Baselines¶
CloudInfra Secure ships 7 baselines. Each is a curated collection of control IDs.
CloudInfra Secure Domain Controller - Role tier¶
Baseline for Active Directory Domain Controllers.
ID: CloudInfraSecure-DomainController Controls: 181 Supported OS: WindowsServer2022, WindowsServer2025
| Control | Name | Severity |
|---|---|---|
| WIN-FW-001 | Windows Firewall Enabled (All Profiles) | High |
| WIN-SMB-001 | Disable SMBv1 | High |
| WIN-TLS-010 | Disable TLS 1.0 (Server) | High |
| WIN-TLS-011 | Disable TLS 1.1 (Server) | High |
| WIN-PWD-001 | Minimum Password Length | High |
| WIN-PWD-002 | Password Complexity Enabled | High |
| WIN-LOCK-001 | Account Lockout Threshold | Medium |
| WIN-AUD-001 | Audit Logon Failures | Medium |
| WIN-AUD-002 | Audit Account Lockout Events | Medium |
| WIN-UAC-001 | User Account Control Enabled | High |
| WIN-DEF-001 | Microsoft Defender Antivirus Enabled | High |
| WIN-PWD-003 | Maximum Password Age | Medium |
| WIN-PWD-004 | Minimum Password Age | Low |
| WIN-PWD-005 | Enforce Password History | Medium |
| WIN-PWD-006 | Disable Reversible Password Encryption | High |
| WIN-LOCK-002 | Account Lockout Duration | Medium |
| WIN-LOCK-003 | Reset Account Lockout Counter | Medium |
| WIN-NTLM-001 | LAN Manager Authentication Level (NTLMv2 Only) | High |
| WIN-LSA-001 | Do Not Store LAN Manager Hash | High |
| WIN-LSA-002 | Restrict Anonymous SID Enumeration | Medium |
| WIN-WDIGEST-001 | Disable WDigest Credential Caching | High |
| WIN-LSA-003 | Enable LSASS Protection (RunAsPPL) | High |
| WIN-AUD-004 | Audit Credential Validation | Medium |
| WIN-AUD-005 | Audit Security Group Management | Medium |
| WIN-AUD-003 | Audit Process Creation | Medium |
| WIN-SMB-004 | Disable SMBv1 Client | High |
| WIN-SMB-005 | Require SMB Client Signing | Medium |
| WIN-LDAP-001 | LDAP Client Signing | Medium |
| WIN-NET-001 | Disable LLMNR | Medium |
| WIN-TLS-012 | Disable SSL 3.0 (Server) | High |
| WIN-TLS-013 | Disable SSL 2.0 (Server) | High |
| WIN-LOGON-001 | Machine Inactivity Limit | Medium |
| WIN-LOGON-002 | Do Not Display Last Signed-In User | Low |
| WIN-AUD-006 | Audit Special Logon | Medium |
| WIN-AUD-007 | Audit Sensitive Privilege Use | Medium |
| WIN-AUD-008 | Audit System Integrity | Medium |
| WIN-SVC-001 | Disable Remote Registry Service | Medium |
| WIN-DEF-002 | Enable Potentially Unwanted Application (PUA) Protection | High |
| WIN-DEF-003 | Enable Defender Real-Time Protection | High |
| WIN-DEF-004 | Enable Cloud-Delivered Protection | Medium |
| WIN-NET-002 | Disable IPv4 Source Routing | Medium |
| WIN-NET-003 | Disable ICMP Redirects | Low |
| WIN-NET-004 | Disable IPv6 Source Routing | Medium |
| WIN-SMB-006 | Restrict Anonymous Access to Named Pipes and Shares | Medium |
| WIN-LSA-004 | Do Not Allow Anonymous Enumeration of SAM Accounts | Medium |
| WIN-LSA-005 | Enable Structured Exception Handling Overwrite Protection (SEHOP) | Medium |
| WIN-LOGON-003 | Limit Number of Cached Logons | Medium |
| WIN-UAC-004 | Deny UAC Elevation Prompt for Standard Users | Medium |
| WIN-UAC-005 | UAC Switch to the Secure Desktop for Elevation | Medium |
| WIN-AUD-009 | Audit Logoff | Medium |
| WIN-AUD-010 | Audit Removable Storage | Medium |
| WIN-AUD-011 | Audit Authentication Policy Change | Medium |
| WIN-AUD-012 | Audit User Account Management | Medium |
| WIN-AUD-013 | Audit Computer Account Management | Medium |
| WIN-AUD-014 | Audit Audit Policy Change | Medium |
| WIN-AUD-015 | Audit Other Logon/Logoff Events | Medium |
| WIN-AUD-016 | Audit MPSSVC Rule-Level Policy Change | Medium |
| WIN-NTLM-002 | Minimum NTLM Session Security (Clients) | Medium |
| WIN-NTLM-003 | Minimum NTLM Session Security (Servers) | Medium |
| WIN-LSA-006 | Digitally Encrypt or Sign Secure Channel Data (Always) | Medium |
| WIN-LSA-007 | Do Not Apply Everyone Permissions to Anonymous Users | Medium |
| WIN-LOGON-004 | Require Ctrl+Alt+Del at Logon | Low |
| WIN-WINRM-001 | Disable WinRM Client Basic Authentication | Medium |
| WIN-WINRM-002 | Disallow WinRM Unencrypted Traffic | Medium |
| WIN-LSA-008 | Restrict Clients Allowed to Make Remote SAM Calls | Medium |
| WIN-LSA-009 | Limit Local Account Use of Blank Passwords | High |
| WIN-LSA-010 | Sharing and Security Model for Local Accounts (Classic) | Medium |
| WIN-KRB-001 | Configure Kerberos Encryption Types (AES only) | Medium |
| WIN-NET-005 | Ignore NetBIOS Name Release Requests | Low |
| WIN-PSL-003 | Enable PowerShell Transcription | Medium |
| WIN-UAC-006 | Only Elevate UIAccess Apps in Secure Locations | Medium |
| WIN-LOGON-006 | Disable Automatic Logon | Medium |
| WIN-TLS-001 | Enable TLS 1.2 (Server) | Medium |
| WIN-TLS-002 | Enable TLS 1.2 (Client) | Medium |
| WIN-TLS-003 | Disable RC4 128/128 Cipher | High |
| WIN-TLS-004 | Disable RC4 40/128 Cipher | High |
| WIN-TLS-005 | Disable Triple DES 168 Cipher | Medium |
| WIN-FW-002 | Block Inbound Connections by Default (Domain Profile) | Medium |
| WIN-FW-003 | Block Inbound Connections by Default (Private Profile) | Medium |
| WIN-FW-004 | Block Inbound Connections by Default (Public Profile) | Medium |
| WIN-DEF-009 | Enable Defender Behavior Monitoring | High |
| WIN-WINRM-003 | Disable WinRM Client Digest Authentication | Medium |
| WIN-VBS-001 | Enable Virtualization Based Security | High |
| WIN-VBS-002 | Require Secure Boot for VBS | Medium |
| WIN-VBS-003 | Enable Memory Integrity (HVCI) | High |
| WIN-CG-001 | Enable Credential Guard | High |
| WIN-TLS-006 | Disable RC4 56/128 Cipher | High |
| WIN-TLS-007 | Disable RC4 64/128 Cipher | High |
| WIN-TLS-008 | Disable DES 56/56 Cipher | Medium |
| WIN-TLS-009 | Disable NULL Cipher | Medium |
| WIN-ACCT-001 | Block Microsoft Accounts | Medium |
| WIN-UAC-007 | Apply UAC Token Filtering to Remote Local Accounts | High |
| WIN-AUD-017 | Audit PNP Activity | Medium |
| WIN-AUD-018 | Audit Group Membership | Medium |
| WIN-AUD-019 | Audit Other Object Access Events | Medium |
| WIN-AUD-020 | Audit Detailed File Share | Medium |
| WIN-LSA-011 | Disallow LocalSystem NULL Session Fallback | Medium |
| WIN-LSA-012 | Strengthen Default Permissions of Internal System Objects | Low |
| WIN-NET-007 | Enable Safe DLL Search Mode | Medium |
| WIN-DEF-013 | Scan Downloaded Files and Attachments | High |
| WIN-URA-001 | Access Credential Manager as a Trusted Caller = No One | High |
| WIN-URA-002 | Act as Part of the Operating System = No One | High |
| WIN-URA-003 | Create a Token Object = No One | High |
| WIN-URA-004 | Create Permanent Shared Objects = No One | Medium |
| WIN-URA-006 | Deny Access to This Computer From the Network (includes Guests) | Medium |
| WIN-URA-007 | Deny Log On as a Batch Job (includes Guests) | Low |
| WIN-URA-008 | Deny Log On as a Service (includes Guests) | Low |
| WIN-URA-009 | Deny Log On Locally (includes Guests) | Medium |
| WIN-URA-010 | Deny Log On Through Remote Desktop Services (includes Guests) | Medium |
| WIN-URA-029 | Lock Pages in Memory = No One | Medium |
| WIN-URA-036 | Obtain an Impersonation Token for Another User = No One | Medium |
| WIN-URA-037 | Modify an Object Label = No One | Low |
| WIN-LSA-013 | Digitally Encrypt Secure Channel Data (When Possible) | Medium |
| WIN-LSA-014 | Digitally Sign Secure Channel Data (When Possible) | Medium |
| WIN-LSA-015 | Do Not Disable Machine Account Password Changes | Medium |
| WIN-LSA-016 | Maximum Machine Account Password Age (30 Days) | Low |
| WIN-LSA-017 | Require Strong (Windows 2000 or Later) Session Key | Medium |
| WIN-NTLM-004 | Allow LocalSystem to Use Computer Identity for NTLM | Medium |
| WIN-AUD-021 | Force Audit Policy Subcategory Settings | Medium |
| WIN-ACCT-002 | Guest Account Disabled | Medium |
| WIN-ACCT-003 | Force Logoff When Logon Hours Expire | Low |
| WIN-AUD-022 | Audit Other Account Management Events | Medium |
| WIN-AUD-023 | Audit File Share | Medium |
| WIN-AUD-024 | Audit Authorization Policy Change | Medium |
| WIN-AUD-025 | Audit Other Policy Change Events | Low |
| WIN-AUD-026 | Audit IPsec Driver | Medium |
| WIN-AUD-027 | Audit Other System Events | Low |
| WIN-AUD-028 | Audit Security State Change | Medium |
| WIN-AUD-029 | Audit Security System Extension | Medium |
| WIN-EVTLOG-001 | Application Event Log Maximum Size (>= 32 MB) | Medium |
| WIN-EVTLOG-002 | Application Event Log Retention (Overwrite as Needed) | Low |
| WIN-EVTLOG-003 | Security Event Log Maximum Size (>= 192 MB) | High |
| WIN-EVTLOG-004 | Security Event Log Retention (Overwrite as Needed) | Low |
| WIN-EVTLOG-005 | Setup Event Log Maximum Size (>= 32 MB) | Low |
| WIN-EVTLOG-006 | Setup Event Log Retention (Overwrite as Needed) | Low |
| WIN-EVTLOG-007 | System Event Log Maximum Size (>= 32 MB) | Medium |
| WIN-EVTLOG-008 | System Event Log Retention (Overwrite as Needed) | Low |
| WIN-AUD-030 | Include Command Line in Process Creation Events | Medium |
| WIN-CREDDEL-001 | Encryption Oracle Remediation (Force Updated Clients) | High |
| WIN-CREDDEL-002 | Remote Host Allows Delegation of Non-Exportable Credentials | Medium |
| WIN-ELAM-001 | Boot-Start Driver Initialization Policy | Medium |
| WIN-GPO-001 | Registry Policy Processing: Apply During Background Refresh | Low |
| WIN-GPO-002 | Registry Policy Processing: Process Even If Unchanged | Low |
| WIN-GPO-003 | Disable Continue Experiences (Connected Devices Platform) | Low |
| WIN-INET-001 | Turn Off Downloading of Print Drivers Over HTTP | Low |
| WIN-INET-002 | Turn Off Printing Over HTTP | Low |
| WIN-INET-003 | Turn Off Windows Error Reporting | Low |
| WIN-INET-004 | Turn Off Windows Customer Experience Improvement Program | Low |
| WIN-INET-005 | Turn Off Internet Download for Web Publishing and Online Ordering | Low |
| WIN-INET-006 | Turn Off Internet Connection Wizard If URL Connection | Low |
| WIN-INET-007 | Turn Off Search Companion Content File Updates | Low |
| WIN-LOGON-009 | Do Not Enumerate Connected Users on Domain-Joined Computers | Medium |
| WIN-LOGON-010 | Do Not Enumerate Local Users on Domain-Joined Computers | Medium |
| WIN-LOGON-011 | Block User From Showing Account Details on Sign-In | Low |
| WIN-LOGON-012 | Do Not Display Network Selection UI | Low |
| WIN-LOGON-013 | Turn Off App Notifications on the Lock Screen | Low |
| WIN-LOGON-014 | Disable Convenience PIN Sign-In | Medium |
| WIN-RPC-001 | Restrict Unauthenticated RPC Clients | Medium |
| WIN-RPC-002 | Enable RPC Endpoint Mapper Client Authentication | Medium |
| WIN-CREDUI-001 | Do Not Display the Password Reveal Button | Low |
| WIN-CREDUI-002 | Do Not Enumerate Administrator Accounts on Elevation | Medium |
| WIN-TELEM-001 | Limit Diagnostic Data to Required or Less | Low |
| WIN-TELEM-002 | Disable OneSettings Downloads | Low |
| WIN-SMARTSCREEN-001 | Configure Windows Defender SmartScreen | Medium |
| WIN-WINRM-004 | Disable WinRM Service Basic Authentication | Medium |
| WIN-WINRM-005 | Disallow WinRM Storing RunAs Credentials | Medium |
| WIN-WINRM-006 | Disallow WinRM Client Unencrypted Traffic | Medium |
| WIN-WINRS-001 | Disable Windows Remote Shell Access | Medium |
| WIN-DEF-016 | Enable Defender File Hash Computation | Low |
| WIN-NET-008 | Hardened UNC Path for SYSVOL | High |
| WIN-NET-009 | Hardened UNC Path for NETLOGON | High |
| WIN-NET-010 | Disable Font Providers | Low |
| WIN-NET-011 | Turn Off Smart Multi-Homed Name Resolution | Medium |
| WIN-NET-021 | TCP Maximum Data Retransmissions (IPv4) | Low |
| WIN-NET-022 | TCP Maximum Data Retransmissions (IPv6) | Low |
| WIN-EVTLOG-009 | Security Log Near-Capacity Warning Threshold | Low |
| WIN-SCRSVR-001 | Enable Screen Saver (Default Profile) | Low |
| WIN-SCRSVR-002 | Password Protect the Screen Saver (Default Profile) | Medium |
| WIN-SCRSVR-003 | Screen Saver Timeout (Default Profile) | Low |
| WIN-LOGON-018 | Logon Legal Notice Text | Low |
| WIN-LOGON-019 | Logon Legal Notice Title | Low |
CloudInfra Secure Enterprise - Enterprise tier¶
Comprehensive baseline for regulated and high-assurance environments.
ID: CloudInfraSecure-Enterprise Controls: 301 Supported OS: WindowsServer2022, WindowsServer2025
| Control | Name | Severity |
|---|---|---|
| WIN-FW-001 | Windows Firewall Enabled (All Profiles) | High |
| WIN-SMB-001 | Disable SMBv1 | High |
| WIN-TLS-010 | Disable TLS 1.0 (Server) | High |
| WIN-TLS-011 | Disable TLS 1.1 (Server) | High |
| WIN-RDP-001 | Require Network Level Authentication for RDP | High |
| WIN-PSL-001 | Enable PowerShell Script Block Logging | Medium |
| WIN-PSL-002 | Enable PowerShell Module Logging | Medium |
| WIN-PWD-001 | Minimum Password Length | High |
| WIN-PWD-002 | Password Complexity Enabled | High |
| WIN-LOCK-001 | Account Lockout Threshold | Medium |
| WIN-AUD-001 | Audit Logon Failures | Medium |
| WIN-AUD-002 | Audit Account Lockout Events | Medium |
| WIN-DEF-001 | Microsoft Defender Antivirus Enabled | High |
| WIN-UAC-001 | User Account Control Enabled | High |
| WIN-PWD-003 | Maximum Password Age | Medium |
| WIN-PWD-004 | Minimum Password Age | Low |
| WIN-PWD-005 | Enforce Password History | Medium |
| WIN-PWD-006 | Disable Reversible Password Encryption | High |
| WIN-LOCK-002 | Account Lockout Duration | Medium |
| WIN-LOCK-003 | Reset Account Lockout Counter | Medium |
| WIN-SMB-003 | Require SMB Signing (Server) | High |
| WIN-NTLM-001 | LAN Manager Authentication Level (NTLMv2 Only) | High |
| WIN-LSA-001 | Do Not Store LAN Manager Hash | High |
| WIN-LSA-002 | Restrict Anonymous SID Enumeration | Medium |
| WIN-LSA-003 | Enable LSASS Protection (RunAsPPL) | High |
| WIN-WDIGEST-001 | Disable WDigest Credential Caching | High |
| WIN-UAC-002 | UAC Elevation Prompt for Administrators | Medium |
| WIN-INSTALL-001 | Disable Always Install Elevated | High |
| WIN-AUTORUN-001 | Disable AutoRun on All Drives | Medium |
| WIN-AUD-003 | Audit Process Creation | Medium |
| WIN-AUD-004 | Audit Credential Validation | Medium |
| WIN-AUD-005 | Audit Security Group Management | Medium |
| WIN-SMB-004 | Disable SMBv1 Client | High |
| WIN-SMB-005 | Require SMB Client Signing | Medium |
| WIN-LDAP-001 | LDAP Client Signing | Medium |
| WIN-NET-001 | Disable LLMNR | Medium |
| WIN-TLS-012 | Disable SSL 3.0 (Server) | High |
| WIN-TLS-013 | Disable SSL 2.0 (Server) | High |
| WIN-RDP-002 | RDP Minimum Encryption Level (High) | Medium |
| WIN-RDP-003 | RDP Security Layer (TLS) | Medium |
| WIN-RDP-004 | Disable RDP Drive Redirection | Medium |
| WIN-SVC-001 | Disable Remote Registry Service | Medium |
| WIN-LOGON-001 | Machine Inactivity Limit | Medium |
| WIN-LOGON-002 | Do Not Display Last Signed-In User | Low |
| WIN-UAC-003 | UAC Detect Application Installations | Medium |
| WIN-AUD-006 | Audit Special Logon | Medium |
| WIN-AUD-007 | Audit Sensitive Privilege Use | Medium |
| WIN-AUD-008 | Audit System Integrity | Medium |
| WIN-DEF-002 | Enable Potentially Unwanted Application (PUA) Protection | High |
| WIN-DEF-003 | Enable Defender Real-Time Protection | High |
| WIN-DEF-004 | Enable Cloud-Delivered Protection | Medium |
| WIN-ASR-001 | ASR: Block Credential Stealing from LSASS | High |
| WIN-ASR-002 | ASR: Block Office Apps Creating Child Processes | Medium |
| WIN-ASR-003 | ASR: Block Executable Content from Email and Webmail | Medium |
| WIN-NET-002 | Disable IPv4 Source Routing | Medium |
| WIN-NET-003 | Disable ICMP Redirects | Low |
| WIN-NET-004 | Disable IPv6 Source Routing | Medium |
| WIN-SMB-006 | Restrict Anonymous Access to Named Pipes and Shares | Medium |
| WIN-LSA-004 | Do Not Allow Anonymous Enumeration of SAM Accounts | Medium |
| WIN-LSA-005 | Enable Structured Exception Handling Overwrite Protection (SEHOP) | Medium |
| WIN-LOGON-003 | Limit Number of Cached Logons | Medium |
| WIN-UAC-004 | Deny UAC Elevation Prompt for Standard Users | Medium |
| WIN-UAC-005 | UAC Switch to the Secure Desktop for Elevation | Medium |
| WIN-AUD-009 | Audit Logoff | Medium |
| WIN-AUD-010 | Audit Removable Storage | Medium |
| WIN-AUD-011 | Audit Authentication Policy Change | Medium |
| WIN-ASR-004 | ASR: Block Obfuscated Scripts | Medium |
| WIN-ASR-005 | ASR: Block Untrusted Processes from USB | Medium |
| WIN-ASR-006 | ASR: Block Process Creation from PSExec and WMI | Medium |
| WIN-ASR-007 | ASR: Advanced Protection Against Ransomware | High |
| WIN-ASR-008 | ASR: Block Office Apps Injecting Code into Other Processes | Medium |
| WIN-ASR-009 | ASR: Block Office Apps Creating Executable Content | Medium |
| WIN-AUD-012 | Audit User Account Management | Medium |
| WIN-AUD-013 | Audit Computer Account Management | Medium |
| WIN-AUD-014 | Audit Audit Policy Change | Medium |
| WIN-AUD-015 | Audit Other Logon/Logoff Events | Medium |
| WIN-AUD-016 | Audit MPSSVC Rule-Level Policy Change | Medium |
| WIN-LOGON-004 | Require Ctrl+Alt+Del at Logon | Low |
| WIN-NTLM-002 | Minimum NTLM Session Security (Clients) | Medium |
| WIN-NTLM-003 | Minimum NTLM Session Security (Servers) | Medium |
| WIN-LSA-006 | Digitally Encrypt or Sign Secure Channel Data (Always) | Medium |
| WIN-LSA-007 | Do Not Apply Everyone Permissions to Anonymous Users | Medium |
| WIN-WINRM-001 | Disable WinRM Client Basic Authentication | Medium |
| WIN-WINRM-002 | Disallow WinRM Unencrypted Traffic | Medium |
| WIN-ASR-010 | ASR: Block Persistence Through WMI Event Subscription | Medium |
| WIN-ASR-011 | ASR: Block Win32 API Calls from Office Macros | Medium |
| WIN-ASR-012 | ASR: Block Untrusted Executables by Prevalence, Age, or Trust | Medium |
| WIN-ASR-013 | ASR: Block Adobe Reader from Creating Child Processes | Medium |
| WIN-LSA-008 | Restrict Clients Allowed to Make Remote SAM Calls | Medium |
| WIN-LSA-009 | Limit Local Account Use of Blank Passwords | High |
| WIN-LSA-010 | Sharing and Security Model for Local Accounts (Classic) | Medium |
| WIN-KRB-001 | Configure Kerberos Encryption Types (AES only) | Medium |
| WIN-LOGON-005 | Smart Card Removal Behavior (Lock Workstation) | Low |
| WIN-LOGON-006 | Disable Automatic Logon | Medium |
| WIN-NET-005 | Ignore NetBIOS Name Release Requests | Low |
| WIN-PSL-003 | Enable PowerShell Transcription | Medium |
| WIN-RDP-005 | Always Prompt for Password on RDP Connection | Medium |
| WIN-RDP-006 | Disable RDP Clipboard Redirection | Low |
| WIN-SMB-007 | Disable SMB Client Insecure Guest Logons | Medium |
| WIN-UAC-006 | Only Elevate UIAccess Apps in Secure Locations | Medium |
| WIN-DEF-005 | Enable Network Protection | Medium |
| WIN-DEF-006 | Enable Controlled Folder Access | Medium |
| WIN-DEF-007 | Scan Removable Drives During Full Scan | Low |
| WIN-DEF-008 | Enable Block at First Sight | Medium |
| WIN-DEF-009 | Enable Defender Behavior Monitoring | High |
| WIN-TLS-001 | Enable TLS 1.2 (Server) | Medium |
| WIN-TLS-002 | Enable TLS 1.2 (Client) | Medium |
| WIN-TLS-003 | Disable RC4 128/128 Cipher | High |
| WIN-TLS-004 | Disable RC4 40/128 Cipher | High |
| WIN-TLS-005 | Disable Triple DES 168 Cipher | Medium |
| WIN-FW-002 | Block Inbound Connections by Default (Domain Profile) | Medium |
| WIN-FW-003 | Block Inbound Connections by Default (Private Profile) | Medium |
| WIN-FW-004 | Block Inbound Connections by Default (Public Profile) | Medium |
| WIN-FW-005 | Log Dropped Packets (Public Profile) | Low |
| WIN-SVC-002 | Disable Print Spooler Service | Medium |
| WIN-WINRM-003 | Disable WinRM Client Digest Authentication | Medium |
| WIN-VBS-001 | Enable Virtualization Based Security | High |
| WIN-VBS-002 | Require Secure Boot for VBS | Medium |
| WIN-VBS-003 | Enable Memory Integrity (HVCI) | High |
| WIN-CG-001 | Enable Credential Guard | High |
| WIN-TLS-006 | Disable RC4 56/128 Cipher | High |
| WIN-TLS-007 | Disable RC4 64/128 Cipher | High |
| WIN-TLS-008 | Disable DES 56/56 Cipher | Medium |
| WIN-TLS-009 | Disable NULL Cipher | Medium |
| WIN-RDP-007 | Set RDP Idle Session Time Limit | Low |
| WIN-RDP-008 | Set RDP Disconnected Session Time Limit | Low |
| WIN-RDP-009 | Do Not Allow Saved RDP Passwords | Medium |
| WIN-UAC-007 | Apply UAC Token Filtering to Remote Local Accounts | High |
| WIN-ACCT-001 | Block Microsoft Accounts | Medium |
| WIN-NET-006 | Disable mDNS | Medium |
| WIN-ASR-014 | ASR: Block Webshell Creation for Servers | High |
| WIN-ASR-015 | ASR: Block Rebooting Machine in Safe Mode | Medium |
| WIN-DEF-010 | Enable Email Scanning | Medium |
| WIN-DEF-011 | Enable Archive Scanning | Medium |
| WIN-DEF-012 | Scan Mapped Network Drives During Full Scan | Low |
| WIN-DEF-013 | Scan Downloaded Files and Attachments | High |
| WIN-DEF-014 | Disable Local Admin Merge of Defender Preferences | Medium |
| WIN-DEF-015 | Enable Real-Time Script Scanning | Medium |
| WIN-AUD-017 | Audit PNP Activity | Medium |
| WIN-AUD-018 | Audit Group Membership | Medium |
| WIN-AUD-019 | Audit Other Object Access Events | Medium |
| WIN-AUD-020 | Audit Detailed File Share | Medium |
| WIN-SMB-008 | Do Not Send Unencrypted Password to Third-Party SMB Servers | Medium |
| WIN-LSA-011 | Disallow LocalSystem NULL Session Fallback | Medium |
| WIN-LSA-012 | Strengthen Default Permissions of Internal System Objects | Low |
| WIN-NET-007 | Enable Safe DLL Search Mode | Medium |
| WIN-PRINT-001 | Restrict Point and Print Driver Installation to Administrators | High |
| WIN-PRINT-002 | Require Elevation for New Point and Print Connections | Medium |
| WIN-URA-001 | Access Credential Manager as a Trusted Caller = No One | High |
| WIN-URA-002 | Act as Part of the Operating System = No One | High |
| WIN-URA-003 | Create a Token Object = No One | High |
| WIN-URA-004 | Create Permanent Shared Objects = No One | Medium |
| WIN-URA-005 | Debug Programs = Administrators Only | High |
| WIN-URA-006 | Deny Access to This Computer From the Network (includes Guests) | Medium |
| WIN-URA-007 | Deny Log On as a Batch Job (includes Guests) | Low |
| WIN-URA-008 | Deny Log On as a Service (includes Guests) | Low |
| WIN-URA-009 | Deny Log On Locally (includes Guests) | Medium |
| WIN-URA-010 | Deny Log On Through Remote Desktop Services (includes Guests) | Medium |
| WIN-URA-011 | Force Shutdown From a Remote System = Administrators Only | Medium |
| WIN-URA-012 | Generate Security Audits = Local Service, Network Service | Medium |
| WIN-URA-013 | Impersonate a Client After Authentication = Service Accounts and Administrators | Medium |
| WIN-URA-014 | Load and Unload Device Drivers = Administrators Only | Medium |
| WIN-URA-015 | Manage Auditing and Security Log = Administrators Only | Medium |
| WIN-URA-016 | Take Ownership of Files or Other Objects = Administrators Only | Medium |
| WIN-URA-017 | Access This Computer From the Network = Administrators, Authenticated Users | High |
| WIN-URA-018 | Allow Log On Locally = Administrators | Medium |
| WIN-URA-019 | Allow Log On Through Remote Desktop Services = Administrators, Remote Desktop Users | Medium |
| WIN-URA-020 | Back Up Files and Directories = Administrators | Medium |
| WIN-URA-021 | Restore Files and Directories = Administrators | Medium |
| WIN-URA-022 | Change the System Time = Administrators, Local Service | Medium |
| WIN-URA-023 | Change the Time Zone = Administrators, Local Service, Users | Low |
| WIN-URA-024 | Create a Pagefile = Administrators | Low |
| WIN-URA-025 | Create Global Objects = Administrators and Service Accounts | Medium |
| WIN-URA-026 | Create Symbolic Links = Administrators | Medium |
| WIN-URA-027 | Adjust Memory Quotas for a Process = Administrators and Service Accounts | Low |
| WIN-URA-028 | Increase Scheduling Priority = Administrators, Window Manager | Low |
| WIN-URA-029 | Lock Pages in Memory = No One | Medium |
| WIN-URA-030 | Perform Volume Maintenance Tasks = Administrators | Medium |
| WIN-URA-031 | Profile Single Process = Administrators | Low |
| WIN-URA-032 | Replace a Process Level Token = Local Service, Network Service | Medium |
| WIN-URA-033 | Shut Down the System = Administrators | Low |
| WIN-URA-034 | Modify Firmware Environment Values = Administrators | Medium |
| WIN-URA-035 | Enable Accounts to Be Trusted for Delegation = No One | High |
| WIN-URA-036 | Obtain an Impersonation Token for Another User = No One | Medium |
| WIN-URA-037 | Modify an Object Label = No One | Low |
| WIN-URA-038 | Synchronize Directory Service Data = No One | Medium |
| WIN-URA-039 | Profile System Performance = Administrators, WdiServiceHost | Low |
| WIN-LSA-013 | Digitally Encrypt Secure Channel Data (When Possible) | Medium |
| WIN-LSA-014 | Digitally Sign Secure Channel Data (When Possible) | Medium |
| WIN-LSA-015 | Do Not Disable Machine Account Password Changes | Medium |
| WIN-LSA-016 | Maximum Machine Account Password Age (30 Days) | Low |
| WIN-LSA-017 | Require Strong (Windows 2000 or Later) Session Key | Medium |
| WIN-SMB-009 | Digitally Sign Client Communications (If Server Agrees) | Low |
| WIN-SMB-010 | Digitally Sign Server Communications (If Client Agrees) | Low |
| WIN-SMB-011 | Idle Time Required Before Suspending an SMB Session (15 min) | Low |
| WIN-SMB-012 | Disconnect Clients When Logon Hours Expire | Low |
| WIN-SMB-013 | Server SPN Target Name Validation Level | Medium |
| WIN-NTLM-004 | Allow LocalSystem to Use Computer Identity for NTLM | Medium |
| WIN-NTLM-005 | Disallow PKU2U Online Identities | Medium |
| WIN-NTLM-006 | Audit Incoming NTLM Traffic | Low |
| WIN-NTLM-007 | Audit Outgoing NTLM Traffic to Remote Servers | Low |
| WIN-LSA-018 | Do Not Store Passwords and Credentials for Network Authentication | High |
| WIN-LOGON-007 | Do Not Allow System to Be Shut Down Without Logging On | Low |
| WIN-LSA-019 | Require Case Insensitivity for Non-Windows Subsystems | Low |
| WIN-AUD-021 | Force Audit Policy Subcategory Settings | Medium |
| WIN-PRINT-003 | Prevent Users From Installing Printer Drivers | Medium |
| WIN-ACCT-002 | Guest Account Disabled | Medium |
| WIN-ACCT-003 | Force Logoff When Logon Hours Expire | Low |
| WIN-UAC-008 | Admin Approval Mode for the Built-in Administrator | Medium |
| WIN-UAC-009 | Virtualize File and Registry Write Failures to Per-User Locations | Low |
| WIN-LOGON-008 | Require Domain Controller Authentication to Unlock Workstation | Medium |
| WIN-AUD-022 | Audit Other Account Management Events | Medium |
| WIN-AUD-023 | Audit File Share | Medium |
| WIN-AUD-024 | Audit Authorization Policy Change | Medium |
| WIN-AUD-025 | Audit Other Policy Change Events | Low |
| WIN-AUD-026 | Audit IPsec Driver | Medium |
| WIN-AUD-027 | Audit Other System Events | Low |
| WIN-AUD-028 | Audit Security State Change | Medium |
| WIN-AUD-029 | Audit Security System Extension | Medium |
| WIN-EVTLOG-001 | Application Event Log Maximum Size (>= 32 MB) | Medium |
| WIN-EVTLOG-002 | Application Event Log Retention (Overwrite as Needed) | Low |
| WIN-EVTLOG-003 | Security Event Log Maximum Size (>= 192 MB) | High |
| WIN-EVTLOG-004 | Security Event Log Retention (Overwrite as Needed) | Low |
| WIN-EVTLOG-005 | Setup Event Log Maximum Size (>= 32 MB) | Low |
| WIN-EVTLOG-006 | Setup Event Log Retention (Overwrite as Needed) | Low |
| WIN-EVTLOG-007 | System Event Log Maximum Size (>= 32 MB) | Medium |
| WIN-EVTLOG-008 | System Event Log Retention (Overwrite as Needed) | Low |
| WIN-AUD-030 | Include Command Line in Process Creation Events | Medium |
| WIN-CREDDEL-001 | Encryption Oracle Remediation (Force Updated Clients) | High |
| WIN-CREDDEL-002 | Remote Host Allows Delegation of Non-Exportable Credentials | Medium |
| WIN-ELAM-001 | Boot-Start Driver Initialization Policy | Medium |
| WIN-GPO-001 | Registry Policy Processing: Apply During Background Refresh | Low |
| WIN-GPO-002 | Registry Policy Processing: Process Even If Unchanged | Low |
| WIN-GPO-003 | Disable Continue Experiences (Connected Devices Platform) | Low |
| WIN-INET-001 | Turn Off Downloading of Print Drivers Over HTTP | Low |
| WIN-INET-002 | Turn Off Printing Over HTTP | Low |
| WIN-INET-003 | Turn Off Windows Error Reporting | Low |
| WIN-INET-004 | Turn Off Windows Customer Experience Improvement Program | Low |
| WIN-INET-005 | Turn Off Internet Download for Web Publishing and Online Ordering | Low |
| WIN-INET-006 | Turn Off Internet Connection Wizard If URL Connection | Low |
| WIN-INET-007 | Turn Off Search Companion Content File Updates | Low |
| WIN-LOGON-009 | Do Not Enumerate Connected Users on Domain-Joined Computers | Medium |
| WIN-LOGON-010 | Do Not Enumerate Local Users on Domain-Joined Computers | Medium |
| WIN-LOGON-011 | Block User From Showing Account Details on Sign-In | Low |
| WIN-LOGON-012 | Do Not Display Network Selection UI | Low |
| WIN-LOGON-013 | Turn Off App Notifications on the Lock Screen | Low |
| WIN-LOGON-014 | Disable Convenience PIN Sign-In | Medium |
| WIN-RA-001 | Disable Solicited Remote Assistance | Medium |
| WIN-RA-002 | Disable Offer (Unsolicited) Remote Assistance | Medium |
| WIN-RPC-001 | Restrict Unauthenticated RPC Clients | Medium |
| WIN-RPC-002 | Enable RPC Endpoint Mapper Client Authentication | Medium |
| WIN-CREDUI-001 | Do Not Display the Password Reveal Button | Low |
| WIN-CREDUI-002 | Do Not Enumerate Administrator Accounts on Elevation | Medium |
| WIN-CREDUI-003 | Prevent Use of Security Questions for Local Accounts | Low |
| WIN-TELEM-001 | Limit Diagnostic Data to Required or Less | Low |
| WIN-TELEM-002 | Disable OneSettings Downloads | Low |
| WIN-TELEM-003 | Do Not Show Feedback Notifications | Low |
| WIN-TELEM-004 | Enable OneSettings Auditing | Low |
| WIN-TELEM-005 | Disable Windows Insider Preview Builds | Medium |
| WIN-CLOUD-001 | Turn Off Microsoft Consumer Experiences | Low |
| WIN-SMARTSCREEN-001 | Configure Windows Defender SmartScreen | Medium |
| WIN-RDP-010 | Disable RDP COM Port Redirection | Low |
| WIN-RDP-011 | Disable RDP LPT Port Redirection | Low |
| WIN-RDP-012 | Disable RDP Plug and Play Device Redirection | Low |
| WIN-RDP-013 | Require Secure RPC for Remote Desktop | Medium |
| WIN-RDP-014 | Use Temporary Folders Per RDP Session | Low |
| WIN-WINRM-004 | Disable WinRM Service Basic Authentication | Medium |
| WIN-WINRM-005 | Disallow WinRM Storing RunAs Credentials | Medium |
| WIN-WINRM-006 | Disallow WinRM Client Unencrypted Traffic | Medium |
| WIN-WINRS-001 | Disable Windows Remote Shell Access | Medium |
| WIN-AUTORUN-002 | Disallow Autoplay for Non-Volume Devices | Medium |
| WIN-AUTORUN-003 | Set Default AutoRun Behavior to Do Not Execute | Medium |
| WIN-INSTALL-002 | Disable User Control Over Windows Installer | Medium |
| WIN-LOGON-015 | Disable Automatic Restart Sign-On (ARSO) | Medium |
| WIN-DEF-016 | Enable Defender File Hash Computation | Low |
| WIN-NET-008 | Hardened UNC Path for SYSVOL | High |
| WIN-NET-009 | Hardened UNC Path for NETLOGON | High |
| WIN-NET-010 | Disable Font Providers | Low |
| WIN-NET-011 | Turn Off Smart Multi-Homed Name Resolution | Medium |
| WIN-NET-012 | Prohibit Installation of Network Bridge | Low |
| WIN-NET-013 | Prohibit Internet Connection Sharing | Low |
| WIN-NET-014 | Require Domain Users to Elevate When Setting Network Location | Low |
| WIN-NET-015 | Minimize Simultaneous Internet and Domain Connections | Low |
| WIN-NET-016 | Prohibit Non-Domain Networks When on Domain Network | Low |
| WIN-NET-017 | Disable Windows Connect Now Registrars | Low |
| WIN-NET-018 | Prohibit Access of Windows Connect Now Wizards | Low |
| WIN-NET-019 | Turn Off Link-Layer Topology Mapper I/O Driver | Low |
| WIN-NET-020 | Turn Off Link-Layer Topology Responder Driver | Low |
| WIN-NET-021 | TCP Maximum Data Retransmissions (IPv4) | Low |
| WIN-NET-022 | TCP Maximum Data Retransmissions (IPv6) | Low |
| WIN-NET-023 | TCP Keep-Alive Time | Low |
| WIN-NET-024 | Disable Dead Gateway Detection | Low |
| WIN-EVTLOG-009 | Security Log Near-Capacity Warning Threshold | Low |
| WIN-LOGON-016 | Screen Saver Grace Period | Low |
| WIN-SCRSVR-001 | Enable Screen Saver (Default Profile) | Low |
| WIN-SCRSVR-002 | Password Protect the Screen Saver (Default Profile) | Medium |
| WIN-SCRSVR-003 | Screen Saver Timeout (Default Profile) | Low |
| WIN-LOGON-017 | Turn Off Toast Notifications on the Lock Screen (Default Profile) | Low |
| WIN-DEF-017 | Notify Antivirus When Opening Attachments (Default Profile) | Medium |
| WIN-LOGON-018 | Logon Legal Notice Text | Low |
| WIN-LOGON-019 | Logon Legal Notice Title | Low |
CloudInfra Secure Essential - Essential tier¶
Baseline of essential hardening controls suitable for any Windows Server workload.
ID: CloudInfraSecure-Essential Controls: 17 Supported OS: WindowsServer2022, WindowsServer2025
| Control | Name | Severity |
|---|---|---|
| WIN-FW-001 | Windows Firewall Enabled (All Profiles) | High |
| WIN-SMB-001 | Disable SMBv1 | High |
| WIN-TLS-010 | Disable TLS 1.0 (Server) | High |
| WIN-TLS-011 | Disable TLS 1.1 (Server) | High |
| WIN-UAC-001 | User Account Control Enabled | High |
| WIN-DEF-001 | Microsoft Defender Antivirus Enabled | High |
| WIN-PWD-001 | Minimum Password Length | High |
| WIN-PWD-002 | Password Complexity Enabled | High |
| WIN-PWD-006 | Disable Reversible Password Encryption | High |
| WIN-LSA-001 | Do Not Store LAN Manager Hash | High |
| WIN-WDIGEST-001 | Disable WDigest Credential Caching | High |
| WIN-TLS-012 | Disable SSL 3.0 (Server) | High |
| WIN-TLS-013 | Disable SSL 2.0 (Server) | High |
| WIN-DEF-002 | Enable Potentially Unwanted Application (PUA) Protection | High |
| WIN-DEF-003 | Enable Defender Real-Time Protection | High |
| WIN-LOGON-018 | Logon Legal Notice Text | Low |
| WIN-LOGON-019 | Logon Legal Notice Title | Low |
CloudInfra Secure IIS Web Server - Role tier¶
Baseline for Internet Information Services (IIS) web servers.
ID: CloudInfraSecure-IISWebServer Controls: 103 Supported OS: WindowsServer2022, WindowsServer2025
| Control | Name | Severity |
|---|---|---|
| WIN-FW-001 | Windows Firewall Enabled (All Profiles) | High |
| WIN-TLS-010 | Disable TLS 1.0 (Server) | High |
| WIN-TLS-011 | Disable TLS 1.1 (Server) | High |
| WIN-DEF-001 | Microsoft Defender Antivirus Enabled | High |
| WIN-UAC-001 | User Account Control Enabled | High |
| WIN-PSL-001 | Enable PowerShell Script Block Logging | Medium |
| WIN-PSL-002 | Enable PowerShell Module Logging | Medium |
| WIN-SMB-003 | Require SMB Signing (Server) | High |
| WIN-NTLM-001 | LAN Manager Authentication Level (NTLMv2 Only) | High |
| WIN-LSA-001 | Do Not Store LAN Manager Hash | High |
| WIN-WDIGEST-001 | Disable WDigest Credential Caching | High |
| WIN-INSTALL-001 | Disable Always Install Elevated | High |
| WIN-AUTORUN-001 | Disable AutoRun on All Drives | Medium |
| WIN-TLS-012 | Disable SSL 3.0 (Server) | High |
| WIN-TLS-013 | Disable SSL 2.0 (Server) | High |
| WIN-SMB-004 | Disable SMBv1 Client | High |
| WIN-NET-001 | Disable LLMNR | Medium |
| WIN-SVC-001 | Disable Remote Registry Service | Medium |
| WIN-DEF-002 | Enable Potentially Unwanted Application (PUA) Protection | High |
| WIN-DEF-003 | Enable Defender Real-Time Protection | High |
| WIN-NET-002 | Disable IPv4 Source Routing | Medium |
| WIN-NET-003 | Disable ICMP Redirects | Low |
| WIN-NET-004 | Disable IPv6 Source Routing | Medium |
| WIN-SMB-006 | Restrict Anonymous Access to Named Pipes and Shares | Medium |
| WIN-ASR-003 | ASR: Block Executable Content from Email and Webmail | Medium |
| WIN-NTLM-002 | Minimum NTLM Session Security (Clients) | Medium |
| WIN-NTLM-003 | Minimum NTLM Session Security (Servers) | Medium |
| WIN-WINRM-001 | Disable WinRM Client Basic Authentication | Medium |
| WIN-WINRM-002 | Disallow WinRM Unencrypted Traffic | Medium |
| WIN-AUD-016 | Audit MPSSVC Rule-Level Policy Change | Medium |
| WIN-LSA-008 | Restrict Clients Allowed to Make Remote SAM Calls | Medium |
| WIN-NET-005 | Ignore NetBIOS Name Release Requests | Low |
| WIN-PSL-003 | Enable PowerShell Transcription | Medium |
| WIN-SMB-007 | Disable SMB Client Insecure Guest Logons | Medium |
| WIN-UAC-006 | Only Elevate UIAccess Apps in Secure Locations | Medium |
| WIN-TLS-001 | Enable TLS 1.2 (Server) | Medium |
| WIN-TLS-002 | Enable TLS 1.2 (Client) | Medium |
| WIN-TLS-003 | Disable RC4 128/128 Cipher | High |
| WIN-TLS-004 | Disable RC4 40/128 Cipher | High |
| WIN-TLS-005 | Disable Triple DES 168 Cipher | Medium |
| WIN-FW-004 | Block Inbound Connections by Default (Public Profile) | Medium |
| WIN-FW-005 | Log Dropped Packets (Public Profile) | Low |
| WIN-DEF-009 | Enable Defender Behavior Monitoring | High |
| WIN-TLS-006 | Disable RC4 56/128 Cipher | High |
| WIN-TLS-007 | Disable RC4 64/128 Cipher | High |
| WIN-TLS-008 | Disable DES 56/56 Cipher | Medium |
| WIN-TLS-009 | Disable NULL Cipher | Medium |
| WIN-NET-006 | Disable mDNS | Medium |
| WIN-RDP-009 | Do Not Allow Saved RDP Passwords | Medium |
| WIN-ASR-014 | ASR: Block Webshell Creation for Servers | High |
| WIN-DEF-010 | Enable Email Scanning | Medium |
| WIN-DEF-011 | Enable Archive Scanning | Medium |
| WIN-DEF-013 | Scan Downloaded Files and Attachments | High |
| WIN-NET-007 | Enable Safe DLL Search Mode | Medium |
| WIN-PRINT-001 | Restrict Point and Print Driver Installation to Administrators | High |
| WIN-AUD-020 | Audit Detailed File Share | Medium |
| WIN-URA-001 | Access Credential Manager as a Trusted Caller = No One | High |
| WIN-URA-002 | Act as Part of the Operating System = No One | High |
| WIN-URA-003 | Create a Token Object = No One | High |
| WIN-URA-004 | Create Permanent Shared Objects = No One | Medium |
| WIN-URA-006 | Deny Access to This Computer From the Network (includes Guests) | Medium |
| WIN-URA-007 | Deny Log On as a Batch Job (includes Guests) | Low |
| WIN-URA-008 | Deny Log On as a Service (includes Guests) | Low |
| WIN-URA-009 | Deny Log On Locally (includes Guests) | Medium |
| WIN-URA-010 | Deny Log On Through Remote Desktop Services (includes Guests) | Medium |
| WIN-URA-029 | Lock Pages in Memory = No One | Medium |
| WIN-URA-035 | Enable Accounts to Be Trusted for Delegation = No One | High |
| WIN-URA-036 | Obtain an Impersonation Token for Another User = No One | Medium |
| WIN-URA-037 | Modify an Object Label = No One | Low |
| WIN-URA-038 | Synchronize Directory Service Data = No One | Medium |
| WIN-SMB-009 | Digitally Sign Client Communications (If Server Agrees) | Low |
| WIN-SMB-010 | Digitally Sign Server Communications (If Client Agrees) | Low |
| WIN-SMB-013 | Server SPN Target Name Validation Level | Medium |
| WIN-LSA-018 | Do Not Store Passwords and Credentials for Network Authentication | High |
| WIN-PRINT-003 | Prevent Users From Installing Printer Drivers | Medium |
| WIN-ACCT-002 | Guest Account Disabled | Medium |
| WIN-AUD-023 | Audit File Share | Medium |
| WIN-EVTLOG-001 | Application Event Log Maximum Size (>= 32 MB) | Medium |
| WIN-EVTLOG-003 | Security Event Log Maximum Size (>= 192 MB) | High |
| WIN-EVTLOG-007 | System Event Log Maximum Size (>= 32 MB) | Medium |
| WIN-AUD-029 | Audit Security System Extension | Medium |
| WIN-AUD-030 | Include Command Line in Process Creation Events | Medium |
| WIN-CREDDEL-001 | Encryption Oracle Remediation (Force Updated Clients) | High |
| WIN-INET-001 | Turn Off Downloading of Print Drivers Over HTTP | Low |
| WIN-INET-002 | Turn Off Printing Over HTTP | Low |
| WIN-RPC-001 | Restrict Unauthenticated RPC Clients | Medium |
| WIN-RA-001 | Disable Solicited Remote Assistance | Medium |
| WIN-RA-002 | Disable Offer (Unsolicited) Remote Assistance | Medium |
| WIN-SMARTSCREEN-001 | Configure Windows Defender SmartScreen | Medium |
| WIN-WINRM-004 | Disable WinRM Service Basic Authentication | Medium |
| WIN-WINRM-005 | Disallow WinRM Storing RunAs Credentials | Medium |
| WIN-WINRM-006 | Disallow WinRM Client Unencrypted Traffic | Medium |
| WIN-WINRS-001 | Disable Windows Remote Shell Access | Medium |
| WIN-DEF-016 | Enable Defender File Hash Computation | Low |
| WIN-AUTORUN-002 | Disallow Autoplay for Non-Volume Devices | Medium |
| WIN-NET-008 | Hardened UNC Path for SYSVOL | High |
| WIN-NET-009 | Hardened UNC Path for NETLOGON | High |
| WIN-NET-011 | Turn Off Smart Multi-Homed Name Resolution | Medium |
| WIN-NET-021 | TCP Maximum Data Retransmissions (IPv4) | Low |
| WIN-NET-024 | Disable Dead Gateway Detection | Low |
| WIN-DEF-017 | Notify Antivirus When Opening Attachments (Default Profile) | Medium |
| WIN-LOGON-018 | Logon Legal Notice Text | Low |
| WIN-LOGON-019 | Logon Legal Notice Title | Low |
CloudInfra Secure Remote Desktop Server - Role tier¶
Baseline for Remote Desktop Session Host servers.
ID: CloudInfraSecure-RemoteDesktopServer Controls: 99 Supported OS: WindowsServer2022, WindowsServer2025
| Control | Name | Severity |
|---|---|---|
| WIN-RDP-001 | Require Network Level Authentication for RDP | High |
| WIN-TLS-010 | Disable TLS 1.0 (Server) | High |
| WIN-TLS-011 | Disable TLS 1.1 (Server) | High |
| WIN-FW-001 | Windows Firewall Enabled (All Profiles) | High |
| WIN-DEF-001 | Microsoft Defender Antivirus Enabled | High |
| WIN-LOCK-001 | Account Lockout Threshold | Medium |
| WIN-UAC-001 | User Account Control Enabled | High |
| WIN-NTLM-001 | LAN Manager Authentication Level (NTLMv2 Only) | High |
| WIN-LSA-001 | Do Not Store LAN Manager Hash | High |
| WIN-WDIGEST-001 | Disable WDigest Credential Caching | High |
| WIN-UAC-002 | UAC Elevation Prompt for Administrators | Medium |
| WIN-INSTALL-001 | Disable Always Install Elevated | High |
| WIN-AUTORUN-001 | Disable AutoRun on All Drives | Medium |
| WIN-RDP-002 | RDP Minimum Encryption Level (High) | Medium |
| WIN-RDP-003 | RDP Security Layer (TLS) | Medium |
| WIN-RDP-004 | Disable RDP Drive Redirection | Medium |
| WIN-TLS-012 | Disable SSL 3.0 (Server) | High |
| WIN-TLS-013 | Disable SSL 2.0 (Server) | High |
| WIN-NET-001 | Disable LLMNR | Medium |
| WIN-LOGON-001 | Machine Inactivity Limit | Medium |
| WIN-DEF-002 | Enable Potentially Unwanted Application (PUA) Protection | High |
| WIN-DEF-003 | Enable Defender Real-Time Protection | High |
| WIN-UAC-004 | Deny UAC Elevation Prompt for Standard Users | Medium |
| WIN-UAC-005 | UAC Switch to the Secure Desktop for Elevation | Medium |
| WIN-LOGON-003 | Limit Number of Cached Logons | Medium |
| WIN-AUD-009 | Audit Logoff | Medium |
| WIN-LOGON-004 | Require Ctrl+Alt+Del at Logon | Low |
| WIN-NTLM-002 | Minimum NTLM Session Security (Clients) | Medium |
| WIN-NTLM-003 | Minimum NTLM Session Security (Servers) | Medium |
| WIN-WINRM-001 | Disable WinRM Client Basic Authentication | Medium |
| WIN-WINRM-002 | Disallow WinRM Unencrypted Traffic | Medium |
| WIN-AUD-015 | Audit Other Logon/Logoff Events | Medium |
| WIN-LOGON-005 | Smart Card Removal Behavior (Lock Workstation) | Low |
| WIN-RDP-005 | Always Prompt for Password on RDP Connection | Medium |
| WIN-RDP-006 | Disable RDP Clipboard Redirection | Low |
| WIN-PSL-003 | Enable PowerShell Transcription | Medium |
| WIN-SMB-007 | Disable SMB Client Insecure Guest Logons | Medium |
| WIN-TLS-001 | Enable TLS 1.2 (Server) | Medium |
| WIN-TLS-002 | Enable TLS 1.2 (Client) | Medium |
| WIN-TLS-003 | Disable RC4 128/128 Cipher | High |
| WIN-FW-004 | Block Inbound Connections by Default (Public Profile) | Medium |
| WIN-WINRM-003 | Disable WinRM Client Digest Authentication | Medium |
| WIN-DEF-009 | Enable Defender Behavior Monitoring | High |
| WIN-RDP-007 | Set RDP Idle Session Time Limit | Low |
| WIN-RDP-008 | Set RDP Disconnected Session Time Limit | Low |
| WIN-RDP-009 | Do Not Allow Saved RDP Passwords | Medium |
| WIN-TLS-006 | Disable RC4 56/128 Cipher | High |
| WIN-TLS-007 | Disable RC4 64/128 Cipher | High |
| WIN-UAC-007 | Apply UAC Token Filtering to Remote Local Accounts | High |
| WIN-DEF-010 | Enable Email Scanning | Medium |
| WIN-DEF-013 | Scan Downloaded Files and Attachments | High |
| WIN-SMB-008 | Do Not Send Unencrypted Password to Third-Party SMB Servers | Medium |
| WIN-PRINT-001 | Restrict Point and Print Driver Installation to Administrators | High |
| WIN-PRINT-002 | Require Elevation for New Point and Print Connections | Medium |
| WIN-AUD-017 | Audit PNP Activity | Medium |
| WIN-URA-001 | Access Credential Manager as a Trusted Caller = No One | High |
| WIN-URA-002 | Act as Part of the Operating System = No One | High |
| WIN-URA-003 | Create a Token Object = No One | High |
| WIN-URA-004 | Create Permanent Shared Objects = No One | Medium |
| WIN-URA-006 | Deny Access to This Computer From the Network (includes Guests) | Medium |
| WIN-URA-007 | Deny Log On as a Batch Job (includes Guests) | Low |
| WIN-URA-008 | Deny Log On as a Service (includes Guests) | Low |
| WIN-URA-009 | Deny Log On Locally (includes Guests) | Medium |
| WIN-URA-010 | Deny Log On Through Remote Desktop Services (includes Guests) | Medium |
| WIN-URA-029 | Lock Pages in Memory = No One | Medium |
| WIN-URA-035 | Enable Accounts to Be Trusted for Delegation = No One | High |
| WIN-URA-036 | Obtain an Impersonation Token for Another User = No One | Medium |
| WIN-URA-037 | Modify an Object Label = No One | Low |
| WIN-URA-038 | Synchronize Directory Service Data = No One | Medium |
| WIN-URA-019 | Allow Log On Through Remote Desktop Services = Administrators, Remote Desktop Users | Medium |
| WIN-SMB-011 | Idle Time Required Before Suspending an SMB Session (15 min) | Low |
| WIN-LSA-018 | Do Not Store Passwords and Credentials for Network Authentication | High |
| WIN-UAC-008 | Admin Approval Mode for the Built-in Administrator | Medium |
| WIN-ACCT-002 | Guest Account Disabled | Medium |
| WIN-PRINT-003 | Prevent Users From Installing Printer Drivers | Medium |
| WIN-AUD-023 | Audit File Share | Medium |
| WIN-EVTLOG-003 | Security Event Log Maximum Size (>= 192 MB) | High |
| WIN-EVTLOG-007 | System Event Log Maximum Size (>= 32 MB) | Medium |
| WIN-AUD-028 | Audit Security State Change | Medium |
| WIN-AUD-029 | Audit Security System Extension | Medium |
| WIN-CREDDEL-001 | Encryption Oracle Remediation (Force Updated Clients) | High |
| WIN-CREDDEL-002 | Remote Host Allows Delegation of Non-Exportable Credentials | Medium |
| WIN-RA-001 | Disable Solicited Remote Assistance | Medium |
| WIN-RA-002 | Disable Offer (Unsolicited) Remote Assistance | Medium |
| WIN-LOGON-009 | Do Not Enumerate Connected Users on Domain-Joined Computers | Medium |
| WIN-RDP-010 | Disable RDP COM Port Redirection | Low |
| WIN-RDP-011 | Disable RDP LPT Port Redirection | Low |
| WIN-RDP-012 | Disable RDP Plug and Play Device Redirection | Low |
| WIN-RDP-013 | Require Secure RPC for Remote Desktop | Medium |
| WIN-RDP-014 | Use Temporary Folders Per RDP Session | Low |
| WIN-SMARTSCREEN-001 | Configure Windows Defender SmartScreen | Medium |
| WIN-SCRSVR-001 | Enable Screen Saver (Default Profile) | Low |
| WIN-SCRSVR-002 | Password Protect the Screen Saver (Default Profile) | Medium |
| WIN-SCRSVR-003 | Screen Saver Timeout (Default Profile) | Low |
| WIN-LOGON-016 | Screen Saver Grace Period | Low |
| WIN-LOGON-017 | Turn Off Toast Notifications on the Lock Screen (Default Profile) | Low |
| WIN-DEF-017 | Notify Antivirus When Opening Attachments (Default Profile) | Medium |
| WIN-LOGON-018 | Logon Legal Notice Text | Low |
| WIN-LOGON-019 | Logon Legal Notice Title | Low |
CloudInfra Secure SQL Server - Role tier¶
Baseline for Microsoft SQL Server hosts.
ID: CloudInfraSecure-SQLServer Controls: 93 Supported OS: WindowsServer2022, WindowsServer2025
| Control | Name | Severity |
|---|---|---|
| WIN-FW-001 | Windows Firewall Enabled (All Profiles) | High |
| WIN-TLS-010 | Disable TLS 1.0 (Server) | High |
| WIN-TLS-011 | Disable TLS 1.1 (Server) | High |
| WIN-DEF-001 | Microsoft Defender Antivirus Enabled | High |
| WIN-AUD-001 | Audit Logon Failures | Medium |
| WIN-AUD-002 | Audit Account Lockout Events | Medium |
| WIN-UAC-001 | User Account Control Enabled | High |
| WIN-SMB-003 | Require SMB Signing (Server) | High |
| WIN-NTLM-001 | LAN Manager Authentication Level (NTLMv2 Only) | High |
| WIN-LSA-001 | Do Not Store LAN Manager Hash | High |
| WIN-WDIGEST-001 | Disable WDigest Credential Caching | High |
| WIN-LSA-002 | Restrict Anonymous SID Enumeration | Medium |
| WIN-TLS-012 | Disable SSL 3.0 (Server) | High |
| WIN-TLS-013 | Disable SSL 2.0 (Server) | High |
| WIN-LDAP-001 | LDAP Client Signing | Medium |
| WIN-NET-001 | Disable LLMNR | Medium |
| WIN-SMB-004 | Disable SMBv1 Client | High |
| WIN-DEF-002 | Enable Potentially Unwanted Application (PUA) Protection | High |
| WIN-DEF-003 | Enable Defender Real-Time Protection | High |
| WIN-NET-002 | Disable IPv4 Source Routing | Medium |
| WIN-NET-004 | Disable IPv6 Source Routing | Medium |
| WIN-SMB-006 | Restrict Anonymous Access to Named Pipes and Shares | Medium |
| WIN-LSA-004 | Do Not Allow Anonymous Enumeration of SAM Accounts | Medium |
| WIN-NTLM-002 | Minimum NTLM Session Security (Clients) | Medium |
| WIN-NTLM-003 | Minimum NTLM Session Security (Servers) | Medium |
| WIN-WINRM-001 | Disable WinRM Client Basic Authentication | Medium |
| WIN-WINRM-002 | Disallow WinRM Unencrypted Traffic | Medium |
| WIN-LSA-007 | Do Not Apply Everyone Permissions to Anonymous Users | Medium |
| WIN-LSA-008 | Restrict Clients Allowed to Make Remote SAM Calls | Medium |
| WIN-LSA-009 | Limit Local Account Use of Blank Passwords | High |
| WIN-LSA-010 | Sharing and Security Model for Local Accounts (Classic) | Medium |
| WIN-KRB-001 | Configure Kerberos Encryption Types (AES only) | Medium |
| WIN-PSL-003 | Enable PowerShell Transcription | Medium |
| WIN-TLS-001 | Enable TLS 1.2 (Server) | Medium |
| WIN-TLS-002 | Enable TLS 1.2 (Client) | Medium |
| WIN-TLS-003 | Disable RC4 128/128 Cipher | High |
| WIN-TLS-004 | Disable RC4 40/128 Cipher | High |
| WIN-TLS-005 | Disable Triple DES 168 Cipher | Medium |
| WIN-FW-002 | Block Inbound Connections by Default (Domain Profile) | Medium |
| WIN-DEF-009 | Enable Defender Behavior Monitoring | High |
| WIN-TLS-006 | Disable RC4 56/128 Cipher | High |
| WIN-TLS-007 | Disable RC4 64/128 Cipher | High |
| WIN-TLS-008 | Disable DES 56/56 Cipher | Medium |
| WIN-TLS-009 | Disable NULL Cipher | Medium |
| WIN-VBS-001 | Enable Virtualization Based Security | High |
| WIN-CG-001 | Enable Credential Guard | High |
| WIN-DEF-011 | Enable Archive Scanning | Medium |
| WIN-DEF-013 | Scan Downloaded Files and Attachments | High |
| WIN-LSA-011 | Disallow LocalSystem NULL Session Fallback | Medium |
| WIN-LSA-012 | Strengthen Default Permissions of Internal System Objects | Low |
| WIN-NET-007 | Enable Safe DLL Search Mode | Medium |
| WIN-AUD-019 | Audit Other Object Access Events | Medium |
| WIN-URA-001 | Access Credential Manager as a Trusted Caller = No One | High |
| WIN-URA-002 | Act as Part of the Operating System = No One | High |
| WIN-URA-003 | Create a Token Object = No One | High |
| WIN-URA-004 | Create Permanent Shared Objects = No One | Medium |
| WIN-URA-006 | Deny Access to This Computer From the Network (includes Guests) | Medium |
| WIN-URA-007 | Deny Log On as a Batch Job (includes Guests) | Low |
| WIN-URA-008 | Deny Log On as a Service (includes Guests) | Low |
| WIN-URA-009 | Deny Log On Locally (includes Guests) | Medium |
| WIN-URA-010 | Deny Log On Through Remote Desktop Services (includes Guests) | Medium |
| WIN-URA-029 | Lock Pages in Memory = No One | Medium |
| WIN-URA-035 | Enable Accounts to Be Trusted for Delegation = No One | High |
| WIN-URA-036 | Obtain an Impersonation Token for Another User = No One | Medium |
| WIN-URA-037 | Modify an Object Label = No One | Low |
| WIN-URA-038 | Synchronize Directory Service Data = No One | Medium |
| WIN-LSA-017 | Require Strong (Windows 2000 or Later) Session Key | Medium |
| WIN-LSA-018 | Do Not Store Passwords and Credentials for Network Authentication | High |
| WIN-NTLM-004 | Allow LocalSystem to Use Computer Identity for NTLM | Medium |
| WIN-AUD-021 | Force Audit Policy Subcategory Settings | Medium |
| WIN-ACCT-002 | Guest Account Disabled | Medium |
| WIN-AUD-023 | Audit File Share | Medium |
| WIN-EVTLOG-003 | Security Event Log Maximum Size (>= 192 MB) | High |
| WIN-EVTLOG-004 | Security Event Log Retention (Overwrite as Needed) | Low |
| WIN-AUD-024 | Audit Authorization Policy Change | Medium |
| WIN-AUD-029 | Audit Security System Extension | Medium |
| WIN-AUD-030 | Include Command Line in Process Creation Events | Medium |
| WIN-CREDDEL-001 | Encryption Oracle Remediation (Force Updated Clients) | High |
| WIN-CREDDEL-002 | Remote Host Allows Delegation of Non-Exportable Credentials | Medium |
| WIN-RPC-001 | Restrict Unauthenticated RPC Clients | Medium |
| WIN-RPC-002 | Enable RPC Endpoint Mapper Client Authentication | Medium |
| WIN-WINRM-004 | Disable WinRM Service Basic Authentication | Medium |
| WIN-WINRM-005 | Disallow WinRM Storing RunAs Credentials | Medium |
| WIN-WINRM-006 | Disallow WinRM Client Unencrypted Traffic | Medium |
| WIN-WINRS-001 | Disable Windows Remote Shell Access | Medium |
| WIN-DEF-016 | Enable Defender File Hash Computation | Low |
| WIN-NET-008 | Hardened UNC Path for SYSVOL | High |
| WIN-NET-009 | Hardened UNC Path for NETLOGON | High |
| WIN-NET-021 | TCP Maximum Data Retransmissions (IPv4) | Low |
| WIN-NET-022 | TCP Maximum Data Retransmissions (IPv6) | Low |
| WIN-EVTLOG-009 | Security Log Near-Capacity Warning Threshold | Low |
| WIN-LOGON-018 | Logon Legal Notice Text | Low |
| WIN-LOGON-019 | Logon Legal Notice Title | Low |
CloudInfra Secure Standard - Standard tier¶
Recommended baseline adding logging, auditing and access hardening on top of Essential.
ID: CloudInfraSecure-Standard Controls: 274 Supported OS: WindowsServer2022, WindowsServer2025
| Control | Name | Severity |
|---|---|---|
| WIN-FW-001 | Windows Firewall Enabled (All Profiles) | High |
| WIN-SMB-001 | Disable SMBv1 | High |
| WIN-TLS-010 | Disable TLS 1.0 (Server) | High |
| WIN-TLS-011 | Disable TLS 1.1 (Server) | High |
| WIN-RDP-001 | Require Network Level Authentication for RDP | High |
| WIN-PSL-001 | Enable PowerShell Script Block Logging | Medium |
| WIN-PSL-002 | Enable PowerShell Module Logging | Medium |
| WIN-PWD-001 | Minimum Password Length | High |
| WIN-PWD-002 | Password Complexity Enabled | High |
| WIN-LOCK-001 | Account Lockout Threshold | Medium |
| WIN-AUD-001 | Audit Logon Failures | Medium |
| WIN-AUD-002 | Audit Account Lockout Events | Medium |
| WIN-DEF-001 | Microsoft Defender Antivirus Enabled | High |
| WIN-UAC-001 | User Account Control Enabled | High |
| WIN-PWD-003 | Maximum Password Age | Medium |
| WIN-PWD-004 | Minimum Password Age | Low |
| WIN-PWD-005 | Enforce Password History | Medium |
| WIN-PWD-006 | Disable Reversible Password Encryption | High |
| WIN-LOCK-002 | Account Lockout Duration | Medium |
| WIN-LOCK-003 | Reset Account Lockout Counter | Medium |
| WIN-SMB-003 | Require SMB Signing (Server) | High |
| WIN-NTLM-001 | LAN Manager Authentication Level (NTLMv2 Only) | High |
| WIN-LSA-001 | Do Not Store LAN Manager Hash | High |
| WIN-LSA-002 | Restrict Anonymous SID Enumeration | Medium |
| WIN-WDIGEST-001 | Disable WDigest Credential Caching | High |
| WIN-UAC-002 | UAC Elevation Prompt for Administrators | Medium |
| WIN-INSTALL-001 | Disable Always Install Elevated | High |
| WIN-AUTORUN-001 | Disable AutoRun on All Drives | Medium |
| WIN-AUD-003 | Audit Process Creation | Medium |
| WIN-AUD-004 | Audit Credential Validation | Medium |
| WIN-AUD-005 | Audit Security Group Management | Medium |
| WIN-SMB-004 | Disable SMBv1 Client | High |
| WIN-SMB-005 | Require SMB Client Signing | Medium |
| WIN-LDAP-001 | LDAP Client Signing | Medium |
| WIN-NET-001 | Disable LLMNR | Medium |
| WIN-TLS-012 | Disable SSL 3.0 (Server) | High |
| WIN-TLS-013 | Disable SSL 2.0 (Server) | High |
| WIN-RDP-002 | RDP Minimum Encryption Level (High) | Medium |
| WIN-RDP-003 | RDP Security Layer (TLS) | Medium |
| WIN-RDP-004 | Disable RDP Drive Redirection | Medium |
| WIN-SVC-001 | Disable Remote Registry Service | Medium |
| WIN-LOGON-001 | Machine Inactivity Limit | Medium |
| WIN-LOGON-002 | Do Not Display Last Signed-In User | Low |
| WIN-UAC-003 | UAC Detect Application Installations | Medium |
| WIN-AUD-006 | Audit Special Logon | Medium |
| WIN-AUD-008 | Audit System Integrity | Medium |
| WIN-DEF-002 | Enable Potentially Unwanted Application (PUA) Protection | High |
| WIN-DEF-003 | Enable Defender Real-Time Protection | High |
| WIN-DEF-004 | Enable Cloud-Delivered Protection | Medium |
| WIN-NET-002 | Disable IPv4 Source Routing | Medium |
| WIN-NET-003 | Disable ICMP Redirects | Low |
| WIN-NET-004 | Disable IPv6 Source Routing | Medium |
| WIN-SMB-006 | Restrict Anonymous Access to Named Pipes and Shares | Medium |
| WIN-LSA-004 | Do Not Allow Anonymous Enumeration of SAM Accounts | Medium |
| WIN-LSA-005 | Enable Structured Exception Handling Overwrite Protection (SEHOP) | Medium |
| WIN-LOGON-003 | Limit Number of Cached Logons | Medium |
| WIN-UAC-004 | Deny UAC Elevation Prompt for Standard Users | Medium |
| WIN-UAC-005 | UAC Switch to the Secure Desktop for Elevation | Medium |
| WIN-AUD-009 | Audit Logoff | Medium |
| WIN-AUD-010 | Audit Removable Storage | Medium |
| WIN-AUD-011 | Audit Authentication Policy Change | Medium |
| WIN-AUD-012 | Audit User Account Management | Medium |
| WIN-AUD-013 | Audit Computer Account Management | Medium |
| WIN-AUD-014 | Audit Audit Policy Change | Medium |
| WIN-AUD-015 | Audit Other Logon/Logoff Events | Medium |
| WIN-AUD-016 | Audit MPSSVC Rule-Level Policy Change | Medium |
| WIN-LOGON-004 | Require Ctrl+Alt+Del at Logon | Low |
| WIN-NTLM-002 | Minimum NTLM Session Security (Clients) | Medium |
| WIN-NTLM-003 | Minimum NTLM Session Security (Servers) | Medium |
| WIN-LSA-006 | Digitally Encrypt or Sign Secure Channel Data (Always) | Medium |
| WIN-LSA-007 | Do Not Apply Everyone Permissions to Anonymous Users | Medium |
| WIN-WINRM-001 | Disable WinRM Client Basic Authentication | Medium |
| WIN-WINRM-002 | Disallow WinRM Unencrypted Traffic | Medium |
| WIN-LSA-008 | Restrict Clients Allowed to Make Remote SAM Calls | Medium |
| WIN-LSA-009 | Limit Local Account Use of Blank Passwords | High |
| WIN-LSA-010 | Sharing and Security Model for Local Accounts (Classic) | Medium |
| WIN-KRB-001 | Configure Kerberos Encryption Types (AES only) | Medium |
| WIN-LOGON-006 | Disable Automatic Logon | Medium |
| WIN-NET-005 | Ignore NetBIOS Name Release Requests | Low |
| WIN-PSL-003 | Enable PowerShell Transcription | Medium |
| WIN-RDP-005 | Always Prompt for Password on RDP Connection | Medium |
| WIN-SMB-007 | Disable SMB Client Insecure Guest Logons | Medium |
| WIN-UAC-006 | Only Elevate UIAccess Apps in Secure Locations | Medium |
| WIN-DEF-007 | Scan Removable Drives During Full Scan | Low |
| WIN-DEF-008 | Enable Block at First Sight | Medium |
| WIN-DEF-009 | Enable Defender Behavior Monitoring | High |
| WIN-TLS-001 | Enable TLS 1.2 (Server) | Medium |
| WIN-TLS-002 | Enable TLS 1.2 (Client) | Medium |
| WIN-TLS-003 | Disable RC4 128/128 Cipher | High |
| WIN-TLS-004 | Disable RC4 40/128 Cipher | High |
| WIN-TLS-005 | Disable Triple DES 168 Cipher | Medium |
| WIN-FW-002 | Block Inbound Connections by Default (Domain Profile) | Medium |
| WIN-FW-003 | Block Inbound Connections by Default (Private Profile) | Medium |
| WIN-FW-004 | Block Inbound Connections by Default (Public Profile) | Medium |
| WIN-FW-005 | Log Dropped Packets (Public Profile) | Low |
| WIN-WINRM-003 | Disable WinRM Client Digest Authentication | Medium |
| WIN-TLS-006 | Disable RC4 56/128 Cipher | High |
| WIN-TLS-007 | Disable RC4 64/128 Cipher | High |
| WIN-TLS-008 | Disable DES 56/56 Cipher | Medium |
| WIN-TLS-009 | Disable NULL Cipher | Medium |
| WIN-RDP-007 | Set RDP Idle Session Time Limit | Low |
| WIN-RDP-008 | Set RDP Disconnected Session Time Limit | Low |
| WIN-RDP-009 | Do Not Allow Saved RDP Passwords | Medium |
| WIN-UAC-007 | Apply UAC Token Filtering to Remote Local Accounts | High |
| WIN-ACCT-001 | Block Microsoft Accounts | Medium |
| WIN-NET-006 | Disable mDNS | Medium |
| WIN-DEF-010 | Enable Email Scanning | Medium |
| WIN-DEF-011 | Enable Archive Scanning | Medium |
| WIN-DEF-012 | Scan Mapped Network Drives During Full Scan | Low |
| WIN-DEF-013 | Scan Downloaded Files and Attachments | High |
| WIN-DEF-014 | Disable Local Admin Merge of Defender Preferences | Medium |
| WIN-DEF-015 | Enable Real-Time Script Scanning | Medium |
| WIN-AUD-017 | Audit PNP Activity | Medium |
| WIN-AUD-018 | Audit Group Membership | Medium |
| WIN-AUD-019 | Audit Other Object Access Events | Medium |
| WIN-AUD-020 | Audit Detailed File Share | Medium |
| WIN-SMB-008 | Do Not Send Unencrypted Password to Third-Party SMB Servers | Medium |
| WIN-LSA-011 | Disallow LocalSystem NULL Session Fallback | Medium |
| WIN-LSA-012 | Strengthen Default Permissions of Internal System Objects | Low |
| WIN-NET-007 | Enable Safe DLL Search Mode | Medium |
| WIN-PRINT-001 | Restrict Point and Print Driver Installation to Administrators | High |
| WIN-PRINT-002 | Require Elevation for New Point and Print Connections | Medium |
| WIN-URA-001 | Access Credential Manager as a Trusted Caller = No One | High |
| WIN-URA-002 | Act as Part of the Operating System = No One | High |
| WIN-URA-003 | Create a Token Object = No One | High |
| WIN-URA-004 | Create Permanent Shared Objects = No One | Medium |
| WIN-URA-005 | Debug Programs = Administrators Only | High |
| WIN-URA-006 | Deny Access to This Computer From the Network (includes Guests) | Medium |
| WIN-URA-007 | Deny Log On as a Batch Job (includes Guests) | Low |
| WIN-URA-008 | Deny Log On as a Service (includes Guests) | Low |
| WIN-URA-009 | Deny Log On Locally (includes Guests) | Medium |
| WIN-URA-010 | Deny Log On Through Remote Desktop Services (includes Guests) | Medium |
| WIN-URA-011 | Force Shutdown From a Remote System = Administrators Only | Medium |
| WIN-URA-012 | Generate Security Audits = Local Service, Network Service | Medium |
| WIN-URA-013 | Impersonate a Client After Authentication = Service Accounts and Administrators | Medium |
| WIN-URA-014 | Load and Unload Device Drivers = Administrators Only | Medium |
| WIN-URA-015 | Manage Auditing and Security Log = Administrators Only | Medium |
| WIN-URA-016 | Take Ownership of Files or Other Objects = Administrators Only | Medium |
| WIN-URA-017 | Access This Computer From the Network = Administrators, Authenticated Users | High |
| WIN-URA-018 | Allow Log On Locally = Administrators | Medium |
| WIN-URA-019 | Allow Log On Through Remote Desktop Services = Administrators, Remote Desktop Users | Medium |
| WIN-URA-020 | Back Up Files and Directories = Administrators | Medium |
| WIN-URA-021 | Restore Files and Directories = Administrators | Medium |
| WIN-URA-022 | Change the System Time = Administrators, Local Service | Medium |
| WIN-URA-023 | Change the Time Zone = Administrators, Local Service, Users | Low |
| WIN-URA-024 | Create a Pagefile = Administrators | Low |
| WIN-URA-025 | Create Global Objects = Administrators and Service Accounts | Medium |
| WIN-URA-026 | Create Symbolic Links = Administrators | Medium |
| WIN-URA-027 | Adjust Memory Quotas for a Process = Administrators and Service Accounts | Low |
| WIN-URA-028 | Increase Scheduling Priority = Administrators, Window Manager | Low |
| WIN-URA-029 | Lock Pages in Memory = No One | Medium |
| WIN-URA-030 | Perform Volume Maintenance Tasks = Administrators | Medium |
| WIN-URA-031 | Profile Single Process = Administrators | Low |
| WIN-URA-032 | Replace a Process Level Token = Local Service, Network Service | Medium |
| WIN-URA-033 | Shut Down the System = Administrators | Low |
| WIN-URA-034 | Modify Firmware Environment Values = Administrators | Medium |
| WIN-URA-035 | Enable Accounts to Be Trusted for Delegation = No One | High |
| WIN-URA-036 | Obtain an Impersonation Token for Another User = No One | Medium |
| WIN-URA-037 | Modify an Object Label = No One | Low |
| WIN-URA-038 | Synchronize Directory Service Data = No One | Medium |
| WIN-URA-039 | Profile System Performance = Administrators, WdiServiceHost | Low |
| WIN-LSA-013 | Digitally Encrypt Secure Channel Data (When Possible) | Medium |
| WIN-LSA-014 | Digitally Sign Secure Channel Data (When Possible) | Medium |
| WIN-LSA-015 | Do Not Disable Machine Account Password Changes | Medium |
| WIN-LSA-016 | Maximum Machine Account Password Age (30 Days) | Low |
| WIN-LSA-017 | Require Strong (Windows 2000 or Later) Session Key | Medium |
| WIN-SMB-009 | Digitally Sign Client Communications (If Server Agrees) | Low |
| WIN-SMB-010 | Digitally Sign Server Communications (If Client Agrees) | Low |
| WIN-SMB-011 | Idle Time Required Before Suspending an SMB Session (15 min) | Low |
| WIN-SMB-012 | Disconnect Clients When Logon Hours Expire | Low |
| WIN-SMB-013 | Server SPN Target Name Validation Level | Medium |
| WIN-NTLM-004 | Allow LocalSystem to Use Computer Identity for NTLM | Medium |
| WIN-NTLM-005 | Disallow PKU2U Online Identities | Medium |
| WIN-NTLM-006 | Audit Incoming NTLM Traffic | Low |
| WIN-NTLM-007 | Audit Outgoing NTLM Traffic to Remote Servers | Low |
| WIN-LSA-018 | Do Not Store Passwords and Credentials for Network Authentication | High |
| WIN-LOGON-007 | Do Not Allow System to Be Shut Down Without Logging On | Low |
| WIN-LSA-019 | Require Case Insensitivity for Non-Windows Subsystems | Low |
| WIN-AUD-021 | Force Audit Policy Subcategory Settings | Medium |
| WIN-PRINT-003 | Prevent Users From Installing Printer Drivers | Medium |
| WIN-ACCT-002 | Guest Account Disabled | Medium |
| WIN-ACCT-003 | Force Logoff When Logon Hours Expire | Low |
| WIN-UAC-008 | Admin Approval Mode for the Built-in Administrator | Medium |
| WIN-UAC-009 | Virtualize File and Registry Write Failures to Per-User Locations | Low |
| WIN-AUD-022 | Audit Other Account Management Events | Medium |
| WIN-AUD-023 | Audit File Share | Medium |
| WIN-AUD-024 | Audit Authorization Policy Change | Medium |
| WIN-AUD-025 | Audit Other Policy Change Events | Low |
| WIN-AUD-026 | Audit IPsec Driver | Medium |
| WIN-AUD-027 | Audit Other System Events | Low |
| WIN-AUD-028 | Audit Security State Change | Medium |
| WIN-AUD-029 | Audit Security System Extension | Medium |
| WIN-EVTLOG-001 | Application Event Log Maximum Size (>= 32 MB) | Medium |
| WIN-EVTLOG-002 | Application Event Log Retention (Overwrite as Needed) | Low |
| WIN-EVTLOG-003 | Security Event Log Maximum Size (>= 192 MB) | High |
| WIN-EVTLOG-004 | Security Event Log Retention (Overwrite as Needed) | Low |
| WIN-EVTLOG-005 | Setup Event Log Maximum Size (>= 32 MB) | Low |
| WIN-EVTLOG-006 | Setup Event Log Retention (Overwrite as Needed) | Low |
| WIN-EVTLOG-007 | System Event Log Maximum Size (>= 32 MB) | Medium |
| WIN-EVTLOG-008 | System Event Log Retention (Overwrite as Needed) | Low |
| WIN-AUD-030 | Include Command Line in Process Creation Events | Medium |
| WIN-CREDDEL-001 | Encryption Oracle Remediation (Force Updated Clients) | High |
| WIN-CREDDEL-002 | Remote Host Allows Delegation of Non-Exportable Credentials | Medium |
| WIN-ELAM-001 | Boot-Start Driver Initialization Policy | Medium |
| WIN-GPO-001 | Registry Policy Processing: Apply During Background Refresh | Low |
| WIN-GPO-002 | Registry Policy Processing: Process Even If Unchanged | Low |
| WIN-GPO-003 | Disable Continue Experiences (Connected Devices Platform) | Low |
| WIN-INET-001 | Turn Off Downloading of Print Drivers Over HTTP | Low |
| WIN-INET-002 | Turn Off Printing Over HTTP | Low |
| WIN-INET-003 | Turn Off Windows Error Reporting | Low |
| WIN-INET-004 | Turn Off Windows Customer Experience Improvement Program | Low |
| WIN-INET-005 | Turn Off Internet Download for Web Publishing and Online Ordering | Low |
| WIN-INET-006 | Turn Off Internet Connection Wizard If URL Connection | Low |
| WIN-INET-007 | Turn Off Search Companion Content File Updates | Low |
| WIN-LOGON-009 | Do Not Enumerate Connected Users on Domain-Joined Computers | Medium |
| WIN-LOGON-010 | Do Not Enumerate Local Users on Domain-Joined Computers | Medium |
| WIN-LOGON-011 | Block User From Showing Account Details on Sign-In | Low |
| WIN-LOGON-012 | Do Not Display Network Selection UI | Low |
| WIN-LOGON-013 | Turn Off App Notifications on the Lock Screen | Low |
| WIN-LOGON-014 | Disable Convenience PIN Sign-In | Medium |
| WIN-RA-001 | Disable Solicited Remote Assistance | Medium |
| WIN-RA-002 | Disable Offer (Unsolicited) Remote Assistance | Medium |
| WIN-RPC-001 | Restrict Unauthenticated RPC Clients | Medium |
| WIN-RPC-002 | Enable RPC Endpoint Mapper Client Authentication | Medium |
| WIN-CREDUI-001 | Do Not Display the Password Reveal Button | Low |
| WIN-CREDUI-002 | Do Not Enumerate Administrator Accounts on Elevation | Medium |
| WIN-CREDUI-003 | Prevent Use of Security Questions for Local Accounts | Low |
| WIN-TELEM-001 | Limit Diagnostic Data to Required or Less | Low |
| WIN-TELEM-002 | Disable OneSettings Downloads | Low |
| WIN-TELEM-003 | Do Not Show Feedback Notifications | Low |
| WIN-TELEM-004 | Enable OneSettings Auditing | Low |
| WIN-TELEM-005 | Disable Windows Insider Preview Builds | Medium |
| WIN-CLOUD-001 | Turn Off Microsoft Consumer Experiences | Low |
| WIN-SMARTSCREEN-001 | Configure Windows Defender SmartScreen | Medium |
| WIN-RDP-010 | Disable RDP COM Port Redirection | Low |
| WIN-RDP-011 | Disable RDP LPT Port Redirection | Low |
| WIN-RDP-012 | Disable RDP Plug and Play Device Redirection | Low |
| WIN-RDP-013 | Require Secure RPC for Remote Desktop | Medium |
| WIN-RDP-014 | Use Temporary Folders Per RDP Session | Low |
| WIN-WINRM-004 | Disable WinRM Service Basic Authentication | Medium |
| WIN-WINRM-005 | Disallow WinRM Storing RunAs Credentials | Medium |
| WIN-WINRM-006 | Disallow WinRM Client Unencrypted Traffic | Medium |
| WIN-WINRS-001 | Disable Windows Remote Shell Access | Medium |
| WIN-AUTORUN-002 | Disallow Autoplay for Non-Volume Devices | Medium |
| WIN-AUTORUN-003 | Set Default AutoRun Behavior to Do Not Execute | Medium |
| WIN-INSTALL-002 | Disable User Control Over Windows Installer | Medium |
| WIN-LOGON-015 | Disable Automatic Restart Sign-On (ARSO) | Medium |
| WIN-DEF-016 | Enable Defender File Hash Computation | Low |
| WIN-NET-008 | Hardened UNC Path for SYSVOL | High |
| WIN-NET-009 | Hardened UNC Path for NETLOGON | High |
| WIN-NET-010 | Disable Font Providers | Low |
| WIN-NET-011 | Turn Off Smart Multi-Homed Name Resolution | Medium |
| WIN-NET-012 | Prohibit Installation of Network Bridge | Low |
| WIN-NET-013 | Prohibit Internet Connection Sharing | Low |
| WIN-NET-014 | Require Domain Users to Elevate When Setting Network Location | Low |
| WIN-NET-015 | Minimize Simultaneous Internet and Domain Connections | Low |
| WIN-NET-016 | Prohibit Non-Domain Networks When on Domain Network | Low |
| WIN-NET-017 | Disable Windows Connect Now Registrars | Low |
| WIN-NET-018 | Prohibit Access of Windows Connect Now Wizards | Low |
| WIN-NET-019 | Turn Off Link-Layer Topology Mapper I/O Driver | Low |
| WIN-NET-020 | Turn Off Link-Layer Topology Responder Driver | Low |
| WIN-NET-021 | TCP Maximum Data Retransmissions (IPv4) | Low |
| WIN-NET-022 | TCP Maximum Data Retransmissions (IPv6) | Low |
| WIN-NET-023 | TCP Keep-Alive Time | Low |
| WIN-NET-024 | Disable Dead Gateway Detection | Low |
| WIN-EVTLOG-009 | Security Log Near-Capacity Warning Threshold | Low |
| WIN-LOGON-016 | Screen Saver Grace Period | Low |
| WIN-SCRSVR-001 | Enable Screen Saver (Default Profile) | Low |
| WIN-SCRSVR-002 | Password Protect the Screen Saver (Default Profile) | Medium |
| WIN-SCRSVR-003 | Screen Saver Timeout (Default Profile) | Low |
| WIN-LOGON-017 | Turn Off Toast Notifications on the Lock Screen (Default Profile) | Low |
| WIN-DEF-017 | Notify Antivirus When Opening Attachments (Default Profile) | Medium |
| WIN-LOGON-018 | Logon Legal Notice Text | Low |
| WIN-LOGON-019 | Logon Legal Notice Title | Low |