2.3.11.12 (L1) Ensure 'Network security: Restrict NTLM: Audit NTLM authentication in this domain' is set to 'Enable all' (DC only)
Informational Update
1.1.1 (L1) Ensure 'Enforce password history' is set to '24 or more password(s)'
1.1.4 (L1) Ensure 'Minimum password length' is set to '14 or more character(s)'
1.1.5 (L1) Ensure 'Password must meet complexity requirements' is set to 'Enabled'
17.2.1 (L1) Ensure 'Audit Application Group Management' is set to 'Success and Failure'
17.3.2 (L1) Ensure 'Audit Process Creation' is set to include 'Success'
18.1.1.1 (L1) Ensure 'Prevent enabling lock screen camera' is set to 'Enabled'
18.1.1.2 (L1) Ensure 'Prevent enabling lock screen slide show' is set to 'Enabled'
18.1.2.2 (L1) Ensure 'Allow users to enable online speech recognition services' is set to 'Disabled'
18.10.12.2 (L1) Ensure 'Turn off Microsoft consumer experiences' is set to 'Enabled'
18.10.13.1 (L1) Ensure 'Require pin for pairing' is set to 'Enabled: First Time' OR 'Enabled: Always'
18.10.14.1 (L1) Ensure 'Do not display the password reveal button' is set to 'Enabled'
18.10.15.1 (L1) Ensure 'Allow Diagnostic Data' is set to 'Enabled: Diagnostic data off (not recommended)' or 'Enabled: Send required diagnostic data'
18.10.15.8 (L1) Ensure 'Toggle user control over Insider builds' is set to 'Disabled'
18.10.25.1.1 (L1) Ensure 'Application: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'
18.10.25.1.2 (L1) Ensure 'Application: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'
18.10.25.2.1 (L1) Ensure 'Security: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'
18.10.25.2.2 (L1) Ensure 'Security: Specify the maximum log file size (KB)' is set to 'Enabled: 196,608 or greater'
18.10.25.3.1 (L1) Ensure 'Setup: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'
18.10.25.3.2 (L1) Ensure 'Setup: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'
18.10.25.4.1 (L1) Ensure 'System: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'
18.10.25.4.2 (L1) Ensure 'System: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'
18.10.28.2 (L1) Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled'
18.10.41.1 (L1) Ensure 'Block all consumer Microsoft account user authentication' is set to 'Enabled'
18.10.42.10.1 (L1) Ensure 'Scan all downloaded files and attachments' is set to 'Enabled'
18.10.42.10.2 (L1) Ensure 'Turn off real-time protection' is set to 'Disabled'
18.10.42.10.3 (L1) Ensure 'Turn on behavior monitoring' is set to 'Enabled'
18.10.42.13.2 (L1) Ensure 'Scan removable drives' is set to 'Enabled'
18.10.42.13.3 (L1) Ensure 'Turn on e-mail scanning' is set to 'Enabled'
18.10.42.16 (L1) Ensure 'Configure detection for potentially unwanted applications' is set to 'Enabled: Block'
18.10.42.17 (L1) Ensure 'Turn off Microsoft Defender AntiVirus' is set to 'Disabled'
18.10.42.5.1 (L1) Ensure 'Configure local setting override for reporting to Microsoft MAPS' is set to 'Disabled'
18.10.42.6.1.2 (L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured
18.10.42.7.1 (L1) Ensure 'Enable file hash computation feature' is set to 'Enabled'
18.10.5.1 (L1) Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled'
18.10.50.1 (L1) Ensure 'Prevent the usage of OneDrive for file storage' is set to 'Enabled'
18.10.56.3.11.1 (L1) Ensure 'Do not delete temp folders upon exit' is set to 'Disabled'
18.10.56.3.9.1 (L1) Ensure 'Always prompt for password upon connection' is set to 'Enabled'
18.10.56.3.9.3 (L1) Ensure 'Require use of specific security layer for remote (RDP) connections' is set to 'Enabled: SSL'
18.10.56.3.9.4 (L1) Ensure 'Require user authentication for remote connections by using Network Level Authentication' is set to 'Enabled'
18.10.57.1 (L1) Ensure 'Prevent downloading of enclosures' is set to 'Enabled'
18.10.7.1 (L1) Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled'
18.10.7.2 (L1) Ensure 'Set the default behavior for AutoRun' is set to 'Enabled: Do not execute any autorun commands'
18.10.75.2.1 (L1) Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled: Warn and prevent bypass'
18.10.79.2 (L1) Ensure 'Allow Windows Ink Workspace' is set to 'Enabled: On, but disallow access above lock' OR 'Enabled: Disabled'
18.10.8.1.1 (L1) Ensure 'Configure enhanced anti-spoofing' is set to 'Enabled'
18.10.80.1 (L1) Ensure 'Allow user control over installs' is set to 'Disabled'
18.10.81.1 (L1) Ensure 'Sign-in and lock last interactive user automatically after a restart' is set to 'Disabled'
18.10.88.2.4 (L1) Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled'
18.10.92.1.1 (L1) Ensure 'No auto-restart with logged on users for scheduled automatic updates installations' is set to 'Disabled'
18.10.92.2.1 (L1) Ensure 'Configure Automatic Updates' is set to 'Enabled'
18.10.92.4.1 (L1) Ensure 'Manage preview builds' is set to 'Disabled'
18.10.92.4.2 (L1) Ensure 'Select when Preview Builds and Feature Updates are received' is set to 'Enabled: 180 or more days'
18.10.92.4.3 (L1) Ensure 'Select when Quality Updates are received' is set to 'Enabled: 0 days'
18.4.2 (L1) Ensure 'Configure RPC packet level privacy setting for incoming connections' is set to 'Enabled'
18.4.3 (L1) Ensure 'Configure SMB v1 client driver' is set to 'Enabled: Disable driver (recommended)'
18.4.4 (L1) Ensure 'Configure SMB v1 server' is set to 'Disabled'
18.4.5 (L1) Ensure 'Enable Certificate Padding' is set to 'Enabled'
18.4.6 (L1) Ensure 'Enable Structured Exception Handling Overwrite Protection (SEHOP)' is set to 'Enabled'
18.4.7 (L1) Ensure 'LSA Protection' is set to 'Enabled'
18.4.8 (L1) Ensure 'NetBT NodeType configuration' is set to 'Enabled: P-node (recommended)'
18.4.9 (L1) Ensure 'WDigest Authentication' is set to 'Disabled'
18.5.1 (L1) Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon' is set to 'Disabled'
18.5.12 (L1) Ensure 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' is set to 'Enabled: 90% or less'
18.5.2 (L1) Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level' is set to 'Enabled: Highest protection, source routing is completely disabled'
18.5.3 (L1) Ensure 'MSS: (DisableIPSourceRouting) IP source routing protection level' is set to 'Enabled: Highest protection, source routing is completely disabled'
18.5.4 (L1) Ensure 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' is set to 'Disabled'
18.5.6 (L1) Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' is set to 'Enabled'
18.5.8 (L1) Ensure 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode' is set to 'Enabled'
18.5.9 (L1) Ensure 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires' is set to 'Enabled: 5 or fewer seconds'
18.6.11.3 (L1) Ensure 'Prohibit use of Internet Connection Sharing on your DNS domain network' is set to 'Enabled'
18.6.11.4 (L1) Ensure 'Require domain users to elevate when setting a network's location' is set to 'Enabled'
18.6.21.1 (L1) Ensure 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' is set to 'Enabled: 3 = Prevent Wi-Fi when on Ethernet'
18.6.4.1 (L1) Ensure 'Configure NetBIOS settings' is set to 'Enabled: Disable NetBIOS name resolution on public networks'
18.6.4.2 (L1) Ensure 'Turn off multicast name resolution' is set to 'Enabled'
18.6.8.1 (L1) Ensure 'Enable insecure guest logons' is set to 'Disabled'
18.7.1 (L1) Ensure 'Allow Print Spooler to accept client connections' is set to 'Disabled'
18.7.10 (L1) Ensure 'Point and Print Restrictions: When installing drivers for a new connection' is set to 'Enabled: Show warning and elevation prompt'
18.7.11 (L1) Ensure 'Point and Print Restrictions: When updating drivers for an existing connection' is set to 'Enabled: Show warning and elevation prompt'
18.7.8 (L1) Ensure 'Limits print driver installation to Administrators' is set to 'Enabled'
18.7.9 (L1) Ensure 'Manage processing of Queue-specific files' is set to 'Enabled: Limit Queue-specific files to Color profiles'
18.9.13.1 (L1) Ensure 'Boot-Start Driver Initialization Policy' is set to 'Enabled: Good, unknown and bad but critical'
18.9.19.2 (L1) Ensure 'Configure registry policy processing: Do not apply during periodic background processing' is set to 'Enabled: FALSE'
18.9.19.3 (L1) Ensure 'Configure registry policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled: TRUE'
18.9.19.4 (L1) Ensure 'Configure security policy processing: Do not apply during periodic background processing' is set to 'Enabled: FALSE'
18.9.19.5 (L1) Ensure 'Configure security policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled: TRUE'
18.9.19.6 (L1) Ensure 'Continue experiences on this device' is set to 'Disabled'
18.9.24.1 (L1) Ensure 'Enumeration policy for external devices incompatible with Kernel DMA Protection' is set to 'Enabled: Block All'
18.9.28.1 (L1) Ensure 'Block user from showing account details on sign-in' is set to 'Enabled'
18.9.28.2 (L1) Ensure 'Do not display network selection UI' is set to 'Enabled'
18.9.28.3 (L1) Ensure 'Do not enumerate connected users on domain-joined computers' is set to 'Enabled'
18.9.28.5 (L1) Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled'
18.9.28.6 (L1) Ensure 'Turn off picture password sign-in' is set to 'Enabled'
18.9.28.7 (L1) Ensure 'Turn on convenience PIN sign-in' is set to 'Disabled'
18.9.3.1 (L1) Ensure 'Include command line in process creation events' is set to 'Enabled'
18.9.33.6.3 (L1) Ensure 'Require a password when a computer wakes (on battery)' is set to 'Enabled'
18.9.33.6.4 (L1) Ensure 'Require a password when a computer wakes (plugged in)' is set to 'Enabled'
18.9.35.1 (L1) Ensure 'Configure Offer Remote Assistance' is set to 'Disabled'
18.9.35.2 (L1) Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled'
18.9.4.1 (L1) Ensure 'Encryption Oracle Remediation' is set to 'Enabled: Force Updated Clients'
18.9.4.2 (L1) Ensure 'Remote host allows delegation of non-exportable credentials' is set to 'Enabled'
18.9.7.2 (L1) Ensure 'Prevent device metadata retrieval from the Internet' is set to 'Enabled'
19.5.1.1 (L1) Ensure 'Turn off toast notifications on the lock screen' is set to 'Enabled'
19.7.5.1 (L1) Ensure 'Do not preserve zone information in file attachments' is set to 'Disabled'
19.7.8.1 (L1) Ensure 'Configure Windows spotlight on lock screen' is set to 'Disabled'
19.7.8.2 (L1) Ensure 'Do not suggest third-party content in Windows spotlight' is set to 'Enabled'
2.2.11 (L1) Ensure 'Back up files and directories' is set to 'Administrators'
2.2.15 (L1) Ensure 'Create a token object' is set to 'No One'
2.2.16 (L1) Ensure 'Create global objects' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE'
2.2.20 (L1) Ensure 'Debug programs' is set to 'Administrators'
2.2.21 (L1) Ensure 'Deny access to this computer from the network' to include 'Guests' (DC only)
2.2.23 (L1) Ensure 'Deny log on as a batch job' to include 'Guests'
2.2.26 (L1) Ensure 'Deny log on through Remote Desktop Services' to include 'Guests' (DC only)
2.2.28 (L1) Ensure 'Enable computer and user accounts to be trusted for delegation' is set to 'Administrators' (DC only)
2.2.31 (L1) Ensure 'Generate security audits' is set to 'LOCAL SERVICE, NETWORK SERVICE'
2.2.32 (L1) Ensure 'Impersonate a client after authentication' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE' (DC only)
2.2.35 (L1) Ensure 'Load and unload device drivers' is set to 'Administrators'
2.2.38 (L1) Ensure 'Manage auditing and security log' is set to 'Administrators' and (when Exchange is running in the environment) 'Exchange Servers' (DC only)
2.2.4 (L1) Ensure 'Act as part of the operating system' is set to 'No One'
2.2.41 (L1) Ensure 'Modify firmware environment values' is set to 'Administrators'
2.2.45 (L1) Ensure 'Replace a process level token' is set to 'LOCAL SERVICE, NETWORK SERVICE'
2.2.46 (L1) Ensure 'Restore files and directories' is set to 'Administrators'
2.2.49 (L1) Ensure 'Take ownership of files or other objects' is set to 'Administrators'
2.2.5 (L1) Ensure 'Add workstations to domain' is set to 'Administrators' (DC only)
2.2.6 (L1) Ensure 'Adjust memory quotas for a process' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE'
2.2.9 (L1) Ensure 'Allow log on through Remote Desktop Services' is set to 'Administrators' (DC only)
2.3.10.6 (L1) Configure 'Network access: Named Pipes that can be accessed anonymously' (DC only)
2.3.10.9 (L1) Configure 'Network access: Remotely accessible registry paths and sub-paths' is configured
2.3.11.10 (L1) Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' is set to 'Require NTLMv2 session security, Require 128-bit encryption'
2.3.11.4 (L1) Ensure 'Network security: Configure encryption types allowed for Kerberos' is set to 'AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types'
2.3.11.6 (L1) Ensure 'Network security: Force logoff when logon hours expire' is set to 'Enabled'
2.3.11.7 (L1) Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 response only. Refuse LM & NTLM'
2.3.11.8 (L1) Ensure 'Network security: LDAP client signing requirements' is set to 'Negotiate signing' or higher
2.3.11.9 (L1) Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' is set to 'Require NTLMv2 session security, Require 128-bit encryption'
2.3.17.1 (L1) Ensure 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is set to 'Enabled'
2.3.17.3 (L1) Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to 'Automatically deny elevation requests'
2.3.5.2 (L1) Ensure 'Domain controller: Allow vulnerable Netlogon secure channel connections' is set to 'Not Configured' (DC Only)
2.3.5.3 (L1) Ensure 'Domain controller: LDAP server channel binding token requirements' is set to 'Always' (DC Only)
2.3.5.4 (L1) Ensure 'Domain controller: LDAP server signing requirements' is set to 'Require signing' (DC only)
2.3.7.2 (L1) Ensure 'Interactive logon: Don't display last signed-in' is set to 'Enabled'
2.3.8.1 (L1) Ensure 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled'
2.3.8.2 (L1) Ensure 'Microsoft network client: Digitally sign communications (if server agrees)' is set to 'Enabled'
2.3.9.2 (L1) Ensure 'Microsoft network server: Digitally sign communications (always)' is set to 'Enabled'
2.3.9.3 (L1) Ensure 'Microsoft network server: Digitally sign communications (if client agrees)' is set to 'Enabled'
2.3.9.4 (L1) Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled'
5.1 (L1) Ensure 'Print Spooler (Spooler)' is set to 'Disabled' (DC only)
Miscellaneous
References updated.
Added
18.6.14.1 (L1) Ensure 'Hardened UNC Paths' is set to 'Enabled, with 'Require Mutual Authentication', 'Require Integrity', and 'Require Privacy' set for all NETLOGON and SYSVOL shares'
Removed
18.6.14.1 (L1) Ensure 'Hardened UNC Paths' is set to 'Enabled, with 'Require Mutual Authentication', 'Require Integrity', and 'Require Privacy' set for all NETLOGON and SYSVOL shares'