ࡱ>  f2\p Sain, Joe Ba==xN%58X@"1ZCalibri1ZCalibri1ZCalibri1ZCalibri1ZCalibri1h8ZCambria1,8ZCalibri18ZCalibri18ZCalibri1ZCalibri1ZCalibri1<ZCalibri1>ZCalibri1?ZCalibri14ZCalibri14ZCalibri1 ZCalibri1 ZCalibri1ZCalibri1ZCalibri1 ZCalibri1ZArial1ZArial1ZArial1ZArial1ZVerdana1ZArial1 ZArial1ZArial1ZCalibri1 ZArial1ZArial1<ZArial1ZCalibri1ZArial"$"#,##0_);\("$"#,##0\)!"$"#,##0_);[Red]\("$"#,##0\)""$"#,##0.00_);\("$"#,##0.00\)'""$"#,##0.00_);[Red]\("$"#,##0.00\)7*2_("$"* #,##0_);_("$"* \(#,##0\);_("$"* "-"_);_(@_).))_(* #,##0_);_(* \(#,##0\);_(* "-"_);_(@_)?,:_("$"* #,##0.00_);_("$"* \(#,##0.00\);_("$"* "-"??_);_(@_)6+1_(* #,##0.00_);_(* \(#,##0.00\);_(* "-"??_);_(@_)[$-409]General                                                                       ( (     ff + ) , *      P  P         `  (d  (d  (d  (d  (d  (d  (d  (d  (d  (d  (d  1(d  1(d  1(d  1(d  1(d  1(d  1(d  1(d  1(d  1(d  1(d  1(d  1(d  1(d  1(d  1(d  1(d  1(d  1(d  1(d  1(d  1(d  1(d  1(d  1(d  1(d  1(d  1(d  1(d  1(d  1(d  1(d  1(d  1(d  1(d  1(d  1(d  1(d  1(d  1(d  1(d  1(d  1(d  1(d  1(d  1(d  1(d  1(d  1(d  1(d  1(d  1(d  1(d  1(d  (d  (d  (d  (d  (d  (d  (d  (d  (d  (d  (d  (d  (d  (d  (d  (d  (d  (d  (d  (d  (d  (d  (d  (d  (d  (d  (d  (d  (d  (d  (d  (d  (d  (d  (d  (d  (d  (d  (d  (d  (d  (d (   !                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           (   (                   "                   #   a>   (x  (<  (<  (x (8  (x (x3  (x2  x  8  x x x3  x2  8  )x  )<  )<  )x !8  )x )x3  )x2  (x  (x )<  )x )x  )8  )x  )|  !x )x )x q)x ||]X}-} 00\);_(*}-} 00\);_(*}-} 00\);_(*}-} 00\);_(*}-} 00\);_(*}-} 00\);_(*}-} 00\);_(*}-} 00\);_(*}-} 00\);_(*}-}  00\);_(*}-}  00\);_(*}-}  00\);_(*}-}  00\);_(*}-}  00\);_(*}-} 00\);_(*}-} 00\);_(*}-}/ 00\);_(*}-}0 00\);_(*}-}1 00\);_(*}-}2 00\);_(*}-}5 00\);_(*}-}7 00\);_(*}A}6 00\);_(*;_(@_) }A}7 00\);_(*?;_(@_) }A}8 00\);_(*23;_(@_) }-}9 00\);_(*}A}5 a00\);_(*;_(@_) }A}) 00\);_(*;_(@_) }A} e00\);_(*;_(@_) }}; ??v00\);_(*̙;_(@_)    }}4 ???00\);_(*;_(@_) ??? ??? ??? ???}}- }00\);_(*;_(@_)    }A}< }00\);_(*;_(@_) }}. 00\);_(*;_(@_) ??? ??? ??? 
???}-}9 00\);_(*}}2 00\);_(*;_(@_)    }-}4 00\);_(*}U}8 00\);_(*;_(@_)  }A}" 00\);_(*;_(@_) }A} 00\);_(*ef;_(@_) }A} 00\);_(*L;_(@_) }A} 00\);_(*23;_(@_) }A}# 00\);_(*;_(@_) }A} 00\);_(*ef;_(@_) }A} 00\);_(*L;_(@_) }A} 00\);_(*23;_(@_) }A}$ 00\);_(*;_(@_) }A} 00\);_(*ef;_(@_) }A} 00\);_(*L;_(@_) }A} 00\);_(*23;_(@_) }A}% 00\);_(*;_(@_) }A} 00\);_(*ef;_(@_) }A} 00\);_(*L;_(@_) }A} 00\);_(*23;_(@_) }A}& 00\);_(*;_(@_) }A} 00\);_(*ef;_(@_) }A} 00\);_(*L;_(@_) }A}  00\);_(*23;_(@_) }A}' 00\);_(* ;_(@_) }A} 00\);_(*ef ;_(@_) }A} 00\);_(*L ;_(@_) }A}! 00\);_(*23 ;_(@_) }d};00\);_(*3 ;_(   }(}@00\);_(*}(}AP00\);_(*}(}F00\);_(*}(}GP00\);_(*}-}K 00\);_(*}d}M00\);_(*3 ;_(   }(}O00\);_(*}(}PP00\);_(*}d}Y00\);_(*3 ;_(   }-}Z 00\);_(*}(}H 00\);_(*}-}[ 00\);_(*}-} 00\);_(*}-}\ 00\);_(*}<}( 00\);_(* 3 ;_(}<}* 00\);_(*3 ;_(}(}+00\);_(*}(}3 00\);_(*}<} e00\);_(*3 ;_(}(} 00\);_(*}(} 00\);_(*}(} 00\);_(*}(} 00\);_(*}(} 00\);_(*}(} 00\);_(*}(} 00\);_(*}(} 00\);_(*}(} 00\);_(*}(} 00\);_(*}(} 00\);_(*}(}+ 00\);_(*}(}- 00\);_(*}(}. 00\);_(*}(}/ 00\);_(*}(}0 00\);_(*}(}1 00\);_(*}(}2 00\);_(*}(}3 00\);_(*}(}4 00\);_(*}(}5 00\);_(*}(}6 00\);_(*}(}8 00\);_(*}(}9 00\);_(*}(}: 00\);_(*}(}; 00\);_(*}(}< 00\);_(*}(}= 00\);_(*}(}> 00\);_(*}(}? 
00\);_(*}(}@ 00\);_(*}(}A 00\);_(*}(}C 00\);_(*}(}D 00\);_(*}(}E 00\);_(*}(}F 00\);_(*}(}G 00\);_(*}(}H 00\);_(*}(}I 00\);_(*}(}J 00\);_(*}(}K 00\);_(*}(}L 00\);_(*}(}N 00\);_(*}(}O 00\);_(*}(}P 00\);_(*}(}Q 00\);_(*}(}R 00\);_(*}(}S 00\);_(*}(}T 00\);_(*}(}U 00\);_(*}(}V 00\);_(*}(}W 00\);_(*}(}Y 00\);_(*}(}Z 00\);_(*}(}[ 00\);_(*}(}\ 00\);_(*}(}] 00\);_(*}(}^ 00\);_(*}(}_ 00\);_(*}(}` 00\);_(*}(}a 00\);_(*}(}b 00\);_(*}(}d 00\);_(*}(}e 00\);_(*}(}f 00\);_(*}(}  00\);_(*}(} 00\);_(*}(} 00\);_(*}(} 00\);_(*}(} 00\);_(*}(} 00\);_(*}(} 00\);_(*}(} 00\);_(*}(} 00\);_(*}(} 00\);_(*}(} 00\);_(*}(} 00\);_(*}(} 00\);_(*}(} 00\);_(*}(} 00\);_(*}(} 00\);_(*}(} 00\);_(*}(} 00\);_(*}(} 00\);_(*}(} 00\);_(*}(} 00\);_(*}(} 00\);_(*}(} 00\);_(*}(} 00\);_(*}(} 00\);_(*}(} 00\);_(*}(} 00\);_(*}(} 00\);_(*}(} 00\);_(*}(} 00\);_(*}(} 00\);_(*}(} 00\);_(*}(} 00\);_(*}(} 00\);_(*}(} 00\);_(*}(} 00\);_(*}(} 00\);_(*}(} 00\);_(*}(} 00\);_(*}(} 00\);_(*}(} 00\);_(*}(} 00\);_(*}(} 00\);_(*}(} 00\);_(*}(} 00\);_(*}(} 00\);_(*}(} 00\);_(*}(} 00\);_(*}(} 00\);_(*}(} 00\);_(*}(} 00\);_(*}(} 00\);_(*}(} 00\);_(*}(}  00\);_(*}(}  00\);_(*}(}  00\);_(*}(}  00\);_(*}}*}}3 00\);_(*3 ;_(    20% - Accent1M 20% - Accent1 ef % 20% - Accent2M" 20% - Accent2 ef % 20% - Accent3M& 20% - Accent3 ef % 20% - Accent4M* 20% - Accent4 ef % 20% - Accent5M. 20% - Accent5 ef % 20% - Accent6M2 20% - Accent6  ef % 40% - Accent1M 40% - Accent1 L % 40% - Accent2M# 40% - Accent2 L渷 % 40% - Accent3M' 40% - Accent3 L % 40% - Accent4M+ 40% - Accent4 L % 40% - Accent5M/ 40% - Accent5 L % 40% - Accent6M3 40% - Accent6  Lմ % 60% - Accent1M 60% - Accent1 23 % 60% - Accent2M$ 60% - Accent2 23ږ % 60% - Accent3M( 60% - Accent3 23כ % 60% - Accent4M, 60% - Accent4 23 % 60% - Accent5M0 60% - Accent5 23 %! 
60% - Accent6M4 60% - Accent6  23 % "Accent1AAccent1 O % #Accent2A!Accent2 PM % $Accent3A%Accent3 Y % %Accent4A)Accent4 d % &Accent5A-Accent5 K % 'Accent6A1Accent6  F %( Accent6 2@ Accent6 2  F )Bad9Bad  % *Bad 28Bad 2  +Blue Background@Blue Background  ,Bold- Calculation Calculation  }% . Check Cell Check Cell  %????????? ???/ Comma0( Comma [0]1&Currency2. Currency [0]3Excel Built-in Normal 1PExcel Built-in Normal 1 4Explanatory TextG5Explanatory Text % 5Good;Good  a%6 Heading 1G Heading 1 I}%O7 Heading 2G Heading 2 I}%?8 Heading 3G Heading 3 I}%239 Heading 49 Heading 4 I}%: Hyperlink 2 ;InputuInput ̙ ??v% < Linked CellK Linked Cell }% =Mine >Mine 10 ?Mine 11 @Mine 12 AMine 13 BMine 14 CMine 15 DMine 16 EMine 17 FMine 18 GMine 19 HMine 2I Mine 2 10J Mine 2 11K Mine 2 12L Mine 2 13M Mine 2 14N Mine 2 15O Mine 2 16P Mine 2 17Q Mine 2 18R Mine 2 19 SMine 2 2T Mine 2 20U Mine 2 21V Mine 2 22W Mine 2 23X Mine 2 24Y Mine 2 25Z Mine 2 26[ Mine 2 27\ Mine 2 28] Mine 2 29 ^Mine 2 3_ Mine 2 30` Mine 2 31a Mine 2 32b Mine 2 33c Mine 2 34d Mine 2 35e Mine 2 36f Mine 2 37g Mine 2 38h Mine 2 39 iMine 2 4j Mine 2 40k Mine 2 41l Mine 2 42m Mine 2 43n Mine 2 44o Mine 2 45p Mine 2 46q Mine 2 47r Mine 2 48s Mine 2 49 tMine 2 5u Mine 2 50v Mine 2 51w Mine 2 52x Mine 2 53y Mine 2 54 zMine 2 6 {Mine 2 7 |Mine 2 8 }Mine 2 9 ~Mine 20 Mine 21 Mine 22 Mine 23 Mine 24 Mine 25 Mine 26 Mine 27 Mine 28 Mine 29 Mine 3 Mine 30 Mine 31 Mine 32 Mine 33 Mine 34 Mine 35 Mine 36 Mine 37 Mine 38 Mine 39 Mine 4 Mine 40 Mine 41 Mine 42 Mine 43 Mine 44 Mine 45 Mine 46 Mine 47 Mine 48 Mine 49 Mine 5 Mine 50 Mine 51 Mine 52 Mine 53 Mine 54 Mine 6 Mine 7 Mine 8 Mine 9 My Normal NeutralANeutral  e% Neutral 2@ Neutral 2  e3Normal % Normal 10 Normal 10 2 Normal 109 Normal 109 2 Normal 109 3 Normal 11 Normal 110 Normal 110 2 Normal 110 3 Normal 12 Normal 127 Normal 127 2 Normal 13 Normal 135 Normal 135 2 Normal 136 Normal 136 2 Normal 137 Normal 137 2 Normal 138 Normal 138 2 Normal 139 Normal 139 2 Normal 14 
Normal 140 Normal 140 2 Normal 143 Normal 143 2 Normal 144 Normal 144 2 Normal 15 Normal 16 Normal 17 Normal 18 Normal 19 Normal 2 Normal 2 10 Normal 2 10 2 Normal 2 11 Normal 2 12 Normal 2 13 Normal 2 14 Normal 2 15 Normal 2 16 Normal 2 17 Normal 2 18Normal 2 18 10Normal 2 18 10 2Normal 2 18 10 3Normal 2 18 11Normal 2 18 11 2Normal 2 18 12Normal 2 18 12 2Normal 2 18 13Normal 2 18 13 2Normal 2 18 14Normal 2 18 14 2Normal 2 18 15Normal 2 18 15 2Normal 2 18 16Normal 2 18 16 2Normal 2 18 17Normal 2 18 17 2Normal 2 18 18Normal 2 18 18 2Normal 2 18 19Normal 2 18 19 2 Normal 2 18 2Normal 2 18 20Normal 2 18 20 2Normal 2 18 21Normal 2 18 21 2Normal 2 18 22Normal 2 18 22 2Normal 2 18 23Normal 2 18 23 2Normal 2 18 24Normal 2 18 25Normal 2 18 26Normal 2 18 27 Normal 2 18 3Normal 2 18 3 2Normal 2 18 3 3 Normal 2 18 4Normal 2 18 4 2Normal 2 18 4 3 Normal 2 18 5Normal 2 18 5 2Normal 2 18 5 3 Normal 2 18 6Normal 2 18 6 2Normal 2 18 6 3 Normal 2 18 7Normal 2 18 7 2 Normal 2 18 7 3  Normal 2 18 8 Normal 2 18 8 2 Normal 2 18 8 3  Normal 2 18 9Normal 2 18 9 2Normal 2 18 9 3 Normal 2 19Normal 2 19 10Normal 2 19 10 2Normal 2 19 10 3Normal 2 19 11Normal 2 19 11 2Normal 2 19 12Normal 2 19 12 2Normal 2 19 13Normal 2 19 13 2Normal 2 19 14Normal 2 19 14 2Normal 2 19 15Normal 2 19 15 2Normal 2 19 16Normal 2 19 16 2 Normal 2 19 17!Normal 2 19 17 2"Normal 2 19 18#Normal 2 19 18 2$Normal 2 19 19%Normal 2 19 19 2& Normal 2 19 2'Normal 2 19 20(Normal 2 19 20 2)Normal 2 19 21*Normal 2 19 21 2+Normal 2 19 22,Normal 2 19 22 2-Normal 2 19 23.Normal 2 19 23 2/Normal 2 19 240Normal 2 19 251Normal 2 19 262Normal 2 19 273 Normal 2 19 34Normal 2 19 3 25Normal 2 19 3 36 Normal 2 19 47Normal 2 19 4 28Normal 2 19 4 39 Normal 2 19 5:Normal 2 19 5 2;Normal 2 19 5 3< Normal 2 19 6=Normal 2 19 6 2>Normal 2 19 6 3? 
Normal 2 19 7@Normal 2 19 7 2ANormal 2 19 7 3B Normal 2 19 8CNormal 2 19 8 2DNormal 2 19 8 3E Normal 2 19 9FNormal 2 19 9 2GNormal 2 19 9 3H Normal 2 26 Normal 2 2 I Normal 2 2 10J Normal 2 2 11K Normal 2 2 12L Normal 2 2 13M Normal 2 2 14N Normal 2 2 15O Normal 2 2 16P Normal 2 2 17Q Normal 2 2 18R Normal 2 2 19S Normal 2 2 2TNormal 2 2 2 10UNormal 2 2 2 10 2VNormal 2 2 2 10 3WNormal 2 2 2 11XNormal 2 2 2 11 2YNormal 2 2 2 11 3ZNormal 2 2 2 12[Normal 2 2 2 12 2\Normal 2 2 2 12 3]Normal 2 2 2 13^Normal 2 2 2 13 2_Normal 2 2 2 13 3`Normal 2 2 2 14aNormal 2 2 2 14 2bNormal 2 2 2 14 3cNormal 2 2 2 15dNormal 2 2 2 15 2eNormal 2 2 2 16fNormal 2 2 2 16 2gNormal 2 2 2 17hNormal 2 2 2 17 2iNormal 2 2 2 18jNormal 2 2 2 18 2kNormal 2 2 2 19lNormal 2 2 2 2mNormal 2 2 2 20nNormal 2 2 2 21oNormal 2 2 2 22pNormal 2 2 2 23qNormal 2 2 2 24rNormal 2 2 2 25sNormal 2 2 2 26tNormal 2 2 2 27uNormal 2 2 2 28vNormal 2 2 2 29wNormal 2 2 2 3xNormal 2 2 2 3 2yNormal 2 2 2 3 3zNormal 2 2 2 3 4{Normal 2 2 2 3 5|Normal 2 2 2 3 6}Normal 2 2 2 30~Normal 2 2 2 30 2Normal 2 2 2 31Normal 2 2 2 31 2Normal 2 2 2 32Normal 2 2 2 32 2Normal 2 2 2 33Normal 2 2 2 33 2Normal 2 2 2 34Normal 2 2 2 34 2Normal 2 2 2 35Normal 2 2 2 35 2Normal 2 2 2 36Normal 2 2 2 36 2Normal 2 2 2 37Normal 2 2 2 37 2Normal 2 2 2 38Normal 2 2 2 39Normal 2 2 2 4Normal 2 2 2 40Normal 2 2 2 41Normal 2 2 2 42Normal 2 2 2 43Normal 2 2 2 44Normal 2 2 2 45Normal 2 2 2 46Normal 2 2 2 47Normal 2 2 2 48Normal 2 2 2 48 2Normal 2 2 2 49Normal 2 2 2 5Normal 2 2 2 5 2Normal 2 2 2 5 3Normal 2 2 2 5 4Normal 2 2 2 50@Normal 2 2 2 50 Normal 2 2 2 50 2DNormal 2 2 2 50 2 Normal 2 2 2 50 3DNormal 2 2 2 50 3 Normal 2 2 2 50 4DNormal 2 2 2 50 4 Normal 2 2 2 50 5DNormal 2 2 2 50 5 Normal 2 2 2 50 6DNormal 2 2 2 50 6 Normal 2 2 2 50 7DNormal 2 2 2 50 7 Normal 2 2 2 50 8DNormal 2 2 2 50 8 Normal 2 2 2 51@Normal 2 2 2 51 Normal 2 2 2 52@Normal 2 2 2 52 Normal 2 2 2 53@Normal 2 2 2 53 Normal 2 2 2 54Normal 2 2 2 55Normal 2 2 2 56Normal 2 2 2 57Normal 2 2 2 
58Normal 2 2 2 59Normal 2 2 2 6Normal 2 2 2 60Normal 2 2 2 7Normal 2 2 2 7 2Normal 2 2 2 7 3Normal 2 2 2 8Normal 2 2 2 8 2Normal 2 2 2 8 3Normal 2 2 2 9Normal 2 2 2 9 2Normal 2 2 2 9 3 Normal 2 2 20 Normal 2 2 21 Normal 2 2 22 Normal 2 2 23 Normal 2 2 24 Normal 2 2 25Normal 2 2 25 10Normal 2 2 25 10 2Normal 2 2 25 10 3Normal 2 2 25 11Normal 2 2 25 11 2Normal 2 2 25 12Normal 2 2 25 12 2Normal 2 2 25 13Normal 2 2 25 13 2Normal 2 2 25 14Normal 2 2 25 14 2Normal 2 2 25 15Normal 2 2 25 15 2Normal 2 2 25 16Normal 2 2 25 16 2Normal 2 2 25 17Normal 2 2 25 17 2Normal 2 2 25 18Normal 2 2 25 18 2Normal 2 2 25 19Normal 2 2 25 19 2Normal 2 2 25 2Normal 2 2 25 20Normal 2 2 25 20 2Normal 2 2 25 21Normal 2 2 25 21 2Normal 2 2 25 22Normal 2 2 25 22 2Normal 2 2 25 23Normal 2 2 25 23 2Normal 2 2 25 24Normal 2 2 25 25Normal 2 2 25 3Normal 2 2 25 3 2Normal 2 2 25 3 3Normal 2 2 25 4Normal 2 2 25 4 2Normal 2 2 25 4 3Normal 2 2 25 5Normal 2 2 25 5 2Normal 2 2 25 5 3Normal 2 2 25 6Normal 2 2 25 6 2Normal 2 2 25 6 3Normal 2 2 25 7Normal 2 2 25 7 2Normal 2 2 25 7 3Normal 2 2 25 8Normal 2 2 25 8 2Normal 2 2 25 8 3Normal 2 2 25 9Normal 2 2 25 9 2Normal 2 2 25 9 3 Normal 2 2 26 Normal 2 2 27 Normal 2 2 28Normal 2 2 28 10Normal 2 2 28 10 2Normal 2 2 28 11Normal 2 2 28 11 2Normal 2 2 28 12Normal 2 2 28 12 2Normal 2 2 28 13Normal 2 2 28 13 2Normal 2 2 28 14Normal 2 2 28 14 2Normal 2 2 28 15Normal 2 2 28 15 2Normal 2 2 28 16Normal 2 2 28 16 2Normal 2 2 28 17Normal 2 2 28 17 2 Normal 2 2 28 18 Normal 2 2 28 18 2 Normal 2 2 28 19 Normal 2 2 28 19 2 Normal 2 2 28 2Normal 2 2 28 2 2Normal 2 2 28 2 3Normal 2 2 28 20Normal 2 2 28 20 2Normal 2 2 28 21Normal 2 2 28 21 2Normal 2 2 28 22Normal 2 2 28 22 2Normal 2 2 28 3Normal 2 2 28 3 2Normal 2 2 28 3 3Normal 2 2 28 4Normal 2 2 28 4 2Normal 2 2 28 4 3Normal 2 2 28 5Normal 2 2 28 5 2Normal 2 2 28 5 3Normal 2 2 28 6 Normal 2 2 28 6 2!Normal 2 2 28 6 3"Normal 2 2 28 7#Normal 2 2 28 7 2$Normal 2 2 28 7 3%Normal 2 2 28 8&Normal 2 2 28 8 2'Normal 2 2 28 8 3(Normal 
2 2 28 9)Normal 2 2 28 9 2*Normal 2 2 28 9 3+ Normal 2 2 29< Normal 2 2 29 , Normal 2 2 3- Normal 2 2 30< Normal 2 2 30 . Normal 2 2 31< Normal 2 2 31 / Normal 2 2 32< Normal 2 2 32 0 Normal 2 2 33< Normal 2 2 33 1 Normal 2 2 34< Normal 2 2 34 2 Normal 2 2 35< Normal 2 2 35 3 Normal 2 2 36< Normal 2 2 36 4 Normal 2 2 37< Normal 2 2 37 5 Normal 2 2 38< Normal 2 2 38 6 Normal 2 2 39< Normal 2 2 39 7 Normal 2 2 48 Normal 2 2 40< Normal 2 2 40 9 Normal 2 2 41< Normal 2 2 41 : Normal 2 2 42< Normal 2 2 42 ; Normal 2 2 43< Normal 2 2 43 < Normal 2 2 44< Normal 2 2 44 = Normal 2 2 45< Normal 2 2 45 > Normal 2 2 46< Normal 2 2 46 ? Normal 2 2 47< Normal 2 2 47 @ Normal 2 2 48< Normal 2 2 48 A Normal 2 2 49< Normal 2 2 49 B Normal 2 2 5C Normal 2 2 50< Normal 2 2 50 D Normal 2 2 51< Normal 2 2 51 E Normal 2 2 52< Normal 2 2 52 F Normal 2 2 53< Normal 2 2 53 G Normal 2 2 54< Normal 2 2 54 H Normal 2 2 55< Normal 2 2 55 I Normal 2 2 56< Normal 2 2 56 J Normal 2 2 57< Normal 2 2 57 K Normal 2 2 58< Normal 2 2 58 L Normal 2 2 59< Normal 2 2 59 M Normal 2 2 6N Normal 2 2 60< Normal 2 2 60 O Normal 2 2 61< Normal 2 2 61 P Normal 2 2 62< Normal 2 2 62 Q Normal 2 2 63< Normal 2 2 63 R Normal 2 2 64< Normal 2 2 64 S Normal 2 2 65< Normal 2 2 65 T Normal 2 2 66< Normal 2 2 66 U Normal 2 2 67< Normal 2 2 67 V Normal 2 2 68< Normal 2 2 68 W Normal 2 2 69< Normal 2 2 69 X Normal 2 2 7Y Normal 2 2 70< Normal 2 2 70 Z Normal 2 2 71< Normal 2 2 71 [ Normal 2 2 72< Normal 2 2 72 \ Normal 2 2 73< Normal 2 2 73 ] Normal 2 2 74< Normal 2 2 74 ^ Normal 2 2 75< Normal 2 2 75 _ Normal 2 2 76< Normal 2 2 76 ` Normal 2 2 77< Normal 2 2 77 a Normal 2 2 78< Normal 2 2 78 b Normal 2 2 79< Normal 2 2 79 c Normal 2 2 8d Normal 2 2 80< Normal 2 2 80 e Normal 2 2 85< Normal 2 2 85 f Normal 2 2 86< Normal 2 2 86 g Normal 2 2 9h Normal 2 20iNormal 2 20 10jNormal 2 20 10 2kNormal 2 20 10 3lNormal 2 20 11mNormal 2 20 11 2nNormal 2 20 12oNormal 2 20 12 2pNormal 2 20 13qNormal 2 20 13 2rNormal 2 20 14sNormal 2 
20 14 2tNormal 2 20 15uNormal 2 20 15 2vNormal 2 20 16wNormal 2 20 16 2xNormal 2 20 17yNormal 2 20 17 2zNormal 2 20 18{Normal 2 20 18 2|Normal 2 20 19}Normal 2 20 19 2~ Normal 2 20 2Normal 2 20 20Normal 2 20 20 2Normal 2 20 21Normal 2 20 21 2Normal 2 20 22Normal 2 20 22 2Normal 2 20 23Normal 2 20 23 2Normal 2 20 24Normal 2 20 25Normal 2 20 26Normal 2 20 27 Normal 2 20 3Normal 2 20 3 2Normal 2 20 3 3 Normal 2 20 4Normal 2 20 4 2Normal 2 20 4 3 Normal 2 20 5Normal 2 20 5 2Normal 2 20 5 3 Normal 2 20 6Normal 2 20 6 2Normal 2 20 6 3 Normal 2 20 7Normal 2 20 7 2Normal 2 20 7 3 Normal 2 20 8Normal 2 20 8 2Normal 2 20 8 3 Normal 2 20 9Normal 2 20 9 2Normal 2 20 9 3 Normal 2 21Normal 2 21 10Normal 2 21 10 2Normal 2 21 10 3Normal 2 21 11Normal 2 21 11 2Normal 2 21 12Normal 2 21 12 2Normal 2 21 13Normal 2 21 13 2Normal 2 21 14Normal 2 21 14 2Normal 2 21 15Normal 2 21 15 2Normal 2 21 16Normal 2 21 16 2Normal 2 21 17Normal 2 21 17 2Normal 2 21 18Normal 2 21 18 2Normal 2 21 19Normal 2 21 19 2 Normal 2 21 2Normal 2 21 20Normal 2 21 20 2Normal 2 21 21Normal 2 21 21 2Normal 2 21 22Normal 2 21 22 2Normal 2 21 23Normal 2 21 23 2Normal 2 21 24Normal 2 21 25Normal 2 21 26Normal 2 21 27 Normal 2 21 3Normal 2 21 3 2Normal 2 21 3 3 Normal 2 21 4Normal 2 21 4 2Normal 2 21 4 3 Normal 2 21 5Normal 2 21 5 2Normal 2 21 5 3 Normal 2 21 6Normal 2 21 6 2Normal 2 21 6 3 Normal 2 21 7Normal 2 21 7 2Normal 2 21 7 3 Normal 2 21 8Normal 2 21 8 2Normal 2 21 8 3 Normal 2 21 9Normal 2 21 9 2Normal 2 21 9 3 Normal 2 22Normal 2 22 10Normal 2 22 10 2Normal 2 22 10 3Normal 2 22 11Normal 2 22 11 2Normal 2 22 12Normal 2 22 12 2Normal 2 22 13Normal 2 22 13 2Normal 2 22 14Normal 2 22 14 2Normal 2 22 15Normal 2 22 15 2Normal 2 22 16Normal 2 22 16 2Normal 2 22 17Normal 2 22 17 2Normal 2 22 18Normal 2 22 18 2Normal 2 22 19Normal 2 22 19 2 Normal 2 22 2Normal 2 22 20Normal 2 22 20 2Normal 2 22 21Normal 2 22 21 2Normal 2 22 22Normal 2 22 22 2Normal 2 22 23Normal 2 22 23 2Normal 2 22 24Normal 2 22 25Normal 2 22 
26Normal 2 22 27 Normal 2 22 3Normal 2 22 3 2Normal 2 22 3 3 Normal 2 22 4Normal 2 22 4 2Normal 2 22 4 3 Normal 2 22 5Normal 2 22 5 2Normal 2 22 5 3 Normal 2 22 6Normal 2 22 6 2Normal 2 22 6 3 Normal 2 22 7Normal 2 22 7 2 Normal 2 22 7 3  Normal 2 22 8 Normal 2 22 8 2 Normal 2 22 8 3  Normal 2 22 9Normal 2 22 9 2Normal 2 22 9 3 Normal 2 23Normal 2 23 10Normal 2 23 10 2Normal 2 23 10 3Normal 2 23 11Normal 2 23 11 2Normal 2 23 12Normal 2 23 12 2Normal 2 23 13Normal 2 23 13 2Normal 2 23 14Normal 2 23 14 2Normal 2 23 15Normal 2 23 15 2Normal 2 23 16Normal 2 23 16 2 Normal 2 23 17!Normal 2 23 17 2"Normal 2 23 18#Normal 2 23 18 2$Normal 2 23 19%Normal 2 23 19 2& Normal 2 23 2'Normal 2 23 20(Normal 2 23 20 2)Normal 2 23 21*Normal 2 23 21 2+Normal 2 23 22,Normal 2 23 22 2-Normal 2 23 23.Normal 2 23 23 2/Normal 2 23 240Normal 2 23 251Normal 2 23 262Normal 2 23 273 Normal 2 23 34Normal 2 23 3 25Normal 2 23 3 36 Normal 2 23 47Normal 2 23 4 28Normal 2 23 4 39 Normal 2 23 5:Normal 2 23 5 2;Normal 2 23 5 3< Normal 2 23 6=Normal 2 23 6 2>Normal 2 23 6 3? 
Normal 2 23 7@Normal 2 23 7 2ANormal 2 23 7 3B Normal 2 23 8CNormal 2 23 8 2DNormal 2 23 8 3E Normal 2 23 9FNormal 2 23 9 2GNormal 2 23 9 3H Normal 2 24INormal 2 24 10JNormal 2 24 10 2KNormal 2 24 10 3LNormal 2 24 11MNormal 2 24 11 2NNormal 2 24 12ONormal 2 24 12 2PNormal 2 24 13QNormal 2 24 13 2RNormal 2 24 14SNormal 2 24 14 2TNormal 2 24 15UNormal 2 24 15 2VNormal 2 24 16WNormal 2 24 16 2XNormal 2 24 17YNormal 2 24 17 2ZNormal 2 24 18[Normal 2 24 18 2\Normal 2 24 19]Normal 2 24 19 2^ Normal 2 24 2_Normal 2 24 20`Normal 2 24 20 2aNormal 2 24 21bNormal 2 24 21 2cNormal 2 24 22dNormal 2 24 22 2eNormal 2 24 23fNormal 2 24 23 2gNormal 2 24 24hNormal 2 24 25iNormal 2 24 26jNormal 2 24 27k Normal 2 24 3lNormal 2 24 3 2mNormal 2 24 3 3n Normal 2 24 4oNormal 2 24 4 2pNormal 2 24 4 3q Normal 2 24 5rNormal 2 24 5 2sNormal 2 24 5 3t Normal 2 24 6uNormal 2 24 6 2vNormal 2 24 6 3w Normal 2 24 7xNormal 2 24 7 2yNormal 2 24 7 3z Normal 2 24 8{Normal 2 24 8 2|Normal 2 24 8 3} Normal 2 24 9~Normal 2 24 9 2Normal 2 24 9 3 Normal 2 25Normal 2 25 10Normal 2 25 10 2Normal 2 25 10 3Normal 2 25 11Normal 2 25 11 2Normal 2 25 12Normal 2 25 12 2Normal 2 25 13Normal 2 25 13 2Normal 2 25 14Normal 2 25 14 2Normal 2 25 15Normal 2 25 15 2Normal 2 25 16Normal 2 25 16 2Normal 2 25 17Normal 2 25 17 2Normal 2 25 18Normal 2 25 18 2Normal 2 25 19Normal 2 25 19 2 Normal 2 25 2Normal 2 25 20Normal 2 25 20 2Normal 2 25 21Normal 2 25 21 2Normal 2 25 22Normal 2 25 22 2Normal 2 25 23Normal 2 25 23 2Normal 2 25 24Normal 2 25 25Normal 2 25 26Normal 2 25 27 Normal 2 25 3Normal 2 25 3 2Normal 2 25 3 3 Normal 2 25 4Normal 2 25 4 2Normal 2 25 4 3 Normal 2 25 5Normal 2 25 5 2Normal 2 25 5 3 Normal 2 25 6Normal 2 25 6 2Normal 2 25 6 3 Normal 2 25 7Normal 2 25 7 2Normal 2 25 7 3 Normal 2 25 8Normal 2 25 8 2Normal 2 25 8 3 Normal 2 25 9Normal 2 25 9 2Normal 2 25 9 3 Normal 2 26Normal 2 26 10Normal 2 26 10 2Normal 2 26 10 3Normal 2 26 11Normal 2 26 11 2Normal 2 26 12Normal 2 26 12 2Normal 2 26 13Normal 2 26 13 
2Normal 2 26 14Normal 2 26 14 2Normal 2 26 15Normal 2 26 15 2Normal 2 26 16Normal 2 26 16 2Normal 2 26 17Normal 2 26 17 2Normal 2 26 18Normal 2 26 18 2Normal 2 26 19Normal 2 26 19 2 Normal 2 26 2Normal 2 26 20Normal 2 26 20 2Normal 2 26 21Normal 2 26 21 2Normal 2 26 22Normal 2 26 22 2Normal 2 26 23Normal 2 26 23 2Normal 2 26 24Normal 2 26 25Normal 2 26 26Normal 2 26 27 Normal 2 26 3Normal 2 26 3 2Normal 2 26 3 3 Normal 2 26 4Normal 2 26 4 2Normal 2 26 4 3 Normal 2 26 5Normal 2 26 5 2Normal 2 26 5 3 Normal 2 26 6Normal 2 26 6 2Normal 2 26 6 3 Normal 2 26 7Normal 2 26 7 2Normal 2 26 7 3 Normal 2 26 8Normal 2 26 8 2Normal 2 26 8 3 Normal 2 26 9Normal 2 26 9 2Normal 2 26 9 3 Normal 2 27Normal 2 27 10Normal 2 27 10 2Normal 2 27 10 3Normal 2 27 11Normal 2 27 11 2Normal 2 27 12Normal 2 27 12 2Normal 2 27 13Normal 2 27 13 2Normal 2 27 14Normal 2 27 14 2Normal 2 27 15Normal 2 27 15 2Normal 2 27 16Normal 2 27 16 2Normal 2 27 17Normal 2 27 17 2Normal 2 27 18Normal 2 27 18 2Normal 2 27 19Normal 2 27 19 2 Normal 2 27 2Normal 2 27 20Normal 2 27 20 2 Normal 2 27 21 Normal 2 27 21 2 Normal 2 27 22 Normal 2 27 22 2 Normal 2 27 23Normal 2 27 23 2Normal 2 27 24Normal 2 27 25Normal 2 27 26Normal 2 27 27 Normal 2 27 3Normal 2 27 3 2Normal 2 27 3 3 Normal 2 27 4Normal 2 27 4 2Normal 2 27 4 3 Normal 2 27 5Normal 2 27 5 2Normal 2 27 5 3 Normal 2 27 6Normal 2 27 6 2Normal 2 27 6 3 Normal 2 27 7 Normal 2 27 7 2!Normal 2 27 7 3" Normal 2 27 8#Normal 2 27 8 2$Normal 2 27 8 3% Normal 2 27 9&Normal 2 27 9 2'Normal 2 27 9 3( Normal 2 28)Normal 2 28 10*Normal 2 28 10 2+Normal 2 28 10 3,Normal 2 28 11-Normal 2 28 11 2.Normal 2 28 12/Normal 2 28 12 20Normal 2 28 131Normal 2 28 13 22Normal 2 28 143Normal 2 28 14 24Normal 2 28 155Normal 2 28 15 26Normal 2 28 167Normal 2 28 16 28Normal 2 28 179Normal 2 28 17 2:Normal 2 28 18;Normal 2 28 18 2<Normal 2 28 19=Normal 2 28 19 2> Normal 2 28 2?Normal 2 28 20@Normal 2 28 20 2ANormal 2 28 21BNormal 2 28 21 2CNormal 2 28 22DNormal 2 28 22 2ENormal 2 28 
23FNormal 2 28 23 2GNormal 2 28 24HNormal 2 28 25INormal 2 28 26JNormal 2 28 27K Normal 2 28 3LNormal 2 28 3 2MNormal 2 28 3 3N Normal 2 28 4ONormal 2 28 4 2PNormal 2 28 4 3Q Normal 2 28 5RNormal 2 28 5 2SNormal 2 28 5 3T Normal 2 28 6UNormal 2 28 6 2VNormal 2 28 6 3W Normal 2 28 7XNormal 2 28 7 2YNormal 2 28 7 3Z Normal 2 28 8[Normal 2 28 8 2\Normal 2 28 8 3] Normal 2 28 9^Normal 2 28 9 2_Normal 2 28 9 3` Normal 2 29a Normal 2 3b Normal 2 30cNormal 2 30 10dNormal 2 30 10 2eNormal 2 30 10 3fNormal 2 30 11gNormal 2 30 11 2hNormal 2 30 12iNormal 2 30 12 2jNormal 2 30 13kNormal 2 30 13 2lNormal 2 30 14mNormal 2 30 14 2nNormal 2 30 15oNormal 2 30 15 2pNormal 2 30 16qNormal 2 30 16 2rNormal 2 30 17sNormal 2 30 17 2tNormal 2 30 18uNormal 2 30 18 2vNormal 2 30 19wNormal 2 30 19 2x Normal 2 30 2yNormal 2 30 20zNormal 2 30 20 2{Normal 2 30 21|Normal 2 30 21 2}Normal 2 30 22~Normal 2 30 22 2Normal 2 30 23Normal 2 30 23 2Normal 2 30 24Normal 2 30 25Normal 2 30 26Normal 2 30 27 Normal 2 30 3Normal 2 30 3 2Normal 2 30 3 3 Normal 2 30 4Normal 2 30 4 2Normal 2 30 4 3 Normal 2 30 5Normal 2 30 5 2Normal 2 30 5 3 Normal 2 30 6Normal 2 30 6 2Normal 2 30 6 3 Normal 2 30 7Normal 2 30 7 2Normal 2 30 7 3 Normal 2 30 8Normal 2 30 8 2Normal 2 30 8 3 Normal 2 30 9Normal 2 30 9 2Normal 2 30 9 3 Normal 2 31Normal 2 31 10Normal 2 31 10 2Normal 2 31 10 3Normal 2 31 11Normal 2 31 11 2Normal 2 31 12Normal 2 31 12 2Normal 2 31 13Normal 2 31 13 2Normal 2 31 14Normal 2 31 14 2Normal 2 31 15Normal 2 31 15 2Normal 2 31 16Normal 2 31 16 2Normal 2 31 17Normal 2 31 17 2Normal 2 31 18Normal 2 31 18 2Normal 2 31 19Normal 2 31 19 2 Normal 2 31 2Normal 2 31 20Normal 2 31 20 2Normal 2 31 21Normal 2 31 21 2Normal 2 31 22Normal 2 31 22 2Normal 2 31 23Normal 2 31 23 2Normal 2 31 24Normal 2 31 25Normal 2 31 26Normal 2 31 27 Normal 2 31 3Normal 2 31 3 2Normal 2 31 3 3 Normal 2 31 4Normal 2 31 4 2Normal 2 31 4 3 Normal 2 31 5Normal 2 31 5 2Normal 2 31 5 3 Normal 2 31 6Normal 2 31 6 2Normal 2 31 6 3 Normal 2 31 
7Normal 2 31 7 2Normal 2 31 7 3 Normal 2 31 8Normal 2 31 8 2Normal 2 31 8 3 Normal 2 31 9Normal 2 31 9 2Normal 2 31 9 3 Normal 2 32Normal 2 32 10Normal 2 32 10 2Normal 2 32 10 3Normal 2 32 11Normal 2 32 11 2Normal 2 32 12Normal 2 32 12 2Normal 2 32 13Normal 2 32 13 2Normal 2 32 14Normal 2 32 14 2Normal 2 32 15Normal 2 32 15 2Normal 2 32 16Normal 2 32 16 2Normal 2 32 17Normal 2 32 17 2Normal 2 32 18Normal 2 32 18 2Normal 2 32 19Normal 2 32 19 2 Normal 2 32 2Normal 2 32 20Normal 2 32 20 2Normal 2 32 21Normal 2 32 21 2Normal 2 32 22Normal 2 32 22 2Normal 2 32 23Normal 2 32 23 2Normal 2 32 24Normal 2 32 25Normal 2 32 26Normal 2 32 27 Normal 2 32 3Normal 2 32 3 2Normal 2 32 3 3 Normal 2 32 4Normal 2 32 4 2Normal 2 32 4 3 Normal 2 32 5Normal 2 32 5 2Normal 2 32 5 3 Normal 2 32 6Normal 2 32 6 2Normal 2 32 6 3 Normal 2 32 7Normal 2 32 7 2Normal 2 32 7 3 Normal 2 32 8Normal 2 32 8 2Normal 2 32 8 3 Normal 2 32 9Normal 2 32 9 2 Normal 2 32 9 3  Normal 2 33 Normal 2 33 10 Normal 2 33 10 2 Normal 2 33 10 3Normal 2 33 11Normal 2 33 11 2Normal 2 33 12Normal 2 33 12 2Normal 2 33 13Normal 2 33 13 2Normal 2 33 14Normal 2 33 14 2Normal 2 33 15Normal 2 33 15 2Normal 2 33 16Normal 2 33 16 2Normal 2 33 17Normal 2 33 17 2Normal 2 33 18Normal 2 33 18 2Normal 2 33 19Normal 2 33 19 2  Normal 2 33 2!Normal 2 33 20"Normal 2 33 20 2#Normal 2 33 21$Normal 2 33 21 2%Normal 2 33 22&Normal 2 33 22 2'Normal 2 33 23(Normal 2 33 23 2)Normal 2 33 24*Normal 2 33 25+Normal 2 33 26,Normal 2 33 27- Normal 2 33 3.Normal 2 33 3 2/Normal 2 33 3 30 Normal 2 33 41Normal 2 33 4 22Normal 2 33 4 33 Normal 2 33 54Normal 2 33 5 25Normal 2 33 5 36 Normal 2 33 67Normal 2 33 6 28Normal 2 33 6 39 Normal 2 33 7:Normal 2 33 7 2;Normal 2 33 7 3< Normal 2 33 8=Normal 2 33 8 2>Normal 2 33 8 3? 
Normal 2 33 9@Normal 2 33 9 2ANormal 2 33 9 3B Normal 2 34CNormal 2 34 10DNormal 2 34 10 2ENormal 2 34 10 3FNormal 2 34 11GNormal 2 34 11 2HNormal 2 34 12INormal 2 34 12 2JNormal 2 34 13KNormal 2 34 13 2LNormal 2 34 14MNormal 2 34 14 2NNormal 2 34 15ONormal 2 34 15 2PNormal 2 34 16QNormal 2 34 16 2RNormal 2 34 17SNormal 2 34 17 2TNormal 2 34 18UNormal 2 34 18 2VNormal 2 34 19WNormal 2 34 19 2X Normal 2 34 2YNormal 2 34 20ZNormal 2 34 20 2[Normal 2 34 21\Normal 2 34 21 2]Normal 2 34 22^Normal 2 34 22 2_Normal 2 34 23`Normal 2 34 23 2aNormal 2 34 24bNormal 2 34 25cNormal 2 34 26dNormal 2 34 27e Normal 2 34 3fNormal 2 34 3 2gNormal 2 34 3 3h Normal 2 34 4iNormal 2 34 4 2jNormal 2 34 4 3k Normal 2 34 5lNormal 2 34 5 2mNormal 2 34 5 3n Normal 2 34 6oNormal 2 34 6 2pNormal 2 34 6 3q Normal 2 34 7rNormal 2 34 7 2sNormal 2 34 7 3t Normal 2 34 8uNormal 2 34 8 2vNormal 2 34 8 3w Normal 2 34 9xNormal 2 34 9 2yNormal 2 34 9 3z Normal 2 35{Normal 2 35 10|Normal 2 35 10 2}Normal 2 35 10 3~Normal 2 35 11Normal 2 35 11 2Normal 2 35 12Normal 2 35 12 2Normal 2 35 13Normal 2 35 13 2Normal 2 35 14Normal 2 35 14 2Normal 2 35 15Normal 2 35 15 2Normal 2 35 16Normal 2 35 16 2Normal 2 35 17Normal 2 35 17 2Normal 2 35 18Normal 2 35 18 2Normal 2 35 19Normal 2 35 19 2 Normal 2 35 2Normal 2 35 20Normal 2 35 20 2Normal 2 35 21Normal 2 35 21 2Normal 2 35 22Normal 2 35 22 2Normal 2 35 23Normal 2 35 23 2Normal 2 35 24Normal 2 35 25Normal 2 35 26Normal 2 35 27 Normal 2 35 3Normal 2 35 3 2Normal 2 35 3 3 Normal 2 35 4Normal 2 35 4 2Normal 2 35 4 3 Normal 2 35 5Normal 2 35 5 2Normal 2 35 5 3 Normal 2 35 6Normal 2 35 6 2Normal 2 35 6 3 Normal 2 35 7Normal 2 35 7 2Normal 2 35 7 3 Normal 2 35 8Normal 2 35 8 2Normal 2 35 8 3 Normal 2 35 9Normal 2 35 9 2Normal 2 35 9 3 Normal 2 36 Normal 2 36 2Normal 2 36 2 10Normal 2 36 2 10 2Normal 2 36 2 11Normal 2 36 2 11 2Normal 2 36 2 12Normal 2 36 2 12 2Normal 2 36 2 13Normal 2 36 2 13 2Normal 2 36 2 14Normal 2 36 2 14 2Normal 2 36 2 15Normal 2 36 2 15 2Normal 2 36 
2 16Normal 2 36 2 16 2Normal 2 36 2 17Normal 2 36 2 17 2Normal 2 36 2 18Normal 2 36 2 18 2Normal 2 36 2 19Normal 2 36 2 19 2Normal 2 36 2 2Normal 2 36 2 2 2Normal 2 36 2 2 3Normal 2 36 2 20Normal 2 36 2 20 2Normal 2 36 2 21Normal 2 36 2 21 2Normal 2 36 2 22Normal 2 36 2 22 2Normal 2 36 2 23Normal 2 36 2 24Normal 2 36 2 3Normal 2 36 2 3 2Normal 2 36 2 3 3Normal 2 36 2 4Normal 2 36 2 4 2Normal 2 36 2 4 3Normal 2 36 2 5Normal 2 36 2 5 2Normal 2 36 2 5 3Normal 2 36 2 6Normal 2 36 2 6 2Normal 2 36 2 6 3Normal 2 36 2 7Normal 2 36 2 7 2Normal 2 36 2 7 3Normal 2 36 2 8Normal 2 36 2 8 2Normal 2 36 2 8 3Normal 2 36 2 9Normal 2 36 2 9 2Normal 2 36 2 9 3 Normal 2 36 3 Normal 2 36 4 Normal 2 36 5 Normal 2 36 6 Normal 2 37 Normal 2 37 2Normal 2 37 2 10Normal 2 37 2 10 2Normal 2 37 2 11Normal 2 37 2 11 2Normal 2 37 2 12Normal 2 37 2 12 2Normal 2 37 2 13Normal 2 37 2 13 2Normal 2 37 2 14Normal 2 37 2 14 2Normal 2 37 2 15Normal 2 37 2 15 2Normal 2 37 2 16Normal 2 37 2 16 2Normal 2 37 2 17Normal 2 37 2 17 2Normal 2 37 2 18Normal 2 37 2 18 2Normal 2 37 2 19Normal 2 37 2 19 2Normal 2 37 2 2Normal 2 37 2 2 2Normal 2 37 2 2 3Normal 2 37 2 20Normal 2 37 2 20 2Normal 2 37 2 21Normal 2 37 2 21 2 Normal 2 37 2 22 Normal 2 37 2 22 2 Normal 2 37 2 23 Normal 2 37 2 24 Normal 2 37 2 3Normal 2 37 2 3 2Normal 2 37 2 3 3Normal 2 37 2 4Normal 2 37 2 4 2Normal 2 37 2 4 3Normal 2 37 2 5Normal 2 37 2 5 2Normal 2 37 2 5 3Normal 2 37 2 6Normal 2 37 2 6 2Normal 2 37 2 6 3Normal 2 37 2 7Normal 2 37 2 7 2Normal 2 37 2 7 3Normal 2 37 2 8Normal 2 37 2 8 2Normal 2 37 2 8 3Normal 2 37 2 9 Normal 2 37 2 9 2!Normal 2 37 2 9 3" Normal 2 37 3# Normal 2 37 4$ Normal 2 37 5% Normal 2 37 6& Normal 2 38' Normal 2 38 2(Normal 2 38 2 10)Normal 2 38 2 10 2*Normal 2 38 2 11+Normal 2 38 2 11 2,Normal 2 38 2 12-Normal 2 38 2 12 2.Normal 2 38 2 13/Normal 2 38 2 13 20Normal 2 38 2 141Normal 2 38 2 14 22Normal 2 38 2 153Normal 2 38 2 15 24Normal 2 38 2 165Normal 2 38 2 16 26Normal 2 38 2 177Normal 2 38 2 17 28Normal 2 38 2 
189Normal 2 38 2 18 2:Normal 2 38 2 19;Normal 2 38 2 19 2<Normal 2 38 2 2=Normal 2 38 2 2 2>Normal 2 38 2 2 3?Normal 2 38 2 20@Normal 2 38 2 20 2ANormal 2 38 2 21BNormal 2 38 2 21 2CNormal 2 38 2 22DNormal 2 38 2 22 2ENormal 2 38 2 23FNormal 2 38 2 24GNormal 2 38 2 3HNormal 2 38 2 3 2INormal 2 38 2 3 3JNormal 2 38 2 4KNormal 2 38 2 4 2LNormal 2 38 2 4 3MNormal 2 38 2 5NNormal 2 38 2 5 2ONormal 2 38 2 5 3PNormal 2 38 2 6QNormal 2 38 2 6 2RNormal 2 38 2 6 3SNormal 2 38 2 7TNormal 2 38 2 7 2UNormal 2 38 2 7 3VNormal 2 38 2 8WNormal 2 38 2 8 2XNormal 2 38 2 8 3YNormal 2 38 2 9ZNormal 2 38 2 9 2[Normal 2 38 2 9 3\ Normal 2 39] Normal 2 39 2^Normal 2 39 2 10_Normal 2 39 2 10 2`Normal 2 39 2 11aNormal 2 39 2 11 2bNormal 2 39 2 12cNormal 2 39 2 12 2dNormal 2 39 2 13eNormal 2 39 2 13 2fNormal 2 39 2 14gNormal 2 39 2 14 2hNormal 2 39 2 15iNormal 2 39 2 15 2jNormal 2 39 2 16kNormal 2 39 2 16 2lNormal 2 39 2 17mNormal 2 39 2 17 2nNormal 2 39 2 18oNormal 2 39 2 18 2pNormal 2 39 2 19qNormal 2 39 2 19 2rNormal 2 39 2 2sNormal 2 39 2 2 2tNormal 2 39 2 2 3uNormal 2 39 2 20vNormal 2 39 2 20 2wNormal 2 39 2 21xNormal 2 39 2 21 2yNormal 2 39 2 22zNormal 2 39 2 22 2{Normal 2 39 2 23|Normal 2 39 2 24}Normal 2 39 2 3~Normal 2 39 2 3 2Normal 2 39 2 3 3Normal 2 39 2 4Normal 2 39 2 4 2Normal 2 39 2 4 3Normal 2 39 2 5Normal 2 39 2 5 2Normal 2 39 2 5 3Normal 2 39 2 6Normal 2 39 2 6 2Normal 2 39 2 6 3Normal 2 39 2 7Normal 2 39 2 7 2Normal 2 39 2 7 3Normal 2 39 2 8Normal 2 39 2 8 2Normal 2 39 2 8 3Normal 2 39 2 9Normal 2 39 2 9 2Normal 2 39 2 9 3 Normal 2 4 Normal 2 40Normal 2 40 10Normal 2 40 10 2Normal 2 40 11Normal 2 40 11 2Normal 2 40 12Normal 2 40 12 2Normal 2 40 13Normal 2 40 13 2Normal 2 40 14Normal 2 40 14 2Normal 2 40 15Normal 2 40 15 2Normal 2 40 16Normal 2 40 16 2Normal 2 40 17Normal 2 40 17 2Normal 2 40 18Normal 2 40 18 2Normal 2 40 19Normal 2 40 19 2 Normal 2 40 2Normal 2 40 2 2Normal 2 40 2 3Normal 2 40 20Normal 2 40 20 2Normal 2 40 21Normal 2 40 21 2Normal 2 40 22Normal 2 40 22 
2Normal 2 40 23Normal 2 40 24 Normal 2 40 3Normal 2 40 3 2Normal 2 40 3 3 Normal 2 40 4Normal 2 40 4 2Normal 2 40 4 3 Normal 2 40 5Normal 2 40 5 2Normal 2 40 5 3 Normal 2 40 6Normal 2 40 6 2Normal 2 40 6 3 Normal 2 40 7Normal 2 40 7 2Normal 2 40 7 3 Normal 2 40 8Normal 2 40 8 2Normal 2 40 8 3 Normal 2 40 9Normal 2 40 9 2Normal 2 40 9 3 Normal 2 41Normal 2 41 10Normal 2 41 10 2Normal 2 41 11Normal 2 41 11 2Normal 2 41 12Normal 2 41 12 2Normal 2 41 13Normal 2 41 13 2Normal 2 41 14Normal 2 41 14 2Normal 2 41 15Normal 2 41 15 2Normal 2 41 16Normal 2 41 16 2Normal 2 41 17Normal 2 41 17 2Normal 2 41 18Normal 2 41 18 2Normal 2 41 19Normal 2 41 19 2 Normal 2 41 2Normal 2 41 2 2Normal 2 41 2 3Normal 2 41 20Normal 2 41 20 2Normal 2 41 21Normal 2 41 21 2Normal 2 41 22Normal 2 41 22 2 Normal 2 41 3Normal 2 41 3 2Normal 2 41 3 3 Normal 2 41 4Normal 2 41 4 2Normal 2 41 4 3 Normal 2 41 5Normal 2 41 5 2Normal 2 41 5 3 Normal 2 41 6Normal 2 41 6 2Normal 2 41 6 3 Normal 2 41 7Normal 2 41 7 2Normal 2 41 7 3 Normal 2 41 8Normal 2 41 8 2Normal 2 41 8 3 Normal 2 41 9Normal 2 41 9 2Normal 2 41 9 3 Normal 2 42 Normal 2 43 Normal 2 44 Normal 2 45 Normal 2 46 Normal 2 47 Normal 2 48 Normal 2 49 Normal 2 5 Normal 2 50 Normal 2 51 Normal 2 52 Normal 2 6 Normal 2 7  Normal 2 8  Normal 2 808 Normal 2 80   Normal 2 9  Normal 20  Normal 21 Normal 22 Normal 23 Normal 24 Normal 25 Normal 26 Normal 27 Normal 28 Normal 29 Normal 3 Normal 3 10 Normal 3 11 Normal 3 12 Normal 3 13 Normal 3 14 Normal 3 15 Normal 3 16 Normal 3 17 Normal 3 18  Normal 3 19! Normal 3 2" Normal 3 20# Normal 3 21$ Normal 3 22% Normal 3 23& Normal 3 24' Normal 3 25( Normal 3 26) Normal 3 27* Normal 3 28+ Normal 3 29, Normal 3 3- Normal 3 30. Normal 3 4/ Normal 3 50 Normal 3 61 Normal 3 72 Normal 3 83 Normal 3 94 Normal 305 Normal 316 Normal 327 Normal 338 Normal 349 Normal 35: Normal 36; Normal 37< Normal 38= Normal 39 >Normal 4? 
Normal 40@ Normal 41A Normal 42B Normal 43C Normal 44D Normal 45E Normal 46F Normal 47G Normal 48H Normal 49 INormal 5J Normal 50K Normal 51L Normal 52M Normal 53N Normal 54O Normal 55P Normal 56Q Normal 57R Normal 58S Normal 59 TNormal 6U Normal 6 2V Normal 6 2 10WNormal 6 2 10 2XNormal 6 2 10 3Y Normal 6 2 11ZNormal 6 2 11 2[ Normal 6 2 12\Normal 6 2 12 2] Normal 6 2 13^Normal 6 2 13 2_ Normal 6 2 14`Normal 6 2 14 2a Normal 6 2 15bNormal 6 2 15 2c Normal 6 2 16dNormal 6 2 16 2e Normal 6 2 17fNormal 6 2 17 2g Normal 6 2 18hNormal 6 2 18 2i Normal 6 2 19jNormal 6 2 19 2k Normal 6 2 2l Normal 6 2 20mNormal 6 2 20 2n Normal 6 2 21oNormal 6 2 21 2p Normal 6 2 22qNormal 6 2 22 2r Normal 6 2 23sNormal 6 2 23 2t Normal 6 2 24u Normal 6 2 25v Normal 6 2 26w Normal 6 2 27x Normal 6 2 3yNormal 6 2 3 2zNormal 6 2 3 3{ Normal 6 2 4|Normal 6 2 4 2}Normal 6 2 4 3~ Normal 6 2 5Normal 6 2 5 2Normal 6 2 5 3 Normal 6 2 6Normal 6 2 6 2Normal 6 2 6 3 Normal 6 2 7Normal 6 2 7 2Normal 6 2 7 3 Normal 6 2 8Normal 6 2 8 2Normal 6 2 8 3 Normal 6 2 9Normal 6 2 9 2Normal 6 2 9 3 Normal 6 3 Normal 60 Normal 61 Normal 62 Normal 63 Normal 64 Normal 65 Normal 66 Normal 67 Normal 68 Normal 69 Normal 7 108 Normal 7 10  Normal 7 118 Normal 7 11  Normal 7 128 Normal 7 12  Normal 7 138 Normal 7 13  Normal 7 148 Normal 7 14  Normal 7 158 Normal 7 15  Normal 7 168 Normal 7 16  Normal 7 178 Normal 7 17  Normal 7 188 Normal 7 18  Normal 7 198 Normal 7 19  Normal 7 2 Normal 7 2 10 Normal 7 2 11 Normal 7 2 12 Normal 7 2 13 Normal 7 2 14 Normal 7 2 15 Normal 7 2 16 Normal 7 2 17 Normal 7 2 18 Normal 7 2 19 Normal 7 2 2Normal 7 2 2 2Normal 7 2 2 3Normal 7 2 2 4Normal 7 2 2 5Normal 7 2 2 6 Normal 7 2 20 Normal 7 2 21 Normal 7 2 22 Normal 7 2 23 Normal 7 2 24 Normal 7 2 25 Normal 7 2 26 Normal 7 2 27 Normal 7 2 28 Normal 7 2 29 Normal 7 2 3 Normal 7 2 30 Normal 7 2 31 Normal 7 2 32 Normal 7 2 33 Normal 7 2 34 Normal 7 2 35 Normal 7 2 36 Normal 7 2 37 Normal 7 2 38 Normal 7 2 39 Normal 7 2 4 Normal 7 2 40 
Normal 7 2 41 Normal 7 2 42 Normal 7 2 43 Normal 7 2 44 Normal 7 2 45 Normal 7 2 46 Normal 7 2 47 Normal 7 2 48< Normal 7 2 48 Normal 7 2 48 2@Normal 7 2 48 2 Normal 7 2 48 3@Normal 7 2 48 3 Normal 7 2 48 4@Normal 7 2 48 4 Normal 7 2 48 5@Normal 7 2 48 5 Normal 7 2 48 6@Normal 7 2 48 6 Normal 7 2 48 7@Normal 7 2 48 7 Normal 7 2 48 8@Normal 7 2 48 8  Normal 7 2 49< Normal 7 2 49  Normal 7 2 5 Normal 7 2 50< Normal 7 2 50  Normal 7 2 51< Normal 7 2 51  Normal 7 2 52 Normal 7 2 53 Normal 7 2 54 Normal 7 2 55 Normal 7 2 56 Normal 7 2 57 Normal 7 2 6 Normal 7 2 7 Normal 7 2 8 Normal 7 2 9 Normal 7 208 Normal 7 20  Normal 7 218 Normal 7 21  Normal 7 228 Normal 7 22  Normal 7 238 Normal 7 23  Normal 7 248 Normal 7 24  Normal 7 258 Normal 7 25  Normal 7 268 Normal 7 26  Normal 7 278 Normal 7 27  Normal 7 288 Normal 7 28  Normal 7 298 Normal 7 29  Normal 7 3 Normal 7 308 Normal 7 30  Normal 7 318 Normal 7 31  Normal 7 328 Normal 7 32  Normal 7 338 Normal 7 33  Normal 7 348 Normal 7 34  Normal 7 358 Normal 7 35  Normal 7 368 Normal 7 36  Normal 7 378 Normal 7 37  Normal 7 388 Normal 7 38  Normal 7 398 Normal 7 39  Normal 7 4 Normal 7 408 Normal 7 40  Normal 7 418 Normal 7 41  Normal 7 428 Normal 7 42  Normal 7 438 Normal 7 43  Normal 7 448 Normal 7 44  Normal 7 458 Normal 7 45  Normal 7 468 Normal 7 46  Normal 7 478 Normal 7 47  Normal 7 488 Normal 7 48  Normal 7 498 Normal 7 49  Normal 7 5; Normal 7 5 % Normal 7 508 Normal 7 50   Normal 7 51  Normal 7 66 Normal 7 6   Normal 7 76 Normal 7 7   Normal 7 86 Normal 7 8   Normal 7 96 Normal 7 9  Normal 70 Normal 71 Normal 72 Normal 73 Normal 74 Normal 75 Normal 76 Normal 76 2 Normal 77 Normal 78 Normal 78 2 Normal 79 Normal 8 Normal 80 Normal 81 Normal 82 Normal 83 Normal 84  Normal 85! Normal 86" Normal 87# Normal 88$ Normal 89 %Normal 9& Normal 9 2' Normal 9 3( Normal 9 4) Normal 90* Normal 91+ Normal 92, Normal 93- Normal 94. 
Normal 95/ Normal 960 Normal 971 Normal_Sheet2 2Noteb Note   3Note 2fNote 2   4OutputwOutput  ???%????????? ???5$Percent 6Style 1 7Title1Title I}% 8TotalMTotal %OO9 Warning Text? Warning Text %XTableStyleMedium2PivotStyleLight16``win2k3cce-COMBINED-5.xlsaix5.3 hpux11.23ie7ie8 office2k7 office2010rhel4rhel5solaris8solaris9 solaris10weblogicserver11gwin2kwinxpwin2k3vistawin2k8win7win2k8r2YYYYYYYYYY Y Y Y Y YYYYYb:B1\:G4b1:8 ^Last modified: 2010-04-20Version: 5.20100428CCE IDCCE DescriptionCCE ParametersCCE Technical Mechanisms Old v4 CCE ID0Microsoft Security Guide for Windows Server 20030Center for Internet Security Windows Server 2003DISA Stig for Windows 2003DMicrosoft Windows Server 2003 Security Guide, version April 26, 2006Microsoft Online Documentation CCE-3062-7jThe "deny access to this computer from the network" user right should be assigned to the correct accounts.(1) set of accounts(1) defined by the SeDenyNetworkLogonRight setting in Local or Group Policy (2) Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny access to this computer from the networkCCE-898Table 3.28 Deny access to this computer from the network: ANONYMOUS LOGON; Built-in Administrator, Guests; Support_388945a0; Guest; all NON-Operating System service accounts (Legacy Client, Enterprise Client, and High Security)K4.2.15 Deny access to this computer from the network (minimum): Not DefinedTable 4.11 User Rights Assignments Setting Recommendations: Deny access to this computer from the network, ANONOYMOUS LOGON; Guests; Support_388945a0; all NON-Operating System service accounts (Legacy, Enterprise, and Specialized Security) Table 4.30 Manually Added User Rights Assignments: Deny access to this computer from the network, Built-in Administrator; Support_388945a0; Guest; all NON-Operating System service accounts (Legacy, Enterprise, and Specialized Security) Table 5.8 Manually Added User Rights Assignments:Deny access to this computer from the 
network, Built-in Administrator; Support_388945a0; Guest; all NON-Operating System service accounts (Legacy, Enterprise, and Specialized Security) Table 9.10 Manually Added User Rights Assignments: Deny access to this computer from the network, Built-in Administrator; Support_388945a0; Guest; all NON-Operating System service accounts (Legacy, Enterprise and Specialized Security)8http://technet.microsoft.com/en-us/library/cc758316.aspx CCE-3322-5dThe "access this computer from the network" user right should be assigned to the correct accounts. (1) defined by the SeNetworkLogonRight setting in Local or Group Policy (2) Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\CCE-532Table 4.2 Access this computer from the network: Administrators, Authenticated Users, Enterprise Domain Controllers (High Security); Legacy Client and Enterprise Client are not defined4.2.1 Access this computer from the network: Not Defined; Administrators, Authenticated Users, Enterprise Domain Controllers (Specialized Security)5.1 User Rights: (4.015: CAT I) Built-in Guest account, Everyone group, guests group, and Domain Guests group DO NOT have the right to "access this computer from the network"@Table 4.11 User Rights Assignments Setting Recommendations: Access this computer from the network, not defined (Legacy and Enterprise), Administrators, Authenticated Users, ENTERPRISE DOMAIN CONTROLLERS (Specialized Security) Table 5.4 Recommended User Rights Assignments Settings: Access this computer from the network 9http://technet.microsoft.com/en-us/library/cc740196.aspx CCE-3490-0bThe "act as part of the operating system" user right should be assigned to the correct accounts. 
(1) defined the SeTcbPrivilege setting in by Local or Group Policy (2) Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\CCE-162Table 3.21 Act as part of the operating system: Not defined (Legacy Client and Enterprise Client); revoke all security groups and accounts (High Security)/4.2.2 Act as part of the operating system: none|5.1 User Rights: (4.009: CAT I) Individual and group accounts DO NOT have the right to "act as part of the operating system"Table 4.11 User Rights Assignments Setting Recommendations: Act as part of the operating system, Not defined (Legacy and Enterprise), No one Specialized Security) CCE-2869-6\The "back up files and directories" user right should be assigned to the correct accounts. (1) defined the SeBackupPrivilege setting in by Local or Group Policy (2) Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\CCE-931J4.2.36 Backup files and directories: Administrators (Specialized Security)Table 4.11 User Rights Assignments Setting Recommendations, Back up files and directories Not defined (Legacy and Enterprise), Administrators (Specialized Security) CCE-3375-3WThe "bypass traverse checking" user right should be assigned to the correct accounts. (1) defined the SeChangeNotifyPrivilege setting in by Local or Group Policy (2) Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\CCE-376+4.2.8 Bypass traverse checking: Not DefinedTable 4.11 User Rights Assignments Setting Recommendations: Bypass traverse checking, Not defined (Legacy and Enterprise), Authenticated Users (Specialized Security) CCE-3397-7UThe "change the system time" user right should be assigned to the correct accounts. 
(1) defined the SeSystemTimePrivilege setting in by Local or Group Policy (2) Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\CCE-799Table 3.26 Change the system time: Administrators and Power Users (default); Administrators (High Security); Legacy client and Enterprise Client are not defined,4.2.9 Change the system time: AdministratorsJTable 4.11 User Rights Assignments Setting Recommendations: Change the system time, Not defined (Legacy and Enterprise), Administrators, LOCAL SERVICE (Specialized Security) Table 5.4 Recommended User Rights Assignments Settings: Change the system time, Administrators, LOCAL SERVICE (Legacy, Enterprise, and Specialized Security)8http://technet.microsoft.com/en-us/library/cc786461.aspx CCE-3538-6PThe "create a pagefile" user right should be assigned to the correct accounts. (1) defined the SeCreatePagefilePrivilege setting in by Local or Group Policy (2) Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\CCE-895?4.2.10 Create a pagefile: Administrators (Specialized Security)Table 4.11 User Rights Assignments Setting Recommendations: Create a pagefile, Not defined (Legacy and Enterprise), Administrators (Specialized Security) CCE-3498-3TThe "Create a token object" user right should be assigned to the correct accounts. (1) defined the SeCreateTokenPrivilege setting in by Local or Group Policy (2) Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\CCE-926"4.2.11 Create a token object: NoneTable 4.11 User Rights Assignments Setting Recommendations: Create a token object, Not defined (Legacy and Enterprise), No one (Specialized Security) CCE-3269-8^The "create permanent shared objects" user right should be assigned to the correct accounts. 
(1) defined the SeCreatePermanentPrivilege setting in by Local or Group Policy (2) Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\CCE-335,4.2.13 Create permanent shared objects: NoneTable 4.11 User Rights Assignments Setting Recommendations: Create permanent shared objects, Not defined (Legacy and Enterprise), No one (Specialized Security) CCE-2576-7MThe "debug programs" user right should be assigned to the correct accounts. (1) defined the SeDebugPrivilege setting in by Local or Group Policy (2) Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\CCE-842Table 3.27 Debug programs: Administrators (default); Revoke all security groups and accounts (Legacy Client, Enterprise client and High Security)4.2.14 Debug Programs: NoneTable 4.11 User Rights Assignments Setting Recommendations: Debug programs, Not defined (Legacy), Administrators (Enterprise), No one (Specialized Security) CCE-3359-7bThe "force shutdown from a remote system" user right should be assigned to the correct< accounts. (1) defined the SeRemoteShutdownPrivilege setting in by Local or Group Policy (2) Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\CCE-754Table 3.32 Force shutdown from a remote system: Administrators (High Security): Legacy client and Enterprise Client are not definedQ4.2.21 Force shutdown from a remote system: Administrators (Specialized Security)Table 4.11 User Rights Assignments Setting Recommendations: Force shutdown from a remote system, Not defined (Legacy and Enterprise), Administrators (Specialized Security) CCE-3491-8WThe "generate security audits" user right should be assigned to the correct accounts. 
(1) defined the SeAuditPrivilege setting in by Local or Group Policy (2) Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\CCE-939Table 3.33 Generate security audits: Network Service, Local Service (High Security): Legacy Client and Enterprise Client are not definedV4.2.22 Generate security audits: Local Service, Network Service (Specialized Security)Table 4.11 User Rights Assignments Setting Recommendations: Generate security audits, Not defined (Legacy and Enterprise), NETWORK SERVICE, LOCAL SERVICE (Specialized Security) CCE-3147-6aThe "adjust memory quotas for a process" user right should be assigned to the correct accounts. (1) defined the SeIncreaseQuotaPrivilege setting in by Local or Group Policy (2) Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\CCE-807Table 3.23 Adjust memory quotas for a process: Administrators, Network Service, Local Service (High Security); Legacy client and Enterprise Client are not definedo4.2.4 Adjust memory quotas for a process: Network Service, Local Service, Administrators (Specialized Security)Table 4.11 User Rights Assignments Setting Recommendations: Adjust memory quotas for a process, Not defined (Legacy and Enterprise), Administrators, NETWORK SERVICE, LOCAL SERVICE (Specialized Security) CCE-3539-4[The "increase scheduling priority" user right should be assigned to the correct accounts. 
(1) defined the SeIncreaseBasePriorityPrivilege setting in by Local or Group Policy (2) Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\CCE-349|Table 3.35 Increase scheduling priority: Administrators (High Security): Legacy Client and Enterprise Client are not definedJ4.2.24 Increase scheduling priority: Administrators (Specialized Security)Table 4.11 User Rights Assignments Setting Recommendations: Increase scheduling priority, Not defined (Legacy and Enterprise), Administrators (Specialized Security) CCE-3293-8]The "load and unload device drivers" user right should be assigned to the correct accounts. (1) defined the SeLoadDriverPrivilege setting in by Local or Group Policy (2) Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\CCE-860~Table 3.36 Load and unload device drivers: Administrators (High Security): Legacy Client and Enterprise Client are not defined54.2.25 Load and unload device drivers: Administrators<Table 4.11 User Rights Assignments Setting Recommendations: Load and unload device drivers, Not defined (Legacy and Enterprise), Administrators (Specialized Security) Table 5.4 Recommended User Rights Assignments Settings: Load and unload device drivers, Administrators (Legacy, Enterprise, and Specialized Security)8http://technet.microsoft.com/en-us/library/cc782779.aspx CCE-2936-3SThe "lock pages in memory" user right should be assigned to the correct accounts. 
(1) defined the SeLockMemoryPrivilege setting in by Local or Group Policy (2) Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\CCE-749tTable 3.37 Lock pages in memory: Administrators (High Security): Legacy Client and Enterprise Client are not definedB4.2.26 Lock pages in memory: Administrators (Specialized Security)Table 4.11 User Rights Assignments Setting Recommendations: Lock pages in memory, Not defined (Legacy and Enterprise), No one (Specialized Security CCE-3191-4TThe "log on as a batch job" user right should be assigned to the correct accounts. (1) defined the SeBatchLogonRight setting in by Local or Group Policy (2) Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\CCE-177Table 3.38 Log on as a batch job: Support_388945a0, Local Service (Default); Revoke all security groups and accounts (High Security); Legacy Client and Enterprise Client are not defined"4.2.27 Log on as a batch job: NoneTable 4.11 User Rights Assignments Setting Recommendations: Log on as a batch job, Not defined (Legacy, Enterprise, and Specialized Security), CCE-3332-4RThe "log on as a service" user right should be assigned to the correct accounts. (1) defined the SeServiceLogonRight setting in by Local or Group Policy (2) Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\CCE-216'4.2.28 Log on as a service: Not DefinedTable 4.11 User Rights Assignments Setting Recommendations: Log on as a service, Not defined (Legacy and Enterprise), NETWORK SERVICE (Specialized Security) CCE-3557-6MThe "log on locally" user right should be assigned to the correct accounts. 
(1) defined the SeInteractiveLogonRight setting in by Local or Group Policy (2) Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\CCE-965dTable 4.4 Allow log on locally: Administrators (Legacy client, Enterprise Client, and High Security)*4.2.5 Allow log on locally: Administrators5.1 User rights: (4.026: CAT II) Built-in Guest account, guests group, and Domain guests group, HelpAssistant, and Suppor_388945a0 are assigned the right to DENY log on locally Table 4.11 User Rights Assignments Setting Recommendations: Allow log on locally, Administrators, Backup Operators, Power Users(Legacy and Enterprise), Administrators (Specialized Security) Table 5.4 Recommended User Rights Assignments Settings: Allow log on locally8http://technet.microsoft.com/en-us/library/cc756809.aspx CCE-3575-8_The "manage auditing and security log" user right should be assigned to the correct accounts. (1) defined the SeSecurityPrivilege setting in by Local or Group Policy (2) Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\CCE-850Table 3.39 Manage auditing and security log: Administrators (High Security); Legacy Client and Enterprise Client are not definedN4.2.29 Manage auditing and security log: Administrators (Specialized Security)Table 4.11 User Rights Assignments Setting Recommendations: Manage auditing and security log, Not defined (Legacy and Enterprise), Administrators (Specialized Security)8http://technet.microsoft.com/en-us/library/aa996080.aspx CCE-3218-5aThe "modify firmware environment values" user right should be assigned to the correct accounts. 
(1) defined the SeSystemEnvironmentPrivilege setting in by Local or Group Policy (2) Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\CCE-17Table 3.40 Modify firmware environment values: Administrators (High Security); Legacy client and Enterprise Client are not definedP4.2.30 Modify firmware environment values: Administrators (Specialized Security)Table 4.11 User Rights Assignments Setting Recommendations: Not defined (Legacy and Enterprise), Administrators (Specialized Security) CCE-2861-3UThe "profile single process" user right should be assigned to the correct accounts. (1) defined the SeProfileSingleProcessPrivilege setting in by Local or Group Policy (2) Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\CCE-260vTable 3.42 Profile single process: Administrators (High Security); Legacy Client and Enterprise Client are not definedD4.2.32 Profile single process: Administrators (Specialized Security)< Table 4.11 User Rights Assignments Setting Recommendations: Profile single process, Not defined (Legacy and Enterprise), Administrators (Specialized Security) CCE-3002-3YThe "profile system performance" user right should be assigned to the correct accounts. (1) defined the SeSystemProfilePrivilege setting in by Local or Group Policy (2) Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\CCE-599zTable 3.43 Profile system performance: Administrators (High Security); Legacy client and Enterprise Client are not definedH4.2.33 Profile system performance: Administrators (Specialized Security)Table 4.11 User Rights Assignments Setting Recommendations: Profile system performance, Not defined (Legacy and Enterprise), Administrators (Specialized Security) CCE-2663-3cThe "remove computer from docking station" user right should be assigned to the correct accounts. 
(1) defined the SeUndockPrivilege setting in by Local or Group Policy (2) Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\CCE-656Table 3.44 Remove computer from docking station: Administrators, Power Users (Default)/Administrators (High Security); Legacy client and Enterprise Client are not definedR4.2.34 Remove computer from docking station: Administrators (Specialized Security)Table 4.11 User Rights Assignments Setting Recommendations: Remove computer from docking station, Not defined (Legacy and Enterprise), Administrators (Specialized Security) CCE-3447-0\The "replace a process-level token" user right should be assigned to the correct accounts. (1) defined the SeAssignPrimaryTokenPrivilege setting in by Local or Group Policy (2) Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\CCE-667Table 3.45 Replace a process level token: Local Service, Network Service (High Security); Legacy Client and Enterprise Client are not definedD4.2.35 Replace a process level token: Network Service, Local ServiceTable 4.11 User Rights Assignments Setting Recommendations: Replace a process level token, Not defined (Legacy and Enterprise), LOCAL SERVICE, NETWORK SERVICE (Specialized Security), Administrators (Specialized Security) CCE-3465-2\The "restore files and directories" user right should be assigned to the correct accounts. 
(1) defined the SeRestorePrivilege setting in by Local or Group Policy (2) Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\CCE-553Table 3.46 Restore files and directories: Administrators and Backup Operators (Default)/Administrators (High Security); Legacy Client and Enterprise Client are not definedK4.2.36 Restore files and directories: Administrators (Specialized Security):Table 4.11 User Rights Assignments Setting Recommendations: Restore files and directories, Not defined (Legacy and Enterprise), Administrators (Specialized Security) Table 5.4 Recommended User Rights Assignments Settings: Restore files and directories, Administrators (Legacy, Enterprise, and Specialized Security)8http://technet.microsoft.com/en-us/library/cc957236.aspx CCE-3346-4SThe "shut down the system" user right should be assigned to the correct accounts. (1) defined the SeShutdownPrivilege setting in by Local or Group Policy (2) Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\CCE-839Table 3.47 Shut down the system: Backup Operators, Power Users and Administrators (Default)/Administrators (High Security); Legacy Client and Enterprise Client are not definedN4.2.37 Shut down the system: Administrators (Enterprise, Specialized Security)'Table 4.11 User Rights Assignments Setting Recommendations: Shut down the system, Not defined (Legacy and Enterprise), Administrators (Specialized Security) Table 5.4 Recommended User Rights Assignments Settings: Shutdown the system, Administrators (Legacy, Enterprise, and Specialized Security)?http://technet.microsoft.com/en-us/library/cc759478(WS.10).aspx CCE-2848-0gThe "take ownership of files or other objects" user right should be assigned to the correct accounts. 
(1) defined the SeTakeOwnershipPrivilege setting in by Local or Group Policy (2) Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\CCE-492Table 3.49 Take ownership of files or other objects: Administrators (High Security); Legacy Client and Enterprise Client are not defined>4.2.39 Take ownership of file or other objects: AdministratorsTable 4.11 User Rights Assignments Setting Recommendations: Take ownership of files or other objects, Not defined (Legacy and Enterprise), Administrators (Specialized Security) CCE-3368-8aThe "synchronize directory service data" user right should be assigned to the correct accounts. (1) defined the SeSynchAgentPrivilege setting in by Local or Group Policy (2) Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\CCE-381Table 3.48 Synchronize directory service data: Revoke all security groups and accounts (High Security); legacy client and Enterprise Client are not defined/4.2.38 Synchronize directory service data: NoneTable 4.11 User Rights Assignments Setting Recommendations: Synchronize directory service data, Not defined (Legacy and Enterprise), No one (Specialized Security) CCE-3531-1QThe "deny logon locally" user right should be assigned to the correct accounts. (1) defined the SeDenyInteractiveLogonRight setting in by Local or Group Policy (2) Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\CCE-64&4.2.18 Deny logon locally: Not DefinedTable 4.11 User Rights Assignments Setting Recommendations: Deny logon locally, Not defined (Legacy and Enterprise), Guests; Support_388945a0 (Specialized Security) CCE-3473-6}The "enable computer and user accounts to be trusted for delegation" user right should be assigned to the correct accounts. 
(1) defined the SeEnableDelegationPrivilege setting in by Local or Group Policy (2) Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\CCE-15Table 4.7 Enable computer and user accounts to be trusted for delegation: Administrators (High Security); Legacy client and Enterprise Client are not definedK4.2.20 enable computer and user accounts to be trusted for delegation: None@Table 4.11 User Rights Assignments Setting Recommendations: Enable computer and user accounts to be trusted for delegation, Not defined (Legacy and Enterprise), Administrators (Specialized Security) Table 5.4 Recommended User Rights Assignments Settings: Enable computer and user accounts to be trusted for delegation, 8http://technet.microsoft.com/en-us/library/cc782684.aspx CCE-3354-8YThe "add workstations to domain" user right should be assigned to the correct accounts. (1) defined the SeMachineAccountPrivilege setting in by Local or Group Policy (2) Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\CCE-183zTable 3.22 Add workstations to domain: Administrators (High Security); Legacy Client and Enterprise Client are not definedJ4.2.3 Add workstations to domain: Not Defined; None (Specialized Security)Table 5.4 Recommended User Rights Assignments Settings: Add workstations to domain, Not defined (Legacy and Enterprise), Administrators (Specialized Security)8http://technet.microsoft.com/en-us/library/cc780195.aspx CCE-3499-1dThe "allow logon through Terminal Services" user right should be assigned to the correct accounts. 
(1) defined the SeRemoteInteractiveLogonRight setting in by Local or Group Policy (2) Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\CCE-883Table 3.25 Allow log on through Terminal Services: Administrators (High Security); Administrators and Remote Desktop Users (Legacy Client and Enterprise Client);4.2.6 Allow logon through terminal services: Administrators5.1 User < Rights: (4.040: CAT I) No one has the right to allow logn through Terminal Services unless the machine is performing the role of a Terminal ServerATable 4.11 User Rights Assignments Setting Recommendations: Allow log on through Terminal Services, Administrators and Remote Desktop Users (Legacy and Enterprise), Administrators (Specialized Security) Table 5.4 Recommended User Rights Assignments Settings: Administrators, (Legacy, Enterprise, and Specialized Security)8http://technet.microsoft.com/en-us/library/cc758613.aspx CCE-2649-2XThe "deny logon as a batch job" user right should be assigned to the correct accounts. 
(1) defined the SeDenyBatchLogonRight setting in by Local or Group Policy (2) Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny log on as batch jobCCE-165wTable 4.18 Deny log on as a batch job: Support_388945a0 and Guest (Legacy Client, Enterprise Client, and High Security)-4.2.16 Deny logon as a batch job: Not DefinedTable 4.11 User Rights Assignments Setting Recommendations: Deny logon as a batch job, Guests; Support_388945a0 (Legacy, Enterprise, and Specialized Security) Table 4.30 Manually Added User Rights Assignments: Deny log on as a batch job, Support_388945a0 and Guest (Legacy, Enterprise, and Specialized Security) Table 5.8 Manually Added User Rights Assignments: Deny log on as a batch job (Legacy, Enterprise, and Specialized Security)?http://technet.microsoft.com/en-us/library/cc738621(WS.10).aspx CCE-3543-6VThe "deny logon as a service" user right should be assigned to the correct accounts. (1) defined the SeDenyServiceLogonRight setting in by Local or Group Policy (2) Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\CCE-597+4.2.17 Deny logon as a service: Not DefinedTable 4.11 User Rights Assignments Setting Recommendations: Deny logon as a service, Not defined (Legacy and Enterprise), No one (Specialized Security) CCE-3438-9cThe "deny logon through Terminal Services" user right should be assigned to the correct accounts. 
(1) defined the SeDenyRemoteInteractiveLogonRight setting in by Local or Group Policy (2) Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny log on through Terminal ServicesCCE-108Table 4.18 Deny log on through Terminal Services: Built-in Administrator; all NON-operating system service accounts (Legacy Client, Enterprise Client, and High Security)84.2.19 Deny logon through Terminal Services: Not Defined5.1 User Rights: (4.041: CAT II) The Everyone group is assigned the right to deny logon through Terminal Services unless the machine is performing the role of a Terminal Server, then the Guests group is assignedCUser Rights Assignments Setting Recommendations: Deny logon through Terminal Services, Guests (Legacy, Enterprise, and Specialized Security) Table 4.30 Manually Added User Rights Assignments: Deny log on through Terminal Services, Built-in Administrator; Guests; Support_388945a0; Guest ; all NON-operating system service accounts (Legacy, Enterprise, and Specialized Security) Table 5.8 Manually Added User Rights Assignments: Deny log on through Terminal Services, Built-in Administrator; all NON-operating system service accounts (Legacy, Enterprise, and Specialized Security)8http://technet.microsoft.com/en-us/library/cc737453.aspx CCE-3319-1_The "perform volume maintenance tasks" user right should be assigned to the correct accounts. 
(1) defined the SeManageVolumePrivilege setting in by Local or Group Policy (2) Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\CCE-314Table 3.41 Perform volume maintenance tasks: Administrators (High Security); Legacy client and Enterprise Client are not definedN4.2.31 Perform volume maintenance tasks: Administrators (Specialized Security)V5.4.5.1 [AP] User Rights Assignments: Perform Volume Maintenance Tasks: AdministratorsTable 4.11 User Rights Assignments Setting Recommendations: Perform volume maintenance tasks, Not defined (Legacy and Enterprise), Administrators (Specialized Security) CCE-3574-1TThe "reset account lockout counter after" policy should meet minimum requirements. (1) number of minutes(1) Computer Configuration\Windows Settings\Security Settings\Account Policies\Account Lockout Policy\Reset account lockout counter afterCCE-733Table 2.11 Reset account lockout counter after: 30 minutes; 15 minutes (High Security); 30 minutes (Legacy Client and Enterprise Client)/2.2.3.3 Reset Account Lockout After: 15 minutes/5.4.2.2 [A] Bad Logon Counter Reset: 15 minutesTable 3.2 Account Lockout Policy Settings: Reset account lockout counter after 30 minutes (Legacy and Enterprise), 15 minutes (Specialized Security) CCE-2627-8IThe "account lockout duration" policy should meet minimum requirements. (1) Computer Configuration\Windows Settings\Security Settings\Account Policies\Account Lockout Policy\Account lockout duration CCE-980pTable 2.9 Account lockout duration: 15 minutes (High Security); 30 minutes (Legacy Client and Enterprise Client),2.2.3.1 Account Lockout Duration: 15 minutes\4.5.3 Password Policy (4.004: CAT II) The Account Lockout duration set to 15 minutes or moreTable 3.2 Account Lockout Policy Settings: Account lockout duration, 30 minutes (Legacy and Enterprise), 15 minutes (Specialized Security) CCE-3551-9JThe "account lockout threshold" policy should meet minimum requirements. 
(1) number of attempts(1) Computer Configuration\Windows Settings\Security Settings\Account Policies\Account Lockout Policy\Account lockout threshold CCE-658Table 2.10 Account lockout threshold: 50 invalid login attempts (Legacy Client and Enterprise Client); 10 invalid login attempts (High Security)R2.2.3.2 Account Lockout Threshold: 15 attempts; 10 attempts (Specialized Security)\4.5.3 Password Policy (4.002: CAT II) The Account Lockout Threshold will be set to 3 or lessTable 3.2 Account Lockout Policy Settings: Account lockout threshold, 50 invalid login attempts (Legacy and Enterprise) 10 invalid login attempts (Specialized Security) CCE-3321-7\Auditing of "account logon" events on success should be enabled or disabled as appropriate..(1) enabled/disabledt(1) Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit account logon eventsCCE-2628kTable 3.2 Audit account logon events: Success/Failure (Legacy Client, Enterprise Client, and High Security)32.2.1.1 Audit Account Logon Events: Success/FailuresTable 4.2 Audit Policy Settings: Audit account logon events, enabled (Legacy, Enterprise, and Specialized Security)8http://technet.microsoft.com/en-us/library/cc787176.aspx CCE-3467-8\Auditing of "account logon" events on failure should be enabled or disabled as appropriate..CCE-2543[Table 4.2 Audit Policy Settings: Audit account logon events, enabled (Specialized Security) CCE-3427-2aAuditing of "account management" events on success should be enabled or disabled as appropriate..t(1) Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit account management CCE-2000iTable 3.4 Audit account management: Success/Failure (Legacy Client, Enterprise Client, and High Security)12.2.1.2 Audit Account Management: Success/FailuremTable 4.2 Audit Policy Settings: Audit account management, enabled (Legacy, Enterprise, Specialized Security)8http://technet.microsoft.com/en-us/library/cc737542.aspx 
CCE-3449-6aAuditing of "account management" events on failure should be enabled or disabled as appropriate..CCE-1646YTable 4.2 Audit Policy Settings: Audit account management, enabled (Specialized Security) CCE-2827-4gAuditing of "directory service access" events on success should be enabled or disabled as appropriate..Z(1) Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy CCE-2118oTable 3.6 Audit directory service access: Success/Failure (Legacy Client, Enterprise Client, and High Security)< 32.2.1.3 Audit Directory Service Access: Not DefinedF6.4 System Audit Settings: Audit directory service access: Not DefinedTable 5.2 Recommended Audit Policy Settings: Audit directory service access, no auditing (Legacy and Enterprise), Failure (Specialized Security)8http://technet.microsoft.com/en-us/library/cc960052.aspx CCE-3101-3gAuditing of "directory service access" events on failure should be enabled or disabled as appropriate..&(1) defined by Local or Group Policy CCE-2390 CCE-3603-8TAuditing of "logon" events on success should be enabled or disabled as appropriate..l(1) Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit logon eventsCCE-1686cTable 3.8 Audit logon events: Success/Failure (Legacy Client, Enterprise Client, and High Security)/2.2.1.4 Audit Logon Events: Success and Failure?6.4 System Audit Settings: Audit logon events: Success, FailurekTable 4.2 Audit Policy Settings: Audit logon events, enabled (Legacy, Enterprise, and Specialized Security)8http://technet.microsoft.com/en-us/library/cc787567.aspx CCE-3391-0TAuditing of "logon" events on failure should be enabled or disabled as appropriate..CCE-1744STable 4.2 Audit Policy Settings: Audit Logon events, enabled (Specialized Security) CCE-3286-2\Auditing of "object access" events on success should be enabled or disabled as appropriate..m(1) Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit 
object accessCCE-2640eTable 3.10 Audit object access: Success/Failure (Legacy Client, Enterprise Client, and High Security),2.2.1.5 Audit Object Access: Success/FailuremTable 4.2 Audit Policy Settings: Audit object access, disabled (Legacy, Enterprise, and Specialized Security)9 http://technet.microsoft.com/en-us/library/cc776774.aspx CCE-3290-4\Auditing of "object access" events on failure should be enabled or disabled as appropriate..CCE-1991TTable 4.2 Audit Policy Settings: Audit object access, enabled (Specialized Security) CCE-3546-9\Auditing of "policy change" events on success should be enabled or disabled as appropriate..m(1) Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit policy changeCCE-2412]Table 3.12 Audit policy change: Success (legacy client, Enterprise Client, and High Security)$2.2.1.6 Audit Policy Change: Success@6.4 System Audit Settings: Audit policy change: Success, FailurelTable 4.2 Audit Policy Settings: Audit policy change, enabled (Legacy, Enterprise, and Specialized Security)8http://technet.microsoft.com/en-us/library/cc776774.aspx CCE-3312-6\Auditing of "policy change" events on failure should be enabled or disabled as appropriate..CCE-2347 CCE-3211-0\Auditing of "privilege use" events on success should be enabled or disabled as appropriate..m(1) Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit privilege useCCE-2431yTable 3.14 Audit privilege use: Success/Failure (High Security); No Auditing (Legacy Client); Failure (Enterprise Client)(2.2.1.7 Audit Privilege Use: Not Defined76.4 System Audit Settings: Audit privilege use: FailuremTable 4.2 Audit Policy Settings: Audit privilege use, disabled (Legacy, Enterprise, and Specialized Security)8http://technet.microsoft.com/en-us/library/cc784501.aspx CCE-3383-7\Auditing of "privilege use" events on failure should be enabled or disabled as appropriate..CCE-2584TTable 4.2 Audit Policy Settings: Audit privilege 
use, enabled (Specialized Security) CCE-3510-5_Auditing of "process tracking" events on success should be enabled or disabled as appropriate..q(1) Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\ Audit Process trackingCCE-2529>6.4 System Audit Settings: Audit process tracking: Not DefinedpTable 4.2 Audit Policy Settings: Audit Process tracking, disabled (Legacy, Enterprise, and Specialized Security)8http://technet.microsoft.com/en-us/library/cc775520.aspx CCE-3453-8_Auditing of "process tracking" events on failure should be enabled or disabled as appropriate..CCE-2617 CCE-3594-9UAuditing of "system" events on success should be enabled or disabled as appropriate..n(1) Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\ Audit system eventsCCE-2420]Table 3.18 Audit system events: Success (Legacy Client, Enterprise Client, and High Security)$2.2.1.9 Audit System Events: Success@6.4 System Audit Settings: Audit system events: Success, FailurelTable 4.2 Audit Policy Settings: Audit system events: enabled (Legacy, Enterprise, and Specialized Security)8http://technet.microsoft.com/en-us/library/cc782518.aspx CCE-3611-1UAuditing of "system" events on failure should be enabled or disabled as appropriate..CCE-1680XTable 4.2 Audit Policy Settings: disabled (Legacy, Enterprise, and Specialized Security) CCE-2884-5]The "Allow System to be Shut Down Without Having to Log On" policy should be set correctly. CCE-396Table 3.102 Shutdown: Allow system to be shut down without having to log on: Disabled (Legacy Client, Enterprise Client, and High Security) CCE-3281-3PThe "restrict guest access to application log" policy should be set correctly. 
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\RestrictGuestAccess (2) defined by Group Policy CCE-299(2.2.4.1.2 Restrict Guest Access: EnabledTable 4.27 Event Log Setting Recommendations: Prevent local guests group from accessing application log, Enabled (Legacy, Enterprise, Specialized Security)?http://technet.microsoft.com/en-us/library/cc775983(WS.10).aspx CCE-3550-1CThe application log maximum size should be configured correctly.. (1) size of file(1) defined by the Windows Event Log (2) defined by Group Policy (3) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\MaxSize CCE-185iTable 3.110 Maximum application log size: 16,384 KB (Legacy Client, Enterprise Client, and High Security)&2.2.4.1.1 Maximum Event Log Size: 16MBJ5.4.7.1 [A] Event Log Sizes: Maximum application log size: 16384 kilobytesTable 4.27 Event Log Setting Recommendations: Maximum application log size, 16,384KB (Legacy, Enterprise, and Specialized Security)?http://technet.microsoft.com/en-us/library/cc779100(WS.10).aspx CCE-3567-5If the Application log's retention method is set to "Overwrite events by days," an appropriate value should be set for the number of days' logs to keep.(1) number of daysCCE-951qTable 3.116 Retention method for application log: As needed (Legacy Client, Enterprise Client, and High Security)+2.2.4.1.3 Log Retention Method: Not Defined{5.4.7.3 [AP] Preserving Security Events: Retention method for application log: Do not overwrite events (clear log manually)Table 4.27 Event Log Setting Recommendations: Retention method for application log, As needed (Legacy, Enterprise, and Specialized Security)?http://technet.microsoft.com/en-us/library/cc778157(WS.10).aspx CCE-2946-2MThe "restrict guest access to security log" policy should be set correctly. 
~(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security\RestrictGuestAccess (2) defined by Group Policy CCE-462(2.2.4.2.2 Restrict Guest Access: Enabled.3.5 [M] Access to Security Event Log: AuditorsTable 4.27 Event Log Setting Recommendations: Prevent local guests group from accessing security log, Enabled (Legacy, Enterprise, and Specialized Security)?http://technet.microsoft.com/en-us/library/cc736845(WS.10).aspx CCE-3343-1@The security log maximum size should be configured correctly.. (1) defined by the Windows Event Log (2) defined by Group Policy (3) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security\MaxSize CCE-757fTable 3.111 Maximum security log size: 81,920 KB (Legacy Client, Enterprise Client, and High Security)G5.4.7.1 [A] Event Log Sizes: Maximum security log size: 16384 kilobytesTable 4.27 Event Log Setting Recommendations: Maximum security log size, 81,920 KB (Legacy, Enterprise, and Specialized Security) CCE-3484-3_The "when maximum log size is reached" property should be set correctly for the Security log. (1) type of retentionw(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\Retention (2) defined by Group Policy CCE-523>6.2 Audit Log Requirements: (5.002: CAT II) minimum of 81920KB CCE-3127-8If the Security log's retention method is set to "Overwrite events by days," an appropriate value should be set for the number of days' logs to keep.CCE-682nTable 3.117 Retention method for security log: As needed (Legacy Client, Enterprise Client, and High Security)+2.2.4.2.3 Log Retention Method: Not DefinedTable 4.27 Event Log Setting Recommendations: Retention method for security log, As needed (Legacy, Enterprise, and Specialized Security) CCE-3488-4KThe "restrict guest access to system log" policy should be set correctly. 
|(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\RestrictGuestAccess (2) defined by Group Policy CCE-726(2.2.4.3.2 Restrict Guest Access: Enableds5.4.7.2 [A] Restrict Event Log Access Over Network: Prevent local guests group from accessing security log: Enabled CCE-3506-3>The system log maximum size should be configured correctly.. (1) defined by the Windows Event Log (2) defined by Group Policy (3) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\MaxSize CCE-735dTable 3.112 Maximum system log size: 16,384 KB (Legacy Client, Enterprise Client, and High Security)&2.2.4.3.1 Maximum Event Log Size: 16MBD5.4.7.1 [A] Even Log Sizes: Maximum system log size: 16384 kilobytes CCE-3422-3]The "when maximum log size is reached" property should be set correctly for the System log. CCE-664 CCE-3512-1If the System log's retention method is set to "Overwrite events by days," an appropriate value should be set for the number of days' logs to keep.CCE-210f3.118 Retention method for system log: As needed (Legacy Client, Enterprise Client, and High Security)Table 4.27 Event Log Setting Recommendations: Retention method for system log, As needed (Legacy, Enterprise, Specialized Security)?http://technet.microsoft.com/en-us/library/cc785245(WS.10).aspx CCE-3530-3EThe "maximum password age" policy should meet minimum requirements. CCE-871]Table 2.4 Maximum password age: 42 days (Legacy Client, Enterprise Client, and High Security)#2.1.2 Maximum Password Age: 90 DaysU4.5.3 Password Policy: (4.011: CAT II) Maximum password age is set to 90 days or lesseTable 3.1 Password Policy Setting Recommendations: 42 days (Legacy, Enterprise, Specialized Security) CCE-3548-5EThe "minimum password age" policy should meet minimum requirements. 
CCE-324\Table 2.5 Minimum password age: 2 days (Legacy Client, Enterprise Client, and High Security)#2.2.2.1 Minimum Password Age: 1 dayS4.5.3 Password Policy: (4.012: CAT II) Minimum password age is set to 1 day or morecTable 3.1 Password Policy Setting Recommendations: 1 day (Legacy, Enterprise, Specialized Security) CCE-3424-9HThe "minimum password length" policy should meet minimum requirements. CCE-100tTable 2.6 Minimum password length: 12 characters (High Security); 8 characters (Legacy Client and Enterprise Client)S2.2.2.3 Minimum Password Length: 8 characters; 12 characters (Specialized Security)25.4.1.3 [AP] Minimum Password Length: 8 characters}Table 3.1 Password Policy Setting Recommendations: 8 characters (Legacy and Enterprise), 12 characters (Specialized Security) CCE-3442-1QThe "password must meet complexity requirements" policy should be set correctly. CCE-633tTable 2.7 Password must meet complexity requirements: Enabled (Legacy Client, Enterprise Client, and High Security)$2.2.2.4 Password Complexity: Enableda5.4.1.5 [M] Enable strong Password Filtering: Password must meet complexity requirements: EnablediTable 3.1 Password Policy Setting Recommendations: Enabled (Legacy, Enterprise, and Specialized Security) CCE-3446-2IThe "enforce password history" policy should meet minimum requirements. "(1) number of passwords rememberedCCE-60qTable 2.3 Enforce password history: 24 passwords remembered (Legacy Client, Enterprise Client, and High Security)12.2.2.5 Password History: 24 passwords rememberedG5.4.1.4 [A] Password Uniqueness: Enforce password history: 24 passwordsTable 3.1 Password Policy Setting Recommendations: Enforce password History 24 passwords remembered Legacy, Enterprise, Specialized Security) CCE-2644-3nThe "store password using reversible encryption for all users in the domain" policy should be set correctly. 
CCE-479tTable 2.8 Store password using reversible encryption: Disabled (Legacy Client, Enterprise Client, and High Security)=2.2.2.6 Store Passwords Using Reversible Encryption: Disabled<5.4.1.6 [M] Disable Reversible Password Encryption: DisabledTable 3.1 Password Policy Setting Recommendations: Store password using reversible encryption Disabled (Legacy, Enterprise, and Specialized Security) CCE-3635-0<The startup type of the Alerter service should be correct. (1) disabled/manual/automatic(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Alerter\Start (2) defined by the Services Administrative Tool (3) definied by Group Policy CCE-487[Table 3.119 Alerter Service: Disabled (Legacy Client, Enterprise Client, and High Security)4.1.1 Alerter: Disabled CCE-2671-6EThe startup type of the Automatic Update service should be correct. (1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv (2) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAutoUpdate (3) defined by the Services Administrative Tool (4) definied by Group Policy CCE-496Table 3.123 Automatic updates service: Automatic (Legacy Client, Enterprise Client, and High Security), Table 11.3 Automatic Update Service: Disabled67.6.1 Automatic Updates Service: Disable if not needed CCE-3200-3cThe startup type of the Background Intelligent Transfer Service (BITS) service should be correct. (1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\Start (2) defined by the Services Administrative Tool (3) definied by Group Policy CCE-148qTable 3.124 Background Intelligent Transfer Service: Manual (Legacy Client, Enterprise Client, and High Security)K7.6.2 Background Intelligent Transfer Service (BITs): Disable if not needed CCE-3350-6=The startup type of the ClipBook service should be correct. 
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ClipSrv\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy CCE-954\Table 3.127 Clipbook service: Disabled (Legacy Client, Enterprise Client, and High Security)4.1.3 Clipbook: Disabled CCE-3565-98The startup type of the Fax service should be correct. (1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Fax\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy CCE-78pTable 3.143 Fax Service: Not installed (default); Disabled (Legacy Client, Enterprise Client, and High Security)4.1.4 Fax Service: Disabled CCE-3582-4CThe startup type of the FTP Publishing service should be correct. (1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSFTPSVC\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy CCE-712{Table 3.146 FTP Publishing Service: Not installed (default); Disabled (Legacy Client, Enterprise Client, and High Security)&4.1.7 FTP Publishing Service: Disabled7.6.3 FTP Service: Disabled CCE-3353-0>The startup type of the IIS Admin service should be correct. (1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IISADMIN\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy CCE-311vTable 3.151 IIS Admin Service: Not installed (default); Disabled (Legacy Client, Enterprise Client, and High Security)"4.1.10 IIS Admin Service: Disabled CCE-3618-6=The startup type of the Indexing service should be correct. (1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CiSvc\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy CCE-738\Table 3.153 Indexing Service: Disabled (Legacy Client, Enterprise Client, and High Security)!4.1.11 Indexing Service: Disabled CCE-3494-2>The startup type of the Messenger service should be correct. 
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Messenger\Start (2) defined by the Services Administrative Tool (3) definied by Group Policy CCE-729]Table 3.167 Messenger Service: Disabled (Legacy Client, Enterprise Client, and High Security)4.1.13 Messenger: Disabled!8.3.4 Windows Messenger: Disabled CCE-3640-0CThe startup type of the .NET Framework service should be correct. P(1) defined by the Services Administrative Tool (2) definied by Group Policy CCE-650Table 3.172 .NET Framework Support Service: Not installed (default); Disabled (Legacy Client, Enterprise Client, and High Security)8.4.3 .NET Framework: (5.069: CAT II) the .NET Framwork is not active on the system unless it only supports locally developed .NET applications CCE-2909-0VThe startup type of the NetMeeting Remote Desktop Sharing service should be correct. (1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mnmsrvc\Start (2) defined by the Services Administrative Tool (3) definied by Group Policy CCE-232mTable 3.174 NetMeeting Remote Desktop Sharing: Disabled (Legacy Client, Enterprise Client, and High Security)24.1.15 NetMeeting Remote Desktop Sharing: DisabledI7.6.4 NetMeeting Remote Desktop Sharing Service: (5.063: CAT II) Disabled CCE-3552-7LThe startup type of the Print Services for Unix service should be correct. CCE-857E7.6.5 Print Services for Unix: (5.026: CAT II) Remove if not required CCE-3428-0ZThe startup type of the Remote Access Auto connection Manager service should be correct. CCE-267Table 3.187 Remote Access Auto Connection Manager: Manual (default); Disabled (Legacy Client, Enterprise Client, and High Security)64.1.20 Remote Access Auto Connection Manager: DisabledM7.6.7 Remote Access Auto Connection Manager Service: (5.064: CAT II) Disabled CCE-3556-8XThe startup type of the Remote Desktop Help Session Manager service should be correct. 
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RDSessMgr\Start (2) defined by the Services Administrative Tool (3) definied by Group Policy CCE-663Table 3.190 Remote Desktop Help Session Manager: Manual (default); Disabled (Legacy Client, Enterprise Client, and High Security)44.1.23 Remote Desktop Help Session Manager: DisabledC7.6.8 Remote Desktop Help Session Manager: (5.065: CAT II) Disabled CCE-2678-1PThe startup type of the Internet Connection Sharing service should be correct. (1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Start (2) defined by the Services Administrative Tool (3) definied by Group Policy CCE-6728.3.9.1 Internet Connection Sharing: (3.085: CAT II) Prohibit use of Internet Connection Sharing on your DNS domain networks is Enabled CCE-3612-9DThe startup type of the Remote Registry service should be correct. (1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\Start (2) defined by the Services Administrative Tool (3) definied by Group Policy CCE-73dTable 3.194 Remote Registry Service: Automatic (Legacy Client, Enterprise Client, and High Security)?4.1.26 Remote Registry Service: Disabled (Specialized Security)'7.6.9 Remote Registry Service: Disabled CCE-3621-0NThe startup type of the Routing and Remote Access service should be correct. (1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess\Start (2) defined by the Services Administrative Tool (3) definied by Group Policy CCE-223mTable 3.201 Routing and Remote Access Service: Disabled (Legacy Client, Enterprise Client, and High Security)R7.6.11 Routing and Remote Access Service: (5.067: CAT II) Disabled if not required CCE-3602-0AThe startup type of the Remote Shell service should be correct. 
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RshSvc\Start (2) defined by the Services Administrative Tool (3) definied by Group Policy CCE-522u7.6.10 Remote Shell Service: (5.008: CAT II) Service is removed by typing instsrv rshsvc remove at the command prompt CCE-3497-5BThe startup type of the Simple TCP/IP service should be correct. (1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SIMPTCP\Start (2) defined by the Services Administrative Tool (3) definied by Group Policy CCE-531{Table 3.208 Simple TCP/IP Services: Not installed (default); Disabled (Legacy Client, Enterprise Client, and High Security)J7.6.16 Telnet Servers: (5.010: CAT II) Simple TCP/IP services are disabled CCE-3386-0ZThe startup type of the Simple Mail Transport Protocol (SMTP) service should be correct. (1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SMTPSVC\Start (2) defined by the Services Administrative Tool (3) definied by Group Policy CCE-870Table 3.207 Simple Mail Transport Protocol (SMTP): Not installed (default); Disabled (Legacy Client, Enterprise Client, and High Security).4.1.31 Simple Mail Transfer Protocol: Disabled CCE-3532-9AThe startup type of the SNMP Service service should be correct. (1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP\Start (2) defined by the Services Administrative Tool (3) definied by Group Policy CCE-975qTable 3.211 SNMP Service: Not installed (default); Disabled (Legacy Client, Enterprise Client, and High Security);4.1.32 Simple Network Management Protocol Service: DisabledE7.6.13 SNMP Service: (5.026: CAT II) SNMP is disabled if not required CCE-3536-0FThe startup type of the SNMP Trap Service service should be correct. 
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMPTRAP\Start (2) defined by the Services Administrative Tool (3) definied by Group Policy CCE-892vTable 3.212 SNMP Trap Service: Not installed (default); Disabled (Legacy Client, Enterprise Client, and High Security)84.1.33 Simple Network Management Protocol Trap: Disabled CCE-3541-0CThe startup type of the SSDP Discovery service should be correct. CCE-940O7.6.14 Simple Service Discovery Protocol (SSDP) Service: 5.019: CAT I) Disabled CCE-3558-4CThe startup type of the Task Scheduler service should be correct. (1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule\Start (2) defined by the Services Administrative Tool (3) definied by Group Policy CCE-40oTable 3.216 Task Scheduler: Automatic (default); Disabled (Legacy Client, Enterprise Client, and High Security)77.6.15 Task Scheduler Service: (5.009: CAT II) Disabled CCE-3078-3;The startup type of the Telnet service should be correct. (1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\Start (2) defined by the Services Administrative Tool (3) definied by Group Policy CCE-75ZTable 3.220 Telnet Service: Disabled (Legacy Client, Enterprise Client, and High Security)4.1.35 Telnet: Disabled CCE-2832-4FThe startup type of the Terminal Services service should be correct. (1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService\Start (2) defined by the Services Administrative Tool (3) definied by Group Policy CCE-974pTable 3.221 Terminal Services: Manual (default); Automatic (Legacy Client, Enterprise Client, and High Security)94.1.36 Terminal Services: Disabled (Specialized Security)i7.6.17 Terminal Services: (5.020: CAT I) Disabled on machines that are not performing as Terminal Servers CCE-3475-1_The startup type of the Universal Plug and Play Device Host (UPnP) service should be correct. 
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\upnphost\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy CCE-608ZTable 3.182 Plug and Play: Automatic (Legacy Client, Enterprise Client, and High Security) CCE-3492-6NThe startup type of the World Wide Web Publishing service should be correct. (1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy CCE-758Table 3.245 World Wide Web Publishing Service: Not installed (default); Disabled (Legacy Client, Enterprise Client, and High Security)34.1.39 World Wide Web Publishing Services: Disabled CCE-3633-5"DEPRECATED in favor of CCE-2671-6. CCE-3638-4CCE-445<Table 11.4 Background Intelligent Transfer Service: Disabled CCE-3175-7CCE-115 CCE-2695-5MThe correct service permissions for the Alerter service should be assigned. +(1) set of accounts (2) list of permissions?(1) set via Security Templates (2) defined by Group Policy CCE-6694.1.1. Alerter: Disabled CCE-3637-6WThe correct service permissions for the Automatic Updates service should be assigned. CCE-889gTable 3.123 Automatic Updates Service: Automatic (Legacy Client, Enterprise Client, and High Security) CCE-3642-6NThe correct service permissions for the ClipBook service should be assigned. CCE-476 CCE-3664-0IThe correct service permissions for the Fax service should be assigned. CCE-87 CCE-3435-5TThe correct service permissions for the FTP Publishing service should be assigned. CCE-4 CCE-3580-8OThe correct service permissions for the IIS Admin service should be assigned. CCE-792 CCE-3474-4NThe correct service permissions for the Indexing service should be assigned. CCE-444 CCE-3496-7OThe correct service permissions for the Messenger service should be assigned. CCE-79 CCE-3483-5PThe correct service permissions for the NetMeeting service should be assigned. 
CCE-21 CCE-3254-0MThe correct service permissions for the Printer service should be assigned. CCE-10954.1.19 Print Spooler: Disabled (Specialized Security) CCE-3523-8CCE-157 CCE-3673-1iThe correct service permissions for the Remote Desktop Help Session Manager service should be assigned. CCE-915 CCE-3193-0UThe correct service permissions for the Remote Registry service should be assigned. CCE-219 CCE-3461-1JThe correct service permissions for the SMTP service should be assigned. CCE-426 CCE-3355-5JThe correct service permissions for the SNMP service should be assigned. CCE-56 CCE-2687-2OThe correct service permissions for the SNMP Trap service should be assigned. CCE-521 CCE-3583-2LThe correct service permissions for the Telnet service should be assigned. CCE-944 CCE-3226-8WThe correct service permissions for the Terminal Services service should be assigned. CCE-605 CCE-3569-1TThe correct service permissions for the WWW Publishing service should be assigned. CCE-143 CCE-3591-5sThe behavior surrounding Anonymous users' ability to display lists of SAM accounts and shares should be correct. 
(1) restricted/unrestricted(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\RestrictAnonymous (2) Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Do not allow anonymous enumeration of SAM accounts and sharesCCE-1953.86 Network Access: Do not allow anonymous enumeration of SAM accounts and shares: Enabled (Legacy Client, Enterprise Client, and High Security)3.1.3 Network Access: Do not allow anonymous enumeration of SAM accounts and shares: Enabled (Enterprise and Specialized Security)|5.4.6.53 [AP] Restrict Anonymous Network Shares: Network Access: Do not allow anonymous enumeration of SAM accounts: EnabledTable 4.19 Security Options: Network Access Setting Recommendations: Do not allow anonymous enumeration of SAM accounts and shares, Enabled (Legacy, Enterprise and Specialized Security)?http://technet.microsoft.com/en-us/library/cc782569(WS.10).aspx CCE-3631-9fThe behavior surrounding Anonymous users' ability to display lists of SAM accounts should be correct.(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM (2) Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Do not allow anonymous enumeration of SAM accounts CCE-3183.85 Network Access: Do not allow anonymous enumeration of SAM accounts: Enabled (Legacy Client, Enterprise Client, and High Security)Table 4.19 Security Options: Network Access Setting Recommendations: Do not allow anonymous enumeration of SAM accounts, Enabled (Legacy, Enterprise, and Specialized Security)8http://technet.microsoft.com/en-us/library/cc740088.aspx CCE-3402-5LThe behavior surrounding Anonymous SID/Name translation should be correct. 
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AnonymousNameLookup (2)Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Allow anonymous SID/NAME translationCCE-953ITable 2.13 Network Access: Allow anonymous SID/NAME translation: Disabled[3.1.1 Network Access: Allow Anonymous SID/Name Translation: Disabled (Specialized Security)G5/4/6/52 Network Access: Allow anonymous SID/Name translation: Disabledd(1) Table 3.3 Security Options Settings: Microsoft network server: Network Access: Allow anonymous SID/NAME translation, Disabled (Legacy, Enterprise, and Specialized Security) (2) Table 4.19 Security Options: Network Access Setting Recommendations: Allow anonymous SID/NAME translation, Not defined (Legacy and Enterprise), Disabled (Specialized Security)8http://technet.microsoft.com/en-us/library/cc728431.aspx CCE-3525-3RThe "Anonymous access to the security event log" policy should be set correctly. )(1) exist/not exist (2) enabled/disabledL(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security CCE-653 CCE-2908-2OUse of the built-in Guest account should be enabled or disabled as appropriate.(1) Local Users and Groups MMC (2) Computer Configuration\Windows Settings\Security Settings\ Local Policies\Security Options\Accounts: Guest account statusCCE-332C5.2 Windows Server 2003 Built-in Accounts: (4.048: CAT II) DisabledTable 4.12 Security Options: Accounts Setting Recommendations: Guest account status, Disabled (Legacy, Enterprise, and Specialized Security) CCE-2790-4TThe "Message title for users attempting to log on" policy should be set correctly. 
(1) text caption(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeCaption (2) Computer Configuration\Windows Settings\Security Settings\ Local Policies\Security Options\Interactive logon: Message title for users attempting to log on CCE-23Table 3.73 Interactive logon: Message title for users attempting to log on: "It is an offense to continue without proper authorization" (Legacy Client, Enterprise Client, and High Security)a3.2.1.27 Interactive Logon: Message Title for Users Attmpting to Log On: 5.4.6.22 [AP] Display Legal Notice: Interactive Logon: Message title for users attempting to log on: US Deparment of Defense Warning StatementTable 4.16 Security Options: Interactive Logon Setting Recommendations: Message title for users attempting to log on, "Consult with the relevant people in your organization." (Legacy, Enterprise, and Specialized Security)8http://technet.microsoft.com/en-us/library/cc778393.aspx CCE-3672-3SThe "Message text for users attempting to log on" policy should be set correctly. (1) text statement(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText (2) Computer Configuration\Windows Settings\Security Settings\ Local Policies\Security Options\Interactive logon: Message text for users attempting to log on CCE-829eTable 3.72 Interactive logon: Message text for users attempting to log on: "This system is restricted to authorized users. Individuals attempting unauthorized access will be prosecuted. If unauthorized, terminate access now! Clicking on OK indicates your acceptance of the information in the background. 
(Legacy Client, Enterprise Client, and High Security)< a3.2.1.26 Interactive Logon: Message Text for Users Attempting to Log On: G5.4.6.22 Interactive Logon: Message text for users attempting to log onTable 4.16 Security Options: Interactive Logon Setting Recommendations: Message text for users attempting to log on, "Consult with the relevant people in your organization" (Legacy, Enterprise, and Specialized Security)8http://technet.microsoft.com/en-us/library/cc779661.aspx CCE-3690-50Automatic Logon should be properly configured. ](1) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoAdminLogon CCE-283<5.4.6.38 [A] Disable Administrator Automatic Logon: DisabledTable 4.29 Other Registry Entry Recommendations: MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended), 0 (Legacy, Enterprise, and Specialized Security)&http://support.microsoft.com/kb/324737 CCE-3597-2<Autoplay on all Drive Types should be properly configured. g(1) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun CCE-44l5.4.6.47 [A] Disable Media Autoplay: MSS: Disable Autorun on all drives: 255, disable Autorun for all drivesTable 4.29 Other Registry Entry Recommendations: MSS: (NoDriveTypeAutoRun) Disable Autorun for all drives (recommended), 0xFF (Legacy, Enterprise and Specialized Security)&http://support.microsoft.com/kb/895108 CCE-3725-9/ICMP Redirects should be properly configured. (1) enabled/ignored](1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnableICMPRedirect CCE-150w5.4.6.41 [A] ICMP Redirects: MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes: DisabledvTable 4.28 TCP/IP Registry Entry Recommendations: EnableICMPRedirect, 0 (Legacy, Enterprise, and Specialized Security)?http://technet.microsoft.com/en-us/library/cc739622(WS.10).aspx CCE-3227-62IP Source Routing should be properly configured. 
b(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DisableIPSourceRouting CCE-564n3.2.1.69 MSS: IP Source Routing protection level: Highest Protection, source routing is automatically disabled5.4.6.39 MISS: DisableIPSourceRouting, IP source routing packet spoofing: Highest protection, source routing is completely disabled CCE-3509-7%IRDP should be properly configured. b(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\PerformRouterDiscovery CCE-952S3.2.1.74 MSS: Allow IRDP to detect and configure DefaultGateway addresses: DisabledzTable 4.28 TCP/IP Registry Entry Recommendations: PerformRouterDiscovery, 0 (Legacy, Enterprise, and Specialized Security)8http://technet.microsoft.com/en-us/library/cc962464.aspx CCE-3527-9GDisplay Last User Name in Logon Screen should be properly configured. (1) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DontDisplayLastUserName (2) Computer Configuration\Windows Settings\Security Settings\ Local Policies\Security Options\Do not display last user nameCCE-65Table 3.70 Interactive logon: Do not display last user name: Disabled (default); Enabled (Legacy Client, Enterprise Client, and High Security)B3.2.1.24 Interactive Logon: Do Not Display Last User Name: EnabledTable 4.16 Security Options: Interactive Logon Setting Recommendations: Do not display last user name, Enabled (Legacy, Enterprise, and Specialized Security)8http://technet.microsoft.com/en-us/library/cc938084.aspx CCE-2919-9>TCP/IP Dead Gateway Detection should be properly configured. ^(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnableDeadGWDetect CCE-897Table. 
3.246 Security Consideration for Network Attack: EnableDeadGWDetect = 0 (Legacy Client, Enterprise Client, and High Security)J3.2.1.70 MSS: Allow automatic detection of dead network gateways: Disabled5.4.6.40 [A] Detection of Dead Gateways: MSS: (EnableDeadGWDetect) Allow automatic detection of dead network gateways: DisabledvTable 4.28 TCP/IP Registry Entry Recommendations: EnableDeadGWDetect, 0 (Legacy, Enterprise, and Specialized Security)8http://technet.microsoft.com/en-us/library/cc960464.aspx CCE-2812-65The TCP/IP KeepAlive Time should be set correctly . (1) number of millisecondsY(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\KeepAliveTime CCE-188Table 3.246 Security Consideration for Network Attacks: KeepAliveTime = 300,000 (Legacy Client, Enterprise Client, and High Security)J3.2.1.82 MSS: How often keepalive packets are sent in milliseconds: 300000J5.4.6.49 MSS: How often keepalive packets are sent in milliseconds: 300000wTable 4.28 TCP/IP Registry Entry Recommendations: KeepAliveTime, 300,000 (Legacy, Enterprise, and Specialized Security)8http://technet.microsoft.com/en-us/library/cc957549.aspx CCE-2817-5QTCP/IP NetBIOS Name Release on Request Prevented should be properly configured. 
a(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netbt\Parameters\NoNameReleaseOnDemand CCE-817Table 3.248 Configure NetBIOS Name Release Security: Allow the computer to ignore NetBIOS name release requests except from WINS server: NoNameReleaseOnDemand = 1 (Legacy Client, Enterprise Client, and High Security)m3.2.1.73 MSS: Allow the computer to ignore NetBIOS name release requestions except from WINS servers: Enabled5.4.6.42 [A] NetBIOS Name Release: MSS: (NoNameReleaseOnDemand) Allow computer to ignore NetBIOS name release requests except from WINS Servers: EnabledTable 4.29 Other Registry Entry Recommendations: MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers, 1 (Legacy, Enterprise and Specialized Security)8http://technet.microsoft.com/en-us/library/cc766102.aspx CCE-3739-06TCP/IP PMTU Discovery should be properly configured. _(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnablePMTUDiscovery CCE-998Table 3.246 Security Consideration for Network Attacks: EnablePMTUDiscovery = 0 (Legacy Client, Enterprise Client, and High Security)h3.2.1.72 MSS: EnablePMTUDiscovery, Allow automatic detection of MTU size: Enabled (Specialized Security) CCE-3616-0CTCP/IP SYN Flood Attack Protection should be properly configured. \(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\SynAttackProtect CCE-284Table 3.246 Security Consideration for Network Attacks: SynAttackProtect = 1 (Legacy Client, Enterprise Client, and High Security)t5.4.6.44 MSS (SynAttackProtect) Syn attack protection level: Connections time out sooner if a SYN attack is detectedtTable 4.28 TCP/IP Registry Entry Recommendations: SynAttackProtect, 1 (Legacy, Enterprise, and Specialized Security)8http://technet.microsoft.com/en-us/library/cc781167.aspx CCE-3757-2DDisable saving of dial-up passwords should be properly configured. 
`(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasman\Parameters\DisableSavePassword CCE-156E5.4.6.6 ConGp: Prevent the dial-up password from being saved: EnabledTable 4.29 Other Registry Entry Recommendations: MSS: (DisableSavePassword) Prevent the dial-up password from being saved (recommended), 1 (Legacy, Enterprise, and Specialized Security)?http://technet.microsoft.com/en-us/library/cc784187(WS.10).aspx CCE-3796-0mThe "Secure Channel: Digitally Encrypt Secure Channel Data (When Possible)" policy should be set correctly. (1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SealSecureChannel (2) defined by Local or Group Policy CCE-601Table 3.64 Domain member: Digitally encrypt or sign secure channel data (always): Enabled (High Security); Disabled (Legacy Client and Enterprise Client)V3.2.1.19 Domain Member: Digitally Encrypt Secure Channel Data (When Possible): Enabled5.4.6.16 [A] Encryption of Secure Channel Traffic: Domain Member: Digitally encrypt secure channel data (when possible): Enabled CCE-3514-7jThe "Secure Channel: Digitally Sign Secure Channel Data (When Possible)" policy should be set correctly. (1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SignSecureChannel (2) defined by Local or Group Policy CCE-614Table 3.65 Domain member: Digitally encrypt or sign secure channel data (when possible): Enabled (Legacy Client, Enterprise Client, and High Security)S3.2.1.20 Domain Member: Digitally Sign Secure Channel Data (When Possible): Enabled|5.4.6.17: [A] Signing of Secure Channel Traffic: Domain Member: Digitally sign secure channel data (when possible): Enabled CCE-3778-85Safe DLL Search Mode should be properly configured. 
S(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Session Manager\SafeDllSearchMode CCE-271Table 3.253 Enable Safe DLL Search Order: Enable Safe DLL search mode (recommended): SafeDllSearchMode = 1 (Legacy Client, Enterprise Client, and High Security)23.2.1.80 MSS: Enable Safe DLL search mode: EnabledL5.4.6.48 [A] Safe DLL Search Mode: MSS: Enable Safe DLL search mode: EnabledTable 4.29 Other Registry Entry Recommendations: MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended), 1 (Legacy, Enterprise, and Specialized Security)5http://msdn.microsoft.com/en-us/library/ms682586.aspx CCE-3549-3ZAlways Wait for the Network at Computer Startup and Logon should be properly configured. l(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon\SyncForegroundPolicy CCE-707>8.3.5 Always wait for the network at computer startup: Enabled CCE-3298-7CBackground Refresh of Group Policy should be properly configured. s(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Policies\system\DisableBkGndGroupPolicy CCE-50a8.3.6 Group Policy: (3.080: CAT II) Turn off backroung refresh of Group Policy is set to Disabled CCE-3443-9kInstallation and Configuration of Network Bridge on the DNS Domain Network should be properly configured. f(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Network Connections\NC_AllowNetBridge_NLA CCE-8968.3.9.2 Network Bridge: (3.086: CAT II) The setting Prohibit installation and configuration of network Bridge on your DNS doman network is set to Enabled CCE-3708-5\Disallow Installation of Printers Using Kernel-mode Drivers should be properly configured. 
](1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\KMPrintersAreBlocked CCE-5748.3.10 Installation of Printers Using Kernel-mode Drivers: (3.087: CAT II) the setting Disallow installation of printers using kernel-mode drivers is set to Enabled CCE-3479-3PThe "Allow Server Operators to Schedule Tasks" policy should be set correctly. (1) Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Domain controller: Allow server operators to schedule tasksCCE-257Table 3.61 Domain controller: Allow server operators to schedule tasks: Not Defined (default); Disabled (Legacy Client, Enterprise Client, and High Security)N3.2.1.15 Domain Controller: Allow Server Operators to Schedule Tasks: Disabledt5.4.6.12 [A] Server Operators Scheduling Tasks: Domain Controller: Allo server operators to schedule tasks: DisabledTable 5.5 Security Options: Domain Controller Setting Recommendations: Allow server operators to schedule tasks, Disabled (Legacy, Enterprise, and Specialized Security)8http://technet.microsoft.com/en-us/library/cc778844.aspx CCE-2853-0?The built-in Administrator account should be correctly named. (1) valid namesCCE-438K5.4.6.3 Accounts: Rename administrator account: Should not be Administrator}Rename the Administrator and Guest accounts, and change their passwords to long and complex values on every domain and server CCE-3743-27The built-in Guest account should be correctly named. CCE-834C5.4.6.4 Account: Rename guest account: Any value other than  Guest CCE-3761-4ZThe amount of idle time required before disconnecting a session should be set correctly. 
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\AutoDisconnect (2) Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft network server: Amount of idle time required before suspending sessionCCE-222Table 3.81 Microsoft network server: Amount of idle time required before suspending session: 15 minutes (Legacy Client, Enterprise Client, and High Security)`5.4.6.30[A] Idle Time Before Suspending a Session: Microsoft Network Server: Amount of idle time required before suspending a session: 15 minutesTable 4.18 Security Options: Microsoft Network Server Setting Recommendations: Amount of idle time required before suspending session, 15 minutes (Legacy, Enterprise and Specialized Security)?http://technet.microsoft.com/en-us/library/cc776037(WS.10).aspx CCE-3774-7QThe "Audit the access of global system objects" policy should be set correctly. (1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\AuditBaseObjects (2) Computer Configuration\Windows Settings\Security Settings\ Local Policies\Security Options\Audit: Audit the access of global system objects CCE-2{Table 3.52 Audit: Audit the access of global system objects: Disabled (Legacy Client, Enterprise Client, and High Security)E3.2.1.6 Audit: Audit the access of global system objects: Not Defined5.4.7.76 [A] Global System Object Permission Strength: System objects: Strengthen default permissions of internal system objects: EnabledTable 4.13 Security Options: Audit Setting Recommendations: Audit the access of global system objects, Disabled (Legacy, Enterprise, and Specialized Security)8http://technet.microsoft.com/en-us/library/cc776742.aspx CCE-3814-1UThe "Audit the use of backup and restore privilege" policy should be set correctly. 
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\FullPrivilegeAuditing (2) Computer Configuration\Windows Settings\Security Settings\ Local Policies\Security Options\Audit: Audit the use of Backup and Restore privilege CCE-905Table 3.53 Audit: Audit the use of backup and restore privilege: Disabled (Legacy Client, Enterprise Client, and High Security)I3.2.1.7 Audit: Audit the use of backup and restore privilege: Not DefinedTable 4.13 Security Options: Audit Setting Recommendations: Audit the use of Backup and Restore privilege, Disabled (Legacy, Enterprise, and Specialized Security)9http://technet.microsoft.com/en-us/library/cc759769.aspx CCE-3060-1UThe "Disable CTRL+ALT+Delete Requirement for Logon" policy should be set correctly. (1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCAD (2) Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Do not require CTRL+ALT+DELCCE-133yTable 3.71 Interactive logon: Do not require CRTL+ALT+DEL: Disabled (Legacy Client, Enterprise Client, and High Security)o5.4.6.21 [A] CTRL+ALT+DEL Security Attention Sequence: Interactive Logon: Do not require CTRL+ALT+DEL: DisabledTable 4.16 Security Options: Interactive Logon Setting Recommendations: Do not require CTRL+ALT+DEL, Disabled (Legacy, Enterprise, and Specialized Security)8http://technet.microsoft.com/en-us/library/cc780932.aspx CCE-3703-6HThe "LAN Manager Authentication Level" policy should be set correctly. 
(1) authentication level(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\LMCompatibilityLevel (2) Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network security: LAN Manager authentication levelCCE-719Table 3.96 Network security: LAN Manager authentication level: Send NTLM response only (default); Send NTLMv2 response only\refuse LM & NTLM (High Security); Send NTLMv2 responses only (Legacy Client and Enterprise Client)3.2.1.50 Network Security: LAN Manager Authentication Level: Send NTLMv2 (Legacy), Send NTLMv2, refuse LM (Enterprise), Send NTLMv2, refuse LM and NTLM (Specialized Security)5.4.6.64 [AP] LanMan Compatible Password Option Not Properly Set: Network Security: LAN Manager authentication level: Send NTLMv2 response only/refuse LM & NTLMTable 4.20 Security Options: Network Security Setting Recommendations: LAN Manager authentication level, Send NTLMv2 responses only (Legacy), Send NTLMv2 response only\refuse LM (Enterprise), Send NTLMv2 response only\refuse LM & NTLM (Specialized Security)8http://technet.microsoft.com/en-us/library/cc738867.aspx CCE-3769-7UThe "Prevent Users from Installing Printer Drivers" policy should be set correctly. 
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers\AddPrinterDrivers (2) Computer Configuration\Windows Settings\Security Settings\ Local Policies\Security Options\Devices: Prevent users from installing printer driversCCE-402Table 3.57 Devices: Prevent users from installing printer drivers: Enabled (Legacy Client, Enterprise Client, and High Security)H3.2.1.11 Devices: Prevent users from installing printer drivers: Enabledm5.4.6.9 [A] Secure Print Driver Installation: Devices: Prevent users from installing printer drivers: EnabledTable 4.14 Security Options: Devices Setting Recommendations: Prevent users from installing printer drivers, Enabled (Legacy, Enterprise and Specialized Security)8http://technet.microsoft.com/en-us/library/cc787926.aspx CCE-3659-0^The "Recovery Console: Allow Automatic Administrative Logon" policy should be set correctly. (1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SecurityLevel (2) Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Recovery console: Allow automatic administrative logonCCE-410Table 3.100 Recovery console: Allow automatic administrative logon: Disabled (Legacy Client, Enterprise Client, and High Security)I3.2.1.54 Recovery Console: Allow Automatic Administrative Logon: Disabled_5.4.6.68 [A] Recovery Console - Automatic Logon: Allow automatic administrative logon: DisabledTable 4.22 Security Options: Recovery Console Setting Recommendations: Allow automatic administrative logon, Disabled (Legacy, Enterprise, and Specialized Security)8http://technet.microsoft.com/en-us/library/cc776592.aspx CCE-3676-4tThe "Recovery Console: Allow Floppy Copy and Access to All Drives and All Folders" policy should be set correctly. 
(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SetCommand (2) Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Recovery console: Allow floppy copy and access to all drives and all folders CCE-76Table 3.101 Recovery console: Allow floppy copy and access to all drives and all folders: Disabled (High Security); Enabled (Legacy Client and Enterprise Client)b3.2.1.55 Recovery Console: Allow Floppy Copy and Access to All Drives and All Folders: Not Defined5.4.6.69 [A] Recovery Console - Set Command: Recovery console: Allow floppy copy and access to all drives and folders: DisabledTable 4.22 Security Options: Recovery Console Setting Recommendations: Allow floppy copy and access to all drives and all folders, Enabled (Legacy and Enterprise), Disabled (Specialized Security)8http://technet.microsoft.com/en-us/library/cc779593.aspx CCE-3694-7]The "Restrict CD-ROM Access to Locally Logged-On User Only" policy should be set correctly. (1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateCDRoms (2) Computer Configuration\Windows Settings\Security Settings\ Local Policies\Security Options\Devices: Restrict CD-ROM access to locally logged-on user onlyCCE-565T3.2.1.12 Devices: Restrict CD-ROM Access to Locally Logged-On User Only: Not DefinedTable 4.14 Security Options: Devices Setting Recommendations: Restrict CD-ROM access to locally logged-on user only, Not defined (Legacy and Enterprise), Disabled (Specialized Security)8http://technet.microsoft.com/en-us/library/cc738129.aspx CCE-2822-5]The "Restrict Floppy Access to Locally Logged-On User Only" policy should be set correctly. 
(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateFloppies (2) Computer Configuration\Windows Settings\Security Settings\ Local Policies\Security Options\Devices: Restrict floppy access to locally logged-on user only CCE-463fTable 10.2 Devices: Restrict floppy access to locally logged-on user only: Enabled (Enterprise Client)T3.2.1.13 Devices: Restrict Floppy Access to Locally Logged-On User only: Not Definedl5.4.6.10 [A] Secure Removable Media: Devices: Restrict floppy access to locally logged-on user only: EnabledTable 4.14 Security Options: Devices Setting Recommendations: Restrict floppy access to locally logged-on user only, Not defined (Legacy and Enterprise), and Disabled (Specialized Security)8http://technet.microsoft.com/en-us/library/cc784198.aspx CCE-2963-7_The "Strengthen Default Permissions of Global System Objects" policy should be set correctly. (1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\ProtectionMode (2) Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)CCE-508Table 3.108 System ojects: Strengthen default permissions of internal system objects: Enabled (Legacy Client, Enterprise Client, and High Security)[3.2.1.62 System Objects: Strengthen default permissions of internal system objects: Enabled5.4.6.76 [A] Global System Object Permission Strength: System Objects: Strengthen default permissions of internal system objects: EnabledTable 4.25 Security Options: System Objects Setting Recommendations: Strengthen default permissions of internal system objects (for example, Symbolic Links), Enabled (Legacy, Enterprise, and Specialized Security)@http://technet.microsoft.com/en-us/library/cc739013(WS.10).aspx CCE-3478-5ZThe "Require Strong (Windows 2000 or later) Session Key" policy should be set correctly. 
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireStrongKey (2) Computer Configuration\Windows Settings\Security Settings\ Local Policies\Security Options\Domain member: Require strong (Windows 2000 or later) session keyCCE-417Table 3.69 Domain member: Require strong (W2K or later) session key: Disabled (default); Enabled (Legacy Client, Enterprise Client, and High Security)W3.2.1.23 Domain Member: Require Strong (Windows 2000 or later) Session Key: Not Defined5.4.6.20 [AP] Strong Session Key (WIN2K/W2K3 Native Domains): Domain Member: Require Strong (Windows 2000 or later) Session Key: EnabledTable 4.15 Security Options: Domain Member Setting Recommendations: Require strong (Windows 2000, Windows XP, or Windows Server 2003) session key, Enabled (Legacy, Enterprise, and Specialized Security)8http://technet.microsoft.com/en-us/library/cc938309.aspx CCE-2870-4gThe "Send Unencrypted Password to Connect to Third-Party SMB Servers" policy should be set correctly. (1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnablePlainTextPassword (2) Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft network client: Send unencrypted password to third-party SMB serversCCE-228Table 3.80 Microsoft network client: Send unencrypted password to third-party SMB servers: Disabled (Legacy Client, Enterprise Client, and High Security)k3.2.1.35 Microsoft Network Client: Send Unencrypted Password to Connect to Third-Party SMB Server: DisabledE5.4.6.29 [A] Unencrypted Passwords to 3rd party SMB Servers: DisabledTable 4.17 Security Options: Microsoft Network Client Setting Recommendations: Send unencrypted password to third-party SMB servers, Disabled (Legacy, Enterprise, and Specialized Security)8http://technet.microsoft.com/en-us/library/cc782276.aspx CCE-3787-9MThe "Unsigned Driver Installation Behavior" policy should be set correctly. 
(1) behavior(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Driver Signing\Policy (2) Computer Configuration\Windows Settings\Security Settings\ Local Policies\Security Options\Devices: Unsigned driver installation behaviorCCE-413Q3.2.1.14 Devices: Unsigned driver installation behavior: "Warn, but allow . . . "P5.4.6.11 [AP] Unsigned Driver installation Behavior: Warn but allow installationTable 4.14 Security Options: Devices Setting Recommendations: Unsigned driver installation behavior, Warn but allow installation (Legacy, Enterprise and Specialized Security)9http://technet.microsoft.com/en-us/library/cc775492.aspx CCE-3804-2ZThe "Users Prompted to Change Password Before Expiration" policy should be set correctly. &(1) number of days prior to expiration(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\PasswordExpiryWarning (2) Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Prompt user to change password before expirationCCE-814Table 3.75 Interactive logon: Prompt user to change password before expiration: 14 days (Legacy Client, Enterprise Client, and High Security)U3.2.1.29 Interactive Logon: Prompt User to Change Password Before Expiration: 14 daysv5.4.6.24 [A] Password Expiration Warning: Interactive Logon: Prompt user to change password before expiration: 14 daysTable 4.16 Security Options: Interactive Logon Setting Recommendations: Prompt user to change password before expiration, 14 days (Legacy, Enterprise and Specialized Security)8http://technet.microsoft.com/en-us/library/cc783344.aspx CCE-3430-6eThe "Shut Down system immediately if unable to log security audits" policy should be set correctly. 
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\CrashOnAuditFail (2) Computer Configuration\Windows Settings\Security Settings\ Local Policies\Security Options\Audit: Shut down system immediately if unable to log security auditsCCE-92Table 3.54 Audit: Shut down system immediately if unable to log security audits: Disabled (Legacy Client and Enterprise Client); Enabled (High Security)l3.2.1.8 Audit: Shut down system immediately if unable to log security alerts: Enabled (Specialized Security)q5.4.6.5 [AP] Halt on Audit Failure: Audit: Shut down system immediately if unable to log security audits: EnabledTable 4.13 Security Options: Audit Setting Recommendations: Shut down system immediately if unable to log security audits, Disabled (Legacy and Enterprise), Enabled (Specialized Security)?http://technet.microsoft.com/en-us/library/cc739010(WS.10).aspx CCE-3448-8(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ShutdownWithoutLogon (2) Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Shutdown: Allow system to be shut down without having to log onCCE-224R3.2.1.56 Shutdown: Allow system to be shut down without having to log on: DisabledTable 4.23 Security Options: Shutdown Setting Recommendations: Allow system to be shut down without having to log on, Disabled (Legacy, Enterprise and Specialized Security)8http://technet.microsoft.com/en-us/library/cc957282.aspx CCE-3593-1QThe "Clear Virtual Memory Pagefile at shutdown" policy should be set correctly. 
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Memory Management\ClearPageFileAtShutdown (2) Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Recovery console: Clear virtual memory page fileCCE-422}Table 3.103 Shutdown: Clear virtual memory page file: Disabled (Legacy Client and Enterprise Client); Enabled (High Security)=3.2.1.57 Shutdown: Clear virtual memory pagefile: Not Definedf5.4.6.71 [AP] Clear System Page File During Shutdown: Shutdown: Clear virtual memory pagefile: EnabledTable 4.23 Security Options: Shutdown Setting Recommendations: Clear virtual memory page file, Disabled (Legacy, Enterprise and Specialized Security)8http://technet.microsoft.com/en-us/library/cc938011.aspx CCE-3652-5TThe "Digitally Sign Client Communication (Always)" policy should be set correctly. (1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\RequireSecuritySignature (2) Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft network client: Digitally sign communications (always)CCE-576i3.2.1.33 Microsoft Network Client: Digitally sign communications (always): Enabled (Specialized Security)z5.4.6.27 [A] SMB Client Packet Signing (Always): Microsoft Network Client: Digitally sign communications (always): EnabledTable 4.17 Security Options: Microsoft Network Client Setting Recommendations: Digitally sign communications (always), Disabled (Legacy), Enabled (Enterprise and Specialized Security)8http://technet.microsoft.com/en-us/library/cc728025.aspx CCE-3295-3TThe "Digitally Sign Server Communication (Always)" policy should be set correctly. 
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature (2) Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft network server: Digitally sign communications (always)CCE-171V3.2.1.37 Microsoft Network Server: Digitally sign communications (always): Not Definedz5.4.6.31 [A] SMB Server Packet Signing (Always): Microsoft Network Server: Digitally sign communications (always): EnabledTable 4.18 Security Options: Microsoft Network Server Setting Recommendations: Digitally sign communications (always), Disabled (Legacy), Enabled (Enterprise and Specialized Security) Table 8.2 Recommended Settings for Digitally Signing Communications (Always)8http://technet.microsoft.com/en-us/library/cc938043.aspx CCE-3189-8[The "Digitally Sign Server Communication (When Possible)" policy should be set correctly. (1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableSecuritySignature (2) Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft network server: Digitally sign communications (if client agrees)CCE-104TMicrosoft network server: Digitally sign communications (if client agrees): Disabledc5.4.6.32 Microsoft Network Server: digitally sign server communications (if client agrees): EnabledTable 4.18 Security Options: Microsoft Network Server Setting Recommendations: Digitally sign communications (if client agrees), Enabled (Legacy, Enterprise, and Specialized Security)8http://technet.microsoft.com/en-us/library/cc759474.aspx CCE-3709-3JThe "Number of Previous Logons to Cache" policy should be set correctly. 
(1) number of logons (1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount (2) Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Number of previous logons to cache (in case domain controller is not available)CCE-773|Table 3.74 Interactive logon: Number of previous logons to cache: 1 (Legacy Client); 0 (Enterprise Client and High Security)K3.2.1.28 Interactive Logon: Number of Previous Logons to Cache: Not Defined~5.4.6.23 Interactive Logon: Number of previous logons to cache (in case Domain Controller is unavailable): 0 logons or 1 logonTable 4.16 Security Options: Interactive Logon Setting Recommendations: Number of previous logons to cache (in case domain controller is not available), 1 (Legacy), 0 (Enterprise and Specialized Security)8http://technet.microsoft.com/en-us/library/cc755473.aspx CCE-3586-5XThe "Allowed to Format and Eject Removable NTFS Media" policy should be set correctly. (1) Group(s)(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateDASD (2) Computer Configuration\Windows Settings\Security Settings\ Local Policies\Security Options\Devices: Allowed to format and eject removable mediaCCE-919Table 3.56 Devices: Allowed to format and eject removable media: Administrators (Legacy Client, Enterprise Client, and High Security)M3.2.1.10 Devices: Allowed to format and eject removable media: Administratorsr5.4.6.8 [A] Format< and Eject Removable Media: Devices: Allowed to Format and Eject Removable Media: AdministratorsTable 4.14 Security Options: Devices Setting Recommendations: Allowed to format and eject removable media, Administrators (Legacy, Enterprise, and Specialized Security)8http://technet.microsoft.com/en-us/library/cc740126.aspx CCE-3731-7nThe "Secure Channel: Digitally Encrypt or Sign Secure Channel Data (Always)" policy should be set correctly. 
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireSignOrSeal (2) Computer Configuration\Windows Settings\Security Settings\ Local Policies\Security Options\Domain member: Digitally encrypt or sign secure channel data (always)CCE-549Table 3.64 Domain member: Digitally encrypt or sign secure channel data: Enabled (High Security); disabled (Legacy Client and Enterprise Client)[3.2.1.18 Domain Member: Digitally Encrypt or Sign Secure Channel Data (Always): Not Defined5.4.6.15 [A] Encrypting and Signing of Secure Channel Traffic: Domain Member: Digitally encrypt or sign secure channel data (always): EnabledTable 4.15 Security Options: Domain Member Setting Recommendations: Digitally encrypt or sign secure channel data (always), Disabled (Legacy), Enabled (Enterprise and Specialized Security)8http://technet.microsoft.com/en-us/library/cc736800.aspx CCE-3370-4(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SealSecureChannel (2) Computer Configuration\Windows Settings\Security Settings\ Local Policies\Security Options\Domain member: Digitally encrypt secure channel data (when possible)CCE-161Table 3.65 Domain member: Digitally encrypt secure channel data (when possible): Enabled (Legacy Client, Enterprise Client, and High Security)Table 4.15 Security Options: Domain Member Setting Recommendations: Digitally encrypt secure channel data (when possible), Enabled (Legacy, Enterprise, and Specialized Security)8http://technet.microsoft.com/en-us/library/cc757973.aspx CCE-3511-3(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SignSecureChannel (2) Computer Configuration\Windows Settings\Security Settings\ Local Policies\Security Options\Domain member: Digitally sign secure channel data (when possible)CCE-918Table 3.66 Domain member: Digitally sign secure channel data (when possible): Enabled (Legacy Client, Enterprise Client, and High Security)z5.4.6.17 [A] Signing of Secure Channel 
Traffic: Domain Member: Digitally sign secure channel data (when possible): EnabledTable 4.15 Security Options: Domain Member Setting Recommendations: Digitally sign secure channel data (when possible), Enabled (Legacy, Enterprise, and Specialized Security)8http://technet.microsoft.com/en-us/library/cc785086.aspx CCE-3674-9CThe "Smart Card Removal Behavior" policy should be set correctly. (1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ScRemoveOption (2) Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Smart card removal behaviorCCE-443Table 3.77 Interactive logon: Smart card removal behavior: Lock Workstation (Enterprise Client and High Security); Legacy Client is not definedJ3.2.1.32 Interactive Logon: Smart Card Removal Behavior: Lock Workstationx5.4.6.26 [A] Smart Card Removal Option: interactive Logon: Smart card removal behavior: Lock Workstation or Force LogoffTable 4.16 Security Options: Interactive Logon Setting Recommendations: Smart card removal behavior, Not defined (Legacy), Lock Workstation (Enterprise and Specialized Security)?http://technet.microsoft.com/en-us/library/cc776917(WS.10).aspx CCE-3441-3jThe "Use FIPS compliant algorithms for encryption, hashing, and signing" policy should be set correctly. 
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy (2) Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signingCCE-55Table 3.105 System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing: Disabled (Legacy Client, Enterprise Client, and High Security)m3.2.1.59 System Cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing: Not Defined5.4.6.73 [A] FIPS compliant algorithms: System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing: EnablednTable 4.24 Security Options: System Cryptography Setting Recommendations: Use FIPS compliant algorithms for encryption, hashing, and signing, Disabled (Legacy and Enterprise), Enabled (Specialized Security) Table 11.1 Recommended Security Options Settings: System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing, Enabled (Enterprise)8http://technet.microsoft.com/en-us/library/cc780081.aspx CCE-2947-0pThe "Default owner for objects created by members of the Administrators group" policy should be set correctly. 
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\NoDefaultAdminOwner (2) Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\System objects: Default owner for objects created by members of the Administrators groupCCE-575Table 3.106 System objects: Default owner for objects created by members of the Administrators group: Administrators group (default); Object creator (Legacy Client, Enterprise Client, and High Security)q3.2.1.60 System Objects: Default owner for objects created by members of the Administrators group: Object Creator5.4.6.74 [A] Object Created by members of the Administrators Group: System objects: Default owner for object created by members of the Administrators groups: Object creatorTable 4.25 Security Options: System Objects Setting Recommendations: Default owner for objects created by members of the Administrators group: Default owner for objects created by members of the Administrators group, Object creator (Legacy, Enterprise, and Specialized Security)?http://technet.microsoft.com/en-us/library/cc775434(WS.10).aspx CCE-3714-3]The "Require Case Insensitivity for Non-Windows Subsystems" policy should be set correctly. 
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel\ObCaseInsensitive (2) Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\System objects: Require case insensitivity for non-Windows subsystemsCCE-300Table 3.107 System objects: Require case insensitivity for non-Windows subsystems: Enabled (Legacy Client, Enterprise Client, and High Security)[3.2.1.61 System objects: Require case insensitivity for non-Windows subsystems: Not Defined5.4.6.75 [A] Case Insensitivity for Non-Windows Subsystems: System object: Require Case Insensitivity for non-Windows Subsystems: EnabledTable 4.25 Security Options: System Objects Setting Recommendations:Require case insensitivity for non-Windows subsystems, Enabled (Legacy, Enterprise, and Specialized Security)?http://technet.microsoft.com/en-us/library/cc775971(WS.10).aspx CCE-3357-1iThe "Limit local account use of blank passwords to console logon only" policy should be set correctly. (1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse (2) Computer Configuration\Windows Settings\Security Settings\ Local Policies\Security Options\Accounts: Limit local account use of blank passwords to console logon onlyCCE-533Table 3.51 Accounts: Limit local account use of blank passwords to console logon only: Enabled (Legacy Client, Enterprise Client, and High Security)[3.2.1.3 Accounts: Limit local account use of blank passwords to console logon only: Enabledv5.4.6.2 [A] Limit Blank Passwords: Accounts: Limit local account use of blank passwords to console logon only: EnabledTable 4.12 Security Options: Accounts Setting Recommendations: Limit local account use of blank passwords to console logon only, Enabled (Legacy, Enterprise, and Specialized Security) CCE-3613-7LThe "Allow undock without having to logon" policy should be set correctly. 
(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\UndockWithoutLogon (2) Computer Configuration\Windows Settings\Security Settings\ Local Policies\Security Options\Devices: Allow undock without having to log on CCE-186Table 3.55 Devices: Allow undock without having to log on: Enabled (default); Disabled (Legacy Client, Enterprise Client, and High Security)V3.2.1.9 Devices: Allow undock without having to log on: Enabled (Specialized Security)^5.4.6.7 [A] Undock Without Loggon On: Devices: Allow Undock Without Having to Log On: DisabledTable 4.14 Security Options: Devices Setting Recommendations: Allow undock without having to log on, Disabled (Legacy, Enterprise, and Specialized Security)8http://technet.microsoft.com/en-us/library/cc737384.aspx CCE-3801-8HThe "LDAP server signing requirements" policy should be set correctly. (1) Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Domain controller: LDAP server signing requirementsCCE-710Table 3.62 Domain controller: LDAP server signing requirements: Not Defined (Legacy Client and Enterprise Client); Require signing (High Security)d3.2.1.16 Domain Controller: LDAP Server Signing Requirements: Require Signing (Specialized Security)5.4.6.13 [A] LDA Signing Requirements (Domain Controller): Domain controller: LDAP Server signing requirements: Require signingTable 5.5 Security Options: Domain Controller Setting Recommendations: LDAP server signing requirements, Not defined (Legacy, and Enterprise), Require signing (Specialized Security)8http://technet.microsoft.com/en-us/library/cc778124.aspx CCE-2819-1HThe "LDAP client signing requirements" policy should be set correctly. 
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP\LDAPClientIntegrity (2) Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network security: LDAP client signing requirementsCCE-732Table 3.97 Network security: LDAP client signing requirements: Negotiate signing (Legacy Client, Enterprise Client, and High Security)a3.2.1.51 Network Security: LDAP client signing requirements: Negotiate Signing or Require Signingg5.4.6.65 [A] LDAP Client Signing: Network security: LDAP client signing requirements: Negotiate signingTable 4.20 Security Options: Network Security Setting Recommendations: LDAP client signing requirements, Negotiate signing (Legacy, Enterprise, and Specialized Security)?http://technet.microsoft.com/en-us/library/cc738915(WS.10).aspx CCE-3605-3NThe "Refuse machine account password change" policy should be set correctly. (1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\RefusePasswordChange (2) Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Domain controller: Refuse machine account password changesCCE-490Table 3.63 Domain controller: Refuse machine account password changes: Not Defined (default); Disabled (Legacy Client, Enterprise Client, and High Security)M3.2.1.17 Domain Controller: Refuse machine account password changes: Disabled|5.4.6.14 [A] computer Account Password change Requests: Domain Controller: Refuse machine account password changes: DisabledTable 5.5 Security Options: Domain Controller Setting Recommendations: Refuse machine account password changes, Disabled (Legacy, Enterprise, and Specialized Security)8http://technet.microsoft.com/en-us/library/cc739351.aspx CCE-2984-3LThe "Maximum machine account password age" policy should be set correctly. 
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\MaximumPasswordAge (2) Computer Configuration\Windows Settings\Security Settings\ Local Policies\Security Options\Domain member: Maximum machine account password ageCCE-194}Table 3.68 Domain member: Maximum machine account password age: 30 days (Legacy Client, Enterprise Client, and High Security)E3.2.1.22 Domain Member: Maximum Machine Account Password Age: 30 daysj5.4.6.19 [A] Maximum Machine Account Password Age: Domain Member: Maximum Machine Account Password Age: 30Table 4.15 Security Options: Domain Member Setting Recommendations: Maximum machine account password age, 30 days (Legacy, Enterprise, and Specialized Security)8http://technet.microsoft.com/en-us/library/cc781050.aspx CCE-3504-8fThe "Require Domain Controller authentication to unlock workstation" policy should be set correctly. (1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ForceUnlockLogon (2) Computer Configuration\Windows Settings\Security Settings\ Local Policies\Security Options\Interactive logon: Require Domain Controller authentication to unlock workstation CCE-374Table 3.76 Interactive logon: Require domain controller authentication to unlock workstation: Disabled (default); Enabled (Legacy Client, Enterprise Client, and High Security)j3.2.1.30 Interactive Logon: Require Domain Controller authentication to unlock workstation: Not Applicable5.4.6.25 [A] Domain Controller Authentication to Unlock Workstation: Interactive logon: Require domain controller authentication to unlock workstation: EnabledTable 4.16 Security Options: Interactive Logon Setting Recommendations: Require Domain Controller authentication to unlock workstation, Enabled (Legacy, Enterprise, and Specialized Security) CCE-3773-9RThe "Disconnect clients when logon hours expire" policy should be set correctly. 
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableForcedLogoff (2) defined by Local or Group Policy CCE-278Table 3.84 Microsoft network server: Disconnect clients when logon hours expire: Enabled (Legacy Client, Enterprise Client, and High Security)V3.2.1.30 Microsoft Network Server: Disconnect clients when logon hours expire: Enabled5.4.6.33 [A] forcibly disconnect when logon hours expire: Microsoft network Server: Disconnect clients when logon hours expire: EnabledZ(1) Table 3.3 Security Options Settings: Microsoft network server: Disconnect clients when logon hours expire, Enabled (Legacy, Enterprise and Specialized Security) (2) Table 4.18 Security Options: Microsoft Network Server Setting Recommendations: Disconnect clients when logon hours expire, Enabled (Legacy, Enterprise, and Specialized Security) CCE-3420-7]The "Do not allow storage of credentials or .NET Passports" policy should be set correctly. (1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\DisableDomainCreds (2) Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Do not allow storage of credentials or .NET Passports for network authenticationCCE-542Table 3.87 Network access: Do not allow storage of credentials or .NET Passports for network authentications: Disabled (default); Enabled (Legacy Client, Enterprise Client, and High Security)3.2.1.40 Network Access: Do not allow storage of credentials or .NET passports for network authentication: Enabled (Specialized Security)5.4.6.54 [A] Storage of credentials or .NET passports: Network Access: Do not allow storage of credentials or .NET passports for network authentication: EnabledTable 4.19 Security Options: Network Access Setting Recommendations: Do not allow storage of credentials or .NET Passports for network authentication, Enabled (Legacy, Enterprise, Specialized Security)8http://technet.microsoft.com/en-us/library/cc779377.aspx CCE-3817-4YThe 
"Let Everyone permissions apply to anonymous users" policy should be set correctly. (1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\EveryoneIncludesAnonymous (2) Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Let Everyone permissions apply to anonymous users CCE-18Table 3.88 Network access: Let Everyone permissions apply to anonymous users: Disabled (Legacy Client, Enterprise Client, and High Security)T3.2.1.41 Network Access: Let Everyone permissions apply to anonymous users: Disabled< 5.4.6.55 [AP] Everyone Permissions Apply to Anonymous Users: Network Access: Let everyone permissions apply to anonymous users: DisabledTable 4.19 Security Options: Network Access Setting Recommendations: Let Everyone permissions apply to anonymous users, Disabled (Legacy, Enterprise, and Specialized Security)8http://technet.microsoft.com/en-us/library/cc778182.aspx CCE-3711-9TThe "Named Pipes that can be accessed anonymously" policy should be set correctly. 
(1) list of named pipes(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\NullSessionPipes (2) Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network Access: Named Pipes that can be accessed anonymouslyCCE-136Table 3.89 Network access: Named Pipes that can be accessed anonymously: None (Legacy Client, Enterprise Client, and High Security)K3.2.1.42 Network Access: Named pipes that can be accessed anonymously: None5.4.6.56 [MA] Anonymous Access to Named Pipes: Network Access: Named pipes that can be accessed anonymously: COMNAP, COMNODE, SQL\QUERY, SPOOLSS, EPMAPPER, LOCATOR, TrkWks, and TrkSvrTable 4.19 Security Options: Network Access Setting Recommendations: Named Pipes that can be accessed anonymously, Not defined (Legacy and Enterprise), COMNAP, COMNODE, SQL\QUERY, SPOOLSS, LLSRPC, netlogon, lsarpc, samr, browser (Specialized Security)8http://technet.microsoft.com/en-us/library/cc785123.aspx CCE-3729-1JThe "Remotely accessible registry paths" policy should be set correctly. 
(1) set of paths(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPathsHKLM (2) Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Remotely accessible registry pathsCCE-189 Table 3.90 Network access: Remotely accessible registry paths: System\currentControlSet\Control\Products Options; System\CurrentControlSet\Control\server Applications; Software\Microsoft\Windows NT\CurrentVersion (Legacy Client, Enterprise Client, and High Security)3.2.1.43 Network Access: Remotely accessible registry paths: System\CurrentControlSet\Control\Product Options, System\CurrentControlSet\Control\Server Applications, Software\Microsoft\WindowsNT\CurrentVersion5.4.6.57 [MA] Remotely Accessible Registry Paths: Network Access: Remotely accessible registry paths: System\currentControlSet\Control\ProductOptions, System\CurrentControlSet\Control\Server Applications, Software\Microsoft\Windows NT\CurrentVersion2Table 4.19 Security Options: Network Access Setting Recommendations: Remotely accessible registry paths, System\ CurrentControlSet\Control\ Product Options; System\ CurrentControlSet\Control\ Server Applications; Software\Microsoft\ Windows NT\ CurrentVersion (Legacy, Enterprise, and Specialized security)8http://technet.microsoft.com/en-us/library/cc786180.aspx CCE-3592-3OThe "Shares that can be accessed anonymously" policy should be set correctly. 
(1) set of shares(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\NullSessionShares (2) Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Shares that can be accessed anonymouslyCCE-942~Table 3.93 Network Access: Shares that can be accessed anonymously: None (Legacy Client, Enterprise Client, and High Security)F3.2.1.46 Network Access: Shares that can be accessed anonymously: None|5.4.6.60 [MA] Anonymous Access to Network Shares: Network Access: Shares that can be accessed anonymously: Table 4.19 Security Options: Network Access Setting Recommendations: Shares that can be accessed anonymously, Not defined (Legacy and Enterprise), None (Specialized Security)8http://technet.microsoft.com/en-us/library/cc776860.aspx CCE-3112-0UThe "Sharing and security model for local accounts" policy should be set correctly. (1) Classic/Guest only(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\ForceGuest (2) Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Sharing and security model for local accountsCCE-343Table 3.94 Network Access: Sharing and security model for local accounts: Classic - local users authenticate as themselves (Legacy Client, Enterprise Client, and High Security)O3.2.1.47 Network Access: Sharing and security model for local accounts: Classic5.4.6.61 [A] Sharing and Security Model for Local Accounts: Network Access: Sharing and security model for local accounts: "Classis - local users authenticate as themselves"Table 4.19 Security Options: Network Access Setting Recommendations: Sharing and security model for local accounts, Classic local users authenticate as themselves (Legacy, Enterprise, and Specialized Security)8http://technet.microsoft.com/en-us/library/cc786449.aspx CCE-3632-7cThe "Do not store LAN Manager hash value on next password change" policy should be set correctly. 
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash (2) Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Do not store LAN Manager hash value on next password changeCCE-233Table 3.95 Network Security: Do not store LAN Manager hash value on next password change: Enabled (Legacy Client, Enterprise Client, and High Security) ~3.2.1.48 Network Security:Do not store LAN Manager password hash value on next password change: Enabled (Specialized Security)|5.4.6.62 [AP] LAN Manager Hash Value: network security: Do not store LAN Manager hash value on next password change: Enabled=Table 4.20 Security Options: Network Security Setting Recommendations: Do not store LAN Manager hash value on next password change, Enabled (Legacy, Enterprise, and Specialized Security) Table 5.6 Security Options: Network Security Settings Recommendations: Do not store LAN Manager hash value on next password change8http://technet.microsoft.com/en-us/library/cc757582.aspx CCE-3719-2LThe "Force logoff when logon hours expire" policy should be set correctly. 
(1) Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft network server: Disconnect clients when logon hours expireCCE-775Table 2.14 Network Security: Force Logoff when logon hours expire: Disabled (default); Enabled (Legacy Client, Enterprise Client, and High Security)L3.2.1.49 Network Security: Force logoff when logon hours expire: Not Defined:5.4.6.63 [A] force Logoff when Logon Hours Expire: EnabledL(1) Table 3.3 Security Options Settings: Network Security: Force Logoff when Logon Hours expire, Enabled (Legacy, Enterprise and Specialized Security) (2) Table 4.18 Security Options: Microsoft Network Server Setting Recommendations: Disconnect clients when logon hours expire, Enabled (Legacy, Enterprise and Specialized Security) 8http://technet.microsoft.com/en-us/library/cc758192.aspx CCE-3614-5[The "Minimum session security for NTLM SSP based clients" policy should be set correctly. (1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinClientSec (2) Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network Security: Minimum session security for NTLM SSP based (including secure RPC) clientsCCE-674Table 3.98 Network Security: Minimum session security for NTLM SSP based clients: No minimum (Legacy Client); Enabled all settings (Enterprise Client and High Security)3.2.1.52 Network Security: Minimum session security for NTLM SSP based clients: Require Message Integrity, Message Confidentiality, NTLMv2 Session Security, 128-bit Encryption (Specialized Security)5.4.6.66 [A] Minimum Session Security for NTLM SSP-based Clients: "Require NTLMv2 session security", "Require 128-bit encryption", "Require Message Integrity", and "Require Messa< ge Confidentiality"Table 4.20 Security Options: Network Security Setting Recommendations: Minimum session security for NTLM SSP based (including secure RPC) clients: No minimum (Legacy), Enabled all settings (Enterprise and 
Security) CCE-3759-8[The "Minimum session security for NTLM SSP based servers" policy should be set correctly. (1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinServerSec (2) Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Minimum session security for NTLM SSP based (including secure RPC) serversCCE-766Table 3.99 Network Security: Minimum session security for NTLM SSP based servers: No minimum (Legacy Client); Enabled all settings (Enterprise Client and High Security)5.4.6.67 [A] Minimum Session Security for NTLM SSP-based servers: "Require NTLMv2 session security", Require 128-bit encryption", Require Message Integrity", and "Require Message Confidentiality"Table 4.20 Security Options: Network Security Setting Recommendations: Minimum session security for NTLM SSP based (including secure RPC) servers, No minimum (Legacy), Enabled all settings (Enterprise and Specialized Security)8http://technet.microsoft.com/en-us/library/cc776157.aspx CCE-3526-1^The "Screensaver Executable Name" setting should be configured correctly for the current user.:(1) HKEY_CURRENT_USER\Control Panel\Desktop\SCRNSAVE.EXE CCE-764C5.5.1 [AP] Password Protected Screen Savers: Passwords are required CCE-3764-8PThe "screensaver timeout" policy should be set correctly for the current user. (1) time in seconds?(1) HKEY_CURRENT_USER\Control Panel\Desktop\ScreenSaveTimeOut CCE-830_7.5.1 Configuring Default User Screensaver Options: ScreenSaveTimeout: 900 Seconds (15 minutes) CCE-3781-2"DEPRECATED in favor of CCE-3182-3.CCE-949 CCE-3799-4RThe screensaver should be enabled or disabled as appropriate for the current user.>(1) HKEY_CURRENT_USER\Control Panel\Desktop\ScreenSaveActive CCE-742G7.5.1 Configuring Default User Screensaver Options: ScreenSaveActive: 1 CCE-3693-9PThe "screensaver timeout" policy should be set correctly for the default user. 
@(1) HKEY_USER\.DEFAULT\Control Panel\Desktop\ScreenSaveTimeOut CCE-517 CCE-3698-8^The "Password protect the screensaver" setting should be set correctly for the default user. B(1) HKEY_USER\.DEFAULT\Control Panel\Desktop\ScreenSaverIsSecure CCE-433J7.5.1 Configuring Default User Screensaver Options: ScreenSaverIsSecure: 1 CCE-3715-0RThe screensaver should be enabled or disabled as appropriate for the default user.?(1) HKEY_USER\.DEFAULT\Control Panel\Desktop\ScreenSaveActive CCE-103 CCE-3609-5"DEPRECATED in favor of CCE-3526-1.CCE-54 CCE-3253-2"DEPRECATED in favor of CCE-3764-8.CCE-221 CCE-2900-9CCE-235 CCE-3671-5"DEPRECATED in favor of CCE-3799-4.CCE-287 CCE-3182-3dThe "Password protect the screen saver" setting should be configured correctly for the current user.(1) HKEY_CURRENT_USER\Control Panel\Desktop\ScreenSaverIsSecure (2) GPO path: User Configuration\Administrative Templates\Control Panel\Display\Password protect the screen saverCCE-442(1) 7.5.1 Configuring Default User Screensaver Options: ScreenSaverIsSecure: 1 (2) 5.5.1 [AP] Password Protected Screen Savers: Passwords are required CCE-3534-5.DEPRECATED in favor of CCE-3764-8, CCE-3693-9.CCE-481 CCE-3794-5OThe "Always Install with Elevated Privileges" policy should be set correctly. \(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated CCE-736I8.3.3.1 Always Install with Elevated Privileges: (4.037: CAT II) Disabled CCE-3547-7IThe "Enable User Control Over Installs" policy should be set correctly. X(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer\EnableUserControl CCE-415C8.3.3.3 Enable User Control Over Installs: (5.051: CAT II) Disabled CCE-3190-6XThe "Enable User to Browser for Source While Elevated" policy should be set correctly. 
Z(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer\AllowLockDownBrowse CCE-794Q8.3.3.4 Enable User to Browse for Source While Elevated: (5.052: CAT II) Disabled CCE-3587-3VThe "Enable User to Use Media Source While Elevated" policy should be set correctly. Y(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer\AllowLockDownMedia CCE-107P8.3.3.5 Enable User to Use Media Source While Elevated: (5.053: CAT II) Disabled CCE-2837-3eThe "Allow Administrator to Install from Terminal Services Session" policy should be set correctly. Z(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer\EnableAdminTSRemote CCE-256W8.3.3.7 Allow Admin to Install from Terminal Services Session: (5.055: CAT II) Disabled CCE-3803-4NThe "Enable User to Patch Elevated Products" policy should be set correctly. Y(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer\AllowLockDownPatch CCE-662H8.3.3.6 Enable User to Patch Elevated Products: (5.054: CAT II) Disabled CCE-3702-8KThe "Cache Transforms in Secure Location" policy should be set correctly. V(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer\TransformSecure CCE-424S8.3.3.8 Cache Transforms in Secure Location on Workstation: (5.056: CAT II) Enabled CCE-3720-0RThe "Disable Media Player for automatic updates" policy should be set correctly. Y(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsMediaPlayer\DisableAutoupdate CCE-455P5.6.4.1 [A] Media Player - Disabling Media Player for Automatic Updates: Enabled CCE-2863-9VThe "Prevent Codec Download" policy should be set correctly for Windows MediaPlayer. [(1) HKEY_CURRENT_USER\Software\Policies\Microsoft\WindowsMediaPlayer\PreventCodecDownload CCE-124c8.3.11 Media Player - Automatic Downloads: (5.061: CAT II) Prevent Codec Download is set to Enabled CCE-3636-8GInternet access for Windows Messenger should be configured correctly. 
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Messenger\Client\{9b017612-c9f1-11d2-8d9f-0000f875c541}\Disabled (2) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\MessengerService CCE-525:5.6.5.3 [A] Windows Messenger - internet Access Blocked: 1 CCE-3658-2PThe "Do Not Allow Windows Messenger to be Run" policy should be set correctly. P(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Messenger\Client\PreventRun CCE-802UTable 3.167 Messenger: Disabled (Legacy Client, Enterprise Client, and High Security)H8.3.4.1 Do Not Allow Windows Messenger to be Run: (5.017: CAT I) Enabled CCE-3306-8TThe "Do Not Automatically Start Windows Messenger" policy should be set correctly. T(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Messenger\Client\PreventAutoRun CCE-309U8.3.4.2 Do Not Automatically Start Windows Messenger Initially: (5.029: CAT I) Enabled CCE-3728-3RThe "Hide Property Pages" policy should be set correctly for the Task Scheduler. ](1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Task Scheduler5.0\Property Pages CCE-785M7.6.15 Task Scheduler Service: (5.035: CAT III) Hide Property Page is Enabled CCE-3746-5WThe "Prohibit New Task Creation" policy should be set correctly for the Task Scheduler.\(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Task Scheduler5.0\Task Creation CCE-578U7.6.15 Task Scheduler Service: (5.036: CAT III) Prohibit New Task Creation is Enabled CCE-3654-1_The "Limit Users to One Remote Session" policy should be set correctly for Terminal Services. 
h(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\fSingleSessionPerUser CCE-507A8.3.2.2 Limit User to One Remote Session: (5.038: CAT II) Enabled CCE-3786-1WThe "Limit Number of Connections" policy should be set correctly for Terminal Services.)(1) Maximum number of connections allowedc(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\MaxInstanceCount CCE-80<8.3.2.3 Limit Number of Connections: (5.039: CAT II) Ena< bled CCE-3790-3_The "Do Not Allow New Client Connections" policy should be set correctly for Terminal Services.e(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\fDenyTSConnections CCE-401D8.3.2.4 Do Not Allow New Client Connections: (5.040: CAT II) Enabled CCE-3808-3vThe "Do Not Allow Local Administrators to Customize Permissions" policy should be set correctly for Terminal Services.g(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\fWritableTSCCPermTab CCE-824c5.6.3.3 [A] Terminal Services - Do Not Allow Local Administrators to Customize Permissions: Enabled CCE-3848-9SThe "Remote Control Settings" policy should be set correctly for Terminal Services.Y(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\Shadow CCE-1905.6.3.4 [A] Terminal Services - Remote Control Settings: "Set rules for remote control of Terminal Services user settings: Enabled CCE-3666-5mThe "Always Prompt Client for Password upon Connection" policy should be set correctly for Terminal Services.e(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\fPromptForPassword CCE-855[5.6.3.5 [A] Terminal Services - Always prompt client for password upon connections: Enabled CCE-3812-5bThe "Set Client connection Encryption Level" policy should be set correctly for Terminal Services.(1) encryption level(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\MinEncryptionLevel (2) Computer 
Configuration\Administrative Templates\Windows Components\ Terminal Services\Encryption and Security\Set client connection encryption levelCCE-397nTable 3.255 Set client connection encryption level: High (Legacy Client, Enterprise Client, and High Security)O5.6.3.6 [A] Terminal Services - Set Client Connection Encryption Level: EnabledTable 4.31 Client Connection Encryption Level Setting Recommendation: Set client connection encryption level, High (Legacy, Enterprise, and Specialized Security) Table 5.10 Recommended Terminal Services Settings: Set client connection encryption level CCE-3710-1_The "Do not Use Temp folders per Session" policy should be set correctly for Terminal Services.c(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\PerSessionTempDir CCE-670E8.3.2.5 Do Not Use Temp Folders per Session: (5.044: CAT II) Disabled CCE-3627-7]The "Do not Delete Temp folder on exit" policy should be set correctly for Terminal Services.f(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\DeleteTempDirsOnExit CCE-961E8.3.2.6 Do Not Delete Temp Folder upon Exit: (5.045: CAT II) Disabled CCE-2875-3dThe "Set time limit for disconnected sessions" policy should be set correctly for Terminal Services.(1) Time Limit (minutes)f(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\MaxDisconnectionTime CCE-9205.6.3.10 [A] Terminal Services - Set time Limit for Disconnected Sessions: Enabled ("End a disconnected session" is set to "1") CCE-3665-7\The "Set time limit for idle sessions" policy should be set correctly for Terminal Services.(1) Time limit (minutes)](1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\MaxIdleTime CCE-123d8.3.2.7 Set Time Limit for Idle Sessions: (5.047: CAT II) Enabled and set to no more than 15 minutes CCE-3683-0hThe "Allow Reconnection from Original Client Only" policy should be set correctly for Terminal Services.a(1) 
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\fReconnectSame CCE-524V5.6.3.12 [A] Terminal Services - Allow Reconnection from Original Client Only: Enabled CCE-3577-4jThe "Terminate session when time limits are reached" policy should be set correctly for Terminal Services.^(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\fResetBroken CCE-568O8.3.2.8 Terminate Session When Time Limits are Reached: (5.049: CAT II) Enabled CCE-3828-1VThe "Enable Keep-Alive Messages" policy should be set correctly for Terminal Services.b(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\KeepAliveEnable CCE-70558.3.2.1 Keep-Alive Messages: (5.037: CAT III) Enabled CCE-3599-8]The "Allow Solicited Remote Assistance" policy should be set correctly for Terminal Services.b(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\fAllowToGetHelp CCE-859E5.6.8.1 [A] Remote Assistance - Solicited Remote Assistance: Disabled CCE-3617-8_The "Allow Unsolicited Remote Assistance" policy should be set correctly for Terminal Services.c(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\fAllowUnsolicited CCE-434A5.6.8.2 [A] Remote Assistance - Offer Remote Assistance: Disabled CCE-3758-0>The "Enable Error Reporting" policy should be set correctly. 
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\PCHealth\ErrorReporting\DoReport (2) Computer Configuration\Administrative Templates\System\Internet Communications Management\Internet Communications settings\Turn off Windows Error ReportingCCE-592[Table 3.257 Error Reporting: Disabled (Legacy Client, Enterprise Client, and High Security)5.6.9.1 Report Errors: DisabledCTable 4.33 Recommended Error Reporting Settings: Turn off Windows Error Reporting, Enabled (Legacy, Enterprise, and Specialized Security) Table 5.12 Recommended Error Reporting Settings: Turn off Windows Error Reporting Table 12.4 Recommended Error Reporting Settings, Enabled (Legacy, Enterprise, and Specialized Security) CCE-3700-2GThe "Enforce user logon restrictions" policy should be set correctly. CCE-227M5.4.3.1 [M] User Logon Restrictions: Enforce user logon restrictions: Enabled CCE-3237-5HThe "Maximum Service Ticket Lifetime" policy should be set correctly. CCE-6U5.4.3.2 [M] Service Ticket Lifetime: Maximum lifetime for service ticket: 600 minutes CCE-3625-1DThe "Maximum User Ticket Lifetime" policy should be set correctly. (1) number of hoursCCE-37L5.4.3.3 [M] User Ticket Lifetime: Maximum lifetime for user ticket: 10 hours CCE-3396-9\The "Maximum tolerance for computer clock synchronization" policy should be set correctly. 
CCE-588l5.4.3.5 [M] Computer Clock Synchronization: Maximum tolerance for computer clock synchronizations: 5 minutes CCE-3788-7DThe startup type of the Removable Storage service should be correct.(1) automatic/manual/disabledv(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtmsSvc\Start (2) defined by the Services Administrative ToolCCE-420]Table 3.199 Removable Storage: Disabled (Legacy Client, Enterprise Client, and High Security) CCE-3806-7jThe "Allow automatic updates immediate installation" setting should be enabled or disabled as appropriate.(1) Computer Configuration/Administrative Templates/Windows Components/Windows Update/Allow Automatic Updates immediate installationCCE-861&Table 11.3 Automatic Updates: Disabled CCE-3608-7DThe "Automatic Updates detection frequency" should be set correctly.{(1) Computer Configuration/Administrative Templates/Windows Components/Windows Update/Automatic Updates detection frequencyCCE-244 CCE-3740-8?Automatic updates should be enabled or disabled as appropriate.q(1) Computer Configuration/Administrative Templates/Windows Components/Windows Update/Configure Automatic UpdatesCCE-306 CCE-3277-1The "No auto-restart with logged on users for scheduled automatic updates installations" setting should be enabled or disabled as appropriate.(1) Computer Configuration/Administrative Templates/Windows Components/Windows Update/No auto-restart with logged on users for scheduled automatic updates installationsCCE-641 CCE-3661-6pThe "Reschedule Automatic Updates scheduled installations" setting should be enabled or disabled as appropriate.(1) Computer Configuration/Administrative Templates/Windows Components/Windows Update/Reschedule Automatic Updates scheduled i< nstallationsCCE-804 CCE-3730-9nThe "Specify intranet Microsoft update service location" setting should be enabled or disabled as appropriate.(1) Computer Configuration/Administrative Templates/Windows Components/Windows Update/Specify intranet Microsoft update service 
locationCCE-932f2.2.2 Microsoft Software Updates Services: Specify intranet Microsoft update service location: enabled CCE-3250-8?The TCPMaxPortsExhausted setting should be properly configured.)(1) number of dropped connection requestsZHKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\TCPMaxPortsExhaustedCCE-418j3.2.1.78 MSS: TCPMaxPortsExhausted, How many dropped connect requests to initiate SYN attack protection: 5 CCE-3413-2WThe "Security Zones: Use Only Machine Settings" setting should be configured correctly.I HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Use_HKLM_only Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Security_HKLM_onlyCCE-5J8.3.1.1 Security Zones: Use Only Machine Settings: (5.028: CAT II) Enabled CCE-3039-5dThe "Security Zones: Do Not Allow Users to Add/Delete Sites" setting should be configured correctly.X HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Security_Zones_Map_Edit Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Security_zones_map_editCCE-146W8.3.1.3 Security Zones: Do Not Allow Users to Add/Delete Sites: (5.030: CAT II) Enabled CCE-3810-9kThe "Disable Periodic Check For Internet Explorer Software Updates" setting should be configured correctly.J HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\InfoDelivery\Restrictions\NoUpdateCheck Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions\NoUpdateCheckCCE-212^8.3.1.6 Disable Peridoic Check for Internet 
Explorer Software Updates: (5.033: CAT II) Enabled CCE-3832-3kThe "Disable Software Update Shell Notifications on Program Launch" setting should be configured correctly.(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoMSAppLogo5ChannelNotify (2) Local Internet Options: (3) GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Features/Restrict File Download (4) Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD\(Reserved) (5) [HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD\explorer.exe (6) [HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD\iexplore.exeCCE-622`8.3.1.7 Disable Software Update Shell Notificiations on Program Launch: (5.034: CAT II) Disabled CCE-3598-0gThe "Disable Automatic Install of Internet Explorer Components" setting should be configured correctly.R(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\InfoDelivery\Restrictions\NoJITSetup (2) Local Internet Options: (3) GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer (4) Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions\NoJITSetupCCE-684Z8.3.1.5 Disable Automatic Install of Internet Explorer Components: (5.032: CAT II) Enabled CCE-3713-5dThe "Make Proxy Settings Per-Machine (Rather Then Per-User)" setting should be configured correctly.(1) number of proxy settingsc(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ProxySettingsPerUser, (2) Local Internet Options: (3) GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer, (4) Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet 
Settings\ProxySettingsPerUserCCE-693@8.3.1.4 Make Proxy Settings Per Machine: (5.031: CAT II) Enabled CCE-3480-1cThe "Security Zones: Do Not Allow Users to Change Policies" setting should be configured correctly.d(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Security_options_edit (2) Local Internet Options: (3) GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer (4) Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Security_options_edit CCE-833V8.3.1.2 Security Zones: Do Not Allow Users to Change Policies: (5.029: CAT II) Enabled CCE-5026-0CAdministrative Shares should be enabled or disabled as appropriate.w(1) Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\MSS: (AutoShareServer) Enable Administrative Shares (recommended except for highly secure environments) (2) HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters\AutoShareServer (3) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters\AutoShareWkshMSS: (AutoShareServer) Enable Administrative Shares (recommended except for highly secure environments) Table 4.29 Other Registry Entry Recommendations: MSS: (AutoShareWks) Enable Administrative Shares (recommended except for highly secure environments), 1 (Legacy), 0 (Enterprise and Specialized Security)&http://support.microsoft.com/kb/245117 CCE-8544-9The time in seconds before the screen saver grace period expires (ScreenSaverGracePeriod) setting should be configured correctly.(1) number of secondsc(1) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ScreenSaverGracePeriodTable 3.251 Make screensaver password protection immediate: the time in seconds before the screen saver grace period expires: 0 (Legacy Client, Enterprise Client, and High Security)Q3.2.1.84 MSS: The time in seconds before the screen saver grace period expires: 0Table 4.29 
Other Registry Entry Recommendations: MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires, 0 (Legacy, Enterprise, and Specialized Security)8http://technet.microsoft.com/en-us/library/cc785331.aspx CCE-8049-9YUse of the built-in Administrator account should be enabled or disabled as appropriate. (1) 0 = Enabled | 1 = Disabledr(1) Computer Configuration\Windows Settings\Local Policies\Security Options\Accounts: Administrator account statusCCE-499Table 4.12 Security Options: Accounts Setting Recommendations: Administrator account status, Not defined (Legacy and Enterprise), Enabled (Specialized Security) CCE-7604-2RThe "Create global objects" user right should be assigned to the correct accounts.(1) Set of accountsy(1) Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Create global objectsCCE-383Table 4.11 User Rights Assignments Setting Recommendations: Not defined (Legacy and Enterprise), Administrators, SERVICE (Specialized Security) CCE-7773-5The "DCOM: Machine access Restrictions in Security Descriptor Definition Language (SDDL) syntax" setting should be configured correctly.(1) SDDL string(1) HKLM\Software\policies\Microsoft\windows NT\DCOM\MachineLaunchRestriction (2) Computer Configuration\Windows Settings\Local Policies\Security Options\DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntaxCCE-458 CCE-8561-3The "DCOM: Machine Launch Restrictions in the Security Descriptor Definition Language (SDDL) syntax" security option should be set correctly.(1) HKLM\Software\policies\Microsoft\windows NT\DCOM\MachineLaunchRestriction (2) Computer Configuration\Windows Settings\Local Policies\Security Options\DCOM: Machine Launch Restr< ictions in Security Descriptor Definition Language (SDDL) syntaxCCE-740 CCE-8592-8_The "Prevent System Maintenance of Computer Account Password" policy should be set correctly. 
(1) HKLM\System\CurrentControlSet\Services\Netlogon\Parameters\disablepasswordchange (2) Computer Configuration\Windows Settings\Local Policies\Security Options\Domain member: Disable machine account password changesCCE-831Table 4.15 Security Options: Domain Member Setting Recommendations: Disable machine account password changes, Disabled (Legacy, Enterprise, and Specialized Security)8http://technet.microsoft.com/en-us/library/cc785826.aspx CCE-8013-5gThe "Impersonate a client after authentication" user right should be assigned to the correct accounts.(1) Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Impersonate a client after authenticationCCE-304Table 4.11 User Rights Assignments Setting Recommendations: Impersonate a client after authentication, Not defined (Legacy and Enterprise), Administrators, SERVICE (Specialized Security) CCE-8542-3RThe "Interactive logon: Require smart card" setting should be configured correctly.E(1) HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\scforceoption, Computer Configuration\Windows Settings\Local Policies\Security Options\Interactive logon: Require smart card (2) Computer Configuration\Windows Settings\Security Settings\ Local Policies\Security Options\Interactive logon: Require smart card CCE-828Table 4.16 Security Options: Interactive Logon Setting Recommendations: Require smart card, Not defined (Legacy, and Enterprise), Disabled (Specialized Security)8http://technet.microsoft.com/en-us/library/cc782056.aspx CCE-7606-7EThe "Maximum User Renewal Lifetime" policy should be set correctly. (1) Number of days(1) Computer Configuration\Windows Settings\Security Settings\Account Policies\Kerberos Policy\Maximum lifetime for user ticket renewalCCE-33 CCE-8534-0[The "Digitally Sign Client Communication (When Possible)" policy should be set correctly. 
(1) HKLM\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnableSecuritySignature (2) Computer Configuration\Windows Settings\Local Policies\Security Options\Microsoft network client: Digitally sign communications (if server agrees)CCE-519Table 4.17 Security Options: Microsoft Network Client Setting Recommendations: Digitally sign communications (if server agrees), Enabled (Legacy, Enterprise and Specialized Security) CCE-7611-7SAutomatic Reboot After System Crash should be enabled or disabled as appropriate. (1) HKLM\SYSTEM\CurrentControlSet\Control\CrashControl\AutoReboot (2) Computer Configuration\Windows Settings\Local Policies\Security Options\MSS: (AutoReboot) Allow Windows to automatically restart after a system crash (recommended except for highly secure environments)CCE-137Table 4.29 Other Registry Entry Recommendations: MSS: (AutoReboot) Allow Windows to automatically restart after a system crash (recommended except for highly secure environments), 1 (Legacy and Enterprise), 0 (Specialized Security)8http://technet.microsoft.com/en-us/library/cc976049.aspx CCE-8380-8FSystem availability to Master Browser should be properly configured. (1) HKLM\System\CurrentControlSet\Services\Lanmanserver\Parameters\Hidden (2) Computer Configuration\Windows Settings\Local Policies\Security Options\MSS: (Hidden) Hide Computer From the Browse List (not recommended except for highly secure environments)CCE-139 CCE-8601-7MKerberos and RSVP Traffic Protected by IPSec should be properly configured. 
(1) HKLM\System\CurrentControlSet\Services\IPSEC\NoDefaultExempt (2) Computer Configuration\Windows Settings\Local Policies\Security Options\MSS: (NoDefaultExempt) Configure IPSec exemptions for various types of network trafficCCE-501Table 4.29 Other Registry Entry Recommendations: MSS: (NoDefaultExempt) Enable NoDefaultExempt for IPSec Filtering (recommended), 3 (Legacy, Enterprise, and Specialized Security)8http://technet.microsoft.com/en-us/library/bb727063.aspx CCE-8508-4aThe automatic generation of 8.3 file names for NTFS should be enabled or disabled as appropriate. (1) HKLM\System\CurrentControlSet\Control\FileSystem\NtfsDisable8dot3NameCreation (2) Computer Configuration\Windows Settings\Local Policies\Security Options\MSS: (NtfsDisable8dot3NameCreation) Enable the computer to stop generating 8.3 style filenames (recommended)CCE-511Table 4.29 Other Registry Entry Recommendations: MSS: (NtfsDisable8dot3NameCreation) Enable the computer to stop generating 8.3 style filenames (recommended), 0 (Legacy, Enterprise and Specialized Security)8http://technet.microsoft.com/en-us/library/cc959352.aspx CCE-8472-3vThe number of SYN-ACK retransmissions sent when attempting to respond to a SYN request should be configured correctly.(1) Number of retransmissions (1) HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxConnectResponseRetransmissions (2) Computer Configuration\Windows Settings\Local Policies\Security Options\MSS: (TCPMaxConnectResponseRetransmissions) SYN-ACK retransmissions when a connection request is not acknowledgedCCE-577Table 4.28 TCP/IP Registry Entry Recommendations: TcpMaxConnectResponseRetransmissions, 2 (Legacy, Enterprise and Specialized Security)8http://technet.microsoft.com/en-us/library/cc938208.aspx CCE-7613-3qThe number of retransmissions sent of TCP data segments before the connection is dropped should be set correctly.(1) HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxDataRetransmissions (2) Computer 
Configuration\Windows Settings\Local Policies\Security Options\MSS: (TCPMaxDataRetransmissions) How many times unacknowledged data is retransmitted (3 recommended, 5 is default)CCE-872}Table 4.28 TCP/IP Registry Entry Recommendations: TcpMaxDataRetransmissions, 3 (Legacy, Enterprise, and Specialized Security)?http://technet.microsoft.com/en-us/library/cc780586(WS.10).aspx CCE-8479-8CThe Security Audit log warning level should be properly configured.(1) Percentage(1) HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\WarningLevel (2) Computer Configuration\Windows Settings\Local Policies\Security Options\MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warningCCE-125Table 4.29 Other Registry Entry Recommendations: MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning, 90 (Legacy, Enterprise and Specialized Security) CCE-8325-3WThe "Remotely accessible registry paths and subpaths" policy should be set correctly. 
(1) HKLM\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths\Machine (2) Computer Configuration\Windows Settings\Local Policies\Security Options\Network access: Remotely accessible registry paths and subpathsCCE-1185@Table 4.19 Security Options: Network Access Setting Recommendations: Remotely accessible registry paths and sub-paths, System\ CurrentControlSet\Control\ Product Options; System\ CurrentControlSet\Control\ Server Applications; Software\Microsoft\ Windows NT\ CurrentVersion (Legacy, Enterprise, and Specialized Security) CCE-8091-1hAnonymous access to Named Pipes and Shares via the network should be enabled or disabled as appropriate.(1) HKLM\System\CurrentControlSet\Services\LanManServer\Parameters\restrictnullsessaccess (2) Computer Configuration\Windows Settings\Local Policies\Security Options\Network access: Restrict anonymous access to Named Pipes and SharesCCE-638Table 4.19 Security Options: Network Access Setting Recommendations: Restrict anonymous access to Named Pipes and Shares, Enabled (Legacy, Enterprise, and Specialized Security)9http://technet.microsoft.com/en-us/library/cc778473.aspx CCE-8043-2UThe "Registry policy processing" policy should be enabled or disabled as appropriate.(1) HKLM\Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}\ NoBackgroundPolicy (2) Computer Configur<ation\Administrataive Templates\System\Group Policy\Registry policy processingCCE-584 CCE-8527-4OAuthentication requirements for RPC clients should be configured appropriately.9(1) Authenticated, Authenticated without exceptions, None(1) HKLM\Software\Policies\Microsoft\Windows NT\Rpc\RestrictRemoteClients (2) Computer Configuration\Administrative Templates\System\Remote Procedure Call\Restrictions for Unauthenticated RPC clientsCCE-423 CCE-8151-3WRPC Endpoint Mapper Client Authentication should be enabled or disabled as appropriate.(1) HKLM\Software\Policies\Microsoft\Windows NT\Rpc\EnableAuthEpResolution (2) 
Computer Configuration\Administrative Templates\System\Remote Procedure Call\RPC Endpoint Mapper Client AuthenticationCCE-145 CCE-8462-4The "System cryptography: Force strong key protection for user keys stored on the computer" policy should be enabled or disabled as appropriate.(1) HKLM\Software\Policies\Microsoft\Cryptography\ForceKeyProtection (2) Computer Configuration\Windows Settings\Local Policies\Security Options\System cryptography: Force strong key protection for user keys stored on the computerCCE-647Table 4.24 Security Options: System Cryptography Setting Recommendations: Force strong key protection for user keys stored on the computer, User is prompted when the key is first used (Legacy and Enterprise), User must enter a password each time they use a key (Specialized Security)8http://technet.microsoft.com/en-us/library/cc738035.aspx CCE-7936-8The "System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies" setting should be configured properly.(1) HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\AuthenticodeEnabled (2) Computer Configuration\Windows Settings\Local Policies\Security Options\System settings: Use Certificate Rules on Windows Executables for Software Restriction PoliciesCCE-572Table 4.26 Security Options: System Setting Recommendations: System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies, Not defined (Legacy), Disable (Enterprise), Enabled (Specialized Security) CCE-9994-5eThe "Change Password" option in the Ctrl+Alt+Del dialog should be enabled or disabled as appropriate.(1) User Configuration/Administrative Templates/System/Ctrl+Alt+Del Options/Remove Change Password (2) HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableChangePassword]How to Prevent Users from Changing a Password Except When Required (High Security Enviroment)YHow to Prevent Users from Changing a Password Except When Required (Specialized 
Security) http://support.microsoft.com/?kbid=324744 CCE-10633-6 The "Display user information when the session is locked" setting should be configured correctly. (1) name, domain and user names (2) User display name only (3) Do not display user information (1) Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Display user information when the session is locked (2) HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLockedUserId Table 4.16 Security Options: Interactive Logon Setting Recommendations: Display user information when the session is locked, Not defined (Legacy and Enterprise), User display name, domain and user names (Specialized Security) http://blogs.technet.com/askds/archive/2009/02/06/how-to-hide-user-information-when-computer-is-locked.aspx CCE-9710-5 The account description for the built-in Administrator account should be set as appropriate. (1) description Computer Management>Local Users and Groups>Users>Rename pg 112: Change the account descriptions to something other than the defaults to help prevent easy identification of the accounts CCE-10688-0 User-initiated system crashes via the CTRL+SCROLL LOCK+SCROLL LOCK sequence should be enabled or disabled for PS/2 keyboards as appropriate. (1) enabled / disabled (1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\i8042prt\Parameters\CrashOnCtrlScroll Windows Server 2003 with SP1 includes a feature that you can use to halt the computer and generate a Memory.dmp file. You must explicitly enable this feature, and it may not be appropriate for all servers in your organization. http://support.microsoft.com/default.aspx?kbid=244139. 
CCE-10710-2User-initiated system crashes via the CTRL+SCROLL LOCK+SCROLL LOCK sequence should be enabled or disabled for USB keyboards as appropriate.\(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\kbdhid\Parameters\CrashOnCtrlScroll CCE-10463-8/The Syskey mode should be configured correctly.(1) mode(1) syskey commandTable 5.9 Syskey Modes, Mode 1: System Generated Password, Store Startup Key Locally, Mode 2: Administrator generated password, Password Startup, Mode 3: System Generated Password, Store Startup Key on Floppy Disk (Modes 2 and 3 are considered more secure options) K  W4Z 24.);$*]/% 7Se<B/II)OC Vy[_cg$k"n|rz vy}kEkEgA< CBʝjvP$E+ HUATLDR^o @Zk;  9,23  !R(9.h5C~:A(lGwM MSX Y_1e<3l)r xi,|I Z8FtNd  hL1~U c .&A y(`# ).4 :?F&KR WccB f2 8,LqZ̿6 Z%  dMbP?_*+%&?'?('}'}?)'}'}?M\\MBPS1\1S412-OC.  od XXʀ0CourierArial 0X o   COPIES@PJL JOB NAME="!JOBNAME" @PJL SET GUISTARTJOB=1 @PJL EOJ Сpxxxxb Ц Oce im2830 Series PS3MckinleyU  X !                                                    q q 18050,E211111111111111111111111C,1003,E211,2124,E1,q q q Pq q q @q q q 0q q аq q pq q q `q q q Pq q q @q q q 0q q "d,, ` `? ` `?&`U} :} <} <} 2<} =}  >} ?} m?} $?} I.@} $A} $ >,     H                               ; ; B C C CD C E E E  F  G I J J KL M N NN  O  P I J J KL M N N N  O  P I J J K L M! N" N# N$  O% P I& J' J J(L M)N N*N  O+ P I, J- J J.L M/N N0N  O1 P I2 J3 J J4L M5 N6 N7N  O8  P9 I: J; J J< L M= N N> N O? P I@ JA J JB L MC N ND N OE P IF JG J JH L MI N NJ N OK P IL JM J JN L MO NP NQ N OR P IS JT J JU L MV NW NX N OY P IZ J[ J J\L M] N^ N_N  O` P Ia Jb J JcL Md Ne NfN  Og P Ih Ji J JjL Mk Nl NmN  On P Io Jp J JqL Mr Ns NtN  Ou  Pv Iw Jx J JyL Mz N{ N|N  O} P I~ J J JL M N NN  O P I J J JL MN NN  O P I J J JL M N N N  O  P I J J JL M N NN  O  P I J J JL M N NN  O P I J J JL M N NN  O P I J J JL M N NN  O P I J J JL M N NN  O P I J J JL M N NN  O P I J J JL M N NN  O  P I J J JL M N NN  O  P I J J JL M N NN  O P I J J JL M N NN  O PD\l ! 
" # Q$ Q% Q& Q' Q( ) * + , - . / 0 1 2 3 4 5 6 7 8 9 : ; < = > ?  I J J J L M N N N O P !I !J !J !J!L !M !N !N!N ! O ! P "I "J "J "J"L "M "N "N"N " O " P #I #J #J #J#L #M #N #N #N # O # P $I $J $J $J$L $M $N $N$N $ O $ P %I %J %J %J%L %M%N %N%N % O % P &I  &J  &J &J &L &M  &N &N &N & O & P 'I 'J 'J 'J'L 'M 'N 'N 'N ' O' P (I (J (J (J(L (M (N  (N! (N" ( O#( P )I$ )J% )J )J&)L )M' )N( )N) )N* ) O+) P *I, *J- *J. *J/*L *M0 *N1 *N2 *N3 * O4* P +I5 +J6 +J7 +J8+L +M9 +N: +N;+N + O< + P= ,I> ,J? ,J7 ,J8,L ,M@ ,N: ,N;,N , OA , P= -IB -JC -J7 -JD-L -ME -NF -NG-N - OH - PI .IJ .JK .J7 .JD.L .ML .NF .NG.N . OM . PI /IN /JO /J7 /JP/L /MQ /NR /NS /NT / OU / PV 0IW 0JX 0J7 0JY0L 0MZ 0NR 0NS 0NT 0 OP 1I[ 1J\ 1J7 1J]1L 1M^ 1N_ 1N` 1Na 1 Ob 1 Pc 2Id 2Je 2J7 2J]2L 2Mf 2N_ 2N` 2Na 2 Og 2 Pc 3Ih 3Ji 3J7 3Jj3L 3Mk 3Nl 3Nm3N 3 On 3 Po 4Ip 4Jq 4J7 4Jj4L 4Mr 4Nl 4Nm4N 4 Os 4 Po 5It 5Ju 5J7 5Jv5L 5Mw 5Nx 5Ny 5Nz 5 O{ 5 P| 6I} 6J~ 6J7 6JY6L 6M 6Nx 6Ny 6Nz 6 OP 7I 7J 7J7 7J7L 7M 7N 7N 7N 7 O 7 P 8I 8J 8J7 8J8L 8M 8N 8N 8N 8 O 8 P 9I 9J 9J7 9J9L 9M 9NN 9N 9 O 9 P :I :J :J7 :J:L :M :NN :N : O : P ;I ;J ;J7 ;J;L ;M ;N ;N ;N ; O ; P <I <J <J7 <J<L <M <N <N <N < O < P =I =J =J7 =JY=L =M =N=NNOP >I >J >J7 >J>L >M>N >N>N > O > P ?I ?J ?J ?J?L ?M ?N ?N ?N ? O ? PDlp@ RA B C RD RE F G RH RI J K L M N O P Q R S T U V W X Y Z [ \ ] ^ _  @I @J @J @JL @M @N @N @N @ O @ P AI AJ AJ7 AJAL AMAN AN AN A O A P BI BJ BJ BJBL BM BNBN BN B OB P CI CJ CJ CJCL CM CNN CN C OP DI DJ DJ DJL DM DN DNDN D O D P EI EJ EJ7 EJEL EMEN EN EN E OE P FI FJ FJ FJFL FM FN FN FN F OP GI GJ GJ GJGL GM GNN GN G OP HI HJ HJ HJL HM HN HNN H O H P II IJ IJ IJYIL IM IN IN IN I OI P JI JJ JJ JJYJL JM JN JN JN J OJ P KI KJ KJ KJYKL KM KN KN KN K OK P LI  LJ  LJ7 LJYLL LM  LN  LN  LN L OL P MI MJ MJ MJYML MM MN MN MN M OM P NI NJ NJ7 NJYNL NM NN NN NN N ON P OI OJ  OJ! OJ"OL OM# ON$ ON% ONOP PI& PJ' PJ! PJ(PL PM) PN*PN PN+ P OP QI, QJ- QJ! QJ.QL QM/ QN0QN QN1 Q OP RI2 RJ3 RJ! RJ4RL RM5 RN6 RN7 RNOP SI8 SJ9 SJ! 
SJ:SL SM; SN< SN= SNOP TI> TJ? TJ! TJ@TL TMA TNB TNC TND T OP UIE UJF UJ! UJGUL UMH UNI UNJ UNOP VIK VJL VJ! VJMVL VMN VNO VNP VNOP WIQ WJR WJ! WJSWL WMT WNU WNV WNW W OP XIX XJY XJ! XJZXL XM[ XN\XN XN] X OP YI^ YJ_ YJ! YJ`YL YMa YNb YNc YNd Y OP ZIe ZJf ZJ! ZJZZL ZMg ZNN ZNh Z OP [Ii [Jj [J! [JZ[L [Mk [Nl [Nm [Nn [ OP \Io \Jp \J! \Jq\L \Mr \Ns \Nt \Nu \ OP ]Iv ]Jw ]J! ]Jx]L ]My ]NN ]Nz ] OP ^I{ ^J| ^J! ^J}^L ^M~ ^N ^N ^N ^ OP _I _J _J! _J_L _M _N_N _N _ OP DHlzz~|||||zz` a b c d e f g h i j k l m n o p q r s t u v w x y z { | } ~   `I `J `J! `J`L `M `NN `N ` OP aI aJ aJ! aJaL aM aNaN aN a OP bI bJ bJ! bJbL bM bN bN bNOP cI cJ cJ! cJcL cM cN cN cN c OP dI dJ dJ! dJdL dM dN dN dNOP eI eJ eJ! eJZeL eM eNN eN e OP fI fJ fJ! fJfL fM fNfN fN f OP gI gJ gJ! gJgL gM gN gN gNOP hI hJ hJ! hJhL hM hN hN hN h OP iI iJ iJ! iJiL iM iNiNNOP jI jJ jJ! jJjL jM jN jN jNOP kI kSkJJLMNNNOP lI lJ- lJ! lJ.lL lM lNlN lN1 l OP mI mJf mJ! mJZmL mM mNN mNh m OP nI nJ nJ nJnL nM nN$ nN nNOP oI oJ oJ oJoL oM oNoNNOP pI pJ pJ pJpL pMpN pN7 pNOP qI qJ qJ qJqL qMqN qN= qNOP rI rJ rJ rJrL rMrN rNC rNOP sI sJ sJ sJsL sMsN sNJ sNOP tI tJ tJ tJtL tMtN tNP tNOP uI uJ uJ uJuL uMuN uNV uNOP vI vJ vJ vJvL vMvN vNc vNOP wI wJ wJ wJwL wMwN wN wNOP xI xJj xJ! xJZxL xMxN xNm xNn x OP yI yJ yJ yJyL yMyN yNt yNOP zI zJ zJ zJzL zMzN zN zNOP {I {J {J {J{L {M{N {N {NOP |I |J |J |J|L |M|N |N |NOP }I }J }J }J}L }M}N }N }NOP ~I ~J ~J ~J~L ~M~N ~N ~NOP I J J JL MN N NOP Dlz||z|p|8z|pxxxxxxxxxxxxxx  Q Q                              I  J  J JL M N N NOP I  J  J JL M N N N O P I J J JL M N NN O P I J J7 JL M  N! N" N# O$ P% I& J' J( J)L M* NN N OP I+ J, J7 J-L M. NN N/ O0 P I1 J2 J3 J4L M5 N6 N7 N8 O9 P: I; J< J= J>L M? 
N@ NA NB OC PD IE JF J7 JGL MH NN NI OJ PK IL JM J7 JNL MO NN NP OQ PR IS JT JU JVL MW NN NX OY PZ I[ J\ J7 J]L M^N N_ N` OP Ia Jb J7 JcL MdN NeN Of Pg Ih Ji J7 JjL Mk Nl NmN On Po Ip Jq J7 JrL Ms Nt Nu Nv Ow Px Iy Jz J{ J|L M} N~ N N O P I J J7 JL M N N N O P I J J7 JL M N N NOP I J J7 JL M NN N O P I J J7 JL M NN N O P I J J7 JL M N N N OP I J J7 JL M N N N OP I J J7 JL M N N N O P I J J7 JL M NN N OP I J J7 JL M NN N OP I J J7 JL M NN N OP I J J7 JL M NN N OP I J J7 JL M N N N O P I J J JYL M NN N O P I J J JYL M NN N O P I J J JL M N N N O P I J J7 JL M N N N O PDlxz|zzzz                                 I J J7 JL M N NN O P I J J7 JL M NN N O P I J J JL M N N N O  P  I  J  J7 J L M N N N O P I J J7 JL M N N N O P I J J7 JL M  N! N" N# O$ P% I& J' J7 J(L M)N N*N O+ P, I- J. J7 J/L M0 N1 N2 N3 O4 P5 I6 J7 J7 J8L M9 N: N; N< O= P> I? J@ J7 JAL MB NC ND NE OF PG IH JI J7 JJL MK NL NM NN OO PP IQ JR JS JTL MUN NV NW OX PY IZ J[ J\ J]L M^ N_ N` Na Ob Pc Id Je J7 JfL Mg Nh Ni Nj Ok Pl Im J J7 JnL Mo N NpN Oq Pr Is Jt J7 JuL Mv Nw Nx Ny Oz P{ I| J} J7 J~L MN N N O P I J J7 JL MN N N O P I J J7 JL MN T N O P I J J JL M N N N O P I J J JL M N N N O P I J J7 JL M N N N O P I J J7 JL M N N N O P I J J7 JL M N N N O P I J JS JL M N N N O P I J J7 JL M N N N O P I J J7 JL M N N N O P I J J7 JL M N N N O P I J J7 JL M N N N O P I J J7 JL M N N N O P I J J7 JL M N N N O P I J J7 JL M N N N O PDl                                 I J J7 JL M N  N  N  O  P  I J J7 JL M N N N O P I J J7 JL M N N N O P I J  J7 J!L M" N# N$ N% O& P I' J( J7 J)L M* N+ N, N- O. P/ I0 J1 J7 J2L M3 N4 N5 N6 O7 P8 I9 J: J; J<L M= N> N? 
N@ OA PB IC JD JE JFL MG NH NI NJ OK PL IM JN JO JPL MQ NR NS NT OU PV IW JX JY JZL M[ N\ N] N^ O_ P` Ia Jb J7 JcL Md Ne Nf Ng Oh Pi Ij Jk J7 JlL Mm Nn No Np Oq Pr Is Jt J7 JuL Mv Nw Nx Ny Oz P I{ J| J7 J}L M~ N Nx N O P I U J7 JL M NN N OP I J J JL M NN N OP I I JJL MNNNOP I J J7 JL M NN N OP I J J JL M NN N OP I J J7 JL M NN N OP I J J7 JL M NN N OP I I JJL MNNNOP I I JJL MNNNOP I I JJL MNNNOP I I JJL MNNNOP I J J7 JL M NN N OP I I JJL MNNNOP I J J7 JL M NN N OP I J J7 JL M NN N OP I J J7 JL M NN N OP I J J7 JL M NN N OP I J J7 JL M NN N OP D8lzzNzzzzNNNNzNzzzz                                 I J J7 JL M NN N OP I J J7 JL M NN N OP I J J7 JL M NN N OP I J J7 JL M NN N OP I J J7 JL M NN N OP I J J7 JL M N NV N OP I J J7 JL M NN N OP I J J7 JL M NN N OP I J J7 JL M NN N OP I J J7 JL M NN N OP I J J JL M NN N OP I J  J7 J L M  NN N  OP I  J J7 JL M NN N OP I J J7 JL M NN N OP I J J7 JL M NN N OP I J J JL M  N!N N" O# P I$ J% J7 J&L M' NN N( OP I) J* J7 J+L M, NN N- OP I. J/ J0 J1L M2 NN N3 OP I4 J5 J6 J7L M8 NN N9 OP I: J; J7 J<L M= NN N> OP I? 
J@ J7 JAL MB NN NC OP ID JE J7 JFL MG NN NH OP II JJ J7 JKL ML NN NM OP IN JO J7 JPL MQ NN NR OP IS JT J7 JUL MV NWN NX OY P IZ J[ J7 JL M\ NN N] OP I^ J_ J JL M` NN Na OP Ib Jc Jd JL Me NN Nf OP Ig Jh J JL Mi NN Nj OP Ik Kl Km KnL Mo NpNNOP Iq Jr J7 JsL Mt NuNNOP Dlzzzzzzzzzzzzzzzzzzzzzzzppppp                          4 4      `  4 4 `  `  `  4   Iv Jw Jd JxL My NuNNOP Iz J{ J7 J|L M} NuNNOP I~ J J7 JL M NuNNOP I J J7 JL M NuNNOP I J J7 JL M NN N  OP I J J JL VN N NOP W X X7 XL Y NN N  OP W X X7 XL Y NN N  OP W X X7 XL Y NN N  OP W Z X7 X L Y NN N  OP W Z X7 X L Y NN N  OP W Z X X L Y NN N  OP W Z X7 X L Y NN N  OP W J J7 J LV N NN  O  P W [ J \ LV N NN  O  P W Z Z ZL U NNN  O P W Z Z ZL U NNN  O P W Z Z ZL UNNNOP W Z Z ZL UNNNOP W Z Z ZL U NNN  O  P W Z Z ZL U NNN  O P W Z Z ZL U NNN  O  P W Z Z ZL UNNNOP W Z Z ZL U NNN  O  P W Z Z ZL U NNN  O  P W Z Z ZL UNNNOP W Z Z ZL U NNN  O  P W Z Z ZL U NNN  O  P W  Z  Z  Z L U  NNN  O  P W Z Z  ZL U NNN  O  P W Z Z ZL U NNN  O  P W Z ZE ZL U NNN  O  PDZlppppzxzzzzzzz~xxdd|x|d||d|||||  ! 4" # $ 4% 4& ' ( ) * +  W! Z" Z Z# L U$ NNN  O%  P& !W' !Z( !Z !Z)!L !U*!NNNOP "W+ "Z, "Z- "Z."L "U/"NNNOP #W0 #Z1 #Z #Z2#L #U3#NNNOP $W4 $Z5 $Z $Z6$L $U7 $NNN $ O8 $ P9 %W: %Z; %Z %Z<%L %U= %NNN % O>% P &I? &J@ &X7 &JA &LV &NB &NN & OC & PD 'IE 'KF 'JG 'JH'LVNNN ' OI ' PJ (IK (JL (JM (JN(LVNNN ( OO( P )IP )JQ )JR )JS)LVNNN ) OT ) PU *IV *JW *JR *JX*LVNNN * OT * PU +IY +JZ +J[ +J\+LVNNN + O]+ P |ddd|x~hdhh>@dNJA ggD Oh+'0@H\p  Sain, Joe Sain, JoeMicrosoft Excel@v@5v՜.+,0 PXx  The MITRE Corporation win2k3  Worksheets  !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~      !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~      !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~Root Entry FWorkbooko&SummaryInformation(DocumentSummaryInformation8