session key."
reference : "800-53|SC-2,800-53|CM-6,PCI|2.2.3,CCE|CCE-35177-5,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
solution : "Make sure 'Domain member: Require strong (Windows 2000 or later) session key' is enabled."
value_type : POLICY_DWORD
reg_key : "HKLM\System\CurrentControlSet\Services\Netlogon\Parameters\"
reg_item : "requirestrongkey"
value_data : 1
## 2.3.7 Interactive logon
type : REGISTRY_SETTING
description : "2.3.7.1 Set 'Interactive logon: Do not display last user name' to 'Enabled'"
info : "This policy setting determines whether the account name of the last user to log on to the client computers in your"
info : "organization will be displayed in each computer's respective Windows logon screen."
reference : "800-53|AC-2,CCE|CCE-34898-7,PCI|2.2.3,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
solution : "Make sure 'Interactive logon: Do not display last user name' is enabled."
value_type : POLICY_DWORD
reg_key : "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\"
reg_item : "DontDisplayLastUserName"
value_data : 1
type : REGISTRY_SETTING
description : "2.3.7.2 Set 'Interactive logon: Do not require CTRL+ALT+DEL' to 'Disabled'"
info : "This policy setting determines whether users must press CTRL+ALT+DEL before they log on."
reference : "800-53|AC-3,800-53|SC-5,800-53|CM-7,800-53|CM-6,CCE|CCE-35099-1,PCI|2.2.3,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
solution : "Make sure 'Interactive logon: Do not require CTRL+ALT+DEL' is disabled."
value_type : POLICY_DWORD
reg_key : "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\"
reg_item : "DisableCAD"
value_data : 0
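# CIS 2.3.7.3: machine lockout after repeated failed logon attempts.
# The accepted range starts at 1: a threshold of 0 means the machine is never
# locked out, so it must not satisfy a "10 or fewer" check.
type : REGISTRY_SETTING
description : "2.3.7.3 Set 'Interactive logon: Machine account lockout threshold' to 10 or fewer invalid logon attempts"
info : "This security setting determines the number of failed logon attempts that causes the machine to be locked out."
reference : "CCE|CCE-34899-5,PCI|2.2.3,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
solution : "Make sure 'Interactive logon: Machine account lockout threshold' is set to 10 or fewer invalid logon attempts, but not 0"
value_type : POLICY_DWORD
value_data : [1..10]
reg_key : "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\"
reg_item : "MaxDevicePasswordFailedAttempts"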
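# CIS 2.3.7.4: session lock after inactivity. The range 1..900 excludes 0,
# matching "but not 0" in the description.
type : REGISTRY_SETTING
description : "2.3.7.4 Set 'Interactive logon: Machine inactivity limit' to '900 or fewer seconds, but not 0'"
info : "Windows notices inactivity of a logon session, and if the amount of inactive time exceeds the inactivity limit,"
info : "then the screen saver will run, locking the session."
reference : "CCE|CCE-34900-1,PCI|8.5.15,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
solution : "Make sure 'Interactive logon: Machine inactivity limit' is set to a maximum of 900 seconds (15 minutes), but not 0 seconds."
value_type : POLICY_DWORD
reg_key : "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\"
reg_item : "InactivityTimeoutSecs"
value_data : [1..900]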
type : REGISTRY_SETTING
description : "2.3.7.7 Set 'Interactive logon: Number of previous logons to cache (in case domain controller is not available)' to '2 or fewer logon(s)'"
info : "This policy setting determines whether a user can log on to a Windows domain using cached account information."
reference : "800-53|AC-3,800-53|SC-5,800-53|CM-7,800-53|CM-6,PCI|2.2.3,CCE|CCE-34901-9,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
solution : "Make sure 'Interactive logon: Number of previous logons to cache (in case domain controller is not available)' is set to 2 or fewer logons."
value_type : POLICY_DWORD
reg_key : "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\"
reg_item : "cachedlogonscount"
value_data : [MIN..2]
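# CIS 2.3.7.8: accepts any password-expiry warning period of 14 days or more.
type : REGISTRY_SETTING
description : "2.3.7.8 Set 'Interactive logon: Prompt user to change password before expiration' to '14 days or greater'"
info : "This policy setting determines how far in advance users are warned that their password will expire."
reference : "800-53|IA-5,PCI|8.5,CCE|CCE-35274-0,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
solution : "Make sure 'Interactive logon: Prompt user to change password before expiration' is set to 14 days or greater."
value_type : POLICY_DWORD
reg_key : "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\"
reg_item : "passwordexpirywarning"
value_data : [14..MAX]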
type : REGISTRY_SETTING
description : "2.3.7.9 Set 'Interactive logon: Smart card removal behavior' to 'Lock Workstation'"
info : "This policy setting determines what happens when the smart card for a logged-on user is removed from"
info : "the smart card reader."
reference : "800-53|AC-3,800-53|SC-5,800-53|CM-7,PCI|2.2.3,800-53|CM-6,CCE|CCE-34988-6,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
solution : "Make sure 'Interactive logon: Smart card removal behavior' is set to lock the workstation."
value_type : POLICY_TEXT
reg_key : "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\"
reg_item : "scremoveoption"
value_data : "1"
## 2.3.8 Microsoft network client
type : REGISTRY_SETTING
description : "2.3.8.1 Set 'Microsoft network client: Digitally sign communications (always)' to 'Enabled'"
info : "This policy setting determines whether packet signing is required by the SMB client component."
reference : "PCI|4.1,800-53|SC-8,800-53|SC-9,800-53|CM-6,PCI|2.2.3,CCE|CCE-35222-9,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
solution : "Make sure 'Microsoft network client: Digitally sign communications (always)' is set to enabled."
value_type : POLICY_DWORD
reg_key : "HKLM\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\"
reg_item : "RequireSecuritySignature"
value_data : 1
type : REGISTRY_SETTING
description : "2.3.8.2 Set 'Microsoft network client: Digitally sign communications (if server agrees)' to 'Enabled'"
info : "This policy setting determines whether the SMB client will attempt to negotiate SMB packet signing."
reference : "PCI|4.1,CCE|CCE-34908-4,PCI|2.2.3,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
solution : "Make sure 'Microsoft network client: Digitally sign communications (if server agrees)' is set to enabled."
value_type : POLICY_DWORD
reg_key : "HKLM\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\"
reg_item : "EnableSecuritySignature"
value_data : 1
type : REGISTRY_SETTING
description : "2.3.8.3 Set 'Microsoft network client: Send unencrypted password to third-party SMB servers' to 'Disabled'"
info : "Disable this policy setting to prevent the SMB redirector from sending plaintext passwords during authentication"
info : "to third-party SMB servers that do not support password encryption."
reference : "800-53|SC-8,PCI|8.4,CCE|CCE-33717-0,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
solution : "Make sure 'Microsoft network client: Send unencrypted password to third-party SMB servers' is set to disabled."
value_type : POLICY_DWORD
reg_key : "HKLM\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\"
reg_item : "EnablePlainTextPassword"
value_data : 0
## 2.3.9 Microsoft network server
type : REGISTRY_SETTING
description : "2.3.9.1 Set 'Microsoft network server: Amount of idle time required before suspending session' to '15 or fewer minute(s)'"
info : "This policy setting allows you to specify the amount of continuous idle time that must pass in an SMB session"
info : "before the session is suspended because of inactivity."
reference : "800-53|AC-3,800-53|CM-7,800-53|AC-1,800-53|CM-6,CCE|CCE-34909-2,PCI|8.5.15,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
solution : "Make sure 'Microsoft network server: Amount of idle time required before suspending session' is set to a maximum of 15 minutes."
value_type : POLICY_DWORD
reg_key : "HKLM\System\CurrentControlSet\Services\LanManServer\Parameters\"
reg_item : "autodisconnect"
value_data : [MIN..15]
type : REGISTRY_SETTING
description : "2.3.9.2 Set 'Microsoft network server: Digitally sign communications (always)' to 'Enabled'"
info : "This policy setting determines if the server side SMB service is required to perform SMB packet signing."
reference : "800-53|SC-8,PCI|4.1,PCI|2.2.3,CCE|CCE-35065-2,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
solution : "Make sure 'Microsoft network server: Digitally sign communications (always)' is set to enabled."
value_type : POLICY_DWORD
reg_key : "HKLM\System\CurrentControlSet\Services\LanManServer\Parameters\"
reg_item : "requiresecuritysignature"
value_data : 1
type : REGISTRY_SETTING
description : "2.3.9.3 Set 'Microsoft network server: Digitally sign communications (if client agrees)' to 'Enabled'"
info : "This policy setting determines if the server side SMB service is able to sign SMB packets if it is requested to do so by a"
info : "client that attempts to establish a connection."
reference : "800-53|AC-3,PCI|4.1,800-53|SC-8,800-53|CM-7,800-53|CM-6,PCI|2.2.3,CCE|CCE-35182-5,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
solution : "Make sure 'Microsoft network server: Digitally sign communications (if client agrees)' is enabled."
value_type : POLICY_DWORD
reg_key : "HKLM\System\CurrentControlSet\Services\LanManServer\Parameters\"
reg_item : "enablesecuritysignature"
value_data : 1
type : REGISTRY_SETTING
description : "2.3.9.4 Set 'Microsoft network server: Disconnect clients when logon hours expire' to 'Enabled'"
info : "This policy setting determines whether to disconnect users who are connected to the local computer outside"
info : "their user account's valid logon hours."
reference : "800-53|SC-1,800-53|AC-3,800-53|SC-5,CCE|CCE-34911-8,800-53|CM-7,PCI|2.2.3,800-53|CM-6,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
solution : "Make sure 'Microsoft network server: Disconnect clients when logon hours expire' is enabled."
value_type : POLICY_DWORD
reg_key : "HKLM\System\CurrentControlSet\Services\LanManServer\Parameters\"
reg_item : "enableforcedlogoff"
value_data : 1
type : REGISTRY_SETTING
description : "2.3.9.5 Set 'Microsoft network server: Server SPN target name validation level' to 'Accept if provided by client'"
info : "This policy setting controls the level of validation a computer with shared folders or printers (the server) performs"
info : "on the service principal name (SPN) that is provided by the client computer when it establishes a session using the"
info : "server message block (SMB) protocol."
reference : "800-53|SC-9,CCE|CCE-35299-7,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
solution : "Make sure 'Microsoft network server: Server SPN target name validation level' is set to 'Accept if provided by client'"
value_type : POLICY_DWORD
reg_key : "HKLM\System\CurrentControlSet\Services\LanManServer\Parameters\"
reg_item : "SmbServerNameHardeningLevel"
value_data : 1
## 2.3.10 MSS
# CIS 2.3.10.1: expects AutoAdminLogon = 0 so the machine does not log a user
# on automatically. Automatic logon depends on credentials kept under the same
# Winlogon key, which is why an enabled value is reported as a finding.
# NOTE(review): AutoAdminLogon is normally a REG_SZ value; confirm the
# POLICY_DWORD comparison matches it on the target hosts.
type : REGISTRY_SETTING
description : "2.3.10.1 Set 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' to 'Disabled'"
info : "This setting is separate from the Welcome screen feature in Windows XP and Windows Vista."
reference : "800-53|AC-3,800-53|SC-5,800-53|CM-7,800-53|IA-2,PCI|2.2.3,800-53|CM-6,CCE|CCE-35438-1,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
solution : "Make sure AutoAdminLogon is disabled."
value_type : POLICY_DWORD
reg_key : "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\"
reg_item : "AutoAdminLogon"
value_data : 0
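# CIS 2.3.10.2: IPv6 variant of the source-routing check. It reads
# DisableIPSourceRouting under the Tcpip6 service key, while 2.3.10.3 reads the
# same value name under Tcpip (IPv4). The two descriptions are identical, so
# the registry key is what tells the results apart.
type : REGISTRY_SETTING
description : "2.3.10.2 Set 'MSS: IP source routing protection level' to 'Highest protection, source routing is completely disabled'"
info : "IP source routing is a mechanism that allows the sender to determine the IP route that a datagram should follow"
info : "through the network."
reference : "800-53|AC-3,800-53|SC-5,800-53|CM-7,800-53|CM-6,PCI|2.2.3,CCE|CCE-33790-7,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
solution : "Make sure DisableIPSourceRouting (IPv6, Tcpip6 key) is set to a value of 'Highest protection, source routing is completely disabled'."
value_type : POLICY_DWORD
reg_key : "HKLM\System\CurrentControlSet\Services\Tcpip6\Parameters\"
reg_item : "DisableIPSourceRouting"
value_data : 2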
# CIS 2.3.10.3: IPv4 variant of the source-routing check. It reads
# DisableIPSourceRouting under the Tcpip service key and expects 2, which the
# description maps to "Highest protection, source routing is completely
# disabled". Item 2.3.10.2 has the same description but audits the Tcpip6 key.
type : REGISTRY_SETTING
description : "2.3.10.3 Set 'MSS: IP source routing protection level' to 'Highest protection, source routing is completely disabled'"
info : "IP source routing is a mechanism that allows the sender to determine the IP route that a datagram should take"
info : "through the network."
reference : "CCE|CCE-33816-0,800-53|AC-3,800-53|SC-5,800-53|CM-7,800-53|CM-6,PCI|2.2.3,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
solution : "Make sure DisableIPSourceRouting is set to a value of Highest protection, source routing is completely disabled."
value_type : POLICY_DWORD
reg_key : "HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\"
reg_item : "DisableIPSourceRouting"
value_data : 2
type : REGISTRY_SETTING
description : "2.3.10.4 Set 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' to 'Enabled'"
info : "SafeDllSearchMode searches the folders that are specified in the system path and then searches the current working folder."
reference : "CCE|CCE-34022-4,800-53|AC-3,800-53|SC-5,800-53|CM-7,800-53|CM-6,PCI|2.2.3,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
solution : "Make sure SafeDllSearchMode is set to enabled."
value_type : POLICY_DWORD
reg_key : "HKLM\System\CurrentControlSet\Control\Session Manager\"
reg_item : "SafeDllSearchMode"
value_data : 1
type : REGISTRY_SETTING
description : "2.3.10.5 Set 'MSS: The time in seconds before the screen saver grace period expires' to '0 seconds'"
info : "The time in seconds before the screen saver grace period expires 0 seconds in the SCE."
reference : "800-53|AC-3,800-53|CM-7,CCE|CCE-22617-5,PCI|2.2.3,800-53|AC-1,800-53|CM-6,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
solution : "Make sure ScreenSaverGracePeriod is set to 0 seconds."
value_type : POLICY_TEXT
reg_key : "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\"
reg_item : "ScreenSaverGracePeriod"
value_data : "0"
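# CIS 2.3.10.6: the description states the threshold as a fraction ('0.9 or
# less'), but the check compares the WarningLevel value against 90, i.e. a
# percentage, and passes on any value less than or equal to it.
# NOTE(review): CHECK_LESS_THAN_OR_EQUAL also accepts 0; confirm whether a zero
# threshold still produces the log-full warning before treating it as compliant.
type : REGISTRY_SETTING
description : "2.3.10.6 Set 'MSS: Percentage threshold for the security event log at which the system will generate a warning' to '0.9 or less'"
info : "This setting can generate a security audit in the Security event log when the log reaches a user-defined threshold."
reference : "800-53|SC-5,800-53|AC-4,800-53|AU-9,PCI|10.7,CCE|CCE-35406-8,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
solution : "Make sure WarningLevel is set to 90 percent or less."
value_type : POLICY_DWORD
reg_key : "HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\"
reg_item : "WarningLevel"
value_data : 90
check_type : CHECK_LESS_THAN_OR_EQUAL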
## 2.3.11 Network access
type : ANONYMOUS_SID_SETTING
description : "2.3.11.1 Set 'Network access: Allow anonymous SID/Name translation' to 'Disabled'"
info : "This policy setting determines whether an anonymous user can request security identifier (SID)"
info : "attributes for another user."
reference : "CCE|CCE-34914-2,800-53|AC-3,800-53|CM-7,PCI|2.2.3,800-53|CM-6,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
solution : "Make sure 'Network access: Allow anonymous SID/Name translation' is disabled."
value_type : POLICY_SET
value_data : "Disabled"
type : REGISTRY_SETTING
description : "2.3.11.2 Set 'Network access: Do not allow anonymous enumeration of SAM accounts' to 'Enabled'"
info : "This policy setting controls the ability of anonymous users to enumerate the accounts in the Security Accounts Manager."
reference : "800-53|AC-3,800-53|CM-7,PCI|2.2.3,800-53|CM-6,CCE|CCE-34631-2,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
solution : "Make sure 'Network access: Do not allow anonymous enumeration of SAM accounts' is enabled."
value_type : POLICY_DWORD
reg_key : "HKLM\System\CurrentControlSet\Control\Lsa\"
reg_item : "RestrictAnonymousSAM"
value_data : 1
# CIS 2.3.11.3: expects RestrictAnonymous = 1 so anonymous sessions cannot
# enumerate SAM accounts and shares.
# NOTE(review): the reference line uses CCE-34631-2, the same identifier as
# item 2.3.11.2 (RestrictAnonymousSAM). One of the two looks like a copy;
# verify against the benchmark.
type : REGISTRY_SETTING
description : "2.3.11.3 Set 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' to 'Enabled'"
info : "This policy setting controls the ability of anonymous users to enumerate SAM accounts as well as shares."
reference : "800-53|AC-3,800-53|CM-7,PCI|2.2.3,800-53|CM-6,CCE|CCE-34631-2,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
solution : "Make sure 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' is enabled."
value_type : POLICY_DWORD
reg_key : "HKLM\System\CurrentControlSet\Control\Lsa\"
reg_item : "RestrictAnonymous"
value_data : 1
type : REGISTRY_SETTING
description : "2.3.11.4 Set 'Network access: Let Everyone permissions apply to anonymous users' to 'Disabled'"
info : "This policy setting determines what additional permissions are assigned for anonymous connections to the computer."
reference : "800-53|AC-2,800-53|IA-2,PCI|2.2.3,CCE|CCE-35367-2,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
solution : "Make sure EveryoneIncludesAnonymous is disabled."
value_type : POLICY_DWORD
reg_key : "HKLM\System\CurrentControlSet\Control\Lsa\"
reg_item : "EveryoneIncludesAnonymous"
value_data : 0
# CIS 2.3.11.5: expects the NullSessionPipes list to be empty, so that no named
# pipe is reachable over an anonymous (null) session. CAN_BE_NULL lets the
# check pass when the value is absent as well as when it is empty.
# NOTE(review): the reference tags this item Level|1N while the neighbouring
# items use Level|1S; confirm against the benchmark.
type : REGISTRY_SETTING
description : "2.3.11.5 Set 'Network access: Named Pipes that can be accessed anonymously' to 'None'"
info : "This policy setting determines which communication sessions, or pipes, will have attributes and permissions that allow anonymous access."
solution : "Make sure NullSessionPipes is set to NULL (None)"
reference : "CCE|CCE-23597-8,800-53|AC-2,800-53|IA-2,PCI|2.2.3,Level|1N"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
value_type : POLICY_MULTI_TEXT
reg_key : "HKLM\System\CurrentControlSet\Services\LanManServer\Parameters\"
reg_item : "NullSessionPipes"
value_data : ""
reg_option : CAN_BE_NULL
type : REGISTRY_SETTING
description : "2.3.11.6 Set 'Network access: Remotely accessible registry paths' to the following list"
info : "This policy setting determines which registry paths and sub-paths will be accessible when an application or process"
info : "references the WinReg key."
reference : "800-53|CM-7,PCI|2.2.3,CCE|CCE-21504-6,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
solution : "Make sure Remotely accessible registry paths are set to
'System\CurrentControlSet\Control\ProductOptions',
'System\CurrentControlSet\Control\Server Applications',
'Software\Microsoft\Windows NT\CurrentVersion'."
value_type : POLICY_MULTI_TEXT
reg_key : "HKLM\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths\"
reg_item : "Machine"
value_data : "System\CurrentControlSet\Control\ProductOptions" && "System\CurrentControlSet\Control\Server Applications" && "Software\Microsoft\Windows NT\CurrentVersion"
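# CIS 2.3.11.7: audits the "paths and sub-paths" allow-list stored under
# Winreg\AllowedPaths. Item 2.3.11.6 audits the exact-path list under
# Winreg\AllowedExactPaths; both use the value name "Machine", so the registry
# key is what tells the two results apart.
type : REGISTRY_SETTING
description : "2.3.11.7 Set 'Network access: Remotely accessible registry paths and sub-paths' to the following list"
info : "This policy setting determines which registry paths and sub-paths will be accessible when an application or"
info : "process references the WinReg key to determine access permissions."
reference : "CCE|CCE-35300-3,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
solution : "Make sure Remotely accessible registry paths and sub-paths are set to 'System\CurrentControlSet\Control\Print\Printers',
'System\CurrentControlSet\Services\Eventlog',
'Software\Microsoft\OLAP Server',
'Software\Microsoft\Windows NT\CurrentVersion\Print',
'Software\Microsoft\Windows NT\CurrentVersion\Windows',
'System\CurrentControlSet\Control\ContentIndex',
'System\CurrentControlSet\Control\Terminal Server',
'System\CurrentControlSet\Control\Terminal Server\UserConfig',
'System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration',
'Software\Microsoft\Windows NT\CurrentVersion\Perflib',
'System\CurrentControlSet\Services\SysmonLog'."
value_type : POLICY_MULTI_TEXT
reg_key : "HKLM\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths\"
reg_item : "Machine"
value_data : "System\CurrentControlSet\Control\Print\Printers" && "System\CurrentControlSet\Services\Eventlog" && "Software\Microsoft\OLAP Server" && "Software\Microsoft\Windows NT\CurrentVersion\Print" && "Software\Microsoft\Windows NT\CurrentVersion\Windows" && "System\CurrentControlSet\Control\ContentIndex" && "System\CurrentControlSet\Control\Terminal Server" && "System\CurrentControlSet\Control\Terminal Server\UserConfig" && "System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration" && "Software\Microsoft\Windows NT\CurrentVersion\Perflib" && "System\CurrentControlSet\Services\SysmonLog"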
type : REGISTRY_SETTING
description : "2.3.11.8 Set 'Network access: Restrict anonymous access to Named Pipes and Shares' to 'Enabled'"
info : "When enabled, this policy setting restricts anonymous access to only those shares and pipes that are named"
info : "in the Named pipes and Shares."
reference : "800-53|CM-7,PCI|2.2.3,CCE|CCE-33563-8,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
solution : "Make sure restrictnullsessaccess is enabled."
value_type : POLICY_DWORD
reg_key : "HKLM\System\CurrentControlSet\Services\LanManServer\Parameters\"
reg_item : "restrictnullsessaccess"
value_data : 1
# CIS 2.3.11.9: expects the NullSessionShares list to be empty, so that no
# share is reachable over an anonymous (null) session. CAN_BE_NULL lets the
# check pass when the value is absent as well as when it is empty.
type : REGISTRY_SETTING
description : "2.3.11.9 Configure Network access: Shares that can be accessed anonymously to 'None'"
solution : "Make sure NullSessionShares is set to none."
reference : "800-53|CM-7,800-53|IA-2,PCI|2.2.3,CCE|CCE-34651-0,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
info : "This policy setting determines which network shares can be accessed by anonymous users."
value_type : POLICY_MULTI_TEXT
reg_key : "HKLM\System\CurrentControlSet\Services\LanManServer\Parameters\"
reg_item : "NullSessionShares"
value_data : ""
reg_option : CAN_BE_NULL
type : REGISTRY_SETTING
description : "2.3.11.10 Set 'Network access: Sharing and security model for local accounts' to 'Classic - local users authenticate as themselves'"
info : "This policy setting determines how network logons that use local accounts are authenticated."
reference : "CCE|CCE-33719-6,800-53|CM-7,800-53|IA-2,PCI|2.2.3,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
solution : "Make sure 'Network access: Sharing and security model for local accounts' is set to classic."
value_type : POLICY_DWORD
reg_key : "HKLM\System\CurrentControlSet\Control\Lsa\"
reg_item : "ForceGuest"
value_data : 0
## 2.3.12 Network security
# Passes when UseMachineID is 1 (Local System services use the computer identity for NTLM).
# NOTE(review): reg_option CAN_BE_NULL also passes a host where the value is absent;
# confirm that the unset default on the audited builds really behaves as 'Enabled'.
type : REGISTRY_SETTING
description : "2.3.12.1 Set 'Network security: Allow Local System to use computer identity for NTLM' to 'Enabled'"
info : "This policy setting causes Local System services that use Negotiate to use the computer identity when NTLM"
info : "authentication is selected by the negotiation."
reference : "800-53|CM-7,800-53|IA-2,PCI|2.2.3,CCE|CCE-33141-3,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
solution : "Make sure 'Allow Local System to use computer identity for NTLM' is configured to 'Enabled'"
value_type : POLICY_DWORD
reg_key : "HKLM\System\CurrentControlSet\Control\Lsa"
reg_item : "UseMachineID"
value_data : 1
reg_option : CAN_BE_NULL
# Passes when allownullsessionfallback is 0, i.e. a service may not fall back to a NULL session.
# NOTE(review): CAN_BE_NULL accepts an absent value too; confirm the unset default is
# 'Disabled' on the audited builds.
type : REGISTRY_SETTING
description : "2.3.12.2 Set 'Network security: Allow LocalSystem NULL session fallback' to 'Disabled'"
info : "This control determines if a service is allowed to establish a NULL session connection."
solution : "Make sure 'Allow LocalSystem NULL session fallback' is configured to 'Disabled'"
reference : "800-53|CM-7,800-53|IA-2,PCI|2.2.3,CCE|CCE-35410-0,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\System\CurrentControlSet\Control\Lsa\MSV1_0"
reg_item : "allownullsessionfallback"
value_data : 0
reg_option : CAN_BE_NULL
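# Passes when AllowOnlineID is 0, i.e. PKU2U authentication requests that use online
# identities are not accepted by this computer. The solution text names the same
# target ('Disabled') that value_data enforces.
type : REGISTRY_SETTING
description : "2.3.12.3 Set 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' to 'Disabled'"
info : "The PKU2U protocol is a peer-to-peer authentication protocol. In most managed networks authentication should be managed centrally."
solution : "Make sure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled'."
reference : "PCI|8.5,800-53|CM-7,800-53|IA-2,CCE|CCE-35411-8,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\System\CurrentControlSet\Control\LSA\pku2u\"
reg_item : "AllowOnlineID"
value_data : 0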
# 2147483644 = 0x7FFFFFFC: every bit set except the two DES bits (0x1, 0x2), i.e.
# RC4 (0x4) + AES128 (0x8) + AES256 (0x10) + future types (0x7FFFFFE0).
# NOTE(review): the number is matched exactly, so a host that also drops RC4
# (0x7FFFFFF8 = 2147483640) fails this check although it is stricter. RC4-HMAC keys are
# derived from the unsalted NT hash; later CIS benchmarks drop RC4 from this setting.
# Decide whether the AES-only value should be accepted here.
type : REGISTRY_SETTING
description : "2.3.12.4 Set 'Network Security: Configure encryption types allowed for Kerberos' to 'RC4\AES128\AES256\Future types'"
info : "This policy setting allows you to set the encryption types that Kerberos is allowed to use."
solution : "Set 'Network Security: Configure encryption types allowed for Kerberos' to 'RC4\AES128\AES256\Future types'"
reference : "CCE|CCE-35786-3,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters\"
reg_item : "SupportedEncryptionTypes"
value_data : 2147483644
# Passes when NoLMHash is 1. As the setting name says, this applies at the next password
# change: an LM hash that is already stored stays until that account's password changes.
type : REGISTRY_SETTING
description : "2.3.12.5 Set 'Network security: Do not store LAN Manager hash value on next password change' to 'Enabled'"
info : "This policy setting determines whether the LAN Manager (LM) hash value for the new password is stored when"
info : "the password is changed."
reference : "PCI|8.4,800-53|AC-3,800-53|SC-5,800-53|CM-7,800-53|CM-6,CCE|CCE-35225-2,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
solution : "Make sure 'Network security: Do not store LAN Manager hash value on next password change' is enabled."
value_type : POLICY_DWORD
reg_key : "HKLM\System\CurrentControlSet\Control\Lsa\"
reg_item : "NoLMHash"
value_data : 1
# Account-policy check (type PASSWORD_POLICY, no registry key): passes when the
# FORCE_LOGOFF policy reports "Enabled".
type : PASSWORD_POLICY
description : "2.3.12.6 Configure 'Network security: Force logoff when logon hours expire' to 'Enabled'"
info : "This policy setting determines whether to disconnect users who are connected to the local computer outside their user account's valid logon hours."
solution : "Make sure 'Network security: Force logoff when logon hours expire' is set to enabled."
reference : "CCE|CCE-34993-6,Level|1N"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
value_type : POLICY_SET
password_policy: FORCE_LOGOFF
value_data : "Enabled"
# LmCompatibilityLevel = 5 is the setting named in the description: send NTLMv2 responses
# only and refuse LM and NTLM. The value is matched exactly, so any lower level fails.
type : REGISTRY_SETTING
description : "2.3.12.7 Set 'Network security: LAN Manager authentication level' to 'Send NTLMv2 response only. Refuse LM & NTLM'"
info : "LAN Manager (LM) is a family of early Microsoft client/server software that allows users to link personal"
info : "computers together on a single network."
reference : "PCI|8.4,800-53|AC-3,CCE|CCE-35302-9,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
solution : "Make sure 'Network security: LAN Manager authentication level' is set to send NTLMv2 response only and refuse LM and NTLM."
value_type : POLICY_DWORD
reg_key : "HKLM\System\CurrentControlSet\Control\Lsa\"
reg_item : "LmCompatibilityLevel"
value_data : 5
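# LDAPClientIntegrity: 1 = negotiate signing, 2 = require signing.
# The range accepts both, matching "'Negotiate signing' or higher" in the description;
# an exact match on 1 would fail a host that enforces the stricter 'Require signing'.
type : REGISTRY_SETTING
description : "2.3.12.8 Set 'Network security: LDAP client signing requirements' to 'Negotiate signing' or higher"
info : "This policy setting determines the level of data signing that is requested on behalf of clients that"
info : "issue LDAP BIND requests."
reference : "PCI|8.4,800-53|CM-7,CCE|CCE-33802-0,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
solution : "Make sure 'Network security: LDAP client signing requirements' is set to negotiate signing or higher."
value_type : POLICY_DWORD
reg_key : "HKLM\System\CurrentControlSet\Services\LDAP\"
reg_item : "LDAPClientIntegrity"
value_data : [1..2]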
# 537395200 = 0x20080000 = 0x00080000 (require NTLMv2 session security)
#                        + 0x20000000 (require 128-bit encryption).
# The number is matched exactly, so a value with further requirement bits set does not pass.
type : REGISTRY_SETTING
description : "2.3.12.9 Set 'Minimum session security for NTLM SSP based clients' to 'Require NTLMv2 session security,Require 128-bit encryption'"
info : "This policy setting determines which behaviors are allowed for applications using the NTLM Security Support Provider."
reference : "PCI|8.4,800-53|AC-3,800-53|CM-6,CCE|CCE-35447-2,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
solution : "Make sure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' is set to require NTLMv2 session security and 128-bit encryption."
value_type : POLICY_DWORD
reg_key : "HKLM\System\CurrentControlSet\Control\Lsa\MSV1_0\"
reg_item : "NTLMMinClientSec"
value_data : 537395200
# Server-side counterpart of NTLMMinClientSec, same bitmask:
# 537395200 = 0x20080000 = 0x00080000 (require NTLMv2 session security)
#                        + 0x20000000 (require 128-bit encryption).
# The number is matched exactly, so a value with further requirement bits set does not pass.
type : REGISTRY_SETTING
description : "2.3.12.10 Set 'Minimum session security for NTLM SSP based servers' to 'Require NTLMv2 session security,Require 128-bit encryption'"
info : "This policy setting determines which behaviors are allowed for applications using the NTLM Security Support Provider."
reference : "CCE|CCE-35108-0,Level|1S,PCI|8.4,800-53|AC-3,800-53|CM-6"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
solution : "Make sure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' is set to require NTLMv2 session security and 128-bit encryption."
value_type : POLICY_DWORD
reg_key : "HKLM\System\CurrentControlSet\Control\Lsa\MSV1_0\"
reg_item : "NTLMMinServerSec"
value_data : 537395200
## 2.3.13 Recovery console
# Passes when securitylevel is 0: the Recovery Console does not log on as administrator
# automatically.
type : REGISTRY_SETTING
description : "2.3.13.1 Set 'Recovery console: Allow automatic administrative logon' to 'Disabled'"
info : "The recovery console is a command-line environment that is used to recover from system problems."
solution : "Make sure 'Recovery console: Allow automatic administrative logon' is disabled."
reference : "800-53|IA-2,PCI|2.2.3,800-53|AC-1,CCE|CCE-35228-6,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\"
reg_item : "securitylevel"
value_data : 0
# Passes when setcommand is 0, which keeps the Recovery Console SET command unavailable
# and with it the AllowWildCards / AllowAllPaths / AllowRemovableMedia variables listed below.
type : REGISTRY_SETTING
description : "2.3.13.2 Set 'Recovery console: Allow floppy copy and access to all drives and all folders' to 'Disabled'"
info : "This policy setting makes the Recovery Console SET command available which allows you to set the following recovery"
info : "console environment variables: - AllowWildCards. Enables wildcard support for some commands (such as the DEL command)."
info : "- AllowAllPaths. Allows access to all files and folders on the computer. - AllowRemovableMedia. Allows files to be"
info : "copied to removable media, such as a floppy disk."
reference : "CCE|CCE-34757-5,800-53|CM-2,800-53|CM-7,PCI|2.2.3,800-53|AC-1,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
solution : "Make sure 'Recovery console: Allow floppy copy and access to all drives and all folders' is disabled."
value_type : POLICY_DWORD
reg_key : "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\"
reg_item : "setcommand"
value_data : 0
## 2.3.16 System objects
# Passes when ObCaseInsensitive is 1, i.e. case insensitivity is enforced for
# non-Windows subsystems as well.
type : REGISTRY_SETTING
description : "2.3.16.1 Set 'System objects: Require case insensitivity for non-Windows subsystems' to 'Enabled'"
info : "This policy setting determines whether case insensitivity is enforced for all subsystems."
reference : "CCE|CCE-35008-2,PCI|2.2.3,800-53|CM-6,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
solution : "Make sure 'System objects: Require case insensitivity for non-Windows subsystems' is enabled."
value_type : POLICY_DWORD
reg_key : "HKLM\System\CurrentControlSet\Control\Session Manager\Kernel\"
reg_item : "ObCaseInsensitive"
value_data : 1
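# Passes when ProtectionMode is 1, which selects the stronger default DACL for
# internal system objects.
type : REGISTRY_SETTING
description : "2.3.16.2 Set 'System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)' to 'Enabled'"
info : "This policy setting determines the strength of the default discretionary access control list (DACL) for objects."
reference : "CCE|CCE-35232-8,PCI|2.2.3,800-53|CM-6,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
solution : "Make sure 'System objects: Strengthen default permissions of internal system objects' is enabled."
value_type : POLICY_DWORD
reg_key : "HKLM\System\CurrentControlSet\Control\Session Manager\"
reg_item : "ProtectionMode"
value_data : 1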
## 2.3.17 System settings
## 2.3.18 User Account Control
# Passes when FilterAdministratorToken is 1, which puts the built-in Administrator
# account under Admin Approval Mode.
type : REGISTRY_SETTING
description: "2.3.18.1 Set 'User Account Control: Admin Approval Mode for the Built-in Administrator account' to 'Enabled' "
info : "This policy setting controls the behavior of Admin Approval Mode for the built-in Administrator account."
reference : "PCI|7.1.1,800-53|AC-2,800-53|IA-2,CCE|CCE-35338-3,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
solution : "Make sure 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is enabled."
value_type : POLICY_DWORD
reg_key : "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\"
reg_item : "FilterAdministratorToken"
value_data : 1
# Passes when EnableUIADesktopToggle is 0: UIAccess programs cannot move elevation
# prompts off the secure desktop.
type : REGISTRY_SETTING
description: "2.3.18.2 Set 'User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop' to 'Disabled' "
info : "This policy setting controls whether User Interface Accessibility (UIAccess or UIA) programs can automatically"
info : "disable the secure desktop for elevation prompts used by a standard user."
solution : "Make sure 'User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop' is disabled."
reference : "PCI|7.2.2,800-53|AC-3,800-53|AC-6,PCI|7.1.1,PCI|7.1.3,PCI|7.1.2,PCI|7.2.1,CCE|CCE-35458-9,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\"
reg_item : "EnableUIADesktopToggle"
value_data : 0
# ConsentPromptBehaviorAdmin = 2 is 'Prompt for consent on the secure desktop'.
# NOTE(review): the value is matched exactly, so a host set to 1 (prompt for credentials
# on the secure desktop) fails although it is no weaker; decide whether to accept it.
type : REGISTRY_SETTING
description: "2.3.18.3 Set 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' to 'Prompt for consent on the secure desktop'"
info : "This policy setting controls the behavior of the elevation prompt for administrators."
solution : "Make sure 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' is set to 'Prompt for consent on the secure desktop'"
reference : "CCE|CCE-33784-0,PCI|7.1.1,800-53|AC-2,800-53|IA-2,Level|1N"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System"
reg_item : "ConsentPromptBehaviorAdmin"
value_data : 2
# ConsentPromptBehaviorUser = 0 denies elevation requests from standard users outright,
# so a standard-user session never shows a prompt that asks for administrator credentials.
type : REGISTRY_SETTING
description: "2.3.18.4 Set 'User Account Control: Behavior of the elevation prompt for standard users' to 'Automatically deny elevation requests' "
info : "This policy setting controls the behavior of the elevation prompt for standard users"
solution : "Make sure 'Behavior of the Elevation Prompt for Standard Users' is set to Automatically deny elevation requests."
reference : "CCE|CCE-33785-7,PCI|7.1.1,800-53|AC-2,800-53|IA-2,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System"
reg_item : "ConsentPromptBehaviorUser"
value_data : 0
# Passes when EnableInstallerDetection is 1: application installations are detected
# and trigger an elevation prompt.
type : REGISTRY_SETTING
description: "2.3.18.5 Set 'User Account Control: Detect application installations and prompt for elevation' to 'Enabled'"
info : "This policy setting controls the behavior of application installation detection for the computer."
reference : "800-53|AC-3,800-53|AC-6,CCE|CCE-35429-0,PCI|7.1.1,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
solution : "Make sure 'User Account Control: Detect application installations and prompt for elevation' is enabled."
value_type : POLICY_DWORD
reg_key : "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\"
reg_item : "EnableInstallerDetection"
value_data : 1
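# Passes when EnableSecureUIAPaths is 1: an application that requests the UIAccess
# integrity level is elevated only if it resides in a secure file-system location.
type : REGISTRY_SETTING
description: "2.3.18.6 Set 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' to 'Enabled'"
info : "This policy setting controls whether applications that request to run with a User Interface Accessibility"
info : "(UIAccess) integrity level must reside in a secure location in the file system."
solution : "Make sure 'Only Elevate UIAccess applications that are Installed in Secure Locations' is Enabled."
reference : "CCE|CCE-35401-9,800-53|AC-3,800-53|AC-6,PCI|7.1.1,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System"
reg_item : "EnableSecureUIAPaths"
value_data : 1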
# Passes when EnableLUA is 1 (all administrators run in Admin Approval Mode).
# Per the info text this setting governs all UAC policy settings on the computer, so the
# other 2.3.18.x settings presumably only take effect on hosts that pass this check.
type : REGISTRY_SETTING
description: "2.3.18.7 Set 'User Account Control: Run all administrators in Admin Approval Mode' to 'Enabled'"
info : "This policy setting controls the behavior of all User Account Control (UAC) policy settings for the computer."
solution : "Make sure 'User Account Control: Run all administrators in Admin Approval Mode' is enabled."
reference : "CCE|CCE-33788-1,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\"
reg_item : "EnableLUA"
value_data : 1
# Passes when PromptOnSecureDesktop is 1: elevation prompts are shown on the secure
# desktop rather than on the interactive user's desktop.
type : REGISTRY_SETTING
description: "2.3.18.8 Set 'User Account Control: Switch to the secure desktop when prompting for elevation' to 'Enabled'"
info : "This policy setting controls whether the elevation request prompt is displayed on the interactive user's desktop"
info : "or the secure desktop."
solution : "Make sure 'User Account Control: Switch to the secure desktop when prompting for elevation' is enabled."
reference : "800-53|AC-3,800-53|AC-6,CCE|CCE-33815-2,PCI|7.1.1,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\"
reg_item : "PromptOnSecureDesktop"
value_data : 1
# Passes when EnableVirtualization is 1: failed application writes are redirected to
# per-user file-system and registry locations.
type : REGISTRY_SETTING
description: "2.3.18.9 Set 'User Account Control: Virtualize file and registry write failures to per-user locations' to 'Enabled'"
info : "This policy setting controls whether application write failures are redirected to defined registry and"
info : "file system locations."
solution : "Make sure 'User Account Control: Virtualize file and registry write failures to per-user locations' is enabled."
reference : "CCE|CCE-35459-7,800-53|AC-3,800-53|AC-6,PCI|7.1.1,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\"
reg_item : "EnableVirtualization"
value_data : 1
## 3 Event Log
## 4 Restricted Groups
## 5 System Services
## 6 Registry
## 7 File System
## 8 Wired Network (IEEE 802.3) Policies
## 9 Windows Firewall With Advanced Security
## 9.1 Domain Profile
# Domain profile: passes when the policy value EnableFirewall is 1 (firewall on).
# The key is under HKLM\Software\Policies, so this reads the Group Policy setting.
type : REGISTRY_SETTING
description : "9.1.1 Set 'Windows Firewall: Domain: Firewall state' to 'On (recommended)'"
info : "Select On to have Windows Firewall with Advanced Security use the settings for this profile to filter network traffic."
solution : "Make sure 'Windows Firewall: Domain: Firewall state' is set to On."
reference : "CCE|CCE-33160-3,800-53|AC-4,PCI|1.2.1,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\"
reg_item : "EnableFirewall"
value_data : 1
# Domain profile: DefaultInboundAction = 1 blocks inbound connections that match no
# inbound firewall rule.
type : REGISTRY_SETTING
description : "9.1.2 Set 'Windows Firewall: Domain: Inbound connections' to 'Block (default)'"
info : "This setting determines the behavior for inbound connections that do not match an inbound firewall rule."
solution : "Make sure 'Inbound connections' is set to the default setting Enabled:Block."
reference : "CCE|CCE-33063-9,PCI|1.2.1,800-53|AC-4,800-53|SC-7,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\"
reg_item : "DefaultInboundAction"
value_data : 1
# Domain profile: DefaultOutboundAction = 0 allows outbound connections that match no
# outbound rule. With this baseline, egress filtering needs explicit block rules.
type : REGISTRY_SETTING
description : "9.1.3 Set 'Windows Firewall: Domain: Outbound connections' to 'Allow (default)'"
info : "This setting determines the behavior for outbound connections that do not match an outbound firewall rule."
solution : "Make sure 'Windows Firewall: Domain: Outbound connections' is set to the default value of allow."
reference : "PCI|1.2.1,CCE|CCE-33098-5,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\"
reg_item : "DefaultOutboundAction"
value_data : 0
# Domain profile: the registry value is the inverse of the policy wording.
# DisableNotifications = 0 means notifications are displayed ('Yes').
type : REGISTRY_SETTING
description : "9.1.4 Set 'Windows Firewall: Domain: Display a notification' to 'Yes (default)'"
info : "This setting allows Windows Firewall with Advanced Security to display notifications to the user when a"
info : "program is blocked."
solution : "Make sure 'Windows Firewall: Domain: Display a notification' is set to the default value yes."
reference : "CCE|CCE-33062-1,PCI|1.2.1,800-53|CM-6,800-53|CM-3,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\"
reg_item : "DisableNotifications"
value_data : 0
# Domain profile: the registry value is the inverse of the policy wording.
# DisableUnicastResponsesToMulticastBroadcast = 1 means 'Allow unicast response' is 'No'.
type : REGISTRY_SETTING
description : "9.1.5 Set 'Windows Firewall: Domain: Allow unicast response' to 'No'"
info : "This setting controls whether this computer receives unicast responses to its outgoing multicast or broadcast messages."
solution : "Make sure 'Windows Firewall: Domain: Allow unicast response' is set to no."
reference : "800-53|SC-5,800-53|SC-7,CCE|CCE-33060-5,PCI|1.2.1,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\"
reg_item : "DisableUnicastResponsesToMulticastBroadcast"
value_data : 1
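# Domain profile: AllowLocalPolicyMerge = 1 lets firewall rules created by local
# administrators apply together with the rules delivered by Group Policy.
# The solution text names the Domain profile, the one this item's reg_key reads.
type : REGISTRY_SETTING
description : "9.1.6 Set 'Windows Firewall: Domain: Apply local firewall rules' to 'Yes (default)'"
info : "This setting controls whether local administrators are allowed to create local firewall rules that apply together"
info : "with firewall rules configured by Group Policy."
solution : "Make sure 'Windows Firewall: Domain: Apply local firewall rules' is set to yes."
reference : "CCE|CCE-33061-3,800-53|AC-4,PCI|1.2.1,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\"
reg_item : "AllowLocalPolicyMerge"
value_data : 1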
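# Domain profile: AllowLocalIPsecPolicyMerge = 1 lets connection security rules created
# by local administrators apply together with those delivered by Group Policy.
# The solution text states 'yes', the value that the description and value_data require.
type : REGISTRY_SETTING
description : "9.1.7 Set 'Windows Firewall: Domain: Apply local connection security rules' to 'Yes (default)'"
info : "This setting controls whether local administrators are allowed to create connection security rules that apply together"
info : "with connection security rules configured by Group Policy."
solution : "Make sure 'Windows Firewall: Domain: Apply local connection security rules' is set to yes."
reference : "CCE|CCE-35701-2,PCI|1.2.1,800-53|CM-6,800-53|SC-7,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\"
reg_item : "AllowLocalIPsecPolicyMerge"
value_data : 1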
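# Domain profile: reads the LogFilePath value under the profile's Logging key and
# compares it with the expected log path. The value name must be spelled exactly
# 'LogFilePath'; any other name points the check at a value that does not exist.
type : REGISTRY_SETTING
description : "9.1.8 Set 'Windows Firewall: Domain: Logging: Name' to '%SYSTEMROOT%\System32\logfiles\firewall\domainfw.log'"
info : "Use this option to specify the path and name of the file in which Windows Firewall will write its log information."
solution : "Make sure 'Windows Firewall: Domain: Logging: Name' is set to '%SYSTEMROOT%\System32\logfiles\firewall\domainfw.log'"
reference : "CCE|CCE-23521-8,PCI|1.2.1,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
value_type : POLICY_TEXT
value_data : "%SYSTEMROOT%\System32\logfiles\firewall\domainfw.log"
reg_key : "HKLM\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging\"
reg_item : "LogFilePath"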
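# Domain profile: reads the LogFileSize value (in KB) under the profile's Logging key;
# the range passes any size of 16384 KB or more. The value name must be spelled exactly
# 'LogFileSize'; any other name points the check at a value that does not exist.
type : REGISTRY_SETTING
description : "9.1.9 Set 'Windows Firewall: Domain: Logging: Size limit (KB)' to '16384 KB or greater'"
info : "Use this option to specify the size limit of the file in which Windows Firewall will write its log information."
solution : "Make sure 'Windows Firewall: Domain: Logging: Size limit (KB)' is set to '16384 KB or greater'"
reference : "CCE|CCE-35083-5,PCI|1.2.1,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
value_type : POLICY_DWORD
value_data : [16384..MAX]
reg_key : "HKLM\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging\"
reg_item : "LogFileSize"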
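# Domain profile: passes when LogDroppedPackets is 1, so discarded inbound packets are
# written to the firewall log. The solution text no longer calls 'Yes' a default: the
# setting has to be turned on explicitly.
type : REGISTRY_SETTING
description : "9.1.10 Set 'Windows Firewall: Domain: Logging: Log dropped packets' to 'Yes'"
info : "Use this option to log when Windows Firewall with Advanced Security discards an inbound packet for any reason."
solution : "Make sure 'Windows Firewall: Domain: Logging: Log dropped packets' is set to Yes."
reference : "CCE|CCE-35252-6,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
value_type : POLICY_DWORD
value_data : 1
reg_key : "HKLM\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging\"
reg_item : "LogDroppedPackets"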
# Domain profile: passes when LogSuccessfulConnections is 1, so allowed inbound
# connections are written to the firewall log.
type : REGISTRY_SETTING
description : "9.1.11 Set 'Windows Firewall: Domain: Logging: Log successful connections' to 'Yes'"
info : "Use this option to log when Windows Firewall with Advanced Security allows an inbound connection."
solution : "Make sure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Yes'."
reference : "CCE|CCE-35306-0,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
value_type : POLICY_DWORD
value_data : 1
reg_key : "HKLM\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging\"
reg_item : "LogSuccessfulConnections"
## 9.2 Private Profile
# Private profile: passes when the policy value EnableFirewall is 1 (firewall on).
type : REGISTRY_SETTING
description : "9.2.1 Set 'Windows Firewall: Private: Firewall state' to 'On (recommended)'"
info : "Select On to have Windows Firewall with Advanced Security use the settings for this profile to filter network traffic."
solution : "Make sure 'Windows Firewall: Private: Firewall state' is set to on."
reference : "800-53|AC-4,PCI|1.2.1,CCE|CCE-33066-2,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile\"
reg_item : "EnableFirewall"
value_data : 1
# Private profile: DefaultInboundAction = 1 blocks inbound connections that match no
# inbound firewall rule.
type : REGISTRY_SETTING
description : "9.2.2 Set 'Windows Firewall: Private: Inbound connections' to 'Block (default)'"
info : "This setting determines the behavior for inbound connections that do not match an inbound firewall rule."
solution : "Make sure 'Inbound connections' is set to the default Enabled:Block."
reference : "CCE|CCE-33161-1,PCI|1.2.1,800-53|AC-4,800-53|SC-7,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile\"
reg_item : "DefaultInboundAction"
value_data : 1
# Private profile: DefaultOutboundAction = 0 allows outbound connections that match no
# outbound rule. With this baseline, egress filtering needs explicit block rules.
type : REGISTRY_SETTING
description : "9.2.3 Set 'Windows Firewall: Private: Outbound connections' to 'Allow (default)'"
info : "This setting determines the behavior for outbound connections that do not match an outbound firewall rule."
solution : "Make sure 'Windows Firewall: Private: Outbound connections' is set to the default setting Allow."
reference : "CCE|CCE-33162-9,PCI|1.2.1,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile\"
reg_item : "DefaultOutboundAction"
value_data : 0
# Private profile: the registry value is the inverse of the policy wording.
# DisableNotifications = 0 means notifications are displayed ('Yes').
type : REGISTRY_SETTING
description : "9.2.4 Set 'Windows Firewall: Private: Display a notification' to 'Yes (default)' "
info : "This setting allows Windows Firewall with Advanced Security to display notifications to the user when a"
info : "program is blocked."
solution : "Make sure 'Windows Firewall: Private: Display a notification' is set to yes."
reference : "PCI|1.2.1,CCE|CCE-33065-4,800-53|CM-6,800-53|CM-3,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile\"
reg_item : "DisableNotifications"
value_data : 0
# Private profile: the registry value is the inverse of the policy wording.
# DisableUnicastResponsesToMulticastBroadcast = 1 means 'Allow unicast response' is 'No'.
type : REGISTRY_SETTING
description : "9.2.5 Set 'Windows Firewall: Private: Allow unicast response' to 'No' "
info : "This setting controls whether this computer receives unicast responses to its outgoing multicast or broadcast messages."
solution : "Make sure 'Windows Firewall: Private: Allow unicast response' is set to no."
reference : "800-53|SC-5,800-53|SC-7,PCI|1.2.1,CCE|CCE-35536-2,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile\"
reg_item : "DisableUnicastResponsesToMulticastBroadcast"
value_data : 1
# Private profile: AllowLocalPolicyMerge = 1 lets firewall rules created by local
# administrators apply together with the rules delivered by Group Policy.
type : REGISTRY_SETTING
description : "9.2.6 Set 'Windows Firewall: Private: Apply local firewall rules' to 'Yes (default)'"
info : "This setting controls whether local administrators are allowed to create local firewall rules that apply together"
info : "with firewall rules configured by Group Policy."
solution : "Make sure 'Windows Firewall: Private: Apply local firewall rules' is set to yes (default setting)."
reference : "800-53|AC-4,CCE|CCE-35702-0,PCI|1.2.1,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile\"
reg_item : "AllowLocalPolicyMerge"
value_data : 1
# Private profile: AllowLocalIPsecPolicyMerge = 1 lets connection security rules created
# by local administrators apply together with those delivered by Group Policy.
type : REGISTRY_SETTING
description : "9.2.7 Set 'Windows Firewall: Private: Apply local connection security rules' to 'Yes (default)'"
info : "This setting controls whether local administrators are allowed to create connection security rules that apply"
info : "together with connection security rules configured by Group Policy."
solution : "Make sure 'Windows Firewall: Private: Apply local connection security rules' is set to yes."
reference : "CCE|CCE-33064-7,PCI|1.2.1,800-53|CM-6,800-53|SC-7,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile\"
reg_item : "AllowLocalIPsecPolicyMerge"
value_data : 1
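# Private profile: reads the LogFilePath value under the profile's Logging key and
# compares it with the expected log path. The value name must be spelled exactly
# 'LogFilePath'; any other name points the check at a value that does not exist.
type : REGISTRY_SETTING
description : "9.2.8 Set 'Windows Firewall: Private: Logging: Name' to '%SYSTEMROOT%\System32\logfiles\firewall\privatefw.log'"
info : "Use this option to specify the path and name of the file in which Windows Firewall will write its log information."
solution : "Make sure 'Windows Firewall: Private: Logging: Name' is set to '%SYSTEMROOT%\System32\logfiles\firewall\privatefw.log'"
reference : "CCE|CCE-33437-5,PCI|1.2.1,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
value_type : POLICY_TEXT
value_data : "%SYSTEMROOT%\System32\logfiles\firewall\privatefw.log"
reg_key : "HKLM\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging\"
reg_item : "LogFilePath"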
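# Private profile: reads the LogFileSize value (in KB) under the profile's Logging key;
# the range passes any size of 16384 KB or more. The value name must be spelled exactly
# 'LogFileSize'; any other name points the check at a value that does not exist.
type : REGISTRY_SETTING
description : "9.2.9 Set 'Windows Firewall: Private: Logging: Size limit (KB)' to '16384 KB or greater'"
info : "Use this option to specify the size limit of the file in which Windows Firewall will write its log information."
solution : "Make sure 'Windows Firewall: Private: Logging: Size limit (KB)' is set to '16384 KB or greater'"
reference : "CCE|CCE-34356-6,PCI|1.2.1,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
value_type : POLICY_DWORD
value_data : [16384..MAX]
reg_key : "HKLM\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging\"
reg_item : "LogFileSize"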
# Private profile: passes when LogDroppedPackets is 1, so discarded inbound packets are
# written to the firewall log.
type : REGISTRY_SETTING
description : "9.2.10 Set 'Windows Firewall: Private: Logging: Log dropped packets' to 'Yes'"
info : "Use this option to log when Windows Firewall with Advanced Security discards an inbound packet for any reason."
solution : "Make sure 'Windows Firewall: Private: Logging: Log dropped packets' is set to Yes."
reference : "PCI|1.2.1,CCE|CCE-33436-7,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
value_type : POLICY_DWORD
value_data : 1
reg_key : "HKLM\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging\"
reg_item : "LogDroppedPackets"
# 9.2.11: passes when LogSuccessfulConnections under the Private-profile Logging
# policy key is the DWORD 1 ('Yes'), so allowed inbound connections are logged.
type : REGISTRY_SETTING
description : "9.2.11 Set 'Windows Firewall: Private: Logging: Log successful connections' to 'Yes'"
info : "Use this option to log when Windows Firewall with Advanced Security allows an inbound connection."
solution : "Make sure 'Windows Firewall: Private: Logging: Log successful connections' is set to Yes."
reference : "PCI|1.2.1,CCE|CCE-34177-6,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
value_type : POLICY_DWORD
value_data : 1
reg_key : "HKLM\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging\"
reg_item : "LogSuccessfulConnections"
## 9.3 Public Profile
# 9.3.1: passes when EnableFirewall under the Public-profile policy key is the
# DWORD 1, i.e. the firewall is on for networks classified as Public.
type : REGISTRY_SETTING
description : "9.3.1 Set 'Windows Firewall: Public: Firewall state' to 'On (recommended)'"
info : "Select On to have Windows Firewall with Advanced Security use the settings for this profile to filter network traffic."
solution : "Make sure 'Windows Firewall: Public: Firewall state' is set to On."
reference : "800-53|AC-4,CCE|CCE-35703-8,PCI|1.2.1,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\Software\Policies\Microsoft\WindowsFirewall\PublicProfile\"
reg_item : "EnableFirewall"
value_data : 1
# 9.3.2: passes when DefaultInboundAction under the Public-profile policy key is
# the DWORD 1, which this item maps to 'Block' for inbound traffic that matches
# no firewall rule.
type : REGISTRY_SETTING
description : "9.3.2 Set 'Windows Firewall: Public: Inbound connections' to 'Block (default)'"
info : "This setting determines the behavior for inbound connections that do not match an inbound firewall rule."
solution : "Make sure 'Inbound connections' is set to the default Enabled:Block."
reference : "800-53|AC-4,800-53|SC-7,CCE|CCE-33069-6,PCI|1.2.1,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\Software\Policies\Microsoft\WindowsFirewall\PublicProfile\"
reg_item : "DefaultInboundAction"
value_data : 1
# 9.3.3: passes when DefaultOutboundAction under the Public-profile policy key is
# the DWORD 0, which this item maps to 'Allow' for outbound traffic that matches
# no firewall rule.
type : REGISTRY_SETTING
description : "9.3.3 Set 'Windows Firewall: Public: Outbound connections' to 'Allow (default)'"
info : "This setting determines the behavior for outbound connections that do not match an outbound firewall rule."
solution : "Make sure 'Windows Firewall: Public: Outbound connections' is set to the default setting allow."
reference : "PCI|1.2.1,CCE|CCE-33070-4,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\Software\Policies\Microsoft\WindowsFirewall\PublicProfile\"
reg_item : "DefaultOutboundAction"
value_data : 0
# 9.3.4: passes when DisableNotifications under the Public-profile policy key is
# the DWORD 1.
# NOTE(review): the value name is a "Disable..." flag, so 1 would normally mean
# notifications are turned off, while the description and solution ask for
# 'Yes' (display). Confirm against the benchmark whether the expected value
# should be 0, or whether the wording should read 'No'.
type : REGISTRY_SETTING
description : "9.3.4 Set 'Windows Firewall: Public: Display a notification' to 'Yes'"
info : "This setting allows Windows Firewall with Advanced Security to display notifications to the user when a"
info : "program is blocked."
solution : "Make sure 'Windows Firewall: Public: Display a notification' is set to Yes."
reference : "800-53|CM-6,800-53|CM-3,PCI|1.2.1,CCE|CCE-33068-8,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\Software\Policies\Microsoft\WindowsFirewall\PublicProfile\"
reg_item : "DisableNotifications"
value_data : 1
# 9.3.5: passes when DisableUnicastResponsesToMulticastBroadcast is the DWORD 1.
# The value name is a negated flag, so 1 corresponds to 'No' for
# "Allow unicast response" in the policy wording.
type : REGISTRY_SETTING
description : "9.3.5 Set 'Windows Firewall: Public: Allow unicast response' to 'No'"
info : "This setting controls whether this computer receives unicast responses to its outgoing multicast or broadcast messages."
solution : "Make sure 'Windows Firewall: Public: Allow unicast response' is set to no."
reference : "CCE|CCE-33067-0,PCI|1.2.1,800-53|SC-5,800-53|SC-7,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\Software\Policies\Microsoft\WindowsFirewall\PublicProfile\"
reg_item : "DisableUnicastResponsesToMulticastBroadcast"
value_data : 1
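# 9.3.6: passes when AllowLocalPolicyMerge under the Public-profile policy key is
# the DWORD 1 ('Yes'), i.e. locally created firewall rules are merged with the
# Group Policy rules.
# Fixed: the description named the Domain profile although reg_key and the
# solution both refer to the Public profile.
type : REGISTRY_SETTING
description : "9.3.6 Set 'Windows Firewall: Public: Apply local firewall rules' to 'Yes (default)'"
info : "This setting controls whether local administrators are allowed to create local firewall rules that apply together"
info : "with firewall rules configured by Group Policy."
solution : "Make sure 'Windows Firewall: Public: Apply local firewall rules' is set to yes."
reference : "CCE|CCE-35537-0,800-53|AC-4,PCI|1.2.1,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\Software\Policies\Microsoft\WindowsFirewall\PublicProfile\"
reg_item : "AllowLocalPolicyMerge"
value_data : 1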
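# 9.3.7: passes when AllowLocalIPsecPolicyMerge under the Public-profile policy
# key is the DWORD 0 ('No'), i.e. locally created connection security rules are
# not merged with the Group Policy rules.
# Fixed: the solution named the Domain profile although the description and
# reg_key refer to the Public profile.
type : REGISTRY_SETTING
description : "9.3.7 Set 'Windows Firewall: Public: Apply local connection security rules' to 'No'"
info : "This setting controls whether local administrators are allowed to create connection security rules that apply together"
info : "with connection security rules configured by Group Policy."
solution : "Make sure 'Windows Firewall: Public: Apply local connection security rules' is set to no."
reference : "CCE|CCE-33099-3,PCI|1.2.1,800-53|CM-6,800-53|SC-7,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\Software\Policies\Microsoft\WindowsFirewall\PublicProfile\"
reg_item : "AllowLocalIPsecPolicyMerge"
value_data : 0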
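# 9.3.8: text comparison of the Public-profile firewall log path against the
# benchmark's recommended location.
# Fixed: reg_item had non-ASCII text in place of "File", so the lookup could not
# match the real policy value name LogFilePath.
type : REGISTRY_SETTING
description : "9.3.8 Set 'Windows Firewall: Public: Logging: Name' to '%SYSTEMROOT%\System32\logfiles\firewall\publicfw.log'"
info : "Use this option to specify the path and name of the file in which Windows Firewall will write its log information."
solution : "Make sure 'Windows Firewall: Public: Logging: Name' is set to '%SYSTEMROOT%\System32\logfiles\firewall\publicfw.log'"
reference : "CCE|CCE-35117-1,PCI|1.2.1,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
value_type : POLICY_TEXT
value_data : "%SYSTEMROOT%\System32\logfiles\firewall\publicfw.log"
reg_key : "HKLM\Software\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging\"
reg_item : "LogFilePath"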
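# 9.3.9: range check on the Public-profile firewall log size limit (DWORD, KB).
# Fixed: reg_item had non-ASCII text in place of "File", so the lookup could not
# match the real policy value name LogFileSize.
type : REGISTRY_SETTING
description : "9.3.9 Set 'Windows Firewall: Public: Logging: Size limit (KB)' to '16384 KB or greater'"
info : "Use this option to specify the size limit of the file in which Windows Firewall will write its log information."
solution : "Make sure 'Windows Firewall: Public: Logging: Size limit (KB)' is set to '16384 KB or greater'"
reference : "CCE|CCE-35421-7,PCI|1.2.1,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
value_type : POLICY_DWORD
value_data : [16384..MAX]
reg_key : "HKLM\Software\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging\"
reg_item : "LogFileSize"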
# 9.3.10: passes when LogDroppedPackets under the Public-profile Logging policy
# key is the DWORD 1 ('Yes'), so discarded inbound packets are written to the log.
type : REGISTRY_SETTING
description : "9.3.10 Set 'Windows Firewall: Public: Logging: Log dropped packets' to 'Yes'"
info : "Use this option to log when Windows Firewall with Advanced Security discards an inbound packet for any reason."
solution : "Make sure 'Windows Firewall: Public: Logging: Log dropped packets' is set to Yes."
reference : "PCI|1.2.1,CCE|CCE-35116-3,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
value_type : POLICY_DWORD
value_data : 1
reg_key : "HKLM\Software\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging\"
reg_item : "LogDroppedPackets"
# 9.3.11: passes when LogSuccessfulConnections under the Public-profile Logging
# policy key is the DWORD 1 ('Yes'), so allowed inbound connections are logged.
# NOTE(review): unlike the other firewall logging checks in this file, the
# reference line carries no PCI|1.2.1 tag; confirm whether that is intentional.
type : REGISTRY_SETTING
description : "9.3.11 Set 'Windows Firewall: Public: Logging: Log successful connections' to 'Yes'"
info : "Use this option to log when Windows Firewall with Advanced Security allows an inbound connection."
solution : "Make sure 'Windows Firewall: Public: Logging: Log successful connections' is set to 'Yes'."
reference : "CCE|CCE-33734-5,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
value_type : POLICY_DWORD
value_data : 1
reg_key : "HKLM\Software\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging\"
reg_item : "LogSuccessfulConnections"
## 10 Network List Manager Policies
## 11 Wireless Network (IEEE 802.11) Policies
## 12 Public Key Policies
## 13 Software Restriction Policies
## 14 Network Access Protection NAP Client Configuration
## 15 Application Control Policies AppLocker
## 16 IP Security Policies
## 17 Advanced Audit Policy Configuration
## 17.1 Account Logon
# 17.1.1: passes when the "Credential Validation" audit subcategory is set to
# exactly "Success, Failure", so both accepted and rejected credential checks
# produce audit events.
type : AUDIT_POLICY_SUBCATEGORY
description : "17.1.1 Set 'Audit Policy: Account Logon: Credential Validation' to 'Success and Failure'"
info : "This subcategory reports the results of validation tests on credentials submitted for a user account logon request."
reference : "PCI|10.3.4,PCI|10.3.3,CCE|CCE-35494-4,PCI|10.3.2,PCI|10.3.5,PCI|10.3.6,PCI|10.3.1,PCI|10.3,PCI|10.2.4,PCI|10.2.1,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
solution : "Make sure the audit policy 'Account Logon: Credential Validation' is set to success and failure."
value_type : AUDIT_SET
audit_policy_subcategory: "Credential Validation"
value_data : "Success, Failure"
## 17.2 Account Management
# 17.2.1: passes when the "Computer Account Management" audit subcategory is set
# to exactly "Success, Failure".
# NOTE(review): the description uses the prefix 'Audit:' where the neighbouring
# checks use 'Audit Policy: Account Management:', and the solution text contains
# a stray word "Configure".
type : AUDIT_POLICY_SUBCATEGORY
description : "17.2.1 Set 'Audit: Computer Account Management' to 'Success and Failure'"
info : "This subcategory reports each event of computer account management, such as when a computer account is created,"
info : "changed, deleted, renamed, disabled, or enabled."
reference : "800-53|AU-2,PCI|10.3.4,CCE|CCE-21905-5,PCI|10.3.3,PCI|10.2.2,PCI|10.3.2,PCI|10.3.5,PCI|10.3.6,PCI|10.3.1,PCI|10.3,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
solution : "Make sure Configure 'Account Management: Computer Account Management' is set to success and failure."
value_type : AUDIT_SET
audit_policy_subcategory: "Computer Account Management"
value_data : "Success, Failure"
# 17.2.2: passes when the "Other Account Management Events" audit subcategory is
# set to exactly "Success". As written, "Success, Failure" is not listed as an
# accepted alternative here, unlike some later checks that use "||".
type : AUDIT_POLICY_SUBCATEGORY
description : "17.2.2 Set 'Audit Policy: Account Management: Other Account Management Events' to 'Success'"
info : "This subcategory reports other account management events."
reference : "800-53|AU-2,PCI|10.3.4,PCI|10.3.3,PCI|10.2.2,CCE|CCE-35497-7,PCI|10.3.2,PCI|10.3.5,PCI|10.3.6,PCI|10.3.1,PCI|10.3,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
solution : "Make sure 'Account Management: Other Account Management Events' is set to success."
value_type : AUDIT_SET
audit_policy_subcategory: "Other Account Management Events"
value_data : "Success"
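# 17.2.3: passes when the "Security Group Management" audit subcategory is set to
# exactly "Success, Failure", so group creation, deletion and membership changes
# are audited whether they succeed or fail.
# Fixed: the solution text was missing the closing quote after the setting name.
type : AUDIT_POLICY_SUBCATEGORY
description : "17.2.3 Set 'Audit Policy: Account Management: Security Group Management' to 'Success and Failure'"
info : "This subcategory reports each event of security group management, such as when a security group is created, changed,"
info : "or deleted or when a member is added to or removed from a security group."
reference : "800-53|AU-2,PCI|10.3.4,PCI|10.3.3,PCI|10.2.2,PCI|10.3.2,PCI|10.3.5,PCI|10.3.6,CCE|CCE-35498-5,PCI|10.3.1,PCI|10.3,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
solution : "Make sure 'Account Management: Security Group Management' is set to success and failure."
value_type : AUDIT_SET
audit_policy_subcategory: "Security Group Management"
value_data : "Success, Failure"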
# 17.2.4: passes when the "User Account Management" audit subcategory is set to
# exactly "Success, Failure", covering account creation, deletion, renames,
# enable/disable and password changes as listed in the info text.
type : AUDIT_POLICY_SUBCATEGORY
description : "17.2.4 Set 'Audit Policy: Account Management: User Account Management' to 'Success and Failure'"
info : "This subcategory reports each event of user account management, such as when a user account is created, changed,"
info : "or deleted; a user account is renamed, disabled, or enabled; or a password is set or changed."
reference : "800-53|AU-2,PCI|10.3.4,PCI|10.3.3,PCI|10.2.2,PCI|10.3.2,PCI|10.3.5,PCI|10.3.6,PCI|10.3.1,PCI|10.3,CCE|CCE-35499-3,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
solution : "Make sure 'Account Management: User Account Management' is set to success and failure."
value_type : AUDIT_SET
audit_policy_subcategory: "User Account Management"
value_data : "Success, Failure"
## 17.3 Detailed Tracking
# 17.3.1: checks the "Process Creation" audit subcategory. value_data lists two
# alternatives joined by "||", so either "Success" or the stricter
# "Success, Failure" satisfies the check.
type : AUDIT_POLICY_SUBCATEGORY
description : "17.3.1 Set 'Audit Policy: Detailed Tracking: Process Creation' to 'Success'"
info : "This subcategory reports the creation of a process and the name of the program or user that created it."
reference : "800-53|AU-2,PCI|10.3.4,PCI|10.3.3,CCE|CCE-33040-7,PCI|10.3.2,PCI|10.3.5,PCI|10.2.7,PCI|10.3.6,PCI|10.3.1,PCI|10.3,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
solution : "Make sure 'Detailed Tracking: Process Creation' is set to success."
value_type : AUDIT_SET
audit_policy_subcategory: "Process Creation"
value_data : "Success" || "Success, Failure"
## 17.4 DS Access
## 17.5 Logon/Logoff
# 17.5.1: checks the "Account Lockout" audit subcategory. Either "Success" or
# "Success, Failure" satisfies the check (alternatives joined by "||").
type : AUDIT_POLICY_SUBCATEGORY
description : "17.5.1 Set 'Audit Policy: Logon-Logoff: Account Lockout' to 'Success'"
info : "This subcategory reports when a user's account is locked out as a result of too many failed logon attempts."
reference : "PCI|10.3.4,PCI|10.3.3,PCI|10.3.2,PCI|10.3.5,CCE|CCE-35504-0,PCI|10.3.6,PCI|10.3.1,PCI|10.3,PCI|10.2.4,PCI|10.2.1,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
solution : "Make sure 'Logon-Logoff: Account Lockout' is set to 'Success'."
value_type : AUDIT_SET
audit_policy_subcategory: "Account Lockout"
value_data : "Success" || "Success, Failure"
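# 17.5.2: checks the "Logoff" audit subcategory. Either "Success" or
# "Success, Failure" satisfies the check (alternatives joined by "||").
# Fixed: the solution text was missing its closing quote and full stop.
type : AUDIT_POLICY_SUBCATEGORY
description : "17.5.2 Set 'Audit Policy: Logon-Logoff: Logoff' to 'Success'"
info : "This subcategory reports when a user logs off from the system."
reference : "PCI|10.3.4,PCI|10.3.3,PCI|10.3.2,PCI|10.3.5,PCI|10.3.6,PCI|10.3.1,PCI|10.3,PCI|10.2.4,CCE|CCE-35507-3,PCI|10.2.1,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
solution : "Make sure 'Logon-Logoff: Logoff' is set to 'Success'."
value_type : AUDIT_SET
audit_policy_subcategory: "Logoff"
value_data : "Success" || "Success, Failure"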
# 17.5.3: passes when the "Logon" audit subcategory is set to exactly
# "Success, Failure", so failed logon attempts are recorded as well as
# successful ones.
type : AUDIT_POLICY_SUBCATEGORY
description : "17.5.3 Set 'Audit Policy: Logon-Logoff: Logon' to 'Success and Failure'"
info : "This subcategory reports when a user attempts to log on to the system."
reference : "PCI|10.3.4,PCI|10.3.3,PCI|10.3.2,PCI|10.3.5,CCE|CCE-35508-1,PCI|10.3.6,PCI|10.3.1,PCI|10.3,PCI|10.2.4,PCI|10.2.1,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
solution : "Make sure 'Logon-Logoff: Logon' is set to success and failure"
value_type : AUDIT_SET
audit_policy_subcategory: "Logon"
value_data : "Success, Failure"
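# 17.5.4: checks the "Other Logon/Logoff Events" audit subcategory. Any of
# "Success", "Failure" or "Success, Failure" satisfies the check; "No Auditing"
# does not.
# Fixed: the solution told the operator to set "no auditing", which contradicts
# both the description and value_data and would make the check fail.
type : AUDIT_POLICY_SUBCATEGORY
description : "17.5.4 Set 'Audit Other Logon/Logoff Events' to 'Success, Success and Failure, Failure'"
info : "This subcategory reports other logon/logoff-related events, such as Terminal Services session disconnects"
info : " and reconnects, using RunAs to run processes under a different account, and locking and unlocking a workstation."
reference : "PCI|10.3.4,PCI|10.3.3,PCI|10.3.2,PCI|10.3.5,PCI|10.3.6,PCI|10.3.1,CCE|CCE-22723-1,PCI|10.3,PCI|10.2.4,PCI|10.2.1,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
solution : "Make sure 'Logon-Logoff: Other Logon/Logoff Events' is set to Success, Failure, or Success and Failure."
value_type : AUDIT_SET
audit_policy_subcategory: "Other Logon/Logoff Events"
value_data : "Success" || "Failure" || "Success, Failure"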
# 17.5.5: checks the "Special Logon" audit subcategory. Either "Success" or
# "Success, Failure" satisfies the check, matching the "(minimum)" wording in
# the solution.
type : AUDIT_POLICY_SUBCATEGORY
description : "17.5.5 Set 'Audit Policy: Logon-Logoff: Special Logon' to 'Success'"
info : "This subcategory reports when a special logon is used."
reference : "PCI|10.3.4,PCI|10.3.3,PCI|10.3.2,PCI|10.3.5,PCI|10.3.6,PCI|10.3.1,PCI|10.3,PCI|10.2.4,PCI|10.2.1,CCE|CCE-35511-5,Level|1S,800-53|AU-2"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
solution : "Make sure 'Logon-Logoff: Special Logon' is set to Success (minimum)."
value_type : AUDIT_SET
audit_policy_subcategory: "Special Logon"
value_data : "Success" || "Success, Failure"
## 17.6 Object Access
# 17.6.1: passes when the "Removable Storage" audit subcategory is set to exactly
# "Success, Failure".
# NOTE(review): the CCE id in the reference line is the same one used by check
# 17.7.1 (Audit Policy Change); one of the two is presumably wrong. This item
# also spells its tags 'PCI-DSS|' and 'LEVEL|' where the rest of the file uses
# 'PCI|' and 'Level|', which may matter to anything filtering on reference tags.
type : AUDIT_POLICY_SUBCATEGORY
description : "17.6.1 Set 'Audit Removable Storage' to 'Success and Failure'"
info : "This policy setting allows you to audit user attempts to access file system objects on a removable storage device."
reference : "800-53|AU-2,PCI-DSS|10.3.4,CCE|CCE-35521-4,PCI-DSS|10.3.3,PCI-DSS|10.3.2,PCI-DSS|10.3.5,PCI-DSS|10.2.3,PCI-DSS|10.3.6,PCI-DSS|10.3.1,PCI-DSS|10.3,LEVEL|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
solution : "Make sure 'Audit Removable Storage' is set to success and failure."
value_type : AUDIT_SET
audit_policy_subcategory : "Removable Storage"
value_data : "Success, Failure"
## 17.7 Policy Change
# 17.7.1: passes when the "Audit Policy Change" audit subcategory is set to
# exactly "Success, Failure", so attempts to alter the audit policy itself are
# recorded.
# NOTE(review): the CCE id in the reference line also appears on check 17.6.1
# (Removable Storage); confirm which item it belongs to.
type : AUDIT_POLICY_SUBCATEGORY
description : "17.7.1 Set 'Audit Policy: Policy Change: Audit Policy Change' to 'Success and Failure'"
info : "This subcategory reports changes in audit policy including SACL changes."
reference : "800-53|AU-2,PCI|10.3.4,CCE|CCE-35521-4,PCI|10.3.3,PCI|10.3.2,PCI|10.3.5,PCI|10.2.3,PCI|10.3.6,PCI|10.3.1,PCI|10.3,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
solution : "Make sure 'Policy Change: Audit Policy Change' is set to success and failure."
value_type : AUDIT_SET
audit_policy_subcategory: "Audit Policy Change"
value_data : "Success, Failure"
# 17.7.2: checks the "Authentication Policy Change" audit subcategory. Either
# "Success" or "Success, Failure" satisfies the check, matching the "(minimum)"
# wording in the solution.
type : AUDIT_POLICY_SUBCATEGORY
description : "17.7.2 Set 'Audit Policy: Policy Change: Authentication Policy Change' to 'Success'"
info : "This subcategory reports changes in authentication policy."
reference : "800-53|AU-2,CCE|CCE-33091-0,PCI|10.2,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
solution : "Make sure 'Policy Change: Authentication Policy Change' is set to Success (minimum)."
value_type : AUDIT_SET
audit_policy_subcategory: "Authentication Policy Change"
value_data : "Success" || "Success, Failure"
## 17.8 Privilege Use
# 17.8.1: passes when the "Sensitive Privilege Use" audit subcategory is set to
# exactly "Success, Failure".
type : AUDIT_POLICY_SUBCATEGORY
description : "17.8.1 Set 'Audit Policy: Privilege Use: Sensitive Privilege Use' to 'Success and Failure'"
info : "This subcategory reports when a user account or service uses a sensitive privilege."
reference : "800-53|AU-2,PCI|10.3.4,PCI|10.3.3,PCI|10.2.2,PCI|10.3.2,PCI|10.3.5,CCE|CCE-35524-8,PCI|10.3.6,PCI|10.3.1,PCI|10.3,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
solution : "Make sure 'Privilege Use: Sensitive Privilege Use' is set to success and failure."
value_type : AUDIT_SET
audit_policy_subcategory: "Sensitive Privilege Use"
value_data : "Success, Failure"
## 17.9 System
# 17.9.1: passes when the "IPsec Driver" audit subcategory is set to exactly
# "Success, Failure".
type : AUDIT_POLICY_SUBCATEGORY
description : "17.9.1 Set 'Audit Policy: System: IPsec Driver' to 'Success and Failure'"
info : "This subcategory reports on the activities of the Internet Protocol security (IPsec) driver."
reference : "800-53|AU-2,PCI|10.2,CCE|CCE-35525-5,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
solution : "Make sure 'System: IPsec Driver' is set to success and failure."
value_type : AUDIT_SET
audit_policy_subcategory: "IPsec Driver"
value_data : "Success, Failure"
# 17.9.2: passes when the "Other System Events" audit subcategory is set to
# exactly "Success, Failure".
type : AUDIT_POLICY_SUBCATEGORY
description : "17.9.2 Set 'Audit Policy: System: Other System Events' to 'Success and Failure'"
info : "This subcategory reports on other system events."
reference : "800-53|AU-2,CCE|CCE-32936-7,PCI|10.2,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
solution : "Make sure 'System: Other System Events' is set to 'Success and Failure'."
value_type : AUDIT_SET
audit_policy_subcategory: "Other System Events"
value_data : "Success, Failure"
# 17.9.3: passes when the "Security State Change" audit subcategory is set to
# exactly "Success, Failure".
type : AUDIT_POLICY_SUBCATEGORY
description : "17.9.3 Set 'Audit Policy: System: Security State Change' to 'Success and Failure'"
info : "This subcategory reports changes in security state of the system, such as when the security subsystem"
info : "starts and stops."
reference : "800-53|AU-2,PCI|10.2,CCE|CCE-33043-1,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
solution : "Make sure 'System: Security State Change' is set to success and failure."
value_type : AUDIT_SET
audit_policy_subcategory: "Security State Change"
value_data : "Success, Failure"
# 17.9.4: passes when the "Security System Extension" audit subcategory is set to
# exactly "Success, Failure", so loading of extension code such as
# authentication packages is audited.
type : AUDIT_POLICY_SUBCATEGORY
description : "17.9.4 Set 'Audit Policy: System: Security System Extension' to 'Success and Failure'"
info : "This subcategory reports the loading of extension code such as authentication packages by the security subsystem."
reference : "800-53|AU-2,PCI|10.2,CCE|CCE-35526-3,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
solution : "Make sure 'System: Security System Extension' is set to success and failure."
value_type : AUDIT_SET
audit_policy_subcategory: "Security System Extension"
value_data : "Success, Failure"
# 17.9.5: passes when the "System Integrity" audit subcategory is set to exactly
# "Success, Failure".
type : AUDIT_POLICY_SUBCATEGORY
description : "17.9.5 Set 'Audit Policy: System: System Integrity' to 'Success and Failure'"
info : "This subcategory reports on violations of integrity of the security subsystem."
reference : "PCI|10.2,CCE|CCE-35527-1,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
solution : "Make sure 'System: System Integrity' is set to success and failure."
value_type : AUDIT_SET
audit_policy_subcategory: "System Integrity"
value_data : "Success, Failure"
## 17.10 Global Object Access Auditing
## 18 Administrative Templates (Computer)
## 18.1 Control Panel
## 18.1.1 Personalization
# 18.1.1.1: passes when NoLockScreenCamera under the Personalization policy key is
# the DWORD 1, i.e. the camera cannot be invoked from the lock screen.
type : REGISTRY_SETTING
description : "18.1.1.1 Set 'Prevent enabling lock screen camera' to 'Enabled'"
info : "Disables the lock screen camera toggle switch in PC Settings and prevents a"
info : "camera from being invoked on the lock screen."
reference : "CCE|CCE-35799-6"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
solution : "Make sure 'Prevent enabling lock screen camera' is set to 'Enabled'."
value_type : POLICY_DWORD
value_data : 1
reg_key : "HKLM\Software\Policies\Microsoft\Windows\Personalization"
reg_item : "NoLockScreenCamera"
# 18.1.1.2: passes when NoLockScreenSlideshow under the Personalization policy key
# is the DWORD 1, i.e. no slide show plays on the lock screen.
type : REGISTRY_SETTING
description : "18.1.1.2 Set 'Prevent enabling lock screen slide show' to 'Enabled'"
info : "Disables the lock screen slide show settings in PC Settings and prevents"
info : "a slide show from playing on the lock screen."
reference : "CCE|CCE-35800-2"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
solution : "Make sure 'Prevent enabling lock screen slide show' is set to 'Enabled'."
value_type : POLICY_DWORD
value_data : 1
reg_key : "HKLM\Software\Policies\Microsoft\Windows\Personalization"
reg_item : "NoLockScreenSlideshow"
## 18.2 Network
## 18.3 Printers
## 18.4 SCM: Pass the Hash Mitigations
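# 18.4.1: pass-the-hash mitigation. Passes when LocalAccountTokenFilterPolicy is
# the DWORD 0, which keeps UAC token filtering in force for local accounts that
# log on over the network.
# Fixed: the expected value was 1. A value of 1 switches the remote UAC
# restriction off (the policy's 'Disabled' state), so the check passed on hosts
# in the weaker configuration and failed on hosts that had the policy 'Enabled'.
type : REGISTRY_SETTING
description : "18.4.1 Set 'Apply UAC restrictions to local accounts on network logons' to 'Enabled'"
info : "This setting controls whether local accounts can be used for remote administration via"
info : "network logon such as NET USE, connecting to C$."
reference : "Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
solution : "Make sure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled'."
value_type : POLICY_DWORD
value_data : 0
reg_key : "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\"
reg_item : "LocalAccountTokenFilterPolicy"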
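# 18.4.2: credential-theft mitigation. Passes when UseLogonCredential under the
# WDigest security provider key is the DWORD 0, so Lsass.exe does not keep a
# plaintext copy of the password for WDigest.
# Fixed: the info text ended in a sentence fragment ("If this setting is not
# configured."); the sentence is now completed.
# NOTE(review): confirm how the scanner treats a host where the value is absent
# rather than explicitly 0.
type : REGISTRY_SETTING
description : "18.4.2 Set 'WDigest Authentication' to 'Disabled'"
info : "When WDigest authentication is enabled, Lsass.exe retains a copy of the user's plaintext"
info : "password in memory, where it can be at risk of theft. If this setting is not configured,"
info : "WDigest authentication is disabled in Windows 8.1."
reference : "CCE|CCE-35815-0"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
solution : "Make sure 'WDigest Authentication' is set to 'Disabled'."
value_type : POLICY_DWORD
value_data : 0
reg_key : "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\"
reg_item : "UseLogonCredential"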
## 18.5 Start Menu and Taskbar
## 18.6 System
## 18.6.1 Access-Denied Assistance
## 18.6.2 Audit Process Creation
## 18.6.3 Credentials Delegation
## 18.6.4 Device Installation
## 18.6.4.1 Device Installation Restrictions
## 18.6.5 Device Redirection
## 18.6.6 Disk NV Cache
## 18.6.7 Disk Quotas
## 18.6.8 Distributed COM
## 18.6.9 Driver Installation
## 18.6.10 Early Launch Antimalware
# 18.6.10.1: passes when DriverLoadPolicy under the EarlyLaunch policy key is the
# DWORD 3, which this item maps to 'Good, unknown and bad but critical'.
type : REGISTRY_SETTING
description : "18.6.10.1 Set 'Boot-Start Driver Initialization Policy' to 'Enabled:Good, unknown and bad but critical'"
info : "This policy setting allows you to specify which boot-start drivers are initialized based on a"
info : "classification determined by an Early Launch Antimalware boot-start driver."
solution : "Make sure 'Boot-Start Driver Initialization Policy' is set to 'Enabled:Good, unknown and bad but critical'"
reference : "CCE|CCE-33231-2"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\System\CurrentControlSet\Policies\EarlyLaunch\"
reg_item : "DriverLoadPolicy"
value_data : 3
## 18.6.11 Enhanced Storage Access
## 18.6.12 File Classification Infrastructure
## 18.6.13 File Share Shadow Copy Agent
## 18.6.14 File Share Shadow Copy Provider
## 18.6.15 Filesystem
## 18.6.16 Folder Redirection
## 18.6.17 Group Policy
# 18.6.17.2: passes when NoBackgroundPolicy under the registry client-side
# extension's Group Policy key is the DWORD 0. The value name is a negated flag:
# 0 corresponds to 'False' for "Do not apply during periodic background
# processing", i.e. registry policy is re-applied in the background.
type : REGISTRY_SETTING
description : "18.6.17.2 Set 'Configure registry policy processing: Do not apply during periodic background processing' to 'False'"
info : "This policy setting determines when registry policies are updated."
solution : "Make sure 'Configure registry policy processing: Do not apply during periodic background processing' is set to 'False'"
reference : "CCE|CCE-35384-7"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}\"
reg_item : "NoBackgroundPolicy"
value_data : 0
# 18.6.17.3: passes when NoGPOListChanges is the DWORD 0. The value name is a
# negated flag: 0 corresponds to 'True' for "Process even if the Group Policy
# objects have not changed", so drifted registry settings get re-applied.
# NOTE(review): the CCE id is the same as on 18.6.17.2; presumably both options
# belong to one policy, but confirm against the benchmark.
type : REGISTRY_SETTING
description : "18.6.17.3 Set 'Configure registry policy processing: Process even if the Group Policy objects have not changed' to 'True'"
info : "This policy setting determines when registry policies are updated."
solution : "Make sure 'Configure registry policy processing: Process even if the Group Policy objects have not changed' is set to 'True'"
reference : "CCE|CCE-35384-7"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}\"
reg_item : "NoGPOListChanges"
value_data : 0
## 18.6.18 Internet Communication Management
# 18.6.18.1.1: passes when DisableWebPnPDownload under the Printers policy key is
# the DWORD 1, i.e. print driver packages are not downloaded over HTTP.
type : REGISTRY_SETTING
description : "18.6.18.1.1 Set 'Turn off downloading of print drivers over HTTP' to 'Enabled'"
info : "This policy setting controls whether the computer can download print driver packages over HTTP."
solution : "Make sure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled'"
reference : "800-53|CM-3,CCE|CCE-35781-4,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
value_type : POLICY_DWORD
value_data : 1
reg_key : "HKLM\Software\Policies\Microsoft\Windows NT\Printers"
reg_item : "DisableWebPnPDownload"
# 18.6.18.1.2: passes when NoWebServices under the Explorer policies key is the
# DWORD 1, i.e. the provider list for the Web publishing and online ordering
# wizards is not downloaded.
type : REGISTRY_SETTING
description : "18.6.18.1.2 Set 'Turn off Internet download for Web publishing and online ordering wizards' to 'Enabled'"
info : "This policy setting controls whether Windows will download a list of providers for the Web publishing and"
info : "online ordering wizards."
solution : "Make sure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'"
reference : "PCI|2.2.3,800-53|CM-3,CCE|CCE-33143-9,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
value_type : POLICY_DWORD
value_data : 1
reg_key : "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
reg_item : "NoWebServices"
# 18.6.18.1.3: passes when DisableHTTPPrinting under the Printers policy key is
# the DWORD 1, i.e. the client may not print over HTTP.
type : REGISTRY_SETTING
description : "18.6.18.1.3 Set 'Turn off printing over HTTP' to 'Enabled'"
info : "This control defines whether a client computer is allowed to print over HTTP."
solution : "Make sure 'Turn off printing over HTTP' is Enabled"
reference : "800-53|CM-3,CCE|CCE-33783-2,PCI|2.2.3,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\Software\Policies\Microsoft\Windows NT\Printers"
reg_item : "DisableHTTPPrinting"
value_data : 1
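# 18.6.18.1.4: passes when DisableContentFileUpdates under the SearchCompanion
# policy key is the DWORD 1, i.e. Search Companion does not download content
# updates.
# Fixed: reg_item had non-ASCII text in place of "File", so the lookup could not
# match the real policy value name.
type : REGISTRY_SETTING
description : "18.6.18.1.4 Set 'Turn off Search Companion content file updates' to 'Enabled'"
info : "This policy setting specifies whether Search Companion should automatically download content updates during"
info : "local and Internet searches."
solution : "Make sure 'Turn off Search Companion content file updates' is set to 'Enabled'"
reference : "800-53|CM-5,PCI|2.2.3,800-53|CM-6,CCE|CCE-33817-8,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
value_type : POLICY_DWORD
value_data : 1
reg_key : "HKLM\Software\Policies\Microsoft\SearchCompanion"
reg_item : "DisableContentFileUpdates"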
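# 18.6.18.1.5: passes when NoPublishingWizard under the Explorer policies key is
# the DWORD 1, i.e. the 'Publish to Web' tasks are not offered.
# Fixed: the info text had non-ASCII text in place of "File" in
# "File and Folder Tasks".
type : REGISTRY_SETTING
description : "18.6.18.1.5 Set 'Turn off the 'Publish to Web' task for files and folders' to 'Enabled'"
info : "This policy setting specifies whether the tasks Publish this file to the Web, Publish this folder to"
info : "the Web, and Publish the selected items to the Web are available from File and Folder Tasks in Windows folders."
solution : "Make sure 'Turn off the 'Publish to Web' task for files and folders' is set to 'Enabled'"
reference : "800-53|CM-6,PCI|2.2.3,CCE|CCE-33246-0,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
value_type : POLICY_DWORD
value_data : 1
reg_key : "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
reg_item : "NoPublishingWizard"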
# 18.6.18.1.6: passes when CEIP under the Messenger client policy key is the
# DWORD 2. Note the expected value is 2, not 1; this item maps 2 to the policy's
# 'Enabled' state (usage data collection turned off).
type : REGISTRY_SETTING
description : "18.6.18.1.6 Set 'Turn off the Windows Messenger Customer Experience Improvement Program' to 'Enabled'"
info : "This policy setting specifies whether Windows Messenger can collect anonymous information about how the"
info : "Windows Messenger software and service is used."
solution : "Make sure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'"
reference : "CCE|CCE-33957-2,PCI|2.2.3,800-53|SC-7,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
value_type : POLICY_DWORD
value_data : 2
reg_key : "HKLM\Software\Policies\Microsoft\Messenger\Client"
reg_item : "CEIP"
## 18.6.19 iSCSI
## 18.6.20 KDC
## 18.6.21 Kerberos
## 18.6.22 Locale Services
## 18.6.23 Logon
type : REGISTRY_SETTING
description : "18.6.23.1 Set 'Do not display network selection UI' to 'Enabled'"
info : "This policy setting allows you to control whether anyone can interact with available"
info : "networks UI on the logon screen."
solution : "Make sure 'Do not display network selection UI' is set to 'Enabled'"
reference : "800-53|SI-2,PCI|2.2.3,CCE|CCE-38353-9,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
value_type : POLICY_DWORD
value_data : 1
reg_key : "HKLM\Software\Policies\Microsoft\Windows\System\"
reg_item : "DontDisplayNetworkSelectionUI"
type : REGISTRY_SETTING
description : "18.6.23.2 Set 'Do not enumerate connected users on domain-joined computers' to 'Enabled'"
info : "This policy setting prevents connected users from being enumerated on domain-joined computers."
solution : "Make sure 'Do not enumerate connected users on domain-joined computers' is set to 'Enabled'"
reference : "CCE|CCE-35207-0,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\Software\Policies\Microsoft\Windows\System\"
reg_item : "DontEnumerateConnectedUsers"
value_data : 1
type : REGISTRY_SETTING
description : "18.6.23.3 Set 'Enumerate local users on domain-joined computers' to 'Disabled'"
info : "This policy setting allows local users to be enumerated on domain-joined computers."
solution : "Make sure 'Enumerate local users on domain-joined computers' is set to 'Disabled'"
reference : "CCE|CCE-34838-3,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\Software\Policies\Microsoft\Windows\System\"
reg_item : "EnumerateLocalUsers"
value_data : 0
type : REGISTRY_SETTING
description : "18.6.23.4 Set 'Turn on PIN sign-in' to 'Disabled'"
info : "This policy setting allows you to control whether a domain user can sign in using a PIN."
solution : "Make sure 'Turn on PIN sign-in' is set to 'Disabled'"
reference : "CCE|CCE-35095-9,PCI|2.2.3,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\Software\Policies\Microsoft\Windows\System\"
reg_item : "AllowDomainPINLogon"
value_data : 0
## 18.6.24 Net Logon
## 18.6.25 Performance Control Panel
## 18.6.26 Power Management
type : REGISTRY_SETTING
description : "18.6.26.1.3 Set 'Require a Password When a Computer Wakes (On Battery)' to 'Enabled'"
info : "This control determines if Windows requires a password after it resumes from sleep."
solution : "Make sure 'Require a Password When a Computer Wakes (On Battery)' is Enabled."
reference : "CCE|CCE-33782-4,PCI|2.2.3,Level|1S,800-53|IA-5"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51"
reg_item : "DCSettingIndex"
value_data : 1
type : REGISTRY_SETTING
description : "18.6.26.1.4 Set 'Require a Password When a Computer Wakes (Plugged In)' to 'Enabled'"
info : "This control determines if Windows requires a password after it resumes from sleep."
solution : "Make sure 'Require a Password When a Computer Wakes (Plugged In)' is Enabled."
reference : "CCE|CCE-35462-1,PCI|2.2.3,Level|1S,800-53|IA-5"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51"
reg_item : "ACSettingIndex"
value_data : 1
## 18.6.27 Recovery
## 18.6.28 Remote Assistance
type : REGISTRY_SETTING
description : "18.6.28.1 Set 'Configure Offer Remote Assistance' to 'Disabled'"
info : "This policy setting allows you to turn on or turn off Offer (Unsolicited) Remote Assistance on this computer."
solution : "Make sure 'Configure Offer Remote Assistance' is set to 'Disabled'"
reference : "PCI|2.2.3,800-53|AC-1,CCE|CCE-33801-2,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\Software\policies\Microsoft\Windows NT\Terminal Services\"
reg_item : "fAllowUnsolicited"
value_data : 0
type : REGISTRY_SETTING
description : "18.6.28.2 Set 'Configure Solicited Remote Assistance' to 'Disabled'"
info : "This policy setting allows you to turn on or turn off Solicited (Ask for) Remote Assistance on this computer."
solution : "Make sure 'Configure Solicited Remote Assistance' is set to 'Disabled'"
reference : "PCI|2.2.3,800-53|CM-6,CCE|CCE-35331-8,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\Software\policies\Microsoft\Windows NT\Terminal Services\"
reg_item : "fAllowToGetHelp"
value_data : 0
## 18.6.29 Remote Procedure Call
type : REGISTRY_SETTING
description : "18.6.29.1 Set 'Enable RPC Endpoint Mapper Client Authentication' to 'Enabled'"
info : "This policy setting controls whether RPC clients authenticate with the Endpoint Mapper Service when the call"
info : "they are making contains authentication information."
solution : "Make sure 'Enable RPC Endpoint Mapper Client Authentication' is set to 'Enabled'"
reference : "PCI|2.2.3,800-53|CM-6,CCE|CCE-35392-0,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\Software\policies\Microsoft\Windows NT\Rpc\"
reg_item : "EnableAuthEpResolution"
value_data : 1
type : REGISTRY_SETTING
description : "18.6.29.2 Set 'Restrict Unauthenticated RPC clients' to 'Enabled:Authenticated'"
info : "This policy setting controls how the RPC server runtime handles unauthenticated RPC"
info : "clients connecting to RPC servers."
solution : "Make sure 'Restrict Unauthenticated RPC clients' is set to 'Enabled:Authenticated'"
reference : "PCI|2.2.3,800-53|CM-6,CCE|CCE-35391-2,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\Software\policies\Microsoft\Windows NT\Rpc\"
reg_item : "RestrictRemoteClients"
value_data : 1
## 18.7 Windows Component
## 18.7.1 Active Directory Federation Services
## 18.7.2 ActiveX Installer Service
## 18.7.3 Add features to Windows 8.1
## 18.7.4 App Package Deployment
## 18.7.5 App runtime
type : REGISTRY_SETTING
description : "18.7.5.1 Set 'Allow Microsoft accounts to be optional' to 'Enabled'"
info : "This policy setting lets you control whether Microsoft accounts are optional for Windows"
info : "Store apps that require an account to sign in."
solution : "Make sure 'Allow Microsoft accounts to be optional' is set to 'Enabled'"
reference : "CCE|CCE-35803-6"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System"
reg_item : "MSAOptional"
value_data : 1
## 18.7.6 Application Compatibility
## 18.7.7 AutoPlay Policies
type : REGISTRY_SETTING
description : "18.7.7.1 Set 'Turn off Autoplay on' to 'Enabled:All drives'"
info : "Enable the Turn off Autoplay setting to disable the Autoplay feature."
solution : "Make sure 'Turn off Autoplay on:' is set to the value 255 which means it is Enabled:All drives."
reference : "CCE|CCE-33791-5,800-53|CM-7,PCI|2.2.3,800-53|CM-6,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\"
reg_item : "NoDriveTypeAutoRun"
value_data : 255
## 18.7.8 Backup
## 18.7.9 Biometrics
## 18.7.10 BitLocker Drive Encryption
## 18.7.11 Credential User Interface
type : REGISTRY_SETTING
description : "18.7.11.1 Set 'Enumerate administrator accounts on elevation' to 'Disabled'"
info : "This control defines whether a user is allowed to see all administrator accounts displayed when a user attempts to"
info : "elevate a running application."
solution : "Make sure 'Enumerate administrator accounts on elevation' is set to 'Disabled'"
reference : "800-53|AC-3,CCE|CCE-35194-0,800-53|AC-2,PCI|2.2.3,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\CredUI"
reg_item : "EnumerateAdministrators"
value_data : 0
type : REGISTRY_SETTING
description : "18.7.19.1.1 Set 'Application: Control Event Log behavior when the log file reaches its maximum size' to 'Disabled'"
info : "This policy setting controls Event Log behavior when the log file reaches its maximum size."
solution : "Make sure 'Application: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'"
reference : "CCE|CCE-34169-3"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
value_type : POLICY_TEXT
reg_key : "HKLM\Software\Policies\Microsoft\Windows\EventLog\Application\"
reg_item : "Retention"
value_data : "0"
type : REGISTRY_SETTING
description : "18.7.19.1.2 Set 'Application: Maximum Log Size (KB)' to 'Enabled:32768 or greater'"
info : "This policy setting specifies the maximum size of the log file in kilobytes."
solution : "Make sure 'Application: Maximum Log Size (KB)' is set to 'Enabled:32768 or greater'"
reference : "CCE|CCE-33975-4"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\Software\Policies\Microsoft\Windows\EventLog\Application\"
reg_item : "MaxSize"
value_data : [32768..MAX]
## 18.7.19.2 Security
type : REGISTRY_SETTING
description : "18.7.19.2.1 Set 'Security: Control Event Log behavior when the log file reaches its maximum size' to 'Disabled'"
info : "This policy setting controls Event Log behavior when the log file reaches its maximum size."
solution : "Make sure 'Security: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'"
reference : "CCE|CCE-35090-0"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
value_type : POLICY_TEXT
reg_key : "HKLM\Software\Policies\Microsoft\Windows\EventLog\Security"
reg_item : "Retention"
value_data : "0"
type : REGISTRY_SETTING
description : "18.7.19.2.2 Set 'Security: Maximum Log Size (KB)' to 'Enabled:196608 or greater'"
info : "This policy setting specifies the maximum size of the log file in kilobytes."
solution : "Make sure 'Security: Maximum Log Size (KB)' is set to 'Enabled:196608 or greater'"
reference : "CCE|CCE-33428-4"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\Software\Policies\Microsoft\Windows\EventLog\Security"
reg_item : "MaxSize"
value_data : [196608..MAX]
## 18.7.19.3 Setup
type : REGISTRY_SETTING
description : "18.7.19.3.1 Set 'Setup: Control Event Log behavior when the log file reaches its maximum size' to 'Disabled'"
info : "This policy setting controls Event Log behavior when the log file reaches its maximum size."
solution : "Make sure 'Setup: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'"
reference : "CCE|CCE-34170-1"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
value_type : POLICY_TEXT
reg_key : "HKLM\Software\Policies\Microsoft\Windows\EventLog\Setup\"
reg_item : "Retention"
value_data : "0"
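# 18.7.19.3.2: passes when the Setup event log's MaxSize policy value is
# 32768 KB or larger (value_data is the accepted range).
# The solution text names the Maximum Log Size setting so that a failed result
# points the operator at the setting this item actually reads.
type : REGISTRY_SETTING
description : "18.7.19.3.2 Set 'Setup: Maximum Log Size (KB)' to 'Enabled:32768 or greater'"
info : "This policy setting specifies the maximum size of the log file in kilobytes."
solution : "Make sure 'Setup: Maximum Log Size (KB)' is set to 'Enabled:32768 or greater'"
reference : "CCE|CCE-35091-8"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\Software\Policies\Microsoft\Windows\EventLog\Setup\"
reg_item : "MaxSize"
value_data : [32768..MAX]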
## 18.7.19.4 System
type : REGISTRY_SETTING
description : "18.7.19.4.1 Set 'System: Control Event Log behavior when the log file reaches its maximum size' to 'Disabled'"
info : "This policy setting controls Event Log behavior when the log file reaches its maximum size."
solution : "Make sure 'System: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'"
reference : "CCE|CCE-33729-5,Level|1S,PCI|10.7"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
value_type : POLICY_TEXT
reg_key : "HKLM\SOFTWARE\Policies\Microsoft\Windows\EventLog\System"
reg_item : "Retention"
value_data : "0"
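# 18.7.19.4.2: passes when the System event log's MaxSize policy value is
# 32768 KB or larger (value_data is the accepted range).
# The info text describes the size limit, matching the other "Maximum Log Size"
# items in this file, rather than the retention behaviour audited by 18.7.19.4.1.
type : REGISTRY_SETTING
description : "18.7.19.4.2 Set 'System: Maximum Log Size (KB)' to 'Enabled:32768 or greater'"
info : "This policy setting specifies the maximum size of the log file in kilobytes."
solution : "Make sure 'System: Maximum Log Size (KB)' is set to 'Enabled:32768 or greater'"
reference : "800-53|AU-2,CCE|CCE-35288-0,Level|1S,PCI|10.7"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\Software\Policies\Microsoft\Windows\EventLog\System\"
reg_item : "MaxSize"
value_data : [32768..MAX]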
## 18.7.20 Event Viewer
## 18.7.21 Family Safety
## 18.7.22 File Explorer
type : REGISTRY_SETTING
description : "18.7.22.2 Set 'Configure Windows SmartScreen' to 'Enabled: Require approval from an administrator'"
info : "This policy setting allows you to manage the behavior of Windows SmartScreen."
solution : "Make sure 'Configure Windows SmartScreen' is set to 'Enabled: Require approval from an administrator before running downloaded unknown software'"
reference : "CCE|CCE-34026-5,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\Software\Policies\Microsoft\Windows\System\"
reg_item : "EnableSmartScreen"
value_data : 2
type : REGISTRY_SETTING
description : "18.7.22.3 Set 'Turn off Data Execution Prevention for Explorer' to 'Disabled'"
info : "Disabling data execution prevention can allow certain legacy plug-in applications to function without terminating Explorer."
solution : "Make sure 'Turn off Data Execution Prevention for Explorer' is Disabled"
reference : "PCI|2.2.3,800-53|CM-3,CCE|CCE-33608-1,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\Software\Policies\Microsoft\Windows\Explorer"
reg_item : "NoDataExecutionPrevention"
value_data : 0
## 18.7.23 File History
## 18.7.24 Game Explorer
## 18.7.25 HomeGroup
type : REGISTRY_SETTING
description : "18.7.25.1 Set 'Prevent the computer from joining a homegroup' to 'Enabled'"
info : "This control prevents the computer from joining a homegroup."
solution : "Set 'Prevent the computer from joining a homegroup' to 'Enabled'"
reference : "800-53|CM-7,PCI|2.2.3,800-53|CM-6,CCE|CCE-34776-5,Level|1N"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\Software\Policies\Microsoft\Windows\HomeGroup"
reg_item : "DisableHomeGroup"
value_data : 1
## 18.7.26 Import Video
## 18.7.27 Internet Explorer
## 18.7.28 Internet Information Services
## 18.7.29 Location and Sensors
## 18.7.30 Maintenance Scheduler
## 18.7.31 NetMeeting
## 18.7.32 Network Access Protection
## 18.7.33 Network Projector
## 18.7.34 OneDrive (formerly SkyDrive)
## 18.7.35 Online Assistance
## 18.7.36 Password Synchronization
## 18.7.37 Portable Operating System
## 18.7.38 Presentation Settings
## 18.7.39 Remote Desktop Services (formerly Terminal Services)
## 18.7.39.1 RD Licensing
## 18.7.39.2 Remote Desktop Connection Client
type : REGISTRY_SETTING
description : "18.7.39.2.2 Set 'Do not allow passwords to be saved' to 'Enabled'"
info : "This control defines whether the Terminal Services client will save passwords."
solution : "Make sure 'Do not allow passwords to be saved' is set to 'Enabled'"
reference : "800-53|IA-5,CCE|CCE-34506-6,PCI|2.2.3,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services"
reg_item : "DisablePasswordSaving"
value_data : 1
## 18.7.39.3 Remote Desktop Session Host
## 18.7.39.3.1 Application Compatibility
## 18.7.39.3.2 Connections
## 18.7.39.3.3 Device and Resource Redirection
type : REGISTRY_SETTING
description : "18.7.39.3.3.1 Set 'Do not allow drive redirection' to 'Enabled'"
info : "This control defines whether a user is allowed to share the local drives on their client computers to Terminal Servers"
info : "that they access."
solution : "Make sure 'Do not allow drive redirection' is set to 'Enabled'"
reference : "CCE|CCE-34697-3,PCI|2.2.3,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services"
reg_item : "fDisableCdm"
value_data : 1
## 18.7.39.3.4 Licensing
## 18.7.39.3.5 Printer Redirection
## 18.7.39.3.6 Profiles
## 18.7.39.3.7 RD Connection Broker
## 18.7.39.3.8 Remote Session Environment
## 18.7.39.3.9 Security
type : REGISTRY_SETTING
description : "18.7.39.3.9.1 Set 'Always prompt for password upon connection' to 'Enabled'"
info : "This policy setting specifies whether Terminal Services always prompts the client computer for a"
info : "password upon connection."
solution : "Make sure 'Always prompt for password upon connection' is set to 'Enabled'"
reference : "CCE|CCE-33960-6,800-53|CM-7,PCI|2.2.3,800-53|AC-1,800-53|CM-6,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services"
reg_item : "fPromptForPassword"
value_data : 1
type : REGISTRY_SETTING
description : "18.7.39.3.9.2 Set 'Set client connection encryption level:Encryption Level' to 'Enabled:High Level'"
info : "This policy setting specifies whether the computer that is about to host the remote"
info : "connection will enforce an encryption level for all data sent between it and the client computer for the remote session."
solution : "Set 'Set client connection encryption level:Encryption Level' to 'Enabled:High Level'"
reference : "CCE|CCE-35578-4,800-53|CM-7,PCI|2.2.3,800-53|AC-1,800-53|CM-6,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services"
reg_item : "MinEncryptionLevel"
value_data : 3
## 18.7.40 RSS Feeds
## 18.7.41 Search
type : REGISTRY_SETTING
description : "18.7.41.2 Set 'Allow indexing of encrypted files' to 'Disabled'"
info : "This policy setting allows encrypted items to be indexed."
solution : "Set 'Allow indexing of encrypted files' to 'Disabled'"
reference : "CCE|CCE-35314-4,800-53|CM-7,PCI|2.2.3,800-53|AC-1,800-53|CM-6,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search\"
reg_item : "AllowIndexingEncryptedStoresOrItems"
value_data : 0
## 18.7.42 Security Center
## 18.7.43 Server for NIS
## 18.7.44 Shutdown Options
## 18.7.45 Smart Card
## 18.7.46 Sound Recorder
## 18.7.47 Store
## 18.7.48 Sync your settings
## 18.7.49 Tablet PC
## 18.7.50 Task Scheduler
## 18.7.51 Windows Calendar
## 18.7.52 Windows Color System
## 18.7.53 Windows Customer Experience Improvement Program
## 18.7.54 Windows Defender
## 18.7.55 Windows Error Reporting
## 18.7.56 Windows Installer
# 18.7.56.1: passes when the machine-wide Windows Installer policy value
# AlwaysInstallElevated is the DWORD 0 (policy 'Disabled').
# This item reads only the HKLM policy key. Windows Installer also has a
# per-user policy value of the same name, which this check does not read.
# NOTE(review): confirm the per-user value is audited elsewhere in this file;
# a pass here says nothing about it.
type : REGISTRY_SETTING
description : "18.7.56.1 Set 'Always install with elevated privileges' to 'Disabled'"
info : "This setting extends elevated privileges to all programs."
solution : "Make sure 'Always install with elevated privileges' is set to Disabled."
reference : "CCE|CCE-35400-1,PCI|2.2.3,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\Software\Policies\Microsoft\Windows\Installer\"
reg_item : "AlwaysInstallElevated"
value_data : 0
## 18.7.57 Windows Logon Options
type : REGISTRY_SETTING
description : "18.7.57.1 Set 'Sign-in last interactive user automatically after a system-initiated restart' to 'Disabled'"
info : "This policy setting controls whether a device will automatically sign-in the last interactive"
info : "user after Windows Update restarts the system."
solution : "Make sure 'Sign-in last interactive user automatically after a system-initiated restart' is set to 'Disabled'"
reference : "CCE|CCE-33891-3,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System"
reg_item : "DisableAutomaticRestartSignOn"
value_data : 1
## 18.7.58 Windows Mail
## 18.7.59 Windows Media Center
## 18.7.60 Windows Media Digital Rights Management
## 18.7.61 Windows Media Player
## 18.7.62 Windows Messenger
## 18.7.63 Windows Mobility Center
## 18.7.64 Windows Movie Maker
## 18.7.65 Windows PowerShell
## 18.7.66 Windows Reliability Analysis
## 18.7.67 Windows Remote Management (WinRM)
## 18.7.67.1 WinRM Client
type : REGISTRY_SETTING
description : "18.7.67.1.1 Set 'Allow Basic authentication' to 'Disabled'"
info : "This policy setting allows you to manage whether the Windows Remote Management (WinRM) client uses Basic authentication."
solution : "Make sure 'Allow Basic authentication' is set to 'Disabled'"
reference : "CCE|CCE-35258-3,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client\"
reg_item : "AllowBasic"
value_data : 0
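# 18.7.67.1.2: passes when the WinRM *client* policy value
# AllowUnencryptedTraffic is the DWORD 0 (policy 'Disabled').
# The info text names the client because this item reads the ...\WinRM\Client\
# key; the WinRM service's value is audited separately by 18.7.67.2.2.
type : REGISTRY_SETTING
description : "18.7.67.1.2 Set 'Allow unencrypted traffic' to 'Disabled'"
info : "This policy setting allows you to manage whether the Windows Remote Management (WinRM) client sends and receives"
info : "unencrypted messages over the network."
solution : "Make sure 'Allow unencrypted traffic' is set to 'Disabled'"
reference : "CCE|CCE-34458-0,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\Software\Policies\Microsoft\Windows\WinRM\Client\"
reg_item : "AllowUnencryptedTraffic"
value_data : 0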
type : REGISTRY_SETTING
description : "18.7.67.1.3 Set 'Disallow Digest authentication' to 'Enabled'"
info : "This policy setting allows you to manage whether the Windows Remote Management (WinRM) client"
info : "will not use Digest authentication."
solution : "Make sure 'Disallow Digest authentication' is set to 'Enabled'"
reference : "CCE|CCE-34778-1,PCI|2.2.3,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client\"
reg_item : "AllowDigest"
value_data : 0
## 18.7.67.2 WinRM Service
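# 18.7.67.2.1: passes when the WinRM *service* policy value AllowBasic is the
# DWORD 0 (policy 'Disabled').
# The key must be ...\WinRM\Service\, like the other items in 18.7.67.2.
# The ...\WinRM\Client\ key is already audited by 18.7.67.1.1; reading it here
# would leave the service-side Basic authentication setting unaudited.
type : REGISTRY_SETTING
description : "18.7.67.2.1 Set 'Allow Basic authentication' to 'Disabled'"
info : "This policy setting allows you to manage whether the Windows Remote Management (WinRM) service accepts Basic authentication"
info : "from a remote client."
solution : "Make sure 'Allow Basic authentication' is set to 'Disabled'"
reference : "CCE|CCE-34779-9,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\"
reg_item : "AllowBasic"
value_data : 0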
type : REGISTRY_SETTING
description : "18.7.67.2.2 Set 'Allow unencrypted traffic' to 'Disabled'"
info : "This policy setting allows you to manage whether the Windows Remote Management (WinRM) service sends and receives"
info : "unencrypted messages over the network."
solution : "Make sure 'Allow unencrypted traffic' is set to 'Disabled'"
reference : "CCE|CCE-35054-6,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\"
reg_item : "AllowUnencryptedTraffic"
value_data : 0
type : REGISTRY_SETTING
description : "18.7.67.2.3 Set 'Disallow WinRM from storing RunAs credentials' to 'Enabled'"
info : "This policy setting allows you to manage whether the Windows Remote Management (WinRM) service will not allow"
info : "RunAs credentials to be stored for any plug-ins."
solution : "Make sure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled'"
reference : "CCE|CCE-35416-7,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\"
reg_item : "DisableRunAs"
value_data : 1
## 18.7.68 Windows Remote Shell
## 18.7.69 Windows SideShow
## 18.7.70 Windows System Resource Manager
## 18.7.71 Windows Update
type : REGISTRY_SETTING
description : "18.7.71.1 Set 'Configure Automatic Updates' to 'Enabled'"
info : "This policy setting specifies whether computers in your environment will receive security updates from Windows Update or WSUS."
solution : "Make sure 'Configure Automatic Updates' is set to 'Enabled'"
reference : "800-53|SI-2,800-53|CM-3,PCI|2.2.3,CCE|CCE-35111-4,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\"
reg_item : "NoAutoUpdate"
value_data : 0
# 18.7.71.2: passes when the Automatic Updates policy value ScheduledInstallDay
# is the DWORD 0, which the description maps to '0 - Every day'.
# NOTE(review): the reference string (including CCE-35111-4) and the info text
# are identical to those of 18.7.71.1 (NoAutoUpdate). This looks like a copy
# from that item; confirm the CCE identifier for 'Scheduled install day'
# against the benchmark before relying on it for reporting.
type : REGISTRY_SETTING
description : "18.7.71.2 Set 'Configure Automatic Updates: Scheduled install day' to '0 - Every day'"
info : "This policy setting specifies whether computers in your environment will receive security"
info : "updates from Windows Update or WSUS."
solution : "Make sure 'Configure Automatic Updates: Scheduled install day' to '0 - Every day'"
reference : "800-53|SI-2,800-53|CM-3,PCI|2.2.3,CCE|CCE-35111-4,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\"
reg_item : "ScheduledInstallDay"
value_data : 0
type : REGISTRY_SETTING
description : "18.7.71.3 Set 'Do not adjust default option to 'Install Updates and Shut Down' in Shut Down Windows dialog box' to 'Disabled'"
info : "This policy setting allows you to manage whether the 'Install Updates and Shut Down' option is allowed to be the default"
info : "choice in the Shut Down Windows dialog."
solution : "Make sure 'Do not adjust default option to 'Install Updates and Shut Down' in Shut Down Windows dialog box' is set to 'Disabled'"
reference : "CCE|CCE-34491-1,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\"
reg_item : "NoAUAsDefaultShutdownOption"
value_data : 0
type : REGISTRY_SETTING
description : "18.7.71.4 Set 'Do not display 'Install Updates and Shut Down' option in Shut Down Windows dialog box' to 'Disabled'"
info : "This policy setting allows you to manage whether the Install Updates and Shut Down option is displayed in the"
info : "Shut Down Windows dialog box."
solution : "Make sure 'Do not display 'Install Updates and Shut Down' option in Shut Down Windows dialog box' is set to 'Disabled'"
reference : "800-53|SI-2,PCI|2.2.3,800-53|CM-6,CCE|CCE-34520-7,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\"
reg_item : "NoAUShutdownOption"
value_data : 0
type : REGISTRY_SETTING
description : "18.7.71.5 Set 'No auto-restart with logged on users for scheduled automatic updates installations' to 'Disabled'"
info : "This policy setting specifies that Automatic Updates will wait for computers to be restarted by the users who are"
info : "logged on to them to complete a scheduled installation."
solution : "Make sure 'No auto-restart with logged on users for scheduled automatic updates installations' is set to 'Disabled'"
reference : "CCE|CCE-33813-7,800-53|IA-2,PCI|2.2.3,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\"
reg_item : "NoAutoRebootWithLoggedOnUsers"
value_data : 0
type : REGISTRY_SETTING
description : "18.7.71.6 Set 'Reschedule Automatic Updates scheduled installations' to 'Enabled'"
info : "This policy setting determines the amount of time before previously scheduled Automatic Update installations"
info : "will proceed after system startup."
solution : "Make sure 'Reschedule Automatic Updates scheduled installations' is set to 'Enabled'"
reference : "800-53|SI-2,PCI|2.2.3,CCE|CCE-33027-4,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\"
reg_item : "RescheduleWaitTimeEnabled"
value_data : 1
## 19 Administrative Templates (User)
## 19.1 Control Panel
## 19.1.1 Add or Remove Programs
## 19.1.2 Display
## 19.1.3 Personalization
type : REGISTRY_SETTING
description : "19.1.3.1 Set 'Enable screen saver' to 'Enabled'"
info : "This policy setting allows you to manage whether or not screen savers run."
solution : "Make sure 'Enable screen saver' is set to 'Enabled'"
reference : "CCE|CCE-33164-5,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
value_type : POLICY_DWORD
reg_key : "HKU\Software\Policies\Microsoft\Windows\Control Panel\Desktop"
reg_item : "ScreenSaveActive"
value_data : 1
reg_ignore_hku_users : "S-1-5-18,S-1-5-19,S-1-5-20"
reg_option : CAN_NOT_BE_NULL
type : REGISTRY_SETTING
description : "19.1.3.2 Set 'Force specific screen saver: Screen saver executable name' to 'Enabled:scrnsave.scr'"
info : "This policy setting allows you to manage whether or not screen savers run."
solution : "Make sure 'Screen saver executable name' is set to 'Enabled:scrnsave.scr'"
reference : "PCI|2.2.3,800-53|AC-1,CCE|CCE-33105-8,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
value_type : POLICY_TEXT
value_data : "scrnsave.scr"
reg_key : "HKU\Software\Policies\Microsoft\Windows\Control Panel\Desktop"
reg_item : "SCRNSAVE.EXE"
reg_ignore_hku_users : "S-1-5-18,S-1-5-19,S-1-5-20"
reg_option : CAN_NOT_BE_NULL
# 19.1.3.3 - audits the per-user 'Password protect the screen saver' policy.
# This is the control that actually locks an unattended session: with it set,
# dismissing the screen saver requires the user's credentials.
type : REGISTRY_SETTING
description : "19.1.3.3 Set 'Password protect the screen saver' to 'Enabled'"
info : "This control enforces password protection on the system when screen saver is enabled."
solution : "Make sure 'Password protect the screen saver' is Enabled."
reference : "800-53|IA-5,800-53|AC-1,800-53|CM-6,CCE|CCE-32938-3,PCI|2.2.3,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
# Compared as text: the expected value is the string "1", not a DWORD.
value_type : POLICY_TEXT
value_data : "1"
reg_key : "HKU\Software\Policies\Microsoft\Windows\Control Panel\Desktop"
reg_item : "ScreenSaverIsSecure"
# Skips the well-known service SIDs: S-1-5-18 (LocalSystem),
# S-1-5-19 (LocalService) and S-1-5-20 (NetworkService).
reg_ignore_hku_users : "S-1-5-18,S-1-5-19,S-1-5-20"
# A missing value counts as a failure, so the policy must be set explicitly.
reg_option : CAN_NOT_BE_NULL
# 19.1.3.4 - audits the per-user screen saver idle timeout (upper bound 900 s).
# Together with 19.1.3.3 this bounds how long an unattended, unlocked session
# stays usable by someone with physical access.
type : REGISTRY_SETTING
description : "19.1.3.4 Set 'Screen saver timeout:Seconds' to 'Enabled:900 or fewer seconds'"
info : "This control defines the timeout setting for screen saver."
solution : "Make sure 'Seconds' is set to 'Enabled:900 or fewer seconds'"
reference : "800-53|AC-1,CCE|CCE-33168-6,PCI|2.2.3,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
value_type : POLICY_TEXT
reg_key : "HKU\Software\Policies\Microsoft\Windows\Control Panel\Desktop"
reg_item : "ScreenSaveTimeOut"
value_data : "900"
# Skips the well-known service SIDs: S-1-5-18 (LocalSystem),
# S-1-5-19 (LocalService) and S-1-5-20 (NetworkService).
reg_ignore_hku_users : "S-1-5-18,S-1-5-19,S-1-5-20"
# A missing value counts as a failure, so the policy must be set explicitly.
reg_option : CAN_NOT_BE_NULL
# NOTE(review): only an upper bound is enforced. A stored timeout of 0 also
# satisfies "<= 900", yet per the Windows policy text a zero timeout means the
# screen saver is never started; consider also requiring a minimum of 1.
# Also confirm the engine compares a POLICY_TEXT value numerically here.
check_type : CHECK_LESS_THAN_OR_EQUAL
## 19.2 Desktop
## 19.3 Network
## 19.4 Shared Folders
## 19.5 Start Menu and Taskbar
## 19.5.1 Notifications
# 19.5.1.1 - audits the per-user policy that suppresses toast notifications on
# the lock screen. Notifications can show message or application content to
# anyone who can see a locked machine, so the benchmark expects them off (1).
type : REGISTRY_SETTING
description : "19.5.1.1 Set 'Turn off toast notifications on the lock screen' to 'Enabled'"
info : "This policy setting turns off toast notifications on the lock screen."
solution : "Set 'Turn off toast notifications on the lock screen' to 'Enabled'"
reference : "CCE|CCE-33727-9,Level|1N"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
value_type : POLICY_DWORD
# HKU root: the check is presumably evaluated against each user hive under
# HKEY_USERS rather than a single account - confirm against the audit engine.
reg_key : "HKU\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications\"
reg_item : "NoToastApplicationNotificationOnLockScreen"
# Skips the well-known service SIDs: S-1-5-18 (LocalSystem),
# S-1-5-19 (LocalService) and S-1-5-20 (NetworkService).
reg_ignore_hku_users : "S-1-5-18,S-1-5-19,S-1-5-20"
value_data : 1
# A missing value counts as a failure, so the policy must be set explicitly.
reg_option : CAN_NOT_BE_NULL
## 19.6 System
## 19.7 Windows Components
## 19.7.1 Add features to Windows 8.1
## 19.7.2 App runtime
## 19.7.3 Application Compatibility
## 19.7.4 Attachment Manager
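# 19.7.4.1 - audits the per-user Attachment Manager policy that controls
# whether the zone of origin is recorded on saved attachments.
# SaveZoneInformation = 2 corresponds to the policy being 'Disabled', i.e. zone
# information is preserved. Windows and applications use that recorded zone to
# decide how cautiously to open a file that came from the Internet.
type : REGISTRY_SETTING
description : "19.7.4.1 Set 'Do not preserve zone information in file attachments' to 'Disabled'"
info : "This control defines whether the zone of origin of the file attachments is preserved."
solution : "Make sure 'Do not preserve zone information in file attachments' is Disabled."
reference : "800-53|CM-6,CCE|CCE-34810-2,PCI|2.2.3,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
value_type : POLICY_DWORD
# Audited under HKU with the service-account SIDs skipped, matching the other
# user-scope (section 19) checks in this file. An HKCU path would presumably
# resolve only to the scanning account's own hive, not to the users of the host.
reg_key : "HKU\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments"
reg_item : "SaveZoneInformation"
value_data : 2
# Skips the well-known service SIDs: S-1-5-18 (LocalSystem),
# S-1-5-19 (LocalService) and S-1-5-20 (NetworkService).
reg_ignore_hku_users : "S-1-5-18,S-1-5-19,S-1-5-20"
# A missing value counts as a failure, so the policy must be set explicitly.
reg_option : CAN_NOT_BE_NULL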
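# 19.7.4.2 - audits the per-user Attachment Manager policy that hands opened
# attachments to the registered antivirus product.
# ScanWithAntiVirus = 3 corresponds to the policy being 'Enabled'.
type : REGISTRY_SETTING
description : "19.7.4.2 Set 'Notify antivirus programs when opening attachments' to 'Enabled'"
info : "This control defines whether antivirus program to be notified when opening attachments."
solution : "Make sure 'Notify antivirus programs when opening attachments' is Enabled."
reference : "800-53|SI-3,PCI|5.1.1,CCE|CCE-33799-8,PCI|5.1,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
value_type : POLICY_DWORD
# Audited under HKU with the service-account SIDs skipped, matching the other
# user-scope (section 19) checks in this file. An HKCU path would presumably
# resolve only to the scanning account's own hive, not to the users of the host.
reg_key : "HKU\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments"
reg_item : "ScanWithAntiVirus"
value_data : 3
# Skips the well-known service SIDs: S-1-5-18 (LocalSystem),
# S-1-5-19 (LocalService) and S-1-5-20 (NetworkService).
reg_ignore_hku_users : "S-1-5-18,S-1-5-19,S-1-5-20"
# A missing value counts as a failure, so the policy must be set explicitly.
reg_option : CAN_NOT_BE_NULL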
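# 19.7.35.1 - audits the user-scope 'Always install with elevated privileges'
# policy, which must be off (0).
# When this policy is enabled, Windows Installer runs installation packages
# with elevated privileges on behalf of standard users, which defeats least
# privilege on the host.
type : REGISTRY_SETTING
description : "19.7.35.1 Set 'Always install with elevated privileges' to 'Disabled'"
info : "This setting extends elevated privileges to all programs."
solution : "Make sure 'Always install with elevated privileges' is set to Disabled."
reference : "CCE|CCE-22116-8,PCI|2.2.3,Level|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8.1_Benchmark_v1.1.0.pdf"
value_type : POLICY_DWORD
# This item is numbered in section 19 (Administrative Templates - User), so it
# is evaluated per user under HKU like the other section 19 checks. The
# machine-wide value under HKLM is a separate policy; both scopes need to be
# audited - verify that the computer-scope section of this file covers HKLM.
reg_key : "HKU\Software\Policies\Microsoft\Windows\Installer\"
reg_item : "AlwaysInstallElevated"
value_data : 0
# Skips the well-known service SIDs: S-1-5-18 (LocalSystem),
# S-1-5-19 (LocalService) and S-1-5-20 (NetworkService).
reg_ignore_hku_users : "S-1-5-18,S-1-5-19,S-1-5-20"
# A missing value counts as a failure, so the policy must be set explicitly.
reg_option : CAN_NOT_BE_NULL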
description : "Windows 8.1 is not installed or remote registry service is disabled."