CIS Microsoft Windows 10 Enterprise (Release 1809) v1.6.1 BL

Audit Details

Name: CIS Microsoft Windows 10 Enterprise (Release 1809) v1.6.1 BL

Updated: 4/25/2022

Authority: CIS

Plugin: Windows

Revision: 1.7

Estimated Item Count: 66

File Details

Filename: CIS_MS_Windows_10_Enterprise_Bitlocker_v1.6.1.audit

Size: 199 kB

MD5: d42a0e9dbcfa7c6294e85afd21951976
SHA256: 05bb4fab629417487447f13d3231d1f125049bc30c159e0c99ff8ca24e2ebe63

Audit Items

DescriptionCategories
2.3.7.3 Ensure 'Interactive logon: Machine account lockout threshold' is set to '10 or fewer invalid logon attempts, but not 0'

ACCESS CONTROL

18.8.7.1.1 Ensure 'Prevent installation of devices that match any of these device IDs' is set to 'Enabled'

MEDIA PROTECTION, SYSTEM AND COMMUNICATIONS PROTECTION

18.8.7.1.2 Ensure 'Prevent installation of devices that match any of these device IDs: Prevent installation of devices that match any of these device IDs' is set to 'PCI\CC_0C0A'

MEDIA PROTECTION, SYSTEM AND COMMUNICATIONS PROTECTION

18.8.7.1.3 Ensure 'Prevent installation of devices that match any of these device IDs: Also apply to matching devices that are already installed.' is set to 'True' (checked)

MEDIA PROTECTION, SYSTEM AND COMMUNICATIONS PROTECTION

18.8.7.1.4 Ensure 'Prevent installation of devices using drivers that match these device setup classes' is set to 'Enabled'

MEDIA PROTECTION, SYSTEM AND COMMUNICATIONS PROTECTION

18.8.7.1.5 Ensure 'Prevent installation of devices using drivers that match these device setup classes: Prevent installation of devices using drivers for these device setup' is set to 'IEEE 1394 device setup classes'

MEDIA PROTECTION, SYSTEM AND COMMUNICATIONS PROTECTION

18.8.7.1.6 Ensure 'Prevent installation of devices using drivers that match these device setup classes: Also apply to matching devices that are already installed.' is set to 'True' (checked)

MEDIA PROTECTION, SYSTEM AND COMMUNICATIONS PROTECTION

18.8.26.1 Ensure 'Enumeration policy for external devices incompatible with Kernel DMA Protection' is set to 'Enabled: Block All'

CONFIGURATION MANAGEMENT

18.8.34.6.3 Ensure 'Allow standby states (S1-S3) when sleeping (on battery)' is set to 'Disabled'

ACCESS CONTROL

18.8.34.6.4 Ensure 'Allow standby states (S1-S3) when sleeping (plugged in)' is set to 'Disabled'

ACCESS CONTROL

18.9.11.1.1 Ensure 'Allow access to BitLocker-protected fixed data drives from earlier versions of Windows' is set to 'Disabled'

ACCESS CONTROL

18.9.11.1.2 Ensure 'Choose how BitLocker-protected fixed drives can be recovered' is set to 'Enabled'

ACCESS CONTROL, CONTINGENCY PLANNING

18.9.11.1.3 Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Allow data recovery agent' is set to 'Enabled: True'

ACCESS CONTROL, CONTINGENCY PLANNING

18.9.11.1.4 Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Recovery Password' is set to 'Enabled: Allow 48-digit recovery password'

ACCESS CONTROL, CONTINGENCY PLANNING

18.9.11.1.5 Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Recovery Key' is set to 'Enabled: Allow 256-bit recovery key'

ACCESS CONTROL, CONTINGENCY PLANNING

18.9.11.1.6 Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Omit recovery options from the BitLocker setup wizard' is set to 'Enabled: True'

ACCESS CONTROL, CONTINGENCY PLANNING

18.9.11.1.7 Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Save BitLocker recovery information to AD DS for fixed data drives' is set to 'Enabled: False'

ACCESS CONTROL, CONTINGENCY PLANNING

18.9.11.1.8 Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Configure storage of BitLocker recovery information to AD DS' is set to 'Enabled: Backup recovery passwords and key packages'

ACCESS CONTROL, CONTINGENCY PLANNING

18.9.11.1.9 Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Do not enable BitLocker until recovery information is stored to AD DS for fixed data drives' is set to 'Enabled: False'

ACCESS CONTROL, CONTINGENCY PLANNING

18.9.11.1.10 Ensure 'Configure use of hardware-based encryption for fixed data drives' is set to 'Enabled'

ACCESS CONTROL

18.9.11.1.11 Ensure 'Configure use of hardware-based encryption for fixed data drives: Use BitLocker software-based encryption when hardware encryption is not available' is set to 'Enabled: True'

ACCESS CONTROL

18.9.11.1.12 Ensure 'Configure use of hardware-based encryption for fixed data drives: Restrict encryption algorithms and cipher suites allowed for hardware-based encryption' is set to 'Enabled: False'

ACCESS CONTROL

18.9.11.1.13 Ensure 'Configure use of hardware-based encryption for fixed data drives: Restrict crypto algorithms or cipher suites to the following:' is set to 'Enabled: 2.16.840.1.101.3.4.1.2;2.16.840.1.101.3.4.1.42'

ACCESS CONTROL

18.9.11.1.14 Ensure 'Configure use of passwords for fixed data drives' is set to 'Disabled'

CONTINGENCY PLANNING, SYSTEM AND COMMUNICATIONS PROTECTION

18.9.11.1.15 Ensure 'Configure use of smart cards on fixed data drives' is set to 'Enabled'

IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

18.9.11.1.16 Ensure 'Configure use of smart cards on fixed data drives: Require use of smart cards on fixed data drives' is set to 'Enabled: True'

IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

18.9.11.2.1 Ensure 'Allow enhanced PINs for startup' is set to 'Enabled'

IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

18.9.11.2.2 Ensure 'Allow Secure Boot for integrity validation' is set to 'Enabled'

SYSTEM AND COMMUNICATIONS PROTECTION, SYSTEM AND INFORMATION INTEGRITY

18.9.11.2.3 Ensure 'Choose how BitLocker-protected operating system drives can be recovered' is set to 'Enabled'

ACCESS CONTROL, CONTINGENCY PLANNING

18.9.11.2.4 Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Allow data recovery agent' is set to 'Enabled: False'

ACCESS CONTROL, CONTINGENCY PLANNING

18.9.11.2.5 Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Recovery Password' is set to 'Enabled: Require 48-digit recovery password'

ACCESS CONTROL, CONTINGENCY PLANNING

18.9.11.2.6 Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Recovery Key' is set to 'Enabled: Do not allow 256-bit recovery key'

ACCESS CONTROL, CONTINGENCY PLANNING

18.9.11.2.7 Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Omit recovery options from the BitLocker setup wizard' is set to 'Enabled: True'

ACCESS CONTROL, CONTINGENCY PLANNING

18.9.11.2.8 Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Save BitLocker recovery information to AD DS for operating system drives' is set to 'Enabled: True'

ACCESS CONTROL, CONTINGENCY PLANNING

18.9.11.2.9 Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Configure storage of BitLocker recovery information to AD DS:' is set to 'Enabled: Store recovery passwords and key packages'

ACCESS CONTROL, CONTINGENCY PLANNING

18.9.11.2.10 Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Do not enable BitLocker until recovery information is stored to AD DS for operating system drives' is set to 'Enabled: True'

ACCESS CONTROL, CONTINGENCY PLANNING

18.9.11.2.11 Ensure 'Configure use of hardware-based encryption for operating system drives' is set to 'Enabled'

ACCESS CONTROL

18.9.11.2.12 Ensure 'Configure use of hardware-based encryption for operating system drives: Use BitLocker software-based encryption when hardware encryption is not available' is set to 'Enabled: True'

ACCESS CONTROL

18.9.11.2.13 Ensure 'Configure use of hardware-based encryption for operating system drives: Restrict encryption algorithms and cipher suites allowed for hardware-based encryption' is set to 'Enabled: False'

ACCESS CONTROL

18.9.11.2.14 Ensure 'Configure use of hardware-based encryption for operating system drives: Restrict crypto algorithms or cipher suites to the following:' is set to 'Enabled: 2.16.840.1.101.3.4.1.2;2.16.840.1.101.3.4.1.42'

ACCESS CONTROL

18.9.11.2.15 Ensure 'Configure use of passwords for operating system drives' is set to 'Disabled'

ACCESS CONTROL

18.9.11.2.16 Ensure 'Require additional authentication at startup' is set to 'Enabled'

IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

18.9.11.2.17 Ensure 'Require additional authentication at startup: Allow BitLocker without a compatible TPM' is set to 'Enabled: False'

IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

18.9.11.3.1 Ensure 'Allow access to BitLocker-protected removable data drives from earlier versions of Windows' is set to 'Disabled'

ACCESS CONTROL

18.9.11.3.2 Ensure 'Choose how BitLocker-protected removable drives can be recovered' is set to 'Enabled'

ACCESS CONTROL, CONTINGENCY PLANNING

18.9.11.3.3 Ensure 'Choose how BitLocker-protected removable drives can be recovered: Allow data recovery agent' is set to 'Enabled: True'

ACCESS CONTROL, CONTINGENCY PLANNING

18.9.11.3.4 Ensure 'Choose how BitLocker-protected removable drives can be recovered: Recovery Password' is set to 'Enabled: Do not allow 48-digit recovery password'

CONTINGENCY PLANNING, SYSTEM AND COMMUNICATIONS PROTECTION

18.9.11.3.5 Ensure 'Choose how BitLocker-protected removable drives can be recovered: Recovery Key' is set to 'Enabled: Do not allow 256-bit recovery key'

ACCESS CONTROL, CONTINGENCY PLANNING

18.9.11.3.6 Ensure 'Choose how BitLocker-protected removable drives can be recovered: Omit recovery options from the BitLocker setup wizard' is set to 'Enabled: True'

ACCESS CONTROL, CONTINGENCY PLANNING

18.9.11.3.7 Ensure 'Choose how BitLocker-protected removable drives can be recovered: Save BitLocker recovery information to AD DS for removable data drives' is set to 'Enabled: False'

ACCESS CONTROL, CONTINGENCY PLANNING