'18.10.93.2.4 (L1) Ensure \'Remove access to \'Pause updates\' feature\' is set to \'Enabled\''
'18.6.14.1 (L1) Ensure \'Hardened UNC Paths\' is set to \'Enabled, with \'Require Mutual Authentication\', \'Require Integrity\', and \'Require Privacy\' set for all NETLOGON and SYSVOL shares\''
1.1.1 (L1) Ensure 'Enforce password history' is set to '24 or more password(s)'
1.1.2 (L1) Ensure 'Maximum password age' is set to '365 or fewer days, but not 0'
1.1.3 (L1) Ensure 'Minimum password age' is set to '1 or more day(s)'
1.1.4 (L1) Ensure 'Minimum password length' is set to '14 or more character(s)'
1.1.5 (L1) Ensure 'Password must meet complexity requirements' is set to 'Enabled'
1.1.6 (L1) Ensure 'Relax minimum password length limits' is set to 'Enabled'
1.1.7 (L1) Ensure 'Store passwords using reversible encryption' is set to 'Disabled'
1.2.1 (L1) Ensure 'Account lockout duration' is set to '15 or more minute(s)'
1.2.2 (L1) Ensure 'Account lockout threshold' is set to '5 or fewer invalid logon attempt(s), but not 0'
1.2.3 (L1) Ensure 'Allow Administrator account lockout' is set to 'Enabled'
1.2.4 (L1) Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)'
17.1.1 (L1) Ensure 'Audit Credential Validation' is set to 'Success and Failure'
17.2.1 (L1) Ensure 'Audit Application Group Management' is set to 'Success and Failure'
17.2.2 (L1) Ensure 'Audit Security Group Management' is set to include 'Success'
17.2.3 (L1) Ensure 'Audit User Account Management' is set to 'Success and Failure'
17.3.1 (L1) Ensure 'Audit PNP Activity' is set to include 'Success'
17.3.2 (L1) Ensure 'Audit Process Creation' is set to include 'Success'
17.5.1 (L1) Ensure 'Audit Account Lockout' is set to include 'Failure'
17.5.2 (L1) Ensure 'Audit Group Membership' is set to include 'Success'
17.5.3 (L1) Ensure 'Audit Logoff' is set to include 'Success'
17.5.4 (L1) Ensure 'Audit Logon' is set to 'Success and Failure'
17.5.5 (L1) Ensure 'Audit Other Logon/Logoff Events' is set to 'Success and Failure'
17.5.6 (L1) Ensure 'Audit Special Logon' is set to include 'Success'
17.6.1 (L1) Ensure 'Audit Detailed File Share' is set to include 'Failure'
17.6.2 (L1) Ensure 'Audit File Share' is set to 'Success and Failure'
17.6.3 (L1) Ensure 'Audit Other Object Access Events' is set to 'Success and Failure'
17.6.4 (L1) Ensure 'Audit Removable Storage' is set to 'Success and Failure'
17.7.1 (L1) Ensure 'Audit Audit Policy Change' is set to include 'Success'
17.7.2 (L1) Ensure 'Audit Authentication Policy Change' is set to include 'Success'
17.7.3 (L1) Ensure 'Audit Authorization Policy Change' is set to include 'Success'
17.7.4 (L1) Ensure 'Audit MPSSVC Rule-Level Policy Change' is set to 'Success and Failure'
17.7.5 (L1) Ensure 'Audit Other Policy Change Events' is set to include 'Failure'
17.8.1 (L1) Ensure 'Audit Sensitive Privilege Use' is set to 'Success and Failure'
17.9.1 (L1) Ensure 'Audit IPsec Driver' is set to 'Success and Failure'
17.9.2 (L1) Ensure 'Audit Other System Events' is set to 'Success and Failure'
17.9.3 (L1) Ensure 'Audit Security State Change' is set to include 'Success'
17.9.4 (L1) Ensure 'Audit Security System Extension' is set to include 'Success'
17.9.5 (L1) Ensure 'Audit System Integrity' is set to 'Success and Failure'
18.1.1.1 (L1) Ensure 'Prevent enabling lock screen camera' is set to 'Enabled'
18.1.1.2 (L1) Ensure 'Prevent enabling lock screen slide show' is set to 'Enabled'
18.1.2.2 (L1) Ensure 'Allow users to enable online speech recognition services' is set to 'Disabled'
18.10.10.1.1 (BL) Ensure 'Allow access to BitLocker-protected fixed data drives from earlier versions of Windows' is set to 'Disabled'
18.10.10.1.10 (BL) Ensure 'Configure use of hardware-based encryption for fixed data drives' is set to 'Disabled'
18.10.10.1.11 (BL) Ensure 'Configure use of passwords for fixed data drives' is set to 'Disabled'
18.10.10.1.12 (BL) Ensure 'Configure use of smart cards on fixed data drives' is set to 'Enabled'
18.10.10.1.13 (BL) Ensure 'Configure use of smart cards on fixed data drives: Require use of smart cards on fixed data drives' is set to 'Enabled: True'
18.10.10.1.2 (BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered' is set to 'Enabled'
18.10.10.1.3 (BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Allow data recovery agent' is set to 'Enabled: True'
18.10.10.1.4 (BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Recovery Password' is set to 'Enabled: Allow 48-digit recovery password' or higher
18.10.10.1.5 (BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Recovery Key' is set to 'Enabled: Allow 256-bit recovery key' or higher
18.10.10.1.6 (BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Omit recovery options from the BitLocker setup wizard' is set to 'Enabled: True'
18.10.10.1.7 (BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Save BitLocker recovery information to AD DS for fixed data drives' is set to 'Enabled: False'
18.10.10.1.8 (BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Configure storage of BitLocker recovery information to AD DS' is set to 'Enabled: Backup recovery passwords and key packages'
18.10.10.1.9 (BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Do not enable BitLocker until recovery information is stored to AD DS for fixed data drives' is set to 'Enabled: False'
18.10.10.2.1 (BL) Ensure 'Allow enhanced PINs for startup' is set to 'Enabled'
18.10.10.2.10 (BL) Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Do not enable BitLocker until recovery information is stored to AD DS for operating system drives' is set to 'Enabled: True'
18.10.10.2.11 (BL) Ensure 'Configure use of hardware-based encryption for operating system drives' is set to 'Disabled'
18.10.10.2.12 (BL) Ensure 'Configure use of passwords for operating system drives' is set to 'Disabled'
18.10.10.2.13 (BL) Ensure 'Require additional authentication at startup' is set to 'Enabled'
18.10.10.2.14 (BL) Ensure 'Require additional authentication at startup: Allow BitLocker without a compatible TPM' is set to 'Enabled: False'
18.10.10.2.2 (BL) Ensure 'Allow Secure Boot for integrity validation' is set to 'Enabled'
18.10.10.2.3 (BL) Ensure 'Choose how BitLocker-protected operating system drives can be recovered' is set to 'Enabled'
18.10.10.2.4 (BL) Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Allow data recovery agent' is set to 'Enabled: False'
18.10.10.2.5 (BL) Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Recovery Password' is set to 'Enabled: Require 48-digit recovery password'
18.10.10.2.6 (BL) Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Recovery Key' is set to 'Enabled: Do not allow 256-bit recovery key'
18.10.10.2.7 (BL) Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Omit recovery options from the BitLocker setup wizard' is set to 'Enabled: True'
18.10.10.2.8 (BL) Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Save BitLocker recovery information to AD DS for operating system drives' is set to 'Enabled: True'
18.10.10.2.9 (BL) Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Configure storage of BitLocker recovery information to AD DS:' is set to 'Enabled: Store recovery passwords and key packages'
18.10.10.3.1 (BL) Ensure 'Allow access to BitLocker-protected removable data drives from earlier versions of Windows' is set to 'Disabled'
18.10.10.3.10 (BL) Ensure 'Configure use of hardware-based encryption for removable data drives' is set to 'Disabled'
18.10.10.3.11 (BL) Ensure 'Configure use of passwords for removable data drives' is set to 'Disabled'
18.10.10.3.12 (BL) Ensure 'Configure use of smart cards on removable data drives' is set to 'Enabled'
18.10.10.3.13 (BL) Ensure 'Configure use of smart cards on removable data drives: Require use of smart cards on removable data drives' is set to 'Enabled: True'
18.10.10.3.14 (BL) Ensure 'Deny write access to removable drives not protected by BitLocker' is set to 'Enabled'
18.10.10.3.15 (BL) Ensure 'Deny write access to removable drives not protected by BitLocker: Do not allow write access to devices configured in another organization' is set to 'Enabled: False'
18.10.10.3.2 (BL) Ensure 'Choose how BitLocker-protected removable drives can be recovered' is set to 'Enabled'
18.10.10.3.3 (BL) Ensure 'Choose how BitLocker-protected removable drives can be recovered: Allow data recovery agent' is set to 'Enabled: True'
18.10.10.3.4 (BL) Ensure 'Choose how BitLocker-protected removable drives can be recovered: Recovery Password' is set to 'Enabled: Do not allow 48-digit recovery password'
18.10.10.3.5 (BL) Ensure 'Choose how BitLocker-protected removable drives can be recovered: Recovery Key' is set to 'Enabled: Do not allow 256-bit recovery key'
18.10.10.3.6 (BL) Ensure 'Choose how BitLocker-protected removable drives can be recovered: Omit recovery options from the BitLocker setup wizard' is set to 'Enabled: True'
18.10.10.3.7 (BL) Ensure 'Choose how BitLocker-protected removable drives can be recovered: Save BitLocker recovery information to AD DS for removable data drives' is set to 'Enabled: False'
18.10.10.3.8 (BL) Ensure 'Choose how BitLocker-protected removable drives can be recovered: Configure storage of BitLocker recovery information to AD DS:' is set to 'Enabled: Backup recovery passwords and key packages'
18.10.10.3.9 (BL) Ensure 'Choose how BitLocker-protected removable drives can be recovered: Do not enable BitLocker until recovery information is stored to AD DS for removable data drives' is set to 'Enabled: False'
18.10.10.4 (BL) Ensure 'Disable new DMA devices when this computer is locked' is set to 'Enabled'
18.10.13.1 (L1) Ensure 'Turn off cloud consumer account state content' is set to 'Enabled'
18.10.13.3 (L1) Ensure 'Turn off Microsoft consumer experiences' is set to 'Enabled'
18.10.14.1 (L1) Ensure 'Require pin for pairing' is set to 'Enabled: First Time' OR 'Enabled: Always'
18.10.15.1 (L1) Ensure 'Do not display the password reveal button' is set to 'Enabled'
18.10.15.2 (L1) Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled'
18.10.15.3 (L1) Ensure 'Prevent the use of security questions for local accounts' is set to 'Enabled'
18.10.16.1 (L1) Ensure 'Allow Diagnostic Data' is set to 'Enabled: Diagnostic data off (not recommended)' or 'Enabled: Send required diagnostic data'
18.10.16.3 (L1) Ensure 'Disable OneSettings Downloads' is set to 'Enabled'
18.10.16.4 (L1) Ensure 'Do not show feedback notifications' is set to 'Enabled'
18.10.16.5 (L1) Ensure 'Enable OneSettings Auditing' is set to 'Enabled'
18.10.16.6 (L1) Ensure 'Limit Diagnostic Log Collection' is set to 'Enabled'
18.10.16.7 (L1) Ensure 'Limit Dump Collection' is set to 'Enabled'
18.10.17.1 (L1) Ensure 'Download Mode' is NOT set to 'Enabled: Internet'
18.10.18.2 (L1) Ensure 'Enable App Installer Experimental Features' is set to 'Disabled'
18.10.18.3 (L1) Ensure 'Enable App Installer Hash Override' is set to 'Disabled'
18.10.18.4 (L1) Ensure 'Enable App Installer Local Archive Malware Scan Override' is set to 'Disabled'
18.10.18.5 (L1) Ensure 'Enable App Installer Microsoft Store Source Certificate Validation Bypass' is set to 'Disabled'
18.10.18.6 (L1) Ensure 'Enable App Installer ms-appinstaller protocol' is set to 'Disabled'
18.10.26.1.1 (L1) Ensure 'Application: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'
18.10.26.1.2 (L1) Ensure 'Application: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'
18.10.26.2.1 (L1) Ensure 'Security: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'
18.10.26.2.2 (L1) Ensure 'Security: Specify the maximum log file size (KB)' is set to 'Enabled: 196,608 or greater'
18.10.26.3.1 (L1) Ensure 'Setup: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'
18.10.26.3.2 (L1) Ensure 'Setup: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'
18.10.26.4.1 (L1) Ensure 'System: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'
18.10.26.4.2 (L1) Ensure 'System: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'
18.10.29.3 (L1) Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled'
18.10.29.4 (L1) Ensure 'Do not apply the Mark of the Web tag to files copied from insecure sources' is set to 'Disabled'
18.10.29.5 (L1) Ensure 'Turn off heap termination on corruption' is set to 'Disabled'
18.10.29.6 (L1) Ensure 'Turn off shell protocol protected mode' is set to 'Disabled'
18.10.4.2 (L1) Ensure 'Not allow per-user unsigned packages to install by default (requires explicitly allow per install)' is set to 'Enabled'
18.10.4.3 (L1) Ensure 'Prevent non-admin users from installing packaged Windows apps' is set to 'Enabled'
18.10.42.1 (L1) Ensure 'Block all consumer Microsoft account user authentication' is set to 'Enabled'
18.10.43.10.1 (L1) Ensure 'Configure real-time protection and Security Intelligence Updates during OOBE' is set to 'Enabled'
18.10.43.10.2 (L1) Ensure 'Scan all downloaded files and attachments' is set to 'Enabled'
18.10.43.10.3 (L1) Ensure 'Turn off real-time protection' is set to 'Disabled'
18.10.43.10.4 (L1) Ensure 'Turn on behavior monitoring' is set to 'Enabled'
18.10.43.10.5 (L1) Ensure 'Turn on script scanning' is set to 'Enabled'
18.10.43.11.1.1.2 (L1) Ensure 'Configure Remote Encryption Protection Mode' is set to 'Enabled: Audit' or higher
18.10.43.13.1 (L1) Ensure 'Scan excluded files and directories during quick scans' is set to 'Enabled: 1'
18.10.43.13.2 (L1) Ensure 'Scan packed executables' is set to 'Enabled'
18.10.43.13.3 (L1) Ensure 'Scan removable drives' is set to 'Enabled'
18.10.43.13.4 (L1) Ensure 'Trigger a quick scan after X days without any scans' is set to 'Enabled: 7'
18.10.43.13.5 (L1) Ensure 'Turn on e-mail scanning' is set to 'Enabled'
18.10.43.16 (L1) Ensure 'Configure detection for potentially unwanted applications' is set to 'Enabled: Block'
18.10.43.17 (L1) Ensure 'Control whether exclusions are visible to local users' is set to 'Enabled'
18.10.43.4.1 (L1) Ensure 'Enable EDR in block mode' is set to 'Enabled'
18.10.43.5.1 (L1) Ensure 'Configure local setting override for reporting to Microsoft MAPS' is set to 'Disabled'
18.10.43.6.1.1 (L1) Ensure 'Configure Attack Surface Reduction rules' is set to 'Enabled'
18.10.43.6.1.2 (L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured
18.10.43.6.3.1 (L1) Ensure 'Prevent users and apps from accessing dangerous websites' is set to 'Enabled: Block'
18.10.43.7.1 (L1) Ensure 'Enable file hash computation feature' is set to 'Enabled'
18.10.44.1 (L1) Ensure 'Allow auditing events in Microsoft Defender Application Guard' is set to 'Enabled'
18.10.44.2 (L1) Ensure 'Allow camera and microphone access in Microsoft Defender Application Guard' is set to 'Disabled'
18.10.44.3 (L1) Ensure 'Allow data persistence for Microsoft Defender Application Guard' is set to 'Disabled'
18.10.44.4 (L1) Ensure 'Allow files to download and save to the host operating system from Microsoft Defender Application Guard' is set to 'Disabled'
18.10.44.5 (L1) Ensure 'Configure Microsoft Defender Application Guard clipboard settings: Clipboard behavior setting' is set to 'Enabled: Enable clipboard operation from an isolated session to the host'
18.10.44.6 (L1) Ensure 'Turn on Microsoft Defender Application Guard in Managed Mode' is set to 'Enabled: 1'
18.10.5.1 (L1) Ensure 'Let Windows apps activate with voice while the system is locked' is set to 'Enabled: Force Deny'
18.10.51.1 (L1) Ensure 'Prevent the usage of OneDrive for file storage' is set to 'Enabled'
18.10.57.2.3 (L1) Ensure 'Do not allow passwords to be saved' is set to 'Enabled'
18.10.57.3.11.1 (L1) Ensure 'Do not delete temp folders upon exit' is set to 'Disabled'
18.10.57.3.3.3 (L1) Ensure 'Do not allow drive redirection' is set to 'Enabled'
18.10.57.3.9.1 (L1) Ensure 'Always prompt for password upon connection' is set to 'Enabled'
18.10.57.3.9.2 (L1) Ensure 'Require secure RPC communication' is set to 'Enabled'
18.10.57.3.9.3 (L1) Ensure 'Require use of specific security layer for remote (RDP) connections' is set to 'Enabled: SSL'
18.10.57.3.9.4 (L1) Ensure 'Require user authentication for remote connections by using Network Level Authentication' is set to 'Enabled'
18.10.57.3.9.5 (L1) Ensure 'Set client connection encryption level' is set to 'Enabled: High Level'
18.10.58.1 (L1) Ensure 'Prevent downloading of enclosures' is set to 'Enabled'
18.10.58.2 (L1) Ensure 'Turn on Basic feed authentication over HTTP' is set to 'Disabled'
18.10.59.3 (L1) Ensure 'Allow Cortana' is set to 'Disabled'
18.10.59.4 (L1) Ensure 'Allow Cortana above lock screen' is set to 'Disabled'
18.10.59.5 (L1) Ensure 'Allow indexing of encrypted files' is set to 'Disabled'
18.10.59.6 (L1) Ensure 'Allow search and Cortana to use location' is set to 'Disabled'
18.10.6.1 (L1) Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled'
18.10.66.2 (L1) Ensure 'Turn off Automatic Download and Install of updates' is set to 'Disabled'
18.10.66.3 (L1) Ensure 'Turn off the offer to update to the latest version of Windows' is set to 'Enabled'
18.10.72.1 (L1) Ensure 'Allow widgets' is set to 'Disabled'
18.10.76.1.1 (L1) Ensure 'Automatic Data Collection' is set to 'Enabled'
18.10.76.1.2 (L1) Ensure 'Notify Malicious' is set to 'Enabled'
18.10.76.1.3 (L1) Ensure 'Notify Password Reuse' is set to 'Enabled'
18.10.76.1.4 (L1) Ensure 'Notify Unsafe App' is set to 'Enabled'
18.10.76.1.5 (L1) Ensure 'Service Enabled' is set to 'Enabled'
18.10.76.2.1 (L1) Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled: Warn and prevent bypass'
18.10.78.1 (L1) Ensure 'Enables or disables Windows Game Recording and Broadcasting' is set to 'Disabled'
18.10.79.1 (L1) Ensure 'Enable ESS with Supported Peripherals' is set to 'Enabled: 1'
18.10.8.1 (L1) Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled'
18.10.8.2 (L1) Ensure 'Set the default behavior for AutoRun' is set to 'Enabled: Do not execute any autorun commands'
18.10.8.3 (L1) Ensure 'Turn off Autoplay' is set to 'Enabled: All drives'
18.10.80.2 (L1) Ensure 'Allow Windows Ink Workspace' is set to 'Enabled: On, but disallow access above lock' OR 'Enabled: Disabled'
18.10.81.1 (L1) Ensure 'Allow user control over installs' is set to 'Disabled'
18.10.81.2 (L1) Ensure 'Always install with elevated privileges' is set to 'Disabled'
18.10.82.1 (L1) Ensure 'Configure the transmission of the user's password in the content of MPR notifications sent by winlogon.' is set to 'Disabled'
18.10.82.2 (L1) Ensure 'Sign-in and lock last interactive user automatically after a restart' is set to 'Disabled'
18.10.89.1.1 (L1) Ensure 'Allow Basic authentication' is set to 'Disabled'
18.10.89.1.2 (L1) Ensure 'Allow unencrypted traffic' is set to 'Disabled'
18.10.89.1.3 (L1) Ensure 'Disallow Digest authentication' is set to 'Enabled'
18.10.89.2.1 (L1) Ensure 'Allow Basic authentication' is set to 'Disabled'
18.10.89.2.3 (L1) Ensure 'Allow unencrypted traffic' is set to 'Disabled'
18.10.89.2.4 (L1) Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled'
18.10.9.1.1 (L1) Ensure 'Configure enhanced anti-spoofing' is set to 'Enabled'
18.10.91.1 (L1) Ensure 'Allow clipboard sharing with Windows Sandbox' is set to 'Disabled'
18.10.91.3 (L1) Ensure 'Allow networking in Windows Sandbox' is set to 'Disabled'
18.10.92.2.1 (L1) Ensure 'Prevent users from modifying settings' is set to 'Enabled'
18.10.93.1.1 (L1) Ensure 'No auto-restart with logged on users for scheduled automatic updates installations' is set to 'Disabled'
18.10.93.2.1 (L1) Ensure 'Configure Automatic Updates' is set to 'Enabled'
18.10.93.2.2 (L1) Ensure 'Configure Automatic Updates: Scheduled install day' is set to '0 - Every day'
18.10.93.2.3 (L1) Ensure 'Enable features introduced via servicing that are off by default' is set to 'Disabled'
18.10.93.4.1 (L1) Ensure 'Manage preview builds' is set to 'Disabled'
18.10.93.4.2 (L1) Ensure 'Select when Preview Builds and Feature Updates are received' is set to 'Enabled: 180 or more days'
18.10.93.4.3 (L1) Ensure 'Select when Quality Updates are received' is set to 'Enabled: 0 days'
18.10.93.4.4 (L1) Ensure 'Enable optional updates' is set to 'Disabled'
18.4.1 (L1) Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled'
18.4.2 (L1) Ensure 'Configure SMB v1 client driver' is set to 'Enabled: Disable driver (recommended)'
18.4.3 (L1) Ensure 'Configure SMB v1 server' is set to 'Disabled'
18.4.4 (L1) Ensure 'Enable Certificate Padding' is set to 'Enabled'
18.4.5 (L1) Ensure 'Enable Structured Exception Handling Overwrite Protection (SEHOP)' is set to 'Enabled'
18.4.6 (L1) Ensure 'NetBT NodeType configuration' is set to 'Enabled: P-node (recommended)'
18.4.7 (L1) Ensure 'WDigest Authentication' is set to 'Disabled'
18.5.1 (L1) Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon' is set to 'Disabled'
18.5.10 (L1) Ensure 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires' is set to 'Enabled: 5 or fewer seconds'
18.5.13 (L1) Ensure 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' is set to 'Enabled: 90% or less'
18.5.2 (L1) Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level' is set to 'Enabled: Highest protection, source routing is completely disabled'
18.5.3 (L1) Ensure 'MSS: (DisableIPSourceRouting) IP source routing protection level' is set to 'Enabled: Highest protection, source routing is completely disabled'
18.5.5 (L1) Ensure 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' is set to 'Disabled'
18.5.7 (L1) Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' is set to 'Enabled'
18.5.9 (L1) Ensure 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode' is set to 'Enabled'
18.6.11.2 (L1) Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enabled'
18.6.11.3 (L1) Ensure 'Prohibit use of Internet Connection Sharing on your DNS domain network' is set to 'Enabled'
18.6.11.4 (L1) Ensure 'Require domain users to elevate when setting a network's location' is set to 'Enabled'
18.6.21.1 (L1) Ensure 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' is set to 'Enabled: 3 = Prevent Wi-Fi when on Ethernet'
18.6.21.2 (L1) Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled'
18.6.23.2.1 (L1) Ensure 'Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services' is set to 'Disabled'
18.6.4.1 (L1) Ensure 'Configure multicast DNS (mDNS) protocol' is set to 'Disabled'
18.6.4.2 (L1) Ensure 'Configure NetBIOS settings' is set to 'Enabled: Disable NetBIOS name resolution on public networks'
18.6.4.4 (L1) Ensure 'Turn off multicast name resolution' is set to 'Enabled'
18.6.7.1 (L1) Ensure 'Audit client does not support encryption' is set to 'Enabled'
18.6.7.2 (L1) Ensure 'Audit client does not support signing' is set to 'Enabled'
18.6.7.3 (L1) Ensure 'Audit insecure guest logon' is set to 'Enabled'
18.6.7.4 (L1) Ensure 'Enable authentication rate limiter' is set to 'Enabled'
18.6.7.5 (L1) Ensure 'Enable remote mailslots' is set to 'Disabled'
18.6.7.6 (L1) Ensure 'Mandate the minimum version of SMB' is set to 'Enabled: 3.1.1'
18.6.7.7 (L1) Ensure 'Set authentication rate limiter delay (milliseconds)' is set to 'Enabled: 2000' or more
18.6.8.1 (L1) Ensure 'Audit insecure guest logon' is set to 'Enabled'
18.6.8.2 (L1) Ensure 'Audit server does not support encryption' is set to 'Enabled'
18.6.8.3 (L1) Ensure 'Audit server does not support signing' is set to 'Enabled'
18.6.8.4 (L1) Ensure 'Enable insecure guest logons' is set to 'Disabled'
18.6.8.5 (L1) Ensure 'Enable remote mailslots' is set to 'Disabled'
18.6.8.6 (L1) Ensure 'Mandate the minimum version of SMB' is set to 'Enabled: 3.1.1'
18.6.8.7 (L1) Ensure 'Require Encryption' is set to 'Enabled'
18.7.1 (L1) Ensure 'Allow Print Spooler to accept client connections' is set to 'Disabled'
18.7.10 (L1) Ensure 'Limits print driver installation to Administrators' is set to 'Enabled'
18.7.11 (L1) Ensure 'Manage processing of Queue-specific files' is set to 'Enabled: Limit Queue-specific files to Color profiles'
18.7.12 (L1) Ensure 'Point and Print Restrictions: When installing drivers for a new connection' is set to 'Enabled: Show warning and elevation prompt'
18.7.13 (L1) Ensure 'Point and Print Restrictions: When updating drivers for an existing connection' is set to 'Enabled: Show warning and elevation prompt'
18.7.2 (L1) Ensure 'Configure Redirection Guard' is set to 'Enabled: Redirection Guard Enabled'
18.7.3 (L1) Ensure 'Configure RPC connection settings: Protocol to use for outgoing RPC connections' is set to 'Enabled: RPC over TCP'
18.7.4 (L1) Ensure 'Configure RPC connection settings: Use authentication for outgoing RPC connections' is set to 'Enabled: Default'
18.7.5 (L1) Ensure 'Configure RPC listener settings: Protocols to allow for incoming RPC connections' is set to 'Enabled: RPC over TCP'
18.7.6 (L1) Ensure 'Configure RPC listener settings: Authentication protocol to use for incoming RPC connections:' is set to 'Enabled: Negotiate' or higher
18.7.7 (L1) Ensure 'Configure RPC over TCP port' is set to 'Enabled: 0'
18.7.8 (L1) Ensure 'Configure RPC packet level privacy setting for incoming connections' is set to 'Enabled'
18.9.13.1 (L1) Ensure 'Boot-Start Driver Initialization Policy' is set to 'Enabled: Good, unknown and bad but critical'
18.9.19.2 (L1) Ensure 'Configure registry policy processing: Do not apply during periodic background processing' is set to 'Enabled: FALSE'
18.9.19.3 (L1) Ensure 'Configure registry policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled: TRUE'
18.9.19.4 (L1) Ensure 'Configure security policy processing: Do not apply during periodic background processing' is set to 'Enabled: FALSE'
18.9.19.5 (L1) Ensure 'Configure security policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled: TRUE'
18.9.19.6 (L1) Ensure 'Continue experiences on this device' is set to 'Disabled'
18.9.19.7 (L1) Ensure 'Turn off background refresh of Group Policy' is set to 'Disabled'
18.9.20.1.2 (L1) Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled'
18.9.20.1.6 (L1) Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'
18.9.24.1 (BL) Ensure 'Enumeration policy for external devices incompatible with Kernel DMA Protection' is set to 'Enabled: Block All'
18.9.25.1 (L1) Ensure 'Configure password backup directory' is set to 'Enabled: Active Directory' or 'Enabled: Azure Active Directory'
18.9.25.2 (L1) Ensure 'Do not allow password expiration time longer than required by policy' is set to 'Enabled'
18.9.25.3 (L1) Ensure 'Enable password encryption' is set to 'Enabled'
18.9.25.4 (L1) Ensure 'Password Settings: Password Complexity' is set to 'Enabled: Large letters + small letters + numbers + special characters'
18.9.25.5 (L1) Ensure 'Password Settings: Password Length' is set to 'Enabled: 15 or more'
18.9.25.6 (L1) Ensure 'Password Settings: Password Age (Days)' is set to 'Enabled: 30 or fewer'
18.9.25.7 (L1) Ensure 'Post-authentication actions: Grace period (hours)' is set to 'Enabled: 8 or fewer hours, but not 0'
18.9.25.8 (L1) Ensure 'Post-authentication actions: Actions' is set to 'Enabled: Reset the password and logoff the managed account' or higher
18.9.26.1 (L1) Ensure 'Allow Custom SSPs and APs to be loaded into LSASS' is set to 'Disabled'
18.9.26.2 (L1) Ensure 'Configures LSASS to run as a protected process' is set to 'Enabled: Enabled with UEFI Lock'
18.9.28.1 (L1) Ensure 'Block user from showing account details on sign-in' is set to 'Enabled'
18.9.28.2 (L1) Ensure 'Do not display network selection UI' is set to 'Enabled'
18.9.28.3 (L1) Ensure 'Do not enumerate connected users on domain-joined computers' is set to 'Enabled'
18.9.28.4 (L1) Ensure 'Enumerate local users on domain-joined computers' is set to 'Disabled'
18.9.28.5 (L1) Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled'
18.9.28.6 (L1) Ensure 'Turn off picture password sign-in' is set to 'Enabled'
18.9.28.7 (L1) Ensure 'Turn on convenience PIN sign-in' is set to 'Disabled'
18.9.3.1 (L1) Ensure 'Include command line in process creation events' is set to 'Enabled'
18.9.30.1.1 (L1) Ensure 'Block NetBIOS-based discovery for domain controller location' is set to 'Enabled'
18.9.33.6.1 (L1) Ensure 'Allow network connectivity during connected-standby (on battery)' is set to 'Disabled'
18.9.33.6.2 (L1) Ensure 'Allow network connectivity during connected-standby (plugged in)' is set to 'Disabled'
18.9.33.6.3 (BL) Ensure 'Allow standby states (S1-S3) when sleeping (on battery)' is set to 'Disabled'
18.9.33.6.4 (BL) Ensure 'Allow standby states (S1-S3) when sleeping (plugged in)' is set to 'Disabled'
18.9.33.6.5 (L1) Ensure 'Require a password when a computer wakes (on battery)' is set to 'Enabled'
18.9.33.6.6 (L1) Ensure 'Require a password when a computer wakes (plugged in)' is set to 'Enabled'
18.9.35.1 (L1) Ensure 'Configure Offer Remote Assistance' is set to 'Disabled'
18.9.35.2 (L1) Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled'
18.9.36.1 (L1) Ensure 'Enable RPC Endpoint Mapper Client Authentication' is set to 'Enabled'
18.9.36.2 (L1) Ensure 'Restrict Unauthenticated RPC clients' is set to 'Enabled: Authenticated'
18.9.39.1 (L1) Ensure 'Configure SAM change password RPC methods policy' is set to 'Enabled: Block all change password RPC methods'
18.9.4.1 (L1) Ensure 'Encryption Oracle Remediation' is set to 'Enabled: Force Updated Clients'
18.9.4.2 (L1) Ensure 'Remote host allows delegation of non-exportable credentials' is set to 'Enabled'
18.9.5.1 (L1) Ensure 'Turn On Virtualization Based Security' is set to 'Enabled'
18.9.5.2 (L1) Ensure 'Turn On Virtualization Based Security: Select Platform Security Level' is set to 'Secure Boot' or higher
18.9.5.3 (L1) Ensure 'Turn On Virtualization Based Security: Virtualization Based Protection of Code Integrity' is set to 'Enabled with UEFI lock'
18.9.5.4 (L1) Ensure 'Turn On Virtualization Based Security: Require UEFI Memory Attributes Table' is set to 'True (checked)'
18.9.5.5 (L1) Ensure 'Turn On Virtualization Based Security: Credential Guard Configuration' is set to 'Enabled with UEFI lock'
18.9.5.6 (L1) Ensure 'Turn On Virtualization Based Security: Secure Launch Configuration' is set to 'Enabled'
18.9.5.7 (L1) Ensure 'Turn On Virtualization Based Security: Kernel-mode Hardware-enforced Stack Protection' is set to 'Enabled: Enabled in enforcement mode'
18.9.51.1.1 (L1) Ensure 'Enable Windows NTP Client' is set to 'Enabled'
18.9.51.1.2 (L1) Ensure 'Enable Windows NTP Server' is set to 'Disabled'
18.9.52 (L1) Ensure 'Configure the behavior of the sudo command' is set to 'Enabled: Disabled'
18.9.7.1.1 (BL) Ensure 'Prevent installation of devices using drivers that match these device setup classes' is set to 'Enabled'
18.9.7.1.2 (BL) Ensure 'Prevent installation of devices using drivers that match these device setup classes: Prevent installation of devices using drivers for these device setup' is set to 'IEEE 1394 device setup classes'
18.9.7.1.3 (BL) Ensure 'Prevent installation of devices using drivers that match these device setup classes: Also apply to matching devices that are already installed.' is set to 'True' (checked)
18.9.7.2 (L1) Ensure 'Prevent device metadata retrieval from the Internet' is set to 'Enabled'
19.5.1.1 (L1) Ensure 'Turn off toast notifications on the lock screen' is set to 'Enabled'
19.7.26.1 (L1) Ensure 'Prevent users from sharing files within their profile.' is set to 'Enabled'
19.7.40.1 (L1) Ensure 'Turn off Windows Copilot' is set to 'Enabled'
19.7.44.1 (L1) Ensure 'Always install with elevated privileges' is set to 'Disabled'
19.7.5.1 (L1) Ensure 'Do not preserve zone information in file attachments' is set to 'Disabled'
19.7.5.2 (L1) Ensure 'Notify antivirus programs when opening attachments' is set to 'Enabled'
19.7.8.1 (L1) Ensure 'Configure Windows spotlight on lock screen' is set to 'Disabled'
19.7.8.2 (L1) Ensure 'Do not suggest third-party content in Windows spotlight' is set to 'Enabled'
19.7.8.5 (L1) Ensure 'Turn off Spotlight collection on Desktop' is set to 'Enabled'
2.2.1 (L1) Ensure 'Access Credential Manager as a trusted caller' is set to 'No One'
2.2.10 (L1) Ensure 'Create a pagefile' is set to 'Administrators'
2.2.11 (L1) Ensure 'Create a token object' is set to 'No One'
2.2.12 (L1) Ensure 'Create global objects' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE'
2.2.13 (L1) Ensure 'Create permanent shared objects' is set to 'No One'
2.2.14 (L1) Ensure 'Create symbolic links' is set to 'Administrators'
2.2.15 (L1) Ensure 'Debug programs' is set to 'Administrators'
2.2.16 (L1) Ensure 'Deny access to this computer from the network' to include 'Guests, Local account'
2.2.17 (L1) Ensure 'Deny log on as a batch job' to include 'Guests'
2.2.18 (L1) Ensure 'Deny log on as a service' to include 'Guests'
2.2.19 (L1) Ensure 'Deny log on locally' to include 'Guests'
2.2.2 (L1) Ensure 'Access this computer from the network' is set to 'Administrators, Remote Desktop Users'
2.2.20 (L1) Ensure 'Deny log on through Remote Desktop Services' to include 'Guests, Local account'
2.2.21 (L1) Ensure 'Enable computer and user accounts to be trusted for delegation' is set to 'No One'
2.2.22 (L1) Ensure 'Force shutdown from a remote system' is set to 'Administrators'
2.2.23 (L1) Ensure 'Generate security audits' is set to 'LOCAL SERVICE, NETWORK SERVICE'
2.2.24 (L1) Ensure 'Impersonate a client after authentication' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE'
2.2.25 (L1) Ensure 'Increase scheduling priority' is set to 'Administrators, Window Manager\Window Manager Group'
2.2.26 (L1) Ensure 'Load and unload device drivers' is set to 'Administrators'
2.2.27 (L1) Ensure 'Lock pages in memory' is set to 'No One'
2.2.3 (L1) Ensure 'Act as part of the operating system' is set to 'No One'
2.2.30 (L1) Ensure 'Manage auditing and security log' is set to 'Administrators'
2.2.31 (L1) Ensure 'Modify an object label' is set to 'No One'
2.2.32 (L1) Ensure 'Modify firmware environment values' is set to 'Administrators'
2.2.33 (L1) Ensure 'Perform volume maintenance tasks' is set to 'Administrators'
2.2.34 (L1) Ensure 'Profile single process' is set to 'Administrators'
2.2.35 (L1) Ensure 'Profile system performance' is set to 'Administrators, NT SERVICE\WdiServiceHost'
2.2.36 (L1) Ensure 'Replace a process level token' is set to 'LOCAL SERVICE, NETWORK SERVICE'
2.2.37 (L1) Ensure 'Restore files and directories' is set to 'Administrators'
2.2.38 (L1) Ensure 'Shut down the system' is set to 'Administrators, Users'
2.2.39 (L1) Ensure 'Take ownership of files or other objects' is set to 'Administrators'
2.2.4 (L1) Ensure 'Adjust memory quotas for a process' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE'
2.2.5 (L1) Ensure 'Allow log on locally' is set to 'Administrators, Users'
2.2.6 (L1) Ensure 'Allow log on through Remote Desktop Services' is set to 'Administrators, Remote Desktop Users'
2.2.7 (L1) Ensure 'Back up files and directories' is set to 'Administrators'
2.2.8 (L1) Ensure 'Change the system time' is set to 'Administrators, LOCAL SERVICE'
2.2.9 (L1) Ensure 'Change the time zone' is set to 'Administrators, LOCAL SERVICE, Users'
2.3.1.1 (L1) Ensure 'Accounts: Guest account status' is set to 'Disabled'
2.3.1.2 (L1) Ensure 'Accounts: Limit local account use of blank passwords to console logon only' is set to 'Enabled'
2.3.10.8 (L1) Ensure 'Network access: Remotely accessible registry paths and sub-paths' is configured
2.3.10.9 (L1) Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled'
2.3.11.1 (L1) Ensure 'Network security: Allow Local System to use computer identity for NTLM' is set to 'Enabled'
2.3.11.10 (L1) Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' is set to 'Require NTLMv2 session security, Require 128-bit encryption'
2.3.11.11 (L1) Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' is set to 'Require NTLMv2 session security, Require 128-bit encryption'
2.3.11.12 (L1) Ensure 'Network security: Restrict NTLM: Audit Incoming NTLM Traffic' is set to 'Enable auditing for all accounts'
2.3.11.13 (L1) Ensure 'Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers' is set to 'Audit all' or higher
2.3.11.2 (L1) Ensure 'Network security: Allow LocalSystem NULL session fallback' is set to 'Disabled'
2.3.11.3 (L1) Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled'
2.3.11.4 (L1) Ensure 'Network security: Configure encryption types allowed for Kerberos' is set to 'AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types'
2.3.11.5 (L1) Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled'
2.3.11.6 (L1) Ensure 'Network security: Force logoff when logon hours expire' is set to 'Enabled'
2.3.11.7 (L1) Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 response only. Refuse LM & NTLM'
2.3.11.8 (L1) Ensure 'Network security: LDAP client encryption requirements' is set to 'Negotiate sealing' or higher
2.3.11.9 (L1) Ensure 'Network security: LDAP client signing requirements' is set to 'Negotiate signing' or higher
2.3.15.1 (L1) Ensure 'System objects: Require case insensitivity for non-Windows subsystems' is set to 'Enabled'
2.3.15.2 (L1) Ensure 'System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)' is set to 'Enabled'
2.3.17.1 (L1) Ensure 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is set to 'Enabled'
2.3.17.2 (L1) Ensure 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' is set to 'Prompt for consent on the secure desktop' or higher
2.3.17.3 (L1) Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to 'Automatically deny elevation requests'
2.3.17.4 (L1) Ensure 'User Account Control: Detect application installations and prompt for elevation' is set to 'Enabled'
2.3.17.5 (L1) Ensure 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is set to 'Enabled'
2.3.17.6 (L1) Ensure 'User Account Control: Run all administrators in Admin Approval Mode' is set to 'Enabled'
2.3.17.7 (L1) Ensure 'User Account Control: Switch to the secure desktop when prompting for elevation' is set to 'Enabled'
2.3.17.8 (L1) Ensure 'User Account Control: Virtualize file and registry write failures to per-user locations' is set to 'Enabled'
2.3.2.1 (L1) Ensure 'Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings' is set to 'Enabled'
2.3.2.2 (L1) Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled'
2.3.6.1 (L1) Ensure 'Domain member: Digitally encrypt or sign secure channel data (always)' is set to 'Enabled'
2.3.6.2 (L1) Ensure 'Domain member: Digitally encrypt secure channel data (when possible)' is set to 'Enabled'
2.3.6.3 (L1) Ensure 'Domain member: Digitally sign secure channel data (when possible)' is set to 'Enabled'
2.3.6.4 (L1) Ensure 'Domain member: Disable machine account password changes' is set to 'Disabled'
2.3.6.5 (L1) Ensure 'Domain member: Maximum machine account password age' is set to '30 or fewer days, but not 0'
2.3.6.6 (L1) Ensure 'Domain member: Require strong (Windows 2000 or later) session key' is set to 'Enabled'
2.3.7.1 (L1) Ensure 'Interactive logon: Do not require CTRL+ALT+DEL' is set to 'Disabled'
2.3.7.2 (L1) Ensure 'Interactive logon: Don't display last signed-in' is set to 'Enabled'
2.3.7.3 (BL) Ensure 'Interactive logon: Machine account lockout threshold' is set to '10 or fewer invalid logon attempts, but not 0'
2.3.7.4 (L1) Ensure 'Interactive logon: Machine inactivity limit' is set to '900 or fewer second(s), but not 0'
2.3.7.5 (L1) Configure 'Interactive logon: Message text for users attempting to log on'
2.3.7.6 (L1) Configure 'Interactive logon: Message title for users attempting to log on'
2.3.7.8 (L1) Ensure 'Interactive logon: Prompt user to change password before expiration' is set to 'between 5 and 14 days'
2.3.7.9 (L1) Ensure 'Interactive logon: Smart card removal behavior' is set to 'Lock Workstation' or higher
2.3.8.1 (L1) Ensure 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled'
2.3.8.2 (L1) Ensure 'Microsoft network client: Digitally sign communications (if server agrees)' is set to 'Enabled'
2.3.8.3 (L1) Ensure 'Microsoft network client: Send unencrypted password to third-party SMB servers' is set to 'Disabled'
2.3.9.1 (L1) Ensure 'Microsoft network server: Amount of idle time required before suspending session' is set to '15 or fewer minute(s)'
2.3.9.2 (L1) Ensure 'Microsoft network server: Digitally sign communications (always)' is set to 'Enabled'
2.3.9.3 (L1) Ensure 'Microsoft network server: Digitally sign communications (if client agrees)' is set to 'Enabled'
2.3.9.4 (L1) Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled'
2.3.9.5 (L1) Ensure 'Microsoft network server: Server SPN target name validation level' is set to 'Accept if provided by client' or higher
5.10 (L1) Ensure 'LxssManager (LxssManager)' is set to 'Disabled' or 'Not Installed'
5.11 (L1) Ensure 'Microsoft FTP Service (FTPSVC)' is set to 'Disabled' or 'Not Installed'
5.13 (L1) Ensure 'OpenSSH SSH Server (sshd)' is set to 'Disabled' or 'Not Installed'
5.20 (L1) Ensure 'Remote Procedure Call (RPC) Locator (RpcLocator)' is set to 'Disabled'
5.22 (L1) Ensure 'Routing and Remote Access (RemoteAccess)' is set to 'Disabled'
5.24 (L1) Ensure 'Simple TCP/IP Services (simptcp)' is set to 'Disabled' or 'Not Installed'
5.26 (L1) Ensure 'Special Administration Console Helper (sacsvr)' is set to 'Disabled' or 'Not Installed'
5.27 (L1) Ensure 'SSDP Discovery (SSDPSRV)' is set to 'Disabled'
5.28 (L1) Ensure 'UPnP Device Host (upnphost)' is set to 'Disabled'
5.29 (L1) Ensure 'Web Management Service (WMSvc)' is set to 'Disabled' or 'Not Installed'
5.3 (L1) Ensure 'Computer Browser (Browser)' is set to 'Disabled' or 'Not Installed'
5.32 (L1) Ensure 'Windows Media Player Network Sharing Service (WMPNetworkSvc)' is set to 'Disabled' or 'Not Installed'
5.33 (L1) Ensure 'Windows Mobile Hotspot Service (icssvc)' is set to 'Disabled'
5.38 (L1) Ensure 'World Wide Web Publishing Service (W3SVC)' is set to 'Disabled' or 'Not Installed'
5.39 (L1) Ensure 'Xbox Accessory Management Service (XboxGipSvc)' is set to 'Disabled'
5.40 (L1) Ensure 'Xbox Live Auth Manager (XblAuthManager)' is set to 'Disabled'
5.41 (L1) Ensure 'Xbox Live Game Save (XblGameSave)' is set to 'Disabled'
5.42 (L1) Ensure 'Xbox Live Networking Service (XboxNetApiSvc)' is set to 'Disabled'
5.7 (L1) Ensure 'IIS Admin Service (IISADMIN)' is set to 'Disabled' or 'Not Installed'
5.8 (L1) Ensure 'Infrared monitor service (irmon)' is set to 'Disabled' or 'Not Installed'
9.1.1 (L1) Ensure 'Windows Firewall: Domain: Firewall state' is set to 'On (recommended)'
9.1.2 (L1) Ensure 'Windows Firewall: Domain: Inbound connections' is set to 'Block (default)'
9.1.3 (L1) Ensure 'Windows Firewall: Domain: Settings: Display a notification' is set to 'No'
9.1.4 (L1) Ensure 'Windows Firewall: Domain: Logging: Name' is set to '%SystemRoot%\System32\logfiles\firewall\domainfw.log'
9.1.5 (L1) Ensure 'Windows Firewall: Domain: Logging: Size limit (KB)' is set to '16,384 KB or greater'
9.1.6 (L1) Ensure 'Windows Firewall: Domain: Logging: Log dropped packets' is set to 'Yes'
9.1.7 (L1) Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Yes'
9.2.1 (L1) Ensure 'Windows Firewall: Private: Firewall state' is set to 'On (recommended)'
9.2.2 (L1) Ensure 'Windows Firewall: Private: Inbound connections' is set to 'Block (default)'
9.2.3 (L1) Ensure 'Windows Firewall: Private: Settings: Display a notification' is set to 'No'
9.2.4 (L1) Ensure 'Windows Firewall: Private: Logging: Name' is set to '%SystemRoot%\System32\logfiles\firewall\privatefw.log'
9.2.5 (L1) Ensure 'Windows Firewall: Private: Logging: Size limit (KB)' is set to '16,384 KB or greater'
9.2.6 (L1) Ensure 'Windows Firewall: Private: Logging: Log dropped packets' is set to 'Yes'
9.2.7 (L1) Ensure 'Windows Firewall: Private: Logging: Log successful connections' is set to 'Yes'
9.3.1 (L1) Ensure 'Windows Firewall: Public: Firewall state' is set to 'On (recommended)'
9.3.2 (L1) Ensure 'Windows Firewall: Public: Inbound connections' is set to 'Block (default)'
9.3.3 (L1) Ensure 'Windows Firewall: Public: Settings: Display a notification' is set to 'No'
9.3.4 (L1) Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No'
9.3.5 (L1) Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No'
9.3.6 (L1) Ensure 'Windows Firewall: Public: Logging: Name' is set to '%SystemRoot%\System32\logfiles\firewall\publicfw.log'
9.3.7 (L1) Ensure 'Windows Firewall: Public: Logging: Size limit (KB)' is set to '16,384 KB or greater'
9.3.8 (L1) Ensure 'Windows Firewall: Public: Logging: Log dropped packets' is set to 'Yes'
9.3.9 (L1) Ensure 'Windows Firewall: Public: Logging: Log successful connections' is set to 'Yes'
