UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Windows 8 Security Technical Implementation Guide


Overview

Date Finding Count (408)
2012-11-21 CAT I (High): 34 CAT II (Med): 278 CAT III (Low): 96
STIG Description
The Windows 8 Security Technical Implementation Guide (STIG) is published as a tool to improve the security of Department of Defense (DoD) information systems. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.letterkenny.FSO.mbx.stig-customer-support-mailbox@mail.mil.

Available Profiles



Findings (MAC I - Mission Critical Sensitive)

Finding ID Severity Title
WN08-SO-000058 High Anonymous access to Named Pipes and Shares must be restricted.
WN08-SO-000059 High Network shares that can be accessed anonymously must not be allowed.
WN08-SO-000052 High Anonymous enumeration of shares must be restricted.
WN08-SO-000050 High Anonymous SID/Name translation must not be allowed.
WN08-SO-000051 High Anonymous enumeration of SAM accounts must not be allowed.
WN08-SO-000056 High Unauthorized remotely accessible registry paths must not be configured.
WN08-SO-000057 High Unauthorized remotely accessible registry paths and sub-paths must not be configured.
WN08-SO-000055 High Named pipes that can be accessed anonymously must be configured to contain no values.
WN08-GE-000014 High Anonymous access to the registry must be restricted.
WN08-GE-000016 High Internet Information System (IIS) or its subcomponents must not be installed on a workstation.
WN08-GE-000018 High DoD information system access must require the use of a password.
WN08-00-000007 High Unencrypted remote access to system services must not be permitted.
WN08-FW-000011 High The Windows Firewall must block unsolicited inbound connections for the Private Profile.
WN08-SO-000067 High The LanMan authentication level must be set to send NTLMv2 response only, and to refuse LM & NTLM.
WN08-SO-000065 High The system must be configured to prevent the storage of the LAN Manager hash of passwords.
WN08-FW-000020 High The Windows Firewall must block unsolicited inbound connections for the Public Profile.
WN08-SO-000004 High Local accounts with blank passwords must be restricted to prevent access from the network.
WN08-CC-000074 High Autoplay must be disabled for all drives.
WN08-UR-000003 High Unauthorized accounts must not be granted the "Act as part of the operating system" user right.
WN08-RG-000001 High Standard user accounts must only have Read permissions to the Winlogon registry key.
WN08-RG-000002 High Standard user accounts must only have Read permissions to the Active Setup\Installed Components registry key.
WN08-00-000015 High Policy must require that no web browser be run by an administrative user account, except as necessary for local service administration.
WN08-UR-000017 High The "Deny Access to this computer from the network" user right must be configured to include Guests.
WN08-UR-000016 High Unauthorized accounts must not have the "Debug programs" user right.
WN08-UR-000012 High Unauthorized accounts must not have the "Create a token object" user right.
WN08-SO-000071 High The Recovery Console option must be set to prevent automatic logon to the system.
WN08-CC-000116 High The Windows Installer "Always install with elevated privileges" must be disabled.
WN08-CC-000059 High Solicited Remote Assistance must not be allowed.
WN08-FW-000002 High The Windows Firewall must block unsolicited inbound connections for the Domain Profile.
WN08-GE-000002 High An approved DoD virus scan program must be used and kept updated.
WN08-00-000012 High The system must not use removable media as the boot loader.
WN08-00-000013 High Mobile systems must encrypt all data per the DoD Data at Rest policy.
WN08-GE-000001 High Systems must be maintained at a supported service pack level.
WN08-GE-000005 High Local volumes must be formatted using NTFS.
WN08-CC-000019 Medium Remote access to the Plug and Play interface must be disabled for device installation.
WN08-CC-000012 Medium The configuration of wireless devices using Windows Connect Now must be disabled.
WN08-CC-000013 Medium The Windows Connect Now wizards must be disabled.
WN08-CC-000010 Medium The Teredo IPv6 transition technology must be disabled.
WN08-CC-000014 Medium Simultaneous connections to the Internet or a Windows domain must be blocked.
WN08-CC-000015 Medium Connections to non-domain networks when connected to a domain authenticated network must be blocked.
WN08-GE-000035 Medium The Windows 8 Video app must be removed from the system.
WN08-MO-000007 Medium The system must notify the user when a Bluetooth device attempts to connect.
WN08-MO-000006 Medium Bluetooth must be turned off when not in use.
WN08-MO-000005 Medium Bluetooth must be turned off unless approved by the organization.
WN08-MO-000004 Medium Mobile devices beyond standard laptops must be managed with a mobile device manager per MDM requirements.
WN08-MO-000003 Medium The VPN client on mobile devices must use either IPSec or SSL/TLS when connecting to DoD networks.
WN08-MO-000002 Medium The VPN client on mobile devices must disable split tunneling.
WN08-CC-000126 Medium The WinRM service must not use Basic authentication.
WN08-SO-000062 Medium NTLM must be prevented from falling back to a Null session.
WN08-SO-000061 Medium Services using Local System that use Negotiate when reverting to NTLM authentication must use the computer identity vs. authenticating anonymously.
WN08-SO-000060 Medium The system must be configured to use the Classic security model.
WN08-CC-000122 Medium Media Player must be configured to prevent automatic checking for updates.
WN08-CC-000123 Medium The WinRM client must not use Basic authentication.
WN08-CC-000120 Medium Windows Media Digital Rights Management must be prevented from accessing the Internet.
WN08-SO-000069 Medium The system must be configured to meet the minimum session security requirement for NTLM SSP based clients.
WN08-SO-000068 Medium The system must be configured to the required LDAP client signing level.
WN08-CC-000128 Medium The WinRM service must not store RunAs credentials.
WN08-CC-000129 Medium Automatic Updates must not be used (unless configured to point to a DoD server).
WN08-CC-000081 Medium EMET Default Protections for other popular software must be enabled.
WN08-CC-000080 Medium EMET Default Protections for MS Works, Office, Adobe Reader, and Acrobat must be enabled.
WN08-CC-000083 Medium EMET system-wide Structured Exception Handler Overwrite Protection (SEHOP) must be enabled and configured to Application Opt-in.
WN08-CC-000082 Medium EMET system-wide Data Execution Prevention (DEP) must be enabled and configured to Application Opt-in.
WN08-CC-000085 Medium The Security event log must be configured to a minimum size requirement.
WN08-CC-000084 Medium The Application event log must be configured to a minimum size requirement.
WN08-CC-000087 Medium The System event log must be configured to a minimum size requirement.
WN08-CC-000086 Medium The Setup event log must be configured to a minimum size requirement.
WN08-CC-000089 Medium Explorer Data Execution Prevention must be enabled.
WN08-SO-000085 Medium User Account Control must virtualize file and registry write failures to per-user locations.
WN08-SO-000084 Medium User Account Control must switch to the secure desktop when prompting for elevation.
WN08-SO-000081 Medium Windows must elevate all applications in User Account Control, not just signed ones.
WN08-SO-000080 Medium User Account Control must be configured to detect application installations and prompt for elevation.
WN08-SO-000083 Medium User Account Control must run all administrators in Admin Approval Mode, enabling UAC.
WN08-SO-000082 Medium User Account Control must only elevate UIAccess applications that are installed in secure locations.
WN08-UR-000037 Medium Unauthorized accounts must not have the "Profile system performance" user right.
WN08-SO-000017 Medium The system must be configured to require a strong session key.
WN08-SO-000014 Medium Outgoing secure channel traffic must be signed when possible.
WN08-SO-000012 Medium Outgoing secure channel traffic must be encrypted or signed.
WN08-SO-000013 Medium Outgoing secure channel traffic must be encrypted when possible.
WN08-SO-000011 Medium Ejection of removable NTFS media must be restricted to Administrators.
WN08-SO-000019 Medium The Ctrl+Alt+Del security attention sequence for logons must be enabled.
WN08-AU-000005 Medium The system must be configured to audit "Account Management - Security Group Management" failures.
WN08-AU-000004 Medium The system must be configured to audit "Account Management - Other Account Management Events" successes.
WN08-AU-000007 Medium The system must be configured to audit "Account Management - User Account Management" failures.
WN08-AU-000006 Medium The system must be configured to audit "Account Management - Security Group Management" successes.
WN08-AU-000001 Medium The system must be configured to audit "Account Logon - Credential Validation" failures.
WN08-AU-000003 Medium The system must be configured to audit "Account Management - Other Account Management Events" failures.
WN08-AU-000002 Medium The system must be configured to audit "Account Logon - Credential Validation" successes.
WN08-UR-000039 Medium Unauthorized accounts must not have the "Replace a process level token" user right.
WN08-AU-000009 Medium The system must be configured to audit "Detailed Tracking - Process Creation" successes.
WN08-AU-000008 Medium The system must be configured to audit "Account Management - User Account Management" successes.
WN08-CC-000045 Medium The Windows Customer Experience Improvement Program must be disabled.
WN08-CC-000044 Medium Windows Messenger must be prevented from collecting anonymous information about how the service is used.
WN08-CC-000047 Medium Windows must be prevented from using Windows Update to search for drivers.
WN08-CC-000046 Medium The system must be configured to prevent automatic forwarding of error information.
WN08-CC-000041 Medium Search Companion must be prevented from automatically downloading content updates.
WN08-CC-000043 Medium File and folder Publish to Web option must be unavailable in Windows folders.
WN08-CC-000048 Medium Copying of user input methods to the system account for sign-in must be prevented.
WN08-MO-000009 Medium Built-in cameras must be disabled unless allowed by physical security policies.
WN08-MO-000008 Medium Wireless connections must conform to DoD policy and Wireless STIG Guidance.
WN08-UR-000035 Medium Unauthorized accounts must not have the "Perform volume maintenance tasks" user right.
WN08-UR-000034 Medium Unauthorized accounts must not have the "Modify firmware environment values" user right.
WN08-UC-000009 Medium Zone information must be preserved when saving attachments.
WN08-UR-000036 Medium Unauthorized accounts must not have the "Profile single process" user right.
WN08-UR-000031 Medium Unauthorized users must not have the "Log on as a service" user right.
WN08-UR-000030 Medium Unauthorized accounts must not have the "Log on as a batch job" user right.
WN08-UR-000033 Medium Unauthorized accounts must not have the "Modify an object label" user right.
WN08-UR-000032 Medium Unauthorized accounts must not have the "Manage auditing and security log" user right.
WN08-UC-000003 Medium The screen saver must be password protected.
WN08-UC-000001 Medium A screen saver must be enabled on the system.
WN08-UC-000007 Medium The Windows Help Experience Improvement Program must be disabled.
WN08-SO-000053 Medium The system must be configured to prevent the storage of passwords and credentials.
WN08-SO-000054 Medium The system must be configured to prevent anonymous users from having the same rights as the Everyone group.
WN08-GE-000010 Medium ACLs for system files and directories must conform to minimum requirements.
WN08-GE-000011 Medium Password complexity software that enforces DoD requirements must be installed.
WN08-GE-000012 Medium An Auditors group must be created to restrict access to the Windows Event Logs.
WN08-GE-000015 Medium File shares must be limited on a system.
WN08-GE-000017 Medium System mechanisms must be implemented to enforce automatic expiration of passwords.
WN08-GE-000019 Medium The HBSS McAfee Agent must be installed.
WN08-00-000009 Medium Administrator passwords must be changed as required.
WN08-00-000008 Medium The system must have an emergency administrator account.
WN08-00-000006 Medium Members of the Backup Operators group must have separate accounts for backup duties and normal operational tasks.
WN08-00-000005 Medium Users with Administrative privilege must be documented and have separate accounts for administrative duties and normal operational tasks.
WN08-00-000002 Medium Shared user accounts must not be permitted on the system.
WN08-00-000001 Medium Systems must be physically secured.
WN08-FW-000019 Medium The Windows Firewall must be enabled for the Public Profile.
WN08-FW-000014 Medium The Windows Firewall must block unicast response to multicast or broadcast messages for the Private Profile.
WN08-FW-000012 Medium The Windows Firewall must allow outbound connections, unless a rule explicitly blocks the connection for the Private Profile.
WN08-FW-000010 Medium The Windows Firewall must be enabled for the Private Profile.
WN08-SO-000063 Medium PKU2U authentication using online identities must be prevented.
WN08-CC-000127 Medium The WinRM service must not allow unencrypted traffic.
WN08-CC-000124 Medium The WinRM client must not allow unencrypted traffic.
WN08-CC-000009 Medium The ISATAP IPv6 transition technology must be disabled.
WN08-CC-000008 Medium The IP-HTTPS IPv6 transition technology must be disabled.
WN08-CC-000125 Medium The WinRM client must not use Digest authentication.
WN08-CC-000001 Medium The Mapper I/O network protocol driver must be disabled.
WN08-CC-000003 Medium Windows Peer-to-Peer networking services must be turned off.
WN08-CC-000002 Medium The Responder network protocol driver must be disabled.
WN08-CC-000004 Medium Network Bridges must be prohibited in Windows.
WN08-CC-000007 Medium The 6to4 IPv6 transition technology must be disabled.
WN08-SO-000064 Medium Kerberos encryption types must be configured to prevent the use of DES encryption suites.
WN08-FW-000024 Medium The Windows Firewall local connection rules must not be merged with Group Policy settings for the Public Profile.
WN08-FW-000025 Medium The Windows Firewall local firewall rules must not be merged with group policy settings for the Public Profile.
WN08-FW-000023 Medium The Windows Firewall must block unicast response to multicast or broadcast messages for the Public Profile.
WN08-FW-000021 Medium The Windows Firewall must allow outbound connections, unless a rule explicitly blocks the connection for the Public Profile.
WN08-SO-000005 Medium The built-in administrator account must be renamed.
WN08-SO-000007 Medium Auditing Access to Global System Objects must be turned off.
WN08-SO-000006 Medium The built-in guest account must be renamed.
WN08-SO-000001 Medium The built-in administrator account must be disabled.
WN08-SO-000003 Medium The built-in guest account must be disabled.
WN08-SO-000002 Medium Use of Microsoft accounts to log on must be blocked.
WN08-SO-000009 Medium Audit policy using subcategories must be enabled.
WN08-SO-000008 Medium Auditing of Backup and Restore Privileges must be turned off.
WN08-AU-000030 Medium The system must be configured to audit "System - System Integrity" successes.
WN08-AU-000100 Medium Audit data must be reviewed on a regular basis.
WN08-AU-000101 Medium Audit data must be retained for at least one year and SAMI audit data must be retained for at least five years.
WN08-AU-000102 Medium Audit records must be backed up on an organization defined frequency onto a different system or media than the system being audited.
WN08-UC-000012 Medium Users must be prevented from sharing files in their profiles.
WN08-UC-000013 Medium Media Player must be configured to prevent automatic Codec downloads.
WN08-FW-000005 Medium The Windows Firewall must block unicast response to multicast or broadcast messages for the Domain Profile.
WN08-CC-000072 Medium Autoplay must be turned off for non-volume devices.
WN08-CC-000073 Medium The default autorun behavior must be configured to prevent autorun commands.
WN08-CC-000075 Medium The use of biometrics must be disabled.
WN08-CC-000076 Medium The password reveal button must not be displayed.
WN08-CC-000077 Medium The system must require username and password to elevate a running application.
WN08-CC-000078 Medium EMET system-wide Address Space Layout Randomization (ASLR) must be enabled and configured to Application Opt-in.
WN08-CC-000079 Medium EMET Default Protections for Internet Explorer must be enabled.
WN08-UR-000001 Medium Unauthorized accounts must not have the "Access Credential Manager as a trusted caller" user right.
WN08-UR-000002 Medium Unauthorized accounts must not have the "Access this computer from the network" user right.
WN08-UR-000004 Medium Unauthorized accounts must not have the "Adjust memory quotas for a process" user right.
WN08-UR-000005 Medium Unauthorized accounts must not have the "Allow log on locally" user right.
WN08-UR-000006 Medium Unauthorized accounts must not have the "Allow log on through Remote Desktop Services" user right.
WN08-UR-000007 Medium Unauthorized accounts must not have the "Back up files and directories" user right.
WN08-UR-000009 Medium Unauthorized accounts must not have the "Change the system time" user right.
WN08-GE-000009 Medium A non-administrator account must not have administrator rights on the system.
WN08-GE-000008 Medium Alternate non-STIG-compliant operating systems must not be permitted on the same system.
WN08-GE-000004 Medium File auditing configuration must meet minimum requirements.
WN08-SO-000045 Medium The system must be configured to use Safe DLL Search Mode.
WN08-UC-000008 Medium Windows Help Ratings feedback must be turned off.
WN08-SO-000066 Medium The system must be configured to force users to log off when their allowed logon hours expire.
WN08-CC-000037 Medium Web publishing and online ordering wizards must be prevented from downloading a list of providers.
WN08-CC-000030 Medium Access to the Windows Store must be turned off.
WN08-CC-000032 Medium Downloading print driver packages over HTTP must be prevented.
WN08-CC-000038 Medium The Internet File Association service must be turned off.
WN08-CC-000039 Medium Printing over HTTP must be prevented.
WN08-UR-000040 Medium Unauthorized accounts must not have the "Restore files and directories" user right.
WN08-UR-000041 Medium Unauthorized accounts must not have the "Shut down the system" user right.
WN08-UR-000042 Medium Unauthorized accounts must not have the "Take ownership of files or other objects" user right.
WN08-GE-000024 Medium The Telnet Client must not be installed on the system.
WN08-CC-000100 Medium Remote Desktop Services must be configured with the client connection encryption set to the required level.
WN08-CC-000101 Medium Remote Desktop Services must be configured to disconnect an idle session after the specified time period.
WN08-CC-000102 Medium Remote Desktop Services must be configured to set a time limit for disconnected sessions.
WN08-CC-000103 Medium Remote Desktop Services must delete temporary folders when a session is terminated.
WN08-CC-000104 Medium Remote Desktop Services must be configured to use session-specific temporary folders.
WN08-CC-000105 Medium Attachments must be prevented from being downloaded from RSS feeds.
WN08-CC-000106 Medium Basic authentication for RSS feeds over HTTP must be turned off.
WN08-CC-000107 Medium Indexing of encrypted files must be turned off.
WN08-PK-000002 Medium The External CA Root Certificate must be installed.
WN08-PK-000003 Medium The DoD Interoperability Root CA to DoD Root CA 2 cross certificate must be installed.
WN08-PK-000001 Medium The DoD Root Certificate must be installed.
WN08-SO-000030 Medium Unencrypted passwords must not be sent to third-party SMB Server.
WN08-SO-000032 Medium The Windows SMB server must be enabled to always perform SMB packet signing.
WN08-SO-000033 Medium The Windows SMB server must perform SMB packet signing when possible.
WN08-GE-000032 Medium The Windows 8 SkyDrive app must be removed from the system.
WN08-GE-000033 Medium The Windows 8 Games app must be removed from the system.
WN08-SO-000036 Medium Automatic logons must be disabled.
WN08-GE-000031 Medium Any default Windows 8 style apps must be maintained and updated at current releases.
WN08-AU-000029 Medium The system must be configured to audit "System - System Integrity" failures.
WN08-AU-000028 Medium The system must be configured to audit "System - Security System Extension" successes.
WN08-AU-000027 Medium The system must be configured to audit "System - Security System Extension" failures.
WN08-AU-000026 Medium The system must be configured to audit "System - Security State Change" successes.
WN08-AU-000025 Medium The system must be configured to audit "System - Security State Change" failures.
WN08-AU-000024 Medium The system must be configured to audit "System - IPSec Driver" successes.
WN08-AU-000023 Medium The system must be configured to audit "System - IPSec Driver" failures.
WN08-AU-000022 Medium The system must be configured to audit "Privilege Use - Sensitive Privilege Use" successes.
WN08-AU-000021 Medium The system must be configured to audit "Privilege Use - Sensitive Privilege Use" failures.
WN08-AU-000020 Medium The system must be configured to audit "Policy Change - Authentication Policy Change" successes.
WN08-AC-000009 Medium Reversible password encryption must be disabled.
WN08-AC-000007 Medium Passwords must, at a minimum, be 14 characters.
WN08-AC-000006 Medium The minimum password age must meet requirements.
WN08-AC-000005 Medium The maximum password age must meet DoD requirements.
WN08-AC-000004 Medium The password uniqueness must meet minimum requirements.
WN08-AC-000003 Medium The period of time before the bad logon counter is reset must meet minimum requirements.
WN08-AC-000002 Medium The number of allowed bad logon attempts must meet minimum requirements.
WN08-AC-000001 Medium The lockout duration must meet minimum requirements.
WN08-MO-000001 Medium The VPN client on mobile devices must use CAC authentication when connecting to DoD networks.
WN08-CC-000064 Medium Unauthenticated RPC clients must be restricted from connecting to the RPC server.
WN08-CC-000063 Medium Client computers must be required to authenticate for RPC communication.
WN08-UR-000019 Medium The "Deny log on as a service" user right must be configured to include no one (blank).
WN08-UR-000018 Medium The "Deny log on as a batch job" user right must be configured to include Guests.
WN08-UR-000015 Medium Unauthorized accounts must not have the "Create symbolic links" user right.
WN08-UR-000014 Medium Unauthorized accounts must not have the "Create permanent shared objects" user right.
WN08-UR-000013 Medium Unauthorized accounts must not have the "Create global objects" user right.
WN08-UR-000011 Medium Unauthorized accounts must not have the "Create a pagefile" user right.
WN08-SO-000074 Medium The system must be configured to use FIPS-compliant algorithms for encryption, hashing, and signing.
WN08-SO-000075 Medium The system must be configured to require case insensitivity for non-Windows subsystems.
WN08-SO-000077 Medium User Account Control approval mode for the built-in Administrator must be enabled.
WN08-SO-000070 Medium The system must be configured to meet the minimum session security requirement for NTLM SSP based servers.
WN08-SO-000078 Medium User Account Control must, at minimum, prompt administrators for consent.
WN08-SO-000079 Medium User Account Control must automatically deny standard user requests for elevation.
WN08-CC-000091 Medium File Explorer shell protocol must run in protected mode.
WN08-CC-000096 Medium Passwords must not be saved in the Remote Desktop Client.
WN08-CC-000097 Medium Users must be prevented from connecting using Remote Desktop Services.
WN08-CC-000094 Medium The system must be prevented from joining a homegroup.
WN08-CC-000095 Medium The location feature must be turned off.
WN08-CC-000098 Medium Local drives must be prevented from sharing with Remote Desktop Session Hosts.
WN08-CC-000099 Medium Remote Desktop Services must always prompt a client for passwords upon connection.
WN08-AU-000016 Medium The system must be configured to audit "Object Access - Removable Storage" failures.
WN08-AU-000017 Medium The system must be configured to audit "Object Access - Removable Storage" successes.
WN08-AU-000014 Medium The system must be configured to audit "Object Access - File System" failures.
WN08-AU-000015 Medium The system must be configured to audit "Object Access - Registry" failures.
WN08-AU-000012 Medium The system must be configured to audit "Logon/Logoff - Logon" successes.
WN08-AU-000013 Medium The system must be configured to audit "Logon/Logoff - Special Logon" successes.
WN08-AU-000010 Medium The system must be configured to audit "Logon/Logoff - Logoff" successes.
WN08-AU-000011 Medium The system must be configured to audit "Logon/Logoff - Logon" failures.
WN08-AU-000018 Medium The system must be configured to audit "Policy Change - Audit Policy Change" failures.
WN08-AU-000019 Medium The system must be configured to audit "Policy Change - Audit Policy Change" successes.
WN08-CC-000027 Medium Early Launch Antimalware, Boot-Start Driver Initialization Policy must be enabled and configured to only Good and Unknown.
WN08-CC-000029 Medium Group Policies must be refreshed in the background if the user is logged on.
WN08-CC-000028 Medium Group Policy objects must be reprocessed even if they have not changed.
WN08-CC-000117 Medium Users must be notified if a web-based program attempts to install software.
WN08-CC-000115 Medium Users must be prevented from changing installation options.
WN08-CC-000113 Medium Windows Error Reporting to Microsoft must be disabled.
WN08-CC-000111 Medium Windows Defender SpyNet membership must be disabled.
WN08-CC-000110 Medium The Windows Store application must be turned off.
WN08-CC-000054 Medium Users must be prompted for a password on resume from sleep (on battery).
WN08-CC-000055 Medium The user must be prompted for a password on resume from sleep (plugged in).
WN08-CC-000052 Medium App notifications on the lock screen must be turned off.
WN08-CC-000053 Medium Signing in using a PIN must be turned off.
WN08-CC-000050 Medium Connected users on domain-joined computers must not be enumerated.
WN08-CC-000051 Medium Local users on domain-joined computers must not be enumerated.
WN08-MO-000010 Medium Built-in microphones must be disabled on mobile devices unless required and approved by the organization.
WN08-MO-000011 Medium Global Positioning System (GPS) must be disabled unless required and approved by the organization.
WN08-MO-000012 Medium Near Field Communications (NFC) chips must be disabled.
WN08-MO-000013 Medium Infrared (IR) ports must be disabled.
WN08-GE-000034 Medium The Windows 8 Music app must be removed from the system.
WN08-CC-000058 Medium The system must be configured to prevent unsolicited remote assistance offers.
WN08-UR-000026 Medium Unauthorized accounts must not have the "Increase a process working set" user right.
WN08-UR-000027 Medium Unauthorized accounts must not have the "Increase scheduling priority" user right.
WN08-UR-000024 Medium Unauthorized accounts must not have the "Generate security audits" user right.
WN08-UR-000025 Medium Unauthorized accounts must not have the "Impersonate a client after authentication" user right.
WN08-UR-000022 Medium Unauthorized accounts must not have the "Enable computer and user accounts to be trusted for delegation" user right.
WN08-UR-000023 Medium Unauthorized accounts must not have the "Force shutdown from a remote system" user right.
WN08-UR-000020 Medium The "Deny log on locally" user right must be configured to include Guests.
WN08-UR-000021 Medium The "Deny log on through Remote Desktop Services" user right must be configured to include Guests.
WN08-UC-000010 Medium Mechanisms for removing zone information from file attachments must be hidden.
WN08-UC-000011 Medium The system must notify antivirus when file attachments are opened.
WN08-UR-000028 Medium Unauthorized accounts must not have the "Load and unload device drivers" user right.
WN08-UR-000029 Medium Unauthorized accounts must not have the "Lock pages in memory" user right.
WN08-FW-000001 Medium The Windows Firewall must be enabled for the Domain Profile.
WN08-FW-000003 Medium The Windows Firewall must allow outbound connections, unless a rule explicitly blocks the connection for the Domain Profile.
WN08-GE-000030 Medium The system must query the certification authority to determine whether a public key certificate has been revoked before accepting the certificate for authentication purposes.
WN08-SO-000035 Medium The service principal name (SPN) target name validation level must be turned off.
WN08-SO-000029 Medium The Windows SMB client must be enabled to perform SMB packet signing when possible.
WN08-SO-000028 Medium The Windows SMB client must be enabled to always perform SMB packet signing.
WN08-SO-000027 Medium The Smart Card removal option must be configured to Force Logoff or Lock Workstation.
WN08-SO-000022 Medium The required legal notice must be configured to display before console logon.
WN08-SO-000021 Medium The machine inactivity limit must be set to 15 minutes, locking the system with the screensaver.
WN08-SO-000020 Medium The machine account lockout threshold must be set to 10 on systems with BitLocker enabled.
WN08-GE-000025 Medium Telnet Server must not be installed on the system.
WN08-GE-000027 Medium User-level information must be backed up per organization defined frequency consistent with recovery time and recovery point objectives.
WN08-GE-000026 Medium The TFTP Client must not be installed on the system.
WN08-GE-000021 Medium Hyper-V must not be installed on a workstation.
WN08-GE-000020 Medium Software certificate installation files must be removed from a system.
WN08-GE-000023 Medium Simple TCIPIP Services must not be installed on the system.
WN08-GE-000022 Medium Simple Network Management Protocol (SNMP) must not be installed on the system.
WN08-GE-000029 Medium The system must support automated patch management tools to facilitate flaw remediation to organization defined information system components.
WN08-GE-000028 Medium The system must employ automated mechanisms or must have an application installed that, on an organization defined frequency determines the state of information system components with regard to flaw remediation.
WN08-GE-000003 Medium ACLs for event logs must conform to minimum requirements.
WN08-00-000010 Medium Application account passwords must meet DoD requirements for length, complexity, and changes.
WN08-00-000011 Medium System BIOS or system controllers supporting password protection must have administrator accounts/passwords configured, and no others.
WN08-00-000014 Medium Policy must require that system administrators (SAs) be trained for the operating systems used by systems under their control.
WN08-GE-000006 Medium Registry key auditing configuration must meet minimum requirements.
WN08-CC-000018 Low Optional component installation and component repair must be prevented from using Windows Update.
WN08-CC-000011 Low IP stateless autoconfiguration limits state must be enabled.
WN08-CC-000016 Low Windows Update must be prevented from searching for point and print drivers.
WN08-CC-000017 Low Users must only be allowed to point and print to machines in their forest.
WN08-CC-000121 Low Users must not be presented with Privacy and Installation options on first use of Windows Media Player.
WN08-CC-000088 Low The Windows SmartScreen must be turned off.
WN08-SO-000016 Low The maximum age for machine account passwords must be set to requirements.
WN08-SO-000015 Low The computer account password must not be prevented from being reset.
WN08-SO-000010 Low The system must not halt when the security event log has reached its maximum size.
WN08-SO-000018 Low The system must be configured to prevent the display of the last username on the logon screen.
WN08-UR-000038 Low Unauthorized accounts must not have the "Remove computer from docking station" user right.
WN08-CC-000040 Low Windows Registration Wizard must be turned off.
WN08-CC-000042 Low The Order Prints Online wizard must be turned off.
WN08-CC-000049 Low The classic logon screen must be required for user logons.
WN08-UC-000002 Low A screen saver must be defined.
WN08-UC-000006 Low Toast notifications to the lock screen must be turned off.
WN08-UC-000005 Low Notifications from Windows Push Network Service must be turned off.
WN08-UC-000004 Low Changing the screen saver must be prevented.
WN08-GE-000013 Low Local users must not exist on a system in a domain.
WN08-00-000004 Low Security configuration tools or equivalent processes must be used to configure and maintain platforms for security compliance.
WN08-00-000003 Low System information backups must be created, updated, and protected.
WN08-FW-000018 Low The Windows Firewall must log successful connections for the Private Profile.
WN08-FW-000017 Low The Windows Firewall must log dropped packets for the Private Profile.
WN08-FW-000016 Low The Windows Firewall log size must be configured for the Private Profile.
WN08-FW-000015 Low The Windows Firewall log file name and location must be configured for the Private Profile.
WN08-FW-000013 Low The Windows Firewall must display notifications when a program is blocked from receiving an inbound connection for the Private Profile.
WN08-CC-000005 Low Domain users must be required to elevate when setting a network's location.
WN08-CC-000006 Low All Direct Access traffic must be routed through the internal network.
WN08-FW-000026 Low The Windows Firewall log file name and location must be configured for the Public Profile.
WN08-FW-000027 Low The Windows Firewall log size must be configured for the Public Profile.
WN08-FW-000022 Low The Windows Firewall must display notifications when a program is blocked from receiving an inbound connection for the Public Profile.
WN08-FW-000028 Low The Windows Firewall must log dropped packets for the Public Profile.
WN08-FW-000029 Low The Windows Firewall must log successful connections for the Public Profile.
WN08-CC-000070 Low Trusted app installation must be enabled to allow for signed enterprise line of business apps.
WN08-CC-000071 Low The Application Compatibility Program Inventory must be prevented from collecting data and sending the information to Microsoft.
WN08-UR-000008 Low Unauthorized accounts must not have the "Bypass traverse checking" user right.
WN08-SO-000049 Low The system must generate an audit event when the audit log reaches a percent full threshold.
WN08-SO-000048 Low The system must limit how many times unacknowledged TCP data is retransmitted.
WN08-GE-000007 Low Outdated or unused accounts must be removed from the system.
WN08-SO-000040 Low The system must be configured to hide the computer from the browse list.
WN08-SO-000043 Low The system must be configured to ignore NetBIOS name release requests except from WINS servers.
WN08-SO-000044 Low The system must be configured to disable the Internet Router Discovery Protocol (IRDP).
WN08-SO-000047 Low IPv6 TCP data retransmissions must be configured to prevent resources from becoming exhausted.
WN08-SO-000046 Low The system must be configured to have password protection take effect within a limited time frame when the screen saver becomes active.
WN08-CC-000034 Low Handwriting personalization data sharing with Microsoft must be prevented.
WN08-CC-000035 Low Errors in handwriting recognition on tablet PCs must not be reported to Microsoft.
WN08-CC-000036 Low The Internet Connection Wizard must not download a list of Internet Service Providers (ISPs) from Microsoft.
WN08-CC-000031 Low Root Certificates must not be updated automatically from the Microsoft site.
WN08-CC-000033 Low Event Viewer Events.asp links must be turned off.
WN08-CC-000108 Low Indexing of mail items in Exchange Folder when Outlook is running in uncached mode must be turned off.
WN08-CC-000109 Low Automatic download of updates from the Windows Store must be turned off.
WN08-SO-000031 Low The amount of idle time required before suspending a session must be properly set.
WN08-SO-000038 Low The system must be configured to prevent IP source routing.
WN08-SO-000039 Low The system must be configured to prevent ICMP redirects from overriding OSPF generated routes.
WN08-AC-000008 Low The built-in Microsoft password complexity filter must be enabled.
WN08-CC-000069 Low If the time service is configured, it must use an authorized time server.
WN08-CC-000068 Low Responsiveness events must be prevented from being aggregated and sent to Microsoft.
WN08-CC-000067 Low Access to Windows Online Troubleshooting Service (WOTS) must be prevented.
WN08-CC-000066 Low Microsoft Support Diagnostic Tool (MSDT) interactive communication with Microsoft must be prevented.
WN08-CC-000065 Low The detection of compatibility issues for applications and drivers must be turned off.
WN08-CC-000062 Low Remote Assistance log files must be generated.
WN08-CC-000061 Low Remote assistance must display a warning message when allowing helpdesk personnel to connect to a system.
WN08-CC-000060 Low Remote assistance must display a warning message when allowing helpdesk personnel to control a system.
WN08-UR-000010 Low Unauthorized accounts must not have the "Change the time zone" user right.
WN08-SO-000076 Low The default permissions of global system objects must be increased.
WN08-SO-000072 Low The Recovery Console SET command must be disabled.
WN08-SO-000073 Low The shutdown option must be available from the logon dialog box.
WN08-CC-000092 Low Game explorer information must not be downloaded from Windows Metadata Services.
WN08-CC-000093 Low Downloading of game update information must be turned off.
WN08-CC-000090 Low Turning off File Explorer heap termination on corruption must be disabled.
WN08-CC-000023 Low Windows must be prevented from sending an error report when a device driver requests additional software during installation.
WN08-CC-000022 Low Device metadata retrieval from the Internet must be prevented.
WN08-CC-000021 Low A system restore point must be created when a new device driver is installed.
WN08-CC-000020 Low An Error Report must not be sent when a generic device driver is installed.
WN08-CC-000026 Low Users must not be prompted to search Windows Update for device drivers.
WN08-CC-000025 Low Device driver updates must only search managed servers, not Windows Update.
WN08-CC-000024 Low Device driver searches using Windows Update must be prevented.
WN08-CC-000119 Low Users must be notified if the logon server was inaccessible and cached credentials were used.
WN08-CC-000118 Low Non-administrators must be prevented from applying vendor-signed updates.
WN08-CC-000114 Low Additional data requests in response to Error Reporting must be declined.
WN08-CC-000112 Low Error Reporting events must be logged in the system event log.
WN08-CC-000056 Low The display must turn off after 20 minutes of inactivity when the system is running on battery.
WN08-CC-000057 Low The display must turn off after 20 minutes of inactivity when the system is plugged in.
WN08-SO-000034 Low Users must be forcibly disconnected when their logon hours expire.
WN08-FW-000004 Low The Windows Firewall must display notifications when a program is blocked from receiving an inbound connection for the Domain Profile.
WN08-FW-000006 Low The Windows Firewall log file name and location must be configured for the Domain Profile.
WN08-FW-000007 Low The Windows Firewall log size must be configured for the Domain Profile.
WN08-FW-000008 Low The Windows Firewall must log dropped packets for the Domain Profile.
WN08-FW-000009 Low The Windows Firewall must log successful connections for the Domain Profile.
WN08-SO-000037 Low IPv6 source routing must be configured to highest protection.
WN08-SO-000026 Low Domain Controller authentication must not be required to unlock the workstation.
WN08-SO-000025 Low Users must be warned in advance of their passwords expiring.
WN08-SO-000024 Low Caching of logon credentials must be limited.
WN08-SO-000023 Low The Windows dialog box title for the legal banner must be configured.
WN08-SO-000041 Low The system must be configured to limit how often keep-alive packets are sent.
WN08-SO-000042 Low IPSec Exemptions must be limited.