Skip to content

Controls

The CloudInfra Secure control library (301 controls). Each control exists once and may be used by many baselines.

Compliance disclaimer

CloudInfra Secure controls are designed to help organisations implement technical security requirements commonly found in recognised security standards. They do not constitute certification or proof of compliance.

Coverage summary

Controls tagged GPO are delivered through a Group Policy registry value that a domain policy can override; the rest are direct system settings.

Showing 301 of 301 controls
#IDNameSeverityCategoryProviderDelivery
WIN-ACCT-001Block Microsoft AccountsMediumAccess ControlRegistryGPO
WIN-ACCT-002Guest Account DisabledMediumAccess ControlSecEditDirect
WIN-ACCT-003Force Logoff When Logon Hours ExpireLowAccount PolicySecEditDirect
WIN-ASR-001ASR: Block Credential Stealing from LSASSHighAttack Surface ReductionRegistryGPO
WIN-ASR-002ASR: Block Office Apps Creating Child ProcessesMediumAttack Surface ReductionRegistryGPO
WIN-ASR-003ASR: Block Executable Content from Email and WebmailMediumAttack Surface ReductionRegistryGPO
WIN-ASR-004ASR: Block Obfuscated ScriptsMediumAttack Surface ReductionRegistryGPO
WIN-ASR-005ASR: Block Untrusted Processes from USBMediumAttack Surface ReductionRegistryGPO
WIN-ASR-006ASR: Block Process Creation from PSExec and WMIMediumAttack Surface ReductionRegistryGPO
WIN-ASR-007ASR: Advanced Protection Against RansomwareHighAttack Surface ReductionRegistryGPO
WIN-ASR-008ASR: Block Office Apps Injecting Code into Other ProcessesMediumAttack Surface ReductionRegistryGPO
WIN-ASR-009ASR: Block Office Apps Creating Executable ContentMediumAttack Surface ReductionRegistryGPO
WIN-ASR-010ASR: Block Persistence Through WMI Event SubscriptionMediumAttack Surface ReductionRegistryGPO
WIN-ASR-011ASR: Block Win32 API Calls from Office MacrosMediumAttack Surface ReductionRegistryGPO
WIN-ASR-012ASR: Block Untrusted Executables by Prevalence, Age, or TrustMediumAttack Surface ReductionRegistryGPO
WIN-ASR-013ASR: Block Adobe Reader from Creating Child ProcessesMediumAttack Surface ReductionRegistryGPO
WIN-ASR-014ASR: Block Webshell Creation for ServersHighAttack Surface ReductionRegistryGPO
WIN-ASR-015ASR: Block Rebooting Machine in Safe ModeMediumAttack Surface ReductionRegistryGPO
WIN-AUD-001Audit Logon FailuresMediumLogging and MonitoringAuditPolDirect
WIN-AUD-002Audit Account Lockout EventsMediumLogging and MonitoringAuditPolDirect
WIN-AUD-003Audit Process CreationMediumLogging and MonitoringAuditPolDirect
WIN-AUD-004Audit Credential ValidationMediumLogging and MonitoringAuditPolDirect
WIN-AUD-005Audit Security Group ManagementMediumLogging and MonitoringAuditPolDirect
WIN-AUD-006Audit Special LogonMediumLogging and MonitoringAuditPolDirect
WIN-AUD-007Audit Sensitive Privilege UseMediumLogging and MonitoringAuditPolDirect
WIN-AUD-008Audit System IntegrityMediumLogging and MonitoringAuditPolDirect
WIN-AUD-009Audit LogoffMediumLogging and MonitoringAuditPolDirect
WIN-AUD-010Audit Removable StorageMediumLogging and MonitoringAuditPolDirect
WIN-AUD-011Audit Authentication Policy ChangeMediumLogging and MonitoringAuditPolDirect
WIN-AUD-012Audit User Account ManagementMediumLogging and MonitoringAuditPolDirect
WIN-AUD-013Audit Computer Account ManagementMediumLogging and MonitoringAuditPolDirect
WIN-AUD-014Audit Audit Policy ChangeMediumLogging and MonitoringAuditPolDirect
WIN-AUD-015Audit Other Logon/Logoff EventsMediumLogging and MonitoringAuditPolDirect
WIN-AUD-016Audit MPSSVC Rule-Level Policy ChangeMediumLogging and MonitoringAuditPolDirect
WIN-AUD-017Audit PNP ActivityMediumLogging and MonitoringAuditPolDirect
WIN-AUD-018Audit Group MembershipMediumLogging and MonitoringAuditPolDirect
WIN-AUD-019Audit Other Object Access EventsMediumLogging and MonitoringAuditPolDirect
WIN-AUD-020Audit Detailed File ShareMediumLogging and MonitoringAuditPolDirect
WIN-AUD-021Force Audit Policy Subcategory SettingsMediumLogging and MonitoringRegistryDirect
WIN-AUD-022Audit Other Account Management EventsMediumLogging and MonitoringAuditPolDirect
WIN-AUD-023Audit File ShareMediumLogging and MonitoringAuditPolDirect
WIN-AUD-024Audit Authorization Policy ChangeMediumLogging and MonitoringAuditPolDirect
WIN-AUD-025Audit Other Policy Change EventsLowLogging and MonitoringAuditPolDirect
WIN-AUD-026Audit IPsec DriverMediumLogging and MonitoringAuditPolDirect
WIN-AUD-027Audit Other System EventsLowLogging and MonitoringAuditPolDirect
WIN-AUD-028Audit Security State ChangeMediumLogging and MonitoringAuditPolDirect
WIN-AUD-029Audit Security System ExtensionMediumLogging and MonitoringAuditPolDirect
WIN-AUD-030Include Command Line in Process Creation EventsMediumLogging and MonitoringRegistryGPO
WIN-AUTORUN-001Disable AutoRun on All DrivesMediumAttack Surface ReductionRegistryGPO
WIN-AUTORUN-002Disallow Autoplay for Non-Volume DevicesMediumAttack Surface ReductionRegistryGPO
WIN-AUTORUN-003Set Default AutoRun Behavior to Do Not ExecuteMediumAttack Surface ReductionRegistryGPO
WIN-CG-001Enable Credential GuardHighCredential ProtectionRegistryDirect
WIN-CLOUD-001Turn Off Microsoft Consumer ExperiencesLowAttack Surface ReductionRegistryGPO
WIN-CREDDEL-001Encryption Oracle Remediation (Force Updated Clients)HighCredential ProtectionRegistryGPO
WIN-CREDDEL-002Remote Host Allows Delegation of Non-Exportable CredentialsMediumCredential ProtectionRegistryGPO
WIN-CREDUI-001Do Not Display the Password Reveal ButtonLowCredential ProtectionRegistryGPO
WIN-CREDUI-002Do Not Enumerate Administrator Accounts on ElevationMediumCredential ProtectionRegistryGPO
WIN-CREDUI-003Prevent Use of Security Questions for Local AccountsLowCredential ProtectionRegistryGPO
WIN-DEF-001Microsoft Defender Antivirus EnabledHighEndpoint ProtectionDefenderDirect
WIN-DEF-002Enable Potentially Unwanted Application (PUA) ProtectionHighEndpoint ProtectionRegistryGPO
WIN-DEF-003Enable Defender Real-Time ProtectionHighEndpoint ProtectionRegistryGPO
WIN-DEF-004Enable Cloud-Delivered ProtectionMediumEndpoint ProtectionRegistryGPO
WIN-DEF-005Enable Network ProtectionMediumEndpoint ProtectionRegistryGPO
WIN-DEF-006Enable Controlled Folder AccessMediumEndpoint ProtectionRegistryGPO
WIN-DEF-007Scan Removable Drives During Full ScanLowEndpoint ProtectionRegistryGPO
WIN-DEF-008Enable Block at First SightMediumEndpoint ProtectionRegistryGPO
WIN-DEF-009Enable Defender Behavior MonitoringHighEndpoint ProtectionRegistryGPO
WIN-DEF-010Enable Email ScanningMediumEndpoint ProtectionRegistryGPO
WIN-DEF-011Enable Archive ScanningMediumEndpoint ProtectionRegistryGPO
WIN-DEF-012Scan Mapped Network Drives During Full ScanLowEndpoint ProtectionRegistryGPO
WIN-DEF-013Scan Downloaded Files and AttachmentsHighEndpoint ProtectionRegistryGPO
WIN-DEF-014Disable Local Admin Merge of Defender PreferencesMediumEndpoint ProtectionRegistryGPO
WIN-DEF-015Enable Real-Time Script ScanningMediumEndpoint ProtectionRegistryGPO
WIN-DEF-016Enable Defender File Hash ComputationLowEndpoint ProtectionRegistryGPO
WIN-DEF-017Notify Antivirus When Opening Attachments (Default Profile)MediumEndpoint ProtectionRegistryGPO
WIN-ELAM-001Boot-Start Driver Initialization PolicyMediumEndpoint ProtectionRegistryGPO
WIN-EVTLOG-001Application Event Log Maximum Size (>= 32 MB)MediumLogging and MonitoringRegistryGPO
WIN-EVTLOG-002Application Event Log Retention (Overwrite as Needed)LowLogging and MonitoringRegistryGPO
WIN-EVTLOG-003Security Event Log Maximum Size (>= 192 MB)HighLogging and MonitoringRegistryGPO
WIN-EVTLOG-004Security Event Log Retention (Overwrite as Needed)LowLogging and MonitoringRegistryGPO
WIN-EVTLOG-005Setup Event Log Maximum Size (>= 32 MB)LowLogging and MonitoringRegistryGPO
WIN-EVTLOG-006Setup Event Log Retention (Overwrite as Needed)LowLogging and MonitoringRegistryGPO
WIN-EVTLOG-007System Event Log Maximum Size (>= 32 MB)MediumLogging and MonitoringRegistryGPO
WIN-EVTLOG-008System Event Log Retention (Overwrite as Needed)LowLogging and MonitoringRegistryGPO
WIN-EVTLOG-009Security Log Near-Capacity Warning ThresholdLowLogging and MonitoringRegistryDirect
WIN-FW-001Windows Firewall Enabled (All Profiles)HighHost FirewallFirewallDirect
WIN-FW-002Block Inbound Connections by Default (Domain Profile)MediumHost FirewallRegistryGPO
WIN-FW-003Block Inbound Connections by Default (Private Profile)MediumHost FirewallRegistryGPO
WIN-FW-004Block Inbound Connections by Default (Public Profile)MediumHost FirewallRegistryGPO
WIN-FW-005Log Dropped Packets (Public Profile)LowHost FirewallRegistryGPO
WIN-GPO-001Registry Policy Processing: Apply During Background RefreshLowAccess ControlRegistryGPO
WIN-GPO-002Registry Policy Processing: Process Even If UnchangedLowAccess ControlRegistryGPO
WIN-GPO-003Disable Continue Experiences (Connected Devices Platform)LowAttack Surface ReductionRegistryGPO
WIN-INET-001Turn Off Downloading of Print Drivers Over HTTPLowNetwork ProtocolsRegistryGPO
WIN-INET-002Turn Off Printing Over HTTPLowNetwork ProtocolsRegistryGPO
WIN-INET-003Turn Off Windows Error ReportingLowAttack Surface ReductionRegistryGPO
WIN-INET-004Turn Off Windows Customer Experience Improvement ProgramLowAttack Surface ReductionRegistryGPO
WIN-INET-005Turn Off Internet Download for Web Publishing and Online OrderingLowAttack Surface ReductionRegistryGPO
WIN-INET-006Turn Off Internet Connection Wizard If URL ConnectionLowAttack Surface ReductionRegistryGPO
WIN-INET-007Turn Off Search Companion Content File UpdatesLowAttack Surface ReductionRegistryGPO
WIN-INSTALL-001Disable Always Install ElevatedHighPrivilege ManagementRegistryGPO
WIN-INSTALL-002Disable User Control Over Windows InstallerMediumPrivilege ManagementRegistryGPO
WIN-KRB-001Configure Kerberos Encryption Types (AES only)MediumAuthenticationRegistryGPO
WIN-LDAP-001LDAP Client SigningMediumAuthenticationRegistryDirect
WIN-LOCK-001Account Lockout ThresholdMediumAccount PolicySecEditDirect
WIN-LOCK-002Account Lockout DurationMediumAccount PolicySecEditDirect
WIN-LOCK-003Reset Account Lockout CounterMediumAccount PolicySecEditDirect
WIN-LOGON-001Machine Inactivity LimitMediumAccess ControlRegistryGPO
WIN-LOGON-002Do Not Display Last Signed-In UserLowAccess ControlRegistryGPO
WIN-LOGON-003Limit Number of Cached LogonsMediumAccess ControlRegistryDirect
WIN-LOGON-004Require Ctrl+Alt+Del at LogonLowAccess ControlRegistryGPO
WIN-LOGON-005Smart Card Removal Behavior (Lock Workstation)LowAccess ControlRegistryDirect
WIN-LOGON-006Disable Automatic LogonMediumAccess ControlRegistryDirect
WIN-LOGON-007Do Not Allow System to Be Shut Down Without Logging OnLowAccess ControlRegistryGPO
WIN-LOGON-008Require Domain Controller Authentication to Unlock WorkstationMediumAccess ControlRegistryDirect
WIN-LOGON-009Do Not Enumerate Connected Users on Domain-Joined ComputersMediumAccess ControlRegistryGPO
WIN-LOGON-010Do Not Enumerate Local Users on Domain-Joined ComputersMediumAccess ControlRegistryGPO
WIN-LOGON-011Block User From Showing Account Details on Sign-InLowAccess ControlRegistryGPO
WIN-LOGON-012Do Not Display Network Selection UILowAccess ControlRegistryGPO
WIN-LOGON-013Turn Off App Notifications on the Lock ScreenLowAccess ControlRegistryGPO
WIN-LOGON-014Disable Convenience PIN Sign-InMediumAccess ControlRegistryGPO
WIN-LOGON-015Disable Automatic Restart Sign-On (ARSO)MediumAccess ControlRegistryGPO
WIN-LOGON-016Screen Saver Grace PeriodLowAccess ControlRegistryDirect
WIN-LOGON-017Turn Off Toast Notifications on the Lock Screen (Default Profile)LowAccess ControlRegistryGPO
WIN-LOGON-018Logon Legal Notice TextLowAccess ControlRegistryGPO
WIN-LOGON-019Logon Legal Notice TitleLowAccess ControlRegistryGPO
WIN-LSA-001Do Not Store LAN Manager HashHighCredential ProtectionRegistryDirect
WIN-LSA-002Restrict Anonymous SID EnumerationMediumAccess ControlRegistryDirect
WIN-LSA-003Enable LSASS Protection (RunAsPPL)HighCredential ProtectionRegistryDirect
WIN-LSA-004Do Not Allow Anonymous Enumeration of SAM AccountsMediumAccess ControlRegistryDirect
WIN-LSA-005Enable Structured Exception Handling Overwrite Protection (SEHOP)MediumExploit ProtectionRegistryDirect
WIN-LSA-006Digitally Encrypt or Sign Secure Channel Data (Always)MediumAuthenticationRegistryDirect
WIN-LSA-007Do Not Apply Everyone Permissions to Anonymous UsersMediumAccess ControlRegistryDirect
WIN-LSA-008Restrict Clients Allowed to Make Remote SAM CallsMediumAccess ControlRegistryDirect
WIN-LSA-009Limit Local Account Use of Blank PasswordsHighAccess ControlRegistryDirect
WIN-LSA-010Sharing and Security Model for Local Accounts (Classic)MediumAccess ControlRegistryDirect
WIN-LSA-011Disallow LocalSystem NULL Session FallbackMediumAccess ControlRegistryDirect
WIN-LSA-012Strengthen Default Permissions of Internal System ObjectsLowAccess ControlRegistryDirect
WIN-LSA-013Digitally Encrypt Secure Channel Data (When Possible)MediumAuthenticationRegistryDirect
WIN-LSA-014Digitally Sign Secure Channel Data (When Possible)MediumAuthenticationRegistryDirect
WIN-LSA-015Do Not Disable Machine Account Password ChangesMediumAuthenticationRegistryDirect
WIN-LSA-016Maximum Machine Account Password Age (30 Days)LowAuthenticationRegistryDirect
WIN-LSA-017Require Strong (Windows 2000 or Later) Session KeyMediumAuthenticationRegistryDirect
WIN-LSA-018Do Not Store Passwords and Credentials for Network AuthenticationHighCredential ProtectionRegistryDirect
WIN-LSA-019Require Case Insensitivity for Non-Windows SubsystemsLowAccess ControlRegistryDirect
WIN-NET-001Disable LLMNRMediumNetwork ProtocolsRegistryGPO
WIN-NET-002Disable IPv4 Source RoutingMediumNetwork ProtocolsRegistryDirect
WIN-NET-003Disable ICMP RedirectsLowNetwork ProtocolsRegistryDirect
WIN-NET-004Disable IPv6 Source RoutingMediumNetwork ProtocolsRegistryDirect
WIN-NET-005Ignore NetBIOS Name Release RequestsLowNetwork ProtocolsRegistryDirect
WIN-NET-006Disable mDNSMediumNetwork ProtocolsRegistryDirect
WIN-NET-007Enable Safe DLL Search ModeMediumExploit ProtectionRegistryDirect
WIN-NET-008Hardened UNC Path for SYSVOLHighNetwork ProtocolsRegistryGPO
WIN-NET-009Hardened UNC Path for NETLOGONHighNetwork ProtocolsRegistryGPO
WIN-NET-010Disable Font ProvidersLowAttack Surface ReductionRegistryGPO
WIN-NET-011Turn Off Smart Multi-Homed Name ResolutionMediumNetwork ProtocolsRegistryGPO
WIN-NET-012Prohibit Installation of Network BridgeLowNetwork ProtocolsRegistryGPO
WIN-NET-013Prohibit Internet Connection SharingLowNetwork ProtocolsRegistryGPO
WIN-NET-014Require Domain Users to Elevate When Setting Network LocationLowNetwork ProtocolsRegistryGPO
WIN-NET-015Minimize Simultaneous Internet and Domain ConnectionsLowNetwork ProtocolsRegistryGPO
WIN-NET-016Prohibit Non-Domain Networks When on Domain NetworkLowNetwork ProtocolsRegistryGPO
WIN-NET-017Disable Windows Connect Now RegistrarsLowNetwork ProtocolsRegistryGPO
WIN-NET-018Prohibit Access of Windows Connect Now WizardsLowNetwork ProtocolsRegistryGPO
WIN-NET-019Turn Off Link-Layer Topology Mapper I/O DriverLowNetwork ProtocolsRegistryGPO
WIN-NET-020Turn Off Link-Layer Topology Responder DriverLowNetwork ProtocolsRegistryGPO
WIN-NET-021TCP Maximum Data Retransmissions (IPv4)LowNetwork ProtocolsRegistryDirect
WIN-NET-022TCP Maximum Data Retransmissions (IPv6)LowNetwork ProtocolsRegistryDirect
WIN-NET-023TCP Keep-Alive TimeLowNetwork ProtocolsRegistryDirect
WIN-NET-024Disable Dead Gateway DetectionLowNetwork ProtocolsRegistryDirect
WIN-NTLM-001LAN Manager Authentication Level (NTLMv2 Only)HighAuthenticationRegistryDirect
WIN-NTLM-002Minimum NTLM Session Security (Clients)MediumAuthenticationRegistryDirect
WIN-NTLM-003Minimum NTLM Session Security (Servers)MediumAuthenticationRegistryDirect
WIN-NTLM-004Allow LocalSystem to Use Computer Identity for NTLMMediumAuthenticationRegistryDirect
WIN-NTLM-005Disallow PKU2U Online IdentitiesMediumAuthenticationRegistryDirect
WIN-NTLM-006Audit Incoming NTLM TrafficLowAuthenticationRegistryDirect
WIN-NTLM-007Audit Outgoing NTLM Traffic to Remote ServersLowAuthenticationRegistryDirect
WIN-PRINT-001Restrict Point and Print Driver Installation to AdministratorsHighAttack Surface ReductionRegistryGPO
WIN-PRINT-002Require Elevation for New Point and Print ConnectionsMediumAttack Surface ReductionRegistryGPO
WIN-PRINT-003Prevent Users From Installing Printer DriversMediumAttack Surface ReductionRegistryDirect
WIN-PSL-001Enable PowerShell Script Block LoggingMediumLogging and MonitoringRegistryGPO
WIN-PSL-002Enable PowerShell Module LoggingMediumLogging and MonitoringRegistryGPO
WIN-PSL-003Enable PowerShell TranscriptionMediumLogging and MonitoringRegistryGPO
WIN-PWD-001Minimum Password LengthHighAccount PolicySecEditDirect
WIN-PWD-002Password Complexity EnabledHighAccount PolicySecEditDirect
WIN-PWD-003Maximum Password AgeMediumAccount PolicySecEditDirect
WIN-PWD-004Minimum Password AgeLowAccount PolicySecEditDirect
WIN-PWD-005Enforce Password HistoryMediumAccount PolicySecEditDirect
WIN-PWD-006Disable Reversible Password EncryptionHighAccount PolicySecEditDirect
WIN-RA-001Disable Solicited Remote AssistanceMediumRemote AccessRegistryGPO
WIN-RA-002Disable Offer (Unsolicited) Remote AssistanceMediumRemote AccessRegistryGPO
WIN-RDP-001Require Network Level Authentication for RDPHighRemote AccessRegistryDirect
WIN-RDP-002RDP Minimum Encryption Level (High)MediumRemote AccessRegistryDirect
WIN-RDP-003RDP Security Layer (TLS)MediumRemote AccessRegistryDirect
WIN-RDP-004Disable RDP Drive RedirectionMediumRemote AccessRegistryDirect
WIN-RDP-005Always Prompt for Password on RDP ConnectionMediumRemote AccessRegistryGPO
WIN-RDP-006Disable RDP Clipboard RedirectionLowRemote AccessRegistryGPO
WIN-RDP-007Set RDP Idle Session Time LimitLowRemote AccessRegistryGPO
WIN-RDP-008Set RDP Disconnected Session Time LimitLowRemote AccessRegistryGPO
WIN-RDP-009Do Not Allow Saved RDP PasswordsMediumRemote AccessRegistryGPO
WIN-RDP-010Disable RDP COM Port RedirectionLowRemote AccessRegistryGPO
WIN-RDP-011Disable RDP LPT Port RedirectionLowRemote AccessRegistryGPO
WIN-RDP-012Disable RDP Plug and Play Device RedirectionLowRemote AccessRegistryGPO
WIN-RDP-013Require Secure RPC for Remote DesktopMediumRemote AccessRegistryGPO
WIN-RDP-014Use Temporary Folders Per RDP SessionLowRemote AccessRegistryGPO
WIN-RPC-001Restrict Unauthenticated RPC ClientsMediumNetwork ProtocolsRegistryGPO
WIN-RPC-002Enable RPC Endpoint Mapper Client AuthenticationMediumNetwork ProtocolsRegistryGPO
WIN-SCRSVR-001Enable Screen Saver (Default Profile)LowAccess ControlRegistryGPO
WIN-SCRSVR-002Password Protect the Screen Saver (Default Profile)MediumAccess ControlRegistryGPO
WIN-SCRSVR-003Screen Saver Timeout (Default Profile)LowAccess ControlRegistryGPO
WIN-SMARTSCREEN-001Configure Windows Defender SmartScreenMediumEndpoint ProtectionRegistryGPO
WIN-SMB-001Disable SMBv1HighNetwork ProtocolsRegistryDirect
WIN-SMB-003Require SMB Signing (Server)HighNetwork ProtocolsRegistryDirect
WIN-SMB-004Disable SMBv1 ClientHighNetwork ProtocolsRegistryDirect
WIN-SMB-005Require SMB Client SigningMediumNetwork ProtocolsRegistryDirect
WIN-SMB-006Restrict Anonymous Access to Named Pipes and SharesMediumNetwork ProtocolsRegistryDirect
WIN-SMB-007Disable SMB Client Insecure Guest LogonsMediumNetwork ProtocolsRegistryGPO
WIN-SMB-008Do Not Send Unencrypted Password to Third-Party SMB ServersMediumNetwork ProtocolsRegistryDirect
WIN-SMB-009Digitally Sign Client Communications (If Server Agrees)LowNetwork ProtocolsRegistryDirect
WIN-SMB-010Digitally Sign Server Communications (If Client Agrees)LowNetwork ProtocolsRegistryDirect
WIN-SMB-011Idle Time Required Before Suspending an SMB Session (15 min)LowNetwork ProtocolsRegistryDirect
WIN-SMB-012Disconnect Clients When Logon Hours ExpireLowNetwork ProtocolsRegistryDirect
WIN-SMB-013Server SPN Target Name Validation LevelMediumNetwork ProtocolsRegistryDirect
WIN-SVC-001Disable Remote Registry ServiceMediumAttack Surface ReductionServiceDirect
WIN-SVC-002Disable Print Spooler ServiceMediumAttack Surface ReductionServiceDirect
WIN-TELEM-001Limit Diagnostic Data to Required or LessLowAttack Surface ReductionRegistryGPO
WIN-TELEM-002Disable OneSettings DownloadsLowAttack Surface ReductionRegistryGPO
WIN-TELEM-003Do Not Show Feedback NotificationsLowAttack Surface ReductionRegistryGPO
WIN-TELEM-004Enable OneSettings AuditingLowLogging and MonitoringRegistryGPO
WIN-TELEM-005Disable Windows Insider Preview BuildsMediumAttack Surface ReductionRegistryGPO
WIN-TLS-001Enable TLS 1.2 (Server)MediumCryptographyRegistryDirect
WIN-TLS-002Enable TLS 1.2 (Client)MediumCryptographyRegistryDirect
WIN-TLS-003Disable RC4 128/128 CipherHighCryptographyRegistryDirect
WIN-TLS-004Disable RC4 40/128 CipherHighCryptographyRegistryDirect
WIN-TLS-005Disable Triple DES 168 CipherMediumCryptographyRegistryDirect
WIN-TLS-006Disable RC4 56/128 CipherHighCryptographyRegistryDirect
WIN-TLS-007Disable RC4 64/128 CipherHighCryptographyRegistryDirect
WIN-TLS-008Disable DES 56/56 CipherMediumCryptographyRegistryDirect
WIN-TLS-009Disable NULL CipherMediumCryptographyRegistryDirect
WIN-TLS-010Disable TLS 1.0 (Server)HighCryptographyRegistryDirect
WIN-TLS-011Disable TLS 1.1 (Server)HighCryptographyRegistryDirect
WIN-TLS-012Disable SSL 3.0 (Server)HighCryptographyRegistryDirect
WIN-TLS-013Disable SSL 2.0 (Server)HighCryptographyRegistryDirect
WIN-UAC-001User Account Control EnabledHighPrivilege ManagementRegistryGPO
WIN-UAC-002UAC Elevation Prompt for AdministratorsMediumPrivilege ManagementRegistryGPO
WIN-UAC-003UAC Detect Application InstallationsMediumPrivilege ManagementRegistryGPO
WIN-UAC-004Deny UAC Elevation Prompt for Standard UsersMediumPrivilege ManagementRegistryGPO
WIN-UAC-005UAC Switch to the Secure Desktop for ElevationMediumPrivilege ManagementRegistryGPO
WIN-UAC-006Only Elevate UIAccess Apps in Secure LocationsMediumPrivilege ManagementRegistryGPO
WIN-UAC-007Apply UAC Token Filtering to Remote Local AccountsHighPrivilege ManagementRegistryGPO
WIN-UAC-008Admin Approval Mode for the Built-in AdministratorMediumPrivilege ManagementRegistryGPO
WIN-UAC-009Virtualize File and Registry Write Failures to Per-User LocationsLowPrivilege ManagementRegistryGPO
WIN-URA-001Access Credential Manager as a Trusted Caller = No OneHighUser Rights AssignmentSecEditDirect
WIN-URA-002Act as Part of the Operating System = No OneHighUser Rights AssignmentSecEditDirect
WIN-URA-003Create a Token Object = No OneHighUser Rights AssignmentSecEditDirect
WIN-URA-004Create Permanent Shared Objects = No OneMediumUser Rights AssignmentSecEditDirect
WIN-URA-005Debug Programs = Administrators OnlyHighUser Rights AssignmentSecEditDirect
WIN-URA-006Deny Access to This Computer From the Network (includes Guests)MediumUser Rights AssignmentSecEditDirect
WIN-URA-007Deny Log On as a Batch Job (includes Guests)LowUser Rights AssignmentSecEditDirect
WIN-URA-008Deny Log On as a Service (includes Guests)LowUser Rights AssignmentSecEditDirect
WIN-URA-009Deny Log On Locally (includes Guests)MediumUser Rights AssignmentSecEditDirect
WIN-URA-010Deny Log On Through Remote Desktop Services (includes Guests)MediumUser Rights AssignmentSecEditDirect
WIN-URA-011Force Shutdown From a Remote System = Administrators OnlyMediumUser Rights AssignmentSecEditDirect
WIN-URA-012Generate Security Audits = Local Service, Network ServiceMediumUser Rights AssignmentSecEditDirect
WIN-URA-013Impersonate a Client After Authentication = Service Accounts and AdministratorsMediumUser Rights AssignmentSecEditDirect
WIN-URA-014Load and Unload Device Drivers = Administrators OnlyMediumUser Rights AssignmentSecEditDirect
WIN-URA-015Manage Auditing and Security Log = Administrators OnlyMediumUser Rights AssignmentSecEditDirect
WIN-URA-016Take Ownership of Files or Other Objects = Administrators OnlyMediumUser Rights AssignmentSecEditDirect
WIN-URA-017Access This Computer From the Network = Administrators, Authenticated UsersHighUser Rights AssignmentSecEditDirect
WIN-URA-018Allow Log On Locally = AdministratorsMediumUser Rights AssignmentSecEditDirect
WIN-URA-019Allow Log On Through Remote Desktop Services = Administrators, Remote Desktop UsersMediumUser Rights AssignmentSecEditDirect
WIN-URA-020Back Up Files and Directories = AdministratorsMediumUser Rights AssignmentSecEditDirect
WIN-URA-021Restore Files and Directories = AdministratorsMediumUser Rights AssignmentSecEditDirect
WIN-URA-022Change the System Time = Administrators, Local ServiceMediumUser Rights AssignmentSecEditDirect
WIN-URA-023Change the Time Zone = Administrators, Local Service, UsersLowUser Rights AssignmentSecEditDirect
WIN-URA-024Create a Pagefile = AdministratorsLowUser Rights AssignmentSecEditDirect
WIN-URA-025Create Global Objects = Administrators and Service AccountsMediumUser Rights AssignmentSecEditDirect
WIN-URA-026Create Symbolic Links = AdministratorsMediumUser Rights AssignmentSecEditDirect
WIN-URA-027Adjust Memory Quotas for a Process = Administrators and Service AccountsLowUser Rights AssignmentSecEditDirect
WIN-URA-028Increase Scheduling Priority = Administrators, Window ManagerLowUser Rights AssignmentSecEditDirect
WIN-URA-029Lock Pages in Memory = No OneMediumUser Rights AssignmentSecEditDirect
WIN-URA-030Perform Volume Maintenance Tasks = AdministratorsMediumUser Rights AssignmentSecEditDirect
WIN-URA-031Profile Single Process = AdministratorsLowUser Rights AssignmentSecEditDirect
WIN-URA-032Replace a Process Level Token = Local Service, Network ServiceMediumUser Rights AssignmentSecEditDirect
WIN-URA-033Shut Down the System = AdministratorsLowUser Rights AssignmentSecEditDirect
WIN-URA-034Modify Firmware Environment Values = AdministratorsMediumUser Rights AssignmentSecEditDirect
WIN-URA-035Enable Accounts to Be Trusted for Delegation = No OneHighUser Rights AssignmentSecEditDirect
WIN-URA-036Obtain an Impersonation Token for Another User = No OneMediumUser Rights AssignmentSecEditDirect
WIN-URA-037Modify an Object Label = No OneLowUser Rights AssignmentSecEditDirect
WIN-URA-038Synchronize Directory Service Data = No OneMediumUser Rights AssignmentSecEditDirect
WIN-URA-039Profile System Performance = Administrators, WdiServiceHostLowUser Rights AssignmentSecEditDirect
WIN-VBS-001Enable Virtualization Based SecurityHighCredential ProtectionRegistryDirect
WIN-VBS-002Require Secure Boot for VBSMediumCredential ProtectionRegistryDirect
WIN-VBS-003Enable Memory Integrity (HVCI)HighExploit ProtectionRegistryDirect
WIN-WDIGEST-001Disable WDigest Credential CachingHighCredential ProtectionRegistryDirect
WIN-WINRM-001Disable WinRM Client Basic AuthenticationMediumRemote ManagementRegistryGPO
WIN-WINRM-002Disallow WinRM Unencrypted TrafficMediumRemote ManagementRegistryGPO
WIN-WINRM-003Disable WinRM Client Digest AuthenticationMediumRemote ManagementRegistryGPO
WIN-WINRM-004Disable WinRM Service Basic AuthenticationMediumRemote ManagementRegistryGPO
WIN-WINRM-005Disallow WinRM Storing RunAs CredentialsMediumRemote ManagementRegistryGPO
WIN-WINRM-006Disallow WinRM Client Unencrypted TrafficMediumRemote ManagementRegistryGPO
WIN-WINRS-001Disable Windows Remote Shell AccessMediumRemote ManagementRegistryGPO

Control reference

WIN-ACCT-001 - Block Microsoft Accounts

Severity: Medium   Category: Access Control   Provider: Registry   Delivery: Group Policy   Reboot: No   Tier: Standard

Prevent users from adding or logging on with Microsoft accounts. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.

Rationale. Consumer Microsoft accounts on servers bypass enterprise identity controls and complicate auditing.

Remediation. Set Policies System NoConnectedUser to 3 (users cannot add or log on with Microsoft accounts).

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/accounts-block-microsoft-accounts

WIN-ACCT-002 - Guest Account Disabled

Severity: Medium   Category: Access Control   Provider: SecEdit   Delivery: Direct   Reboot: No   Tier: Standard

The built-in Guest account must be disabled.

Rationale. An enabled Guest account permits anonymous, unattributed access.

Remediation. Disable the built-in Guest account (EnableGuestAccount = 0).

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/accounts-guest-account-status

WIN-ACCT-003 - Force Logoff When Logon Hours Expire

Severity: Low   Category: Account Policy   Provider: SecEdit   Delivery: Direct   Reboot: No   Tier: Standard   Applies to: Domain-joined only

Force users to log off when their logon hours expire.

Rationale. Sessions outliving permitted hours bypass time-based access controls.

Remediation. Enable Force logoff when logon hours expire (ForceLogoffWhenHourExpire = 1).

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/network-security-force-logoff-when-logon-hours-expire

WIN-ASR-001 - ASR: Block Credential Stealing from LSASS

Severity: High   Category: Attack Surface Reduction   Provider: Registry   Delivery: Group Policy   Reboot: No   Tier: Enterprise

The Attack Surface Reduction rule blocking credential theft from the LSASS process must be enabled in block mode. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.

Rationale. Credential theft from LSASS enables lateral movement and privilege escalation.

Remediation. Enable ASR rule 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 in block mode (1).

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction-rules-reference

WIN-ASR-002 - ASR: Block Office Apps Creating Child Processes

Severity: Medium   Category: Attack Surface Reduction   Provider: Registry   Delivery: Group Policy   Reboot: No   Tier: Enterprise

The Attack Surface Reduction rule blocking Office applications from creating child processes must be enabled. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.

Rationale. Office child-process creation is a common malware/macro execution technique.

Remediation. Enable ASR rule d4f940ab-401b-4efc-aadc-ad5f3c50688a in block mode (1).

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction-rules-reference

WIN-ASR-003 - ASR: Block Executable Content from Email and Webmail

Severity: Medium   Category: Attack Surface Reduction   Provider: Registry   Delivery: Group Policy   Reboot: No   Tier: Enterprise

The Attack Surface Reduction rule blocking executable content from email and webmail must be enabled. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.

Rationale. Executable email attachments are a primary malware delivery vector.

Remediation. Enable ASR rule be9ba2d9-53ea-4cdc-84e5-9b1eeee46550 in block mode (1).

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction-rules-reference

WIN-ASR-004 - ASR: Block Obfuscated Scripts

Severity: Medium   Category: Attack Surface Reduction   Provider: Registry   Delivery: Group Policy   Reboot: No   Tier: Enterprise

Block execution of potentially obfuscated scripts, a common malware evasion technique. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.

Rationale. Obfuscated scripts hide malicious behaviour from analysis and detection.

Remediation. Enable ASR rule 5beb7efe-fd9a-4556-801d-275e5ffc04cc in block mode (1).

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction-rules-reference

WIN-ASR-005 - ASR: Block Untrusted Processes from USB

Severity: Medium   Category: Attack Surface Reduction   Provider: Registry   Delivery: Group Policy   Reboot: No   Tier: Enterprise

Block untrusted and unsigned executables from running from USB removable media. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.

Rationale. Removable media is a common malware ingress vector.

Remediation. Enable ASR rule b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 in block mode (1).

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction-rules-reference

WIN-ASR-006 - ASR: Block Process Creation from PSExec and WMI

Severity: Medium   Category: Attack Surface Reduction   Provider: Registry   Delivery: Group Policy   Reboot: No   Tier: Enterprise

Block processes created via PsExec and WMI commands, commonly used for lateral movement. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.

Rationale. PsExec/WMI process creation enables remote code execution and lateral movement.

Remediation. Enable ASR rule d1e49aac-8f56-4280-b9ba-993a6d77406c in block mode (1).

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction-rules-reference

WIN-ASR-007 - ASR: Advanced Protection Against Ransomware

Severity: High   Category: Attack Surface Reduction   Provider: Registry   Delivery: Group Policy   Reboot: No   Tier: Enterprise

Enable advanced heuristic and cloud protection against ransomware. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.

Rationale. Ransomware can rapidly encrypt data across the host and network.

Remediation. Enable ASR rule c1db55ab-c21a-4637-bb3f-a12568109d35 in block mode (1).

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction-rules-reference

WIN-ASR-008 - ASR: Block Office Apps Injecting Code into Other Processes

Severity: Medium   Category: Attack Surface Reduction   Provider: Registry   Delivery: Group Policy   Reboot: No   Tier: Enterprise

Block Office applications from injecting code into other processes. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.

Rationale. Code injection from Office lets malware masquerade as trusted processes.

Remediation. Enable ASR rule 75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84 in block mode (1).

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction-rules-reference

WIN-ASR-009 - ASR: Block Office Apps Creating Executable Content

Severity: Medium   Category: Attack Surface Reduction   Provider: Registry   Delivery: Group Policy   Reboot: No   Tier: Enterprise

Block Office applications from writing executable content to disk. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.

Rationale. Office-dropped executables are used for persistence and payload delivery.

Remediation. Enable ASR rule 3b576869-a4ec-4529-8536-b80a7769e899 in block mode (1).

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction-rules-reference

WIN-ASR-010 - ASR: Block Persistence Through WMI Event Subscription

Severity: Medium   Category: Attack Surface Reduction   Provider: Registry   Delivery: Group Policy   Reboot: No   Tier: Enterprise

Block malware from establishing persistence via WMI event subscription. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.

Rationale. WMI event subscriptions are a stealthy, fileless persistence mechanism.

Remediation. Enable ASR rule e6db77e5-3df2-4cf1-b95a-636979351e5b in block mode (1).

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction-rules-reference

WIN-ASR-011 - ASR: Block Win32 API Calls from Office Macros

Severity: Medium   Category: Attack Surface Reduction   Provider: Registry   Delivery: Group Policy   Reboot: No   Tier: Enterprise

Block Office macros from calling Win32 APIs. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.

Rationale. Macro Win32 API calls are used to download and execute malware.

Remediation. Enable ASR rule 92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b in block mode (1).

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction-rules-reference

WIN-ASR-012 - ASR: Block Untrusted Executables by Prevalence, Age, or Trust

Severity: Medium   Category: Attack Surface Reduction   Provider: Registry   Delivery: Group Policy   Reboot: No   Tier: Enterprise

Block executable files from running unless they meet a prevalence, age, or trusted-list criterion. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.

Rationale. Newly seen, low-prevalence executables are frequently malware.

Remediation. Enable ASR rule 01443614-cd74-433a-b99e-2ecdc07bfc25 in block mode (1).

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction-rules-reference

WIN-ASR-013 - ASR: Block Adobe Reader from Creating Child Processes

Severity: Medium   Category: Attack Surface Reduction   Provider: Registry   Delivery: Group Policy   Reboot: No   Tier: Enterprise

Block Adobe Reader from spawning child processes. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.

Rationale. Malicious PDFs abuse Adobe Reader to launch payloads.

Remediation. Enable ASR rule 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c in block mode (1).

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction-rules-reference

WIN-ASR-014 - ASR: Block Webshell Creation for Servers

Severity: High   Category: Attack Surface Reduction   Provider: Registry   Delivery: Group Policy   Reboot: No   Tier: Enterprise

Block the creation of web shells on server roles (e.g. Exchange, IIS). Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.

Rationale. Web shells give attackers persistent remote command execution on internet-facing servers.

Remediation. Enable ASR rule a8f5898e-1dc8-49a9-9878-85004b8a61e6 in block mode (1).

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction-rules-reference

WIN-ASR-015 - ASR: Block Rebooting Machine in Safe Mode

Severity: Medium   Category: Attack Surface Reduction   Provider: Registry   Delivery: Group Policy   Reboot: No   Tier: Enterprise

Block attempts to reboot the machine into Safe Mode to bypass security tooling. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.

Rationale. Attackers reboot to Safe Mode to disable endpoint protection that does not load there.

Remediation. Enable ASR rule 33ddedf1-c6e0-47cb-833e-de6133960387 in block mode (1).

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction-rules-reference

WIN-AUD-001 - Audit Logon Failures

Severity: Medium   Category: Logging and Monitoring   Provider: AuditPol   Delivery: Direct   Reboot: No   Tier: Standard

The advanced audit policy must log failed logon events (subcategory 'Logon') to support detection of unauthorized access attempts.

Rationale. Failed authentication attempts go unrecorded, hindering intrusion detection.

Remediation. Enable failure auditing for the Logon subcategory (auditpol /set /subcategory:Logon /failure:enable).

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 SOC 2 ISO/IEC 27001 HIPAA Security Rule Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2

References: - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-logon

WIN-AUD-002 - Audit Account Lockout Events

Severity: Medium   Category: Logging and Monitoring   Provider: AuditPol   Delivery: Direct   Reboot: No   Tier: Standard

The advanced audit policy must log account lockout events (subcategory 'Account Lockout') to support detection of brute-force activity.

Rationale. Account lockouts from attacks go unrecorded.

Remediation. Enable failure auditing for the Account Lockout subcategory via auditpol (subcategory Account Lockout, failure enable).

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 SOC 2 ISO/IEC 27001 HIPAA Security Rule Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2

References: - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-account-lockout

WIN-AUD-003 - Audit Process Creation

Severity: Medium   Category: Logging and Monitoring   Provider: AuditPol   Delivery: Direct   Reboot: No   Tier: Enterprise

Process creation events must be audited to support detection and forensic investigation.

Rationale. Without process auditing, malicious execution is hard to detect or investigate.

Remediation. Enable success auditing for the Process Creation subcategory (Detailed Tracking).

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 SOC 2 ISO/IEC 27001 Microsoft Security Baselines NIS2

References: - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-process-creation

WIN-AUD-004 - Audit Credential Validation

Severity: Medium   Category: Logging and Monitoring   Provider: AuditPol   Delivery: Direct   Reboot: No   Tier: Standard

Credential validation events must be audited to detect authentication attacks.

Rationale. Unaudited credential validation hides brute-force and password-spray activity.

Remediation. Enable success and failure auditing for the Credential Validation subcategory.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 SOC 2 ISO/IEC 27001 Microsoft Security Baselines NIS2

References: - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-credential-validation

WIN-AUD-005 - Audit Security Group Management

Severity: Medium   Category: Logging and Monitoring   Provider: AuditPol   Delivery: Direct   Reboot: No   Tier: Standard

Changes to security groups must be audited to detect privilege escalation via group membership.

Rationale. Unaudited group changes hide privilege escalation and persistence.

Remediation. Enable success auditing for the Security Group Management subcategory (Account Management).

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 SOC 2 ISO/IEC 27001 Microsoft Security Baselines NIS2

References: - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-security-group-management

WIN-AUD-006 - Audit Special Logon

Severity: Medium   Category: Logging and Monitoring   Provider: AuditPol   Delivery: Direct   Reboot: No   Tier: Standard

Special logon events (privileged logons) must be audited.

Rationale. Unaudited privileged logons hide administrative and attacker activity.

Remediation. Enable success auditing for the Special Logon subcategory.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 SOC 2 ISO/IEC 27001 Microsoft Security Baselines NIS2

References: - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-special-logon

WIN-AUD-007 - Audit Sensitive Privilege Use

Severity: Medium   Category: Logging and Monitoring   Provider: AuditPol   Delivery: Direct   Reboot: No   Tier: Enterprise

Use of sensitive privileges must be audited to detect privilege abuse.

Rationale. Unaudited sensitive privilege use hides privilege-escalation and abuse.

Remediation. Enable success and failure auditing for the Sensitive Privilege Use subcategory.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 SOC 2 ISO/IEC 27001 Microsoft Security Baselines NIS2

References: - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-sensitive-privilege-use

WIN-AUD-008 - Audit System Integrity

Severity: Medium   Category: Logging and Monitoring   Provider: AuditPol   Delivery: Direct   Reboot: No   Tier: Standard

System integrity events (audit subsystem failures, driver issues) must be audited.

Rationale. Unaudited integrity events hide tampering with the audit subsystem.

Remediation. Enable success and failure auditing for the System Integrity subcategory.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 SOC 2 ISO/IEC 27001 Microsoft Security Baselines NIS2

References: - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-system-integrity

WIN-AUD-009 - Audit Logoff

Severity: Medium   Category: Logging and Monitoring   Provider: AuditPol   Delivery: Direct   Reboot: No   Tier: Standard

Logoff events must be audited to correlate session activity.

Rationale. Unaudited logoffs leave gaps in the session timeline.

Remediation. Enable success auditing for the Logoff subcategory.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 SOC 2 ISO/IEC 27001 Microsoft Security Baselines NIS2

References: - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-logoff

WIN-AUD-010 - Audit Removable Storage

Severity: Medium   Category: Logging and Monitoring   Provider: AuditPol   Delivery: Direct   Reboot: No   Tier: Standard

Access to removable storage must be audited to detect data exfiltration.

Rationale. Unaudited removable-storage use hides data theft.

Remediation. Enable success and failure auditing for the Removable Storage subcategory.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 SOC 2 ISO/IEC 27001 Microsoft Security Baselines NIS2

References: - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-removable-storage

WIN-AUD-011 - Audit Authentication Policy Change

Severity: Medium   Category: Logging and Monitoring   Provider: AuditPol   Delivery: Direct   Reboot: No   Tier: Standard

Changes to authentication policy must be audited.

Rationale. Unaudited authentication-policy changes hide tampering with security controls.

Remediation. Enable success auditing for the Authentication Policy Change subcategory.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 SOC 2 ISO/IEC 27001 Microsoft Security Baselines NIS2

References: - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-authentication-policy-change

WIN-AUD-012 - Audit User Account Management

Severity: Medium   Category: Logging and Monitoring   Provider: AuditPol   Delivery: Direct   Reboot: No   Tier: Standard

Changes to user accounts (create, delete, enable, password reset) must be audited.

Rationale. Unaudited account changes hide account creation and privilege abuse.

Remediation. Enable success and failure auditing for the User Account Management subcategory.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 SOC 2 ISO/IEC 27001 Microsoft Security Baselines NIS2

References: - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-user-account-management

WIN-AUD-013 - Audit Computer Account Management

Severity: Medium   Category: Logging and Monitoring   Provider: AuditPol   Delivery: Direct   Reboot: No   Tier: Standard

Changes to computer accounts must be audited.

Rationale. Unaudited computer-account changes hide rogue machine joins and tampering.

Remediation. Enable success auditing for the Computer Account Management subcategory.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 SOC 2 ISO/IEC 27001 Microsoft Security Baselines NIS2

References: - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-computer-account-management

WIN-AUD-014 - Audit Audit Policy Change

Severity: Medium   Category: Logging and Monitoring   Provider: AuditPol   Delivery: Direct   Reboot: No   Tier: Standard

Changes to the audit policy itself must be audited.

Rationale. Unaudited audit-policy changes let an attacker disable logging undetected.

Remediation. Enable success and failure auditing for the Audit Policy Change subcategory.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 SOC 2 ISO/IEC 27001 Microsoft Security Baselines NIS2

References: - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-audit-policy-change

WIN-AUD-015 - Audit Other Logon/Logoff Events

Severity: Medium   Category: Logging and Monitoring   Provider: AuditPol   Delivery: Direct   Reboot: No   Tier: Standard

Other logon/logoff events (RDP reconnects, workstation lock/unlock) must be audited.

Rationale. These events reveal remote-session and screen-lock activity useful for detection.

Remediation. Enable success and failure auditing for the Other Logon/Logoff Events subcategory.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 SOC 2 ISO/IEC 27001 Microsoft Security Baselines NIS2

References: - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-other-logonlogoff-events

WIN-AUD-016 - Audit MPSSVC Rule-Level Policy Change

Severity: Medium   Category: Logging and Monitoring   Provider: AuditPol   Delivery: Direct   Reboot: No   Tier: Standard

Changes to Windows Firewall rules must be audited.

Rationale. Unaudited firewall-rule changes hide attempts to open the host to attack.

Remediation. Enable success and failure auditing for the MPSSVC Rule-Level Policy Change subcategory.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 SOC 2 ISO/IEC 27001 Microsoft Security Baselines NIS2

References: - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-mpssvc-rule-level-policy-change

WIN-AUD-017 - Audit PNP Activity

Severity: Medium   Category: Logging and Monitoring   Provider: AuditPol   Delivery: Direct   Reboot: No   Tier: Standard

Audit when Plug and Play detects an external device (e.g. USB).

Rationale. Unaudited device attachment hides data-exfiltration and rogue-hardware events.

Remediation. Enable success auditing for the Plug and Play Events subcategory.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 SOC 2 ISO/IEC 27001 Microsoft Security Baselines NIS2

References: - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-pnp-activity

WIN-AUD-018 - Audit Group Membership

Severity: Medium   Category: Logging and Monitoring   Provider: AuditPol   Delivery: Direct   Reboot: No   Tier: Standard

Record the group memberships in each logon token.

Rationale. Without group-membership auditing it is harder to detect privileged-group logons.

Remediation. Enable success auditing for the Group Membership subcategory.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 SOC 2 ISO/IEC 27001 Microsoft Security Baselines NIS2

References: - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-group-membership

WIN-AUD-019 - Audit Other Object Access Events

Severity: Medium   Category: Logging and Monitoring   Provider: AuditPol   Delivery: Direct   Reboot: No   Tier: Standard

Audit scheduled-task and COM+ object operations.

Rationale. Scheduled tasks and COM+ objects are common persistence mechanisms.

Remediation. Enable success and failure auditing for the Other Object Access Events subcategory.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 SOC 2 ISO/IEC 27001 Microsoft Security Baselines NIS2

References: - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-other-object-access-events

WIN-AUD-020 - Audit Detailed File Share

Severity: Medium   Category: Logging and Monitoring   Provider: AuditPol   Delivery: Direct   Reboot: No   Tier: Standard

Audit failed attempts to access files and folders on shared folders.

Rationale. Failed share-access attempts can indicate reconnaissance or unauthorized access.

Remediation. Enable failure auditing for the Detailed File Share subcategory.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 SOC 2 ISO/IEC 27001 Microsoft Security Baselines NIS2

References: - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-detailed-file-share

WIN-AUD-021 - Force Audit Policy Subcategory Settings

Severity: Medium   Category: Logging and Monitoring   Provider: Registry   Delivery: Direct   Reboot: No   Tier: Standard

Force advanced audit subcategory settings to override legacy category-level audit policy.

Rationale. Without this, granular advanced audit policy may not take effect.

Remediation. Set Lsa SCENoApplyLegacyAuditPolicy to 1.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 SOC 2 ISO/IEC 27001 Microsoft Security Baselines NIS2

References: - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/audit-force-audit-policy-subcategory-settings-to-override

WIN-AUD-022 - Audit Other Account Management Events

Severity: Medium   Category: Logging and Monitoring   Provider: AuditPol   Delivery: Direct   Reboot: No   Tier: Standard

Audit account-management events not covered by the other account-management subcategories.

Rationale. Some account-management actions would otherwise go unrecorded.

Remediation. Enable success and failure auditing for the Other Account Management Events subcategory.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 SOC 2 ISO/IEC 27001 Microsoft Security Baselines NIS2

References: - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-other-account-management-events

WIN-AUD-023 - Audit File Share

Severity: Medium   Category: Logging and Monitoring   Provider: AuditPol   Delivery: Direct   Reboot: No   Tier: Standard

Audit creation, deletion, modification, and access of network shares.

Rationale. Share tampering and unauthorized share access would go undetected.

Remediation. Enable success and failure auditing for the File Share subcategory.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 SOC 2 ISO/IEC 27001 Microsoft Security Baselines NIS2

References: - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-file-share

WIN-AUD-024 - Audit Authorization Policy Change

Severity: Medium   Category: Logging and Monitoring   Provider: AuditPol   Delivery: Direct   Reboot: No   Tier: Standard

Audit changes to authorization policy, including user-rights assignment changes.

Rationale. Unaudited authorization-policy changes hide privilege tampering.

Remediation. Enable success auditing for the Authorization Policy Change subcategory.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 SOC 2 ISO/IEC 27001 Microsoft Security Baselines NIS2

References: - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-authorization-policy-change

WIN-AUD-025 - Audit Other Policy Change Events

Severity: Low   Category: Logging and Monitoring   Provider: AuditPol   Delivery: Direct   Reboot: No   Tier: Standard

Audit failures applying security policy and cryptographic (CNG) operations.

Rationale. Failed policy application and crypto errors would go unrecorded.

Remediation. Enable failure auditing for the Other Policy Change Events subcategory.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 SOC 2 ISO/IEC 27001 Microsoft Security Baselines NIS2

References: - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-other-policy-change-events

WIN-AUD-026 - Audit IPsec Driver

Severity: Medium   Category: Logging and Monitoring   Provider: AuditPol   Delivery: Direct   Reboot: No   Tier: Standard

Audit IPsec driver activities such as dropped packets and integrity failures.

Rationale. IPsec failures and attacks against IPsec would go undetected.

Remediation. Enable success and failure auditing for the IPsec Driver subcategory.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 SOC 2 ISO/IEC 27001 Microsoft Security Baselines NIS2

References: - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-ipsec-driver

WIN-AUD-027 - Audit Other System Events

Severity: Low   Category: Logging and Monitoring   Provider: AuditPol   Delivery: Direct   Reboot: No   Tier: Standard

Audit other system events such as Windows Firewall service state and start/stop.

Rationale. Firewall service state changes would otherwise go unrecorded.

Remediation. Enable success and failure auditing for the Other System Events subcategory.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 SOC 2 ISO/IEC 27001 Microsoft Security Baselines NIS2

References: - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-other-system-events

WIN-AUD-028 - Audit Security State Change

Severity: Medium   Category: Logging and Monitoring   Provider: AuditPol   Delivery: Direct   Reboot: No   Tier: Standard

Audit changes in the security state of the system, such as startup and shutdown.

Rationale. System start/stop and time changes would go unrecorded.

Remediation. Enable success auditing for the Security State Change subcategory.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 SOC 2 ISO/IEC 27001 Microsoft Security Baselines NIS2

References: - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-security-state-change

WIN-AUD-029 - Audit Security System Extension

Severity: Medium   Category: Logging and Monitoring   Provider: AuditPol   Delivery: Direct   Reboot: No   Tier: Standard

Audit the loading of authentication/security packages and service installations.

Rationale. Malicious security packages and service installs are critical events to detect.

Remediation. Enable success auditing for the Security System Extension subcategory.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 SOC 2 ISO/IEC 27001 Microsoft Security Baselines NIS2

References: - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-security-system-extension

WIN-AUD-030 - Include Command Line in Process Creation Events

Severity: Medium   Category: Logging and Monitoring   Provider: Registry   Delivery: Group Policy   Reboot: No   Tier: Standard

Record the full command line in process-creation (4688) events. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.

Rationale. Without command lines, process auditing misses the arguments that reveal malicious intent.

Remediation. Set Policies System Audit ProcessCreationIncludeCmdLine_Enabled to 1.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 SOC 2 ISO/IEC 27001 Microsoft Security Baselines NIS2

References: - https://learn.microsoft.com/en-us/windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines

WIN-AUTORUN-001 - Disable AutoRun on All Drives

Severity: Medium   Category: Attack Surface Reduction   Provider: Registry   Delivery: Group Policy   Reboot: No   Tier: Standard

AutoRun/AutoPlay must be disabled on all drive types to prevent automatic execution from removable media. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.

Rationale. AutoRun can automatically execute malware from removable or network media.

Remediation. Set Policies Explorer NoDriveTypeAutoRun to 255 to disable AutoRun on all drives.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines

WIN-AUTORUN-002 - Disallow Autoplay for Non-Volume Devices

Severity: Medium   Category: Attack Surface Reduction   Provider: Registry   Delivery: Group Policy   Reboot: No   Tier: Standard

Disable AutoPlay for non-volume devices such as MTP cameras and phones. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.

Rationale. AutoPlay on such devices can auto-launch malicious content.

Remediation. Set Explorer NoAutoplayfornonVolume to 1.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines

WIN-AUTORUN-003 - Set Default AutoRun Behavior to Do Not Execute

Severity: Medium   Category: Attack Surface Reduction   Provider: Registry   Delivery: Group Policy   Reboot: No   Tier: Standard

Set the default AutoRun behavior to never execute autorun commands. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.

Rationale. AutoRun command execution is a classic removable-media infection vector.

Remediation. Set Explorer NoAutorun to 1.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines

WIN-CG-001 - Enable Credential Guard

Severity: High   Category: Credential Protection   Provider: Registry   Delivery: Direct   Reboot: Yes   Tier: Enterprise

Enable Credential Guard (with UEFI lock) to isolate and protect NTLM hashes and Kerberos tickets in VBS.

Rationale. Without Credential Guard, tools like Mimikatz can extract domain credentials from LSASS.

Remediation. Set Control Lsa LsaCfgFlags to 1 (Credential Guard with UEFI lock). Requires VBS and a reboot.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark CMMC Level 2 HIPAA Security Rule Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/windows/security/identity-protection/credential-guard/configure

WIN-CLOUD-001 - Turn Off Microsoft Consumer Experiences

Severity: Low   Category: Attack Surface Reduction   Provider: Registry   Delivery: Group Policy   Reboot: No   Tier: Standard

Disable Microsoft consumer experiences (app suggestions, consumer content). Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.

Rationale. Consumer content downloads and installs unwanted software over the internet.

Remediation. Set CloudContent DisableWindowsConsumerFeatures to 1.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines

WIN-CREDDEL-001 - Encryption Oracle Remediation (Force Updated Clients)

Severity: High   Category: Credential Protection   Provider: Registry   Delivery: Group Policy   Reboot: No   Tier: Standard

Require patched CredSSP on both ends of RDP to block the CVE-2018-0886 encryption-oracle attack. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.

Rationale. Unpatched CredSSP allows remote code execution against RDP sessions.

Remediation. Set Policies System CredSSP Parameters AllowEncryptionOracle to 0 (Force Updated Clients).

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines

WIN-CREDDEL-002 - Remote Host Allows Delegation of Non-Exportable Credentials

Severity: Medium   Category: Credential Protection   Provider: Registry   Delivery: Group Policy   Reboot: No   Tier: Standard

Allow only non-exportable (Remote Credential Guard) credential delegation to remote hosts. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.

Rationale. Exportable delegated credentials can be stolen from a compromised remote host.

Remediation. Set CredentialsDelegation AllowProtectedCreds to 1.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines

WIN-CREDUI-001 - Do Not Display the Password Reveal Button

Severity: Low   Category: Credential Protection   Provider: Registry   Delivery: Group Policy   Reboot: No   Tier: Standard

Hide the password-reveal (eye) button in credential dialogs. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.

Rationale. The reveal button can expose a typed password to a shoulder-surfer.

Remediation. Set CredUI DisablePasswordReveal to 1.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines

WIN-CREDUI-002 - Do Not Enumerate Administrator Accounts on Elevation

Severity: Medium   Category: Credential Protection   Provider: Registry   Delivery: Group Policy   Reboot: No   Tier: Standard

Do not list administrator accounts when a UAC elevation prompt appears. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.

Rationale. Enumerating admins on elevation discloses privileged account names.

Remediation. Set CredUI EnumerateAdministrators to 0.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines

WIN-CREDUI-003 - Prevent Use of Security Questions for Local Accounts

Severity: Low   Category: Credential Protection   Provider: Registry   Delivery: Group Policy   Reboot: No   Tier: Standard

Disable security questions as a local-account password reset method. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.

Rationale. Security questions are weak, guessable recovery credentials.

Remediation. Set System NoLocalPasswordResetQuestions to 1.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines

WIN-DEF-001 - Microsoft Defender Antivirus Enabled

Severity: High   Category: Endpoint Protection   Provider: Defender   Delivery: Direct   Reboot: No   Tier: Essential

Microsoft Defender Antivirus must be enabled and providing real-time protection.

Rationale. Absence of endpoint antivirus protection allows malware execution.

Remediation. Ensure Microsoft Defender Antivirus is enabled with real-time protection. Managed by platform/AV policy; enable via Windows Security or Group Policy (not auto-applied by CloudInfra Secure).

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 FedRAMP CMMC Level 2 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/defender-endpoint/microsoft-defender-antivirus-windows

WIN-DEF-002 - Enable Potentially Unwanted Application (PUA) Protection

Severity: High   Category: Endpoint Protection   Provider: Registry   Delivery: Group Policy   Reboot: No   Tier: Essential

Microsoft Defender must block potentially unwanted applications (PUA) such as adware and bundled software. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.

Rationale. PUAs degrade performance and can be a foothold for further compromise.

Remediation. Set Windows Defender PUAProtection policy value to 1 (block).

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/defender-endpoint/microsoft-defender-antivirus-windows

WIN-DEF-003 - Enable Defender Real-Time Protection

Severity: High   Category: Endpoint Protection   Provider: Registry   Delivery: Group Policy   Reboot: No   Tier: Essential

Microsoft Defender real-time protection must not be disabled by policy. Group Policy setting: this control checks the corresponding Group Policy registry value; a domain Group Policy applied after hardening can override the local configuration.

Rationale. Disabling real-time protection removes continuous malware scanning.

Remediation. Ensure Real-Time Protection DisableRealtimeMonitoring is 0 (or absent).

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/defender-endpoint/microsoft-defender-antivirus-windows

WIN-DEF-004 - Enable Cloud-Delivered Protection

Severity: Medium   Category: Endpoint Protection   Provider: Registry   Delivery: Group Policy   Reboot: No   Tier: Standard

Microsoft Defender cloud-delivered protection (MAPS) must be enabled for faster protection against new threats. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.

Rationale. Without cloud protection, response to emerging threats is slower.

Remediation. Set Windows Defender Spynet SpynetReporting to 2 (Advanced MAPS).

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/defender-endpoint/microsoft-defender-antivirus-windows

WIN-DEF-005 - Enable Network Protection

Severity: Medium   Category: Endpoint Protection   Provider: Registry   Delivery: Group Policy   Reboot: No   Tier: Enterprise

Enable Defender network protection to block connections to dangerous domains and IP addresses. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.

Rationale. Without network protection, users and processes can reach phishing and exploit domains.

Remediation. Set Exploit Guard Network Protection EnableNetworkProtection to 1 (block mode). On Windows Server, AllowNetworkProtectionOnWinServer must also be enabled.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/defender-endpoint/enable-network-protection

WIN-DEF-006 - Enable Controlled Folder Access

Severity: Medium   Category: Endpoint Protection   Provider: Registry   Delivery: Group Policy   Reboot: No   Tier: Enterprise

Enable controlled folder access to protect key folders from unauthorized changes by untrusted apps (ransomware). Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.

Rationale. Ransomware can encrypt files in unprotected folders.

Remediation. Set Exploit Guard Controlled Folder Access EnableControlledFolderAccess to 1 (block mode).

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/defender-endpoint/controlled-folder-access-configure

WIN-DEF-007 - Scan Removable Drives During Full Scan

Severity: Low   Category: Endpoint Protection   Provider: Registry   Delivery: Group Policy   Reboot: No   Tier: Standard

Scan removable drives (such as USB) during a full antivirus scan. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.

Rationale. Malware on removable media can go undetected if such drives are skipped.

Remediation. Set Windows Defender Scan DisableRemovableDriveScanning to 0.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/defender-endpoint/microsoft-defender-antivirus-windows

WIN-DEF-008 - Enable Block at First Sight

Severity: Medium   Category: Endpoint Protection   Provider: Registry   Delivery: Group Policy   Reboot: No   Tier: Standard

Enable Defender block-at-first-sight rapid cloud verdicts for newly seen files. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.

Rationale. Novel malware may execute before traditional signatures are available.

Remediation. Set Windows Defender Spynet DisableBlockAtFirstSeen to 0 (requires cloud-delivered protection).

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/defender-endpoint/microsoft-defender-antivirus-windows

WIN-DEF-009 - Enable Defender Behavior Monitoring

Severity: High   Category: Endpoint Protection   Provider: Registry   Delivery: Group Policy   Reboot: No   Tier: Standard

Enable Defender behavior monitoring to detect malicious activity by behaviour, not just signatures. Group Policy setting: this control checks the corresponding Group Policy registry value; a domain Group Policy applied after hardening can override the local configuration.

Rationale. Disabling behaviour monitoring removes detection of fileless and living-off-the-land attacks.

Remediation. Set Windows Defender Real-Time Protection DisableBehaviorMonitoring to 0.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/defender-endpoint/microsoft-defender-antivirus-windows

WIN-DEF-010 - Enable Email Scanning

Severity: Medium   Category: Endpoint Protection   Provider: Registry   Delivery: Group Policy   Reboot: No   Tier: Standard

Scan email bodies and attachments for malware. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.

Rationale. Malware delivered by email can go undetected if email scanning is off.

Remediation. Set Windows Defender Scan DisableEmailScanning to 0.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/defender-endpoint/microsoft-defender-antivirus-windows

WIN-DEF-011 - Enable Archive Scanning

Severity: Medium   Category: Endpoint Protection   Provider: Registry   Delivery: Group Policy   Reboot: No   Tier: Standard

Scan inside archive files (such as .zip and .rar) for malware. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.

Rationale. Malware hidden in archives evades scanning if archive scanning is off.

Remediation. Set Windows Defender Scan DisableArchiveScanning to 0.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/defender-endpoint/microsoft-defender-antivirus-windows

WIN-DEF-012 - Scan Mapped Network Drives During Full Scan

Severity: Low   Category: Endpoint Protection   Provider: Registry   Delivery: Group Policy   Reboot: No   Tier: Standard

Include mapped network drives when running a full antivirus scan. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.

Rationale. Malware staged on mapped drives can be missed by full scans.

Remediation. Set Windows Defender Scan DisableScanningMappedNetworkDrivesForFullScan to 0.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/defender-endpoint/microsoft-defender-antivirus-windows

WIN-DEF-013 - Scan Downloaded Files and Attachments

Severity: High   Category: Endpoint Protection   Provider: Registry   Delivery: Group Policy   Reboot: No   Tier: Standard

Scan downloaded files and attachments in real time (IOAV protection). Group Policy setting: this control checks the corresponding Group Policy registry value; a domain Group Policy applied after hardening can override the local configuration.

Rationale. Disabling IOAV protection lets downloaded malware execute unscanned.

Remediation. Set Windows Defender Real-Time Protection DisableIOAVProtection to 0.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/defender-endpoint/microsoft-defender-antivirus-windows

WIN-DEF-014 - Disable Local Admin Merge of Defender Preferences

Severity: Medium   Category: Endpoint Protection   Provider: Registry   Delivery: Group Policy   Reboot: No   Tier: Standard

Prevent local administrators from merging their own Defender exclusions and preferences with policy. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.

Rationale. Local admin merge lets an attacker with local admin hide exclusions from central policy.

Remediation. Set Windows Defender DisableLocalAdminMerge to 1.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/defender-endpoint/microsoft-defender-antivirus-windows

WIN-DEF-015 - Enable Real-Time Script Scanning

Severity: Medium   Category: Endpoint Protection   Provider: Registry   Delivery: Group Policy   Reboot: No   Tier: Standard

Scan scripts as they run (real-time script scanning). Group Policy setting: this control checks the corresponding Group Policy registry value; a domain Group Policy applied after hardening can override the local configuration.

Rationale. Malicious scripts execute unscanned when script scanning is disabled.

Remediation. Set Windows Defender Real-Time Protection DisableScriptScanning to 0.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/defender-endpoint/microsoft-defender-antivirus-windows

WIN-DEF-016 - Enable Defender File Hash Computation

Severity: Low   Category: Endpoint Protection   Provider: Registry   Delivery: Group Policy   Reboot: No   Tier: Standard

Compute file hashes for all executed files so indicators can be matched. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.

Rationale. Without hash computation, hash-based threat indicators cannot match.

Remediation. Set Windows Defender MpEngine EnableFileHashComputation to 1.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines

WIN-DEF-017 - Notify Antivirus When Opening Attachments (Default Profile)

Severity: Medium   Category: Endpoint Protection   Provider: Registry   Delivery: Group Policy   Reboot: No   Tier: Standard

Have antivirus scan file attachments when they are opened, for the default profile. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.

Rationale. Unscanned attachments are a primary malware delivery vector.

Remediation. Set default-profile Policies Attachments ScanWithAntiVirus to 3.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines

WIN-ELAM-001 - Boot-Start Driver Initialization Policy

Severity: Medium   Category: Endpoint Protection   Provider: Registry   Delivery: Group Policy   Reboot: No   Tier: Standard

Let Early Launch Antimalware evaluate boot-start drivers (Good, Unknown, and Bad but Critical). Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.

Rationale. Unvetted boot-start drivers can load rootkits before antimalware starts.

Remediation. Set EarlyLaunch DriverLoadPolicy to 3.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines

WIN-EVTLOG-001 - Application Event Log Maximum Size (>= 32 MB)

Severity: Medium   Category: Logging and Monitoring   Provider: Registry   Delivery: Group Policy   Reboot: No   Tier: Standard

The Application event log must be at least 32,768 KB so events are retained long enough to investigate. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.

Rationale. A small log wraps quickly and loses evidence of an incident.

Remediation. Set EventLog Application MaxSize to at least 32768 (KB).

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 SOC 2 ISO/IEC 27001 Microsoft Security Baselines NIS2

References: - https://learn.microsoft.com/en-us/windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines

WIN-EVTLOG-002 - Application Event Log Retention (Overwrite as Needed)

Severity: Low   Category: Logging and Monitoring   Provider: Registry   Delivery: Group Policy   Reboot: No   Tier: Standard

The Application event log must overwrite oldest events when full rather than halting logging. Group Policy setting: this control checks the corresponding Group Policy registry value; a domain Group Policy applied after hardening can override the local configuration.

Rationale. A non-overwriting full log can stop new events or the system.

Remediation. Set EventLog Application Retention to 0 (overwrite events as needed).

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 SOC 2 ISO/IEC 27001 Microsoft Security Baselines NIS2

References: - https://learn.microsoft.com/en-us/windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines

WIN-EVTLOG-003 - Security Event Log Maximum Size (>= 192 MB)

Severity: High   Category: Logging and Monitoring   Provider: Registry   Delivery: Group Policy   Reboot: No   Tier: Standard

The Security event log must be at least 196,608 KB given its high event volume. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.

Rationale. A small Security log wraps quickly and loses critical audit evidence.

Remediation. Set EventLog Security MaxSize to at least 196608 (KB).

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 SOC 2 ISO/IEC 27001 Microsoft Security Baselines NIS2

References: - https://learn.microsoft.com/en-us/windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines

WIN-EVTLOG-004 - Security Event Log Retention (Overwrite as Needed)

Severity: Low   Category: Logging and Monitoring   Provider: Registry   Delivery: Group Policy   Reboot: No   Tier: Standard

The Security event log must overwrite oldest events when full rather than halting logging. Group Policy setting: this control checks the corresponding Group Policy registry value; a domain Group Policy applied after hardening can override the local configuration.

Rationale. A non-overwriting full Security log can stop new events or the system.

Remediation. Set EventLog Security Retention to 0 (overwrite events as needed).

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 SOC 2 ISO/IEC 27001 Microsoft Security Baselines NIS2

References: - https://learn.microsoft.com/en-us/windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines

WIN-EVTLOG-005 - Setup Event Log Maximum Size (>= 32 MB)

Severity: Low   Category: Logging and Monitoring   Provider: Registry   Delivery: Group Policy   Reboot: No   Tier: Standard

The Setup event log must be at least 32,768 KB. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.

Rationale. A small Setup log loses servicing and setup history.

Remediation. Set EventLog Setup MaxSize to at least 32768 (KB).

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 SOC 2 ISO/IEC 27001 Microsoft Security Baselines NIS2

References: - https://learn.microsoft.com/en-us/windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines

WIN-EVTLOG-006 - Setup Event Log Retention (Overwrite as Needed)

Severity: Low   Category: Logging and Monitoring   Provider: Registry   Delivery: Group Policy   Reboot: No   Tier: Standard

The Setup event log must overwrite oldest events when full rather than halting logging. Group Policy setting: this control checks the corresponding Group Policy registry value; a domain Group Policy applied after hardening can override the local configuration.

Rationale. A non-overwriting full Setup log can stop new events.

Remediation. Set EventLog Setup Retention to 0 (overwrite events as needed).

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 SOC 2 ISO/IEC 27001 Microsoft Security Baselines NIS2

References: - https://learn.microsoft.com/en-us/windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines

WIN-EVTLOG-007 - System Event Log Maximum Size (>= 32 MB)

Severity: Medium   Category: Logging and Monitoring   Provider: Registry   Delivery: Group Policy   Reboot: No   Tier: Standard

The System event log must be at least 32,768 KB. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.

Rationale. A small System log wraps quickly and loses evidence.

Remediation. Set EventLog System MaxSize to at least 32768 (KB).

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 SOC 2 ISO/IEC 27001 Microsoft Security Baselines NIS2

References: - https://learn.microsoft.com/en-us/windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines

WIN-EVTLOG-008 - System Event Log Retention (Overwrite as Needed)

Severity: Low   Category: Logging and Monitoring   Provider: Registry   Delivery: Group Policy   Reboot: No   Tier: Standard

The System event log must overwrite oldest events when full rather than halting logging. Group Policy setting: this control checks the corresponding Group Policy registry value; a domain Group Policy applied after hardening can override the local configuration.

Rationale. A non-overwriting full System log can stop new events or the system.

Remediation. Set EventLog System Retention to 0 (overwrite events as needed).

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 SOC 2 ISO/IEC 27001 Microsoft Security Baselines NIS2

References: - https://learn.microsoft.com/en-us/windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines

WIN-EVTLOG-009 - Security Log Near-Capacity Warning Threshold

Severity: Low   Category: Logging and Monitoring   Provider: Registry   Delivery: Direct   Reboot: No   Tier: Standard

Raise an event when the Security log reaches 90% of capacity.

Rationale. Without a warning, the Security log can fill silently and lose events.

Remediation. Set Eventlog Security WarningLevel to 90 or fewer.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 SOC 2 ISO/IEC 27001 Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines

WIN-FW-001 - Windows Firewall Enabled (All Profiles)

Severity: High   Category: Host Firewall   Provider: Firewall   Delivery: Direct   Reboot: No   Tier: Essential

The Windows Defender Firewall must be enabled for the Domain, Private and Public profiles to enforce host-based network filtering.

Rationale. Unrestricted inbound network access if the host firewall is disabled.

Remediation. Enable Windows Defender Firewall on the Domain, Private and Public profiles (Set-NetFirewallProfile -Enabled True).

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 FedRAMP CMMC Level 2 PCI DSS v4.0 SOC 2 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/windows/security/operating-system-security/network-security/windows-firewall/

WIN-FW-002 - Block Inbound Connections by Default (Domain Profile)

Severity: Medium   Category: Host Firewall   Provider: Registry   Delivery: Group Policy   Reboot: No   Tier: Standard

The domain firewall profile must block inbound connections that do not match a rule. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.

Rationale. A permissive default inbound action exposes unlisted services to the network.

Remediation. Set WindowsFirewall DomainProfile DefaultInboundAction to 1 (Block).

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/windows/security/operating-system-security/network-security/windows-firewall/

WIN-FW-003 - Block Inbound Connections by Default (Private Profile)

Severity: Medium   Category: Host Firewall   Provider: Registry   Delivery: Group Policy   Reboot: No   Tier: Standard

The private firewall profile must block inbound connections that do not match a rule. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.

Rationale. A permissive default inbound action exposes unlisted services to the network.

Remediation. Set WindowsFirewall StandardProfile DefaultInboundAction to 1 (Block).

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/windows/security/operating-system-security/network-security/windows-firewall/

WIN-FW-004 - Block Inbound Connections by Default (Public Profile)

Severity: Medium   Category: Host Firewall   Provider: Registry   Delivery: Group Policy   Reboot: No   Tier: Standard

The public firewall profile must block inbound connections that do not match a rule. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.

Rationale. A permissive default inbound action exposes unlisted services on untrusted networks.

Remediation. Set WindowsFirewall PublicProfile DefaultInboundAction to 1 (Block).

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/windows/security/operating-system-security/network-security/windows-firewall/

WIN-FW-005 - Log Dropped Packets (Public Profile)

Severity: Low   Category: Host Firewall   Provider: Registry   Delivery: Group Policy   Reboot: No   Tier: Standard

The public firewall profile must log dropped packets for troubleshooting and detection. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.

Rationale. Without firewall logging, blocked-connection attempts leave no forensic trail.

Remediation. Set WindowsFirewall PublicProfile Logging LogDroppedPackets to 1.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/windows/security/operating-system-security/network-security/windows-firewall/

WIN-GPO-001 - Registry Policy Processing: Apply During Background Refresh

Severity: Low   Category: Access Control   Provider: Registry   Delivery: Group Policy   Reboot: No   Tier: Standard

Apply registry Group Policy during periodic background refresh. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.

Rationale. If background processing is off, security policy drift is not re-corrected.

Remediation. Set Group Policy {35378EAC-683F-11D2-A89A-00C04FBBCFA2} NoBackgroundPolicy to 0.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines

WIN-GPO-002 - Registry Policy Processing: Process Even If Unchanged

Severity: Low   Category: Access Control   Provider: Registry   Delivery: Group Policy   Reboot: No   Tier: Standard

Reapply registry Group Policy even when the GPOs have not changed. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.

Rationale. Local tampering with policy-set values persists until the GPO changes if this is off.

Remediation. Set Group Policy {35378EAC-683F-11D2-A89A-00C04FBBCFA2} NoGPOListChanges to 0.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines

WIN-GPO-003 - Disable Continue Experiences (Connected Devices Platform)

Severity: Low   Category: Attack Surface Reduction   Provider: Registry   Delivery: Group Policy   Reboot: No   Tier: Standard

Disable the Connected Devices Platform used for cross-device continue experiences. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.

Rationale. CDP opens network discovery and data-sharing not needed on servers.

Remediation. Set System EnableCdp to 0.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines

WIN-INET-001 - Turn Off Downloading of Print Drivers Over HTTP

Severity: Low   Category: Network Protocols   Provider: Registry   Delivery: Group Policy   Reboot: No   Tier: Standard

Prevent downloading printer drivers over HTTP. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.

Rationale. HTTP driver download can deliver untrusted driver code.

Remediation. Set Printers DisableWebPnPDownload to 1.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines

WIN-INET-002 - Turn Off Printing Over HTTP

Severity: Low   Category: Network Protocols   Provider: Registry   Delivery: Group Policy   Reboot: No   Tier: Standard

Prevent the client from printing over HTTP. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.

Rationale. HTTP printing exposes an unnecessary outbound channel.

Remediation. Set Printers DisableHTTPPrinting to 1.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines

WIN-INET-003 - Turn Off Windows Error Reporting

Severity: Low   Category: Attack Surface Reduction   Provider: Registry   Delivery: Group Policy   Reboot: No   Tier: Standard

Disable Windows Error Reporting so crash data is not sent externally. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.

Rationale. Error reports can leak sensitive memory contents off the host.

Remediation. Set Windows Error Reporting Disabled to 1.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines

WIN-INET-004 - Turn Off Windows Customer Experience Improvement Program

Severity: Low   Category: Attack Surface Reduction   Provider: Registry   Delivery: Group Policy   Reboot: No   Tier: Standard

Disable the Windows CEIP telemetry channel. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.

Rationale. CEIP sends usage telemetry that is unnecessary on hardened servers.

Remediation. Set SQMClient Windows CEIPEnable to 0.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines

WIN-INET-005 - Turn Off Internet Download for Web Publishing and Online Ordering

Severity: Low   Category: Attack Surface Reduction   Provider: Registry   Delivery: Group Policy   Reboot: No   Tier: Standard

Disable Web publishing and online ordering wizards that fetch content from the internet. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.

Rationale. These wizards create unnecessary outbound web interactions.

Remediation. Set Explorer NoWebServices to 1.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines

WIN-INET-006 - Turn Off Internet Connection Wizard If URL Connection

Severity: Low   Category: Attack Surface Reduction   Provider: Registry   Delivery: Group Policy   Reboot: No   Tier: Standard

Prevent the Internet Connection Wizard from contacting Microsoft. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.

Rationale. Unneeded internet connectivity checks widen the outbound surface.

Remediation. Set Internet Connection Wizard ExitOnMSICW to 1.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines

WIN-INET-007 - Turn Off Search Companion Content File Updates

Severity: Low   Category: Attack Surface Reduction   Provider: Registry   Delivery: Group Policy   Reboot: No   Tier: Standard

Prevent Search Companion from downloading content updates over the internet. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.

Rationale. Automatic content downloads are unnecessary outbound traffic.

Remediation. Set SearchCompanion DisableContentFileUpdates to 1.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines

WIN-INSTALL-001 - Disable Always Install Elevated

Severity: High   Category: Privilege Management   Provider: Registry   Delivery: Group Policy   Reboot: No   Tier: Standard

Windows Installer must not install packages with elevated privileges for standard users. Group Policy setting: this control checks the corresponding Group Policy registry value; a domain Group Policy applied after hardening can override the local configuration.

Rationale. AlwaysInstallElevated lets any user install software as SYSTEM - a privilege-escalation path.

Remediation. Ensure Installer AlwaysInstallElevated is 0 (or absent). Remove any policy enabling it.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark CMMC Level 2 HIPAA Security Rule Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines

WIN-INSTALL-002 - Disable User Control Over Windows Installer

Severity: Medium   Category: Privilege Management   Provider: Registry   Delivery: Group Policy   Reboot: No   Tier: Standard

Prevent users from changing installer options that are normally admin-only. Group Policy setting: this control checks the corresponding Group Policy registry value; a domain Group Policy applied after hardening can override the local configuration.

Rationale. User control over installs can be abused to elevate or bypass policy.

Remediation. Set Installer EnableUserControl to 0.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines

WIN-KRB-001 - Configure Kerberos Encryption Types (AES only)

Severity: Medium   Category: Authentication   Provider: Registry   Delivery: Group Policy   Reboot: No   Tier: Standard

Allow only AES (and future) encryption types for Kerberos, disabling weak DES and RC4. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.

Rationale. Weak Kerberos ciphers (DES, RC4) are susceptible to Kerberoasting and cracking.

Remediation. Set Kerberos Parameters SupportedEncryptionTypes to 2147483640 (AES128, AES256, future types).

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos

WIN-LDAP-001 - LDAP Client Signing

Severity: Medium   Category: Authentication   Provider: Registry   Delivery: Direct   Reboot: No   Tier: Standard

The LDAP client must negotiate signing to protect directory queries from tampering and relay.

Rationale. Unsigned LDAP traffic is vulnerable to man-in-the-middle and relay attacks.

Remediation. Set Services LDAP LDAPClientIntegrity to 1 (negotiate signing).

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/network-security-ldap-client-signing-requirements

WIN-LOCK-001 - Account Lockout Threshold

Severity: Medium   Category: Account Policy   Provider: SecEdit   Delivery: Direct   Reboot: No   Tier: Standard

The account lockout threshold must be set to a non-zero value of 5 or fewer invalid logon attempts to resist password guessing.

Rationale. Unlimited logon attempts enable brute-force password attacks.

Remediation. Set the account lockout threshold to a non-zero value of 5 or fewer invalid attempts (Account Policies, Account Lockout Policy).

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 CMMC Level 2 PCI DSS v4.0 ISO/IEC 27001 Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/account-lockout-threshold

WIN-LOCK-002 - Account Lockout Duration

Severity: Medium   Category: Account Policy   Provider: SecEdit   Delivery: Direct   Reboot: No   Tier: Standard

A locked account should remain locked long enough to slow automated password guessing.

Rationale. A short lockout duration lets attackers resume guessing quickly.

Remediation. Set the account lockout duration to 15 minutes or more.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/account-lockout-duration

WIN-LOCK-003 - Reset Account Lockout Counter

Severity: Medium   Category: Account Policy   Provider: SecEdit   Delivery: Direct   Reboot: No   Tier: Standard

The failed-logon counter should persist long enough to make lockout thresholds effective.

Rationale. A short reset window weakens the lockout threshold against slow guessing.

Remediation. Set the reset account lockout counter to 15 minutes or more.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/reset-account-lockout-counter-after

WIN-LOGON-001 - Machine Inactivity Limit

Severity: Medium   Category: Access Control   Provider: Registry   Delivery: Group Policy   Reboot: No   Tier: Standard

The machine must lock after a period of inactivity to protect unattended sessions. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.

Rationale. Unattended, unlocked sessions can be hijacked by anyone with physical or console access.

Remediation. Set Policies System InactivityTimeoutSecs to 900 (15 minutes) or fewer.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/interactive-logon-machine-inactivity-limit

WIN-LOGON-002 - Do Not Display Last Signed-In User

Severity: Low   Category: Access Control   Provider: Registry   Delivery: Group Policy   Reboot: No   Tier: Standard

The last signed-in username must not be displayed at the logon screen. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.

Rationale. Displaying the last user discloses a valid account name to attackers.

Remediation. Set Policies System DontDisplayLastUserName to 1.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/interactive-logon-do-not-display-last-user-name

WIN-LOGON-003 - Limit Number of Cached Logons

Severity: Medium   Category: Access Control   Provider: Registry   Delivery: Direct   Reboot: No   Tier: Standard

The number of cached domain logon credentials must be limited to reduce offline credential-theft exposure.

Rationale. Cached credentials can be extracted and cracked offline.

Remediation. Set Winlogon CachedLogonsCount to 4 or fewer.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available

WIN-LOGON-004 - Require Ctrl+Alt+Del at Logon

Severity: Low   Category: Access Control   Provider: Registry   Delivery: Group Policy   Reboot: No   Tier: Standard

Users must press Ctrl+Alt+Del before signing in to guarantee a trusted logon path. Group Policy setting: this control checks the corresponding Group Policy registry value; a domain Group Policy applied after hardening can override the local configuration.

Rationale. Without the secure attention sequence, credential-harvesting spoofed logon screens are possible.

Remediation. Set Policies System DisableCAD to 0 (require Ctrl+Alt+Del).

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/interactive-logon-do-not-require-ctrl-alt-del

WIN-LOGON-005 - Smart Card Removal Behavior (Lock Workstation)

Severity: Low   Category: Access Control   Provider: Registry   Delivery: Direct   Reboot: No   Tier: Enterprise

Lock the workstation when a logged-on user removes their smart card.

Rationale. An unlocked, unattended session after card removal is open to misuse.

Remediation. Set Winlogon ScRemoveOption to 1 (Lock Workstation).

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/interactive-logon-smart-card-removal-behavior

WIN-LOGON-006 - Disable Automatic Logon

Severity: Medium   Category: Access Control   Provider: Registry   Delivery: Direct   Reboot: No   Tier: Standard

Disable automatic logon, which stores a plaintext password in the registry.

Rationale. AutoAdminLogon stores credentials in cleartext and logs in without authentication.

Remediation. Set Winlogon AutoAdminLogon to 0.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines

WIN-LOGON-007 - Do Not Allow System to Be Shut Down Without Logging On

Severity: Low   Category: Access Control   Provider: Registry   Delivery: Group Policy   Reboot: No   Tier: Standard

Require authentication before the system can be shut down. Group Policy setting: this control checks the corresponding Group Policy registry value; a domain Group Policy applied after hardening can override the local configuration.

Rationale. Unauthenticated shutdown from the logon screen enables denial of service.

Remediation. Set Policies System ShutdownWithoutLogon to 0.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/shutdown-allow-system-to-be-shut-down-without-having-to-log-on

WIN-LOGON-008 - Require Domain Controller Authentication to Unlock Workstation

Severity: Medium   Category: Access Control   Provider: Registry   Delivery: Direct   Reboot: No   Tier: Enterprise

Require a domain controller to authenticate the account when unlocking a locked session.

Rationale. Cached-credential unlock ignores recent account disable/lockout changes.

Remediation. Set Winlogon ForceUnlockLogon to 1 (best paired with cached logons = 0).

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/interactive-logon-require-domain-controller-authentication-to-unlock-workstation

WIN-LOGON-009 - Do Not Enumerate Connected Users on Domain-Joined Computers

Severity: Medium   Category: Access Control   Provider: Registry   Delivery: Group Policy   Reboot: No   Tier: Standard

Do not show connected users on the sign-in screen of domain-joined servers. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.

Rationale. Enumerating users discloses valid account names to anyone at the console.

Remediation. Set System DontEnumerateConnectedUsers to 1.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines

WIN-LOGON-010 - Do Not Enumerate Local Users on Domain-Joined Computers

Severity: Medium   Category: Access Control   Provider: Registry   Delivery: Group Policy   Reboot: No   Tier: Standard

Do not enumerate local users on domain-joined servers. Group Policy setting: this control checks the corresponding Group Policy registry value; a domain Group Policy applied after hardening can override the local configuration.

Rationale. Enumerating local users discloses valid account names.

Remediation. Set System EnumerateLocalUsers to 0.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines

WIN-LOGON-011 - Block User From Showing Account Details on Sign-In

Severity: Low   Category: Access Control   Provider: Registry   Delivery: Group Policy   Reboot: No   Tier: Standard

Prevent display of account details (such as email) on the sign-in screen. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.

Rationale. Exposed account details aid social-engineering and targeting.

Remediation. Set System BlockUserFromShowingAccountDetailsOnSignin to 1.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines

WIN-LOGON-012 - Do Not Display Network Selection UI

Severity: Low   Category: Access Control   Provider: Registry   Delivery: Group Policy   Reboot: No   Tier: Standard

Hide the network selection UI on the sign-in screen. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.

Rationale. The network UI lets an unauthenticated user change connectivity from the lock screen.

Remediation. Set System DontDisplayNetworkSelectionUI to 1.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines

WIN-LOGON-013 - Turn Off App Notifications on the Lock Screen

Severity: Low   Category: Access Control   Provider: Registry   Delivery: Group Policy   Reboot: No   Tier: Standard

Prevent app notifications from appearing on the lock screen. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.

Rationale. Lock-screen notifications can leak sensitive information.

Remediation. Set System DisableLockScreenAppNotifications to 1.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines

WIN-LOGON-014 - Disable Convenience PIN Sign-In

Severity: Medium   Category: Access Control   Provider: Registry   Delivery: Group Policy   Reboot: No   Tier: Standard

Disable domain convenience PIN sign-in. Group Policy setting: this control checks the corresponding Group Policy registry value; a domain Group Policy applied after hardening can override the local configuration.

Rationale. A convenience PIN is a weaker credential than a full domain password.

Remediation. Set System AllowDomainPINLogon to 0.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines

WIN-LOGON-015 - Disable Automatic Restart Sign-On (ARSO)

Severity: Medium   Category: Access Control   Provider: Registry   Delivery: Group Policy   Reboot: No   Tier: Standard

Do not automatically sign in and lock the last user after a restart. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.

Rationale. ARSO caches credentials to auto-sign-in after updates, a credential-exposure risk.

Remediation. Set System DisableAutomaticRestartSignOn to 1.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines

WIN-LOGON-016 - Screen Saver Grace Period

Severity: Low   Category: Access Control   Provider: Registry   Delivery: Direct   Reboot: No   Tier: Standard

Limit the grace period before a password-protected screen saver locks the session.

Rationale. A long grace period lets someone dismiss the screen saver without the password.

Remediation. Set Winlogon ScreenSaverGracePeriod to 5 (seconds) or fewer.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines

WIN-LOGON-017 - Turn Off Toast Notifications on the Lock Screen (Default Profile)

Severity: Low   Category: Access Control   Provider: Registry   Delivery: Group Policy   Reboot: No   Tier: Standard

Prevent toast notifications from appearing on the lock screen for the default profile. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.

Rationale. Lock-screen notifications can leak sensitive information.

Remediation. Set default-profile PushNotifications NoToastApplicationNotificationOnLockScreen to 1.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines

WIN-LOGON-018 - Logon Legal Notice Text

Severity: Low   Category: Access Control   Provider: Registry   Delivery: Group Policy   Reboot: No   Tier: Standard

Display a legal warning banner (message text) before interactive and Remote Desktop logon. Audits that a non-empty banner is set; the applied default authorized-use text can be replaced with your own wording. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.

Rationale. Without a logon banner, users are not warned that access is authorized-only and monitored, weakening legal and deterrence posture.

Remediation. Set Policies System LegalNoticeText to your organisation authorized-use warning (any non-empty value). Customise by editing this control apply value.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/interactive-logon-message-text-for-users-attempting-to-log-on

WIN-LOGON-019 - Logon Legal Notice Title

Severity: Low   Category: Access Control   Provider: Registry   Delivery: Group Policy   Reboot: No   Tier: Standard

Set the title bar caption for the logon warning banner. Audits that a non-empty caption is set; the applied default can be replaced with your own wording. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.

Rationale. A banner with no title is less clear and less authoritative as a legal warning.

Remediation. Set Policies System LegalNoticeCaption to a non-empty title. Customise by editing this control apply value.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/interactive-logon-message-title-for-users-attempting-to-log-on

WIN-LSA-001 - Do Not Store LAN Manager Hash

Severity: High   Category: Credential Protection   Provider: Registry   Delivery: Direct   Reboot: No   Tier: Essential

The weak LAN Manager hash of passwords must not be stored on next password change.

Rationale. LM hashes are easily cracked, exposing account passwords.

Remediation. Set Lsa NoLMHash to 1 so LM hashes are not stored.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark CMMC Level 2 HIPAA Security Rule Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/network-security-do-not-store-lan-manager-hash-value-on-next-password-change

WIN-LSA-002 - Restrict Anonymous SID Enumeration

Severity: Medium   Category: Access Control   Provider: Registry   Delivery: Direct   Reboot: No   Tier: Standard

Anonymous users must not be able to enumerate SIDs and account names.

Rationale. Anonymous enumeration aids reconnaissance and targeted attacks.

Remediation. Set Lsa RestrictAnonymous to 1 to restrict anonymous enumeration.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts-and-shares

WIN-LSA-003 - Enable LSASS Protection (RunAsPPL)

Severity: High   Category: Credential Protection   Provider: Registry   Delivery: Direct   Reboot: Yes   Tier: Enterprise

LSASS must run as a protected process (PPL) to resist credential theft tools.

Rationale. Unprotected LSASS memory can be dumped to steal credentials.

Remediation. Set Lsa RunAsPPL to 1 to run LSASS as a protected process. Requires a reboot.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark CMMC Level 2 HIPAA Security Rule Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines

WIN-LSA-004 - Do Not Allow Anonymous Enumeration of SAM Accounts

Severity: Medium   Category: Access Control   Provider: Registry   Delivery: Direct   Reboot: No   Tier: Standard

Anonymous users must not be able to enumerate SAM accounts.

Rationale. Anonymous SAM enumeration aids account discovery and password attacks.

Remediation. Set Lsa RestrictAnonymousSAM to 1.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts

WIN-LSA-005 - Enable Structured Exception Handling Overwrite Protection (SEHOP)

Severity: Medium   Category: Exploit Protection   Provider: Registry   Delivery: Direct   Reboot: No   Tier: Standard

SEHOP must be enabled to block Structured Exception Handler overwrite exploitation.

Rationale. SEH overwrite is a common memory-corruption exploitation technique.

Remediation. Ensure Session Manager kernel DisableExceptionChainValidation is 0 (SEHOP enabled).

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines

WIN-LSA-006 - Digitally Encrypt or Sign Secure Channel Data (Always)

Severity: Medium   Category: Authentication   Provider: Registry   Delivery: Direct   Reboot: No   Tier: Standard

All domain secure-channel traffic must be signed or encrypted.

Rationale. Unsigned secure-channel traffic is vulnerable to tampering and replay.

Remediation. Set Netlogon Parameters RequireSignOrSeal to 1.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/domain-member-digitally-encrypt-or-sign-secure-channel-data-always

WIN-LSA-007 - Do Not Apply Everyone Permissions to Anonymous Users

Severity: Medium   Category: Access Control   Provider: Registry   Delivery: Direct   Reboot: No   Tier: Standard

The Everyone SID must not be applied to anonymous connections.

Rationale. Applying Everyone permissions to anonymous users grants broad unauthenticated access.

Remediation. Set Lsa EveryoneIncludesAnonymous to 0.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/network-access-let-everyone-permissions-apply-to-anonymous-users

WIN-LSA-008 - Restrict Clients Allowed to Make Remote SAM Calls

Severity: Medium   Category: Access Control   Provider: Registry   Delivery: Direct   Reboot: No   Tier: Standard

Restrict remote SAM (SAMRPC) enumeration to the local Administrators group.

Rationale. Remote SAM enumeration lets low-privilege attackers map users, groups, and admins.

Remediation. Set Lsa RestrictRemoteSam to the SDDL O:SYG:SYD:(A;;RC;;;BA) (Administrators only).

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls

WIN-LSA-009 - Limit Local Account Use of Blank Passwords

Severity: High   Category: Access Control   Provider: Registry   Delivery: Direct   Reboot: No   Tier: Standard

Restrict local accounts with blank passwords to console logon only (no remote/network logon).

Rationale. Blank-password local accounts allow trivial remote access if guessed or known.

Remediation. Set Lsa LimitBlankPasswordUse to 1.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/accounts-limit-local-account-use-of-blank-passwords-to-console-logon-only

WIN-LSA-010 - Sharing and Security Model for Local Accounts (Classic)

Severity: Medium   Category: Access Control   Provider: Registry   Delivery: Direct   Reboot: No   Tier: Standard

Local accounts authenticate as themselves (Classic), not mapped to Guest.

Rationale. The Guest-only model weakens access control by treating all local network logons equally.

Remediation. Set Lsa ForceGuest to 0 (Classic - local users authenticate as themselves).

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/network-access-sharing-and-security-model-for-local-accounts

WIN-LSA-011 - Disallow LocalSystem NULL Session Fallback

Severity: Medium   Category: Access Control   Provider: Registry   Delivery: Direct   Reboot: No   Tier: Standard

Prevent LocalSystem services from falling back to unprotected NULL-session authentication.

Rationale. NULL-session fallback transmits data with a well-known key, providing no confidentiality or integrity.

Remediation. Set Lsa MSV1_0 AllowNullSessionFallback to 0.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/network-security-allow-localsystem-null-session-fallback

WIN-LSA-012 - Strengthen Default Permissions of Internal System Objects

Severity: Low   Category: Access Control   Provider: Registry   Delivery: Direct   Reboot: No   Tier: Standard

Strengthen the default DACL on shared system objects so non-administrators cannot modify objects they did not create.

Rationale. Weak default object permissions enable symbolic-link and predictable-name attacks.

Remediation. Set Session Manager ProtectionMode to 1.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/system-objects-strengthen-default-permissions-of-internal-system-objects

WIN-LSA-013 - Digitally Encrypt Secure Channel Data (When Possible)

Severity: Medium   Category: Authentication   Provider: Registry   Delivery: Direct   Reboot: No   Tier: Standard

Encrypt domain secure-channel traffic whenever the domain controller supports it.

Rationale. Unencrypted secure-channel data can be read in transit.

Remediation. Set Netlogon Parameters SealSecureChannel to 1.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/domain-member-digitally-encrypt-secure-channel-data-when-possible

WIN-LSA-014 - Digitally Sign Secure Channel Data (When Possible)

Severity: Medium   Category: Authentication   Provider: Registry   Delivery: Direct   Reboot: No   Tier: Standard

Sign domain secure-channel traffic whenever the domain controller supports it.

Rationale. Unsigned secure-channel data can be tampered with in transit.

Remediation. Set Netlogon Parameters SignSecureChannel to 1.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/domain-member-digitally-sign-secure-channel-data-when-possible

WIN-LSA-015 - Do Not Disable Machine Account Password Changes

Severity: Medium   Category: Authentication   Provider: Registry   Delivery: Direct   Reboot: No   Tier: Standard

Allow periodic machine-account password changes.

Rationale. A static machine-account password is easier to compromise and replay.

Remediation. Set Netlogon Parameters DisablePasswordChange to 0.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/domain-member-disable-machine-account-password-changes

WIN-LSA-016 - Maximum Machine Account Password Age (30 Days)

Severity: Low   Category: Authentication   Provider: Registry   Delivery: Direct   Reboot: No   Tier: Standard

The machine-account password must be rotated at least every 30 days.

Rationale. Infrequent rotation extends the window for a stolen machine password.

Remediation. Set Netlogon Parameters MaximumPasswordAge to 30.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/domain-member-maximum-machine-account-password-age

WIN-LSA-017 - Require Strong (Windows 2000 or Later) Session Key

Severity: Medium   Category: Authentication   Provider: Registry   Delivery: Direct   Reboot: No   Tier: Standard

Require a strong 128-bit secure-channel session key.

Rationale. Weak 64-bit session keys are more vulnerable to eavesdropping and hijacking.

Remediation. Set Netlogon Parameters RequireStrongKey to 1.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/domain-member-require-strong-windows-2000-or-later-session-key

WIN-LSA-018 - Do Not Store Passwords and Credentials for Network Authentication

Severity: High   Category: Credential Protection   Provider: Registry   Delivery: Direct   Reboot: No   Tier: Standard

Prevent caching of network-authentication passwords and credentials.

Rationale. Cached network credentials can be harvested from a compromised host.

Remediation. Set Lsa DisableDomainCreds to 1.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication

WIN-LSA-019 - Require Case Insensitivity for Non-Windows Subsystems

Severity: Low   Category: Access Control   Provider: Registry   Delivery: Direct   Reboot: Yes   Tier: Standard

Enforce case insensitivity for all subsystems, including POSIX.

Rationale. Case-sensitive object names can be used to bypass name-based access checks.

Remediation. Set Session Manager Kernel ObCaseInsensitive to 1.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/system-objects-require-case-insensitivity-for-non-windows-subsystems

WIN-NET-001 - Disable LLMNR

Severity: Medium   Category: Network Protocols   Provider: Registry   Delivery: Group Policy   Reboot: No   Tier: Standard

Link-Local Multicast Name Resolution (LLMNR) must be disabled to prevent name-resolution poisoning and credential capture. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.

Rationale. LLMNR enables responder-style spoofing and NTLM credential theft.

Remediation. Set DNSClient EnableMulticast to 0 to disable LLMNR.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines

WIN-NET-002 - Disable IPv4 Source Routing

Severity: Medium   Category: Network Protocols   Provider: Registry   Delivery: Direct   Reboot: No   Tier: Standard

IPv4 source routing must be disabled to prevent source-routed packet spoofing.

Rationale. Source routing lets attackers dictate the network path of packets, aiding spoofing.

Remediation. Set Tcpip Parameters DisableIPSourceRouting to 2 (highest protection).

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines

WIN-NET-003 - Disable ICMP Redirects

Severity: Low   Category: Network Protocols   Provider: Registry   Delivery: Direct   Reboot: No   Tier: Standard

ICMP redirects must not override OSPF-generated routes.

Rationale. ICMP redirects can be abused to reroute traffic through an attacker.

Remediation. Set Tcpip Parameters EnableICMPRedirect to 0.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines

WIN-NET-004 - Disable IPv6 Source Routing

Severity: Medium   Category: Network Protocols   Provider: Registry   Delivery: Direct   Reboot: No   Tier: Standard

IPv6 source routing must be disabled to prevent source-routed packet spoofing.

Rationale. IPv6 source routing enables path manipulation and spoofing.

Remediation. Set Tcpip6 Parameters DisableIPSourceRouting to 2.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines

WIN-NET-005 - Ignore NetBIOS Name Release Requests

Severity: Low   Category: Network Protocols   Provider: Registry   Delivery: Direct   Reboot: No   Tier: Standard

Ignore NetBIOS name-release requests except from WINS servers.

Rationale. Malicious name-release requests enable NetBIOS denial-of-service and spoofing.

Remediation. Set Netbt Parameters NoNameReleaseOnDemand to 1.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines

WIN-NET-006 - Disable mDNS

Severity: Medium   Category: Network Protocols   Provider: Registry   Delivery: Direct   Reboot: No   Tier: Standard

Disable multicast DNS (mDNS) name resolution.

Rationale. mDNS, like LLMNR, can be abused for name-resolution spoofing and credential harvesting.

Remediation. Set Dnscache Parameters EnableMDNS to 0.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines

WIN-NET-007 - Enable Safe DLL Search Mode

Severity: Medium   Category: Exploit Protection   Provider: Registry   Delivery: Direct   Reboot: No   Tier: Standard

Use safe DLL search order so system locations are searched before the current directory.

Rationale. Unsafe DLL search order enables DLL-planting (DLL hijacking) attacks.

Remediation. Set Session Manager SafeDllSearchMode to 1.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines

WIN-NET-008 - Hardened UNC Path for SYSVOL

Severity: High   Category: Network Protocols   Provider: Registry   Delivery: Group Policy   Reboot: No   Tier: Standard

Require mutual authentication and integrity for access to the SYSVOL share. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.

Rationale. Unhardened SYSVOL access enables Group Policy man-in-the-middle attacks.

Remediation. Set NetworkProvider HardenedPaths \*\SYSVOL to RequireMutualAuthentication=1, RequireIntegrity=1.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines

WIN-NET-009 - Hardened UNC Path for NETLOGON

Severity: High   Category: Network Protocols   Provider: Registry   Delivery: Group Policy   Reboot: No   Tier: Standard

Require mutual authentication and integrity for access to the NETLOGON share. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.

Rationale. Unhardened NETLOGON access enables logon-script man-in-the-middle attacks.

Remediation. Set NetworkProvider HardenedPaths \*\NETLOGON to RequireMutualAuthentication=1, RequireIntegrity=1.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines

WIN-NET-010 - Disable Font Providers

Severity: Low   Category: Attack Surface Reduction   Provider: Registry   Delivery: Group Policy   Reboot: No   Tier: Standard

Prevent Windows from fetching fonts from online font providers. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.

Rationale. Font provider calls are unnecessary outbound network traffic.

Remediation. Set System EnableFontProviders to 0.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines

WIN-NET-011 - Turn Off Smart Multi-Homed Name Resolution

Severity: Medium   Category: Network Protocols   Provider: Registry   Delivery: Group Policy   Reboot: No   Tier: Standard

Disable smart multi-homed name resolution, which can send DNS queries on all interfaces. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.

Rationale. Multi-homed resolution can leak internal names and enable spoofing responses.

Remediation. Set Windows NT DNSClient DisableSmartNameResolution to 1.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines

WIN-NET-012 - Prohibit Installation of Network Bridge

Severity: Low   Category: Network Protocols   Provider: Registry   Delivery: Group Policy   Reboot: No   Tier: Standard

Prevent users from installing and configuring a Network Bridge. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.

Rationale. A network bridge can join isolated network segments and bypass controls.

Remediation. Set Network Connections NC_AllowNetBridge_NLA to 0.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines

WIN-NET-013 - Prohibit Internet Connection Sharing

Severity: Low   Category: Network Protocols   Provider: Registry   Delivery: Group Policy   Reboot: No   Tier: Standard

Prevent use of the Internet Connection Sharing feature. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.

Rationale. ICS can expose an internal network through an uncontrolled gateway.

Remediation. Set Network Connections NC_ShowSharedAccessUI to 0.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines

WIN-NET-014 - Require Domain Users to Elevate When Setting Network Location

Severity: Low   Category: Network Protocols   Provider: Registry   Delivery: Group Policy   Reboot: No   Tier: Standard

Require elevation before a domain user can change a network location. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.

Rationale. Changing a network to Private lowers firewall restrictions.

Remediation. Set Network Connections NC_StdDomainUserSetLocation to 1.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines

WIN-NET-015 - Minimize Simultaneous Internet and Domain Connections

Severity: Low   Category: Network Protocols   Provider: Registry   Delivery: Group Policy   Reboot: No   Tier: Standard

Prevent simultaneous connections to the internet and the domain network. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.

Rationale. Bridged connectivity can route around perimeter controls.

Remediation. Set WcmSvc GroupPolicy fMinimizeConnections to 3.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines

WIN-NET-016 - Prohibit Non-Domain Networks When on Domain Network

Severity: Low   Category: Network Protocols   Provider: Registry   Delivery: Group Policy   Reboot: No   Tier: Standard

Block connections to non-domain networks while connected to the domain network. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.

Rationale. Dual-homing to untrusted networks can bridge attacks into the domain.

Remediation. Set WcmSvc GroupPolicy fBlockNonDomain to 1.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines

WIN-NET-017 - Disable Windows Connect Now Registrars

Severity: Low   Category: Network Protocols   Provider: Registry   Delivery: Group Policy   Reboot: No   Tier: Standard

Disable configuration of wireless settings using Windows Connect Now. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.

Rationale. WCN registrars allow wireless provisioning not needed on servers.

Remediation. Set WCN Registrars EnableRegistrars to 0.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines

WIN-NET-018 - Prohibit Access of Windows Connect Now Wizards

Severity: Low   Category: Network Protocols   Provider: Registry   Delivery: Group Policy   Reboot: No   Tier: Standard

Prohibit access to the Windows Connect Now wizards. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.

Rationale. WCN wizards expose unnecessary wireless provisioning UI.

Remediation. Set WCN UI DisableWcnUi to 1.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines

WIN-NET-019 - Turn Off Link-Layer Topology Mapper I/O Driver

Severity: Low   Category: Network Protocols   Provider: Registry   Delivery: Group Policy   Reboot: No   Tier: Standard

Disable the Link-Layer Topology Discovery Mapper I/O (LLTDIO) driver on the domain. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.

Rationale. LLTD can be used to map the network for reconnaissance.

Remediation. Set LLTD AllowLLTDIOOnDomain to 0.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines

WIN-NET-020 - Turn Off Link-Layer Topology Responder Driver

Severity: Low   Category: Network Protocols   Provider: Registry   Delivery: Group Policy   Reboot: No   Tier: Standard

Disable the Link-Layer Topology Discovery Responder (RSPNDR) driver on the domain. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.

Rationale. The responder advertises the host to network-mapping tools.

Remediation. Set LLTD AllowRspndrOnDomain to 0.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines

WIN-NET-021 - TCP Maximum Data Retransmissions (IPv4)

Severity: Low   Category: Network Protocols   Provider: Registry   Delivery: Direct   Reboot: No   Tier: Standard

Limit how many times TCP retransmits an unacknowledged data segment (IPv4).

Rationale. Excessive retransmissions increase exposure to SYN-flood style attacks.

Remediation. Set Tcpip Parameters TcpMaxDataRetransmissions to 3 or fewer.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines

WIN-NET-022 - TCP Maximum Data Retransmissions (IPv6)

Severity: Low   Category: Network Protocols   Provider: Registry   Delivery: Direct   Reboot: No   Tier: Standard

Limit how many times TCP retransmits an unacknowledged data segment (IPv6).

Rationale. Excessive retransmissions increase exposure to SYN-flood style attacks.

Remediation. Set Tcpip6 Parameters TcpMaxDataRetransmissions to 3 or fewer.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines

WIN-NET-023 - TCP Keep-Alive Time

Severity: Low   Category: Network Protocols   Provider: Registry   Delivery: Direct   Reboot: No   Tier: Standard

Set how often TCP sends keep-alive packets to at most 5 minutes.

Rationale. Long keep-alive intervals leave idle connections open longer than necessary.

Remediation. Set Tcpip Parameters KeepAliveTime to 300000 (ms) or fewer.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines

WIN-NET-024 - Disable Dead Gateway Detection

Severity: Low   Category: Network Protocols   Provider: Registry   Delivery: Direct   Reboot: No   Tier: Standard

Disable TCP dead-gateway detection so the stack does not switch gateways automatically.

Rationale. Automatic gateway switching can be induced to redirect traffic.

Remediation. Set Tcpip Parameters EnableDeadGWDetect to 0.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines

WIN-NTLM-001 - LAN Manager Authentication Level (NTLMv2 Only)

Severity: High   Category: Authentication   Provider: Registry   Delivery: Direct   Reboot: No   Tier: Standard

The system must send NTLMv2 responses only and refuse LM and NTLM, resisting downgrade and relay attacks.

Rationale. Legacy LM/NTLM authentication is vulnerable to cracking and relay.

Remediation. Set Lsa LmCompatibilityLevel to 5 (send NTLMv2 only, refuse LM and NTLM).

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark CMMC Level 2 HIPAA Security Rule Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/network-security-lan-manager-authentication-level

WIN-NTLM-002 - Minimum NTLM Session Security (Clients)

Severity: Medium   Category: Authentication   Provider: Registry   Delivery: Direct   Reboot: No   Tier: Standard

NTLM SSP clients must require NTLMv2 session security and 128-bit encryption.

Rationale. Weak NTLM session security is vulnerable to downgrade and man-in-the-middle attacks.

Remediation. Set Lsa MSV1_0 NTLMMinClientSec to 537395200 (require NTLMv2 and 128-bit).

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-clients

WIN-NTLM-003 - Minimum NTLM Session Security (Servers)

Severity: Medium   Category: Authentication   Provider: Registry   Delivery: Direct   Reboot: No   Tier: Standard

NTLM SSP servers must require NTLMv2 session security and 128-bit encryption.

Rationale. Weak NTLM session security is vulnerable to downgrade and man-in-the-middle attacks.

Remediation. Set Lsa MSV1_0 NTLMMinServerSec to 537395200 (require NTLMv2 and 128-bit).

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers

WIN-NTLM-004 - Allow LocalSystem to Use Computer Identity for NTLM

Severity: Medium   Category: Authentication   Provider: Registry   Delivery: Direct   Reboot: No   Tier: Standard

LocalSystem services authenticate with the computer identity instead of anonymously.

Rationale. Anonymous LocalSystem NTLM weakens session security.

Remediation. Set Lsa UseMachineId to 1.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/network-security-allow-local-system-to-use-computer-identity-for-ntlm

WIN-NTLM-005 - Disallow PKU2U Online Identities

Severity: Medium   Category: Authentication   Provider: Registry   Delivery: Direct   Reboot: No   Tier: Standard

Prevent PKU2U from using online identities to authenticate to this server (on-premises environments).

Rationale. PKU2U online identities can bypass domain-defined access controls.

Remediation. Set Lsa pku2u AllowOnlineID to 0.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities

WIN-NTLM-006 - Audit Incoming NTLM Traffic

Severity: Low   Category: Authentication   Provider: Registry   Delivery: Direct   Reboot: No   Tier: Standard

Log all incoming NTLM authentication so NTLM usage can be measured before restriction.

Rationale. Without auditing, NTLM dependence is invisible and hard to eliminate.

Remediation. Set Lsa MSV1_0 AuditReceivingNTLMTraffic to 2 (all accounts).

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-audit-incoming-ntlm-traffic

WIN-NTLM-007 - Audit Outgoing NTLM Traffic to Remote Servers

Severity: Low   Category: Authentication   Provider: Registry   Delivery: Direct   Reboot: No   Tier: Standard

Log all outgoing NTLM authentication to remote servers.

Rationale. Unmeasured outgoing NTLM makes it hard to move to Kerberos.

Remediation. Set Lsa MSV1_0 RestrictSendingNTLMTraffic to 1 (Audit all).

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers

WIN-PRINT-001 - Restrict Point and Print Driver Installation to Administrators

Severity: High   Category: Attack Surface Reduction   Provider: Registry   Delivery: Group Policy   Reboot: No   Tier: Standard

Only administrators may install printer drivers via Point and Print. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.

Rationale. Unrestricted Point and Print driver installation was the basis of the PrintNightmare RCE.

Remediation. Set Printers PointAndPrint RestrictDriverInstallationToAdministrators to 1.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines

WIN-PRINT-002 - Require Elevation for New Point and Print Connections

Severity: Medium   Category: Attack Surface Reduction   Provider: Registry   Delivery: Group Policy   Reboot: No   Tier: Standard

Warn and require elevation when installing drivers for a new Point and Print connection. Group Policy setting: this control checks the corresponding Group Policy registry value; a domain Group Policy applied after hardening can override the local configuration.

Rationale. Silent driver installation lets a malicious print server push a driver without prompting.

Remediation. Set Printers PointAndPrint NoWarningNoElevationOnInstall to 0.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines

WIN-PRINT-003 - Prevent Users From Installing Printer Drivers

Severity: Medium   Category: Attack Surface Reduction   Provider: Registry   Delivery: Direct   Reboot: No   Tier: Standard

Only administrators may install printer drivers when adding a network printer.

Rationale. User-installed printer drivers can introduce untrusted kernel code on servers.

Remediation. Set Print Providers LanMan Print Services Servers AddPrinterDrivers to 1.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/devices-prevent-users-from-installing-printer-drivers

WIN-PSL-001 - Enable PowerShell Script Block Logging

Severity: Medium   Category: Logging and Monitoring   Provider: Registry   Delivery: Group Policy   Reboot: No   Tier: Standard

PowerShell Script Block Logging must be enabled to record the content of executed script blocks for detection and forensics. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.

Rationale. Reduced visibility of malicious PowerShell activity.

Remediation. Enable PowerShell Script Block Logging by setting EnableScriptBlockLogging to 1 under the ScriptBlockLogging policy key.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 SOC 2 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2

References: - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_logging_windows

WIN-PSL-002 - Enable PowerShell Module Logging

Severity: Medium   Category: Logging and Monitoring   Provider: Registry   Delivery: Group Policy   Reboot: No   Tier: Standard

PowerShell Module Logging must be enabled to record pipeline execution details of PowerShell modules. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.

Rationale. Reduced visibility of malicious PowerShell module activity.

Remediation. Enable PowerShell Module Logging by setting EnableModuleLogging to 1 under the ModuleLogging policy key.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 SOC 2 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2

References: - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_logging_windows

WIN-PSL-003 - Enable PowerShell Transcription

Severity: Medium   Category: Logging and Monitoring   Provider: Registry   Delivery: Group Policy   Reboot: No   Tier: Standard

Capture a transcript of every PowerShell session. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.

Rationale. Transcripts provide a forensic record of interactive and scripted PowerShell use.

Remediation. Set PowerShell Transcription EnableTranscripting to 1.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 SOC 2 ISO/IEC 27001 Microsoft Security Baselines NIS2

References: - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_logging_windows

WIN-PWD-001 - Minimum Password Length

Severity: High   Category: Account Policy   Provider: SecEdit   Delivery: Direct   Reboot: No   Tier: Essential

The local security policy must require a minimum password length of at least 14 characters.

Rationale. Short passwords are susceptible to brute-force and guessing attacks.

Remediation. Set the minimum password length policy to 14 or greater (Local Security Policy, Account Policies, Password Policy).

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 CMMC Level 2 PCI DSS v4.0 ISO/IEC 27001 HIPAA Security Rule Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/minimum-password-length

WIN-PWD-002 - Password Complexity Enabled

Severity: High   Category: Account Policy   Provider: SecEdit   Delivery: Direct   Reboot: No   Tier: Essential

The local security policy must enforce password complexity requirements.

Rationale. Simple passwords are susceptible to guessing and dictionary attacks.

Remediation. Enable the password complexity requirements policy (PasswordComplexity = 1).

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 CMMC Level 2 PCI DSS v4.0 ISO/IEC 27001 HIPAA Security Rule Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements

WIN-PWD-003 - Maximum Password Age

Severity: Medium   Category: Account Policy   Provider: SecEdit   Delivery: Direct   Reboot: No   Tier: Standard

Passwords must expire within a defined period so that compromised credentials have a limited useful lifetime.

Rationale. Passwords that never expire remain valid indefinitely if leaked.

Remediation. Set the maximum password age to 365 days or fewer (but not 0) in the account policy.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark CMMC Level 2 HIPAA Security Rule Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/maximum-password-age

WIN-PWD-004 - Minimum Password Age

Severity: Low   Category: Account Policy   Provider: SecEdit   Delivery: Direct   Reboot: No   Tier: Standard

A minimum password age prevents users from cycling rapidly through passwords to defeat history enforcement.

Rationale. Without a minimum age, users can bypass password history by changing passwords repeatedly.

Remediation. Set the minimum password age to at least 1 day in the account policy.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/minimum-password-age

WIN-PWD-005 - Enforce Password History

Severity: Medium   Category: Account Policy   Provider: SecEdit   Delivery: Direct   Reboot: No   Tier: Standard

Remembering previous passwords prevents reuse of recently used credentials.

Rationale. Password reuse increases exposure if an old password is compromised.

Remediation. Set the enforce password history policy to 24 or more remembered passwords.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark CMMC Level 2 HIPAA Security Rule Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/enforce-password-history

WIN-PWD-006 - Disable Reversible Password Encryption

Severity: High   Category: Account Policy   Provider: SecEdit   Delivery: Direct   Reboot: No   Tier: Essential

Storing passwords using reversible encryption is equivalent to storing plaintext passwords and must be disabled.

Rationale. Reversibly encrypted passwords can be trivially recovered to plaintext.

Remediation. Disable the store-passwords-using-reversible-encryption policy (set to 0).

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark CMMC Level 2 HIPAA Security Rule Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/store-passwords-using-reversible-encryption

WIN-RA-001 - Disable Solicited Remote Assistance

Severity: Medium   Category: Remote Access   Provider: Registry   Delivery: Group Policy   Reboot: No   Tier: Standard

Disable solicited (Ask for help) Remote Assistance. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.

Rationale. Remote Assistance can grant an outsider interactive control of the server.

Remediation. Set Terminal Services fAllowToGetHelp to 0.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines

WIN-RA-002 - Disable Offer (Unsolicited) Remote Assistance

Severity: Medium   Category: Remote Access   Provider: Registry   Delivery: Group Policy   Reboot: No   Tier: Standard

Disable offer-based (unsolicited) Remote Assistance. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.

Rationale. Unsolicited Remote Assistance lets a helper connect without a user request.

Remediation. Set Terminal Services fAllowUnsolicited to 0.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines

WIN-RDP-001 - Require Network Level Authentication for RDP

Severity: High   Category: Remote Access   Provider: Registry   Delivery: Direct   Reboot: No   Tier: Standard

Remote Desktop connections must require Network Level Authentication (NLA) so users authenticate before a session is established.

Rationale. Pre-authentication exposure of the RDP session host to unauthenticated attackers.

Remediation. Require Network Level Authentication for RDP by setting UserAuthentication to 1 on the RDP-Tcp WinStation.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines

WIN-RDP-002 - RDP Minimum Encryption Level (High)

Severity: Medium   Category: Remote Access   Provider: Registry   Delivery: Direct   Reboot: No   Tier: Standard

Remote Desktop sessions must use a High minimum encryption level.

Rationale. Weak RDP encryption exposes session data to interception.

Remediation. Set the RDP-Tcp MinEncryptionLevel to 3 (High).

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines

WIN-RDP-003 - RDP Security Layer (TLS)

Severity: Medium   Category: Remote Access   Provider: Registry   Delivery: Direct   Reboot: No   Tier: Standard

Remote Desktop must use the SSL/TLS security layer for connection security.

Rationale. The legacy RDP security layer is susceptible to man-in-the-middle attacks.

Remediation. Set the RDP-Tcp SecurityLayer to 2 (SSL/TLS).

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines

WIN-RDP-004 - Disable RDP Drive Redirection

Severity: Medium   Category: Remote Access   Provider: Registry   Delivery: Direct   Reboot: No   Tier: Standard

Client drive redirection over RDP must be disabled to prevent data exfiltration and malware ingress.

Rationale. Drive redirection allows files to move between client and server, aiding exfiltration.

Remediation. Set the RDP-Tcp fDisableCdm value to 1 to disable client drive redirection.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines

WIN-RDP-005 - Always Prompt for Password on RDP Connection

Severity: Medium   Category: Remote Access   Provider: Registry   Delivery: Group Policy   Reboot: No   Tier: Standard

Require Remote Desktop clients to provide a password at connection time. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.

Rationale. Saved credentials let a stolen client session reconnect without authentication.

Remediation. Set Terminal Services fPromptForPassword to 1.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines

WIN-RDP-006 - Disable RDP Clipboard Redirection

Severity: Low   Category: Remote Access   Provider: Registry   Delivery: Group Policy   Reboot: No   Tier: Enterprise

Disable clipboard redirection in Remote Desktop sessions. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.

Rationale. Clipboard redirection can exfiltrate data between the session and the client.

Remediation. Set Terminal Services fDisableClip to 1.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines

WIN-RDP-007 - Set RDP Idle Session Time Limit

Severity: Low   Category: Remote Access   Provider: Registry   Delivery: Group Policy   Reboot: No   Tier: Standard

End idle Remote Desktop sessions after a time limit (15 minutes). Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.

Rationale. Abandoned idle sessions can be hijacked at the console or over the network.

Remediation. Set Terminal Services MaxIdleTime to 900000 (15 minutes, in milliseconds).

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines

WIN-RDP-008 - Set RDP Disconnected Session Time Limit

Severity: Low   Category: Remote Access   Provider: Registry   Delivery: Group Policy   Reboot: No   Tier: Standard

End disconnected Remote Desktop sessions after a time limit (1 minute). Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.

Rationale. Disconnected sessions retain a logged-on context that can be resumed by others.

Remediation. Set Terminal Services MaxDisconnectionTime to 60000 (1 minute, in milliseconds).

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines

WIN-RDP-009 - Do Not Allow Saved RDP Passwords

Severity: Medium   Category: Remote Access   Provider: Registry   Delivery: Group Policy   Reboot: No   Tier: Standard

Prevent Remote Desktop clients from saving passwords. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.

Rationale. Saved RDP credentials let a stolen client reconnect without authentication.

Remediation. Set Terminal Services DisablePasswordSaving to 1.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines

WIN-RDP-010 - Disable RDP COM Port Redirection

Severity: Low   Category: Remote Access   Provider: Registry   Delivery: Group Policy   Reboot: No   Tier: Standard

Prevent COM port redirection in Remote Desktop sessions. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.

Rationale. Device redirection expands the RDP data-exfiltration surface.

Remediation. Set Terminal Services fDisableCcm to 1.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines

WIN-RDP-011 - Disable RDP LPT Port Redirection

Severity: Low   Category: Remote Access   Provider: Registry   Delivery: Group Policy   Reboot: No   Tier: Standard

Prevent LPT port redirection in Remote Desktop sessions. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.

Rationale. Device redirection expands the RDP data-exfiltration surface.

Remediation. Set Terminal Services fDisableLPT to 1.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines

WIN-RDP-012 - Disable RDP Plug and Play Device Redirection

Severity: Low   Category: Remote Access   Provider: Registry   Delivery: Group Policy   Reboot: No   Tier: Standard

Prevent supported Plug and Play device redirection in Remote Desktop sessions. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.

Rationale. PnP redirection can attach untrusted devices to the session.

Remediation. Set Terminal Services fDisablePNPRedir to 1.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines

WIN-RDP-013 - Require Secure RPC for Remote Desktop

Severity: Medium   Category: Remote Access   Provider: Registry   Delivery: Group Policy   Reboot: No   Tier: Standard

Require secure (encrypted, authenticated) RPC for Remote Desktop connections. Group Policy setting: this control checks the corresponding Group Policy registry value; a domain Group Policy applied after hardening can override the local configuration.

Rationale. Unsecured RPC exposes RDP management traffic.

Remediation. Set Terminal Services fEncryptRPCTraffic to 1.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines

WIN-RDP-014 - Use Temporary Folders Per RDP Session

Severity: Low   Category: Remote Access   Provider: Registry   Delivery: Group Policy   Reboot: No   Tier: Standard

Use a separate temporary folder for each Remote Desktop session. Group Policy setting: this control checks the corresponding Group Policy registry value; a domain Group Policy applied after hardening can override the local configuration.

Rationale. Shared temp folders can leak data between sessions.

Remediation. Set Terminal Services PerSessionTempDir to 1.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines

WIN-RPC-001 - Restrict Unauthenticated RPC Clients

Severity: Medium   Category: Network Protocols   Provider: Registry   Delivery: Group Policy   Reboot: No   Tier: Standard

Require authentication for RPC clients connecting to the RPC runtime. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.

Rationale. Unauthenticated RPC is a broad remote attack surface.

Remediation. Set Rpc RestrictRemoteClients to 1.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines

WIN-RPC-002 - Enable RPC Endpoint Mapper Client Authentication

Severity: Medium   Category: Network Protocols   Provider: Registry   Delivery: Group Policy   Reboot: No   Tier: Standard

Require authentication when resolving RPC endpoints via the Endpoint Mapper. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.

Rationale. Unauthenticated endpoint resolution can be abused for reconnaissance and relay.

Remediation. Set Rpc EnableAuthEpResolution to 1.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines

WIN-SCRSVR-001 - Enable Screen Saver (Default Profile)

Severity: Low   Category: Access Control   Provider: Registry   Delivery: Group Policy   Reboot: No   Tier: Standard

Enable the screen saver for the default user profile so new sessions lock when idle. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.

Rationale. Without a screen saver, unattended sessions stay unlocked.

Remediation. Set default-profile Control Panel Desktop ScreenSaveActive to 1.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines

WIN-SCRSVR-002 - Password Protect the Screen Saver (Default Profile)

Severity: Medium   Category: Access Control   Provider: Registry   Delivery: Group Policy   Reboot: No   Tier: Standard

Require a password to dismiss the screen saver for the default user profile. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.

Rationale. An unprotected screen saver does not actually lock the session.

Remediation. Set default-profile Control Panel Desktop ScreenSaverIsSecure to 1.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines

WIN-SCRSVR-003 - Screen Saver Timeout (Default Profile)

Severity: Low   Category: Access Control   Provider: Registry   Delivery: Group Policy   Reboot: No   Tier: Standard

Lock the default-profile session with the screen saver after at most 15 minutes of inactivity. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.

Rationale. Long timeouts leave unattended sessions unlocked for too long.

Remediation. Set default-profile Control Panel Desktop ScreenSaveTimeOut to 900 (seconds) or fewer.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines

WIN-SMARTSCREEN-001 - Configure Windows Defender SmartScreen

Severity: Medium   Category: Endpoint Protection   Provider: Registry   Delivery: Group Policy   Reboot: No   Tier: Standard

Enable SmartScreen reputation checks for apps and files. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.

Rationale. Without SmartScreen, users can run known-malicious downloads.

Remediation. Set System EnableSmartScreen to 1.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines

WIN-SMB-001 - Disable SMBv1

Severity: High   Category: Network Protocols   Provider: Registry   Delivery: Direct   Reboot: No   Tier: Essential

SMBv1 is a deprecated protocol vulnerable to EternalBlue-class remote code execution and lateral movement. It must be disabled on the server.

Rationale. Remote code execution and lateral movement via legacy SMB protocol.

Remediation. Disable the SMBv1 server by setting the LanmanServer Parameters value SMB1 to 0. CloudInfra Secure applies this automatically; reboot to fully remove the SMBv1 driver.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 CMMC Level 2 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/windows-server/storage/file-server/troubleshoot/detect-enable-and-disable-smbv1-v2-v3

WIN-SMB-003 - Require SMB Signing (Server)

Severity: High   Category: Network Protocols   Provider: Registry   Delivery: Direct   Reboot: No   Tier: Standard

The SMB server must require packet signing to prevent tampering and man-in-the-middle attacks on file traffic.

Rationale. Unsigned SMB traffic can be intercepted or modified in transit.

Remediation. Set LanmanServer Parameters RequireSecuritySignature to 1 to require SMB signing.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/microsoft-network-server-digitally-sign-communications-always

WIN-SMB-004 - Disable SMBv1 Client

Severity: High   Category: Network Protocols   Provider: Registry   Delivery: Direct   Reboot: No   Tier: Standard

The SMBv1 client driver (mrxsmb10) must be disabled to prevent the host connecting over the vulnerable SMBv1 protocol.

Rationale. SMBv1 client use exposes the host to EternalBlue-class and downgrade attacks.

Remediation. Set the mrxsmb10 service Start value to 4 (disabled) to disable the SMBv1 client driver.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/windows-server/storage/file-server/troubleshoot/detect-enable-and-disable-smbv1-v2-v3

WIN-SMB-005 - Require SMB Client Signing

Severity: Medium   Category: Network Protocols   Provider: Registry   Delivery: Direct   Reboot: No   Tier: Standard

The SMB client must require packet signing to protect outbound file traffic from tampering.

Rationale. Unsigned SMB client traffic can be intercepted or modified.

Remediation. Set LanmanWorkstation Parameters RequireSecuritySignature to 1.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/microsoft-network-client-digitally-sign-communications-always

WIN-SMB-006 - Restrict Anonymous Access to Named Pipes and Shares

Severity: Medium   Category: Network Protocols   Provider: Registry   Delivery: Direct   Reboot: No   Tier: Standard

Anonymous (null session) access to named pipes and shares must be restricted.

Rationale. Null sessions can enumerate and access shares without authentication.

Remediation. Set LanmanServer Parameters RestrictNullSessAccess to 1.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/network-access-restrict-anonymous-access-to-named-pipes-and-shares

WIN-SMB-007 - Disable SMB Client Insecure Guest Logons

Severity: Medium   Category: Network Protocols   Provider: Registry   Delivery: Group Policy   Reboot: No   Tier: Standard

Prevent the SMB client from making insecure guest logons to file servers. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.

Rationale. Insecure guest access exposes clients to rogue/man-in-the-middle SMB servers.

Remediation. Set LanmanWorkstation AllowInsecureGuestAuth to 0.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines

WIN-SMB-008 - Do Not Send Unencrypted Password to Third-Party SMB Servers

Severity: Medium   Category: Network Protocols   Provider: Registry   Delivery: Direct   Reboot: No   Tier: Standard

Prevent the SMB client from sending plaintext passwords to non-Microsoft SMB servers.

Rationale. Plaintext passwords on the wire can be captured by a network eavesdropper.

Remediation. Set LanmanWorkstation Parameters EnablePlainTextPassword to 0.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/microsoft-network-client-send-unencrypted-password-to-third-party-smb-servers

WIN-SMB-009 - Digitally Sign Client Communications (If Server Agrees)

Severity: Low   Category: Network Protocols   Provider: Registry   Delivery: Direct   Reboot: No   Tier: Standard

The SMB client negotiates signing whenever the server supports it.

Rationale. Unsigned SMB sessions are vulnerable to tampering and relay.

Remediation. Set LanmanWorkstation Parameters EnableSecuritySignature to 1.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/microsoft-network-client-digitally-sign-communications-if-server-agrees

WIN-SMB-010 - Digitally Sign Server Communications (If Client Agrees)

Severity: Low   Category: Network Protocols   Provider: Registry   Delivery: Direct   Reboot: No   Tier: Standard

The SMB server negotiates signing whenever the client supports it.

Rationale. Unsigned SMB sessions are vulnerable to tampering and relay.

Remediation. Set LanmanServer Parameters EnableSecuritySignature to 1.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/microsoft-network-server-digitally-sign-communications-if-client-agrees

WIN-SMB-011 - Idle Time Required Before Suspending an SMB Session (15 min)

Severity: Low   Category: Network Protocols   Provider: Registry   Delivery: Direct   Reboot: No   Tier: Standard

Suspend idle SMB sessions after 15 minutes.

Rationale. Idle sessions consume resources and can be resumed by an attacker.

Remediation. Set LanmanServer Parameters AutoDisconnect to 15.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/microsoft-network-server-amount-of-idle-time-required-before-suspending-session

WIN-SMB-012 - Disconnect Clients When Logon Hours Expire

Severity: Low   Category: Network Protocols   Provider: Registry   Delivery: Direct   Reboot: No   Tier: Standard

Force-disconnect SMB clients when their logon hours expire.

Rationale. Sessions that outlive logon hours bypass time-based access controls.

Remediation. Set LanmanServer Parameters EnableForcedLogOff to 1.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/microsoft-network-server-disconnect-clients-when-logon-hours-expire

WIN-SMB-013 - Server SPN Target Name Validation Level

Severity: Medium   Category: Network Protocols   Provider: Registry   Delivery: Direct   Reboot: No   Tier: Standard

Validate the SPN provided by SMB clients to mitigate SMB relay attacks.

Rationale. Without SPN validation, SMB is exposed to relay attacks.

Remediation. Set LanmanServer Parameters SmbServerNameHardeningLevel to 1 (Accept if provided by client).

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/microsoft-network-server-server-spn-target-name-validation-level

WIN-SVC-001 - Disable Remote Registry Service

Severity: Medium   Category: Attack Surface Reduction   Provider: Service   Delivery: Direct   Reboot: No   Tier: Standard

The Remote Registry service must be stopped and disabled to reduce remote attack surface.

Rationale. Remote Registry enables remote reconnaissance and modification of the registry.

Remediation. Stop and disable the RemoteRegistry service.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines

WIN-SVC-002 - Disable Print Spooler Service

Severity: Medium   Category: Attack Surface Reduction   Provider: Service   Delivery: Direct   Reboot: No   Tier: Enterprise

The Print Spooler service must be stopped and disabled on servers that do not print (PrintNightmare mitigation).

Rationale. The Print Spooler has a history of critical remote code execution vulnerabilities.

Remediation. Stop and disable the Spooler service. Do not apply to print servers.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines

WIN-TELEM-001 - Limit Diagnostic Data to Required or Less

Severity: Low   Category: Attack Surface Reduction   Provider: Registry   Delivery: Group Policy   Reboot: No   Tier: Standard

Send no more than the required level of diagnostic data. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.

Rationale. Higher telemetry levels transmit more potentially sensitive data off the host.

Remediation. Set DataCollection AllowTelemetry to 0 (Security) or 1 (Required).

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines

WIN-TELEM-002 - Disable OneSettings Downloads

Severity: Low   Category: Attack Surface Reduction   Provider: Registry   Delivery: Group Policy   Reboot: No   Tier: Standard

Prevent Windows from downloading configuration from the OneSettings service. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.

Rationale. OneSettings downloads are unnecessary outbound calls on a hardened server.

Remediation. Set DataCollection DisableOneSettingsDownloads to 1.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines

WIN-TELEM-003 - Do Not Show Feedback Notifications

Severity: Low   Category: Attack Surface Reduction   Provider: Registry   Delivery: Group Policy   Reboot: No   Tier: Standard

Suppress Windows feedback notifications. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.

Rationale. Feedback prompts are unnecessary on servers and encourage data submission.

Remediation. Set DataCollection DoNotShowFeedbackNotifications to 1.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines

WIN-TELEM-004 - Enable OneSettings Auditing

Severity: Low   Category: Logging and Monitoring   Provider: Registry   Delivery: Group Policy   Reboot: No   Tier: Standard

Audit access to the OneSettings service. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.

Rationale. Without auditing, OneSettings activity is invisible.

Remediation. Set DataCollection EnableOneSettingsAuditing to 1.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines

WIN-TELEM-005 - Disable Windows Insider Preview Builds

Severity: Medium   Category: Attack Surface Reduction   Provider: Registry   Delivery: Group Policy   Reboot: No   Tier: Standard

Prevent enrollment in Windows Insider preview builds. Group Policy setting: this control checks the corresponding Group Policy registry value; a domain Group Policy applied after hardening can override the local configuration.

Rationale. Preview builds are pre-release code not suitable for production servers.

Remediation. Set PreviewBuilds AllowBuildPreview to 0.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines

WIN-TLS-001 - Enable TLS 1.2 (Server)

Severity: Medium   Category: Cryptography   Provider: Registry   Delivery: Direct   Reboot: Yes   Tier: Standard

Explicitly enable the TLS 1.2 SCHANNEL server endpoint.

Rationale. If TLS 1.2 is not enabled, services may negotiate weaker or no encryption.

Remediation. Set SCHANNEL TLS 1.2 Server Enabled to 1. A reboot is required to take effect.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 FedRAMP PCI DSS v4.0 ISO/IEC 27001 HIPAA Security Rule Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/windows-server/security/tls/tls-registry-settings

WIN-TLS-002 - Enable TLS 1.2 (Client)

Severity: Medium   Category: Cryptography   Provider: Registry   Delivery: Direct   Reboot: Yes   Tier: Standard

Explicitly enable the TLS 1.2 SCHANNEL client endpoint.

Rationale. If TLS 1.2 is not enabled, outbound connections may negotiate weaker encryption.

Remediation. Set SCHANNEL TLS 1.2 Client Enabled to 1. A reboot is required to take effect.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 FedRAMP PCI DSS v4.0 ISO/IEC 27001 HIPAA Security Rule Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/windows-server/security/tls/tls-registry-settings

WIN-TLS-003 - Disable RC4 128/128 Cipher

Severity: High   Category: Cryptography   Provider: Registry   Delivery: Direct   Reboot: Yes   Tier: Standard

Disable the weak RC4 128/128 SCHANNEL cipher.

Rationale. RC4 is a broken stream cipher vulnerable to practical attacks.

Remediation. Set SCHANNEL Ciphers RC4 128/128 Enabled to 0. A reboot is required to take effect.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 FedRAMP PCI DSS v4.0 ISO/IEC 27001 HIPAA Security Rule Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/windows-server/security/tls/tls-registry-settings

WIN-TLS-004 - Disable RC4 40/128 Cipher

Severity: High   Category: Cryptography   Provider: Registry   Delivery: Direct   Reboot: Yes   Tier: Standard

Disable the weak RC4 40/128 SCHANNEL cipher.

Rationale. RC4 40-bit is trivially breakable.

Remediation. Set SCHANNEL Ciphers RC4 40/128 Enabled to 0. A reboot is required to take effect.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 FedRAMP PCI DSS v4.0 ISO/IEC 27001 HIPAA Security Rule Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/windows-server/security/tls/tls-registry-settings

WIN-TLS-005 - Disable Triple DES 168 Cipher

Severity: Medium   Category: Cryptography   Provider: Registry   Delivery: Direct   Reboot: Yes   Tier: Standard

Disable the legacy Triple DES 168 SCHANNEL cipher.

Rationale. 3DES is vulnerable to birthday (Sweet32) attacks and is deprecated.

Remediation. Set SCHANNEL Ciphers Triple DES 168 Enabled to 0. A reboot is required to take effect.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 FedRAMP PCI DSS v4.0 ISO/IEC 27001 HIPAA Security Rule Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/windows-server/security/tls/tls-registry-settings

WIN-TLS-006 - Disable RC4 56/128 Cipher

Severity: High   Category: Cryptography   Provider: Registry   Delivery: Direct   Reboot: Yes   Tier: Standard

Disable the weak RC4 56/128 SCHANNEL cipher.

Rationale. RC4 is a broken stream cipher vulnerable to practical attacks.

Remediation. Set SCHANNEL Ciphers RC4 56/128 Enabled to 0. A reboot is required to take effect.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 FedRAMP PCI DSS v4.0 ISO/IEC 27001 HIPAA Security Rule Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/windows-server/security/tls/tls-registry-settings

WIN-TLS-007 - Disable RC4 64/128 Cipher

Severity: High   Category: Cryptography   Provider: Registry   Delivery: Direct   Reboot: Yes   Tier: Standard

Disable the weak RC4 64/128 SCHANNEL cipher.

Rationale. RC4 is a broken stream cipher vulnerable to practical attacks.

Remediation. Set SCHANNEL Ciphers RC4 64/128 Enabled to 0. A reboot is required to take effect.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 FedRAMP PCI DSS v4.0 ISO/IEC 27001 HIPAA Security Rule Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/windows-server/security/tls/tls-registry-settings

WIN-TLS-008 - Disable DES 56/56 Cipher

Severity: Medium   Category: Cryptography   Provider: Registry   Delivery: Direct   Reboot: Yes   Tier: Standard

Disable the legacy DES 56/56 SCHANNEL cipher.

Rationale. Single DES with a 56-bit key is trivially breakable.

Remediation. Set SCHANNEL Ciphers DES 56/56 Enabled to 0. A reboot is required to take effect.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 FedRAMP PCI DSS v4.0 ISO/IEC 27001 HIPAA Security Rule Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/windows-server/security/tls/tls-registry-settings

WIN-TLS-009 - Disable NULL Cipher

Severity: Medium   Category: Cryptography   Provider: Registry   Delivery: Direct   Reboot: Yes   Tier: Standard

Disable the SCHANNEL NULL cipher (no encryption).

Rationale. The NULL cipher provides authentication without confidentiality.

Remediation. Set SCHANNEL Ciphers NULL Enabled to 0. A reboot is required to take effect.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 FedRAMP PCI DSS v4.0 ISO/IEC 27001 HIPAA Security Rule Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/windows-server/security/tls/tls-registry-settings

WIN-TLS-010 - Disable TLS 1.0 (Server)

Severity: High   Category: Cryptography   Provider: Registry   Delivery: Direct   Reboot: Yes   Tier: Essential

TLS 1.0 is a deprecated protocol with known weaknesses. The SCHANNEL server endpoint for TLS 1.0 must be disabled.

Rationale. Downgrade and cryptographic attacks against legacy TLS.

Remediation. Disable the TLS 1.0 server endpoint by setting the SCHANNEL TLS 1.0 Server Enabled value to 0. A reboot is required to take effect.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 FedRAMP PCI DSS v4.0 ISO/IEC 27001 HIPAA Security Rule Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/windows-server/security/tls/tls-registry-settings

WIN-TLS-011 - Disable TLS 1.1 (Server)

Severity: High   Category: Cryptography   Provider: Registry   Delivery: Direct   Reboot: Yes   Tier: Essential

TLS 1.1 is a deprecated protocol. The SCHANNEL server endpoint for TLS 1.1 must be disabled.

Rationale. Downgrade and cryptographic attacks against legacy TLS.

Remediation. Disable the TLS 1.1 server endpoint by setting the SCHANNEL TLS 1.1 Server Enabled value to 0. A reboot is required to take effect.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 FedRAMP PCI DSS v4.0 ISO/IEC 27001 HIPAA Security Rule Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/windows-server/security/tls/tls-registry-settings

WIN-TLS-012 - Disable SSL 3.0 (Server)

Severity: High   Category: Cryptography   Provider: Registry   Delivery: Direct   Reboot: Yes   Tier: Essential

The deprecated SSL 3.0 protocol must be disabled on the SCHANNEL server endpoint.

Rationale. SSL 3.0 is vulnerable to POODLE and other attacks.

Remediation. Set the SCHANNEL SSL 3.0 Server Enabled value to 0. Requires a reboot.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/windows-server/security/tls/tls-registry-settings

WIN-TLS-013 - Disable SSL 2.0 (Server)

Severity: High   Category: Cryptography   Provider: Registry   Delivery: Direct   Reboot: Yes   Tier: Essential

The obsolete SSL 2.0 protocol must be disabled on the SCHANNEL server endpoint.

Rationale. SSL 2.0 is fundamentally insecure and must not be offered.

Remediation. Set the SCHANNEL SSL 2.0 Server Enabled value to 0. Requires a reboot.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/windows-server/security/tls/tls-registry-settings

WIN-UAC-001 - User Account Control Enabled

Severity: High   Category: Privilege Management   Provider: Registry   Delivery: Group Policy   Reboot: Yes   Tier: Essential

User Account Control (UAC) must be enabled (EnableLUA = 1) to enforce administrative elevation prompts. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.

Rationale. Disabling UAC allows silent privilege escalation by malicious code.

Remediation. Enable User Account Control by setting EnableLUA to 1 under the CurrentVersion Policies System key. A reboot is required to take effect.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 CMMC Level 2 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/user-account-control-run-all-administrators-in-admin-approval-mode

WIN-UAC-002 - UAC Elevation Prompt for Administrators

Severity: Medium   Category: Privilege Management   Provider: Registry   Delivery: Group Policy   Reboot: No   Tier: Standard

Administrator elevation must prompt for consent on the secure desktop. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.

Rationale. Weak elevation prompts allow silent or spoofed privilege escalation.

Remediation. Set Policies System ConsentPromptBehaviorAdmin to 2 (prompt for consent on the secure desktop).

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode

WIN-UAC-003 - UAC Detect Application Installations

Severity: Medium   Category: Privilege Management   Provider: Registry   Delivery: Group Policy   Reboot: No   Tier: Standard

UAC must detect application installations and prompt for elevation. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.

Rationale. Silent installer elevation allows privilege escalation via installers.

Remediation. Set Policies System EnableInstallerDetection to 1.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/user-account-control-detect-application-installations-and-prompt-for-elevation

WIN-UAC-004 - Deny UAC Elevation Prompt for Standard Users

Severity: Medium   Category: Privilege Management   Provider: Registry   Delivery: Group Policy   Reboot: No   Tier: Standard

Standard users must not be prompted to elevate; elevation requests are automatically denied. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.

Rationale. Prompting standard users to elevate encourages credential sharing and misuse.

Remediation. Set Policies System ConsentPromptBehaviorUser to 0 (automatically deny).

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-standard-users

WIN-UAC-005 - UAC Switch to the Secure Desktop for Elevation

Severity: Medium   Category: Privilege Management   Provider: Registry   Delivery: Group Policy   Reboot: No   Tier: Standard

Elevation prompts must be shown on the secure desktop to resist spoofing. Group Policy setting: this control checks the corresponding Group Policy registry value; a domain Group Policy applied after hardening can override the local configuration.

Rationale. Elevation prompts on the interactive desktop can be spoofed to capture credentials.

Remediation. Set Policies System PromptOnSecureDesktop to 1.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation

WIN-UAC-006 - Only Elevate UIAccess Apps in Secure Locations

Severity: Medium   Category: Privilege Management   Provider: Registry   Delivery: Group Policy   Reboot: No   Tier: Standard

Only allow UIAccess applications installed in secure file-system locations to elevate. Group Policy setting: this control checks the corresponding Group Policy registry value; a domain Group Policy applied after hardening can override the local configuration.

Rationale. UIAccess apps outside secure paths can bypass UI privilege isolation.

Remediation. Set Policies System EnableSecureUIAPaths to 1.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations

WIN-UAC-007 - Apply UAC Token Filtering to Remote Local Accounts

Severity: High   Category: Privilege Management   Provider: Registry   Delivery: Group Policy   Reboot: No   Tier: Standard

Force UAC remote-access token filtering for local accounts so they connect without full administrator rights. Group Policy setting: this control checks the corresponding Group Policy registry value; a domain Group Policy applied after hardening can override the local configuration.

Rationale. Un-filtered remote local-admin tokens enable pass-the-hash lateral movement.

Remediation. Set Policies System LocalAccountTokenFilterPolicy to 0 (token filtering enabled).

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines

WIN-UAC-008 - Admin Approval Mode for the Built-in Administrator

Severity: Medium   Category: Privilege Management   Provider: Registry   Delivery: Group Policy   Reboot: No   Tier: Standard

Apply Admin Approval Mode (UAC prompts) to the built-in Administrator account. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.

Rationale. Without this, the built-in Administrator runs with full rights and no elevation prompt.

Remediation. Set Policies System FilterAdministratorToken to 1.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/user-account-control-admin-approval-mode-for-the-built-in-administrator-account

WIN-UAC-009 - Virtualize File and Registry Write Failures to Per-User Locations

Severity: Low   Category: Privilege Management   Provider: Registry   Delivery: Group Policy   Reboot: No   Tier: Standard

Redirect legacy per-machine file and registry writes to per-user locations. Group Policy setting: this control checks the corresponding Group Policy registry value; a domain Group Policy applied after hardening can override the local configuration.

Rationale. Disabling virtualization can cause legacy apps to write to protected locations.

Remediation. Set Policies System EnableVirtualization to 1.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/user-account-control-virtualize-file-and-registry-write-failures-to-per-user-locations

WIN-URA-001 - Access Credential Manager as a Trusted Caller = No One

Severity: High   Category: User Rights Assignment   Provider: SecEdit   Delivery: Direct   Reboot: No   Tier: Standard

No account should hold the Access Credential Manager as a trusted caller right.

Rationale. This right lets a process retrieve stored credentials from Credential Manager.

Remediation. Configure the 'SeTrustedCredManAccessPrivilege' user right so that no account holds it.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/user-rights-assignment

WIN-URA-002 - Act as Part of the Operating System = No One

Severity: High   Category: User Rights Assignment   Provider: SecEdit   Delivery: Direct   Reboot: No   Tier: Standard

No account should be able to act as part of the operating system (TCB).

Rationale. This right allows a process to impersonate any user and bypass access controls.

Remediation. Configure the 'SeTcbPrivilege' user right so that no account holds it.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/user-rights-assignment

WIN-URA-003 - Create a Token Object = No One

Severity: High   Category: User Rights Assignment   Provider: SecEdit   Delivery: Direct   Reboot: No   Tier: Standard

No account should be able to create an access token object.

Rationale. Creating arbitrary tokens allows privilege escalation to any identity.

Remediation. Configure the 'SeCreateTokenPrivilege' user right so that no account holds it.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/user-rights-assignment

WIN-URA-004 - Create Permanent Shared Objects = No One

Severity: Medium   Category: User Rights Assignment   Provider: SecEdit   Delivery: Direct   Reboot: No   Tier: Standard

No account should be able to create permanent shared objects.

Rationale. This right can be used to expose sensitive data or cause denial of service via the object namespace.

Remediation. Configure the 'SeCreatePermanentPrivilege' user right so that no account holds it.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/user-rights-assignment

WIN-URA-005 - Debug Programs = Administrators Only

Severity: High   Category: User Rights Assignment   Provider: SecEdit   Delivery: Direct   Reboot: No   Tier: Standard

Only Administrators should hold the Debug programs right.

Rationale. Debug rights allow reading and modifying the memory of any process, including LSASS.

Remediation. Assign the 'SeDebugPrivilege' user right to exactly the expected principals.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/user-rights-assignment

WIN-URA-006 - Deny Access to This Computer From the Network (includes Guests)

Severity: Medium   Category: User Rights Assignment   Provider: SecEdit   Delivery: Direct   Reboot: No   Tier: Standard

Guests must be denied network logon to this computer.

Rationale. Network logon by guest accounts enables anonymous access and lateral movement.

Remediation. Add the required principals (e.g. Guests) to the 'SeDenyNetworkLogonRight' user right.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/user-rights-assignment

WIN-URA-007 - Deny Log On as a Batch Job (includes Guests)

Severity: Low   Category: User Rights Assignment   Provider: SecEdit   Delivery: Direct   Reboot: No   Tier: Standard

Guests must be denied batch logon.

Rationale. Batch logon by guests could run scheduled tasks under an untrusted identity.

Remediation. Add the required principals (e.g. Guests) to the 'SeDenyBatchLogonRight' user right.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/user-rights-assignment

WIN-URA-008 - Deny Log On as a Service (includes Guests)

Severity: Low   Category: User Rights Assignment   Provider: SecEdit   Delivery: Direct   Reboot: No   Tier: Standard

Guests must be denied service logon.

Rationale. Service logon by guests could run services under an untrusted identity.

Remediation. Add the required principals (e.g. Guests) to the 'SeDenyServiceLogonRight' user right.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/user-rights-assignment

WIN-URA-009 - Deny Log On Locally (includes Guests)

Severity: Medium   Category: User Rights Assignment   Provider: SecEdit   Delivery: Direct   Reboot: No   Tier: Standard

Guests must be denied local (interactive) logon.

Rationale. Interactive logon by guests permits console access by untrusted users.

Remediation. Add the required principals (e.g. Guests) to the 'SeDenyInteractiveLogonRight' user right.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/user-rights-assignment

WIN-URA-010 - Deny Log On Through Remote Desktop Services (includes Guests)

Severity: Medium   Category: User Rights Assignment   Provider: SecEdit   Delivery: Direct   Reboot: No   Tier: Standard

Guests must be denied logon through Remote Desktop Services.

Rationale. RDP logon by guests exposes remote sessions to untrusted users.

Remediation. Add the required principals (e.g. Guests) to the 'SeDenyRemoteInteractiveLogonRight' user right.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/user-rights-assignment

WIN-URA-011 - Force Shutdown From a Remote System = Administrators Only

Severity: Medium   Category: User Rights Assignment   Provider: SecEdit   Delivery: Direct   Reboot: No   Tier: Standard

Only Administrators should be able to shut down the system remotely.

Rationale. Remote shutdown by non-administrators enables denial of service.

Remediation. Assign the 'SeRemoteShutdownPrivilege' user right to exactly the expected principals.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/user-rights-assignment

WIN-URA-012 - Generate Security Audits = Local Service, Network Service

Severity: Medium   Category: User Rights Assignment   Provider: SecEdit   Delivery: Direct   Reboot: No   Tier: Standard

Only Local Service and Network Service should generate security audit entries.

Rationale. This right can be abused to flood or forge the security log.

Remediation. Assign the 'SeAuditPrivilege' user right to exactly the expected principals.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/user-rights-assignment

WIN-URA-013 - Impersonate a Client After Authentication = Service Accounts and Administrators

Severity: Medium   Category: User Rights Assignment   Provider: SecEdit   Delivery: Direct   Reboot: No   Tier: Standard

Only Administrators and the built-in service accounts should hold the Impersonate a client right.

Rationale. Unrestricted impersonation is the basis of many privilege-escalation (potato) attacks.

Remediation. Assign the 'SeImpersonatePrivilege' user right to exactly the expected principals.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/user-rights-assignment

WIN-URA-014 - Load and Unload Device Drivers = Administrators Only

Severity: Medium   Category: User Rights Assignment   Provider: SecEdit   Delivery: Direct   Reboot: No   Tier: Standard

Only Administrators should be able to load and unload device drivers.

Rationale. Loading drivers allows execution of arbitrary kernel-mode code.

Remediation. Assign the 'SeLoadDriverPrivilege' user right to exactly the expected principals.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/user-rights-assignment

WIN-URA-015 - Manage Auditing and Security Log = Administrators Only

Severity: Medium   Category: User Rights Assignment   Provider: SecEdit   Delivery: Direct   Reboot: No   Tier: Standard

Only Administrators should be able to manage auditing and the security log.

Rationale. This right allows clearing the security log to hide malicious activity.

Remediation. Assign the 'SeSecurityPrivilege' user right to exactly the expected principals.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/user-rights-assignment

WIN-URA-016 - Take Ownership of Files or Other Objects = Administrators Only

Severity: Medium   Category: User Rights Assignment   Provider: SecEdit   Delivery: Direct   Reboot: No   Tier: Standard

Only Administrators should be able to take ownership of objects.

Rationale. Taking ownership lets a user override object permissions and access any resource.

Remediation. Assign the 'SeTakeOwnershipPrivilege' user right to exactly the expected principals.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/user-rights-assignment

WIN-URA-017 - Access This Computer From the Network = Administrators, Authenticated Users

Severity: High   Category: User Rights Assignment   Provider: SecEdit   Delivery: Direct   Reboot: No   Tier: Standard

Only Administrators and Authenticated Users should be able to access this computer from the network.

Rationale. Over-broad network logon rights widen the remote attack surface.

Remediation. Assign the 'SeNetworkLogonRight' user right to exactly the expected principals.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/user-rights-assignment

WIN-URA-018 - Allow Log On Locally = Administrators

Severity: Medium   Category: User Rights Assignment   Provider: SecEdit   Delivery: Direct   Reboot: No   Tier: Standard

Only Administrators should be able to log on locally to a server.

Rationale. Broad local logon rights allow non-administrators console access.

Remediation. Assign the 'SeInteractiveLogonRight' user right to exactly the expected principals.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/user-rights-assignment

WIN-URA-019 - Allow Log On Through Remote Desktop Services = Administrators, Remote Desktop Users

Severity: Medium   Category: User Rights Assignment   Provider: SecEdit   Delivery: Direct   Reboot: No   Tier: Standard

Only Administrators and Remote Desktop Users should log on through Remote Desktop Services.

Rationale. Excess RDS logon rights expand remote-access exposure.

Remediation. Assign the 'SeRemoteInteractiveLogonRight' user right to exactly the expected principals.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/user-rights-assignment

WIN-URA-020 - Back Up Files and Directories = Administrators

Severity: Medium   Category: User Rights Assignment   Provider: SecEdit   Delivery: Direct   Reboot: No   Tier: Standard

Only Administrators should hold the Back up files and directories right.

Rationale. This right bypasses file permissions to read any file on the system.

Remediation. Assign the 'SeBackupPrivilege' user right to exactly the expected principals.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/user-rights-assignment

WIN-URA-021 - Restore Files and Directories = Administrators

Severity: Medium   Category: User Rights Assignment   Provider: SecEdit   Delivery: Direct   Reboot: No   Tier: Standard

Only Administrators should hold the Restore files and directories right.

Rationale. This right bypasses file permissions to overwrite any file, enabling privilege escalation.

Remediation. Assign the 'SeRestorePrivilege' user right to exactly the expected principals.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/user-rights-assignment

WIN-URA-022 - Change the System Time = Administrators, Local Service

Severity: Medium   Category: User Rights Assignment   Provider: SecEdit   Delivery: Direct   Reboot: No   Tier: Standard

Only Administrators and Local Service should be able to change the system time.

Rationale. Altering the clock can defeat time-based security and corrupt audit timelines.

Remediation. Assign the 'SeSystemtimePrivilege' user right to exactly the expected principals.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/user-rights-assignment

WIN-URA-023 - Change the Time Zone = Administrators, Local Service, Users

Severity: Low   Category: User Rights Assignment   Provider: SecEdit   Delivery: Direct   Reboot: No   Tier: Standard

Restrict the Change the time zone right to Administrators, Local Service, and Users.

Rationale. Time-zone changes can confuse local log interpretation if granted too broadly.

Remediation. Assign the 'SeTimeZonePrivilege' user right to exactly the expected principals.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/user-rights-assignment

WIN-URA-024 - Create a Pagefile = Administrators

Severity: Low   Category: User Rights Assignment   Provider: SecEdit   Delivery: Direct   Reboot: No   Tier: Standard

Only Administrators should be able to create a pagefile.

Rationale. Pagefile manipulation can be used to affect system performance or memory forensics.

Remediation. Assign the 'SeCreatePagefilePrivilege' user right to exactly the expected principals.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/user-rights-assignment

WIN-URA-025 - Create Global Objects = Administrators and Service Accounts

Severity: Medium   Category: User Rights Assignment   Provider: SecEdit   Delivery: Direct   Reboot: No   Tier: Standard

Only Administrators and the built-in service accounts should create global objects.

Rationale. Global object creation can be abused for cross-session attacks and escalation.

Remediation. Assign the 'SeCreateGlobalPrivilege' user right to exactly the expected principals.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/user-rights-assignment

WIN-URA-026 - Create Symbolic Links = Administrators

Severity: Medium   Category: User Rights Assignment   Provider: SecEdit   Delivery: Direct   Reboot: No   Tier: Standard

Only Administrators should be able to create symbolic links (add Virtual Machines on Hyper-V hosts).

Rationale. Symbolic-link creation enables link-following attacks against privileged processes.

Remediation. Assign the 'SeCreateSymbolicLinkPrivilege' user right to exactly the expected principals.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/user-rights-assignment

WIN-URA-027 - Adjust Memory Quotas for a Process = Administrators and Service Accounts

Severity: Low   Category: User Rights Assignment   Provider: SecEdit   Delivery: Direct   Reboot: No   Tier: Standard

Restrict Adjust memory quotas for a process to Administrators, Local Service, and Network Service.

Rationale. This right can be used to starve other processes of memory (denial of service).

Remediation. Assign the 'SeIncreaseQuotaPrivilege' user right to exactly the expected principals.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/user-rights-assignment

WIN-URA-028 - Increase Scheduling Priority = Administrators, Window Manager

Severity: Low   Category: User Rights Assignment   Provider: SecEdit   Delivery: Direct   Reboot: No   Tier: Standard

Restrict Increase scheduling priority to Administrators and Window Manager.

Rationale. Raising process priority can be used to degrade or monopolise system responsiveness.

Remediation. Assign the 'SeIncreaseBasePriorityPrivilege' user right to exactly the expected principals.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/user-rights-assignment

WIN-URA-029 - Lock Pages in Memory = No One

Severity: Medium   Category: User Rights Assignment   Provider: SecEdit   Delivery: Direct   Reboot: No   Tier: Standard

No account should hold the Lock pages in memory right.

Rationale. Locking pages in physical memory can be abused to cause denial of service.

Remediation. Configure the 'SeLockMemoryPrivilege' user right so that no account holds it.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/user-rights-assignment

WIN-URA-030 - Perform Volume Maintenance Tasks = Administrators

Severity: Medium   Category: User Rights Assignment   Provider: SecEdit   Delivery: Direct   Reboot: No   Tier: Standard

Only Administrators should be able to perform volume maintenance tasks.

Rationale. This right permits raw disk access that can bypass file-level security.

Remediation. Assign the 'SeManageVolumePrivilege' user right to exactly the expected principals.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/user-rights-assignment

WIN-URA-031 - Profile Single Process = Administrators

Severity: Low   Category: User Rights Assignment   Provider: SecEdit   Delivery: Direct   Reboot: No   Tier: Standard

Only Administrators should be able to profile a single process.

Rationale. Process profiling can reveal sensitive information about running software.

Remediation. Assign the 'SeProfileSingleProcessPrivilege' user right to exactly the expected principals.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/user-rights-assignment

WIN-URA-032 - Replace a Process Level Token = Local Service, Network Service

Severity: Medium   Category: User Rights Assignment   Provider: SecEdit   Delivery: Direct   Reboot: No   Tier: Standard

Only Local Service and Network Service should hold the Replace a process-level token right.

Rationale. This right can be used to launch processes under a different identity.

Remediation. Assign the 'SeAssignPrimaryTokenPrivilege' user right to exactly the expected principals.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/user-rights-assignment

WIN-URA-033 - Shut Down the System = Administrators

Severity: Low   Category: User Rights Assignment   Provider: SecEdit   Delivery: Direct   Reboot: No   Tier: Standard

Only Administrators should be able to shut down the system.

Rationale. Broad shutdown rights allow non-administrators to cause an availability outage.

Remediation. Assign the 'SeShutdownPrivilege' user right to exactly the expected principals.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/user-rights-assignment

WIN-URA-034 - Modify Firmware Environment Values = Administrators

Severity: Medium   Category: User Rights Assignment   Provider: SecEdit   Delivery: Direct   Reboot: No   Tier: Standard

Only Administrators should be able to modify firmware environment values.

Rationale. Firmware/boot variable changes can undermine platform boot integrity.

Remediation. Assign the 'SeSystemEnvironmentPrivilege' user right to exactly the expected principals.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/user-rights-assignment

WIN-URA-035 - Enable Accounts to Be Trusted for Delegation = No One

Severity: High   Category: User Rights Assignment   Provider: SecEdit   Delivery: Direct   Reboot: No   Tier: Standard

On member servers, no account should be able to enable accounts to be trusted for delegation.

Rationale. Delegation trust can be abused to impersonate users across services.

Remediation. Configure the 'SeEnableDelegationPrivilege' user right so that no account holds it.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/user-rights-assignment

WIN-URA-036 - Obtain an Impersonation Token for Another User = No One

Severity: Medium   Category: User Rights Assignment   Provider: SecEdit   Delivery: Direct   Reboot: No   Tier: Standard

No account should be able to obtain an impersonation token for another user in the same session.

Rationale. Session impersonation tokens can be used to escalate to another user context.

Remediation. Configure the 'SeDelegateSessionUserImpersonatePrivilege' user right so that no account holds it.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/user-rights-assignment

WIN-URA-037 - Modify an Object Label = No One

Severity: Low   Category: User Rights Assignment   Provider: SecEdit   Delivery: Direct   Reboot: No   Tier: Standard

No account should be able to modify an object integrity label.

Rationale. Relabeling objects can subvert mandatory integrity control protections.

Remediation. Configure the 'SeRelabelPrivilege' user right so that no account holds it.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/user-rights-assignment

WIN-URA-038 - Synchronize Directory Service Data = No One

Severity: Medium   Category: User Rights Assignment   Provider: SecEdit   Delivery: Direct   Reboot: No   Tier: Standard

On member servers, no account should hold the Synchronize directory service data right.

Rationale. This right allows bulk reading of directory data (a DCSync-style exposure).

Remediation. Configure the 'SeSyncAgentPrivilege' user right so that no account holds it.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/user-rights-assignment

WIN-URA-039 - Profile System Performance = Administrators, WdiServiceHost

Severity: Low   Category: User Rights Assignment   Provider: SecEdit   Delivery: Direct   Reboot: No   Tier: Standard

Restrict Profile system performance to Administrators and the WdiServiceHost service.

Rationale. System profiling can expose timing and workload information about the host.

Remediation. Assign the 'SeSystemProfilePrivilege' user right to exactly the expected principals.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/user-rights-assignment

WIN-VBS-001 - Enable Virtualization Based Security

Severity: High   Category: Credential Protection   Provider: Registry   Delivery: Direct   Reboot: Yes   Tier: Enterprise

Enable Virtualization Based Security (VBS), the hardware-isolated foundation for Credential Guard and memory integrity.

Rationale. Without VBS, kernel-level malware can compromise credentials and code integrity.

Remediation. Set Control DeviceGuard EnableVirtualizationBasedSecurity to 1 (requires a reboot and compatible hardware).

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark CMMC Level 2 HIPAA Security Rule Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity

WIN-VBS-002 - Require Secure Boot for VBS

Severity: Medium   Category: Credential Protection   Provider: Registry   Delivery: Direct   Reboot: Yes   Tier: Enterprise

Require Secure Boot as the VBS platform security feature.

Rationale. Without Secure Boot, the boot chain that VBS relies on is not verified.

Remediation. Set Control DeviceGuard RequirePlatformSecurityFeatures to 1 (Secure Boot). A reboot is required.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark CMMC Level 2 HIPAA Security Rule Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity

WIN-VBS-003 - Enable Memory Integrity (HVCI)

Severity: High   Category: Exploit Protection   Provider: Registry   Delivery: Direct   Reboot: Yes   Tier: Enterprise

Enable hypervisor-enforced code integrity (memory integrity / HVCI) to protect kernel-mode code.

Rationale. Without HVCI, malicious or vulnerable drivers can run unsigned code in the kernel.

Remediation. Set Control DeviceGuard Scenarios HypervisorEnforcedCodeIntegrity Enabled to 1. A reboot is required.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark CMMC Level 2 HIPAA Security Rule Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity

WIN-WDIGEST-001 - Disable WDigest Credential Caching

Severity: High   Category: Credential Protection   Provider: Registry   Delivery: Direct   Reboot: No   Tier: Essential

WDigest must not cache plaintext credentials in memory.

Rationale. WDigest plaintext credential caching enables credential theft.

Remediation. Set SecurityProviders WDigest UseLogonCredential to 0 to disable plaintext caching.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark CMMC Level 2 HIPAA Security Rule Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines

WIN-WINRM-001 - Disable WinRM Client Basic Authentication

Severity: Medium   Category: Remote Management   Provider: Registry   Delivery: Group Policy   Reboot: No   Tier: Standard

The WinRM client must not allow Basic authentication. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.

Rationale. WinRM Basic auth transmits credentials with weak protection.

Remediation. Set Policies Microsoft Windows WinRM Client AllowBasic to 0.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines

WIN-WINRM-002 - Disallow WinRM Unencrypted Traffic

Severity: Medium   Category: Remote Management   Provider: Registry   Delivery: Group Policy   Reboot: No   Tier: Standard

The WinRM service must not allow unencrypted traffic. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.

Rationale. Unencrypted WinRM traffic exposes management data and credentials.

Remediation. Set Policies Microsoft Windows WinRM Service AllowUnencryptedTraffic to 0.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines

WIN-WINRM-003 - Disable WinRM Client Digest Authentication

Severity: Medium   Category: Remote Management   Provider: Registry   Delivery: Group Policy   Reboot: No   Tier: Standard

The WinRM client must not use Digest authentication. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.

Rationale. Digest authentication is weaker than Kerberos/Negotiate and can expose credentials.

Remediation. Set Policies Microsoft Windows WinRM Client AllowDigest to 0.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines

WIN-WINRM-004 - Disable WinRM Service Basic Authentication

Severity: Medium   Category: Remote Management   Provider: Registry   Delivery: Group Policy   Reboot: No   Tier: Standard

The WinRM service must not accept Basic authentication. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.

Rationale. Basic auth transmits credentials with weak protection.

Remediation. Set WinRM Service AllowBasic to 0.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines

WIN-WINRM-005 - Disallow WinRM Storing RunAs Credentials

Severity: Medium   Category: Remote Management   Provider: Registry   Delivery: Group Policy   Reboot: No   Tier: Standard

Prevent the WinRM service from storing RunAs credentials. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.

Rationale. Stored RunAs credentials can be extracted from a compromised host.

Remediation. Set WinRM Service DisableRunAs to 1.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines

WIN-WINRM-006 - Disallow WinRM Client Unencrypted Traffic

Severity: Medium   Category: Remote Management   Provider: Registry   Delivery: Group Policy   Reboot: No   Tier: Standard

The WinRM client must not send unencrypted traffic. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.

Rationale. Unencrypted WinRM exposes management data and credentials.

Remediation. Set WinRM Client AllowUnencryptedTraffic to 0.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines

WIN-WINRS-001 - Disable Windows Remote Shell Access

Severity: Medium   Category: Remote Management   Provider: Registry   Delivery: Group Policy   Reboot: No   Tier: Standard

Disable remote shell (WinRS) access. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.

Rationale. Remote Shell provides an additional remote-execution channel.

Remediation. Set WinRM Service WinRS AllowRemoteShellAccess to 0.

Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials

References: - https://learn.microsoft.com/en-us/windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines