CSCv6|10.3

Title

Ensure that backups are properly protected via physical security or encryption when they are stored, as well as when they are moved across the network.

Description

Ensure that backups are properly protected via physical security or encryption when they are stored, as well as when they are moved across the network. This includes remote backups and cloud services.

Reference Item Details

Category: Data Recovery Capability

Family: System

Audit Items

View all Reference Audit Items

NamePluginAudit Name
1.2.4.2.1.4 Set 'Recovery Key' to 'Allow 256-bit recovery key'WindowsCIS Windows 8 L1 v1.0.0
1.2.4.2.1.5 Set 'Recovery Password' to 'Allow 48-digit recovery password'WindowsCIS Windows 8 L1 v1.0.0
1.2.4.2.1.9 Set 'Allow data recovery agent' to 'True'WindowsCIS Windows 8 L1 v1.0.0
1.2.4.2.1.10 Set 'Choose how BitLocker-protected fixed drives can be recovered' to 'Enabled'WindowsCIS Windows 8 L1 v1.0.0
1.2.4.2.1.11 Set 'Do not enable BitLocker until recovery information is stored to AD DS for fixed data drives' to 'False'WindowsCIS Windows 8 L1 v1.0.0
1.2.4.2.1.12 Set 'Configure storage of BitLocker recovery information to AD DS:' to 'Backup recovery passwords and key packages'WindowsCIS Windows 8 L1 v1.0.0
1.2.4.2.1.13 Set 'Save BitLocker recovery information to AD DS for fixed data drives' to 'False'WindowsCIS Windows 8 L1 v1.0.0
1.2.4.2.1.14 Set 'Omit recovery options from the BitLocker setup wizard' to 'True'WindowsCIS Windows 8 L1 v1.0.0
1.2.4.2.2.4 Set 'Recovery Key' to 'Do not allow 256-bit recovery key'WindowsCIS Windows 8 L1 v1.0.0
1.2.4.2.2.5 Set 'Recovery Password' to 'Require 48-digit recovery password'WindowsCIS Windows 8 L1 v1.0.0
1.2.4.2.2.9 Set 'Allow data recovery agent' to 'False'WindowsCIS Windows 8 L1 v1.0.0
1.2.4.2.2.10 Set 'Choose how BitLocker-protected operating system drives can be recovered' to 'Enabled'WindowsCIS Windows 8 L1 v1.0.0
1.2.4.2.2.11 Set 'Do not enable BitLocker until recovery information is stored to AD DS for operating system drives' to 'True'WindowsCIS Windows 8 L1 v1.0.0
1.2.4.2.2.12 Set 'Configure storage of BitLocker recovery information to AD DS:' to 'Store recovery passwords and key packages'WindowsCIS Windows 8 L1 v1.0.0
1.2.4.2.2.13 Set 'Save BitLocker recovery information to AD DS for operating system drives' to 'True'WindowsCIS Windows 8 L1 v1.0.0
1.2.4.2.2.14 Set 'Omit recovery options from the BitLocker setup wizard' to 'True'WindowsCIS Windows 8 L1 v1.0.0
1.2.4.2.3.4 Set 'Recovery Key' to 'Do not allow 256-bit recovery key'WindowsCIS Windows 8 L1 v1.0.0
1.2.4.2.3.9 Set 'Allow data recovery agent' to 'True'WindowsCIS Windows 8 L1 v1.0.0
1.2.4.2.3.10 Set 'Choose how BitLocker-protected removable drives can be recovered' to 'Enabled'WindowsCIS Windows 8 L1 v1.0.0
1.2.4.2.3.11 Set 'Do not enable BitLocker until recovery information is stored to AD DS for removable data drives' to 'False'WindowsCIS Windows 8 L1 v1.0.0
1.2.4.2.3.12 Set 'Configure storage of BitLocker recovery information to AD DS:' to 'Backup recovery passwords and key packages'WindowsCIS Windows 8 L1 v1.0.0
1.2.4.2.3.13 Set 'Save BitLocker recovery information to AD DS for removable data drives' to 'False'WindowsCIS Windows 8 L1 v1.0.0
1.2.4.2.3.14 Set 'Omit recovery options from the BitLocker setup wizard' to 'True'WindowsCIS Windows 8 L1 v1.0.0
18.9.11.1.2 (BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered' is set to 'Enabled'WindowsCIS Microsoft Windows 8.1 v2.4.0 L1 Bitlocker
18.9.11.1.2 (BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered' is set to 'Enabled'WindowsCIS Microsoft Windows 8.1 v2.4.0 L2 Bitlocker
18.9.11.1.2 Ensure 'Choose how BitLocker-protected fixed drives can be recovered' is set to 'Enabled'WindowsCIS Microsoft Windows 11 Enterprise v1.0.0 BL
18.9.11.1.2 Ensure 'Choose how BitLocker-protected fixed drives can be recovered' is set to 'Enabled'WindowsCIS Microsoft Windows 11 Enterprise v1.0.0 L2 + BL
18.9.11.1.2 Ensure 'Choose how BitLocker-protected fixed drives can be recovered' is set to 'Enabled'WindowsCIS Windows 7 Workstation Level 2 + Bitlocker v3.2.0
18.9.11.1.2 Ensure 'Choose how BitLocker-protected fixed drives can be recovered' is set to 'Enabled'WindowsCIS Microsoft Windows 10 Enterprise (Release 1809) v1.6.1 BL
18.9.11.1.2 Ensure 'Choose how BitLocker-protected fixed drives can be recovered' is set to 'Enabled'WindowsCIS Microsoft Windows 11 Enterprise v1.0.0 L2 + BL + NG
18.9.11.1.2 Ensure 'Choose how BitLocker-protected fixed drives can be recovered' is set to 'Enabled'WindowsCIS Microsoft Windows 11 Enterprise v1.0.0 L1 + BL
18.9.11.1.2 Ensure 'Choose how BitLocker-protected fixed drives can be recovered' is set to 'Enabled'WindowsCIS Windows 7 Workstation Level 1 + Bitlocker v3.2.0
18.9.11.1.2 Ensure 'Choose how BitLocker-protected fixed drives can be recovered' is set to 'Enabled'WindowsCIS Windows 7 Workstation Bitlocker v3.2.0
18.9.11.1.2 Ensure 'Choose how BitLocker-protected fixed drives can be recovered' is set to 'Enabled'WindowsCIS Microsoft Windows 11 Enterprise v1.0.0 L1 + BL + NG
18.9.11.1.3 (BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Allow data recovery agent' is set to 'Enabled: True'WindowsCIS Microsoft Windows 8.1 v2.4.0 L1 Bitlocker
18.9.11.1.3 (BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Allow data recovery agent' is set to 'Enabled: True'WindowsCIS Microsoft Windows 8.1 v2.4.0 L2 Bitlocker
18.9.11.1.3 Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Allow data recovery agent' is set to 'Enabled: True'WindowsCIS Microsoft Windows 11 Enterprise v1.0.0 BL
18.9.11.1.3 Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Allow data recovery agent' is set to 'Enabled: True'WindowsCIS Microsoft Windows 11 Enterprise v1.0.0 L2 + BL
18.9.11.1.3 Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Allow data recovery agent' is set to 'Enabled: True'WindowsCIS Microsoft Windows 10 Enterprise (Release 1809) v1.6.1 BL
18.9.11.1.3 Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Allow data recovery agent' is set to 'Enabled: True'WindowsCIS Microsoft Windows 11 Enterprise v1.0.0 L1 + BL + NG
18.9.11.1.3 Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Allow data recovery agent' is set to 'Enabled: True'WindowsCIS Windows 7 Workstation Level 2 + Bitlocker v3.2.0
18.9.11.1.3 Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Allow data recovery agent' is set to 'Enabled: True'WindowsCIS Microsoft Windows 11 Enterprise v1.0.0 L2 + BL + NG
18.9.11.1.3 Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Allow data recovery agent' is set to 'Enabled: True'WindowsCIS Windows 7 Workstation Bitlocker v3.2.0
18.9.11.1.3 Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Allow data recovery agent' is set to 'Enabled: True'WindowsCIS Windows 7 Workstation Level 1 + Bitlocker v3.2.0
18.9.11.1.3 Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Allow data recovery agent' is set to 'Enabled: True'WindowsCIS Microsoft Windows 11 Enterprise v1.0.0 L1 + BL
18.9.11.1.4 (BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Recovery Password' is set to 'Enabled: Allow 48-digit recovery password'WindowsCIS Microsoft Windows 8.1 v2.4.0 L2 Bitlocker
18.9.11.1.4 (BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Recovery Password' is set to 'Enabled: Allow 48-digit recovery password'WindowsCIS Microsoft Windows 8.1 v2.4.0 L1 Bitlocker
18.9.11.1.4 Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Recovery Password' is set to 'Enabled: Allow 48-digit recovery password'WindowsCIS Microsoft Windows 11 Enterprise v1.0.0 BL
18.9.11.1.4 Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Recovery Password' is set to 'Enabled: Allow 48-digit recovery password'WindowsCIS Windows 7 Workstation Level 2 + Bitlocker v3.2.0
18.9.11.1.4 Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Recovery Password' is set to 'Enabled: Allow 48-digit recovery password'WindowsCIS Microsoft Windows 11 Enterprise v1.0.0 L2 + BL + NG