Welcome to the Windows Hardening Interface



Reference: 0x6d69636b
Date: 02/10/2021
Type: machine
Number of policies: 330

# Apply Mode Name Severity UIX impact Default Value Recommended Value

Features

1000 Basic SMBv1 Support High No impact Disabled Disabled

SMBv1 Support

Tags: Network, Share, SMB

Introduction


In computer networking, Server Message Block (SMB), one version of which was also known as Common Internet File System (CIFS), is a communication protocol for providing shared access to files, printers, and serial ports between nodes on a network. It also provides an authenticated inter-process communication (IPC) mechanism.


Relevance indicator

100

Table of settings


UIX

No impact : 0

Method

Method :
WindowsOptionalFeature
Method Argument :
smb1protocol

Values

Type :
String
Possible Values :
  • Enable
  • Disable
  • Not defined

Powershell Command

Getting Command :
Get-WindowsOptionalFeature -Online -FeatureName smb1protocol ;
Setting Command :
Disable-WindowsOptionalFeature -Online -FeatureName smb1protocol ;
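Added example, not code from the hardening interface: SMBv1 can be left on at two layers, the optional feature and the SMB server's own EnableSMB1Protocol switch, and the single command above only touches the first. The functions below audit both, report a combined compliance verdict, and remediate with a dry-run option. Cmdlet names are the stock DISM and SmbShare ones; the function names are this example's own. Run from an elevated session; the feature removal completes after a reboot.

```powershell
# Added example, not code from the hardening interface. Audits SMBv1 at both
# layers it can live in (the optional feature and the SMB server's own switch)
# and removes it. Run elevated; the feature removal completes after a reboot.
function Get-Smb1Status {
    # Optional-feature state: Enabled, Disabled, DisabledWithPayloadRemoved, or absent
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    # Server-side switch (SmbShare module, Windows 8 / Server 2012 and later)
    $server  = Get-SmbServerConfiguration -ErrorAction SilentlyContinue

    $featureOn = $feature -and ($feature.State -eq 'Enabled')
    $serverOn  = $server  -and [bool]$server.EnableSMB1Protocol
    [pscustomobject]@{
        FeatureState      = if ($feature) { "$($feature.State)" } else { 'NotPresent' }
        ServerSmb1Enabled = $serverOn
        Compliant         = -not ($featureOn -or $serverOn)
    }
}

function Disable-Smb1 {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $status = Get-Smb1Status
    if ($status.Compliant) { Write-Verbose 'SMBv1 already disabled'; return $status }

    if ($status.ServerSmb1Enabled -and $PSCmdlet.ShouldProcess('SMB server', 'Disable SMB1 protocol')) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    }
    if ($status.FeatureState -eq 'Enabled' -and $PSCmdlet.ShouldProcess('SMB1Protocol feature', 'Disable and remove payload')) {
        # -NoRestart leaves the reboot to the operator; -Remove also drops the feature payload
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart -Remove | Out-Null
    }
    Get-Smb1Status
}

Get-Smb1Status
# Disable-Smb1 -WhatIf    # dry run; drop -WhatIf to apply
```

Get-Smb1Status is safe to run on any host as a read-only audit; Disable-Smb1 honours -WhatIf and -Confirm so it can be reviewed before a fleet-wide rollout.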


Account Policies

1100 Basic Account lockout threshold Low Potentially Never 10

Account lockout threshold

Tags: Authentication, Sign-in, Attempts

Introduction


The Account lockout threshold policy setting determines the number of failed sign-in attempts that will cause a user account to be locked. A locked account cannot be used until you reset it or until the number of minutes specified by the Account lockout duration policy setting expires.

  • You can set a value from 1 through 999 failed sign-in attempts, or you can specify that the account will never be locked by setting the value to 0.
  • If Account lockout threshold is set to a number greater than zero, Account lockout duration must be greater than or equal to the value of Reset account lockout counter after.


Relevance indicator

33

Table of settings


UIX

Potentially : 1

Method

Method :
accountpolicy

Values

Type :
Number
Possible Values :
  • 0-999 (Attempts; 0 means the account is never locked out)

Powershell Command

Getting Command :
C:\Windows\System32\net.exe accounts | Select-String 'Lockout threshold' ;
Setting Command :
C:\Windows\System32\net.exe accounts /lockoutthreshold:10 ;


1101 Basic Account lockout duration Low Potentially 30 15

Account lockout duration

Tags: Authentication, Duration

Introduction


The Account lockout duration policy setting determines the number of minutes that a locked-out account remains locked out before automatically becoming unlocked. The available range is from 1 through 99,999 minutes. A value of 0 specifies that the account will be locked out until an administrator explicitly unlocks it.


Relevance indicator

33

Table of settings


UIX

Potentially : 1

Method

Method :
accountpolicy

Values

Type :
Number
Possible Values :
  • 0 (Locked out until an administrator explicitly unlocks the account)
  • 1-99 999 (Minutes)

Powershell Command

Getting Command :
C:\Windows\System32\net.exe accounts | Select-String 'Lockout duration' ;
Setting Command :
C:\Windows\System32\net.exe accounts /lockoutduration:15 ;


1102 Basic Reset account lockout counter Low Potentially 30 15

Reset account lockout counter

Tags: Authentication, Duration

Introduction


The Reset account lockout counter after policy setting determines the number of minutes that must elapse from the time a user fails to log on before the failed logon attempt counter is reset to 0.


Relevance indicator

33

Table of settings


UIX

Potentially : 1

Method

Method :
accountpolicy

Values

Type :
Number
Possible Values :
  • 1-99 999 (Minutes)

Powershell Command

Getting Command :
C:\Windows\System32\net.exe accounts | Select-String 'Lockout observation window' ;
Setting Command :
C:\Windows\System32\net.exe accounts /lockoutwindow:15 ;
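Added example, not code from the hardening interface, covering entries 1100, 1101 and 1102 together: the three lockout values are interdependent (the duration must be 0 or at least the reset window whenever the threshold is non-zero), and applying them one net.exe call at a time in the wrong order can trip that rule. The functions below parse the current values out of net.exe as numbers, validate the new set, and apply it in an order that never violates the constraint. The parsing assumes the English net.exe output; the function names are this example's own. On a domain member the domain account policy overrides whatever is set locally.

```powershell
# Added example, not code from the hardening interface. Reads the three lockout
# values from net.exe as numbers and applies a new set in an order that never
# violates the rule above (duration >= reset window while the threshold is
# non-zero). Parsing assumes the English net.exe output; on a domain member
# the domain's account policy overrides whatever is set locally.
$script:Net = "$env:SystemRoot\System32\net.exe"

function Get-LockoutPolicy {
    $out = & $script:Net accounts
    $read = {
        param($label)
        $line = $out | Where-Object { $_ -like "$label*" } | Select-Object -First 1
        $val  = ($line -split ':', 2)[1].Trim()
        if ($val -eq 'Never') { 0 } else { [int]($val -replace '[^\d]', '') }   # 'Never' is how net.exe shows 0
    }
    [pscustomobject]@{
        Threshold = & $read 'Lockout threshold'
        Duration  = & $read 'Lockout duration (minutes)'
        Window    = & $read 'Lockout observation window (minutes)'
    }
}

function Set-LockoutPolicy {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [ValidateRange(0, 999)]   [int]$Threshold = 10,   # 0 = never lock out
        [ValidateRange(0, 99999)] [int]$Duration  = 15,   # 0 = locked until an admin unlocks
        [ValidateRange(1, 99999)] [int]$Window    = 15
    )
    # Mirrors the rule stated in the policy description before anything is written
    if ($Threshold -gt 0 -and $Duration -ne 0 -and $Duration -lt $Window) {
        throw "Lockout duration ($Duration) must be 0 or >= the reset window ($Window)"
    }
    if (-not $PSCmdlet.ShouldProcess('local account policy', "threshold=$Threshold duration=$Duration window=$Window")) { return }

    $current = Get-LockoutPolicy
    & $script:Net accounts "/lockoutthreshold:$Threshold" | Out-Null
    if ($Threshold -gt 0) {
        # Raising the duration: set it first so the new window never exceeds it.
        # Lowering it: shrink the window first for the same reason.
        if ($Duration -eq 0 -or $Duration -ge $current.Window) {
            & $script:Net accounts "/lockoutduration:$Duration" | Out-Null
            & $script:Net accounts "/lockoutwindow:$Window"     | Out-Null
        } else {
            & $script:Net accounts "/lockoutwindow:$Window"     | Out-Null
            & $script:Net accounts "/lockoutduration:$Duration" | Out-Null
        }
    }
    Get-LockoutPolicy
}

Get-LockoutPolicy
# Set-LockoutPolicy -Threshold 10 -Duration 15 -Window 15 -WhatIf
```

The recommended values on this page (10 attempts, 15 minutes, 15 minutes) are the defaults of Set-LockoutPolicy; a lockout threshold this low with a short window is what keeps password spraying expensive without turning lockout into a denial-of-service lever against your own users.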


1103 Basic Store passwords using reversible encryption High No impact 0 0

Store passwords using reversible encryption

Tags: Authentication

Introduction


The Store passwords using reversible encryption policy setting provides support for applications that use protocols that require the user's plaintext password for authentication. Storing a password reversibly means that anyone who can read the stored data together with the key that protects it can recover the plaintext password, which is close to storing it in clear text.
An attacker who obtains a copy of the account database can then log on to network resources with the recovered credentials.
For this reason, never enable Store passwords using reversible encryption for all users in the domain unless application requirements outweigh the need to protect password information. If one application genuinely needs it, enable the option on the individual accounts it uses rather than in policy.

Relevance indicator

100

Table of settings


UIX

No impact : 0

Method

Method :
secedit
Method Argument :
System Access\ClearTextPassword

Values

Type :
Number
Possible Values :
  • 1 (Enable)
  • 0 (Disable)
  • Not defined

Powershell Command

Getting Command :
C:\Windows\System32\secedit.exe /export /cfg "$env:TEMP\secpol.inf" /areas SECURITYPOLICY | Out-Null ; Get-Content -Encoding unicode "$env:TEMP\secpol.inf" | Select-String ClearTextPassword ;   # export file path is an assumption (the original omitted the /cfg argument); ClearTextPassword lives in the SECURITYPOLICY area, not USER_RIGHTS
Setting Command :
secedit.exe /export /cfg /areas SECURITYPOLICY | Out-Null  ; $Data = Get-IniContent   ; Set-HashtableValueDeep $Data ClearTextPassword ; Out-IniFile $Data unicode $true  ; secedit.exe /import /cfg /overwrite /areas SECURITYPOLICY /db [System.IO.Path]::GetTempFileName() /quiet | Out-Null ;
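The setting command above relies on helper cmdlets from the hardening tool itself (Get-IniContent, Set-HashtableValueDeep, Out-IniFile). The following is an added example, not the tool's code, that does the same INF round-trip with only built-in cmdlets and secedit: export the SECURITYPOLICY area, rewrite the one line under [System Access], and configure it back. File names under $env:TEMP and the function names are this example's own assumptions.

```powershell
# Added example, not the interface's own helper cmdlets. Changes a [System Access]
# value through secedit's INF round-trip, which is how the policy engine expects
# local security policy to be written. File names under $env:TEMP are assumptions.
function Get-SecPolLines {
    param([string]$Area = 'SECURITYPOLICY')
    $inf = Join-Path $env:TEMP "secpol-$Area.inf"
    secedit.exe /export /cfg $inf /areas $Area /quiet | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "secedit export failed (exit $LASTEXITCODE)" }
    $lines = Get-Content -Encoding Unicode $inf    # secedit writes UTF-16LE
    Remove-Item $inf -ErrorAction SilentlyContinue
    $lines
}

function Get-SecPolValue {
    param([string]$Section = 'System Access', [string]$Name = 'ClearTextPassword', [string]$Area = 'SECURITYPOLICY')
    $current = ''
    foreach ($line in Get-SecPolLines $Area) {
        if ($line -match '^\[(.+)\]') { $current = $Matches[1]; continue }
        if ($current -eq $Section -and $line -match "^\s*$([regex]::Escape($Name))\s*=\s*(.*)$") {
            return $Matches[1].Trim()
        }
    }
    $null    # value not present in the export: 'Not defined'
}

function Set-SecPolValue {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string]$Section,
        [Parameter(Mandatory)] [string]$Name,
        [Parameter(Mandatory)] [string]$Value,
        [string]$Area = 'SECURITYPOLICY'
    )
    $current = ''; $found = $false
    $new = foreach ($line in Get-SecPolLines $Area) {
        if ($line -match '^\[(.+)\]') { $current = $Matches[1] }
        if ($current -eq $Section -and $line -match "^\s*$([regex]::Escape($Name))\s*=") {
            $found = $true
            "$Name = $Value"
        } else {
            $line
        }
    }
    if (-not $found) { throw "$Name not found in [$Section]; nothing written" }
    if (-not $PSCmdlet.ShouldProcess("[$Section] $Name", "set to $Value")) { return }

    $inf = Join-Path $env:TEMP 'secpol-apply.inf'
    $db  = Join-Path $env:TEMP 'secpol-apply.sdb'
    $new | Set-Content -Encoding Unicode $inf
    secedit.exe /configure /db $db /cfg $inf /areas $Area /quiet | Out-Null
    $rc = $LASTEXITCODE
    Remove-Item $inf, $db -ErrorAction SilentlyContinue
    if ($rc -ne 0) { throw "secedit configure failed (exit $rc)" }
    Get-SecPolValue -Section $Section -Name $Name -Area $Area
}

Get-SecPolValue                                   # current ClearTextPassword
# Set-SecPolValue -Section 'System Access' -Name 'ClearTextPassword' -Value 0 -WhatIf
```

The same pair works for any other [System Access] key (MinimumPasswordLength, LockoutBadCount and so on); the export is re-read after the import so the caller sees what the policy engine actually stored rather than what was requested.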


User Rights Assignment

1200 Enterprise Access this computer from the network Medium Potentially Default: BUILTIN\Backup Operators; BUILTIN\Users; BUILTIN\Administrators; Everyone Recommended: BUILTIN\Administrators

Access this computer from the network

Tags: Network

Introduction


The Access this computer from the network policy setting determines which users can connect to the device from the network. This capability is required by a number of network protocols, including Server Message Block (SMB)-based protocols, NetBIOS, Common Internet File System (CIFS), and Component Object Model Plus (COM+).


Relevance indicator

50

Table of settings


UIX

Potentially : 1

Method

Method :
accesschk
Method Argument :
SeNetworkLogonRight

Values

Type :
List
Possible Values :
  • User-defined list of accounts

Powershell Command

Getting Command :
C:\Windows\System32\secedit.exe /export /cfg "$env:TEMP\secpol.inf" /areas USER_RIGHTS | Out-Null ; Get-Content -Encoding unicode "$env:TEMP\secpol.inf" | Select-String SeNetworkLogonRight ;   # export file path is an assumption; the original omitted the /cfg argument
Setting Command :
(Add) ntrights +r SeNetworkLogonRight -u "" ; (Remove) ntrights -r SeNetworkLogonRight -u "" ;


1201 Enterprise Allow log on locally Medium Potentially Default: BUILTIN\Backup Operators; BUILTIN\Users; BUILTIN\Administrators; COMPUTERNAME\Guest Recommended: BUILTIN\Users; BUILTIN\Administrators

Allow log on locally

Tags: Network, Remote Desktop

Introduction


This policy setting determines which users can start an interactive session on the device. Users must have this user right to log on over a Remote Desktop Services session that is running on a Windows-based member device or domain controller.


Relevance indicator

50

Table of settings


UIX

Potentially : 1

Method

Method :
accesschk
Method Argument :
SeInteractiveLogonRight

Values

Type :
List
Possible Values :
  • User-defined list of accounts

Powershell Command

Getting Command :
C:\Windows\System32\secedit.exe /export /cfg "$env:TEMP\secpol.inf" /areas USER_RIGHTS | Out-Null ; Get-Content -Encoding unicode "$env:TEMP\secpol.inf" | Select-String SeInteractiveLogonRight ;   # export file path is an assumption; the original omitted the /cfg argument
Setting Command :
(Add) ntrights +r SeInteractiveLogonRight -u "" ; (Remove) ntrights -r SeInteractiveLogonRight -u "" ;


1202 Enterprise Debug programs Medium Potentially BUILTIN\Administrators

Debug programs

Tags: Developer, Process

Introduction


This policy setting determines which users can attach to or open any process, even a process they do not own.

  • Developers who are debugging their own applications do not need this user right.
  • Developers who are debugging new system components need this user right. This user right provides access to sensitive and critical operating-system components.


Relevance indicator

50

Table of settings


UIX

Potentially : 1

Method

Method :
accesschk
Method Argument :
SeDebugPrivilege

Values

Type :
List
Possible Values :
  • User-defined list of accounts

Powershell Command

Getting Command :
C:\Windows\System32\secedit.exe /export /cfg "$env:TEMP\secpol.inf" /areas USER_RIGHTS | Out-Null ; Get-Content -Encoding unicode "$env:TEMP\secpol.inf" | Select-String SeDebugPrivilege ;   # export file path is an assumption; the original omitted the /cfg argument
Setting Command :
(Add) ntrights +r SeDebugPrivilege -u "" ; (Remove) ntrights -r SeDebugPrivilege -u "" ;


1203 Enterprise Deny access to this computer from the network Medium Potentially Default: COMPUTERNAME\Guest Recommended: BUILTIN\Guests; NT AUTHORITY\Local account

Deny access to this computer from the network

Tags: Network, Access

Introduction


This security setting determines which users are prevented from accessing a device over the network.


Relevance indicator

50

Table of settings


UIX

Potentially : 1

Method

Method :
accesschk
Method Argument :
SeDenyNetworkLogonRight

Values

Type :
List
Possible Values :
  • User-defined list of accounts

Powershell Command

Getting Command :
C:\Windows\System32\secedit.exe /export /cfg "$env:TEMP\secpol.inf" /areas USER_RIGHTS | Out-Null ; Get-Content -Encoding unicode "$env:TEMP\secpol.inf" | Select-String SeDenyNetworkLogonRight ;   # export file path is an assumption; the original omitted the /cfg argument
Setting Command :
(Add) ntrights +r SeDenyNetworkLogonRight -u "" ; (Remove) ntrights -r SeDenyNetworkLogonRight -u "" ;


1204 Enterprise Deny log on as a batch job Medium Potentially BUILTIN\Guests

Deny log on as a batch job


Introduction


This policy setting determines which accounts are prevented from logging on by using a batch-queue tool to schedule and start jobs automatically in the future.
The ability to log on by using a batch-queue tool is needed for any account that is used to start scheduled jobs by means of the Task Scheduler.


Relevance indicator

50

Table of settings


UIX

Potentially : 1

Method

Method :
accesschk
Method Argument :
SeDenyBatchLogonRight

Values

Type :
List
Possible Values :
  • User-defined list of accounts

Powershell Command

Getting Command :
C:\Windows\System32\secedit.exe /export /cfg "$env:TEMP\secpol.inf" /areas USER_RIGHTS | Out-Null ; Get-Content -Encoding unicode "$env:TEMP\secpol.inf" | Select-String SeDenyBatchLogonRight ;   # export file path is an assumption; the original omitted the /cfg argument
Setting Command :
(Add) ntrights +r SeDenyBatchLogonRight -u "" ; (Remove) ntrights -r SeDenyBatchLogonRight -u "" ;


1205 Enterprise Deny log on as a service Medium Potentially BUILTIN\Guests

Deny log on as a service


Introduction


This policy setting determines which users are prevented from logging on to the service applications on a device.
A service is an application type that runs in the system background without a user interface. It provides core operating system features, such as web serving, event logging, file serving, printing, cryptography, and error reporting.


Relevance indicator

50

Table of settings


UIX

Potentially : 1

Method

Method :
accesschk
Method Argument :
SeDenyServiceLogonRight

Values

Type :
List
Possible Values :
  • User-defined list of accounts

Powershell Command

Getting Command :
C:\Windows\System32\secedit.exe /export /cfg "$env:TEMP\secpol.inf" /areas USER_RIGHTS | Out-Null ; Get-Content -Encoding unicode "$env:TEMP\secpol.inf" | Select-String SeDenyServiceLogonRight ;   # export file path is an assumption; the original omitted the /cfg argument
Setting Command :
(Add) ntrights +r SeDenyServiceLogonRight -u "" ; (Remove) ntrights -r SeDenyServiceLogonRight -u "" ;


1206 Enterprise Deny log on through Remote Desktop Services Medium Potentially BUILTIN\Guests; NT AUTHORITY\Local account

Deny log on through Remote Desktop Services

Tags: Remote Desktop

Introduction


This policy setting determines which users are prevented from logging on to the device through a Remote Desktop connection through Remote Desktop Services. It is possible for a user to establish a Remote Desktop connection to a particular server, but not be able to log on to the console of that server.


Relevance indicator

50

Table of settings


UIX

Potentially : 1

Method

Method :
accesschk
Method Argument :
SeDenyRemoteInteractiveLogonRight

Values

Type :
List
Possible Values :
  • User-defined list of accounts

Powershell Command

Getting Command :
C:\Windows\System32\secedit.exe /export /cfg "$env:TEMP\secpol.inf" /areas USER_RIGHTS | Out-Null ; Get-Content -Encoding unicode "$env:TEMP\secpol.inf" | Select-String SeDenyRemoteInteractiveLogonRight ;   # export file path is an assumption; the original omitted the /cfg argument
Setting Command :
(Add) ntrights +r SeDenyRemoteInteractiveLogonRight -u "" ; (Remove) ntrights -r SeDenyRemoteInteractiveLogonRight -u "" ;
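Added example, not code from the hardening interface, covering entries 1200 to 1206 together: the secedit export lists each right as raw SIDs prefixed with *, so the Select-String output above is hard to compare against the account names in the recommendations. The functions below parse the [Privilege Rights] section, translate each SID to an account name, and diff the result against the recommended lists on this page. The export file name and the function names are this example's own; ntrights is not needed, this is read-only.

```powershell
# Added example, not code from the hardening interface. Exports the user rights
# with secedit, turns the *S-1-... entries into account names, and diffs them
# against the recommended lists of entries 1200-1206. The export file name is an
# assumption. Note the deny rights invert the reading: an extra principal in a
# deny right is harmless, a missing one is a gap.
function Get-UserRightsAssignment {
    $inf = Join-Path $env:TEMP 'user-rights.inf'
    secedit.exe /export /cfg $inf /areas USER_RIGHTS /quiet | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "secedit export failed (exit $LASTEXITCODE)" }
    $rights = @{}
    $inSection = $false
    foreach ($line in Get-Content -Encoding Unicode $inf) {
        if ($line -match '^\[(.+)\]') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
        if (-not $inSection -or $line -notmatch '^(Se\w+)\s*=\s*(.*)$') { continue }
        $right = $Matches[1]; $raw = $Matches[2]
        $rights[$right] = @(foreach ($entry in ($raw -split ',')) {
            $e = $entry.Trim()
            if ($e -like '*S-1-*') {
                try { ([System.Security.Principal.SecurityIdentifier]$e.TrimStart('*')).Translate([System.Security.Principal.NTAccount]).Value }
                catch { $e }   # orphaned or foreign SID: keep it raw so it still shows up as 'Extra'
            } else { $e }
        })
    }
    Remove-Item $inf -ErrorAction SilentlyContinue
    $rights
}

function Compare-UserRights {
    param([Parameter(Mandatory)] [hashtable]$Recommended)
    $actual = Get-UserRightsAssignment
    foreach ($right in ($Recommended.Keys | Sort-Object)) {
        $have = @($actual[$right])            # right absent from the export -> empty list
        $want = @($Recommended[$right])
        $extra   = @($have | Where-Object { $want -notcontains $_ })
        $missing = @($want | Where-Object { $have -notcontains $_ })
        [pscustomobject]@{
            Right     = $right
            Extra     = $extra -join '; '
            Missing   = $missing -join '; '
            Compliant = ($extra.Count -eq 0 -and $missing.Count -eq 0)
        }
    }
}

# Recommended values as listed in entries 1200-1206
$recommended = @{
    SeNetworkLogonRight               = @('BUILTIN\Administrators')
    SeInteractiveLogonRight           = @('BUILTIN\Users', 'BUILTIN\Administrators')
    SeDebugPrivilege                  = @('BUILTIN\Administrators')
    SeDenyNetworkLogonRight           = @('BUILTIN\Guests', 'NT AUTHORITY\Local account')
    SeDenyBatchLogonRight             = @('BUILTIN\Guests')
    SeDenyServiceLogonRight           = @('BUILTIN\Guests')
    SeDenyRemoteInteractiveLogonRight = @('BUILTIN\Guests', 'NT AUTHORITY\Local account')
}
Compare-UserRights -Recommended $recommended | Format-Table -AutoSize
```

An unresolvable SID in a grant right is worth a second look on its own: it is usually a deleted account or a trust that no longer exists, and it stays effective until the right is cleaned up.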


Security Options

1300 StrongBox Accounts: Block Microsoft accounts Low Impact 0 3

Accounts: Block Microsoft accounts

Tags: Microsoft accounts

Introduction


This setting prevents using the Settings app to add a Microsoft account for single sign-on (SSO) authentication for Microsoft services and some background services, or using a Microsoft account for single sign-on to other applications or services.


Relevance indicator

0

Table of settings


UIX

Impact : 2

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
RegistryItem :
NoConnectedUser

Values

Type :
Number
Possible Values :
  • 0 (Not defined)
  • 1 (This policy is disabled)
  • 2 (Users can’t add Microsoft accounts)
  • 3 (Users can’t add or log on with Microsoft accounts)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -name 'NoConnectedUser'
Set Value :
Set-ItemProperty -path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -name 'NoConnectedUser' -value 3
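Added example, not code from the hardening interface, serving all the registry-backed Security Options entries on this page (1300 to 1313): the Get Value commands above error out when the value has never been written, and that "Not defined" state is not the same as 0 for several of these settings. The functions below check a table of path, value name and recommended value, report NotDefined separately from a wrong value, and remediate only the non-compliant rows with a dry-run option. The table rows are copied from the entries on this page; the function names are this example's own. On a domain member the next Group Policy refresh reapplies whatever the GPO says.

```powershell
# Added example, not code from the hardening interface. Checks the registry-backed
# Security Options on this page against their recommended values and can set the
# non-compliant ones. A missing value is reported as NotDefined rather than read as 0,
# since the two states are not equivalent for several of these settings. On a
# domain member a Group Policy refresh will reapply whatever the GPO says.
function Test-RegistryPolicy {
    param([Parameter(Mandatory)] [object[]]$Policy)
    foreach ($p in $Policy) {
        $actual = $null; $state = 'Defined'
        try   { $actual = Get-ItemPropertyValue -Path $p.Path -Name $p.Name -ErrorAction Stop }
        catch { $state = 'NotDefined' }     # missing key or missing value
        [pscustomobject]@{
            Id        = $p.Id
            Name      = $p.Name
            Actual    = $actual
            Expected  = $p.Expected
            State     = $state
            Compliant = ($state -eq 'Defined' -and $actual -eq $p.Expected)
        }
    }
}

function Set-RegistryPolicy {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)] [object[]]$Policy)
    foreach ($r in (Test-RegistryPolicy -Policy $Policy | Where-Object { -not $_.Compliant })) {
        $p = $Policy | Where-Object { $_.Id -eq $r.Id }
        if (-not $PSCmdlet.ShouldProcess("$($p.Path)\$($p.Name)", "set to $($p.Expected)")) { continue }
        if (-not (Test-Path $p.Path)) { New-Item -Path $p.Path -Force | Out-Null }
        # -Force overwrites an existing value; DWord is the type the policy engine expects here
        New-ItemProperty -Path $p.Path -Name $p.Name -Value $p.Expected -PropertyType DWord -Force | Out-Null
    }
    Test-RegistryPolicy -Policy $Policy
}

$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$sys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$policies = @(
    @{ Id = 1300; Path = $sys;           Name = 'NoConnectedUser';             Expected = 3 }
    @{ Id = 1301; Path = $lsa;           Name = 'SCENoApplyLegacyAuditPolicy'; Expected = 1 }
    @{ Id = 1302; Path = $sys;           Name = 'DisableCAD';                  Expected = 0 }
    @{ Id = 1303; Path = $sys;           Name = 'DontDisplayLastUserName';     Expected = 1 }
    @{ Id = 1304; Path = $sys;           Name = 'DontDisplayUserName';         Expected = 1 }
    @{ Id = 1309; Path = $lsa;           Name = 'RestrictAnonymousSAM';        Expected = 1 }
    @{ Id = 1310; Path = $lsa;           Name = 'RestrictAnonymous';           Expected = 1 }
    @{ Id = 1311; Path = $lsa;           Name = 'DisableDomainCreds';          Expected = 1 }
    @{ Id = 1312; Path = "$lsa\MSV1_0";  Name = 'allownullsessionfallback';    Expected = 0 }
    @{ Id = 1313; Path = $lsa;           Name = 'LmCompatibilityLevel';        Expected = 5 }
) | ForEach-Object { [pscustomobject]$_ }

Test-RegistryPolicy -Policy $policies | Format-Table -AutoSize
# Set-RegistryPolicy -Policy $policies -WhatIf
```

Writing these values directly is what the Set Value commands on this page do; in a managed environment the same table is better expressed as a GPO so that the policy engine, not a script, owns the state.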



1301 Enterprise Audit: Force audit policy subcategory settings to override audit policy category settings Low Potentially 1

Audit: Force audit policy subcategory settings to override audit policy category settings

Tags: Audit

Introduction


Windows has two audit-policy models: the nine legacy categories, and the finer-grained subcategories managed with auditpol.exe or Advanced Audit Policy Configuration. Enabling this setting makes the subcategory settings take precedence, so a legacy category setting applied later cannot silently override the granular policy. Any detection baseline built on subcategory auditing depends on it.

Relevance indicator

25

Table of settings


UIX

Potentially : 1

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\System\CurrentControlSet\Control\Lsa
RegistryItem :
SCENoApplyLegacyAuditPolicy

Values

Type :
Number
Possible Values :
  • 1 (Enable)
  • 0 (Disable)
  • Not defined

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\System\CurrentControlSet\Control\Lsa' -name 'SCENoApplyLegacyAuditPolicy'
Set Value :
Set-ItemProperty -path 'HKLM:\System\CurrentControlSet\Control\Lsa' -name 'SCENoApplyLegacyAuditPolicy' -value 1



1302 StrongBox Interactive logon: Do not require CTRL+ALT+DEL Low Impact 1 0

Interactive logon: Do not require CTRL+ALT+DEL

Tags: Interactive logon

Introduction


This security setting determines whether pressing CTRL+ALT+DEL is required before a user can log on.

  • If this policy setting is enabled on a device, a user is not required to press CTRL+ALT+DEL to log on.
  • If this policy is disabled, any user is required to press CTRL+ALT+DEL before logging on to the Windows operating system (unless they are using a smart card for logon).


Relevance indicator

0

Table of settings


UIX

Impact : 2

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System
RegistryItem :
DisableCAD

Values

Type :
Number
Possible Values :
  • 1 (Enable)
  • 0 (Disable)
  • Not defined

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System' -name 'DisableCAD'
Set Value :
Set-ItemProperty -path 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System' -name 'DisableCAD' -value 0



1303 StrongBox Interactive logon: Don't display last signed-in Low Impact 0 1

Interactive logon: Don't display last signed-in

Tags: Interactive logon

Introduction


This security policy setting determines whether the name of the last user to log on to the device is displayed on the Secure Desktop.

  • If this policy is enabled, the full name of the last user to successfully log on is not displayed on the Secure Desktop, nor is the user’s logon tile displayed. Additionally, if the Switch user feature is used, the full name and logon tile are not displayed. The logon screen requests a qualified domain account name (or local user name) and password.
  • If this policy is disabled, the full name of the last user to log on is displayed, and the user’s logon tile is displayed. This behavior is the same when the Switch user feature is used.


Relevance indicator

0

Table of settings


UIX

Impact : 2

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System
RegistryItem :
DontDisplayLastUserName

Values

Type :
Number
Possible Values :
  • 0 (Disabled)
  • 1 (Enabled)
  • (Not Defined)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System' -name 'DontDisplayLastUserName'
Set Value :
Set-ItemProperty -path 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System' -name 'DontDisplayLastUserName' -value 1



1304 StrongBox Interactive logon: Don't display username at sign-in Low Impact 0 1

Interactive logon: Don't display username at sign-in

Tags: Interactive logon

Introduction


This security policy setting determines whether the username is displayed during sign-in. This setting only affects the Other user tile.

  • If the policy is enabled and a user signs in as Other user, the full name of the user is not displayed during sign-in. In the same context, if users type their email address and password at the sign-in screen and press Enter, the displayed text "Other user" remains unchanged and is no longer replaced by the user's first and last name, as it was in previous versions of Windows 10. Additionally, if users enter their domain user name and password and click Submit, their full name is not shown until the Start screen displays.
  • If the policy is disabled and a user signs in as Other user, the "Other user" text is replaced by the user's first and last name during sign-in.

Relevance indicator

0

Table of settings


UIX

Impact : 2

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System
RegistryItem :
DontDisplayUserName

Values

Type :
Number
Possible Values :
  • 0 (Disabled)
  • 1 (Enabled)
  • (Not Defined)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System' -name 'DontDisplayUserName'
Set Value :
Set-ItemProperty -path 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System' -name 'DontDisplayUserName' -value 1



1305 Enterprise Microsoft network client: Digitally sign communications (always) Medium Impact 0 1

Microsoft network client: Digitally sign communications (always)

Tags: Network, Client, Communication

Introduction


The Server Message Block (SMB) protocol provides the basis for file and print sharing and many other networking operations, such as remote Windows administration. To prevent ‘man-in-the-middle’ attacks that modify SMB packets in transit, the SMB protocol supports digital signing of SMB packets.
Implementation of digital signatures in high-security networks helps prevent the impersonation of client computers and servers, which is known as ‘session hijacking’. Misuse of these policy settings is a common error that can cause data access failure.


Relevance indicator

33

Table of settings


UIX

Impact : 2

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\System\CurrentControlSet\Services\LanmanWorkstation\Parameters
RegistryItem :
RequireSecuritySignature

Values

Type :
Number
Possible Values :
  • 0 (Disable)
  • 1 (Enable)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\System\CurrentControlSet\Services\LanmanWorkstation\Parameters' -name 'RequireSecuritySignature'
Set Value :
Set-ItemProperty -path 'HKLM:\System\CurrentControlSet\Services\LanmanWorkstation\Parameters' -name 'RequireSecuritySignature' -value 1



1306 Enterprise Microsoft network client: Digitally sign communications (if server agrees) Medium Potentially 1 1

Microsoft network client: Digitally sign communications (if server agrees)

Tags: Network, Client, Communication

Introduction


This policy setting determines whether the SMB client (the Workstation service) attempts to negotiate SMB packet signing. With it enabled, signing is used whenever the server also has signing enabled or required; it does not by itself force signing, which is what Microsoft network client: Digitally sign communications (always) [1305] does. Server-side signing is enabled by default only on domain controllers; on other computers it can be turned on with Microsoft network server: Digitally sign communications (if client agrees) [1308].

  • If server-side SMB signing is required, a client computer cannot establish a session with that server unless it has client-side SMB signing enabled. By default, client-side SMB signing is enabled on workstations, servers, and domain controllers. Similarly, if client-side SMB signing is required, the client cannot establish a session with servers that do not have packet signing enabled. By default, server-side SMB signing is enabled only on domain controllers.
  • If server-side SMB signing is enabled, SMB packet signing is negotiated with client computers that have SMB signing enabled.

Relevance indicator

50

Table of settings


UIX

Potentially : 1

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\System\CurrentControlSet\Services\LanmanWorkstation\Parameters
RegistryItem :
EnableSecuritySignature

Values

Type :
Number
Possible Values :
  • 1 (Enable)
  • 0 (Disable)
  • (Not defined)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\System\CurrentControlSet\Services\LanmanWorkstation\Parameters' -name 'EnableSecuritySignature'
Set Value :
Set-ItemProperty -path 'HKLM:\System\CurrentControlSet\Services\LanmanWorkstation\Parameters' -name 'EnableSecuritySignature' -value 1



1307 Enterprise Microsoft network server: Digitally sign communications (always) Medium Potentially 0 1

Microsoft network server: Digitally sign communications (always)

Tags: SMB, Server, Network, Sign

Introduction


The Server Message Block (SMB) protocol provides the basis for file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets.


Relevance indicator

50

Table of settings


UIX

Potentially : 1

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters
RegistryItem :
RequireSecuritySignature

Values

Type :
Number
Possible Values :
  • 1 (Enable)
  • 0 (Disable)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters' -name 'RequireSecuritySignature'
Set Value :
Set-ItemProperty -path 'HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters' -name 'RequireSecuritySignature' -value 1



1308 Enterprise Microsoft network server: Digitally sign communications (if client agrees) Medium Potentially 0 1

Microsoft network server: Digitally sign communications (if client agrees)

Tags: Communication, SMB, Server, Network, Sign

Introduction


The Server Message Block (SMB) protocol provides the basis for file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets.
This policy setting determines whether SMB packet signing must be negotiated before further communication with the Server service is permitted.

Implementation of digital signatures in high-security networks helps to prevent the impersonation of client computers and servers, which is known as "session hijacking." But misuse of these policy settings is a common error that can cause data loss or problems with data access or security.

Relevance indicator

50

Table of settings


UIX

Potentially : 1

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters
RegistryItem :
EnableSecuritySignature

Values

Type :
Number
Possible Values :
  • 0 (Disabled)
  • 1 (Enabled)
  • (Not defined)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters' -name 'EnableSecuritySignature'
Set Value :
Set-ItemProperty -path 'HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters' -name 'EnableSecuritySignature' -value 1
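Added example, not code from the hardening interface, covering entries 1305 to 1308 together: the four registry values above are the same state the SmbShare cmdlets manage, and a staged rollout (clients first, servers once every peer is known to sign) is the usual way to avoid the data-access failures the descriptions warn about. The functions below read both sides through the cmdlets, enforce signing with a client-only option, and read back the four registry values so the two views can be compared. Cmdlet names are the stock SmbShare ones; the function names are this example's own. Run elevated.

```powershell
# Added example, not code from the hardening interface. Reads and enforces SMB
# signing on both the client (Workstation) and server (Server) side through the
# SmbShare cmdlets, then reads back the four registry values that entries 1305-1308
# set directly, to show the two views agree. Run elevated. Requiring signing on
# the server drops sessions from peers that cannot sign (legacy SMB1 clients, some
# NAS and scanners), so stage it on the client side first.
function Get-SmbSigningState {
    $c = Get-SmbClientConfiguration
    $s = Get-SmbServerConfiguration
    [pscustomobject]@{
        ClientRequire = $c.RequireSecuritySignature    # 1305
        ClientEnable  = $c.EnableSecuritySignature     # 1306
        ServerRequire = $s.RequireSecuritySignature    # 1307
        ServerEnable  = $s.EnableSecuritySignature     # 1308
    }
}

function Set-SmbSigningRequired {
    [CmdletBinding(SupportsShouldProcess)]
    param([switch]$ClientOnly)   # staged rollout: clients first, servers once peers are known to sign
    if ($PSCmdlet.ShouldProcess('SMB client', 'require signing')) {
        Set-SmbClientConfiguration -EnableSecuritySignature $true -RequireSecuritySignature $true -Force
    }
    if (-not $ClientOnly -and $PSCmdlet.ShouldProcess('SMB server', 'require signing')) {
        Set-SmbServerConfiguration -EnableSecuritySignature $true -RequireSecuritySignature $true -Force
    }
    Get-SmbSigningState
}

function Get-SmbSigningRegistry {
    # The same state as seen through the registry values used by entries 1305-1308
    $ws = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
    $sv = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters'
    foreach ($t in @(@($ws, 'RequireSecuritySignature', 1305), @($ws, 'EnableSecuritySignature', 1306),
                     @($sv, 'RequireSecuritySignature', 1307), @($sv, 'EnableSecuritySignature', 1308))) {
        [pscustomobject]@{
            Id    = $t[2]
            Path  = $t[0]
            Name  = $t[1]
            Value = Get-ItemPropertyValue -Path $t[0] -Name $t[1] -ErrorAction SilentlyContinue   # $null = Not defined
        }
    }
}

Get-SmbSigningState
Get-SmbSigningRegistry | Format-Table -AutoSize
# Set-SmbSigningRequired -ClientOnly -WhatIf
```

Requiring signing on the client side is the setting that actually defeats an SMB relay against that host's outbound connections; the server-side requirement protects the host's own shares and is the one that needs the inventory of legacy peers first.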



1309 Enterprise Network access: Do not allow anonymous enumeration of SAM accounts Medium Potentially 1 1

Network access: Do not allow anonymous enumeration of SAM accounts

Tags: Domain, Access, SAM Accounts

Introduction


This policy setting determines which additional permissions will be assigned for anonymous connections to the device. Windows allows anonymous users to perform certain activities, such as enumerating the names of domain accounts and network shares.
This is convenient, for example, when an administrator wants to give access to users in a trusted domain that does not maintain a reciprocal trust.


Relevance indicator

50

Table of settings


UIX

Potentially : 1

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\System\CurrentControlSet\Control\Lsa
RegistryItem :
RestrictAnonymousSAM

Values

Type :
Number
Possible Values :
  • 1 (Enable)
  • 0 (Disable)
  • (Not defined)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\System\CurrentControlSet\Control\Lsa' -name 'RestrictAnonymousSAM'
Set Value :
Set-ItemProperty -path 'HKLM:\System\CurrentControlSet\Control\Lsa' -name 'RestrictAnonymousSAM' -value 1



1310 Enterprise Network access: Do not allow anonymous enumeration of SAM accounts and shares Medium Potentially 0 1

Network access: Do not allow anonymous enumeration of SAM accounts and shares

Tags: Domain, Access, SAM Accounts, Shares

Introduction


This policy setting determines which additional permissions will be assigned for anonymous connections to the device. Windows allows anonymous users to perform certain activities, such as enumerating the names of domain accounts and network shares.

  • This is convenient, for example, when an administrator wants to give access to users in a trusted domain that does not maintain a reciprocal trust.
  • However, even with this policy setting enabled, anonymous users will have access to resources with permissions that explicitly include the built-in group, ANONYMOUS LOGON.


Relevance indicator

50

Table of settings


UIX

Potentially : 1

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\System\CurrentControlSet\Control\Lsa
RegistryItem :
RestrictAnonymous

Values

Type :
Number
Possible Values :
  • 1 (Enable)
  • 0 (Disable)
  • (Not defined)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\System\CurrentControlSet\Control\Lsa' -name 'RestrictAnonymous'
Set Value :
Set-ItemProperty -path 'HKLM:\System\CurrentControlSet\Control\Lsa' -name 'RestrictAnonymous' -value 1



1311 Basic Network access: Do not allow storage of passwords and credentials for network authentication Medium Potentially 0 1

Network access: Do not allow storage of passwords and credentials for network authentication


Introduction


This security setting determines whether Credential Manager saves passwords and credentials for later use when it gains domain authentication.


Relevance indicator

58

Table of settings


UIX

Potentially : 1

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\System\CurrentControlSet\Control\Lsa
RegistryItem :
DisableDomainCreds

Values

Type :
Number
Possible Values :
  • 1 (Enable)
  • 0 (Disable)
  • (Not defined)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\System\CurrentControlSet\Control\Lsa' -name 'DisableDomainCreds'
Set Value :
Set-ItemProperty -path 'HKLM:\System\CurrentControlSet\Control\Lsa' -name 'DisableDomainCreds' -value 1



1312 Enterprise Network security: Allow LocalSystem NULL session fallback Medium Potentially 0 0

Network security: Allow LocalSystem NULL session fallback


Introduction


This policy affects session security during the authentication process between devices running Windows Server 2008 R2 and Windows 7 and later and those devices running earlier versions of the Windows operating system.
For computers running Windows Server 2008 R2 and Windows 7 and later, services running as Local System require a service principal name (SPN) to generate the session key.
However, if Network security: Allow Local System to use computer identity for NTLM is set to disabled, services running as Local System will fall back to using NULL session authentication when they transmit data to servers running versions of Windows earlier than Windows Vista or Windows Server 2008.
NULL session does not establish a unique session key for each authentication; and thus, it cannot provide integrity or confidentiality protection. The setting Network security: Allow LocalSystem NULL session fallback determines whether services that request the use of session security are allowed to perform signature or encryption functions with a well-known key for application compatibility.


Relevance indicator

50

Table of settings


UIX

Potentially : 1

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\System\CurrentControlSet\Control\Lsa\MSV1_0
RegistryItem :
allownullsessionfallback

Values

Type :
Number
Possible Values :
  • 1 (Enable)
  • 0 (Disable)
  • (Not defined)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\System\CurrentControlSet\Control\Lsa\MSV1_0' -name 'allownullsessionfallback'
Set Value :
Set-ItemProperty -path 'HKLM:\System\CurrentControlSet\Control\Lsa\MSV1_0' -name 'allownullsessionfallback' -value 0



1313 Enterprise Network security: LAN Manager authentication level Medium Potentially 3 5

Network security: LAN Manager authentication level


Introduction


This policy setting determines which challenge or response authentication protocol is used for network logons. LAN Manager (LM) includes client computer and server software from Microsoft that allows users to link personal devices together on a single network. Network capabilities include transparent file and print sharing, user security features, and network administration tools. In Active Directory domains, the Kerberos protocol is the default authentication protocol. However, if the Kerberos protocol is not negotiated for some reason, Active Directory uses LM, NTLM, or NTLM version 2 (NTLMv2).

Relevance indicator

50

Table of settings


UIX

Potentially : 1

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\System\CurrentControlSet\Control\Lsa
RegistryItem :
LmCompatibilityLevel

Values

Type :
Number
Possible Values :
  • 0-5
  • Not Defined

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\System\CurrentControlSet\Control\Lsa' -name 'LmCompatibilityLevel'
Set Value :
Set-ItemProperty -path 'HKLM:\System\CurrentControlSet\Control\Lsa' -name 'LmCompatibilityLevel' -value 5


#1314 | Apply mode: Enterprise | Name: Network security: LDAP client signing requirements | Severity: Medium | UIX impact: Potentially | Default value: 1 | Recommended value: 1

Network security: LDAP client signing requirements


Introduction


This policy setting determines the level of data signing that is requested on behalf of client devices that issue LDAP BIND requests. The levels of data signing are described in the following list:

  • None. The LDAP BIND request is issued with the caller-specified options.
  • Negotiate signing. If Transport Layer Security/Secure Sockets Layer (TLS/SSL) has not been started, the LDAP BIND request is initiated with the LDAP data signing option set in addition to the caller-specified options. If TLS/SSL has been started, the LDAP BIND request is initiated with the caller-specified options.
  • Require signing. This level is the same as Negotiate signing. However, if the LDAP server's intermediate saslBindInProgress response does not indicate that LDAP traffic signing is required, the caller is returned a message that the LDAP BIND command request failed.

Relevance indicator

50

Table of settings


UIX

Potentially : 1

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\System\CurrentControlSet\Services\LDAP
RegistryItem :
LDAPClientIntegrity

Values

Type :
Number
Possible Values :
  • 0 (None)
  • 1 (Negotiate signing)
  • 2 (Require signature)
  • Not Defined

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\System\CurrentControlSet\Services\LDAP' -name 'LDAPClientIntegrity'
Set Value :
Set-ItemProperty -path 'HKLM:\System\CurrentControlSet\Services\LDAP' -name 'LDAPClientIntegrity' -value 1


#1315 | Apply mode: Enterprise | Name: Network security: Minimum session security for NTLM SSP based (including secure RPC) clients | Severity: Medium | UIX impact: Potentially | Default value: 536870912 | Recommended value: 537395200

Network security: Minimum session security for NTLM SSP based (including secure RPC) clients


Introduction


This policy setting allows a client device to require the negotiation of 128-bit encryption or NTLMv2 session security. These values are dependent on the Network security: LAN Manager Authentication Level policy setting value.

  • None checked: None. No security is used for session security.
  • Require message integrity: Message integrity. If the value of either this entry or the NtlmMinServerSec entry is 0x10, then the connection will fail unless message integrity is negotiated.
  • Require message confidentiality: Message confidentiality. If the value of either this entry or the NtlmMinServerSec entry is 0x20, then the connection will fail unless message confidentiality is negotiated.
  • Require NTLMv2 session security: NTLMv2 session security. If the value of either this entry or the NtlmMinServerSec entry is 0x80000, then the connection will fail unless NTLMv2 session security is negotiated.
  • Require 128-bit encryption: 128-bit encryption. If the value of either this entry or the NtlmMinServerSec entry is 0x20000000, then the connection will fail unless 128-bit encryption is negotiated.

Relevance indicator

50

Table of settings


UIX

Potentially : 1

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\System\CurrentControlSet\Control\Lsa\MSV1_0
RegistryItem :
NTLMMinClientSec

Values

Type :
Number
Possible Values :
  • 0x0 (None checked)
  • 0x10 (Require message integrity)
  • 0x20 (Require message confidentiality)
  • 0x80000 (Require NTLMv2 session security)
  • 0x20000000 (Require 128-bit encryption)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\System\CurrentControlSet\Control\Lsa\MSV1_0' -name 'NTLMMinClientSec'
Set Value :
Set-ItemProperty -path 'HKLM:\System\CurrentControlSet\Control\Lsa\MSV1_0' -name 'NTLMMinClientSec' -value 537395200


#1316 | Apply mode: Enterprise | Name: Network security: Minimum session security for NTLM SSP based (including secure RPC) servers | Severity: Medium | UIX impact: Potentially | Default value: 536870912 | Recommended value: 537395200

Network security: Minimum session security for NTLM SSP based (including secure RPC) servers

Tags: Network, Encryption, Audit

Introduction


This policy setting allows a client device to require the negotiation of 128-bit encryption or NTLMv2 session security. These values are dependent on the Network security: LAN Manager authentication level policy setting value.
Setting all of these values for this policy setting will help protect network traffic that uses the NTLM Security Support Provider (NTLM SSP) from being exposed or tampered with by a malicious user who has gained access to the same network. That is, these settings help protect against man-in-the-middle attacks.

Relevance indicator

50

Table of settings


UIX

Potentially : 1

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\System\CurrentControlSet\Control\Lsa\MSV1_0
RegistryItem :
NTLMMinServerSec

Values

Type :
Number
Possible Values :
  • 0x0 (None checked)
  • 0x10 (Require message integrity)
  • 0x20 (Require message confidentiality)
  • 0x80000 (Require NTLMv2 session security)
  • 0x20000000 (Require 128-bit encryption)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\System\CurrentControlSet\Control\Lsa\MSV1_0' -name 'NTLMMinServerSec'
Set Value :
Set-ItemProperty -path 'HKLM:\System\CurrentControlSet\Control\Lsa\MSV1_0' -name 'NTLMMinServerSec' -value 537395200


#1317 | Apply mode: Enterprise | Name: Network security: Restrict NTLM: Audit Incoming NTLM Traffic | Severity: Medium | UIX impact: Potentially | Default value: 0 | Recommended value: 2

Network security: Restrict NTLM: Audit Incoming NTLM Traffic

Tags: Network, NTLM, Domain

Introduction


The Network Security: Restrict NTLM: Audit incoming NTLM traffic policy setting allows you to audit incoming NTLM traffic.

  • When this audit policy is enabled within Group Policy, it is enforced on any server where that Group Policy is distributed. The events will be recorded in the operational event log located in Applications and Services Log\Microsoft\Windows\NTLM. Using an audit event collection system can help you collect the events for analysis more efficiently.
  • When you enable this policy on a server, only authentication traffic to that server will be logged.
  • When you enable this audit policy, it functions in the same way as the Network Security: Restrict NTLM: Incoming NTLM traffic policy, but it does not actually block any traffic. Therefore, you can use it effectively to understand the authentication traffic in your environment, and when you are ready to block that traffic, you can enable the Network Security: Restrict NTLM: Incoming NTLM traffic policy setting and select Deny all accounts or Deny all domain accounts.

Relevance indicator

50

Table of settings


UIX

Potentially : 1

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\System\CurrentControlSet\Control\Lsa\MSV1_0
RegistryItem :
AuditReceivingNTLMTraffic

Values

Type :
Number
Possible Values :
  • 0 (Disable)
  • 1 (Enable auditing for domain accounts)
  • 2 (Enable auditing for all accounts)
  • Not defined

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\System\CurrentControlSet\Control\Lsa\MSV1_0' -name 'AuditReceivingNTLMTraffic'
Set Value :
Set-ItemProperty -path 'HKLM:\System\CurrentControlSet\Control\Lsa\MSV1_0' -name 'AuditReceivingNTLMTraffic' -value 2


#1318 | Apply mode: Enterprise | Name: Network security: Restrict NTLM: Audit NTLM authentication in this domain | Severity: Medium | UIX impact: Potentially | Default value: 0 | Recommended value: 7

Network security: Restrict NTLM: Audit NTLM authentication in this domain

Tags: Network, NTLM, Domain, Server

Introduction


This policy setting allows you to audit, on the domain controller, NTLM authentication in that domain.

  • When you enable this policy setting on the domain controller, only authentication traffic to that domain controller will be logged.
  • When you enable this audit policy, it functions in the same way as the Network Security: Restrict NTLM: NTLM authentication in this domain policy setting, but it does not actually block any traffic. Therefore, you can use it effectively to understand the authentication traffic to your domain controllers and when you are ready to block that traffic, you can enable the Network Security: Restrict NTLM: NTLM authentication in this domain policy setting and select Deny for domain accounts to domain servers, Deny for domain servers, or Deny for domain accounts.

Relevance indicator

50

Table of settings


UIX

Potentially : 1

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters
RegistryItem :
AuditNTLMInDomain

Values

Type :
Number
Possible Values :
  • 0 (Disable)
  • 1 (Enable for domain accounts to domain servers)
  • 3 (Enable for domain accounts)
  • 5 (Enable for domain servers)
  • 7 (Enable all)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters' -name 'AuditNTLMInDomain'
Set Value :
Set-ItemProperty -path 'HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters' -name 'AuditNTLMInDomain' -value 7


#1319 | Apply mode: Enterprise | Name: Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers | Severity: Medium | UIX impact: Potentially | Default value: 0 | Recommended value: 1

Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers

Tags: Network, NTLM, Audit

Introduction


This policy setting allows you to deny or audit outgoing NTLM traffic from a computer running Windows 7, Windows Server 2008, or later to any remote server running the Windows operating system.

Relevance indicator

50

Table of settings


UIX

Potentially : 1

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\System\CurrentControlSet\Control\Lsa\MSV1_0
RegistryItem :
RestrictSendingNTLMTraffic

Values

Type :
Number
Possible Values :
  • 0 (Allow all)
  • 1 (Audit all)
  • 2 (Deny all)
  • Not defined

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\System\CurrentControlSet\Control\Lsa\MSV1_0' -name 'RestrictSendingNTLMTraffic'
Set Value :
Set-ItemProperty -path 'HKLM:\System\CurrentControlSet\Control\Lsa\MSV1_0' -name 'RestrictSendingNTLMTraffic' -value 1


#1320 | Apply mode: Basic | Name: Shutdown: Allow system to be shut down without having to log on | Severity: Medium | UIX impact: Impact | Default value: 1 | Recommended value: 0

Shutdown: Allow system to be shut down without having to log on


Introduction


This policy setting determines whether you can shut down a device without having to sign in to Windows. When you enable it, the Shut Down option is available on the sign-in screen in Windows. If you disable this setting, the Shut Down option is removed from the screen. To use the option, the user must sign in on the device successfully and have the Shut down the system user right.
Users who access the console locally can shut down the system. Attackers or misguided users can connect to the server by using Remote Desktop Services, and then shut it down or restart it without having to identify themselves. A malicious user might also cause a temporary denial-of-service condition from a local console by restarting or shutting down the server.

Relevance indicator

42

Table of settings


UIX

Impact : 2

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System
RegistryItem :
ShutdownWithoutLogon

Values

Type :
Number
Possible Values :
  • 1 (Enable)
  • 0 (Disable)
  • Not defined

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System' -name 'ShutdownWithoutLogon'
Set Value :
Set-ItemProperty -path 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System' -name 'ShutdownWithoutLogon' -value 0


#1321 | Apply mode: Enterprise | Name: User Account Control: Admin Approval Mode for the Built-in Administrator account | Severity: Medium | UIX impact: Impact | Default value: 0 | Recommended value: 1

User Account Control: Admin Approval Mode for the Built-in Administrator account


Introduction


This policy setting determines the behavior of Admin Approval Mode for the built-in administrator account. When the Admin Approval Mode is enabled, the local administrator account functions like a standard user account, but it has the ability to elevate privileges without logging on by using a different account. In this mode, any operation that requires elevation of privilege displays a prompt that allows the administrator to permit or deny the elevation of privilege. If Admin Approval Mode is not enabled, the built-in Administrator account runs all applications by default with full administrative privileges.

Relevance indicator

33

Table of settings


UIX

Impact : 2

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
RegistryItem :
FilterAdministratorToken

Values

Type :
Number
Possible Values :
  • 1 (Enable)
  • 0 (Disable)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -name 'FilterAdministratorToken'
Set Value :
Set-ItemProperty -path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -name 'FilterAdministratorToken' -value 1


#1322 | Apply mode: Basic | Name: User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode | Severity: Medium | UIX impact: Impact | Default value: 5 | Recommended value: 5

User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode


Introduction


This policy setting determines the behavior of the elevation prompt for accounts that have administrative credentials.

Relevance indicator

42

Table of settings


UIX

Impact : 2

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
RegistryItem :
ConsentPromptBehaviorAdmin

Values

Type :
Number
Possible Values :
  • 0 (Elevate without prompting)
  • 1 (Prompt for credentials on the secure desktop)
  • 2 (Prompt for consent on the secure desktop)
  • 3 (Prompt for credentials)
  • 4 (Prompt for consent)
  • 5 (Prompt for consent for non-Windows binaries)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -name 'ConsentPromptBehaviorAdmin'
Set Value :
Set-ItemProperty -path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -name 'ConsentPromptBehaviorAdmin' -value 5


#1323 | Apply mode: Basic | Name: User Account Control: Behavior of the elevation prompt for standard users | Severity: Medium | UIX impact: Impact | Default value: 0 | Recommended value: 1

User Account Control: Behavior of the elevation prompt for standard users

Tags: Elevation Prompt, Standard Users

Introduction


This policy setting determines the behavior of the elevation prompt for standard users.

  • Automatically deny elevation requests: This option returns an “Access denied” error message to standard users when they try to perform an operation that requires elevation of privilege. Most organizations that run desktops as standard users configure this policy to reduce Help Desk calls.
  • Prompt for credentials on the secure desktop: This is the default. When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a different user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.
  • Prompt for credentials: An operation that requires elevation of privilege prompts the user to type an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.

Relevance indicator

42

Table of settings


UIX

Impact : 2

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
RegistryItem :
ConsentPromptBehaviorUser

Values

Type :
Number
Possible Values :
  • 0 (Automatically deny elevation requests)
  • 1 (Prompt for credentials on the secure desktop)
  • 3 (Prompt for credentials)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -name 'ConsentPromptBehaviorUser'
Set Value :
Set-ItemProperty -path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -name 'ConsentPromptBehaviorUser' -value 1


#1324 | Apply mode: Enterprise | Name: Network access: Restrict anonymous access to Named Pipes and Shares | Severity: Medium | UIX impact: Impact | Default value: 1 | Recommended value: 1

Network access: Restrict anonymous access to Named Pipes and Shares

Tags: Shares, Network

Introduction


This policy setting enables or disables the restriction of anonymous access to only those shared folders and pipes that are named in the Network access: Named pipes that can be accessed anonymously and Network access: Shares that can be accessed anonymously settings.

  • The setting controls null session access to shared folders on your computers by adding RestrictNullSessAccess with the value 1 in the registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters.
  • This registry value toggles null session shared folders on or off to control whether the Server service restricts unauthenticated clients' access to named resources.
  • Null sessions are a weakness that can be exploited through the various shared folders on the devices in your environment.

Relevance indicator

33

Table of settings


UIX

Impact : 2

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters
RegistryItem :
RestrictNullSessAccess

Values

Type :
Number
Possible Values :
  • 0 (Disabled)
  • 1 (Enabled)
  • Not defined

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters' -name 'RestrictNullSessAccess'
Set Value :
Set-ItemProperty -path 'HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters' -name 'RestrictNullSessAccess' -value 1


#1325 | Apply mode: Enterprise | Name: Network access: Restrict clients allowed to make remote calls to SAM | Severity: Medium | UIX impact: No impact | Recommended value: O:BAG:BAD:(A;;RC;;;BA)

Network access: Restrict clients allowed to make remote calls to SAM

Tags: Network, SAM

Introduction


The Network access: Restrict clients allowed to make remote calls to SAM security policy setting controls which users can enumerate users and groups in the local Security Accounts Manager (SAM) database and Active Directory.

Relevance indicator

67

Table of settings


UIX

No impact : 0

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\System\CurrentControlSet\Control\Lsa
RegistryItem :
RestrictRemoteSAM

Values

Type :
String 
Possible Values :
  • contain the SDDL of the security descriptor to be deployed (ex 

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\System\CurrentControlSet\Control\Lsa' -name 'RestrictRemoteSAM'
Set Value :
Set-ItemProperty -path 'HKLM:\System\CurrentControlSet\Control\Lsa' -name 'RestrictRemoteSAM' -value 'O:BAG:BAD:(A;;RC;;;BA)'


#1326 | Apply mode: Basic | Name: Network security: Do not store LAN Manager hash value on next password change | Severity: High | UIX impact: Potentially | Default value: 1 | Recommended value: 1

Network security: Do not store LAN Manager hash value on next password change


Introduction


This policy setting determines whether LAN Manager is prevented from storing hash values for the new password the next time the password is changed. Hash values are a representation of the password after the encryption algorithm is applied that corresponds to the format that is specified by the algorithm.

Relevance indicator

83

Table of settings


UIX

Potentially : 1

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\System\CurrentControlSet\Control\Lsa
RegistryItem :
NoLMHash

Values

Type :
Number
Possible Values :
  • 1 (Enable)
  • 0 (Disable)
  • Not defined

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\System\CurrentControlSet\Control\Lsa' -name 'NoLMHash'
Set Value :
Set-ItemProperty -path 'HKLM:\System\CurrentControlSet\Control\Lsa' -name 'NoLMHash' -value 1


Windows Firewall

#1400 | Apply mode: Enterprise | Name: EnableFirewall (Domain Profile, Policy) | Severity: Medium | UIX impact: Potentially | Default value: 0 | Recommended value: 1

EnableFirewall (Domain Profile, Policy)


Introduction


[DOMAIN] Turns on Windows Defender Firewall.

  • If you enable this policy setting, Windows Defender Firewall runs and ignores the "Computer Configuration\Administrative Templates\Network\Network Connections\Prohibit use of Internet Connection Firewall on your DNS domain network" policy setting.
  • If you disable this policy setting, Windows Defender Firewall does not run. This is the only way to ensure that Windows Defender Firewall does not run and administrators who log on locally cannot start it.
  • If you do not configure this policy setting, administrators can use the Windows Defender Firewall component in Control Panel to turn Windows Defender Firewall on or off, unless the "Prohibit use of Internet Connection Firewall on your DNS domain network" policy setting overrides.

Relevance indicator

50

Table of settings


UIX

Potentially : 1

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
RegistryItem :
EnableFirewall

Values

Type :
Number
Possible Values :
  • 1 (Enable)
  • 0 (Disable)
  • Not defined

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile' -name 'EnableFirewall'
Set Value :
Set-ItemProperty -path 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile' -name 'EnableFirewall' -value 1


#1401 | Apply mode: Enterprise | Name: Inbound Connections (Domain Profile, Policy) | Severity: Medium | UIX impact: Potentially | Default value: 1 | Recommended value: 1

Inbound Connections (Domain Profile, Policy)


Introduction


[DOMAIN] In many cases, a next step for administrators will be to customize these profiles using rules (sometimes called filters) so that they can work with user apps or other types of software. For example, an administrator or user may choose to add a rule to accommodate a program, open a port or protocol, or allow a predefined type of traffic.

Relevance indicator

50

Table of settings


UIX

Potentially : 1

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
RegistryItem :
DefaultInboundAction

Values

Type :
Number 
Possible Values :
  • 0 (Allow) 
  • 1 (Block)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile' -name 'DefaultInboundAction'
Set Value :
Set-ItemProperty -path 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile' -name 'DefaultInboundAction' -value 1


#1402 | Apply mode: Enterprise | Name: Outbound Connections (Domain Profile, Policy) | Severity: Medium | UIX impact: Potentially | Default value: 0 | Recommended value: 0

Outbound Connections (Domain Profile, Policy)


Introduction


[DOMAIN] By default, outbound filtering is disabled. Because all outbound network traffic is permitted, outbound rules are typically used to block traffic that is not wanted on the network. However, it is a best practice for an administrator to create outbound allow rules for those applications that are approved for use on the organization’s network. If you do this, then you have the option to set the default outbound behavior to block, preventing any network traffic that is not specifically authorized by the rules you create.

Relevance indicator

50

Table of settings


UIX

Potentially : 1

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
RegistryItem :
DefaultOutboundAction

Values

Type :
Number 
Possible Values :
  • 0 (Allow) 
  • 1 (Block)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile' -name 'DefaultOutboundAction'
Set Value :
Set-ItemProperty -path 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile' -name 'DefaultOutboundAction' -value 0


#1403 | Apply mode: Enterprise | Name: Log size limit (Domain Profile, Policy) | Severity: Medium | UIX impact: Potentially | Default value: 4096 | Recommended value: 16384

Log size limit (Domain Profile, Policy)


Introduction


[DOMAIN] The firewall log file size for a domain connection will be set to ensure enough capacity is allocated for audit data.

Relevance indicator

50

Table of settings


UIX

Potentially : 1

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging
RegistryItem :
LogFileSize

Values

Type :
Number
Possible Values :
  • (Size limit in KB)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging' -name 'LogFileSize'
Set Value :
Set-ItemProperty -path 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging' -name 'LogFileSize' -value 16384


#1404 | Apply mode: Enterprise | Name: Log dropped packets (Domain Profile, Policy) | Severity: Medium | UIX impact: Potentially | Default value: 0 | Recommended value: 1

Log dropped packets (Domain Profile, Policy)


Introduction


[DOMAIN] If you enable this policy setting, Windows Defender Firewall writes the information to a log file. You must provide the name, location, and maximum size of the log file. The location can contain environment variables. You must also specify whether to record information about incoming messages that the firewall blocks (drops) and information about successful incoming and outgoing connections. Windows Defender Firewall does not provide an option to log successful incoming messages.

Relevance indicator

50

Table of settings


UIX

Potentially : 1

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging
RegistryItem :
LogDroppedPackets

Values

Type :
Number 
Possible Values :
  • 1 (True) 
  • 0 (False)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging' -name 'LogDroppedPackets'
Set Value :
Set-ItemProperty -path 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging' -name 'LogDroppedPackets' -value 1


#1405 | Apply mode: Enterprise | Name: Log successful connections (Domain Profile, Policy) | Severity: Low | UIX impact: Potentially | Default value: 0 | Recommended value: 1

Log successful connections (Domain Profile, Policy)


Introduction


[DOMAIN] If you enable this policy setting, Windows Defender Firewall writes the information to a log file. You must provide the name, location, and maximum size of the log file. The location can contain environment variables. You must also specify whether to record information about incoming messages that the firewall blocks (drops) and information about successful incoming and outgoing connections. Windows Defender Firewall does not provide an option to log successful incoming messages.

Relevance indicator

25

Table of settings


UIX

Potentially : 1

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging
RegistryItem :
LogSuccessfulConnections

Values

Type :
Number 
Possible Values :
  • 1 (True) 
  • 0 (False)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging' -name 'LogSuccessfulConnections'
Set Value :
Set-ItemProperty -path 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging' -name 'LogSuccessfulConnections' -value 1


#1406 | Apply mode: Basic | Name: EnableFirewall (Private Profile, Policy) | Severity: Medium | UIX impact: Potentially | Default value: 0 | Recommended value: 1

EnableFirewall (Private Profile, Policy)


Introduction


[PRIVATE] Turns on Windows Defender Firewall.

  • If you enable this policy setting, Windows Defender Firewall runs and ignores the "Computer Configuration\Administrative Templates\Network\Network Connections\Prohibit use of Internet Connection Firewall on your DNS domain network" policy setting.
  • If you disable this policy setting, Windows Defender Firewall does not run. This is the only way to ensure that Windows Defender Firewall does not run and administrators who log on locally cannot start it.
  • If you do not configure this policy setting, administrators can use the Windows Defender Firewall component in Control Panel to turn Windows Defender Firewall on or off, unless the "Prohibit use of Internet Connection Firewall on your DNS domain network" policy setting overrides.

Relevance indicator

58

Table of settings


UIX

Potentially : 1

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile
RegistryItem :
EnableFirewall

Values

Type :
Number
Possible Values :
  • 1 (Enable)
  • 0 (Disable)
  • Not defined

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile' -name 'EnableFirewall'
Set Value :
Set-ItemProperty -path 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile' -name 'EnableFirewall' -value 1


#1407 | Apply mode: Basic | Name: Inbound Connections (Private Profile, Policy) | Severity: Medium | UIX impact: Potentially | Default value: 1 | Recommended value: 1

Inbound Connections (Private Profile, Policy)


Introduction


[PRIVATE] In many cases, a next step for administrators will be to customize these profiles using rules (sometimes called filters) so that they can work with user apps or other types of software. For example, an administrator or user may choose to add a rule to accommodate a program, open a port or protocol, or allow a predefined type of traffic.

Relevance indicator

58

Table of settings


UIX

Potentially : 1

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile
RegistryItem :
DefaultInboundAction

Values

Type :
Number 
Possible Values :
  • 0 (Allow) 
  • 1 (Block)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile' -name 'DefaultInboundAction'
Set Value :
Set-ItemProperty -path 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile' -name 'DefaultInboundAction' -value 1


#1408 | Apply mode: Basic | Name: Outbound Connections (Private Profile, Policy) | Severity: Medium | UIX impact: Potentially | Default value: 0 | Recommended value: 0

Outbound Connections (Private Profile, Policy)


Introduction


[PRIVATE] By default, outbound filtering is disabled. Because all outbound network traffic is permitted, outbound rules are typically used to block traffic that is not wanted on the network. However, it is a best practice for an administrator to create outbound allow rules for those applications that are approved for use on the organization’s network. If you do this, then you have the option to set the default outbound behavior to block, preventing any network traffic that is not specifically authorized by the rules you create.

Relevance indicator

58

Table of settings


UIX

Potentially : 1

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile
RegistryItem :
DefaultOutboundAction

Values

Type :
Number 
Possible Values :
  • 0 (Allow) 
  • 1 (Block)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile' -name 'DefaultOutboundAction'
Set Value :
Set-ItemProperty -path 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile' -name 'DefaultOutboundAction' -value 0


More Informations


OS

1409 Basic Log size limit (Private Profile, Policy) Medium Potentially 4096 16384

Log size limit (Private Profile, Policy)


Introduction


[PRIVATE] The firewall log file size for a private-profile connection will be set to ensure enough capacity is allocated for audit data. The value is in kilobytes (1 to 32767); the recommended 16384 KB is four times the 4096 KB default. When the file reaches the limit the firewall starts a new one and keeps only the previous file as pfirewall.log.old, so on a busy host the log must be collected before it rolls over.

Read more >

Relevance indicator

58

Table of settings


UIX

Potentially : 1

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging
RegistryItem :
LogFileSize

Values

Type :
Number
Possible Values :
  • (Size limit in KB)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging' -name 'LogFileSize'
Set Value :
Set-ItemProperty -path 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging' -name 'LogFileSize' -value 16384


More Informations


Notes

OS

1410 Basic Log dropped packets (Private Profile, Policy) Medium Potentially 0 1

Log dropped packets (Private Profile, Policy)


Introduction


[PRIVATE] If you enable this policy setting, Windows Defender Firewall writes the information to a log file. You must provide the name, location, and maximum size of the log file. The location can contain environment variables. You must also specify whether to record information about incoming messages that the firewall blocks (drops) and information about successful incoming and outgoing connections. Windows Defender Firewall does not provide an option to log successful incoming messages. This entry controls the first of those two choices for the private profile: whether packets the firewall blocks are written to the log (LogDroppedPackets). The recommended value, 1, turns it on.

Read more >

Relevance indicator

58

Table of settings


UIX

Potentially : 1

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging
RegistryItem :
LogDroppedPackets

Values

Type :
Number 
Possible Values :
  • 1 (True) 
  • 0 (False)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging' -name 'LogDroppedPackets'
Set Value :
Set-ItemProperty -path 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging' -name 'LogDroppedPackets' -value 1


More Informations


OS

1411 Basic Log successful connections (Private Profile, Policy) Low Potentially 0 1

Log successful connections (Private Profile, Policy)


Introduction


[PRIVATE] If you enable this policy setting, Windows Defender Firewall writes the information to a log file. You must provide the name, location, and maximum size of the log file. The location can contain environment variables. You must also specify whether to record information about incoming messages that the firewall blocks (drops) and information about successful incoming and outgoing connections. Windows Defender Firewall does not provide an option to log successful incoming messages. This entry controls the second choice for the private profile: whether allowed connections are written to the log (LogSuccessfulConnections). The recommended value, 1, turns it on, at the cost of a much busier log, which is why the size limit above matters.

Read more >
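The three logging entries for this profile (log size limit, log dropped packets, log successful connections) are normally set together, and the same three exist for the domain and public profiles further down. The block below is an added example, not code from the catalogue, that applies all three to every profile with Set-NetFirewallProfile and then reads the result back. The per-profile log file names are an assumption; Windows' default is a single %SystemRoot%\System32\LogFiles\Firewall\pfirewall.log.

```powershell
# Added example (not part of the catalogue): configure firewall logging on all
# profiles the supported way and verify. Run elevated.
#Requires -RunAsAdministrator

# Default log directory; it is already writable by the firewall service, which
# is not true of an arbitrary folder you might pick instead.
$LogDir = "$env:SystemRoot\System32\LogFiles\Firewall"

function Set-FirewallLogging {
    param(
        [ValidateRange(1, 32767)][int]$MaxSizeKB = 16384,   # page's recommended value; OS default is 4096
        [bool]$LogDropped = $true,                          # "Log dropped packets"
        [bool]$LogAllowed = $true                           # "Log successful connections"
    )
    foreach ($profile in 'Domain', 'Private', 'Public') {
        # One file per profile keeps domain and public traffic separable in an investigation.
        Set-NetFirewallProfile -Profile $profile `
            -LogFileName (Join-Path $LogDir "pfirewall_$profile.log") `
            -LogMaxSizeKilobytes $MaxSizeKB `
            -LogBlocked ([string]$LogDropped) `
            -LogAllowed ([string]$LogAllowed)
    }
}

function Get-FirewallLoggingStatus {
    # Effective values; a GPO setting shows up here even if the local store differs.
    Get-NetFirewallProfile -PolicyStore ActiveStore |
        Select-Object Name, LogFileName, LogMaxSizeKilobytes, LogBlocked, LogAllowed
}

Set-FirewallLogging
Get-FirewallLoggingStatus | Format-Table -AutoSize
```

If a domain GPO already defines these values, the local change is accepted but the GPO value remains in effect; Get-FirewallLoggingStatus shows that, the Set-ItemProperty commands under each entry do not.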

Relevance indicator

33

Table of settings


UIX

Potentially : 1

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging
RegistryItem :
LogSuccessfulConnections

Values

Type :
Number 
Possible Values :
  • 1 (True) 
  • 0 (False)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging' -name 'LogSuccessfulConnections'
Set Value :
Set-ItemProperty -path 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging' -name 'LogSuccessfulConnections' -value 1


More Informations


OS

1412 Basic EnableFirewall (Public Profile, Policy) Medium Potentially 0 1

EnableFirewall (Public Profile, Policy)


Introduction


[PUBLIC] Turns on Windows Defender Firewall.

  • If you enable this policy setting, Windows Defender Firewall runs and ignores the "Computer Configuration\Administrative Templates\Network\Network Connections\Prohibit use of Internet Connection Firewall on your DNS domain network" policy setting.
  • If you disable this policy setting, Windows Defender Firewall does not run. This is the only way to ensure that Windows Defender Firewall does not run and administrators who log on locally cannot start it.
  • If you do not configure this policy setting, administrators can use the Windows Defender Firewall component in Control Panel to turn Windows Defender Firewall on or off, unless the "Prohibit use of Internet Connection Firewall on your DNS domain network" policy setting overrides.

Read more >

Relevance indicator

58

Table of settings


UIX

Potentially : 1

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile
RegistryItem :
EnableFirewall

Values

Type :
Number
Possible Values :
  • 1 (Enable)
  • 0 (Disable)
  • Not defined

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile' -name 'EnableFirewall'
Set Value :
Set-ItemProperty -path 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile' -name 'EnableFirewall' -value 1


More Informations


OS

1413 Basic Inbound Connections (Public Profile, Policy) Medium Potentially 1 1

Inbound Connections (Public Profile, Policy)


Introduction


[PUBLIC] In many cases, a next step for administrators will be to customize these profiles using rules (sometimes called filters) so that they can work with user apps or other types of software. For example, an administrator or user may choose to add a rule to accommodate a program, open a port or protocol, or allow a predefined type of traffic. This entry sets the public profile's default action for inbound connections that match no rule (DefaultInboundAction); the recommended value, 1, blocks them, which on untrusted networks should be left alone and any exception scoped to the domain or private profile instead.

Read more >

Relevance indicator

58

Table of settings


UIX

Potentially : 1

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile
RegistryItem :
DefaultInboundAction

Values

Type :
Number 
Possible Values :
  • 0 (Allow) 
  • 1 (Block)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile' -name 'DefaultInboundAction'
Set Value :
Set-ItemProperty -path 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile' -name 'DefaultInboundAction' -value 1


More Informations


Notes

OS

1414 Basic Outbound Connections (Public Profile, Policy) Medium Potentially 0 0

Outbound Connections (Public Profile, Policy)


Introduction


[PUBLIC] By default, outbound filtering is disabled. Because all outbound network traffic is permitted, outbound rules are typically used to block traffic that is not wanted on the network. However, it is a best practice for an administrator to create outbound allow rules for those applications that are approved for use on the organization’s network. If you do this, then you have the option to set the default outbound behavior to block, preventing any network traffic that is not specifically authorized by the rules you create.

Read more >

Relevance indicator

58

Table of settings


UIX

Potentially : 1

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile
RegistryItem :
DefaultOutboundAction

Values

Type :
Number 
Possible Values :
  • 0 (Allow) 
  • 1 (Block)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile' -name 'DefaultOutboundAction'
Set Value :
Set-ItemProperty -path 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile' -name 'DefaultOutboundAction' -value 0


More Informations


OS

1415 Basic Log size limit (Public Profile, Policy) Medium Potentially 4096 16384

Log size limit (Public Profile, Policy)


Introduction


[PUBLIC] The firewall log file size for a public-profile connection will be set to ensure enough capacity is allocated for audit data. The value is in kilobytes (1 to 32767); the recommended 16384 KB is four times the 4096 KB default. When the file reaches the limit the firewall starts a new one and keeps only the previous file as pfirewall.log.old.

Read more >

Relevance indicator

58

Table of settings


UIX

Potentially : 1

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging
RegistryItem :
LogFileSize

Values

Type :
Number
Possible Values :
  • (Size limit in KB)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging' -name 'LogFileSize'
Set Value :
Set-ItemProperty -path 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging' -name 'LogFileSize' -value 16384


More Informations


Notes

OS

1416 Basic Log dropped packets (Public Profile, Policy) Medium Potentially 0 1

Log dropped packets (Public Profile, Policy)


Introduction


[PUBLIC] If you enable this policy setting, Windows Defender Firewall writes the information to a log file. You must provide the name, location, and maximum size of the log file. The location can contain environment variables. You must also specify whether to record information about incoming messages that the firewall blocks (drops) and information about successful incoming and outgoing connections. Windows Defender Firewall does not provide an option to log successful incoming messages. This entry controls the first of those two choices for the public profile: whether packets the firewall blocks are written to the log (LogDroppedPackets). The recommended value, 1, turns it on.

Read more >
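Logging dropped packets is only useful if someone reads the result. The block below is an added example, not code from the catalogue, that parses the W3C-style pfirewall.log the firewall writes (the same format for every profile) and summarises inbound drops per source, flagging sources that probed several ports. The log lines are constructed for illustration and use documentation address ranges; the scan threshold is an assumption.

```powershell
# Added example (not part of the catalogue): parse pfirewall.log and summarise
# inbound drops. Works with Windows PowerShell 5.1 and PowerShell 7.

# Constructed sample log (documentation addresses 192.0.2.0/24 and 203.0.113.0/24).
$SampleLog = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2021-02-10 09:15:02 DROP TCP 203.0.113.45 192.0.2.10 51234 3389 52 S 3114311901 0 64240 - - - RECEIVE
2021-02-10 09:15:02 DROP TCP 203.0.113.45 192.0.2.10 51235 445 52 S 3114311902 0 64240 - - - RECEIVE
2021-02-10 09:15:03 DROP TCP 203.0.113.45 192.0.2.10 51236 22 52 S 3114311903 0 64240 - - - RECEIVE
2021-02-10 09:15:03 DROP TCP 203.0.113.45 192.0.2.10 51237 5985 52 S 3114311904 0 64240 - - - RECEIVE
2021-02-10 09:15:10 ALLOW TCP 192.0.2.10 192.0.2.53 49811 443 0 - 0 0 0 - - - SEND
2021-02-10 09:15:11 DROP UDP 192.0.2.77 192.0.2.10 137 137 78 - - - - - - - RECEIVE
2021-02-10 09:15:12 DROP TCP 192.0.2.77 192.0.2.10 60001 3389 52 S 2200000001 0 64240 - - - RECEIVE
'@

function ConvertFrom-FirewallLog {
    param([Parameter(Mandatory)][string[]]$Lines)
    # The "#Fields:" header names the columns; every other "#" line is metadata.
    $header = $Lines | Where-Object { $_ -like '#Fields:*' } | Select-Object -First 1
    $fields = ($header -replace '^#Fields:\s*', '') -split '\s+'
    $Lines | Where-Object { $_ -and -not $_.StartsWith('#') } |
        ConvertFrom-Csv -Delimiter ' ' -Header $fields
}

function Get-InboundDropSummary {
    param([Parameter(Mandatory)][object[]]$Entries, [int]$ScanThreshold = 3)
    # path=RECEIVE is inbound; SEND drops would mean outbound block is in effect.
    $drops = $Entries | Where-Object { $_.action -eq 'DROP' -and $_.path -eq 'RECEIVE' }
    $drops | Group-Object 'src-ip' | ForEach-Object {
        $ports = @($_.Group | Select-Object -ExpandProperty 'dst-port' -Unique)
        [pscustomobject]@{
            SourceIP      = $_.Name
            DroppedPkts   = $_.Count
            DistinctPorts = $ports.Count
            Ports         = ($ports | Sort-Object { [int]$_ }) -join ','
            # One source touching several closed ports in a short window is the classic scan signature.
            LikelyScan    = $ports.Count -ge $ScanThreshold
        }
    } | Sort-Object DroppedPkts -Descending
}

$entries = ConvertFrom-FirewallLog -Lines ($SampleLog -split "`r?`n")
Get-InboundDropSummary -Entries $entries | Format-Table -AutoSize
# Real log: ConvertFrom-FirewallLog -Lines (Get-Content "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log")
```

On the sample, 203.0.113.45 is reported with four distinct ports (22, 445, 3389, 5985) and LikelyScan True, while 192.0.2.77 (NetBIOS broadcast noise plus one RDP attempt) stays below the threshold. The log records no process name, so correlating a drop with the program behind it still needs the rule-level auditing events in the Security log.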

Relevance indicator

58

Table of settings


UIX

Potentially : 1

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging
RegistryItem :
LogDroppedPackets

Values

Type :
Number 
Possible Values :
  • 1 (True) 
  • 0 (False)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging' -name 'LogDroppedPackets'
Set Value :
Set-ItemProperty -path 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging' -name 'LogDroppedPackets' -value 1


More Informations


OS

1417 Basic Log successful connections (Public Profile, Policy) Low Potentially 0 1

Log successful connections (Public Profile, Policy)


Introduction


[PUBLIC] If you enable this policy setting, Windows Defender Firewall writes the information to a log file. You must provide the name, location, and maximum size of the log file. The location can contain environment variables. You must also specify whether to record information about incoming messages that the firewall blocks (drops) and information about successful incoming and outgoing connections. Windows Defender Firewall does not provide an option to log successful incoming messages. This entry controls the second choice for the public profile: whether allowed connections are written to the log (LogSuccessfulConnections). The recommended value, 1, turns it on.

Read more >

Relevance indicator

33

Table of settings


UIX

Potentially : 1

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging
RegistryItem :
LogSuccessfulConnections

Values

Type :
Number 
Possible Values :
  • 1 (True) 
  • 0 (False)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging' -name 'LogSuccessfulConnections'
Set Value :
Set-ItemProperty -path 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging' -name 'LogSuccessfulConnections' -value 1


More Informations


OS

1418 Enterprise EnableFirewall (Domain Profile) Medium Potentially 1 1

EnableFirewall (Domain Profile)


Introduction


[DOMAIN] Turns on Windows Defender Firewall.

  • If you enable this policy setting, Windows Defender Firewall runs and ignores the "Computer Configuration\Administrative Templates\Network\Network Connections\Prohibit use of Internet Connection Firewall on your DNS domain network" policy setting.
  • If you disable this policy setting, Windows Defender Firewall does not run. This is the only way to ensure that Windows Defender Firewall does not run and administrators who log on locally cannot start it.
  • If you do not configure this policy setting, administrators can use the Windows Defender Firewall component in Control Panel to turn Windows Defender Firewall on or off, unless the "Prohibit use of Internet Connection Firewall on your DNS domain network" policy setting overrides.

Read more >
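From this entry on, the catalogue points at HKLM:\SYSTEM\...\SharedAccess\Parameters\FirewallPolicy, the firewall's local store, whereas the earlier "Policy" entries point at HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall, which Group Policy writes. When a value exists in the Policies key it overrides the local one, so setting the local key as shown below has no visible effect on a domain-joined machine whose GPO already defines the setting. The block below is an added example, not code from the catalogue; it reads both locations for all six settings of each profile and reports which value is in effect. Note that the private profile is named PrivateProfile under Policies but StandardProfile in the local store, exactly as the registry paths on this page show.

```powershell
# Added example (not part of the catalogue): show GPO vs local registry value
# and which one is effective, per profile and setting. Read-only; no elevation needed.

$ProfileKeys = @(
    @{ Profile = 'Domain';  Policy = 'DomainProfile';  Local = 'DomainProfile' },
    @{ Profile = 'Private'; Policy = 'PrivateProfile'; Local = 'StandardProfile' },
    @{ Profile = 'Public';  Policy = 'PublicProfile';  Local = 'PublicProfile' }
)
$ProfileSettings = 'EnableFirewall', 'DefaultInboundAction', 'DefaultOutboundAction'
$LogSettings     = 'LogFileSize', 'LogDroppedPackets', 'LogSuccessfulConnections'   # live under \Logging

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # $null when the key or value is absent instead of a terminating error.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { $null }
}

function Get-FirewallSettingSource {
    foreach ($pk in $ProfileKeys) {
        $policyBase = "HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\$($pk.Policy)"
        $localBase  = "HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\$($pk.Local)"
        foreach ($name in $ProfileSettings + $LogSettings) {
            $sub    = if ($name -in $LogSettings) { '\Logging' } else { '' }
            $policy = Get-RegValue -Path "$policyBase$sub" -Name $name
            $local  = Get-RegValue -Path "$localBase$sub"  -Name $name
            if ($null -ne $policy)     { $effective = $policy; $source = 'GPO (Policies key)' }
            elseif ($null -ne $local)  { $effective = $local;  $source = 'Local store' }
            else                       { $effective = $null;   $source = 'Not set (built-in default)' }
            [pscustomobject]@{
                Profile   = $pk.Profile
                Setting   = $name
                Policy    = $policy
                Local     = $local
                Effective = $effective
                Source    = $source
            }
        }
    }
}

Get-FirewallSettingSource | Format-Table -AutoSize
```

Two practical consequences: first, on a machine where Source reads "GPO" for a setting, fix it in the GPO, not with the Set-ItemProperty command under the entry; second, Set-ItemProperty fails if the Policies key does not exist yet, so a local-policy approach needs New-Item -Force on the path first, or better, Set-NetFirewallProfile, which creates what it needs and is picked up by the firewall service immediately.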

Relevance indicator

50

Table of settings


UIX

Potentially : 1

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile
RegistryItem :
EnableFirewall

Values

Type :
Number
Possible Values :
  • 1 (Enable)
  • 0 (Disable)
  • Not defined

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile' -name 'EnableFirewall'
Set Value :
Set-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile' -name 'EnableFirewall' -value 1


More Informations


OS

1419 Enterprise Inbound Connections (Domain Profile) Medium Potentially 1 1

Inbound Connections (Domain Profile)


Introduction


[DOMAIN] In many cases, a next step for administrators will be to customize these profiles using rules (sometimes called filters) so that they can work with user apps or other types of software. For example, an administrator or user may choose to add a rule to accommodate a program, open a port or protocol, or allow a predefined type of traffic. This entry sets the domain profile's default action for inbound connections that match no rule (DefaultInboundAction); the recommended value, 1, blocks them, so management traffic (remote administration, monitoring agents) needs explicit allow rules, ideally scoped to the administrative subnets.

Read more >

Relevance indicator

50

Table of settings


UIX

Potentially : 1

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile
RegistryItem :
DefaultInboundAction

Values

Type :
Number 
Possible Values :
  • 0 (Allow) 
  • 1 (Block)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile' -name 'DefaultInboundAction'
Set Value :
Set-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile' -name 'DefaultInboundAction' -value 1


More Informations


Notes

OS

1420 Enterprise Outbound Connections (Domain Profile) Medium Potentially 0 0

Outbound Connections (Domain Profile)


Introduction


[DOMAIN] By default, outbound filtering is disabled. Because all outbound network traffic is permitted, outbound rules are typically used to block traffic that is not wanted on the network. However, it is a best practice for an administrator to create outbound allow rules for those applications that are approved for use on the organization’s network. If you do this, then you have the option to set the default outbound behavior to block, preventing any network traffic that is not specifically authorized by the rules you create.

Read more >

Relevance indicator

50

Table of settings


UIX

Potentially : 1

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile
RegistryItem :
DefaultOutboundAction

Values

Type :
Number 
Possible Values :
  • 0 (Allow) 
  • 1 (Block)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile' -name 'DefaultOutboundAction'
Set Value :
Set-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile' -name 'DefaultOutboundAction' -value 0


More Informations


OS

1421 Enterprise Log size limit (Domain Profile) Medium Potentially 4096 16384

Log size limit (Domain Profile)


Introduction


[DOMAIN] The firewall log file size for a domain connection will be set to ensure enough capacity is allocated for audit data. The value is in kilobytes (1 to 32767); the recommended 16384 KB is four times the 4096 KB default. When the file reaches the limit the firewall starts a new one and keeps only the previous file as pfirewall.log.old.

Read more >

Relevance indicator

50

Table of settings


UIX

Potentially : 1

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging
RegistryItem :
LogFileSize

Values

Type :
Number
Possible Values :
  • (Size limit in KB)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging' -name 'LogFileSize'
Set Value :
Set-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging' -name 'LogFileSize' -value 16384


More Informations


Notes

OS

1422 Enterprise Log dropped packets (Domain Profile) Medium Potentially 0 1

Log dropped packets (Domain Profile)


Introduction


[DOMAIN] If you enable this policy setting, Windows Defender Firewall writes the information to a log file. You must provide the name, location, and maximum size of the log file. The location can contain environment variables. You must also specify whether to record information about incoming messages that the firewall blocks (drops) and information about successful incoming and outgoing connections. Windows Defender Firewall does not provide an option to log successful incoming messages. This entry controls the first of those two choices for the domain profile: whether packets the firewall blocks are written to the log (LogDroppedPackets). The recommended value, 1, turns it on.

Read more >

Relevance indicator

50

Table of settings


UIX

Potentially : 1

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging
RegistryItem :
LogDroppedPackets

Values

Type :
Number 
Possible Values :
  • 1 (True) 
  • 0 (False)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging' -name 'LogDroppedPackets'
Set Value :
Set-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging' -name 'LogDroppedPackets' -value 1


More Informations


OS

1423 Enterprise Log successful connections (Domain Profile) Low Potentially 0 1

Log successful connections (Domain Profile)


Introduction


[DOMAIN] If you enable this policy setting, Windows Defender Firewall writes the information to a log file. You must provide the name, location, and maximum size of the log file. The location can contain environment variables. You must also specify whether to record information about incoming messages that the firewall blocks (drops) and information about successful incoming and outgoing connections. Windows Defender Firewall does not provide an option to log successful incoming messages. This entry controls the second choice for the domain profile: whether allowed connections are written to the log (LogSuccessfulConnections). The recommended value, 1, turns it on.

Read more >

Relevance indicator

25

Table of settings


UIX

Potentially : 1

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging
RegistryItem :
LogSuccessfulConnections

Values

Type :
Number 
Possible Values :
  • 1 (True) 
  • 0 (False)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging' -name 'LogSuccessfulConnections'
Set Value :
Set-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging' -name 'LogSuccessfulConnections' -value 1


More Informations


OS

1424 Basic EnableFirewall (Private Profile) Medium Potentially 1 1

EnableFirewall (Private Profile)


Introduction


[STANDARD] Turns on Windows Defender Firewall for the private profile, which the local registry store names StandardProfile.

  • If you enable this policy setting, Windows Defender Firewall runs and ignores the "Computer Configuration\Administrative Templates\Network\Network Connections\Prohibit use of Internet Connection Firewall on your DNS domain network" policy setting.
  • If you disable this policy setting, Windows Defender Firewall does not run. This is the only way to ensure that Windows Defender Firewall does not run and administrators who log on locally cannot start it.
  • If you do not configure this policy setting, administrators can use the Windows Defender Firewall component in Control Panel to turn Windows Defender Firewall on or off, unless the "Prohibit use of Internet Connection Firewall on your DNS domain network" policy setting overrides.

Read more >

Relevance indicator

58

Table of settings


UIX

Potentially : 1

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
RegistryItem :
EnableFirewall

Values

Type :
Number
Possible Values :
  • 1 (Enable)
  • 0 (Disable)
  • Not defined

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile' -name 'EnableFirewall'
Set Value :
Set-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile' -name 'EnableFirewall' -value 1


More Informations


OS

1425 Basic Inbound Connections (Private Profile) Medium Potentially 1 1

Inbound Connections (Private Profile)


Introduction


[STANDARD] In many cases, a next step for administrators will be to customize these profiles using rules (sometimes called filters) so that they can work with user apps or other types of software. For example, an administrator or user may choose to add a rule to accommodate a program, open a port or protocol, or allow a predefined type of traffic. This entry sets the private profile's default action for inbound connections that match no rule (DefaultInboundAction) in the local store; the recommended value, 1, blocks them.

Read more >

Relevance indicator

58

Table of settings


UIX

Potentially : 1

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
RegistryItem :
DefaultInboundAction

Values

Type :
Number 
Possible Values :
  • 0 (Allow) 
  • 1 (Block)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile' -name 'DefaultInboundAction'
Set Value :
Set-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile' -name 'DefaultInboundAction' -value 1


More Informations


Notes

OS

1426 Basic Outbound Connections (Private Profile) Medium Potentially 0 0

Outbound Connections (Private Profile)


Introduction


[STANDARD] By default, outbound filtering is disabled. Because all outbound network traffic is permitted, outbound rules are typically used to block traffic that is not wanted on the network. However, it is a best practice for an administrator to create outbound allow rules for those applications that are approved for use on the organization’s network. If you do this, then you have the option to set the default outbound behavior to block, preventing any network traffic that is not specifically authorized by the rules you create.

Read more >

Relevance indicator

58

Table of settings


UIX

Potentially : 1

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
RegistryItem :
DefaultOutboundAction

Values

Type :
Number 
Possible Values :
  • 0 (Allow) 
  • 1 (Block)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile' -name 'DefaultOutboundAction'
Set Value :
Set-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile' -name 'DefaultOutboundAction' -value 0


More Informations


OS

1427 Basic Log size limit (Private Profile) Medium Potentially 4096 16384

Log size limit (Private Profile)


Introduction


[STANDARD] The firewall log file size for a private-profile connection will be set to ensure enough capacity is allocated for audit data. The value is in kilobytes (1 to 32767); the recommended 16384 KB is four times the 4096 KB default. When the file reaches the limit the firewall starts a new one and keeps only the previous file as pfirewall.log.old.

Read more >

Relevance indicator

58

Table of settings


UIX

Potentially : 1

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging
RegistryItem :
LogFileSize

Values

Type :
Number
Possible Values :
  • (Size limit in KB)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging' -name 'LogFileSize'
Set Value :
Set-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging' -name 'LogFileSize' -value 16384


More Informations


Notes

OS

1428 Basic Log dropped packets (Private Profile) Medium Potentially 0 1

Log dropped packets (Private Profile)


Introduction


[STANDARD] If you enable this policy setting, Windows Defender Firewall writes the information to a log file. You must provide the name, location, and maximum size of the log file. The location can contain environment variables. You must also specify whether to record information about incoming messages that the firewall blocks (drops) and information about successful incoming and outgoing connections. Windows Defender Firewall does not provide an option to log successful incoming messages. This entry controls the first of those two choices for the private profile in the local store: whether packets the firewall blocks are written to the log (LogDroppedPackets). The recommended value, 1, turns it on.

Read more >

Relevance indicator

58

Table of settings


UIX

Potentially : 1

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging
RegistryItem :
LogDroppedPackets

Values

Type :
Number 
Possible Values :
  • 1 (True) 
  • 0 (False)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging' -name 'LogDroppedPackets'
Set Value :
Set-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging' -name 'LogDroppedPackets' -value 1


More Informations


OS

1429 Basic Log successful connections (Private Profile) Low Potentially 0 1

Log successful connections (Private Profile)


Introduction


[STANDARD] If you enable this policy setting, Windows Defender Firewall writes the information to a log file. You must provide the name, location, and maximum size of the log file. The location can contain environment variables. You must also specify whether to record information about incoming messages that the firewall blocks (drops) and information about successful incoming and outgoing connections. Windows Defender Firewall does not provide an option to log successful incoming messages. This entry controls the second choice for the private profile in the local store: whether allowed connections are written to the log (LogSuccessfulConnections). The recommended value, 1, turns it on.

Read more >

Relevance indicator

33

Table of settings


UIX

Potentially : 1

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging
RegistryItem :
LogSuccessfulConnections

Values

Type :
Number 
Possible Values :
  • 1 (True) 
  • 0 (False)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging' -name 'LogSuccessfulConnections'
Set Value :
Set-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging' -name 'LogSuccessfulConnections' -value 1


More Informations


OS

1430 Basic EnableFirewall (Public Profile) Medium Potentially 1 1

EnableFirewall (Public Profile)


Introduction


[PUBLIC] Turns on Windows Defender Firewall.

  • If you enable this policy setting, Windows Defender Firewall runs and ignores the "Computer Configuration\Administrative Templates\Network\Network Connections\Prohibit use of Internet Connection Firewall on your DNS domain network" policy setting.
  • If you disable this policy setting, Windows Defender Firewall does not run. This is the only way to ensure that Windows Defender Firewall does not run and administrators who log on locally cannot start it.
  • If you do not configure this policy setting, administrators can use the Windows Defender Firewall component in Control Panel to turn Windows Defender Firewall on or off, unless the "Prohibit use of Internet Connection Firewall on your DNS domain network" policy setting overrides.

Read more >

Relevance indicator

58

Table of settings


UIX

Potentially : 1

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile
RegistryItem :
EnableFirewall

Values

Type :
Number
Possible Values :
  • 1 (Enable)
  • 0 (Disable)
  • Not defined

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile' -name 'EnableFirewall'
Set Value :
Set-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile' -name 'EnableFirewall' -value 1


More Informations


OS

1431 Basic Inbound Connections (Public Profile) Medium Potentially 1 1

Inbound Connections (Public Profile)


Introduction


[PUBLIC] In many cases, a next step for administrators will be to customize these profiles using rules (sometimes called filters) so that they can work with user apps or other types of software. For example, an administrator or user may choose to add a rule to accommodate a program, open a port or protocol, or allow a predefined type of traffic. This entry sets the public profile's default action for inbound connections that match no rule (DefaultInboundAction) in the local store; the recommended value, 1, blocks them.

Read more >

Relevance indicator

58

Table of settings


UIX

Potentially : 1

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile
RegistryItem :
DefaultInboundAction

Values

Type :
Number 
Possible Values :
  • 0 (Allow) 
  • 1 (Block)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile' -name 'DefaultInboundAction'
Set Value :
Set-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile' -name 'DefaultInboundAction' -value 1


More Informations


Notes

OS

1432 Basic Outbound Connections (Public Profile) Medium Potentially 0 0

Outbound Connections (Public Profile)


Introduction


[PUBLIC] By default, outbound filtering is disabled. Because all outbound network traffic is permitted, outbound rules are typically used to block traffic that is not wanted on the network. However, it is a best practice for an administrator to create outbound allow rules for those applications that are approved for use on the organization’s network. If you do this, then you have the option to set the default outbound behavior to block, preventing any network traffic that is not specifically authorized by the rules you create.

Read more >

Relevance indicator

58

Table of settings


UIX

Potentially : 1

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile
RegistryItem :
DefaultOutboundAction

Values

Type :
Number 
Possible Values :
  • 0 (Allow) 
  • 1 (Block)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile' -name 'DefaultOutboundAction'
Set Value :
Set-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile' -name 'DefaultOutboundAction' -value 0


More Informations


OS

1433 Basic Log size limit (Public Profile) Medium Potentially 4096 16384

Log size limit (Public Profile)


Introduction


[PUBLIC] The firewall log file size for a public-profile connection will be set to ensure enough capacity is allocated for audit data. The value is in kilobytes (1 to 32767); the recommended 16384 KB is four times the 4096 KB default. When the file reaches the limit the firewall starts a new one and keeps only the previous file as pfirewall.log.old.

Read more >

Relevance indicator

58

Table of settings


UIX

Potentially : 1

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging
RegistryItem :
LogFileSize

Values

Type :
Number
Possible Values :
  • (Size limit in KB)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging' -name 'LogFileSize'
Set Value :
Set-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging' -name 'LogFileSize' -value 16384


More Informations


Notes

OS

1434 Basic Log dropped packets (Public Profile) Medium Potentially 0 1

Log dropped packets (Public Profile)


Introduction


[PUBLIC] If you enable this policy setting, Windows Defender Firewall writes the information to a log file. You must provide the name, location, and maximum size of the log file. The location can contain environment variables. You must also specify whether to record information about incoming messages that the firewall blocks (drops) and information about successful incoming and outgoing connections. Windows Defender Firewall does not provide an option to log successful incoming messages.


Relevance indicator

58

Table of settings


UIX

Potentially : 1

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging
RegistryItem :
LogDroppedPackets

Values

Type :
Number 
Possible Values :
  • 1 (True) 
  • 0 (False)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging' -name 'LogDroppedPackets'
Set Value :
Set-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging' -name 'LogDroppedPackets' -value 1


More Information


OS

1435 Basic Log successful connections (Public Profile) Low Potentially 0 1

Log successful connections (Public Profile)


Introduction


[PUBLIC] If you enable this policy setting, Windows Defender Firewall writes the information to a log file. You must provide the name, location, and maximum size of the log file. The location can contain environment variables. You must also specify whether to record information about incoming messages that the firewall blocks (drops) and information about successful incoming and outgoing connections. Windows Defender Firewall does not provide an option to log successful incoming messages.


Relevance indicator

33

Table of settings


UIX

Potentially : 1

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging
RegistryItem :
LogSuccessfulConnections

Values

Type :
Number 
Possible Values :
  • 1 (True) 
  • 0 (False)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging' -name 'LogSuccessfulConnections'
Set Value :
Set-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging' -name 'LogSuccessfulConnections' -value 1


More Information


OS

Advanced Audit Policy Configuration

1500 Enterprise Credential Validation Low No impact No Auditing Success and Failure

Credential Validation

Audit Logs Logon Credentials Events Domain

Introduction


Audit Credential Validation determines whether the operating system generates audit events on credentials that are submitted for a user account logon request. These events occur on the computer that is authoritative for the credentials as follows:

  • For domain accounts, the domain controller is authoritative.
  • For local accounts, the local computer is authoritative.


Relevance indicator

42

Table of settings


UIX

No impact : 0

Method

Method :
auditpol
Method Argument :
{0CCE923F-69AE-11D9-BED3-505054503030}

Values

Type :
String
Possible Values :
  • No Auditing
  • Success
  • Failure
  • Success and Failure

Powershell Command

Getting Command :
auditpol.exe /get /subcategory:"{0CCE923F-69AE-11D9-BED3-505054503030}" ;
Setting Command :
auditpol.exe /set /subcategory:"{0CCE923F-69AE-11D9-BED3-505054503030}" /success:enable /failure:enable | Out-Null ;

More Information


Advice

Notes

OS

1501 Enterprise Security Group Management Low No impact Success Success

Security Group Management

Audit Logs Groups

Introduction


Audit Security Group Management determines whether the operating system generates audit events when specific security group management tasks are performed.

Event volume: Low.


Relevance indicator

42

Table of settings


UIX

No impact : 0

Method

Method :
auditpol
Method Argument :
{0CCE9237-69AE-11D9-BED3-505054503030}

Values

Type :
String
Possible Values :
  • No Auditing
  • Success
  • Failure
  • Success and Failure

Powershell Command

Getting Command :
auditpol.exe /get /subcategory:"{0CCE9237-69AE-11D9-BED3-505054503030}" ;
Setting Command :
auditpol.exe /set /subcategory:"{0CCE9237-69AE-11D9-BED3-505054503030}" /success:enable /failure:disable | Out-Null ;

More Information


Notes

OS

1502 Enterprise User Account Management Low No impact Success Success and Failure

User Account Management

Audit Logs User

Introduction


Audit User Account Management determines whether the operating system generates audit events when specific user account management tasks are performed. Event volume: Low.


Relevance indicator

42

Table of settings


UIX

No impact : 0

Method

Method :
auditpol
Method Argument :
{0CCE9235-69AE-11D9-BED3-505054503030}

Values

Type :
String
Possible Values :
  • No Auditing
  • Success
  • Failure
  • Success and Failure

Powershell Command

Getting Command :
auditpol.exe /get /subcategory:"{0CCE9235-69AE-11D9-BED3-505054503030}" ;
Setting Command :
auditpol.exe /set /subcategory:"{0CCE9235-69AE-11D9-BED3-505054503030}" /success:enable /failure:enable | Out-Null ;

More Information


Notes

OS

1503 Enterprise DPAPI Activity Low No impact No Auditing Success and Failure

DPAPI Activity

Audit Logs DPAPI

Introduction


This topic for the IT professional describes the Advanced Security Audit policy setting, Audit DPAPI Activity, which determines whether the operating system generates audit events when encryption or decryption calls are made into the data protection application interface (DPAPI). DPAPI is used to protect secret information such as stored passwords and key information. For more information about DPAPI, see Windows Data Protection (https://go.microsoft.com/fwlink/?LinkID=121720).

Event volume: Low


Relevance indicator

42

Table of settings


UIX

No impact : 0

Method

Method :
auditpol
Method Argument :
{0CCE922D-69AE-11D9-BED3-505054503030}

Values

Type :
String
Possible Values :
  • No Auditing
  • Success
  • Failure
  • Success and Failure

Powershell Command

Getting Command :
auditpol.exe /get /subcategory:"{0CCE922D-69AE-11D9-BED3-505054503030}" ;
Setting Command :
auditpol.exe /set /subcategory:"{0CCE922D-69AE-11D9-BED3-505054503030}" /success:enable /failure:enable | Out-Null ;

More Information


Notes

OS

1504 Enterprise Plug and Play Events Low Potentially No Auditing Success

Plug and Play Events

Audit Logs PNP

Introduction


Audit PNP Activity determines when Plug and Play detects an external device. A PnP audit event can be used to track down changes in system hardware and will be logged on the machine where the change took place. For example, when a keyboard is plugged into a computer, a PnP event is triggered.

Event volume: Varies, depending on how the computer is used. Typically Low.


Relevance indicator

25

Table of settings


UIX

Potentially : 1

Method

Method :
auditpol
Method Argument :
{0cce9248-69ae-11d9-bed3-505054503030}

Values

Type :
String
Possible Values :
  • No Auditing
  • Success
  • Failure
  • Success and Failure

Powershell Command

Getting Command :
auditpol.exe /get /subcategory:"{0CCE9248-69AE-11D9-BED3-505054503030}" ;
Setting Command :
auditpol.exe /set /subcategory:"{0CCE9248-69AE-11D9-BED3-505054503030}" /success:enable /failure:disable | Out-Null ;

More Information


OS

1505 Enterprise Process Creation Low Potentially No Auditing Success

Process Creation

Audit Logs Process

Introduction


Audit Process Creation determines whether the operating system generates audit events when a process is created (starts). These audit events can help you track user activity and understand how a computer is being used.

Information includes the name of the program or the user that created the process.

Event volume: Low to Medium, depending on system usage.


Relevance indicator

25

Table of settings


UIX

Potentially : 1

Method

Method :
auditpol
Method Argument :
{0CCE922B-69AE-11D9-BED3-505054503030}

Values

Type :
String
Possible Values :
  • No Auditing
  • Success
  • Failure
  • Success and Failure

Powershell Command

Getting Command :
auditpol.exe /get /subcategory:"{0CCE922B-69AE-11D9-BED3-505054503030}" ;
Setting Command :
auditpol.exe /set /subcategory:"{0CCE922B-69AE-11D9-BED3-505054503030}" /success:enable /failure:disable | Out-Null ;

More Information


Notes

OS

1506 Enterprise Account Lockout Low No impact Success Failure

Account Lockout

Audit Logs Server Events

Introduction


This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Account Lockout, which enables you to audit security events that are generated by a failed attempt to log on to an account that is locked out.

  • If you configure this policy setting, an audit event is generated when an account cannot log on to a computer because the account is locked out. Success audits record successful attempts and failure audits record unsuccessful attempts.
  • Account lockout events are essential for understanding user activity and detecting potential attacks.


Relevance indicator

42

Table of settings


UIX

No impact : 0

Method

Method :
auditpol
Method Argument :
{0CCE9217-69AE-11D9-BED3-505054503030}

Values

Type :
String
Possible Values :
  • Success
  • Failure

Powershell Command

Getting Command :
auditpol.exe /get /subcategory:"{0CCE9217-69AE-11D9-BED3-505054503030}" ;
Setting Command :
auditpol.exe /set /subcategory:"{0CCE9217-69AE-11D9-BED3-505054503030}" /success:disable /failure:enable | Out-Null ;

More Information


Notes

OS

1507 Enterprise Group Membership Low No impact No Auditing Success

Group Membership

Audit Logs Groups

Introduction


By using Audit Group Membership, you can audit group memberships when they're enumerated on the client computer. This policy allows you to audit the group membership information in the user's logon token.

Events in this subcategory are generated on the computer on which a logon session is created. For an interactive logon, the security audit event is generated on the computer that the user logged on to.

For a network logon, such as accessing a shared folder on the network, the security audit event is generated on the computer hosting the resource. You must also enable the Audit Logon subcategory. Multiple events are generated if the group membership information cannot fit in a single security audit event.

Event volume:

  • Low on a client computer.
  • Medium on a domain controller or network servers.


Relevance indicator

42

Table of settings


UIX

No impact : 0

Method

Method :
auditpol
Method Argument :
{0cce9249-69ae-11d9-bed3-505054503030}

Values

Type :
String
Possible Values :
  • No Auditing
  • Success
  • Failure
  • Success and Failure

Powershell Command

Getting Command :
auditpol.exe /get /subcategory:"{0cce9249-69ae-11d9-bed3-505054503030}" ;
Setting Command :
auditpol.exe /set /subcategory:"{0cce9249-69ae-11d9-bed3-505054503030}" /success:enable /failure:disable | Out-Null ;

More Information


OS

1508 Enterprise Logon Low No impact Success and Failure Success and Failure

Logon

Audit Logs User

Introduction


This policy setting allows you to audit events generated by validation tests performed on user account logon credentials. Events in this subcategory only occur on the authoritative computer for this credential.

For domain accounts, the domain controller is authoritative.

For local accounts, the local computer is authoritative.


Relevance indicator

42

Table of settings


UIX

No impact : 0

Method

Method :
auditpol
Method Argument :
{0CCE9215-69AE-11D9-BED3-505054503030}

Values

Type :
String
Possible Values :
  • No Auditing
  • Success
  • Failure
  • Success and Failure

Powershell Command

Getting Command :
auditpol.exe /get /subcategory:"{0CCE9215-69AE-11D9-BED3-505054503030}" ;
Setting Command :
auditpol.exe /set /subcategory:"{0CCE9215-69AE-11D9-BED3-505054503030}" /success:enable /failure:enable | Out-Null ;

More Information


OS

1509 Enterprise Other Logon/Logoff Events Low No impact No Auditing Success and Failure

Other Logon/Logoff Events

Audit Logs User

Introduction


Audit Other Logon/Logoff Events determines whether Windows generates audit events for other logon or logoff events. These other logon or logoff events include:

  • A Remote Desktop session connects or disconnects.
  • A workstation is locked or unlocked.
  • A screen saver is invoked or dismissed.
  • A replay attack is detected. This event indicates that a Kerberos request was received twice with identical information. This condition could also be caused by network misconfiguration.
  • A user is granted access to a wireless network. It can be either a user account or the computer account.
  • A user is granted access to a wired 802.1x network. It can be either a user account or the computer account.

Logon events are essential to understanding user activity and detecting potential attacks.

Event volume: Low


Relevance indicator

42

Table of settings


UIX

No impact : 0

Method

Method :
auditpol
Method Argument :
{0CCE921C-69AE-11D9-BED3-505054503030}

Values

Type :
String
Possible Values :
  • No Auditing
  • Success
  • Failure
  • Success and Failure

Powershell Command

Getting Command :
auditpol.exe /get /subcategory:"{0CCE921C-69AE-11D9-BED3-505054503030}" ;
Setting Command :
auditpol.exe /set /subcategory:"{0CCE921C-69AE-11D9-BED3-505054503030}" /success:enable /failure:enable | Out-Null ;

More Information


OS

1510 Enterprise Special Logon Low No impact Success Success

Special Logon

Audit Logs User

Introduction


Audit Special Logon determines whether the operating system generates audit events under special sign on (or log on) circumstances. This subcategory allows you to audit events generated by special logons such as the following:

  • The use of a special logon, which is a logon that has administrator-equivalent privileges and can be used to elevate a process to a higher level.
  • A logon by a member of a Special Group. Special Groups enable you to audit events generated when a member of a certain group has logged on to your network. You can configure a list of group security identifiers (SIDs) in the registry. If any of those SIDs are added to a token during logon and the subcategory is enabled, an event is logged.

Event volume:

  • Low on a client computer.
  • Medium on a domain controller or network servers.


Relevance indicator

42

Table of settings


UIX

No impact : 0

Method

Method :
auditpol
Method Argument :
{0CCE921B-69AE-11D9-BED3-505054503030}

Values

Type :
String
Possible Values :
  • No Auditing
  • Success
  • Failure
  • Success and Failure

Powershell Command

Getting Command :
auditpol.exe /get /subcategory:"{0CCE921B-69AE-11D9-BED3-505054503030}" ;
Setting Command :
auditpol.exe /set /subcategory:"{0CCE921B-69AE-11D9-BED3-505054503030}" /success:enable /failure:disable | Out-Null ;

More Information


OS

1511 Enterprise Detailed File Share Low No impact No Auditing Failure

Detailed File Share

Audit Logs File Share

Introduction


The Detailed File Share setting logs an event every time a file or folder is accessed, whereas the File Share setting only records one event for any connection established between a client computer and file share. Detailed File Share audit events include detailed information about the permissions or other criteria used to grant or deny access.

Event volume: High on a file server or domain controller because of SYSVOL network access required by Group Policy.


Relevance indicator

42

Table of settings


UIX

No impact : 0

Method

Method :
auditpol
Method Argument :
{0CCE9244-69AE-11D9-BED3-505054503030}

Values

Type :
String
Possible Values :
  • No Auditing
  • Success
  • Failure
  • Success and Failure

Powershell Command

Getting Command :
auditpol.exe /get /subcategory:"{0CCE9244-69AE-11D9-BED3-505054503030}" ;
Setting Command :
auditpol.exe /set /subcategory:"{0CCE9244-69AE-11D9-BED3-505054503030}" /success:enable /failure:disable | Out-Null ;

More Information


OS

1512 Enterprise File Share Low No impact No Auditing Success and Failure

File Share

Audit Logs File Share

Introduction


Audit File Share allows you to audit events related to file shares: creation, deletion, modification, and access attempts. Also, it shows failed SMB SPN checks. There are no system access control lists (SACLs) for shares; therefore, after this setting is enabled, access to all shares on the system will be audited.

Event volume:

  • High on file servers.
  • High on domain controllers because of SYSVOL network access required by Group Policy.
  • Low on member servers and workstations.


Relevance indicator

42

Table of settings


UIX

No impact : 0

Method

Method :
auditpol
Method Argument :
{0CCE9224-69AE-11D9-BED3-505054503030}

Values

Type :
String
Possible Values :
  • No Auditing
  • Success
  • Failure
  • Success and Failure

Powershell Command

Getting Command :
auditpol.exe /get /subcategory:"{0CCE9224-69AE-11D9-BED3-505054503030}" ;
Setting Command :
auditpol.exe /set /subcategory:"{0CCE9224-69AE-11D9-BED3-505054503030}" /success:enable /failure:enable | Out-Null ;

More Information


Notes

OS

1513 Enterprise Kernel Object Low Potentially No Auditing Success and Failure

Kernel Object

Audit Logs Kernel

Introduction


Only kernel objects with a matching system access control list (SACL) generate security audit events. The audits generated are usually useful only to developers. Typically, kernel objects are given SACLs only if the AuditBaseObjects or AuditBaseDirectories auditing options are enabled.


Relevance indicator

25

Table of settings


UIX

Potentially : 1

Method

Method :
auditpol
Method Argument :
{0CCE921F-69AE-11D9-BED3-505054503030}

Values

Type :
String
Possible Values :
  • No Auditing
  • Success
  • Failure
  • Success and Failure

Powershell Command

Getting Command :
auditpol.exe /get /subcategory:"{0CCE921F-69AE-11D9-BED3-505054503030}" ;
Setting Command :
auditpol.exe /set /subcategory:"{0CCE921F-69AE-11D9-BED3-505054503030}" /success:enable /failure:enable | Out-Null ;

More Information


OS

1514 Enterprise Other Object Access Events Low No impact No Auditing Success and Failure

Other Object Access Events

Audit Logs

Introduction


This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Other Object Access Events, which determines whether the operating system generates audit events for the management of Task Scheduler jobs or COM+ objects.

For scheduler jobs, the following actions are audited:

  • Job created.
  • Job deleted.
  • Job enabled.
  • Job disabled.
  • Job updated.

For COM+ objects, the following actions are audited:

  • Catalog object added.
  • Catalog object updated.
  • Catalog object deleted.

Event volume: Low


Relevance indicator

42

Table of settings


UIX

No impact : 0

Method

Method :
auditpol
Method Argument :
{0CCE9227-69AE-11D9-BED3-505054503030}

Values

Type :
String
Possible Values :
  • No Auditing
  • Success
  • Failure
  • Success and Failure

Powershell Command

Getting Command :
auditpol.exe /get /subcategory:"{0CCE9227-69AE-11D9-BED3-505054503030}" ;
Setting Command :
auditpol.exe /set /subcategory:"{0CCE9227-69AE-11D9-BED3-505054503030}" /success:enable /failure:enable | Out-Null ;

More Information


OS

1515 Enterprise Removable Storage Low No impact No Auditing Success and Failure

Removable Storage

Audit Logs USB

Introduction


Audit Removable Storage allows you to audit user attempts to access file system objects on a removable storage device. A security audit event is generated for all objects and all types of access requested, with no dependency on object’s SACL.


Relevance indicator

42

Table of settings


UIX

No impact : 0

Method

Method :
auditpol
Method Argument :
{0CCE9245-69AE-11D9-BED3-505054503030}

Values

Type :
String
Possible Values :
  • No Auditing
  • Success
  • Failure
  • Success and Failure

Powershell Command

Getting Command :
auditpol.exe /get /subcategory:"{0CCE9245-69AE-11D9-BED3-505054503030}" ;
Setting Command :
auditpol.exe /set /subcategory:"{0CCE9245-69AE-11D9-BED3-505054503030}" /success:enable /failure:enable | Out-Null ;

More Information


OS

1516 Enterprise SAM Low No impact No Auditing Success and Failure

SAM

Audit Logs SAM

Introduction


Audit SAM enables you to audit events that are generated by attempts to access Security Account Manager (SAM) objects. The Security Account Manager (SAM) is a database that is present on computers running Windows operating systems that stores user accounts and security descriptors for users on the local computer. SAM objects include the following:

  • SAM_ALIAS: A local group
  • SAM_GROUP: A group that is not a local group
  • SAM_USER: A user account
  • SAM_DOMAIN: A domain
  • SAM_SERVER: A computer account


Relevance indicator

42

Table of settings


UIX

No impact : 0

Method

Method :
auditpol
Method Argument :
{0CCE9220-69AE-11D9-BED3-505054503030}

Values

Type :
String
Possible Values :
  • No Auditing
  • Success
  • Failure
  • Success and Failure

Powershell Command

Getting Command :
auditpol.exe /get /subcategory:"{0CCE9220-69AE-11D9-BED3-505054503030}" ;
Setting Command :
auditpol.exe /set /subcategory:"{0CCE9220-69AE-11D9-BED3-505054503030}" /success:enable /failure:enable | Out-Null ;

More Information


Advice

Notes

OS

1517 Enterprise Audit Policy Change Low No impact Success Success

Audit Policy Change

Audit Logs

Introduction


Audit Audit Policy Change determines whether the operating system generates audit events when changes are made to audit policy. Changes to audit policy that are audited include:

  • Changing permissions and audit settings on the audit policy object (by using “auditpol /set /sd” command).
  • Changing the system audit policy.
  • Registering and unregistering security event sources.
  • Changing per-user audit settings.
  • Changing the value of CrashOnAuditFail.
  • Changing audit settings on an object (for example, modifying the system access control list (SACL) for a file or registry key).


Relevance indicator

42

Table of settings


UIX

No impact : 0

Method

Method :
auditpol
Method Argument :
{0CCE922F-69AE-11D9-BED3-505054503030}

Values

Type :
String
Possible Values :
  • No Auditing
  • Success
  • Failure
  • Success and Failure

Powershell Command

Getting Command :
auditpol.exe /get /subcategory:"{0CCE922F-69AE-11D9-BED3-505054503030}" ;
Setting Command :
auditpol.exe /set /subcategory:"{0CCE922F-69AE-11D9-BED3-505054503030}" /success:enable /failure:disable | Out-Null ;

More Information


Notes

OS

1518 Enterprise Authentication Policy Change Low No impact Success Success

Authentication Policy Change

Audit Logs

Introduction


This policy determines whether the operating system generates audit events when changes are made to authentication policy. Changes made to authentication policy include:

  • Creation, modification, and removal of forest and domain trusts.
  • Changes to Kerberos policy under Computer Configuration\Windows Settings\Security Settings\Account Policies\Kerberos Policy.
  • When any of the following user rights is granted to a user or group: Access this computer from the network, Allow logon locally, Allow logon through Remote Desktop, Logon as a batch job, Logon as a service.
  • Namespace collision, such as when an added trust collides with an existing namespace name.


Relevance indicator

42

Table of settings


UIX

No impact : 0

Method

Method :
auditpol
Method Argument :
{0CCE9230-69AE-11D9-BED3-505054503030}

Values

Type :
String
Possible Values :
  • No Auditing
  • Success
  • Failure
  • Success and Failure

Powershell Command

Getting Command :
auditpol.exe /get /subcategory:"{0CCE9230-69AE-11D9-BED3-505054503030}" ;
Setting Command :
auditpol.exe /set /subcategory:"{0CCE9230-69AE-11D9-BED3-505054503030}" /success:enable /failure:disable | Out-Null ;

More Information


Notes

OS

1519 Enterprise MPSSVC Rule-Level Policy Change Low No impact No Auditing Success and Failure

MPSSVC Rule-Level Policy Change

Audit Logs

Introduction


Audit MPSSVC Rule-Level Policy Change determines whether the operating system generates audit events when changes are made to policy rules for the Microsoft Protection Service (MPSSVC.exe). The Microsoft Protection Service, which is used by Windows Firewall, is an integral part of the computer’s threat protection against Internet-bound threats such as Trojans and spyware. The tracked activities include:

  • Active policies when the Windows Firewall service starts.
  • Changes to Windows Firewall rules.
  • Changes to the Windows Firewall exception list.
  • Changes to Windows Firewall settings.
  • Rules ignored or not applied by the Windows Firewall service.
  • Changes to Windows Firewall Group Policy settings.


Relevance indicator

42

Table of settings


UIX

No impact : 0

Method

Method :
auditpol
Method Argument :
{0CCE9232-69AE-11D9-BED3-505054503030}

Values

Type :
String
Possible Values :
  • No Auditing
  • Success
  • Failure
  • Success and Failure

Powershell Command

Getting Command :
auditpol.exe /get /subcategory:"{0CCE9232-69AE-11D9-BED3-505054503030}" ;
Setting Command :
auditpol.exe /set /subcategory:"{0CCE9232-69AE-11D9-BED3-505054503030}" /success:enable /failure:enable | Out-Null ;

More Information


Notes

OS

1520 Enterprise Other Policy Change Events Low No impact No Auditing Failure

Other Policy Change Events

Audit Logs

Introduction


This policy determines whether the operating system generates audit events for security policy changes that are not otherwise audited in the Policy Change category. These other activities in the Policy Change category that can be audited include:

  • Trusted Platform Module (TPM) configuration changes.
  • Kernel-mode cryptographic self tests.
  • Cryptographic provider operations.
  • Cryptographic context operations or modifications.

Event volume: Low


Relevance indicator

42

Table of settings


UIX

No impact : 0

Method

Method :
auditpol
Method Argument :
{0CCE9234-69AE-11D9-BED3-505054503030}

Values

Type :
String
Possible Values :
  • No Auditing
  • Success
  • Failure
  • Success and Failure

Powershell Command

Getting Command :
auditpol.exe /get /subcategory:"{0CCE9234-69AE-11D9-BED3-505054503030}" ;
Setting Command :
auditpol.exe /set /subcategory:"{0CCE9234-69AE-11D9-BED3-505054503030}" /success:enable /failure:disable | Out-Null ;

More Information


OS

1521 Enterprise Sensitive Privilege Use Low Potentially No Auditing Success and Failure

Sensitive Privilege Use

Audit Logs

Introduction


Audit Sensitive Privilege Use contains events that show the usage of sensitive privileges. This is the list of sensitive privileges:

  • Act as part of the operating system
  • Back up files and directories
  • Restore files and directories
  • Create a token object
  • Debug programs
  • Enable computer and user accounts to be trusted for delegation
  • Generate security audits
  • Impersonate a client after authentication
  • Load and unload device drivers
  • Manage auditing and security log
  • Modify firmware environment values
  • Replace a process-level token
  • Take ownership of files or other objects


Relevance indicator

25

Table of settings


UIX

Potentially : 1

Method

Method :
auditpol
Method Argument :
{0CCE9228-69AE-11D9-BED3-505054503030}

Values

Type :
String
Possible Values :
  • No Auditing
  • Success
  • Failure
  • Success and Failure

Powershell Command

Getting Command :
auditpol.exe /get /subcategory:"{0CCE9228-69AE-11D9-BED3-505054503030}" ;
Setting Command :
auditpol.exe /set /subcategory:"{0CCE9228-69AE-11D9-BED3-505054503030}" /success:enable /failure:enable | Out-Null ;

More Information


Notes

OS

1522 Enterprise Other System Events Low No impact Success and Failure Success and Failure

Other System Events

Audit Logs

Introduction


Audit Other System Events contains Windows Firewall Service and Windows Firewall driver start and stop events, failure events for these services and Windows Firewall Service policy processing failures. Audit Other System Events determines whether the operating system audits various system events. The system events in this category include:

  • Startup and shutdown of the Windows Firewall service and driver.
  • Security policy processing by the Windows Firewall service.
  • Cryptography key file and migration operations.
  • BranchCache events.


Relevance indicator

42

Table of settings


UIX

No impact : 0

Method

Method :
auditpol
Method Argument :
{0CCE9214-69AE-11D9-BED3-505054503030}

Values

Type :
String
Possible Values :
  • No Auditing
  • Success
  • Failure
  • Success and Failure

Powershell Command

Getting Command :
auditpol.exe /get /subcategory:"{0CCE9214-69AE-11D9-BED3-505054503030}" ;
Setting Command :
auditpol.exe /set /subcategory:"{0CCE9214-69AE-11D9-BED3-505054503030}" /success:enable /failure:enable | Out-Null ;

More Information


OS

1523 Enterprise Security State Change Low No impact Success Success

Security State Change

Audit Logs

Introduction


Audit Security State Change contains Windows startup, recovery, and shutdown events, and information about changes in system time.

Event volume: Low.


Relevance indicator

42

Table of settings


UIX

No impact : 0

Method

Method :
auditpol
Method Argument :
{0CCE9210-69AE-11D9-BED3-505054503030}

Values

Type :
String
Possible Values :
  • No Auditing
  • Success
  • Failure
  • Success and Failure

Powershell Command

Getting Command :
auditpol.exe /get /subcategory:"{0CCE9210-69AE-11D9-BED3-505054503030}" ;
Setting Command :
auditpol.exe /set /subcategory:"{0CCE9210-69AE-11D9-BED3-505054503030}" /success:enable /failure:disable | Out-Null ;

More Information


OS

1524 Enterprise Security System Extension Low No impact No Auditing Success

Security System Extension

Audit Logs

Introduction


This policy determines whether the operating system generates audit events related to security system extensions. Changes to security system extensions in the operating system include the following activities:

  • A security extension code is loaded (such as an authentication, notification, or security package). A security extension code registers with the Local Security Authority and will be used and trusted to authenticate logon attempts, submit logon requests, and be notified of any account or password changes. Examples of this extension code are Security Support Providers, such as Kerberos and NTLM.
  • A service is installed. An audit log is generated when a service is registered with the Service Control Manager. The audit log contains information about the service name, binary, type, start type, and service account.


Relevance indicator

42

Table of settings


UIX

No impact : 0

Method

Method :
auditpol
Method Argument :
{0CCE9211-69AE-11D9-BED3-505054503030}

Values

Type :
String
Possible Values :
  • No Auditing
  • Success
  • Failure
  • Success and Failure

Powershell Command

Getting Command :
auditpol.exe /get /subcategory:"{0CCE9211-69AE-11D9-BED3-505054503030}" ;
Setting Command :
auditpol.exe /set /subcategory:"{0CCE9211-69AE-11D9-BED3-505054503030}" /success:enable /failure:disable | Out-Null ;

More Informations


Potential impact

Notes

OS

1525 Enterprise System Integrity Low No impact Success and Failure Success and Failure

System Integrity

AuditLogs

Introduction


Audit System Integrity determines whether the operating system audits events that violate the integrity of the security subsystem. Activities that violate the integrity of the security subsystem include the following:

  • Audited events are lost due to a failure of the auditing system.
  • A process uses an invalid local procedure call (LPC) port in an attempt to impersonate a client, reply to a client address space, read to a client address space, or write from a client address space.
  • A remote procedure call (RPC) integrity violation is detected.
  • A code integrity violation with an invalid hash value of an executable file is detected.
  • Cryptographic tasks are performed.


Relevance indicator

42

Table of settings


UIX

No impact : 0

Method

Method :
auditpol
Method Argument :
{0CCE9212-69AE-11D9-BED3-505054503030}

Values

Type :
String
Possible Values :
  • No Auditing
  • Success
  • Failure
  • Success and Failure

Powershell Command

Getting Command :
auditpol.exe /get /subcategory:"{0CCE9212-69AE-11D9-BED3-505054503030}" ;
Setting Command :
auditpol.exe /set /subcategory:"{0CCE9212-69AE-11D9-BED3-505054503030}" /success:enable /failure:enable | Out-Null ;

More Informations


Potential impact

OS

Administrative Templates: Control Panel

1600 Basic Personalization: Prevent enabling lock screen camera Low No impact 0 1

Personalization: Prevent enabling lock screen camera


Introduction


Disables the lock screen camera toggle switch in PC Settings and prevents a camera from being invoked on the lock screen. By default, users can enable invocation of an available camera on the lock screen.

  • If you enable this setting, users will no longer be able to enable or disable lock screen camera access in PC Settings, and the camera cannot be invoked on the lock screen.


Relevance indicator

50

Table of settings


UIX

No impact : 0

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\Software\Policies\Microsoft\Windows\Personalization
RegistryItem :
NoLockScreenCamera

Values

Type :
Number
Possible Values :
  • 1 (Enable)
  • 0 (Disable)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\Windows\Personalization' -name 'NoLockScreenCamera'
Set Value :
Set-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\Windows\Personalization' -name 'NoLockScreenCamera' -value 1


More Informations


OS

Administrative Templates: Network

1601 Basic DNS Client: Turn off multicast name resolution (LLMNR) Medium No impact 1 0

DNS Client: Turn off multicast name resolution (LLMNR)

NetworkDNS

Introduction


Specifies that link local multicast name resolution (LLMNR) is disabled on client computers.

LLMNR is a secondary name resolution protocol. With LLMNR, queries are sent using multicast over a local network link on a single subnet from a client computer to another client computer on the same subnet that also has LLMNR enabled. LLMNR does not require a DNS server or DNS client configuration, and provides name resolution in scenarios in which conventional DNS name resolution is not possible.


Relevance indicator

75

Table of settings


UIX

No impact : 0

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\Software\Policies\Microsoft\Windows NT\DNSClient
RegistryItem :
EnableMulticast

Values

Type :
Number
Possible Values :
  • 0 (Enable)
  • 1 (Disable)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\Windows NT\DNSClient' -name 'EnableMulticast'
Set Value :
Set-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\Windows NT\DNSClient' -name 'EnableMulticast' -value 0


More Informations


Notes

OS

1602 Enterprise Lanman Workstation: Enable insecure guest logons Medium Potentially 1 0

Lanman Workstation: Enable insecure guest logons

NetworkSMBGuestNAS

Introduction


This policy setting determines if the SMB client will allow insecure guest logons to an SMB server. Insecure guest logons are used by file servers to allow unauthenticated access to shared folders.

  • If you enable this policy setting or if you do not configure this policy setting, the SMB client will allow insecure guest logons.
  • If you disable this policy setting, the SMB client will reject insecure guest logons.


Relevance indicator

50

Table of settings


UIX

Potentially : 1

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\Software\Policies\Microsoft\Windows\LanmanWorkstation
RegistryItem :
AllowInsecureGuestAuth

Values

Type :
Number
Possible Values :
  • 1 (Enable)
  • 0 (Disable)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\Windows\LanmanWorkstation' -name 'AllowInsecureGuestAuth'
Set Value :
Set-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\Windows\LanmanWorkstation' -name 'AllowInsecureGuestAuth' -value 0


More Informations


Advices

Notes

OS

1603 Enterprise Turn off Microsoft Peer-to-Peer Networking Services Medium No impact 0 1

Turn off Microsoft Peer-to-Peer Networking Services

NetworkP2P

Introduction


This setting turns off Microsoft Peer-to-Peer Networking Services in its entirety, and will cause all dependent applications to stop working. Peer-to-Peer protocols allow for applications in the areas of RTC, collaboration, content distribution and distributed processing.


Relevance indicator

67

Table of settings


UIX

No impact : 0

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\Software\policies\Microsoft\Peernet
RegistryItem :
Disabled

Values

Type :
Number
Possible Values :
  • 1 (Enable)
  • 0 (Disable)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\Software\policies\Microsoft\Peernet' -name 'Disabled'
Set Value :
Set-ItemProperty -path 'HKLM:\Software\policies\Microsoft\Peernet' -name 'Disabled' -value 1


More Informations


OS

1604 Enterprise WLAN Settings: Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services Medium Impact 1 0

WLAN Settings: Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services

NetworkHotspotsWLAN

Introduction


This policy setting determines whether users can enable the following WLAN settings: 'Connect to suggested open hotspots' 'Connect to networks shared by my contacts' and 'Enable paid services'.

  • If this policy setting is disabled, 'Connect to suggested open hotspots', 'Connect to networks shared by my contacts' and 'Enable paid services' will all be turned off and users on this device will be prevented from enabling them.
  • If this policy setting is not configured or is enabled, users can choose to enable or disable either 'Connect to suggested open hotspots' or 'Connect to networks shared by my contacts'.

Notes :

  • Connect to suggested open hotspots: enables Windows to automatically connect users to open hotspots it knows about by crowdsourcing networks that other people using Windows have connected to.
  • Connect to networks shared by my contacts: enables Windows to automatically connect to networks that the user's contacts have shared with them, and enables users on this device to share networks with their contacts.
  • Enable paid services: enables Windows to temporarily connect to open hotspots to determine if paid services are available.


Relevance indicator

33

Table of settings


UIX

Impact : 2

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\Software\Microsoft\wcmsvc\wifinetworkmanager\config
RegistryItem :
AutoConnectAllowedOEM

Values

Type :
Number
Possible Values :
  • 0 (Disable)
  • 1 (Enable)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\Software\Microsoft\wcmsvc\wifinetworkmanager\config' -name 'AutoConnectAllowedOEM'
Set Value :
Set-ItemProperty -path 'HKLM:\Software\Microsoft\wcmsvc\wifinetworkmanager\config' -name 'AutoConnectAllowedOEM' -value 0


More Informations


Notes

OS

Administrative Templates: System

1605 Enterprise Credentials Delegation: Allow delegation default credentials Medium No impact 1 0

Credentials Delegation: Allow delegation default credentials


Introduction


This policy setting applies to applications using the CredSSP component (for example: Remote Desktop Connection). This policy setting applies when server authentication was achieved by using a trusted X509 certificate or Kerberos.

  • If you enable this policy setting, you can specify the servers to which the user's default credentials can be delegated (default credentials are those that you use when first logging on to Windows). The policy becomes effective the next time the user signs on to a computer running Windows.
  • If you disable or do not configure (by default) this policy setting, delegation of default credentials is not permitted to any computer. Applications depending upon this delegation behavior might fail authentication. For more information, see KB


Relevance indicator

67

Table of settings


UIX

No impact : 0

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\Software\Policies\Microsoft\Windows\CredentialsDelegation
RegistryItem :
AllowDefaultCredentials

Values

Type :
Number
Possible Values :
  • 1 (Enable)
  • 0 (Disable)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\Windows\CredentialsDelegation' -name 'AllowDefaultCredentials'
Set Value :
Set-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\Windows\CredentialsDelegation' -name 'AllowDefaultCredentials' -value 0


More Informations


Advices

Notes

OS

1606 Enterprise Credentials Delegation: Encryption Oracle Remediation Medium No impact 0 0

Credentials Delegation: Encryption Oracle Remediation


Introduction


This policy setting applies to applications using the CredSSP component (for example: Remote Desktop Connection). Some versions of the CredSSP protocol are vulnerable to an encryption oracle attack against the client. This policy controls compatibility with vulnerable clients and servers. This policy allows you to set the level of protection desired for the encryption oracle vulnerability.


Relevance indicator

67

Table of settings


UIX

No impact : 0

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters
RegistryItem :
AllowEncryptionOracle

Values

Type :
Number
Possible Values :
  • 0 (Force Updated Clients)
  • 1 (Mitigated)
  • 2 (Vulnerable)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters' -name 'AllowEncryptionOracle'
Set Value :
Set-ItemProperty -path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters' -name 'AllowEncryptionOracle' -value 0


More Informations


Notes

OS

1607 Enterprise Device Installation: Device Installation Restrictions: Prevent installation of devices that match an ID Medium Potentially 0 1

Device Installation: Device Installation Restrictions: Prevent installation of devices that match an ID


Introduction


This policy setting allows you to specify a list of Plug and Play hardware IDs and compatible IDs for devices that Windows is prevented from installing. This policy setting takes precedence over any other policy setting that allows Windows to install a device.


Relevance indicator

50

Table of settings


UIX

Potentially : 1

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions
RegistryItem :
DenyDeviceIDs

Values

Type :
Number
Possible Values :
  • 1 (Enable)
  • 0 (Disable)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions' -name 'DenyDeviceIDs'
Set Value :
Set-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions' -name 'DenyDeviceIDs' -value 1


More Informations


Advices

Notes

OS

1608 Enterprise Device Installation: Device Installation Restrictions: Prevent installation of devices that match an ID (Retroactive) Medium Potentially 0 1

Device Installation: Device Installation Restrictions: Prevent installation of devices that match an ID (Retroactive)


Introduction


This policy setting allows you to specify a list of Plug and Play hardware IDs and compatible IDs for devices that Windows is prevented from installing, applied retroactively to matching devices that are already installed. This policy setting takes precedence over any other policy setting that allows Windows to install a device.


Relevance indicator

50

Table of settings


UIX

Potentially : 1

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions
RegistryItem :
DenyDeviceIDsRetroactive

Values

Type :
Number
Possible Values :
  • 1 (Enable)
  • 0 (Disable)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions' -name 'DenyDeviceIDsRetroactive'
Set Value :
Set-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions' -name 'DenyDeviceIDsRetroactive' -value 1


More Informations


Advices

Notes

OS

1609 StrongBox Device Installation: Device Installation Restrictions: Prevent installation of devices that match ID PCI\CC_0C0010 (Firewire) Medium Impact 0 PCI\CC_0C0010

Device Installation: Device Installation Restrictions: Prevent installation of devices that match ID PCI\CC_0C0010 (Firewire)

FireWire  Port  Driver

Introduction


Communications interfaces that use Direct Memory Access (DMA) can allow an adversary with physical access to a workstation to directly access the contents of a workstation’s memory. This can be used to read sensitive contents such as cryptographic keys or to write malicious code directly into memory. To reduce this risk, communications interfaces that allow DMA (e.g. FireWire and Thunderbolt) should be disabled.


Relevance indicator

25

Table of settings


UIX

Impact : 2

Method

Method :
RegistryList

Registry

RegistryPath :
HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceIDs
RegistryItem :
PCI\CC_0C0010

Values

Type :
String 
Possible Values :
  • PCI\CC_0C0010

More Informations


Advices

OS

1610 StrongBox Device Installation: Device Installation Restrictions: Prevent installation of devices that match ID PCI\CC_0C0A (Thunderbolt) Medium Impact 0 PCI\CC_0C0A

Device Installation: Device Installation Restrictions: Prevent installation of devices that match ID PCI\CC_0C0A (Thunderbolt)

Thunderbolt  Port  Driver

Introduction


Communications interfaces that use Direct Memory Access (DMA) can allow an adversary with physical access to a workstation to directly access the contents of a workstation’s memory. This can be used to read sensitive contents such as cryptographic keys or to write malicious code directly into memory. To reduce this risk, communications interfaces that allow DMA (e.g. FireWire and Thunderbolt) should be disabled.


Relevance indicator

25

Table of settings


UIX

Impact : 2

Method

Method :
RegistryList

Registry

RegistryPath :
HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceIDs
RegistryItem :
PCI\CC_0C0A

Values

Type :
String 
Possible Values :
  • PCI\CC_0C0A

More Informations


Advices

OS

1611 Enterprise Device Installation: Device Installation Restrictions: Prevent installation of devices using drivers that match a device setup class Medium Potentially 0 1

Device Installation: Device Installation Restrictions: Prevent installation of devices using drivers that match a device setup class


Introduction


This policy setting allows you to specify a list of device setup class globally unique identifiers (GUIDs) for device drivers that Windows is prevented from installing. This policy setting takes precedence over any other policy setting that allows Windows to install a device.


Relevance indicator

50

Table of settings


UIX

Potentially : 1

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions
RegistryItem :
DenyDeviceClasses

Values

Type :
Number
Possible Values :
  • 1 (Enable)
  • 0 (Disable)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions' -name 'DenyDeviceClasses'
Set Value :
Set-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions' -name 'DenyDeviceClasses' -value 1


More Informations


Advices

Notes

OS

1612 Enterprise Device Installation: Device Installation Restrictions: Prevent installation of devices using drivers that match a device setup class (Retroactive) Medium Potentially 0 1

Device Installation: Device Installation Restrictions: Prevent installation of devices using drivers that match a device setup class (Retroactive)

Driver

Introduction


This policy setting allows you to specify a list of device setup class globally unique identifiers (GUIDs) for device drivers that Windows is prevented from installing; drivers in these classes that are already installed are disabled (retroactive). This policy setting takes precedence over any other policy setting that allows Windows to install a device.


Relevance indicator

50

Table of settings


UIX

Potentially : 1

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions
RegistryItem :
DenyDeviceClassesRetroactive

Values

Type :
Number
Possible Values :
  • 1 (Enable)
  • 0 (Disable)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions' -name 'DenyDeviceClassesRetroactive'
Set Value :
Set-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions' -name 'DenyDeviceClassesRetroactive' -value 1


More Informations


Advices

Notes

OS

1613 StrongBox Device Installation: Device Installation Restrictions: Prevent installation of devices using drivers that match d48179be-ec20-11d1-b6b8-00c04fa372a7 (SBP-2 drive) Medium Impact 0 d48179be-ec20-11d1-b6b8-00c04fa372a7

Device Installation: Device Installation Restrictions: Prevent installation of devices using drivers that match d48179be-ec20-11d1-b6b8-00c04fa372a7 (SBP-2 drive)

FireWire  Port  Driver

Introduction


Communications interfaces that use Direct Memory Access (DMA) can allow an adversary with physical access to a workstation to directly access the contents of a workstation’s memory. This can be used to read sensitive contents such as cryptographic keys or to write malicious code directly into memory. To reduce this risk, communications interfaces that allow DMA (e.g. FireWire and Thunderbolt) should be disabled.


Relevance indicator

25

Table of settings


UIX

Impact : 2

Method

Method :
RegistryList

Registry

RegistryPath :
HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceClasses
RegistryItem :
d48179be-ec20-11d1-b6b8-00c04fa372a7

Values

Type :
String 
Possible Values :
  • d48179be-ec20-11d1-b6b8-00c04fa372a7

More Informations


Advices

Notes

OS

1614 Enterprise Device Guard: Virtualization Based Security Status Medium No impact Not available 2

Device Guard: Virtualization Based Security Status


Introduction


Virtualization Based Security uses the Windows Hypervisor to provide support for security services. Virtualization Based Security requires Secure Boot, and can optionally be enabled with the use of DMA Protections. DMA protections require hardware support and will only be enabled on correctly configured devices.


Relevance indicator

67

Table of settings


UIX

No impact : 0

Method

Method :
CimInstance

Values

Type :
Number
Possible Values :
  • 1 (Enable)
  • 0 (Disable)

Powershell Command

Getting Command :
Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard ;
Setting Command :
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d 2 /f ;

More Informations


Notes

OS

1615 Enterprise Device Guard: Available Security Properties: Secure Boot Medium No impact 2 2

Device Guard: Available Security Properties: Secure Boot


Introduction


Required if Virtualization Based Security is activated. (Secure Boot is a technology in which the system firmware verifies that the system boot loader is signed with a key authorized by a database contained in the firmware. With signature checks in the following phases, in the boot loader(s), in the kernel and, perhaps, even in user space, it is possible to prevent the execution of unsigned code.)


Relevance indicator

67

Table of settings


UIX

No impact : 0

Method

Method :
CimInstance

Values

Type :
Number
Possible Values :
  • 1 (Secure Boot)
  • 3 (Secure Boot and DMA Protection )

Powershell Command

Getting Command :
Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard ;

More Informations


OS

1616 Enterprise Device Guard: Available Security Properties: DMA protection Medium No impact 3 3

Device Guard: Available Security Properties: DMA protection


Introduction


Virtualization Based Security can optionally be enabled with the use of DMA Protections. (DMA Protection protects PCs against drive-by Direct Memory Access (DMA) attacks using PCI hot plug devices connected to externally accessible PCIe ports (for example, Thunderbolt™ 3 ports and CFexpress). In Windows 10 version 1903, Microsoft expanded Kernel DMA Protection support to cover internal PCIe ports (for example, M.2 slots).)


Relevance indicator

67

Table of settings


UIX

No impact : 0

Method

Method :
CimInstance

Values

Type :
Number
Possible Values :
  • 1 (Secure Boot)
  • 3 (Secure Boot and DMA Protection )

Powershell Command

Getting Command :
Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard ;

More Informations


Notes

OS

1617 Enterprise Device Guard: Security Services Configured: Credential Guard Medium No impact Not available 1

Device Guard: Security Services Configured: Credential Guard


Introduction


This field indicates whether the Windows Defender Credential Guard or HVCI service has been configured.


Relevance indicator

67

Table of settings


UIX

No impact : 0

Method

Method :
CimInstance

Values

Type :
Number
Possible Values :
  • 0 (Disabled)
  • 1 (Windows Defender Credential Guard is configured)
  • 2 (HVCI is configured)
  • 3 (System Guard Secure Launch is configured)
  • 4 (SMM Firmware Measurement is configured)

Powershell Command

Getting Command :
Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard ;

More Informations


Notes

OS

1618 Enterprise Device Guard: Security Services Configured: HVCI Medium No impact Not available 2

Device Guard: Security Services Configured: HVCI


Introduction


This field indicates whether the Windows Defender Credential Guard or HVCI service has been configured.


Relevance indicator

67

Table of settings


UIX

No impact : 0

Method

Method :
CimInstance

Values

Type :
Number
Possible Values :
  • 0 (Disabled)
  • 1 (Windows Defender Credential Guard is configured)
  • 2 (HVCI is configured)
  • 3 (System Guard Secure Launch is configured)
  • 4 (SMM Firmware Measurement is configured)

Powershell Command

Getting Command :
Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard ;

More Informations


Notes

OS

1619 Enterprise Device Guard: Security Services Running: Credential Guard Medium No impact Not available 1

Device Guard: Security Services Running: Credential Guard


Introduction


This field indicates whether the Windows Defender Credential Guard or HVCI service is running.


Relevance indicator

67

Table of settings


UIX

No impact : 0

Method

Method :
CimInstance

Values

Type :
Number
Possible Values :
  • 0 (Not running)
  • 1 (Windows Defender Credential Guard is running)
  • 2 (HVCI is running)
  • 3 (System Guard Secure Launch is running)
  • 4 (SMM Firmware Measurement is running)

Powershell Command

Getting Command :
Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard ;

More Informations


Notes

OS

1620 Enterprise Device Guard: Security Services Running: HVCI Medium No impact Not available 2

Device Guard: Security Services Running: HVCI


Introduction


This field indicates whether the Windows Defender Credential Guard or HVCI service is running.


Relevance indicator

67

Table of settings


UIX

No impact : 0

Method

Method :
CimInstance

Values

Type :
Number
Possible Values :
  • 0 (Not running)
  • 1 (Windows Defender Credential Guard is running)
  • 2 (HVCI is running)
  • 3 (System Guard Secure Launch is running)
  • 4 (SMM Firmware Measurement is running)

Powershell Command

Getting Command :
Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard ;

More Informations


Notes

OS

1621 Enterprise Device Guard: Secure Launch Configuration (Policy) Medium No impact 0 1

Device Guard: Secure Launch Configuration (Policy)


Introduction


This setting sets the configuration of Secure Launch to secure the boot chain.


Relevance indicator

67

Table of settings


UIX

No impact : 0

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard
RegistryItem :
ConfigureSystemGuardLaunch

Values

Type :
Number 
Possible Values :
  • 0 (Not configured) 
  • 1 (Enabled) 
  • 2 (Disabled)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard' -name 'ConfigureSystemGuardLaunch'
Set Value :
Set-ItemProperty -path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard' -name 'ConfigureSystemGuardLaunch' -value 1


More Informations


OS

1622 Enterprise Device Guard: Windows Defender Application Control deployed (Policy) Medium No impact 0 1

Device Guard: Windows Defender Application Control deployed (Policy)


Introduction


Windows Defender Application Control is designed to protect PCs against malware and other untrusted software. It prevents malicious code from running by ensuring that only approved code, that you know, can be run. Windows Defender Application Control is a software-based security layer that enforces an explicit list of software that is allowed to run on a PC. On its own, Application Control does not have any hardware or firmware prerequisites.


Relevance indicator

67

Table of settings


UIX

No impact : 0

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard
RegistryItem :
DeployConfigCIPolicy

Values

Type :
Number
Possible Values :
  • 1 (Enable)
  • 0 (Disable)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard' -name 'DeployConfigCIPolicy'
Set Value :
Set-ItemProperty -path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard' -name 'DeployConfigCIPolicy' -value 1


More Informations


OS

1623 Enterprise Device Guard: Require UEFI Memory Attributes Table (Policy) Medium No impact 1

Device Guard: Require UEFI Memory Attributes Table (Policy)


Introduction


The "Require UEFI Memory Attributes Table" option will only enable Virtualization Based Protection of Code Integrity on devices with UEFI firmware support for the Memory Attributes Table. Devices without the UEFI Memory Attributes Table may have firmware that is incompatible with Virtualization Based Protection of Code Integrity, which in some cases can lead to crashes, data loss or incompatibility with certain plug-in cards. If this option is not set, the targeted devices should be tested to ensure compatibility.


Relevance indicator

67

Table of settings


UIX

No impact : 0

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard
RegistryItem :
HVCIMATRequired

Values

Type :
Number
Possible Values :
  • 1 (True)
  • 0 (False)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard' -name 'HVCIMATRequired'
Set Value :
Set-ItemProperty -path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard' -name 'HVCIMATRequired' -value 1


More Informations


OS

1630 Basic Early Launch Antimalware: Boot-Start Driver Initialization Policy Medium Potentially 0 3

Early Launch Antimalware: Boot-Start Driver Initialization Policy

Boot-startDriverAntimalwareEarly Launch Antimalware

Introduction


This policy setting allows you to specify which boot-start drivers are initialized based on a classification determined by an Early Launch Antimalware boot-start driver.

  • If you enable this policy setting you will be able to choose which boot-start drivers to initialize the next time the computer is started.
  • If you disable or do not configure this policy setting, the boot start drivers determined to be Good, Unknown or Bad but Boot Critical are initialized and the initialization of drivers determined to be Bad is skipped.

The Early Launch Antimalware boot-start driver can return the following classifications for each boot-start driver:

  • Good: The driver has been signed and has not been tampered with.
  • Bad: The driver has been identified as malware. It is recommended that you do not allow known bad drivers to be initialized.
  • Bad, but required for boot: The driver has been identified as malware, but the computer cannot successfully boot without loading this driver.
  • Unknown: This driver has not been attested to by your malware detection application and has not been classified by the Early Launch Antimalware boot-start driver.


Relevance indicator

58

Table of settings


UIX

Potentially : 1

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\System\CurrentControlSet\Policies\EarlyLaunch
RegistryItem :
DriverLoadPolicy

Values

Type :
Number
Possible Values :
  • 8 (Good only)
  • 1 (Good and unknown)
  • 3 (Good, unknown and bad but critical)
  • 7 (All)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\System\CurrentControlSet\Policies\EarlyLaunch' -name 'DriverLoadPolicy'
Set Value :
Set-ItemProperty -path 'HKLM:\System\CurrentControlSet\Policies\EarlyLaunch' -name 'DriverLoadPolicy' -value 3


More Informations


Notes

OS

1631 Enterprise Group Policy: Process even if the Group Policy objects have not changed Low No impact 1 0

Group Policy: Process even if the Group Policy objects have not changed


Introduction


This policy setting determines when registry policies are updated. This policy setting affects all policies in the Administrative Templates folder and any other policies that store values in the registry. It overrides customized settings that the program implementing a registry policy set when it was installed.


Relevance indicator

42

Table of settings


UIX

No impact : 0

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}
RegistryItem :
NoBackgroundPolicy

Values

Type :
Number
Possible Values :
  • 1 (True)
  • 0 (False)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}' -name 'NoBackgroundPolicy'
Set Value :
Set-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}' -name 'NoBackgroundPolicy' -value 0


More Informations


Notes

OS

1632 Enterprise Group Policy: Do not apply during periodic background processing Low Potentially 0 0

Group Policy: Do not apply during periodic background processing


Introduction


This policy setting determines when registry policies are updated. This policy setting affects all policies in the Administrative Templates folder and any other policies that store values in the registry. It overrides customized settings that the program implementing a registry policy set when it was installed.

Read more >

Relevance indicator

25

Table of settings


UIX

Potentially : 1

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}
RegistryItem :
NoGPOListChanges

Values

Type :
Number
Possible Values :
  • 0 (True)
  • 1 (False)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}' -name 'NoGPOListChanges'
Set Value :
Set-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}' -name 'NoGPOListChanges' -value 0


More Informations


OS

1640 Basic Internet Communication Management: Internet Communication settings: Turn off the Windows Messenger Customer Experience Improvement Program Medium No impact 0 2

Internet Communication Management: Internet Communication settings: Turn off the Windows Messenger Customer Experience Improvement Program


Introduction


This policy setting specifies whether Windows Messenger collects anonymous information about how Windows Messenger software and service is used. With the Customer Experience Improvement program, users can allow Microsoft to collect anonymous information about how the product is used. This information is used to improve the product in future releases.

Read more >

Relevance indicator

75

Table of settings


UIX

No impact : 0

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\Software\Policies\Microsoft\Messenger\Client
RegistryItem :
CEIP

Values

Type :
Number
Possible Values :
  • 2 (Enable)
  • 1 (Disable)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\Messenger\Client' -name 'CEIP'
Set Value :
Set-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\Messenger\Client' -name 'CEIP' -value 2


More Informations


OS

1641 Enterprise Internet Communication Management: Internet Communication settings: Turn off downloading of print drivers over HTTP Medium No impact 0 1

Internet Communication Management: Internet Communication settings: Turn off downloading of print drivers over HTTP


Introduction


This policy setting specifies whether to allow this client to download print driver packages over HTTP. To set up HTTP printing, non-inbox drivers need to be downloaded over HTTP.

Read more >

Relevance indicator

67

Table of settings


UIX

No impact : 0

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\Software\Policies\Microsoft\Windows NT\Printers
RegistryItem :
DisableWebPnPDownload

Values

Type :
Number
Possible Values :
  • 1 (Enable)
  • 0 (Disable)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\Windows NT\Printers' -name 'DisableWebPnPDownload'
Set Value :
Set-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\Windows NT\Printers' -name 'DisableWebPnPDownload' -value 1


More Informations


Notes

OS

1642 Enterprise Internet Communication Management: Internet Communication settings: Turn off Windows Error Reporting 1 Medium No impact 1 0

Internet Communication Management: Internet Communication settings: Turn off Windows Error Reporting 1


Introduction


This policy setting controls whether or not errors are reported to Microsoft. Error Reporting is used to report information about a system or application that has failed or has stopped responding and is used to improve the quality of the product. Reports can include memory contents of the failing process, so this is a data-leak control as much as a telemetry one. The Group Policy setting writes two registry values: this entry covers the legacy PCHealth value (DoReport) and entry 1643 the Windows Error Reporting value (Disabled); set both.

Read more >

Relevance indicator

67

Table of settings


UIX

No impact : 0

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\Software\Policies\Microsoft\PCHealth\ErrorReporting
RegistryItem :
DoReport

Values

Type :
Number
Possible Values :
  • 0 (Enable)
  • 1 (Disable)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\PCHealth\ErrorReporting' -name 'DoReport'
Set Value :
Set-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\PCHealth\ErrorReporting' -name 'DoReport' -value 0


More Informations


Notes

OS

1643 Enterprise Internet Communication Management: Internet Communication settings: Turn off Windows Error Reporting 2 Medium No impact 0 1

Internet Communication Management: Internet Communication settings: Turn off Windows Error Reporting 2


Introduction


This policy setting controls whether or not errors are reported to Microsoft. Error Reporting is used to report information about a system or application that has failed or has stopped responding and is used to improve the quality of the product. This entry covers the Windows Error Reporting value (Disabled); entry 1642 covers the legacy PCHealth value (DoReport) written by the same Group Policy setting. Set both.

Read more >

Relevance indicator

67

Table of settings


UIX

No impact : 0

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\Software\Policies\Microsoft\Windows\Windows Error Reporting
RegistryItem :
Disabled

Values

Type :
Number
Possible Values :
  • 1 (Enable)
  • 0 (Disable)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\Windows\Windows Error Reporting' -name 'Disabled'
Set Value :
Set-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\Windows\Windows Error Reporting' -name 'Disabled' -value 1


More Informations


Notes

OS

1644 Enterprise Internet Communication Management: Internet Communication settings: Turn off Internet download for Web publishing and online ordering wizards Medium No impact 0 1

Internet Communication Management: Internet Communication settings: Turn off Internet download for Web publishing and online ordering wizards


Introduction


This policy setting specifies whether Windows should download a list of providers for the web publishing and online ordering wizards. These wizards allow users to select from a list of companies that provide services such as online storage and photographic printing. By default, Windows displays providers downloaded from a Windows website in addition to providers specified in the registry.

Read more >

Relevance indicator

67

Table of settings


UIX

No impact : 0

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
RegistryItem :
NoWebServices

Values

Type :
Number
Possible Values :
  • 1 (Enable)
  • 0 (Disable)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' -name 'NoWebServices'
Set Value :
Set-ItemProperty -path 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' -name 'NoWebServices' -value 1


More Informations


OS

1645 Basic Internet Communication Management: Internet Communication settings: Turn off Windows Customer Experience Improvement Program Medium No impact 1 0

Internet Communication Management: Internet Communication settings: Turn off Windows Customer Experience Improvement Program


Introduction


This policy setting turns off the Windows Customer Experience Improvement Program. The Windows Customer Experience Improvement Program collects information about your hardware configuration and how you use our software and services to identify trends and usage patterns. Microsoft will not collect your name, address, or any other personally identifiable information.

There are no surveys to complete, no salesperson will call, and you can continue working without interruption. It is simple and user-friendly.

Read more >

Relevance indicator

75

Table of settings


UIX

No impact : 0

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\Software\Policies\Microsoft\SQMClient\Windows
RegistryItem :
CEIPEnable

Values

Type :
Number
Possible Values :
  • 0 (Enable)
  • 1 (Disable)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\SQMClient\Windows' -name 'CEIPEnable'
Set Value :
Set-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\SQMClient\Windows' -name 'CEIPEnable' -value 0


More Informations


OS

1650 Basic Kernel DMA Protection: Enumeration policy for external devices incompatible with Kernel DMA Protection Medium No impact 2 0

Kernel DMA Protection: Enumeration policy for external devices incompatible with Kernel DMA Protection


Introduction


Enumeration policy for external DMA-capable devices incompatible with DMA remapping. This policy only takes effect when Kernel DMA Protection is enabled and supported by the system.

Read more >

Relevance indicator

75

Table of settings


UIX

No impact : 0

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\SOFTWARE\Policies\Microsoft\Windows\Kernel DMA Protection
RegistryItem :
DeviceEnumerationPolicy

Values

Type :
Number 
Possible Values :
  • 0 (Block all) 
  • 1 (Only while logged in) 
  • 2 (Allow all)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Kernel DMA Protection' -name 'DeviceEnumerationPolicy'
Set Value :
Set-ItemProperty -path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Kernel DMA Protection' -name 'DeviceEnumerationPolicy' -value 0


More Informations


Notes

Confirm that Kernel DMA Protection itself is active before relying on this entry: System Information (msinfo32) shows a "Kernel DMA Protection" line with its state, and the policy does nothing on a machine where it is off or unsupported. In practice the devices affected are externally attached DMA-capable peripherals such as Thunderbolt and USB4 docks and adapters. With 0 (Block all) such a device never works; with 1 it is enabled only after a user has signed in and the screen is unlocked, which already closes the attack window of a device plugged into a locked or unattended machine.

OS

1660 StrongBox Logon: Turn on convenience PIN sign-in Medium Potentially 1 0

Logon: Turn on convenience PIN sign-in

LockscreenForcePIN

Introduction


This policy setting allows you to control whether a domain user can sign in using a convenience PIN.

  • If you enable this policy setting, a domain user can set up and sign in with a convenience PIN.
  • If you disable or don't configure this policy setting, a domain user can't set up and use a convenience PIN.

A convenience PIN is not a Windows Hello for Business credential: it only unlocks a copy of the domain password cached on the device, so a short PIN on a lost or stolen machine puts the password itself at risk. Keep this disabled and use Windows Hello for Business (key- or certificate-based) where a PIN is wanted.

Read more >

Relevance indicator

42

Table of settings


UIX

Potentially : 1

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\Software\Policies\Microsoft\Windows\System
RegistryItem :
AllowDomainPINLogon

Values

Type :
Number
Possible Values :
  • 1 (Enable)
  • 0 (Disable)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\Windows\System' -name 'AllowDomainPINLogon'
Set Value :
Set-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\Windows\System' -name 'AllowDomainPINLogon' -value 0


More Informations


OS

1661 StrongBox Logon: Turn off app notifications on the lock screen Medium Impact 0 1

Logon: Turn off app notifications on the lock screen

LockscreenForceNotifications

Introduction


This policy setting allows you to prevent app notifications from appearing on the lock screen.

  • If you enable this policy setting, no app notifications are displayed on the lock screen.
  • If you disable or do not configure this policy setting, users can choose which apps display notifications on the lock screen.

Read more >

Relevance indicator

25

Table of settings


UIX

Impact : 2

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\Software\Policies\Microsoft\Windows\System
RegistryItem :
DisableLockScreenAppNotifications

Values

Type :
Number
Possible Values :
  • 1 (Enable)
  • 0 (Disable)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\Windows\System' -name 'DisableLockScreenAppNotifications'
Set Value :
Set-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\Windows\System' -name 'DisableLockScreenAppNotifications' -value 1


More Informations


OS

1662 StrongBox Logon: Do not display network selection UI Medium Impact 0 1

Logon: Do not display network selection UI

LockscreenForceNetworkUI

Introduction


This policy setting allows you to control whether anyone can interact with available networks UI on the logon screen.

  • If you enable this policy setting, the PC's network connectivity state cannot be changed without signing into Windows.
  • If you disable or don't configure this policy setting, any user can disconnect the PC from the network or can connect the PC to other available networks without signing into Windows.

Read more >

Relevance indicator

25

Table of settings


UIX

Impact : 2

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\Software\Policies\Microsoft\Windows\System
RegistryItem :
DontDisplayNetworkSelectionUI

Values

Type :
Number
Possible Values :
  • 1 (Enable)
  • 0 (Disable)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\Windows\System' -name 'DontDisplayNetworkSelectionUI'
Set Value :
Set-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\Windows\System' -name 'DontDisplayNetworkSelectionUI' -value 1


More Informations


OS

1670 Enterprise Mitigation Options: Untrusted Font Blocking Medium Potentially 0 0x1000000000000

Mitigation Options: Untrusted Font Blocking

FontsForce

Introduction


This security feature provides a global setting to prevent programs from loading untrusted fonts.

  • Untrusted fonts are any font installed outside of the %windir%\Fonts directory.
  • This feature can be configured to be in 3 modes: On, Off, and Audit. By default, it is Off and no fonts are blocked.

Read more >

Relevance indicator

50

Table of settings


UIX

Potentially : 1

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\MitigationOptions
RegistryItem :
MitigationOptions_FontBocking

Values

Type :
Number
Possible Values :
  • 1000000000000 (On)
  • 2000000000000 (Off)
  • 3000000000000 (Audit)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\MitigationOptions' -name 'MitigationOptions_FontBocking'
Set Value :
Set-ItemProperty -path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\MitigationOptions' -name 'MitigationOptions_FontBocking' -value 1000000000000


More Informations


Advices

Notes

The value name really is spelled "MitigationOptions_FontBocking"; the misspelling comes from the Windows policy definition and must be kept. The value is a 64-bit bit field stored as REG_QWORD and the three modes are hexadecimal constants in bits 48-51, so writing the decimal number 1000000000000 sets unrelated bits and leaves font blocking unconfigured. Changes take effect after a restart. Audit mode logs event ID 260 in the Microsoft-Windows-Win32k/Operational log, which is the safe way to find applications that load fonts from outside %windir%\Fonts before switching to On.

OS
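
Because the font-blocking value is a 64-bit bit field rather than a plain number, the following is an added example (editor-supplied, not code from the hardening interface) that reads the stored value back into a mode name and writes a new mode without disturbing other bits. The bit positions are those of the Windows process-mitigation definitions (PROCESS_CREATION_MITIGATION_POLICY_FONT_DISABLE_*); nothing else is assumed.

```powershell
# Added example (editor-supplied; not code from the hardening interface): read and
# set the untrusted font blocking mode correctly. The value is a 64-bit bit field
# stored as REG_QWORD; bits 48-51 carry the font policy, which is why the modes are
# hexadecimal constants and must not be written as the decimal number 1000000000000.

$FontKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\MitigationOptions'
$FontName  = 'MitigationOptions_FontBocking'   # the misspelling is the real value name
$FontMask  = [int64]0x000F000000000000         # bits 48-51
$FontModes = @{
    On    = [int64]0x0001000000000000   # block untrusted fonts
    Off   = [int64]0x0002000000000000   # explicitly do not block
    Audit = [int64]0x0003000000000000   # log only (event 260 in Microsoft-Windows-Win32k/Operational)
}

function Get-UntrustedFontBlocking {
    # Returns On, Off, Audit or NotConfigured based on bits 48-51 of the stored value.
    $raw = (Get-ItemProperty -LiteralPath $FontKey -Name $FontName -ErrorAction SilentlyContinue).$FontName
    if ($null -eq $raw) { return 'NotConfigured' }
    $field = [int64]$raw -band $FontMask
    foreach ($mode in $FontModes.Keys) {
        if ($FontModes[$mode] -eq $field) { return $mode }
    }
    # Any other bit pattern (for example the decimal 1000000000000 from a mistyped
    # command) leaves the font policy unset.
    return 'NotConfigured'
}

function Set-UntrustedFontBlocking {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][ValidateSet('On', 'Off', 'Audit')][string]$Mode)

    if (-not (Test-Path -LiteralPath $FontKey)) { New-Item -Path $FontKey -Force | Out-Null }
    $raw = (Get-ItemProperty -LiteralPath $FontKey -Name $FontName -ErrorAction SilentlyContinue).$FontName
    # Preserve any other mitigation bits already stored in the value.
    $others = if ($null -eq $raw) { [int64]0 } else { [int64]$raw -band (-bnot $FontMask) }
    $new = $others -bor $FontModes[$Mode]
    if ($PSCmdlet.ShouldProcess("$FontKey\$FontName", ('Set to 0x{0:X16}' -f $new))) {
        Set-ItemProperty -LiteralPath $FontKey -Name $FontName -Value $new -Type QWord
    }
}

# Current mode, then (after a restart) review what audit mode would have blocked.
Get-UntrustedFontBlocking
# Set-UntrustedFontBlocking -Mode Audit
# Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Win32k/Operational'; Id = 260 } -MaxEvents 20
```

Running Get-UntrustedFontBlocking on a machine where the decimal value was written reports NotConfigured, which is the quickest way to spot that mistake in an existing deployment.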

1680 Basic OS Policies: Allow Clipboard synchronization across devices Medium Potentially 1 0

OS Policies: Allow Clipboard synchronization across devices

Clipboard  Sync

Introduction


This policy setting determines whether Clipboard contents can be synchronized across devices.

  • If you enable this policy setting, Clipboard contents are allowed to be synchronized across devices logged in under the same Microsoft account or Azure AD account.
  • If you disable this policy setting, Clipboard contents cannot be shared to other devices.

Cross-device synchronization sends the clipboard history through the cloud service of the signed-in account, so anything copied, including passwords and tokens, leaves the device; keep it disabled on managed machines.

Read more >

Relevance indicator

58

Table of settings


UIX

Potentially : 1

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\SOFTWARE\Policies\Microsoft\Windows\System
RegistryItem :
AllowCrossDeviceClipboard

Values

Type :
Number
Possible Values :
  • 1 (Enable)
  • 0 (Disable)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System' -name 'AllowCrossDeviceClipboard'
Set Value :
Set-ItemProperty -path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System' -name 'AllowCrossDeviceClipboard' -value 0


More Informations


OS

1685 Basic Sleep Settings: Require a password when a computer wakes (plugged in) Medium Impact 0 1

Sleep Settings: Require a password when a computer wakes (plugged in)

SleepPassword

Introduction


This policy setting specifies whether or not the user is prompted for a password when the system resumes from sleep.

  • If you enable or do not configure this policy setting, the user is prompted for a password when the system resumes from sleep.
  • If you disable this policy setting, the user is not prompted for a password when the system resumes from sleep.

Read more >

Relevance indicator

42

Table of settings


UIX

Impact : 2

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51
RegistryItem :
ACSettingIndex

Values

Type :
Number
Possible Values :
  • 1 (Enable)
  • 0 (Disable)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51' -name 'ACSettingIndex'
Set Value :
Set-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51' -name 'ACSettingIndex' -value 1


More Informations


OS

1686 Basic Sleep Settings: Require a password when a computer wakes (on battery) Medium Impact 0 1

Sleep Settings: Require a password when a computer wakes (on battery)

SleepPassword

Introduction


This policy setting specifies whether or not the user is prompted for a password when the system resumes from sleep.

  • If you enable or do not configure this policy setting the user is prompted for a password when the system resumes from sleep.
  • If you disable this policy setting the user is not prompted for a password when the system resumes from sleep.

Read more >

Relevance indicator

42

Table of settings


UIX

Impact : 2

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51
RegistryItem :
DCSettingIndex

Values

Type :
Number
Possible Values :
  • 1 (Enable)
  • 0 (Disable)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51' -name 'DCSettingIndex'
Set Value :
Set-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51' -name 'DCSettingIndex' -value 1


More Informations


OS

1687 Basic Sleep Settings: Allow standby states (S1-S3) when sleeping (plugged in) Medium Potentially 1 0

Sleep Settings: Allow standby states (S1-S3) when sleeping (plugged in)

Sleep  Standby

Introduction


This policy setting manages whether or not Windows is allowed to use standby states when putting the computer in a sleep state.

  • If you enable or do not configure this policy setting, Windows uses standby states to put the computer in a sleep state.
  • If you disable this policy setting, standby states (S1-S3) are not allowed.

In S1-S3 the contents of RAM, including BitLocker and other cryptographic keys, stay powered and reachable through physical attacks on the memory; hibernate writes them to the encrypted disk instead, which is why baselines for disk-encrypted laptops disallow standby and allow only hibernate.

Read more >

Relevance indicator

58

Table of settings


UIX

Potentially : 1

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\Software\Policies\Microsoft\Power\PowerSettings\abfc2519-3608-4c2a-94ea-171b0ed546ab
RegistryItem :
ACSettingIndex

Values

Type :
Number
Possible Values :
  • 1 (Enable)
  • 0 (Disable)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\Power\PowerSettings\abfc2519-3608-4c2a-94ea-171b0ed546ab' -name 'ACSettingIndex'
Set Value :
Set-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\Power\PowerSettings\abfc2519-3608-4c2a-94ea-171b0ed546ab' -name 'ACSettingIndex' -value 0


More Informations


OS

1688 Basic Sleep Settings: Allow standby states (S1-S3) when sleeping (on battery) Medium Potentially 1 0

Sleep Settings: Allow standby states (S1-S3) when sleeping (on battery)

Sleep  Standby

Introduction


This policy setting manages whether or not Windows is allowed to use standby states when putting the computer in a sleep state.

  • If you enable this policy setting, Windows uses standby states to put the computer in a sleep state.
  • If you disable or do not configure this policy setting, the only sleep state a computer may enter is hibernate.

Read more >

Relevance indicator

58

Table of settings


UIX

Potentially : 1

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\Software\Policies\Microsoft\Power\PowerSettings\abfc2519-3608-4c2a-94ea-171b0ed546ab
RegistryItem :
DCSettingIndex

Values

Type :
Number
Possible Values :
  • 1 (Enable)
  • 0 (Disable)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\Power\PowerSettings\abfc2519-3608-4c2a-94ea-171b0ed546ab' -name 'DCSettingIndex'
Set Value :
Set-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\Power\PowerSettings\abfc2519-3608-4c2a-94ea-171b0ed546ab' -name 'DCSettingIndex' -value 0


More Informations


OS
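
The four Sleep Settings entries write policy values under HKLM:\Software\Policies\Microsoft\Power\PowerSettings, but what matters is the value the active power scheme reports. The following is an added example (editor-supplied, not code from the hardening interface) that compares the two. The setting GUIDs are the ones on this page; the subgroup GUIDs (SUB_NONE and SUB_SLEEP) come from the powercfg documentation and are an assumption of this example.

```powershell
# Added example (editor-supplied; not code from the hardening interface): check that
# the policy values for the four Sleep Settings entries above are the ones the active
# power scheme actually reports. Setting GUIDs are the ones on this page; the
# subgroup GUIDs (SUB_NONE and SUB_SLEEP) come from the powercfg documentation and
# are an assumption of this example.

$PowerPolicyRoot = 'HKLM:\Software\Policies\Microsoft\Power\PowerSettings'
$PowerSettings = @(
    @{ Name     = 'Require a password when the computer wakes'
       SubGroup = 'fea3413e-7e05-4911-9a71-700331f1c294'   # SUB_NONE (assumption)
       Setting  = '0e796bdb-100d-47d6-a2d5-f7d2daa51f51'; Recommended = 1 }
    @{ Name     = 'Allow standby states (S1-S3) when sleeping'
       SubGroup = '238c9fa8-0aad-41ed-83f4-97be242c8f20'   # SUB_SLEEP (assumption)
       Setting  = 'abfc2519-3608-4c2a-94ea-171b0ed546ab'; Recommended = 0 }
)

function Get-EffectivePowerIndex {
    # Parses "Current AC/DC Power Setting Index: 0x0000000N" lines from powercfg /query.
    param([Parameter(Mandatory)][string]$SubGroup, [Parameter(Mandatory)][string]$Setting)
    $result = @{ AC = $null; DC = $null }
    $lines = powercfg /query SCHEME_CURRENT $SubGroup $Setting 2>$null
    foreach ($line in $lines) {
        if ($line -match 'Current (AC|DC) Power Setting Index:\s*0x([0-9A-Fa-f]+)') {
            $result[$Matches[1]] = [Convert]::ToInt32($Matches[2], 16)
        }
    }
    return $result
}

function Test-PowerPolicy {
    # Compares the policy registry values (ACSettingIndex/DCSettingIndex) with the
    # effective scheme values; Compliant is judged on the effective values only.
    foreach ($s in $PowerSettings) {
        $key = Join-Path -Path $PowerPolicyRoot -ChildPath $s.Setting
        $reg = Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue
        $eff = Get-EffectivePowerIndex -SubGroup $s.SubGroup -Setting $s.Setting
        [pscustomobject]@{
            Name        = $s.Name
            PolicyAC    = $reg.ACSettingIndex
            PolicyDC    = $reg.DCSettingIndex
            EffectiveAC = $eff.AC
            EffectiveDC = $eff.DC
            Recommended = $s.Recommended
            Compliant   = ($eff.AC -eq $s.Recommended -and $eff.DC -eq $s.Recommended)
        }
    }
}

Test-PowerPolicy | Format-Table -AutoSize
# Sleep states the firmware and OS offer on this machine. With standby disallowed the
# only sleep state left is hibernate, which must be enabled ('powercfg /hibernate on').
powercfg /availablesleepstates
```

A policy value that is present in the registry but not reflected in the effective index usually means the policy was written after the last scheme refresh; a sign-out or a Group Policy refresh re-reads it.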

1690 Enterprise Remote Assistance: Configure Offer Remote Assistance Medium Potentially 1 0

Remote Assistance: Configure Offer Remote Assistance

Remote

Introduction


This policy setting allows you to turn on or turn off Offer (Unsolicited) Remote Assistance on this computer.

Read more >

Relevance indicator

50

Table of settings


UIX

Potentially : 1

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\Software\policies\Microsoft\Windows NT\Terminal Services
RegistryItem :
fAllowUnsolicited

Values

Type :
Number
Possible Values :
  • 1 (Enable)
  • 0 (Disable)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\Software\policies\Microsoft\Windows NT\Terminal Services' -name 'fAllowUnsolicited'
Set Value :
Set-ItemProperty -path 'HKLM:\Software\policies\Microsoft\Windows NT\Terminal Services' -name 'fAllowUnsolicited' -value 0


More Informations


Advices

OS

1691 Basic Remote Assistance: Configure Solicited Remote Assistance Medium Potentially 1 0

Remote Assistance: Configure Solicited Remote Assistance

Remote

Introduction


This policy setting allows you to turn on or turn off Solicited (Ask for) Remote Assistance on this computer.

  • If you enable this policy setting, users on this computer can use email or file transfer to ask someone for help. Also, users can use instant messaging programs to allow connections to this computer, and you can configure additional Remote Assistance settings.
  • If you disable this policy setting, users on this computer cannot use email or file transfer to ask someone for help. Also, users cannot use instant messaging programs to allow connections to this computer.

Read more >

Relevance indicator

58

Table of settings


UIX

Potentially : 1

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\Software\policies\Microsoft\Windows NT\Terminal Services
RegistryItem :
fAllowToGetHelp

Values

Type :
Number
Possible Values :
  • 1 (Enable)
  • 0 (Disable)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\Software\policies\Microsoft\Windows NT\Terminal Services' -name 'fAllowToGetHelp'
Set Value :
Set-ItemProperty -path 'HKLM:\Software\policies\Microsoft\Windows NT\Terminal Services' -name 'fAllowToGetHelp' -value 0


More Informations


Potential impact

Advices

OS

1692 Basic Remote Procedure Call: Enable RPC Endpoint Mapper Client Authentication Medium No impact 0 1

Remote Procedure Call: Enable RPC Endpoint Mapper Client Authentication

RPC

Introduction


This policy setting controls whether RPC clients authenticate with the Endpoint Mapper Service when the call they are making contains authentication information. The Endpoint Mapper Service on computers running Windows NT4 (all service packs) cannot process authentication information supplied in this manner. This is the client-side counterpart of 1693: a client that authenticates to the Endpoint Mapper can still resolve dynamic endpoints on a server that restricts unauthenticated RPC clients.

Read more >

Relevance indicator

75

Table of settings


UIX

No impact : 0

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\Software\Policies\Microsoft\Windows NT\Rpc
RegistryItem :
EnableAuthEpResolution

Values

Type :
Number
Possible Values :
  • 1 (Enable)
  • 0 (Disable)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\Windows NT\Rpc' -name 'EnableAuthEpResolution'
Set Value :
Set-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\Windows NT\Rpc' -name 'EnableAuthEpResolution' -value 1


More Informations


Notes

OS

1693 Basic Remote Procedure Call: Restrict Unauthenticated RPC clients Medium No impact 0 2

Remote Procedure Call: Restrict Unauthenticated RPC clients

RPC

Introduction


This policy setting controls how the RPC server runtime handles unauthenticated RPC clients connecting to RPC servers.

This policy setting impacts all RPC applications. In a domain environment this policy setting should be used with caution as it can impact a wide range of functionality including group policy processing itself. Reverting a change to this policy setting can require manual intervention on each affected machine. This policy setting should never be applied to a domain controller.

Read more >

Relevance indicator

75

Table of settings


UIX

No impact : 0

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\Software\Policies\Microsoft\Windows NT\Rpc
RegistryItem :
RestrictRemoteClients

Values

Type :
Number 
Possible Values :
  • 0 (None) 
  • 1 (Authenticated) 
  • 2 (Authenticated without exceptions )

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\Windows NT\Rpc' -name 'RestrictRemoteClients'
Set Value :
Set-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\Windows NT\Rpc' -name 'RestrictRemoteClients' -value 2


More Informations


Notes

2 (Authenticated without exceptions) is the strictest value: it also refuses interfaces that normally register an exemption for anonymous callers, and the policy text itself warns that it can lead to system failure if used incorrectly. Most published baselines settle on 1 (Authenticated), which already rejects anonymous remote RPC. Whatever value is chosen, test it on representative hosts before rollout, pair it with 1692 on the clients, and never apply it to a domain controller.

OS

1694 Basic Security Settings: Enable svchost.exe mitigation options Medium No impact 0 1

Security Settings: Enable svchost.exe mitigation options

svchost

Introduction


This policy setting enables process mitigation options on svchost.exe processes.

  • If you enable this policy setting, built-in system services hosted in svchost.exe processes will have stricter security policies enabled on them. This includes a policy requiring all binaries loaded in these processes to be signed by Microsoft, as well as a policy disallowing dynamically generated code.
  • If you disable or do not configure this policy setting, these stricter security settings will not be applied.

Read more >

Relevance indicator

75

Table of settings


UIX

No impact : 0

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\SYSTEM\CurrentControlSet\Control\SCMConfig
RegistryItem :
EnableSvchostMitigationPolicy

Values

Type :
Number
Possible Values :
  • 1 (Enable)
  • 0 (Disable)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SCMConfig' -name 'EnableSvchostMitigationPolicy'
Set Value :
Set-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SCMConfig' -name 'EnableSvchostMitigationPolicy' -value 1


More Informations


OS

1695 Basic Windows Performance PerfTrack: Enable/Disable PerfTrack Medium No impact 1 0

Windows Performance PerfTrack: Enable/Disable PerfTrack

PerfTrack

Introduction


This policy setting specifies whether to enable or disable tracking of responsiveness events.

  • If you enable this policy setting, responsiveness events are processed and aggregated. The aggregated data will be transmitted to Microsoft through SQM.
  • If you disable this policy setting, responsiveness events are not processed.
  • If you do not configure this policy setting, the DPS will enable Windows Performance PerfTrack by default.

Read more >

Relevance indicator

75

Table of settings


UIX

No impact : 0

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\SOFTWARE\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d}
RegistryItem :
ScenarioExecutionEnabled

Values

Type :
Number
Possible Values :
  • 1 (Enable)
  • 0 (Disable)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d}' -name 'ScenarioExecutionEnabled'
Set Value :
Set-ItemProperty -path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d}' -name 'ScenarioExecutionEnabled' -value 0


More Informations


OS

1696 Basic User Profiles: Turn off the advertising ID Medium No impact 0 1

User Profiles: Turn off the advertising ID

AdvertisingForce

Introduction


This policy setting turns off the advertising ID, preventing apps from using the ID for experiences across apps.

  • If you enable this policy setting, the advertising ID is turned off. Apps can't use the ID for experiences across apps.
  • If you disable or do not configure this policy setting, users can control whether apps can use the advertising ID for experiences across apps.

Read more >

Relevance indicator

75

Table of settings


UIX

No impact : 0

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo
RegistryItem :
DisabledByGroupPolicy

Values

Type :
Number
Possible Values :
  • 1 (Enable)
  • 0 (Disable)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo' -name 'DisabledByGroupPolicy'
Set Value :
Set-ItemProperty -path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo' -name 'DisabledByGroupPolicy' -value 1


More Informations


Potential impact

OS

1697 Basic Time Providers: Enable Windows NTP Client Medium No impact 0 1

Time Providers: Enable Windows NTP Client


Introduction


This policy setting specifies whether the Windows NTP Client is enabled. Enabling the Windows NTP Client allows your computer to synchronize its clock with NTP servers; you might disable it only if a third-party time provider is used instead.

  • If you enable this policy setting, the local computer clock synchronizes time with NTP servers.
  • If you disable or do not configure this policy setting, the local computer clock does not synchronize time with NTP servers.

Accurate time is a security control in its own right: Kerberos rejects tickets when clocks differ by more than the allowed skew (5 minutes by default), certificate validity checks depend on it, and event logs from different hosts cannot be correlated without it.

Read more >

Relevance indicator

75

Table of settings


UIX

No impact : 0

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\Software\Policies\Microsoft\W32time\TimeProviders\NtpClient
RegistryItem :
Enabled

Values

Type :
Number
Possible Values :
  • 1 (Enable)
  • 0 (Disable)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\W32time\TimeProviders\NtpClient' -name 'Enabled'
Set Value :
Set-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\W32time\TimeProviders\NtpClient' -name 'Enabled' -value 1


More Informations


OS

1698 Basic Time Providers: Enable Windows NTP Server Medium No impact 0 0

Time Providers: Enable Windows NTP Server


Introduction


This policy setting allows you to specify whether the Windows NTP Server is enabled.

  • If you enable this policy setting for the Windows NTP Server, your computer can service NTP requests from other computers.
  • If you disable or do not configure this policy setting, your computer cannot service NTP requests from other computers.

The recommended value 0 is for workstations and member servers. Domain controllers must keep the NTP server enabled, because domain members synchronize their clocks from them; do not apply this entry to a domain controller.

Read more >

Relevance indicator

75

Table of settings


UIX

No impact : 0

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\Software\Policies\Microsoft\W32time\TimeProviders\NtpServer
RegistryItem :
Enabled

Values

Type :
Number
Possible Values :
  • 1 (Enable)
  • 0 (Disable)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\W32time\TimeProviders\NtpServer' -name 'Enabled'
Set Value :
Set-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\W32time\TimeProviders\NtpServer' -name 'Enabled' -value 0


More Informations


OS
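
Setting the two Time Providers entries does not by itself prove that the clock is synchronized. The following is an added example (editor-supplied, not code from the hardening interface) that reads the effective provider flags and the sync source from w32tm and measures the offset against a reference server. It assumes the English output format of w32tm; 'dc01.example.local' is a placeholder, not a host from this page.

```powershell
# Added example (editor-supplied; not code from the hardening interface): after
# applying the two Time Providers entries, confirm that this machine really
# synchronizes from an NTP source and is not answering NTP requests itself. The
# parsing assumes the English output of w32tm, and 'dc01.example.local' is a
# placeholder for a real reference server.

function Get-TimeProviderState {
    # Reads the NtpClient/NtpServer 'Enabled' flags from 'w32tm /query /configuration'.
    $state = @{ NtpClient = $null; NtpServer = $null }
    $provider = $null
    foreach ($line in (w32tm /query /configuration)) {
        if ($line -match '^\s*(NtpClient|NtpServer)\s*\(') { $provider = $Matches[1]; continue }
        if ($provider -and $line -match '^\s*Enabled:\s*(\d)') {
            $state[$provider] = [int]$Matches[1]
            $provider = $null
        }
    }
    return $state
}

function Get-TimeSyncStatus {
    # Reads the sync source and last sync time from 'w32tm /query /status'.
    # 'Local CMOS Clock' or 'Free-running System Clock' means no synchronization at all.
    $lines = w32tm /query /status
    if ($LASTEXITCODE -ne 0) { throw "w32tm failed; is the Windows Time service running? $lines" }
    $source = $null; $lastSync = $null
    foreach ($line in $lines) {
        if ($line -match '^Source:\s*(.+)$') { $source = $Matches[1].Trim() }
        elseif ($line -match '^Last Successful Sync Time:\s*(.+)$') { $lastSync = $Matches[1].Trim() }
    }
    [pscustomobject]@{
        Source        = $source
        LastSync      = $lastSync
        Synchronizing = [bool]($source -and $source -notmatch 'CMOS|Free-running')
    }
}

function Get-ClockOffsetSeconds {
    # Measures this clock against a reference with 'w32tm /stripchart'; in /dataonly
    # mode each sample line looks like "10:00:01, +00.0123456s".
    param([Parameter(Mandatory)][string]$ReferenceServer, [int]$Samples = 3)
    $lines = w32tm /stripchart /computer:$ReferenceServer /samples:$Samples /dataonly
    $offsets = foreach ($line in $lines) {
        if ($line -match ',\s*([+-]\d+\.\d+)s') { [double]$Matches[1] }
    }
    if ($null -eq $offsets -or @($offsets).Count -eq 0) { throw "No samples from $ReferenceServer; output was: $lines" }
    return ($offsets | Measure-Object -Average).Average
}

$providers = Get-TimeProviderState
$status    = Get-TimeSyncStatus
$status | Format-List
if ($providers.NtpClient -ne 1) { Write-Warning 'NtpClient is not enabled' }
if ($providers.NtpServer -eq 1) { Write-Warning 'NtpServer is enabled; expected only on domain controllers' }
if (-not $status.Synchronizing) { Write-Warning "Clock is not synchronizing (source: $($status.Source))" }
# Kerberos rejects tickets beyond 5 minutes of skew by default; check the offset against a DC:
# Get-ClockOffsetSeconds -ReferenceServer 'dc01.example.local'
```

A member machine that reports Local CMOS Clock as its source has the client enabled but no reachable time source, which is the state that eventually surfaces as Kerberos failures rather than as an obvious time error.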

Administrative Templates: Windows Components

1700 Basic App Package Deployment: Allow a Windows app to share application data between users Medium No impact 1 0

App Package Deployment: Allow a Windows app to share application data between users


Introduction


Manages a Windows app's ability to share data between users who have installed the app.

Read more >

Relevance indicator

75

Table of settings


UIX

No impact : 0

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\AppModel\StateManager
RegistryItem :
AllowSharedLocalAppData

Values

Type :
Number
Possible Values :
  • 1 (Enable)
  • 0 (Disable)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\AppModel\StateManager' -name 'AllowSharedLocalAppData'
Set Value :
Set-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\AppModel\StateManager' -name 'AllowSharedLocalAppData' -value 0


More Informations


Notes

OS

1701 Basic App Privacy: Let Windows apps activate with voice while the system is locked Medium Potentially 0 2

App Privacy: Let Windows apps activate with voice while the system is locked


Introduction


This policy setting specifies whether Windows apps can be activated by voice while the system is locked.


Relevance indicator

58

Table of settings


UIX

Potentially : 1

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy
RegistryItem :
LetAppsActivateWithVoiceAboveLock

Values

Type :
Number
Possible Values :
  • 0 (User is in control)
  • 1 (Force Allow)
  • 2 (Force Deny)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy' -name 'LetAppsActivateWithVoiceAboveLock'
Set Value :
Set-ItemProperty -path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy' -name 'LetAppsActivateWithVoiceAboveLock' -value 2


More Informations


Advices

Notes

OS

1702 Basic App runtime: Block launching Universal Windows apps with Windows Runtime API access from hosted content Medium Potentially 0 1

App runtime: Block launching Universal Windows apps with Windows Runtime API access from hosted content


Introduction


This policy setting controls whether Universal Windows apps with Windows Runtime API access directly from web content can be launched.


Relevance indicator

58

Table of settings


UIX

Potentially : 1

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
RegistryItem :
BlockHostedAppAccessWinRT

Values

Type :
Number
Possible Values :
  • 1 (Enable)
  • 0 (Disable)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -name 'BlockHostedAppAccessWinRT'
Set Value :
Set-ItemProperty -path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -name 'BlockHostedAppAccessWinRT' -value 1


More Informations


Potential impact

Notes

OS

1703 Basic Application Compatibility: Turn off Application Telemetry Medium No impact 1 0

Application Compatibility: Turn off Application Telemetry


Introduction


The policy controls the state of the Application Telemetry engine in the system.
Application Telemetry is a mechanism that tracks anonymous usage of specific Windows system components by applications.


Relevance indicator

75

Table of settings


UIX

No impact : 0

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\Software\Policies\Microsoft\Windows\AppCompat
RegistryItem :
AITEnable

Values

Type :
Number
Possible Values :
  • 1 (Enable)
  • 0 (Disable)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\Windows\AppCompat' -name 'AITEnable'
Set Value :
Set-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\Windows\AppCompat' -name 'AITEnable' -value 0


More Informations


Notes

OS

1704 Basic AutoPlay Policies: Turn off Autoplay Medium Impact 0 255

AutoPlay Policies: Turn off Autoplay


Introduction


This policy setting allows you to turn off the Autoplay feature. Autoplay begins reading from a drive as soon as you insert media in the drive. As a result, the setup file of programs and the music on audio media start immediately.

  • If you enable this policy setting, Autoplay is disabled on CD-ROM and removable media drives, or disabled on all drives.
  • This policy setting disables Autoplay on additional types of drives. You cannot use this setting to enable Autoplay on drives on which it is disabled by default.
  • If you disable or do not configure this policy setting, AutoPlay is enabled.


Relevance indicator

42

Table of settings


UIX

Impact : 2

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
RegistryItem :
NoDriveTypeAutoRun

Values

Type :
Number
Possible Values :
  • 181 (CD-ROM and removable media drives)
  • 255 (All drives)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' -name 'NoDriveTypeAutoRun'
Set Value :
Set-ItemProperty -path 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' -name 'NoDriveTypeAutoRun' -value 255


More Informations


Notes

OS

1705 Basic AutoPlay Policies: Disallow Autoplay for non-volume devices Medium Potentially 0 1

AutoPlay Policies: Disallow Autoplay for non-volume devices


Introduction


This policy setting disallows AutoPlay for MTP (Media Transfer Protocol) devices like cameras or phones.

  • If you enable this policy setting, AutoPlay is not allowed for MTP devices like cameras or phones.
  • If you disable or do not configure this policy setting, AutoPlay is enabled for non-volume devices.


Relevance indicator

58

Table of settings


UIX

Potentially : 1

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\Software\Policies\Microsoft\Windows\Explorer
RegistryItem :
NoAutoplayfornonVolume

Values

Type :
Number
Possible Values :
  • 1 (Enable)
  • 0 (Disable)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\Windows\Explorer' -name 'NoAutoplayfornonVolume'
Set Value :
Set-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\Windows\Explorer' -name 'NoAutoplayfornonVolume' -value 1


More Informations


OS

1706 Basic AutoPlay Policies: Set the default behavior for AutoRun Medium Potentially 0 1

AutoPlay Policies: Set the default behavior for AutoRun


Introduction


This policy setting sets the default behavior for Autorun commands.

  • Autorun commands are generally stored in autorun.inf files. They often launch the installation program or other routines.
  • This creates a major security concern, because code may be executed without the user's knowledge. The default behavior starting with Windows Vista is to prompt the user whether the autorun command is to be run. The autorun command is represented as a handler in the Autoplay dialog.


Relevance indicator

58

Table of settings


UIX

Potentially : 1

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
RegistryItem :
NoAutorun

Values

Type :
Number
Possible Values :
  • 0 (Not defined)
  • 1 (Do not execute any autorun commands)
  • 2 (Automatically execute autorun commands)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' -name 'NoAutorun'
Set Value :
Set-ItemProperty -path 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' -name 'NoAutorun' -value 1


More Informations


Notes

OS

1707 StrongBox Biometrics: Allow the use of biometrics Medium Impact 1 0

Biometrics: Allow the use of biometrics


Introduction


This policy setting allows or prevents the Windows Biometric Service to run on this computer.

  • If you enable or do not configure this policy setting, the Windows Biometric Service is available, and users can run applications that use biometrics on Windows. If you want to enable the ability to log on with biometrics, you must also configure the "Allow users to log on using biometrics" policy setting.
  • If you disable this policy setting, the Windows Biometric Service is unavailable, and users cannot use any biometric feature in Windows.


Relevance indicator

25

Table of settings


UIX

Impact : 2

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\SOFTWARE\Policies\Microsoft\Biometrics
RegistryItem :
Enabled

Values

Type :
Number
Possible Values :
  • 1 (Enable)
  • 0 (Disable)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\SOFTWARE\Policies\Microsoft\Biometrics' -name 'Enabled'
Set Value :
Set-ItemProperty -path 'HKLM:\SOFTWARE\Policies\Microsoft\Biometrics' -name 'Enabled' -value 0


More Informations


Notes

OS

1708 Basic BitLocker Drive Encryption: Volume status High No impact FullyDecrypted FullyEncrypted

BitLocker Drive Encryption: Volume status

Bitlocker  Encryption

Introduction


This policy setting allows you to see whether your disk is encrypted by BitLocker.


Relevance indicator

100

Table of settings


UIX

No impact : 0

Method

Method :
BitLockerVolume
Method Argument :
VolumeStatus

Values

Type :
No values
Possible Values :

Powershell Command

Getting Command :
Get-BitLockerVolume -MountPoint C: ;

More Informations


Notes

OS

1709 Basic BitLocker Drive Encryption: Disable new DMA devices when this computer is locked Medium No impact 0 1

BitLocker Drive Encryption: Disable new DMA devices when this computer is locked


Introduction


This policy setting allows you to block direct memory access (DMA) for all Thunderbolt hot pluggable PCI downstream ports until a user logs into Windows. Once a user logs in, Windows will enumerate the PCI devices connected to the host Thunderbolt PCI ports. Every time the user locks the machine, DMA will be blocked on hot plug Thunderbolt PCI ports with no children devices, until the user logs in again. Devices which were already enumerated when the machine was unlocked will continue to function until unplugged or the system is rebooted or hibernated.

This policy setting is only enforced when BitLocker or device encryption is enabled.


Relevance indicator

75

Table of settings


UIX

No impact : 0

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\Software\Policies\Microsoft\FVE
RegistryItem :
DisableExternalDMAUnderLock

Values

Type :
Number
Possible Values :
  • 1 (Enable)
  • 0 (Disable)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\FVE' -name 'DisableExternalDMAUnderLock'
Set Value :
Set-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\FVE' -name 'DisableExternalDMAUnderLock' -value 1


More Informations


OS

1710 Basic BitLocker Drive Encryption: Operating System Drives: Allow Secure Boot for integrity validation Medium No impact 0 1

BitLocker Drive Encryption: Operating System Drives: Allow Secure Boot for integrity validation


Introduction


This policy setting allows you to configure whether Secure Boot will be allowed as the platform integrity provider for BitLocker operating system drives.

Secure Boot ensures that the PC's pre-boot environment only loads firmware that is digitally signed by authorized software publishers. Secure Boot also provides more flexibility for managing pre-boot configuration than legacy BitLocker integrity checks.


Relevance indicator

75

Table of settings


UIX

No impact : 0

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\Software\Policies\Microsoft\FVE
RegistryItem :
OSAllowSecureBootForIntegrity

Values

Type :
Number
Possible Values :
  • 1 (Enable)
  • 0 (Disable)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\FVE' -name 'OSAllowSecureBootForIntegrity'
Set Value :
Set-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\FVE' -name 'OSAllowSecureBootForIntegrity' -value 1


More Informations


Potential impact

Notes

OS

1711 Basic BitLocker Drive Encryption: Operating System Drives: Require additional authentication at startup Medium Potentially 0 1

BitLocker Drive Encryption: Operating System Drives: Require additional authentication at startup


Introduction


This policy setting allows you to configure whether BitLocker requires additional authentication each time the computer starts and whether you are using BitLocker with or without a Trusted Platform Module (TPM).


Relevance indicator

58

Table of settings


UIX

Potentially : 1

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\Software\Policies\Microsoft\FVE
RegistryItem :
UseAdvancedStartup

Values

Type :
Number
Possible Values :
  • 1 (Enable)
  • 0 (Disable)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\FVE' -name 'UseAdvancedStartup'
Set Value :
Set-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\FVE' -name 'UseAdvancedStartup' -value 1


More Informations


Notes

OS

1712 Basic BitLocker Drive Encryption: Operating System Drives: Allow enhanced PINs for startup Medium Potentially 0 1

BitLocker Drive Encryption: Operating System Drives: Allow enhanced PINs for startup


Introduction


This policy setting allows you to configure whether or not enhanced startup PINs are used with BitLocker.

Enhanced startup PINs permit the use of characters including uppercase and lowercase letters, symbols, numbers, and spaces. This policy setting is applied when you turn on BitLocker.


Relevance indicator

58

Table of settings


UIX

Potentially : 1

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\Software\Policies\Microsoft\FVE
RegistryItem :
UseEnhancedPin

Values

Type :
Number
Possible Values :
  • 1 (Enable)
  • 0 (Disable)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\FVE' -name 'UseEnhancedPin'
Set Value :
Set-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\FVE' -name 'UseEnhancedPin' -value 1


More Informations


Notes

OS

1713 Basic BitLocker Drive Encryption: Operating System Drives: Configure use of hardware-based encryption for operating system drives Medium No impact 0 1

BitLocker Drive Encryption: Operating System Drives: Configure use of hardware-based encryption for operating system drives


Introduction


This policy setting allows you to manage BitLocker's use of hardware-based encryption on operating system drives and specify which encryption algorithms it can use with hardware-based encryption. Using hardware-based encryption can improve performance of drive operations that involve frequent reading or writing of data to the drive.


Relevance indicator

75

Table of settings


UIX

No impact : 0

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\Software\Policies\Microsoft\FVE
RegistryItem :
OSHardwareEncryption

Values

Type :
Number
Possible Values :
  • 1 (Enable)
  • 0 (Disable)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\FVE' -name 'OSHardwareEncryption'
Set Value :
Set-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\FVE' -name 'OSHardwareEncryption' -value 1


More Informations


Notes

OS

1714 Basic BitLocker Drive Encryption: Operating System Drives: Use BitLocker software-based encryption when hardware encryption is not available Medium No impact 0 1

BitLocker Drive Encryption: Operating System Drives: Use BitLocker software-based encryption when hardware encryption is not available


Introduction


If hardware-based encryption is not available, BitLocker software-based encryption is used instead.

The encryption algorithm that is used by hardware-based encryption is set when the drive is partitioned. By default, BitLocker uses the algorithm that is configured on the drive to encrypt the drive. The Restrict encryption algorithms and cipher suites allowed for hardware-based encryption option of this setting enables you to restrict the encryption algorithms that BitLocker can use with hardware encryption. If the algorithm that is set for the drive is not available, BitLocker disables the use of hardware-based encryption.


Relevance indicator

75

Table of settings


UIX

No impact : 0

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\Software\Policies\Microsoft\FVE
RegistryItem :
OSAllowSoftwareEncryptionFailover

Values

Type :
Number
Possible Values :
  • 1 (Enable)
  • 0 (Disable)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\FVE' -name 'OSAllowSoftwareEncryptionFailover'
Set Value :
Set-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\FVE' -name 'OSAllowSoftwareEncryptionFailover' -value 1


More Informations


Notes

OS

1715 Basic BitLocker Drive Encryption: Operating System Drives: Require additional authentication at startup: Allow BitLocker without a compatible TPM Medium Impact 1 0

BitLocker Drive Encryption: Operating System Drives: Require additional authentication at startup: Allow BitLocker without a compatible TPM


Introduction


Requires a password or a startup key on a USB flash drive.


Relevance indicator

42

Table of settings


UIX

Impact : 2

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\Software\Policies\Microsoft\FVE
RegistryItem :
EnableBDEWithNoTPM

Values

Type :
Number
Possible Values :
  • 1 (True)
  • 0 (False)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\FVE' -name 'EnableBDEWithNoTPM'
Set Value :
Set-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\FVE' -name 'EnableBDEWithNoTPM' -value 0


More Informations


1716 Basic BitLocker Drive Encryption: Operating System Drives: Require additional authentication at startup: Configure TPM startup Medium Impact 0 0

BitLocker Drive Encryption: Operating System Drives: Require additional authentication at startup: Configure TPM startup


Introduction


Configure TPM startup


Relevance indicator

42

Table of settings


UIX

Impact : 2

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\Software\Policies\Microsoft\FVE
RegistryItem :
UseTPM

Values

Type :
Number
Possible Values :
  • 0 (Do not allow TPM)
  • 1 (Require TPM)
  • 2 (Allow TPM)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\FVE' -name 'UseTPM'
Set Value :
Set-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\FVE' -name 'UseTPM' -value 0


More Informations


1717 Basic BitLocker Drive Encryption: Operating System Drives: Require additional authentication at startup: Configure TPM startup PIN Medium Impact 0 1

BitLocker Drive Encryption: Operating System Drives: Require additional authentication at startup: Configure TPM startup PIN


Introduction


Configure TPM startup PIN


Relevance indicator

42

Table of settings


UIX

Impact : 2

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\Software\Policies\Microsoft\FVE
RegistryItem :
UseTPMPIN

Values

Type :
Number
Possible Values :
  • 0 (Do not allow startup PIN with TPM)
  • 1 (Require startup PIN with TPM)
  • 2 (Allow startup PIN with TPM)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\FVE' -name 'UseTPMPIN'
Set Value :
Set-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\FVE' -name 'UseTPMPIN' -value 1


More Informations


1718 Basic BitLocker Drive Encryption: Operating System Drives: Require additional authentication at startup: Configure TPM startup key Medium Impact 0 0

BitLocker Drive Encryption: Operating System Drives: Require additional authentication at startup: Configure TPM startup key


Introduction


Configure TPM startup key


Relevance indicator

42

Table of settings


UIX

Impact : 2

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\Software\Policies\Microsoft\FVE
RegistryItem :
UseTPMKey

Values

Type :
Number
Possible Values :
  • 0 (Do not allow startup key with TPM)
  • 1 (Require startup key with TPM)
  • 2 (Allow startup key with TPM)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\FVE' -name 'UseTPMKey'
Set Value :
Set-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\FVE' -name 'UseTPMKey' -value 0


More Informations


1719 Basic BitLocker Drive Encryption: Operating System Drives: Require additional authentication at startup: Configure TPM startup key and PIN Medium Impact 0 0

BitLocker Drive Encryption: Operating System Drives: Require additional authentication at startup: Configure TPM startup key and PIN


Introduction


Configure TPM startup PIN and key


Relevance indicator

42

Table of settings


UIX

Impact : 2

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\Software\Policies\Microsoft\FVE
RegistryItem :
UseTPMKeyPIN

Values

Type :
Number
Possible Values :
  • 0 (Do not allow startup key and PIN with TPM)
  • 1 (Require startup key and PIN with TPM)
  • 2 (Allow startup key and PIN with TPM)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\FVE' -name 'UseTPMKeyPIN'
Set Value :
Set-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\FVE' -name 'UseTPMKeyPIN' -value 0


More Informations


1720 Basic Cloud Content: Do not show Windows tips Medium Impact 0 1

Cloud Content: Do not show Windows tips


Introduction


This policy setting prevents Windows tips from being shown to users.

  • If you enable this policy setting, users will no longer see Windows tips.
  • If you disable or do not configure this policy setting, users may see contextual popups explaining how to use Windows. Microsoft uses diagnostic data to determine which tips to show.


Relevance indicator

42

Table of settings


UIX

Impact : 2

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\Software\Policies\Microsoft\Windows\CloudContent
RegistryItem :
DisableSoftLanding

Values

Type :
Number
Possible Values :
  • 1 (Enable)
  • 0 (Disable)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\Windows\CloudContent' -name 'DisableSoftLanding'
Set Value :
Set-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\Windows\CloudContent' -name 'DisableSoftLanding' -value 1


More Informations


Notes

OS

1721 Basic Cloud Content: Turn off Microsoft consumer experiences Medium Impact 0 1

Cloud Content: Turn off Microsoft consumer experiences


Introduction


This policy setting turns off experiences that help consumers make the most of their devices and Microsoft account.

  • If you enable this policy setting, users will no longer see personalized recommendations from Microsoft and notifications about their Microsoft account.
  • If you disable or do not configure this policy setting, users may see suggestions from Microsoft and notifications about their Microsoft account.


Relevance indicator

42

Table of settings


UIX

Impact : 2

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\Software\Policies\Microsoft\Windows\CloudContent
RegistryItem :
DisableWindowsConsumerFeatures

Values

Type :
Number
Possible Values :
  • 1 (Enable)
  • 0 (Disable)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\Windows\CloudContent' -name 'DisableWindowsConsumerFeatures'
Set Value :
Set-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\Windows\CloudContent' -name 'DisableWindowsConsumerFeatures' -value 1


More Informations


Notes

OS

1722 Enterprise Credential User Interface: Do not display the password reveal button Medium Impact 0 1

Credential User Interface: Do not display the password reveal button


Introduction


This policy setting allows you to configure the display of the password reveal button in password entry user experiences.

  • If you enable this policy setting, the password reveal button will not be displayed after a user types a password in the password entry text box.
  • If you disable or do not configure this policy setting, the password reveal button will be displayed after a user types a password in the password entry text box.


Relevance indicator

33

Table of settings


UIX

Impact : 2

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\Software\Policies\Microsoft\Windows\CredUI
RegistryItem :
DisablePasswordReveal

Values

Type :
Number
Possible Values :
  • 1 (Enable)
  • 0 (Disable)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\Windows\CredUI' -name 'DisablePasswordReveal'
Set Value :
Set-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\Windows\CredUI' -name 'DisablePasswordReveal' -value 1


More Informations


Notes

OS

1723 StrongBox Credential User Interface: Require trusted path for credential entry Medium Impact 0 1

Credential User Interface: Require trusted path for credential entry


Introduction


This policy setting requires the user to enter Microsoft Windows credentials using a trusted path, to prevent a Trojan horse or other types of malicious code from stealing the user's Windows credentials.

  • If you enable this policy setting, users will be required to enter Windows credentials on the Secure Desktop by means of the trusted path mechanism.
  • If you disable or do not configure this policy setting, users will enter Windows credentials within the user's desktop session, potentially allowing malicious code access to the user's Windows credentials.


Relevance indicator

25

Table of settings


UIX

Impact : 2

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI
RegistryItem :
EnableSecureCredentialPrompting

Values

Type :
Number
Possible Values :
  • 1 (Enable)
  • 0 (Disable)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI' -name 'EnableSecureCredentialPrompting'
Set Value :
Set-ItemProperty -path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI' -name 'EnableSecureCredentialPrompting' -value 1


More Informations


Advices

OS

1724 Enterprise Credential User Interface: Enumerate administrator accounts on elevation Medium Impact 1 0

Credential User Interface: Enumerate administrator accounts on elevation


Introduction


This policy setting controls whether administrator accounts are displayed when a user attempts to elevate a running application. By default, administrator accounts are not displayed when the user attempts to elevate a running application.

  • If you enable this policy setting, all local administrator accounts on the PC will be displayed so the user can choose one and enter the correct password.
  • If you disable this policy setting, users will always be required to type a user name and password to elevate.


Relevance indicator

33

Table of settings


UIX

Impact : 2

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI
RegistryItem :
EnumerateAdministrators

Values

Type :
Number
Possible Values :
  • 1 (Enable)
  • 0 (Disable)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI' -name 'EnumerateAdministrators'
Set Value :
Set-ItemProperty -path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI' -name 'EnumerateAdministrators' -value 0


More Informations


OS

1725 Basic Data Collection and Preview Builds: Allow Telemetry Medium Potentially 2 1

Data Collection and Preview Builds: Allow Telemetry


Introduction


By configuring this setting in Windows 10, end users will not be able to opt into a higher level of telemetry collection than the level you have set for your organization. This limitation applies only to the Windows operating system and apps included with Windows, and does not apply to third-party apps running on Windows 10. Diagnostic data is categorized into four levels, as follows:

  • 0 (Security). Information that's required to help keep Windows, Windows Server, and System Center secure, including data about the Connected User Experiences and Telemetry component settings, the Malicious Software Removal Tool, and Windows Defender.
  • 1 (Required). Basic device info, including: quality-related data, app compatibility, and data from the Security level.
  • 2 (Enhanced). Additional insights, including: how Windows, Windows Server, System Center, and apps are used, how they perform, advanced reliability data, and data from both the Required and the Security levels.
  • 3 (Optional). All data necessary to identify and help to fix problems, plus data from the Security, Required, and Enhanced levels.


Relevance indicator

58

Table of settings


UIX

Potentially : 1

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\Software\Policies\Microsoft\Windows\DataCollection
RegistryItem :
AllowTelemetry

Values

Type :
Number
Possible Values :
  • 0 (Security)
  • 1 (Required)
  • 2 (Enhanced)
  • 3 (Optional)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\Windows\DataCollection' -name 'AllowTelemetry'
Set Value :
Set-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\Windows\DataCollection' -name 'AllowTelemetry' -value 1


More Informations


Notes

OS

1726 Enterprise Data Collection and Preview Builds: Allow device name to be sent in Windows diagnostic data Medium No impact 1 0

Data Collection and Preview Builds: Allow device name to be sent in Windows diagnostic data


Introduction


This policy allows the device name to be sent to Microsoft as part of Windows diagnostic data.

  • If you disable or do not configure this policy setting, the device name will not be sent to Microsoft as part of Windows diagnostic data.


Relevance indicator

67

Table of settings


UIX

No impact : 0

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\Software\Policies\Microsoft\Windows\DataCollection
RegistryItem :
AllowDeviceNameInTelemetry

Values

Type :
Number
Possible Values :
  • 1 (Enable)
  • 0 (Disable)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\Windows\DataCollection' -name 'AllowDeviceNameInTelemetry'
Set Value :
Set-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\Windows\DataCollection' -name 'AllowDeviceNameInTelemetry' -value 0


More Informations


OS

1727 Basic Delivery Optimization: Download Mode Medium Potentially 1 99

Delivery Optimization: Download Mode


Introduction


Specifies the download method that Delivery Optimization can use in downloads of Windows Updates, Apps and App updates. The following list shows the supported values:

  • 0 = HTTP only, no peering.
  • 1 = HTTP blended with peering behind the same NAT.
  • 2 = HTTP blended with peering across a private group. By default, peering occurs on devices in the same Active Directory site (if one exists) or the same domain. When this option is selected, peering will cross NATs. To create a custom group, use Group ID in combination with Mode 2.
  • 3 = HTTP blended with Internet Peering.
  • 99 = Simple download mode with no peering. Delivery Optimization downloads using HTTP only and does not attempt to contact the Delivery Optimization cloud services.
  • 100 = Bypass mode. Do not use Delivery Optimization and use BITS instead.


Relevance indicator

58

Table of settings


UIX

Potentially : 1

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization
RegistryItem :
DODownloadMode

Values

Type :
Number
Possible Values :
  • 0 (HTTP only)
  • 1 (LAN)
  • 2 (Group)
  • 3 (Internet)
  • 99 (Simple)
  • 100 (Bypass)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization' -name 'DODownloadMode'
Set Value :
Set-ItemProperty -path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization' -name 'DODownloadMode' -value 99


More Informations


OS

1728 Basic Event Log Service: Specify the maximum Application log file size (KB) Medium Potentially 4096 32768

Event Log Service: Specify the maximum Application log file size (KB)


Introduction


This policy setting specifies the maximum size of the application log file in kilobytes.

  • If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobytes) and 2 terabytes (2147483647 kilobytes), in kilobyte increments.
  • If you disable or do not configure this policy setting, the maximum size of the log file will be set to the locally configured value. This value can be changed by the local administrator using the Log Properties dialog, and it defaults to 1 megabyte.


Relevance indicator

58

Table of settings


UIX

Potentially : 1

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\Software\Policies\Microsoft\Windows\EventLog\Application
RegistryItem :
MaxSize

Values

Type :
Number
Possible Values :
  • 1024 ≤ x ≤ 2147483647

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\Windows\EventLog\Application' -name 'MaxSize'
Set Value :
Set-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\Windows\EventLog\Application' -name 'MaxSize' -value 32768


More Information


OS

1729 Basic Event Log Service: Specify the maximum Security log file size (KB) Medium Potentially 4096 196608

Event Log Service: Specify the maximum Security log file size (KB)


Introduction


This policy setting specifies the maximum size of the security log file in kilobytes.

  • If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobytes) and 2 terabytes (2147483647 kilobytes), in kilobyte increments.
  • If you disable or do not configure this policy setting, the maximum size of the log file will be set to the locally configured value. This value can be changed by the local administrator using the Log Properties dialog, and it defaults to 1 megabyte.


Relevance indicator

58

Table of settings


UIX

Potentially : 1

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\Software\Policies\Microsoft\Windows\EventLog\Security
RegistryItem :
MaxSize

Values

Type :
Number
Possible Values :
  • 1024 ≤ x ≤ 2147483647

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\Windows\EventLog\Security' -name 'MaxSize'
Set Value :
Set-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\Windows\EventLog\Security' -name 'MaxSize' -value 196608


More Information


OS

1730 Basic Event Log Service: Specify the maximum System log file size (KB) Medium Potentially 4096 32768

Event Log Service: Specify the maximum System log file size (KB)


Introduction


This policy setting specifies the maximum size of the system log file in kilobytes.

  • If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobytes) and 2 terabytes (2147483647 kilobytes), in kilobyte increments.
  • If you disable or do not configure this policy setting, the maximum size of the log file will be set to the locally configured value. This value can be changed by the local administrator using the Log Properties dialog, and it defaults to 1 megabyte.


Relevance indicator

58

Table of settings


UIX

Potentially : 1

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\Software\Policies\Microsoft\Windows\EventLog\System
RegistryItem :
MaxSize

Values

Type :
Number
Possible Values :
  • 1024 ≤ x ≤ 2147483647

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\Windows\EventLog\System' -name 'MaxSize'
Set Value :
Set-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\Windows\EventLog\System' -name 'MaxSize' -value 32768


More Information


OS

1731 Basic File Explorer: Allow the use of remote paths in file shortcut icons Medium Potentially 0 0

File Explorer: Allow the use of remote paths in file shortcut icons


Introduction


This policy setting determines whether remote paths can be used for file shortcut (.lnk file) icons.

  • If you enable this policy setting, file shortcut icons are allowed to be obtained from remote paths.
  • If you disable or do not configure this policy setting, file shortcut icons that use remote paths are prevented from being displayed.


Relevance indicator

58

Table of settings


UIX

Potentially : 1

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\Software\Policies\Microsoft\Windows\Explorer
RegistryItem :
EnableShellShortcutIconRemotePath

Values

Type :
Number
Possible Values :
  • 1 (Enable)
  • 0 (Disable)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\Windows\Explorer' -name 'EnableShellShortcutIconRemotePath'
Set Value :
Set-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\Windows\Explorer' -name 'EnableShellShortcutIconRemotePath' -value 0


More Information


Notes

OS

1732 Basic HomeGroup: Prevent the computer from joining a homegroup Medium Potentially 0 1

HomeGroup: Prevent the computer from joining a homegroup


Introduction


This policy setting specifies whether users can add computers to a homegroup. By default, users can add their computer to a homegroup on a private network.

  • If you enable this policy setting, users cannot add computers to a homegroup. This policy setting does not affect other network sharing features.
  • If you disable or do not configure this policy setting, users can add computers to a homegroup. However, data on a domain-joined computer is not shared with the homegroup.


Relevance indicator

58

Table of settings


UIX

Potentially : 1

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\Software\Policies\Microsoft\Windows\HomeGroup
RegistryItem :
DisableHomeGroup

Values

Type :
Number
Possible Values :
  • 1 (Enable)
  • 0 (Disable)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\Windows\HomeGroup' -name 'DisableHomeGroup'
Set Value :
Set-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\Windows\HomeGroup' -name 'DisableHomeGroup' -value 1


More Information


Notes

OS

1733 Basic OneDrive: Prevent the usage of OneDrive for file storage Medium Impact 0 1

OneDrive: Prevent the usage of OneDrive for file storage


Introduction


This policy setting lets you prevent apps and features from working with files on OneDrive. If you enable this policy setting:

  • Users can't access OneDrive from the OneDrive app and file picker.
  • Windows Store apps can't access OneDrive using the WinRT API.
  • OneDrive doesn't appear in the navigation pane in File Explorer.
  • OneDrive files aren't kept in sync with the cloud.
  • Users can't automatically upload photos and videos from the camera roll folder.


Relevance indicator

42

Table of settings


UIX

Impact : 2

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\Software\Policies\Microsoft\Windows\OneDrive
RegistryItem :
DisableFileSyncNGSC

Values

Type :
Number
Possible Values :
  • 1 (Enable)
  • 0 (Disable)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\Windows\OneDrive' -name 'DisableFileSyncNGSC'
Set Value :
Set-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\Windows\OneDrive' -name 'DisableFileSyncNGSC' -value 1


More Information


Potential impact

OS

1734 Enterprise Remote Desktop Connection Client: Do not allow passwords to be saved Medium No impact 0 1

Remote Desktop Connection Client: Do not allow passwords to be saved


Introduction


Controls whether passwords can be saved on this computer from Remote Desktop Connection.

  • If you enable this setting, the password saving checkbox in Remote Desktop Connection will be disabled and users will no longer be able to save passwords. When a user opens an RDP file using Remote Desktop Connection and saves his settings, any password that previously existed in the RDP file will be deleted.
  • If you disable this setting or leave it not configured, the user will be able to save passwords using Remote Desktop Connection.


Relevance indicator

67

Table of settings


UIX

No impact : 0

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services
RegistryItem :
DisablePasswordSaving

Values

Type :
Number
Possible Values :
  • 1 (Enable)
  • 0 (Disable)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' -name 'DisablePasswordSaving'
Set Value :
Set-ItemProperty -path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' -name 'DisablePasswordSaving' -value 1


More Information


OS

1735 Enterprise Remote Desktop Session Host: Allow users to connect remotely by using Remote Desktop Services Medium Potentially 0 1

Remote Desktop Session Host: Allow users to connect remotely by using Remote Desktop Services


Introduction


This policy setting allows you to configure remote access to computers by using Remote Desktop Services.

  • If you enable this policy setting, users who are members of the Remote Desktop Users group on the target computer can connect remotely to the target computer by using Remote Desktop Services.
  • If you disable this policy setting, users cannot connect remotely to the target computer by using Remote Desktop Services. The target computer will maintain any current connections, but will not accept any new incoming connections.


Relevance indicator

50

Table of settings


UIX

Potentially : 1

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services
RegistryItem :
fDenyTSConnections

Values

Type :
Number
Possible Values :
  • 0 (Enable)
  • 1 (Disable)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' -name 'fDenyTSConnections'
Set Value :
Set-ItemProperty -path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' -name 'fDenyTSConnections' -value 1


More Information


Notes

OS

1736 Enterprise Remote Desktop Session Host: Device and Resource Redirection: Do not allow drive redirection Medium No impact 0 1

Remote Desktop Session Host: Device and Resource Redirection: Do not allow drive redirection


Introduction


This policy setting specifies whether to prevent the mapping of client drives in a Remote Desktop Services session (drive redirection).

By default, an RD Session Host server maps client drives automatically upon connection. Mapped drives appear in the session folder tree in File Explorer or Computer in the format on . You can use this policy setting to override this behavior.

  • If you enable this policy setting, client drive redirection is not allowed in Remote Desktop Services sessions, and Clipboard file copy redirection is not allowed on computers running Windows Server 2003, Windows 8, and Windows XP.
  • If you disable this policy setting, client drive redirection is always allowed. In addition, Clipboard file copy redirection is always allowed if Clipboard redirection is allowed.


Relevance indicator

67

Table of settings


UIX

No impact : 0

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services
RegistryItem :
fDisableCdm

Values

Type :
Number
Possible Values :
  • 1 (Enable)
  • 0 (Disable)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' -name 'fDisableCdm'
Set Value :
Set-ItemProperty -path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' -name 'fDisableCdm' -value 1


More Information


OS

1737 Enterprise Remote Desktop Session Host: Security: Always prompt for password upon connection Medium No impact 0 1

Remote Desktop Session Host: Security: Always prompt for password upon connection


Introduction


This policy setting specifies whether Remote Desktop Services always prompts the client for a password upon connection.

You can use this setting to enforce a password prompt for users logging on to Remote Desktop Services, even if they already provided the password in the Remote Desktop Connection client.

By default, Remote Desktop Services allows users to automatically log on by entering a password in the Remote Desktop Connection client.

  • If you enable this policy setting, users cannot automatically log on to Remote Desktop Services by supplying their passwords in the Remote Desktop Connection client. They are prompted for a password to log on.
  • If you disable this policy setting, users can always log on to Remote Desktop Services automatically by supplying their passwords in the Remote Desktop Connection client.


Relevance indicator

67

Table of settings


UIX

No impact : 0

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services
RegistryItem :
fPromptForPassword

Values

Type :
Number
Possible Values :
  • 1 (Enable)
  • 0 (Disable)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' -name 'fPromptForPassword'
Set Value :
Set-ItemProperty -path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' -name 'fPromptForPassword' -value 1


More Information


Notes

OS

1738 Basic Remote Desktop Session Host: Security: Require secure RPC communication Medium No impact 0 1

Remote Desktop Session Host: Security: Require secure RPC communication


Introduction


Specifies whether a Remote Desktop Session Host server requires secure RPC communication with all clients or allows unsecured communication.

You can use this setting to strengthen the security of RPC communication with clients by allowing only authenticated and encrypted requests.

  • If the status is set to Enabled, Remote Desktop Services accepts requests from RPC clients that support secure requests, and does not allow unsecured communication with untrusted clients.
  • If the status is set to Disabled, Remote Desktop Services always requests security for all RPC traffic. However, unsecured communication is allowed for RPC clients that do not respond to the request.


Relevance indicator

75

Table of settings


UIX

No impact : 0

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services
RegistryItem :
fEncryptRPCTraffic

Values

Type :
Number
Possible Values :
  • 1 (Enable)
  • 0 (Disable)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' -name 'fEncryptRPCTraffic'
Set Value :
Set-ItemProperty -path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' -name 'fEncryptRPCTraffic' -value 1


More Information


Notes

OS

1739 Basic Remote Desktop Session Host: Security: Set client connection encryption level Medium No impact 0 3

Remote Desktop Session Host: Security: Set client connection encryption level


Introduction


Specifies whether to require the use of a specific encryption level to secure communications between client computers and RD Session Host servers during Remote Desktop Protocol (RDP) connections. This policy only applies when you are using native RDP encryption. However, native RDP encryption (as opposed to SSL encryption) is not recommended. This policy does not apply to SSL encryption. If you enable this policy setting, all communications between clients and RD Session Host servers during remote connections must use the encryption method specified in this setting. By default, the encryption level is set to High.


Relevance indicator

75

Table of settings


UIX

No impact : 0

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services
RegistryItem :
MinEncryptionLevel

Values

Type :
Number
Possible Values :
  • 1 (Low level)
  • 2 (Client compatible)
  • 3 (High level)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' -name 'MinEncryptionLevel'
Set Value :
Set-ItemProperty -path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' -name 'MinEncryptionLevel' -value 3


More Information


Notes

OS

1740 Basic Search: Allow Cloud Search Medium Impact 1 0

Search: Allow Cloud Search


Introduction


Allow search and Cortana to search cloud sources like OneDrive and SharePoint.


Relevance indicator

42

Table of settings


UIX

Impact : 2

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search
RegistryItem :
AllowCloudSearch

Values

Type :
Number
Possible Values :
  • 0 (Disable Cloud Search)
  • 1 (Enable Cloud Search)
  • 2 (User Selected)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search' -name 'AllowCloudSearch'
Set Value :
Set-ItemProperty -path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search' -name 'AllowCloudSearch' -value 0


More Information


OS

1741 Basic Search: Allow Cortana Medium Impact 1 0

Search: Allow Cortana

Services, Search, Cortana

Introduction


This policy setting specifies whether Cortana is allowed on the device.

  • If you enable or don't configure this setting, Cortana will be allowed on the device. If you disable this setting, Cortana will be turned off.
  • When Cortana is off, users will still be able to use search to find things on the device.


Relevance indicator

42

Table of settings


UIX

Impact : 2

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search
RegistryItem :
AllowCortana

Values

Type :
Number
Possible Values :
  • 1 (Enable)
  • 0 (Disable)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search' -name 'AllowCortana'
Set Value :
Set-ItemProperty -path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search' -name 'AllowCortana' -value 0


More Information


OS

1742 Basic Search: Allow Cortana above lock screen Medium Impact 1 0

Search: Allow Cortana above lock screen

Services, Search, Cortana, LockScreen

Introduction


This policy setting determines whether or not the user can interact with Cortana using speech while the system is locked.

  • If you enable or don't configure this setting, the user can interact with Cortana using speech while the system is locked.
  • If you disable this setting, the system will need to be unlocked for the user to interact with Cortana using speech.


Relevance indicator

42

Table of settings


UIX

Impact : 2

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search
RegistryItem :
AllowCortanaAboveLock

Values

Type :
Number
Possible Values :
  • 1 (Enable)
  • 0 (Disable)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search' -name 'AllowCortanaAboveLock'
Set Value :
Set-ItemProperty -path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search' -name 'AllowCortanaAboveLock' -value 0


More Information


OS

1743 Basic Search: Allow indexing of encrypted files Medium Impact 1 0

Search: Allow indexing of encrypted files

Search, Encrypt

Introduction


This policy setting allows encrypted items to be indexed.

  • If you enable this policy setting, indexing will attempt to decrypt and index the content (access restrictions will still apply).
  • If you disable this policy setting, the search service components (including non-Microsoft components) are expected not to index encrypted items or encrypted stores.


Relevance indicator

42

Table of settings


UIX

Impact : 2

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search
RegistryItem :
AllowIndexingEncryptedStoresOrItems

Values

Type :
Number
Possible Values :
  • 1 (Enable)
  • 0 (Disable)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search' -name 'AllowIndexingEncryptedStoresOrItems'
Set Value :
Set-ItemProperty -path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search' -name 'AllowIndexingEncryptedStoresOrItems' -value 0


More Information


Advices

Notes

OS

1744 Basic Search: Allow search and Cortana to use location Medium Potentially 1 0

Search: Allow search and Cortana to use location

Services, Search, Cortana, Location

Introduction


This policy setting specifies whether search and Cortana can provide location aware search and Cortana results.

  • If this is enabled, search and Cortana can access location information.


Relevance indicator

58

Table of settings


UIX

Potentially : 1

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search
RegistryItem :
AllowSearchToUseLocation

Values

Type :
Number
Possible Values :
  • 1 (Enable)
  • 0 (Disable)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search' -name 'AllowSearchToUseLocation'
Set Value :
Set-ItemProperty -path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search' -name 'AllowSearchToUseLocation' -value 0


More Information


OS

1745 Basic Search: Set what information is shared in Search Medium Potentially 1 3

Search: Set what information is shared in Search


Introduction


This policy setting allows you to control what information is shared with Bing in Search. If you enable this policy setting, you can specify one of four settings, which users won't be able to change:

  • User info and location: Share a user's search history, some Microsoft account info, and specific location to personalize their search and other Microsoft experiences.
  • User info only: Share a user's search history and some Microsoft account info to personalize their search and other Microsoft experiences.
  • Anonymous info: Share usage information but don't share search history, Microsoft account info or specific location.

If you disable or don't configure this policy setting, users can choose what information is shared in Search.


Relevance indicator

58

Table of settings


UIX

Potentially : 1

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search
RegistryItem :
ConnectedSearchPrivacy

Values

Type :
Number
Possible Values :
  • 0 (Disable)
  • 1 (User info and location)
  • 2 (User info only)
  • 3 (Anonymous info)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search' -name 'ConnectedSearchPrivacy'
Set Value :
Set-ItemProperty -path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search' -name 'ConnectedSearchPrivacy' -value 3


More Information


Notes

OS

1746 Basic Windows Error Reporting: Disable Windows Error Reporting Medium Potentially 0 1

Windows Error Reporting: Disable Windows Error Reporting


Introduction


This policy setting controls whether or not errors are reported to Microsoft. Error Reporting is used to report information about a system or application that has failed or has stopped responding and is used to improve the quality of the product.

  • If you enable this policy setting, users are not given the option to report errors.
  • If you disable or do not configure this policy setting, the errors may be reported to Microsoft via the Internet or to a corporate file share.


Relevance indicator

58

Table of settings


UIX

Potentially : 1

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting
RegistryItem :
Disabled

Values

Type :
Number
Possible Values :
  • 1 (Enable)
  • 0 (Disable)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting' -name 'Disabled'
Set Value :
Set-ItemProperty -path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting' -name 'Disabled' -value 1


More Information


Notes

OS

1747 Basic Windows Game Recording and Broadcasting: Enables or disables Windows Game Recording and Broadcasting Low Impact 1 0

Windows Game Recording and Broadcasting: Enables or disables Windows Game Recording and Broadcasting


Introduction


This setting enables or disables the Windows Game Recording and Broadcasting features.

  • If you disable this setting, Windows Game Recording will not be allowed.
  • If the setting is enabled or not configured, then Recording and Broadcasting (streaming) will be allowed.


Relevance indicator

17

Table of settings


UIX

Impact : 2

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\Software\Policies\Microsoft\Windows\GameDVR
RegistryItem :
AllowGameDVR

Values

Type :
Number
Possible Values :
  • 1 (Enable)
  • 0 (Disable)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\Windows\GameDVR' -name 'AllowGameDVR'
Set Value :
Set-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\Windows\GameDVR' -name 'AllowGameDVR' -value 0


More Information


OS

1748 Enterprise Windows Ink Workspace: Allow Windows Ink Workspace Medium Impact 1 0

Windows Ink Workspace: Allow Windows Ink Workspace


Introduction


Allow Windows Ink Workspace

  • If this policy is enabled, you can share your ideas or draw on screenshots with your pen in the Windows Ink Workspace.


Relevance indicator

33

Table of settings


UIX

Impact : 2

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\Software\Policies\Microsoft\WindowsInkWorkspace
RegistryItem :
AllowWindowsInkWorkspace

Values

Type :
Number
Possible Values :
  • 0 (Disabled)
  • 1 (On, but disallow access above lock)
  • 2 (On)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\WindowsInkWorkspace' -name 'AllowWindowsInkWorkspace'
Set Value :
Set-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\WindowsInkWorkspace' -name 'AllowWindowsInkWorkspace' -value 0


More Information


OS

1749 Basic Windows Installer: Always install with elevated privileges Medium Potentially 1 0

Windows Installer: Always install with elevated privileges

Install

Introduction


This policy setting directs Windows Installer to use elevated permissions when it installs any program on the system.

  • If you enable this policy setting, privileges are extended to all programs. These privileges are usually reserved for programs that have been assigned to the user (offered on the desktop), assigned to the computer (installed automatically), or made available in Add or Remove Programs in Control Panel. This profile setting lets users install programs that require access to directories that the user might not have permission to view or change, including directories on highly restricted computers.
  • If you disable or do not configure this policy setting, the system applies the current user's permissions when it installs programs that a system administrator does not distribute or offer.


Relevance indicator

58

Table of settings


UIX

Potentially : 1

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\Software\Policies\Microsoft\Windows\Installer
RegistryItem :
AlwaysInstallElevated

Values

Type :
Number
Possible Values :
  • 1 (Enable)
  • 0 (Disable)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\Windows\Installer' -name 'AlwaysInstallElevated'
Set Value :
Set-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\Windows\Installer' -name 'AlwaysInstallElevated' -value 0


More Information


Potential impact

Advices

OS

1750 Basic Windows Installer: Allow user control over installs Medium Impact 1 0

Windows Installer: Allow user control over installs


Introduction


This policy setting permits users to change installation options that typically are available only to system administrators.

  • If you enable this policy setting, some of the security features of Windows Installer are bypassed. It permits installations to complete that otherwise would be halted due to a security violation.
  • If you disable or do not configure this policy setting, the security features of Windows Installer prevent users from changing installation options typically reserved for system administrators, such as specifying the directory to which files are installed.


Relevance indicator

42

Table of settings


UIX

Impact : 2

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\Software\Policies\Microsoft\Windows\Installer
RegistryItem :
EnableUserControl

Values

Type :
Possible Values :

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\Windows\Installer' -name 'EnableUserControl'
Set Value :
Set-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\Windows\Installer' -name 'EnableUserControl' -value 0


More Information


Advices

Notes

OS

1751 Basic Windows Installer: Prevent Internet Explorer security prompt for Windows Installer scripts Medium Potentially 1 0

Windows Installer: Prevent Internet Explorer security prompt for Windows Installer scripts


Introduction


This policy setting allows Web-based programs to install software on the computer without notifying the user.

  • If you disable or do not configure this policy setting, by default, when a script hosted by an Internet browser tries to install a program on the system, the system warns users and allows them to select or refuse the installation.
  • If you enable this policy setting, the warning is suppressed and allows the installation to proceed.


Relevance indicator

58

Table of settings


UIX

Potentially : 1

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\Software\Policies\Microsoft\Windows\Installer
RegistryItem :
SafeForScripting

Values

Type :
Number
Possible Values :
  • 1 (Enable)
  • 0 (Disable)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\Windows\Installer' -name 'SafeForScripting'
Set Value :
Set-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\Windows\Installer' -name 'SafeForScripting' -value 0


More Information


Advices

OS

1752 Basic Windows Logon Options: Sign-in and lock last interactive user automatically after a restart Medium Potentially 0 1

Windows Logon Options: Sign-in and lock last interactive user automatically after a restart


Introduction


This policy setting controls whether a device will automatically sign in and lock the last interactive user after the system restarts or after a shutdown and cold boot.

  • If you don't configure this policy setting, it is disabled by default. When the policy is disabled, the user is automatically signed in and the session is automatically locked with all lock screen apps configured for that user after the device boots. After disabling this policy, you can configure its settings through the ConfigAutomaticRestartSignOn policy, which configures the mode of automatically signing in and locking the last interactive user after a restart or cold boot.
  • If you enable this policy setting, the device does not configure automatic sign in. The user's lock screen apps are not restarted after the system restarts.


Relevance indicator

58

Table of settings


UIX

Potentially : 1

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
RegistryItem :
DisableAutomaticRestartSignOn

Values

Type :
Number
Possible Values :
  • 1 (Enable)
  • 0 (Disable)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -name 'DisableAutomaticRestartSignOn'
Set Value :
Set-ItemProperty -path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -name 'DisableAutomaticRestartSignOn' -value 1


More Information


Notes

OS

1753 Enterprise WinRM Client: Allow Basic authentication Medium No impact 1 0

WinRM Client: Allow Basic authentication


Introduction


This policy setting allows you to manage whether the Windows Remote Management (WinRM) client uses Basic authentication.

  • If you enable this policy setting, the WinRM client uses Basic authentication. If WinRM is configured to use HTTP transport, the user name and password are sent over the network as clear text.
  • If you disable or do not configure this policy setting, the WinRM client does not use Basic authentication.


Relevance indicator

67

Table of settings


UIX

No impact : 0

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\Software\Policies\Microsoft\Windows\WinRM\Client
RegistryItem :
AllowBasic

Values

Type :
Number
Possible Values :
  • 1 (Enable)
  • 0 (Disable)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\Windows\WinRM\Client' -name 'AllowBasic'
Set Value :
Set-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\Windows\WinRM\Client' -name 'AllowBasic' -value 0


More Informations


OS

1754 Enterprise WinRM Client: Allow unencrypted traffic Medium No impact 1 0

WinRM Client: Allow unencrypted traffic


Introduction


This policy setting allows you to manage whether the Windows Remote Management (WinRM) service sends and receives unencrypted messages over the network.

  • If you enable this policy setting, the WinRM client sends and receives unencrypted messages over the network.
  • If you disable or do not configure this policy setting, the WinRM client sends or receives only encrypted messages over the network.

Read more >

Relevance indicator

67

Table of settings


UIX

No impact : 0

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\Software\Policies\Microsoft\Windows\WinRM\Client
RegistryItem :
AllowUnencryptedTraffic

Values

Type :
Number
Possible Values :
  • 1 (Enable)
  • 0 (Disable)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\Windows\WinRM\Client' -name 'AllowUnencryptedTraffic'
Set Value :
Set-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\Windows\WinRM\Client' -name 'AllowUnencryptedTraffic' -value 0


More Informations


OS

1755 Enterprise WinRM Client: Disallow Digest authentication Medium Potentially 1 0

WinRM Client: Disallow Digest authentication


Introduction


This policy setting allows you to manage whether the Windows Remote Management (WinRM) client uses Digest authentication.

  • If you disable this policy setting, the WinRM client does not use Digest authentication.
  • If you enable or do not configure this policy setting, the WinRM client uses Digest authentication.

Read more >

Relevance indicator

50

Table of settings


UIX

Potentially : 1

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\Software\Policies\Microsoft\Windows\WinRM\Client
RegistryItem :
AllowDigest

Values

Type :
Number
Possible Values :
  • 1 (Enable)
  • 0 (Disable)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\Windows\WinRM\Client' -name 'AllowDigest'
Set Value :
Set-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\Windows\WinRM\Client' -name 'AllowDigest' -value 0


More Informations


OS

1756 Enterprise WinRM Service: Allow remote server management through WinRM Medium No impact 1 0

WinRM Service: Allow remote server management through WinRM


Introduction


This policy setting allows you to manage whether the Windows Remote Management (WinRM) service automatically listens on the network for requests on the HTTP transport over the default HTTP port.

  • If you enable this policy setting, the WinRM service automatically listens on the network for requests on the HTTP transport over the default HTTP port. (To allow WinRM service to receive requests over the network, configure the Windows Firewall policy setting with exceptions for Port 5985 (default port for HTTP).)
  • If you disable or do not configure this policy setting, the WinRM service will not respond to requests from a remote computer, regardless of whether or not any WinRM listeners are configured.

Read more >

Relevance indicator

67

Table of settings


UIX

No impact : 0

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service
RegistryItem :
AllowAutoConfig

Values

Type :
Number
Possible Values :
  • 1 (Enable)
  • 0 (Disable)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service' -name 'AllowAutoConfig'
Set Value :
Set-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service' -name 'AllowAutoConfig' -value 0


More Informations


Notes

OS

1757 Enterprise WinRM Service: Allow Basic authentication Medium No impact 1 0

WinRM Service: Allow Basic authentication


Introduction


This policy setting allows you to manage whether the Windows Remote Management (WinRM) client uses Basic authentication.

  • If you enable this policy setting, the WinRM client uses Basic authentication. If WinRM is configured to use HTTP transport, the user name and password are sent over the network as clear text.
  • If you disable or do not configure this policy setting, the WinRM client does not use Basic authentication.

Read more >

Relevance indicator

67

Table of settings


UIX

No impact : 0

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service
RegistryItem :
AllowBasic

Values

Type :
Number
Possible Values :
  • 1 (Enable)
  • 0 (Disable)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service' -name 'AllowBasic'
Set Value :
Set-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service' -name 'AllowBasic' -value 0


More Informations


OS

1758 Enterprise WinRM Service: Allow unencrypted traffic Medium No impact 1 0

WinRM Service: Allow unencrypted traffic


Introduction


This policy setting allows you to manage whether the Windows Remote Management (WinRM) service sends and receives unencrypted messages over the network.

  • If you enable this policy setting, the WinRM client sends and receives unencrypted messages over the network.
  • If you disable or do not configure this policy setting, the WinRM client sends or receives only encrypted messages over the network.

Read more >

Relevance indicator

67

Table of settings


UIX

No impact : 0

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service
RegistryItem :
AllowUnencryptedTraffic

Values

Type :
Number
Possible Values :
  • 1 (Enable)
  • 0 (Disable)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service' -name 'AllowUnencryptedTraffic'
Set Value :
Set-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service' -name 'AllowUnencryptedTraffic' -value 0


More Informations


OS

1759 Enterprise WinRM Service: Disallow WinRM from storing RunAs credentials Medium No impact 0 1

WinRM Service: Disallow WinRM from storing RunAs credentials


Introduction


This policy setting allows you to manage whether the Windows Remote Management (WinRM) service will not allow RunAs credentials to be stored for any plug-ins.

  • If you enable this policy setting, the WinRM service will not allow the RunAsUser or RunAsPassword configuration values to be set for any plug-ins. If a plug-in has already set the RunAsUser and RunAsPassword configuration values, the RunAsPassword configuration value will be erased from the credential store on this computer.

  • If you disable or do not configure this policy setting, the WinRM service will allow the RunAsUser and RunAsPassword configuration values to be set for plug-ins and the RunAsPassword value will be stored securely.

Read more >

Relevance indicator

67

Table of settings


UIX

No impact : 0

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service
RegistryItem :
DisableRunAs

Values

Type :
Number
Possible Values :
  • 1 (Enable)
  • 0 (Disable)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service' -name 'DisableRunAs'
Set Value :
Set-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service' -name 'DisableRunAs' -value 1


More Informations


OS

1760 Enterprise Windows Remote Shell: Allow Remote Shell Access Medium Potentially 1 0

Windows Remote Shell: Allow Remote Shell Access


Introduction


This policy setting configures access to remote shells.

  • If you enable or do not configure this policy setting, new remote shell connections are accepted by the server.
  • If you set this policy to 'disabled', new remote shell connections are rejected by the server.

Read more >

Relevance indicator

50

Table of settings


UIX

Potentially : 1

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service\WinRS
RegistryItem :
AllowRemoteShellAccess

Values

Type :
Number
Possible Values :
  • 1 (Enable)
  • 0 (Disable)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service\WinRS' -name 'AllowRemoteShellAccess'
Set Value :
Set-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service\WinRS' -name 'AllowRemoteShellAccess' -value 0


More Informations


OS

1761 Basic BitLocker Drive Encryption: Choose drive encryption method and cipher strength (for operating system drives) Medium No impact 6 6

BitLocker Drive Encryption: Choose drive encryption method and cipher strength (for operating system drives)


Introduction


This policy setting allows you to configure the algorithm and cipher strength used by BitLocker Drive Encryption. This policy setting is applied when you turn on BitLocker. Changing the encryption method has no effect if the drive is already encrypted, or if encryption is in progress.

  • If you enable this policy setting, you will be able to configure an encryption algorithm and key cipher strength for fixed data drives, operating system drives, and removable data drives individually. For fixed and operating system drives, we recommend that you use the XTS-AES algorithm. For removable drives, you should use AES-CBC 128-bit or AES-CBC 256-bit if the drive will be used in other devices that are not running Windows 10 (Version 1511).
  • If you disable or do not configure this policy setting, BitLocker will use AES with the same bit strength (128-bit or 256-bit) as the "Choose drive encryption method and cipher strength (Windows Vista, Windows Server 2008, Windows 7)" and "Choose drive encryption method and cipher strength" policy settings (in that order), if they are set. If none of the policies are set, BitLocker will use the default encryption method of XTS-AES 128-bit or the encryption method specified by the setup script.

Read more >

Relevance indicator

75

Table of settings


UIX

No impact : 0

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\Software\Policies\Microsoft\FVE
RegistryItem :
EncryptionMethodWithXtsOs

Values

Type :
Number
Possible Values :
  • 3 (AES-CBC 128-bit)
  • 4 (AES-CBC 256-bit)
  • 6 (XTS-AES 128-bit, default)
  • 7 (XTS-AES 256-bit)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\FVE' -name 'EncryptionMethodWithXtsOs'
Set Value :
Set-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\FVE' -name 'EncryptionMethodWithXtsOs' -value 6


More Informations


OS

1762 Basic BitLocker Drive Encryption: Drive encryption method (for operating system drives) Medium No impact None XtsAes128

BitLocker Drive Encryption: Drive encryption method (for operating system drives)


Introduction


This policy setting allows you to configure the encryption type used by BitLocker Drive Encryption. This policy setting is applied when you turn on BitLocker. Changing the encryption type has no effect if the drive is already encrypted or if encryption is in progress. Choose full encryption to require that the entire drive be encrypted when BitLocker is turned on. Choose used space only encryption to require that only the portion of the drive used to store data is encrypted when BitLocker is turned on.

  • If you enable this policy setting, the encryption type that BitLocker will use to encrypt drives is defined by this policy and the encryption type option will not be presented in the BitLocker setup wizard.
  • If you disable or do not configure this policy setting, the BitLocker setup wizard will ask the user to select the encryption type before turning on BitLocker.

Read more >

Relevance indicator

75

Table of settings


UIX

No impact : 0

Method

Method :
BitLockerVolume
Method Argument :
EncryptionMethod

Values

Type :
Number
Possible Values :
  • 0 (Allow user to choose, default)
  • 1 (Full encryption)
  • 2 (Used Space Only encryption)

More Informations


OS

1763 Basic BitLocker Drive Encryption: Operating System Drives: Configure minimum PIN length for startup Medium Impact 8

BitLocker Drive Encryption: Operating System Drives: Configure minimum PIN length for startup

BitLocker  PIN  TPM  Startup

Introduction


This policy setting allows you to configure a minimum length for a Trusted Platform Module (TPM) startup PIN. This policy setting is applied when you turn on BitLocker. The startup PIN must have a minimum length of 4 digits and can have a maximum length of 20 digits.

  • If you enable this policy setting, you can require a minimum number of digits to be used when setting the startup PIN.
  • If you disable or do not configure this policy setting, users can configure a startup PIN of any length between 6 and 20 digits.

Read more >

Relevance indicator

42

Table of settings


UIX

Impact : 2

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\Software\Policies\Microsoft\FVE
RegistryItem :
MinimumPIN

Values

Type :
Number
Possible Values :
  • 4 to 20 (inclusive)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\FVE' -name 'MinimumPIN'
Set Value :
Set-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\FVE' -name 'MinimumPIN' -value 8


More Informations


Notes

OS

Administrative Templates: Printer

1764 Basic Point and Print Restrictions: When installing drivers for a new connection (CVE-2021-34527) High No impact 0 0

Point and Print Restrictions: When installing drivers for a new connection (CVE-2021-34527)

Print  Drivers

Introduction


A remote code execution vulnerability exists when the Windows Print Spooler service incorrectly performs privileged operations on files. An attacker who successfully exploited this vulnerability could execute arbitrary code with SYSTEM privileges. The attacker could then install programs; view, modify or delete data; or create accounts with full privileges.

Read more >

Relevance indicator

100

Table of settings


UIX

No impact : 0

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint
RegistryItem :
NoWarningNoElevationOnInstall

Values

Type :
Number 
Possible Values :
  • 0 (Show warning and elevation prompt) 
  • 1 (Do not show warning or elevation prompt)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint' -name 'NoWarningNoElevationOnInstall'
Set Value :
Set-ItemProperty -path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint' -name 'NoWarningNoElevationOnInstall' -value 0


More Informations


Notes

1765 Basic Point and Print Restrictions: When updating drivers for an existing connection (CVE-2021-34527) High No impact 0 0

Point and Print Restrictions: When updating drivers for an existing connection (CVE-2021-34527)

Print  Drivers

Introduction


A remote code execution vulnerability exists when the Windows Print Spooler service incorrectly performs privileged operations on files. An attacker who successfully exploited this vulnerability could execute arbitrary code with SYSTEM privileges. The attacker could then install programs; view, modify or delete data; or create accounts with full privileges.

Read more >

Relevance indicator

100

Table of settings


UIX

No impact : 0

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint
RegistryItem :
UpdatePromptSettings

Values

Type :
Number 
Possible Values :
  • 0 (Show warning and elevation prompt) 
  • 1 (Show warning only) 
  • 2 (Do not show warning or elevation prompt)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint' -name 'UpdatePromptSettings'
Set Value :
Set-ItemProperty -path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint' -name 'UpdatePromptSettings' -value 0


More Informations


Notes

1766 Basic Point and Print Restrictions: Only administrators can install printer drivers on a print server (CVE-2021-34527) Medium No impact 0 1

Point and Print Restrictions: Only administrators can install printer drivers on a print server (CVE-2021-34527)

Print  Drivers

Introduction


Restrict the installation of new printer drivers

Read more >

Relevance indicator

75

Table of settings


UIX

No impact : 0

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint
RegistryItem :
RestrictDriverInstallationToAdministrators

Values

Type :
Number
Possible Values :
  • 1 (Only administrators can install printer drivers; overrides all Point and Print Group Policy settings)
  • 0 (Does not override Point and Print Group Policy settings)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint' -name 'RestrictDriverInstallationToAdministrators'
Set Value :
Set-ItemProperty -path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint' -name 'RestrictDriverInstallationToAdministrators' -value 1


More Informations


Notes

OS

Administrative Templates: Windows Components

1767 Basic News and interests: Enable news and interests on the taskbar Medium Potentially 0

News and interests: Enable news and interests on the taskbar

Taskbar

Introduction


This policy setting specifies whether news and interests is allowed on the device.

Read more >

Relevance indicator

58

Table of settings


UIX

Potentially : 1

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\Software\Policies\Microsoft\Windows\Windows Feeds
RegistryItem :
EnableFeeds

Values

Type :
Number
Possible Values :
  • 1 (Enable)
  • 0 (Disable)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\Windows\Windows Feeds' -name 'EnableFeeds'
Set Value :
Set-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\Windows\Windows Feeds' -name 'EnableFeeds' -value 0


More Informations


OS

Administrative Templates: Printer

1768 Basic Only use Package Point and Print (CVE-2021-36958) Medium No impact 1

Only use Package Point and Print (CVE-2021-36958)

Print

Introduction


This policy restricts client computers to using package point and print only.

  • If this setting is enabled, users will only be able to point and print to printers that use package-aware drivers. When using package point and print, client computers will check the driver signature of all drivers that are downloaded from print servers.
  • If this setting is disabled or not configured, users will not be restricted to package-aware point and print only.

Read more >

Relevance indicator

75

Table of settings


UIX

No impact : 0

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint
RegistryItem :
PackagePointAndPrintOnly

Values

Type :
Number
Possible Values :
  • 1 (Enable)
  • 0 (Disable)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint' -name 'PackagePointAndPrintOnly'
Set Value :
Set-ItemProperty -path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint' -name 'PackagePointAndPrintOnly' -value 1


More Informations


OS

1769 Basic Package Point and Print - Approved servers (CVE-2021-36958) Medium No impact 1

Package Point and Print - Approved servers (CVE-2021-36958)

Print

Introduction


This policy setting restricts package point and print connections to approved servers. This setting only applies to Package Point and Print connections, and is completely independent from the "Point and Print Restrictions" policy that governs the behavior of non-package point and print connections.

Read more >

Relevance indicator

75

Table of settings


UIX

No impact : 0

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint
RegistryItem :
PackagePointAndPrintServerList

Values

Type :
Number
Possible Values :
  • 1 (Enable)
  • 0 (Disable)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint' -name 'PackagePointAndPrintServerList'
Set Value :
Set-ItemProperty -path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint' -name 'PackagePointAndPrintServerList' -value 1


More Informations


OS

Microsoft Defender Antivirus

1800 Basic Turn off Windows Defender Antivirus Medium No impact 0 0

Turn off Windows Defender Antivirus


Introduction


DisableAntiSpyware specifies whether to disable Microsoft Defender Antivirus. Microsoft Defender Antivirus is an application that can prevent, remove, and quarantine malicious software, including spyware.

Read more >

Relevance indicator

75

Table of settings


UIX

No impact : 0

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\Software\Policies\Microsoft\Windows Defender
RegistryItem :
DisableAntiSpyware

Values

Type :
Number
Possible Values :
  • 1 (Enable)
  • 0 (Disable)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\Windows Defender' -name 'DisableAntiSpyware'
Set Value :
Set-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\Windows Defender' -name 'DisableAntiSpyware' -value 0


More Informations


OS

1801 Basic Configure detection for potentially unwanted applications Medium Potentially 0 1

Configure detection for potentially unwanted applications


Introduction


Enable or disable detection for potentially unwanted applications. You can choose to block, audit, or allow when potentially unwanted software is being downloaded or attempts to install itself on your computer.

Read more >

Relevance indicator

58

Table of settings


UIX

Potentially : 1

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\Software\Policies\Microsoft\Windows Defender
RegistryItem :
PUAProtection

Values

Type :
Number
Possible Values :
  • (0)Disable
  • (1)Enable
  • (2)AuditMode

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\Windows Defender' -name 'PUAProtection'
Set Value :
Set-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\Windows Defender' -name 'PUAProtection' -value 1


More Informations


Notes

OS

1802 Basic Cloud-delivered protection Medium No impact 2 2

Cloud-delivered protection


Introduction


Specifies the type of membership in Microsoft Active Protection Service. Microsoft Active Protection Service is an online community that helps you choose how to respond to potential threats. The community also helps prevent the spread of new malicious software.

Read more >

Relevance indicator

75

Table of settings


UIX

No impact : 0

Method

Method :
MpPreference
Method Argument :
MAPSReporting

Values

Type :
Number
Possible Values :
  • (0)Disable
  • (1)Basic
  • (2)Advanced

Powershell Command

Getting Command :
Get-MPPreference | Select-Object MAPSReporting ;
Setting Command :
Set-MpPreference -MAPSReporting ;

More Informations


Notes

OS

1803 Basic Automatic sample submission Medium Impact 1 2

Automatic sample submission

Defender  Telemetry

Introduction


Specifies how Windows Defender checks for user consent for certain samples. If consent has previously been granted, Windows Defender submits the samples. Otherwise, if the MAPSReporting parameter does not have a value of Disabled, Windows Defender prompts the user for consent.

Read more >

Relevance indicator

42

Table of settings


UIX

Impact : 2

Method

Method :
MpPreference
Method Argument :
SubmitSamplesConsent

Values

Type :
Number
Possible Values :
  • (0)AlwaysPrompt
  • (1)SendSafeSamples
  • (2)NeverSend
  • (3)SendAllSamples

Powershell Command

Getting Command :
Get-MPPreference | Select-Object SubmitSamplesConsent ;
Setting Command :
Set-MpPreference -SubmitSamplesConsent ;

More Informations


Notes

1804 StrongBox Controlled folder access Medium Impact 0 1

Controlled folder access


Introduction


Controlled folder access helps you protect valuable data from malicious apps and threats, such as ransomware.

Read more >

Relevance indicator

25

Table of settings


UIX

Impact : 2

Method

Method :
MpPreference
Method Argument :
EnableControlledFolderAccess

Values

Type :
Number
Possible Values :
  • (0)Disable
  • (1)Enable
  • (2)AuditMode

Powershell Command

Getting Command :
Get-MPPreference | Select-Object EnableControlledFolderAccess ;
Setting Command :
Set-MpPreference -EnableControlledFolderAccess ;

More Informations


Potential impact

OS

1805 Basic Real time monitoring High Potentially False False

Real time monitoring


Introduction


Indicates whether to use real-time protection. If you specify a value of False or do not specify a value, Windows Defender uses real-time protection. We recommend that you enable Windows Defender to use real-time protection.

Read more >

Relevance indicator

83

Table of settings


UIX

Potentially : 1

Method

Method :
MpPreference
Method Argument :
DisableRealtimeMonitoring

Values

Type :
Boolean
Possible Values :
  • True
  • False

Powershell Command

Getting Command :
Get-MPPreference | Select-Object DisableRealtimeMonitoring ;
Setting Command :
Set-MpPreference -DisableRealtimeMonitoring ;

More Informations


1806 Basic Exclusions: Extension Exclusions (Policy) Medium No impact

Exclusions: Extension Exclusions (Policy)

Defender  Extension  Exclusion

Introduction


This policy setting allows you to specify a list of file types that should be excluded from scheduled, custom, and real-time scanning. File types should be added under the Options for this setting. Each entry must be listed as a name value pair, where the name should be a string representation of the file type extension (such as "obj" or "lib").

Read more >

Relevance indicator

75

Table of settings


UIX

No impact : 0

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions
RegistryItem :
Exclusions_Extensions

Values

Type :
Number
Possible Values :
  • 1 (Enable)
  • 0 (Disable)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions' -name 'Exclusions_Extensions'
Set Value :
Set-ItemProperty -path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions' -name 'Exclusions_Extensions' -value


More Informations


OS

1807 Basic Exclusions: List Extension Exclusions Medium No impact

Exclusions: List Extension Exclusions

Defender  Extension  Exclusion

Introduction


This policy setting allows you, from PowerShell, to specify a list of file types that should be excluded from scheduled, custom, and real-time scanning. File types are passed after the -ExclusionExtension parameter.

Example : Add-MpPreference -ExclusionExtension .log, .xml, .cfg

Read more >

Relevance indicator

75

Table of settings


UIX

No impact : 0

Method

Method :
MpPreferenceExclusion
Method Argument :
ExclusionExtension

Values

Type :
String 
Possible Values :
  • Extensions (.log, .xml, .docx, …)

Powershell Command

Getting Command :
Get-MPPreference | Select-Object ExclusionExtension ;
Setting Command :
Add-MpPreference -ExclusionExtension ;

More Informations


OS

1808 Basic Exclusions: Path Exclusions (Policy) Medium No impact

Exclusions: Path Exclusions (Policy)

Defender  Path  Exclusion

Introduction


This policy setting allows you to disable scheduled and real-time scanning for files under the paths specified or for the fully qualified resources specified.

Read more >

Relevance indicator

75

Table of settings


UIX

No impact : 0

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions
RegistryItem :
Exclusions_Paths

Values

Type :
Number
Possible Values :
  • 1 (Enable)
  • 0 (Disable)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions' -name 'Exclusions_Paths'
Set Value :
Set-ItemProperty -path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions' -name 'Exclusions_Paths' -value


More Informations


OS

1809 Basic Exclusions: List Path Exclusions Medium No impact

Exclusions: List Path Exclusions

Defender  Path  Exclusion

Introduction


This policy setting allows you, from PowerShell, to disable scheduled and real-time scanning for files under the paths specified or for the fully qualified resources specified.

Example : Add-MpPreference -ExclusionPath %SystemDrive%\Dossier-1, %SystemRoot%\Dossier-2

Read more >

Relevance indicator

75

Table of settings


UIX

No impact : 0

Method

Method :
MpPreferenceExclusion
Method Argument :
ExclusionPath

Values

Type :
String 
Possible Values :
  • Folder (%SystemRoot%\Dossier-2, "%ProgramFiles(x86)%\folder with space-3", ...)

Powershell Command

Getting Command :
Get-MPPreference | Select-Object ExclusionPath ;
Setting Command :
Add-MpPreference -ExclusionPath ;

More Informations


OS

1810 Basic Exclusions: Process Exclusions (Policy) Medium No impact

Exclusions: Process Exclusions (Policy)

Defender  Process  Exclusion

Introduction


This policy setting allows you to disable scheduled and real-time scanning for any file opened by any of the specified processes. The process itself will not be excluded. To exclude the process, use the Path exclusion. Processes should be added under the Options for this setting. Each entry must be listed as a name value pair, where the name should be a string representation of the path to the process image. Note that only executables can be excluded.

Read more >

Relevance indicator

75

Table of settings


UIX

No impact : 0

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions
RegistryItem :
Exclusions_Processes

Values

Type :
Number
Possible Values :
  • 1 (Enable)
  • 0 (Disable)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions' -name 'Exclusions_Processes'
Set Value :
Set-ItemProperty -path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions' -name 'Exclusions_Processes' -value


More Informations


OS

1811 Basic Exclusions: List Process Exclusions Medium No impact

Exclusions: List Process Exclusions

Defender  Process  Exclusion

Introduction


This policy setting allows you, from PowerShell, to disable scheduled and real-time scanning for any file opened by any of the specified processes. The process itself will not be excluded. To exclude the process, use the Path exclusion.

Example : Add-MpPreference -ExclusionProcess process-1.exe, process-2.exe, process-3.exe

Read more >

Relevance indicator

75

Table of settings


UIX

No impact : 0

Method

Method :
MpPreferenceExclusion
Method Argument :
ExclusionProcess

Values

Type :
String 
Possible Values :
  • Executable file (application.exe, …)

Powershell Command

Getting Command :
Get-MPPreference | Select-Object ExclusionProcess ;
Setting Command :
Add-MpPreference -ExclusionProcess ;

More Informations


Notes

OS

1812 Basic Enable sandboxing for Microsoft Defender Antivirus Medium Potentially 0 1

Enable sandboxing for Microsoft Defender Antivirus

Defender  Sandbox

Introduction


Windows Sandbox provides a lightweight desktop environment to safely run applications in isolation. Software installed inside the Windows Sandbox environment remains "sandboxed" and runs separately from the host machine.

A sandbox is temporary. When it's closed, all the software and files and the state are deleted. You get a brand-new instance of the sandbox every time you open the application.

Read more >

Relevance indicator

58

Table of settings


UIX

Potentially : 1

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment
RegistryItem :
MP_FORCE_USE_SANDBOX

Values

Type :
Number
Possible Values :
  • 1 (Enable)
  • 0 (Disable)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -name 'MP_FORCE_USE_SANDBOX'
Set Value :
Set-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -name 'MP_FORCE_USE_SANDBOX' -value 1


More Information


Potential impact

OS

Microsoft Defender Exploit Guard

1900 Basic Attack Surface Reduction rules Medium No impact 0 1

Attack Surface Reduction rules

Defender  ASR

Introduction


Set the state for each Attack Surface Reduction (ASR) rule.

Read more >

Relevance indicator

75

Table of settings


UIX

No impact : 0

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR
RegistryItem :
ExploitGuard_ASR_Rules

Values

Type :
Number
Possible Values :
  • 1 (Enable)
  • 0 (Disable)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR' -name 'ExploitGuard_ASR_Rules'
Set Value :
Set-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR' -name 'ExploitGuard_ASR_Rules' -value 1


More Information


OS

1901 Basic ASR: Block executable content from email client and webmail (Policy) Medium Impact 0 1

ASR: Block executable content from email client and webmail (Policy)

Defender  Email

Introduction


This rule blocks the following file types from launching from email opened within the Microsoft Outlook application, or Outlook.com and other popular webmail providers:

  • Executable files (such as .exe, .dll, or .scr)
  • Script files (such as a PowerShell .ps, Visual Basic .vbs, or JavaScript .js file)

Read more >

Relevance indicator

42

Table of settings


UIX

Impact : 2

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules
RegistryItem :
be9ba2d9-53ea-4cdc-84e5-9b1eeee46550

Values

Type :
Number 
Possible Values :
  • 1 (Block) 
  • 0 (Off) 
  • 2 (Audit)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules' -name 'be9ba2d9-53ea-4cdc-84e5-9b1eeee46550'
Set Value :
Set-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules' -name 'be9ba2d9-53ea-4cdc-84e5-9b1eeee46550' -value 1


More Information


Advice

Notes

OS

1902 Basic ASR: Block Office applications from creating child processes (Policy) Medium Potentially 0 1

ASR: Block Office applications from creating child processes (Policy)

Defender  Office  Process  Outlook

Introduction


This rule prevents Outlook from creating child processes, while still allowing legitimate Outlook functions.
This rule protects against social engineering attacks and prevents exploit code from abusing vulnerabilities in Outlook. It also protects against Outlook rules and forms exploits that attackers can use when a user's credentials are compromised.

Read more >

Relevance indicator

58

Table of settings


UIX

Potentially : 1

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules
RegistryItem :
d4f940ab-401b-4efc-aadc-ad5f3c50688a

Values

Type :
Number 
Possible Values :
  • 1 (Block) 
  • 0 (Off) 
  • 2 (Audit)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules' -name 'd4f940ab-401b-4efc-aadc-ad5f3c50688a'
Set Value :
Set-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules' -name 'd4f940ab-401b-4efc-aadc-ad5f3c50688a' -value 1


More Information


Potential impact

Advice

Notes

OS

1903 Basic ASR: Block Office applications from creating executable content (Policy) Medium Potentially 0 1

ASR: Block Office applications from creating executable content (Policy)

Defender  Office  Executable

Introduction


This rule prevents Office apps, including Word, Excel, and PowerPoint, from creating potentially malicious executable content, by blocking malicious code from being written to disk.

Read more >

Relevance indicator

58

Table of settings


UIX

Potentially : 1

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules
RegistryItem :
3b576869-a4ec-4529-8536-b80a7769e899

Values

Type :
Number 
Possible Values :
  • 1 (Block) 
  • 0 (Off) 
  • 2 (Audit)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules' -name '3b576869-a4ec-4529-8536-b80a7769e899'
Set Value :
Set-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules' -name '3b576869-a4ec-4529-8536-b80a7769e899' -value 1


More Information


Notes

OS

1904 Basic ASR: Block Office applications from injecting into other processes (Policy) Medium Potentially 0 1

ASR: Block Office applications from injecting into other processes (Policy)

Defender  Office  Inject

Introduction


This rule blocks code injection attempts from Office apps into other processes.
Attackers might attempt to use Office apps to migrate malicious code into other processes through code injection, so the code can masquerade as a clean process.
There are no known legitimate business purposes for using code injection. This rule applies to Word, Excel, and PowerPoint.

Read more >

Relevance indicator

58

Table of settings


UIX

Potentially : 1

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules
RegistryItem :
75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84

Values

Type :
Number 
Possible Values :
  • 1 (Block) 
  • 0 (Off) 
  • 2 (Audit)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules' -name '75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84'
Set Value :
Set-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules' -name '75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84' -value 1


More Information


Notes

OS

1905 Basic ASR: Impede JavaScript and VBScript to launch executables (Policy) Medium Potentially 0 1

ASR: Impede JavaScript and VBScript to launch executables (Policy)

Defender  Javascript  VBScript

Introduction


This rule prevents scripts from launching potentially malicious downloaded content. Malware written in JavaScript or VBScript often acts as a downloader to fetch and launch other malware from the Internet.

Read more >

Relevance indicator

58

Table of settings


UIX

Potentially : 1

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules
RegistryItem :
d3e037e1-3eb8-44c8-a917-57927947596d

Values

Type :
Number 
Possible Values :
  • 1 (Block) 
  • 0 (Off) 
  • 2 (Audit)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules' -name 'd3e037e1-3eb8-44c8-a917-57927947596d'
Set Value :
Set-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules' -name 'd3e037e1-3eb8-44c8-a917-57927947596d' -value 1


More Information


Notes

OS

1906 Basic ASR: Block execution of potentially obfuscated scripts (Policy) Medium Potentially 0 1

ASR: Block execution of potentially obfuscated scripts (Policy)

Defender  Script  Obfuscated

Introduction


This rule detects suspicious properties within an obfuscated script.
Script obfuscation is a common technique that both malware authors and legitimate applications use to hide intellectual property or decrease script loading times.
Malware authors also use obfuscation to make malicious code harder to read, which prevents close scrutiny by humans and security software.

Read more >

Relevance indicator

58

Table of settings


UIX

Potentially : 1

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules
RegistryItem :
5beb7efe-fd9a-4556-801d-275e5ffc04cc

Values

Type :
Number 
Possible Values :
  • 1 (Block) 
  • 0 (Off) 
  • 2 (Audit)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules' -name '5beb7efe-fd9a-4556-801d-275e5ffc04cc'
Set Value :
Set-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules' -name '5beb7efe-fd9a-4556-801d-275e5ffc04cc' -value 1


More Information


Notes

OS

1907 Basic ASR: Block Win32 imports from Macro code in Office (Policy) Medium Potentially 0 1

ASR: Block Win32 imports from Macro code in Office (Policy)

Defender  Office  Win32  Macro

Introduction


This rule prevents VBA macros from calling Win32 APIs.
Office VBA enables Win32 API calls. Malware can abuse this capability, such as calling Win32 APIs to launch malicious shellcode without writing anything directly to disk.
Most organizations don't rely on the ability to call Win32 APIs in their day-to-day functioning, even if they use macros in other ways.

Read more >

Relevance indicator

58

Table of settings


UIX

Potentially : 1

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules
RegistryItem :
92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b

Values

Type :
Number 
Possible Values :
  • 1 (Block) 
  • 0 (Off) 
  • 2 (Audit)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules' -name '92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b'
Set Value :
Set-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules' -name '92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b' -value 1


More Information


Notes

OS

1908 Basic ASR: Block executable files from running unless they meet a prevalence, age, or trusted list criteria (Policy) Medium Impact 0 1

ASR: Block executable files from running unless they meet a prevalence, age, or trusted list criteria (Policy)

Defender  Executable  Criteria

Introduction


This rule blocks executable files, such as .exe, .dll, or .scr, from launching unless any of the following conditions are met:

  • Prevalence: The executable files are found on more than 1,000 endpoints
  • Age: The executable files were released more than 24 hours ago
  • Location: The executable files are included in a trusted list or an exclusion list

Launching untrusted or unknown executable files can be risky, as it might not be initially clear if the files are malicious.

Read more >

Relevance indicator

42

Table of settings


UIX

Impact : 2

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules
RegistryItem :
01443614-cd74-433a-b99e-2ecdc07bfc25

Values

Type :
Number 
Possible Values :
  • 1 (Block) 
  • 0 (Off) 
  • 2 (Audit)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules' -name '01443614-cd74-433a-b99e-2ecdc07bfc25'
Set Value :
Set-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules' -name '01443614-cd74-433a-b99e-2ecdc07bfc25' -value 1


More Information


Notes

OS

1909 Basic ASR: Use advanced protection against ransomware (Policy) Medium No impact 0 1

ASR: Use advanced protection against ransomware (Policy)

Defender  Ransomware

Introduction


This rule provides an extra layer of protection against ransomware. It uses both client and cloud heuristics to determine whether a file resembles ransomware. This rule does not block files that have one or more of the following characteristics:

  • The file has already been found to be unharmful in the Microsoft cloud.
  • The file is a valid signed file.
  • The file is prevalent enough to not be considered as ransomware.

Read more >

Relevance indicator

75

Table of settings


UIX

No impact : 0

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules
RegistryItem :
c1db55ab-c21a-4637-bb3f-a12568109d35

Values

Type :
Number 
Possible Values :
  • 1 (Block) 
  • 0 (Off) 
  • 2 (Audit)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules' -name 'c1db55ab-c21a-4637-bb3f-a12568109d35'
Set Value :
Set-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules' -name 'c1db55ab-c21a-4637-bb3f-a12568109d35' -value 1


More Information


Notes

OS

1910 Basic ASR: Block credential stealing from the Windows local security authority subsystem (lsass.exe) (Policy) Medium No impact 0 1

ASR: Block credential stealing from the Windows local security authority subsystem (lsass.exe) (Policy)

Defender  Credential

Introduction


This rule helps prevent credential stealing by locking down Local Security Authority Subsystem Service (LSASS). LSASS authenticates users who sign in on a Windows computer.
Microsoft Defender Credential Guard in Windows 10 normally prevents attempts to extract credentials from LSASS.
However, some organizations can't enable Credential Guard on all of their computers because of compatibility issues with custom smartcard drivers or other programs that load into the Local Security Authority (LSA). In these cases, attackers can use hacking tools like Mimikatz to scrape cleartext passwords and NTLM hashes from LSASS.

Read more >

Relevance indicator

75

Table of settings


UIX

No impact : 0

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules
RegistryItem :
9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2

Values

Type :
Number 
Possible Values :
  • 1 (Block) 
  • 0 (Off) 
  • 2 (Audit)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules' -name '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2'
Set Value :
Set-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules' -name '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' -value 1


More Information


Notes

OS

1911 Basic ASR: Block process creations originating from PSExec and WMI commands (Policy) Medium Potentially 0 1

ASR: Block process creations originating from PSExec and WMI commands (Policy)

Defender  WMI  PSExec

Introduction


This rule blocks processes created through PsExec and WMI from running. Both PsExec and WMI can remotely execute code, so there is a risk of malware abusing this functionality for command and control purposes, or to spread an infection throughout an organization's network.

Read more >

Relevance indicator

58

Table of settings


UIX

Potentially : 1

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules
RegistryItem :
d1e49aac-8f56-4280-b9ba-993a6d77406c

Values

Type :
Number 
Possible Values :
  • 1 (Block) 
  • 0 (Off) 
  • 2 (Audit)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules' -name 'd1e49aac-8f56-4280-b9ba-993a6d77406c'
Set Value :
Set-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules' -name 'd1e49aac-8f56-4280-b9ba-993a6d77406c' -value 1


More Information


Notes

OS

1912 Basic ASR: Block untrusted and unsigned processes that run from USB (Policy) Medium Potentially 0 1

ASR: Block untrusted and unsigned processes that run from USB (Policy)

Defender  USB  Process

Introduction


With this rule, admins can prevent unsigned or untrusted executable files from running from USB removable drives, including SD cards. Blocked file types include executable files (such as .exe, .dll, or .scr).

Read more >

Relevance indicator

58

Table of settings


UIX

Potentially : 1

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules
RegistryItem :
b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4

Values

Type :
Number 
Possible Values :
  • 1 (Block) 
  • 0 (Off) 
  • 2 (Audit)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules' -name 'b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4'
Set Value :
Set-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules' -name 'b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4' -value 1


More Information


Notes

OS

1913 Basic ASR: Block Office communication applications from creating child processes (Policy) Medium Potentially 0 1

ASR: Block Office communication applications from creating child processes (Policy)

Defender  Office

Introduction


This rule prevents Outlook from creating child processes, while still allowing legitimate Outlook functions.
This rule protects against social engineering attacks and prevents exploit code from abusing vulnerabilities in Outlook. It also protects against Outlook rules and forms exploits that attackers can use when a user's credentials are compromised.

Read more >

Relevance indicator

58

Table of settings


UIX

Potentially : 1

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules
RegistryItem :
26190899-1602-49e8-8b27-eb1d0a1ce869

Values

Type :
Number 
Possible Values :
  • 1 (Block) 
  • 0 (Off) 
  • 2 (Audit)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules' -name '26190899-1602-49e8-8b27-eb1d0a1ce869'
Set Value :
Set-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules' -name '26190899-1602-49e8-8b27-eb1d0a1ce869' -value 1


More Information


Notes

OS

1914 Basic ASR: Block Adobe Reader from creating child processes (Policy) Medium Potentially 0 1

ASR: Block Adobe Reader from creating child processes (Policy)

Defender  Adobe  Process

Introduction


This rule prevents attacks by blocking Adobe Reader from creating processes. Through social engineering or exploits, malware can download and launch payloads, and break out of Adobe Reader. By blocking child processes from being generated by Adobe Reader, malware attempting to use it as a vector is prevented from spreading.

Read more >

Relevance indicator

58

Table of settings


UIX

Potentially : 1

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules
RegistryItem :
7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c

Values

Type :
Number 
Possible Values :
  • 1 (Block) 
  • 0 (Off) 
  • 2 (Audit)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules' -name '7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c'
Set Value :
Set-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules' -name '7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c' -value 1


More Information


Notes

OS

1915 Basic ASR: Block persistence through WMI event subscription (Policy) Medium Potentially 0 1

ASR: Block persistence through WMI event subscription (Policy)

Defender  WMI

Introduction


This rule prevents malware from abusing WMI to attain persistence on a device. Fileless threats employ various tactics to stay hidden, to avoid being seen in the file system, and to gain periodic execution control. Some threats can abuse the WMI repository and event model to stay hidden.

Read more >

Relevance indicator

58

Table of settings


UIX

Potentially : 1

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules
RegistryItem :
e6db77e5-3df2-4cf1-b95a-636979351e5b

Values

Type :
Number 
Possible Values :
  • 1 (Block) 
  • 0 (Off) 
  • 2 (Audit)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules' -name 'e6db77e5-3df2-4cf1-b95a-636979351e5b'
Set Value :
Set-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules' -name 'e6db77e5-3df2-4cf1-b95a-636979351e5b' -value 1


More Information


Notes

OS

1916 Basic ASR: Block executable content from email client and webmail Medium Impact 0 1

ASR: Block executable content from email client and webmail

Defender  Email

Introduction


This rule blocks the following file types from launching from email opened within the Microsoft Outlook application, or Outlook.com and other popular webmail providers:

  • Executable files (such as .exe, .dll, or .scr)
  • Script files (such as a PowerShell .ps, Visual Basic .vbs, or JavaScript .js file)

Read more >

Relevance indicator

42

Table of settings


UIX

Impact : 2

Method

Method :
MpPreferenceAsr
Method Argument :
be9ba2d9-53ea-4cdc-84e5-9b1eeee46550

Values

Type :
String 
Possible Values :
  • Enabled 
  • AuditMode 
  • Warn 
  • Disabled

Powershell Command

Getting Command :
Get-MPPreference | Select-Object -ExpandProperty AttackSurfaceReductionRules_Ids ;
Setting Command :
Add-MpPreference -AttackSurfaceReductionRules_Ids be9ba2d9-53ea-4cdc-84e5-9b1eeee46550 -AttackSurfaceReductionRules_Actions Enabled ;

More Information


Notes

OS

1917 Basic ASR: Block Office applications from creating child processes Medium Potentially 0 1

ASR: Block Office applications from creating child processes

Defender  Office  Process

Introduction


This rule prevents Outlook from creating child processes, while still allowing legitimate Outlook functions.
This rule protects against social engineering attacks and prevents exploit code from abusing vulnerabilities in Outlook. It also protects against Outlook rules and forms exploits that attackers can use when a user's credentials are compromised.

Read more >

Relevance indicator

58

Table of settings


UIX

Potentially : 1

Method

Method :
MpPreferenceAsr
Method Argument :
d4f940ab-401b-4efc-aadc-ad5f3c50688a

Values

Type :
String 
Possible Values :
  • Enabled 
  • AuditMode 
  • Warn 
  • Disabled

Powershell Command

Getting Command :
Get-MPPreference | Select-Object -ExpandProperty AttackSurfaceReductionRules_Ids ;
Setting Command :
Add-MpPreference -AttackSurfaceReductionRules_Ids d4f940ab-401b-4efc-aadc-ad5f3c50688a -AttackSurfaceReductionRules_Actions Enabled ;

More Information


Potential impact

Advice

Notes

OS

1918 Basic ASR: Block Office applications from creating executable content Medium Potentially 0 1

ASR: Block Office applications from creating executable content

Defender  Office  Executable

Introduction


This rule prevents Office apps, including Word, Excel, and PowerPoint, from creating potentially malicious executable content, by blocking malicious code from being written to disk.

Read more >

Relevance indicator

58

Table of settings


UIX

Potentially : 1

Method

Method :
MpPreferenceAsr
Method Argument :
3b576869-a4ec-4529-8536-b80a7769e899

Values

Type :
String 
Possible Values :
  • Enabled 
  • AuditMode 
  • Warn 
  • Disabled

Powershell Command

Getting Command :
Get-MPPreference | Select-Object -ExpandProperty AttackSurfaceReductionRules_Ids ;
Setting Command :
Add-MpPreference -AttackSurfaceReductionRules_Ids 3b576869-a4ec-4529-8536-b80a7769e899 -AttackSurfaceReductionRules_Actions Enabled ;

More Information


Notes

OS

1919 Basic ASR: Block Office applications from injecting into other processes Medium Potentially 0 1

ASR: Block Office applications from injecting into other processes

Defender  Office  Inject

Introduction


This rule blocks code injection attempts from Office apps into other processes.
Attackers might attempt to use Office apps to migrate malicious code into other processes through code injection, so the code can masquerade as a clean process.
There are no known legitimate business purposes for using code injection. This rule applies to Word, Excel, and PowerPoint.

Read more >

Relevance indicator

58

Table of settings


UIX

Potentially : 1

Method

Method :
MpPreferenceAsr
Method Argument :
75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84

Values

Type :
String 
Possible Values :
  • Enabled 
  • AuditMode 
  • Warn 
  • Disabled

Powershell Command

Getting Command :
Get-MPPreference | Select-Object -ExpandProperty AttackSurfaceReductionRules_Ids ;
Setting Command :
Add-MpPreference -AttackSurfaceReductionRules_Ids 75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84 -AttackSurfaceReductionRules_Actions Enabled ;

More Information


Notes

OS

1920 Basic ASR: Impede JavaScript and VBScript to launch executables Medium Potentially 0 1

ASR: Impede JavaScript and VBScript to launch executables

Defender  Javascript  VBScript

Introduction


This rule prevents scripts from launching potentially malicious downloaded content. Malware written in JavaScript or VBScript often acts as a downloader to fetch and launch other malware from the Internet.

Read more >

Relevance indicator

58

Table of settings


UIX

Potentially : 1

Method

Method :
MpPreferenceAsr
Method Argument :
d3e037e1-3eb8-44c8-a917-57927947596d

Values

Type :
String 
Possible Values :
  • Enabled 
  • AuditMode 
  • Warn 
  • Disabled

Powershell Command

Getting Command :
Get-MPPreference | Select-Object -ExpandProperty AttackSurfaceReductionRules_Ids ;
Setting Command :
Add-MpPreference -AttackSurfaceReductionRules_Ids d3e037e1-3eb8-44c8-a917-57927947596d -AttackSurfaceReductionRules_Actions Enabled ;

More Information


Notes

OS

1921 Basic ASR: Block execution of potentially obfuscated scripts Medium Potentially 0 1

ASR: Block execution of potentially obfuscated scripts

Defender  Script  Obfuscated

Introduction


This rule detects suspicious properties within an obfuscated script.
Script obfuscation is a common technique that both malware authors and legitimate applications use to hide intellectual property or decrease script loading times.
Malware authors also use obfuscation to make malicious code harder to read, which prevents close scrutiny by humans and security software.

Read more >

Relevance indicator

58

Table of settings


UIX

Potentially : 1

Method

Method :
MpPreferenceAsr
Method Argument :
5beb7efe-fd9a-4556-801d-275e5ffc04cc

Values

Type :
String 
Possible Values :
  • Enabled 
  • AuditMode 
  • Warn 
  • Disabled

Powershell Command

Getting Command :
Get-MPPreference | Select-Object -ExpandProperty AttackSurfaceReductionRules_Ids ;
Setting Command :
Add-MpPreference -AttackSurfaceReductionRules_Ids 5beb7efe-fd9a-4556-801d-275e5ffc04cc -AttackSurfaceReductionRules_Actions Enabled ;

More Information


Notes

OS

1922 Basic ASR: Block Win32 imports from Macro code in Office Medium Potentially 0 1

ASR: Block Win32 imports from Macro code in Office

Defender  Office  Win32  Macro

Introduction


This rule prevents VBA macros from calling Win32 APIs.
Office VBA enables Win32 API calls. Malware can abuse this capability, such as calling Win32 APIs to launch malicious shellcode without writing anything directly to disk.
Most organizations don't rely on the ability to call Win32 APIs in their day-to-day functioning, even if they use macros in other ways.

Read more >

Relevance indicator

58

Table of settings


UIX

Potentially : 1

Method

Method :
MpPreferenceAsr
Method Argument :
92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b

Values

Type :
String 
Possible Values :
  • Enabled 
  • AuditMode 
  • Warn 
  • Disabled

Powershell Command

Getting Command :
Get-MPPreference | Select-Object -ExpandProperty AttackSurfaceReductionRules_Ids ;
Setting Command :
Add-MpPreference -AttackSurfaceReductionRules_Ids 92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b -AttackSurfaceReductionRules_Actions Enabled ;

More Information


Notes

OS

1923 Basic ASR: Block executable files from running unless they meet a prevalence, age, or trusted list criteria Medium Impact 0 1

ASR: Block executable files from running unless they meet a prevalence, age, or trusted list criteria

Defender  Executable  Criteria

Introduction


This rule blocks executable files, such as .exe, .dll, or .scr, from launching unless any of the following conditions are met:

  • Prevalence: The executable files are found on more than 1,000 endpoints
  • Age: The executable files were released more than 24 hours ago
  • Location: The executable files are included in a trusted list or an exclusion list

Launching untrusted or unknown executable files can be risky, as it might not be initially clear if the files are malicious.

Read more >

Relevance indicator

42

Table of settings


UIX

Impact : 2

Method

Method :
MpPreferenceAsr
Method Argument :
01443614-cd74-433a-b99e-2ecdc07bfc25

Values

Type :
String 
Possible Values :
  • Enabled 
  • AuditMode 
  • Warn 
  • Disabled

Powershell Command

Getting Command :
Get-MPPreference | Select-Object -ExpandProperty AttackSurfaceReductionRules_Ids ;
Setting Command :
Add-MpPreference -AttackSurfaceReductionRules_Ids 01443614-cd74-433a-b99e-2ecdc07bfc25 -AttackSurfaceReductionRules_Actions Enabled ;

More Information


Notes

OS

1924 Basic ASR: Use advanced protection against ransomware Medium No impact 0 1

ASR: Use advanced protection against ransomware

Defender  Ransomware

Introduction


This rule provides an extra layer of protection against ransomware. It uses both client and cloud heuristics to determine whether a file resembles ransomware. This rule does not block files that have one or more of the following characteristics:

  • The file has already been found to be unharmful in the Microsoft cloud.
  • The file is a valid signed file.
  • The file is prevalent enough to not be considered as ransomware.

Read more >

Relevance indicator

75

Table of settings


UIX

No impact : 0

Method

Method :
MpPreferenceAsr
Method Argument :
c1db55ab-c21a-4637-bb3f-a12568109d35

Values

Type :
String 
Possible Values :
  • Enabled 
  • AuditMode 
  • Warn 
  • Disabled

Powershell Command

Getting Command :
Get-MPPreference | Select-Object -ExpandProperty AttackSurfaceReductionRules_Ids ;
Setting Command :
Add-MpPreference -AttackSurfaceReductionRules_Ids c1db55ab-c21a-4637-bb3f-a12568109d35 -AttackSurfaceReductionRules_Actions Enabled ;

More Information


Notes

OS

1925 Basic ASR: Block credential stealing from the Windows local security authority subsystem (lsass.exe) Medium No impact 0 1

ASR: Block credential stealing from the Windows local security authority subsystem (lsass.exe)

Defender  Credential

Introduction


This rule helps prevent credential stealing by locking down Local Security Authority Subsystem Service (LSASS). LSASS authenticates users who sign in on a Windows computer.
Microsoft Defender Credential Guard in Windows 10 normally prevents attempts to extract credentials from LSASS.
However, some organizations can't enable Credential Guard on all of their computers because of compatibility issues with custom smartcard drivers or other programs that load into the Local Security Authority (LSA). In these cases, attackers can use hack tools like Mimikatz to scrape cleartext passwords and NTLM hashes from LSASS.

Relevance indicator

75

Table of settings


UIX

No impact : 0

Method

Method :
MpPreferenceAsr
Method Argument :
9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2

Values

Type :
String 
Possible Values :
  • Enabled 
  • AuditMode 
  • Warn 
  • Disabled

Powershell Command

Getting Command :
Get-MPPreference | Select-Object -ExpandProperty AttackSurfaceReductionRules_Ids ;
Setting Command :
Add-MpPreference -AttackSurfaceReductionRules_Ids 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 -AttackSurfaceReductionRules_Actions Enabled ;

More Informations


Notes

OS

1926 Basic ASR: Block process creations originating from PSExec and WMI commands Medium Potentially 0 1

ASR: Block process creations originating from PSExec and WMI commands

Defender  WMI  PSExec

Introduction


This rule blocks processes created through PsExec and WMI from running. Both PsExec and WMI can remotely execute code, so there is a risk of malware abusing this functionality for command and control purposes, or to spread an infection throughout an organization's network.

Relevance indicator

58

Table of settings


UIX

Potentially : 1

Method

Method :
MpPreferenceAsr
Method Argument :
d1e49aac-8f56-4280-b9ba-993a6d77406c

Values

Type :
String 
Possible Values :
  • Enabled 
  • AuditMode 
  • Warn 
  • Disabled

Powershell Command

Getting Command :
Get-MPPreference | Select-Object -ExpandProperty AttackSurfaceReductionRules_Ids ;
Setting Command :
Add-MpPreference -AttackSurfaceReductionRules_Ids d1e49aac-8f56-4280-b9ba-993a6d77406c -AttackSurfaceReductionRules_Actions Enabled ;

More Informations


Notes

OS

1927 Basic ASR: Block untrusted and unsigned processes that run from USB Medium Potentially 0 1

ASR: Block untrusted and unsigned processes that run from USB

Defender  USB  Process

Introduction


With this rule, admins can prevent unsigned or untrusted executable files from running from USB removable drives, including SD cards. Blocked file types include executable files (such as .exe, .dll, or .scr).

Relevance indicator

58

Table of settings


UIX

Potentially : 1

Method

Method :
MpPreferenceAsr
Method Argument :
b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4

Values

Type :
String 
Possible Values :
  • Enabled 
  • AuditMode 
  • Warn 
  • Disabled

Powershell Command

Getting Command :
Get-MPPreference | Select-Object -ExpandProperty AttackSurfaceReductionRules_Ids ;
Setting Command :
Add-MpPreference -AttackSurfaceReductionRules_Ids b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 -AttackSurfaceReductionRules_Actions Enabled ;

More Informations


Notes

OS

1928 Basic ASR: Block Office communication applications from creating child processes Medium Potentially 0 1

ASR: Block Office communication applications from creating child processes

Defender  Office

Introduction


This rule prevents Outlook from creating child processes, while still allowing legitimate Outlook functions.
This rule protects against social engineering attacks and prevents exploiting code from abusing vulnerabilities in Outlook. It also protects against Outlook rules and forms exploits that attackers can use when a user's credentials are compromised.

Relevance indicator

58

Table of settings


UIX

Potentially : 1

Method

Method :
MpPreferenceAsr
Method Argument :
26190899-1602-49e8-8b27-eb1d0a1ce869

Values

Type :
String 
Possible Values :
  • Enabled 
  • AuditMode 
  • Warn 
  • Disabled

Powershell Command

Getting Command :
Get-MPPreference | Select-Object -ExpandProperty AttackSurfaceReductionRules_Ids ;
Setting Command :
Add-MpPreference -AttackSurfaceReductionRules_Ids 26190899-1602-49e8-8b27-eb1d0a1ce869 -AttackSurfaceReductionRules_Actions Enabled ;

More Informations


Notes

OS

1929 Basic ASR: Block Adobe Reader from creating child processes Medium Potentially 0 1

ASR: Block Adobe Reader from creating child processes

Defender  Adobe  Process

Introduction


This rule prevents attacks by blocking Adobe Reader from creating processes. Through social engineering or exploits, malware can download and launch payloads, and break out of Adobe Reader. By blocking child processes from being generated by Adobe Reader, malware attempting to use it as a vector is prevented from spreading.

Relevance indicator

58

Table of settings


UIX

Potentially : 1

Method

Method :
MpPreferenceAsr
Method Argument :
7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c

Values

Type :
String 
Possible Values :
  • Enabled 
  • AuditMode 
  • Warn 
  • Disabled

Powershell Command

Getting Command :
Get-MPPreference | Select-Object -ExpandProperty AttackSurfaceReductionRules_Ids ;
Setting Command :
Add-MpPreference -AttackSurfaceReductionRules_Ids 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c -AttackSurfaceReductionRules_Actions Enabled ;

More Informations


Notes

OS

1930 Basic ASR: Block persistence through WMI event subscription Medium Potentially 0 1

ASR: Block persistence through WMI event subscription

Defender  WMI

Introduction


This rule prevents malware from abusing WMI to attain persistence on a device. Fileless threats employ various tactics to stay hidden, to avoid being seen in the file system, and to gain periodic execution control. Some threats can abuse the WMI repository and event model to stay hidden.

Relevance indicator

58

Table of settings


UIX

Potentially : 1

Method

Method :
MpPreferenceAsr
Method Argument :
e6db77e5-3df2-4cf1-b95a-636979351e5b

Values

Type :
String 
Possible Values :
  • Enabled 
  • AuditMode 
  • Warn 
  • Disabled

Powershell Command

Getting Command :
Get-MPPreference | Select-Object -ExpandProperty AttackSurfaceReductionRules_Ids ;
Setting Command :
Add-MpPreference -AttackSurfaceReductionRules_Ids e6db77e5-3df2-4cf1-b95a-636979351e5b -AttackSurfaceReductionRules_Actions Enabled ;

More Informations


Notes

OS

1931 Basic ASR: Block abuse of exploited vulnerable signed drivers (Policy) Medium Potentially 0 1

ASR: Block abuse of exploited vulnerable signed drivers (Policy)

Defender  Drivers

Introduction


This rule prevents an application from writing a vulnerable signed driver to disk. In the wild, vulnerable signed drivers can be exploited by local applications that have sufficient privileges to gain access to the kernel. Vulnerable signed drivers enable attackers to disable or circumvent security solutions, eventually leading to system compromise. The Block abuse of exploited vulnerable signed drivers rule does not block a driver already existing on the system from being loaded.

Relevance indicator

58

Table of settings


UIX

Potentially : 1

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules
RegistryItem :
56a863a9-875e-4185-98a7-b882c64b5ce5

Values

Type :
Possible Values :

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules' -name '56a863a9-875e-4185-98a7-b882c64b5ce5'
Set Value :
Set-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules' -name '56a863a9-875e-4185-98a7-b882c64b5ce5' -value 1


More Informations


Notes

1932 Basic ASR: Block abuse of exploited vulnerable signed drivers Medium Potentially 0 1

ASR: Block abuse of exploited vulnerable signed drivers

Defender  Drivers

Introduction


This rule prevents an application from writing a vulnerable signed driver to disk. In the wild, vulnerable signed drivers can be exploited by local applications that have sufficient privileges to gain access to the kernel. Vulnerable signed drivers enable attackers to disable or circumvent security solutions, eventually leading to system compromise. The Block abuse of exploited vulnerable signed drivers rule does not block a driver already existing on the system from being loaded.

Relevance indicator

58

Table of settings


UIX

Potentially : 1

Method

Method :
MpPreferenceAsr
Method Argument :
56a863a9-875e-4185-98a7-b882c64b5ce5

Values

Type :
String 
Possible Values :
  • Block 
  • Audit 
  • Warn 
  • Not configured

Powershell Command

Getting Command :
Get-MPPreference | Select-Object -ExpandProperty AttackSurfaceReductionRules_Ids ;
Setting Command :
Add-MpPreference -AttackSurfaceReductionRules_Ids 56a863a9-875e-4185-98a7-b882c64b5ce5 -AttackSurfaceReductionRules_Actions Enabled ;

More Informations


Notes

OS

1950 Basic Exploit protection: Control flow guard (CFG) Medium Potentially On ON

Exploit protection: Control flow guard (CFG)

Defender  Exploit  CFG

Introduction


Control Flow Guard (CFG) is a highly-optimized platform security feature that was created to combat memory corruption vulnerabilities. By placing tight restrictions on where an application can execute code from, it makes it much harder for exploits to execute arbitrary code through vulnerabilities such as buffer overflows. CFG extends previous exploit mitigation technologies such as /GS, DEP, and ASLR.

This feature is available in Microsoft Visual Studio 2015, and runs on "CFG-Aware" versions of Windows—the x86 and x64 releases for Desktop and Server of Windows 10 and Windows 8.1 Update (KB3000850).

We strongly encourage developers to enable CFG for their applications. You don't have to enable CFG for every part of your code, as a mixture of CFG enabled and non-CFG enabled code will execute fine. But failing to enable CFG for all code can open gaps in the protection. Furthermore, CFG enabled code works fine on "CFG-Unaware" versions of Windows and is therefore fully compatible with them.

Relevance indicator

58

Table of settings


UIX

Potentially : 1

Method

Method :
Processmitigation
Method Argument :
Cfg.Enable

Values

Type :
String 
Possible Values :
  • Enable
  • Disable

Powershell Command

Getting Command :
Get-ProcessMitigation -System ;
Setting Command :
Set-ProcessMitigation -System -Enable CFG ;

More Informations


OS

1951 Basic Exploit protection: Data Execution Prevention (DEP) Medium Potentially On ON

Exploit protection: Data Execution Prevention (DEP)

Defender  DEP

Introduction


Data Execution Prevention (DEP) is a system-level memory protection feature that is built into the operating system starting with Windows XP and Windows Server 2003. DEP enables the system to mark one or more pages of memory as non-executable. Marking memory regions as non-executable means that code cannot be run from that region of memory, which makes it harder for the exploitation of buffer overruns.

DEP prevents code from being run from data pages such as the default heap, stacks, and memory pools. If an application attempts to run code from a data page that is protected, a memory access violation exception occurs, and if the exception is not handled, the calling process is terminated.

Relevance indicator

58

Table of settings


UIX

Potentially : 1

Method

Method :
Processmitigation
Method Argument :
DEP.Enable

Values

Type :
String 
Possible Values :
  • Enable
  • Disable

Powershell Command

Getting Command :
Get-ProcessMitigation -System ;
Setting Command :
Set-ProcessMitigation -System -Enable DEP ;

More Informations


OS

1952 Basic Exploit protection: Override Data Execution Prevention (DEP) Medium Potentially False False

Exploit protection: Override Data Execution Prevention (DEP)

Defender  DEP

Introduction


Data Execution Prevention (DEP) is a system-level memory protection feature that is built into the operating system starting with Windows XP and Windows Server 2003. DEP enables the system to mark one or more pages of memory as non-executable. Marking memory regions as non-executable means that code cannot be run from that region of memory, which makes it harder for the exploitation of buffer overruns.

DEP prevents code from being run from data pages such as the default heap, stacks, and memory pools. If an application attempts to run code from a data page that is protected, a memory access violation exception occurs, and if the exception is not handled, the calling process is terminated.

Relevance indicator

58

Table of settings


UIX

Potentially : 1

Method

Method :
Processmitigation
Method Argument :
DEP.OverrideDEP

Values

Type :
Possible Values :

Powershell Command

Getting Command :
Get-ProcessMitigation -System ;
Setting Command :
Set-ProcessMitigation -System -Enable DEP -False ;

More Informations


1953 Basic Force use of Data Execution Prevention (DEP) Medium Potentially OptIn AlwaysOn

Force use of Data Execution Prevention (DEP)

Defender  DEP

Introduction


Data Execution Prevention (DEP) is a system-level memory protection feature that is built into the operating system starting with Windows XP and Windows Server 2003. DEP enables the system to mark one or more pages of memory as non-executable. Marking memory regions as non-executable means that code cannot be run from that region of memory, which makes it harder for the exploitation of buffer overruns.

DEP prevents code from being run from data pages such as the default heap, stacks, and memory pools. If an application attempts to run code from a data page that is protected, a memory access violation exception occurs, and if the exception is not handled, the calling process is terminated.

Relevance indicator

58

Table of settings


UIX

Potentially : 1

Method

Method :
bcdedit
Method Argument :
nx

Values

Type :
String
Possible Values :
  • AlwaysOn
  • AlwaysOff
  • OptIn
  • OptOut

Powershell Command

Getting Command :
bcdedit /enum | Select-String nx ;
Setting Command :
bcdedit.exe /set {current} nx AlwaysOn ;

More Informations


OS

1954 Enterprise Exploit protection: Force randomization for images (Mandatory ASLR) Medium Impact Off ON

Exploit protection: Force randomization for images (Mandatory ASLR)

ASLR Exploit

Introduction


Address Space Layout Randomization (ASLR) mitigates the risk of an attacker using their knowledge of the memory layout of the system in order to execute code that is already present in process memory and already marked as executable.

This can mitigate the risk of an attacker using techniques such as return-to-libc attacks, where the adversary sets the context and then modifies the return address to execute existing code with context that suits the adversary's purpose.

Relevance indicator

33

Table of settings


UIX

Impact : 2

Method

Method :
Processmitigation
Method Argument :
ASLR.ForceRelocateImages

Values

Type :
String 
Possible Values :
  • Enable
  • Disable

Powershell Command

Getting Command :
Get-ProcessMitigation -System ;
Setting Command :
Set-ProcessMitigation -System -Enable ForceRelocateImages ;

More Informations


Potential impact

OS

1955 Enterprise Exploit protection: Override force randomization for images (Mandatory ASLR) Medium Impact False False

Exploit protection: Override force randomization for images (Mandatory ASLR)

ASLR Exploit

Introduction


Address Space Layout Randomization (ASLR) mitigates the risk of an attacker using their knowledge of the memory layout of the system in order to execute code that is already present in process memory and already marked as executable.

This can mitigate the risk of an attacker using techniques such as return-to-libc attacks, where the adversary sets the context and then modifies the return address to execute existing code with context that suits the adversary's purpose.

Relevance indicator

33

Table of settings


UIX

Impact : 2

Method

Method :
Processmitigation
Method Argument :
ASLR.OverrideForceRelocateImages

Values

Type :
String 
Possible Values :
  • Enable
  • Disable

More Informations


Potential impact

OS

1956 Enterprise Exploit protection: Randomize memory allocations (Bottom-up ASLR) Medium No impact On ON

Exploit protection: Randomize memory allocations (Bottom-up ASLR)

ASLR Exploit

Introduction


Randomize memory allocations (Bottom-up ASLR) adds entropy to relocations, so their location is randomized and therefore less predictable. This mitigation requires Mandatory ASLR to take effect.
The size of the 32-bit address space places practical constraints on the entropy that can be added, and therefore 64-bit applications make it more difficult for an attacker to guess a location in memory.

Relevance indicator

67

Table of settings


UIX

No impact : 0

Method

Method :
Processmitigation
Method Argument :
ASLR.BottomUp

Values

Type :
String 
Possible Values :
  • Enable
  • Disable

Powershell Command

Getting Command :
Get-ProcessMitigation -System ;
Setting Command :
Set-ProcessMitigation -System -Enable BottomUp ;

More Informations


OS

1957 Enterprise Exploit protection: Override randomize memory allocations (Bottom-up ASLR) Medium No impact False False

Exploit protection: Override randomize memory allocations (Bottom-up ASLR)

ASLR Exploit

Introduction


Randomize memory allocations (Bottom-up ASLR) adds entropy to relocations, so their location is randomized and therefore less predictable. This mitigation requires Mandatory ASLR to take effect.
The size of the 32-bit address space places practical constraints on the entropy that can be added, and therefore 64-bit applications make it more difficult for an attacker to guess a location in memory.

Relevance indicator

67

Table of settings


UIX

No impact : 0

Method

Method :
Processmitigation
Method Argument :
ASLR.OverrideBottomUp

Values

Type :
String 
Possible Values :
  • Enable
  • Disable

More Informations


OS

1958 Enterprise Exploit protection: High-entropy ASLR Medium No impact On ON

Exploit protection: High-entropy ASLR

ASLR Exploit

Introduction


This feature introduces 1 TB of variance into the address that bottom-up allocations start from. This equates to 24 bits of entropy, or a 1 in 16,777,216 chance of guessing the start address correctly. Since heaps, stacks, and most other memory regions are allocated bottom-up, this has the effect of making traditional address space spraying attacks impractical (such as heap and JIT spraying). This is because systems today do not have enough memory available to spray the amount that would be needed to achieve even small degrees of reliability. In addition, executable images that are randomized by the Force ASLR feature receive high degrees of entropy as a result of the high entropy bottom-up randomization feature being enabled for an application. As a result, exploits for vulnerabilities in 64-bit applications that rely on address space spraying will first need to disclose the address of at least one bottom-up allocation in order to determine where data may have been placed relative to that address.

Relevance indicator

67

Table of settings


UIX

No impact : 0

Method

Method :
Processmitigation
Method Argument :
ASLR.HighEntropy

Values

Type :
String 
Possible Values :
  • Enable
  • Disable

Powershell Command

Getting Command :
Get-ProcessMitigation -System ;
Setting Command :
Set-ProcessMitigation -System -Enable HighEntropy ;

More Informations


OS

1959 Enterprise Exploit protection: Override high-entropy ASLR Medium No impact False False

Exploit protection: Override high-entropy ASLR

ASLR Exploit

Introduction


This feature introduces 1 TB of variance into the address that bottom-up allocations start from. This equates to 24 bits of entropy, or a 1 in 16,777,216 chance of guessing the start address correctly. Since heaps, stacks, and most other memory regions are allocated bottom-up, this has the effect of making traditional address space spraying attacks impractical (such as heap and JIT spraying). This is because systems today do not have enough memory available to spray the amount that would be needed to achieve even small degrees of reliability. In addition, executable images that are randomized by the Force ASLR feature receive high degrees of entropy as a result of the high entropy bottom-up randomization feature being enabled for an application. As a result, exploits for vulnerabilities in 64-bit applications that rely on address space spraying will first need to disclose the address of at least one bottom-up allocation in order to determine where data may have been placed relative to that address.

Relevance indicator

67

Table of settings


UIX

No impact : 0

Method

Method :
Processmitigation
Method Argument :
ASLR.OverrideHighEntropy

Values

Type :
String 
Possible Values :
  • Enable
  • Disable

More Informations


OS

1960 Enterprise Exploit protection: Validate exception chains (SEHOP) Medium Potentially On ON

Exploit protection: Validate exception chains (SEHOP)

SEHOP Exploit

Introduction


Validate exception chains (SEHOP) is a mitigation against the Structured Exception Handler (SEH) overwrite exploitation technique. Structured exception handling is the process by which an application can ask to handle a particular exception. Exception handlers are chained together, so that if one exception handler chooses not to handle a particular exception, it can be passed on to the next exception handler in the chain until one decides to handle it. Because the list of handlers is dynamic, it is stored on the stack. An attacker can use a stack overflow vulnerability to then overwrite the exception handler with a pointer to the code of the attacker's choice.

Relevance indicator

50

Table of settings


UIX

Potentially : 1

Method

Method :
Processmitigation
Method Argument :
SEHOP.Enable

Values

Type :
String 
Possible Values :
  • Enable
  • Disable

Powershell Command

Getting Command :
Get-ProcessMitigation -System ;
Setting Command :
Set-ProcessMitigation -System -Enable SEHOP ;

More Informations


Potential impact

OS

1961 Enterprise Exploit protection: Validate exception chains (SEHOP) (Telemetry only) Medium Potentially NOTSET OFF

Exploit protection: Validate exception chains (SEHOP) (Telemetry only)

SEHOP Exploit

Introduction


Validate exception chains (SEHOP) is a mitigation against the Structured Exception Handler (SEH) overwrite exploitation technique. Structured exception handling is the process by which an application can ask to handle a particular exception. Exception handlers are chained together, so that if one exception handler chooses not to handle a particular exception, it can be passed on to the next exception handler in the chain until one decides to handle it. Because the list of handlers is dynamic, it is stored on the stack. An attacker can use a stack overflow vulnerability to then overwrite the exception handler with a pointer to the code of the attacker's choice.

Relevance indicator

50

Table of settings


UIX

Potentially : 1

Method

Method :
Processmitigation
Method Argument :
SEHOP.TelemetryOnly

Values

Type :
String 
Possible Values :
  • Enable
  • Disable

More Informations


Potential impact

OS

1962 Enterprise Exploit protection: Override validate exception chains (SEHOP) Medium Potentially False False

Exploit protection: Override validate exception chains (SEHOP)

SEHOP Exploit

Introduction


Validate exception chains (SEHOP) is a mitigation against the Structured Exception Handler (SEH) overwrite exploitation technique. Structured exception handling is the process by which an application can ask to handle a particular exception. Exception handlers are chained together, so that if one exception handler chooses not to handle a particular exception, it can be passed on to the next exception handler in the chain until one decides to handle it. Because the list of handlers is dynamic, it is stored on the stack. An attacker can use a stack overflow vulnerability to then overwrite the exception handler with a pointer to the code of the attacker's choice.

Relevance indicator

50

Table of settings


UIX

Potentially : 1

Method

Method :
Processmitigation
Method Argument :
SEHOP.OverrideSEHOP

Values

Type :
String 
Possible Values :
  • Enable
  • Disable

More Informations


Potential impact

OS

1963 Enterprise Exploit protection: Validate heap integrity Medium Potentially On ON

Exploit protection: Validate heap integrity

HEAP Exploit

Introduction


The validate heap integrity mitigation increases the protection level of heap mitigations in Windows, by causing the application to terminate if a heap corruption is detected. The mitigations include:

  • Preventing a HEAP handle from being freed
  • Performing another validation on extended block headers for heap allocations
  • Verifying that heap allocations are not already flagged as in-use
  • Adding guard pages to large allocations, heap segments, and subsegments above a minimum size

Relevance indicator

50

Table of settings


UIX

Potentially : 1

Method

Method :
Processmitigation
Method Argument :
HEAP.TerminateOnError

Values

Type :
String 
Possible Values :
  • Enable
  • Disable

Powershell Command

Getting Command :
Get-ProcessMitigation -System ;
Setting Command :
Set-ProcessMitigation -System -Enable TerminateOnError ;

More Informations


Potential impact

OS

1964 Enterprise Exploit protection: Override validate heap integrity Medium Potentially False False

Exploit protection: Override validate heap integrity

HEAP Exploit

Introduction


The validate heap integrity mitigation increases the protection level of heap mitigations in Windows, by causing the application to terminate if a heap corruption is detected. The mitigations include:

  • Preventing a HEAP handle from being freed
  • Performing another validation on extended block headers for heap allocations
  • Verifying that heap allocations are not already flagged as in-use
  • Adding guard pages to large allocations, heap segments, and subsegments above a minimum size

Relevance indicator

50

Table of settings


UIX

Potentially : 1

Method

Method :
Processmitigation
Method Argument :
HEAP.OverrideHEAP

Values

Type :
String 
Possible Values :
  • Enable
  • Disable

More Informations


Potential impact

OS

1965 Basic Network Protection: Prevent users and apps from accessing dangerous websites Medium Potentially 1

Network Protection: Prevent users and apps from accessing dangerous websites

Network

Introduction


Enable or disable Microsoft Defender Exploit Guard network protection to prevent employees from using any application to access dangerous domains that may host phishing scams, exploit-hosting sites, and other malicious content on the Internet.

Relevance indicator

58

Table of settings


UIX

Potentially : 1

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection
RegistryItem :
EnableNetworkProtection

Values

Type :
Number
Possible Values :
  • 0(Disable)
  • 1(Block)
  • 2(Audit Mode)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection' -name 'EnableNetworkProtection'
Set Value :
Set-ItemProperty -path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection' -name 'EnableNetworkProtection' -value 1


More Informations


OS

1966 Basic ASR: Exclude files and paths from Attack Surface Reduction Rules (Policy) Medium No impact

ASR: Exclude files and paths from Attack Surface Reduction Rules (Policy)

Exclusion ASR

Introduction


Exclude files and paths from Attack Surface Reduction (ASR) rules.

Enabled:
Specify the folders or files and resources that should be excluded from ASR rules in the Options section.
Enter each rule on a new line as a name-value pair:
- Name column: Enter a folder path or a fully qualified resource name. For example, "C:\Windows" will exclude all files in that directory. "C:\Windows\App.exe" will exclude only that specific file in that specific folder.
- Value column: Enter "0" for each item.

Relevance indicator

75

Table of settings


UIX

No impact : 0

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR
RegistryItem :
ExploitGuard_ASR_ASROnlyExclusions

Values

Type :
Number
Possible Values :
  • 0(Disable)
  • 1(Enable)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR' -name 'ExploitGuard_ASR_ASROnlyExclusions'
Set Value :
Set-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR' -name 'ExploitGuard_ASR_ASROnlyExclusions' -value


More Informations


OS

1967 Basic ASR: List of excluded files and paths from Attack Surface Reduction Rules Medium No impact 0

ASR: List of excluded files and paths from Attack Surface Reduction Rules

Exclusion ASR

Introduction


Exclude files and paths from Attack Surface Reduction (ASR) rules.
Enabled: Specify the folders or files and resources that should be excluded from ASR rules in the Options section. Enter each rule on a new line as a name-value pair:

  • Name column: Enter a folder path or a fully qualified resource name. For example, "C:\Windows" will exclude all files in that directory. "C:\Windows\App.exe" will exclude only that specific file in that specific folder.
  • Value column: Enter "0" for each item.

Relevance indicator

75

Table of settings


UIX

No impact : 0

Method

Method :
MpPreferenceExclusion
Method Argument :
AttackSurfaceReductionOnlyExclusions

Values

Type :
Number
Possible Values :
  • 0(Disable)
  • 1(Enable)

Powershell Command

Getting Command :
Get-MPPreference | Select-Object AttackSurfaceReductionOnlyExclusions ;
Setting Command :
Add-MpPreference -AttackSurfaceReductionOnlyExclusions ;

More Informations


OS

Microsoft Defender Application Guard

1980 Enterprise Support for Microsoft Defender Application Guard Medium No impact Disabled Enabled

Support for Microsoft Defender Application Guard

Edge  Office

Introduction


For Microsoft Edge, Application Guard helps to isolate enterprise-defined untrusted sites, protecting your company while your employees browse the Internet. As an enterprise administrator, you define what is among trusted web sites, cloud resources, and internal networks. Everything not on your list is considered untrusted. If an employee goes to an untrusted site through either Microsoft Edge or Internet Explorer, Microsoft Edge opens the site in an isolated Hyper-V-enabled container.

For Microsoft Office, Application Guard helps prevent untrusted Word, PowerPoint and Excel files from accessing trusted resources. Application Guard opens untrusted files in an isolated Hyper-V-enabled container. The isolated Hyper-V container is separate from the host operating system. This container isolation means that if the untrusted site or file turns out to be malicious, the host device is protected, and the attacker can't get to your enterprise data. For example, this approach makes the isolated container anonymous, so an attacker can't get to your employee's enterprise credentials.

Relevance indicator

67

Table of settings


UIX

No impact : 0

Method

Method :
WindowsOptionalFeature
Method Argument :
Windows-Defender-ApplicationGuard

Values

Type :
Number
Possible Values :
  • 0(Disable)
  • 1(Enable)

Powershell Command

Getting Command :
Get-WindowsOptionalFeature -Online -FeatureName Windows-Defender-ApplicationGuard ;
Setting Command :
Enable-WindowsOptionalFeature -Online -FeatureName Windows-Defender-ApplicationGuard ;

More Informations


Advices

Notes

OS

1981 Enterprise Turn on Microsoft Defender Application Guard in Managed Mode Medium No impact 3

Turn on Microsoft Defender Application Guard in Managed Mode

Edge  Office

Introduction


This policy setting allows the application to be isolated via Microsoft Defender Application Guard.


Application Guard uses the Windows hypervisor to create a virtualized environment for applications configured to use virtualization-based security isolation. During isolation, incorrect user interactions and application vulnerabilities cannot compromise the kernel or other applications running outside the virtualized environment.

If you enable this setting, Application Guard will be enabled for your organization.

Read more >

Relevance indicator

67

Table of settings


UIX

No impact : 0

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\SOFTWARE\Policies\Microsoft\AppHVSI
RegistryItem :
AllowAppHVSI_ProviderSet

Values

Type :
Number
Possible Values :
  • 0 (Disable)
  • 1 (Microsoft Edge only)
  • 2 (Isolated Windows environments only)
  • 3 (Microsoft Edge and isolated Windows environments)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\SOFTWARE\Policies\Microsoft\AppHVSI' -name 'AllowAppHVSI_ProviderSet'
Set Value :
Set-ItemProperty -path 'HKLM:\SOFTWARE\Policies\Microsoft\AppHVSI' -name 'AllowAppHVSI_ProviderSet' -value 3


More Informations


Notes

OS

1982 Enterprise Allow auditing events in Microsoft Defender Application Guard Medium Potentially 1

Allow auditing events in Microsoft Defender Application Guard

Edge  Office

Introduction


This policy setting allows you to decide whether auditing events can be collected from Microsoft Defender Application Guard.

If you enable this setting, Application Guard inherits auditing policies from your device and logs system events from the Application Guard container to your host.

If you disable or don't configure this setting, event logs aren't collected from your Application Guard container.

Read more >

Relevance indicator

50

Table of settings


UIX

Potentially : 1

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\SOFTWARE\Policies\Microsoft\AppHVSI
RegistryItem :
AuditApplicationGuard

Values

Type :
Number
Possible Values :
  • 0(Disable)
  • 1(Enable)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\SOFTWARE\Policies\Microsoft\AppHVSI' -name 'AuditApplicationGuard'
Set Value :
Set-ItemProperty -path 'HKLM:\SOFTWARE\Policies\Microsoft\AppHVSI' -name 'AuditApplicationGuard' -value 1


More Informations


Notes

OS

Administrative Templates: Windows Components

2000 Basic File Explorer: Configure Windows Defender SmartScreen Medium Impact 1 1

File Explorer: Configure Windows Defender SmartScreen

Edge  Office

Introduction


This policy allows you to turn Windows Defender SmartScreen on or off. SmartScreen helps protect PCs by warning users before running potentially malicious programs downloaded from the Internet. This warning is presented as an interstitial dialog shown before running an app that has been downloaded from the Internet and is unrecognized or known to be malicious. No dialog is shown for apps that do not appear to be suspicious.

  • If you disable this policy, SmartScreen will be turned off for all users. Users will not be warned if they try to run suspicious apps from the Internet.
  • If you do not configure this policy, SmartScreen will be enabled by default, but users may change their settings.

Read more >

Relevance indicator

42

Table of settings


UIX

Impact : 2

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\SOFTWARE\Policies\Microsoft\Windows\System
RegistryItem :
EnableSmartScreen

Values

Type :
Number
Possible Values :
  • 1 (Enable)
  • 0 (Disable)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System' -name 'EnableSmartScreen'
Set Value :
Set-ItemProperty -path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System' -name 'EnableSmartScreen' -value 1


More Informations


Notes

OS

2001 Basic File Explorer: Configure Windows Defender SmartScreen to warn and prevent bypass Medium Impact Warn Warn

File Explorer: Configure Windows Defender SmartScreen to warn and prevent bypass

Edge  Office

Introduction


This policy depends on the previous policy (2000). SmartScreen helps protect PCs by warning users before running potentially malicious programs downloaded from the Internet. This warning is presented as an interstitial dialog shown before running an app that has been downloaded from the Internet and is unrecognized or known to be malicious. No dialog is shown for apps that do not appear to be suspicious.

  • If you configure this policy with the "Warn and prevent bypass" option, SmartScreen's dialogs will not present the user with the option to disregard the warning and run the app. SmartScreen will continue to show the warning on subsequent attempts to run the app.
  • If you configure this policy with the "Warn" option, SmartScreen's dialogs will warn the user that the app appears suspicious, but will permit the user to disregard the warning and run the app anyway. SmartScreen will not warn the user again for that app if the user tells SmartScreen to run the app.

Read more >

Relevance indicator

42

Table of settings


UIX

Impact : 2

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\SOFTWARE\Policies\Microsoft\Windows\System
RegistryItem :
ShellSmartScreenLevel

Values

Type :
String
Possible Values :
  • Block
  • Warn

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System' -name 'ShellSmartScreenLevel'
Set Value :
Set-ItemProperty -path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System' -name 'ShellSmartScreenLevel' -value Warn


More Informations


OS

PowerShell

2100 Basic Turn on PowerShell Script Block Logging Medium Potentially 0 1

Turn on PowerShell Script Block Logging

Powershell

Introduction


This policy setting enables logging of all PowerShell script input to the Microsoft-Windows-PowerShell/Operational event log.

  • If you enable this policy setting, Windows PowerShell will log the processing of commands, script blocks, functions, and scripts - whether invoked interactively, or through automation.
  • If you disable this policy setting, logging of PowerShell script input is disabled.
  • If you enable the Script Block Invocation Logging, PowerShell additionally logs events when invocation of a command, script block, function, or script starts or stops. Enabling Invocation Logging generates a high volume of event logs.

Read more >

Relevance indicator

58

Table of settings


UIX

Potentially : 1

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging
RegistryItem :
EnableScriptBlockLogging

Values

Type :
Number
Possible Values :
  • 1 (Enable)
  • 0 (Disable)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging' -name 'EnableScriptBlockLogging'
Set Value :
Set-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging' -name 'EnableScriptBlockLogging' -value 1


More Informations


Notes

OS

2101 Basic Turn on PowerShell Script Block Logging (Invocation) Low Potentially 0 1

Turn on PowerShell Script Block Logging (Invocation)

Powershell

Introduction


Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. Enabling PowerShell script block logging will record detailed information from the processing of PowerShell commands and scripts. Additionally, enabling invocation logging will log events when the invocation of commands and scripts starts or stops. This can provide additional detail when malware has run on a system. This may result in a high volume of events.

Read more >

Relevance indicator

33

Table of settings


UIX

Potentially : 1

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging
RegistryItem :
EnableScriptBlockInvocationLogging

Values

Type :
Number
Possible Values :
  • 1 (Enable)
  • 0 (Disable)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging' -name 'EnableScriptBlockInvocationLogging'
Set Value :
Set-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging' -name 'EnableScriptBlockInvocationLogging' -value 1


More Informations


OS

2102 Basic Turn on PowerShell Transcription Low Potentially 0 1

Turn on PowerShell Transcription

Powershell

Introduction


This policy setting lets you capture the input and output of Windows PowerShell commands into text-based transcripts.

If you enable this policy setting, Windows PowerShell will enable transcripting for Windows PowerShell, the Windows PowerShell ISE, and any other applications that leverage the Windows PowerShell engine. By default, Windows PowerShell will record transcript output to each user's My Documents directory, with a file name that includes 'PowerShell_transcript', along with the computer name and time started. Enabling this policy is equivalent to calling the Start-Transcript cmdlet on each Windows PowerShell session.

Read more >

Relevance indicator

33

Table of settings


UIX

Potentially : 1

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\Software\Policies\Microsoft\Windows\PowerShell\Transcription
RegistryItem :
EnableTranscripting

Values

Type :
Number
Possible Values :
  • 1 (Enable)
  • 0 (Disable)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\Windows\PowerShell\Transcription' -name 'EnableTranscripting'
Set Value :
Set-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\Windows\PowerShell\Transcription' -name 'EnableTranscripting' -value 1


More Informations


OS

2103 Basic Turn on PowerShell Transcription (Location) Low Potentially ${env:HOMEPATH}\Documents\ ${env:LOCALAPPDATA}

Turn on PowerShell Transcription (Location)


Introduction


Read more >

Relevance indicator

33

Table of settings


UIX

Potentially : 1

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\Software\Policies\Microsoft\Windows\PowerShell\Transcription
RegistryItem :
OutputDirectory

Values

Type :
Possible Values :

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\Windows\PowerShell\Transcription' -name 'OutputDirectory'
Set Value :
Set-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\Windows\PowerShell\Transcription' -name 'OutputDirectory' -value ${env:LOCALAPPDATA}


More Informations
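To check the four PowerShell logging policies above (2100 to 2103) together, here is an added audit script that is not part of the hardening interface or of HardeningKitty. It reads the registry values the policies set, reports where transcripts go, and then verifies that script block logging is really producing events, since a registry value only takes effect for new PowerShell sessions. Everything it uses is built-in PowerShell; the event ID and level are the ones Windows uses for script block logging.

```powershell
# Added audit example (not part of the hardening interface): verifies policies
# 2100-2103 and checks that script block logging is actually producing events.
# Run in an elevated PowerShell session.
$sbl = 'HKLM:\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
$tr  = 'HKLM:\Software\Policies\Microsoft\Windows\PowerShell\Transcription'

# Expected state, taken from the Recommended Value column of each policy.
$expected = @(
    @{ Path = $sbl; Name = 'EnableScriptBlockLogging';           Value = 1 }
    @{ Path = $sbl; Name = 'EnableScriptBlockInvocationLogging'; Value = 1 }
    @{ Path = $tr;  Name = 'EnableTranscripting';                Value = 1 }
)

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # A missing key or value means "not configured"; return $null instead of
    # throwing so the audit continues with the next setting.
    if (-not (Test-Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

$report = @(foreach ($e in $expected) {
    $actual = Get-PolicyValue -Path $e.Path -Name $e.Name
    [pscustomobject]@{
        Setting   = $e.Name
        Expected  = $e.Value
        Actual    = if ($null -eq $actual) { 'Not configured' } else { $actual }
        Compliant = ($actual -eq $e.Value)
    }
})

# OutputDirectory (2103) has no single right answer; report where transcripts
# go and whether that directory exists.
$outDir = Get-PolicyValue -Path $tr -Name 'OutputDirectory'
$report += [pscustomobject]@{
    Setting   = 'OutputDirectory'
    Expected  = '<any existing directory>'
    Actual    = if ($outDir) { $outDir } else { 'Not configured (defaults to My Documents)' }
    Compliant = [bool]($outDir -and (Test-Path $outDir))
}
$report | Format-Table -AutoSize

# Configuration is only half the check: confirm script block events (ID 4104)
# are being written. Level 5 (Verbose) is what the policy produces; PowerShell
# also writes a few Warning-level 4104 events on its own for suspicious script
# blocks, so those alone do not prove the policy is active.
$recent = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-PowerShell/Operational'
    Id        = 4104
    Level     = 5
    StartTime = (Get-Date).AddDays(-1)
} -MaxEvents 5 -ErrorAction SilentlyContinue

if ($recent) {
    "Script block logging is live: showing the newest $($recent.Count) Verbose 4104 event(s) from the last 24h."
    $recent | Select-Object TimeCreated, Id, @{ n = 'Snippet'; e = {
        $m = $_.Message -replace '\r?\n', ' '
        $m.Substring(0, [Math]::Min(80, $m.Length))
    } } | Format-Table -Wrap
} else {
    'No Verbose 4104 events in the last 24h: the value may be set but no new session has run since, or the log is being cleared.'
}
```

Run it after opening a fresh session, because the session that sets the registry value is itself not yet logged under the new policy; an empty result immediately after applying 2100 is expected and is exactly the gap the event query is meant to expose.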


2104 Basic Disable PowerShell version 2 Medium Potentially Enabled Disabled

Disable PowerShell version 2

Powershell

Introduction


Windows PowerShell 5.0 added advanced logging features which can provide additional detail when malware has been run on a system. Disabling Windows PowerShell 2.0 mitigates a downgrade attack that evades the Windows PowerShell 5.0 script block logging feature.

Read more >

Relevance indicator

58

Table of settings


UIX

Potentially : 1

Method

Method :
WindowsOptionalFeature
Method Argument :
MicrosoftWindowsPowerShellV2

Values

Type :
String 
Possible Values :
  • Enable
  • Disable

Powershell Command

Getting Command :
Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2 ;
Setting Command :
Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2 ;

More Informations


OS

2105 Basic Disable PowerShell version 2 (root) Medium Potentially Enabled Disabled

Disable PowerShell version 2 (root)

Powershell

Introduction


Windows PowerShell 5.0 added advanced logging features which can provide additional detail when malware has been run on a system. Disabling Windows PowerShell 2.0 mitigates a downgrade attack that evades the Windows PowerShell 5.0 script block logging feature.

Read more >

Relevance indicator

58

Table of settings


UIX

Potentially : 1

Method

Method :
WindowsOptionalFeature
Method Argument :
MicrosoftWindowsPowerShellV2Root

Values

Type :
String 
Possible Values :
  • Enable
  • Disable

Powershell Command

Getting Command :
Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root ;
Setting Command :
Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root ;

More Informations


OS
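Because the downgrade described above only works while a 2.0 engine can still be started, here is an added check (not part of the hardening interface or of HardeningKitty) that covers both optional features from policies 2104 and 2105 and then searches the classic Windows PowerShell log for engine starts that report EngineVersion=2.0. That engine-start event is written regardless of script block logging, so it is the record that survives a downgrade on hosts where the feature had not yet been removed. Event ID 400 and the EngineVersion field are standard PowerShell logging, not anything specific to this interface.

```powershell
# Added example (not part of the hardening interface): confirms the PowerShell
# 2.0 engine is gone and looks back for evidence that it was used before removal.
# Get-WindowsOptionalFeature requires an elevated session.

# 1. Feature state for both optional features listed in policies 2104 and 2105.
#    Both should read "Disabled"; the Root feature is the parent of the engine.
$features = 'MicrosoftWindowsPowerShellV2Root', 'MicrosoftWindowsPowerShellV2' |
    ForEach-Object { Get-WindowsOptionalFeature -Online -FeatureName $_ } |
    Select-Object FeatureName, State
$features | Format-Table -AutoSize

$stillPresent = $features | Where-Object { $_.State -ne 'Disabled' }
if ($stillPresent) {
    "WARNING: $($stillPresent.FeatureName -join ', ') still enabled; script block logging can be bypassed by a 2.0 engine."
} else {
    'OK: the 2.0 engine features are disabled on this host.'
}

# 2. Retrospective detection: every engine start writes event 400 to the classic
#    "Windows PowerShell" log and the message carries EngineVersion=<version>.
#    Any 2.0 start on a host that normally runs 5.x is a downgrade worth a look.
$downgrades = Get-WinEvent -FilterHashtable @{ LogName = 'Windows PowerShell'; Id = 400 } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'EngineVersion=2\.0' } |
    Select-Object TimeCreated,
        @{ n = 'HostApplication'; e = { if ($_.Message -match 'HostApplication=(.+)') { $Matches[1].Trim() } } }

if ($downgrades) {
    "Found $(@($downgrades).Count) PowerShell 2.0 engine start(s); HostApplication shows the command line that requested them:"
    $downgrades | Format-Table -Wrap
} else {
    'No 2.0 engine starts recorded in the Windows PowerShell log.'
}
```

The HostApplication field is the useful part of a hit: it shows which process asked for the old engine, which separates a legacy management script that genuinely needs 2.0 from something that had no business requesting it.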

MS Security Guide

2200 Basic LSA Protection Medium No impact 1

LSA Protection

LSA

Introduction


The LSA, which includes the Local Security Authority Server Service (LSASS) process, validates users for local and remote sign-ins and enforces local security policies.
The Windows 8.1 operating system provides additional protection for the LSA to prevent reading memory and code injection by non-protected processes. This provides added security for the credentials that the LSA stores and manages.
The protected process setting for LSA can be configured in Windows 8.1, but it cannot be configured in Windows RT 8.1.

Read more >

Relevance indicator

75

Table of settings


UIX

No impact : 0

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\SYSTEM\CurrentControlSet\Control\Lsa
RegistryItem :
RunAsPPL

Values

Type :
Number
Possible Values :
  • 1 (Enable)
  • 0 (Disable)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -name 'RunAsPPL'
Set Value :
Set-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -name 'RunAsPPL' -value 1


More Informations


Notes

OS

2201 Basic Lsass.exe audit mode Low No impact 8

Lsass.exe audit mode

LSA

Introduction


The LSA, which includes the Local Security Authority Server Service (LSASS) process, validates users for local and remote sign-ins and enforces local security policies. The Windows 8.1 operating system provides additional protection for the LSA to prevent reading memory and code injection by non-protected processes. This provides added security for the credentials that the LSA stores and manages. The protected process setting for LSA can be configured in Windows 8.1, but it cannot be configured in Windows RT 8.1. When this setting is used in conjunction with Secure Boot, additional protection is achieved because disabling the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa registry key has no effect.

Read more >

Relevance indicator

50

Table of settings


UIX

No impact : 0

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LSASS.exe
RegistryItem :
AuditLevel

Values

Type :
Number
Possible Values :
  • 8 (Enable)
  • 0 (Disable)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LSASS.exe' -name 'AuditLevel'
Set Value :
Set-ItemProperty -path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LSASS.exe' -name 'AuditLevel' -value 8


More Informations


OS

2202 Basic NetBT NodeType configuration Medium No impact 0 2

NetBT NodeType configuration

NetBIOS

Introduction


Sets the NetBIOS node type. When WINS servers are used, the default is hybrid (h), otherwise broadcast (b). This policy setting allows you to manage the computer's NetBIOS node type. The selected NetBIOS node type determines what methods NetBT will use to register and resolve names.

Read more >

Relevance indicator

75

Table of settings


UIX

No impact : 0

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters
RegistryItem :
NodeType

Values

Type :
Number
Possible Values :
  • 1 (B-node) 
  • 2 (P-node) 
  • 4 (M-node) 
  • 8 (H-node)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters' -name 'NodeType'
Set Value :
Set-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters' -name 'NodeType' -value 2


More Informations


Notes

OS

2203 Basic WDigest Authentication High No impact 0 0

WDigest Authentication


Introduction


When WDigest authentication is enabled, Lsass.exe retains a copy of the user's plaintext password in memory, where it can be at risk of theft. Microsoft recommends disabling WDigest authentication unless it is needed.

Read more >

Relevance indicator

100

Table of settings


UIX

No impact : 0

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest
RegistryItem :
UseLogonCredential

Values

Type :
Number
Possible Values :
  • 1 (Enable)
  • 0 (Disable)
  • Not defined

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' -name 'UseLogonCredential'
Set Value :
Set-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' -name 'UseLogonCredential' -value 0


More Informations


Advices

Notes

OS
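The three settings above that protect credentials held by LSASS (2200 LSA Protection, 2201 Lsass.exe audit mode and 2203 WDigest) are worth auditing together, since RunAsPPL only takes effect at the next boot and a registry read cannot tell whether it did. The following script is an added example, not part of the hardening interface or of HardeningKitty; it reads the three values and then consults the boot-time and Code Integrity events that Windows records for LSA protection. The event IDs are the documented ones for this feature; the registry paths are the ones listed in the policies.

```powershell
# Added example (not part of the hardening interface): audits policies 2200,
# 2201 and 2203 and then checks what actually happened at boot. Run elevated.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Absent key or value -> $null ("not configured") rather than an error.
    if (-not (Test-Path $Path)) { return $null }
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

$lsa     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$ifeo    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LSASS.exe'
$wdigest = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'

$runAsPpl   = Get-RegValue $lsa     'RunAsPPL'
$auditLevel = Get-RegValue $ifeo    'AuditLevel'
$useLogon   = Get-RegValue $wdigest 'UseLogonCredential'

[pscustomobject]@{
    RunAsPPL            = if ($null -eq $runAsPpl)   { 'Not configured' } else { $runAsPpl }
    LsassAuditLevel     = if ($null -eq $auditLevel) { 'Not configured' } else { $auditLevel }
    WDigestUseLogonCred = if ($null -eq $useLogon)   { 'Not defined' }    else { $useLogon }
    # Policy 2203 lists "Not defined" as a possible value: on Windows 8.1 /
    # Server 2012 R2 and later an absent value behaves like 0 (disabled).
    WDigestEffective    = if ($useLogon -eq 1) { 'plaintext credentials kept in LSASS' } else { 'disabled' }
} | Format-List

# Did LSASS really start as a protected process? Wininit writes System event 12
# ("LSASS.exe was started as a protected process with level: 4") at boot.
$ppl = Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Wininit'; Id = 12 } -MaxEvents 1 -ErrorAction SilentlyContinue
if ($ppl) {
    "LSASS protected at last boot ($($ppl.TimeCreated)): $($ppl.Message)"
} elseif ($runAsPpl -eq 1) {
    'RunAsPPL is set but no Wininit event 12 was found: a reboot is probably still pending.'
} else {
    'LSASS is not running as a protected process.'
}

# In audit mode (AuditLevel 8) nothing is blocked; instead Code Integrity logs
# 3065/3066 for LSA plug-ins that would fail to load under full protection.
# Review these before setting RunAsPPL so you know in advance what will break.
$wouldFail = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3065, 3066 } -ErrorAction SilentlyContinue
if ($wouldFail) {
    "Code Integrity recorded $(@($wouldFail).Count) plug-in(s) that LSA Protection would have refused:"
    $wouldFail | Select-Object TimeCreated, Id, @{ n = 'Detail'; e = { ($_.Message -split "`r?`n")[0] } } | Format-Table -Wrap
} else {
    'No 3065/3066 events: no incompatible LSA plug-ins observed (or audit mode has not run through a boot yet).'
}
```

The sequence the three policies imply is audit first (2201), read the 3065/3066 events for a few boots, then enforce (2200); the WDigest value (2203) is independent of that and can be set at any time.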

MSS (Legacy)

2204 Basic MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended) Medium No impact 0 1

MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)

DLL

Introduction


Enable Safe DLL search mode

Read more >

Relevance indicator

75

Table of settings


UIX

No impact : 0

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager
RegistryItem :
SafeDLLSearchMode

Values

Type :
Number
Possible Values :
  • 1 (Enable)
  • 0 (Disable)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' -name 'SafeDLLSearchMode'
Set Value :
Set-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' -name 'SafeDLLSearchMode' -value 1


More Informations


OS

2205 Basic MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing) Medium No impact 2

MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)

IP  Network

Introduction


IPv6 source routing protection level (protects against packet spoofing)

Read more >

Relevance indicator

75

Table of settings


UIX

No impact : 0

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\System\CurrentControlSet\Services\Tcpip6\Parameters
RegistryItem :
DisableIPSourceRouting

Values

Type :
Number 
Possible Values :
  • 0 (No additional protection, source routed packets are allowed)
  • 1 (Medium, source routed packets ignored when IP forwarding is enabled)
  • 2 (Highest protection, source routing is completely disabled)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\System\CurrentControlSet\Services\Tcpip6\Parameters' -name 'DisableIPSourceRouting'
Set Value :
Set-ItemProperty -path 'HKLM:\System\CurrentControlSet\Services\Tcpip6\Parameters' -name 'DisableIPSourceRouting' -value 2


More Informations


OS

2206 Basic MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing) Medium No impact 2

MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)

IP  Network

Introduction


IPv4 source routing protection level (protects against packet spoofing)

Read more >

Relevance indicator

75

Table of settings


UIX

No impact : 0

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters
RegistryItem :
DisableIPSourceRouting

Values

Type :
Number 
Possible Values :
  • 0 (No additional protection, source routed packets are allowed)
  • 1 (Medium, source routed packets ignored when IP forwarding is enabled)
  • 2 (Highest protection, source routing is completely disabled)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters' -name 'DisableIPSourceRouting'
Set Value :
Set-ItemProperty -path 'HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters' -name 'DisableIPSourceRouting' -value 2


More Informations


OS

2207 Enterprise MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes Medium No impact 0

MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes

OSPF  Network  ICMP

Introduction


Allow ICMP redirects to override OSPF generated routes

Read more >

Relevance indicator

67

Table of settings


UIX

No impact : 0

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters
RegistryItem :
EnableICMPRedirect

Values

Type :
Number
Possible Values :
  • 1 (Enable)
  • 0 (Disable)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters' -name 'EnableICMPRedirect'
Set Value :
Set-ItemProperty -path 'HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters' -name 'EnableICMPRedirect' -value 0


More Informations


OS

2208 Basic MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers Medium No impact 0 1

MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers

NetBios

Introduction


Allow the computer to ignore NetBIOS name release requests except from WINS servers

Read more >

Relevance indicator

75

Table of settings


UIX

No impact : 0

Method

Method :
Registry

Registry

RegistryPath :
HKLM:\System\CurrentControlSet\Services\Netbt\Parameters
RegistryItem :
NoNameReleaseOnDemand

Values

Type :
Number
Possible Values :
  • 1 (Enable)
  • 0 (Disable)

Powershell Command

Get Value :
Get-ItemProperty -path 'HKLM:\System\CurrentControlSet\Services\Netbt\Parameters' -name 'NoNameReleaseOnDemand'
Set Value :
Set-ItemProperty -path 'HKLM:\System\CurrentControlSet\Services\Netbt\Parameters' -name 'NoNameReleaseOnDemand' -value 1


More Informations


OS

Windows Firewall

2300 StrongBox HardeningKitty-Block-TCP-NetBIOS Low Impact False True

HardeningKitty-Block-TCP-NetBIOS

NetBios

Introduction


This policy disables NetBIOS over TCP/IP by blocking TCP on ports 137 and 139.

Read more >

Relevance indicator

0

Table of settings


UIX

Impact : 2

Method

Method :
FirewallRule
Method Argument :
Any|Inbound|Block|TCP|137,138,139||

Values

Type :
Boolean 
Possible Values :
  • True
  • False

More Informations


Notes

2301 StrongBox HardeningKitty-Block-TCP-RDP Low Impact False True

HardeningKitty-Block-TCP-RDP

RDP

Introduction


This policy disables Remote Desktop Protocol with a firewall rule (blocking inbound and outbound TCP connections on port 3389).

Read more >

Relevance indicator

0

Table of settings


UIX

Impact : 2

Method

Method :
FirewallRule
Method Argument :
Any|Inbound|Block|TCP|3389||

Values

Type :
Boolean 
Possible Values :
  • True
  • False

More Informations


2302 StrongBox HardeningKitty-Block-TCP-RPC Low Impact False True

HardeningKitty-Block-TCP-RPC

RPC

Introduction


This policy disables Remote Procedure Call (RPC) by blocking inbound and outbound connections on TCP ports 135 and 593.

Read more >

Relevance indicator

0

Table of settings


UIX

Impact : 2

Method

Method :
FirewallRule
Method Argument :
Any|Inbound|Block|TCP|135,593||

Values

Type :
Boolean 
Possible Values :
  • True
  • False

More Informations


2303 StrongBox HardeningKitty-Block-TCP-SMB Low Impact False True

HardeningKitty-Block-TCP-SMB

SMB

Introduction


This policy disables the Server Message Block (SMB) protocol by blocking inbound and outbound connections on TCP port 445.

Read more >

Relevance indicator

0

Table of settings


UIX

Impact : 2

Method

Method :
FirewallRule
Method Argument :
Any|Inbound|Block|TCP|445||

Values

Type :
Boolean 
Possible Values :
  • True
  • False

More Informations


Notes

2304 StrongBox HardeningKitty-Block-TCP-WinRM Low Impact False True

HardeningKitty-Block-TCP-WinRM

WinRM

Introduction


This policy disables WinRM by blocking TCP ports 5985 and 5986.

Read more >

Relevance indicator

0

Table of settings


UIX

Impact : 2

Method

Method :
FirewallRule
Method Argument :
Any|Inbound|Block|TCP|5985,5986||

Values

Type :
Boolean 
Possible Values :
  • True
  • False

More Informations


Notes

2305 StrongBox HardeningKitty-Block-UDP-NetBIOS Low Impact False True

HardeningKitty-Block-UDP-NetBIOS


Introduction


This policy disables NetBIOS by blocking UDP on ports 137 and 139.

Read more >

Relevance indicator

0

Table of settings


UIX

Impact : 2

Method

Method :
FirewallRule
Method Argument :
Any|Inbound|Block|UDP|137,138,139||

Values

Type :
Boolean 
Possible Values :
  • True
  • False

More Informations


2306 StrongBox HardeningKitty-Block-UDP-RPC Low Impact False True

HardeningKitty-Block-UDP-RPC

NetBios  Block

Introduction


This policy disables Remote Procedure Call (RPC) by blocking inbound and outbound connections on UDP ports 135 and 593.

Read more >

Relevance indicator

0

Table of settings


UIX

Impact : 2

Method

Method :
FirewallRule
Method Argument :
Any|Inbound|Block|UDP|135,593||

Values

Type :
Boolean 
Possible Values :
  • True
  • False

More Informations


2307 StrongBox HardeningKitty-Block-calc-x64 Low Impact False True

HardeningKitty-Block-calc-x64

Calculator  Block

Introduction


This policy prevents the execution of the calculator application (x64).

Read more >

Relevance indicator

0

Table of settings


UIX

Impact : 2

Method

Method :
FirewallRule
Method Argument :
Any|Outbound|Block|||%SystemRoot%\System32\calc.exe|

Values

Type :
Boolean 
Possible Values :
  • True
  • False

More Informations


Notes

2308 StrongBox HardeningKitty-Block-calc-x86 Low Impact False True

HardeningKitty-Block-calc-x86

Calculator  Block

Introduction


This policy prevents the execution of the calculator application (x86).

Read more >

Relevance indicator

0

Table of settings


UIX

Impact : 2

Method

Method :
FirewallRule
Method Argument :
Any|Outbound|Block|||%SystemRoot%\Syswow64\calc.exe|

Values

Type :
Boolean 
Possible Values :
  • True
  • False

More Informations


Notes

2309 StrongBox HardeningKitty-Block-certutil-x64 Low Impact False True

HardeningKitty-Block-certutil-x64

Certificate  Block

Introduction


This policy prevents the execution of certutil (x64).

Read more >

Relevance indicator

0

Table of settings


UIX

Impact : 2

Method

Method :
FirewallRule
Method Argument :
Any|Outbound|Block|||%SystemRoot%\System32\certutil.exe|

Values

Type :
Boolean 
Possible Values :
  • True
  • False

More Informations


Notes

2310 StrongBox HardeningKitty-Block-certutil-x86 Low Impact False True

HardeningKitty-Block-certutil-x86

Certificate  Block

Introduction


This policy prevents the execution of certutil (x86).

Read more >

Relevance indicator

0

Table of settings


UIX

Impact : 2

Method

Method :
FirewallRule
Method Argument :
Any|Outbound|Block|||%SystemRoot%\Syswow64\certutil.exe|

Values

Type :
Boolean 
Possible Values :
  • True
  • False

More Informations


Notes

2311 StrongBox HardeningKitty-Block-conhost-x64 Low Impact False True

HardeningKitty-Block-conhost-x64

Console  Block

Introduction


This policy prevents the execution of the Console Host Process (x64).

Read more >

Relevance indicator

0

Table of settings


UIX

Impact : 2

Method

Method :
FirewallRule
Method Argument :
Any|Outbound|Block|||%SystemRoot%\System32\conhost.exe|

Values

Type :
Boolean 
Possible Values :
  • True
  • False

More Informations


Notes

2312 StrongBox HardeningKitty-Block-conhost-x86 Low Impact False True

HardeningKitty-Block-conhost-x86

Console  Block

Introduction


This policy prevents the execution of the Console Host Process (x86).

Read more >

Relevance indicator

0

Table of settings


UIX

Impact : 2

Method

Method :
FirewallRule
Method Argument :
Any|Outbound|Block|||%SystemRoot%\Syswow64\conhost.exe|

Values

Type :
Boolean 
Possible Values :
  • True
  • False

More Informations


Notes

2313 StrongBox HardeningKitty-Block-cscript-x64 Low Impact False True

HardeningKitty-Block-cscript-x64

Script  Block

Introduction


This policy prevents the execution of cscript (x64).

Read more >

Relevance indicator

0

Table of settings


UIX

Impact : 2

Method

Method :
FirewallRule
Method Argument :
Any|Outbound|Block|||%SystemRoot%\System32\cscript.exe|

Values

Type :
Boolean 
Possible Values :
  • True
  • False

More Informations


Notes

2314 StrongBox HardeningKitty-Block-cscript-x86 Low Impact False True

HardeningKitty-Block-cscript-x86

Script  Block

Introduction


This policy prevents the execution of cscript (x86).

Read more >

Relevance indicator

0

Table of settings


UIX

Impact : 2

Method

Method :
FirewallRule
Method Argument :
Any|Outbound|Block|||%SystemRoot%\Syswow64\cscript.exe|

Values

Type :
Boolean 
Possible Values :
  • True
  • False

More Informations


Notes

2315 StrongBox HardeningKitty-Block-mshta-x64 Low Impact False True

HardeningKitty-Block-mshta-x64


Introduction


This policy prevents the execution of the Microsoft HTML Application Host (x64).

Read more >

Relevance indicator

0

Table of settings


UIX

Impact : 2

Method

Method :
FirewallRule
Method Argument :
Any|Outbound|Block|||%SystemRoot%\System32\mshta.exe|

Values

Type :
Boolean 
Possible Values :
  • True
  • False

More Informations


Notes

2316 StrongBox HardeningKitty-Block-mshta-x86 Low Impact False True

HardeningKitty-Block-mshta-x86


Introduction


This policy prevents the execution of the Microsoft HTML Application Host (x86).

Read more >

Relevance indicator

0

Table of settings


UIX

Impact : 2

Method

Method :
FirewallRule
Method Argument :
Any|Outbound|Block|||%SystemRoot%\Syswow64\mshta.exe|

Values

Type :
Boolean 
Possible Values :
  • True
  • False

More Informations


Notes

2317 StrongBox HardeningKitty-Block-notepad-x64 Low Impact False True

HardeningKitty-Block-notepad-x64

Notepad  Block

Introduction


This policy prevents Notepad from executing (x64).

Read more >

Relevance indicator

0

Table of settings


UIX

Impact : 2

Method

Method :
FirewallRule
Method Argument :
Any|Outbound|Block|||%SystemRoot%\System32\notepad.exe|

Values

Type :
Boolean 
Possible Values :
  • True
  • False

More Informations


Notes

2318 StrongBox HardeningKitty-Block-notepad-x86 Low Impact False True

HardeningKitty-Block-notepad-x86

Notepad Block

Introduction


This policy prevents Notepad from executing (x86).

Read more >

Relevance indicator

0

Table of settings


UIX

Impact : 2

Method

Method :
FirewallRule
Method Argument :
Any|Outbound|Block|||%SystemRoot%\Syswow64\notepad.exe|

Values

Type :
Boolean 
Possible Values :
  • True
  • False

More Informations


Notes

2319 StrongBox HardeningKitty-Block-RunScriptHelper-x64 Low Impact False True

HardeningKitty-Block-RunScriptHelper-x64

Script  Block

Introduction


This policy prevents RunScriptHelper from executing (x64).

Read more >

Relevance indicator

0

Table of settings


UIX

Impact : 2

Method

Method :
FirewallRule
Method Argument :
Any|Outbound|Block|||%SystemRoot%\System32\RunScriptHelper.exe|

Values

Type :
Boolean 
Possible Values :
  • True
  • False

More Informations


Notes

2320 StrongBox HardeningKitty-Block-RunScriptHelper-x86 Low Impact False True

HardeningKitty-Block-RunScriptHelper-x86

Script  Block

Introduction


This policy prevents RunScriptHelper from executing (x86).

Read more >

Relevance indicator

0

Table of settings


UIX

Impact : 2

Method

Method :
FirewallRule
Method Argument :
Any|Outbound|Block|||%SystemRoot%\Syswow64\RunScriptHelper.exe|

Values

Type :
Boolean 
Possible Values :
  • True
  • False

More Informations


Notes

2321 StrongBox HardeningKitty-Block-wscript-x64 Low Impact False True

HardeningKitty-Block-wscript-x64


Introduction


This policy prevents the Windows Script Host from executing (x64).

Read more >

Relevance indicator

0

Table of settings


UIX

Impact : 2

Method

Method :
FirewallRule
Method Argument :
Any|Outbound|Block|||%SystemRoot%\System32\wscript.exe|

Values

Type :
Boolean 
Possible Values :
  • True
  • False

More Informations


Notes

2322 StrongBox HardeningKitty-Block-wscript-x86 Low Impact False True

HardeningKitty-Block-wscript-x86


Introduction


This policy prevents the Windows Script Host from executing (x86).

Read more >

Relevance indicator

0

Table of settings


UIX

Impact : 2

Method

Method :
FirewallRule
Method Argument :
Any|Outbound|Block|||%SystemRoot%\Syswow64\wscript.exe|

Values

Type :
Boolean 
Possible Values :
  • True
  • False

More Informations


Notes
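The firewall policies 2300 to 2322 all carry their definition in the Method Argument field, so the block below, an added example rather than code from the hardening interface or from HardeningKitty, parses that field and creates the corresponding rule with New-NetFirewallRule. The field order it assumes (Profile, Direction, Action, Protocol, LocalPort, Program, then an unused trailing field) is inferred from the arguments shown on this page, not from a documented specification, and the sample list is constructed from five of those arguments.

```powershell
# Added example (not part of the hardening interface): turns the Method Argument
# strings of policies 2300-2322 into Windows Firewall rules.
# ASSUMPTION: field order is Profile|Direction|Action|Protocol|LocalPort|Program|<unused>,
# read off the arguments on this page. Run elevated; try -WhatIf first.

function ConvertFrom-RuleSpec {
    param([Parameter(Mandatory)][string]$Name, [Parameter(Mandatory)][string]$Spec)
    $f = $Spec -split '\|'
    if ($f.Count -lt 5) { throw "Malformed spec for ${Name}: '$Spec'" }
    [pscustomobject]@{
        Name      = $Name
        Profile   = $f[0]
        Direction = $f[1]
        Action    = $f[2]
        Protocol  = if ($f[3]) { $f[3] } else { $null }
        LocalPort = if ($f[4]) { $f[4] -split ',' } else { $null }   # "137,138,139" -> array
        Program   = if ($f[5]) { $f[5] } else { $null }
    }
}

function New-HardeningRule {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)]$Rule)
    # Idempotent: an existing rule with the same display name is left alone.
    if (Get-NetFirewallRule -DisplayName $Rule.Name -ErrorAction SilentlyContinue) {
        Write-Verbose "Rule '$($Rule.Name)' already exists; skipping."
        return
    }
    $params = @{
        DisplayName = $Rule.Name
        Profile     = $Rule.Profile
        Direction   = $Rule.Direction
        Action      = $Rule.Action
    }
    # Port rules need a protocol; program rules carry neither port nor protocol.
    if ($Rule.Protocol)  { $params.Protocol  = $Rule.Protocol }
    if ($Rule.LocalPort) { $params.LocalPort = $Rule.LocalPort }
    if ($Rule.Program)   { $params.Program   = $Rule.Program }   # %SystemRoot% is expanded by the firewall service
    if ($PSCmdlet.ShouldProcess($Rule.Name, 'New-NetFirewallRule')) {
        New-NetFirewallRule @params | Out-Null
    }
}

# Constructed sample, copied from Method Argument lines on this page. The
# program-based rules (2307-2322) are outbound blocks on a binary: the program
# can still start, but it cannot reach the network.
$specs = [ordered]@{
    'HardeningKitty-Block-TCP-NetBIOS' = 'Any|Inbound|Block|TCP|137,138,139||'
    'HardeningKitty-Block-TCP-SMB'     = 'Any|Inbound|Block|TCP|445||'
    'HardeningKitty-Block-UDP-RPC'     = 'Any|Inbound|Block|UDP|135,593||'
    'HardeningKitty-Block-mshta-x64'   = 'Any|Outbound|Block|||%SystemRoot%\System32\mshta.exe|'
    'HardeningKitty-Block-wscript-x86' = 'Any|Outbound|Block|||%SystemRoot%\Syswow64\wscript.exe|'
}

$rules = foreach ($k in $specs.Keys) { ConvertFrom-RuleSpec -Name $k -Spec $specs[$k] }
$rules | Format-Table Name, Direction, Protocol, @{ n = 'LocalPort'; e = { $_.LocalPort -join ',' } }, Program -AutoSize

# Preview first. The SMB and NetBIOS rules cut off file sharing to this host,
# which is why the interface marks these policies "Impact".
$rules | ForEach-Object { New-HardeningRule -Rule $_ -WhatIf }
# Apply for real:
# $rules | ForEach-Object { New-HardeningRule -Rule $_ -Verbose }
```

Because the rules are keyed on DisplayName, re-running the script is safe, and Get-NetFirewallRule -DisplayName 'HardeningKitty-Block-*' gives a quick compliance view of which of the 2300-series policies are in place on a host.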