CIS Windows Server 2012 DC L2 v2.2.0

Audit Details

Name: CIS Windows Server 2012 DC L2 v2.2.0

Updated: 4/25/2022

Authority: CIS

Plugin: Windows

Revision: 1.5

Estimated Item Count: 55

File Details

Filename: CIS_DC_SERVER_2012_Level_2_v2.2.0.audit

Size: 129 kB

MD5: 7a6951edd4acbcc1ac4d087d877e79ac
SHA256: b19968077ead5e5a1294eddcdb1390872ec08bb4a136014e0bba441c755e5d6a

Audit Items

DescriptionCategories
2.2.36 Ensure 'Log on as a batch job' is set to 'Administrators' (DC Only)

ACCESS CONTROL

2.3.10.4 Ensure 'Network access: Do not allow storage of passwords and credentials for network authentication' is set to 'Enabled'

IDENTIFICATION AND AUTHENTICATION

18.4.5 Ensure 'MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds' is set to 'Enabled: 300,000 or 5 minutes (recommended)'

SYSTEM AND INFORMATION INTEGRITY

18.4.7 Ensure 'MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)' is set to 'Disabled'

SYSTEM AND INFORMATION INTEGRITY

18.4.10 Ensure 'MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'

SYSTEM AND INFORMATION INTEGRITY

18.4.11 Ensure 'MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'

SYSTEM AND INFORMATION INTEGRITY

18.5.9.1 Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled' - AllowLLTDIOOnDomain

SYSTEM AND INFORMATION INTEGRITY

18.5.9.1 Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled' - AllowLLTDIOOnPublicNet

SYSTEM AND INFORMATION INTEGRITY

18.5.9.1 Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled' - EnableLLTDIO

SYSTEM AND INFORMATION INTEGRITY

18.5.9.1 Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled' - ProhibitLLTDIOOnPrivateNet

SYSTEM AND INFORMATION INTEGRITY

18.5.9.2 Ensure 'Turn on Responder (RSPNDR) driver' is set to 'Disabled' - AllowRspndrOnDomain

SYSTEM AND INFORMATION INTEGRITY

18.5.9.2 Ensure 'Turn on Responder (RSPNDR) driver' is set to 'Disabled' - AllowRspndrOnPublicNet

SYSTEM AND INFORMATION INTEGRITY

18.5.9.2 Ensure 'Turn on Responder (RSPNDR) driver' is set to 'Disabled' - EnableRspndr

SYSTEM AND INFORMATION INTEGRITY

18.5.9.2 Ensure 'Turn on Responder (RSPNDR) driver' is set to 'Disabled' - ProhibitRspndrOnPrivateNet

SYSTEM AND INFORMATION INTEGRITY

18.5.10.1 Ensure 'Turn off Microsoft Peer-to-Peer Networking Services' is set to 'Enabled'

SYSTEM AND INFORMATION INTEGRITY

18.5.19.2.1 Disable IPv6 (Ensure TCPIP6 Parameter 'DisabledComponents' is set to '0xff (255)')

SYSTEM AND INFORMATION INTEGRITY

18.5.20.1 Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled' - DisableFlashConfigRegistrar

ACCESS CONTROL

18.5.20.1 Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled' - DisableInBand802DOT11Registrar

ACCESS CONTROL

18.5.20.1 Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled' - DisableUPnPRegistrar

ACCESS CONTROL

18.5.20.1 Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled' - DisableWPDRegistrar

ACCESS CONTROL

18.5.20.1 Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled' - EnableRegistrars

ACCESS CONTROL

18.5.20.2 Ensure 'Prohibit access of the Windows Connect Now wizards' is set to 'Enabled'

ACCESS CONTROL

18.7.1.1 Ensure 'Turn off notifications network usage' is set to 'Enabled'

CONFIGURATION MANAGEMENT, SYSTEM AND INFORMATION INTEGRITY

18.8.22.1.2 Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled'

SECURITY ASSESSMENT AND AUTHORIZATION

18.8.22.1.3 Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'

SECURITY ASSESSMENT AND AUTHORIZATION

18.8.22.1.4 Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'

SECURITY ASSESSMENT AND AUTHORIZATION

18.8.22.1.6 Ensure 'Turn off printing over HTTP' is set to 'Enabled'

SECURITY ASSESSMENT AND AUTHORIZATION

18.8.22.1.7 Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'

ACCESS CONTROL

18.8.22.1.8 Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'

SECURITY ASSESSMENT AND AUTHORIZATION, CONFIGURATION MANAGEMENT

18.8.22.1.9 Ensure 'Turn off the 'Order Prints' picture task' is set to 'Enabled'

SECURITY ASSESSMENT AND AUTHORIZATION, CONFIGURATION MANAGEMENT

18.8.22.1.10 Ensure 'Turn off the 'Publish to Web' task for files and folders' is set to 'Enabled'

SECURITY ASSESSMENT AND AUTHORIZATION, CONFIGURATION MANAGEMENT

18.8.22.1.11 Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'

SECURITY ASSESSMENT AND AUTHORIZATION, CONFIGURATION MANAGEMENT

18.8.22.1.12 Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'

SECURITY ASSESSMENT AND AUTHORIZATION, CONFIGURATION MANAGEMENT

18.8.22.1.13 Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'

SECURITY ASSESSMENT AND AUTHORIZATION, CONFIGURATION MANAGEMENT

18.8.27.1 Ensure 'Disallow copying of user input methods to the system account for sign-in' is set to 'Enabled'

ACCESS CONTROL

18.8.47.5.1 Ensure 'Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider' is set to 'Disabled'

SECURITY ASSESSMENT AND AUTHORIZATION

18.8.47.11.1 Ensure 'Enable/Disable PerfTrack' is set to 'Disabled'

SECURITY ASSESSMENT AND AUTHORIZATION

18.8.52.1.1 Ensure 'Enable Windows NTP Client' is set to 'Enabled'

AUDIT AND ACCOUNTABILITY

18.9.39.1.1 Ensure 'Turn off Windows Location Provider' is set to 'Enabled'

CONFIGURATION MANAGEMENT

18.9.39.2 Ensure 'Turn off location' is set to 'Enabled'

CONFIGURATION MANAGEMENT

18.9.59.3.2.1 Ensure 'Restrict Remote Desktop Services users to a single Remote Desktop Services session' is set to 'Enabled'

CONFIGURATION MANAGEMENT, IDENTIFICATION AND AUTHENTICATION

18.9.59.3.3.1 Ensure 'Do not allow COM port redirection' is set to 'Enabled'

SYSTEM AND INFORMATION INTEGRITY

18.9.59.3.3.3 Ensure 'Do not allow LPT port redirection' is set to 'Enabled'

SYSTEM AND INFORMATION INTEGRITY

18.9.59.3.3.4 Ensure 'Do not allow supported Plug and Play device redirection' is set to 'Enabled'

SYSTEM AND INFORMATION INTEGRITY

18.9.59.3.10.1 Ensure 'Set time limit for active but idle Remote Desktop Services sessions' is set to 'Enabled: 15 minutes or less'

ACCESS CONTROL

18.9.59.3.10.2 Ensure 'Set time limit for disconnected sessions' is set to 'Enabled: 1 minute'

ACCESS CONTROL

18.9.66.1 Ensure 'Turn off KMS Client Online AVS Validation' is set to 'Enabled'

SECURITY ASSESSMENT AND AUTHORIZATION

18.9.77.3.2 Ensure 'Join Microsoft MAPS' is set to 'Disabled'

SECURITY ASSESSMENT AND AUTHORIZATION

18.9.77.9.1 Ensure 'Configure Watson events' is set to 'Disabled'

SECURITY ASSESSMENT AND AUTHORIZATION

18.9.85.3 Ensure 'Prevent Internet Explorer security prompt for Windows Installer scripts' is set to 'Disabled'

SYSTEM AND COMMUNICATIONS PROTECTION