Skip to content

Baselines

CloudInfra Secure ships 7 baselines. Each is a curated collection of control IDs.

CloudInfra Secure Domain Controller - Role tier

Baseline for Active Directory Domain Controllers.

ID: CloudInfraSecure-DomainController   Controls: 181   Supported OS: WindowsServer2022, WindowsServer2025

Control Name Severity
WIN-FW-001 Windows Firewall Enabled (All Profiles) High
WIN-SMB-001 Disable SMBv1 High
WIN-TLS-010 Disable TLS 1.0 (Server) High
WIN-TLS-011 Disable TLS 1.1 (Server) High
WIN-PWD-001 Minimum Password Length High
WIN-PWD-002 Password Complexity Enabled High
WIN-LOCK-001 Account Lockout Threshold Medium
WIN-AUD-001 Audit Logon Failures Medium
WIN-AUD-002 Audit Account Lockout Events Medium
WIN-UAC-001 User Account Control Enabled High
WIN-DEF-001 Microsoft Defender Antivirus Enabled High
WIN-PWD-003 Maximum Password Age Medium
WIN-PWD-004 Minimum Password Age Low
WIN-PWD-005 Enforce Password History Medium
WIN-PWD-006 Disable Reversible Password Encryption High
WIN-LOCK-002 Account Lockout Duration Medium
WIN-LOCK-003 Reset Account Lockout Counter Medium
WIN-NTLM-001 LAN Manager Authentication Level (NTLMv2 Only) High
WIN-LSA-001 Do Not Store LAN Manager Hash High
WIN-LSA-002 Restrict Anonymous SID Enumeration Medium
WIN-WDIGEST-001 Disable WDigest Credential Caching High
WIN-LSA-003 Enable LSASS Protection (RunAsPPL) High
WIN-AUD-004 Audit Credential Validation Medium
WIN-AUD-005 Audit Security Group Management Medium
WIN-AUD-003 Audit Process Creation Medium
WIN-SMB-004 Disable SMBv1 Client High
WIN-SMB-005 Require SMB Client Signing Medium
WIN-LDAP-001 LDAP Client Signing Medium
WIN-NET-001 Disable LLMNR Medium
WIN-TLS-012 Disable SSL 3.0 (Server) High
WIN-TLS-013 Disable SSL 2.0 (Server) High
WIN-LOGON-001 Machine Inactivity Limit Medium
WIN-LOGON-002 Do Not Display Last Signed-In User Low
WIN-AUD-006 Audit Special Logon Medium
WIN-AUD-007 Audit Sensitive Privilege Use Medium
WIN-AUD-008 Audit System Integrity Medium
WIN-SVC-001 Disable Remote Registry Service Medium
WIN-DEF-002 Enable Potentially Unwanted Application (PUA) Protection High
WIN-DEF-003 Enable Defender Real-Time Protection High
WIN-DEF-004 Enable Cloud-Delivered Protection Medium
WIN-NET-002 Disable IPv4 Source Routing Medium
WIN-NET-003 Disable ICMP Redirects Low
WIN-NET-004 Disable IPv6 Source Routing Medium
WIN-SMB-006 Restrict Anonymous Access to Named Pipes and Shares Medium
WIN-LSA-004 Do Not Allow Anonymous Enumeration of SAM Accounts Medium
WIN-LSA-005 Enable Structured Exception Handling Overwrite Protection (SEHOP) Medium
WIN-LOGON-003 Limit Number of Cached Logons Medium
WIN-UAC-004 Deny UAC Elevation Prompt for Standard Users Medium
WIN-UAC-005 UAC Switch to the Secure Desktop for Elevation Medium
WIN-AUD-009 Audit Logoff Medium
WIN-AUD-010 Audit Removable Storage Medium
WIN-AUD-011 Audit Authentication Policy Change Medium
WIN-AUD-012 Audit User Account Management Medium
WIN-AUD-013 Audit Computer Account Management Medium
WIN-AUD-014 Audit Audit Policy Change Medium
WIN-AUD-015 Audit Other Logon/Logoff Events Medium
WIN-AUD-016 Audit MPSSVC Rule-Level Policy Change Medium
WIN-NTLM-002 Minimum NTLM Session Security (Clients) Medium
WIN-NTLM-003 Minimum NTLM Session Security (Servers) Medium
WIN-LSA-006 Digitally Encrypt or Sign Secure Channel Data (Always) Medium
WIN-LSA-007 Do Not Apply Everyone Permissions to Anonymous Users Medium
WIN-LOGON-004 Require Ctrl+Alt+Del at Logon Low
WIN-WINRM-001 Disable WinRM Client Basic Authentication Medium
WIN-WINRM-002 Disallow WinRM Unencrypted Traffic Medium
WIN-LSA-008 Restrict Clients Allowed to Make Remote SAM Calls Medium
WIN-LSA-009 Limit Local Account Use of Blank Passwords High
WIN-LSA-010 Sharing and Security Model for Local Accounts (Classic) Medium
WIN-KRB-001 Configure Kerberos Encryption Types (AES only) Medium
WIN-NET-005 Ignore NetBIOS Name Release Requests Low
WIN-PSL-003 Enable PowerShell Transcription Medium
WIN-UAC-006 Only Elevate UIAccess Apps in Secure Locations Medium
WIN-LOGON-006 Disable Automatic Logon Medium
WIN-TLS-001 Enable TLS 1.2 (Server) Medium
WIN-TLS-002 Enable TLS 1.2 (Client) Medium
WIN-TLS-003 Disable RC4 128/128 Cipher High
WIN-TLS-004 Disable RC4 40/128 Cipher High
WIN-TLS-005 Disable Triple DES 168 Cipher Medium
WIN-FW-002 Block Inbound Connections by Default (Domain Profile) Medium
WIN-FW-003 Block Inbound Connections by Default (Private Profile) Medium
WIN-FW-004 Block Inbound Connections by Default (Public Profile) Medium
WIN-DEF-009 Enable Defender Behavior Monitoring High
WIN-WINRM-003 Disable WinRM Client Digest Authentication Medium
WIN-VBS-001 Enable Virtualization Based Security High
WIN-VBS-002 Require Secure Boot for VBS Medium
WIN-VBS-003 Enable Memory Integrity (HVCI) High
WIN-CG-001 Enable Credential Guard High
WIN-TLS-006 Disable RC4 56/128 Cipher High
WIN-TLS-007 Disable RC4 64/128 Cipher High
WIN-TLS-008 Disable DES 56/56 Cipher Medium
WIN-TLS-009 Disable NULL Cipher Medium
WIN-ACCT-001 Block Microsoft Accounts Medium
WIN-UAC-007 Apply UAC Token Filtering to Remote Local Accounts High
WIN-AUD-017 Audit PNP Activity Medium
WIN-AUD-018 Audit Group Membership Medium
WIN-AUD-019 Audit Other Object Access Events Medium
WIN-AUD-020 Audit Detailed File Share Medium
WIN-LSA-011 Disallow LocalSystem NULL Session Fallback Medium
WIN-LSA-012 Strengthen Default Permissions of Internal System Objects Low
WIN-NET-007 Enable Safe DLL Search Mode Medium
WIN-DEF-013 Scan Downloaded Files and Attachments High
WIN-URA-001 Access Credential Manager as a Trusted Caller = No One High
WIN-URA-002 Act as Part of the Operating System = No One High
WIN-URA-003 Create a Token Object = No One High
WIN-URA-004 Create Permanent Shared Objects = No One Medium
WIN-URA-006 Deny Access to This Computer From the Network (includes Guests) Medium
WIN-URA-007 Deny Log On as a Batch Job (includes Guests) Low
WIN-URA-008 Deny Log On as a Service (includes Guests) Low
WIN-URA-009 Deny Log On Locally (includes Guests) Medium
WIN-URA-010 Deny Log On Through Remote Desktop Services (includes Guests) Medium
WIN-URA-029 Lock Pages in Memory = No One Medium
WIN-URA-036 Obtain an Impersonation Token for Another User = No One Medium
WIN-URA-037 Modify an Object Label = No One Low
WIN-LSA-013 Digitally Encrypt Secure Channel Data (When Possible) Medium
WIN-LSA-014 Digitally Sign Secure Channel Data (When Possible) Medium
WIN-LSA-015 Do Not Disable Machine Account Password Changes Medium
WIN-LSA-016 Maximum Machine Account Password Age (30 Days) Low
WIN-LSA-017 Require Strong (Windows 2000 or Later) Session Key Medium
WIN-NTLM-004 Allow LocalSystem to Use Computer Identity for NTLM Medium
WIN-AUD-021 Force Audit Policy Subcategory Settings Medium
WIN-ACCT-002 Guest Account Disabled Medium
WIN-ACCT-003 Force Logoff When Logon Hours Expire Low
WIN-AUD-022 Audit Other Account Management Events Medium
WIN-AUD-023 Audit File Share Medium
WIN-AUD-024 Audit Authorization Policy Change Medium
WIN-AUD-025 Audit Other Policy Change Events Low
WIN-AUD-026 Audit IPsec Driver Medium
WIN-AUD-027 Audit Other System Events Low
WIN-AUD-028 Audit Security State Change Medium
WIN-AUD-029 Audit Security System Extension Medium
WIN-EVTLOG-001 Application Event Log Maximum Size (>= 32 MB) Medium
WIN-EVTLOG-002 Application Event Log Retention (Overwrite as Needed) Low
WIN-EVTLOG-003 Security Event Log Maximum Size (>= 192 MB) High
WIN-EVTLOG-004 Security Event Log Retention (Overwrite as Needed) Low
WIN-EVTLOG-005 Setup Event Log Maximum Size (>= 32 MB) Low
WIN-EVTLOG-006 Setup Event Log Retention (Overwrite as Needed) Low
WIN-EVTLOG-007 System Event Log Maximum Size (>= 32 MB) Medium
WIN-EVTLOG-008 System Event Log Retention (Overwrite as Needed) Low
WIN-AUD-030 Include Command Line in Process Creation Events Medium
WIN-CREDDEL-001 Encryption Oracle Remediation (Force Updated Clients) High
WIN-CREDDEL-002 Remote Host Allows Delegation of Non-Exportable Credentials Medium
WIN-ELAM-001 Boot-Start Driver Initialization Policy Medium
WIN-GPO-001 Registry Policy Processing: Apply During Background Refresh Low
WIN-GPO-002 Registry Policy Processing: Process Even If Unchanged Low
WIN-GPO-003 Disable Continue Experiences (Connected Devices Platform) Low
WIN-INET-001 Turn Off Downloading of Print Drivers Over HTTP Low
WIN-INET-002 Turn Off Printing Over HTTP Low
WIN-INET-003 Turn Off Windows Error Reporting Low
WIN-INET-004 Turn Off Windows Customer Experience Improvement Program Low
WIN-INET-005 Turn Off Internet Download for Web Publishing and Online Ordering Low
WIN-INET-006 Turn Off Internet Connection Wizard If URL Connection Low
WIN-INET-007 Turn Off Search Companion Content File Updates Low
WIN-LOGON-009 Do Not Enumerate Connected Users on Domain-Joined Computers Medium
WIN-LOGON-010 Do Not Enumerate Local Users on Domain-Joined Computers Medium
WIN-LOGON-011 Block User From Showing Account Details on Sign-In Low
WIN-LOGON-012 Do Not Display Network Selection UI Low
WIN-LOGON-013 Turn Off App Notifications on the Lock Screen Low
WIN-LOGON-014 Disable Convenience PIN Sign-In Medium
WIN-RPC-001 Restrict Unauthenticated RPC Clients Medium
WIN-RPC-002 Enable RPC Endpoint Mapper Client Authentication Medium
WIN-CREDUI-001 Do Not Display the Password Reveal Button Low
WIN-CREDUI-002 Do Not Enumerate Administrator Accounts on Elevation Medium
WIN-TELEM-001 Limit Diagnostic Data to Required or Less Low
WIN-TELEM-002 Disable OneSettings Downloads Low
WIN-SMARTSCREEN-001 Configure Windows Defender SmartScreen Medium
WIN-WINRM-004 Disable WinRM Service Basic Authentication Medium
WIN-WINRM-005 Disallow WinRM Storing RunAs Credentials Medium
WIN-WINRM-006 Disallow WinRM Client Unencrypted Traffic Medium
WIN-WINRS-001 Disable Windows Remote Shell Access Medium
WIN-DEF-016 Enable Defender File Hash Computation Low
WIN-NET-008 Hardened UNC Path for SYSVOL High
WIN-NET-009 Hardened UNC Path for NETLOGON High
WIN-NET-010 Disable Font Providers Low
WIN-NET-011 Turn Off Smart Multi-Homed Name Resolution Medium
WIN-NET-021 TCP Maximum Data Retransmissions (IPv4) Low
WIN-NET-022 TCP Maximum Data Retransmissions (IPv6) Low
WIN-EVTLOG-009 Security Log Near-Capacity Warning Threshold Low
WIN-SCRSVR-001 Enable Screen Saver (Default Profile) Low
WIN-SCRSVR-002 Password Protect the Screen Saver (Default Profile) Medium
WIN-SCRSVR-003 Screen Saver Timeout (Default Profile) Low
WIN-LOGON-018 Logon Legal Notice Text Low
WIN-LOGON-019 Logon Legal Notice Title Low

CloudInfra Secure Enterprise - Enterprise tier

Comprehensive baseline for regulated and high-assurance environments.

ID: CloudInfraSecure-Enterprise   Controls: 301   Supported OS: WindowsServer2022, WindowsServer2025

Control Name Severity
WIN-FW-001 Windows Firewall Enabled (All Profiles) High
WIN-SMB-001 Disable SMBv1 High
WIN-TLS-010 Disable TLS 1.0 (Server) High
WIN-TLS-011 Disable TLS 1.1 (Server) High
WIN-RDP-001 Require Network Level Authentication for RDP High
WIN-PSL-001 Enable PowerShell Script Block Logging Medium
WIN-PSL-002 Enable PowerShell Module Logging Medium
WIN-PWD-001 Minimum Password Length High
WIN-PWD-002 Password Complexity Enabled High
WIN-LOCK-001 Account Lockout Threshold Medium
WIN-AUD-001 Audit Logon Failures Medium
WIN-AUD-002 Audit Account Lockout Events Medium
WIN-DEF-001 Microsoft Defender Antivirus Enabled High
WIN-UAC-001 User Account Control Enabled High
WIN-PWD-003 Maximum Password Age Medium
WIN-PWD-004 Minimum Password Age Low
WIN-PWD-005 Enforce Password History Medium
WIN-PWD-006 Disable Reversible Password Encryption High
WIN-LOCK-002 Account Lockout Duration Medium
WIN-LOCK-003 Reset Account Lockout Counter Medium
WIN-SMB-003 Require SMB Signing (Server) High
WIN-NTLM-001 LAN Manager Authentication Level (NTLMv2 Only) High
WIN-LSA-001 Do Not Store LAN Manager Hash High
WIN-LSA-002 Restrict Anonymous SID Enumeration Medium
WIN-LSA-003 Enable LSASS Protection (RunAsPPL) High
WIN-WDIGEST-001 Disable WDigest Credential Caching High
WIN-UAC-002 UAC Elevation Prompt for Administrators Medium
WIN-INSTALL-001 Disable Always Install Elevated High
WIN-AUTORUN-001 Disable AutoRun on All Drives Medium
WIN-AUD-003 Audit Process Creation Medium
WIN-AUD-004 Audit Credential Validation Medium
WIN-AUD-005 Audit Security Group Management Medium
WIN-SMB-004 Disable SMBv1 Client High
WIN-SMB-005 Require SMB Client Signing Medium
WIN-LDAP-001 LDAP Client Signing Medium
WIN-NET-001 Disable LLMNR Medium
WIN-TLS-012 Disable SSL 3.0 (Server) High
WIN-TLS-013 Disable SSL 2.0 (Server) High
WIN-RDP-002 RDP Minimum Encryption Level (High) Medium
WIN-RDP-003 RDP Security Layer (TLS) Medium
WIN-RDP-004 Disable RDP Drive Redirection Medium
WIN-SVC-001 Disable Remote Registry Service Medium
WIN-LOGON-001 Machine Inactivity Limit Medium
WIN-LOGON-002 Do Not Display Last Signed-In User Low
WIN-UAC-003 UAC Detect Application Installations Medium
WIN-AUD-006 Audit Special Logon Medium
WIN-AUD-007 Audit Sensitive Privilege Use Medium
WIN-AUD-008 Audit System Integrity Medium
WIN-DEF-002 Enable Potentially Unwanted Application (PUA) Protection High
WIN-DEF-003 Enable Defender Real-Time Protection High
WIN-DEF-004 Enable Cloud-Delivered Protection Medium
WIN-ASR-001 ASR: Block Credential Stealing from LSASS High
WIN-ASR-002 ASR: Block Office Apps Creating Child Processes Medium
WIN-ASR-003 ASR: Block Executable Content from Email and Webmail Medium
WIN-NET-002 Disable IPv4 Source Routing Medium
WIN-NET-003 Disable ICMP Redirects Low
WIN-NET-004 Disable IPv6 Source Routing Medium
WIN-SMB-006 Restrict Anonymous Access to Named Pipes and Shares Medium
WIN-LSA-004 Do Not Allow Anonymous Enumeration of SAM Accounts Medium
WIN-LSA-005 Enable Structured Exception Handling Overwrite Protection (SEHOP) Medium
WIN-LOGON-003 Limit Number of Cached Logons Medium
WIN-UAC-004 Deny UAC Elevation Prompt for Standard Users Medium
WIN-UAC-005 UAC Switch to the Secure Desktop for Elevation Medium
WIN-AUD-009 Audit Logoff Medium
WIN-AUD-010 Audit Removable Storage Medium
WIN-AUD-011 Audit Authentication Policy Change Medium
WIN-ASR-004 ASR: Block Obfuscated Scripts Medium
WIN-ASR-005 ASR: Block Untrusted Processes from USB Medium
WIN-ASR-006 ASR: Block Process Creation from PSExec and WMI Medium
WIN-ASR-007 ASR: Advanced Protection Against Ransomware High
WIN-ASR-008 ASR: Block Office Apps Injecting Code into Other Processes Medium
WIN-ASR-009 ASR: Block Office Apps Creating Executable Content Medium
WIN-AUD-012 Audit User Account Management Medium
WIN-AUD-013 Audit Computer Account Management Medium
WIN-AUD-014 Audit Audit Policy Change Medium
WIN-AUD-015 Audit Other Logon/Logoff Events Medium
WIN-AUD-016 Audit MPSSVC Rule-Level Policy Change Medium
WIN-LOGON-004 Require Ctrl+Alt+Del at Logon Low
WIN-NTLM-002 Minimum NTLM Session Security (Clients) Medium
WIN-NTLM-003 Minimum NTLM Session Security (Servers) Medium
WIN-LSA-006 Digitally Encrypt or Sign Secure Channel Data (Always) Medium
WIN-LSA-007 Do Not Apply Everyone Permissions to Anonymous Users Medium
WIN-WINRM-001 Disable WinRM Client Basic Authentication Medium
WIN-WINRM-002 Disallow WinRM Unencrypted Traffic Medium
WIN-ASR-010 ASR: Block Persistence Through WMI Event Subscription Medium
WIN-ASR-011 ASR: Block Win32 API Calls from Office Macros Medium
WIN-ASR-012 ASR: Block Untrusted Executables by Prevalence, Age, or Trust Medium
WIN-ASR-013 ASR: Block Adobe Reader from Creating Child Processes Medium
WIN-LSA-008 Restrict Clients Allowed to Make Remote SAM Calls Medium
WIN-LSA-009 Limit Local Account Use of Blank Passwords High
WIN-LSA-010 Sharing and Security Model for Local Accounts (Classic) Medium
WIN-KRB-001 Configure Kerberos Encryption Types (AES only) Medium
WIN-LOGON-005 Smart Card Removal Behavior (Lock Workstation) Low
WIN-LOGON-006 Disable Automatic Logon Medium
WIN-NET-005 Ignore NetBIOS Name Release Requests Low
WIN-PSL-003 Enable PowerShell Transcription Medium
WIN-RDP-005 Always Prompt for Password on RDP Connection Medium
WIN-RDP-006 Disable RDP Clipboard Redirection Low
WIN-SMB-007 Disable SMB Client Insecure Guest Logons Medium
WIN-UAC-006 Only Elevate UIAccess Apps in Secure Locations Medium
WIN-DEF-005 Enable Network Protection Medium
WIN-DEF-006 Enable Controlled Folder Access Medium
WIN-DEF-007 Scan Removable Drives During Full Scan Low
WIN-DEF-008 Enable Block at First Sight Medium
WIN-DEF-009 Enable Defender Behavior Monitoring High
WIN-TLS-001 Enable TLS 1.2 (Server) Medium
WIN-TLS-002 Enable TLS 1.2 (Client) Medium
WIN-TLS-003 Disable RC4 128/128 Cipher High
WIN-TLS-004 Disable RC4 40/128 Cipher High
WIN-TLS-005 Disable Triple DES 168 Cipher Medium
WIN-FW-002 Block Inbound Connections by Default (Domain Profile) Medium
WIN-FW-003 Block Inbound Connections by Default (Private Profile) Medium
WIN-FW-004 Block Inbound Connections by Default (Public Profile) Medium
WIN-FW-005 Log Dropped Packets (Public Profile) Low
WIN-SVC-002 Disable Print Spooler Service Medium
WIN-WINRM-003 Disable WinRM Client Digest Authentication Medium
WIN-VBS-001 Enable Virtualization Based Security High
WIN-VBS-002 Require Secure Boot for VBS Medium
WIN-VBS-003 Enable Memory Integrity (HVCI) High
WIN-CG-001 Enable Credential Guard High
WIN-TLS-006 Disable RC4 56/128 Cipher High
WIN-TLS-007 Disable RC4 64/128 Cipher High
WIN-TLS-008 Disable DES 56/56 Cipher Medium
WIN-TLS-009 Disable NULL Cipher Medium
WIN-RDP-007 Set RDP Idle Session Time Limit Low
WIN-RDP-008 Set RDP Disconnected Session Time Limit Low
WIN-RDP-009 Do Not Allow Saved RDP Passwords Medium
WIN-UAC-007 Apply UAC Token Filtering to Remote Local Accounts High
WIN-ACCT-001 Block Microsoft Accounts Medium
WIN-NET-006 Disable mDNS Medium
WIN-ASR-014 ASR: Block Webshell Creation for Servers High
WIN-ASR-015 ASR: Block Rebooting Machine in Safe Mode Medium
WIN-DEF-010 Enable Email Scanning Medium
WIN-DEF-011 Enable Archive Scanning Medium
WIN-DEF-012 Scan Mapped Network Drives During Full Scan Low
WIN-DEF-013 Scan Downloaded Files and Attachments High
WIN-DEF-014 Disable Local Admin Merge of Defender Preferences Medium
WIN-DEF-015 Enable Real-Time Script Scanning Medium
WIN-AUD-017 Audit PNP Activity Medium
WIN-AUD-018 Audit Group Membership Medium
WIN-AUD-019 Audit Other Object Access Events Medium
WIN-AUD-020 Audit Detailed File Share Medium
WIN-SMB-008 Do Not Send Unencrypted Password to Third-Party SMB Servers Medium
WIN-LSA-011 Disallow LocalSystem NULL Session Fallback Medium
WIN-LSA-012 Strengthen Default Permissions of Internal System Objects Low
WIN-NET-007 Enable Safe DLL Search Mode Medium
WIN-PRINT-001 Restrict Point and Print Driver Installation to Administrators High
WIN-PRINT-002 Require Elevation for New Point and Print Connections Medium
WIN-URA-001 Access Credential Manager as a Trusted Caller = No One High
WIN-URA-002 Act as Part of the Operating System = No One High
WIN-URA-003 Create a Token Object = No One High
WIN-URA-004 Create Permanent Shared Objects = No One Medium
WIN-URA-005 Debug Programs = Administrators Only High
WIN-URA-006 Deny Access to This Computer From the Network (includes Guests) Medium
WIN-URA-007 Deny Log On as a Batch Job (includes Guests) Low
WIN-URA-008 Deny Log On as a Service (includes Guests) Low
WIN-URA-009 Deny Log On Locally (includes Guests) Medium
WIN-URA-010 Deny Log On Through Remote Desktop Services (includes Guests) Medium
WIN-URA-011 Force Shutdown From a Remote System = Administrators Only Medium
WIN-URA-012 Generate Security Audits = Local Service, Network Service Medium
WIN-URA-013 Impersonate a Client After Authentication = Service Accounts and Administrators Medium
WIN-URA-014 Load and Unload Device Drivers = Administrators Only Medium
WIN-URA-015 Manage Auditing and Security Log = Administrators Only Medium
WIN-URA-016 Take Ownership of Files or Other Objects = Administrators Only Medium
WIN-URA-017 Access This Computer From the Network = Administrators, Authenticated Users High
WIN-URA-018 Allow Log On Locally = Administrators Medium
WIN-URA-019 Allow Log On Through Remote Desktop Services = Administrators, Remote Desktop Users Medium
WIN-URA-020 Back Up Files and Directories = Administrators Medium
WIN-URA-021 Restore Files and Directories = Administrators Medium
WIN-URA-022 Change the System Time = Administrators, Local Service Medium
WIN-URA-023 Change the Time Zone = Administrators, Local Service, Users Low
WIN-URA-024 Create a Pagefile = Administrators Low
WIN-URA-025 Create Global Objects = Administrators and Service Accounts Medium
WIN-URA-026 Create Symbolic Links = Administrators Medium
WIN-URA-027 Adjust Memory Quotas for a Process = Administrators and Service Accounts Low
WIN-URA-028 Increase Scheduling Priority = Administrators, Window Manager Low
WIN-URA-029 Lock Pages in Memory = No One Medium
WIN-URA-030 Perform Volume Maintenance Tasks = Administrators Medium
WIN-URA-031 Profile Single Process = Administrators Low
WIN-URA-032 Replace a Process Level Token = Local Service, Network Service Medium
WIN-URA-033 Shut Down the System = Administrators Low
WIN-URA-034 Modify Firmware Environment Values = Administrators Medium
WIN-URA-035 Enable Accounts to Be Trusted for Delegation = No One High
WIN-URA-036 Obtain an Impersonation Token for Another User = No One Medium
WIN-URA-037 Modify an Object Label = No One Low
WIN-URA-038 Synchronize Directory Service Data = No One Medium
WIN-URA-039 Profile System Performance = Administrators, WdiServiceHost Low
WIN-LSA-013 Digitally Encrypt Secure Channel Data (When Possible) Medium
WIN-LSA-014 Digitally Sign Secure Channel Data (When Possible) Medium
WIN-LSA-015 Do Not Disable Machine Account Password Changes Medium
WIN-LSA-016 Maximum Machine Account Password Age (30 Days) Low
WIN-LSA-017 Require Strong (Windows 2000 or Later) Session Key Medium
WIN-SMB-009 Digitally Sign Client Communications (If Server Agrees) Low
WIN-SMB-010 Digitally Sign Server Communications (If Client Agrees) Low
WIN-SMB-011 Idle Time Required Before Suspending an SMB Session (15 min) Low
WIN-SMB-012 Disconnect Clients When Logon Hours Expire Low
WIN-SMB-013 Server SPN Target Name Validation Level Medium
WIN-NTLM-004 Allow LocalSystem to Use Computer Identity for NTLM Medium
WIN-NTLM-005 Disallow PKU2U Online Identities Medium
WIN-NTLM-006 Audit Incoming NTLM Traffic Low
WIN-NTLM-007 Audit Outgoing NTLM Traffic to Remote Servers Low
WIN-LSA-018 Do Not Store Passwords and Credentials for Network Authentication High
WIN-LOGON-007 Do Not Allow System to Be Shut Down Without Logging On Low
WIN-LSA-019 Require Case Insensitivity for Non-Windows Subsystems Low
WIN-AUD-021 Force Audit Policy Subcategory Settings Medium
WIN-PRINT-003 Prevent Users From Installing Printer Drivers Medium
WIN-ACCT-002 Guest Account Disabled Medium
WIN-ACCT-003 Force Logoff When Logon Hours Expire Low
WIN-UAC-008 Admin Approval Mode for the Built-in Administrator Medium
WIN-UAC-009 Virtualize File and Registry Write Failures to Per-User Locations Low
WIN-LOGON-008 Require Domain Controller Authentication to Unlock Workstation Medium
WIN-AUD-022 Audit Other Account Management Events Medium
WIN-AUD-023 Audit File Share Medium
WIN-AUD-024 Audit Authorization Policy Change Medium
WIN-AUD-025 Audit Other Policy Change Events Low
WIN-AUD-026 Audit IPsec Driver Medium
WIN-AUD-027 Audit Other System Events Low
WIN-AUD-028 Audit Security State Change Medium
WIN-AUD-029 Audit Security System Extension Medium
WIN-EVTLOG-001 Application Event Log Maximum Size (>= 32 MB) Medium
WIN-EVTLOG-002 Application Event Log Retention (Overwrite as Needed) Low
WIN-EVTLOG-003 Security Event Log Maximum Size (>= 192 MB) High
WIN-EVTLOG-004 Security Event Log Retention (Overwrite as Needed) Low
WIN-EVTLOG-005 Setup Event Log Maximum Size (>= 32 MB) Low
WIN-EVTLOG-006 Setup Event Log Retention (Overwrite as Needed) Low
WIN-EVTLOG-007 System Event Log Maximum Size (>= 32 MB) Medium
WIN-EVTLOG-008 System Event Log Retention (Overwrite as Needed) Low
WIN-AUD-030 Include Command Line in Process Creation Events Medium
WIN-CREDDEL-001 Encryption Oracle Remediation (Force Updated Clients) High
WIN-CREDDEL-002 Remote Host Allows Delegation of Non-Exportable Credentials Medium
WIN-ELAM-001 Boot-Start Driver Initialization Policy Medium
WIN-GPO-001 Registry Policy Processing: Apply During Background Refresh Low
WIN-GPO-002 Registry Policy Processing: Process Even If Unchanged Low
WIN-GPO-003 Disable Continue Experiences (Connected Devices Platform) Low
WIN-INET-001 Turn Off Downloading of Print Drivers Over HTTP Low
WIN-INET-002 Turn Off Printing Over HTTP Low
WIN-INET-003 Turn Off Windows Error Reporting Low
WIN-INET-004 Turn Off Windows Customer Experience Improvement Program Low
WIN-INET-005 Turn Off Internet Download for Web Publishing and Online Ordering Low
WIN-INET-006 Turn Off Internet Connection Wizard If URL Connection Low
WIN-INET-007 Turn Off Search Companion Content File Updates Low
WIN-LOGON-009 Do Not Enumerate Connected Users on Domain-Joined Computers Medium
WIN-LOGON-010 Do Not Enumerate Local Users on Domain-Joined Computers Medium
WIN-LOGON-011 Block User From Showing Account Details on Sign-In Low
WIN-LOGON-012 Do Not Display Network Selection UI Low
WIN-LOGON-013 Turn Off App Notifications on the Lock Screen Low
WIN-LOGON-014 Disable Convenience PIN Sign-In Medium
WIN-RA-001 Disable Solicited Remote Assistance Medium
WIN-RA-002 Disable Offer (Unsolicited) Remote Assistance Medium
WIN-RPC-001 Restrict Unauthenticated RPC Clients Medium
WIN-RPC-002 Enable RPC Endpoint Mapper Client Authentication Medium
WIN-CREDUI-001 Do Not Display the Password Reveal Button Low
WIN-CREDUI-002 Do Not Enumerate Administrator Accounts on Elevation Medium
WIN-CREDUI-003 Prevent Use of Security Questions for Local Accounts Low
WIN-TELEM-001 Limit Diagnostic Data to Required or Less Low
WIN-TELEM-002 Disable OneSettings Downloads Low
WIN-TELEM-003 Do Not Show Feedback Notifications Low
WIN-TELEM-004 Enable OneSettings Auditing Low
WIN-TELEM-005 Disable Windows Insider Preview Builds Medium
WIN-CLOUD-001 Turn Off Microsoft Consumer Experiences Low
WIN-SMARTSCREEN-001 Configure Windows Defender SmartScreen Medium
WIN-RDP-010 Disable RDP COM Port Redirection Low
WIN-RDP-011 Disable RDP LPT Port Redirection Low
WIN-RDP-012 Disable RDP Plug and Play Device Redirection Low
WIN-RDP-013 Require Secure RPC for Remote Desktop Medium
WIN-RDP-014 Use Temporary Folders Per RDP Session Low
WIN-WINRM-004 Disable WinRM Service Basic Authentication Medium
WIN-WINRM-005 Disallow WinRM Storing RunAs Credentials Medium
WIN-WINRM-006 Disallow WinRM Client Unencrypted Traffic Medium
WIN-WINRS-001 Disable Windows Remote Shell Access Medium
WIN-AUTORUN-002 Disallow Autoplay for Non-Volume Devices Medium
WIN-AUTORUN-003 Set Default AutoRun Behavior to Do Not Execute Medium
WIN-INSTALL-002 Disable User Control Over Windows Installer Medium
WIN-LOGON-015 Disable Automatic Restart Sign-On (ARSO) Medium
WIN-DEF-016 Enable Defender File Hash Computation Low
WIN-NET-008 Hardened UNC Path for SYSVOL High
WIN-NET-009 Hardened UNC Path for NETLOGON High
WIN-NET-010 Disable Font Providers Low
WIN-NET-011 Turn Off Smart Multi-Homed Name Resolution Medium
WIN-NET-012 Prohibit Installation of Network Bridge Low
WIN-NET-013 Prohibit Internet Connection Sharing Low
WIN-NET-014 Require Domain Users to Elevate When Setting Network Location Low
WIN-NET-015 Minimize Simultaneous Internet and Domain Connections Low
WIN-NET-016 Prohibit Non-Domain Networks When on Domain Network Low
WIN-NET-017 Disable Windows Connect Now Registrars Low
WIN-NET-018 Prohibit Access of Windows Connect Now Wizards Low
WIN-NET-019 Turn Off Link-Layer Topology Mapper I/O Driver Low
WIN-NET-020 Turn Off Link-Layer Topology Responder Driver Low
WIN-NET-021 TCP Maximum Data Retransmissions (IPv4) Low
WIN-NET-022 TCP Maximum Data Retransmissions (IPv6) Low
WIN-NET-023 TCP Keep-Alive Time Low
WIN-NET-024 Disable Dead Gateway Detection Low
WIN-EVTLOG-009 Security Log Near-Capacity Warning Threshold Low
WIN-LOGON-016 Screen Saver Grace Period Low
WIN-SCRSVR-001 Enable Screen Saver (Default Profile) Low
WIN-SCRSVR-002 Password Protect the Screen Saver (Default Profile) Medium
WIN-SCRSVR-003 Screen Saver Timeout (Default Profile) Low
WIN-LOGON-017 Turn Off Toast Notifications on the Lock Screen (Default Profile) Low
WIN-DEF-017 Notify Antivirus When Opening Attachments (Default Profile) Medium
WIN-LOGON-018 Logon Legal Notice Text Low
WIN-LOGON-019 Logon Legal Notice Title Low

CloudInfra Secure Essential - Essential tier

Baseline of essential hardening controls suitable for any Windows Server workload.

ID: CloudInfraSecure-Essential   Controls: 17   Supported OS: WindowsServer2022, WindowsServer2025

Control Name Severity
WIN-FW-001 Windows Firewall Enabled (All Profiles) High
WIN-SMB-001 Disable SMBv1 High
WIN-TLS-010 Disable TLS 1.0 (Server) High
WIN-TLS-011 Disable TLS 1.1 (Server) High
WIN-UAC-001 User Account Control Enabled High
WIN-DEF-001 Microsoft Defender Antivirus Enabled High
WIN-PWD-001 Minimum Password Length High
WIN-PWD-002 Password Complexity Enabled High
WIN-PWD-006 Disable Reversible Password Encryption High
WIN-LSA-001 Do Not Store LAN Manager Hash High
WIN-WDIGEST-001 Disable WDigest Credential Caching High
WIN-TLS-012 Disable SSL 3.0 (Server) High
WIN-TLS-013 Disable SSL 2.0 (Server) High
WIN-DEF-002 Enable Potentially Unwanted Application (PUA) Protection High
WIN-DEF-003 Enable Defender Real-Time Protection High
WIN-LOGON-018 Logon Legal Notice Text Low
WIN-LOGON-019 Logon Legal Notice Title Low

CloudInfra Secure IIS Web Server - Role tier

Baseline for Internet Information Services (IIS) web servers.

ID: CloudInfraSecure-IISWebServer   Controls: 103   Supported OS: WindowsServer2022, WindowsServer2025

Control Name Severity
WIN-FW-001 Windows Firewall Enabled (All Profiles) High
WIN-TLS-010 Disable TLS 1.0 (Server) High
WIN-TLS-011 Disable TLS 1.1 (Server) High
WIN-DEF-001 Microsoft Defender Antivirus Enabled High
WIN-UAC-001 User Account Control Enabled High
WIN-PSL-001 Enable PowerShell Script Block Logging Medium
WIN-PSL-002 Enable PowerShell Module Logging Medium
WIN-SMB-003 Require SMB Signing (Server) High
WIN-NTLM-001 LAN Manager Authentication Level (NTLMv2 Only) High
WIN-LSA-001 Do Not Store LAN Manager Hash High
WIN-WDIGEST-001 Disable WDigest Credential Caching High
WIN-INSTALL-001 Disable Always Install Elevated High
WIN-AUTORUN-001 Disable AutoRun on All Drives Medium
WIN-TLS-012 Disable SSL 3.0 (Server) High
WIN-TLS-013 Disable SSL 2.0 (Server) High
WIN-SMB-004 Disable SMBv1 Client High
WIN-NET-001 Disable LLMNR Medium
WIN-SVC-001 Disable Remote Registry Service Medium
WIN-DEF-002 Enable Potentially Unwanted Application (PUA) Protection High
WIN-DEF-003 Enable Defender Real-Time Protection High
WIN-NET-002 Disable IPv4 Source Routing Medium
WIN-NET-003 Disable ICMP Redirects Low
WIN-NET-004 Disable IPv6 Source Routing Medium
WIN-SMB-006 Restrict Anonymous Access to Named Pipes and Shares Medium
WIN-ASR-003 ASR: Block Executable Content from Email and Webmail Medium
WIN-NTLM-002 Minimum NTLM Session Security (Clients) Medium
WIN-NTLM-003 Minimum NTLM Session Security (Servers) Medium
WIN-WINRM-001 Disable WinRM Client Basic Authentication Medium
WIN-WINRM-002 Disallow WinRM Unencrypted Traffic Medium
WIN-AUD-016 Audit MPSSVC Rule-Level Policy Change Medium
WIN-LSA-008 Restrict Clients Allowed to Make Remote SAM Calls Medium
WIN-NET-005 Ignore NetBIOS Name Release Requests Low
WIN-PSL-003 Enable PowerShell Transcription Medium
WIN-SMB-007 Disable SMB Client Insecure Guest Logons Medium
WIN-UAC-006 Only Elevate UIAccess Apps in Secure Locations Medium
WIN-TLS-001 Enable TLS 1.2 (Server) Medium
WIN-TLS-002 Enable TLS 1.2 (Client) Medium
WIN-TLS-003 Disable RC4 128/128 Cipher High
WIN-TLS-004 Disable RC4 40/128 Cipher High
WIN-TLS-005 Disable Triple DES 168 Cipher Medium
WIN-FW-004 Block Inbound Connections by Default (Public Profile) Medium
WIN-FW-005 Log Dropped Packets (Public Profile) Low
WIN-DEF-009 Enable Defender Behavior Monitoring High
WIN-TLS-006 Disable RC4 56/128 Cipher High
WIN-TLS-007 Disable RC4 64/128 Cipher High
WIN-TLS-008 Disable DES 56/56 Cipher Medium
WIN-TLS-009 Disable NULL Cipher Medium
WIN-NET-006 Disable mDNS Medium
WIN-RDP-009 Do Not Allow Saved RDP Passwords Medium
WIN-ASR-014 ASR: Block Webshell Creation for Servers High
WIN-DEF-010 Enable Email Scanning Medium
WIN-DEF-011 Enable Archive Scanning Medium
WIN-DEF-013 Scan Downloaded Files and Attachments High
WIN-NET-007 Enable Safe DLL Search Mode Medium
WIN-PRINT-001 Restrict Point and Print Driver Installation to Administrators High
WIN-AUD-020 Audit Detailed File Share Medium
WIN-URA-001 Access Credential Manager as a Trusted Caller = No One High
WIN-URA-002 Act as Part of the Operating System = No One High
WIN-URA-003 Create a Token Object = No One High
WIN-URA-004 Create Permanent Shared Objects = No One Medium
WIN-URA-006 Deny Access to This Computer From the Network (includes Guests) Medium
WIN-URA-007 Deny Log On as a Batch Job (includes Guests) Low
WIN-URA-008 Deny Log On as a Service (includes Guests) Low
WIN-URA-009 Deny Log On Locally (includes Guests) Medium
WIN-URA-010 Deny Log On Through Remote Desktop Services (includes Guests) Medium
WIN-URA-029 Lock Pages in Memory = No One Medium
WIN-URA-035 Enable Accounts to Be Trusted for Delegation = No One High
WIN-URA-036 Obtain an Impersonation Token for Another User = No One Medium
WIN-URA-037 Modify an Object Label = No One Low
WIN-URA-038 Synchronize Directory Service Data = No One Medium
WIN-SMB-009 Digitally Sign Client Communications (If Server Agrees) Low
WIN-SMB-010 Digitally Sign Server Communications (If Client Agrees) Low
WIN-SMB-013 Server SPN Target Name Validation Level Medium
WIN-LSA-018 Do Not Store Passwords and Credentials for Network Authentication High
WIN-PRINT-003 Prevent Users From Installing Printer Drivers Medium
WIN-ACCT-002 Guest Account Disabled Medium
WIN-AUD-023 Audit File Share Medium
WIN-EVTLOG-001 Application Event Log Maximum Size (>= 32 MB) Medium
WIN-EVTLOG-003 Security Event Log Maximum Size (>= 192 MB) High
WIN-EVTLOG-007 System Event Log Maximum Size (>= 32 MB) Medium
WIN-AUD-029 Audit Security System Extension Medium
WIN-AUD-030 Include Command Line in Process Creation Events Medium
WIN-CREDDEL-001 Encryption Oracle Remediation (Force Updated Clients) High
WIN-INET-001 Turn Off Downloading of Print Drivers Over HTTP Low
WIN-INET-002 Turn Off Printing Over HTTP Low
WIN-RPC-001 Restrict Unauthenticated RPC Clients Medium
WIN-RA-001 Disable Solicited Remote Assistance Medium
WIN-RA-002 Disable Offer (Unsolicited) Remote Assistance Medium
WIN-SMARTSCREEN-001 Configure Windows Defender SmartScreen Medium
WIN-WINRM-004 Disable WinRM Service Basic Authentication Medium
WIN-WINRM-005 Disallow WinRM Storing RunAs Credentials Medium
WIN-WINRM-006 Disallow WinRM Client Unencrypted Traffic Medium
WIN-WINRS-001 Disable Windows Remote Shell Access Medium
WIN-DEF-016 Enable Defender File Hash Computation Low
WIN-AUTORUN-002 Disallow Autoplay for Non-Volume Devices Medium
WIN-NET-008 Hardened UNC Path for SYSVOL High
WIN-NET-009 Hardened UNC Path for NETLOGON High
WIN-NET-011 Turn Off Smart Multi-Homed Name Resolution Medium
WIN-NET-021 TCP Maximum Data Retransmissions (IPv4) Low
WIN-NET-024 Disable Dead Gateway Detection Low
WIN-DEF-017 Notify Antivirus When Opening Attachments (Default Profile) Medium
WIN-LOGON-018 Logon Legal Notice Text Low
WIN-LOGON-019 Logon Legal Notice Title Low

CloudInfra Secure Remote Desktop Server - Role tier

Baseline for Remote Desktop Session Host servers.

ID: CloudInfraSecure-RemoteDesktopServer   Controls: 99   Supported OS: WindowsServer2022, WindowsServer2025

Control Name Severity
WIN-RDP-001 Require Network Level Authentication for RDP High
WIN-TLS-010 Disable TLS 1.0 (Server) High
WIN-TLS-011 Disable TLS 1.1 (Server) High
WIN-FW-001 Windows Firewall Enabled (All Profiles) High
WIN-DEF-001 Microsoft Defender Antivirus Enabled High
WIN-LOCK-001 Account Lockout Threshold Medium
WIN-UAC-001 User Account Control Enabled High
WIN-NTLM-001 LAN Manager Authentication Level (NTLMv2 Only) High
WIN-LSA-001 Do Not Store LAN Manager Hash High
WIN-WDIGEST-001 Disable WDigest Credential Caching High
WIN-UAC-002 UAC Elevation Prompt for Administrators Medium
WIN-INSTALL-001 Disable Always Install Elevated High
WIN-AUTORUN-001 Disable AutoRun on All Drives Medium
WIN-RDP-002 RDP Minimum Encryption Level (High) Medium
WIN-RDP-003 RDP Security Layer (TLS) Medium
WIN-RDP-004 Disable RDP Drive Redirection Medium
WIN-TLS-012 Disable SSL 3.0 (Server) High
WIN-TLS-013 Disable SSL 2.0 (Server) High
WIN-NET-001 Disable LLMNR Medium
WIN-LOGON-001 Machine Inactivity Limit Medium
WIN-DEF-002 Enable Potentially Unwanted Application (PUA) Protection High
WIN-DEF-003 Enable Defender Real-Time Protection High
WIN-UAC-004 Deny UAC Elevation Prompt for Standard Users Medium
WIN-UAC-005 UAC Switch to the Secure Desktop for Elevation Medium
WIN-LOGON-003 Limit Number of Cached Logons Medium
WIN-AUD-009 Audit Logoff Medium
WIN-LOGON-004 Require Ctrl+Alt+Del at Logon Low
WIN-NTLM-002 Minimum NTLM Session Security (Clients) Medium
WIN-NTLM-003 Minimum NTLM Session Security (Servers) Medium
WIN-WINRM-001 Disable WinRM Client Basic Authentication Medium
WIN-WINRM-002 Disallow WinRM Unencrypted Traffic Medium
WIN-AUD-015 Audit Other Logon/Logoff Events Medium
WIN-LOGON-005 Smart Card Removal Behavior (Lock Workstation) Low
WIN-RDP-005 Always Prompt for Password on RDP Connection Medium
WIN-RDP-006 Disable RDP Clipboard Redirection Low
WIN-PSL-003 Enable PowerShell Transcription Medium
WIN-SMB-007 Disable SMB Client Insecure Guest Logons Medium
WIN-TLS-001 Enable TLS 1.2 (Server) Medium
WIN-TLS-002 Enable TLS 1.2 (Client) Medium
WIN-TLS-003 Disable RC4 128/128 Cipher High
WIN-FW-004 Block Inbound Connections by Default (Public Profile) Medium
WIN-WINRM-003 Disable WinRM Client Digest Authentication Medium
WIN-DEF-009 Enable Defender Behavior Monitoring High
WIN-RDP-007 Set RDP Idle Session Time Limit Low
WIN-RDP-008 Set RDP Disconnected Session Time Limit Low
WIN-RDP-009 Do Not Allow Saved RDP Passwords Medium
WIN-TLS-006 Disable RC4 56/128 Cipher High
WIN-TLS-007 Disable RC4 64/128 Cipher High
WIN-UAC-007 Apply UAC Token Filtering to Remote Local Accounts High
WIN-DEF-010 Enable Email Scanning Medium
WIN-DEF-013 Scan Downloaded Files and Attachments High
WIN-SMB-008 Do Not Send Unencrypted Password to Third-Party SMB Servers Medium
WIN-PRINT-001 Restrict Point and Print Driver Installation to Administrators High
WIN-PRINT-002 Require Elevation for New Point and Print Connections Medium
WIN-AUD-017 Audit PNP Activity Medium
WIN-URA-001 Access Credential Manager as a Trusted Caller = No One High
WIN-URA-002 Act as Part of the Operating System = No One High
WIN-URA-003 Create a Token Object = No One High
WIN-URA-004 Create Permanent Shared Objects = No One Medium
WIN-URA-006 Deny Access to This Computer From the Network (includes Guests) Medium
WIN-URA-007 Deny Log On as a Batch Job (includes Guests) Low
WIN-URA-008 Deny Log On as a Service (includes Guests) Low
WIN-URA-009 Deny Log On Locally (includes Guests) Medium
WIN-URA-010 Deny Log On Through Remote Desktop Services (includes Guests) Medium
WIN-URA-029 Lock Pages in Memory = No One Medium
WIN-URA-035 Enable Accounts to Be Trusted for Delegation = No One High
WIN-URA-036 Obtain an Impersonation Token for Another User = No One Medium
WIN-URA-037 Modify an Object Label = No One Low
WIN-URA-038 Synchronize Directory Service Data = No One Medium
WIN-URA-019 Allow Log On Through Remote Desktop Services = Administrators, Remote Desktop Users Medium
WIN-SMB-011 Idle Time Required Before Suspending an SMB Session (15 min) Low
WIN-LSA-018 Do Not Store Passwords and Credentials for Network Authentication High
WIN-UAC-008 Admin Approval Mode for the Built-in Administrator Medium
WIN-ACCT-002 Guest Account Disabled Medium
WIN-PRINT-003 Prevent Users From Installing Printer Drivers Medium
WIN-AUD-023 Audit File Share Medium
WIN-EVTLOG-003 Security Event Log Maximum Size (>= 192 MB) High
WIN-EVTLOG-007 System Event Log Maximum Size (>= 32 MB) Medium
WIN-AUD-028 Audit Security State Change Medium
WIN-AUD-029 Audit Security System Extension Medium
WIN-CREDDEL-001 Encryption Oracle Remediation (Force Updated Clients) High
WIN-CREDDEL-002 Remote Host Allows Delegation of Non-Exportable Credentials Medium
WIN-RA-001 Disable Solicited Remote Assistance Medium
WIN-RA-002 Disable Offer (Unsolicited) Remote Assistance Medium
WIN-LOGON-009 Do Not Enumerate Connected Users on Domain-Joined Computers Medium
WIN-RDP-010 Disable RDP COM Port Redirection Low
WIN-RDP-011 Disable RDP LPT Port Redirection Low
WIN-RDP-012 Disable RDP Plug and Play Device Redirection Low
WIN-RDP-013 Require Secure RPC for Remote Desktop Medium
WIN-RDP-014 Use Temporary Folders Per RDP Session Low
WIN-SMARTSCREEN-001 Configure Windows Defender SmartScreen Medium
WIN-SCRSVR-001 Enable Screen Saver (Default Profile) Low
WIN-SCRSVR-002 Password Protect the Screen Saver (Default Profile) Medium
WIN-SCRSVR-003 Screen Saver Timeout (Default Profile) Low
WIN-LOGON-016 Screen Saver Grace Period Low
WIN-LOGON-017 Turn Off Toast Notifications on the Lock Screen (Default Profile) Low
WIN-DEF-017 Notify Antivirus When Opening Attachments (Default Profile) Medium
WIN-LOGON-018 Logon Legal Notice Text Low
WIN-LOGON-019 Logon Legal Notice Title Low

CloudInfra Secure SQL Server - Role tier

Baseline for Microsoft SQL Server hosts.

ID: CloudInfraSecure-SQLServer   Controls: 93   Supported OS: WindowsServer2022, WindowsServer2025

Control Name Severity
WIN-FW-001 Windows Firewall Enabled (All Profiles) High
WIN-TLS-010 Disable TLS 1.0 (Server) High
WIN-TLS-011 Disable TLS 1.1 (Server) High
WIN-DEF-001 Microsoft Defender Antivirus Enabled High
WIN-AUD-001 Audit Logon Failures Medium
WIN-AUD-002 Audit Account Lockout Events Medium
WIN-UAC-001 User Account Control Enabled High
WIN-SMB-003 Require SMB Signing (Server) High
WIN-NTLM-001 LAN Manager Authentication Level (NTLMv2 Only) High
WIN-LSA-001 Do Not Store LAN Manager Hash High
WIN-WDIGEST-001 Disable WDigest Credential Caching High
WIN-LSA-002 Restrict Anonymous SID Enumeration Medium
WIN-TLS-012 Disable SSL 3.0 (Server) High
WIN-TLS-013 Disable SSL 2.0 (Server) High
WIN-LDAP-001 LDAP Client Signing Medium
WIN-NET-001 Disable LLMNR Medium
WIN-SMB-004 Disable SMBv1 Client High
WIN-DEF-002 Enable Potentially Unwanted Application (PUA) Protection High
WIN-DEF-003 Enable Defender Real-Time Protection High
WIN-NET-002 Disable IPv4 Source Routing Medium
WIN-NET-004 Disable IPv6 Source Routing Medium
WIN-SMB-006 Restrict Anonymous Access to Named Pipes and Shares Medium
WIN-LSA-004 Do Not Allow Anonymous Enumeration of SAM Accounts Medium
WIN-NTLM-002 Minimum NTLM Session Security (Clients) Medium
WIN-NTLM-003 Minimum NTLM Session Security (Servers) Medium
WIN-WINRM-001 Disable WinRM Client Basic Authentication Medium
WIN-WINRM-002 Disallow WinRM Unencrypted Traffic Medium
WIN-LSA-007 Do Not Apply Everyone Permissions to Anonymous Users Medium
WIN-LSA-008 Restrict Clients Allowed to Make Remote SAM Calls Medium
WIN-LSA-009 Limit Local Account Use of Blank Passwords High
WIN-LSA-010 Sharing and Security Model for Local Accounts (Classic) Medium
WIN-KRB-001 Configure Kerberos Encryption Types (AES only) Medium
WIN-PSL-003 Enable PowerShell Transcription Medium
WIN-TLS-001 Enable TLS 1.2 (Server) Medium
WIN-TLS-002 Enable TLS 1.2 (Client) Medium
WIN-TLS-003 Disable RC4 128/128 Cipher High
WIN-TLS-004 Disable RC4 40/128 Cipher High
WIN-TLS-005 Disable Triple DES 168 Cipher Medium
WIN-FW-002 Block Inbound Connections by Default (Domain Profile) Medium
WIN-DEF-009 Enable Defender Behavior Monitoring High
WIN-TLS-006 Disable RC4 56/128 Cipher High
WIN-TLS-007 Disable RC4 64/128 Cipher High
WIN-TLS-008 Disable DES 56/56 Cipher Medium
WIN-TLS-009 Disable NULL Cipher Medium
WIN-VBS-001 Enable Virtualization Based Security High
WIN-CG-001 Enable Credential Guard High
WIN-DEF-011 Enable Archive Scanning Medium
WIN-DEF-013 Scan Downloaded Files and Attachments High
WIN-LSA-011 Disallow LocalSystem NULL Session Fallback Medium
WIN-LSA-012 Strengthen Default Permissions of Internal System Objects Low
WIN-NET-007 Enable Safe DLL Search Mode Medium
WIN-AUD-019 Audit Other Object Access Events Medium
WIN-URA-001 Access Credential Manager as a Trusted Caller = No One High
WIN-URA-002 Act as Part of the Operating System = No One High
WIN-URA-003 Create a Token Object = No One High
WIN-URA-004 Create Permanent Shared Objects = No One Medium
WIN-URA-006 Deny Access to This Computer From the Network (includes Guests) Medium
WIN-URA-007 Deny Log On as a Batch Job (includes Guests) Low
WIN-URA-008 Deny Log On as a Service (includes Guests) Low
WIN-URA-009 Deny Log On Locally (includes Guests) Medium
WIN-URA-010 Deny Log On Through Remote Desktop Services (includes Guests) Medium
WIN-URA-029 Lock Pages in Memory = No One Medium
WIN-URA-035 Enable Accounts to Be Trusted for Delegation = No One High
WIN-URA-036 Obtain an Impersonation Token for Another User = No One Medium
WIN-URA-037 Modify an Object Label = No One Low
WIN-URA-038 Synchronize Directory Service Data = No One Medium
WIN-LSA-017 Require Strong (Windows 2000 or Later) Session Key Medium
WIN-LSA-018 Do Not Store Passwords and Credentials for Network Authentication High
WIN-NTLM-004 Allow LocalSystem to Use Computer Identity for NTLM Medium
WIN-AUD-021 Force Audit Policy Subcategory Settings Medium
WIN-ACCT-002 Guest Account Disabled Medium
WIN-AUD-023 Audit File Share Medium
WIN-EVTLOG-003 Security Event Log Maximum Size (>= 192 MB) High
WIN-EVTLOG-004 Security Event Log Retention (Overwrite as Needed) Low
WIN-AUD-024 Audit Authorization Policy Change Medium
WIN-AUD-029 Audit Security System Extension Medium
WIN-AUD-030 Include Command Line in Process Creation Events Medium
WIN-CREDDEL-001 Encryption Oracle Remediation (Force Updated Clients) High
WIN-CREDDEL-002 Remote Host Allows Delegation of Non-Exportable Credentials Medium
WIN-RPC-001 Restrict Unauthenticated RPC Clients Medium
WIN-RPC-002 Enable RPC Endpoint Mapper Client Authentication Medium
WIN-WINRM-004 Disable WinRM Service Basic Authentication Medium
WIN-WINRM-005 Disallow WinRM Storing RunAs Credentials Medium
WIN-WINRM-006 Disallow WinRM Client Unencrypted Traffic Medium
WIN-WINRS-001 Disable Windows Remote Shell Access Medium
WIN-DEF-016 Enable Defender File Hash Computation Low
WIN-NET-008 Hardened UNC Path for SYSVOL High
WIN-NET-009 Hardened UNC Path for NETLOGON High
WIN-NET-021 TCP Maximum Data Retransmissions (IPv4) Low
WIN-NET-022 TCP Maximum Data Retransmissions (IPv6) Low
WIN-EVTLOG-009 Security Log Near-Capacity Warning Threshold Low
WIN-LOGON-018 Logon Legal Notice Text Low
WIN-LOGON-019 Logon Legal Notice Title Low

CloudInfra Secure Standard - Standard tier

Recommended baseline adding logging, auditing and access hardening on top of Essential.

ID: CloudInfraSecure-Standard   Controls: 274   Supported OS: WindowsServer2022, WindowsServer2025

Control Name Severity
WIN-FW-001 Windows Firewall Enabled (All Profiles) High
WIN-SMB-001 Disable SMBv1 High
WIN-TLS-010 Disable TLS 1.0 (Server) High
WIN-TLS-011 Disable TLS 1.1 (Server) High
WIN-RDP-001 Require Network Level Authentication for RDP High
WIN-PSL-001 Enable PowerShell Script Block Logging Medium
WIN-PSL-002 Enable PowerShell Module Logging Medium
WIN-PWD-001 Minimum Password Length High
WIN-PWD-002 Password Complexity Enabled High
WIN-LOCK-001 Account Lockout Threshold Medium
WIN-AUD-001 Audit Logon Failures Medium
WIN-AUD-002 Audit Account Lockout Events Medium
WIN-DEF-001 Microsoft Defender Antivirus Enabled High
WIN-UAC-001 User Account Control Enabled High
WIN-PWD-003 Maximum Password Age Medium
WIN-PWD-004 Minimum Password Age Low
WIN-PWD-005 Enforce Password History Medium
WIN-PWD-006 Disable Reversible Password Encryption High
WIN-LOCK-002 Account Lockout Duration Medium
WIN-LOCK-003 Reset Account Lockout Counter Medium
WIN-SMB-003 Require SMB Signing (Server) High
WIN-NTLM-001 LAN Manager Authentication Level (NTLMv2 Only) High
WIN-LSA-001 Do Not Store LAN Manager Hash High
WIN-LSA-002 Restrict Anonymous SID Enumeration Medium
WIN-WDIGEST-001 Disable WDigest Credential Caching High
WIN-UAC-002 UAC Elevation Prompt for Administrators Medium
WIN-INSTALL-001 Disable Always Install Elevated High
WIN-AUTORUN-001 Disable AutoRun on All Drives Medium
WIN-AUD-003 Audit Process Creation Medium
WIN-AUD-004 Audit Credential Validation Medium
WIN-AUD-005 Audit Security Group Management Medium
WIN-SMB-004 Disable SMBv1 Client High
WIN-SMB-005 Require SMB Client Signing Medium
WIN-LDAP-001 LDAP Client Signing Medium
WIN-NET-001 Disable LLMNR Medium
WIN-TLS-012 Disable SSL 3.0 (Server) High
WIN-TLS-013 Disable SSL 2.0 (Server) High
WIN-RDP-002 RDP Minimum Encryption Level (High) Medium
WIN-RDP-003 RDP Security Layer (TLS) Medium
WIN-RDP-004 Disable RDP Drive Redirection Medium
WIN-SVC-001 Disable Remote Registry Service Medium
WIN-LOGON-001 Machine Inactivity Limit Medium
WIN-LOGON-002 Do Not Display Last Signed-In User Low
WIN-UAC-003 UAC Detect Application Installations Medium
WIN-AUD-006 Audit Special Logon Medium
WIN-AUD-008 Audit System Integrity Medium
WIN-DEF-002 Enable Potentially Unwanted Application (PUA) Protection High
WIN-DEF-003 Enable Defender Real-Time Protection High
WIN-DEF-004 Enable Cloud-Delivered Protection Medium
WIN-NET-002 Disable IPv4 Source Routing Medium
WIN-NET-003 Disable ICMP Redirects Low
WIN-NET-004 Disable IPv6 Source Routing Medium
WIN-SMB-006 Restrict Anonymous Access to Named Pipes and Shares Medium
WIN-LSA-004 Do Not Allow Anonymous Enumeration of SAM Accounts Medium
WIN-LSA-005 Enable Structured Exception Handling Overwrite Protection (SEHOP) Medium
WIN-LOGON-003 Limit Number of Cached Logons Medium
WIN-UAC-004 Deny UAC Elevation Prompt for Standard Users Medium
WIN-UAC-005 UAC Switch to the Secure Desktop for Elevation Medium
WIN-AUD-009 Audit Logoff Medium
WIN-AUD-010 Audit Removable Storage Medium
WIN-AUD-011 Audit Authentication Policy Change Medium
WIN-AUD-012 Audit User Account Management Medium
WIN-AUD-013 Audit Computer Account Management Medium
WIN-AUD-014 Audit Audit Policy Change Medium
WIN-AUD-015 Audit Other Logon/Logoff Events Medium
WIN-AUD-016 Audit MPSSVC Rule-Level Policy Change Medium
WIN-LOGON-004 Require Ctrl+Alt+Del at Logon Low
WIN-NTLM-002 Minimum NTLM Session Security (Clients) Medium
WIN-NTLM-003 Minimum NTLM Session Security (Servers) Medium
WIN-LSA-006 Digitally Encrypt or Sign Secure Channel Data (Always) Medium
WIN-LSA-007 Do Not Apply Everyone Permissions to Anonymous Users Medium
WIN-WINRM-001 Disable WinRM Client Basic Authentication Medium
WIN-WINRM-002 Disallow WinRM Unencrypted Traffic Medium
WIN-LSA-008 Restrict Clients Allowed to Make Remote SAM Calls Medium
WIN-LSA-009 Limit Local Account Use of Blank Passwords High
WIN-LSA-010 Sharing and Security Model for Local Accounts (Classic) Medium
WIN-KRB-001 Configure Kerberos Encryption Types (AES only) Medium
WIN-LOGON-006 Disable Automatic Logon Medium
WIN-NET-005 Ignore NetBIOS Name Release Requests Low
WIN-PSL-003 Enable PowerShell Transcription Medium
WIN-RDP-005 Always Prompt for Password on RDP Connection Medium
WIN-SMB-007 Disable SMB Client Insecure Guest Logons Medium
WIN-UAC-006 Only Elevate UIAccess Apps in Secure Locations Medium
WIN-DEF-007 Scan Removable Drives During Full Scan Low
WIN-DEF-008 Enable Block at First Sight Medium
WIN-DEF-009 Enable Defender Behavior Monitoring High
WIN-TLS-001 Enable TLS 1.2 (Server) Medium
WIN-TLS-002 Enable TLS 1.2 (Client) Medium
WIN-TLS-003 Disable RC4 128/128 Cipher High
WIN-TLS-004 Disable RC4 40/128 Cipher High
WIN-TLS-005 Disable Triple DES 168 Cipher Medium
WIN-FW-002 Block Inbound Connections by Default (Domain Profile) Medium
WIN-FW-003 Block Inbound Connections by Default (Private Profile) Medium
WIN-FW-004 Block Inbound Connections by Default (Public Profile) Medium
WIN-FW-005 Log Dropped Packets (Public Profile) Low
WIN-WINRM-003 Disable WinRM Client Digest Authentication Medium
WIN-TLS-006 Disable RC4 56/128 Cipher High
WIN-TLS-007 Disable RC4 64/128 Cipher High
WIN-TLS-008 Disable DES 56/56 Cipher Medium
WIN-TLS-009 Disable NULL Cipher Medium
WIN-RDP-007 Set RDP Idle Session Time Limit Low
WIN-RDP-008 Set RDP Disconnected Session Time Limit Low
WIN-RDP-009 Do Not Allow Saved RDP Passwords Medium
WIN-UAC-007 Apply UAC Token Filtering to Remote Local Accounts High
WIN-ACCT-001 Block Microsoft Accounts Medium
WIN-NET-006 Disable mDNS Medium
WIN-DEF-010 Enable Email Scanning Medium
WIN-DEF-011 Enable Archive Scanning Medium
WIN-DEF-012 Scan Mapped Network Drives During Full Scan Low
WIN-DEF-013 Scan Downloaded Files and Attachments High
WIN-DEF-014 Disable Local Admin Merge of Defender Preferences Medium
WIN-DEF-015 Enable Real-Time Script Scanning Medium
WIN-AUD-017 Audit PNP Activity Medium
WIN-AUD-018 Audit Group Membership Medium
WIN-AUD-019 Audit Other Object Access Events Medium
WIN-AUD-020 Audit Detailed File Share Medium
WIN-SMB-008 Do Not Send Unencrypted Password to Third-Party SMB Servers Medium
WIN-LSA-011 Disallow LocalSystem NULL Session Fallback Medium
WIN-LSA-012 Strengthen Default Permissions of Internal System Objects Low
WIN-NET-007 Enable Safe DLL Search Mode Medium
WIN-PRINT-001 Restrict Point and Print Driver Installation to Administrators High
WIN-PRINT-002 Require Elevation for New Point and Print Connections Medium
WIN-URA-001 Access Credential Manager as a Trusted Caller = No One High
WIN-URA-002 Act as Part of the Operating System = No One High
WIN-URA-003 Create a Token Object = No One High
WIN-URA-004 Create Permanent Shared Objects = No One Medium
WIN-URA-005 Debug Programs = Administrators Only High
WIN-URA-006 Deny Access to This Computer From the Network (includes Guests) Medium
WIN-URA-007 Deny Log On as a Batch Job (includes Guests) Low
WIN-URA-008 Deny Log On as a Service (includes Guests) Low
WIN-URA-009 Deny Log On Locally (includes Guests) Medium
WIN-URA-010 Deny Log On Through Remote Desktop Services (includes Guests) Medium
WIN-URA-011 Force Shutdown From a Remote System = Administrators Only Medium
WIN-URA-012 Generate Security Audits = Local Service, Network Service Medium
WIN-URA-013 Impersonate a Client After Authentication = Service Accounts and Administrators Medium
WIN-URA-014 Load and Unload Device Drivers = Administrators Only Medium
WIN-URA-015 Manage Auditing and Security Log = Administrators Only Medium
WIN-URA-016 Take Ownership of Files or Other Objects = Administrators Only Medium
WIN-URA-017 Access This Computer From the Network = Administrators, Authenticated Users High
WIN-URA-018 Allow Log On Locally = Administrators Medium
WIN-URA-019 Allow Log On Through Remote Desktop Services = Administrators, Remote Desktop Users Medium
WIN-URA-020 Back Up Files and Directories = Administrators Medium
WIN-URA-021 Restore Files and Directories = Administrators Medium
WIN-URA-022 Change the System Time = Administrators, Local Service Medium
WIN-URA-023 Change the Time Zone = Administrators, Local Service, Users Low
WIN-URA-024 Create a Pagefile = Administrators Low
WIN-URA-025 Create Global Objects = Administrators and Service Accounts Medium
WIN-URA-026 Create Symbolic Links = Administrators Medium
WIN-URA-027 Adjust Memory Quotas for a Process = Administrators and Service Accounts Low
WIN-URA-028 Increase Scheduling Priority = Administrators, Window Manager Low
WIN-URA-029 Lock Pages in Memory = No One Medium
WIN-URA-030 Perform Volume Maintenance Tasks = Administrators Medium
WIN-URA-031 Profile Single Process = Administrators Low
WIN-URA-032 Replace a Process Level Token = Local Service, Network Service Medium
WIN-URA-033 Shut Down the System = Administrators Low
WIN-URA-034 Modify Firmware Environment Values = Administrators Medium
WIN-URA-035 Enable Accounts to Be Trusted for Delegation = No One High
WIN-URA-036 Obtain an Impersonation Token for Another User = No One Medium
WIN-URA-037 Modify an Object Label = No One Low
WIN-URA-038 Synchronize Directory Service Data = No One Medium
WIN-URA-039 Profile System Performance = Administrators, WdiServiceHost Low
WIN-LSA-013 Digitally Encrypt Secure Channel Data (When Possible) Medium
WIN-LSA-014 Digitally Sign Secure Channel Data (When Possible) Medium
WIN-LSA-015 Do Not Disable Machine Account Password Changes Medium
WIN-LSA-016 Maximum Machine Account Password Age (30 Days) Low
WIN-LSA-017 Require Strong (Windows 2000 or Later) Session Key Medium
WIN-SMB-009 Digitally Sign Client Communications (If Server Agrees) Low
WIN-SMB-010 Digitally Sign Server Communications (If Client Agrees) Low
WIN-SMB-011 Idle Time Required Before Suspending an SMB Session (15 min) Low
WIN-SMB-012 Disconnect Clients When Logon Hours Expire Low
WIN-SMB-013 Server SPN Target Name Validation Level Medium
WIN-NTLM-004 Allow LocalSystem to Use Computer Identity for NTLM Medium
WIN-NTLM-005 Disallow PKU2U Online Identities Medium
WIN-NTLM-006 Audit Incoming NTLM Traffic Low
WIN-NTLM-007 Audit Outgoing NTLM Traffic to Remote Servers Low
WIN-LSA-018 Do Not Store Passwords and Credentials for Network Authentication High
WIN-LOGON-007 Do Not Allow System to Be Shut Down Without Logging On Low
WIN-LSA-019 Require Case Insensitivity for Non-Windows Subsystems Low
WIN-AUD-021 Force Audit Policy Subcategory Settings Medium
WIN-PRINT-003 Prevent Users From Installing Printer Drivers Medium
WIN-ACCT-002 Guest Account Disabled Medium
WIN-ACCT-003 Force Logoff When Logon Hours Expire Low
WIN-UAC-008 Admin Approval Mode for the Built-in Administrator Medium
WIN-UAC-009 Virtualize File and Registry Write Failures to Per-User Locations Low
WIN-AUD-022 Audit Other Account Management Events Medium
WIN-AUD-023 Audit File Share Medium
WIN-AUD-024 Audit Authorization Policy Change Medium
WIN-AUD-025 Audit Other Policy Change Events Low
WIN-AUD-026 Audit IPsec Driver Medium
WIN-AUD-027 Audit Other System Events Low
WIN-AUD-028 Audit Security State Change Medium
WIN-AUD-029 Audit Security System Extension Medium
WIN-EVTLOG-001 Application Event Log Maximum Size (>= 32 MB) Medium
WIN-EVTLOG-002 Application Event Log Retention (Overwrite as Needed) Low
WIN-EVTLOG-003 Security Event Log Maximum Size (>= 192 MB) High
WIN-EVTLOG-004 Security Event Log Retention (Overwrite as Needed) Low
WIN-EVTLOG-005 Setup Event Log Maximum Size (>= 32 MB) Low
WIN-EVTLOG-006 Setup Event Log Retention (Overwrite as Needed) Low
WIN-EVTLOG-007 System Event Log Maximum Size (>= 32 MB) Medium
WIN-EVTLOG-008 System Event Log Retention (Overwrite as Needed) Low
WIN-AUD-030 Include Command Line in Process Creation Events Medium
WIN-CREDDEL-001 Encryption Oracle Remediation (Force Updated Clients) High
WIN-CREDDEL-002 Remote Host Allows Delegation of Non-Exportable Credentials Medium
WIN-ELAM-001 Boot-Start Driver Initialization Policy Medium
WIN-GPO-001 Registry Policy Processing: Apply During Background Refresh Low
WIN-GPO-002 Registry Policy Processing: Process Even If Unchanged Low
WIN-GPO-003 Disable Continue Experiences (Connected Devices Platform) Low
WIN-INET-001 Turn Off Downloading of Print Drivers Over HTTP Low
WIN-INET-002 Turn Off Printing Over HTTP Low
WIN-INET-003 Turn Off Windows Error Reporting Low
WIN-INET-004 Turn Off Windows Customer Experience Improvement Program Low
WIN-INET-005 Turn Off Internet Download for Web Publishing and Online Ordering Low
WIN-INET-006 Turn Off Internet Connection Wizard If URL Connection Low
WIN-INET-007 Turn Off Search Companion Content File Updates Low
WIN-LOGON-009 Do Not Enumerate Connected Users on Domain-Joined Computers Medium
WIN-LOGON-010 Do Not Enumerate Local Users on Domain-Joined Computers Medium
WIN-LOGON-011 Block User From Showing Account Details on Sign-In Low
WIN-LOGON-012 Do Not Display Network Selection UI Low
WIN-LOGON-013 Turn Off App Notifications on the Lock Screen Low
WIN-LOGON-014 Disable Convenience PIN Sign-In Medium
WIN-RA-001 Disable Solicited Remote Assistance Medium
WIN-RA-002 Disable Offer (Unsolicited) Remote Assistance Medium
WIN-RPC-001 Restrict Unauthenticated RPC Clients Medium
WIN-RPC-002 Enable RPC Endpoint Mapper Client Authentication Medium
WIN-CREDUI-001 Do Not Display the Password Reveal Button Low
WIN-CREDUI-002 Do Not Enumerate Administrator Accounts on Elevation Medium
WIN-CREDUI-003 Prevent Use of Security Questions for Local Accounts Low
WIN-TELEM-001 Limit Diagnostic Data to Required or Less Low
WIN-TELEM-002 Disable OneSettings Downloads Low
WIN-TELEM-003 Do Not Show Feedback Notifications Low
WIN-TELEM-004 Enable OneSettings Auditing Low
WIN-TELEM-005 Disable Windows Insider Preview Builds Medium
WIN-CLOUD-001 Turn Off Microsoft Consumer Experiences Low
WIN-SMARTSCREEN-001 Configure Windows Defender SmartScreen Medium
WIN-RDP-010 Disable RDP COM Port Redirection Low
WIN-RDP-011 Disable RDP LPT Port Redirection Low
WIN-RDP-012 Disable RDP Plug and Play Device Redirection Low
WIN-RDP-013 Require Secure RPC for Remote Desktop Medium
WIN-RDP-014 Use Temporary Folders Per RDP Session Low
WIN-WINRM-004 Disable WinRM Service Basic Authentication Medium
WIN-WINRM-005 Disallow WinRM Storing RunAs Credentials Medium
WIN-WINRM-006 Disallow WinRM Client Unencrypted Traffic Medium
WIN-WINRS-001 Disable Windows Remote Shell Access Medium
WIN-AUTORUN-002 Disallow Autoplay for Non-Volume Devices Medium
WIN-AUTORUN-003 Set Default AutoRun Behavior to Do Not Execute Medium
WIN-INSTALL-002 Disable User Control Over Windows Installer Medium
WIN-LOGON-015 Disable Automatic Restart Sign-On (ARSO) Medium
WIN-DEF-016 Enable Defender File Hash Computation Low
WIN-NET-008 Hardened UNC Path for SYSVOL High
WIN-NET-009 Hardened UNC Path for NETLOGON High
WIN-NET-010 Disable Font Providers Low
WIN-NET-011 Turn Off Smart Multi-Homed Name Resolution Medium
WIN-NET-012 Prohibit Installation of Network Bridge Low
WIN-NET-013 Prohibit Internet Connection Sharing Low
WIN-NET-014 Require Domain Users to Elevate When Setting Network Location Low
WIN-NET-015 Minimize Simultaneous Internet and Domain Connections Low
WIN-NET-016 Prohibit Non-Domain Networks When on Domain Network Low
WIN-NET-017 Disable Windows Connect Now Registrars Low
WIN-NET-018 Prohibit Access of Windows Connect Now Wizards Low
WIN-NET-019 Turn Off Link-Layer Topology Mapper I/O Driver Low
WIN-NET-020 Turn Off Link-Layer Topology Responder Driver Low
WIN-NET-021 TCP Maximum Data Retransmissions (IPv4) Low
WIN-NET-022 TCP Maximum Data Retransmissions (IPv6) Low
WIN-NET-023 TCP Keep-Alive Time Low
WIN-NET-024 Disable Dead Gateway Detection Low
WIN-EVTLOG-009 Security Log Near-Capacity Warning Threshold Low
WIN-LOGON-016 Screen Saver Grace Period Low
WIN-SCRSVR-001 Enable Screen Saver (Default Profile) Low
WIN-SCRSVR-002 Password Protect the Screen Saver (Default Profile) Medium
WIN-SCRSVR-003 Screen Saver Timeout (Default Profile) Low
WIN-LOGON-017 Turn Off Toast Notifications on the Lock Screen (Default Profile) Low
WIN-DEF-017 Notify Antivirus When Opening Attachments (Default Profile) Medium
WIN-LOGON-018 Logon Legal Notice Text Low
WIN-LOGON-019 Logon Legal Notice Title Low