Controls¶
The CloudInfra Secure control library (301 controls). Each control exists once and may be used by many baselines.
Compliance disclaimer
CloudInfra Secure controls are designed to help organisations implement technical security requirements commonly found in recognised security standards. They do not constitute certification or proof of compliance.
Coverage summary¶
Controls tagged GPO are delivered through a Group Policy registry value that a domain policy can override; the rest are direct system settings.
| # | ID | Name | Severity | Category | Provider | Delivery |
|---|---|---|---|---|---|---|
| WIN-ACCT-001 | Block Microsoft Accounts | Medium | Access Control | Registry | GPO | |
| WIN-ACCT-002 | Guest Account Disabled | Medium | Access Control | SecEdit | Direct | |
| WIN-ACCT-003 | Force Logoff When Logon Hours Expire | Low | Account Policy | SecEdit | Direct | |
| WIN-ASR-001 | ASR: Block Credential Stealing from LSASS | High | Attack Surface Reduction | Registry | GPO | |
| WIN-ASR-002 | ASR: Block Office Apps Creating Child Processes | Medium | Attack Surface Reduction | Registry | GPO | |
| WIN-ASR-003 | ASR: Block Executable Content from Email and Webmail | Medium | Attack Surface Reduction | Registry | GPO | |
| WIN-ASR-004 | ASR: Block Obfuscated Scripts | Medium | Attack Surface Reduction | Registry | GPO | |
| WIN-ASR-005 | ASR: Block Untrusted Processes from USB | Medium | Attack Surface Reduction | Registry | GPO | |
| WIN-ASR-006 | ASR: Block Process Creation from PSExec and WMI | Medium | Attack Surface Reduction | Registry | GPO | |
| WIN-ASR-007 | ASR: Advanced Protection Against Ransomware | High | Attack Surface Reduction | Registry | GPO | |
| WIN-ASR-008 | ASR: Block Office Apps Injecting Code into Other Processes | Medium | Attack Surface Reduction | Registry | GPO | |
| WIN-ASR-009 | ASR: Block Office Apps Creating Executable Content | Medium | Attack Surface Reduction | Registry | GPO | |
| WIN-ASR-010 | ASR: Block Persistence Through WMI Event Subscription | Medium | Attack Surface Reduction | Registry | GPO | |
| WIN-ASR-011 | ASR: Block Win32 API Calls from Office Macros | Medium | Attack Surface Reduction | Registry | GPO | |
| WIN-ASR-012 | ASR: Block Untrusted Executables by Prevalence, Age, or Trust | Medium | Attack Surface Reduction | Registry | GPO | |
| WIN-ASR-013 | ASR: Block Adobe Reader from Creating Child Processes | Medium | Attack Surface Reduction | Registry | GPO | |
| WIN-ASR-014 | ASR: Block Webshell Creation for Servers | High | Attack Surface Reduction | Registry | GPO | |
| WIN-ASR-015 | ASR: Block Rebooting Machine in Safe Mode | Medium | Attack Surface Reduction | Registry | GPO | |
| WIN-AUD-001 | Audit Logon Failures | Medium | Logging and Monitoring | AuditPol | Direct | |
| WIN-AUD-002 | Audit Account Lockout Events | Medium | Logging and Monitoring | AuditPol | Direct | |
| WIN-AUD-003 | Audit Process Creation | Medium | Logging and Monitoring | AuditPol | Direct | |
| WIN-AUD-004 | Audit Credential Validation | Medium | Logging and Monitoring | AuditPol | Direct | |
| WIN-AUD-005 | Audit Security Group Management | Medium | Logging and Monitoring | AuditPol | Direct | |
| WIN-AUD-006 | Audit Special Logon | Medium | Logging and Monitoring | AuditPol | Direct | |
| WIN-AUD-007 | Audit Sensitive Privilege Use | Medium | Logging and Monitoring | AuditPol | Direct | |
| WIN-AUD-008 | Audit System Integrity | Medium | Logging and Monitoring | AuditPol | Direct | |
| WIN-AUD-009 | Audit Logoff | Medium | Logging and Monitoring | AuditPol | Direct | |
| WIN-AUD-010 | Audit Removable Storage | Medium | Logging and Monitoring | AuditPol | Direct | |
| WIN-AUD-011 | Audit Authentication Policy Change | Medium | Logging and Monitoring | AuditPol | Direct | |
| WIN-AUD-012 | Audit User Account Management | Medium | Logging and Monitoring | AuditPol | Direct | |
| WIN-AUD-013 | Audit Computer Account Management | Medium | Logging and Monitoring | AuditPol | Direct | |
| WIN-AUD-014 | Audit Audit Policy Change | Medium | Logging and Monitoring | AuditPol | Direct | |
| WIN-AUD-015 | Audit Other Logon/Logoff Events | Medium | Logging and Monitoring | AuditPol | Direct | |
| WIN-AUD-016 | Audit MPSSVC Rule-Level Policy Change | Medium | Logging and Monitoring | AuditPol | Direct | |
| WIN-AUD-017 | Audit PNP Activity | Medium | Logging and Monitoring | AuditPol | Direct | |
| WIN-AUD-018 | Audit Group Membership | Medium | Logging and Monitoring | AuditPol | Direct | |
| WIN-AUD-019 | Audit Other Object Access Events | Medium | Logging and Monitoring | AuditPol | Direct | |
| WIN-AUD-020 | Audit Detailed File Share | Medium | Logging and Monitoring | AuditPol | Direct | |
| WIN-AUD-021 | Force Audit Policy Subcategory Settings | Medium | Logging and Monitoring | Registry | Direct | |
| WIN-AUD-022 | Audit Other Account Management Events | Medium | Logging and Monitoring | AuditPol | Direct | |
| WIN-AUD-023 | Audit File Share | Medium | Logging and Monitoring | AuditPol | Direct | |
| WIN-AUD-024 | Audit Authorization Policy Change | Medium | Logging and Monitoring | AuditPol | Direct | |
| WIN-AUD-025 | Audit Other Policy Change Events | Low | Logging and Monitoring | AuditPol | Direct | |
| WIN-AUD-026 | Audit IPsec Driver | Medium | Logging and Monitoring | AuditPol | Direct | |
| WIN-AUD-027 | Audit Other System Events | Low | Logging and Monitoring | AuditPol | Direct | |
| WIN-AUD-028 | Audit Security State Change | Medium | Logging and Monitoring | AuditPol | Direct | |
| WIN-AUD-029 | Audit Security System Extension | Medium | Logging and Monitoring | AuditPol | Direct | |
| WIN-AUD-030 | Include Command Line in Process Creation Events | Medium | Logging and Monitoring | Registry | GPO | |
| WIN-AUTORUN-001 | Disable AutoRun on All Drives | Medium | Attack Surface Reduction | Registry | GPO | |
| WIN-AUTORUN-002 | Disallow Autoplay for Non-Volume Devices | Medium | Attack Surface Reduction | Registry | GPO | |
| WIN-AUTORUN-003 | Set Default AutoRun Behavior to Do Not Execute | Medium | Attack Surface Reduction | Registry | GPO | |
| WIN-CG-001 | Enable Credential Guard | High | Credential Protection | Registry | Direct | |
| WIN-CLOUD-001 | Turn Off Microsoft Consumer Experiences | Low | Attack Surface Reduction | Registry | GPO | |
| WIN-CREDDEL-001 | Encryption Oracle Remediation (Force Updated Clients) | High | Credential Protection | Registry | GPO | |
| WIN-CREDDEL-002 | Remote Host Allows Delegation of Non-Exportable Credentials | Medium | Credential Protection | Registry | GPO | |
| WIN-CREDUI-001 | Do Not Display the Password Reveal Button | Low | Credential Protection | Registry | GPO | |
| WIN-CREDUI-002 | Do Not Enumerate Administrator Accounts on Elevation | Medium | Credential Protection | Registry | GPO | |
| WIN-CREDUI-003 | Prevent Use of Security Questions for Local Accounts | Low | Credential Protection | Registry | GPO | |
| WIN-DEF-001 | Microsoft Defender Antivirus Enabled | High | Endpoint Protection | Defender | Direct | |
| WIN-DEF-002 | Enable Potentially Unwanted Application (PUA) Protection | High | Endpoint Protection | Registry | GPO | |
| WIN-DEF-003 | Enable Defender Real-Time Protection | High | Endpoint Protection | Registry | GPO | |
| WIN-DEF-004 | Enable Cloud-Delivered Protection | Medium | Endpoint Protection | Registry | GPO | |
| WIN-DEF-005 | Enable Network Protection | Medium | Endpoint Protection | Registry | GPO | |
| WIN-DEF-006 | Enable Controlled Folder Access | Medium | Endpoint Protection | Registry | GPO | |
| WIN-DEF-007 | Scan Removable Drives During Full Scan | Low | Endpoint Protection | Registry | GPO | |
| WIN-DEF-008 | Enable Block at First Sight | Medium | Endpoint Protection | Registry | GPO | |
| WIN-DEF-009 | Enable Defender Behavior Monitoring | High | Endpoint Protection | Registry | GPO | |
| WIN-DEF-010 | Enable Email Scanning | Medium | Endpoint Protection | Registry | GPO | |
| WIN-DEF-011 | Enable Archive Scanning | Medium | Endpoint Protection | Registry | GPO | |
| WIN-DEF-012 | Scan Mapped Network Drives During Full Scan | Low | Endpoint Protection | Registry | GPO | |
| WIN-DEF-013 | Scan Downloaded Files and Attachments | High | Endpoint Protection | Registry | GPO | |
| WIN-DEF-014 | Disable Local Admin Merge of Defender Preferences | Medium | Endpoint Protection | Registry | GPO | |
| WIN-DEF-015 | Enable Real-Time Script Scanning | Medium | Endpoint Protection | Registry | GPO | |
| WIN-DEF-016 | Enable Defender File Hash Computation | Low | Endpoint Protection | Registry | GPO | |
| WIN-DEF-017 | Notify Antivirus When Opening Attachments (Default Profile) | Medium | Endpoint Protection | Registry | GPO | |
| WIN-ELAM-001 | Boot-Start Driver Initialization Policy | Medium | Endpoint Protection | Registry | GPO | |
| WIN-EVTLOG-001 | Application Event Log Maximum Size (>= 32 MB) | Medium | Logging and Monitoring | Registry | GPO | |
| WIN-EVTLOG-002 | Application Event Log Retention (Overwrite as Needed) | Low | Logging and Monitoring | Registry | GPO | |
| WIN-EVTLOG-003 | Security Event Log Maximum Size (>= 192 MB) | High | Logging and Monitoring | Registry | GPO | |
| WIN-EVTLOG-004 | Security Event Log Retention (Overwrite as Needed) | Low | Logging and Monitoring | Registry | GPO | |
| WIN-EVTLOG-005 | Setup Event Log Maximum Size (>= 32 MB) | Low | Logging and Monitoring | Registry | GPO | |
| WIN-EVTLOG-006 | Setup Event Log Retention (Overwrite as Needed) | Low | Logging and Monitoring | Registry | GPO | |
| WIN-EVTLOG-007 | System Event Log Maximum Size (>= 32 MB) | Medium | Logging and Monitoring | Registry | GPO | |
| WIN-EVTLOG-008 | System Event Log Retention (Overwrite as Needed) | Low | Logging and Monitoring | Registry | GPO | |
| WIN-EVTLOG-009 | Security Log Near-Capacity Warning Threshold | Low | Logging and Monitoring | Registry | Direct | |
| WIN-FW-001 | Windows Firewall Enabled (All Profiles) | High | Host Firewall | Firewall | Direct | |
| WIN-FW-002 | Block Inbound Connections by Default (Domain Profile) | Medium | Host Firewall | Registry | GPO | |
| WIN-FW-003 | Block Inbound Connections by Default (Private Profile) | Medium | Host Firewall | Registry | GPO | |
| WIN-FW-004 | Block Inbound Connections by Default (Public Profile) | Medium | Host Firewall | Registry | GPO | |
| WIN-FW-005 | Log Dropped Packets (Public Profile) | Low | Host Firewall | Registry | GPO | |
| WIN-GPO-001 | Registry Policy Processing: Apply During Background Refresh | Low | Access Control | Registry | GPO | |
| WIN-GPO-002 | Registry Policy Processing: Process Even If Unchanged | Low | Access Control | Registry | GPO | |
| WIN-GPO-003 | Disable Continue Experiences (Connected Devices Platform) | Low | Attack Surface Reduction | Registry | GPO | |
| WIN-INET-001 | Turn Off Downloading of Print Drivers Over HTTP | Low | Network Protocols | Registry | GPO | |
| WIN-INET-002 | Turn Off Printing Over HTTP | Low | Network Protocols | Registry | GPO | |
| WIN-INET-003 | Turn Off Windows Error Reporting | Low | Attack Surface Reduction | Registry | GPO | |
| WIN-INET-004 | Turn Off Windows Customer Experience Improvement Program | Low | Attack Surface Reduction | Registry | GPO | |
| WIN-INET-005 | Turn Off Internet Download for Web Publishing and Online Ordering | Low | Attack Surface Reduction | Registry | GPO | |
| WIN-INET-006 | Turn Off Internet Connection Wizard If URL Connection | Low | Attack Surface Reduction | Registry | GPO | |
| WIN-INET-007 | Turn Off Search Companion Content File Updates | Low | Attack Surface Reduction | Registry | GPO | |
| WIN-INSTALL-001 | Disable Always Install Elevated | High | Privilege Management | Registry | GPO | |
| WIN-INSTALL-002 | Disable User Control Over Windows Installer | Medium | Privilege Management | Registry | GPO | |
| WIN-KRB-001 | Configure Kerberos Encryption Types (AES only) | Medium | Authentication | Registry | GPO | |
| WIN-LDAP-001 | LDAP Client Signing | Medium | Authentication | Registry | Direct | |
| WIN-LOCK-001 | Account Lockout Threshold | Medium | Account Policy | SecEdit | Direct | |
| WIN-LOCK-002 | Account Lockout Duration | Medium | Account Policy | SecEdit | Direct | |
| WIN-LOCK-003 | Reset Account Lockout Counter | Medium | Account Policy | SecEdit | Direct | |
| WIN-LOGON-001 | Machine Inactivity Limit | Medium | Access Control | Registry | GPO | |
| WIN-LOGON-002 | Do Not Display Last Signed-In User | Low | Access Control | Registry | GPO | |
| WIN-LOGON-003 | Limit Number of Cached Logons | Medium | Access Control | Registry | Direct | |
| WIN-LOGON-004 | Require Ctrl+Alt+Del at Logon | Low | Access Control | Registry | GPO | |
| WIN-LOGON-005 | Smart Card Removal Behavior (Lock Workstation) | Low | Access Control | Registry | Direct | |
| WIN-LOGON-006 | Disable Automatic Logon | Medium | Access Control | Registry | Direct | |
| WIN-LOGON-007 | Do Not Allow System to Be Shut Down Without Logging On | Low | Access Control | Registry | GPO | |
| WIN-LOGON-008 | Require Domain Controller Authentication to Unlock Workstation | Medium | Access Control | Registry | Direct | |
| WIN-LOGON-009 | Do Not Enumerate Connected Users on Domain-Joined Computers | Medium | Access Control | Registry | GPO | |
| WIN-LOGON-010 | Do Not Enumerate Local Users on Domain-Joined Computers | Medium | Access Control | Registry | GPO | |
| WIN-LOGON-011 | Block User From Showing Account Details on Sign-In | Low | Access Control | Registry | GPO | |
| WIN-LOGON-012 | Do Not Display Network Selection UI | Low | Access Control | Registry | GPO | |
| WIN-LOGON-013 | Turn Off App Notifications on the Lock Screen | Low | Access Control | Registry | GPO | |
| WIN-LOGON-014 | Disable Convenience PIN Sign-In | Medium | Access Control | Registry | GPO | |
| WIN-LOGON-015 | Disable Automatic Restart Sign-On (ARSO) | Medium | Access Control | Registry | GPO | |
| WIN-LOGON-016 | Screen Saver Grace Period | Low | Access Control | Registry | Direct | |
| WIN-LOGON-017 | Turn Off Toast Notifications on the Lock Screen (Default Profile) | Low | Access Control | Registry | GPO | |
| WIN-LOGON-018 | Logon Legal Notice Text | Low | Access Control | Registry | GPO | |
| WIN-LOGON-019 | Logon Legal Notice Title | Low | Access Control | Registry | GPO | |
| WIN-LSA-001 | Do Not Store LAN Manager Hash | High | Credential Protection | Registry | Direct | |
| WIN-LSA-002 | Restrict Anonymous SID Enumeration | Medium | Access Control | Registry | Direct | |
| WIN-LSA-003 | Enable LSASS Protection (RunAsPPL) | High | Credential Protection | Registry | Direct | |
| WIN-LSA-004 | Do Not Allow Anonymous Enumeration of SAM Accounts | Medium | Access Control | Registry | Direct | |
| WIN-LSA-005 | Enable Structured Exception Handling Overwrite Protection (SEHOP) | Medium | Exploit Protection | Registry | Direct | |
| WIN-LSA-006 | Digitally Encrypt or Sign Secure Channel Data (Always) | Medium | Authentication | Registry | Direct | |
| WIN-LSA-007 | Do Not Apply Everyone Permissions to Anonymous Users | Medium | Access Control | Registry | Direct | |
| WIN-LSA-008 | Restrict Clients Allowed to Make Remote SAM Calls | Medium | Access Control | Registry | Direct | |
| WIN-LSA-009 | Limit Local Account Use of Blank Passwords | High | Access Control | Registry | Direct | |
| WIN-LSA-010 | Sharing and Security Model for Local Accounts (Classic) | Medium | Access Control | Registry | Direct | |
| WIN-LSA-011 | Disallow LocalSystem NULL Session Fallback | Medium | Access Control | Registry | Direct | |
| WIN-LSA-012 | Strengthen Default Permissions of Internal System Objects | Low | Access Control | Registry | Direct | |
| WIN-LSA-013 | Digitally Encrypt Secure Channel Data (When Possible) | Medium | Authentication | Registry | Direct | |
| WIN-LSA-014 | Digitally Sign Secure Channel Data (When Possible) | Medium | Authentication | Registry | Direct | |
| WIN-LSA-015 | Do Not Disable Machine Account Password Changes | Medium | Authentication | Registry | Direct | |
| WIN-LSA-016 | Maximum Machine Account Password Age (30 Days) | Low | Authentication | Registry | Direct | |
| WIN-LSA-017 | Require Strong (Windows 2000 or Later) Session Key | Medium | Authentication | Registry | Direct | |
| WIN-LSA-018 | Do Not Store Passwords and Credentials for Network Authentication | High | Credential Protection | Registry | Direct | |
| WIN-LSA-019 | Require Case Insensitivity for Non-Windows Subsystems | Low | Access Control | Registry | Direct | |
| WIN-NET-001 | Disable LLMNR | Medium | Network Protocols | Registry | GPO | |
| WIN-NET-002 | Disable IPv4 Source Routing | Medium | Network Protocols | Registry | Direct | |
| WIN-NET-003 | Disable ICMP Redirects | Low | Network Protocols | Registry | Direct | |
| WIN-NET-004 | Disable IPv6 Source Routing | Medium | Network Protocols | Registry | Direct | |
| WIN-NET-005 | Ignore NetBIOS Name Release Requests | Low | Network Protocols | Registry | Direct | |
| WIN-NET-006 | Disable mDNS | Medium | Network Protocols | Registry | Direct | |
| WIN-NET-007 | Enable Safe DLL Search Mode | Medium | Exploit Protection | Registry | Direct | |
| WIN-NET-008 | Hardened UNC Path for SYSVOL | High | Network Protocols | Registry | GPO | |
| WIN-NET-009 | Hardened UNC Path for NETLOGON | High | Network Protocols | Registry | GPO | |
| WIN-NET-010 | Disable Font Providers | Low | Attack Surface Reduction | Registry | GPO | |
| WIN-NET-011 | Turn Off Smart Multi-Homed Name Resolution | Medium | Network Protocols | Registry | GPO | |
| WIN-NET-012 | Prohibit Installation of Network Bridge | Low | Network Protocols | Registry | GPO | |
| WIN-NET-013 | Prohibit Internet Connection Sharing | Low | Network Protocols | Registry | GPO | |
| WIN-NET-014 | Require Domain Users to Elevate When Setting Network Location | Low | Network Protocols | Registry | GPO | |
| WIN-NET-015 | Minimize Simultaneous Internet and Domain Connections | Low | Network Protocols | Registry | GPO | |
| WIN-NET-016 | Prohibit Non-Domain Networks When on Domain Network | Low | Network Protocols | Registry | GPO | |
| WIN-NET-017 | Disable Windows Connect Now Registrars | Low | Network Protocols | Registry | GPO | |
| WIN-NET-018 | Prohibit Access of Windows Connect Now Wizards | Low | Network Protocols | Registry | GPO | |
| WIN-NET-019 | Turn Off Link-Layer Topology Mapper I/O Driver | Low | Network Protocols | Registry | GPO | |
| WIN-NET-020 | Turn Off Link-Layer Topology Responder Driver | Low | Network Protocols | Registry | GPO | |
| WIN-NET-021 | TCP Maximum Data Retransmissions (IPv4) | Low | Network Protocols | Registry | Direct | |
| WIN-NET-022 | TCP Maximum Data Retransmissions (IPv6) | Low | Network Protocols | Registry | Direct | |
| WIN-NET-023 | TCP Keep-Alive Time | Low | Network Protocols | Registry | Direct | |
| WIN-NET-024 | Disable Dead Gateway Detection | Low | Network Protocols | Registry | Direct | |
| WIN-NTLM-001 | LAN Manager Authentication Level (NTLMv2 Only) | High | Authentication | Registry | Direct | |
| WIN-NTLM-002 | Minimum NTLM Session Security (Clients) | Medium | Authentication | Registry | Direct | |
| WIN-NTLM-003 | Minimum NTLM Session Security (Servers) | Medium | Authentication | Registry | Direct | |
| WIN-NTLM-004 | Allow LocalSystem to Use Computer Identity for NTLM | Medium | Authentication | Registry | Direct | |
| WIN-NTLM-005 | Disallow PKU2U Online Identities | Medium | Authentication | Registry | Direct | |
| WIN-NTLM-006 | Audit Incoming NTLM Traffic | Low | Authentication | Registry | Direct | |
| WIN-NTLM-007 | Audit Outgoing NTLM Traffic to Remote Servers | Low | Authentication | Registry | Direct | |
| WIN-PRINT-001 | Restrict Point and Print Driver Installation to Administrators | High | Attack Surface Reduction | Registry | GPO | |
| WIN-PRINT-002 | Require Elevation for New Point and Print Connections | Medium | Attack Surface Reduction | Registry | GPO | |
| WIN-PRINT-003 | Prevent Users From Installing Printer Drivers | Medium | Attack Surface Reduction | Registry | Direct | |
| WIN-PSL-001 | Enable PowerShell Script Block Logging | Medium | Logging and Monitoring | Registry | GPO | |
| WIN-PSL-002 | Enable PowerShell Module Logging | Medium | Logging and Monitoring | Registry | GPO | |
| WIN-PSL-003 | Enable PowerShell Transcription | Medium | Logging and Monitoring | Registry | GPO | |
| WIN-PWD-001 | Minimum Password Length | High | Account Policy | SecEdit | Direct | |
| WIN-PWD-002 | Password Complexity Enabled | High | Account Policy | SecEdit | Direct | |
| WIN-PWD-003 | Maximum Password Age | Medium | Account Policy | SecEdit | Direct | |
| WIN-PWD-004 | Minimum Password Age | Low | Account Policy | SecEdit | Direct | |
| WIN-PWD-005 | Enforce Password History | Medium | Account Policy | SecEdit | Direct | |
| WIN-PWD-006 | Disable Reversible Password Encryption | High | Account Policy | SecEdit | Direct | |
| WIN-RA-001 | Disable Solicited Remote Assistance | Medium | Remote Access | Registry | GPO | |
| WIN-RA-002 | Disable Offer (Unsolicited) Remote Assistance | Medium | Remote Access | Registry | GPO | |
| WIN-RDP-001 | Require Network Level Authentication for RDP | High | Remote Access | Registry | Direct | |
| WIN-RDP-002 | RDP Minimum Encryption Level (High) | Medium | Remote Access | Registry | Direct | |
| WIN-RDP-003 | RDP Security Layer (TLS) | Medium | Remote Access | Registry | Direct | |
| WIN-RDP-004 | Disable RDP Drive Redirection | Medium | Remote Access | Registry | Direct | |
| WIN-RDP-005 | Always Prompt for Password on RDP Connection | Medium | Remote Access | Registry | GPO | |
| WIN-RDP-006 | Disable RDP Clipboard Redirection | Low | Remote Access | Registry | GPO | |
| WIN-RDP-007 | Set RDP Idle Session Time Limit | Low | Remote Access | Registry | GPO | |
| WIN-RDP-008 | Set RDP Disconnected Session Time Limit | Low | Remote Access | Registry | GPO | |
| WIN-RDP-009 | Do Not Allow Saved RDP Passwords | Medium | Remote Access | Registry | GPO | |
| WIN-RDP-010 | Disable RDP COM Port Redirection | Low | Remote Access | Registry | GPO | |
| WIN-RDP-011 | Disable RDP LPT Port Redirection | Low | Remote Access | Registry | GPO | |
| WIN-RDP-012 | Disable RDP Plug and Play Device Redirection | Low | Remote Access | Registry | GPO | |
| WIN-RDP-013 | Require Secure RPC for Remote Desktop | Medium | Remote Access | Registry | GPO | |
| WIN-RDP-014 | Use Temporary Folders Per RDP Session | Low | Remote Access | Registry | GPO | |
| WIN-RPC-001 | Restrict Unauthenticated RPC Clients | Medium | Network Protocols | Registry | GPO | |
| WIN-RPC-002 | Enable RPC Endpoint Mapper Client Authentication | Medium | Network Protocols | Registry | GPO | |
| WIN-SCRSVR-001 | Enable Screen Saver (Default Profile) | Low | Access Control | Registry | GPO | |
| WIN-SCRSVR-002 | Password Protect the Screen Saver (Default Profile) | Medium | Access Control | Registry | GPO | |
| WIN-SCRSVR-003 | Screen Saver Timeout (Default Profile) | Low | Access Control | Registry | GPO | |
| WIN-SMARTSCREEN-001 | Configure Windows Defender SmartScreen | Medium | Endpoint Protection | Registry | GPO | |
| WIN-SMB-001 | Disable SMBv1 | High | Network Protocols | Registry | Direct | |
| WIN-SMB-003 | Require SMB Signing (Server) | High | Network Protocols | Registry | Direct | |
| WIN-SMB-004 | Disable SMBv1 Client | High | Network Protocols | Registry | Direct | |
| WIN-SMB-005 | Require SMB Client Signing | Medium | Network Protocols | Registry | Direct | |
| WIN-SMB-006 | Restrict Anonymous Access to Named Pipes and Shares | Medium | Network Protocols | Registry | Direct | |
| WIN-SMB-007 | Disable SMB Client Insecure Guest Logons | Medium | Network Protocols | Registry | GPO | |
| WIN-SMB-008 | Do Not Send Unencrypted Password to Third-Party SMB Servers | Medium | Network Protocols | Registry | Direct | |
| WIN-SMB-009 | Digitally Sign Client Communications (If Server Agrees) | Low | Network Protocols | Registry | Direct | |
| WIN-SMB-010 | Digitally Sign Server Communications (If Client Agrees) | Low | Network Protocols | Registry | Direct | |
| WIN-SMB-011 | Idle Time Required Before Suspending an SMB Session (15 min) | Low | Network Protocols | Registry | Direct | |
| WIN-SMB-012 | Disconnect Clients When Logon Hours Expire | Low | Network Protocols | Registry | Direct | |
| WIN-SMB-013 | Server SPN Target Name Validation Level | Medium | Network Protocols | Registry | Direct | |
| WIN-SVC-001 | Disable Remote Registry Service | Medium | Attack Surface Reduction | Service | Direct | |
| WIN-SVC-002 | Disable Print Spooler Service | Medium | Attack Surface Reduction | Service | Direct | |
| WIN-TELEM-001 | Limit Diagnostic Data to Required or Less | Low | Attack Surface Reduction | Registry | GPO | |
| WIN-TELEM-002 | Disable OneSettings Downloads | Low | Attack Surface Reduction | Registry | GPO | |
| WIN-TELEM-003 | Do Not Show Feedback Notifications | Low | Attack Surface Reduction | Registry | GPO | |
| WIN-TELEM-004 | Enable OneSettings Auditing | Low | Logging and Monitoring | Registry | GPO | |
| WIN-TELEM-005 | Disable Windows Insider Preview Builds | Medium | Attack Surface Reduction | Registry | GPO | |
| WIN-TLS-001 | Enable TLS 1.2 (Server) | Medium | Cryptography | Registry | Direct | |
| WIN-TLS-002 | Enable TLS 1.2 (Client) | Medium | Cryptography | Registry | Direct | |
| WIN-TLS-003 | Disable RC4 128/128 Cipher | High | Cryptography | Registry | Direct | |
| WIN-TLS-004 | Disable RC4 40/128 Cipher | High | Cryptography | Registry | Direct | |
| WIN-TLS-005 | Disable Triple DES 168 Cipher | Medium | Cryptography | Registry | Direct | |
| WIN-TLS-006 | Disable RC4 56/128 Cipher | High | Cryptography | Registry | Direct | |
| WIN-TLS-007 | Disable RC4 64/128 Cipher | High | Cryptography | Registry | Direct | |
| WIN-TLS-008 | Disable DES 56/56 Cipher | Medium | Cryptography | Registry | Direct | |
| WIN-TLS-009 | Disable NULL Cipher | Medium | Cryptography | Registry | Direct | |
| WIN-TLS-010 | Disable TLS 1.0 (Server) | High | Cryptography | Registry | Direct | |
| WIN-TLS-011 | Disable TLS 1.1 (Server) | High | Cryptography | Registry | Direct | |
| WIN-TLS-012 | Disable SSL 3.0 (Server) | High | Cryptography | Registry | Direct | |
| WIN-TLS-013 | Disable SSL 2.0 (Server) | High | Cryptography | Registry | Direct | |
| WIN-UAC-001 | User Account Control Enabled | High | Privilege Management | Registry | GPO | |
| WIN-UAC-002 | UAC Elevation Prompt for Administrators | Medium | Privilege Management | Registry | GPO | |
| WIN-UAC-003 | UAC Detect Application Installations | Medium | Privilege Management | Registry | GPO | |
| WIN-UAC-004 | Deny UAC Elevation Prompt for Standard Users | Medium | Privilege Management | Registry | GPO | |
| WIN-UAC-005 | UAC Switch to the Secure Desktop for Elevation | Medium | Privilege Management | Registry | GPO | |
| WIN-UAC-006 | Only Elevate UIAccess Apps in Secure Locations | Medium | Privilege Management | Registry | GPO | |
| WIN-UAC-007 | Apply UAC Token Filtering to Remote Local Accounts | High | Privilege Management | Registry | GPO | |
| WIN-UAC-008 | Admin Approval Mode for the Built-in Administrator | Medium | Privilege Management | Registry | GPO | |
| WIN-UAC-009 | Virtualize File and Registry Write Failures to Per-User Locations | Low | Privilege Management | Registry | GPO | |
| WIN-URA-001 | Access Credential Manager as a Trusted Caller = No One | High | User Rights Assignment | SecEdit | Direct | |
| WIN-URA-002 | Act as Part of the Operating System = No One | High | User Rights Assignment | SecEdit | Direct | |
| WIN-URA-003 | Create a Token Object = No One | High | User Rights Assignment | SecEdit | Direct | |
| WIN-URA-004 | Create Permanent Shared Objects = No One | Medium | User Rights Assignment | SecEdit | Direct | |
| WIN-URA-005 | Debug Programs = Administrators Only | High | User Rights Assignment | SecEdit | Direct | |
| WIN-URA-006 | Deny Access to This Computer From the Network (includes Guests) | Medium | User Rights Assignment | SecEdit | Direct | |
| WIN-URA-007 | Deny Log On as a Batch Job (includes Guests) | Low | User Rights Assignment | SecEdit | Direct | |
| WIN-URA-008 | Deny Log On as a Service (includes Guests) | Low | User Rights Assignment | SecEdit | Direct | |
| WIN-URA-009 | Deny Log On Locally (includes Guests) | Medium | User Rights Assignment | SecEdit | Direct | |
| WIN-URA-010 | Deny Log On Through Remote Desktop Services (includes Guests) | Medium | User Rights Assignment | SecEdit | Direct | |
| WIN-URA-011 | Force Shutdown From a Remote System = Administrators Only | Medium | User Rights Assignment | SecEdit | Direct | |
| WIN-URA-012 | Generate Security Audits = Local Service, Network Service | Medium | User Rights Assignment | SecEdit | Direct | |
| WIN-URA-013 | Impersonate a Client After Authentication = Service Accounts and Administrators | Medium | User Rights Assignment | SecEdit | Direct | |
| WIN-URA-014 | Load and Unload Device Drivers = Administrators Only | Medium | User Rights Assignment | SecEdit | Direct | |
| WIN-URA-015 | Manage Auditing and Security Log = Administrators Only | Medium | User Rights Assignment | SecEdit | Direct | |
| WIN-URA-016 | Take Ownership of Files or Other Objects = Administrators Only | Medium | User Rights Assignment | SecEdit | Direct | |
| WIN-URA-017 | Access This Computer From the Network = Administrators, Authenticated Users | High | User Rights Assignment | SecEdit | Direct | |
| WIN-URA-018 | Allow Log On Locally = Administrators | Medium | User Rights Assignment | SecEdit | Direct | |
| WIN-URA-019 | Allow Log On Through Remote Desktop Services = Administrators, Remote Desktop Users | Medium | User Rights Assignment | SecEdit | Direct | |
| WIN-URA-020 | Back Up Files and Directories = Administrators | Medium | User Rights Assignment | SecEdit | Direct | |
| WIN-URA-021 | Restore Files and Directories = Administrators | Medium | User Rights Assignment | SecEdit | Direct | |
| WIN-URA-022 | Change the System Time = Administrators, Local Service | Medium | User Rights Assignment | SecEdit | Direct | |
| WIN-URA-023 | Change the Time Zone = Administrators, Local Service, Users | Low | User Rights Assignment | SecEdit | Direct | |
| WIN-URA-024 | Create a Pagefile = Administrators | Low | User Rights Assignment | SecEdit | Direct | |
| WIN-URA-025 | Create Global Objects = Administrators and Service Accounts | Medium | User Rights Assignment | SecEdit | Direct | |
| WIN-URA-026 | Create Symbolic Links = Administrators | Medium | User Rights Assignment | SecEdit | Direct | |
| WIN-URA-027 | Adjust Memory Quotas for a Process = Administrators and Service Accounts | Low | User Rights Assignment | SecEdit | Direct | |
| WIN-URA-028 | Increase Scheduling Priority = Administrators, Window Manager | Low | User Rights Assignment | SecEdit | Direct | |
| WIN-URA-029 | Lock Pages in Memory = No One | Medium | User Rights Assignment | SecEdit | Direct | |
| WIN-URA-030 | Perform Volume Maintenance Tasks = Administrators | Medium | User Rights Assignment | SecEdit | Direct | |
| WIN-URA-031 | Profile Single Process = Administrators | Low | User Rights Assignment | SecEdit | Direct | |
| WIN-URA-032 | Replace a Process Level Token = Local Service, Network Service | Medium | User Rights Assignment | SecEdit | Direct | |
| WIN-URA-033 | Shut Down the System = Administrators | Low | User Rights Assignment | SecEdit | Direct | |
| WIN-URA-034 | Modify Firmware Environment Values = Administrators | Medium | User Rights Assignment | SecEdit | Direct | |
| WIN-URA-035 | Enable Accounts to Be Trusted for Delegation = No One | High | User Rights Assignment | SecEdit | Direct | |
| WIN-URA-036 | Obtain an Impersonation Token for Another User = No One | Medium | User Rights Assignment | SecEdit | Direct | |
| WIN-URA-037 | Modify an Object Label = No One | Low | User Rights Assignment | SecEdit | Direct | |
| WIN-URA-038 | Synchronize Directory Service Data = No One | Medium | User Rights Assignment | SecEdit | Direct | |
| WIN-URA-039 | Profile System Performance = Administrators, WdiServiceHost | Low | User Rights Assignment | SecEdit | Direct | |
| WIN-VBS-001 | Enable Virtualization Based Security | High | Credential Protection | Registry | Direct | |
| WIN-VBS-002 | Require Secure Boot for VBS | Medium | Credential Protection | Registry | Direct | |
| WIN-VBS-003 | Enable Memory Integrity (HVCI) | High | Exploit Protection | Registry | Direct | |
| WIN-WDIGEST-001 | Disable WDigest Credential Caching | High | Credential Protection | Registry | Direct | |
| WIN-WINRM-001 | Disable WinRM Client Basic Authentication | Medium | Remote Management | Registry | GPO | |
| WIN-WINRM-002 | Disallow WinRM Unencrypted Traffic | Medium | Remote Management | Registry | GPO | |
| WIN-WINRM-003 | Disable WinRM Client Digest Authentication | Medium | Remote Management | Registry | GPO | |
| WIN-WINRM-004 | Disable WinRM Service Basic Authentication | Medium | Remote Management | Registry | GPO | |
| WIN-WINRM-005 | Disallow WinRM Storing RunAs Credentials | Medium | Remote Management | Registry | GPO | |
| WIN-WINRM-006 | Disallow WinRM Client Unencrypted Traffic | Medium | Remote Management | Registry | GPO | |
| WIN-WINRS-001 | Disable Windows Remote Shell Access | Medium | Remote Management | Registry | GPO |
Control reference¶
WIN-ACCT-001 - Block Microsoft Accounts¶
Severity: Medium Category: Access Control Provider: Registry Delivery: Group Policy Reboot: No Tier: Standard
Prevent users from adding or logging on with Microsoft accounts. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.
Rationale. Consumer Microsoft accounts on servers bypass enterprise identity controls and complicate auditing.
Remediation. Set Policies System NoConnectedUser to 3 (users cannot add or log on with Microsoft accounts).
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-ACCT-002 - Guest Account Disabled¶
Severity: Medium Category: Access Control Provider: SecEdit Delivery: Direct Reboot: No Tier: Standard
The built-in Guest account must be disabled.
Rationale. An enabled Guest account permits anonymous, unattributed access.
Remediation. Disable the built-in Guest account (EnableGuestAccount = 0).
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-ACCT-003 - Force Logoff When Logon Hours Expire¶
Severity: Low Category: Account Policy Provider: SecEdit Delivery: Direct Reboot: No Tier: Standard Applies to: Domain-joined only
Force users to log off when their logon hours expire.
Rationale. Sessions outliving permitted hours bypass time-based access controls.
Remediation. Enable Force logoff when logon hours expire (ForceLogoffWhenHourExpire = 1).
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-ASR-001 - ASR: Block Credential Stealing from LSASS¶
Severity: High Category: Attack Surface Reduction Provider: Registry Delivery: Group Policy Reboot: No Tier: Enterprise
The Attack Surface Reduction rule blocking credential theft from the LSASS process must be enabled in block mode. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.
Rationale. Credential theft from LSASS enables lateral movement and privilege escalation.
Remediation. Enable ASR rule 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 in block mode (1).
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
References: - https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction-rules-reference
WIN-ASR-002 - ASR: Block Office Apps Creating Child Processes¶
Severity: Medium Category: Attack Surface Reduction Provider: Registry Delivery: Group Policy Reboot: No Tier: Enterprise
The Attack Surface Reduction rule blocking Office applications from creating child processes must be enabled. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.
Rationale. Office child-process creation is a common malware/macro execution technique.
Remediation. Enable ASR rule d4f940ab-401b-4efc-aadc-ad5f3c50688a in block mode (1).
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
References: - https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction-rules-reference
WIN-ASR-003 - ASR: Block Executable Content from Email and Webmail¶
Severity: Medium Category: Attack Surface Reduction Provider: Registry Delivery: Group Policy Reboot: No Tier: Enterprise
The Attack Surface Reduction rule blocking executable content from email and webmail must be enabled. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.
Rationale. Executable email attachments are a primary malware delivery vector.
Remediation. Enable ASR rule be9ba2d9-53ea-4cdc-84e5-9b1eeee46550 in block mode (1).
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
References: - https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction-rules-reference
WIN-ASR-004 - ASR: Block Obfuscated Scripts¶
Severity: Medium Category: Attack Surface Reduction Provider: Registry Delivery: Group Policy Reboot: No Tier: Enterprise
Block execution of potentially obfuscated scripts, a common malware evasion technique. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.
Rationale. Obfuscated scripts hide malicious behaviour from analysis and detection.
Remediation. Enable ASR rule 5beb7efe-fd9a-4556-801d-275e5ffc04cc in block mode (1).
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
References: - https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction-rules-reference
WIN-ASR-005 - ASR: Block Untrusted Processes from USB¶
Severity: Medium Category: Attack Surface Reduction Provider: Registry Delivery: Group Policy Reboot: No Tier: Enterprise
Block untrusted and unsigned executables from running from USB removable media. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.
Rationale. Removable media is a common malware ingress vector.
Remediation. Enable ASR rule b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 in block mode (1).
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
References: - https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction-rules-reference
WIN-ASR-006 - ASR: Block Process Creation from PSExec and WMI¶
Severity: Medium Category: Attack Surface Reduction Provider: Registry Delivery: Group Policy Reboot: No Tier: Enterprise
Block processes created via PsExec and WMI commands, commonly used for lateral movement. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.
Rationale. PsExec/WMI process creation enables remote code execution and lateral movement.
Remediation. Enable ASR rule d1e49aac-8f56-4280-b9ba-993a6d77406c in block mode (1).
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
References: - https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction-rules-reference
WIN-ASR-007 - ASR: Advanced Protection Against Ransomware¶
Severity: High Category: Attack Surface Reduction Provider: Registry Delivery: Group Policy Reboot: No Tier: Enterprise
Enable advanced heuristic and cloud protection against ransomware. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.
Rationale. Ransomware can rapidly encrypt data across the host and network.
Remediation. Enable ASR rule c1db55ab-c21a-4637-bb3f-a12568109d35 in block mode (1).
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
References: - https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction-rules-reference
WIN-ASR-008 - ASR: Block Office Apps Injecting Code into Other Processes¶
Severity: Medium Category: Attack Surface Reduction Provider: Registry Delivery: Group Policy Reboot: No Tier: Enterprise
Block Office applications from injecting code into other processes. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.
Rationale. Code injection from Office lets malware masquerade as trusted processes.
Remediation. Enable ASR rule 75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84 in block mode (1).
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
References: - https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction-rules-reference
WIN-ASR-009 - ASR: Block Office Apps Creating Executable Content¶
Severity: Medium Category: Attack Surface Reduction Provider: Registry Delivery: Group Policy Reboot: No Tier: Enterprise
Block Office applications from writing executable content to disk. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.
Rationale. Office-dropped executables are used for persistence and payload delivery.
Remediation. Enable ASR rule 3b576869-a4ec-4529-8536-b80a7769e899 in block mode (1).
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
References: - https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction-rules-reference
WIN-ASR-010 - ASR: Block Persistence Through WMI Event Subscription¶
Severity: Medium Category: Attack Surface Reduction Provider: Registry Delivery: Group Policy Reboot: No Tier: Enterprise
Block malware from establishing persistence via WMI event subscription. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.
Rationale. WMI event subscriptions are a stealthy, fileless persistence mechanism.
Remediation. Enable ASR rule e6db77e5-3df2-4cf1-b95a-636979351e5b in block mode (1).
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
References: - https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction-rules-reference
WIN-ASR-011 - ASR: Block Win32 API Calls from Office Macros¶
Severity: Medium Category: Attack Surface Reduction Provider: Registry Delivery: Group Policy Reboot: No Tier: Enterprise
Block Office macros from calling Win32 APIs. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.
Rationale. Macro Win32 API calls are used to download and execute malware.
Remediation. Enable ASR rule 92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b in block mode (1).
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
References: - https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction-rules-reference
WIN-ASR-012 - ASR: Block Untrusted Executables by Prevalence, Age, or Trust¶
Severity: Medium Category: Attack Surface Reduction Provider: Registry Delivery: Group Policy Reboot: No Tier: Enterprise
Block executable files from running unless they meet a prevalence, age, or trusted-list criterion. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.
Rationale. Newly seen, low-prevalence executables are frequently malware.
Remediation. Enable ASR rule 01443614-cd74-433a-b99e-2ecdc07bfc25 in block mode (1).
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
References: - https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction-rules-reference
WIN-ASR-013 - ASR: Block Adobe Reader from Creating Child Processes¶
Severity: Medium Category: Attack Surface Reduction Provider: Registry Delivery: Group Policy Reboot: No Tier: Enterprise
Block Adobe Reader from spawning child processes. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.
Rationale. Malicious PDFs abuse Adobe Reader to launch payloads.
Remediation. Enable ASR rule 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c in block mode (1).
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
References: - https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction-rules-reference
WIN-ASR-014 - ASR: Block Webshell Creation for Servers¶
Severity: High Category: Attack Surface Reduction Provider: Registry Delivery: Group Policy Reboot: No Tier: Enterprise
Block the creation of web shells on server roles (e.g. Exchange, IIS). Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.
Rationale. Web shells give attackers persistent remote command execution on internet-facing servers.
Remediation. Enable ASR rule a8f5898e-1dc8-49a9-9878-85004b8a61e6 in block mode (1).
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
References: - https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction-rules-reference
WIN-ASR-015 - ASR: Block Rebooting Machine in Safe Mode¶
Severity: Medium Category: Attack Surface Reduction Provider: Registry Delivery: Group Policy Reboot: No Tier: Enterprise
Block attempts to reboot the machine into Safe Mode to bypass security tooling. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.
Rationale. Attackers reboot to Safe Mode to disable endpoint protection that does not load there.
Remediation. Enable ASR rule 33ddedf1-c6e0-47cb-833e-de6133960387 in block mode (1).
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
References: - https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction-rules-reference
WIN-AUD-001 - Audit Logon Failures¶
Severity: Medium Category: Logging and Monitoring Provider: AuditPol Delivery: Direct Reboot: No Tier: Standard
The advanced audit policy must log failed logon events (subcategory 'Logon') to support detection of unauthorized access attempts.
Rationale. Failed authentication attempts go unrecorded, hindering intrusion detection.
Remediation. Enable failure auditing for the Logon subcategory (auditpol /set /subcategory:Logon /failure:enable).
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 SOC 2 ISO/IEC 27001 HIPAA Security Rule Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2
References: - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-logon
WIN-AUD-002 - Audit Account Lockout Events¶
Severity: Medium Category: Logging and Monitoring Provider: AuditPol Delivery: Direct Reboot: No Tier: Standard
The advanced audit policy must log account lockout events (subcategory 'Account Lockout') to support detection of brute-force activity.
Rationale. Account lockouts from attacks go unrecorded.
Remediation. Enable failure auditing for the Account Lockout subcategory via auditpol (subcategory Account Lockout, failure enable).
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 SOC 2 ISO/IEC 27001 HIPAA Security Rule Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2
WIN-AUD-003 - Audit Process Creation¶
Severity: Medium Category: Logging and Monitoring Provider: AuditPol Delivery: Direct Reboot: No Tier: Enterprise
Process creation events must be audited to support detection and forensic investigation.
Rationale. Without process auditing, malicious execution is hard to detect or investigate.
Remediation. Enable success auditing for the Process Creation subcategory (Detailed Tracking).
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 SOC 2 ISO/IEC 27001 Microsoft Security Baselines NIS2
WIN-AUD-004 - Audit Credential Validation¶
Severity: Medium Category: Logging and Monitoring Provider: AuditPol Delivery: Direct Reboot: No Tier: Standard
Credential validation events must be audited to detect authentication attacks.
Rationale. Unaudited credential validation hides brute-force and password-spray activity.
Remediation. Enable success and failure auditing for the Credential Validation subcategory.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 SOC 2 ISO/IEC 27001 Microsoft Security Baselines NIS2
WIN-AUD-005 - Audit Security Group Management¶
Severity: Medium Category: Logging and Monitoring Provider: AuditPol Delivery: Direct Reboot: No Tier: Standard
Changes to security groups must be audited to detect privilege escalation via group membership.
Rationale. Unaudited group changes hide privilege escalation and persistence.
Remediation. Enable success auditing for the Security Group Management subcategory (Account Management).
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 SOC 2 ISO/IEC 27001 Microsoft Security Baselines NIS2
WIN-AUD-006 - Audit Special Logon¶
Severity: Medium Category: Logging and Monitoring Provider: AuditPol Delivery: Direct Reboot: No Tier: Standard
Special logon events (privileged logons) must be audited.
Rationale. Unaudited privileged logons hide administrative and attacker activity.
Remediation. Enable success auditing for the Special Logon subcategory.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 SOC 2 ISO/IEC 27001 Microsoft Security Baselines NIS2
WIN-AUD-007 - Audit Sensitive Privilege Use¶
Severity: Medium Category: Logging and Monitoring Provider: AuditPol Delivery: Direct Reboot: No Tier: Enterprise
Use of sensitive privileges must be audited to detect privilege abuse.
Rationale. Unaudited sensitive privilege use hides privilege-escalation and abuse.
Remediation. Enable success and failure auditing for the Sensitive Privilege Use subcategory.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 SOC 2 ISO/IEC 27001 Microsoft Security Baselines NIS2
WIN-AUD-008 - Audit System Integrity¶
Severity: Medium Category: Logging and Monitoring Provider: AuditPol Delivery: Direct Reboot: No Tier: Standard
System integrity events (audit subsystem failures, driver issues) must be audited.
Rationale. Unaudited integrity events hide tampering with the audit subsystem.
Remediation. Enable success and failure auditing for the System Integrity subcategory.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 SOC 2 ISO/IEC 27001 Microsoft Security Baselines NIS2
WIN-AUD-009 - Audit Logoff¶
Severity: Medium Category: Logging and Monitoring Provider: AuditPol Delivery: Direct Reboot: No Tier: Standard
Logoff events must be audited to correlate session activity.
Rationale. Unaudited logoffs leave gaps in the session timeline.
Remediation. Enable success auditing for the Logoff subcategory.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 SOC 2 ISO/IEC 27001 Microsoft Security Baselines NIS2
References: - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-logoff
WIN-AUD-010 - Audit Removable Storage¶
Severity: Medium Category: Logging and Monitoring Provider: AuditPol Delivery: Direct Reboot: No Tier: Standard
Access to removable storage must be audited to detect data exfiltration.
Rationale. Unaudited removable-storage use hides data theft.
Remediation. Enable success and failure auditing for the Removable Storage subcategory.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 SOC 2 ISO/IEC 27001 Microsoft Security Baselines NIS2
WIN-AUD-011 - Audit Authentication Policy Change¶
Severity: Medium Category: Logging and Monitoring Provider: AuditPol Delivery: Direct Reboot: No Tier: Standard
Changes to authentication policy must be audited.
Rationale. Unaudited authentication-policy changes hide tampering with security controls.
Remediation. Enable success auditing for the Authentication Policy Change subcategory.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 SOC 2 ISO/IEC 27001 Microsoft Security Baselines NIS2
WIN-AUD-012 - Audit User Account Management¶
Severity: Medium Category: Logging and Monitoring Provider: AuditPol Delivery: Direct Reboot: No Tier: Standard
Changes to user accounts (create, delete, enable, password reset) must be audited.
Rationale. Unaudited account changes hide account creation and privilege abuse.
Remediation. Enable success and failure auditing for the User Account Management subcategory.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 SOC 2 ISO/IEC 27001 Microsoft Security Baselines NIS2
WIN-AUD-013 - Audit Computer Account Management¶
Severity: Medium Category: Logging and Monitoring Provider: AuditPol Delivery: Direct Reboot: No Tier: Standard
Changes to computer accounts must be audited.
Rationale. Unaudited computer-account changes hide rogue machine joins and tampering.
Remediation. Enable success auditing for the Computer Account Management subcategory.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 SOC 2 ISO/IEC 27001 Microsoft Security Baselines NIS2
WIN-AUD-014 - Audit Audit Policy Change¶
Severity: Medium Category: Logging and Monitoring Provider: AuditPol Delivery: Direct Reboot: No Tier: Standard
Changes to the audit policy itself must be audited.
Rationale. Unaudited audit-policy changes let an attacker disable logging undetected.
Remediation. Enable success and failure auditing for the Audit Policy Change subcategory.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 SOC 2 ISO/IEC 27001 Microsoft Security Baselines NIS2
WIN-AUD-015 - Audit Other Logon/Logoff Events¶
Severity: Medium Category: Logging and Monitoring Provider: AuditPol Delivery: Direct Reboot: No Tier: Standard
Other logon/logoff events (RDP reconnects, workstation lock/unlock) must be audited.
Rationale. These events reveal remote-session and screen-lock activity useful for detection.
Remediation. Enable success and failure auditing for the Other Logon/Logoff Events subcategory.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 SOC 2 ISO/IEC 27001 Microsoft Security Baselines NIS2
WIN-AUD-016 - Audit MPSSVC Rule-Level Policy Change¶
Severity: Medium Category: Logging and Monitoring Provider: AuditPol Delivery: Direct Reboot: No Tier: Standard
Changes to Windows Firewall rules must be audited.
Rationale. Unaudited firewall-rule changes hide attempts to open the host to attack.
Remediation. Enable success and failure auditing for the MPSSVC Rule-Level Policy Change subcategory.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 SOC 2 ISO/IEC 27001 Microsoft Security Baselines NIS2
WIN-AUD-017 - Audit PNP Activity¶
Severity: Medium Category: Logging and Monitoring Provider: AuditPol Delivery: Direct Reboot: No Tier: Standard
Audit when Plug and Play detects an external device (e.g. USB).
Rationale. Unaudited device attachment hides data-exfiltration and rogue-hardware events.
Remediation. Enable success auditing for the Plug and Play Events subcategory.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 SOC 2 ISO/IEC 27001 Microsoft Security Baselines NIS2
WIN-AUD-018 - Audit Group Membership¶
Severity: Medium Category: Logging and Monitoring Provider: AuditPol Delivery: Direct Reboot: No Tier: Standard
Record the group memberships in each logon token.
Rationale. Without group-membership auditing it is harder to detect privileged-group logons.
Remediation. Enable success auditing for the Group Membership subcategory.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 SOC 2 ISO/IEC 27001 Microsoft Security Baselines NIS2
WIN-AUD-019 - Audit Other Object Access Events¶
Severity: Medium Category: Logging and Monitoring Provider: AuditPol Delivery: Direct Reboot: No Tier: Standard
Audit scheduled-task and COM+ object operations.
Rationale. Scheduled tasks and COM+ objects are common persistence mechanisms.
Remediation. Enable success and failure auditing for the Other Object Access Events subcategory.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 SOC 2 ISO/IEC 27001 Microsoft Security Baselines NIS2
WIN-AUD-020 - Audit Detailed File Share¶
Severity: Medium Category: Logging and Monitoring Provider: AuditPol Delivery: Direct Reboot: No Tier: Standard
Audit failed attempts to access files and folders on shared folders.
Rationale. Failed share-access attempts can indicate reconnaissance or unauthorized access.
Remediation. Enable failure auditing for the Detailed File Share subcategory.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 SOC 2 ISO/IEC 27001 Microsoft Security Baselines NIS2
WIN-AUD-021 - Force Audit Policy Subcategory Settings¶
Severity: Medium Category: Logging and Monitoring Provider: Registry Delivery: Direct Reboot: No Tier: Standard
Force advanced audit subcategory settings to override legacy category-level audit policy.
Rationale. Without this, granular advanced audit policy may not take effect.
Remediation. Set Lsa SCENoApplyLegacyAuditPolicy to 1.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 SOC 2 ISO/IEC 27001 Microsoft Security Baselines NIS2
WIN-AUD-022 - Audit Other Account Management Events¶
Severity: Medium Category: Logging and Monitoring Provider: AuditPol Delivery: Direct Reboot: No Tier: Standard
Audit account-management events not covered by the other account-management subcategories.
Rationale. Some account-management actions would otherwise go unrecorded.
Remediation. Enable success and failure auditing for the Other Account Management Events subcategory.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 SOC 2 ISO/IEC 27001 Microsoft Security Baselines NIS2
WIN-AUD-023 - Audit File Share¶
Severity: Medium Category: Logging and Monitoring Provider: AuditPol Delivery: Direct Reboot: No Tier: Standard
Audit creation, deletion, modification, and access of network shares.
Rationale. Share tampering and unauthorized share access would go undetected.
Remediation. Enable success and failure auditing for the File Share subcategory.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 SOC 2 ISO/IEC 27001 Microsoft Security Baselines NIS2
WIN-AUD-024 - Audit Authorization Policy Change¶
Severity: Medium Category: Logging and Monitoring Provider: AuditPol Delivery: Direct Reboot: No Tier: Standard
Audit changes to authorization policy, including user-rights assignment changes.
Rationale. Unaudited authorization-policy changes hide privilege tampering.
Remediation. Enable success auditing for the Authorization Policy Change subcategory.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 SOC 2 ISO/IEC 27001 Microsoft Security Baselines NIS2
WIN-AUD-025 - Audit Other Policy Change Events¶
Severity: Low Category: Logging and Monitoring Provider: AuditPol Delivery: Direct Reboot: No Tier: Standard
Audit failures applying security policy and cryptographic (CNG) operations.
Rationale. Failed policy application and crypto errors would go unrecorded.
Remediation. Enable failure auditing for the Other Policy Change Events subcategory.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 SOC 2 ISO/IEC 27001 Microsoft Security Baselines NIS2
WIN-AUD-026 - Audit IPsec Driver¶
Severity: Medium Category: Logging and Monitoring Provider: AuditPol Delivery: Direct Reboot: No Tier: Standard
Audit IPsec driver activities such as dropped packets and integrity failures.
Rationale. IPsec failures and attacks against IPsec would go undetected.
Remediation. Enable success and failure auditing for the IPsec Driver subcategory.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 SOC 2 ISO/IEC 27001 Microsoft Security Baselines NIS2
WIN-AUD-027 - Audit Other System Events¶
Severity: Low Category: Logging and Monitoring Provider: AuditPol Delivery: Direct Reboot: No Tier: Standard
Audit other system events such as Windows Firewall service state and start/stop.
Rationale. Firewall service state changes would otherwise go unrecorded.
Remediation. Enable success and failure auditing for the Other System Events subcategory.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 SOC 2 ISO/IEC 27001 Microsoft Security Baselines NIS2
WIN-AUD-028 - Audit Security State Change¶
Severity: Medium Category: Logging and Monitoring Provider: AuditPol Delivery: Direct Reboot: No Tier: Standard
Audit changes in the security state of the system, such as startup and shutdown.
Rationale. System start/stop and time changes would go unrecorded.
Remediation. Enable success auditing for the Security State Change subcategory.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 SOC 2 ISO/IEC 27001 Microsoft Security Baselines NIS2
WIN-AUD-029 - Audit Security System Extension¶
Severity: Medium Category: Logging and Monitoring Provider: AuditPol Delivery: Direct Reboot: No Tier: Standard
Audit the loading of authentication/security packages and service installations.
Rationale. Malicious security packages and service installs are critical events to detect.
Remediation. Enable success auditing for the Security System Extension subcategory.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 SOC 2 ISO/IEC 27001 Microsoft Security Baselines NIS2
WIN-AUD-030 - Include Command Line in Process Creation Events¶
Severity: Medium Category: Logging and Monitoring Provider: Registry Delivery: Group Policy Reboot: No Tier: Standard
Record the full command line in process-creation (4688) events. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.
Rationale. Without command lines, process auditing misses the arguments that reveal malicious intent.
Remediation. Set Policies System Audit ProcessCreationIncludeCmdLine_Enabled to 1.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 SOC 2 ISO/IEC 27001 Microsoft Security Baselines NIS2
WIN-AUTORUN-001 - Disable AutoRun on All Drives¶
Severity: Medium Category: Attack Surface Reduction Provider: Registry Delivery: Group Policy Reboot: No Tier: Standard
AutoRun/AutoPlay must be disabled on all drive types to prevent automatic execution from removable media. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.
Rationale. AutoRun can automatically execute malware from removable or network media.
Remediation. Set Policies Explorer NoDriveTypeAutoRun to 255 to disable AutoRun on all drives.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-AUTORUN-002 - Disallow Autoplay for Non-Volume Devices¶
Severity: Medium Category: Attack Surface Reduction Provider: Registry Delivery: Group Policy Reboot: No Tier: Standard
Disable AutoPlay for non-volume devices such as MTP cameras and phones. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.
Rationale. AutoPlay on such devices can auto-launch malicious content.
Remediation. Set Explorer NoAutoplayfornonVolume to 1.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-AUTORUN-003 - Set Default AutoRun Behavior to Do Not Execute¶
Severity: Medium Category: Attack Surface Reduction Provider: Registry Delivery: Group Policy Reboot: No Tier: Standard
Set the default AutoRun behavior to never execute autorun commands. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.
Rationale. AutoRun command execution is a classic removable-media infection vector.
Remediation. Set Explorer NoAutorun to 1.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-CG-001 - Enable Credential Guard¶
Severity: High Category: Credential Protection Provider: Registry Delivery: Direct Reboot: Yes Tier: Enterprise
Enable Credential Guard (with UEFI lock) to isolate and protect NTLM hashes and Kerberos tickets in VBS.
Rationale. Without Credential Guard, tools like Mimikatz can extract domain credentials from LSASS.
Remediation. Set Control Lsa LsaCfgFlags to 1 (Credential Guard with UEFI lock). Requires VBS and a reboot.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark CMMC Level 2 HIPAA Security Rule Microsoft Security Baselines NIS2 UK Cyber Essentials
References: - https://learn.microsoft.com/en-us/windows/security/identity-protection/credential-guard/configure
WIN-CLOUD-001 - Turn Off Microsoft Consumer Experiences¶
Severity: Low Category: Attack Surface Reduction Provider: Registry Delivery: Group Policy Reboot: No Tier: Standard
Disable Microsoft consumer experiences (app suggestions, consumer content). Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.
Rationale. Consumer content downloads and installs unwanted software over the internet.
Remediation. Set CloudContent DisableWindowsConsumerFeatures to 1.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-CREDDEL-001 - Encryption Oracle Remediation (Force Updated Clients)¶
Severity: High Category: Credential Protection Provider: Registry Delivery: Group Policy Reboot: No Tier: Standard
Require patched CredSSP on both ends of RDP to block the CVE-2018-0886 encryption-oracle attack. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.
Rationale. Unpatched CredSSP allows remote code execution against RDP sessions.
Remediation. Set Policies System CredSSP Parameters AllowEncryptionOracle to 0 (Force Updated Clients).
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-CREDDEL-002 - Remote Host Allows Delegation of Non-Exportable Credentials¶
Severity: Medium Category: Credential Protection Provider: Registry Delivery: Group Policy Reboot: No Tier: Standard
Allow only non-exportable (Remote Credential Guard) credential delegation to remote hosts. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.
Rationale. Exportable delegated credentials can be stolen from a compromised remote host.
Remediation. Set CredentialsDelegation AllowProtectedCreds to 1.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-CREDUI-001 - Do Not Display the Password Reveal Button¶
Severity: Low Category: Credential Protection Provider: Registry Delivery: Group Policy Reboot: No Tier: Standard
Hide the password-reveal (eye) button in credential dialogs. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.
Rationale. The reveal button can expose a typed password to a shoulder-surfer.
Remediation. Set CredUI DisablePasswordReveal to 1.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-CREDUI-002 - Do Not Enumerate Administrator Accounts on Elevation¶
Severity: Medium Category: Credential Protection Provider: Registry Delivery: Group Policy Reboot: No Tier: Standard
Do not list administrator accounts when a UAC elevation prompt appears. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.
Rationale. Enumerating admins on elevation discloses privileged account names.
Remediation. Set CredUI EnumerateAdministrators to 0.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-CREDUI-003 - Prevent Use of Security Questions for Local Accounts¶
Severity: Low Category: Credential Protection Provider: Registry Delivery: Group Policy Reboot: No Tier: Standard
Disable security questions as a local-account password reset method. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.
Rationale. Security questions are weak, guessable recovery credentials.
Remediation. Set System NoLocalPasswordResetQuestions to 1.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-DEF-001 - Microsoft Defender Antivirus Enabled¶
Severity: High Category: Endpoint Protection Provider: Defender Delivery: Direct Reboot: No Tier: Essential
Microsoft Defender Antivirus must be enabled and providing real-time protection.
Rationale. Absence of endpoint antivirus protection allows malware execution.
Remediation. Ensure Microsoft Defender Antivirus is enabled with real-time protection. Managed by platform/AV policy; enable via Windows Security or Group Policy (not auto-applied by CloudInfra Secure).
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 FedRAMP CMMC Level 2 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
References: - https://learn.microsoft.com/en-us/defender-endpoint/microsoft-defender-antivirus-windows
WIN-DEF-002 - Enable Potentially Unwanted Application (PUA) Protection¶
Severity: High Category: Endpoint Protection Provider: Registry Delivery: Group Policy Reboot: No Tier: Essential
Microsoft Defender must block potentially unwanted applications (PUA) such as adware and bundled software. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.
Rationale. PUAs degrade performance and can be a foothold for further compromise.
Remediation. Set Windows Defender PUAProtection policy value to 1 (block).
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
References: - https://learn.microsoft.com/en-us/defender-endpoint/microsoft-defender-antivirus-windows
WIN-DEF-003 - Enable Defender Real-Time Protection¶
Severity: High Category: Endpoint Protection Provider: Registry Delivery: Group Policy Reboot: No Tier: Essential
Microsoft Defender real-time protection must not be disabled by policy. Group Policy setting: this control checks the corresponding Group Policy registry value; a domain Group Policy applied after hardening can override the local configuration.
Rationale. Disabling real-time protection removes continuous malware scanning.
Remediation. Ensure Real-Time Protection DisableRealtimeMonitoring is 0 (or absent).
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
References: - https://learn.microsoft.com/en-us/defender-endpoint/microsoft-defender-antivirus-windows
WIN-DEF-004 - Enable Cloud-Delivered Protection¶
Severity: Medium Category: Endpoint Protection Provider: Registry Delivery: Group Policy Reboot: No Tier: Standard
Microsoft Defender cloud-delivered protection (MAPS) must be enabled for faster protection against new threats. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.
Rationale. Without cloud protection, response to emerging threats is slower.
Remediation. Set Windows Defender Spynet SpynetReporting to 2 (Advanced MAPS).
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
References: - https://learn.microsoft.com/en-us/defender-endpoint/microsoft-defender-antivirus-windows
WIN-DEF-005 - Enable Network Protection¶
Severity: Medium Category: Endpoint Protection Provider: Registry Delivery: Group Policy Reboot: No Tier: Enterprise
Enable Defender network protection to block connections to dangerous domains and IP addresses. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.
Rationale. Without network protection, users and processes can reach phishing and exploit domains.
Remediation. Set Exploit Guard Network Protection EnableNetworkProtection to 1 (block mode). On Windows Server, AllowNetworkProtectionOnWinServer must also be enabled.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
References: - https://learn.microsoft.com/en-us/defender-endpoint/enable-network-protection
WIN-DEF-006 - Enable Controlled Folder Access¶
Severity: Medium Category: Endpoint Protection Provider: Registry Delivery: Group Policy Reboot: No Tier: Enterprise
Enable controlled folder access to protect key folders from unauthorized changes by untrusted apps (ransomware). Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.
Rationale. Ransomware can encrypt files in unprotected folders.
Remediation. Set Exploit Guard Controlled Folder Access EnableControlledFolderAccess to 1 (block mode).
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
References: - https://learn.microsoft.com/en-us/defender-endpoint/controlled-folder-access-configure
WIN-DEF-007 - Scan Removable Drives During Full Scan¶
Severity: Low Category: Endpoint Protection Provider: Registry Delivery: Group Policy Reboot: No Tier: Standard
Scan removable drives (such as USB) during a full antivirus scan. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.
Rationale. Malware on removable media can go undetected if such drives are skipped.
Remediation. Set Windows Defender Scan DisableRemovableDriveScanning to 0.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
References: - https://learn.microsoft.com/en-us/defender-endpoint/microsoft-defender-antivirus-windows
WIN-DEF-008 - Enable Block at First Sight¶
Severity: Medium Category: Endpoint Protection Provider: Registry Delivery: Group Policy Reboot: No Tier: Standard
Enable Defender block-at-first-sight rapid cloud verdicts for newly seen files. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.
Rationale. Novel malware may execute before traditional signatures are available.
Remediation. Set Windows Defender Spynet DisableBlockAtFirstSeen to 0 (requires cloud-delivered protection).
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
References: - https://learn.microsoft.com/en-us/defender-endpoint/microsoft-defender-antivirus-windows
WIN-DEF-009 - Enable Defender Behavior Monitoring¶
Severity: High Category: Endpoint Protection Provider: Registry Delivery: Group Policy Reboot: No Tier: Standard
Enable Defender behavior monitoring to detect malicious activity by behaviour, not just signatures. Group Policy setting: this control checks the corresponding Group Policy registry value; a domain Group Policy applied after hardening can override the local configuration.
Rationale. Disabling behaviour monitoring removes detection of fileless and living-off-the-land attacks.
Remediation. Set Windows Defender Real-Time Protection DisableBehaviorMonitoring to 0.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
References: - https://learn.microsoft.com/en-us/defender-endpoint/microsoft-defender-antivirus-windows
WIN-DEF-010 - Enable Email Scanning¶
Severity: Medium Category: Endpoint Protection Provider: Registry Delivery: Group Policy Reboot: No Tier: Standard
Scan email bodies and attachments for malware. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.
Rationale. Malware delivered by email can go undetected if email scanning is off.
Remediation. Set Windows Defender Scan DisableEmailScanning to 0.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
References: - https://learn.microsoft.com/en-us/defender-endpoint/microsoft-defender-antivirus-windows
WIN-DEF-011 - Enable Archive Scanning¶
Severity: Medium Category: Endpoint Protection Provider: Registry Delivery: Group Policy Reboot: No Tier: Standard
Scan inside archive files (such as .zip and .rar) for malware. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.
Rationale. Malware hidden in archives evades scanning if archive scanning is off.
Remediation. Set Windows Defender Scan DisableArchiveScanning to 0.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
References: - https://learn.microsoft.com/en-us/defender-endpoint/microsoft-defender-antivirus-windows
WIN-DEF-012 - Scan Mapped Network Drives During Full Scan¶
Severity: Low Category: Endpoint Protection Provider: Registry Delivery: Group Policy Reboot: No Tier: Standard
Include mapped network drives when running a full antivirus scan. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.
Rationale. Malware staged on mapped drives can be missed by full scans.
Remediation. Set Windows Defender Scan DisableScanningMappedNetworkDrivesForFullScan to 0.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
References: - https://learn.microsoft.com/en-us/defender-endpoint/microsoft-defender-antivirus-windows
WIN-DEF-013 - Scan Downloaded Files and Attachments¶
Severity: High Category: Endpoint Protection Provider: Registry Delivery: Group Policy Reboot: No Tier: Standard
Scan downloaded files and attachments in real time (IOAV protection). Group Policy setting: this control checks the corresponding Group Policy registry value; a domain Group Policy applied after hardening can override the local configuration.
Rationale. Disabling IOAV protection lets downloaded malware execute unscanned.
Remediation. Set Windows Defender Real-Time Protection DisableIOAVProtection to 0.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
References: - https://learn.microsoft.com/en-us/defender-endpoint/microsoft-defender-antivirus-windows
WIN-DEF-014 - Disable Local Admin Merge of Defender Preferences¶
Severity: Medium Category: Endpoint Protection Provider: Registry Delivery: Group Policy Reboot: No Tier: Standard
Prevent local administrators from merging their own Defender exclusions and preferences with policy. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.
Rationale. Local admin merge lets an attacker with local admin hide exclusions from central policy.
Remediation. Set Windows Defender DisableLocalAdminMerge to 1.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
References: - https://learn.microsoft.com/en-us/defender-endpoint/microsoft-defender-antivirus-windows
WIN-DEF-015 - Enable Real-Time Script Scanning¶
Severity: Medium Category: Endpoint Protection Provider: Registry Delivery: Group Policy Reboot: No Tier: Standard
Scan scripts as they run (real-time script scanning). Group Policy setting: this control checks the corresponding Group Policy registry value; a domain Group Policy applied after hardening can override the local configuration.
Rationale. Malicious scripts execute unscanned when script scanning is disabled.
Remediation. Set Windows Defender Real-Time Protection DisableScriptScanning to 0.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
References: - https://learn.microsoft.com/en-us/defender-endpoint/microsoft-defender-antivirus-windows
WIN-DEF-016 - Enable Defender File Hash Computation¶
Severity: Low Category: Endpoint Protection Provider: Registry Delivery: Group Policy Reboot: No Tier: Standard
Compute file hashes for all executed files so indicators can be matched. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.
Rationale. Without hash computation, hash-based threat indicators cannot match.
Remediation. Set Windows Defender MpEngine EnableFileHashComputation to 1.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-DEF-017 - Notify Antivirus When Opening Attachments (Default Profile)¶
Severity: Medium Category: Endpoint Protection Provider: Registry Delivery: Group Policy Reboot: No Tier: Standard
Have antivirus scan file attachments when they are opened, for the default profile. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.
Rationale. Unscanned attachments are a primary malware delivery vector.
Remediation. Set default-profile Policies Attachments ScanWithAntiVirus to 3.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-ELAM-001 - Boot-Start Driver Initialization Policy¶
Severity: Medium Category: Endpoint Protection Provider: Registry Delivery: Group Policy Reboot: No Tier: Standard
Let Early Launch Antimalware evaluate boot-start drivers (Good, Unknown, and Bad but Critical). Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.
Rationale. Unvetted boot-start drivers can load rootkits before antimalware starts.
Remediation. Set EarlyLaunch DriverLoadPolicy to 3.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-EVTLOG-001 - Application Event Log Maximum Size (>= 32 MB)¶
Severity: Medium Category: Logging and Monitoring Provider: Registry Delivery: Group Policy Reboot: No Tier: Standard
The Application event log must be at least 32,768 KB so events are retained long enough to investigate. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.
Rationale. A small log wraps quickly and loses evidence of an incident.
Remediation. Set EventLog Application MaxSize to at least 32768 (KB).
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 SOC 2 ISO/IEC 27001 Microsoft Security Baselines NIS2
WIN-EVTLOG-002 - Application Event Log Retention (Overwrite as Needed)¶
Severity: Low Category: Logging and Monitoring Provider: Registry Delivery: Group Policy Reboot: No Tier: Standard
The Application event log must overwrite oldest events when full rather than halting logging. Group Policy setting: this control checks the corresponding Group Policy registry value; a domain Group Policy applied after hardening can override the local configuration.
Rationale. A non-overwriting full log can stop new events or the system.
Remediation. Set EventLog Application Retention to 0 (overwrite events as needed).
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 SOC 2 ISO/IEC 27001 Microsoft Security Baselines NIS2
WIN-EVTLOG-003 - Security Event Log Maximum Size (>= 192 MB)¶
Severity: High Category: Logging and Monitoring Provider: Registry Delivery: Group Policy Reboot: No Tier: Standard
The Security event log must be at least 196,608 KB given its high event volume. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.
Rationale. A small Security log wraps quickly and loses critical audit evidence.
Remediation. Set EventLog Security MaxSize to at least 196608 (KB).
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 SOC 2 ISO/IEC 27001 Microsoft Security Baselines NIS2
WIN-EVTLOG-004 - Security Event Log Retention (Overwrite as Needed)¶
Severity: Low Category: Logging and Monitoring Provider: Registry Delivery: Group Policy Reboot: No Tier: Standard
The Security event log must overwrite oldest events when full rather than halting logging. Group Policy setting: this control checks the corresponding Group Policy registry value; a domain Group Policy applied after hardening can override the local configuration.
Rationale. A non-overwriting full Security log can stop new events or the system.
Remediation. Set EventLog Security Retention to 0 (overwrite events as needed).
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 SOC 2 ISO/IEC 27001 Microsoft Security Baselines NIS2
WIN-EVTLOG-005 - Setup Event Log Maximum Size (>= 32 MB)¶
Severity: Low Category: Logging and Monitoring Provider: Registry Delivery: Group Policy Reboot: No Tier: Standard
The Setup event log must be at least 32,768 KB. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.
Rationale. A small Setup log loses servicing and setup history.
Remediation. Set EventLog Setup MaxSize to at least 32768 (KB).
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 SOC 2 ISO/IEC 27001 Microsoft Security Baselines NIS2
WIN-EVTLOG-006 - Setup Event Log Retention (Overwrite as Needed)¶
Severity: Low Category: Logging and Monitoring Provider: Registry Delivery: Group Policy Reboot: No Tier: Standard
The Setup event log must overwrite oldest events when full rather than halting logging. Group Policy setting: this control checks the corresponding Group Policy registry value; a domain Group Policy applied after hardening can override the local configuration.
Rationale. A non-overwriting full Setup log can stop new events.
Remediation. Set EventLog Setup Retention to 0 (overwrite events as needed).
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 SOC 2 ISO/IEC 27001 Microsoft Security Baselines NIS2
WIN-EVTLOG-007 - System Event Log Maximum Size (>= 32 MB)¶
Severity: Medium Category: Logging and Monitoring Provider: Registry Delivery: Group Policy Reboot: No Tier: Standard
The System event log must be at least 32,768 KB. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.
Rationale. A small System log wraps quickly and loses evidence.
Remediation. Set EventLog System MaxSize to at least 32768 (KB).
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 SOC 2 ISO/IEC 27001 Microsoft Security Baselines NIS2
WIN-EVTLOG-008 - System Event Log Retention (Overwrite as Needed)¶
Severity: Low Category: Logging and Monitoring Provider: Registry Delivery: Group Policy Reboot: No Tier: Standard
The System event log must overwrite oldest events when full rather than halting logging. Group Policy setting: this control checks the corresponding Group Policy registry value; a domain Group Policy applied after hardening can override the local configuration.
Rationale. A non-overwriting full System log can stop new events or the system.
Remediation. Set EventLog System Retention to 0 (overwrite events as needed).
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 SOC 2 ISO/IEC 27001 Microsoft Security Baselines NIS2
WIN-EVTLOG-009 - Security Log Near-Capacity Warning Threshold¶
Severity: Low Category: Logging and Monitoring Provider: Registry Delivery: Direct Reboot: No Tier: Standard
Raise an event when the Security log reaches 90% of capacity.
Rationale. Without a warning, the Security log can fill silently and lose events.
Remediation. Set Eventlog Security WarningLevel to 90 or fewer.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 SOC 2 ISO/IEC 27001 Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-FW-001 - Windows Firewall Enabled (All Profiles)¶
Severity: High Category: Host Firewall Provider: Firewall Delivery: Direct Reboot: No Tier: Essential
The Windows Defender Firewall must be enabled for the Domain, Private and Public profiles to enforce host-based network filtering.
Rationale. Unrestricted inbound network access if the host firewall is disabled.
Remediation. Enable Windows Defender Firewall on the Domain, Private and Public profiles (Set-NetFirewallProfile -Enabled True).
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 FedRAMP CMMC Level 2 PCI DSS v4.0 SOC 2 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
References: - https://learn.microsoft.com/en-us/windows/security/operating-system-security/network-security/windows-firewall/
WIN-FW-002 - Block Inbound Connections by Default (Domain Profile)¶
Severity: Medium Category: Host Firewall Provider: Registry Delivery: Group Policy Reboot: No Tier: Standard
The domain firewall profile must block inbound connections that do not match a rule. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.
Rationale. A permissive default inbound action exposes unlisted services to the network.
Remediation. Set WindowsFirewall DomainProfile DefaultInboundAction to 1 (Block).
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
References: - https://learn.microsoft.com/en-us/windows/security/operating-system-security/network-security/windows-firewall/
WIN-FW-003 - Block Inbound Connections by Default (Private Profile)¶
Severity: Medium Category: Host Firewall Provider: Registry Delivery: Group Policy Reboot: No Tier: Standard
The private firewall profile must block inbound connections that do not match a rule. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.
Rationale. A permissive default inbound action exposes unlisted services to the network.
Remediation. Set WindowsFirewall StandardProfile DefaultInboundAction to 1 (Block).
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
References: - https://learn.microsoft.com/en-us/windows/security/operating-system-security/network-security/windows-firewall/
WIN-FW-004 - Block Inbound Connections by Default (Public Profile)¶
Severity: Medium Category: Host Firewall Provider: Registry Delivery: Group Policy Reboot: No Tier: Standard
The public firewall profile must block inbound connections that do not match a rule. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.
Rationale. A permissive default inbound action exposes unlisted services on untrusted networks.
Remediation. Set WindowsFirewall PublicProfile DefaultInboundAction to 1 (Block).
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
References: - https://learn.microsoft.com/en-us/windows/security/operating-system-security/network-security/windows-firewall/
WIN-FW-005 - Log Dropped Packets (Public Profile)¶
Severity: Low Category: Host Firewall Provider: Registry Delivery: Group Policy Reboot: No Tier: Standard
The public firewall profile must log dropped packets for troubleshooting and detection. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.
Rationale. Without firewall logging, blocked-connection attempts leave no forensic trail.
Remediation. Set WindowsFirewall PublicProfile Logging LogDroppedPackets to 1.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
References: - https://learn.microsoft.com/en-us/windows/security/operating-system-security/network-security/windows-firewall/
WIN-GPO-001 - Registry Policy Processing: Apply During Background Refresh¶
Severity: Low Category: Access Control Provider: Registry Delivery: Group Policy Reboot: No Tier: Standard
Apply registry Group Policy during periodic background refresh. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.
Rationale. If background processing is off, security policy drift is not re-corrected.
Remediation. Set Group Policy {35378EAC-683F-11D2-A89A-00C04FBBCFA2} NoBackgroundPolicy to 0.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-GPO-002 - Registry Policy Processing: Process Even If Unchanged¶
Severity: Low Category: Access Control Provider: Registry Delivery: Group Policy Reboot: No Tier: Standard
Reapply registry Group Policy even when the GPOs have not changed. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.
Rationale. Local tampering with policy-set values persists until the GPO changes if this is off.
Remediation. Set Group Policy {35378EAC-683F-11D2-A89A-00C04FBBCFA2} NoGPOListChanges to 0.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-GPO-003 - Disable Continue Experiences (Connected Devices Platform)¶
Severity: Low Category: Attack Surface Reduction Provider: Registry Delivery: Group Policy Reboot: No Tier: Standard
Disable the Connected Devices Platform used for cross-device continue experiences. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.
Rationale. CDP opens network discovery and data-sharing not needed on servers.
Remediation. Set System EnableCdp to 0.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-INET-001 - Turn Off Downloading of Print Drivers Over HTTP¶
Severity: Low Category: Network Protocols Provider: Registry Delivery: Group Policy Reboot: No Tier: Standard
Prevent downloading printer drivers over HTTP. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.
Rationale. HTTP driver download can deliver untrusted driver code.
Remediation. Set Printers DisableWebPnPDownload to 1.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-INET-002 - Turn Off Printing Over HTTP¶
Severity: Low Category: Network Protocols Provider: Registry Delivery: Group Policy Reboot: No Tier: Standard
Prevent the client from printing over HTTP. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.
Rationale. HTTP printing exposes an unnecessary outbound channel.
Remediation. Set Printers DisableHTTPPrinting to 1.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-INET-003 - Turn Off Windows Error Reporting¶
Severity: Low Category: Attack Surface Reduction Provider: Registry Delivery: Group Policy Reboot: No Tier: Standard
Disable Windows Error Reporting so crash data is not sent externally. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.
Rationale. Error reports can leak sensitive memory contents off the host.
Remediation. Set Windows Error Reporting Disabled to 1.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-INET-004 - Turn Off Windows Customer Experience Improvement Program¶
Severity: Low Category: Attack Surface Reduction Provider: Registry Delivery: Group Policy Reboot: No Tier: Standard
Disable the Windows CEIP telemetry channel. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.
Rationale. CEIP sends usage telemetry that is unnecessary on hardened servers.
Remediation. Set SQMClient Windows CEIPEnable to 0.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-INET-005 - Turn Off Internet Download for Web Publishing and Online Ordering¶
Severity: Low Category: Attack Surface Reduction Provider: Registry Delivery: Group Policy Reboot: No Tier: Standard
Disable Web publishing and online ordering wizards that fetch content from the internet. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.
Rationale. These wizards create unnecessary outbound web interactions.
Remediation. Set Explorer NoWebServices to 1.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-INET-006 - Turn Off Internet Connection Wizard If URL Connection¶
Severity: Low Category: Attack Surface Reduction Provider: Registry Delivery: Group Policy Reboot: No Tier: Standard
Prevent the Internet Connection Wizard from contacting Microsoft. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.
Rationale. Unneeded internet connectivity checks widen the outbound surface.
Remediation. Set Internet Connection Wizard ExitOnMSICW to 1.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-INET-007 - Turn Off Search Companion Content File Updates¶
Severity: Low Category: Attack Surface Reduction Provider: Registry Delivery: Group Policy Reboot: No Tier: Standard
Prevent Search Companion from downloading content updates over the internet. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.
Rationale. Automatic content downloads are unnecessary outbound traffic.
Remediation. Set SearchCompanion DisableContentFileUpdates to 1.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-INSTALL-001 - Disable Always Install Elevated¶
Severity: High Category: Privilege Management Provider: Registry Delivery: Group Policy Reboot: No Tier: Standard
Windows Installer must not install packages with elevated privileges for standard users. Group Policy setting: this control checks the corresponding Group Policy registry value; a domain Group Policy applied after hardening can override the local configuration.
Rationale. AlwaysInstallElevated lets any user install software as SYSTEM - a privilege-escalation path.
Remediation. Ensure Installer AlwaysInstallElevated is 0 (or absent). Remove any policy enabling it.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark CMMC Level 2 HIPAA Security Rule Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-INSTALL-002 - Disable User Control Over Windows Installer¶
Severity: Medium Category: Privilege Management Provider: Registry Delivery: Group Policy Reboot: No Tier: Standard
Prevent users from changing installer options that are normally admin-only. Group Policy setting: this control checks the corresponding Group Policy registry value; a domain Group Policy applied after hardening can override the local configuration.
Rationale. User control over installs can be abused to elevate or bypass policy.
Remediation. Set Installer EnableUserControl to 0.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-KRB-001 - Configure Kerberos Encryption Types (AES only)¶
Severity: Medium Category: Authentication Provider: Registry Delivery: Group Policy Reboot: No Tier: Standard
Allow only AES (and future) encryption types for Kerberos, disabling weak DES and RC4. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.
Rationale. Weak Kerberos ciphers (DES, RC4) are susceptible to Kerberoasting and cracking.
Remediation. Set Kerberos Parameters SupportedEncryptionTypes to 2147483640 (AES128, AES256, future types).
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-LDAP-001 - LDAP Client Signing¶
Severity: Medium Category: Authentication Provider: Registry Delivery: Direct Reboot: No Tier: Standard
The LDAP client must negotiate signing to protect directory queries from tampering and relay.
Rationale. Unsigned LDAP traffic is vulnerable to man-in-the-middle and relay attacks.
Remediation. Set Services LDAP LDAPClientIntegrity to 1 (negotiate signing).
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-LOCK-001 - Account Lockout Threshold¶
Severity: Medium Category: Account Policy Provider: SecEdit Delivery: Direct Reboot: No Tier: Standard
The account lockout threshold must be set to a non-zero value of 5 or fewer invalid logon attempts to resist password guessing.
Rationale. Unlimited logon attempts enable brute-force password attacks.
Remediation. Set the account lockout threshold to a non-zero value of 5 or fewer invalid attempts (Account Policies, Account Lockout Policy).
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 CMMC Level 2 PCI DSS v4.0 ISO/IEC 27001 Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-LOCK-002 - Account Lockout Duration¶
Severity: Medium Category: Account Policy Provider: SecEdit Delivery: Direct Reboot: No Tier: Standard
A locked account should remain locked long enough to slow automated password guessing.
Rationale. A short lockout duration lets attackers resume guessing quickly.
Remediation. Set the account lockout duration to 15 minutes or more.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-LOCK-003 - Reset Account Lockout Counter¶
Severity: Medium Category: Account Policy Provider: SecEdit Delivery: Direct Reboot: No Tier: Standard
The failed-logon counter should persist long enough to make lockout thresholds effective.
Rationale. A short reset window weakens the lockout threshold against slow guessing.
Remediation. Set the reset account lockout counter to 15 minutes or more.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-LOGON-001 - Machine Inactivity Limit¶
Severity: Medium Category: Access Control Provider: Registry Delivery: Group Policy Reboot: No Tier: Standard
The machine must lock after a period of inactivity to protect unattended sessions. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.
Rationale. Unattended, unlocked sessions can be hijacked by anyone with physical or console access.
Remediation. Set Policies System InactivityTimeoutSecs to 900 (15 minutes) or fewer.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-LOGON-002 - Do Not Display Last Signed-In User¶
Severity: Low Category: Access Control Provider: Registry Delivery: Group Policy Reboot: No Tier: Standard
The last signed-in username must not be displayed at the logon screen. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.
Rationale. Displaying the last user discloses a valid account name to attackers.
Remediation. Set Policies System DontDisplayLastUserName to 1.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-LOGON-003 - Limit Number of Cached Logons¶
Severity: Medium Category: Access Control Provider: Registry Delivery: Direct Reboot: No Tier: Standard
The number of cached domain logon credentials must be limited to reduce offline credential-theft exposure.
Rationale. Cached credentials can be extracted and cracked offline.
Remediation. Set Winlogon CachedLogonsCount to 4 or fewer.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-LOGON-004 - Require Ctrl+Alt+Del at Logon¶
Severity: Low Category: Access Control Provider: Registry Delivery: Group Policy Reboot: No Tier: Standard
Users must press Ctrl+Alt+Del before signing in to guarantee a trusted logon path. Group Policy setting: this control checks the corresponding Group Policy registry value; a domain Group Policy applied after hardening can override the local configuration.
Rationale. Without the secure attention sequence, credential-harvesting spoofed logon screens are possible.
Remediation. Set Policies System DisableCAD to 0 (require Ctrl+Alt+Del).
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-LOGON-005 - Smart Card Removal Behavior (Lock Workstation)¶
Severity: Low Category: Access Control Provider: Registry Delivery: Direct Reboot: No Tier: Enterprise
Lock the workstation when a logged-on user removes their smart card.
Rationale. An unlocked, unattended session after card removal is open to misuse.
Remediation. Set Winlogon ScRemoveOption to 1 (Lock Workstation).
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-LOGON-006 - Disable Automatic Logon¶
Severity: Medium Category: Access Control Provider: Registry Delivery: Direct Reboot: No Tier: Standard
Disable automatic logon, which stores a plaintext password in the registry.
Rationale. AutoAdminLogon stores credentials in cleartext and logs in without authentication.
Remediation. Set Winlogon AutoAdminLogon to 0.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-LOGON-007 - Do Not Allow System to Be Shut Down Without Logging On¶
Severity: Low Category: Access Control Provider: Registry Delivery: Group Policy Reboot: No Tier: Standard
Require authentication before the system can be shut down. Group Policy setting: this control checks the corresponding Group Policy registry value; a domain Group Policy applied after hardening can override the local configuration.
Rationale. Unauthenticated shutdown from the logon screen enables denial of service.
Remediation. Set Policies System ShutdownWithoutLogon to 0.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-LOGON-008 - Require Domain Controller Authentication to Unlock Workstation¶
Severity: Medium Category: Access Control Provider: Registry Delivery: Direct Reboot: No Tier: Enterprise
Require a domain controller to authenticate the account when unlocking a locked session.
Rationale. Cached-credential unlock ignores recent account disable/lockout changes.
Remediation. Set Winlogon ForceUnlockLogon to 1 (best paired with cached logons = 0).
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-LOGON-009 - Do Not Enumerate Connected Users on Domain-Joined Computers¶
Severity: Medium Category: Access Control Provider: Registry Delivery: Group Policy Reboot: No Tier: Standard
Do not show connected users on the sign-in screen of domain-joined servers. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.
Rationale. Enumerating users discloses valid account names to anyone at the console.
Remediation. Set System DontEnumerateConnectedUsers to 1.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-LOGON-010 - Do Not Enumerate Local Users on Domain-Joined Computers¶
Severity: Medium Category: Access Control Provider: Registry Delivery: Group Policy Reboot: No Tier: Standard
Do not enumerate local users on domain-joined servers. Group Policy setting: this control checks the corresponding Group Policy registry value; a domain Group Policy applied after hardening can override the local configuration.
Rationale. Enumerating local users discloses valid account names.
Remediation. Set System EnumerateLocalUsers to 0.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-LOGON-011 - Block User From Showing Account Details on Sign-In¶
Severity: Low Category: Access Control Provider: Registry Delivery: Group Policy Reboot: No Tier: Standard
Prevent display of account details (such as email) on the sign-in screen. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.
Rationale. Exposed account details aid social-engineering and targeting.
Remediation. Set System BlockUserFromShowingAccountDetailsOnSignin to 1.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-LOGON-012 - Do Not Display Network Selection UI¶
Severity: Low Category: Access Control Provider: Registry Delivery: Group Policy Reboot: No Tier: Standard
Hide the network selection UI on the sign-in screen. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.
Rationale. The network UI lets an unauthenticated user change connectivity from the lock screen.
Remediation. Set System DontDisplayNetworkSelectionUI to 1.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-LOGON-013 - Turn Off App Notifications on the Lock Screen¶
Severity: Low Category: Access Control Provider: Registry Delivery: Group Policy Reboot: No Tier: Standard
Prevent app notifications from appearing on the lock screen. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.
Rationale. Lock-screen notifications can leak sensitive information.
Remediation. Set System DisableLockScreenAppNotifications to 1.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-LOGON-014 - Disable Convenience PIN Sign-In¶
Severity: Medium Category: Access Control Provider: Registry Delivery: Group Policy Reboot: No Tier: Standard
Disable domain convenience PIN sign-in. Group Policy setting: this control checks the corresponding Group Policy registry value; a domain Group Policy applied after hardening can override the local configuration.
Rationale. A convenience PIN is a weaker credential than a full domain password.
Remediation. Set System AllowDomainPINLogon to 0.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-LOGON-015 - Disable Automatic Restart Sign-On (ARSO)¶
Severity: Medium Category: Access Control Provider: Registry Delivery: Group Policy Reboot: No Tier: Standard
Do not automatically sign in and lock the last user after a restart. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.
Rationale. ARSO caches credentials to auto-sign-in after updates, a credential-exposure risk.
Remediation. Set System DisableAutomaticRestartSignOn to 1.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-LOGON-016 - Screen Saver Grace Period¶
Severity: Low Category: Access Control Provider: Registry Delivery: Direct Reboot: No Tier: Standard
Limit the grace period before a password-protected screen saver locks the session.
Rationale. A long grace period lets someone dismiss the screen saver without the password.
Remediation. Set Winlogon ScreenSaverGracePeriod to 5 (seconds) or fewer.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-LOGON-017 - Turn Off Toast Notifications on the Lock Screen (Default Profile)¶
Severity: Low Category: Access Control Provider: Registry Delivery: Group Policy Reboot: No Tier: Standard
Prevent toast notifications from appearing on the lock screen for the default profile. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.
Rationale. Lock-screen notifications can leak sensitive information.
Remediation. Set default-profile PushNotifications NoToastApplicationNotificationOnLockScreen to 1.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-LOGON-018 - Logon Legal Notice Text¶
Severity: Low Category: Access Control Provider: Registry Delivery: Group Policy Reboot: No Tier: Standard
Display a legal warning banner (message text) before interactive and Remote Desktop logon. Audits that a non-empty banner is set; the applied default authorized-use text can be replaced with your own wording. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.
Rationale. Without a logon banner, users are not warned that access is authorized-only and monitored, weakening legal and deterrence posture.
Remediation. Set Policies System LegalNoticeText to your organisation authorized-use warning (any non-empty value). Customise by editing this control apply value.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-LOGON-019 - Logon Legal Notice Title¶
Severity: Low Category: Access Control Provider: Registry Delivery: Group Policy Reboot: No Tier: Standard
Set the title bar caption for the logon warning banner. Audits that a non-empty caption is set; the applied default can be replaced with your own wording. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.
Rationale. A banner with no title is less clear and less authoritative as a legal warning.
Remediation. Set Policies System LegalNoticeCaption to a non-empty title. Customise by editing this control apply value.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-LSA-001 - Do Not Store LAN Manager Hash¶
Severity: High Category: Credential Protection Provider: Registry Delivery: Direct Reboot: No Tier: Essential
The weak LAN Manager hash of passwords must not be stored on next password change.
Rationale. LM hashes are easily cracked, exposing account passwords.
Remediation. Set Lsa NoLMHash to 1 so LM hashes are not stored.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark CMMC Level 2 HIPAA Security Rule Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-LSA-002 - Restrict Anonymous SID Enumeration¶
Severity: Medium Category: Access Control Provider: Registry Delivery: Direct Reboot: No Tier: Standard
Anonymous users must not be able to enumerate SIDs and account names.
Rationale. Anonymous enumeration aids reconnaissance and targeted attacks.
Remediation. Set Lsa RestrictAnonymous to 1 to restrict anonymous enumeration.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-LSA-003 - Enable LSASS Protection (RunAsPPL)¶
Severity: High Category: Credential Protection Provider: Registry Delivery: Direct Reboot: Yes Tier: Enterprise
LSASS must run as a protected process (PPL) to resist credential theft tools.
Rationale. Unprotected LSASS memory can be dumped to steal credentials.
Remediation. Set Lsa RunAsPPL to 1 to run LSASS as a protected process. Requires a reboot.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark CMMC Level 2 HIPAA Security Rule Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-LSA-004 - Do Not Allow Anonymous Enumeration of SAM Accounts¶
Severity: Medium Category: Access Control Provider: Registry Delivery: Direct Reboot: No Tier: Standard
Anonymous users must not be able to enumerate SAM accounts.
Rationale. Anonymous SAM enumeration aids account discovery and password attacks.
Remediation. Set Lsa RestrictAnonymousSAM to 1.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-LSA-005 - Enable Structured Exception Handling Overwrite Protection (SEHOP)¶
Severity: Medium Category: Exploit Protection Provider: Registry Delivery: Direct Reboot: No Tier: Standard
SEHOP must be enabled to block Structured Exception Handler overwrite exploitation.
Rationale. SEH overwrite is a common memory-corruption exploitation technique.
Remediation. Ensure Session Manager kernel DisableExceptionChainValidation is 0 (SEHOP enabled).
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-LSA-006 - Digitally Encrypt or Sign Secure Channel Data (Always)¶
Severity: Medium Category: Authentication Provider: Registry Delivery: Direct Reboot: No Tier: Standard
All domain secure-channel traffic must be signed or encrypted.
Rationale. Unsigned secure-channel traffic is vulnerable to tampering and replay.
Remediation. Set Netlogon Parameters RequireSignOrSeal to 1.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-LSA-007 - Do Not Apply Everyone Permissions to Anonymous Users¶
Severity: Medium Category: Access Control Provider: Registry Delivery: Direct Reboot: No Tier: Standard
The Everyone SID must not be applied to anonymous connections.
Rationale. Applying Everyone permissions to anonymous users grants broad unauthenticated access.
Remediation. Set Lsa EveryoneIncludesAnonymous to 0.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-LSA-008 - Restrict Clients Allowed to Make Remote SAM Calls¶
Severity: Medium Category: Access Control Provider: Registry Delivery: Direct Reboot: No Tier: Standard
Restrict remote SAM (SAMRPC) enumeration to the local Administrators group.
Rationale. Remote SAM enumeration lets low-privilege attackers map users, groups, and admins.
Remediation. Set Lsa RestrictRemoteSam to the SDDL O:SYG:SYD:(A;;RC;;;BA) (Administrators only).
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-LSA-009 - Limit Local Account Use of Blank Passwords¶
Severity: High Category: Access Control Provider: Registry Delivery: Direct Reboot: No Tier: Standard
Restrict local accounts with blank passwords to console logon only (no remote/network logon).
Rationale. Blank-password local accounts allow trivial remote access if guessed or known.
Remediation. Set Lsa LimitBlankPasswordUse to 1.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-LSA-010 - Sharing and Security Model for Local Accounts (Classic)¶
Severity: Medium Category: Access Control Provider: Registry Delivery: Direct Reboot: No Tier: Standard
Local accounts authenticate as themselves (Classic), not mapped to Guest.
Rationale. The Guest-only model weakens access control by treating all local network logons equally.
Remediation. Set Lsa ForceGuest to 0 (Classic - local users authenticate as themselves).
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-LSA-011 - Disallow LocalSystem NULL Session Fallback¶
Severity: Medium Category: Access Control Provider: Registry Delivery: Direct Reboot: No Tier: Standard
Prevent LocalSystem services from falling back to unprotected NULL-session authentication.
Rationale. NULL-session fallback transmits data with a well-known key, providing no confidentiality or integrity.
Remediation. Set Lsa MSV1_0 AllowNullSessionFallback to 0.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-LSA-012 - Strengthen Default Permissions of Internal System Objects¶
Severity: Low Category: Access Control Provider: Registry Delivery: Direct Reboot: No Tier: Standard
Strengthen the default DACL on shared system objects so non-administrators cannot modify objects they did not create.
Rationale. Weak default object permissions enable symbolic-link and predictable-name attacks.
Remediation. Set Session Manager ProtectionMode to 1.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-LSA-013 - Digitally Encrypt Secure Channel Data (When Possible)¶
Severity: Medium Category: Authentication Provider: Registry Delivery: Direct Reboot: No Tier: Standard
Encrypt domain secure-channel traffic whenever the domain controller supports it.
Rationale. Unencrypted secure-channel data can be read in transit.
Remediation. Set Netlogon Parameters SealSecureChannel to 1.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-LSA-014 - Digitally Sign Secure Channel Data (When Possible)¶
Severity: Medium Category: Authentication Provider: Registry Delivery: Direct Reboot: No Tier: Standard
Sign domain secure-channel traffic whenever the domain controller supports it.
Rationale. Unsigned secure-channel data can be tampered with in transit.
Remediation. Set Netlogon Parameters SignSecureChannel to 1.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-LSA-015 - Do Not Disable Machine Account Password Changes¶
Severity: Medium Category: Authentication Provider: Registry Delivery: Direct Reboot: No Tier: Standard
Allow periodic machine-account password changes.
Rationale. A static machine-account password is easier to compromise and replay.
Remediation. Set Netlogon Parameters DisablePasswordChange to 0.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-LSA-016 - Maximum Machine Account Password Age (30 Days)¶
Severity: Low Category: Authentication Provider: Registry Delivery: Direct Reboot: No Tier: Standard
The machine-account password must be rotated at least every 30 days.
Rationale. Infrequent rotation extends the window for a stolen machine password.
Remediation. Set Netlogon Parameters MaximumPasswordAge to 30.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-LSA-017 - Require Strong (Windows 2000 or Later) Session Key¶
Severity: Medium Category: Authentication Provider: Registry Delivery: Direct Reboot: No Tier: Standard
Require a strong 128-bit secure-channel session key.
Rationale. Weak 64-bit session keys are more vulnerable to eavesdropping and hijacking.
Remediation. Set Netlogon Parameters RequireStrongKey to 1.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-LSA-018 - Do Not Store Passwords and Credentials for Network Authentication¶
Severity: High Category: Credential Protection Provider: Registry Delivery: Direct Reboot: No Tier: Standard
Prevent caching of network-authentication passwords and credentials.
Rationale. Cached network credentials can be harvested from a compromised host.
Remediation. Set Lsa DisableDomainCreds to 1.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-LSA-019 - Require Case Insensitivity for Non-Windows Subsystems¶
Severity: Low Category: Access Control Provider: Registry Delivery: Direct Reboot: Yes Tier: Standard
Enforce case insensitivity for all subsystems, including POSIX.
Rationale. Case-sensitive object names can be used to bypass name-based access checks.
Remediation. Set Session Manager Kernel ObCaseInsensitive to 1.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-NET-001 - Disable LLMNR¶
Severity: Medium Category: Network Protocols Provider: Registry Delivery: Group Policy Reboot: No Tier: Standard
Link-Local Multicast Name Resolution (LLMNR) must be disabled to prevent name-resolution poisoning and credential capture. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.
Rationale. LLMNR enables responder-style spoofing and NTLM credential theft.
Remediation. Set DNSClient EnableMulticast to 0 to disable LLMNR.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-NET-002 - Disable IPv4 Source Routing¶
Severity: Medium Category: Network Protocols Provider: Registry Delivery: Direct Reboot: No Tier: Standard
IPv4 source routing must be disabled to prevent source-routed packet spoofing.
Rationale. Source routing lets attackers dictate the network path of packets, aiding spoofing.
Remediation. Set Tcpip Parameters DisableIPSourceRouting to 2 (highest protection).
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-NET-003 - Disable ICMP Redirects¶
Severity: Low Category: Network Protocols Provider: Registry Delivery: Direct Reboot: No Tier: Standard
ICMP redirects must not override OSPF-generated routes.
Rationale. ICMP redirects can be abused to reroute traffic through an attacker.
Remediation. Set Tcpip Parameters EnableICMPRedirect to 0.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-NET-004 - Disable IPv6 Source Routing¶
Severity: Medium Category: Network Protocols Provider: Registry Delivery: Direct Reboot: No Tier: Standard
IPv6 source routing must be disabled to prevent source-routed packet spoofing.
Rationale. IPv6 source routing enables path manipulation and spoofing.
Remediation. Set Tcpip6 Parameters DisableIPSourceRouting to 2.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-NET-005 - Ignore NetBIOS Name Release Requests¶
Severity: Low Category: Network Protocols Provider: Registry Delivery: Direct Reboot: No Tier: Standard
Ignore NetBIOS name-release requests except from WINS servers.
Rationale. Malicious name-release requests enable NetBIOS denial-of-service and spoofing.
Remediation. Set Netbt Parameters NoNameReleaseOnDemand to 1.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-NET-006 - Disable mDNS¶
Severity: Medium Category: Network Protocols Provider: Registry Delivery: Direct Reboot: No Tier: Standard
Disable multicast DNS (mDNS) name resolution.
Rationale. mDNS, like LLMNR, can be abused for name-resolution spoofing and credential harvesting.
Remediation. Set Dnscache Parameters EnableMDNS to 0.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-NET-007 - Enable Safe DLL Search Mode¶
Severity: Medium Category: Exploit Protection Provider: Registry Delivery: Direct Reboot: No Tier: Standard
Use safe DLL search order so system locations are searched before the current directory.
Rationale. Unsafe DLL search order enables DLL-planting (DLL hijacking) attacks.
Remediation. Set Session Manager SafeDllSearchMode to 1.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-NET-008 - Hardened UNC Path for SYSVOL¶
Severity: High Category: Network Protocols Provider: Registry Delivery: Group Policy Reboot: No Tier: Standard
Require mutual authentication and integrity for access to the SYSVOL share. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.
Rationale. Unhardened SYSVOL access enables Group Policy man-in-the-middle attacks.
Remediation. Set NetworkProvider HardenedPaths \*\SYSVOL to RequireMutualAuthentication=1, RequireIntegrity=1.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-NET-009 - Hardened UNC Path for NETLOGON¶
Severity: High Category: Network Protocols Provider: Registry Delivery: Group Policy Reboot: No Tier: Standard
Require mutual authentication and integrity for access to the NETLOGON share. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.
Rationale. Unhardened NETLOGON access enables logon-script man-in-the-middle attacks.
Remediation. Set NetworkProvider HardenedPaths \*\NETLOGON to RequireMutualAuthentication=1, RequireIntegrity=1.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-NET-010 - Disable Font Providers¶
Severity: Low Category: Attack Surface Reduction Provider: Registry Delivery: Group Policy Reboot: No Tier: Standard
Prevent Windows from fetching fonts from online font providers. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.
Rationale. Font provider calls are unnecessary outbound network traffic.
Remediation. Set System EnableFontProviders to 0.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-NET-011 - Turn Off Smart Multi-Homed Name Resolution¶
Severity: Medium Category: Network Protocols Provider: Registry Delivery: Group Policy Reboot: No Tier: Standard
Disable smart multi-homed name resolution, which can send DNS queries on all interfaces. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.
Rationale. Multi-homed resolution can leak internal names and enable spoofing responses.
Remediation. Set Windows NT DNSClient DisableSmartNameResolution to 1.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-NET-012 - Prohibit Installation of Network Bridge¶
Severity: Low Category: Network Protocols Provider: Registry Delivery: Group Policy Reboot: No Tier: Standard
Prevent users from installing and configuring a Network Bridge. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.
Rationale. A network bridge can join isolated network segments and bypass controls.
Remediation. Set Network Connections NC_AllowNetBridge_NLA to 0.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-NET-013 - Prohibit Internet Connection Sharing¶
Severity: Low Category: Network Protocols Provider: Registry Delivery: Group Policy Reboot: No Tier: Standard
Prevent use of the Internet Connection Sharing feature. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.
Rationale. ICS can expose an internal network through an uncontrolled gateway.
Remediation. Set Network Connections NC_ShowSharedAccessUI to 0.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-NET-014 - Require Domain Users to Elevate When Setting Network Location¶
Severity: Low Category: Network Protocols Provider: Registry Delivery: Group Policy Reboot: No Tier: Standard
Require elevation before a domain user can change a network location. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.
Rationale. Changing a network to Private lowers firewall restrictions.
Remediation. Set Network Connections NC_StdDomainUserSetLocation to 1.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-NET-015 - Minimize Simultaneous Internet and Domain Connections¶
Severity: Low Category: Network Protocols Provider: Registry Delivery: Group Policy Reboot: No Tier: Standard
Prevent simultaneous connections to the internet and the domain network. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.
Rationale. Bridged connectivity can route around perimeter controls.
Remediation. Set WcmSvc GroupPolicy fMinimizeConnections to 3.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-NET-016 - Prohibit Non-Domain Networks When on Domain Network¶
Severity: Low Category: Network Protocols Provider: Registry Delivery: Group Policy Reboot: No Tier: Standard
Block connections to non-domain networks while connected to the domain network. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.
Rationale. Dual-homing to untrusted networks can bridge attacks into the domain.
Remediation. Set WcmSvc GroupPolicy fBlockNonDomain to 1.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-NET-017 - Disable Windows Connect Now Registrars¶
Severity: Low Category: Network Protocols Provider: Registry Delivery: Group Policy Reboot: No Tier: Standard
Disable configuration of wireless settings using Windows Connect Now. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.
Rationale. WCN registrars allow wireless provisioning not needed on servers.
Remediation. Set WCN Registrars EnableRegistrars to 0.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-NET-018 - Prohibit Access of Windows Connect Now Wizards¶
Severity: Low Category: Network Protocols Provider: Registry Delivery: Group Policy Reboot: No Tier: Standard
Prohibit access to the Windows Connect Now wizards. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.
Rationale. WCN wizards expose unnecessary wireless provisioning UI.
Remediation. Set WCN UI DisableWcnUi to 1.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-NET-019 - Turn Off Link-Layer Topology Mapper I/O Driver¶
Severity: Low Category: Network Protocols Provider: Registry Delivery: Group Policy Reboot: No Tier: Standard
Disable the Link-Layer Topology Discovery Mapper I/O (LLTDIO) driver on the domain. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.
Rationale. LLTD can be used to map the network for reconnaissance.
Remediation. Set LLTD AllowLLTDIOOnDomain to 0.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-NET-020 - Turn Off Link-Layer Topology Responder Driver¶
Severity: Low Category: Network Protocols Provider: Registry Delivery: Group Policy Reboot: No Tier: Standard
Disable the Link-Layer Topology Discovery Responder (RSPNDR) driver on the domain. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.
Rationale. The responder advertises the host to network-mapping tools.
Remediation. Set LLTD AllowRspndrOnDomain to 0.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-NET-021 - TCP Maximum Data Retransmissions (IPv4)¶
Severity: Low Category: Network Protocols Provider: Registry Delivery: Direct Reboot: No Tier: Standard
Limit how many times TCP retransmits an unacknowledged data segment (IPv4).
Rationale. Excessive retransmissions increase exposure to SYN-flood style attacks.
Remediation. Set Tcpip Parameters TcpMaxDataRetransmissions to 3 or fewer.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-NET-022 - TCP Maximum Data Retransmissions (IPv6)¶
Severity: Low Category: Network Protocols Provider: Registry Delivery: Direct Reboot: No Tier: Standard
Limit how many times TCP retransmits an unacknowledged data segment (IPv6).
Rationale. Excessive retransmissions increase exposure to SYN-flood style attacks.
Remediation. Set Tcpip6 Parameters TcpMaxDataRetransmissions to 3 or fewer.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-NET-023 - TCP Keep-Alive Time¶
Severity: Low Category: Network Protocols Provider: Registry Delivery: Direct Reboot: No Tier: Standard
Set how often TCP sends keep-alive packets to at most 5 minutes.
Rationale. Long keep-alive intervals leave idle connections open longer than necessary.
Remediation. Set Tcpip Parameters KeepAliveTime to 300000 (ms) or fewer.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-NET-024 - Disable Dead Gateway Detection¶
Severity: Low Category: Network Protocols Provider: Registry Delivery: Direct Reboot: No Tier: Standard
Disable TCP dead-gateway detection so the stack does not switch gateways automatically.
Rationale. Automatic gateway switching can be induced to redirect traffic.
Remediation. Set Tcpip Parameters EnableDeadGWDetect to 0.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-NTLM-001 - LAN Manager Authentication Level (NTLMv2 Only)¶
Severity: High Category: Authentication Provider: Registry Delivery: Direct Reboot: No Tier: Standard
The system must send NTLMv2 responses only and refuse LM and NTLM, resisting downgrade and relay attacks.
Rationale. Legacy LM/NTLM authentication is vulnerable to cracking and relay.
Remediation. Set Lsa LmCompatibilityLevel to 5 (send NTLMv2 only, refuse LM and NTLM).
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark CMMC Level 2 HIPAA Security Rule Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-NTLM-002 - Minimum NTLM Session Security (Clients)¶
Severity: Medium Category: Authentication Provider: Registry Delivery: Direct Reboot: No Tier: Standard
NTLM SSP clients must require NTLMv2 session security and 128-bit encryption.
Rationale. Weak NTLM session security is vulnerable to downgrade and man-in-the-middle attacks.
Remediation. Set Lsa MSV1_0 NTLMMinClientSec to 537395200 (require NTLMv2 and 128-bit).
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-NTLM-003 - Minimum NTLM Session Security (Servers)¶
Severity: Medium Category: Authentication Provider: Registry Delivery: Direct Reboot: No Tier: Standard
NTLM SSP servers must require NTLMv2 session security and 128-bit encryption.
Rationale. Weak NTLM session security is vulnerable to downgrade and man-in-the-middle attacks.
Remediation. Set Lsa MSV1_0 NTLMMinServerSec to 537395200 (require NTLMv2 and 128-bit).
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-NTLM-004 - Allow LocalSystem to Use Computer Identity for NTLM¶
Severity: Medium Category: Authentication Provider: Registry Delivery: Direct Reboot: No Tier: Standard
LocalSystem services authenticate with the computer identity instead of anonymously.
Rationale. Anonymous LocalSystem NTLM weakens session security.
Remediation. Set Lsa UseMachineId to 1.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-NTLM-005 - Disallow PKU2U Online Identities¶
Severity: Medium Category: Authentication Provider: Registry Delivery: Direct Reboot: No Tier: Standard
Prevent PKU2U from using online identities to authenticate to this server (on-premises environments).
Rationale. PKU2U online identities can bypass domain-defined access controls.
Remediation. Set Lsa pku2u AllowOnlineID to 0.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-NTLM-006 - Audit Incoming NTLM Traffic¶
Severity: Low Category: Authentication Provider: Registry Delivery: Direct Reboot: No Tier: Standard
Log all incoming NTLM authentication so NTLM usage can be measured before restriction.
Rationale. Without auditing, NTLM dependence is invisible and hard to eliminate.
Remediation. Set Lsa MSV1_0 AuditReceivingNTLMTraffic to 2 (all accounts).
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-NTLM-007 - Audit Outgoing NTLM Traffic to Remote Servers¶
Severity: Low Category: Authentication Provider: Registry Delivery: Direct Reboot: No Tier: Standard
Log all outgoing NTLM authentication to remote servers.
Rationale. Unmeasured outgoing NTLM makes it hard to move to Kerberos.
Remediation. Set Lsa MSV1_0 RestrictSendingNTLMTraffic to 1 (Audit all).
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-PRINT-001 - Restrict Point and Print Driver Installation to Administrators¶
Severity: High Category: Attack Surface Reduction Provider: Registry Delivery: Group Policy Reboot: No Tier: Standard
Only administrators may install printer drivers via Point and Print. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.
Rationale. Unrestricted Point and Print driver installation was the basis of the PrintNightmare RCE.
Remediation. Set Printers PointAndPrint RestrictDriverInstallationToAdministrators to 1.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-PRINT-002 - Require Elevation for New Point and Print Connections¶
Severity: Medium Category: Attack Surface Reduction Provider: Registry Delivery: Group Policy Reboot: No Tier: Standard
Warn and require elevation when installing drivers for a new Point and Print connection. Group Policy setting: this control checks the corresponding Group Policy registry value; a domain Group Policy applied after hardening can override the local configuration.
Rationale. Silent driver installation lets a malicious print server push a driver without prompting.
Remediation. Set Printers PointAndPrint NoWarningNoElevationOnInstall to 0.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-PRINT-003 - Prevent Users From Installing Printer Drivers¶
Severity: Medium Category: Attack Surface Reduction Provider: Registry Delivery: Direct Reboot: No Tier: Standard
Only administrators may install printer drivers when adding a network printer.
Rationale. User-installed printer drivers can introduce untrusted kernel code on servers.
Remediation. Set Print Providers LanMan Print Services Servers AddPrinterDrivers to 1.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-PSL-001 - Enable PowerShell Script Block Logging¶
Severity: Medium Category: Logging and Monitoring Provider: Registry Delivery: Group Policy Reboot: No Tier: Standard
PowerShell Script Block Logging must be enabled to record the content of executed script blocks for detection and forensics. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.
Rationale. Reduced visibility of malicious PowerShell activity.
Remediation. Enable PowerShell Script Block Logging by setting EnableScriptBlockLogging to 1 under the ScriptBlockLogging policy key.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 SOC 2 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2
References: - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_logging_windows
WIN-PSL-002 - Enable PowerShell Module Logging¶
Severity: Medium Category: Logging and Monitoring Provider: Registry Delivery: Group Policy Reboot: No Tier: Standard
PowerShell Module Logging must be enabled to record pipeline execution details of PowerShell modules. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.
Rationale. Reduced visibility of malicious PowerShell module activity.
Remediation. Enable PowerShell Module Logging by setting EnableModuleLogging to 1 under the ModuleLogging policy key.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 SOC 2 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2
References: - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_logging_windows
WIN-PSL-003 - Enable PowerShell Transcription¶
Severity: Medium Category: Logging and Monitoring Provider: Registry Delivery: Group Policy Reboot: No Tier: Standard
Capture a transcript of every PowerShell session. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.
Rationale. Transcripts provide a forensic record of interactive and scripted PowerShell use.
Remediation. Set PowerShell Transcription EnableTranscripting to 1.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 SOC 2 ISO/IEC 27001 Microsoft Security Baselines NIS2
References: - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_logging_windows
WIN-PWD-001 - Minimum Password Length¶
Severity: High Category: Account Policy Provider: SecEdit Delivery: Direct Reboot: No Tier: Essential
The local security policy must require a minimum password length of at least 14 characters.
Rationale. Short passwords are susceptible to brute-force and guessing attacks.
Remediation. Set the minimum password length policy to 14 or greater (Local Security Policy, Account Policies, Password Policy).
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 CMMC Level 2 PCI DSS v4.0 ISO/IEC 27001 HIPAA Security Rule Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-PWD-002 - Password Complexity Enabled¶
Severity: High Category: Account Policy Provider: SecEdit Delivery: Direct Reboot: No Tier: Essential
The local security policy must enforce password complexity requirements.
Rationale. Simple passwords are susceptible to guessing and dictionary attacks.
Remediation. Enable the password complexity requirements policy (PasswordComplexity = 1).
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 CMMC Level 2 PCI DSS v4.0 ISO/IEC 27001 HIPAA Security Rule Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-PWD-003 - Maximum Password Age¶
Severity: Medium Category: Account Policy Provider: SecEdit Delivery: Direct Reboot: No Tier: Standard
Passwords must expire within a defined period so that compromised credentials have a limited useful lifetime.
Rationale. Passwords that never expire remain valid indefinitely if leaked.
Remediation. Set the maximum password age to 365 days or fewer (but not 0) in the account policy.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark CMMC Level 2 HIPAA Security Rule Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-PWD-004 - Minimum Password Age¶
Severity: Low Category: Account Policy Provider: SecEdit Delivery: Direct Reboot: No Tier: Standard
A minimum password age prevents users from cycling rapidly through passwords to defeat history enforcement.
Rationale. Without a minimum age, users can bypass password history by changing passwords repeatedly.
Remediation. Set the minimum password age to at least 1 day in the account policy.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-PWD-005 - Enforce Password History¶
Severity: Medium Category: Account Policy Provider: SecEdit Delivery: Direct Reboot: No Tier: Standard
Remembering previous passwords prevents reuse of recently used credentials.
Rationale. Password reuse increases exposure if an old password is compromised.
Remediation. Set the enforce password history policy to 24 or more remembered passwords.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark CMMC Level 2 HIPAA Security Rule Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-PWD-006 - Disable Reversible Password Encryption¶
Severity: High Category: Account Policy Provider: SecEdit Delivery: Direct Reboot: No Tier: Essential
Storing passwords using reversible encryption is equivalent to storing plaintext passwords and must be disabled.
Rationale. Reversibly encrypted passwords can be trivially recovered to plaintext.
Remediation. Disable the store-passwords-using-reversible-encryption policy (set to 0).
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark CMMC Level 2 HIPAA Security Rule Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-RA-001 - Disable Solicited Remote Assistance¶
Severity: Medium Category: Remote Access Provider: Registry Delivery: Group Policy Reboot: No Tier: Standard
Disable solicited (Ask for help) Remote Assistance. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.
Rationale. Remote Assistance can grant an outsider interactive control of the server.
Remediation. Set Terminal Services fAllowToGetHelp to 0.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-RA-002 - Disable Offer (Unsolicited) Remote Assistance¶
Severity: Medium Category: Remote Access Provider: Registry Delivery: Group Policy Reboot: No Tier: Standard
Disable offer-based (unsolicited) Remote Assistance. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.
Rationale. Unsolicited Remote Assistance lets a helper connect without a user request.
Remediation. Set Terminal Services fAllowUnsolicited to 0.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-RDP-001 - Require Network Level Authentication for RDP¶
Severity: High Category: Remote Access Provider: Registry Delivery: Direct Reboot: No Tier: Standard
Remote Desktop connections must require Network Level Authentication (NLA) so users authenticate before a session is established.
Rationale. Pre-authentication exposure of the RDP session host to unauthenticated attackers.
Remediation. Require Network Level Authentication for RDP by setting UserAuthentication to 1 on the RDP-Tcp WinStation.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-RDP-002 - RDP Minimum Encryption Level (High)¶
Severity: Medium Category: Remote Access Provider: Registry Delivery: Direct Reboot: No Tier: Standard
Remote Desktop sessions must use a High minimum encryption level.
Rationale. Weak RDP encryption exposes session data to interception.
Remediation. Set the RDP-Tcp MinEncryptionLevel to 3 (High).
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-RDP-003 - RDP Security Layer (TLS)¶
Severity: Medium Category: Remote Access Provider: Registry Delivery: Direct Reboot: No Tier: Standard
Remote Desktop must use the SSL/TLS security layer for connection security.
Rationale. The legacy RDP security layer is susceptible to man-in-the-middle attacks.
Remediation. Set the RDP-Tcp SecurityLayer to 2 (SSL/TLS).
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-RDP-004 - Disable RDP Drive Redirection¶
Severity: Medium Category: Remote Access Provider: Registry Delivery: Direct Reboot: No Tier: Standard
Client drive redirection over RDP must be disabled to prevent data exfiltration and malware ingress.
Rationale. Drive redirection allows files to move between client and server, aiding exfiltration.
Remediation. Set the RDP-Tcp fDisableCdm value to 1 to disable client drive redirection.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-RDP-005 - Always Prompt for Password on RDP Connection¶
Severity: Medium Category: Remote Access Provider: Registry Delivery: Group Policy Reboot: No Tier: Standard
Require Remote Desktop clients to provide a password at connection time. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.
Rationale. Saved credentials let a stolen client session reconnect without authentication.
Remediation. Set Terminal Services fPromptForPassword to 1.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-RDP-006 - Disable RDP Clipboard Redirection¶
Severity: Low Category: Remote Access Provider: Registry Delivery: Group Policy Reboot: No Tier: Enterprise
Disable clipboard redirection in Remote Desktop sessions. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.
Rationale. Clipboard redirection can exfiltrate data between the session and the client.
Remediation. Set Terminal Services fDisableClip to 1.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-RDP-007 - Set RDP Idle Session Time Limit¶
Severity: Low Category: Remote Access Provider: Registry Delivery: Group Policy Reboot: No Tier: Standard
End idle Remote Desktop sessions after a time limit (15 minutes). Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.
Rationale. Abandoned idle sessions can be hijacked at the console or over the network.
Remediation. Set Terminal Services MaxIdleTime to 900000 (15 minutes, in milliseconds).
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-RDP-008 - Set RDP Disconnected Session Time Limit¶
Severity: Low Category: Remote Access Provider: Registry Delivery: Group Policy Reboot: No Tier: Standard
End disconnected Remote Desktop sessions after a time limit (1 minute). Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.
Rationale. Disconnected sessions retain a logged-on context that can be resumed by others.
Remediation. Set Terminal Services MaxDisconnectionTime to 60000 (1 minute, in milliseconds).
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-RDP-009 - Do Not Allow Saved RDP Passwords¶
Severity: Medium Category: Remote Access Provider: Registry Delivery: Group Policy Reboot: No Tier: Standard
Prevent Remote Desktop clients from saving passwords. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.
Rationale. Saved RDP credentials let a stolen client reconnect without authentication.
Remediation. Set Terminal Services DisablePasswordSaving to 1.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-RDP-010 - Disable RDP COM Port Redirection¶
Severity: Low Category: Remote Access Provider: Registry Delivery: Group Policy Reboot: No Tier: Standard
Prevent COM port redirection in Remote Desktop sessions. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.
Rationale. Device redirection expands the RDP data-exfiltration surface.
Remediation. Set Terminal Services fDisableCcm to 1.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-RDP-011 - Disable RDP LPT Port Redirection¶
Severity: Low Category: Remote Access Provider: Registry Delivery: Group Policy Reboot: No Tier: Standard
Prevent LPT port redirection in Remote Desktop sessions. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.
Rationale. Device redirection expands the RDP data-exfiltration surface.
Remediation. Set Terminal Services fDisableLPT to 1.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-RDP-012 - Disable RDP Plug and Play Device Redirection¶
Severity: Low Category: Remote Access Provider: Registry Delivery: Group Policy Reboot: No Tier: Standard
Prevent supported Plug and Play device redirection in Remote Desktop sessions. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.
Rationale. PnP redirection can attach untrusted devices to the session.
Remediation. Set Terminal Services fDisablePNPRedir to 1.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-RDP-013 - Require Secure RPC for Remote Desktop¶
Severity: Medium Category: Remote Access Provider: Registry Delivery: Group Policy Reboot: No Tier: Standard
Require secure (encrypted, authenticated) RPC for Remote Desktop connections. Group Policy setting: this control checks the corresponding Group Policy registry value; a domain Group Policy applied after hardening can override the local configuration.
Rationale. Unsecured RPC exposes RDP management traffic.
Remediation. Set Terminal Services fEncryptRPCTraffic to 1.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-RDP-014 - Use Temporary Folders Per RDP Session¶
Severity: Low Category: Remote Access Provider: Registry Delivery: Group Policy Reboot: No Tier: Standard
Use a separate temporary folder for each Remote Desktop session. Group Policy setting: this control checks the corresponding Group Policy registry value; a domain Group Policy applied after hardening can override the local configuration.
Rationale. Shared temp folders can leak data between sessions.
Remediation. Set Terminal Services PerSessionTempDir to 1.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-RPC-001 - Restrict Unauthenticated RPC Clients¶
Severity: Medium Category: Network Protocols Provider: Registry Delivery: Group Policy Reboot: No Tier: Standard
Require authentication for RPC clients connecting to the RPC runtime. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.
Rationale. Unauthenticated RPC is a broad remote attack surface.
Remediation. Set Rpc RestrictRemoteClients to 1.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-RPC-002 - Enable RPC Endpoint Mapper Client Authentication¶
Severity: Medium Category: Network Protocols Provider: Registry Delivery: Group Policy Reboot: No Tier: Standard
Require authentication when resolving RPC endpoints via the Endpoint Mapper. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.
Rationale. Unauthenticated endpoint resolution can be abused for reconnaissance and relay.
Remediation. Set Rpc EnableAuthEpResolution to 1.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-SCRSVR-001 - Enable Screen Saver (Default Profile)¶
Severity: Low Category: Access Control Provider: Registry Delivery: Group Policy Reboot: No Tier: Standard
Enable the screen saver for the default user profile so new sessions lock when idle. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.
Rationale. Without a screen saver, unattended sessions stay unlocked.
Remediation. Set default-profile Control Panel Desktop ScreenSaveActive to 1.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-SCRSVR-002 - Password Protect the Screen Saver (Default Profile)¶
Severity: Medium Category: Access Control Provider: Registry Delivery: Group Policy Reboot: No Tier: Standard
Require a password to dismiss the screen saver for the default user profile. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.
Rationale. An unprotected screen saver does not actually lock the session.
Remediation. Set default-profile Control Panel Desktop ScreenSaverIsSecure to 1.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-SCRSVR-003 - Screen Saver Timeout (Default Profile)¶
Severity: Low Category: Access Control Provider: Registry Delivery: Group Policy Reboot: No Tier: Standard
Lock the default-profile session with the screen saver after at most 15 minutes of inactivity. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.
Rationale. Long timeouts leave unattended sessions unlocked for too long.
Remediation. Set default-profile Control Panel Desktop ScreenSaveTimeOut to 900 (seconds) or fewer.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-SMARTSCREEN-001 - Configure Windows Defender SmartScreen¶
Severity: Medium Category: Endpoint Protection Provider: Registry Delivery: Group Policy Reboot: No Tier: Standard
Enable SmartScreen reputation checks for apps and files. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.
Rationale. Without SmartScreen, users can run known-malicious downloads.
Remediation. Set System EnableSmartScreen to 1.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-SMB-001 - Disable SMBv1¶
Severity: High Category: Network Protocols Provider: Registry Delivery: Direct Reboot: No Tier: Essential
SMBv1 is a deprecated protocol vulnerable to EternalBlue-class remote code execution and lateral movement. It must be disabled on the server.
Rationale. Remote code execution and lateral movement via legacy SMB protocol.
Remediation. Disable the SMBv1 server by setting the LanmanServer Parameters value SMB1 to 0. CloudInfra Secure applies this automatically; reboot to fully remove the SMBv1 driver.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 CMMC Level 2 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
References: - https://learn.microsoft.com/en-us/windows-server/storage/file-server/troubleshoot/detect-enable-and-disable-smbv1-v2-v3
WIN-SMB-003 - Require SMB Signing (Server)¶
Severity: High Category: Network Protocols Provider: Registry Delivery: Direct Reboot: No Tier: Standard
The SMB server must require packet signing to prevent tampering and man-in-the-middle attacks on file traffic.
Rationale. Unsigned SMB traffic can be intercepted or modified in transit.
Remediation. Set LanmanServer Parameters RequireSecuritySignature to 1 to require SMB signing.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-SMB-004 - Disable SMBv1 Client¶
Severity: High Category: Network Protocols Provider: Registry Delivery: Direct Reboot: No Tier: Standard
The SMBv1 client driver (mrxsmb10) must be disabled to prevent the host connecting over the vulnerable SMBv1 protocol.
Rationale. SMBv1 client use exposes the host to EternalBlue-class and downgrade attacks.
Remediation. Set the mrxsmb10 service Start value to 4 (disabled) to disable the SMBv1 client driver.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
References: - https://learn.microsoft.com/en-us/windows-server/storage/file-server/troubleshoot/detect-enable-and-disable-smbv1-v2-v3
WIN-SMB-005 - Require SMB Client Signing¶
Severity: Medium Category: Network Protocols Provider: Registry Delivery: Direct Reboot: No Tier: Standard
The SMB client must require packet signing to protect outbound file traffic from tampering.
Rationale. Unsigned SMB client traffic can be intercepted or modified.
Remediation. Set LanmanWorkstation Parameters RequireSecuritySignature to 1.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-SMB-006 - Restrict Anonymous Access to Named Pipes and Shares¶
Severity: Medium Category: Network Protocols Provider: Registry Delivery: Direct Reboot: No Tier: Standard
Anonymous (null session) access to named pipes and shares must be restricted.
Rationale. Null sessions can enumerate and access shares without authentication.
Remediation. Set LanmanServer Parameters RestrictNullSessAccess to 1.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-SMB-007 - Disable SMB Client Insecure Guest Logons¶
Severity: Medium Category: Network Protocols Provider: Registry Delivery: Group Policy Reboot: No Tier: Standard
Prevent the SMB client from making insecure guest logons to file servers. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.
Rationale. Insecure guest access exposes clients to rogue/man-in-the-middle SMB servers.
Remediation. Set LanmanWorkstation AllowInsecureGuestAuth to 0.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-SMB-008 - Do Not Send Unencrypted Password to Third-Party SMB Servers¶
Severity: Medium Category: Network Protocols Provider: Registry Delivery: Direct Reboot: No Tier: Standard
Prevent the SMB client from sending plaintext passwords to non-Microsoft SMB servers.
Rationale. Plaintext passwords on the wire can be captured by a network eavesdropper.
Remediation. Set LanmanWorkstation Parameters EnablePlainTextPassword to 0.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-SMB-009 - Digitally Sign Client Communications (If Server Agrees)¶
Severity: Low Category: Network Protocols Provider: Registry Delivery: Direct Reboot: No Tier: Standard
The SMB client negotiates signing whenever the server supports it.
Rationale. Unsigned SMB sessions are vulnerable to tampering and relay.
Remediation. Set LanmanWorkstation Parameters EnableSecuritySignature to 1.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-SMB-010 - Digitally Sign Server Communications (If Client Agrees)¶
Severity: Low Category: Network Protocols Provider: Registry Delivery: Direct Reboot: No Tier: Standard
The SMB server negotiates signing whenever the client supports it.
Rationale. Unsigned SMB sessions are vulnerable to tampering and relay.
Remediation. Set LanmanServer Parameters EnableSecuritySignature to 1.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-SMB-011 - Idle Time Required Before Suspending an SMB Session (15 min)¶
Severity: Low Category: Network Protocols Provider: Registry Delivery: Direct Reboot: No Tier: Standard
Suspend idle SMB sessions after 15 minutes.
Rationale. Idle sessions consume resources and can be resumed by an attacker.
Remediation. Set LanmanServer Parameters AutoDisconnect to 15.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-SMB-012 - Disconnect Clients When Logon Hours Expire¶
Severity: Low Category: Network Protocols Provider: Registry Delivery: Direct Reboot: No Tier: Standard
Force-disconnect SMB clients when their logon hours expire.
Rationale. Sessions that outlive logon hours bypass time-based access controls.
Remediation. Set LanmanServer Parameters EnableForcedLogOff to 1.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-SMB-013 - Server SPN Target Name Validation Level¶
Severity: Medium Category: Network Protocols Provider: Registry Delivery: Direct Reboot: No Tier: Standard
Validate the SPN provided by SMB clients to mitigate SMB relay attacks.
Rationale. Without SPN validation, SMB is exposed to relay attacks.
Remediation. Set LanmanServer Parameters SmbServerNameHardeningLevel to 1 (Accept if provided by client).
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-SVC-001 - Disable Remote Registry Service¶
Severity: Medium Category: Attack Surface Reduction Provider: Service Delivery: Direct Reboot: No Tier: Standard
The Remote Registry service must be stopped and disabled to reduce remote attack surface.
Rationale. Remote Registry enables remote reconnaissance and modification of the registry.
Remediation. Stop and disable the RemoteRegistry service.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-SVC-002 - Disable Print Spooler Service¶
Severity: Medium Category: Attack Surface Reduction Provider: Service Delivery: Direct Reboot: No Tier: Enterprise
The Print Spooler service must be stopped and disabled on servers that do not print (PrintNightmare mitigation).
Rationale. The Print Spooler has a history of critical remote code execution vulnerabilities.
Remediation. Stop and disable the Spooler service. Do not apply to print servers.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-TELEM-001 - Limit Diagnostic Data to Required or Less¶
Severity: Low Category: Attack Surface Reduction Provider: Registry Delivery: Group Policy Reboot: No Tier: Standard
Send no more than the required level of diagnostic data. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.
Rationale. Higher telemetry levels transmit more potentially sensitive data off the host.
Remediation. Set DataCollection AllowTelemetry to 0 (Security) or 1 (Required).
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-TELEM-002 - Disable OneSettings Downloads¶
Severity: Low Category: Attack Surface Reduction Provider: Registry Delivery: Group Policy Reboot: No Tier: Standard
Prevent Windows from downloading configuration from the OneSettings service. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.
Rationale. OneSettings downloads are unnecessary outbound calls on a hardened server.
Remediation. Set DataCollection DisableOneSettingsDownloads to 1.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-TELEM-003 - Do Not Show Feedback Notifications¶
Severity: Low Category: Attack Surface Reduction Provider: Registry Delivery: Group Policy Reboot: No Tier: Standard
Suppress Windows feedback notifications. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.
Rationale. Feedback prompts are unnecessary on servers and encourage data submission.
Remediation. Set DataCollection DoNotShowFeedbackNotifications to 1.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-TELEM-004 - Enable OneSettings Auditing¶
Severity: Low Category: Logging and Monitoring Provider: Registry Delivery: Group Policy Reboot: No Tier: Standard
Audit access to the OneSettings service. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.
Rationale. Without auditing, OneSettings activity is invisible.
Remediation. Set DataCollection EnableOneSettingsAuditing to 1.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-TELEM-005 - Disable Windows Insider Preview Builds¶
Severity: Medium Category: Attack Surface Reduction Provider: Registry Delivery: Group Policy Reboot: No Tier: Standard
Prevent enrollment in Windows Insider preview builds. Group Policy setting: this control checks the corresponding Group Policy registry value; a domain Group Policy applied after hardening can override the local configuration.
Rationale. Preview builds are pre-release code not suitable for production servers.
Remediation. Set PreviewBuilds AllowBuildPreview to 0.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-TLS-001 - Enable TLS 1.2 (Server)¶
Severity: Medium Category: Cryptography Provider: Registry Delivery: Direct Reboot: Yes Tier: Standard
Explicitly enable the TLS 1.2 SCHANNEL server endpoint.
Rationale. If TLS 1.2 is not enabled, services may negotiate weaker or no encryption.
Remediation. Set SCHANNEL TLS 1.2 Server Enabled to 1. A reboot is required to take effect.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 FedRAMP PCI DSS v4.0 ISO/IEC 27001 HIPAA Security Rule Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
References: - https://learn.microsoft.com/en-us/windows-server/security/tls/tls-registry-settings
WIN-TLS-002 - Enable TLS 1.2 (Client)¶
Severity: Medium Category: Cryptography Provider: Registry Delivery: Direct Reboot: Yes Tier: Standard
Explicitly enable the TLS 1.2 SCHANNEL client endpoint.
Rationale. If TLS 1.2 is not enabled, outbound connections may negotiate weaker encryption.
Remediation. Set SCHANNEL TLS 1.2 Client Enabled to 1. A reboot is required to take effect.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 FedRAMP PCI DSS v4.0 ISO/IEC 27001 HIPAA Security Rule Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
References: - https://learn.microsoft.com/en-us/windows-server/security/tls/tls-registry-settings
WIN-TLS-003 - Disable RC4 128/128 Cipher¶
Severity: High Category: Cryptography Provider: Registry Delivery: Direct Reboot: Yes Tier: Standard
Disable the weak RC4 128/128 SCHANNEL cipher.
Rationale. RC4 is a broken stream cipher vulnerable to practical attacks.
Remediation. Set SCHANNEL Ciphers RC4 128/128 Enabled to 0. A reboot is required to take effect.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 FedRAMP PCI DSS v4.0 ISO/IEC 27001 HIPAA Security Rule Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
References: - https://learn.microsoft.com/en-us/windows-server/security/tls/tls-registry-settings
WIN-TLS-004 - Disable RC4 40/128 Cipher¶
Severity: High Category: Cryptography Provider: Registry Delivery: Direct Reboot: Yes Tier: Standard
Disable the weak RC4 40/128 SCHANNEL cipher.
Rationale. RC4 40-bit is trivially breakable.
Remediation. Set SCHANNEL Ciphers RC4 40/128 Enabled to 0. A reboot is required to take effect.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 FedRAMP PCI DSS v4.0 ISO/IEC 27001 HIPAA Security Rule Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
References: - https://learn.microsoft.com/en-us/windows-server/security/tls/tls-registry-settings
WIN-TLS-005 - Disable Triple DES 168 Cipher¶
Severity: Medium Category: Cryptography Provider: Registry Delivery: Direct Reboot: Yes Tier: Standard
Disable the legacy Triple DES 168 SCHANNEL cipher.
Rationale. 3DES is vulnerable to birthday (Sweet32) attacks and is deprecated.
Remediation. Set SCHANNEL Ciphers Triple DES 168 Enabled to 0. A reboot is required to take effect.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 FedRAMP PCI DSS v4.0 ISO/IEC 27001 HIPAA Security Rule Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
References: - https://learn.microsoft.com/en-us/windows-server/security/tls/tls-registry-settings
WIN-TLS-006 - Disable RC4 56/128 Cipher¶
Severity: High Category: Cryptography Provider: Registry Delivery: Direct Reboot: Yes Tier: Standard
Disable the weak RC4 56/128 SCHANNEL cipher.
Rationale. RC4 is a broken stream cipher vulnerable to practical attacks.
Remediation. Set SCHANNEL Ciphers RC4 56/128 Enabled to 0. A reboot is required to take effect.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 FedRAMP PCI DSS v4.0 ISO/IEC 27001 HIPAA Security Rule Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
References: - https://learn.microsoft.com/en-us/windows-server/security/tls/tls-registry-settings
WIN-TLS-007 - Disable RC4 64/128 Cipher¶
Severity: High Category: Cryptography Provider: Registry Delivery: Direct Reboot: Yes Tier: Standard
Disable the weak RC4 64/128 SCHANNEL cipher.
Rationale. RC4 is a broken stream cipher vulnerable to practical attacks.
Remediation. Set SCHANNEL Ciphers RC4 64/128 Enabled to 0. A reboot is required to take effect.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 FedRAMP PCI DSS v4.0 ISO/IEC 27001 HIPAA Security Rule Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
References: - https://learn.microsoft.com/en-us/windows-server/security/tls/tls-registry-settings
WIN-TLS-008 - Disable DES 56/56 Cipher¶
Severity: Medium Category: Cryptography Provider: Registry Delivery: Direct Reboot: Yes Tier: Standard
Disable the legacy DES 56/56 SCHANNEL cipher.
Rationale. Single DES with a 56-bit key is trivially breakable.
Remediation. Set SCHANNEL Ciphers DES 56/56 Enabled to 0. A reboot is required to take effect.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 FedRAMP PCI DSS v4.0 ISO/IEC 27001 HIPAA Security Rule Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
References: - https://learn.microsoft.com/en-us/windows-server/security/tls/tls-registry-settings
WIN-TLS-009 - Disable NULL Cipher¶
Severity: Medium Category: Cryptography Provider: Registry Delivery: Direct Reboot: Yes Tier: Standard
Disable the SCHANNEL NULL cipher (no encryption).
Rationale. The NULL cipher provides authentication without confidentiality.
Remediation. Set SCHANNEL Ciphers NULL Enabled to 0. A reboot is required to take effect.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 FedRAMP PCI DSS v4.0 ISO/IEC 27001 HIPAA Security Rule Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
References: - https://learn.microsoft.com/en-us/windows-server/security/tls/tls-registry-settings
WIN-TLS-010 - Disable TLS 1.0 (Server)¶
Severity: High Category: Cryptography Provider: Registry Delivery: Direct Reboot: Yes Tier: Essential
TLS 1.0 is a deprecated protocol with known weaknesses. The SCHANNEL server endpoint for TLS 1.0 must be disabled.
Rationale. Downgrade and cryptographic attacks against legacy TLS.
Remediation. Disable the TLS 1.0 server endpoint by setting the SCHANNEL TLS 1.0 Server Enabled value to 0. A reboot is required to take effect.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 FedRAMP PCI DSS v4.0 ISO/IEC 27001 HIPAA Security Rule Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
References: - https://learn.microsoft.com/en-us/windows-server/security/tls/tls-registry-settings
WIN-TLS-011 - Disable TLS 1.1 (Server)¶
Severity: High Category: Cryptography Provider: Registry Delivery: Direct Reboot: Yes Tier: Essential
TLS 1.1 is a deprecated protocol. The SCHANNEL server endpoint for TLS 1.1 must be disabled.
Rationale. Downgrade and cryptographic attacks against legacy TLS.
Remediation. Disable the TLS 1.1 server endpoint by setting the SCHANNEL TLS 1.1 Server Enabled value to 0. A reboot is required to take effect.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 FedRAMP PCI DSS v4.0 ISO/IEC 27001 HIPAA Security Rule Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
References: - https://learn.microsoft.com/en-us/windows-server/security/tls/tls-registry-settings
WIN-TLS-012 - Disable SSL 3.0 (Server)¶
Severity: High Category: Cryptography Provider: Registry Delivery: Direct Reboot: Yes Tier: Essential
The deprecated SSL 3.0 protocol must be disabled on the SCHANNEL server endpoint.
Rationale. SSL 3.0 is vulnerable to POODLE and other attacks.
Remediation. Set the SCHANNEL SSL 3.0 Server Enabled value to 0. Requires a reboot.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
References: - https://learn.microsoft.com/en-us/windows-server/security/tls/tls-registry-settings
WIN-TLS-013 - Disable SSL 2.0 (Server)¶
Severity: High Category: Cryptography Provider: Registry Delivery: Direct Reboot: Yes Tier: Essential
The obsolete SSL 2.0 protocol must be disabled on the SCHANNEL server endpoint.
Rationale. SSL 2.0 is fundamentally insecure and must not be offered.
Remediation. Set the SCHANNEL SSL 2.0 Server Enabled value to 0. Requires a reboot.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
References: - https://learn.microsoft.com/en-us/windows-server/security/tls/tls-registry-settings
WIN-UAC-001 - User Account Control Enabled¶
Severity: High Category: Privilege Management Provider: Registry Delivery: Group Policy Reboot: Yes Tier: Essential
User Account Control (UAC) must be enabled (EnableLUA = 1) to enforce administrative elevation prompts. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.
Rationale. Disabling UAC allows silent privilege escalation by malicious code.
Remediation. Enable User Account Control by setting EnableLUA to 1 under the CurrentVersion Policies System key. A reboot is required to take effect.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 CMMC Level 2 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-UAC-002 - UAC Elevation Prompt for Administrators¶
Severity: Medium Category: Privilege Management Provider: Registry Delivery: Group Policy Reboot: No Tier: Standard
Administrator elevation must prompt for consent on the secure desktop. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.
Rationale. Weak elevation prompts allow silent or spoofed privilege escalation.
Remediation. Set Policies System ConsentPromptBehaviorAdmin to 2 (prompt for consent on the secure desktop).
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-UAC-003 - UAC Detect Application Installations¶
Severity: Medium Category: Privilege Management Provider: Registry Delivery: Group Policy Reboot: No Tier: Standard
UAC must detect application installations and prompt for elevation. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.
Rationale. Silent installer elevation allows privilege escalation via installers.
Remediation. Set Policies System EnableInstallerDetection to 1.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-UAC-004 - Deny UAC Elevation Prompt for Standard Users¶
Severity: Medium Category: Privilege Management Provider: Registry Delivery: Group Policy Reboot: No Tier: Standard
Standard users must not be prompted to elevate; elevation requests are automatically denied. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.
Rationale. Prompting standard users to elevate encourages credential sharing and misuse.
Remediation. Set Policies System ConsentPromptBehaviorUser to 0 (automatically deny).
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-UAC-005 - UAC Switch to the Secure Desktop for Elevation¶
Severity: Medium Category: Privilege Management Provider: Registry Delivery: Group Policy Reboot: No Tier: Standard
Elevation prompts must be shown on the secure desktop to resist spoofing. Group Policy setting: this control checks the corresponding Group Policy registry value; a domain Group Policy applied after hardening can override the local configuration.
Rationale. Elevation prompts on the interactive desktop can be spoofed to capture credentials.
Remediation. Set Policies System PromptOnSecureDesktop to 1.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-UAC-006 - Only Elevate UIAccess Apps in Secure Locations¶
Severity: Medium Category: Privilege Management Provider: Registry Delivery: Group Policy Reboot: No Tier: Standard
Only allow UIAccess applications installed in secure file-system locations to elevate. Group Policy setting: this control checks the corresponding Group Policy registry value; a domain Group Policy applied after hardening can override the local configuration.
Rationale. UIAccess apps outside secure paths can bypass UI privilege isolation.
Remediation. Set Policies System EnableSecureUIAPaths to 1.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-UAC-007 - Apply UAC Token Filtering to Remote Local Accounts¶
Severity: High Category: Privilege Management Provider: Registry Delivery: Group Policy Reboot: No Tier: Standard
Force UAC remote-access token filtering for local accounts so they connect without full administrator rights. Group Policy setting: this control checks the corresponding Group Policy registry value; a domain Group Policy applied after hardening can override the local configuration.
Rationale. Un-filtered remote local-admin tokens enable pass-the-hash lateral movement.
Remediation. Set Policies System LocalAccountTokenFilterPolicy to 0 (token filtering enabled).
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-UAC-008 - Admin Approval Mode for the Built-in Administrator¶
Severity: Medium Category: Privilege Management Provider: Registry Delivery: Group Policy Reboot: No Tier: Standard
Apply Admin Approval Mode (UAC prompts) to the built-in Administrator account. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.
Rationale. Without this, the built-in Administrator runs with full rights and no elevation prompt.
Remediation. Set Policies System FilterAdministratorToken to 1.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-UAC-009 - Virtualize File and Registry Write Failures to Per-User Locations¶
Severity: Low Category: Privilege Management Provider: Registry Delivery: Group Policy Reboot: No Tier: Standard
Redirect legacy per-machine file and registry writes to per-user locations. Group Policy setting: this control checks the corresponding Group Policy registry value; a domain Group Policy applied after hardening can override the local configuration.
Rationale. Disabling virtualization can cause legacy apps to write to protected locations.
Remediation. Set Policies System EnableVirtualization to 1.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-URA-001 - Access Credential Manager as a Trusted Caller = No One¶
Severity: High Category: User Rights Assignment Provider: SecEdit Delivery: Direct Reboot: No Tier: Standard
No account should hold the Access Credential Manager as a trusted caller right.
Rationale. This right lets a process retrieve stored credentials from Credential Manager.
Remediation. Configure the 'SeTrustedCredManAccessPrivilege' user right so that no account holds it.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-URA-002 - Act as Part of the Operating System = No One¶
Severity: High Category: User Rights Assignment Provider: SecEdit Delivery: Direct Reboot: No Tier: Standard
No account should be able to act as part of the operating system (TCB).
Rationale. This right allows a process to impersonate any user and bypass access controls.
Remediation. Configure the 'SeTcbPrivilege' user right so that no account holds it.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-URA-003 - Create a Token Object = No One¶
Severity: High Category: User Rights Assignment Provider: SecEdit Delivery: Direct Reboot: No Tier: Standard
No account should be able to create an access token object.
Rationale. Creating arbitrary tokens allows privilege escalation to any identity.
Remediation. Configure the 'SeCreateTokenPrivilege' user right so that no account holds it.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-URA-004 - Create Permanent Shared Objects = No One¶
Severity: Medium Category: User Rights Assignment Provider: SecEdit Delivery: Direct Reboot: No Tier: Standard
No account should be able to create permanent shared objects.
Rationale. This right can be used to expose sensitive data or cause denial of service via the object namespace.
Remediation. Configure the 'SeCreatePermanentPrivilege' user right so that no account holds it.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-URA-005 - Debug Programs = Administrators Only¶
Severity: High Category: User Rights Assignment Provider: SecEdit Delivery: Direct Reboot: No Tier: Standard
Only Administrators should hold the Debug programs right.
Rationale. Debug rights allow reading and modifying the memory of any process, including LSASS.
Remediation. Assign the 'SeDebugPrivilege' user right to exactly the expected principals.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-URA-006 - Deny Access to This Computer From the Network (includes Guests)¶
Severity: Medium Category: User Rights Assignment Provider: SecEdit Delivery: Direct Reboot: No Tier: Standard
Guests must be denied network logon to this computer.
Rationale. Network logon by guest accounts enables anonymous access and lateral movement.
Remediation. Add the required principals (e.g. Guests) to the 'SeDenyNetworkLogonRight' user right.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-URA-007 - Deny Log On as a Batch Job (includes Guests)¶
Severity: Low Category: User Rights Assignment Provider: SecEdit Delivery: Direct Reboot: No Tier: Standard
Guests must be denied batch logon.
Rationale. Batch logon by guests could run scheduled tasks under an untrusted identity.
Remediation. Add the required principals (e.g. Guests) to the 'SeDenyBatchLogonRight' user right.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-URA-008 - Deny Log On as a Service (includes Guests)¶
Severity: Low Category: User Rights Assignment Provider: SecEdit Delivery: Direct Reboot: No Tier: Standard
Guests must be denied service logon.
Rationale. Service logon by guests could run services under an untrusted identity.
Remediation. Add the required principals (e.g. Guests) to the 'SeDenyServiceLogonRight' user right.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-URA-009 - Deny Log On Locally (includes Guests)¶
Severity: Medium Category: User Rights Assignment Provider: SecEdit Delivery: Direct Reboot: No Tier: Standard
Guests must be denied local (interactive) logon.
Rationale. Interactive logon by guests permits console access by untrusted users.
Remediation. Add the required principals (e.g. Guests) to the 'SeDenyInteractiveLogonRight' user right.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-URA-010 - Deny Log On Through Remote Desktop Services (includes Guests)¶
Severity: Medium Category: User Rights Assignment Provider: SecEdit Delivery: Direct Reboot: No Tier: Standard
Guests must be denied logon through Remote Desktop Services.
Rationale. RDP logon by guests exposes remote sessions to untrusted users.
Remediation. Add the required principals (e.g. Guests) to the 'SeDenyRemoteInteractiveLogonRight' user right.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-URA-011 - Force Shutdown From a Remote System = Administrators Only¶
Severity: Medium Category: User Rights Assignment Provider: SecEdit Delivery: Direct Reboot: No Tier: Standard
Only Administrators should be able to shut down the system remotely.
Rationale. Remote shutdown by non-administrators enables denial of service.
Remediation. Assign the 'SeRemoteShutdownPrivilege' user right to exactly the expected principals.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-URA-012 - Generate Security Audits = Local Service, Network Service¶
Severity: Medium Category: User Rights Assignment Provider: SecEdit Delivery: Direct Reboot: No Tier: Standard
Only Local Service and Network Service should generate security audit entries.
Rationale. This right can be abused to flood or forge the security log.
Remediation. Assign the 'SeAuditPrivilege' user right to exactly the expected principals.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-URA-013 - Impersonate a Client After Authentication = Service Accounts and Administrators¶
Severity: Medium Category: User Rights Assignment Provider: SecEdit Delivery: Direct Reboot: No Tier: Standard
Only Administrators and the built-in service accounts should hold the Impersonate a client right.
Rationale. Unrestricted impersonation is the basis of many privilege-escalation (potato) attacks.
Remediation. Assign the 'SeImpersonatePrivilege' user right to exactly the expected principals.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-URA-014 - Load and Unload Device Drivers = Administrators Only¶
Severity: Medium Category: User Rights Assignment Provider: SecEdit Delivery: Direct Reboot: No Tier: Standard
Only Administrators should be able to load and unload device drivers.
Rationale. Loading drivers allows execution of arbitrary kernel-mode code.
Remediation. Assign the 'SeLoadDriverPrivilege' user right to exactly the expected principals.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-URA-015 - Manage Auditing and Security Log = Administrators Only¶
Severity: Medium Category: User Rights Assignment Provider: SecEdit Delivery: Direct Reboot: No Tier: Standard
Only Administrators should be able to manage auditing and the security log.
Rationale. This right allows clearing the security log to hide malicious activity.
Remediation. Assign the 'SeSecurityPrivilege' user right to exactly the expected principals.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-URA-016 - Take Ownership of Files or Other Objects = Administrators Only¶
Severity: Medium Category: User Rights Assignment Provider: SecEdit Delivery: Direct Reboot: No Tier: Standard
Only Administrators should be able to take ownership of objects.
Rationale. Taking ownership lets a user override object permissions and access any resource.
Remediation. Assign the 'SeTakeOwnershipPrivilege' user right to exactly the expected principals.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-URA-017 - Access This Computer From the Network = Administrators, Authenticated Users¶
Severity: High Category: User Rights Assignment Provider: SecEdit Delivery: Direct Reboot: No Tier: Standard
Only Administrators and Authenticated Users should be able to access this computer from the network.
Rationale. Over-broad network logon rights widen the remote attack surface.
Remediation. Assign the 'SeNetworkLogonRight' user right to exactly the expected principals.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-URA-018 - Allow Log On Locally = Administrators¶
Severity: Medium Category: User Rights Assignment Provider: SecEdit Delivery: Direct Reboot: No Tier: Standard
Only Administrators should be able to log on locally to a server.
Rationale. Broad local logon rights allow non-administrators console access.
Remediation. Assign the 'SeInteractiveLogonRight' user right to exactly the expected principals.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-URA-019 - Allow Log On Through Remote Desktop Services = Administrators, Remote Desktop Users¶
Severity: Medium Category: User Rights Assignment Provider: SecEdit Delivery: Direct Reboot: No Tier: Standard
Only Administrators and Remote Desktop Users should log on through Remote Desktop Services.
Rationale. Excess RDS logon rights expand remote-access exposure.
Remediation. Assign the 'SeRemoteInteractiveLogonRight' user right to exactly the expected principals.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-URA-020 - Back Up Files and Directories = Administrators¶
Severity: Medium Category: User Rights Assignment Provider: SecEdit Delivery: Direct Reboot: No Tier: Standard
Only Administrators should hold the Back up files and directories right.
Rationale. This right bypasses file permissions to read any file on the system.
Remediation. Assign the 'SeBackupPrivilege' user right to exactly the expected principals.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-URA-021 - Restore Files and Directories = Administrators¶
Severity: Medium Category: User Rights Assignment Provider: SecEdit Delivery: Direct Reboot: No Tier: Standard
Only Administrators should hold the Restore files and directories right.
Rationale. This right bypasses file permissions to overwrite any file, enabling privilege escalation.
Remediation. Assign the 'SeRestorePrivilege' user right to exactly the expected principals.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-URA-022 - Change the System Time = Administrators, Local Service¶
Severity: Medium Category: User Rights Assignment Provider: SecEdit Delivery: Direct Reboot: No Tier: Standard
Only Administrators and Local Service should be able to change the system time.
Rationale. Altering the clock can defeat time-based security and corrupt audit timelines.
Remediation. Assign the 'SeSystemtimePrivilege' user right to exactly the expected principals.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-URA-023 - Change the Time Zone = Administrators, Local Service, Users¶
Severity: Low Category: User Rights Assignment Provider: SecEdit Delivery: Direct Reboot: No Tier: Standard
Restrict the Change the time zone right to Administrators, Local Service, and Users.
Rationale. Time-zone changes can confuse local log interpretation if granted too broadly.
Remediation. Assign the 'SeTimeZonePrivilege' user right to exactly the expected principals.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-URA-024 - Create a Pagefile = Administrators¶
Severity: Low Category: User Rights Assignment Provider: SecEdit Delivery: Direct Reboot: No Tier: Standard
Only Administrators should be able to create a pagefile.
Rationale. Pagefile manipulation can be used to affect system performance or memory forensics.
Remediation. Assign the 'SeCreatePagefilePrivilege' user right to exactly the expected principals.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-URA-025 - Create Global Objects = Administrators and Service Accounts¶
Severity: Medium Category: User Rights Assignment Provider: SecEdit Delivery: Direct Reboot: No Tier: Standard
Only Administrators and the built-in service accounts should create global objects.
Rationale. Global object creation can be abused for cross-session attacks and escalation.
Remediation. Assign the 'SeCreateGlobalPrivilege' user right to exactly the expected principals.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-URA-026 - Create Symbolic Links = Administrators¶
Severity: Medium Category: User Rights Assignment Provider: SecEdit Delivery: Direct Reboot: No Tier: Standard
Only Administrators should be able to create symbolic links (add Virtual Machines on Hyper-V hosts).
Rationale. Symbolic-link creation enables link-following attacks against privileged processes.
Remediation. Assign the 'SeCreateSymbolicLinkPrivilege' user right to exactly the expected principals.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-URA-027 - Adjust Memory Quotas for a Process = Administrators and Service Accounts¶
Severity: Low Category: User Rights Assignment Provider: SecEdit Delivery: Direct Reboot: No Tier: Standard
Restrict Adjust memory quotas for a process to Administrators, Local Service, and Network Service.
Rationale. This right can be used to starve other processes of memory (denial of service).
Remediation. Assign the 'SeIncreaseQuotaPrivilege' user right to exactly the expected principals.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-URA-028 - Increase Scheduling Priority = Administrators, Window Manager¶
Severity: Low Category: User Rights Assignment Provider: SecEdit Delivery: Direct Reboot: No Tier: Standard
Restrict Increase scheduling priority to Administrators and Window Manager.
Rationale. Raising process priority can be used to degrade or monopolise system responsiveness.
Remediation. Assign the 'SeIncreaseBasePriorityPrivilege' user right to exactly the expected principals.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-URA-029 - Lock Pages in Memory = No One¶
Severity: Medium Category: User Rights Assignment Provider: SecEdit Delivery: Direct Reboot: No Tier: Standard
No account should hold the Lock pages in memory right.
Rationale. Locking pages in physical memory can be abused to cause denial of service.
Remediation. Configure the 'SeLockMemoryPrivilege' user right so that no account holds it.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-URA-030 - Perform Volume Maintenance Tasks = Administrators¶
Severity: Medium Category: User Rights Assignment Provider: SecEdit Delivery: Direct Reboot: No Tier: Standard
Only Administrators should be able to perform volume maintenance tasks.
Rationale. This right permits raw disk access that can bypass file-level security.
Remediation. Assign the 'SeManageVolumePrivilege' user right to exactly the expected principals.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-URA-031 - Profile Single Process = Administrators¶
Severity: Low Category: User Rights Assignment Provider: SecEdit Delivery: Direct Reboot: No Tier: Standard
Only Administrators should be able to profile a single process.
Rationale. Process profiling can reveal sensitive information about running software.
Remediation. Assign the 'SeProfileSingleProcessPrivilege' user right to exactly the expected principals.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-URA-032 - Replace a Process Level Token = Local Service, Network Service¶
Severity: Medium Category: User Rights Assignment Provider: SecEdit Delivery: Direct Reboot: No Tier: Standard
Only Local Service and Network Service should hold the Replace a process-level token right.
Rationale. This right can be used to launch processes under a different identity.
Remediation. Assign the 'SeAssignPrimaryTokenPrivilege' user right to exactly the expected principals.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-URA-033 - Shut Down the System = Administrators¶
Severity: Low Category: User Rights Assignment Provider: SecEdit Delivery: Direct Reboot: No Tier: Standard
Only Administrators should be able to shut down the system.
Rationale. Broad shutdown rights allow non-administrators to cause an availability outage.
Remediation. Assign the 'SeShutdownPrivilege' user right to exactly the expected principals.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-URA-034 - Modify Firmware Environment Values = Administrators¶
Severity: Medium Category: User Rights Assignment Provider: SecEdit Delivery: Direct Reboot: No Tier: Standard
Only Administrators should be able to modify firmware environment values.
Rationale. Firmware/boot variable changes can undermine platform boot integrity.
Remediation. Assign the 'SeSystemEnvironmentPrivilege' user right to exactly the expected principals.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-URA-035 - Enable Accounts to Be Trusted for Delegation = No One¶
Severity: High Category: User Rights Assignment Provider: SecEdit Delivery: Direct Reboot: No Tier: Standard
On member servers, no account should be able to enable accounts to be trusted for delegation.
Rationale. Delegation trust can be abused to impersonate users across services.
Remediation. Configure the 'SeEnableDelegationPrivilege' user right so that no account holds it.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-URA-036 - Obtain an Impersonation Token for Another User = No One¶
Severity: Medium Category: User Rights Assignment Provider: SecEdit Delivery: Direct Reboot: No Tier: Standard
No account should be able to obtain an impersonation token for another user in the same session.
Rationale. Session impersonation tokens can be used to escalate to another user context.
Remediation. Configure the 'SeDelegateSessionUserImpersonatePrivilege' user right so that no account holds it.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-URA-037 - Modify an Object Label = No One¶
Severity: Low Category: User Rights Assignment Provider: SecEdit Delivery: Direct Reboot: No Tier: Standard
No account should be able to modify an object integrity label.
Rationale. Relabeling objects can subvert mandatory integrity control protections.
Remediation. Configure the 'SeRelabelPrivilege' user right so that no account holds it.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-URA-038 - Synchronize Directory Service Data = No One¶
Severity: Medium Category: User Rights Assignment Provider: SecEdit Delivery: Direct Reboot: No Tier: Standard
On member servers, no account should hold the Synchronize directory service data right.
Rationale. This right allows bulk reading of directory data (a DCSync-style exposure).
Remediation. Configure the 'SeSyncAgentPrivilege' user right so that no account holds it.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-URA-039 - Profile System Performance = Administrators, WdiServiceHost¶
Severity: Low Category: User Rights Assignment Provider: SecEdit Delivery: Direct Reboot: No Tier: Standard
Restrict Profile system performance to Administrators and the WdiServiceHost service.
Rationale. System profiling can expose timing and workload information about the host.
Remediation. Assign the 'SeSystemProfilePrivilege' user right to exactly the expected principals.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-VBS-001 - Enable Virtualization Based Security¶
Severity: High Category: Credential Protection Provider: Registry Delivery: Direct Reboot: Yes Tier: Enterprise
Enable Virtualization Based Security (VBS), the hardware-isolated foundation for Credential Guard and memory integrity.
Rationale. Without VBS, kernel-level malware can compromise credentials and code integrity.
Remediation. Set Control DeviceGuard EnableVirtualizationBasedSecurity to 1 (requires a reboot and compatible hardware).
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark CMMC Level 2 HIPAA Security Rule Microsoft Security Baselines NIS2 UK Cyber Essentials
References: - https://learn.microsoft.com/en-us/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity
WIN-VBS-002 - Require Secure Boot for VBS¶
Severity: Medium Category: Credential Protection Provider: Registry Delivery: Direct Reboot: Yes Tier: Enterprise
Require Secure Boot as the VBS platform security feature.
Rationale. Without Secure Boot, the boot chain that VBS relies on is not verified.
Remediation. Set Control DeviceGuard RequirePlatformSecurityFeatures to 1 (Secure Boot). A reboot is required.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark CMMC Level 2 HIPAA Security Rule Microsoft Security Baselines NIS2 UK Cyber Essentials
References: - https://learn.microsoft.com/en-us/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity
WIN-VBS-003 - Enable Memory Integrity (HVCI)¶
Severity: High Category: Exploit Protection Provider: Registry Delivery: Direct Reboot: Yes Tier: Enterprise
Enable hypervisor-enforced code integrity (memory integrity / HVCI) to protect kernel-mode code.
Rationale. Without HVCI, malicious or vulnerable drivers can run unsigned code in the kernel.
Remediation. Set Control DeviceGuard Scenarios HypervisorEnforcedCodeIntegrity Enabled to 1. A reboot is required.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark CMMC Level 2 HIPAA Security Rule Microsoft Security Baselines NIS2 UK Cyber Essentials
References: - https://learn.microsoft.com/en-us/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity
WIN-WDIGEST-001 - Disable WDigest Credential Caching¶
Severity: High Category: Credential Protection Provider: Registry Delivery: Direct Reboot: No Tier: Essential
WDigest must not cache plaintext credentials in memory.
Rationale. WDigest plaintext credential caching enables credential theft.
Remediation. Set SecurityProviders WDigest UseLogonCredential to 0 to disable plaintext caching.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark CMMC Level 2 HIPAA Security Rule Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-WINRM-001 - Disable WinRM Client Basic Authentication¶
Severity: Medium Category: Remote Management Provider: Registry Delivery: Group Policy Reboot: No Tier: Standard
The WinRM client must not allow Basic authentication. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.
Rationale. WinRM Basic auth transmits credentials with weak protection.
Remediation. Set Policies Microsoft Windows WinRM Client AllowBasic to 0.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-WINRM-002 - Disallow WinRM Unencrypted Traffic¶
Severity: Medium Category: Remote Management Provider: Registry Delivery: Group Policy Reboot: No Tier: Standard
The WinRM service must not allow unencrypted traffic. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.
Rationale. Unencrypted WinRM traffic exposes management data and credentials.
Remediation. Set Policies Microsoft Windows WinRM Service AllowUnencryptedTraffic to 0.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-WINRM-003 - Disable WinRM Client Digest Authentication¶
Severity: Medium Category: Remote Management Provider: Registry Delivery: Group Policy Reboot: No Tier: Standard
The WinRM client must not use Digest authentication. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.
Rationale. Digest authentication is weaker than Kerberos/Negotiate and can expose credentials.
Remediation. Set Policies Microsoft Windows WinRM Client AllowDigest to 0.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-WINRM-004 - Disable WinRM Service Basic Authentication¶
Severity: Medium Category: Remote Management Provider: Registry Delivery: Group Policy Reboot: No Tier: Standard
The WinRM service must not accept Basic authentication. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.
Rationale. Basic auth transmits credentials with weak protection.
Remediation. Set WinRM Service AllowBasic to 0.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-WINRM-005 - Disallow WinRM Storing RunAs Credentials¶
Severity: Medium Category: Remote Management Provider: Registry Delivery: Group Policy Reboot: No Tier: Standard
Prevent the WinRM service from storing RunAs credentials. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.
Rationale. Stored RunAs credentials can be extracted from a compromised host.
Remediation. Set WinRM Service DisableRunAs to 1.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-WINRM-006 - Disallow WinRM Client Unencrypted Traffic¶
Severity: Medium Category: Remote Management Provider: Registry Delivery: Group Policy Reboot: No Tier: Standard
The WinRM client must not send unencrypted traffic. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.
Rationale. Unencrypted WinRM exposes management data and credentials.
Remediation. Set WinRM Client AllowUnencryptedTraffic to 0.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials
WIN-WINRS-001 - Disable Windows Remote Shell Access¶
Severity: Medium Category: Remote Management Provider: Registry Delivery: Group Policy Reboot: No Tier: Standard
Disable remote shell (WinRS) access. Group Policy setting: this control checks the corresponding Group Policy registry value, so it can report non-compliant until the policy is explicitly configured (even where the effective Windows default is already secure), and a domain Group Policy applied after hardening can override it.
Rationale. Remote Shell provides an additional remote-execution channel.
Remediation. Set WinRM Service WinRS AllowRemoteShellAccess to 0.
Compliance alignment: DISA STIG NIST CSF NIST SP 800-53 Rev 5 NIST SP 800-171 PCI DSS v4.0 ISO/IEC 27001 Microsoft Cloud Security Benchmark Microsoft Security Baselines NIS2 UK Cyber Essentials