| 1.1 Set 'Allow software to run or install even if the signature is invalid' to 'Disabled' | CIS IE 9 v1.0.0 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| 1.2 Set 'Prevent Bypassing SmartScreen Filter Warnings' to 'Enabled' | CIS IE 9 v1.0.0 | Windows | SYSTEM AND INFORMATION INTEGRITY |
| 1.3 Enable 'Prevent users from bypassing SmartScreen Filter's application reputation warnings about files that are not commonly downloaded' | CIS IE 9 v1.0.0 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.2.2 Ensure 'Access this computer from the network' is set to 'Administrators, Authenticated Users, ENTERPRISE DOMAIN CONTROLLERS' (DC only) | CIS Azure Compute Microsoft Windows Server 2022 v1.0.0 L1 DC | Windows | CONFIGURATION MANAGEMENT |
| 2.2.2 Ensure 'Access this computer from the network' is set to 'Administrators, Remote Desktop Users' | CIS Microsoft Windows 8.1 v2.4.1 L1 | Windows | CONFIGURATION MANAGEMENT |
| 2.3.5.5 (L1) Ensure 'Domain controller: LDAP server signing requirements Enforcement' is set to 'Enabled' (DC only) | CIS Microsoft Windows Server 2025 v1.0.0 L1 DC | Windows | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.3.9.5 Ensure 'Microsoft network server: Server SPN target name validation level' is set to 'Accept if provided by client' or higher (MS only) - Accept if provided by client or higher | CIS Azure Compute Microsoft Windows Server 2022 v1.0.0 L1 MS | Windows | CONFIGURATION MANAGEMENT |
| 2.5 Ensure firewall filters contain explicit deny and log term | CIS Juniper OS Benchmark v2.1.0 L2 | Juniper | SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.2.2 Ensure minimum password age is configured | CIS IBM AIX 7 v1.0.0 L2 | Unix | IDENTIFICATION AND AUTHENTICATION |
| 7.1 Set 'Restrict File Download' to 'Enabled' - explorer.exe | CIS IE 9 v1.0.0 | Windows | CONFIGURATION MANAGEMENT |
| 7.2 Set 'Notification bar' to 'Enabled' -explorer.exe | CIS IE 9 v1.0.0 | Windows | CONFIGURATION MANAGEMENT |
| 7.4 Set 'Consistent Mime Handling' to 'Enabled' - iexplore.exe | CIS IE 9 v1.0.0 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| 7.8 Set 'MK Protocol Security Restriction' to 'Enabled' - explorer.exe | CIS IE 9 v1.0.0 | Windows | CONFIGURATION MANAGEMENT |
| 8.1.2 Set 'Allow drag and drop or copy and paste files' to 'Enabled:Disable' | CIS IE 9 v1.0.0 | Windows | CONFIGURATION MANAGEMENT |
| 8.1.2 Set 'Allow paste operations via script' to 'Enabled:Disable' | CIS IE 11 v1.0.0 | Windows | CONFIGURATION MANAGEMENT |
| 8.1.6 Set 'Allow script- initiated windows without size or position constraints' to 'Enabled:Disable' | CIS IE 9 v1.0.0 | Windows | CONFIGURATION MANAGEMENT |
| 8.1.8 Set 'Download signed ActiveX controls' to 'Enabled:Disable' | CIS IE 9 v1.0.0 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| 8.1.9 Set 'Download unsigned ActiveX controls' to 'Enabled:Disable' | CIS IE 9 v1.0.0 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| 8.1.26 Set 'Enable dragging of content from different domains within a window' to 'Enabled:Disable' | CIS IE 11 v1.0.0 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| 8.2.1 Set 'Intranet Sites: Include all network paths (UNCs)' to 'Disabled' | CIS IE 9 v1.0.0 | Windows | CONFIGURATION MANAGEMENT |
| 8.2.2 Set 'Initialize and script ActiveX controls not marked as safe' to 'Enabled:Disable' | CIS IE 11 v1.0.0 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| 8.2.3 Set 'Intranet Sites: Include all network paths (UNCs)' to 'Disabled' | CIS IE 11 v1.0.0 | Windows | CONFIGURATION MANAGEMENT |
| 8.3.5 Set 'Allow file downloads' to 'Enabled:Disable' | CIS IE 9 v1.0.0 | Windows | CONFIGURATION MANAGEMENT |
| 8.3.10 Set 'Protected Mode' to 'Enabled:Enable' | CIS IE 11 v1.0.0 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| 8.3.11 Set 'Automatic prompting for file downloads' to 'Enabled:Disable' | CIS IE 9 v1.0.0 | Windows | CONFIGURATION MANAGEMENT |
| 8.3.12 Set 'Download signed ActiveX controls' to 'Enabled:Disable' | CIS IE 9 v1.0.0 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| 8.3.13 Set 'Automatic prompting for file downloads' to 'Enabled:Disable' | CIS IE 11 v1.0.0 | Windows | CONFIGURATION MANAGEMENT |
| 8.3.15 Set 'Allow font downloads' to 'Enabled:Disable' | CIS IE 11 v1.0.0 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| 8.3.15 Set 'Initialize and script ActiveX controls not marked as safe' to 'Enabled:Disable' | CIS IE 9 v1.0.0 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| 8.3.18 Set 'Allow Binary and Script Behaviors' to 'Enabled:Disable' | CIS IE 11 v1.0.0 | Windows | CONFIGURATION MANAGEMENT |
| 8.3.22 Set 'Run .NET Framework- reliant components signed with Authenticode' to 'Enabled:Disable' | CIS IE 9 v1.0.0 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| 8.3.26 Set 'Software channel permissions' to 'Enabled:High safety' | CIS IE 9 v1.0.0 | Windows | ACCESS CONTROL |
| 8.3.29 Set 'Web sites in less privileged Web content zones can navigate into this zone' to 'Enabled:Disable' | CIS IE 9 v1.0.0 | Windows | ACCESS CONTROL |
| 8.3.30 Set 'Allow META REFRESH' to 'Enabled:Disable' | CIS IE 11 v1.0.0 | Windows | CONFIGURATION MANAGEMENT |
| 8.3.35 Set 'Enable dragging of content from different domains within a window' to 'Enabled:Disable' | CIS IE 11 v1.0.0 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| 8.3.42 Set 'Don't run antimalware programs against ActiveX controls' to 'Enabled:Disabled' | CIS IE 11 v1.0.0 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| 8.4.1 Set 'Use SmartScreen Filter' to 'Enabled:Enable' | CIS IE 9 v1.0.0 | Windows | SYSTEM AND INFORMATION INTEGRITY |
| 8.5.1 Set 'Java permissions' to 'Enabled:High safety' | CIS IE 11 v1.0.0 | Windows | CONFIGURATION MANAGEMENT |
| 8.6.1 Set 'Use SmartScreen Filter' to 'Enabled:Enable' | CIS IE 11 v1.0.0 | Windows | SYSTEM AND INFORMATION INTEGRITY |
| 8.7.2 Set 'Use SmartScreen Filter' to 'Enabled:Enable' | CIS IE 9 v1.0.0 | Windows | SYSTEM AND INFORMATION INTEGRITY |
| 8.8.2 Set 'Only allow approved domains to use ActiveX controls without prompt' to 'Enabled:Enable' | CIS IE 11 v1.0.0 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| 8.11 Set 'Security Zones: Use only machine settings' to 'Enabled' | CIS IE 9 v1.0.0 | Windows | CONFIGURATION MANAGEMENT |
| 8.12 Set 'Security Zones: Do not allow users to add/delete sites' to 'Enabled' | CIS IE 11 v1.0.0 | Windows | CONFIGURATION MANAGEMENT |
| 9.2 Set 'Disable the Advanced page' to 'Enabled' | CIS IE 11 v1.0.0 | Windows | CONFIGURATION MANAGEMENT |
| 9.11 Configure 'Disable changing connection settings' | CIS IE 11 v1.0.0 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| 9.14 Set 'Turn on the auto-complete feature for user names and passwords on forms' to 'Disabled' | CIS IE 11 v1.0.0 | Windows | CONFIGURATION MANAGEMENT |
| 9.15 Set 'Turn on 64-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows' to 'Enabled' | CIS IE 11 v1.0.0 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| 18.8.7.1.2 (BL) Ensure 'Prevent installation of devices that match any of these device IDs: Prevent installation of devices that match any of these device IDs' is set to 'PCI\CC_0C0A' | CIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker | Windows | MEDIA PROTECTION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 18.9.7.1.2 (BL) Ensure 'Prevent installation of devices that match any of these device IDs: Prevent installation of devices that match any of these device IDs' is set to 'PCI\CC_0C0A' | CIS Microsoft Windows 10 Enterprise v4.0.0 BL | Windows | MEDIA PROTECTION |
| 18.9.25.7 Ensure 'Password Settings: Password Age (Days)' is set to 'Enabled: 60 or fewer' (STIG only) | CIS Microsoft Windows Server 2022 STIG v2.0.0 STIG MS | Windows | IDENTIFICATION AND AUTHENTICATION |
