Compliance Coverage¶
Number of controls whose technical requirements may help implement each standard (informational only).
Compliance disclaimer
CloudInfra Secure controls are designed to help organisations implement technical security requirements commonly found in recognised security standards. They do not constitute certification or proof of compliance.
Coverage summary¶
| Standard | Controls |
|---|---|
| DISA STIG | 301 |
| NIST CSF | 301 |
| NIST SP 800-53 Rev 5 | 301 |
| NIST SP 800-171 | 301 |
| FedRAMP | 13 |
| Microsoft Cloud Security Benchmark | 262 |
| Microsoft Security Baselines | 301 |
| CMMC Level 2 | 19 |
| PCI DSS v4.0 | 301 |
| SOC 2 | 43 |
| ISO/IEC 27001 | 301 |
| HIPAA Security Rule | 27 |
| UK Cyber Essentials | 260 |
| NIS2 | 301 |
Browse controls by standard¶
Select a standard to list the controls that map to it. This shows technical alignment only, not certification.
| # | ID | Name | Severity | Category |
|---|---|---|---|---|
| WIN-ACCT-001 | Block Microsoft Accounts | Medium | Access Control | |
| WIN-ACCT-002 | Guest Account Disabled | Medium | Access Control | |
| WIN-ACCT-003 | Force Logoff When Logon Hours Expire | Low | Account Policy | |
| WIN-ASR-001 | ASR: Block Credential Stealing from LSASS | High | Attack Surface Reduction | |
| WIN-ASR-002 | ASR: Block Office Apps Creating Child Processes | Medium | Attack Surface Reduction | |
| WIN-ASR-003 | ASR: Block Executable Content from Email and Webmail | Medium | Attack Surface Reduction | |
| WIN-ASR-004 | ASR: Block Obfuscated Scripts | Medium | Attack Surface Reduction | |
| WIN-ASR-005 | ASR: Block Untrusted Processes from USB | Medium | Attack Surface Reduction | |
| WIN-ASR-006 | ASR: Block Process Creation from PSExec and WMI | Medium | Attack Surface Reduction | |
| WIN-ASR-007 | ASR: Advanced Protection Against Ransomware | High | Attack Surface Reduction | |
| WIN-ASR-008 | ASR: Block Office Apps Injecting Code into Other Processes | Medium | Attack Surface Reduction | |
| WIN-ASR-009 | ASR: Block Office Apps Creating Executable Content | Medium | Attack Surface Reduction | |
| WIN-ASR-010 | ASR: Block Persistence Through WMI Event Subscription | Medium | Attack Surface Reduction | |
| WIN-ASR-011 | ASR: Block Win32 API Calls from Office Macros | Medium | Attack Surface Reduction | |
| WIN-ASR-012 | ASR: Block Untrusted Executables by Prevalence, Age, or Trust | Medium | Attack Surface Reduction | |
| WIN-ASR-013 | ASR: Block Adobe Reader from Creating Child Processes | Medium | Attack Surface Reduction | |
| WIN-ASR-014 | ASR: Block Webshell Creation for Servers | High | Attack Surface Reduction | |
| WIN-ASR-015 | ASR: Block Rebooting Machine in Safe Mode | Medium | Attack Surface Reduction | |
| WIN-AUD-001 | Audit Logon Failures | Medium | Logging and Monitoring | |
| WIN-AUD-002 | Audit Account Lockout Events | Medium | Logging and Monitoring | |
| WIN-AUD-003 | Audit Process Creation | Medium | Logging and Monitoring | |
| WIN-AUD-004 | Audit Credential Validation | Medium | Logging and Monitoring | |
| WIN-AUD-005 | Audit Security Group Management | Medium | Logging and Monitoring | |
| WIN-AUD-006 | Audit Special Logon | Medium | Logging and Monitoring | |
| WIN-AUD-007 | Audit Sensitive Privilege Use | Medium | Logging and Monitoring | |
| WIN-AUD-008 | Audit System Integrity | Medium | Logging and Monitoring | |
| WIN-AUD-009 | Audit Logoff | Medium | Logging and Monitoring | |
| WIN-AUD-010 | Audit Removable Storage | Medium | Logging and Monitoring | |
| WIN-AUD-011 | Audit Authentication Policy Change | Medium | Logging and Monitoring | |
| WIN-AUD-012 | Audit User Account Management | Medium | Logging and Monitoring | |
| WIN-AUD-013 | Audit Computer Account Management | Medium | Logging and Monitoring | |
| WIN-AUD-014 | Audit Audit Policy Change | Medium | Logging and Monitoring | |
| WIN-AUD-015 | Audit Other Logon/Logoff Events | Medium | Logging and Monitoring | |
| WIN-AUD-016 | Audit MPSSVC Rule-Level Policy Change | Medium | Logging and Monitoring | |
| WIN-AUD-017 | Audit PNP Activity | Medium | Logging and Monitoring | |
| WIN-AUD-018 | Audit Group Membership | Medium | Logging and Monitoring | |
| WIN-AUD-019 | Audit Other Object Access Events | Medium | Logging and Monitoring | |
| WIN-AUD-020 | Audit Detailed File Share | Medium | Logging and Monitoring | |
| WIN-AUD-021 | Force Audit Policy Subcategory Settings | Medium | Logging and Monitoring | |
| WIN-AUD-022 | Audit Other Account Management Events | Medium | Logging and Monitoring | |
| WIN-AUD-023 | Audit File Share | Medium | Logging and Monitoring | |
| WIN-AUD-024 | Audit Authorization Policy Change | Medium | Logging and Monitoring | |
| WIN-AUD-025 | Audit Other Policy Change Events | Low | Logging and Monitoring | |
| WIN-AUD-026 | Audit IPsec Driver | Medium | Logging and Monitoring | |
| WIN-AUD-027 | Audit Other System Events | Low | Logging and Monitoring | |
| WIN-AUD-028 | Audit Security State Change | Medium | Logging and Monitoring | |
| WIN-AUD-029 | Audit Security System Extension | Medium | Logging and Monitoring | |
| WIN-AUD-030 | Include Command Line in Process Creation Events | Medium | Logging and Monitoring | |
| WIN-AUTORUN-001 | Disable AutoRun on All Drives | Medium | Attack Surface Reduction | |
| WIN-AUTORUN-002 | Disallow Autoplay for Non-Volume Devices | Medium | Attack Surface Reduction | |
| WIN-AUTORUN-003 | Set Default AutoRun Behavior to Do Not Execute | Medium | Attack Surface Reduction | |
| WIN-CG-001 | Enable Credential Guard | High | Credential Protection | |
| WIN-CLOUD-001 | Turn Off Microsoft Consumer Experiences | Low | Attack Surface Reduction | |
| WIN-CREDDEL-001 | Encryption Oracle Remediation (Force Updated Clients) | High | Credential Protection | |
| WIN-CREDDEL-002 | Remote Host Allows Delegation of Non-Exportable Credentials | Medium | Credential Protection | |
| WIN-CREDUI-001 | Do Not Display the Password Reveal Button | Low | Credential Protection | |
| WIN-CREDUI-002 | Do Not Enumerate Administrator Accounts on Elevation | Medium | Credential Protection | |
| WIN-CREDUI-003 | Prevent Use of Security Questions for Local Accounts | Low | Credential Protection | |
| WIN-DEF-001 | Microsoft Defender Antivirus Enabled | High | Endpoint Protection | |
| WIN-DEF-002 | Enable Potentially Unwanted Application (PUA) Protection | High | Endpoint Protection | |
| WIN-DEF-003 | Enable Defender Real-Time Protection | High | Endpoint Protection | |
| WIN-DEF-004 | Enable Cloud-Delivered Protection | Medium | Endpoint Protection | |
| WIN-DEF-005 | Enable Network Protection | Medium | Endpoint Protection | |
| WIN-DEF-006 | Enable Controlled Folder Access | Medium | Endpoint Protection | |
| WIN-DEF-007 | Scan Removable Drives During Full Scan | Low | Endpoint Protection | |
| WIN-DEF-008 | Enable Block at First Sight | Medium | Endpoint Protection | |
| WIN-DEF-009 | Enable Defender Behavior Monitoring | High | Endpoint Protection | |
| WIN-DEF-010 | Enable Email Scanning | Medium | Endpoint Protection | |
| WIN-DEF-011 | Enable Archive Scanning | Medium | Endpoint Protection | |
| WIN-DEF-012 | Scan Mapped Network Drives During Full Scan | Low | Endpoint Protection | |
| WIN-DEF-013 | Scan Downloaded Files and Attachments | High | Endpoint Protection | |
| WIN-DEF-014 | Disable Local Admin Merge of Defender Preferences | Medium | Endpoint Protection | |
| WIN-DEF-015 | Enable Real-Time Script Scanning | Medium | Endpoint Protection | |
| WIN-DEF-016 | Enable Defender File Hash Computation | Low | Endpoint Protection | |
| WIN-DEF-017 | Notify Antivirus When Opening Attachments (Default Profile) | Medium | Endpoint Protection | |
| WIN-ELAM-001 | Boot-Start Driver Initialization Policy | Medium | Endpoint Protection | |
| WIN-EVTLOG-001 | Application Event Log Maximum Size (>= 32 MB) | Medium | Logging and Monitoring | |
| WIN-EVTLOG-002 | Application Event Log Retention (Overwrite as Needed) | Low | Logging and Monitoring | |
| WIN-EVTLOG-003 | Security Event Log Maximum Size (>= 192 MB) | High | Logging and Monitoring | |
| WIN-EVTLOG-004 | Security Event Log Retention (Overwrite as Needed) | Low | Logging and Monitoring | |
| WIN-EVTLOG-005 | Setup Event Log Maximum Size (>= 32 MB) | Low | Logging and Monitoring | |
| WIN-EVTLOG-006 | Setup Event Log Retention (Overwrite as Needed) | Low | Logging and Monitoring | |
| WIN-EVTLOG-007 | System Event Log Maximum Size (>= 32 MB) | Medium | Logging and Monitoring | |
| WIN-EVTLOG-008 | System Event Log Retention (Overwrite as Needed) | Low | Logging and Monitoring | |
| WIN-EVTLOG-009 | Security Log Near-Capacity Warning Threshold | Low | Logging and Monitoring | |
| WIN-FW-001 | Windows Firewall Enabled (All Profiles) | High | Host Firewall | |
| WIN-FW-002 | Block Inbound Connections by Default (Domain Profile) | Medium | Host Firewall | |
| WIN-FW-003 | Block Inbound Connections by Default (Private Profile) | Medium | Host Firewall | |
| WIN-FW-004 | Block Inbound Connections by Default (Public Profile) | Medium | Host Firewall | |
| WIN-FW-005 | Log Dropped Packets (Public Profile) | Low | Host Firewall | |
| WIN-GPO-001 | Registry Policy Processing: Apply During Background Refresh | Low | Access Control | |
| WIN-GPO-002 | Registry Policy Processing: Process Even If Unchanged | Low | Access Control | |
| WIN-GPO-003 | Disable Continue Experiences (Connected Devices Platform) | Low | Attack Surface Reduction | |
| WIN-INET-001 | Turn Off Downloading of Print Drivers Over HTTP | Low | Network Protocols | |
| WIN-INET-002 | Turn Off Printing Over HTTP | Low | Network Protocols | |
| WIN-INET-003 | Turn Off Windows Error Reporting | Low | Attack Surface Reduction | |
| WIN-INET-004 | Turn Off Windows Customer Experience Improvement Program | Low | Attack Surface Reduction | |
| WIN-INET-005 | Turn Off Internet Download for Web Publishing and Online Ordering | Low | Attack Surface Reduction | |
| WIN-INET-006 | Turn Off Internet Connection Wizard If URL Connection | Low | Attack Surface Reduction | |
| WIN-INET-007 | Turn Off Search Companion Content File Updates | Low | Attack Surface Reduction | |
| WIN-INSTALL-001 | Disable Always Install Elevated | High | Privilege Management | |
| WIN-INSTALL-002 | Disable User Control Over Windows Installer | Medium | Privilege Management | |
| WIN-KRB-001 | Configure Kerberos Encryption Types (AES only) | Medium | Authentication | |
| WIN-LDAP-001 | LDAP Client Signing | Medium | Authentication | |
| WIN-LOCK-001 | Account Lockout Threshold | Medium | Account Policy | |
| WIN-LOCK-002 | Account Lockout Duration | Medium | Account Policy | |
| WIN-LOCK-003 | Reset Account Lockout Counter | Medium | Account Policy | |
| WIN-LOGON-001 | Machine Inactivity Limit | Medium | Access Control | |
| WIN-LOGON-002 | Do Not Display Last Signed-In User | Low | Access Control | |
| WIN-LOGON-003 | Limit Number of Cached Logons | Medium | Access Control | |
| WIN-LOGON-004 | Require Ctrl+Alt+Del at Logon | Low | Access Control | |
| WIN-LOGON-005 | Smart Card Removal Behavior (Lock Workstation) | Low | Access Control | |
| WIN-LOGON-006 | Disable Automatic Logon | Medium | Access Control | |
| WIN-LOGON-007 | Do Not Allow System to Be Shut Down Without Logging On | Low | Access Control | |
| WIN-LOGON-008 | Require Domain Controller Authentication to Unlock Workstation | Medium | Access Control | |
| WIN-LOGON-009 | Do Not Enumerate Connected Users on Domain-Joined Computers | Medium | Access Control | |
| WIN-LOGON-010 | Do Not Enumerate Local Users on Domain-Joined Computers | Medium | Access Control | |
| WIN-LOGON-011 | Block User From Showing Account Details on Sign-In | Low | Access Control | |
| WIN-LOGON-012 | Do Not Display Network Selection UI | Low | Access Control | |
| WIN-LOGON-013 | Turn Off App Notifications on the Lock Screen | Low | Access Control | |
| WIN-LOGON-014 | Disable Convenience PIN Sign-In | Medium | Access Control | |
| WIN-LOGON-015 | Disable Automatic Restart Sign-On (ARSO) | Medium | Access Control | |
| WIN-LOGON-016 | Screen Saver Grace Period | Low | Access Control | |
| WIN-LOGON-017 | Turn Off Toast Notifications on the Lock Screen (Default Profile) | Low | Access Control | |
| WIN-LOGON-018 | Logon Legal Notice Text | Low | Access Control | |
| WIN-LOGON-019 | Logon Legal Notice Title | Low | Access Control | |
| WIN-LSA-001 | Do Not Store LAN Manager Hash | High | Credential Protection | |
| WIN-LSA-002 | Restrict Anonymous SID Enumeration | Medium | Access Control | |
| WIN-LSA-003 | Enable LSASS Protection (RunAsPPL) | High | Credential Protection | |
| WIN-LSA-004 | Do Not Allow Anonymous Enumeration of SAM Accounts | Medium | Access Control | |
| WIN-LSA-005 | Enable Structured Exception Handling Overwrite Protection (SEHOP) | Medium | Exploit Protection | |
| WIN-LSA-006 | Digitally Encrypt or Sign Secure Channel Data (Always) | Medium | Authentication | |
| WIN-LSA-007 | Do Not Apply Everyone Permissions to Anonymous Users | Medium | Access Control | |
| WIN-LSA-008 | Restrict Clients Allowed to Make Remote SAM Calls | Medium | Access Control | |
| WIN-LSA-009 | Limit Local Account Use of Blank Passwords | High | Access Control | |
| WIN-LSA-010 | Sharing and Security Model for Local Accounts (Classic) | Medium | Access Control | |
| WIN-LSA-011 | Disallow LocalSystem NULL Session Fallback | Medium | Access Control | |
| WIN-LSA-012 | Strengthen Default Permissions of Internal System Objects | Low | Access Control | |
| WIN-LSA-013 | Digitally Encrypt Secure Channel Data (When Possible) | Medium | Authentication | |
| WIN-LSA-014 | Digitally Sign Secure Channel Data (When Possible) | Medium | Authentication | |
| WIN-LSA-015 | Do Not Disable Machine Account Password Changes | Medium | Authentication | |
| WIN-LSA-016 | Maximum Machine Account Password Age (30 Days) | Low | Authentication | |
| WIN-LSA-017 | Require Strong (Windows 2000 or Later) Session Key | Medium | Authentication | |
| WIN-LSA-018 | Do Not Store Passwords and Credentials for Network Authentication | High | Credential Protection | |
| WIN-LSA-019 | Require Case Insensitivity for Non-Windows Subsystems | Low | Access Control | |
| WIN-NET-001 | Disable LLMNR | Medium | Network Protocols | |
| WIN-NET-002 | Disable IPv4 Source Routing | Medium | Network Protocols | |
| WIN-NET-003 | Disable ICMP Redirects | Low | Network Protocols | |
| WIN-NET-004 | Disable IPv6 Source Routing | Medium | Network Protocols | |
| WIN-NET-005 | Ignore NetBIOS Name Release Requests | Low | Network Protocols | |
| WIN-NET-006 | Disable mDNS | Medium | Network Protocols | |
| WIN-NET-007 | Enable Safe DLL Search Mode | Medium | Exploit Protection | |
| WIN-NET-008 | Hardened UNC Path for SYSVOL | High | Network Protocols | |
| WIN-NET-009 | Hardened UNC Path for NETLOGON | High | Network Protocols | |
| WIN-NET-010 | Disable Font Providers | Low | Attack Surface Reduction | |
| WIN-NET-011 | Turn Off Smart Multi-Homed Name Resolution | Medium | Network Protocols | |
| WIN-NET-012 | Prohibit Installation of Network Bridge | Low | Network Protocols | |
| WIN-NET-013 | Prohibit Internet Connection Sharing | Low | Network Protocols | |
| WIN-NET-014 | Require Domain Users to Elevate When Setting Network Location | Low | Network Protocols | |
| WIN-NET-015 | Minimize Simultaneous Internet and Domain Connections | Low | Network Protocols | |
| WIN-NET-016 | Prohibit Non-Domain Networks When on Domain Network | Low | Network Protocols | |
| WIN-NET-017 | Disable Windows Connect Now Registrars | Low | Network Protocols | |
| WIN-NET-018 | Prohibit Access of Windows Connect Now Wizards | Low | Network Protocols | |
| WIN-NET-019 | Turn Off Link-Layer Topology Mapper I/O Driver | Low | Network Protocols | |
| WIN-NET-020 | Turn Off Link-Layer Topology Responder Driver | Low | Network Protocols | |
| WIN-NET-021 | TCP Maximum Data Retransmissions (IPv4) | Low | Network Protocols | |
| WIN-NET-022 | TCP Maximum Data Retransmissions (IPv6) | Low | Network Protocols | |
| WIN-NET-023 | TCP Keep-Alive Time | Low | Network Protocols | |
| WIN-NET-024 | Disable Dead Gateway Detection | Low | Network Protocols | |
| WIN-NTLM-001 | LAN Manager Authentication Level (NTLMv2 Only) | High | Authentication | |
| WIN-NTLM-002 | Minimum NTLM Session Security (Clients) | Medium | Authentication | |
| WIN-NTLM-003 | Minimum NTLM Session Security (Servers) | Medium | Authentication | |
| WIN-NTLM-004 | Allow LocalSystem to Use Computer Identity for NTLM | Medium | Authentication | |
| WIN-NTLM-005 | Disallow PKU2U Online Identities | Medium | Authentication | |
| WIN-NTLM-006 | Audit Incoming NTLM Traffic | Low | Authentication | |
| WIN-NTLM-007 | Audit Outgoing NTLM Traffic to Remote Servers | Low | Authentication | |
| WIN-PRINT-001 | Restrict Point and Print Driver Installation to Administrators | High | Attack Surface Reduction | |
| WIN-PRINT-002 | Require Elevation for New Point and Print Connections | Medium | Attack Surface Reduction | |
| WIN-PRINT-003 | Prevent Users From Installing Printer Drivers | Medium | Attack Surface Reduction | |
| WIN-PSL-001 | Enable PowerShell Script Block Logging | Medium | Logging and Monitoring | |
| WIN-PSL-002 | Enable PowerShell Module Logging | Medium | Logging and Monitoring | |
| WIN-PSL-003 | Enable PowerShell Transcription | Medium | Logging and Monitoring | |
| WIN-PWD-001 | Minimum Password Length | High | Account Policy | |
| WIN-PWD-002 | Password Complexity Enabled | High | Account Policy | |
| WIN-PWD-003 | Maximum Password Age | Medium | Account Policy | |
| WIN-PWD-004 | Minimum Password Age | Low | Account Policy | |
| WIN-PWD-005 | Enforce Password History | Medium | Account Policy | |
| WIN-PWD-006 | Disable Reversible Password Encryption | High | Account Policy | |
| WIN-RA-001 | Disable Solicited Remote Assistance | Medium | Remote Access | |
| WIN-RA-002 | Disable Offer (Unsolicited) Remote Assistance | Medium | Remote Access | |
| WIN-RDP-001 | Require Network Level Authentication for RDP | High | Remote Access | |
| WIN-RDP-002 | RDP Minimum Encryption Level (High) | Medium | Remote Access | |
| WIN-RDP-003 | RDP Security Layer (TLS) | Medium | Remote Access | |
| WIN-RDP-004 | Disable RDP Drive Redirection | Medium | Remote Access | |
| WIN-RDP-005 | Always Prompt for Password on RDP Connection | Medium | Remote Access | |
| WIN-RDP-006 | Disable RDP Clipboard Redirection | Low | Remote Access | |
| WIN-RDP-007 | Set RDP Idle Session Time Limit | Low | Remote Access | |
| WIN-RDP-008 | Set RDP Disconnected Session Time Limit | Low | Remote Access | |
| WIN-RDP-009 | Do Not Allow Saved RDP Passwords | Medium | Remote Access | |
| WIN-RDP-010 | Disable RDP COM Port Redirection | Low | Remote Access | |
| WIN-RDP-011 | Disable RDP LPT Port Redirection | Low | Remote Access | |
| WIN-RDP-012 | Disable RDP Plug and Play Device Redirection | Low | Remote Access | |
| WIN-RDP-013 | Require Secure RPC for Remote Desktop | Medium | Remote Access | |
| WIN-RDP-014 | Use Temporary Folders Per RDP Session | Low | Remote Access | |
| WIN-RPC-001 | Restrict Unauthenticated RPC Clients | Medium | Network Protocols | |
| WIN-RPC-002 | Enable RPC Endpoint Mapper Client Authentication | Medium | Network Protocols | |
| WIN-SCRSVR-001 | Enable Screen Saver (Default Profile) | Low | Access Control | |
| WIN-SCRSVR-002 | Password Protect the Screen Saver (Default Profile) | Medium | Access Control | |
| WIN-SCRSVR-003 | Screen Saver Timeout (Default Profile) | Low | Access Control | |
| WIN-SMARTSCREEN-001 | Configure Windows Defender SmartScreen | Medium | Endpoint Protection | |
| WIN-SMB-001 | Disable SMBv1 | High | Network Protocols | |
| WIN-SMB-003 | Require SMB Signing (Server) | High | Network Protocols | |
| WIN-SMB-004 | Disable SMBv1 Client | High | Network Protocols | |
| WIN-SMB-005 | Require SMB Client Signing | Medium | Network Protocols | |
| WIN-SMB-006 | Restrict Anonymous Access to Named Pipes and Shares | Medium | Network Protocols | |
| WIN-SMB-007 | Disable SMB Client Insecure Guest Logons | Medium | Network Protocols | |
| WIN-SMB-008 | Do Not Send Unencrypted Password to Third-Party SMB Servers | Medium | Network Protocols | |
| WIN-SMB-009 | Digitally Sign Client Communications (If Server Agrees) | Low | Network Protocols | |
| WIN-SMB-010 | Digitally Sign Server Communications (If Client Agrees) | Low | Network Protocols | |
| WIN-SMB-011 | Idle Time Required Before Suspending an SMB Session (15 min) | Low | Network Protocols | |
| WIN-SMB-012 | Disconnect Clients When Logon Hours Expire | Low | Network Protocols | |
| WIN-SMB-013 | Server SPN Target Name Validation Level | Medium | Network Protocols | |
| WIN-SVC-001 | Disable Remote Registry Service | Medium | Attack Surface Reduction | |
| WIN-SVC-002 | Disable Print Spooler Service | Medium | Attack Surface Reduction | |
| WIN-TELEM-001 | Limit Diagnostic Data to Required or Less | Low | Attack Surface Reduction | |
| WIN-TELEM-002 | Disable OneSettings Downloads | Low | Attack Surface Reduction | |
| WIN-TELEM-003 | Do Not Show Feedback Notifications | Low | Attack Surface Reduction | |
| WIN-TELEM-004 | Enable OneSettings Auditing | Low | Logging and Monitoring | |
| WIN-TELEM-005 | Disable Windows Insider Preview Builds | Medium | Attack Surface Reduction | |
| WIN-TLS-001 | Enable TLS 1.2 (Server) | Medium | Cryptography | |
| WIN-TLS-002 | Enable TLS 1.2 (Client) | Medium | Cryptography | |
| WIN-TLS-003 | Disable RC4 128/128 Cipher | High | Cryptography | |
| WIN-TLS-004 | Disable RC4 40/128 Cipher | High | Cryptography | |
| WIN-TLS-005 | Disable Triple DES 168 Cipher | Medium | Cryptography | |
| WIN-TLS-006 | Disable RC4 56/128 Cipher | High | Cryptography | |
| WIN-TLS-007 | Disable RC4 64/128 Cipher | High | Cryptography | |
| WIN-TLS-008 | Disable DES 56/56 Cipher | Medium | Cryptography | |
| WIN-TLS-009 | Disable NULL Cipher | Medium | Cryptography | |
| WIN-TLS-010 | Disable TLS 1.0 (Server) | High | Cryptography | |
| WIN-TLS-011 | Disable TLS 1.1 (Server) | High | Cryptography | |
| WIN-TLS-012 | Disable SSL 3.0 (Server) | High | Cryptography | |
| WIN-TLS-013 | Disable SSL 2.0 (Server) | High | Cryptography | |
| WIN-UAC-001 | User Account Control Enabled | High | Privilege Management | |
| WIN-UAC-002 | UAC Elevation Prompt for Administrators | Medium | Privilege Management | |
| WIN-UAC-003 | UAC Detect Application Installations | Medium | Privilege Management | |
| WIN-UAC-004 | Deny UAC Elevation Prompt for Standard Users | Medium | Privilege Management | |
| WIN-UAC-005 | UAC Switch to the Secure Desktop for Elevation | Medium | Privilege Management | |
| WIN-UAC-006 | Only Elevate UIAccess Apps in Secure Locations | Medium | Privilege Management | |
| WIN-UAC-007 | Apply UAC Token Filtering to Remote Local Accounts | High | Privilege Management | |
| WIN-UAC-008 | Admin Approval Mode for the Built-in Administrator | Medium | Privilege Management | |
| WIN-UAC-009 | Virtualize File and Registry Write Failures to Per-User Locations | Low | Privilege Management | |
| WIN-URA-001 | Access Credential Manager as a Trusted Caller = No One | High | User Rights Assignment | |
| WIN-URA-002 | Act as Part of the Operating System = No One | High | User Rights Assignment | |
| WIN-URA-003 | Create a Token Object = No One | High | User Rights Assignment | |
| WIN-URA-004 | Create Permanent Shared Objects = No One | Medium | User Rights Assignment | |
| WIN-URA-005 | Debug Programs = Administrators Only | High | User Rights Assignment | |
| WIN-URA-006 | Deny Access to This Computer From the Network (includes Guests) | Medium | User Rights Assignment | |
| WIN-URA-007 | Deny Log On as a Batch Job (includes Guests) | Low | User Rights Assignment | |
| WIN-URA-008 | Deny Log On as a Service (includes Guests) | Low | User Rights Assignment | |
| WIN-URA-009 | Deny Log On Locally (includes Guests) | Medium | User Rights Assignment | |
| WIN-URA-010 | Deny Log On Through Remote Desktop Services (includes Guests) | Medium | User Rights Assignment | |
| WIN-URA-011 | Force Shutdown From a Remote System = Administrators Only | Medium | User Rights Assignment | |
| WIN-URA-012 | Generate Security Audits = Local Service, Network Service | Medium | User Rights Assignment | |
| WIN-URA-013 | Impersonate a Client After Authentication = Service Accounts and Administrators | Medium | User Rights Assignment | |
| WIN-URA-014 | Load and Unload Device Drivers = Administrators Only | Medium | User Rights Assignment | |
| WIN-URA-015 | Manage Auditing and Security Log = Administrators Only | Medium | User Rights Assignment | |
| WIN-URA-016 | Take Ownership of Files or Other Objects = Administrators Only | Medium | User Rights Assignment | |
| WIN-URA-017 | Access This Computer From the Network = Administrators, Authenticated Users | High | User Rights Assignment | |
| WIN-URA-018 | Allow Log On Locally = Administrators | Medium | User Rights Assignment | |
| WIN-URA-019 | Allow Log On Through Remote Desktop Services = Administrators, Remote Desktop Users | Medium | User Rights Assignment | |
| WIN-URA-020 | Back Up Files and Directories = Administrators | Medium | User Rights Assignment | |
| WIN-URA-021 | Restore Files and Directories = Administrators | Medium | User Rights Assignment | |
| WIN-URA-022 | Change the System Time = Administrators, Local Service | Medium | User Rights Assignment | |
| WIN-URA-023 | Change the Time Zone = Administrators, Local Service, Users | Low | User Rights Assignment | |
| WIN-URA-024 | Create a Pagefile = Administrators | Low | User Rights Assignment | |
| WIN-URA-025 | Create Global Objects = Administrators and Service Accounts | Medium | User Rights Assignment | |
| WIN-URA-026 | Create Symbolic Links = Administrators | Medium | User Rights Assignment | |
| WIN-URA-027 | Adjust Memory Quotas for a Process = Administrators and Service Accounts | Low | User Rights Assignment | |
| WIN-URA-028 | Increase Scheduling Priority = Administrators, Window Manager | Low | User Rights Assignment | |
| WIN-URA-029 | Lock Pages in Memory = No One | Medium | User Rights Assignment | |
| WIN-URA-030 | Perform Volume Maintenance Tasks = Administrators | Medium | User Rights Assignment | |
| WIN-URA-031 | Profile Single Process = Administrators | Low | User Rights Assignment | |
| WIN-URA-032 | Replace a Process Level Token = Local Service, Network Service | Medium | User Rights Assignment | |
| WIN-URA-033 | Shut Down the System = Administrators | Low | User Rights Assignment | |
| WIN-URA-034 | Modify Firmware Environment Values = Administrators | Medium | User Rights Assignment | |
| WIN-URA-035 | Enable Accounts to Be Trusted for Delegation = No One | High | User Rights Assignment | |
| WIN-URA-036 | Obtain an Impersonation Token for Another User = No One | Medium | User Rights Assignment | |
| WIN-URA-037 | Modify an Object Label = No One | Low | User Rights Assignment | |
| WIN-URA-038 | Synchronize Directory Service Data = No One | Medium | User Rights Assignment | |
| WIN-URA-039 | Profile System Performance = Administrators, WdiServiceHost | Low | User Rights Assignment | |
| WIN-VBS-001 | Enable Virtualization Based Security | High | Credential Protection | |
| WIN-VBS-002 | Require Secure Boot for VBS | Medium | Credential Protection | |
| WIN-VBS-003 | Enable Memory Integrity (HVCI) | High | Exploit Protection | |
| WIN-WDIGEST-001 | Disable WDigest Credential Caching | High | Credential Protection | |
| WIN-WINRM-001 | Disable WinRM Client Basic Authentication | Medium | Remote Management | |
| WIN-WINRM-002 | Disallow WinRM Unencrypted Traffic | Medium | Remote Management | |
| WIN-WINRM-003 | Disable WinRM Client Digest Authentication | Medium | Remote Management | |
| WIN-WINRM-004 | Disable WinRM Service Basic Authentication | Medium | Remote Management | |
| WIN-WINRM-005 | Disallow WinRM Storing RunAs Credentials | Medium | Remote Management | |
| WIN-WINRM-006 | Disallow WinRM Client Unencrypted Traffic | Medium | Remote Management | |
| WIN-WINRS-001 | Disable Windows Remote Shell Access | Medium | Remote Management |