Feb 12, 2024 Miscellaneous- Audit deprecated.
- Metadata updated.
- References updated.
|
Jan 9, 2024 Functional Update- 18.3.2 Ensure 'Configure SMB v1 client driver' is set to 'Enabled: Disable driver (recommended)'
- 18.4.2 Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled' - Enabled: Highest protection, source routing is completely disabled
- 18.4.3 Ensure 'MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled' - Enabled: Highest protection, source routing is completely disabled
- 18.5.14.1 Ensure 'Hardened UNC Paths' is set to 'Enabled, with 'Require Mutual Authentication' and 'Require Integrity' set for all NETLOGON and SYSVOL shares' - set for all NETLOGON and SYSVOL shares
- 18.8.14.1 Ensure 'Boot-Start Driver Initialization Policy' is set to 'Enabled: Good, unknown and bad but critical'
- 18.8.37.2 Ensure 'Restrict Unauthenticated RPC clients' is set to 'Enabled: Authenticated'
- 18.9.27.1.2 Ensure 'Application: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater' - Enabled: 32,768 or greater
- 18.9.27.2.2 Ensure 'Security: Specify the maximum log file size (KB)' is set to 'Enabled: 196,608 or greater' - Enabled: 196,608 or greater
- 18.9.27.4.2 Ensure 'System: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater' - Enabled: 32,768 or greater
- 18.9.8.2 Ensure 'Set the default behavior for AutoRun' is set to 'Enabled: Do not execute any autorun commands'
- 18.9.8.3 Ensure 'Turn off Autoplay' is set to 'Enabled: All drives'
|
Dec 8, 2023 Functional Update- 18.1.1.1 Ensure 'Prevent enabling lock screen camera' is set to 'Enabled'
- 18.1.1.2 Ensure 'Prevent enabling lock screen slide show' is set to 'Enabled'
- 18.2.2 Ensure 'Do not allow password expiration time longer than required by policy' is set to 'Enabled'
- 18.2.3 Ensure 'Enable Local Admin Password Management' is set to 'Enabled'
- 18.3.1 Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled'
- 18.3.3 Ensure 'Configure SMB v1 server' is set to 'Disabled'
- 18.3.4 Ensure 'Enable Structured Exception Handling Overwrite Protection (SEHOP)' is set to 'Enabled'
- 18.3.5 Ensure 'WDigest Authentication' is set to 'Disabled'
- 18.4.5 Ensure 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' is set to 'Disabled' - Disabled
- 18.4.7 Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' is set to 'Enabled' - Enabled
- 18.5.11.2 Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enabled'
- 18.5.21.1 Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled'
- 18.8.22.1.2 Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled' - Enabled
- 18.8.22.1.4 Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled' - Enabled
- 18.8.28.2 Ensure 'Do not display network selection UI' is set to 'Enabled' - Enabled
- 18.8.28.4 Ensure 'Enumerate local users on domain-joined computers' is set to 'Disabled' - Disabled
- 18.8.28.5 Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled' - Enabled
- 18.8.28.6 Ensure 'Turn off picture password sign-in' is set to 'Enabled' - Enabled
- 18.8.28.7 Ensure 'Turn on convenience PIN sign-in' is set to 'Disabled' - Disabled
- 18.8.34.6.5 Ensure 'Require a password when a computer wakes (on battery)' is set to 'Enabled' - Enabled
- 18.8.34.6.6 Ensure 'Require a password when a computer wakes (plugged in)' is set to 'Enabled' - Enabled
- 18.8.36.1 Ensure 'Configure Offer Remote Assistance' is set to 'Disabled'
- 18.8.36.2 Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled'
- 18.8.37.1 Ensure 'Enable RPC Endpoint Mapper Client Authentication' is set to 'Enabled'
- 18.8.4.1 Ensure 'Remote host allows delegation of non-exportable credentials' is set to 'Enabled'
- 18.9.102.1.1 Ensure 'Allow Basic authentication' is set to 'Disabled' - Disabled
- 18.9.102.1.2 Ensure 'Allow unencrypted traffic' is set to 'Disabled' - Disabled
- 18.9.102.1.3 Ensure 'Disallow Digest authentication' is set to 'Enabled' - Enabled
- 18.9.102.2.1 Ensure 'Allow Basic authentication' is set to 'Disabled' - Disabled
- 18.9.102.2.3 Ensure 'Allow unencrypted traffic' is set to 'Disabled' - Disabled
- 18.9.102.2.4 Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled' - Enabled
- 18.9.16.2 Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled' - Disabled
- 18.9.31.2 Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled' - Disabled
- 18.9.31.3 Ensure 'Turn off heap termination on corruption' is set to 'Disabled' - Disabled
- 18.9.6.1 Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled'
- 18.9.65.2.2 Ensure 'Do not allow passwords to be saved' is set to 'Enabled' - Enabled
- 18.9.66.1 Ensure 'Prevent downloading of enclosures' is set to 'Enabled' - Enabled
- 18.9.8.1 Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled'
- 18.9.91.1 Ensure 'Sign-in and lock last interactive user automatically after a restart' is set to 'Disabled' - Disabled
- 19.7.4.2 Ensure 'Notify antivirus programs when opening attachments' is set to 'Enabled'
|
Dec 4, 2023 Miscellaneous- Platform check updated.
- Variables updated.
|
Nov 3, 2023 Functional Update- 18.1.1.1 Ensure 'Prevent enabling lock screen camera' is set to 'Enabled'
- 18.1.1.2 Ensure 'Prevent enabling lock screen slide show' is set to 'Enabled'
- 18.2.2 Ensure 'Do not allow password expiration time longer than required by policy' is set to 'Enabled'
- 18.2.3 Ensure 'Enable Local Admin Password Management' is set to 'Enabled'
- 18.3.1 Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled'
- 18.3.3 Ensure 'Configure SMB v1 server' is set to 'Disabled'
- 18.3.4 Ensure 'Enable Structured Exception Handling Overwrite Protection (SEHOP)' is set to 'Enabled'
- 18.3.5 Ensure 'WDigest Authentication' is set to 'Disabled'
- 18.4.5 Ensure 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' is set to 'Disabled' - Disabled
- 18.4.7 Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' is set to 'Enabled' - Enabled
- 18.5.11.2 Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enabled'
- 18.5.21.1 Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled'
- 18.8.22.1.2 Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled' - Enabled
- 18.8.22.1.4 Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled' - Enabled
- 18.8.28.2 Ensure 'Do not display network selection UI' is set to 'Enabled' - Enabled
- 18.8.28.4 Ensure 'Enumerate local users on domain-joined computers' is set to 'Disabled' - Disabled
- 18.8.28.5 Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled' - Enabled
- 18.8.28.6 Ensure 'Turn off picture password sign-in' is set to 'Enabled' - Enabled
- 18.8.28.7 Ensure 'Turn on convenience PIN sign-in' is set to 'Disabled' - Disabled
- 18.8.34.6.5 Ensure 'Require a password when a computer wakes (on battery)' is set to 'Enabled' - Enabled
- 18.8.34.6.6 Ensure 'Require a password when a computer wakes (plugged in)' is set to 'Enabled' - Enabled
- 18.8.36.1 Ensure 'Configure Offer Remote Assistance' is set to 'Disabled'
- 18.8.36.2 Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled'
- 18.8.37.1 Ensure 'Enable RPC Endpoint Mapper Client Authentication' is set to 'Enabled'
- 18.8.4.1 Ensure 'Remote host allows delegation of non-exportable credentials' is set to 'Enabled'
- 18.9.102.1.1 Ensure 'Allow Basic authentication' is set to 'Disabled' - Disabled
- 18.9.102.1.2 Ensure 'Allow unencrypted traffic' is set to 'Disabled' - Disabled
- 18.9.102.1.3 Ensure 'Disallow Digest authentication' is set to 'Enabled' - Enabled
- 18.9.102.2.1 Ensure 'Allow Basic authentication' is set to 'Disabled' - Disabled
- 18.9.102.2.3 Ensure 'Allow unencrypted traffic' is set to 'Disabled' - Disabled
- 18.9.102.2.4 Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled' - Enabled
- 18.9.16.2 Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled' - Disabled
- 18.9.31.2 Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled' - Disabled
- 18.9.31.3 Ensure 'Turn off heap termination on corruption' is set to 'Disabled' - Disabled
- 18.9.6.1 Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled'
- 18.9.65.2.2 Ensure 'Do not allow passwords to be saved' is set to 'Enabled' - Enabled
- 18.9.66.1 Ensure 'Prevent downloading of enclosures' is set to 'Enabled' - Enabled
- 18.9.8.1 Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled'
- 18.9.91.1 Ensure 'Sign-in and lock last interactive user automatically after a restart' is set to 'Disabled' - Disabled
- 19.7.4.2 Ensure 'Notify antivirus programs when opening attachments' is set to 'Enabled'
- 2.2.1 Ensure 'Access Credential Manager as a trusted caller' is set to 'No One'
- 2.2.10 Ensure 'Create permanent shared objects' is set to 'No One'
- 2.2.11 Configure 'Create symbolic links' is set to 'Administrators'
- 2.2.12 Ensure 'Debug programs' is set to 'Administrators'
- 2.2.13 Ensure 'Deny access to this computer from the network' to include 'Guests, Local account'
- 2.2.15 Ensure 'Deny log on through Remote Desktop Services' to include 'Guests, Local account'
- 2.2.16 Ensure 'Enable computer and user accounts to be trusted for delegation' is set to 'No One'
- 2.2.18 Ensure 'Generate security audits' is set to 'LOCAL SERVICE, NETWORK SERVICE'
- 2.2.19 Ensure 'Impersonate a client after authentication' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE'
- 2.2.2 Ensure 'Access this computer from the network' is set to 'Administrators, Remote Desktop Users'
- 2.2.20 Ensure 'Increase scheduling priority' is set to 'Administrators, Window Manager\Window Manager Group'
- 2.2.21 Ensure 'Load and unload device drivers' is set to 'Administrators'
- 2.2.22 Ensure 'Lock pages in memory' is set to 'No One'
- 2.2.23 Ensure 'Manage auditing and security log' is set to 'Administrators'
- 2.2.24 Ensure 'Modify an object label' is set to 'No One'
- 2.2.25 Ensure 'Modify firmware environment values' is set to 'Administrators'
- 2.2.26 Ensure 'Perform volume maintenance tasks' is set to 'Administrators'
- 2.2.27 Ensure 'Profile single process' is set to 'Administrators'
- 2.2.28 Ensure 'Restore files and directories' is set to 'Administrators'
- 2.2.29 Ensure 'Take ownership of files or other objects' is set to 'Administrators'
- 2.2.3 Ensure 'Act as part of the operating system' is set to 'No One'
- 2.2.4 Ensure 'Allow log on locally' is set to 'Administrators, Users'
- 2.2.5 Ensure 'Back up files and directories' is set to 'Administrators'
- 2.2.6 Ensure 'Change the system time' is set to 'Administrators, LOCAL SERVICE'
- 2.2.7 Ensure 'Create a pagefile' is set to 'Administrators'
- 2.2.8 Ensure 'Create a token object' is set to 'No One'
- 2.2.9 Ensure 'Create global objects' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE'
|
Sep 27, 2023 Miscellaneous- Platform check updated.
- References updated.
- Variables updated.
|
Aug 24, 2023 Added- 18.9.108.2.2 Ensure 'Configure Automatic Updates: Scheduled install day' is set to '0 - Every day'
Removed- 18.9.108.2.2 Ensure 'Configure Automatic Updates: Scheduled install day' is set to '0 - Every day' - Every day'
|
Apr 12, 2023 Miscellaneous- Metadata updated.
- Platform check updated.
- Variables updated.
|
Mar 7, 2023 Miscellaneous- Metadata updated.
- References updated.
|