UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Windows 8 Security Technical Implementation Guide


Overview

Date Finding Count (423)
2013-07-03 CAT I (High): 40 CAT II (Med): 287 CAT III (Low): 96
STIG Description
The Windows 8 Security Technical Implementation Guide (STIG) is published as a tool to improve the security of Department of Defense (DoD) information systems. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.letterkenny.FSO.mbx.stig-customer-support-mailbox@mail.mil.

Available Profiles



Findings (MAC II - Mission Support Classified)

Finding ID Severity Title
V-36718 High The Windows Remote Management (WinRM) service must not use Basic authentication.
V-36712 High The Windows Remote Management (WinRM) client must not use Basic authentication.
V-6834 High Anonymous access to Named Pipes and Shares must be restricted.
V-18010 High Unauthorized accounts must not have the Debug programs user right.
V-1093 High Anonymous enumeration of shares must be restricted.
V-17418 High The Windows Firewall must block unsolicited inbound connections for the Domain Profile.
V-26283 High Anonymous enumeration of SAM accounts must not be allowed.
V-1127 High Only accounts responsible for the administration of a system must have Administrator rights on the system.
V-1159 High The Recovery Console option must be set to prevent automatic logon to the system.
V-1152 High Anonymous access to the registry must be restricted.
V-1153 High The LanMan authentication level must be set to send NTLMv2 response only, and to refuse LM and NTLM.
V-2372 High Reversible password encryption must be disabled.
V-2374 High Autoplay must be disabled for all drives.
V-22692 High The default autorun behavior must be configured to prevent autorun commands.
V-17438 High The Windows Firewall must block unsolicited inbound connections for the Public Profile.
V-2908 High Unencrypted remote access to system services must not be permitted.
V-3338 High Named pipes that can be accessed anonymously must be configured to contain no values.
V-3339 High Unauthorized remotely accessible registry paths must not be configured.
V-3337 High Anonymous SID/Name translation must not be allowed.
V-26070 High Standard user accounts must only have Read permissions to the Winlogon registry key.
V-3343 High Solicited Remote Assistance must not be allowed.
V-3340 High Network shares that can be accessed anonymously must not be allowed.
V-3347 High Internet Information System (IIS) or its subcomponents must not be installed on a workstation.
V-3344 High Local accounts with blank passwords must be restricted to prevent access from the network.
V-1102 High No accounts must be granted the Act as part of the operating system user right.
V-1074 High An approved DoD virus scan program must be used and kept updated.
V-1073 High Systems must be maintained at a supported service pack level.
V-34974 High The Windows Installer Always install with elevated privileges must be disabled.
V-26479 High No accounts must have the Create a token object user right.
V-36659 High Users with Administrative privilege must have separate accounts for administrative duties and normal operational tasks.
V-1081 High Local volumes must be formatted using NTFS.
V-32282 High Standard user accounts must only have Read permissions to the Active Setup\Installed Components registry key.
V-17428 High The Windows Firewall must block unsolicited inbound connections for the Private Profile.
V-3379 High The system must be configured to prevent the storage of the LAN Manager hash of passwords.
V-7002 High Local accounts must require passwords.
V-21973 High Autoplay must be turned off for non-volume devices.
V-36665 High Mobile systems must encrypt all data per the DoD Data at Rest policy.
V-36664 High The system must not use removable media as the boot loader.
V-36660 High Policy must require that administrative user accounts not be used with applications that access the internet, such as web browsers, or with potential internet sources, such as email.
V-4443 High Unauthorized remotely accessible registry paths and sub-paths must not be configured.
V-39137 Medium The Enhanced Mitigation Experience Toolkit (EMET) must be installed on the system.
V-36719 Medium The Windows Remote Management (WinRM) service must not allow unencrypted traffic.
V-36714 Medium The Windows Remote Management (WinRM) client must not use Digest authentication.
V-36713 Medium The Windows Remote Management (WinRM) client must not allow unencrypted traffic.
V-36711 Medium The Windows Store application must be turned off.
V-16008 Medium Windows must elevate all applications in User Account Control, not just signed ones.
V-26503 Medium Unauthorized accounts must not have the Replace a process level token user right.
V-26501 Medium Unauthorized accounts must not have the Profile system performance user right.
V-26500 Medium Unauthorized accounts must not have the Profile single process user right.
V-1168 Medium Members of the Backup Operators group must have separate accounts for backup duties and normal operational tasks.
V-26505 Medium Unauthorized accounts must not have the Shut down the system user right.
V-26504 Medium Unauthorized accounts must not have the Restore files and directories user right.
V-1164 Medium Outgoing secure channel traffic must be signed when possible.
V-1166 Medium The Windows SMB client must be enabled to perform SMB packet signing when possible.
V-1163 Medium Outgoing secure channel traffic must be encrypted when possible.
V-1162 Medium The Windows SMB server must perform SMB packet signing when possible.
V-26469 Medium Unauthorized accounts must not have the Access Credential Manager as a trusted caller user right.
V-6836 Medium Passwords must, at a minimum, be 14 characters.
V-6832 Medium The Windows SMB client must be configured to always perform SMB packet signing.
V-6833 Medium The Windows SMB server must be configured to always perform SMB packet signing.
V-6831 Medium Outgoing secure channel traffic must be encrypted or signed.
V-1099 Medium The lockout duration must be configured to require an administrator to unlock an account.
V-1098 Medium The period of time before the bad logon counter is reset must meet minimum requirements.
V-1097 Medium The number of allowed bad logon attempts must meet minimum requirements.
V-6840 Medium System mechanisms must be implemented to enforce automatic expiration of passwords.
V-14270 Medium The system must notify antivirus when file attachments are opened.
V-17415 Medium The Windows Firewall must be enabled for the Domain Profile.
V-17417 Medium The Windows Firewall must be enabled for the Public Profile.
V-17416 Medium The Windows Firewall must be enabled for the Private Profile.
V-17419 Medium The Windows Firewall must allow outbound connections, unless a rule explicitly blocks the connection for the Domain Profile.
V-36689 Medium Signing in using a PIN must be turned off.
V-15706 Medium The user must be prompted for a password on resume from sleep (plugged in).
V-36753 Medium The VPN client on mobile devices must disable split tunneling.
V-36752 Medium The VPN client on mobile devices must use DoD approved multi-factor authentication tokens (e.g., Common Access Card (CAC) for unclassified systems) when connecting to DoD networks.
V-14243 Medium The system must require username and password to elevate a running application.
V-36750 Medium The Windows 8 default Communications apps (Mail, People, Messaging and Calendar) must be removed from the system.
V-36757 Medium Bluetooth must be turned off unless approved by the organization.
V-36756 Medium Mobile devices beyond standard laptops must be managed with a mobile device manager per Mobile Device Management (MDM) Security Requirements Guide (SRG).
V-14247 Medium Passwords must not be saved in the Remote Desktop Client.
V-36754 Medium The VPN client on mobile devices must use either IPSec or SSL/TLS when connecting to DoD networks.
V-14248 Medium Users must be prevented from connecting using Remote Desktop Services.
V-36759 Medium Bluetooth must be turned off when not in use.
V-36683 Medium Connected users on domain-joined computers must not be enumerated.
V-15666 Medium Windows Peer-to-Peer networking services must be turned off.
V-15667 Medium Network Bridges must be prohibited in Windows.
V-21980 Medium Explorer Data Execution Prevention must be enabled.
V-26495 Medium Unauthorized accounts must not have the Log on as a batch job user right.
V-26494 Medium Unauthorized accounts must not have the Lock pages in memory user right.
V-26497 Medium Unauthorized accounts must not have the Modify an object label user right.
V-26496 Medium Unauthorized accounts must not have the Manage auditing and security log user right.
V-26558 Medium The system must be configured to audit System - System Integrity failures.
V-26490 Medium Unauthorized accounts must not have the Impersonate a client after authentication user right.
V-26493 Medium Unauthorized accounts must not have the Load and unload device drivers user right.
V-26492 Medium Unauthorized accounts must not have the Increase scheduling priority user right.
V-26554 Medium The system must be configured to audit System - Security State Change failures.
V-26556 Medium The system must be configured to audit System - Security System Extension failures.
V-26557 Medium The system must be configured to audit System - System Integrity successes.
V-26499 Medium Unauthorized accounts must not have the Perform volume maintenance tasks user right.
V-26551 Medium The system must be configured to audit System - IPSec Driver successes.
V-26552 Medium The system must be configured to audit System - IPSec Driver failures.
V-26553 Medium The system must be configured to audit System - Security State Change successes.
V-16047 Medium The built-in administrator account must be disabled.
V-15700 Medium Remote access to the Plug and Play interface must be disabled for device installation.
V-36670 Medium Audit data must be reviewed on a regular basis.
V-36671 Medium Audit data must be retained for at least one year. If system contains sources and methods intelligence (SAMI), audit data must be retained for at least five years.
V-15705 Medium Users must be prompted for a password on resume from sleep (on battery).
V-36772 Medium The machine account lockout threshold must be set to 10 on systems with BitLocker enabled.
V-36679 Medium Early Launch Antimalware, Boot-Start Driver Initialization Policy must be enabled and configured to only Good and Unknown.
V-26491 Medium Unauthorized accounts must not have the Increase a process working set user right.
V-26555 Medium The system must be configured to audit System - Security System Extension successes.
V-26506 Medium Unauthorized accounts must not have the Take ownership of files or other objects user right.
V-26550 Medium The system must be configured to audit Privilege Use - Sensitive Privilege Use failures.
V-26498 Medium Unauthorized accounts must not have the Modify firmware environment values user right.
V-3385 Medium The system must be configured to require case insensitivity for non-Windows subsystems.
V-3383 Medium The system must be configured to use FIPS-compliant algorithms for encryption, hashing, and signing.
V-3382 Medium The system must be configured to meet the minimum session security requirement for NTLM SSP based clients.
V-3381 Medium The system must be configured to the required LDAP client signing level.
V-3380 Medium The system must be configured to force users to log off when their allowed logon hours expire.
V-36674 Medium Simultaneous connections to the Internet or a Windows domain must be limited.
V-36675 Medium Connections to non-domain networks when connected to a domain authenticated network must be blocked.
V-17442 Medium The Windows Firewall local firewall rules must not be merged with group policy settings for the Public Profile.
V-17443 Medium The Windows Firewall local connection rules must not be merged with Group Policy settings for the Public Profile.
V-17441 Medium The Windows Firewall must block unicast response to multicast or broadcast messages for the Public Profile.
V-36672 Medium Audit records must be backed up on an organization defined frequency onto a different system or media than the system being audited.
V-36708 Medium The location feature must be turned off.
V-36709 Medium Basic authentication for RSS feeds over HTTP must be turned off.
V-36704 Medium The Enhanced Mitigation Experience Toolkit (EMET) Default Protections for Popular Software must be enabled.
V-36705 Medium The Enhanced Mitigation Experience Toolkit (EMET) system-wide Data Execution Prevention (DEP) must be enabled and configured to at least Application Opt Out.
V-36706 Medium The Enhanced Mitigation Experience Toolkit (EMET) system-wide Structured Exception Handler Overwrite Protection (SEHOP) must be configured to Application Opt Out.
V-36700 Medium The password reveal button must not be displayed.
V-36701 Medium EMET system-wide Address Space Layout Randomization (ASLR) must be enabled and configured to Application Opt In.
V-36702 Medium EMET Default Protections for Internet Explorer must be enabled.
V-36703 Medium The Enhanced Mitigation Experience Toolkit (EMET) Default Protections for Recommended Software must be enabled.
V-36773 Medium The machine inactivity limit must be set to 15 minutes, locking the system with the screensaver.
V-15697 Medium The Responder network protocol driver must be disabled.
V-15696 Medium The Mapper I/O network protocol (LLTDIO) driver must be disabled.
V-15699 Medium The Windows Connect Now wizards must be disabled.
V-15698 Medium The configuration of wireless devices using Windows Connect Now must be disabled.
V-1154 Medium The Ctrl+Alt+Del security attention sequence for logons must be enabled.
V-1155 Medium The Deny access to this computer from the network user right on workstations must be configured to prevent access from highly privileged domain accounts and local administrator accounts on domain systems and unauthenticated access on all systems.
V-1157 Medium The Smart Card removal option must be configured to Force Logoff or Lock Workstation.
V-3458 Medium Remote Desktop Services must be configured to disconnect an idle session after the specified time period.
V-3453 Medium Remote Desktop Services must always prompt a client for passwords upon connection.
V-3457 Medium Remote Desktop Services must be configured to set a time limit for disconnected sessions.
V-3456 Medium Remote Desktop Services must delete temporary folders when a session is terminated.
V-3455 Medium Remote Desktop Services must be configured to use session-specific temporary folders.
V-3454 Medium Remote Desktop Services must be configured with the client connection encryption set to the required level.
V-36440 Medium Inbound exceptions to the firewall on domain workstations must only allow authorized remote management hosts.
V-36740 Medium The Windows 8 Video app must be removed from the system.
V-36741 Medium The Windows 8 default Bing app must be removed from the system.
V-36742 Medium The Windows 8 default Finance app must be removed from the system.
V-36743 Medium The Windows 8 default Maps app must be removed from the system.
V-36744 Medium The Windows 8 default News app must be removed from the system.
V-36745 Medium The Windows 8 default Sports app must be removed from the system.
V-36746 Medium The Windows 8 default Travel app must be removed from the system.
V-14259 Medium Printing over HTTP must be prevented.
V-36748 Medium The Windows 8 default Camera app must be removed from the system.
V-36749 Medium The Windows 8 default Reader app must be removed from the system.
V-14254 Medium Client computers must be required to authenticate for RPC communication.
V-14255 Medium File and folder Publish to Web option must be unavailable in Windows folders.
V-14253 Medium Unauthenticated RPC clients must be restricted from connecting to the RPC server.
V-14250 Medium Automatic Updates must not be used (unless configured to point to a DoD server).
V-1119 Medium Alternate operating systems must not be permitted on the same system.
V-1114 Medium The built-in guest account must be renamed.
V-1115 Medium The built-in administrator account must be renamed.
V-1113 Medium The built-in guest account must be disabled.
V-16021 Medium The Windows Help Experience Improvement Program must be disabled.
V-16020 Medium The Windows Customer Experience Improvement Program must be disabled.
V-21951 Medium Services using Local System that use Negotiate when reverting to NTLM authentication must use the computer identity vs. authenticating anonymously.
V-21950 Medium The service principal name (SPN) target name validation level must be configured to Accept if provided by client.
V-21953 Medium PKU2U authentication using online identities must be prevented.
V-21952 Medium NTLM must be prevented from falling back to a Null session.
V-21954 Medium Kerberos encryption types must be configured to prevent the use of DES encryption suites.
V-28285 Medium Unauthorized users must not have the Log on as a service user right.
V-26482 Medium Unauthorized accounts must not have the Create symbolic links user right.
V-26483 Medium The Deny log on as a batch job user right on workstations must be configured to prevent access from highly privileged domain accounts on domain systems and unauthenticated access on all systems.
V-26480 Medium Unauthorized accounts must not have the Create global objects user right.
V-26481 Medium Unauthorized accounts must not have the Create permanent shared objects user right.
V-26486 Medium The Deny log on through Remote Desktop Services user right on workstations must at a minimum be configured to prevent access from highly privileged domain accounts and local administrator accounts on domain systems and unauthenticated access on all systems.
V-26487 Medium Unauthorized accounts must not have the Enable computer and user accounts to be trusted for delegation user right.
V-26484 Medium The Deny log on as a service user right on workstations must be configured to prevent access from highly privileged domain accounts on domain systems and unauthenticated access on all systems.
V-26485 Medium The Deny log on locally user right on workstations must be configured to prevent access from highly privileged domain accounts on domain systems and unauthenticated access on all systems.
V-26488 Medium Unauthorized accounts must not have the Force shutdown from a remote system user right.
V-26489 Medium Unauthorized accounts must not have the Generate security audits user right.
V-15711 Medium Indexing of encrypted files must be turned off.
V-15713 Medium Windows Defender SpyNet membership must be disabled.
V-14258 Medium Search Companion must be prevented from automatically downloading content updates.
V-36747 Medium The Windows 8 default Weather app must be removed from the system.
V-14256 Medium Web publishing and online ordering wizards must be prevented from downloading a list of providers.
V-14257 Medium Windows Messenger must be prevented from collecting anonymous information about how the service is used.
V-3469 Medium Group Policies must be refreshed in the background if the user is logged on.
V-15823 Medium Software certificate installation files must be removed from a system.
V-17439 Medium The Windows Firewall must allow outbound connections, unless a rule explicitly blocks the connection for the Public Profile.
V-17431 Medium The Windows Firewall must block unicast response to multicast or broadcast messages for the Private Profile.
V-1145 Medium Automatic logons must be disabled.
V-14261 Medium Windows must be prevented from using Windows Update to search for drivers.
V-14260 Medium Downloading print driver packages over HTTP must be prevented.
V-14269 Medium Mechanisms for removing zone information from file attachments must be hidden.
V-14268 Medium Zone information must be preserved when saving attachments.
V-36739 Medium The Windows 8 Music app must be removed from the system.
V-36738 Medium The Windows 8 Games app must be removed from the system.
V-15684 Medium Users must be notified if a web-based program attempts to install software.
V-36731 Medium Telnet Server must not be installed on the system.
V-36730 Medium The Telnet Client must not be installed on the system.
V-36733 Medium User-level information must be backed up per organization defined frequency consistent with recovery time and recovery point objectives.
V-36732 Medium The TFTP Client must not be installed on the system.
V-36735 Medium The system must support automated patch management tools to facilitate flaw remediation to organization defined information system components.
V-36734 Medium The system must employ automated mechanisms or must have an application installed that, on an organization defined frequency determines the state of information system components with regard to flaw remediation.
V-36737 Medium The Windows 8 SkyDrive app must be removed from the system.
V-36736 Medium The system must query the certification authority to determine whether a public key certificate has been revoked before accepting the certificate for authentication purposes.
V-26579 Medium The Application event log must be configured to a minimum size requirement.
V-15682 Medium Attachments must be prevented from being downloaded from RSS feeds.
V-15683 Medium File Explorer shell protocol must run in protected mode.
V-1141 Medium Unencrypted passwords must not be sent to third-party SMB Server.
V-15685 Medium Users must be prevented from changing installation options.
V-26529 Medium The system must be configured to audit Account Logon - Credential Validation successes.
V-4447 Medium The Remote Desktop Session Host must require secure RPC communications.
V-3480 Medium Media Player must be configured to prevent automatic checking for updates.
V-3481 Medium Media Player must be configured to prevent automatic Codec downloads.
V-32274 Medium The DoD Interoperability Root CA to DoD Root CA 2 cross certificate must be installed into the Untrusted Certificates Store.
V-36698 Medium The use of biometrics must be disabled.
V-32272 Medium The DoD Root Certificate must be installed into the Trusted Root Store.
V-32273 Medium The External CA Root Certificate must be installed into the Trusted Root Store.
V-17429 Medium The Windows Firewall must allow outbound connections, unless a rule explicitly blocks the connection for the Private Profile.
V-14229 Medium Auditing of Backup and Restore Privileges must be turned off.
V-14228 Medium Auditing Access to Global System Objects must be turned off.
V-36771 Medium Use of Microsoft accounts to log on must be blocked.
V-36770 Medium Local administrator accounts must have their privileged token filtered to prevent elevated privileges from being used over the network on domain systems.
V-14225 Medium Administrator passwords must be changed as required.
V-14224 Medium The site must have a contingency for emergency administration of the system.
V-1107 Medium The password uniqueness must meet minimum requirements.
V-1105 Medium The minimum password age must meet requirements.
V-1104 Medium The maximum password age must meet requirements.
V-14241 Medium User Account Control must switch to the secure desktop when prompting for elevation.
V-1072 Medium Shared user accounts must not be permitted on the system.
V-1070 Medium Systems must be physically secured.
V-26576 Medium The IP-HTTPS IPv6 transition technology must be disabled.
V-26577 Medium The ISATAP IPv6 transition technology must be disabled.
V-26575 Medium The 6to4 IPv6 transition technology must be disabled.
V-26578 Medium The Teredo IPv6 transition technology must be disabled.
V-1171 Medium Ejection of removable NTFS media must be restricted to Administrators.
V-26478 Medium Unauthorized accounts must not have the Create a pagefile user right.
V-26476 Medium Unauthorized accounts must not have the Change the system time user right.
V-26474 Medium Unauthorized accounts must not have the Back up files and directories user right.
V-26473 Medium Unauthorized accounts must not have the Allow log on through Remote Desktop Services user right.
V-26472 Medium Unauthorized accounts must not have the Allow log on locally user right.
V-26471 Medium Unauthorized accounts must not have the Adjust memory quotas for a process user right.
V-26470 Medium Unauthorized accounts must not have the Access this computer from the network user right.
V-36658 Medium Users with Administrative privilege must be documented.
V-36656 Medium A screen saver must be enabled on the system.
V-36657 Medium The screen saver must be password protected.
V-15727 Medium Users must be prevented from sharing files in their profiles.
V-15722 Medium Windows Media Digital Rights Management must be prevented from accessing the Internet.
V-1089 Medium The required legal notice must be configured to display before console logon.
V-3471 Medium The system must be configured to prevent automatic forwarding of error information.
V-3470 Medium The system must be configured to prevent unsolicited remote assistance offers.
V-1088 Medium The registry must be audited for failed access attempts.
V-14240 Medium User Account Control must run all administrators in Admin Approval Mode, enabling UAC.
V-3479 Medium The system must be configured to use Safe DLL Search Mode.
V-1080 Medium The file system must be audited for failed access attempts.
V-36751 Medium The Windows 8 default Photos app must be removed from the system.
V-14242 Medium User Account Control must virtualize file and registry write failures to per-user locations.
V-26582 Medium The System event log must be configured to a minimum size requirement.
V-26581 Medium The Setup event log must be configured to a minimum size requirement.
V-26580 Medium The Security event log must be configured to a minimum size requirement.
V-14249 Medium Local drives must be prevented from sharing with Remote Desktop Session Hosts.
V-3376 Medium The system must be configured to prevent the storage of passwords and credentials.
V-3377 Medium The system must be configured to prevent anonymous users from having the same rights as the Everyone group.
V-3374 Medium The system must be configured to require a strong session key.
V-17421 Medium The Windows Firewall must block unicast response to multicast or broadcast messages for the Domain Profile.
V-3378 Medium The system must be configured to use the Classic security model.
V-36727 Medium Hyper-V must not be installed on a workstation.
V-36724 Medium Permissions for the System event log must prevent access by non-privileged accounts.
V-36722 Medium Permissions for the Application event log must prevent access by non-privileged accounts.
V-36723 Medium Permissions for the Security event log must prevent access by non-privileged accounts.
V-36720 Medium The Windows Remote Management (WinRM) service must not store RunAs credentials.
V-36684 Medium Local users on domain-joined computers must not be enumerated.
V-36687 Medium App notifications on the lock screen must be turned off.
V-36681 Medium Copying of user input methods to the system account for sign-in must be prevented.
V-36680 Medium Access to the Windows Store must be turned off.
V-36728 Medium Simple Network Management Protocol (SNMP) must not be installed on the system.
V-36729 Medium Simple TCPIP Services must not be installed on the system.
V-1130 Medium ACLs for system files and directories must conform to minimum requirements.
V-1131 Medium Password complexity software that enforces DoD requirements must be installed.
V-15674 Medium The Internet File Association service must be turned off.
V-14230 Medium Audit policy using subcategories must be enabled.
V-26538 Medium The system must be configured to audit Account Management - User Account Management failures.
V-26539 Medium The system must be configured to audit Detailed Tracking - Process Creation successes.
V-26533 Medium The system must be configured to audit Account Management - Other Account Management Events successes.
V-26530 Medium The system must be configured to audit Account Logon - Credential Validation failures.
V-26536 Medium The system must be configured to audit Account Management - Security Group Management failures.
V-26537 Medium The system must be configured to audit Account Management - User Account Management successes.
V-26534 Medium The system must be configured to audit Account Management - Other Account Management Events failures.
V-26535 Medium The system must be configured to audit Account Management - Security Group Management successes.
V-14235 Medium User Account Control must, at minimum, prompt administrators for consent on the secure desktop.
V-14237 Medium User Account Control must be configured to detect application installations and prompt for elevation.
V-21975 Medium The system must be prevented from joining a homegroup.
V-26549 Medium The system must be configured to audit Privilege Use - Sensitive Privilege Use successes.
V-26548 Medium The system must be configured to audit Policy Change - Authentication Policy Change successes.
V-26547 Medium The system must be configured to audit Policy Change - Audit Policy Change failures.
V-26546 Medium The system must be configured to audit Policy Change - Audit Policy Change successes.
V-26545 Medium The system must be configured to audit Object Access - Registry failures.
V-26544 Medium The system must be configured to audit Object Access - File System failures.
V-26543 Medium The system must be configured to audit Logon/Logoff - Special Logon successes.
V-26542 Medium The system must be configured to audit Logon/Logoff - Logon failures.
V-26541 Medium The system must be configured to audit Logon/Logoff - Logon successes.
V-26540 Medium The system must be configured to audit Logon/Logoff - Logoff successes.
V-36667 Medium The system must be configured to audit Object Access - Removable Storage failures.
V-36666 Medium Policy must require that system administrators (SAs) be trained for the operating systems used by systems under their control.
V-36663 Medium System BIOS or system controllers supporting password protection must have administrator accounts/passwords configured, and no others.
V-36662 Medium Application account passwords must be changed at least annually or when a system administrator with knowledge of the password leaves the organization.
V-36661 Medium Application account passwords must be at least 15 characters in length.
V-16048 Medium Windows Help Ratings feedback must be turned off.
V-36669 Medium The system must be configured to audit Object Access - Handle Manipulation failures.
V-36668 Medium The system must be configured to audit Object Access - Removable Storage successes.
V-4448 Medium Group Policy objects must be reprocessed even if they have not changed.
V-3666 Medium The system must be configured to meet the minimum session security requirement for NTLM SSP based servers.
V-14239 Medium User Account Control must only elevate UIAccess applications that are installed in secure locations.
V-36768 Medium Near Field Communications (NFC) chips must be disabled.
V-36769 Medium Infrared (IR) ports must be disabled.
V-36762 Medium The system must notify the user when a Bluetooth device attempts to connect.
V-36763 Medium Built-in cameras must be disabled unless allowed by physical security policies.
V-14234 Medium User Account Control approval mode for the built-in Administrator must be enabled.
V-36767 Medium Global Positioning System (GPS) must be disabled unless required and approved by the organization.
V-14236 Medium User Account Control must, at minimum, prompt users for credentials on the secure desktop.
V-36765 Medium Built-in microphones must be disabled on mobile devices unless required and approved by the organization.
V-3245 Medium File shares must be limited on a system.
V-36710 Low Automatic download of updates from the Windows Store must be turned off.
V-3375 Low Domain Controller authentication must not be required to unlock the workstation.
V-26502 Low Unauthorized accounts must not have the Remove computer from docking station user right.
V-1165 Low The computer account password must not be prevented from being reset.
V-1091 Low The system must not halt when the security event log has reached its maximum size.
V-1090 Low Caching of logon credentials must be limited.
V-15701 Low A system restore point must be created when a new device driver is installed.
V-15707 Low Remote Assistance log files must be generated.
V-36692 Low Remote assistance must display a warning message when allowing helpdesk personnel to control a system.
V-36691 Low The display must turn off after 20 minutes of inactivity when the system is plugged in.
V-36696 Low The detection of compatibility issues for applications and drivers must be turned off.
V-36697 Low Trusted app installation must be enabled to allow for signed enterprise line of business apps.
V-36694 Low Remote assistance must display a warning message when allowing helpdesk personnel to connect to a system.
V-1128 Low Security configuration tools or equivalent processes must be used to configure and maintain platforms for security compliance.
V-21964 Low Device metadata retrieval from the Internet must be prevented.
V-21965 Low Device driver searches using Windows Update must be prevented.
V-21966 Low Handwriting personalization data sharing with Microsoft must be prevented.
V-21967 Low Microsoft Support Diagnostic Tool (MSDT) interactive communication with Microsoft must be prevented.
V-21960 Low Domain users must be required to elevate when setting a networks location.
V-21961 Low All Direct Access traffic must be routed through the internal network.
V-21963 Low Windows Update must be prevented from searching for point and print drivers.
V-21969 Low Access to Windows Online Troubleshooting Service (WOTS) must be prevented.
V-28504 Low Windows must be prevented from sending an error report when a device driver requests additional software during installation.
V-15703 Low Users must not be prompted to search Windows Update for device drivers.
V-15702 Low An Error Report must not be sent when a generic device driver is installed.
V-36673 Low IP stateless autoconfiguration limits state must be enabled.
V-15709 Low Game explorer information must not be downloaded from Windows Metadata Services.
V-36678 Low Device driver updates must only search managed servers, not Windows Update.
V-36676 Low Users must only be allowed to point and print to machines in their forest.
V-36677 Low Optional component installation and component repair must be prevented from using Windows Update.
V-17446 Low The Windows Firewall must log dropped packets for the Public Profile.
V-17447 Low The Windows Firewall must log successful connections for the Public Profile.
V-17444 Low The Windows Firewall log file name and location must be configured for the Public Profile.
V-17445 Low The Windows Firewall log size must be configured for the Public Profile.
V-17440 Low The Windows Firewall must display notifications when a program is blocked from receiving an inbound connection for the Public Profile.
V-15704 Low Errors in handwriting recognition on tablet PCs must not be reported to Microsoft.
V-36707 Low The Windows SmartScreen must be turned off.
V-11806 Low The system must be configured to prevent the display of the last username on the logon screen.
V-1158 Low The Recovery Console SET command must be disabled.
V-1150 Low The built-in Microsoft password complexity filter must be enabled.
V-4438 Low The system must limit how many times unacknowledged TCP data is retransmitted.
V-1112 Low Outdated or unused accounts must be removed from the system.
V-21955 Low IPv6 source routing must be configured to highest protection.
V-21956 Low IPv6 TCP data retransmissions must be configured to prevent resources from becoming exhausted.
V-15712 Low Indexing of mail items in Exchange Folder when Outlook is running in uncached mode must be turned off.
V-15714 Low Error Reporting events must be logged in the system event log.
V-15717 Low Additional data requests in response to Error Reporting must be declined.
V-15718 Low Turning off File Explorer heap termination on corruption must be disabled.
V-15719 Low Users must be notified if the logon server was inaccessible and cached credentials were used.
V-17430 Low The Windows Firewall must display notifications when a program is blocked from receiving an inbound connection for the Private Profile.
V-17437 Low The Windows Firewall must log successful connections for the Private Profile.
V-17436 Low The Windows Firewall must log dropped packets for the Private Profile.
V-17435 Low The Windows Firewall log size must be configured for the Private Profile.
V-17434 Low The Windows Firewall log file name and location must be configured for the Private Profile.
V-15680 Low The classic logon screen must be required for user logons.
V-15686 Low Non-administrators must be prevented from applying vendor-signed updates.
V-15687 Low Users must not be presented with Privacy and Installation options on first use of Windows Media Player.
V-1148 Low Local users must not exist on a system in a domain.
V-4108 Low The system must generate an audit event when the audit log reaches a percentage of full threshold.
V-36775 Low Changing the screen saver must be prevented.
V-36774 Low A screen saver must be defined.
V-36777 Low Toast notifications to the lock screen must be turned off.
V-36776 Low Notifications from Windows Push Network Service must be turned off.
V-1076 Low System information backups must be created, updated, and protected.
V-1075 Low The shutdown option must be available from the logon dialog box.
V-1174 Low The amount of idle time required before suspending a session must be properly set.
V-1172 Low Users must be warned in advance of their passwords expiring.
V-1173 Low The default permissions of global system objects must be increased.
V-26477 Low Unauthorized accounts must not have the Change the time zone user right.
V-26475 Low Unauthorized accounts must not have the Bypass traverse checking user right.
V-3472 Low If the time service is configured, it must use an authorized time server.
V-36690 Low The display must turn off after 20 minutes of inactivity when the system is running on battery.
V-3373 Low The maximum age for machine account passwords must be set to requirements.
V-26359 Low The Windows dialog box title for the legal banner must be configured.
V-17420 Low The Windows Firewall must display notifications when a program is blocked from receiving an inbound connection for the Domain Profile.
V-17424 Low The Windows Firewall log file name and location must be configured for the Domain Profile.
V-17425 Low The Windows Firewall log size must be configured for the Domain Profile.
V-17426 Low The Windows Firewall must log dropped packets for the Domain Profile.
V-17427 Low The Windows Firewall must log successful connections for the Domain Profile.
V-1136 Low Users must be forcibly disconnected when their logon hours expire.
V-15676 Low The Order Prints Online wizard must be turned off.
V-15675 Low Windows Registration Wizard must be turned off.
V-15673 Low The Internet Connection Wizard must not download a list of Internet Service Providers (ISPs) from Microsoft.
V-15672 Low Event Viewer Events.asp links must be turned off.
V-15671 Low Root Certificates must not be updated automatically from the Microsoft site.
V-14231 Low The system must be configured to hide the computer from the browse list.
V-21974 Low Downloading of game update information must be turned off.
V-21971 Low The Application Compatibility Program Inventory must be prevented from collecting data and sending the information to Microsoft.
V-21970 Low Responsiveness events must be prevented from being aggregated and sent to Microsoft.
V-4113 Low The system must be configured to limit how often keep-alive packets are sent.
V-4112 Low The system must be configured to disable the Internet Router Discovery Protocol (IRDP).
V-4111 Low The system must be configured to prevent Internet Control Message Protocol (ICMP) redirects from overriding Open Shortest Path First (OSPF) generated routes.
V-4110 Low The system must be configured to prevent IP source routing.
V-4116 Low The system must be configured to ignore NetBIOS name release requests except from WINS servers.
V-4442 Low The system must be configured to have password protection take effect within a limited time frame when the screen saver becomes active.
V-14232 Low IPSec Exemptions must be limited.