CSCv6|16.11

Title

Require multi-factor authentication for all user accounts that have access to sensitive data or systems.

Description

Require multi-factor authentication for all user accounts that have access to sensitive data or systems. Multi-factor authentication can be achieved using smart cards, certificates, One Time Password (OTP) tokens, or biometrics.

Reference Item Details

Category: Account Monitoring and Control

Family: Application

Audit Items

Name | Plugin | Audit Name
1.2.4.2.1.15 Set 'Configure use of smart cards on fixed data drives' to 'Enabled' | Windows | CIS Windows 8 L1 v1.0.0
1.2.4.2.1.16 Set 'Require use of smart cards on fixed data drives' to 'True' | Windows | CIS Windows 8 L1 v1.0.0
1.2.4.2.2.16 Set 'Allow BitLocker without a compatible TPM' to 'False' | Windows | CIS Windows 8 L1 v1.0.0
1.2.4.2.2.18 Set 'Configure TPM startup PIN:' to 'Require startup PIN with TPM' | Windows | CIS Windows 8 L1 v1.0.0
1.2.4.2.2.19 Set 'Configure TPM startup:' to 'Do not allow TPM' | Windows | CIS Windows 8 L1 v1.0.0
1.2.4.2.2.20 Set 'Configure TPM startup key:' to 'Do not allow startup key with TPM' | Windows | CIS Windows 8 L1 v1.0.0
1.2.4.2.2.25 Set 'Allow enhanced PINs for startup' to 'Enabled' | Windows | CIS Windows 8 L1 v1.0.0
1.2.4.2.3.15 Set 'Configure use of smart cards on removable data drives' to 'Enabled' | Windows | CIS Windows 8 L1 v1.0.0
1.2.4.2.3.16 Set 'Require use of smart cards on removable data drives' to 'True' | Windows | CIS Windows 8 L1 v1.0.0
18.9.11.1.11 Ensure 'Configure use of smart cards on fixed data drives' is set to 'Enabled' | Windows | CIS Windows 7 Workstation Level 2 + Bitlocker v3.2.0
18.9.11.1.11 Ensure 'Configure use of smart cards on fixed data drives' is set to 'Enabled' | Windows | CIS Windows 7 Workstation Bitlocker v3.2.0
18.9.11.1.11 Ensure 'Configure use of smart cards on fixed data drives' is set to 'Enabled' | Windows | CIS Windows 7 Workstation Level 1 + Bitlocker v3.2.0
18.9.11.1.12 Ensure 'Configure use of smart cards on fixed data drives: Require use of smart cards on fixed data drives' is set to 'Enabled: True' | Windows | CIS Windows 7 Workstation Bitlocker v3.2.0
18.9.11.1.12 Ensure 'Configure use of smart cards on fixed data drives: Require use of smart cards on fixed data drives' is set to 'Enabled: True' | Windows | CIS Windows 7 Workstation Level 2 + Bitlocker v3.2.0
18.9.11.1.12 Ensure 'Configure use of smart cards on fixed data drives: Require use of smart cards on fixed data drives' is set to 'Enabled: True' | Windows | CIS Windows 7 Workstation Level 1 + Bitlocker v3.2.0
18.9.11.1.15 (BL) Ensure 'Configure use of smart cards on fixed data drives' is set to 'Enabled' | Windows | CIS Microsoft Windows 8.1 v2.4.0 L1 Bitlocker
18.9.11.1.15 (BL) Ensure 'Configure use of smart cards on fixed data drives' is set to 'Enabled' | Windows | CIS Microsoft Windows 8.1 v2.4.0 L2 Bitlocker
18.9.11.1.15 Ensure 'Configure use of smart cards on fixed data drives' is set to 'Enabled' | Windows | CIS Microsoft Windows 10 Enterprise (Release 1809) v1.6.1 BL
18.9.11.1.16 (BL) Ensure 'Configure use of smart cards on fixed data drives: Require use of smart cards on fixed data drives' is set to 'Enabled: True' | Windows | CIS Microsoft Windows 8.1 v2.4.0 L2 Bitlocker
18.9.11.1.16 (BL) Ensure 'Configure use of smart cards on fixed data drives: Require use of smart cards on fixed data drives' is set to 'Enabled: True' | Windows | CIS Microsoft Windows 8.1 v2.4.0 L1 Bitlocker
18.9.11.1.16 Ensure 'Configure use of smart cards on fixed data drives: Require use of smart cards on fixed data drives' is set to 'Enabled: True' | Windows | CIS Microsoft Windows 10 Enterprise (Release 1809) v1.6.1 BL
18.9.11.2.1 (BL) Ensure 'Allow enhanced PINs for startup' is set to 'Enabled' | Windows | CIS Microsoft Windows 8.1 v2.4.0 L2 Bitlocker
18.9.11.2.1 (BL) Ensure 'Allow enhanced PINs for startup' is set to 'Enabled' | Windows | CIS Microsoft Windows 8.1 v2.4.0 L1 Bitlocker
18.9.11.2.1 Ensure 'Allow enhanced PINs for startup' is set to 'Enabled' | Windows | CIS Windows 7 Workstation Bitlocker v3.2.0
18.9.11.2.1 Ensure 'Allow enhanced PINs for startup' is set to 'Enabled' | Windows | CIS Microsoft Windows 11 Enterprise v1.0.0 BL
18.9.11.2.1 Ensure 'Allow enhanced PINs for startup' is set to 'Enabled' | Windows | CIS Microsoft Windows 11 Enterprise v1.0.0 L2 + BL
18.9.11.2.1 Ensure 'Allow enhanced PINs for startup' is set to 'Enabled' | Windows | CIS Microsoft Windows 11 Enterprise v1.0.0 L1 + BL
18.9.11.2.1 Ensure 'Allow enhanced PINs for startup' is set to 'Enabled' | Windows | CIS Microsoft Windows 11 Enterprise v1.0.0 L1 + BL + NG
18.9.11.2.1 Ensure 'Allow enhanced PINs for startup' is set to 'Enabled' | Windows | CIS Windows 7 Workstation Level 1 + Bitlocker v3.2.0
18.9.11.2.1 Ensure 'Allow enhanced PINs for startup' is set to 'Enabled' | Windows | CIS Windows 7 Workstation Level 2 + Bitlocker v3.2.0
18.9.11.2.1 Ensure 'Allow enhanced PINs for startup' is set to 'Enabled' | Windows | CIS Microsoft Windows 11 Enterprise v1.0.0 L2 + BL + NG
18.9.11.2.1 Ensure 'Allow enhanced PINs for startup' is set to 'Enabled' | Windows | CIS Microsoft Windows 10 Enterprise (Release 1809) v1.6.1 BL
18.9.11.2.12 Ensure 'Require additional authentication at startup: Allow BitLocker without a compatible TPM' is set to 'Enabled: False' | Windows | CIS Windows 7 Workstation Bitlocker v3.2.0
18.9.11.2.12 Ensure 'Require additional authentication at startup: Allow BitLocker without a compatible TPM' is set to 'Enabled: False' | Windows | CIS Windows 7 Workstation Level 2 + Bitlocker v3.2.0
18.9.11.2.12 Ensure 'Require additional authentication at startup: Allow BitLocker without a compatible TPM' is set to 'Enabled: False' | Windows | CIS Windows 7 Workstation Level 1 + Bitlocker v3.2.0
18.9.11.2.13 Ensure 'Require additional authentication at startup: Configure TPM startup:' is set to 'Enabled: Do not allow TPM' | Windows | CIS Windows 7 Workstation Bitlocker v3.2.0
18.9.11.2.13 Ensure 'Require additional authentication at startup: Configure TPM startup:' is set to 'Enabled: Do not allow TPM' | Windows | CIS Windows 7 Workstation Level 2 + Bitlocker v3.2.0
18.9.11.2.13 Ensure 'Require additional authentication at startup: Configure TPM startup:' is set to 'Enabled: Do not allow TPM' | Windows | CIS Windows 7 Workstation Level 1 + Bitlocker v3.2.0
18.9.11.2.14 Ensure 'Require additional authentication at startup: Configure TPM startup PIN:' is set to 'Enabled: Require startup PIN with TPM' | Windows | CIS Windows 7 Workstation Bitlocker v3.2.0
18.9.11.2.14 Ensure 'Require additional authentication at startup: Configure TPM startup PIN:' is set to 'Enabled: Require startup PIN with TPM' | Windows | CIS Windows 7 Workstation Level 2 + Bitlocker v3.2.0
18.9.11.2.14 Ensure 'Require additional authentication at startup: Configure TPM startup PIN:' is set to 'Enabled: Require startup PIN with TPM' | Windows | CIS Windows 7 Workstation Level 1 + Bitlocker v3.2.0
18.9.11.2.15 Ensure 'Require additional authentication at startup: Configure TPM startup key:' is set to 'Enabled: Do not allow startup key with TPM' | Windows | CIS Windows 7 Workstation Bitlocker v3.2.0
18.9.11.2.15 Ensure 'Require additional authentication at startup: Configure TPM startup key:' is set to 'Enabled: Do not allow startup key with TPM' | Windows | CIS Windows 7 Workstation Level 2 + Bitlocker v3.2.0
18.9.11.2.15 Ensure 'Require additional authentication at startup: Configure TPM startup key:' is set to 'Enabled: Do not allow startup key with TPM' | Windows | CIS Windows 7 Workstation Level 1 + Bitlocker v3.2.0
18.9.11.2.16 Ensure 'Require additional authentication at startup: Configure TPM startup key and PIN:' is set to 'Enabled: Do not allow startup key and PIN with TPM' | Windows | CIS Windows 7 Workstation Level 1 + Bitlocker v3.2.0
18.9.11.2.16 Ensure 'Require additional authentication at startup: Configure TPM startup key and PIN:' is set to 'Enabled: Do not allow startup key and PIN with TPM' | Windows | CIS Windows 7 Workstation Level 2 + Bitlocker v3.2.0
18.9.11.2.16 Ensure 'Require additional authentication at startup: Configure TPM startup key and PIN:' is set to 'Enabled: Do not allow startup key and PIN with TPM' | Windows | CIS Windows 7 Workstation Bitlocker v3.2.0
18.9.11.2.17 Ensure 'Require additional authentication at startup: Allow BitLocker without a compatible TPM' is set to 'Enabled: False' | Windows | CIS Microsoft Windows 10 Enterprise (Release 1809) v1.6.1 BL
18.9.11.2.18 (BL) Ensure 'Require additional authentication at startup: Allow BitLocker without a compatible TPM' is set to 'Enabled: False' | Windows | CIS Microsoft Windows 8.1 v2.4.0 L2 Bitlocker
18.9.11.2.18 (BL) Ensure 'Require additional authentication at startup: Allow BitLocker without a compatible TPM' is set to 'Enabled: False' | Windows | CIS Microsoft Windows 8.1 v2.4.0 L1 Bitlocker