Skip to content

Compliance Coverage

Number of controls whose technical requirements may help implement each standard (informational only).

Compliance disclaimer

CloudInfra Secure controls are designed to help organisations implement technical security requirements commonly found in recognised security standards. They do not constitute certification or proof of compliance.

Coverage summary

Standard Controls
DISA STIG 301
NIST CSF 301
NIST SP 800-53 Rev 5 301
NIST SP 800-171 301
FedRAMP 13
Microsoft Cloud Security Benchmark 262
Microsoft Security Baselines 301
CMMC Level 2 19
PCI DSS v4.0 301
SOC 2 43
ISO/IEC 27001 301
HIPAA Security Rule 27
UK Cyber Essentials 260
NIS2 301

Browse controls by standard

Select a standard to list the controls that map to it. This shows technical alignment only, not certification.

Showing 301 of 301 controls
#IDNameSeverityCategory
WIN-ACCT-001Block Microsoft AccountsMediumAccess Control
WIN-ACCT-002Guest Account DisabledMediumAccess Control
WIN-ACCT-003Force Logoff When Logon Hours ExpireLowAccount Policy
WIN-ASR-001ASR: Block Credential Stealing from LSASSHighAttack Surface Reduction
WIN-ASR-002ASR: Block Office Apps Creating Child ProcessesMediumAttack Surface Reduction
WIN-ASR-003ASR: Block Executable Content from Email and WebmailMediumAttack Surface Reduction
WIN-ASR-004ASR: Block Obfuscated ScriptsMediumAttack Surface Reduction
WIN-ASR-005ASR: Block Untrusted Processes from USBMediumAttack Surface Reduction
WIN-ASR-006ASR: Block Process Creation from PSExec and WMIMediumAttack Surface Reduction
WIN-ASR-007ASR: Advanced Protection Against RansomwareHighAttack Surface Reduction
WIN-ASR-008ASR: Block Office Apps Injecting Code into Other ProcessesMediumAttack Surface Reduction
WIN-ASR-009ASR: Block Office Apps Creating Executable ContentMediumAttack Surface Reduction
WIN-ASR-010ASR: Block Persistence Through WMI Event SubscriptionMediumAttack Surface Reduction
WIN-ASR-011ASR: Block Win32 API Calls from Office MacrosMediumAttack Surface Reduction
WIN-ASR-012ASR: Block Untrusted Executables by Prevalence, Age, or TrustMediumAttack Surface Reduction
WIN-ASR-013ASR: Block Adobe Reader from Creating Child ProcessesMediumAttack Surface Reduction
WIN-ASR-014ASR: Block Webshell Creation for ServersHighAttack Surface Reduction
WIN-ASR-015ASR: Block Rebooting Machine in Safe ModeMediumAttack Surface Reduction
WIN-AUD-001Audit Logon FailuresMediumLogging and Monitoring
WIN-AUD-002Audit Account Lockout EventsMediumLogging and Monitoring
WIN-AUD-003Audit Process CreationMediumLogging and Monitoring
WIN-AUD-004Audit Credential ValidationMediumLogging and Monitoring
WIN-AUD-005Audit Security Group ManagementMediumLogging and Monitoring
WIN-AUD-006Audit Special LogonMediumLogging and Monitoring
WIN-AUD-007Audit Sensitive Privilege UseMediumLogging and Monitoring
WIN-AUD-008Audit System IntegrityMediumLogging and Monitoring
WIN-AUD-009Audit LogoffMediumLogging and Monitoring
WIN-AUD-010Audit Removable StorageMediumLogging and Monitoring
WIN-AUD-011Audit Authentication Policy ChangeMediumLogging and Monitoring
WIN-AUD-012Audit User Account ManagementMediumLogging and Monitoring
WIN-AUD-013Audit Computer Account ManagementMediumLogging and Monitoring
WIN-AUD-014Audit Audit Policy ChangeMediumLogging and Monitoring
WIN-AUD-015Audit Other Logon/Logoff EventsMediumLogging and Monitoring
WIN-AUD-016Audit MPSSVC Rule-Level Policy ChangeMediumLogging and Monitoring
WIN-AUD-017Audit PNP ActivityMediumLogging and Monitoring
WIN-AUD-018Audit Group MembershipMediumLogging and Monitoring
WIN-AUD-019Audit Other Object Access EventsMediumLogging and Monitoring
WIN-AUD-020Audit Detailed File ShareMediumLogging and Monitoring
WIN-AUD-021Force Audit Policy Subcategory SettingsMediumLogging and Monitoring
WIN-AUD-022Audit Other Account Management EventsMediumLogging and Monitoring
WIN-AUD-023Audit File ShareMediumLogging and Monitoring
WIN-AUD-024Audit Authorization Policy ChangeMediumLogging and Monitoring
WIN-AUD-025Audit Other Policy Change EventsLowLogging and Monitoring
WIN-AUD-026Audit IPsec DriverMediumLogging and Monitoring
WIN-AUD-027Audit Other System EventsLowLogging and Monitoring
WIN-AUD-028Audit Security State ChangeMediumLogging and Monitoring
WIN-AUD-029Audit Security System ExtensionMediumLogging and Monitoring
WIN-AUD-030Include Command Line in Process Creation EventsMediumLogging and Monitoring
WIN-AUTORUN-001Disable AutoRun on All DrivesMediumAttack Surface Reduction
WIN-AUTORUN-002Disallow Autoplay for Non-Volume DevicesMediumAttack Surface Reduction
WIN-AUTORUN-003Set Default AutoRun Behavior to Do Not ExecuteMediumAttack Surface Reduction
WIN-CG-001Enable Credential GuardHighCredential Protection
WIN-CLOUD-001Turn Off Microsoft Consumer ExperiencesLowAttack Surface Reduction
WIN-CREDDEL-001Encryption Oracle Remediation (Force Updated Clients)HighCredential Protection
WIN-CREDDEL-002Remote Host Allows Delegation of Non-Exportable CredentialsMediumCredential Protection
WIN-CREDUI-001Do Not Display the Password Reveal ButtonLowCredential Protection
WIN-CREDUI-002Do Not Enumerate Administrator Accounts on ElevationMediumCredential Protection
WIN-CREDUI-003Prevent Use of Security Questions for Local AccountsLowCredential Protection
WIN-DEF-001Microsoft Defender Antivirus EnabledHighEndpoint Protection
WIN-DEF-002Enable Potentially Unwanted Application (PUA) ProtectionHighEndpoint Protection
WIN-DEF-003Enable Defender Real-Time ProtectionHighEndpoint Protection
WIN-DEF-004Enable Cloud-Delivered ProtectionMediumEndpoint Protection
WIN-DEF-005Enable Network ProtectionMediumEndpoint Protection
WIN-DEF-006Enable Controlled Folder AccessMediumEndpoint Protection
WIN-DEF-007Scan Removable Drives During Full ScanLowEndpoint Protection
WIN-DEF-008Enable Block at First SightMediumEndpoint Protection
WIN-DEF-009Enable Defender Behavior MonitoringHighEndpoint Protection
WIN-DEF-010Enable Email ScanningMediumEndpoint Protection
WIN-DEF-011Enable Archive ScanningMediumEndpoint Protection
WIN-DEF-012Scan Mapped Network Drives During Full ScanLowEndpoint Protection
WIN-DEF-013Scan Downloaded Files and AttachmentsHighEndpoint Protection
WIN-DEF-014Disable Local Admin Merge of Defender PreferencesMediumEndpoint Protection
WIN-DEF-015Enable Real-Time Script ScanningMediumEndpoint Protection
WIN-DEF-016Enable Defender File Hash ComputationLowEndpoint Protection
WIN-DEF-017Notify Antivirus When Opening Attachments (Default Profile)MediumEndpoint Protection
WIN-ELAM-001Boot-Start Driver Initialization PolicyMediumEndpoint Protection
WIN-EVTLOG-001Application Event Log Maximum Size (>= 32 MB)MediumLogging and Monitoring
WIN-EVTLOG-002Application Event Log Retention (Overwrite as Needed)LowLogging and Monitoring
WIN-EVTLOG-003Security Event Log Maximum Size (>= 192 MB)HighLogging and Monitoring
WIN-EVTLOG-004Security Event Log Retention (Overwrite as Needed)LowLogging and Monitoring
WIN-EVTLOG-005Setup Event Log Maximum Size (>= 32 MB)LowLogging and Monitoring
WIN-EVTLOG-006Setup Event Log Retention (Overwrite as Needed)LowLogging and Monitoring
WIN-EVTLOG-007System Event Log Maximum Size (>= 32 MB)MediumLogging and Monitoring
WIN-EVTLOG-008System Event Log Retention (Overwrite as Needed)LowLogging and Monitoring
WIN-EVTLOG-009Security Log Near-Capacity Warning ThresholdLowLogging and Monitoring
WIN-FW-001Windows Firewall Enabled (All Profiles)HighHost Firewall
WIN-FW-002Block Inbound Connections by Default (Domain Profile)MediumHost Firewall
WIN-FW-003Block Inbound Connections by Default (Private Profile)MediumHost Firewall
WIN-FW-004Block Inbound Connections by Default (Public Profile)MediumHost Firewall
WIN-FW-005Log Dropped Packets (Public Profile)LowHost Firewall
WIN-GPO-001Registry Policy Processing: Apply During Background RefreshLowAccess Control
WIN-GPO-002Registry Policy Processing: Process Even If UnchangedLowAccess Control
WIN-GPO-003Disable Continue Experiences (Connected Devices Platform)LowAttack Surface Reduction
WIN-INET-001Turn Off Downloading of Print Drivers Over HTTPLowNetwork Protocols
WIN-INET-002Turn Off Printing Over HTTPLowNetwork Protocols
WIN-INET-003Turn Off Windows Error ReportingLowAttack Surface Reduction
WIN-INET-004Turn Off Windows Customer Experience Improvement ProgramLowAttack Surface Reduction
WIN-INET-005Turn Off Internet Download for Web Publishing and Online OrderingLowAttack Surface Reduction
WIN-INET-006Turn Off Internet Connection Wizard If URL ConnectionLowAttack Surface Reduction
WIN-INET-007Turn Off Search Companion Content File UpdatesLowAttack Surface Reduction
WIN-INSTALL-001Disable Always Install ElevatedHighPrivilege Management
WIN-INSTALL-002Disable User Control Over Windows InstallerMediumPrivilege Management
WIN-KRB-001Configure Kerberos Encryption Types (AES only)MediumAuthentication
WIN-LDAP-001LDAP Client SigningMediumAuthentication
WIN-LOCK-001Account Lockout ThresholdMediumAccount Policy
WIN-LOCK-002Account Lockout DurationMediumAccount Policy
WIN-LOCK-003Reset Account Lockout CounterMediumAccount Policy
WIN-LOGON-001Machine Inactivity LimitMediumAccess Control
WIN-LOGON-002Do Not Display Last Signed-In UserLowAccess Control
WIN-LOGON-003Limit Number of Cached LogonsMediumAccess Control
WIN-LOGON-004Require Ctrl+Alt+Del at LogonLowAccess Control
WIN-LOGON-005Smart Card Removal Behavior (Lock Workstation)LowAccess Control
WIN-LOGON-006Disable Automatic LogonMediumAccess Control
WIN-LOGON-007Do Not Allow System to Be Shut Down Without Logging OnLowAccess Control
WIN-LOGON-008Require Domain Controller Authentication to Unlock WorkstationMediumAccess Control
WIN-LOGON-009Do Not Enumerate Connected Users on Domain-Joined ComputersMediumAccess Control
WIN-LOGON-010Do Not Enumerate Local Users on Domain-Joined ComputersMediumAccess Control
WIN-LOGON-011Block User From Showing Account Details on Sign-InLowAccess Control
WIN-LOGON-012Do Not Display Network Selection UILowAccess Control
WIN-LOGON-013Turn Off App Notifications on the Lock ScreenLowAccess Control
WIN-LOGON-014Disable Convenience PIN Sign-InMediumAccess Control
WIN-LOGON-015Disable Automatic Restart Sign-On (ARSO)MediumAccess Control
WIN-LOGON-016Screen Saver Grace PeriodLowAccess Control
WIN-LOGON-017Turn Off Toast Notifications on the Lock Screen (Default Profile)LowAccess Control
WIN-LOGON-018Logon Legal Notice TextLowAccess Control
WIN-LOGON-019Logon Legal Notice TitleLowAccess Control
WIN-LSA-001Do Not Store LAN Manager HashHighCredential Protection
WIN-LSA-002Restrict Anonymous SID EnumerationMediumAccess Control
WIN-LSA-003Enable LSASS Protection (RunAsPPL)HighCredential Protection
WIN-LSA-004Do Not Allow Anonymous Enumeration of SAM AccountsMediumAccess Control
WIN-LSA-005Enable Structured Exception Handling Overwrite Protection (SEHOP)MediumExploit Protection
WIN-LSA-006Digitally Encrypt or Sign Secure Channel Data (Always)MediumAuthentication
WIN-LSA-007Do Not Apply Everyone Permissions to Anonymous UsersMediumAccess Control
WIN-LSA-008Restrict Clients Allowed to Make Remote SAM CallsMediumAccess Control
WIN-LSA-009Limit Local Account Use of Blank PasswordsHighAccess Control
WIN-LSA-010Sharing and Security Model for Local Accounts (Classic)MediumAccess Control
WIN-LSA-011Disallow LocalSystem NULL Session FallbackMediumAccess Control
WIN-LSA-012Strengthen Default Permissions of Internal System ObjectsLowAccess Control
WIN-LSA-013Digitally Encrypt Secure Channel Data (When Possible)MediumAuthentication
WIN-LSA-014Digitally Sign Secure Channel Data (When Possible)MediumAuthentication
WIN-LSA-015Do Not Disable Machine Account Password ChangesMediumAuthentication
WIN-LSA-016Maximum Machine Account Password Age (30 Days)LowAuthentication
WIN-LSA-017Require Strong (Windows 2000 or Later) Session KeyMediumAuthentication
WIN-LSA-018Do Not Store Passwords and Credentials for Network AuthenticationHighCredential Protection
WIN-LSA-019Require Case Insensitivity for Non-Windows SubsystemsLowAccess Control
WIN-NET-001Disable LLMNRMediumNetwork Protocols
WIN-NET-002Disable IPv4 Source RoutingMediumNetwork Protocols
WIN-NET-003Disable ICMP RedirectsLowNetwork Protocols
WIN-NET-004Disable IPv6 Source RoutingMediumNetwork Protocols
WIN-NET-005Ignore NetBIOS Name Release RequestsLowNetwork Protocols
WIN-NET-006Disable mDNSMediumNetwork Protocols
WIN-NET-007Enable Safe DLL Search ModeMediumExploit Protection
WIN-NET-008Hardened UNC Path for SYSVOLHighNetwork Protocols
WIN-NET-009Hardened UNC Path for NETLOGONHighNetwork Protocols
WIN-NET-010Disable Font ProvidersLowAttack Surface Reduction
WIN-NET-011Turn Off Smart Multi-Homed Name ResolutionMediumNetwork Protocols
WIN-NET-012Prohibit Installation of Network BridgeLowNetwork Protocols
WIN-NET-013Prohibit Internet Connection SharingLowNetwork Protocols
WIN-NET-014Require Domain Users to Elevate When Setting Network LocationLowNetwork Protocols
WIN-NET-015Minimize Simultaneous Internet and Domain ConnectionsLowNetwork Protocols
WIN-NET-016Prohibit Non-Domain Networks When on Domain NetworkLowNetwork Protocols
WIN-NET-017Disable Windows Connect Now RegistrarsLowNetwork Protocols
WIN-NET-018Prohibit Access of Windows Connect Now WizardsLowNetwork Protocols
WIN-NET-019Turn Off Link-Layer Topology Mapper I/O DriverLowNetwork Protocols
WIN-NET-020Turn Off Link-Layer Topology Responder DriverLowNetwork Protocols
WIN-NET-021TCP Maximum Data Retransmissions (IPv4)LowNetwork Protocols
WIN-NET-022TCP Maximum Data Retransmissions (IPv6)LowNetwork Protocols
WIN-NET-023TCP Keep-Alive TimeLowNetwork Protocols
WIN-NET-024Disable Dead Gateway DetectionLowNetwork Protocols
WIN-NTLM-001LAN Manager Authentication Level (NTLMv2 Only)HighAuthentication
WIN-NTLM-002Minimum NTLM Session Security (Clients)MediumAuthentication
WIN-NTLM-003Minimum NTLM Session Security (Servers)MediumAuthentication
WIN-NTLM-004Allow LocalSystem to Use Computer Identity for NTLMMediumAuthentication
WIN-NTLM-005Disallow PKU2U Online IdentitiesMediumAuthentication
WIN-NTLM-006Audit Incoming NTLM TrafficLowAuthentication
WIN-NTLM-007Audit Outgoing NTLM Traffic to Remote ServersLowAuthentication
WIN-PRINT-001Restrict Point and Print Driver Installation to AdministratorsHighAttack Surface Reduction
WIN-PRINT-002Require Elevation for New Point and Print ConnectionsMediumAttack Surface Reduction
WIN-PRINT-003Prevent Users From Installing Printer DriversMediumAttack Surface Reduction
WIN-PSL-001Enable PowerShell Script Block LoggingMediumLogging and Monitoring
WIN-PSL-002Enable PowerShell Module LoggingMediumLogging and Monitoring
WIN-PSL-003Enable PowerShell TranscriptionMediumLogging and Monitoring
WIN-PWD-001Minimum Password LengthHighAccount Policy
WIN-PWD-002Password Complexity EnabledHighAccount Policy
WIN-PWD-003Maximum Password AgeMediumAccount Policy
WIN-PWD-004Minimum Password AgeLowAccount Policy
WIN-PWD-005Enforce Password HistoryMediumAccount Policy
WIN-PWD-006Disable Reversible Password EncryptionHighAccount Policy
WIN-RA-001Disable Solicited Remote AssistanceMediumRemote Access
WIN-RA-002Disable Offer (Unsolicited) Remote AssistanceMediumRemote Access
WIN-RDP-001Require Network Level Authentication for RDPHighRemote Access
WIN-RDP-002RDP Minimum Encryption Level (High)MediumRemote Access
WIN-RDP-003RDP Security Layer (TLS)MediumRemote Access
WIN-RDP-004Disable RDP Drive RedirectionMediumRemote Access
WIN-RDP-005Always Prompt for Password on RDP ConnectionMediumRemote Access
WIN-RDP-006Disable RDP Clipboard RedirectionLowRemote Access
WIN-RDP-007Set RDP Idle Session Time LimitLowRemote Access
WIN-RDP-008Set RDP Disconnected Session Time LimitLowRemote Access
WIN-RDP-009Do Not Allow Saved RDP PasswordsMediumRemote Access
WIN-RDP-010Disable RDP COM Port RedirectionLowRemote Access
WIN-RDP-011Disable RDP LPT Port RedirectionLowRemote Access
WIN-RDP-012Disable RDP Plug and Play Device RedirectionLowRemote Access
WIN-RDP-013Require Secure RPC for Remote DesktopMediumRemote Access
WIN-RDP-014Use Temporary Folders Per RDP SessionLowRemote Access
WIN-RPC-001Restrict Unauthenticated RPC ClientsMediumNetwork Protocols
WIN-RPC-002Enable RPC Endpoint Mapper Client AuthenticationMediumNetwork Protocols
WIN-SCRSVR-001Enable Screen Saver (Default Profile)LowAccess Control
WIN-SCRSVR-002Password Protect the Screen Saver (Default Profile)MediumAccess Control
WIN-SCRSVR-003Screen Saver Timeout (Default Profile)LowAccess Control
WIN-SMARTSCREEN-001Configure Windows Defender SmartScreenMediumEndpoint Protection
WIN-SMB-001Disable SMBv1HighNetwork Protocols
WIN-SMB-003Require SMB Signing (Server)HighNetwork Protocols
WIN-SMB-004Disable SMBv1 ClientHighNetwork Protocols
WIN-SMB-005Require SMB Client SigningMediumNetwork Protocols
WIN-SMB-006Restrict Anonymous Access to Named Pipes and SharesMediumNetwork Protocols
WIN-SMB-007Disable SMB Client Insecure Guest LogonsMediumNetwork Protocols
WIN-SMB-008Do Not Send Unencrypted Password to Third-Party SMB ServersMediumNetwork Protocols
WIN-SMB-009Digitally Sign Client Communications (If Server Agrees)LowNetwork Protocols
WIN-SMB-010Digitally Sign Server Communications (If Client Agrees)LowNetwork Protocols
WIN-SMB-011Idle Time Required Before Suspending an SMB Session (15 min)LowNetwork Protocols
WIN-SMB-012Disconnect Clients When Logon Hours ExpireLowNetwork Protocols
WIN-SMB-013Server SPN Target Name Validation LevelMediumNetwork Protocols
WIN-SVC-001Disable Remote Registry ServiceMediumAttack Surface Reduction
WIN-SVC-002Disable Print Spooler ServiceMediumAttack Surface Reduction
WIN-TELEM-001Limit Diagnostic Data to Required or LessLowAttack Surface Reduction
WIN-TELEM-002Disable OneSettings DownloadsLowAttack Surface Reduction
WIN-TELEM-003Do Not Show Feedback NotificationsLowAttack Surface Reduction
WIN-TELEM-004Enable OneSettings AuditingLowLogging and Monitoring
WIN-TELEM-005Disable Windows Insider Preview BuildsMediumAttack Surface Reduction
WIN-TLS-001Enable TLS 1.2 (Server)MediumCryptography
WIN-TLS-002Enable TLS 1.2 (Client)MediumCryptography
WIN-TLS-003Disable RC4 128/128 CipherHighCryptography
WIN-TLS-004Disable RC4 40/128 CipherHighCryptography
WIN-TLS-005Disable Triple DES 168 CipherMediumCryptography
WIN-TLS-006Disable RC4 56/128 CipherHighCryptography
WIN-TLS-007Disable RC4 64/128 CipherHighCryptography
WIN-TLS-008Disable DES 56/56 CipherMediumCryptography
WIN-TLS-009Disable NULL CipherMediumCryptography
WIN-TLS-010Disable TLS 1.0 (Server)HighCryptography
WIN-TLS-011Disable TLS 1.1 (Server)HighCryptography
WIN-TLS-012Disable SSL 3.0 (Server)HighCryptography
WIN-TLS-013Disable SSL 2.0 (Server)HighCryptography
WIN-UAC-001User Account Control EnabledHighPrivilege Management
WIN-UAC-002UAC Elevation Prompt for AdministratorsMediumPrivilege Management
WIN-UAC-003UAC Detect Application InstallationsMediumPrivilege Management
WIN-UAC-004Deny UAC Elevation Prompt for Standard UsersMediumPrivilege Management
WIN-UAC-005UAC Switch to the Secure Desktop for ElevationMediumPrivilege Management
WIN-UAC-006Only Elevate UIAccess Apps in Secure LocationsMediumPrivilege Management
WIN-UAC-007Apply UAC Token Filtering to Remote Local AccountsHighPrivilege Management
WIN-UAC-008Admin Approval Mode for the Built-in AdministratorMediumPrivilege Management
WIN-UAC-009Virtualize File and Registry Write Failures to Per-User LocationsLowPrivilege Management
WIN-URA-001Access Credential Manager as a Trusted Caller = No OneHighUser Rights Assignment
WIN-URA-002Act as Part of the Operating System = No OneHighUser Rights Assignment
WIN-URA-003Create a Token Object = No OneHighUser Rights Assignment
WIN-URA-004Create Permanent Shared Objects = No OneMediumUser Rights Assignment
WIN-URA-005Debug Programs = Administrators OnlyHighUser Rights Assignment
WIN-URA-006Deny Access to This Computer From the Network (includes Guests)MediumUser Rights Assignment
WIN-URA-007Deny Log On as a Batch Job (includes Guests)LowUser Rights Assignment
WIN-URA-008Deny Log On as a Service (includes Guests)LowUser Rights Assignment
WIN-URA-009Deny Log On Locally (includes Guests)MediumUser Rights Assignment
WIN-URA-010Deny Log On Through Remote Desktop Services (includes Guests)MediumUser Rights Assignment
WIN-URA-011Force Shutdown From a Remote System = Administrators OnlyMediumUser Rights Assignment
WIN-URA-012Generate Security Audits = Local Service, Network ServiceMediumUser Rights Assignment
WIN-URA-013Impersonate a Client After Authentication = Service Accounts and AdministratorsMediumUser Rights Assignment
WIN-URA-014Load and Unload Device Drivers = Administrators OnlyMediumUser Rights Assignment
WIN-URA-015Manage Auditing and Security Log = Administrators OnlyMediumUser Rights Assignment
WIN-URA-016Take Ownership of Files or Other Objects = Administrators OnlyMediumUser Rights Assignment
WIN-URA-017Access This Computer From the Network = Administrators, Authenticated UsersHighUser Rights Assignment
WIN-URA-018Allow Log On Locally = AdministratorsMediumUser Rights Assignment
WIN-URA-019Allow Log On Through Remote Desktop Services = Administrators, Remote Desktop UsersMediumUser Rights Assignment
WIN-URA-020Back Up Files and Directories = AdministratorsMediumUser Rights Assignment
WIN-URA-021Restore Files and Directories = AdministratorsMediumUser Rights Assignment
WIN-URA-022Change the System Time = Administrators, Local ServiceMediumUser Rights Assignment
WIN-URA-023Change the Time Zone = Administrators, Local Service, UsersLowUser Rights Assignment
WIN-URA-024Create a Pagefile = AdministratorsLowUser Rights Assignment
WIN-URA-025Create Global Objects = Administrators and Service AccountsMediumUser Rights Assignment
WIN-URA-026Create Symbolic Links = AdministratorsMediumUser Rights Assignment
WIN-URA-027Adjust Memory Quotas for a Process = Administrators and Service AccountsLowUser Rights Assignment
WIN-URA-028Increase Scheduling Priority = Administrators, Window ManagerLowUser Rights Assignment
WIN-URA-029Lock Pages in Memory = No OneMediumUser Rights Assignment
WIN-URA-030Perform Volume Maintenance Tasks = AdministratorsMediumUser Rights Assignment
WIN-URA-031Profile Single Process = AdministratorsLowUser Rights Assignment
WIN-URA-032Replace a Process Level Token = Local Service, Network ServiceMediumUser Rights Assignment
WIN-URA-033Shut Down the System = AdministratorsLowUser Rights Assignment
WIN-URA-034Modify Firmware Environment Values = AdministratorsMediumUser Rights Assignment
WIN-URA-035Enable Accounts to Be Trusted for Delegation = No OneHighUser Rights Assignment
WIN-URA-036Obtain an Impersonation Token for Another User = No OneMediumUser Rights Assignment
WIN-URA-037Modify an Object Label = No OneLowUser Rights Assignment
WIN-URA-038Synchronize Directory Service Data = No OneMediumUser Rights Assignment
WIN-URA-039Profile System Performance = Administrators, WdiServiceHostLowUser Rights Assignment
WIN-VBS-001Enable Virtualization Based SecurityHighCredential Protection
WIN-VBS-002Require Secure Boot for VBSMediumCredential Protection
WIN-VBS-003Enable Memory Integrity (HVCI)HighExploit Protection
WIN-WDIGEST-001Disable WDigest Credential CachingHighCredential Protection
WIN-WINRM-001Disable WinRM Client Basic AuthenticationMediumRemote Management
WIN-WINRM-002Disallow WinRM Unencrypted TrafficMediumRemote Management
WIN-WINRM-003Disable WinRM Client Digest AuthenticationMediumRemote Management
WIN-WINRM-004Disable WinRM Service Basic AuthenticationMediumRemote Management
WIN-WINRM-005Disallow WinRM Storing RunAs CredentialsMediumRemote Management
WIN-WINRM-006Disallow WinRM Client Unencrypted TrafficMediumRemote Management
WIN-WINRS-001Disable Windows Remote Shell AccessMediumRemote Management