ࡱ>  /&'()*+,-. g2ɀ\p Sain, Joe Ba==c28X@"1Calibri1Calibri1Calibri1Calibri1Arial1Arial1Arial1Arial1Arial1Arial1Arial1 Arial1Arial1Calibri1 Calibri1 Arial1Calibri1Arial14Calibri1 Calibri1Calibri1Calibri1Calibri1,8Calibri18Calibri18Calibri1>Calibri14Calibri1<Calibri1<Arial1Arial1Calibri1?Calibri1h8Cambria1Calibri1 Calibri1Arial1Arial"$"#,##0_);\("$"#,##0\)!"$"#,##0_);[Red]\("$"#,##0\)""$"#,##0.00_);\("$"#,##0.00\)'""$"#,##0.00_);[Red]\("$"#,##0.00\)7*2_("$"* #,##0_);_("$"* \(#,##0\);_("$"* "-"_);_(@_).))_(* #,##0_);_(* \(#,##0\);_(* "-"_);_(@_)?,:_("$"* #,##0.00_);_("$"* \(#,##0.00\);_("$"* "-"??_);_(@_)6+1_(* #,##0.00_);_(* \(#,##0.00\);_(* "-"??_);_(@_)[$-409]General                                                                       ( (     ff + ) , *      P  P         `  (d  (d  (d  (d  (d  (d  (d  (d  (d  (d  (d  1(d  1(d  1(d  1(d  1(d  1(d  1(d  1(d  1(d  1(d  1(d  1(d  1(d  1(d  1(d  1(d  1(d  1(d  1(d  1(d  1(d  1(d  1(d  1(d  1(d  1(d  1(d  1(d  1(d  1(d  1(d  1(d  1(d  1(d  1(d  1(d  1(d  1(d  1(d  1(d  1(d  1(d  1(d  1(d  1(d  1(d  1(d  1(d  1(d  1(d  1(d  1(d  1(d  1(d  (d  (d  (d  (d  (d  (d  (d  (d  (d  (d  (d  (d  (d  (d  (d  (d  (d  (d  (d  (d  (d  (d  (d  (d  (d  (d  (d  (d  (d  (d  (d  (d  (d  (d  (d  (d  (d  (d  (d  (d  (d  (d (                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 (   (                                  !    
" # a> $  (@ @  (@ @  (@ @ (x@ @   (@ @  A(x@ @ 2 A(x@ @  A(x@ @ > A(8@ @  A8@ @ A(x@ @ (|@ @  (x@ @   (x@ @  (<@ @ %(x@ @ A(8@ @  (|@ @ %(8@ @  (8@ @  (|@ @ 1 (|@ @ (x @   (|@ @ (|@ @  1 (|@ @   (|@ @ > ( A(x@ @ A(x@ @   p@ @  0@ @ 1 t@ @  %(8 @  #8 @  A(x@ @   (@  (@ (x@   (x@ A(x@ 2 A(x@   (|@ >A(x@ > A(x@  A(8@ 8Q@ @  xQ@ @   xQ@ @ AxQ@ @ 2 xQ@ @  xQ@ @ >  A8Q@ @ ||n|}-} 00\);_(*}-} 00\);_(*}-} 00\);_(*}-} 00\);_(*}-} 00\);_(*}-} 00\);_(*}-} 00\);_(*}-} 00\);_(*}-} 00\);_(*}-}  00\);_(*}-}  00\);_(*}-}  00\);_(*}-}  00\);_(*}-}  00\);_(*}-} 00\);_(*}-} 00\);_(*}A} 00\);_(*ef;_(@_) }A} 00\);_(*ef;_(@_) }A} 00\);_(*ef;_(@_) }A} 00\);_(*ef;_(@_) }A} 00\);_(*ef;_(@_) }A} 00\);_(*ef ;_(@_) }A} 00\);_(*L;_(@_) }A} 00\);_(*L;_(@_) }A} 00\);_(*L;_(@_) }A} 00\);_(*L;_(@_) }A} 00\);_(*L;_(@_) }A} 00\);_(*L ;_(@_) }A} 00\);_(*23;_(@_) }A} 00\);_(*23;_(@_) }A} 00\);_(*23;_(@_) }A} 00\);_(*23;_(@_) }A}  00\);_(*23;_(@_) }A}! 00\);_(*23 ;_(@_) }A}" 00\);_(*;_(@_) }A}# 00\);_(*;_(@_) }A}$ 00\);_(*;_(@_) }A}% 00\);_(*;_(@_) }A}& 00\);_(*;_(@_) }A}' 00\);_(* ;_(@_) }<}( 00\);_(* ;_(}A}) 00\);_(*;_(@_) }<}* 00\);_(*;_(}(}+00\);_(*}}- }00\);_(*;_(@_)    }}. 00\);_(*;_(@_) ??? ??? ??? ???}-}/ 00\);_(*}-}0 00\);_(*}-}1 00\);_(*}-}2 00\);_(*}(}3 00\);_(*}-}4 00\);_(*}A}5 a00\);_(*;_(@_) }A}6 00\);_(*;_(@_) }A}7 00\);_(*?;_(@_) }A}8 00\);_(*23;_(@_) }-}9 00\);_(*}}; ??v00\);_(*̙;_(@_)    }A}< }00\);_(*;_(@_) }A} e00\);_(*;_(@_) }<} e00\);_(*;_(}(}H 00\);_(*}(} 00\);_(*}(} 00\);_(*}(} 00\);_(*}(} 00\);_(*}(} 00\);_(*}(} 00\);_(*}(} 00\);_(*}(} 00\);_(*}(} 00\);_(*}(} 00\);_(*}(} 00\);_(*}(}+ 00\);_(*}(}- 00\);_(*}(}. 00\);_(*}(}/ 00\);_(*}(}0 00\);_(*}(}1 00\);_(*}(}2 00\);_(*}(}3 00\);_(*}(}4 00\);_(*}(}5 00\);_(*}(}6 00\);_(*}(}8 00\);_(*}(}9 00\);_(*}(}: 00\);_(*}(}; 00\);_(*}(}< 00\);_(*}(}= 00\);_(*}(}> 00\);_(*}(}? 
00\);_(*}(}@ 00\);_(*}(}A 00\);_(*}(}C 00\);_(*}(}D 00\);_(*}(}E 00\);_(*}(}F 00\);_(*}(}G 00\);_(*}(}H 00\);_(*}(}I 00\);_(*}(}J 00\);_(*}(}K 00\);_(*}(}L 00\);_(*}(}N 00\);_(*}(}O 00\);_(*}(}P 00\);_(*}(}Q 00\);_(*}(}R 00\);_(*}(}S 00\);_(*}(}T 00\);_(*}(}U 00\);_(*}(}V 00\);_(*}(}W 00\);_(*}(}Y 00\);_(*}(}Z 00\);_(*}(}[ 00\);_(*}(}\ 00\);_(*}(}] 00\);_(*}(}^ 00\);_(*}(}_ 00\);_(*}(}` 00\);_(*}(}a 00\);_(*}(}b 00\);_(*}(}d 00\);_(*}(}e 00\);_(*}(}f 00\);_(*}(}  00\);_(*}(} 00\);_(*}(} 00\);_(*}(} 00\);_(*}(} 00\);_(*}(} 00\);_(*}(} 00\);_(*}(} 00\);_(*}(} 00\);_(*}(} 00\);_(*}(} 00\);_(*}(} 00\);_(*}(} 00\);_(*}(} 00\);_(*}(} 00\);_(*}(} 00\);_(*}(} 00\);_(*}(} 00\);_(*}(} 00\);_(*}(} 00\);_(*}(} 00\);_(*}(} 00\);_(*}(} 00\);_(*}(} 00\);_(*}(} 00\);_(*}(} 00\);_(*}(} 00\);_(*}(} 00\);_(*}(} 00\);_(*}(} 00\);_(*}(} 00\);_(*}(} 00\);_(*}(} 00\);_(*}(} 00\);_(*}(} 00\);_(*}(} 00\);_(*}(} 00\);_(*}(} 00\);_(*}(} 00\);_(*}(} 00\);_(*}(} 00\);_(*}(} 00\);_(*}(} 00\);_(*}(} 00\);_(*}(} 00\);_(*}(} 00\);_(*}(} 00\);_(*}(} 00\);_(*}(} 00\);_(*}(} 00\);_(*}(} 00\);_(*}(} 00\);_(*}-} 00\);_(*}(} 00\);_(*}(}  00\);_(*}(}  00\);_(*}(}  00\);_(*}(}  00\);_(*}}*}}1 00\);_(*;_(@_)    }}2 00\);_(*;_(   }}3 ???00\);_(*;_(??? ???  ???  ???}-}4 00\);_(*}-}6 00\);_(*}U}7 00\);_(*;_( }-}8 00\);_(*}(}=00\);_(*}(}?00\);_(*}(}@O00\);_(*}(}D 00\);_(*}(}E00\);_(*}(}F00\);_(*}(}K 00\);_(*}(}L 00\);_(*}P}M 00\);_(*;_(ef }<}N00\);_(*ef;_(}<}PO00\);_(*ef;_(}}Q 00\);_(*`V@?}t}R`V@?}(}SOV@}(}T V@}<}UV@ef}t}V`V@?}(}YV@}(}Z V@}-}[ V@}(}\V@}(}_V@}(}`V@}(}bV@}<}cOV@}(}dOV@}(}eV@}(}iV@}(}kV@}(}lOV@ 20% - Accent1M 20% - Accent1 ef % 20% - Accent2M" 20% - Accent2 ef % 20% - Accent3M& 20% - Accent3 ef % 20% - Accent4M* 20% - Accent4 ef % 20% - Accent5M. 
20% - Accent5 ef % 20% - Accent6M2 20% - Accent6  ef % 40% - Accent1M 40% - Accent1 L % 40% - Accent2M# 40% - Accent2 L渷 % 40% - Accent3M' 40% - Accent3 L % 40% - Accent4M+ 40% - Accent4 L % 40% - Accent5M/ 40% - Accent5 L % 40% - Accent6M3 40% - Accent6  Lմ % 60% - Accent1M 60% - Accent1 23 % 60% - Accent2M$ 60% - Accent2 23ږ % 60% - Accent3M( 60% - Accent3 23כ % 60% - Accent4M, 60% - Accent4 23 % 60% - Accent5M0 60% - Accent5 23 %! 60% - Accent6M4 60% - Accent6  23 % "Accent1AAccent1 O % #Accent2A!Accent2 PM % $Accent3A%Accent3 Y % %Accent4A)Accent4 d % &Accent5A-Accent5 K % 'Accent6A1Accent6  F %( Accent6 2@ Accent6 2  F )Bad9Bad  % *Bad 28Bad 2  +Blue Background@Blue Background  ,Bold- Calculation Calculation  }% . Check Cell Check Cell  %????????? ???/ Comma0( Comma [0]1&Currency2. Currency [0]3Excel Built-in Normal 1PExcel Built-in Normal 1 4Explanatory TextG5Explanatory Text % 5Good;Good  a%6 Heading 1G Heading 1 I}%O7 Heading 2G Heading 2 I}%?8 Heading 3G Heading 3 I}%239 Heading 49 Heading 4 I}%: Hyperlink 2 ;InputuInput ̙ ??v% < Linked CellK Linked Cell }% =Mine >Mine 10 ?Mine 11 @Mine 12 AMine 13 BMine 14 CMine 15 DMine 16 EMine 17 FMine 18 GMine 19 HMine 2I Mine 2 10J Mine 2 11K Mine 2 12L Mine 2 13M Mine 2 14N Mine 2 15O Mine 2 16P Mine 2 17Q Mine 2 18R Mine 2 19 SMine 2 2T Mine 2 20U Mine 2 21V Mine 2 22W Mine 2 23X Mine 2 24Y Mine 2 25Z Mine 2 26[ Mine 2 27\ Mine 2 28] Mine 2 29 ^Mine 2 3_ Mine 2 30` Mine 2 31a Mine 2 32b Mine 2 33c Mine 2 34d Mine 2 35e Mine 2 36f Mine 2 37g Mine 2 38h Mine 2 39 iMine 2 4j Mine 2 40k Mine 2 41l Mine 2 42m Mine 2 43n Mine 2 44o Mine 2 45p Mine 2 46q Mine 2 47r Mine 2 48s Mine 2 49 tMine 2 5u Mine 2 50v Mine 2 51w Mine 2 52x Mine 2 53y Mine 2 54 zMine 2 6 {Mine 2 7 |Mine 2 8 }Mine 2 9 ~Mine 20 Mine 21 Mine 22 Mine 23 Mine 24 Mine 25 Mine 26 Mine 27 Mine 28 Mine 29 Mine 3 Mine 30 Mine 31 Mine 32 Mine 33 Mine 34 Mine 35 Mine 36 Mine 37 Mine 38 Mine 39 Mine 4 Mine 40 Mine 41 Mine 42 Mine 43 Mine 44 Mine 45 Mine 46 Mine 
47 Mine 48 Mine 49 Mine 5 Mine 50 Mine 51 Mine 52 Mine 53 Mine 54 Mine 6 Mine 7 Mine 8 Mine 9 My Normal NeutralANeutral  e% Neutral 2@ Neutral 2  e3Normal % Normal 10 Normal 10 2 Normal 109 Normal 109 2 Normal 109 3 Normal 11 Normal 110 Normal 110 2 Normal 110 3 Normal 12 Normal 127 Normal 127 2 Normal 13 Normal 135 Normal 135 2 Normal 136 Normal 136 2 Normal 137 Normal 137 2 Normal 138 Normal 138 2 Normal 139 Normal 139 2 Normal 14 Normal 140 Normal 140 2 Normal 143 Normal 143 2 Normal 144 Normal 144 2 Normal 15 Normal 16 Normal 17 Normal 18 Normal 19 Normal 2 Normal 2 10 Normal 2 10 2 Normal 2 11 Normal 2 12 Normal 2 13 Normal 2 14 Normal 2 15 Normal 2 16 Normal 2 17 Normal 2 18Normal 2 18 10Normal 2 18 10 2Normal 2 18 10 3Normal 2 18 11Normal 2 18 11 2Normal 2 18 12Normal 2 18 12 2Normal 2 18 13Normal 2 18 13 2Normal 2 18 14Normal 2 18 14 2Normal 2 18 15Normal 2 18 15 2Normal 2 18 16Normal 2 18 16 2Normal 2 18 17Normal 2 18 17 2Normal 2 18 18Normal 2 18 18 2Normal 2 18 19Normal 2 18 19 2 Normal 2 18 2Normal 2 18 20Normal 2 18 20 2Normal 2 18 21Normal 2 18 21 2Normal 2 18 22Normal 2 18 22 2Normal 2 18 23Normal 2 18 23 2Normal 2 18 24Normal 2 18 25Normal 2 18 26Normal 2 18 27 Normal 2 18 3Normal 2 18 3 2Normal 2 18 3 3 Normal 2 18 4Normal 2 18 4 2Normal 2 18 4 3 Normal 2 18 5Normal 2 18 5 2Normal 2 18 5 3 Normal 2 18 6Normal 2 18 6 2Normal 2 18 6 3 Normal 2 18 7Normal 2 18 7 2 Normal 2 18 7 3  Normal 2 18 8 Normal 2 18 8 2 Normal 2 18 8 3  Normal 2 18 9Normal 2 18 9 2Normal 2 18 9 3 Normal 2 19Normal 2 19 10Normal 2 19 10 2Normal 2 19 10 3Normal 2 19 11Normal 2 19 11 2Normal 2 19 12Normal 2 19 12 2Normal 2 19 13Normal 2 19 13 2Normal 2 19 14Normal 2 19 14 2Normal 2 19 15Normal 2 19 15 2Normal 2 19 16Normal 2 19 16 2 Normal 2 19 17!Normal 2 19 17 2"Normal 2 19 18#Normal 2 19 18 2$Normal 2 19 19%Normal 2 19 19 2& Normal 2 19 2'Normal 2 19 20(Normal 2 19 20 2)Normal 2 19 21*Normal 2 19 21 2+Normal 2 19 22,Normal 2 19 22 2-Normal 2 19 23.Normal 2 19 23 2/Normal 2 19 
240Normal 2 19 251Normal 2 19 262Normal 2 19 273 Normal 2 19 34Normal 2 19 3 25Normal 2 19 3 36 Normal 2 19 47Normal 2 19 4 28Normal 2 19 4 39 Normal 2 19 5:Normal 2 19 5 2;Normal 2 19 5 3< Normal 2 19 6=Normal 2 19 6 2>Normal 2 19 6 3? Normal 2 19 7@Normal 2 19 7 2ANormal 2 19 7 3B Normal 2 19 8CNormal 2 19 8 2DNormal 2 19 8 3E Normal 2 19 9FNormal 2 19 9 2GNormal 2 19 9 3H Normal 2 26 Normal 2 2 I Normal 2 2 10J Normal 2 2 11K Normal 2 2 12L Normal 2 2 13M Normal 2 2 14N Normal 2 2 15O Normal 2 2 16P Normal 2 2 17Q Normal 2 2 18R Normal 2 2 19S Normal 2 2 2TNormal 2 2 2 10UNormal 2 2 2 10 2VNormal 2 2 2 10 3WNormal 2 2 2 11XNormal 2 2 2 11 2YNormal 2 2 2 11 3ZNormal 2 2 2 12[Normal 2 2 2 12 2\Normal 2 2 2 12 3]Normal 2 2 2 13^Normal 2 2 2 13 2_Normal 2 2 2 13 3`Normal 2 2 2 14aNormal 2 2 2 14 2bNormal 2 2 2 14 3cNormal 2 2 2 15dNormal 2 2 2 15 2eNormal 2 2 2 16fNormal 2 2 2 16 2gNormal 2 2 2 17hNormal 2 2 2 17 2iNormal 2 2 2 18jNormal 2 2 2 18 2kNormal 2 2 2 19lNormal 2 2 2 2mNormal 2 2 2 20nNormal 2 2 2 21oNormal 2 2 2 22pNormal 2 2 2 23qNormal 2 2 2 24rNormal 2 2 2 25sNormal 2 2 2 26tNormal 2 2 2 27uNormal 2 2 2 28vNormal 2 2 2 29wNormal 2 2 2 3xNormal 2 2 2 3 2yNormal 2 2 2 3 3zNormal 2 2 2 3 4{Normal 2 2 2 3 5|Normal 2 2 2 3 6}Normal 2 2 2 30~Normal 2 2 2 30 2Normal 2 2 2 31Normal 2 2 2 31 2Normal 2 2 2 32Normal 2 2 2 32 2Normal 2 2 2 33Normal 2 2 2 33 2Normal 2 2 2 34Normal 2 2 2 34 2Normal 2 2 2 35Normal 2 2 2 35 2Normal 2 2 2 36Normal 2 2 2 36 2Normal 2 2 2 37Normal 2 2 2 37 2Normal 2 2 2 38Normal 2 2 2 39Normal 2 2 2 4Normal 2 2 2 40Normal 2 2 2 41Normal 2 2 2 42Normal 2 2 2 43Normal 2 2 2 44Normal 2 2 2 45Normal 2 2 2 46Normal 2 2 2 47Normal 2 2 2 48Normal 2 2 2 48 2Normal 2 2 2 49Normal 2 2 2 5Normal 2 2 2 5 2Normal 2 2 2 5 3Normal 2 2 2 5 4Normal 2 2 2 50@Normal 2 2 2 50 Normal 2 2 2 50 2DNormal 2 2 2 50 2 Normal 2 2 2 50 3DNormal 2 2 2 50 3 Normal 2 2 2 50 4DNormal 2 2 2 50 4 Normal 2 2 2 50 5DNormal 2 2 2 50 5 Normal 2 2 2 50 6DNormal 2 2 2 50 6 
Normal 2 2 2 50 7DNormal 2 2 2 50 7 Normal 2 2 2 50 8DNormal 2 2 2 50 8 Normal 2 2 2 51@Normal 2 2 2 51 Normal 2 2 2 52@Normal 2 2 2 52 Normal 2 2 2 53@Normal 2 2 2 53 Normal 2 2 2 54Normal 2 2 2 55Normal 2 2 2 56Normal 2 2 2 57Normal 2 2 2 58Normal 2 2 2 59Normal 2 2 2 6Normal 2 2 2 60Normal 2 2 2 7Normal 2 2 2 7 2Normal 2 2 2 7 3Normal 2 2 2 8Normal 2 2 2 8 2Normal 2 2 2 8 3Normal 2 2 2 9Normal 2 2 2 9 2Normal 2 2 2 9 3 Normal 2 2 20 Normal 2 2 21 Normal 2 2 22 Normal 2 2 23 Normal 2 2 24 Normal 2 2 25Normal 2 2 25 10Normal 2 2 25 10 2Normal 2 2 25 10 3Normal 2 2 25 11Normal 2 2 25 11 2Normal 2 2 25 12Normal 2 2 25 12 2Normal 2 2 25 13Normal 2 2 25 13 2Normal 2 2 25 14Normal 2 2 25 14 2Normal 2 2 25 15Normal 2 2 25 15 2Normal 2 2 25 16Normal 2 2 25 16 2Normal 2 2 25 17Normal 2 2 25 17 2Normal 2 2 25 18Normal 2 2 25 18 2Normal 2 2 25 19Normal 2 2 25 19 2Normal 2 2 25 2Normal 2 2 25 20Normal 2 2 25 20 2Normal 2 2 25 21Normal 2 2 25 21 2Normal 2 2 25 22Normal 2 2 25 22 2Normal 2 2 25 23Normal 2 2 25 23 2Normal 2 2 25 24Normal 2 2 25 25Normal 2 2 25 3Normal 2 2 25 3 2Normal 2 2 25 3 3Normal 2 2 25 4Normal 2 2 25 4 2Normal 2 2 25 4 3Normal 2 2 25 5Normal 2 2 25 5 2Normal 2 2 25 5 3Normal 2 2 25 6Normal 2 2 25 6 2Normal 2 2 25 6 3Normal 2 2 25 7Normal 2 2 25 7 2Normal 2 2 25 7 3Normal 2 2 25 8Normal 2 2 25 8 2Normal 2 2 25 8 3Normal 2 2 25 9Normal 2 2 25 9 2Normal 2 2 25 9 3 Normal 2 2 26 Normal 2 2 27 Normal 2 2 28Normal 2 2 28 10Normal 2 2 28 10 2Normal 2 2 28 11Normal 2 2 28 11 2Normal 2 2 28 12Normal 2 2 28 12 2Normal 2 2 28 13Normal 2 2 28 13 2Normal 2 2 28 14Normal 2 2 28 14 2Normal 2 2 28 15Normal 2 2 28 15 2Normal 2 2 28 16Normal 2 2 28 16 2Normal 2 2 28 17Normal 2 2 28 17 2 Normal 2 2 28 18 Normal 2 2 28 18 2 Normal 2 2 28 19 Normal 2 2 28 19 2 Normal 2 2 28 2Normal 2 2 28 2 2Normal 2 2 28 2 3Normal 2 2 28 20Normal 2 2 28 20 2Normal 2 2 28 21Normal 2 2 28 21 2Normal 2 2 28 22Normal 2 2 28 22 2Normal 2 2 28 3Normal 2 2 28 3 2Normal 2 2 28 3 3Normal 2 2 28 
4Normal 2 2 28 4 2Normal 2 2 28 4 3Normal 2 2 28 5Normal 2 2 28 5 2Normal 2 2 28 5 3Normal 2 2 28 6 Normal 2 2 28 6 2!Normal 2 2 28 6 3"Normal 2 2 28 7#Normal 2 2 28 7 2$Normal 2 2 28 7 3%Normal 2 2 28 8&Normal 2 2 28 8 2'Normal 2 2 28 8 3(Normal 2 2 28 9)Normal 2 2 28 9 2*Normal 2 2 28 9 3+ Normal 2 2 29< Normal 2 2 29 , Normal 2 2 3- Normal 2 2 30< Normal 2 2 30 . Normal 2 2 31< Normal 2 2 31 / Normal 2 2 32< Normal 2 2 32 0 Normal 2 2 33< Normal 2 2 33 1 Normal 2 2 34< Normal 2 2 34 2 Normal 2 2 35< Normal 2 2 35 3 Normal 2 2 36< Normal 2 2 36 4 Normal 2 2 37< Normal 2 2 37 5 Normal 2 2 38< Normal 2 2 38 6 Normal 2 2 39< Normal 2 2 39 7 Normal 2 2 48 Normal 2 2 40< Normal 2 2 40 9 Normal 2 2 41< Normal 2 2 41 : Normal 2 2 42< Normal 2 2 42 ; Normal 2 2 43< Normal 2 2 43 < Normal 2 2 44< Normal 2 2 44 = Normal 2 2 45< Normal 2 2 45 > Normal 2 2 46< Normal 2 2 46 ? Normal 2 2 47< Normal 2 2 47 @ Normal 2 2 48< Normal 2 2 48 A Normal 2 2 49< Normal 2 2 49 B Normal 2 2 5C Normal 2 2 50< Normal 2 2 50 D Normal 2 2 51< Normal 2 2 51 E Normal 2 2 52< Normal 2 2 52 F Normal 2 2 53< Normal 2 2 53 G Normal 2 2 54< Normal 2 2 54 H Normal 2 2 55< Normal 2 2 55 I Normal 2 2 56< Normal 2 2 56 J Normal 2 2 57< Normal 2 2 57 K Normal 2 2 58< Normal 2 2 58 L Normal 2 2 59< Normal 2 2 59 M Normal 2 2 6N Normal 2 2 60< Normal 2 2 60 O Normal 2 2 61< Normal 2 2 61 P Normal 2 2 62< Normal 2 2 62 Q Normal 2 2 63< Normal 2 2 63 R Normal 2 2 64< Normal 2 2 64 S Normal 2 2 65< Normal 2 2 65 T Normal 2 2 66< Normal 2 2 66 U Normal 2 2 67< Normal 2 2 67 V Normal 2 2 68< Normal 2 2 68 W Normal 2 2 69< Normal 2 2 69 X Normal 2 2 7Y Normal 2 2 70< Normal 2 2 70 Z Normal 2 2 71< Normal 2 2 71 [ Normal 2 2 72< Normal 2 2 72 \ Normal 2 2 73< Normal 2 2 73 ] Normal 2 2 74< Normal 2 2 74 ^ Normal 2 2 75< Normal 2 2 75 _ Normal 2 2 76< Normal 2 2 76 ` Normal 2 2 77< Normal 2 2 77 a Normal 2 2 78< Normal 2 2 78 b Normal 2 2 79< Normal 2 2 79 c Normal 2 2 8d Normal 2 2 80< Normal 2 2 80 e Normal 2 2 
85< Normal 2 2 85 f Normal 2 2 86< Normal 2 2 86 g Normal 2 2 9h Normal 2 20iNormal 2 20 10jNormal 2 20 10 2kNormal 2 20 10 3lNormal 2 20 11mNormal 2 20 11 2nNormal 2 20 12oNormal 2 20 12 2pNormal 2 20 13qNormal 2 20 13 2rNormal 2 20 14sNormal 2 20 14 2tNormal 2 20 15uNormal 2 20 15 2vNormal 2 20 16wNormal 2 20 16 2xNormal 2 20 17yNormal 2 20 17 2zNormal 2 20 18{Normal 2 20 18 2|Normal 2 20 19}Normal 2 20 19 2~ Normal 2 20 2Normal 2 20 20Normal 2 20 20 2Normal 2 20 21Normal 2 20 21 2Normal 2 20 22Normal 2 20 22 2Normal 2 20 23Normal 2 20 23 2Normal 2 20 24Normal 2 20 25Normal 2 20 26Normal 2 20 27 Normal 2 20 3Normal 2 20 3 2Normal 2 20 3 3 Normal 2 20 4Normal 2 20 4 2Normal 2 20 4 3 Normal 2 20 5Normal 2 20 5 2Normal 2 20 5 3 Normal 2 20 6Normal 2 20 6 2Normal 2 20 6 3 Normal 2 20 7Normal 2 20 7 2Normal 2 20 7 3 Normal 2 20 8Normal 2 20 8 2Normal 2 20 8 3 Normal 2 20 9Normal 2 20 9 2Normal 2 20 9 3 Normal 2 21Normal 2 21 10Normal 2 21 10 2Normal 2 21 10 3Normal 2 21 11Normal 2 21 11 2Normal 2 21 12Normal 2 21 12 2Normal 2 21 13Normal 2 21 13 2Normal 2 21 14Normal 2 21 14 2Normal 2 21 15Normal 2 21 15 2Normal 2 21 16Normal 2 21 16 2Normal 2 21 17Normal 2 21 17 2Normal 2 21 18Normal 2 21 18 2Normal 2 21 19Normal 2 21 19 2 Normal 2 21 2Normal 2 21 20Normal 2 21 20 2Normal 2 21 21Normal 2 21 21 2Normal 2 21 22Normal 2 21 22 2Normal 2 21 23Normal 2 21 23 2Normal 2 21 24Normal 2 21 25Normal 2 21 26Normal 2 21 27 Normal 2 21 3Normal 2 21 3 2Normal 2 21 3 3 Normal 2 21 4Normal 2 21 4 2Normal 2 21 4 3 Normal 2 21 5Normal 2 21 5 2Normal 2 21 5 3 Normal 2 21 6Normal 2 21 6 2Normal 2 21 6 3 Normal 2 21 7Normal 2 21 7 2Normal 2 21 7 3 Normal 2 21 8Normal 2 21 8 2Normal 2 21 8 3 Normal 2 21 9Normal 2 21 9 2Normal 2 21 9 3 Normal 2 22Normal 2 22 10Normal 2 22 10 2Normal 2 22 10 3Normal 2 22 11Normal 2 22 11 2Normal 2 22 12Normal 2 22 12 2Normal 2 22 13Normal 2 22 13 2Normal 2 22 14Normal 2 22 14 2Normal 2 22 15Normal 2 22 15 2Normal 2 22 16Normal 2 22 16 2Normal 2 22 17Normal 2 
22 17 2Normal 2 22 18Normal 2 22 18 2Normal 2 22 19Normal 2 22 19 2 Normal 2 22 2Normal 2 22 20Normal 2 22 20 2Normal 2 22 21Normal 2 22 21 2Normal 2 22 22Normal 2 22 22 2Normal 2 22 23Normal 2 22 23 2Normal 2 22 24Normal 2 22 25Normal 2 22 26Normal 2 22 27 Normal 2 22 3Normal 2 22 3 2Normal 2 22 3 3 Normal 2 22 4Normal 2 22 4 2Normal 2 22 4 3 Normal 2 22 5Normal 2 22 5 2Normal 2 22 5 3 Normal 2 22 6Normal 2 22 6 2Normal 2 22 6 3 Normal 2 22 7Normal 2 22 7 2 Normal 2 22 7 3  Normal 2 22 8 Normal 2 22 8 2 Normal 2 22 8 3  Normal 2 22 9Normal 2 22 9 2Normal 2 22 9 3 Normal 2 23Normal 2 23 10Normal 2 23 10 2Normal 2 23 10 3Normal 2 23 11Normal 2 23 11 2Normal 2 23 12Normal 2 23 12 2Normal 2 23 13Normal 2 23 13 2Normal 2 23 14Normal 2 23 14 2Normal 2 23 15Normal 2 23 15 2Normal 2 23 16Normal 2 23 16 2 Normal 2 23 17!Normal 2 23 17 2"Normal 2 23 18#Normal 2 23 18 2$Normal 2 23 19%Normal 2 23 19 2& Normal 2 23 2'Normal 2 23 20(Normal 2 23 20 2)Normal 2 23 21*Normal 2 23 21 2+Normal 2 23 22,Normal 2 23 22 2-Normal 2 23 23.Normal 2 23 23 2/Normal 2 23 240Normal 2 23 251Normal 2 23 262Normal 2 23 273 Normal 2 23 34Normal 2 23 3 25Normal 2 23 3 36 Normal 2 23 47Normal 2 23 4 28Normal 2 23 4 39 Normal 2 23 5:Normal 2 23 5 2;Normal 2 23 5 3< Normal 2 23 6=Normal 2 23 6 2>Normal 2 23 6 3? 
Normal 2 23 7@Normal 2 23 7 2ANormal 2 23 7 3B Normal 2 23 8CNormal 2 23 8 2DNormal 2 23 8 3E Normal 2 23 9FNormal 2 23 9 2GNormal 2 23 9 3H Normal 2 24INormal 2 24 10JNormal 2 24 10 2KNormal 2 24 10 3LNormal 2 24 11MNormal 2 24 11 2NNormal 2 24 12ONormal 2 24 12 2PNormal 2 24 13QNormal 2 24 13 2RNormal 2 24 14SNormal 2 24 14 2TNormal 2 24 15UNormal 2 24 15 2VNormal 2 24 16WNormal 2 24 16 2XNormal 2 24 17YNormal 2 24 17 2ZNormal 2 24 18[Normal 2 24 18 2\Normal 2 24 19]Normal 2 24 19 2^ Normal 2 24 2_Normal 2 24 20`Normal 2 24 20 2aNormal 2 24 21bNormal 2 24 21 2cNormal 2 24 22dNormal 2 24 22 2eNormal 2 24 23fNormal 2 24 23 2gNormal 2 24 24hNormal 2 24 25iNormal 2 24 26jNormal 2 24 27k Normal 2 24 3lNormal 2 24 3 2mNormal 2 24 3 3n Normal 2 24 4oNormal 2 24 4 2pNormal 2 24 4 3q Normal 2 24 5rNormal 2 24 5 2sNormal 2 24 5 3t Normal 2 24 6uNormal 2 24 6 2vNormal 2 24 6 3w Normal 2 24 7xNormal 2 24 7 2yNormal 2 24 7 3z Normal 2 24 8{Normal 2 24 8 2|Normal 2 24 8 3} Normal 2 24 9~Normal 2 24 9 2Normal 2 24 9 3 Normal 2 25Normal 2 25 10Normal 2 25 10 2Normal 2 25 10 3Normal 2 25 11Normal 2 25 11 2Normal 2 25 12Normal 2 25 12 2Normal 2 25 13Normal 2 25 13 2Normal 2 25 14Normal 2 25 14 2Normal 2 25 15Normal 2 25 15 2Normal 2 25 16Normal 2 25 16 2Normal 2 25 17Normal 2 25 17 2Normal 2 25 18Normal 2 25 18 2Normal 2 25 19Normal 2 25 19 2 Normal 2 25 2Normal 2 25 20Normal 2 25 20 2Normal 2 25 21Normal 2 25 21 2Normal 2 25 22Normal 2 25 22 2Normal 2 25 23Normal 2 25 23 2Normal 2 25 24Normal 2 25 25Normal 2 25 26Normal 2 25 27 Normal 2 25 3Normal 2 25 3 2Normal 2 25 3 3 Normal 2 25 4Normal 2 25 4 2Normal 2 25 4 3 Normal 2 25 5Normal 2 25 5 2Normal 2 25 5 3 Normal 2 25 6Normal 2 25 6 2Normal 2 25 6 3 Normal 2 25 7Normal 2 25 7 2Normal 2 25 7 3 Normal 2 25 8Normal 2 25 8 2Normal 2 25 8 3 Normal 2 25 9Normal 2 25 9 2Normal 2 25 9 3 Normal 2 26Normal 2 26 10Normal 2 26 10 2Normal 2 26 10 3Normal 2 26 11Normal 2 26 11 2Normal 2 26 12Normal 2 26 12 2Normal 2 26 13Normal 2 26 13 
2Normal 2 26 14Normal 2 26 14 2Normal 2 26 15Normal 2 26 15 2Normal 2 26 16Normal 2 26 16 2Normal 2 26 17Normal 2 26 17 2Normal 2 26 18Normal 2 26 18 2Normal 2 26 19Normal 2 26 19 2 Normal 2 26 2Normal 2 26 20Normal 2 26 20 2Normal 2 26 21Normal 2 26 21 2Normal 2 26 22Normal 2 26 22 2Normal 2 26 23Normal 2 26 23 2Normal 2 26 24Normal 2 26 25Normal 2 26 26Normal 2 26 27 Normal 2 26 3Normal 2 26 3 2Normal 2 26 3 3 Normal 2 26 4Normal 2 26 4 2Normal 2 26 4 3 Normal 2 26 5Normal 2 26 5 2Normal 2 26 5 3 Normal 2 26 6Normal 2 26 6 2Normal 2 26 6 3 Normal 2 26 7Normal 2 26 7 2Normal 2 26 7 3 Normal 2 26 8Normal 2 26 8 2Normal 2 26 8 3 Normal 2 26 9Normal 2 26 9 2Normal 2 26 9 3 Normal 2 27Normal 2 27 10Normal 2 27 10 2Normal 2 27 10 3Normal 2 27 11Normal 2 27 11 2Normal 2 27 12Normal 2 27 12 2Normal 2 27 13Normal 2 27 13 2Normal 2 27 14Normal 2 27 14 2Normal 2 27 15Normal 2 27 15 2Normal 2 27 16Normal 2 27 16 2Normal 2 27 17Normal 2 27 17 2Normal 2 27 18Normal 2 27 18 2Normal 2 27 19Normal 2 27 19 2 Normal 2 27 2Normal 2 27 20Normal 2 27 20 2 Normal 2 27 21 Normal 2 27 21 2 Normal 2 27 22 Normal 2 27 22 2 Normal 2 27 23Normal 2 27 23 2Normal 2 27 24Normal 2 27 25Normal 2 27 26Normal 2 27 27 Normal 2 27 3Normal 2 27 3 2Normal 2 27 3 3 Normal 2 27 4Normal 2 27 4 2Normal 2 27 4 3 Normal 2 27 5Normal 2 27 5 2Normal 2 27 5 3 Normal 2 27 6Normal 2 27 6 2Normal 2 27 6 3 Normal 2 27 7 Normal 2 27 7 2!Normal 2 27 7 3" Normal 2 27 8#Normal 2 27 8 2$Normal 2 27 8 3% Normal 2 27 9&Normal 2 27 9 2'Normal 2 27 9 3( Normal 2 28)Normal 2 28 10*Normal 2 28 10 2+Normal 2 28 10 3,Normal 2 28 11-Normal 2 28 11 2.Normal 2 28 12/Normal 2 28 12 20Normal 2 28 131Normal 2 28 13 22Normal 2 28 143Normal 2 28 14 24Normal 2 28 155Normal 2 28 15 26Normal 2 28 167Normal 2 28 16 28Normal 2 28 179Normal 2 28 17 2:Normal 2 28 18;Normal 2 28 18 2<Normal 2 28 19=Normal 2 28 19 2> Normal 2 28 2?Normal 2 28 20@Normal 2 28 20 2ANormal 2 28 21BNormal 2 28 21 2CNormal 2 28 22DNormal 2 28 22 2ENormal 2 28 
23FNormal 2 28 23 2GNormal 2 28 24HNormal 2 28 25INormal 2 28 26JNormal 2 28 27K Normal 2 28 3LNormal 2 28 3 2MNormal 2 28 3 3N Normal 2 28 4ONormal 2 28 4 2PNormal 2 28 4 3Q Normal 2 28 5RNormal 2 28 5 2SNormal 2 28 5 3T Normal 2 28 6UNormal 2 28 6 2VNormal 2 28 6 3W Normal 2 28 7XNormal 2 28 7 2YNormal 2 28 7 3Z Normal 2 28 8[Normal 2 28 8 2\Normal 2 28 8 3] Normal 2 28 9^Normal 2 28 9 2_Normal 2 28 9 3` Normal 2 29a Normal 2 3b Normal 2 30cNormal 2 30 10dNormal 2 30 10 2eNormal 2 30 10 3fNormal 2 30 11gNormal 2 30 11 2hNormal 2 30 12iNormal 2 30 12 2jNormal 2 30 13kNormal 2 30 13 2lNormal 2 30 14mNormal 2 30 14 2nNormal 2 30 15oNormal 2 30 15 2pNormal 2 30 16qNormal 2 30 16 2rNormal 2 30 17sNormal 2 30 17 2tNormal 2 30 18uNormal 2 30 18 2vNormal 2 30 19wNormal 2 30 19 2x Normal 2 30 2yNormal 2 30 20zNormal 2 30 20 2{Normal 2 30 21|Normal 2 30 21 2}Normal 2 30 22~Normal 2 30 22 2Normal 2 30 23Normal 2 30 23 2Normal 2 30 24Normal 2 30 25Normal 2 30 26Normal 2 30 27 Normal 2 30 3Normal 2 30 3 2Normal 2 30 3 3 Normal 2 30 4Normal 2 30 4 2Normal 2 30 4 3 Normal 2 30 5Normal 2 30 5 2Normal 2 30 5 3 Normal 2 30 6Normal 2 30 6 2Normal 2 30 6 3 Normal 2 30 7Normal 2 30 7 2Normal 2 30 7 3 Normal 2 30 8Normal 2 30 8 2Normal 2 30 8 3 Normal 2 30 9Normal 2 30 9 2Normal 2 30 9 3 Normal 2 31Normal 2 31 10Normal 2 31 10 2Normal 2 31 10 3Normal 2 31 11Normal 2 31 11 2Normal 2 31 12Normal 2 31 12 2Normal 2 31 13Normal 2 31 13 2Normal 2 31 14Normal 2 31 14 2Normal 2 31 15Normal 2 31 15 2Normal 2 31 16Normal 2 31 16 2Normal 2 31 17Normal 2 31 17 2Normal 2 31 18Normal 2 31 18 2Normal 2 31 19Normal 2 31 19 2 Normal 2 31 2Normal 2 31 20Normal 2 31 20 2Normal 2 31 21Normal 2 31 21 2Normal 2 31 22Normal 2 31 22 2Normal 2 31 23Normal 2 31 23 2Normal 2 31 24Normal 2 31 25Normal 2 31 26Normal 2 31 27 Normal 2 31 3Normal 2 31 3 2Normal 2 31 3 3 Normal 2 31 4Normal 2 31 4 2Normal 2 31 4 3 Normal 2 31 5Normal 2 31 5 2Normal 2 31 5 3 Normal 2 31 6Normal 2 31 6 2Normal 2 31 6 3 Normal 2 31 
7Normal 2 31 7 2Normal 2 31 7 3 Normal 2 31 8Normal 2 31 8 2Normal 2 31 8 3 Normal 2 31 9Normal 2 31 9 2Normal 2 31 9 3 Normal 2 32Normal 2 32 10Normal 2 32 10 2Normal 2 32 10 3Normal 2 32 11Normal 2 32 11 2Normal 2 32 12Normal 2 32 12 2Normal 2 32 13Normal 2 32 13 2Normal 2 32 14Normal 2 32 14 2Normal 2 32 15Normal 2 32 15 2Normal 2 32 16Normal 2 32 16 2Normal 2 32 17Normal 2 32 17 2Normal 2 32 18Normal 2 32 18 2Normal 2 32 19Normal 2 32 19 2 Normal 2 32 2Normal 2 32 20Normal 2 32 20 2Normal 2 32 21Normal 2 32 21 2Normal 2 32 22Normal 2 32 22 2Normal 2 32 23Normal 2 32 23 2Normal 2 32 24Normal 2 32 25Normal 2 32 26Normal 2 32 27 Normal 2 32 3Normal 2 32 3 2Normal 2 32 3 3 Normal 2 32 4Normal 2 32 4 2Normal 2 32 4 3 Normal 2 32 5Normal 2 32 5 2Normal 2 32 5 3 Normal 2 32 6Normal 2 32 6 2Normal 2 32 6 3 Normal 2 32 7Normal 2 32 7 2Normal 2 32 7 3 Normal 2 32 8Normal 2 32 8 2Normal 2 32 8 3 Normal 2 32 9Normal 2 32 9 2 Normal 2 32 9 3  Normal 2 33 Normal 2 33 10 Normal 2 33 10 2 Normal 2 33 10 3Normal 2 33 11Normal 2 33 11 2Normal 2 33 12Normal 2 33 12 2Normal 2 33 13Normal 2 33 13 2Normal 2 33 14Normal 2 33 14 2Normal 2 33 15Normal 2 33 15 2Normal 2 33 16Normal 2 33 16 2Normal 2 33 17Normal 2 33 17 2Normal 2 33 18Normal 2 33 18 2Normal 2 33 19Normal 2 33 19 2  Normal 2 33 2!Normal 2 33 20"Normal 2 33 20 2#Normal 2 33 21$Normal 2 33 21 2%Normal 2 33 22&Normal 2 33 22 2'Normal 2 33 23(Normal 2 33 23 2)Normal 2 33 24*Normal 2 33 25+Normal 2 33 26,Normal 2 33 27- Normal 2 33 3.Normal 2 33 3 2/Normal 2 33 3 30 Normal 2 33 41Normal 2 33 4 22Normal 2 33 4 33 Normal 2 33 54Normal 2 33 5 25Normal 2 33 5 36 Normal 2 33 67Normal 2 33 6 28Normal 2 33 6 39 Normal 2 33 7:Normal 2 33 7 2;Normal 2 33 7 3< Normal 2 33 8=Normal 2 33 8 2>Normal 2 33 8 3? 
Normal 2 33 9@Normal 2 33 9 2ANormal 2 33 9 3B Normal 2 34CNormal 2 34 10DNormal 2 34 10 2ENormal 2 34 10 3FNormal 2 34 11GNormal 2 34 11 2HNormal 2 34 12INormal 2 34 12 2JNormal 2 34 13KNormal 2 34 13 2LNormal 2 34 14MNormal 2 34 14 2NNormal 2 34 15ONormal 2 34 15 2PNormal 2 34 16QNormal 2 34 16 2RNormal 2 34 17SNormal 2 34 17 2TNormal 2 34 18UNormal 2 34 18 2VNormal 2 34 19WNormal 2 34 19 2X Normal 2 34 2YNormal 2 34 20ZNormal 2 34 20 2[Normal 2 34 21\Normal 2 34 21 2]Normal 2 34 22^Normal 2 34 22 2_Normal 2 34 23`Normal 2 34 23 2aNormal 2 34 24bNormal 2 34 25cNormal 2 34 26dNormal 2 34 27e Normal 2 34 3fNormal 2 34 3 2gNormal 2 34 3 3h Normal 2 34 4iNormal 2 34 4 2jNormal 2 34 4 3k Normal 2 34 5lNormal 2 34 5 2mNormal 2 34 5 3n Normal 2 34 6oNormal 2 34 6 2pNormal 2 34 6 3q Normal 2 34 7rNormal 2 34 7 2sNormal 2 34 7 3t Normal 2 34 8uNormal 2 34 8 2vNormal 2 34 8 3w Normal 2 34 9xNormal 2 34 9 2yNormal 2 34 9 3z Normal 2 35{Normal 2 35 10|Normal 2 35 10 2}Normal 2 35 10 3~Normal 2 35 11Normal 2 35 11 2Normal 2 35 12Normal 2 35 12 2Normal 2 35 13Normal 2 35 13 2Normal 2 35 14Normal 2 35 14 2Normal 2 35 15Normal 2 35 15 2Normal 2 35 16Normal 2 35 16 2Normal 2 35 17Normal 2 35 17 2Normal 2 35 18Normal 2 35 18 2Normal 2 35 19Normal 2 35 19 2 Normal 2 35 2Normal 2 35 20Normal 2 35 20 2Normal 2 35 21Normal 2 35 21 2Normal 2 35 22Normal 2 35 22 2Normal 2 35 23Normal 2 35 23 2Normal 2 35 24Normal 2 35 25Normal 2 35 26Normal 2 35 27 Normal 2 35 3Normal 2 35 3 2Normal 2 35 3 3 Normal 2 35 4Normal 2 35 4 2Normal 2 35 4 3 Normal 2 35 5Normal 2 35 5 2Normal 2 35 5 3 Normal 2 35 6Normal 2 35 6 2Normal 2 35 6 3 Normal 2 35 7Normal 2 35 7 2Normal 2 35 7 3 Normal 2 35 8Normal 2 35 8 2Normal 2 35 8 3 Normal 2 35 9Normal 2 35 9 2Normal 2 35 9 3 Normal 2 36 Normal 2 36 2Normal 2 36 2 10Normal 2 36 2 10 2Normal 2 36 2 11Normal 2 36 2 11 2Normal 2 36 2 12Normal 2 36 2 12 2Normal 2 36 2 13Normal 2 36 2 13 2Normal 2 36 2 14Normal 2 36 2 14 2Normal 2 36 2 15Normal 2 36 2 15 2Normal 2 36 
2 16Normal 2 36 2 16 2Normal 2 36 2 17Normal 2 36 2 17 2Normal 2 36 2 18Normal 2 36 2 18 2Normal 2 36 2 19Normal 2 36 2 19 2Normal 2 36 2 2Normal 2 36 2 2 2Normal 2 36 2 2 3Normal 2 36 2 20Normal 2 36 2 20 2Normal 2 36 2 21Normal 2 36 2 21 2Normal 2 36 2 22Normal 2 36 2 22 2Normal 2 36 2 23Normal 2 36 2 24Normal 2 36 2 3Normal 2 36 2 3 2Normal 2 36 2 3 3Normal 2 36 2 4Normal 2 36 2 4 2Normal 2 36 2 4 3Normal 2 36 2 5Normal 2 36 2 5 2Normal 2 36 2 5 3Normal 2 36 2 6Normal 2 36 2 6 2Normal 2 36 2 6 3Normal 2 36 2 7Normal 2 36 2 7 2Normal 2 36 2 7 3Normal 2 36 2 8Normal 2 36 2 8 2Normal 2 36 2 8 3Normal 2 36 2 9Normal 2 36 2 9 2Normal 2 36 2 9 3 Normal 2 36 3 Normal 2 36 4 Normal 2 36 5 Normal 2 36 6 Normal 2 37 Normal 2 37 2Normal 2 37 2 10Normal 2 37 2 10 2Normal 2 37 2 11Normal 2 37 2 11 2Normal 2 37 2 12Normal 2 37 2 12 2Normal 2 37 2 13Normal 2 37 2 13 2Normal 2 37 2 14Normal 2 37 2 14 2Normal 2 37 2 15Normal 2 37 2 15 2Normal 2 37 2 16Normal 2 37 2 16 2Normal 2 37 2 17Normal 2 37 2 17 2Normal 2 37 2 18Normal 2 37 2 18 2Normal 2 37 2 19Normal 2 37 2 19 2Normal 2 37 2 2Normal 2 37 2 2 2Normal 2 37 2 2 3Normal 2 37 2 20Normal 2 37 2 20 2Normal 2 37 2 21Normal 2 37 2 21 2 Normal 2 37 2 22 Normal 2 37 2 22 2 Normal 2 37 2 23 Normal 2 37 2 24 Normal 2 37 2 3Normal 2 37 2 3 2Normal 2 37 2 3 3Normal 2 37 2 4Normal 2 37 2 4 2Normal 2 37 2 4 3Normal 2 37 2 5Normal 2 37 2 5 2Normal 2 37 2 5 3Normal 2 37 2 6Normal 2 37 2 6 2Normal 2 37 2 6 3Normal 2 37 2 7Normal 2 37 2 7 2Normal 2 37 2 7 3Normal 2 37 2 8Normal 2 37 2 8 2Normal 2 37 2 8 3Normal 2 37 2 9 Normal 2 37 2 9 2!Normal 2 37 2 9 3" Normal 2 37 3# Normal 2 37 4$ Normal 2 37 5% Normal 2 37 6& Normal 2 38' Normal 2 38 2(Normal 2 38 2 10)Normal 2 38 2 10 2*Normal 2 38 2 11+Normal 2 38 2 11 2,Normal 2 38 2 12-Normal 2 38 2 12 2.Normal 2 38 2 13/Normal 2 38 2 13 20Normal 2 38 2 141Normal 2 38 2 14 22Normal 2 38 2 153Normal 2 38 2 15 24Normal 2 38 2 165Normal 2 38 2 16 26Normal 2 38 2 177Normal 2 38 2 17 28Normal 2 38 2 
189Normal 2 38 2 18 2:Normal 2 38 2 19;Normal 2 38 2 19 2<Normal 2 38 2 2=Normal 2 38 2 2 2>Normal 2 38 2 2 3?Normal 2 38 2 20@Normal 2 38 2 20 2ANormal 2 38 2 21BNormal 2 38 2 21 2CNormal 2 38 2 22DNormal 2 38 2 22 2ENormal 2 38 2 23FNormal 2 38 2 24GNormal 2 38 2 3HNormal 2 38 2 3 2INormal 2 38 2 3 3JNormal 2 38 2 4KNormal 2 38 2 4 2LNormal 2 38 2 4 3MNormal 2 38 2 5NNormal 2 38 2 5 2ONormal 2 38 2 5 3PNormal 2 38 2 6QNormal 2 38 2 6 2RNormal 2 38 2 6 3SNormal 2 38 2 7TNormal 2 38 2 7 2UNormal 2 38 2 7 3VNormal 2 38 2 8WNormal 2 38 2 8 2XNormal 2 38 2 8 3YNormal 2 38 2 9ZNormal 2 38 2 9 2[Normal 2 38 2 9 3\ Normal 2 39] Normal 2 39 2^Normal 2 39 2 10_Normal 2 39 2 10 2`Normal 2 39 2 11aNormal 2 39 2 11 2bNormal 2 39 2 12cNormal 2 39 2 12 2dNormal 2 39 2 13eNormal 2 39 2 13 2fNormal 2 39 2 14gNormal 2 39 2 14 2hNormal 2 39 2 15iNormal 2 39 2 15 2jNormal 2 39 2 16kNormal 2 39 2 16 2lNormal 2 39 2 17mNormal 2 39 2 17 2nNormal 2 39 2 18oNormal 2 39 2 18 2pNormal 2 39 2 19qNormal 2 39 2 19 2rNormal 2 39 2 2sNormal 2 39 2 2 2tNormal 2 39 2 2 3uNormal 2 39 2 20vNormal 2 39 2 20 2wNormal 2 39 2 21xNormal 2 39 2 21 2yNormal 2 39 2 22zNormal 2 39 2 22 2{Normal 2 39 2 23|Normal 2 39 2 24}Normal 2 39 2 3~Normal 2 39 2 3 2Normal 2 39 2 3 3Normal 2 39 2 4Normal 2 39 2 4 2Normal 2 39 2 4 3Normal 2 39 2 5Normal 2 39 2 5 2Normal 2 39 2 5 3Normal 2 39 2 6Normal 2 39 2 6 2Normal 2 39 2 6 3Normal 2 39 2 7Normal 2 39 2 7 2Normal 2 39 2 7 3Normal 2 39 2 8Normal 2 39 2 8 2Normal 2 39 2 8 3Normal 2 39 2 9Normal 2 39 2 9 2Normal 2 39 2 9 3 Normal 2 4 Normal 2 40Normal 2 40 10Normal 2 40 10 2Normal 2 40 11Normal 2 40 11 2Normal 2 40 12Normal 2 40 12 2Normal 2 40 13Normal 2 40 13 2Normal 2 40 14Normal 2 40 14 2Normal 2 40 15Normal 2 40 15 2Normal 2 40 16Normal 2 40 16 2Normal 2 40 17Normal 2 40 17 2Normal 2 40 18Normal 2 40 18 2Normal 2 40 19Normal 2 40 19 2 Normal 2 40 2Normal 2 40 2 2Normal 2 40 2 3Normal 2 40 20Normal 2 40 20 2Normal 2 40 21Normal 2 40 21 2Normal 2 40 22Normal 2 40 22 
2Normal 2 40 23Normal 2 40 24 Normal 2 40 3Normal 2 40 3 2Normal 2 40 3 3 Normal 2 40 4Normal 2 40 4 2Normal 2 40 4 3 Normal 2 40 5Normal 2 40 5 2Normal 2 40 5 3 Normal 2 40 6Normal 2 40 6 2Normal 2 40 6 3 Normal 2 40 7Normal 2 40 7 2Normal 2 40 7 3 Normal 2 40 8Normal 2 40 8 2Normal 2 40 8 3 Normal 2 40 9Normal 2 40 9 2Normal 2 40 9 3 Normal 2 41Normal 2 41 10Normal 2 41 10 2Normal 2 41 11Normal 2 41 11 2Normal 2 41 12Normal 2 41 12 2Normal 2 41 13Normal 2 41 13 2Normal 2 41 14Normal 2 41 14 2Normal 2 41 15Normal 2 41 15 2Normal 2 41 16Normal 2 41 16 2Normal 2 41 17Normal 2 41 17 2Normal 2 41 18Normal 2 41 18 2Normal 2 41 19Normal 2 41 19 2 Normal 2 41 2Normal 2 41 2 2Normal 2 41 2 3Normal 2 41 20Normal 2 41 20 2Normal 2 41 21Normal 2 41 21 2Normal 2 41 22Normal 2 41 22 2 Normal 2 41 3Normal 2 41 3 2Normal 2 41 3 3 Normal 2 41 4Normal 2 41 4 2Normal 2 41 4 3 Normal 2 41 5Normal 2 41 5 2Normal 2 41 5 3 Normal 2 41 6Normal 2 41 6 2Normal 2 41 6 3 Normal 2 41 7Normal 2 41 7 2Normal 2 41 7 3 Normal 2 41 8Normal 2 41 8 2Normal 2 41 8 3 Normal 2 41 9Normal 2 41 9 2Normal 2 41 9 3 Normal 2 42 Normal 2 43 Normal 2 44 Normal 2 45 Normal 2 46 Normal 2 47 Normal 2 48 Normal 2 49 Normal 2 5 Normal 2 50 Normal 2 51 Normal 2 52 Normal 2 6 Normal 2 7  Normal 2 8  Normal 2 808 Normal 2 80   Normal 2 9  Normal 20  Normal 21 Normal 22 Normal 23 Normal 24 Normal 25 Normal 26 Normal 27 Normal 28 Normal 29 Normal 3 Normal 3 10 Normal 3 11 Normal 3 12 Normal 3 13 Normal 3 14 Normal 3 15 Normal 3 16 Normal 3 17 Normal 3 18  Normal 3 19! Normal 3 2" Normal 3 20# Normal 3 21$ Normal 3 22% Normal 3 23& Normal 3 24' Normal 3 25( Normal 3 26) Normal 3 27* Normal 3 28+ Normal 3 29, Normal 3 3- Normal 3 30. Normal 3 4/ Normal 3 50 Normal 3 61 Normal 3 72 Normal 3 83 Normal 3 94 Normal 305 Normal 316 Normal 327 Normal 338 Normal 349 Normal 35: Normal 36; Normal 37< Normal 38= Normal 39 >Normal 4? 
Normal 40@ Normal 41A Normal 42B Normal 43C Normal 44D Normal 45E Normal 46F Normal 47G Normal 48H Normal 49 INormal 5J Normal 50K Normal 51L Normal 52M Normal 53N Normal 54O Normal 55P Normal 56Q Normal 57R Normal 58S Normal 59 TNormal 6U Normal 6 2V Normal 6 2 10WNormal 6 2 10 2XNormal 6 2 10 3Y Normal 6 2 11ZNormal 6 2 11 2[ Normal 6 2 12\Normal 6 2 12 2] Normal 6 2 13^Normal 6 2 13 2_ Normal 6 2 14`Normal 6 2 14 2a Normal 6 2 15bNormal 6 2 15 2c Normal 6 2 16dNormal 6 2 16 2e Normal 6 2 17fNormal 6 2 17 2g Normal 6 2 18hNormal 6 2 18 2i Normal 6 2 19jNormal 6 2 19 2k Normal 6 2 2l Normal 6 2 20mNormal 6 2 20 2n Normal 6 2 21oNormal 6 2 21 2p Normal 6 2 22qNormal 6 2 22 2r Normal 6 2 23sNormal 6 2 23 2t Normal 6 2 24u Normal 6 2 25v Normal 6 2 26w Normal 6 2 27x Normal 6 2 3yNormal 6 2 3 2zNormal 6 2 3 3{ Normal 6 2 4|Normal 6 2 4 2}Normal 6 2 4 3~ Normal 6 2 5Normal 6 2 5 2Normal 6 2 5 3 Normal 6 2 6Normal 6 2 6 2Normal 6 2 6 3 Normal 6 2 7Normal 6 2 7 2Normal 6 2 7 3 Normal 6 2 8Normal 6 2 8 2Normal 6 2 8 3 Normal 6 2 9Normal 6 2 9 2Normal 6 2 9 3 Normal 6 3 Normal 60 Normal 61 Normal 62 Normal 63 Normal 64 Normal 65 Normal 66 Normal 67 Normal 68 Normal 69 Normal 7 108 Normal 7 10  Normal 7 118 Normal 7 11  Normal 7 128 Normal 7 12  Normal 7 138 Normal 7 13  Normal 7 148 Normal 7 14  Normal 7 158 Normal 7 15  Normal 7 168 Normal 7 16  Normal 7 178 Normal 7 17  Normal 7 188 Normal 7 18  Normal 7 198 Normal 7 19  Normal 7 2 Normal 7 2 10 Normal 7 2 11 Normal 7 2 12 Normal 7 2 13 Normal 7 2 14 Normal 7 2 15 Normal 7 2 16 Normal 7 2 17 Normal 7 2 18 Normal 7 2 19 Normal 7 2 2Normal 7 2 2 2Normal 7 2 2 3Normal 7 2 2 4Normal 7 2 2 5Normal 7 2 2 6 Normal 7 2 20 Normal 7 2 21 Normal 7 2 22 Normal 7 2 23 Normal 7 2 24 Normal 7 2 25 Normal 7 2 26 Normal 7 2 27 Normal 7 2 28 Normal 7 2 29 Normal 7 2 3 Normal 7 2 30 Normal 7 2 31 Normal 7 2 32 Normal 7 2 33 Normal 7 2 34 Normal 7 2 35 Normal 7 2 36 Normal 7 2 37 Normal 7 2 38 Normal 7 2 39 Normal 7 2 4 Normal 7 2 40 
Normal 7 2 41 Normal 7 2 42 Normal 7 2 43 Normal 7 2 44 Normal 7 2 45 Normal 7 2 46 Normal 7 2 47 Normal 7 2 48< Normal 7 2 48 Normal 7 2 48 2@Normal 7 2 48 2 Normal 7 2 48 3@Normal 7 2 48 3 Normal 7 2 48 4@Normal 7 2 48 4 Normal 7 2 48 5@Normal 7 2 48 5 Normal 7 2 48 6@Normal 7 2 48 6 Normal 7 2 48 7@Normal 7 2 48 7 Normal 7 2 48 8@Normal 7 2 48 8  Normal 7 2 49< Normal 7 2 49  Normal 7 2 5 Normal 7 2 50< Normal 7 2 50  Normal 7 2 51< Normal 7 2 51  Normal 7 2 52 Normal 7 2 53 Normal 7 2 54 Normal 7 2 55 Normal 7 2 56 Normal 7 2 57 Normal 7 2 6 Normal 7 2 7 Normal 7 2 8 Normal 7 2 9 Normal 7 208 Normal 7 20  Normal 7 218 Normal 7 21  Normal 7 228 Normal 7 22  Normal 7 238 Normal 7 23  Normal 7 248 Normal 7 24  Normal 7 258 Normal 7 25  Normal 7 268 Normal 7 26  Normal 7 278 Normal 7 27  Normal 7 288 Normal 7 28  Normal 7 298 Normal 7 29  Normal 7 3 Normal 7 308 Normal 7 30  Normal 7 318 Normal 7 31  Normal 7 328 Normal 7 32  Normal 7 338 Normal 7 33  Normal 7 348 Normal 7 34  Normal 7 358 Normal 7 35  Normal 7 368 Normal 7 36  Normal 7 378 Normal 7 37  Normal 7 388 Normal 7 38  Normal 7 398 Normal 7 39  Normal 7 4 Normal 7 408 Normal 7 40  Normal 7 418 Normal 7 41  Normal 7 428 Normal 7 42  Normal 7 438 Normal 7 43  Normal 7 448 Normal 7 44  Normal 7 458 Normal 7 45  Normal 7 468 Normal 7 46  Normal 7 478 Normal 7 47  Normal 7 488 Normal 7 48  Normal 7 498 Normal 7 49  Normal 7 5; Normal 7 5 % Normal 7 508 Normal 7 50   Normal 7 51  Normal 7 66 Normal 7 6   Normal 7 76 Normal 7 7   Normal 7 86 Normal 7 8   Normal 7 96 Normal 7 9  Normal 70 Normal 71 Normal 72 Normal 73 Normal 74 Normal 75 Normal 76( Normal 76 Normal 76 2 Normal 77 Normal 78 Normal 78 2 Normal 79 Normal 8 Normal 80 Normal 81 Normal 82 Normal 83 Normal 84  Normal 85! Normal 86" Normal 87# Normal 88$ Normal 89 %Normal 9& Normal 9 2' Normal 9 3( Normal 9 4) Normal 90* Normal 91+ Normal 92, Normal 93- Normal 94. 
Normal 95/ Normal 960 Normal 97 1Noteb Note   2Note 2fNote 2   3OutputwOutput  ???%????????? ???4$Percent 5Style 1 6Title1Title I}% 7TotalMTotal %OO8 Warning Text? Warning Text %XTableStyleMedium2PivotStyleLight16` win78  CCE IDCCE DescriptionCCE ParametersCCE Technical Mechanisms Old v4 CCE IDMicrosoft Security Compliance Management Toolkit for Windows 7, Version 1.0: "Windows 7 Security Baseline Settings.xlsm" spreadsheetnMicrosoft Security Compliance Management Toolkit for Windows 7, Version 1.0: "Windows 7 Security Baseline.xml"Microsoft Online Documentation;USGCB Beta 2010-08-31 XCCDF (USGCB-Windows-7-x86_xccdf.xml)9USGCB Beta 2010-08-31 OVAL (USGCB-Windows-7-x86_oval.xml)#USGCB XCCDF (USGCB-Windows-7-xccdf)!USGCB OVAL (USGCB-Windows-7-oval) CCE-10814-2The 'MSS: (AutoShareWks) Enable Administrative Shares (recommended except for highly secure environments)' setting should be configured correctly.enabled/disabled#(1) GPO: Computer Configuration\Windows Settings\Local Policies\Security Options\MSS: (AutoShareWks) Enable Administrative Shares (recommended except for highly secure environments) (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters\\AutoShareWksCCE-512,Worksheet: Computer Policy Settings; Row: 57Setting Index #111: This setting controls the hidden administrative shares on a server. By default, when Windows networking is active on a server, Windows will create hidden administrative shares which is undesirable on highly secure servers. 
CCE-10303-6The 'MSS: (AutoReboot) Allow Windows to automatically restart after a system crash (recommended except for highly secure environments)' setting should be configured correctly.C(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\MSS: (AutoReboot) Allow Windows to automatically restart after a system crash (recommended except for highly secure environments) (2) Registry Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl\AutoRebootCCE-137,Worksheet: Computer Policy Settings; Row: 94Setting Index #110: This entry appears as MSS: (AutoReboot) Allow Windows to automatically restart after a system crash (recommended except for highly secure environments) in the SCE. CCE-10014-9yAuditing of 'Policy Change: Authentication Policy Change' events on failure should be enabled or disabled as appropriate.(1) Commandline: auditpol.exeCCE-180)Worksheet: Audit Policy Settings; Row: 37Setting Index #396: The policy setting for this audit category determines whether to audit Authentication Policy changes on computers running Windows Vista or later Windows operating systems. CCE-10021-4pAuditing of 'Policy Change: Audit Policy Change' events on success should be enabled or disabled as appropriate.CCE-1110)Worksheet: Audit Policy Settings; Row: 36Setting Index #395: The Policy Change audit category determines whether to audit every incident of a change to user rights assignment policies, Windows Firewall policies, Trust policies, or changes to the Audit policy itself. CCE-10049-5wAuditing of 'Policy Change: Other Policy Change Events' events on failure should be enabled or disabled as appropriate.CCE-787)Worksheet: Audit Policy Settings; Row: 41Setting Index #400: The policy setting for this audit category determines whether to audit Other Policy Change events on computers running Windows Vista or later Windows operating systems. 
CCE-10050-3xAuditing of 'Policy Change: Authorization Policy Change' events on failure should be enabled or disabled as appropriate.CCE-448)Worksheet: Audit Policy Settings; Row: 38Setting Index #397: The policy setting for this audit category determines whether to audit Authorization Policy changes on computers running Windows Vista or later Windows operating systems. CCE-10051-1UThe screen saver should be enabled or disabled as appropriate for the current user. enabled/disabled (1) GPO: User Configuration\Administrative Templates\Control Panel\Personalization\Enable screen saver (2) Registry Key: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Control Panel\Desktop\ScreenSaveActiveCCE-287(Worksheet: User Policy Settings; Row: 12_Setting Index #504: This policy setting allows you to manage whether or not screen savers run. Rule 'enable_screen_saver' CCE-10061-0IThe 'Turn off printing over HTTP' setting should be configured correctly.(1) GPO: Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off printing over HTTP (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\DisableHTTPPrintingCCE-852-Worksheet: Computer Policy Settings; Row: 185Setting Index #240: This policy setting allows you to disable the client computer s ability to print over HTTP, which allows the computer to print to printers on the intranet as well as the Internet. 
#Rule 'turn_off_printing_over_http' 6Definition 'oval:gov.nist.usgcb.windowsseven:def:236' CCE-10064-4RThe 'Retain old events' setting should be configured correctly for the system log.(1) GPO: Computer Configuration\Administrative Templates\Windows Components\Event Log Service\System\Retain old events (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\System\Retain system log-Worksheet: Computer Policy Settings; Row: 207Setting Index #517 CCE-10076-8`The 'Notify antivirus programs when opening attachments' setting should be configured correctly.(1) GPO: User Configuration\Administrative Templates\Windows Components\Attachment Manager\Notify antivirus programs when opening attachments (2) Registry Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments\ScanWithAntiVirusCCE-372'Worksheet: User Policy Settings; Row: 5vSetting Index #282: Antivirus programs are mandatory in many environments and provide a strong defense against attack.:Rule 'notify_antivirus_programs_when_opening_attachments' CCE-10077-6GThe 'Allow Remote Shell Access' setting should be configured correctly.(1) GPO: Computer Configuration\Administrative Templates\Windows Components\Windows Remote Shell\Allow Remote Shell Access (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Service\WinRS\AllowRemoteShellAccess+Worksheet: Computer Policy Settings; Row: 58Setting Index #1026: Configures access to remote shells. CCE-10078-4eAuditing of 'Object Access:Registry' events on failure should be enabled or disabled as appropriate.CCE-1283)Worksheet: Audit Policy Settings; Row: 26Setting Index #378: This settings determines whether to audit the event of a user who accesses an object that has a specified system access control list (SACL), effectively enabling auditing to take place. It is targeted to Registry Object access events. 
CCE-10081-8}Auditing of 'Policy Change: Filtering Platform Policy Change' events on failure should be enabled or disabled as appropriate.CCE-1112)Worksheet: Audit Policy Settings; Row: 39Setting Index #399: The policy setting for this audit category determines whether to audit Filtering Platform Policy changes on computers running Windows Vista or later Windows operating systems. CCE-10082-6dAuditing of 'Audit process tracking' events on failure should be enabled or disabled as appropriate.(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit process tracking (2) WMI: Namespace = root\rsop\computer; Class = RSOP_AuditPolicy; Property = Success, Failure; Where = Category='AuditProcessTracking' and precedence=1CCE-2617)Worksheet: Audit Policy Settings; Row: 63tSetting Index #22: This policy setting determines whether to audit detailed tracking information for process events.< CCE-10088-3iAuditing of 'System: Other System Events' events on failure should be enabled or disabled as appropriate.CCE-337(Worksheet: Audit Policy Settings; Row: 4Setting Index #367: This policy setting in the System audit category determines whether to audit Other System events on computers that are running Windows Vista or later versions of Windows. CCE-10090-9PThe 'Do not allow passwords to be saved' setting should be configured correctly. 
(1) GPO: Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security\Do not allow passwords to be saved (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\DisablePasswordSavingCCE-976-Worksheet: Computer Policy Settings; Row: 201tSetting Index #267: This policy setting helps prevent Terminal Services clients from saving passwords on a computer.*Rule 'do_not_allow_passwords_to_be_saved' 6Definition 'oval:gov.nist.usgcb.windowsseven:def:272' CCE-10092-5eThe 'Require trusted path for credential entry' setting should be enabled or disabled as appropriate.(1) GPO: Computer Configuration\Administrative Templates\Windows Components\Credential User Interface\Require trusted path for credential entry (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\CredUI\EnableSecureCredentialPromptingCCE-255-Worksheet: Computer Policy Settings; Row: 191Setting Index #246: This policy setting determines whether users must first press CTRL+ALT+DEL to establish a trusted path before typing account and password information to log on to computers in the environment. CCE-10093-3]The 'Turn off Windows Update device driver searching' setting should be configured correctly.#(1) GPO: Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off Windows Update device driver searching (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DriverSearching\DontSearchWindowsUpdateCCE-927-Worksheet: Computer Policy Settings; Row: 188Setting Index #243: This policy setting specifies whether Windows will search Windows Update for device drivers when no local drivers for a device are present. 
CCE-10098-2pAuditing of 'Object Access:Handle Manipulation' events on failure should be enabled or disabled as appropriate.CCE-1244)Worksheet: Audit Policy Settings; Row: 23Setting Index #383: This settings determines whether to audit the event of a user who attempts to access an object that has a specified system access control list (SACL), effectively enabling auditing to take place. It is targeted to Handle Manipulation on Windows objects. CCE-10103-0XThe 'Always prompt for password upon connection' setting should be configured correctly.%(1) GPO: Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security\Always prompt for password upon connection (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\fPromptForPasswordCCE-855-Worksheet: Computer Policy Settings; Row: 197Setting Index #270: This policy setting specifies whether Terminal Services always prompts the client computer for a password upon connection.2Rule 'always_prompt_for_password_upon_connection' 6Definition 'oval:gov.nist.usgcb.windowsseven:def:275' CCE-10118-8`Auditing of 'Audit logon events' events on failure should be enabled or disabled as appropriate.(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit logon events (2) WMI: Namespace = root\rsop\computer; Class = RSOP_AuditPolicy; Property = Success, Failure; Where = Category='AuditLogonEvents' and precedence=1CCE-1744)Worksheet: Audit Policy Settings; Row: 59KSetting Index #18: This setting audits and logs logon events as they occur. 
CCE-10129-5RThe Windows Explorer 'Remove Security tab' setting should be configured correctly.(1) GPO: User Configuration\Administrative Templates\Windows Components\Windows Explorer\Remove Security tab (2) Registry Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSecurityTabCCE-1022'Worksheet: User Policy Settings; Row: 7Setting Index #363: This policy setting disables the Security tab on the file and folder properties dialog boxes in Windows Explorer. CCE-10136-0WThe 'Retain old events' setting should be configured correctly for the application log.(1) GPO: Computer Configuration\Administrative Templates\Windows Components\Event Log Service\Application\Retain old events (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\Application\Retain application logCCE-NONE-Worksheet: Computer Policy Settings; Row: 203Setting Index #515 CCE-10140-2\The 'Turn off Search Companion content file updates' setting should be configured correctly.(1) GPO: Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off Search Companion content file updates (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SearchCompanion\DisableContentFileUpdatesCCE-818-Worksheet: Computer Policy Settings; Row: 186Setting Index #241: This policy setting specifies whether Search Companion should automatically download content updates during local and Internet searches.6Rule 'turn_off_search_companion_content_file_updates' 6Definition 'oval:gov.nist.usgcb.windowsseven:def:238' CCE-10144-4aAuditing of 'Audit policy change' events on failure should be enabled or disabled as appropriate. 
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit policy change (2) WMI: Namespace = root\rsop\computer; Class = RSOP_AuditPolicy; Property = Success, Failure; Where = Category='AuditPolicyChange' and precedence=1CCE-2347)Worksheet: Audit Policy Settings; Row: 61Setting Index #20: This policy setting determines whether to audit every incident of a change to user rights assignment policies, Windows Firewall policies, Trust policies, or changes to the Audit policy itself. CCE-10148-5BThe 'Screen Saver timeout' setting should be configured correctly.time in seconds(1) GPO: User Configuration\Administrative Templates\Control Panel\Display\Screen Saver timeout (2) Registry Key: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Control Panel\Desktop\ScreenSaveTimeOutCCE-481(Worksheet: User Policy Settings; Row: 11Setting Index #502: If the Screen Saver Timeout setting is enabled, then the screen saver will be launched when the specified amount of time has passed since the last user action.Rule 'screen_saver_timeout' CCE-10154-3NThe 'Do not process the run once list' setting should be configured correctly.(1) GPO: Computer Configuration\Administrative Templates\System\Logon\Do not process the run once list (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisableLocalMachineRunOnceCCE-583-Worksheet: Computer Policy Settings; Row: 176^Setting Index #231: This policy setting controls the default behavior of the AutoPlay setting. 
CCE-10156-8VThe 'Maximum Log Size (KB)' setting should be configured correctly for the system log.size in kilobytes(1) GPO: Computer Configuration\Administrative Templates\Windows Components\Event Log Service\System\Maximum Log Size (KB) (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\System\MaxSize-Worksheet: Computer Policy Settings; Row: 206Setting Index #507: This policy requires Windows Vista or later versions of Windows, it specifies the maximum size of the log file in kilobytes.Rule 'maximum_system_log_size' 6Definition 'oval:gov.nist.usgcb.windowsseven:def:268' CCE-10166-7bThe 'Do not preserve zone information in file attachments' setting should be configured correctly.(1) GPO: User Configuration\Administrative Templates\Windows Components\Attachment Manag< er\Do not preserve zone information in file attachments (2) Registry Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments\SaveZoneInformationCCE-12'Worksheet: User Policy Settings; Row: 3Setting Index #280: This policy setting allows you to manage whether Windows marks file attachments from Internet Explorer or Microsoft Outlook Express with information about their zone of origin (such as restricted, Internet, intranet, or local). ;Rule 'do_not_preserve_zone_information_in_the_attachments' CCE-10169-1fAuditing of 'Audit account management' events on failure should be enabled or disabled as appropriate.(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit account management (2) WMI: Namespace = root\rsop\computer; Class = RSOP_AuditPolicy; Property = Success, Failure; Where = Category='AuditAccountManage' and precedence=1CCE-1646)Worksheet: Audit Policy Settings; Row: 57pSetting Index #16: This policy setting determines whether to audit each account management event on a computer. CCE-10175-8aAuditing of 'Audit privilege use' events on failure should be enabled or disabled as appropriate. 
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit privilege use (2) WMI: Namespace = root\rsop\computer; Class = RSOP_AuditPolicy; Property = Success, Failure; Where = Category='AuditPrivilegeUse' and precedence=1CCE-2584)Worksheet: Audit Policy Settings; Row: 62tSetting Index #21: This policy setting determines whether to audit each instance of a user exercising a user right. CCE-10181-6WThe 'RPC Endpoint Mapper Client Authentication' setting should be configured correctly.(1) GPO: Computer Configuration\Administrative Templates\System\Remote Procedure Call\RPC Endpoint Mapper Client Authentication (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Rpc\EnableAuthEpResolutionCCE-145-Worksheet: Computer Policy Settings; Row: 181Setting Index #236: This policy setting allows client computers that communicate with this computer to be forced to provide authentication before an RPC communication is established.1Rule 'rpc_endpoint_mapper_client_authentication' 6Definition 'oval:gov.nist.usgcb.windowsseven:def:252' CCE-10183-2[The 'Prevent the computer from joining a homegroup' setting should be configured correctly.(1) GPO: Computer Configuration\Administrative Templates\Windows Components\HomeGroup\Prevent the computer from joining a homegroup (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\HomeGroup\DisableHomeGroup-Worksheet: Computer Policy Settings; Row: 208GSetting Index #932: Controls if a computer can be joined to a HomeGroup5Rule 'prevent_the_computer_from_joining_a_homegroup' 6Definition 'oval:gov.nist.usgcb.windowsseven:def:271' CCE-10205-3pThe 'Reschedule Automatic Updates scheduled installations' setting should be enabled or disabled as appropriate.(1) GPO: Computer Configuration\Administrative Templates\Windows Components\Windows Update\Reschedule Automatic Updates scheduled installations (2) Registry Key: 
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU\RescheduleWaitTimeEnabledCCE-804-Worksheet: Computer Policy Settings; Row: 195Setting Index #277: This policy setting determines the amount of time before previously scheduled Automatic Update installations will proceed after system startup. <Rule 'reschedule_automatic_updates_scheduled_installations' 9Definition 'oval:gov.nist.usgcb.windowsseven:def:100214' CCE-10490-1HThe 'Remove CD Burning features' setting should be configured correctly.(1) GPO: User Configuration\Administrative Templates\Windows Components\ Windows Explorer\Remove CD Burning features (2) Registry Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoCDBurningCCE-113'Worksheet: User Policy Settings; Row: 6Setting Index #362: This policy setting removes the built-in Windows Vista features that allow users to burn CDs through Windows Explorer. CCE-8235-4uThe BitLocker 'Allow data recovery agent' setting should be enabled or disabled as appropriate for fixed data drives.(1) GPO: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives\s2-o1\Allow data recovery agent (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\FDVManageDRA,Worksheet: Bitlocker Policy Settings; Row: 8Setting Index #1040: This is a setting option. 
Refer to the following parent setting for additional information: Choose how BitLocker-protected fixed data drives can be recovered CCE-8242-0The 'Configure user storage of BitLocker 48-digit recovery password' setting should be configured correctly for fixed data drives.allowed/required/not allowed(1) GPO: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives\s2-o2\Configure user storage of BitLocker 48-digit recovery password (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\FDVRecoveryPassword,Worksheet: Bitlocker Policy Settings; Row: 9Setting Index #1050: This is a setting option. Refer to the following parent setting for additional information: Choose how BitLocker-protected fixed data drives can be recovered?http://technet.microsoft.com/en-us/library/ee706521(WS.10).aspx CCE-8278-4The 'Choose how BitLocker-protected operating system drives can be recovered' setting should be enabled or disabled as appropriate.(1) GPO: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives\s2-o0\Choose how BitLocker-protected operating system drives can be recovered (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\OSRecovery-Worksheet: Bitlocker Policy Settings; Row: 23Setting Index #852: CCE-8284-2oThe BitLocker 'Configure TPM platform validation profile' setting should be enabled or disabled as appropriate.(1) GPO: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives\s4-o0\Configure TPM platform validation profile (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\PlatformValidation\Enabled-Worksheet: Bitlocker Policy Settings; Row: 32Setting Index #862: CCE-8299-0Validation of the 'Boot Manager' Platform Configuration Register (aka PCR 10) by the Trusted Platform Module (TPM) should be enabled or disabled as appropriate.(1) GPO: 
Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives\s4-o11\PCR 10: Boot Manager (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\PlatformValidation\10-Worksheet: Bitlocker Policy Settings; Row: 35Setting Index #873: This is a setting option. Refer to the following parent setting for additional information: Configure TPM platform validation profile CCE-8301-4Validation of the 'Reserved for Future Use' Platform Configuration Register (aka PCR 14) by the Trusted Platform Module (TPM) should be enabled or disabled as appropriate.(1) GPO: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives\s4-o15\PCR 14: Reserved for Future Use (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\PlatformValidation\14-Worksheet: Bitlocker Policy Settings; Row: 39Setting Index #877: This is a setting option. Refer to the following parent setting for additional information: Configure TPM platform validation profile CCE-8303-0sThe BitLocker 'Require additional authentication at startup' setting should be enabled or disabled as appropriate.. 
(1) GPO: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives\s5-o0\Require additional authentication at startup (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\UseAdvancedStartup-Worksheet: Bitlocker Policy Sett< ings; Row: 57Setting Index #887: CCE-8309-7Use of a Trusted Platform Module (TPM) startup key for operating system drives encrypted with BitLocker should be configured correctly.(1) GPO: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives\s5-o4\Configure TPM startup key (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\UseTPMKey-Worksheet: Bitlocker Policy Settings; Row: 61Setting Index #891: This is a setting option. Refer to the following parent setting for additional information: Require additional authentication at startup CCE-8370-9bThe BitLocker 'Select the encryption method' setting should be enabled or disabled as appropriate.(1) GPO: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\s2-o2\Select the encryption method (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\EncryptionMethod-Worksheet: Bitlocker Policy Settings; Row: 85Setting Index #821: This is a setting option. Refer to the following parent setting for additional information: Choose drive encryption method and cipher strength CCE-8405-3The BitLocker 'Do not allow write access to devices configured in another organization' setting should be configured correctly. (1) GPO: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives\s6-o1\Do not allow write access to devices configured in another organization (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\RDVDenyCrossOrg-Worksheet: Bitlocker Policy Settings; Row: 83Setting Index #917: This is a setting option. 
Refer to the following parent setting for additional information: Deny write access to removable data drives not protected by BitLocker CCE-8407-9aAuditing of 'Audit system events' events on success should be enabled or disabled as appropriate. (1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit system events (2) WMI: Namespace = root\rsop\computer; Class = RSOP_AuditPolicy; Property = Success, Failure; Where = Category='AuditSystemEvents' and precedence=1CCE-2420)Worksheet: Audit Policy Settings; Row: 64Setting Index #23: This policy setting allows you to monitor system events that succeed and fail, and provides a record of these events that may help determine instances of unauthorized system access. CCE-8414-5YThe 'Bypass traverse checking' user right should be assigned to the appropriate accounts.list of accounts!(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Bypass traverse checking (2) WMI: Namespace = root\rsop\computer; Class = RSOP_UserPrivilegeRight; Property = AccountList; Where = UserRight='SeChangeNotifyPrivilege' and precedence=1CCE-376,Worksheet: Computer Policy Settings; Row: 11Setting Index #31: This policy setting allows users who do not have the special "Traverse Folder" access permission to "pass through" folders when they browse an object path in the NTFS file system or the registry. 
Rule 'bypass_traverse_checking' 5Definition 'oval:gov.nist.usgcb.windowsseven:def:16' CCE-8415-2The 'Configure user storage of BitLocker 48-digit recovery password' setting should be configured correctly for removable data drives.(1) GPO: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives\s2-o2\Configure user storage of BitLocker 48-digit recovery password (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\RDVRecoveryPassword-Worksheet: Bitlocker Policy Settings; Row: 67Setting Index #901: This is a setting option. Refer to the following parent setting for additional information: Choose how BitLocker-protected removable data drives can be recovered CCE-8417-8~The 'Configure user storage of BitLocker 256-digit recovery key' setting should be configured correctly for fixed data drives.(1) GPO: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives\s2-o3\Configure user storage of BitLocker 256-digit recovery key (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\FDVRecoveryKey-Worksheet: Bitlocker Policy Settings; Row: 10Setting Index #1037: This is a setting option. 
Refer to the following parent setting for additional information: Choose how BitLocker-protected fixed data drives can be recovered CCE-8423-6UThe 'Change the time zone' user right should be assigned to the appropriate accounts.(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Change the time zone (2) WMI: Namespace = root\rsop\computer; Class = RSOP_UserPrivilegeRight; Property = AccountList; Where = UserRight='SeTimeZonePrivilege' and precedence=1CCE-470,Worksheet: Computer Policy Settings; Row: 36`Setting Index #33: This setting determines which users can change the time zone of the computer.Rule 'change_the_time_zone' 5Definition 'oval:gov.nist.usgcb.windowsseven:def:18' CCE-8431-9VThe 'Create global objects' user right should be assigned to the appropriate accounts.(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Create global objects (2) WMI: Namespace = root\rsop\computer; Class = RSOP_UserPrivilegeRight; Property = AccountList; Where = UserRight='SeCreateGlobalPrivilege' and precedence=1CCE-383,Worksheet: Computer Policy Settings; Row: 15Setting Index #36: This policy setting determines whether users can create global objects that are available to all sessions. 
Users can still create objects that are specific to their own session if they do not have this user right.Rule 'create_global_objects' 5Definition 'oval:gov.nist.usgcb.windowsseven:def:21' CCE-8460-8VThe 'Create symbolic links' user right should be assigned to the appropriate accounts.$(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Create symbolic links (2) WMI: Namespace = root\rsop\computer; Class = RSOP_UserPrivilegeRight; Property = AccountList; Where = UserRight='SeCreateSymbolicLinkPrivilege' and precedence=1CCE-1176,Worksheet: Computer Policy Settings; Row: 37XSetting Index #38: This policy setting determines which users can create symbolic links.Rule 'create_symbolic_links' 5Definition 'oval:gov.nist.usgcb.windowsseven:def:23' CCE-8467-3jThe 'Impersonate a client after authentication' user right should be assigned to the appropriate accounts.1(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Impersonate a client after authentication (2) WMI: Namespace = root\rsop\computer; Class = RSOP_UserPrivilegeRight; Property = AccountList; Where = UserRight='SeImpersonatePrivilege' and precedence=1CCE-304,Worksheet: Computer Policy Settings; Row: 21Setting Index #48: The policy setting allows programs that run on behalf of a user to impersonate that user (or another specified account) so that they can act on behalf of the user.1Rule 'impersonate_a_client_after_authentication' 5Definition 'oval:gov.nist.usgcb.windowsseven:def:32' CCE-8475-6aThe 'Perform volume maintenance tasks' user right should be assigned to the appropriate accounts.)(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Perform volume maintenance tasks (2) WMI: Namespace = root\rsop\computer; Class = RSOP_UserPrivilegeRight; Property = AccountList; Where = UserRight='SeManageVolumePrivilege' and precedence=1CCE-314,Worksheet: Computer 
Policy Settings; Row: 28Setting Index #57: This policy setting allows users to manage the system's volume or disk configuration, which could allow a user to delete a volume and cause data loss as well as a denial-of-service condition.)Rule 'perform_volume_maintainance_tasks' 5Definition 'oval:gov.nist.usgcb.windowsseven:def:42' CCE-8483-0Validation of the 'Computer Manufacturer-Specific' Platform Configuration Register (aka PCR 7) by the Trusted Platform Module (TPM) should be enabled or disabled as appropriate.(1) GPO: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives\s4-o8\PCR 7: Computer Manufacturer-Specific (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\PlatformValidation\7-Worksheet: Bitlocker Policy Settings; Row: 55Setting Index #870: This is a setting option. Refer to the following parent setting for additional information: Configure TPM platform validation profile CCE-8484-8?The built-in Administrator account should be correctly named. 
account name(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Accounts: Rename administrator accountCCE-438,Worksheet: Computer Policy Settings; Row: 51jSetting Index #69: This policy setting provides the ability to change the default administrator user name.-Rule 'accounts_rename_administrator_account' 5Definition 'oval:gov.nist.usgcb.windowsseven:def:53' CCE-8487-1The 'Interactive logon: Number of previous logons to cache (in case domain controller is not available)' setting should be configured correctly.number of logons3(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Number of previous logons to cache (in case domain controller is not available) (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\cachedlogonscountCCE-773,Worksheet: Computer Policy Settings; Row: 78Setting Index #97: This policy setting determines whether a user can log on to a Windows domain using cached account information.eRule 'interactive_logon_number_of_previous_logons_to_cache_in_case_domain_controller_is_unavailable' 5Definition 'oval:gov.nist.usgcb.windowsseven:def:73' CCE-8493-9Validation of the 'Reserved for Future Use' Platform Configuration Register (aka PCR 12) by the Trusted Platform Module (TPM) should be enabled or disabled as appropriate.(1) GPO: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives\s4-o13\PCR 12: Reserved for Future Use (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\PlatformValidation\12-Worksheet: Bitlocker Policy Settings; Row: 37Setting Index #875: This is a setting option. 
Refer to the following parent setting for additional information: Configure TPM platform validation profile CCE-8496-2Validation of the 'Core Root of Trust of Measurement (CRTM), BIOS, and Platform Extensions' Platform Configuration Register (aka PCR 0) by the Trusted Platform Module (TPM) should be enabled or disabled as appropriate..(1) GPO: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives\s4-o1\PCR 0: Core Root of Trust of Measurement (CRTM), BIOS, and Platform Extensions (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\PlatformValidation\0-Worksheet: Bitlocker Policy Settings; Row: 33Setting Index #863: This is a setting option. Refer to the following parent setting for additional information: Configure TPM platform validation profile CCE-8503-5oThe 'Microsoft network server: Server SPN target name validation level' setting should be configured correctly.5Off/Accept if provided by client/Required from client (1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft network server: Server SPN target name validation level (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\SMBServerNameHardeningLevelCCE-278,Worksheet: Computer Policy Settings; Row: 92Setting Index #108: This policy setting controls the level of validation a computer with shared folders or printers performs on the service principal name provided by the client computer when it establishes a session using the server message block (SMB) protocolHRule 'microsoft_network_server_server_spn_target_name_validation_level' CCE-8513-4~The 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' setting should be configured correctly.(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated 
routes (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\EnableICMPRedirectCCE-150,Worksheet: Computer Policy Settings; Row: 96Setting Index #115: The entry appears as MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes in the SCE.URule 'mss_enableicmpredirect_allow_icmp_redirects_to_override_ospf_generated_routes' 6Definition 'oval:gov.nist.usgcb.windowsseven:def:127' CCE-8517-5Validation of the 'Reserved for Future Use' Platform Configuration Register (aka PCR 21) by the Trusted Platform Module (TPM) should be enabled or disabled as appropriate.(1) GPO: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives\s4-o22\PCR 21: Reserved for Future Use (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\PlatformValidation\21-Worksheet: Bitlocker Policy Settings; Row: 47Setting Index #884: This is a setting option. Refer to the following parent setting for additional information: Configure TPM platform validation profile CCE-8525-8QRights to activate or launch DCOM applications should be assigned as appropriate.h(1) users and/or groups (2) allow/deny (3) local launch/remote launch/local activation/remote activation((1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax (2) Registry Key: HKEY_LOCAL_MACHINE\Software\policies\Microsoft\windows NT\DCOM\MachineLaunchRestrictionCCE-740,Worksheet: Computer Policy Settings; Row: 64Setting Index #76: This policy setting determines which users or groups might launch or activate DCOM applications remotely or locally. 
CCE-8530-8Validation of the 'Reserved for Future Use' Platform Configuration Register (aka PCR 15) by the Trusted Platform Module (TPM) should be enabled or disabled as appropriate.(1) GPO: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives\s4-o16\PCR 15: Reserved for Future Use (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\PlatformValidation\15-Worksheet: Bitlocker Policy Settings; Row: 40Setting Index #878: This is a setting option. Refer to the following parent setting for additional information: Configure TPM platform validation profile CCE-8535-7Validation of the 'Master Boot Record (MBR) Code' Platform Configuration Register (aka PCR 4) by the Trusted Platform Module (TPM) should be enabled or disabled as appropriate.(1) GPO: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives\s4-o5\PCR 4: Master Boot Record (MBR) Code (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\PlatformValidation\4-Worksheet: Bitlocker Policy Settings; Row: 52Setting Index #867: This is a setting option. Refer to the following parent setting for additional information: Configure TPM platform validation profile CCE-8538-1kThe BitLocker 'Require use of smart cards on removable data drives' setting should be configured correctly.(1) GPO: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives\s4-o1\Require use of smart cards on removable data drives (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\RDVEnforceUserCert-Worksheet: Bitlocker Policy Settings; Row: 78Setting Index #912: This is a setting option. 
Refer to the following parent setting for additional information: Configure use of smart cards on removable data drives CCE-8540-7kThe BitLocker 'Configure password complexity for fixed data drives' setting should be configured correctly.(1) GPO: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives\s3-o2\Configure password complexity for fixed data drives (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\FDVPassphraseComplexity-Worksheet: Bitlocker Policy Settings; Row: 17Setting Index #846: This is a setting option. Refer to the following parent setting for additional information: Configure use of passwords for fixed data drives CCE-8541-5uThe 'Interactive logon: Display user information when the session is locked.' setting should be configured correctly."(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Display user information when the session is locked. (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLockedUserId-Worksheet: Computer Policy Settings; Row: 142Setting Index #918: CCE-8546-4Use of a Trusted Platform Module (TPM) startup PIN for operating system drives encrypted with BitLocker should be configured correctly.(1) GPO: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives\s5-o3\Configure TPM startup PIN (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\UseTPMPIN-Worksheet: Bitlocker Policy Settings; Row: 60Setting Index #890: This is a setting option. 
Refer to the following parent setting for additional information: Require additional authentication at startup CCE-8553-0yThe 'Omit recovery options from the BitLocker setup wizard' setting should be configured correctly for fixed data drives.(1) GPO: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives\s2-o4\Omit recovery options from the BitLocker setup wizard (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\FDVHideRecoveryPage-Worksheet: Bitlocker Policy Settings; Row: 11Setting Index #840: This is a setting option. Refer to the following parent setting for additional information: Choose how BitLocker-protected fixed data drives can be recovered CCE-8560-5The 'MSS: (Hidden) Hide Computer From the Browse List (not recommended except for highly secure environments)' setting should be configured correctly.2(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\MSS: (Hidden) Hide Computer From the Browse List (not recommended except for highly secure environments) (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Lanmanserver\Parameters\HiddenCCE-139,Worksheet: Computer Policy Settings; Row: 97Setting Index #116: The registry value entry appears as MSS: (Hidden) Hide Computer From the Browse List (not recommended except for highly secure environments) in the SCE.6Rule 'mss_hidden_hide_computer_from_the_browser_list' CCE-8562-1The 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' setting should be configured correctly.B(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netbt\Parameters\NoNameReleaseOnDemandCCE-817-Worksheet: Computer 
Policy Settings; Row: 100Setting Index #120: The registry value entry appears as MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers in the SCE.pRule 'mss_nonamereleaseondemand_allow_computer_to_ignore_netbios_name_release_requests_except_from_wins_server' 6Definition 'oval:gov.nist.usgcb.windowsseven:def:132' CCE-8581-1zThe BitLocker 'Provide the unique identifiers for your organization' setting should be enabled or disabled as appropriate.(1) GPO: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\s5-o0\Provide the unique identifiers for your organization (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\IdentificationField-Worksheet: Bitlocker Policy Settings; Row: 87Setting Index #826: CCE-8583-7OThe 'Debug programs' user right should be assigned to the appropriate accounts.(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Debug programs (2) WMI: Namespace = root\rsop\computer; Class = RSOP_UserPrivilegeRight; Property = AccountList; Where = UserRight='SeDebugPrivilege' and precedence=1CCE-842,Worksheet: Computer Policy Settings; Row: 17Setting Index #39: This policy setting determines which user accounts will have the right to attach a debugger to any process or to the kernel, which provides complete access to sensitive and critical operating system components.Rule 'debug_programs' 5Definition 'oval:gov.nist.usgcb.windowsseven:def:24' CCE-8587-8Validation of the 'Reserved for Future Use' Platform Configuration Register (aka PCR 17) by the Trusted Platform Module (TPM) should be enabled or disabled as appropriate.(1) GPO: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives\s4-o18\PCR 17: Reserved for Future Use (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\PlatformValidation\17-Worksheet: Bitlocker 
Policy Settings; Row: 42Setting Index #880: This is a setting option. Refer to the following parent setting for additional information: Configure TPM platform validation profile CCE-8588-6The 'Configure user storage of BitLocker 48-digit recovery password' setting should be configured correctly for operating system drives.(1) GPO: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives\s2-o2\Configure user storage of BitLocker 48-digit recovery password (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\OSRecoveryPassword-Worksheet: Bitlocker Policy Settings; Row: 25Setting Index #854: This is a setting option. Refer to the following parent setting for additional information: Choose how BitLocker-protected operating system drives can be recovered CCE-8591-0The time in seconds before the screen saver grace period expires (ScreenSaverGracePeriod) setting should be configured correctly.number of secondsD(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended) (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ScreenSaverGracePeriodCCE-830-Worksheet: Computer Policy Settings; Row: 104Setting Index #124: The entry appears as MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended) in the SCE.cRule 'mss_screensavergraceperiod_the_time_in_seconds_before_the_screen_saver_grace_period_expires' 6Definition 'oval:gov.nist.usgcb.windowsseven:def:136' CCE-8595-1}The 'Omit recovery options from the BitLocker setup wizard' setting should be configured correctly for removable data drives.(1) GPO: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives\s2-o4\Omit recovery options from the BitLocker 
setup wizard (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\RDVHideRecoveryPage-Worksheet: Bitlocker Policy Settings; Row: 69Setting Index #903: This is a setting option. Refer to the following parent setting for additional information: Choose how BitLocker-protected removable data drives can be recovered CCE-8612-4WThe 'Change the system time' user right should be assigned to the appropriate accounts.(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Change the system time (2) WMI: Namespace = root\rsop\computer; Class = RSOP_UserPrivilegeRight; Property = AccountList; Where = UserRight='SeSystemtimePrivilege' and precedence=1CCE-799,Worksheet: Computer Policy Settings; Row: 12Setting Index #32: This policy setting determines which users and groups can change the time and date on the internal clock of the computers in your environment.Rule 'change_the_system_time' 5Definition 'oval:gov.nist.usgcb.windowsseven:def:17' CCE-8613-2|The 'Choose how BitLocker-protected removable drives can be recovered' setting should be enabled or disabled as appropriate.(1) GPO: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives\s2-o0\Choose how BitLocker-protected removable drives can be recovered (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\RDVRecovery-Worksheet: Bitlocker Policy Settings; Row: 65Setting Index #899: CCE-8648-8{The BitLocker 'Configure use of smart cards on removable data drives' setting should be enabled or disabled as appropriate.(1) GPO: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives\s4-o0\Configure use of smart cards on removable data drives (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\RDVAllowUserCert-Worksheet: Bitlocker Policy Settings; Row: 77Setting Index #911: CCE-8651-2Validation of the 'Platform and 
Motherboard Configuration and Data' Platform Configuration Register (aka PCR 1) by the Trusted Platform Module (TPM) should be enabled or disabled as appropriate.(1) GPO: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives\s4-o2\PCR 1: Platform and Motherboard Configuration and Data (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\PlatformValidation\1-Worksheet: Bitlocker Policy Settings; Row: 44Setting Index #864: This is a setting option. Refer to the following parent setting for additional information: Configure TPM platform validation profile CCE-8653-8Validation of the 'Reserved for Future Use' Platform Configuration Register (aka PCR 22) by the Trusted Platform Module (TPM) should be enabled or disabled as appropriate.(1) GPO: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives\s4-o23\PCR 22: Reserved for Future Use (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\PlatformValidation\22-Worksheet: Bitlocker Policy Settings; Row: 48Setting Index #885: This is a setting option. 
Refer to the following parent setting for additional information: Configure TPM platform validation profile CCE-8654-6The 'Network access: Do not allow storage of passwords and credentials for network authentication' setting should be configured correctly.(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Do not allow storage of passwords and credentials for network authentication (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\DisableDomainCredsCCE-542-Worksheet: Computer Policy Settings; Row: 109uSetting Index #132: This policy setting controls authentication credential storage and passwords on the local system.cRule 'network_access_do_not_allow_storage_of_passwords_and_credentials_for_network_authentication' 5Definition 'oval:gov.nist.usgcb.windowsseven:def:88' CCE-8655-3The 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' setting should be configured correctly.6allowed/ignored when IP forwarding is enabled/disabled~(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing) (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip6\Parameters\DisableIPSourceRouting (3) WMI: Namespace = Windows XP; Class = ; Property = ; Where = -Worksheet: Computer Policy Settings; Row: 140Setting Index #521: The entry appears as MSS: (DisableIPSourceRouting) IPv6 source routing protection level (protects against packet spoofing) in the SCE.IRule 'mss_disableipsourceroutingipv6_ip_source_routing_protection_level' CCE-8673-6]The BitLocker 'Require password for fixed data drive' setting should be configured correctly.(1) GPO: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives\s3-o1\Require password for fixed data 
drive (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\FDVEnforcePassphrase-Worksheet: Bitlocker Policy Settings; Row: 16Setting Index #845: This is a setting option. Refer to the following parent setting for additional information: Configure use of passwords for fixed data drives CCE-8683-5aThe BitLocker 'Require password for removable data drive' setting should be configured correctly.(1) GPO: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives\s3-o1\Require password for removable data drive (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\RDVEnforcePassphrase-Worksheet: Bitlocker Policy Settings; Row: 74Setting Index #908: This is a setting option. Refer to the following parent setting for additional information: Configure use of passwords for removable data drives CCE-8688-4The minimum number of characters required for the BitLocker startup PIN used with the Trusted Platform Module (TPM) should be set correctly.number of characters(1) GPO: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives\s3-o1\Minimum characters: (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\MinimumPIN-Worksheet: Bitlocker Policy Settings; Row: 31Setting Index #861: This is a setting option. Refer to the following parent setting for additional information: Configure minimum PIN length for startup CCE-8701-5The 'Configure user storage of BitLocker 256-digit recovery key' setting should be configured correctly for removable data drives.(1) GPO: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives\s2-o3\Configure user storage of BitLocker 256-digit recovery key (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\RDVRecoveryKey-Worksheet: Bitlocker Policy Settings; Row: 68Setting Index #902: This is a setting option. 
Refer to the following parent setting for additional information: Choose how BitLocker-protected removable data drives can be recovered CCE-8703-1Validation of the 'State Transition and Wake Events' Platform Configuration Register (aka PCR 6) by the Trusted Platform Module (TPM) should be enabled or disabled as appropriate.(1) GPO: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives\s4-o7\PCR 6: State Transition and Wake Events (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\PlatformValidation\6-Worksheet: Bitlocker Policy Settings; Row: 54Setting Index #869: This is a setting option. Refer to the following parent setting for additional information: Configure TPM platform validation profile CCE-8714-8LThe 'Accounts: Guest account status' setting should be configured correctly.(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Accounts: Guest account statusCCE-332,Worksheet: Computer Policy Settings; Row: 55dSetting Index #67: This policy setting determines whether the Guest account is enabled or disabled. 
%Rule 'accounts_guest_account_status' 5Definition 'oval:gov.nist.usgcb.windowsseven:def:51' CCE-8719-7jThe 'Deny write access to fixed drives not protected by BitLocker' setting should be configured correctly.$(1) GPO: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives\s5-o0\Deny write access to fixed drives not protected by BitLocker (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Policies\Microsoft\FVE\FDVDenyWriteAccess-Worksheet: Bitlocker Policy Settings; Row: 21Setting Index #850: CCE-8721-3iThe BitLocker 'Configure use of smart cards on fixed data drives' setting should be configured correctly.(1) GPO: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives\s4-o0\Configure use of smart cards on fixed data drives (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\FDVAllowUserCert-Worksheet: Bitlocker Policy Settings; Row: 19Setting Index #848: CCE-8732-0^The 'Replace a process level token' user right should be assigned to the appropriate accounts.,(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Replace a process level token (2) WMI: Namespace = root\rsop\computer; Class = RSOP_UserPrivilegeRight; Property = AccountList; Where = UserRight='SeAssignPrimaryTokenPrivilege' and precedence=1CCE-667,Worksheet: Computer Policy Settings; Row: 32Setting Index #61: This policy setting allows one process or service to start another service or process with a different security access token, which can be used to modify the security access token of that sub-process and result in the escalation of privileges.%Rule 'replace_a_process_level_token' 5Definition 'oval:gov.nist.usgcb.windowsseven:def:46' CCE-8740-3mThe 'Interactive logon: Message title for users attempting to log on' setting should be configured correctly.string(1) GPO: Computer Configuration\Windows 
Settings\Security Settings\Local Policies\Security Options\Interactive logon: Message title for users attempting to log on (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeCaptionCCE-23,Worksheet: Computer Policy Settings; Row: 83Setting Index #96: This policy setting allows text to be specified in the title bar of the window that users see when they log on to the system.FRule 'interactive_logon_message_title_for_users_attempting_to_log_on' 5Definition 'oval:gov.nist.usgcb.windowsseven:def:72' CCE-8743-7The 'Configure storage of BitLocker recovery information to AD DS' setting should be configured correctly for fixed data drives.RBackup recovery passwords and key packages/Backup recovery passwords only/disabled(1) GPO: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives\s2-o6\Configure storage of BitLocker recovery information to AD DS (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\FDVActiveDirectoryInfoToStore-Worksheet: Bitlocker Policy Settings; Row: 13Setting Index #842: This is a setting option. Refer to the following parent setting for additional information: Choose how BitLocker-protected fixed data drives can be recovered CCE-8745-2xThe 'Choose how BitLocker-protected fixed drives can be recovered' setting should be enabled or disabled as appropriate. 
(1) GPO: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives\s2-o0\Choose how BitLocker-protected fixed drives can be recovered (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\FDVRecovery,Worksheet: Bitlocker Policy Settings; Row: 7Setting Index #1035: CCE-8751-0Validation of the 'NTFS Boot Sector' Platform Configuration Register (aka PCR 8) by the Trusted Platform Module (TPM) should be enabled or disabled as appropriate.(1) GPO: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives\s4-o9\PCR 8: NTFS Boot Sector (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\PlatformValidation\8-Worksheet: Bitlocker Policy Settings; Row: 56Setting Index #871: This is a setting option. Refer to the following parent setting for additional information: Configure TPM platform validation profile CCE-8759-3The 'Do not enable BitLocker until recovery information is stored to AD DS for operating system drives' setting should be configured correctly.K(1) GPO: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives\s2-o7\Do not enable BitLocker until recovery information is stored to AD DS for operating system drives (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\OSRequireActiveDirectoryBackup-Worksheet: Bitlocker Policy Settings; Row: 30Setting Index #859: This is a setting option. 
Refer to the following parent setting for additional information: Choose how BitLocker-protected operating system drives can be recovered CCE-8784-1The 'MSS: (NtfsDisable8dot3NameCreation) Enable the computer to stop generating 8.3 style filenames (recommended)' setting should be configured correctly.>(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\MSS: (NtfsDisable8dot3NameCreation) Enable the computer to stop generating 8.3 style filenames (recommended) (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\FileSystem\NtfsDisable8dot3NameCreationCCE-511-Worksheet: Computer Policy Settings; Row: 101Setting Index #121: This registry value entry appears as MSS: (NtfsDisable8dot3NameCreation) Enable the computer to stop generating 8.3 style filenames (recommended) in the SCE. CCE-8787-4Validation of the 'Options ROM Code'' Platform Configuration Register (aka PCR 2) by the Trusted Platform Module (TPM) should be enabled or disabled as appropriate.(1) GPO: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives\s4-o3\PCR 2: Options ROM Code (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\PlatformValidation\2-Worksheet: Bitlocker Policy Settings; Row: 50Setting Index #865: This is a setting option. 
Refer to the following parent setting for additional information: Configure TPM platform validation profile CCE-8789-0bThe 'Audit: Audit the use of Backup and Restore privilege' setting should be configured correctly.(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Audit: Audit the use of Backup and Restore privilege (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\fullprivilegeauditingCCE-905,Worksheet: Computer Policy Settings; Row: 60Setting Index #72: This policy setting determines whether to audit the use of all user privileges, including Backup and Restore, when the Audit privilege use setting is in effect.;Rule 'audit_audit_the_use_of_backup_and_restore_privilege' 5Definition 'oval:gov.nist.usgcb.windowsseven:def:56' CCE-8791-6LThe default folder for BitLocker recovery passwords should be set correctly. folder path(1) GPO: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\s1-o1\Configure the default folder path: (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\DefaultRecoveryFolderPath-Worksheet: Bitlocker Policy Settings; Row: 84Setting Index #819: This is a setting option. 
Refer to the following parent setting for additional information: Choose default folder for recovery password CCE-8804-7gThe 'Network security: Allow LocalSystem NULL session fallback' setting should be configured correctly.(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Allow LocalSystem NULL session fallback (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\-Worksheet: Computer Policy Settings; Row: 143WSetting Index #919: Allow NTLM to fall back to NULL session when used with LocalSystem.@Rule 'network_security_allow_localsystem_null_session_fallback' CCE-8806-2`The 'Network security: LAN Manager authentication level' setting should be configured correctly.authentication level(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network security: LAN Manager authentication level (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevelCCE-719-Worksheet: Computer Policy Settings; Row: 117Setting Index #142: This policy setting specifies the type of challenge/response authentication for network logons. LAN Manager (LM) authentication is the least secure method; it allows encrypted passwords to be cracked because they can be easily intercepted on the network. 
8Rule 'network_security_lanmanager_authentication_level' 6Definition 'oval:gov.nist.usgcb.windowsseven:def:102' CCE-8807-0dThe 'Recovery console: Allow automatic administrative logon' setting should be configured correctly.(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Recovery console: Allow automatic administrative logon (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\securitylevelCCE-410-Worksheet: Computer Policy Settings; Row: 120Setting Index #146: This policy setting allows the administrator account to automatically log on to the recovery console when it is invoked during startup.>Rule 'recovery_console_allow_automatic_administratiive_logon' 6Definition 'oval:gov.nist.usgcb.windowsseven:def:106' CCE-8811-2~The 'User Account Control: Admin Approval Mode for the Built-in Administrator account' setting should be configured correctly.,(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control: Admin Approval Mode for the Built-in Administrator account (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorTokenCCE-1078-Worksheet: Computer Policy Settings; Row: 127Setting Index #157: This policy setting configures whether the built-in Administrator account runs in Admin Approval Mode. 
The default behavior varies because Windows Vista configures the built-in Administrator account depending on specific installation criteria.WRule 'user_account_control_admin_approval_mode_for_the_built_in_administrator_account' 6Definition 'oval:gov.nist.usgcb.windowsseven:def:113' CCE-8813-8wThe 'User Account Control: Behavior of the elevation prompt for standard users' setting should be configured correctly.<Prompt for credentials/Automatically deny elevation requests&(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control: Behavior of the elevation prompt for standard users (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUserCCE-1067-Worksheet: Computer Policy Settings; Row: 129Setting Index #159: This setting determines the behavior of Windows Vista when a logged on user attempts to complete a task that requires raised privileges. PRule 'user_account_control_behavior_of_the_elevation_prompt_for_standard_users' 6Definition 'oval:gov.nist.usgcb.windowsseven:def:115' CCE-8817-9The 'User Account Control: Virtualize file and registry write failures to per-user locations' setting should be configured correctly./(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control: Virtualize file and registry write failures to per-user locations (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualizationCCE-673-Worksheet: Computer Policy Settings; Row: 135 Setting Index #165: This setting allows the user to create specific locations where the virtualization of file and registry write failures can be stored. This setting is specific to UAC compatibility. 
See the security guides for more information about this setting.^Rule 'user_account_control_virtualize_file_and_registry_write_failures_to_per_user_locations' 6Definition 'oval:gov.nist.usgcb.windowsseven:def:121' CCE-8818-7The 'Interactive logon: Require Domain Controller authentication to unlock workstation' setting should be configured correctly.!(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Require Domain Controller authentication to unlock workstation (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ForceUnlockLogonCCE-374,Worksheet: Computer Policy Settings; Row: 80Setting Index #99: When this policy setting is enabled, a domain controller must authenticate the domain account used to unlock the computer.XRule 'interactive_logon_require_domain_controller_authentication_to_unlock_workstation' 5Definition 'oval:gov.nist.usgcb.windowsseven:def:75' CCE-8822-9~Auditing of 'Account Management: Application Group Management' events on success should be enabled or disabled as appropriate.CCE-801)Worksheet: Audit Policy Settings; Row: 42SSetting Index #405: This policy setting audits Application Group Management events. CCE-8825-2xThe 'Microsoft network server: Digitally sign communications (if client agrees)' setting should be configured correctly.%(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft network server: Digitally sign communications (if client agrees) (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\enablesecuritysignatureCCE-104,Worksheet: Computer Policy Settings; Row: 90Setting Index #107: This policy setting determines if the server side SMB service is able to sign SMB packets if it is requested to do so by a client that attempts to establish a connection. 
ORule 'microsoft_network_server_digitally_sign_communications_if_client_agrees' 5Definition 'oval:gov.nist.usgcb.windowsseven:def:82' CCE-8829-4Auditing of 'Account Management: Distribution Group Management' events on failure should be enabled or disabled as appropriate.CCE-1048)Worksheet: Audit Policy Settings; Row: 44TSetting Index #404: This policy setting audits Distribution Group Management events. CCE-8837-7\The 'Devices: Allow undock without having to log on' setting should be configured correctly.(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Devices: Allow undock without having to log on (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\undockwithoutlogonCCE-186,Worksheet: Computer Policy Settings; Row: 65Setting Index #77: This policy setting determines whether a portable computer can be undocked if the user does not log on to the system. CCE-8844-3eThe 'Allow Standby States (S1-S3) When Sleeping (On Battery)' setting should be configured correctly.!(1) GPO: Computer Configuration\Administrative Templates\System\Power Management\Sleep Settings\Allow Standby States (S1-S3) When Sleeping (On Battery) (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\abfc2519-3608-4c2a-94ea-171b0ed546ab\DCSettingIndex,Worksheet: Bitlocker Policy Settings; Row: 3Setting Index #816: CCE-8850-0rAuditing of 'DS Access: Directory Service Changes' events on failure should be enabled or disabled as appropriate.CCE-982)Worksheet: Audit Policy Settings; Row: 50Setting Index #408: This policy setting in the DS Access audit category enables reports to result when changes to create, modify, move, or undelete operations are performed on objects in Active Directory Domain Services (AD DS). 
CCE-8853-4kAuditing of 'Logon-Logoff: Account Lockout' events on success should be enabled or disabled as appropriate.CCE-1264(Worksheet: Audit Policy Settings; Row: 8Setting Index #371: This audit category generates events that record the creation and destruction of logon sessions. This setting targets the Logon-Logoff Account Lockout setting. CCE-8855-9Validation of the 'BitLocker Access Control' Platform Configuration Register (aka PCR 11) by the Trusted Platform Module (TPM) should be enabled or disabled as appropriate.(1) GPO: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives\s4-o12\PCR 11: BitLocker Access Control (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\PlatformValidation\11-Worksheet: Bitlocker Policy Settings; Row: 36Setting Index #874: This is a setting option. Refer to the following parent setting for additional information: Configure TPM platform validation profile CCE-8856-7bAuditing of 'Logon-Logoff: Logoff' events on success should be enabled or disabled as appropriate.CCE-493)Worksheet: Audit Policy Settings; Row: 12Setting Index #370: This audit category generates events that record the creation and destruction of logon sessions. This setting targets the Logoff event settings. CCE-8857-5oAuditing of 'Logon-Logoff: IPsec Extended Mode' events on failure should be enabled or disabled as appropriate.CCE-362(Worksheet: Audit Policy Settings; Row: 9Setting Index #374: This audit category generates events that record the creation and destruction of logon sessions. This setting targets the IPsec Extended Mode settings. 
CCE-8860-9rAuditing of 'Object Access:Application Generated' events on failure should be enabled or disabled as appropriate.CCE-379)Worksheet: Audit Policy Settings; Row: 17Setting Index #382: This setting determines whether to audit the event of a user who accesses an object that has a specified system access control list (SACL), effectively enabling auditing to take place. It targets application generated events. CCE-8861-7pAuditing of 'Object Access: Detailed File Share' events on failure should be enabled or disabled as appropriate.(1) GPO: Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\System Audit Policies\Object Access\Audit Policy: Object Access: Detailed File Share)Worksheet: Audit Policy Settings; Row: 28Setting Index #930: CCE-8868-2bThe 'Devices: Allowed to format and eject removable media' setting should be configured correctly.RAdministrators/Administrators and Power Users/Administrators and Interactive Users(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Devices: Allowed to format and eject removable media (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateDASDCCE-919,Worksheet: Computer Policy Settings; Row: 66eSetting Index #78: This policy setting determines who is allowed to format and eject removable media. CCE-8870-8nWindows Firewall should allow or block outbound connections by default as appropriate for the Private Profile. 
allow/blocke(1) GPO: Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Private Profile\Windows Firewall: Private: Outbound connections (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile\DefaultOutboundActionCCE-32-Worksheet: Computer Policy Settings; Row: 163Setting Index #192: This profile only applies if a user with local administrator privileges assigns it to a network that was previously set to use the Public profile. Microsoft recommends only changing the profile to Private for a trusted network. CCE-8884-9Display of a notification to the user when Windows Firewall blocks network activity should be enabled or disabled as appropriate for the private profile.f(1) GPO: Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Private Profile\Windows Firewall: Private: Display a notification (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile\DisableNotificationsCCE-38-Worksheet: Computer Policy Settings; Row: 164Setting Index #193: This profile only applies if a user with local administrator privileges assigns it to a network that was previously set to use the Public profile. Microsoft recommends only changing the profile to Private for a trusted network. 
CCE-8899-7[The BitLocker 'Prevent memory overwrite on restart' setting should be configured correctly.(1) GPO: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\s4-o0\Prevent memory overwrite on restart (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\MorBehavior-Worksheet: Bitlocker Policy Settings; Row: 86Setting Index #825: CCE-8905-2vThe 'Save BitLocker recovery information to AD DS for operating system drives' setting should be configured correctly.+(1) GPO: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives\s2-o5\Save BitLocker recovery information to AD DS for operating system drives (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\OSActiveDirectoryBackup-Worksheet: Bitlocker Policy Settings; Row: 28Setting Index #857: This is a setting option. Refer to the following parent setting for additional information: Choose how BitLocker-protected operating system drives can be recovered CCE-8912-8IThe "enforce password history" policy should meet minimum requirements. number of passwords remembered(1) GPO: Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy\Enforce password history (2) WMI: Namespace = root\rsop\computer; Class = RSOP_SecuritySettingNumeric; Property = Setting; Where = KeyName='PasswordHistorySize' And precedence=1CCE-60)Worksheet: Domain Policy Settings; Row: 3Setting Index #1: This policy setting determines the number of renewed, unique passwords that have to be associated with a user account before you can reuse an old password. 
Rule 'enforce_password_history' 4Definition 'oval:gov.nist.usgcb.windowsseven:def:4' CCE-8917-7sThe 'Network Security: Restrict NTLM: Add server exceptions in this domain' setting should be configured correctly.list of servers(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network Security: Restrict NTLM: Add server exceptions in this domain (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\DCAllowedNTLMServers-Worksheet: Computer Policy Settings; Row: 148Setting Index #924: This policy setting allows you to create an exception list of servers in this domain to which clients are allowed to use NTLM pass-through authentication if the "Network Security: Restrict NTLM: Deny NTLM authentication in this domain" is set. CCE-8930-0The 'Enable computer and user accounts to be trusted for delegation' user right should be assigned to the appropriate accounts.K(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Enable computer and user accounts to be trusted for delegation (2) WMI: Namespace = root\rsop\computer; Class = RSOP_UserPrivilegeRight; Property = AccountList; Where = UserRight='SeEnableDelegationPrivilege' and precedence=1CCE-15,Worksheet: Computer Policy Settings; Row: 19Setting Index #45: This policy setting allows users to change the Trusted for Delegation setting on a computer object in Active Directory. CCE-8936-7oThe 'Network access: Let Everyone permissions apply to anonymous users' setting should be configured correctly. 
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Let Everyone permissions apply to anonymous users (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\EveryoneIncludesAnonymousCCE-18-Worksheet: Computer Policy Settings; Row: 110Setting Index #133: This policy setting determines what additional permissions are assigned for anonymous connections to the computerGRule 'network_access_let_everyone_permissions_apply_to_anonymous_user' 5Definition 'oval:gov.nist.usgcb.windowsseven:def:89' CCE-8937-5{The 'Network security: Do not store LAN Manager hash value on next password change' setting should be configured correctly.(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Do not store LAN Manager hash value on next password change (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHashCCE-233-Worksheet: Computer Policy Settings; Row: 116Setting Index #140: This policy setting determines whether the LAN Manager (LM) hash value for the new password is stored when the password is changed. 
MRule 'network_security_do_not_store_lanmanager_hash_on_next_password_change' 6Definition 'oval:gov.nist.usgcb.windowsseven:def:100' CCE-8945-8zThe 'Recovery console: Allow floppy copy and access to all drives and all folders' setting should be configured correctly.#(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Recovery console: Allow floppy copy and access to all drives and all folders (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\setcommandCCE-76-Worksheet: Computer Policy Settings; Row: 121YSetting Index #147: This policy setting makes the Recovery Console SET command available.ORule 'recovery_console_allow_floppy_copy_and_access_to_all_drives_and_folders' 6Definition 'oval:gov.nist.usgcb.windowsseven:def:107' CCE-8947-4oThe BitLocker 'Configure password complexity for removable data drives' setting should be configured correctly.(1) GPO: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives\s3-o2\Configure password complexity for removable data drives (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\RDVPassphraseComplexity-Worksheet: Bitlocker Policy Settings; Row: 75Setting Index #909: This is a setting option. Refer to the following parent setting for additional information: Configure use of passwords for removable data drives CCE-8956-5kAuditing of 'Logon-Logoff: IPsec Main Mode' events on success should be enabled or disabled as appropriate.CCE-1207)Worksheet: Audit Policy Settings; Row: 10Setting Index #372: This audit category generates events that record the creation and destruction of logon sessions. This setting targets the IPsec Main Mode settings. 
CCE-8958-1The 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' setting should be configured correctly.Elevate without prompting/Prompt for credentials on the secure desktop/Prompt for consent on the secure desktop/Prompt for credentials/Prompt for consent/Prompt for consent for non-Windows binaries>(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdminCCE-1063-Worksheet: Computer Policy Settings; Row: 128Setting Index #1048: This setting determines the behavior of Windows Vista when a logged on administrator attempts to complete a task that requires raised privileges.gRule 'user_account_control_behavior_of_the_elevation_prompt_for_administrators_in_admin_approval_mode' 6Definition 'oval:gov.nist.usgcb.windowsseven:def:114' CCE-8965-6The 'Configure storage of BitLocker recovery information to AD DS' setting should be configured correctly for removable data drives.#(1) GPO: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives\s2-o6\Configure storage of BitLocker recovery information to AD DS (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\RDVActiveDirectoryInfoToStore-Worksheet: Bitlocker Policy Settings; Row: 71Setting Index #905: This is a setting option. 
Refer to the following parent setting for additional information: Choose how BitLocker-protected removable data drives can be recovered CCE-8973-0lThe 'Interactive logon: Message text for users attempting to log on' setting should be configured correctly.(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Message text for users attempting to log on (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeTextCCE-829,Worksheet: Computer Policy Settings; Row: 82iSetting Index #95: This policy setting specifies a text message that displays to users when they log on. ERule 'interactive_logon_message_text_for_users_attempting_to_log_on' 5Definition 'oval:gov.nist.usgcb.windowsseven:def:71' CCE-8974-8sThe 'Domain member: Digitally encrypt or sign secure channel data (always)' setting should be configured correctly.(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Domain member: Digitally encrypt or sign secure channel data (always) (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\requiresignorsealCCE-549,Worksheet: Computer Policy Settings; Row: 70Setting Index #86: This policy setting determines whether all secure channel traffic that is initiated by the domain member must be signed or encrypted.JRule 'domain_member_digitally_encrypt_or_sign_secure_channel_data_always' 5Definition 'oval:gov.nist.usgcb.windowsseven:def:63' CCE-8983-9hThe BitLocker 'Minimum password length for removable data drive' setting should be configured correctly. 
(1) GPO: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives\s3-o3\Minimum password length for removable data drive (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\RDVPassphraseLength-Worksheet: Bitlocker Policy Settings; Row: 76Setting Index #910: This is a setting option. Refer to the following parent setting for additional information: Configure use of passwords for removable data drives CCE-8993-8The 'Configure user storage of BitLocker 256-digit recovery key' setting should be configured correctly for operating system drives.(1) GPO: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives\s2-o3\Configure user storage of BitLocker 256-digit recovery key (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\OSRecoveryKey-Worksheet: Bitlocker Policy Settings; Row: 26Setting Index #855: This is a setting option. Refer to the following parent setting for additional information: Choose how BitLocker-protected operating system drives can be recovered CCE-8995-3ZThe 'Control use of Bitlocker on removable drives' setting should be configured correctly.(1) GPO: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives\s5-o0\Control use of Bitlocker on removable drives (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\RDVConfigureBDE-Worksheet: Bitlocker Policy Settings; Row: 79Setting Index #913: CCE-8999-5]The 'Increase scheduling priority' user right should be assigned to the appropriate accounts.-(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Increase scheduling priority (2) WMI: Namespace = root\rsop\computer; Class = RSOP_UserPrivilegeRight; Property = AccountList; Where = UserRight='SeIncreaseBasePriorityPrivilege' and precedence=1CCE-349,Worksheet: Computer Policy 
Settings; Row: 22oSetting Index #50: This policy setting allows users to change the amount of processor time that a process uses.$Rule 'increase_scheduling_priority' 5Definition 'oval:gov.nist.usgcb.windowsseven:def:34' CCE-9000-1The 'Do not enable BitLocker until recovery information is stored to AD DS for removable data drives' setting should be configured correctly.H(1) GPO: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives\s2-o7\Do not enable BitLocker until recovery information is stored to AD DS for removable data drives (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\RDVRequireActiveDirectoryBackup-Worksheet: Bitlocker Policy Settings; Row: 72Setting Index #906: This is a setting option. Refer to the following parent setting for additional information: Choose how BitLocker-protected removable data drives can be recovered CCE-9007-6lWindows Firewall should allow or block inbound connections by default as appropriate for the Public Profile.`(1) GPO: Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Public Profile\Windows Firewall: Public: Inbound connections (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile\DefaultInboundActionCCE-338-Worksheet: Computer Policy Settings; Row: 169Setting Index #198: CCE-9014-2UThe 'Shut down the system' user right should be assigned to the appropriate accounts.(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Shut down the system (2) WMI: Namespace = root\rsop\computer; Class = RSOP_UserPrivilegeRight; Property = AccountList; Where = UserRight='SeShutdownPrivilege' and precedence=1CCE-839,Worksheet: Computer Policy Settings; Row: 33Setting Index #63: This policy setting determines which users who are logged on locally can use 
the Shut Down command to shut down the operating system.Rule 'shut_down_the_system' 5Definition 'oval:gov.nist.usgcb.windowsseven:def:48' CCE-9021-7zThe 'User Account Control: Only elevate executables that are signed and validated' setting should be configured correctly.+(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control: Only elevate executables that are signed and validated (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignaturesCCE-1104-Worksheet: Computer Policy Settings; Row: 131Setting Index #161: This setting enables the prevention of the execution of unsigned or invalidated applications. Before enabling this setting, it is essential that administrators are certain that all required applications are signed and valid. TRule 'user_account_control_only_elevate_applications_that_are_signed_and_validated' 6Definition 'oval:gov.nist.usgcb.windowsseven:def:117' CCE-9023-3kAuditing of 'Logon-Logoff: Account Lockout' events on failure should be enabled or disabled as appropriate.CCE-1282 CCE-9026-6dThe 'Devices: Prevent users from installing printer drivers' setting should be configured correctly. 
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Devices: Prevent users from installing printer drivers (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers\AddPrinterDriversCCE-402,Worksheet: Computer Policy Settings; Row: 67_Setting Index #79: This setting controls which groups have the right to install printer drivers.=Rule 'devices_prevent_users_from_installing_printer_drivers' 5Definition 'oval:gov.nist.usgcb.windowsseven:def:60' CCE-9036-5The 'Network Security: Restrict NTLM: Add remote server exceptions for NTLM authentication' setting should be configured correctly.#(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network Security: Restrict NTLM: Add remote server exceptions for NTLM authentication (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\ClientAllowedNTLMServers-Worksheet: Computer Policy Settings; Row: 147 Setting Index #923: This policy setting allows you to create an exception list of remote servers to which clients are allowed to use NTLM authentication if the "Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers" policy setting is configured. CCE-9040-7nThe 'Microsoft network server: Digitally sign communications (always)' setting should be configured correctly.(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft network server: Digitally sign communications (always) (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\requiresecuritysignatureCCE-171,Worksheet: Computer Policy Settings; Row: 89}Setting Index #106: This policy setting determines if the server side SMB service is required to perform SMB packet signing. 
ERule 'microsoft_network_server_digitally_sign_communications_always' 5Definition 'oval:gov.nist.usgcb.windowsseven:def:81' CCE-9046-4Validation of the 'Master Boot Record (MBR) Partition Table' Platform Configuration Register (aka PCR 5) by the Trusted Platform Module (TPM) should be enabled or disabled as appropriate.(1) GPO: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives\s4-o6\PCR 5: Master Boot Record (MBR) Partition Table (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\PlatformValidation\5-Worksheet: Bitlocker Policy Settings; Row: 53Setting Index #868: This is a setting option. Refer to the following parent setting for additional information: Configure TPM platform validation profile CCE-9048-0_The 'Increase a process working set' user right should be assigned to the appropriate accounts.-(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Increase a process working set (2) WMI: Namespace = root\rsop\computer; Class = RSOP_UserPrivilegeRight; Property = AccountList; Where = UserRight='SeIncreaseWorkingSetPrivilege' and precedence=1CCE-1027,Worksheet: Computer Policy Settings; Row: 43Setting Index #49: This policy setting determines which user accounts can increase or decrease the size of a process's working set. 
The working set of a process is the set of memory pages currently visible to the process in physical random access memory (RAM).&Rule 'increase_a_process_working_set' 5Definition 'oval:gov.nist.usgcb.windowsseven:def:33' CCE-9050-6Validation of the 'Reserved for Future Use' Platform Configuration Register (aka PCR 16) by the Trusted Platform Module (TPM) should be enabled or disabled as appropriate.(1) GPO: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives\s4-o17\PCR 16: Reserved for Future Use (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\PlatformValidation\16-Worksheet: Bitlocker Policy Settings; Row: 41Setting Index #879: This is a setting option. Refer to the following parent setting for additional information: Configure TPM platform validation profile CCE-9053-0The 'Allow access to BitLocker-protected removable data drives from earlier versions of Windows ' setting should be configured correctly.;(1) GPO: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives\s1-o0\Allow access to BitLocker-protected removable data drives from earlier versions of Windows (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\RDVDiscoveryVolumeType-Worksheet: Bitlocker Policy Settings; Row: 63Setting Index #897: CCE-9056-3{Auditing of 'Account Management: Security Group Management' events on failure should be enabled or disabled as appropriate.CCE-369)Worksheet: Audit Policy Settings; Row: 46PSetting Index #403: This policy setting audits Security Group Management events. 
CCE-9058-9bAuditing of 'Logon-Logoff: Logoff' events on failure should be enabled or disabled as appropriate.CCE-996 CCE-9062-1IThe BitLocker 'Object identifier' setting should be configured correctly.(smart card certificate object identifier(1) GPO: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\s7-o1\Object identifier (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\CertificateOID-Worksheet: Bitlocker Policy Settings; Row: 90Setting Index #833: This is a setting option. Refer to the following parent setting for additional information: Validate smart card certificate usage rule compliance CCE-9066-2aAuditing of 'Audit privilege use' events on success should be enabled or disabled as appropriate.CCE-2431 CCE-9067-0\The 'Interactive logon: Smart card removal behavior' setting should be configured correctly.XNo Action/Lock Workstation/Force Logoff/Disconnect if a remote Terminal Services session(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Smart card removal behavior (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\scremoveoptionCCE-443,Worksheet: Computer Policy Settings; Row: 81Setting Index #101: This policy setting determines what happens when the smart card for a logged on user is removed from the smart card reader.5Rule 'interactive_logon_smart_card_removal_behavior' 5Definition 'oval:gov.nist.usgcb.windowsseven:def:76' CCE-9068-8cThe 'Adjust memory quotas for a process' user right should be assigned to the appropriate accounts.,(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Adjust memory quotas for a process (2) WMI: Namespace = root\rsop\computer; Class = RSOP_UserPrivilegeRight; Property = AccountList; Where = UserRight='SeIncreaseQuotaPrivilege' and precedence=1CCE-807+Worksheet: Computer Policy Settings; Row: 9|Setting 
Index #27: This policy setting allows a user to adjust the maximum amount of memory that is available to a process. *Rule 'adjust_memory_quotas_for_a_process' 5Definition 'oval:gov.nist.usgcb.windowsseven:def:12' CCE-9069-6xUnicast response to multicast or broadcast requests should be enabled or disabled as appropriate for the Domain Profile.z(1) GPO: Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Domain Profile\Windows Firewall: Domain: Allow unicast response (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\DisableUnicastResponsesToMulticastBroadcastCCE-696-Worksheet: Computer Policy Settings; Row: 158Setting Index #187: This option determines if this computer can receive unicast responses to multicast or broadcast messages that it initiates. Unsolicited unicast responses are blocked regardless of this setting. CCE-9076-1qAuditing of 'Logon-Logoff: Network Policy Server' events on success should be enabled or disabled as appropriate.)Worksheet: Audit Policy Settings; Row: 16uSetting Index #520: This audit category generates events that record the creation and destruction of logon sessions. CCE-9079-5Validation of the 'Reserved for Future Use' Platform Configuration Register (aka PCR 13) by the Trusted Platform Module (TPM) should be enabled or disabled as appropriate.(1) GPO: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives\s4-o14\PCR 13: Reserved for Future Use (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\PlatformValidation\13-Worksheet: Bitlocker Policy Settings; Row: 38Setting Index #876: This is a setting option. 
Refer to the following parent setting for additional information: Configure TPM platform validation profile CCE-9082-9Validation of the 'Option ROM Configuration and Data' Platform Configuration Register (aka PCR 3) by the Trusted Platform Module (TPM) should be enabled or disabled as appropriate.(1) GPO: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives\s4-o4\PCR 3: Option ROM Configuration and Data (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\PlatformValidation\3-Worksheet: Bitlocker Policy Settings; Row: 51Setting Index #866: This is a setting option. Refer to the following parent setting for additional information: Configure TPM platform validation profile CCE-9087-8dThe BitLocker 'Minimum password length for fixed data drive' setting should be configured correctly.(1) GPO: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives\s3-o3\Minimum password length for fixed data drive (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\FDVPassphraseLength-Worksheet: Bitlocker Policy Settings; Row: 18Setting Index #847: This is a setting option. Refer to the following parent setting for additional information: Configure use of passwords for fixed data drives CCE-9088-6uThe 'Do not install BitLocker To Go Reader on FAT formatted removable drives' setting should be configured correctly.)(1) GPO: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives\s1-o1\Do not install BitLocker To Go Reader on FAT formatted removable drives (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\RDVNoBitLockerToGoReader-Worksheet: Bitlocker Policy Settings; Row: 64Setting Index #898: This is a setting option. 
Refer to the following parent setting for additional information: Allow access to BitLocker-protected removable data drives on earlier versions of Windows CCE-9089-4WThe BitLocker 'Allow enhanced PINs for startup' setting should be configured correctly.(1) GPO: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives\s1-o0\Allow enhanced PINs for startup (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\UseEnhancedPin-Worksheet: Bitlocker Policy Settings; Row: 22Setting Index #851: CCE-9096-9tThe 'Network security: Allow Local System to use computer identity for NTLM' setting should be configured correctly.(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Allow Local System to use computer identity for NTLM (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\UseMachineId-Worksheet: Computer Policy Settings; Row: 144Setting Index #920: This policy setting allows Local System services that use Negotiate to use the computer identity when reverting to NTLM authentication.LRule 'network_security_allow_localsystem_to_use_computer_identity_for_ntlm' CCE-9098-5YThe 'Deny log on as a service' user right should be assigned to the appropriate accounts.!(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny log on as a service (2) WMI: Namespace = root\rsop\computer; Class = RSOP_UserPrivilegeRight; Property = AccountList; Where = UserRight='SeDenyServiceLogonRight' and precedence=1CCE-597,Worksheet: Computer Policy Settings; Row: 39{Setting Index #42: This policy setting determines whether services can be launched in the context of the specified account. 
Rule 'deny_log_on_as_a_service' 5Definition 'oval:gov.nist.usgcb.windowsseven:def:27' CCE-9103-3Validation of the 'Reserved for Future Use' Platform Configuration Register (aka PCR 18) by the Trusted Platform Module (TPM) should be enabled or disabled as appropriate.(1) GPO: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives\s4-o19\PCR 18: Reserved for Future Use (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\PlatformValidation\18-Worksheet: Bitlocker Policy Settings; Row: 43Setting Index #881: This is a setting option. Refer to the following parent setting for additional information: Configure TPM platform validation profile CCE-9106-6qThe 'Do not install BitLocker To Go Reader on FAT formatted fixed drives' setting should be configured correctly.!(1) GPO: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives\s1-o1\Do not install BitLocker To Go Reader on FAT formatted fixed drives (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\FDVNoBitLockerToGoReader,Worksheet: Bitlocker Policy Settings; Row: 6Setting Index #1047: This is a setting option. 
Refer to the following parent setting for additional information: Do not install BitLocker To Go Reader on FAT formatted fixed drives CCE-9107-4mThe 'Allow log on through Remote Desktop Services' user right should be assigned to the appropriate accounts.;(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Allow log on through Remote Desktop Services (2) WMI: Namespace = root\rsop\computer; Class = RSOP_UserPrivilegeRight; Property = AccountList; Where = UserRight='SeRemoteInteractiveLogonRight' and precedence=1CCE-883,Worksheet: Computer Policy Settings; Row: 35Setting Index #29: This policy setting determines which users or groups have the right to log on as a Terminal Services client.4Rule 'allow_log_on_through_remote_desktop_services' kDefinition 'oval:gov.nist.usgcb.windowsseven:def:140' Definition 'oval:gov.nist.usgcb.windowsseven:def:14' CCE-9112-4The 'System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies' setting should be configured correctly.6(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\AuthenticodeEnabledCCE-572-Worksheet: Computer Policy Settings; Row: 138Setting Index #156: This policy setting determines whether digital certificates are processed when software restriction policies are enabled and a user or process attempts to run software with an .exe file name extension. 
CCE-9114-0LThe 'BitLocker identification field' setting should be configured correctly.(1) GPO: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\s5-o1\BitLocker identification field (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\IdentificationFieldString-Worksheet: Bitlocker Policy Settings; Row: 88Setting Index #827: This is a setting option. Refer to the following parent setting for additional information: Provide the unique identifiers for your organization CCE-9121-5`The 'Network access: Remotely accessible registry paths' setting should be configured correctly. set of paths(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Remotely accessible registry paths (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths\MachineCCE-189-Worksheet: Computer Policy Settings; Row: 112Setting Index #135: This policy setting determines which registry paths will be accessible after referencing the WinReg key to determine access permissions to the paths.9Rule 'network_access_remotely_accessible_registry_paths' 5Definition 'oval:gov.nist.usgcb.windowsseven:def:91' CCE-9123-1aThe 'Domain member: Maximum machine account password age' setting should be configured correctly.number of days(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Domain member: Maximum machine account password age (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\maximumpasswordageCCE-194,Worksheet: Computer Policy Settings; Row: 74lSetting Index #90: This policy setting determines the maximum allowable age for a computer account password.:Rule 'domain_member_maximum_machine_account_password_age' 5Definition 'oval:gov.nist.usgcb.windowsseven:def:67' CCE-9124-9^The 'Restore files and directories' user right should be assigned to the 
appropriate accounts.!(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Restore files and directories (2) WMI: Namespace = root\rsop\computer; Class = RSOP_UserPrivilegeRight; Property = AccountList; Where = UserRight='SeRestorePrivilege' and precedence=1CCE-553,Worksheet: Computer Policy Settings; Row: 46Setting Index #62: This policy setting determines which users can bypass file, directory, registry, and other persistent object permissions when restoring backed up files and directories.%Rule 'restore_files_and_directories' 5Definition 'oval:gov.nist.usgcb.windowsseven:def:47' CCE-9126-4eThe 'Allow Standby States (S1-S3) When Sleeping (Plugged In)' setting should be configured correctly.!(1) GPO: Computer Configuration\Administrative Templates\System\Power Management\Sleep Settings\Allow Standby States (S1-S3) When Sleeping (Plugged In) (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\abfc2519-3608-4c2a-94ea-171b0ed546ab\ACSettingIndex,Worksheet: Bitlocker Policy Settings; Row: 4Setting Index #817: CCE-9133-0{Auditing of 'Object Access:Filtering Platform Packet Drop' events on success should be enabled or disabled as appropriate.CCE-385)Worksheet: Audit Policy Settings; Row: 22Setting Index #385: This setting determines whether to audit the event of a user who attempts to access an object that has a specified system access control list (SACL), effectively enabling auditing to take place. It is targeted to dropped packet events by the Filtering Platform. 
CCE-9135-5_The 'Load and unload device drivers' user right should be assigned to the appropriate accounts.%(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Load and unload device drivers (2) WMI: Namespace = root\rsop\computer; Class = RSOP_UserPrivilegeRight; Property = AccountList; Where = UserRight='SeLoadDriverPrivilege' and precedence=1CCE-860,Worksheet: Computer Policy Settings; Row: 23iSetting Index #51: This policy setting allows users to dynamically load a new device driver on a system. &Rule 'load_and_unload_device_drivers' 5Definition 'oval:gov.nist.usgcb.windowsseven:def:35' CCE-9136-3GThe 'Account lockout threshold' setting should be configured correctly.number of failed logon attempts(1) GPO: Computer Configuration\Windows Settings\Security Settings\Account Policies\Account Lockout Policy\Account lockout threshold (2) WMI: Namespace = root\rsop\computer; Class = RSOP_SecuritySettingNumeric; Property = Setting; Where = KeyName='LockoutBadCount' And precedence=1CCE-658*Worksheet: Domain Policy Settings; Row: 10mSetting Index #8: This policy setting determines the number of failed logon attempts before a lockout occurs.!Rule 'account_lockout_threshold' 4Definition 'oval:gov.nist.usgcb.windowsseven:def:2' CCE-9137-1jAuditing of 'Object Access:Kernel Object' events on failure should be enabled or disabled as appropriate.CCE-1305)Worksheet: Audit Policy Settings; Row: 24 Setting Index #379: This setting determines whether to audit the event of a user who attempts to access an object that has a specified system access control list (SACL), effectively enabling auditing to take place. It is targeted to Kernel Object access processes. 
CCE-9138-9Validation of the 'Reserved for Future Use' Platform Configuration Register (aka PCR 19) by the Trusted Platform Module (TPM) should be enabled or disabled as appropriate.(1) GPO: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives\s4-o20\PCR 19: Reserved for Future Use (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\PlatformValidation\19-Worksheet: Bitlocker Policy Settings; Row: 45Setting Index #882: This is a setting option. Refer to the following parent setting for additional information: Configure TPM platform validation profile CCE-9141-3lThe BitLocker 'Configure use of passwords for removable data drives' setting should be configured correctly. (1) GPO: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives\s3-o0\Configure use of passwords for removable data drives (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\RDVPassphrase-Worksheet: Bitlocker Policy Settings; Row: 73Setting Index #907: CCE-9144-7hThe BitLocker 'Configure use of passwords for fixed data drives' setting should be configured correctly.(1) GPO: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives\s3-o0\Configure use of passwords for fixed data drives (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\FDVPassphrase-Worksheet: Bitlocker Policy Settings; Row: 15Setting Index #844: CCE-9145-4TThe 'Allowed BitLocker identification field' setting should be configured correctly.6list of allowed BitLocker identification field strings(1) GPO: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\s5-o2\Allowed BitLocker identification field (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\SecondaryIdentificationField-Worksheet: Bitlocker Policy Settings; Row: 89Setting Index #828: This is 
a setting option. Refer to the following parent setting for additional information: Provide the unique identifiers for your organization CCE-9146-2yThe BitLocker 'Allow data recovery agent' setting should be enabled or disabled as appropriate for removable data drives.(1) GPO: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives\s2-o1\Allow data recovery agent (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\RDVManageDRA-Worksheet: Bitlocker Policy Settings; Row: 66Setting Index #900: This is a setting option. Refer to the following parent setting for additional information: Choose how BitLocker-protected removable data drives can be recovered CCE-9147-0The 'Omit recovery options from the BitLocker setup wizard' setting should be configured correctly for operating system drives.(1) GPO: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives\s2-o4\Omit recovery options from the BitLocker setup wizard (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\OSHideRecoveryPage-Worksheet: Bitlocker Policy Settings; Row: 27Setting Index #856: This is a setting option. Refer to the following parent setting for additional information: Choose how BitLocker-protected operating system drives can be recovered CCE-9148-8Auditing of 'Account Logon: Kerberos Service Ticket Operations' events on success should be enabled or disabled as appropriate.)Worksheet: Audit Policy Settings; Row: 54aSetting Index #519: The Account Logon audit category generates events for credential validation. 
CCE-9149-6WThe 'Modify an object label' user right should be assigned to the appropriate accounts.(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Modify an object label (2) WMI: Namespace = root\rsop\computer; Class = RSOP_UserPrivilegeRight; Property = AccountList; Where = UserRight='SeRelabelPrivilege' and precedence=1CCE-1023,Worksheet: Computer Policy Settings; Row: 27Setting Index #1027: This privilege determines which user accounts can modify the integrity label of objects, such as files, registry keys, or processes owned by other users.Rule 'modify_an_object_label' 5Definition 'oval:gov.nist.usgcb.windowsseven:def:40' CCE-9150-4^The 'Audit: Audit the access of global system objects' setting should be configured correctly.(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Audit: Audit the access of global system objects (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\AuditBaseObjectsCCE-2,Worksheet: Computer Policy Settings; Row: 59Setting Index #71: This policy setting creates a default system access control list (SACL) for system objects such as mutexes (mutual exclusive), events, semaphores, and MS-DOS devices, and causes access to these system objects to be audited.7Rule 'audit_audit_the_access_of_global_system_objects' 5Definition 'oval:gov.nist.usgcb.windowsseven:def:55' CCE-9153-8|Auditing of 'Policy Change: MPSSVC Rule-Level Policy Change' events on success should be enabled or disabled as appropriate.CCE-203)Worksheet: Audit Policy Settings; Row: 40Setting Index #398: The policy setting for this audit category determines whether to audit MPSSVC Rule-Level Policy changes on computers running Windows Vista or later Windows operating systems. CCE-9156-1{The 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' setting should be configured correctly. 
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Do not allow anonymous enumeration of SAM accounts and shares (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymousCCE-195-Worksheet: Computer Policy Settings; Row: 108|Setting Index #131: This policy setting controls the ability of anonymous users to enumerate SAM accounts as well as shares.TRule 'network_access_do_not_allow_anonymous_enumeration_of_sam_accounts_and_shares' 5Definition 'oval:gov.nist.usgcb.windowsseven:def:87' CCE-9159-5xAuditing of 'Privilege Use: Non Sensitive Privilege Use' events on failure should be enabled or disabled as appropriate.CCE-404)Worksheet: Audit Policy Settings; Row: 29Setting Index #389: This setting applies to the Non Sensitive Privilege Use subcategory of events. You can use it to audit users exercising user rights. CCE-9161-1Validation of the 'NTFS Boot Block' Platform Configuration Register (aka PCR 9) by the Trusted Platform Module (TPM) should be enabled or disabled as appropriate.(1) GPO: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives\s4-o10\PCR 9: NTFS Boot Block (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\PlatformValidation\9-Worksheet: Bitlocker Policy Settings; Row: 34Setting Index #872: This is a setting option. Refer to the following parent setting for additional information: Configure TPM platform validation profile CCE-9162-9aAuditing of 'Audit object access' events on success should be enabled or disabled as appropriate. 
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit object access (2) WMI: Namespace = root\rsop\computer; Class = RSOP_AuditPolicy; Property = Success, Failure; Where = Category='AuditObjectAccess' and precedence=1CCE-2640)Worksheet: Audit Policy Settings; Row: 60ESetting Index #19: This policy setting audits and logs object access. CCE-9172-8tAuditing of 'Privilege Use: Sensitive Privilege Use' events on failure should be enabled or disabled as appropriate.CCE-1258)Worksheet: Audit Policy Settings; Row: 30Setting Index #388: This setting applies to the Sensitive Privilege Use subcategory of events. You can use it to audit users exercising user rights. CCE-9173-6gThe BitLocker 'Require use of smart cards on fixed data drives' setting should be configured correctly.(1) GPO: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives\s4-o1\Require use of smart cards on fixed data drives (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\FDVEnforceUserCert-Worksheet: Bitlocker Policy Settings; Row: 20Setting Index #849: This is a setting option. Refer to the following parent setting for additional information: Configure use of smart cards on fixed data drives CCE-9176-9~The 'Allow users to suspend and decrypt BitLocker protection on removable data drives' setting should be configured correctly.'(1) GPO: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives\s5-o2\Allow users to suspend and decrypt BitLocker protection on removable data drives (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\RDVDisableBDE-Worksheet: Bitlocker Policy Settings; Row: 81Setting Index #915: This is a setting option. 
Refer to the following parent setting for additional information: Control use of BitLocker on removable drives CCE-9179-3kAuditing of 'System: Security State Change' events on failure should be enabled or disabled as appropriate.CCE-1139(Worksheet: Audit Policy Settings; Row: 5Setting Index #368: This policy setting in the System audit category determines whether to audit Security State changes on computers that are running Windows Vista or later Windows operating systems. CCE-9180-1aAuditing of 'Audit policy change' events on success should be enabled or disabled as appropriate.CCE-2412 CCE-9182-7Validation of the 'Reserved for Future Use' Platform Configuration Register (aka PCR 23) by the Trusted Platform Module (TPM) should be enabled or disabled as appropriate.(1) GPO: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives\s4-o24\PCR 23: Reserved for Future Use (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\PlatformValidation\23-Worksheet: Bitlocker Policy Settings; Row: 49Setting Index #886: This is a setting option. 
Refer to the following parent setting for additional information: Configure TPM platform validation profile CCE-9185-0RThe 'Create a pagefile' user right should be assigned to the appropriate accounts.(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Create a pagefile (2) WMI: Namespace = root\rsop\computer; Class = RSOP_UserPrivilegeRight; Property = AccountList; Where = UserRight='SeCreatePagefilePrivilege' and precedence=1CCE-895,Worksheet: Computer Policy Settings; Row: 13WSetting Index #34: This policy setting allows users to change the size of the pagefile.Rule 'create_a_pagefile' 5Definition 'oval:gov.nist.usgcb.windowsseven:def:19' CCE-9189-2qThe 'User Account Control: Run all administrators in Admin Approval Mode' setting should be configured correctly.(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control: Run all administrators in Admin Approval Mode (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUACCE-1050-Worksheet: Computer Policy Settings; Row: 133rSetting Index #163: This is the setting that turns on or off UAC. Disabling this setting effectively disables UAC.JRule 'user_account_control_run_all_administrators_in_admin_approval_mode' 6Definition 'oval:gov.nist.usgcb.windowsseven:def:119' CCE-9190-0xAuditing of 'Privilege Use: Non Sensitive Privilege Use' events on success should be enabled or disabled as appropriate.CCE-391 CCE-9191-8The 'System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)' setting should be configured correctly.((1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\System objects: Strengthen default permissions of internal system objects (e.g. 
Symbolic Links) (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\ProtectionModeCCE-508-Worksheet: Computer Policy Settings; Row: 126Setting Index #154: This policy setting determines the strength of the default discretionary access control list (DACL) for objects.PRule 'system_objects_strengthen_default_permissions_on_internal_system_objects' 6Definition 'oval:gov.nist.usgcb.windowsseven:def:112' CCE-9193-4BThe 'Maximum password age' setting should be configured correctly.(1) GPO: Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy\Maximum password age (2) WMI: Namespace = root\rsop\computer; Class = RSOP_SecuritySettingNumeric; Property = Setting; Where = KeyName = 'MaximumPasswordAge' And precedence=1CCE-871)Worksheet: Domain Policy Settings; Row: 4gSetting Index #2: This policy setting defines how long a user can use their password before it expires.Rule 'maximum_password_age' 4Definition 'oval:gov.nist.usgcb.windowsseven:def:5' CCE-9194-2fAuditing of 'System: System Integrity' events on failure should be enabled or disabled as appropriate.CCE-336(Worksheet: Audit Policy Settings; Row: 7Setting Index #365: This policy setting in the System audit category determines whether to audit System Integrity changes on computers that are running Windows Vista. CCE-9195-9]The 'Turn off downloading of print drivers over HTTP' setting should be configured correctly.(1) GPO: Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off downloading of print drivers over HTTP (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\DisableWebPnPDownloadCCE-887-Worksheet: Computer Policy Settings; Row: 182Setting Index #238: This policy setting controls whether the computer can download print driver packages over HTTP. 
To set up HTTP printing, printer drivers that are not available in the standard operating system installation might need to be downloaded over HTTP.7Rule 'turn_off_downloading_of_print_drivers_over_http' 6Definition 'oval:gov.nist.usgcb.windowsseven:def:229' CCE-9196-7eThe 'Network access: Shares that can be accessed anonymously' setting should be configured correctly. set of shares (1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Shares that can be accessed anonymously (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\NullSessionSharesCCE-942-Worksheet: Computer Policy Settings; Row: 114lSetting Index #138: This policy setting determines which network shares can be accessed by anonymous users. >Rule 'network_access_shares_that_can_be_accessed_anonymously' 5Definition 'oval:gov.nist.usgcb.windowsseven:def:94' CCE-9197-5pThe 'Save BitLocker recovery information to AD DS for fixed data drives' setting should be configured correctly. (1) GPO: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives\s2-o5\Save BitLocker recovery information to AD DS for fixed data drives (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\FDVActiveDirectoryBackup-Worksheet: Bitlocker Policy Settings; Row: 12Setting Index #841: This is a setting option. 
Refer to the following parent setting for additional information: Choose how BitLocker-protected fixed data drives can be recovered CCE-9199-1TThe 'Accounts: Administrator account status' setting should be configured correctly.(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Accounts: Administrator account statusCCE-499,Worksheet: Computer Policy Settings; Row: 54vSetting Index #66: This policy setting enables or disables the built-in Administrator account during normal operation.-Rule 'accounts_administrator_account_status' CCE-9200-7{The BitLocker 'Allow data recovery agent' setting should be enabled or disabled as appropriate for operating system drives.(1) GPO: Computer Configuration\Administrative Templates\Windows Components\BitLocker Dr< ive Encryption\Operating System Drives\s2-o1\Allow data recovery agent (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\OSManageDRA-Worksheet: Bitlocker Policy Settings; Row: 24Setting Index #853: This is a setting option. 
Refer to the following parent setting for additional information: Choose how BitLocker-protected operating system drives can be recovered CCE-9211-4sThe 'Deny write access to removable data drives not protected by BitLocker' setting should be configured correctly.1(1) GPO: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives\s6-o0\Deny write access to removable data drives not protected by BitLocker (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Policies\Microsoft\FVE\RDVDenyWriteAccess-Worksheet: Bitlocker Policy Settings; Row: 82Setting Index #916: CCE-9212-2[The 'Deny log on as a batch job' user right should be assigned to the appropriate accounts.!(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny log on as a batch job (2) WMI: Namespace = root\rsop\computer; Class = RSOP_UserPrivilegeRight; Property = AccountList; Where = UserRight='SeDenyBatchLogonRight' and precedence=1CCE-165,Worksheet: Computer Policy Settings; Row: 38{Setting Index #41: This policy setting determines which accounts will not be able to log on to the computer as a batch job."Rule 'deny_log_on_as_a_batch_job' 5Definition 'oval:gov.nist.usgcb.windowsseven:def:26' CCE-9213-0aAuditing of 'Logon-Logoff: Logon' events on failure should be enabled or disabled as appropriate.CCE-1097)Worksheet: Audit Policy Settings; Row: 13Setting Index #369: This audit category generates events that record the creation and destruction of logon sessions. This setting targets the Logon settings. 
CCE-9214-8lAuditing of 'Audit directory service access' events on failure should be enabled or disabled as appropriate.(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit directory service access (2) WMI: Namespace = root\rsop\computer; Class = RSOP_AuditPolicy; Property = Success, Failure; Where = Category='AuditDSAccess' and precedence=1CCE-2390)Worksheet: Audit Policy Settings; Row: 58Setting Index #17: This policy setting determines whether to audit user access to an Active Directory object that has its own specified system access control list (SACL). CCE-9215-5VThe 'Create a token object' user right should be assigned to the appropriate accounts.(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Create a token object (2) WMI: Namespace = root\rsop\computer; Class = RSOP_UserPrivilegeRight; Property = AccountList; Where = UserRight='SeCreateTokenPrivilege' and precedence=1CCE-926,Worksheet: Computer Policy Settings; Row: 14Setting Index #35: This policy setting allows a process to create an access token, which may provide elevated rights to access sensitive data.Rule 'create_a_token_object' 5Definition 'oval:gov.nist.usgcb.windowsseven:def:20' CCE-9217-1hAuditing of 'Object Access:File System' events on success should be enabled or disabled as appropriate.CCE-1085)Worksheet: Audit Policy Settings; Row: 20Setting Index #377: This setting determines whether to audit the event of a user who attempts to access an object that has a specified system access control list (SACL), effectively enabling auditing to take place. It is targeted to File System object access processes. 
CCE-9218-9jThe 'Network access: Named Pipes that can be accessed anonymously' setting should be configured correctly.list of named pipes(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Named Pipes that can be accessed anonymously (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\NullSessionPipesCCE-136-Worksheet: Computer Policy Settings; Row: 111Setting Index #134: This policy setting determines which communication sessions, or pipes, will have attributes and permissions that allow anonymous access.CRule 'network_access_named_pipes_that_can_be_accessed_anonymously' 5Definition 'oval:gov.nist.usgcb.windowsseven:def:90' CCE-9220-5The 'Allow access to BitLocker-protected fixed data drives from earlier versions of Windows ' setting should be configured correctly.3(1) GPO: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives\s1-o0\Allow access to BitLocker-protected fixed data drives from earlier versions of Windows (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\FDVDiscoveryVolumeType,Worksheet: Bitlocker Policy Settings; Row: 5Setting Index #1039: CCE-9221-3Use of the combination of both a Trusted Platform Module (TPM) startup key and PIN for operating system drives encrypted with BitLocker should be configured correctly.(1) GPO: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives\s5-o5\Configure TPM startup key and PIN (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\UseTPMKeyPIN-Worksheet: Bitlocker Policy Settings; Row: 62Setting Index #892: This is a setting option. Refer to the following parent setting for additional information: Require additional authentication at startup CCE-9222-1UThe 'Shutdown: Clear virtual memory pagefile' setting should be configured correctly. 
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Shutdown: Clear virtual memory pagefile (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Memory Management\ClearPageFileAtShutdownCCE-422-Worksheet: Computer Policy Settings; Row: 122Setting Index #149: This policy setting determines whether the virtual memory pagefile is cleared when the system is shut down. .Rule 'shutdown_clear_virtual_memory_pagefile' 6Definition 'oval:gov.nist.usgcb.windowsseven:def:109' CCE-9223-9aThe 'Manage auditing and security log' user right should be assigned to the appropriate accounts.%(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Manage auditing and security log (2) WMI: Namespace = root\rsop\computer; Class = RSOP_UserPrivilegeRight; Property = AccountList; Where = UserRight='SeSecurityPrivilege' and precedence=1CCE-850,Worksheet: Computer Policy Settings; Row: 25Setting Index #55: This policy setting determines which users can change the auditing options for files and directories and clear the Security log.(Rule 'manage_auditing_and_security_log' 5Definition 'oval:gov.nist.usgcb.windowsseven:def:39' CCE-9224-7lAuditing of 'Audit directory service access' events on success should be enabled or disabled as appropriate.CCE-2118 CCE-9226-2YThe 'Generate security audits' user right should be assigned to the appropriate accounts.(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Generate security audits (2) WMI: Namespace = root\rsop\computer; Class = RSOP_UserPrivilegeRight; Property = AccountList; Where = UserRight='SeAuditPrivilege' and precedence=1CCE-939,Worksheet: Computer Policy Settings; Row: 42zSetting Index #47: This policy setting determines which users or processes can generate audit records in the Security log. 
Rule 'generate_security_audits' 5Definition 'oval:gov.nist.usgcb.windowsseven:def:31' CCE-9227-0tAuditing of 'Detailed Tracking: Process Termination' events on success should be enabled or disabled as appropriate.CCE-416)Worksheet: Audit Policy Settings; Row: 34Setting Index #391: Detailed Tracking audit category determines whether to audit detailed tracking information for events such as program activation, process exit, handle duplication, and indirect object access. This setting deals with Process Termination.< CCE-9229-67The built-in Guest account should be correctly named. (1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Accounts: Rename guest accountCCE-834,Worksheet: Computer Policy Settings; Row: 52OSetting Index #70: This setting allows the name of the guest account to change.%Rule 'accounts_rename_guest_account' 5Definition 'oval:gov.nist.usgcb.windowsseven:def:54' CCE-9235-3pAuditing of 'Policy Change: Audit Policy Change' events on failure should be enabled or disabled as appropriate.CCE-991 CCE-9236-1The 'Do not enable BitLocker until recovery information is stored to AD DS for fixed data drives' setting should be configured correctly.@(1) GPO: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives\s2-o7\Do not enable BitLocker until recovery information is stored to AD DS for fixed data drives (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\FDVRequireActiveDirectoryBackup-Worksheet: Bitlocker Policy Settings; Row: 14Setting Index #843: This is a setting option. Refer to the following parent setting for additional information: Choose how BitLocker-protected fixed data drives can be recovered CCE-9239-5TThe 'Deny log on locally' user right should be assigned to the appropriate accounts. 
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny log on locally (2) WMI: Namespace = root\rsop\computer; Class = RSOP_UserPrivilegeRight; Property = AccountList; Where = UserRight='SeDenyInteractiveLogonRight' and precedence=1CCE-64,Worksheet: Computer Policy Settings; Row: 40nSetting Index #43: This security setting determines which users are prevented from logging on at the computer.Rule 'deny_log_on_locally' 5Definition 'oval:gov.nist.usgcb.windowsseven:def:28' CCE-9241-1VThe 'Allow BitLocker without a compatible TPM' setting should be configured correctly.(1) GPO: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives\s5-o1\Allow BitLocker without a compatible TPM (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\EnableBDEWithNoTPM-Worksheet: Bitlocker Policy Settings; Row: 58Setting Index #888: This is a setting option. Refer to the following parent setting for additional information: Require additional authentication at startup CCE-9244-5nThe 'Deny access to this computer from the network' user right should be assigned to the appropriate accounts.6(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny access to this computer from the network (2) WMI: Namespace = root\rsop\computer; Class = RSOP_UserPrivilegeRight; Property = AccountList; Where = UserRight='SeDenyNetworkLogonRight' and precedence=1CCE-898,Worksheet: Computer Policy Settings; Row: 18Setting Index #40: This policy setting prohibits users from connecting to a computer from across the network, which would allow users to access and potentially modify data remotely.2Rule 'deny_access_this_computer_from_the_network' 5Definition 'oval:gov.nist.usgcb.windowsseven:def:25' CCE-9247-8ERights to access DCOM applications should be assigned as appropriate.E(1) users and/or groups (2) allow/deny (3) local 
access/remote access((1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax (2) Registry Key: HKEY_LOCAL_MACHINE\Software\policies\Microsoft\windows NT\DCOM\MachineAccessRestrictionCCE-458,Worksheet: Computer Policy Settings; Row: 63{Setting Index #75: This policy setting determines which users or groups might access DCOM applications remotely or locally. CCE-9248-6The 'Configure storage of BitLocker recovery information to AD DS' setting should be configured correctly for operating system drives.$(1) GPO: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives\s2-o6\Configure storage of BitLocker recovery information to AD DS (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\OSActiveDirectoryInfoToStore-Worksheet: Bitlocker Policy Settings; Row: 29Setting Index #858: This is a setting option. 
Refer to the following parent setting for additional information: Choose how BitLocker-protected operating system drives can be recovered CCE-9249-4pThe 'Network access: Do not allow anonymous enumeration of SAM accounts' setting should be configured correctly.(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Do not allow anonymous enumeration of SAM accounts (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAMCCE-318-Worksheet: Computer Policy Settings; Row: 107Setting Index #130: This policy setting controls the ability of anonymous users to enumerate the accounts in the Security Accounts Manager (SAM).HRule 'network_acces_do_not_allow_anonymous_enumeration_of_sam_accounts' 5Definition 'oval:gov.nist.usgcb.windowsseven:def:86' CCE-9251-0rThe 'Domain member: Digitally encrypt secure channel data (when possible)' setting should be configured correctly.(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Domain member: Digitally encrypt secure channel data (when possible) (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\sealsecurechannelCCE-601,Worksheet: Computer Policy Settings; Row: 71Setting Index #87: This policy setting determines whether a domain member should attempt to negotiate encryption for all secure channel traffic that it initiates.IRule 'domain_member_digitally_encrypt_secure_channel_data_when_possible' 5Definition 'oval:gov.nist.usgcb.windowsseven:def:64' CCE-9253-6fThe 'Access this computer from the network' user right should be assigned to the appropriate accounts.*(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Access this computer from the network (2) WMI: Namespace = root\rsop\computer; Class = RSOP_UserPrivilegeRight; Property = AccountList; Where = UserRight='SeNetworkLogonRight' and 
precedence=1CCE-532+Worksheet: Computer Policy Settings; Row: 7]Setting Index #24: This setting allows other users on the network to connect to the computer.-Rule 'access_this_computer_from_the_network' CCE-9254-4`The 'Create permanent shared objects' user right should be assigned to the appropriate accounts.+(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Create permanent shared objects (2) WMI: Namespace = root\rsop\computer; Class = RSOP_UserPrivilegeRight; Property = AccountList; Where = UserRight='SeCreatePermanentPrivilege' and precedence=1CCE-335,Worksheet: Computer Policy Settings; Row: 16fSetting Index #37: This policy setting allows users to create directory objects in the object manager.'Rule 'create_permanent_shared_objects' 5Definition 'oval:gov.nist.usgcb.windowsseven:def:22' CCE-9256-9tThe 'Save BitLocker recovery information to AD DS for removable data drives' setting should be configured correctly.((1) GPO: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives\s2-o5\Save BitLocker recovery information to AD DS for removable data drives (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\RDVActiveDirectoryBackup-Worksheet: Bitlocker Policy Settings; Row: 70Setting Index #904: This is a setting option. Refer to the following parent setting for additional information: Choose how BitLocker-protected removable data drives can be recovered CCE-9258-5|Auditing of 'Account Logon: Kerberos Authentication Service' events on success should be enabled or disabled as appropriate.)Worksheet: Audit Policy S< ettings; Row: 53aSetting Index #518: The Account Logon audit category generates events for credential validation. 
CCE-9259-3Use of the Trusted Platform Module (TPM) on startup for operating system drives encrypted with BitLocker should be configured correctly.(1) GPO: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives\s5-o2\Configure TPM startup (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\UseTPM-Worksheet: Bitlocker Policy Settings; Row: 59Setting Index #889: This is a setting option. Refer to the following parent setting for additional information: Require additional authentication at startup CCE-9260-1YThe 'Store passwords using reversible encryption' setting should be configured correctly.)(1) GPO: Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy\Store passwords using reversible encryption (2) WMI: Namespace = root\rsop\computer; Class = RSOP_SecuritySettingBoolean; Property = Setting; Where = KeyName = 'ClearTextPassword' And precedence=1CCE-479)Worksheet: Domain Policy Settings; Row: 8Setting Index #6: This policy setting determines whether the operating system stores passwords in a way that uses reversible encryption, which provides support for application protocols that require knowledge of the user's password for authentication purposes.3Rule 'store_passwords_using_reversible_encryption' 4Definition 'oval:gov.nist.usgcb.windowsseven:def:9' CCE-9265-0|The 'Microsoft network client: Send unencrypted password to third-party SMB servers' setting should be configured correctly..(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft network client: Send unencrypted password to third-party SMB servers (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnablePlainTextPasswordCCE-228,Worksheet: Computer Policy Settings; Row: 87Setting Index #104: Disable this policy setting to prevent the SMB redirector from sending plaintext passwords during 
authentication to third-party SMB servers that do not support password encryption. URule 'microsoft_network_client_send_unencrypted_password_to_third_party_smb_servers' 5Definition 'oval:gov.nist.usgcb.windowsseven:def:79' CCE-9266-8The 'System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing' setting should be configured correctly.!(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy\EnabledCCE-55-Worksheet: Computer Policy Settings; Row: 124Setting Index #530: This policy setting determines whether the Transport Layer Security/Secure Sockets Layer (TLS/SSL) Security Provider supports only the TLS_RSA_WITH_3DES_EDE_CBC_SHA cipher suite.\Rule 'system_cryptography_use_fips_compliant_algorithms_for_encryption_hashing_and_signing' 6Definition 'oval:gov.nist.usgcb.windowsseven:def:110' CCE-9269-2Auditing of 'Account Logon: Kerberos Service Ticket Operations' events on failure should be enabled or disabled as appropriate. 
CCE-9274-2lThe 'Deny log on through Remote Desktop Services' user right should be assigned to the appropriate accounts.>(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny log on through Remote Desktop Services (2) WMI: Namespace = root\rsop\computer; Class = RSOP_UserPrivilegeRight; Property = AccountList; Where = UserRight='SeDenyRemoteInteractiveLogonRight' and precedence=1CCE-108,Worksheet: Computer Policy Settings; Row: 41jSetting Index #1046: This policy setting determines whether users can log on as Terminal Services clients.3Rule 'deny_log_on_through_remote_desktop_services' 5Definition 'oval:gov.nist.usgcb.windowsseven:def:29' CCE-9279-1Validation of the 'Reserved for Future Use' Platform Configuration Register (aka PCR 20) by the Trusted Platform Module (TPM) should be enabled or disabled as appropriate.(1) GPO: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives\s4-o21\PCR 20: Reserved for Future Use (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\PlatformValidation\20-Worksheet: Bitlocker Policy Settings; Row: 46Setting Index #883: This is a setting option. Refer to the following parent setting for additional information: Configure TPM platform validation profile CCE-9282-5pThe 'Allow users to apply BitLocker protection on removable data drives' setting should be configured correctly.(1) GPO: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives\s5-o1\Allow users to apply BitLocker protection on removable data drives (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\RDVAllowBDE-Worksheet: Bitlocker Policy Settings; Row: 80Setting Index #914: This is a setting option. 
Refer to the following parent setting for additional information: Control use of BitLocker on removable drives CCE-9289-0UThe 'Lock pages in memory' user right should be assigned to the appropriate accounts.(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Lock pages in memory (2) WMI: Namespace = root\rsop\computer; Class = RSOP_UserPrivilegeRight; Property = AccountList; Where = UserRight='SeLockMemoryPrivilege' and precedence=1CCE-749,Worksheet: Computer Policy Settings; Row: 24Setting Index #52: This policy setting allows a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Rule 'lock_pages_in_memory' 5Definition 'oval:gov.nist.usgcb.windowsseven:def:36' CCE-9295-7eThe 'Domain member: Disable machine account password changes' setting should be configured correctly. (1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Domain member: Disable machine account password changes (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\disablepasswordchangeCCE-831,Worksheet: Computer Policy Settings; Row: 73Setting Index #89: This policy setting determines whether a domain member can periodically change its computer account password. 
>Rule 'domain_member_disable_machine_account_password_changes' 5Definition 'oval:gov.nist.usgcb.windowsseven:def:66' CCE-9301-3The 'User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop' setting should be configured correctly.D(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableUIADesktopToggle-Worksheet: Computer Policy Settings; Row: 139Setting Index #534: Windows Vista SP1 includes a new Security Policy (UAC: Allow UIAccess), which allows applications to prompt for elevation without using the secure desktop. This allows a remote helper to enter administrative credentials during a Remote Assistance session.qRule 'user_account_control_allow_uiaccess_applications_to_prompt_for_elevation_without_using_the_secure_desktop' CCE-9304-7lThe 'Devices: Restrict CD-ROM access to locally logged-on user only' setting should be configured correctly. 
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Devices: Restrict CD-ROM access to locally logged-on user only (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateCDRomsCCE-565,Worksheet: Computer Policy Settings; Row: 68Setting Index #80: This policy setting determines whether a CD-R< OM is accessible to both local and remote users simultaneously.@Rule 'devices_restrict_cdrom_access_to_locally_logged_on_users' 5Definition 'oval:gov.nist.usgcb.windowsseven:def:61' CCE-9307-0qThe 'Interactive logon: Prompt user to change password before expiration' setting should be configured correctly."number of days prior to expiration(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Prompt user to change password before expiration (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\passwordexpirywarningCCE-814,Worksheet: Computer Policy Settings; Row: 79wSetting Index #98: This policy setting determines how far in advance users are warned that their password will expire. JRule 'interactive_logon_prompt_user_to_change_password_before_expiration' 5Definition 'oval:gov.nist.usgcb.windowsseven:def:74' CCE-9308-8FThe 'Account lockout duration' setting should be configured correctly.number of minutes(1) GPO: Computer Configuration\Windows Settings\Security Settings\Account Policies\Account Lockout Policy\Account lockout duration (2) WMI: Namespace = root\rsop\computer; Class = RSOP_SecuritySettingNumeric; Property = Setting; Where = KeyName='LockoutDuration' And precedence=1CCE-980)Worksheet: Domain Policy Settings; Row: 9Setting Index #7: This policy setting determines the length of time that must pass before a locked account is unlocked and a user can try to log on again. 
Rule 'account_lockout_duration' 4Definition 'oval:gov.nist.usgcb.windowsseven:def:1' CCE-9309-6iThe 'Take ownership of files or other objects' user right should be assigned to the appropriate accounts.2(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Take ownership of files or other objects (2) WMI: Namespace = root\rsop\computer; Class = RSOP_UserPrivilegeRight; Property = AccountList; Where = UserRight='SeTakeOwnershipPrivilege' and precedence=1CCE-492,Worksheet: Computer Policy Settings; Row: 47Setting Index #65: This policy setting allows users to take ownership of files, folders, registry keys, processes, or threads. This user right bypasses any permissions that are in place to protect objects and give ownership to the specified user.0Rule 'take_ownership_of_files_or_other_objects' 5Definition 'oval:gov.nist.usgcb.windowsseven:def:49' CCE-9314-6wAuditing of 'Privilege Use: Other Privilege Use Events' events on failure should be enabled or disabled as appropriate.(1) GPO: Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\System Audit Policies\Privilege Use\Audit Policy: Privilege Use: Other Privilege Use Events)Worksheet: Audit Policy Settings; Row: 31Setting Index #931: This setting applies to Other Privilege Use Events subcategory of events. You can use it to audit users exercising user rights. 
CCE-9317-9\The 'Interactive logon: Do not require CTRL+ALT+DEL' setting should be configured correctly.(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Do not require CTRL+ALT+DEL (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCADCCE-133,Worksheet: Computer Policy Settings; Row: 77Setting Index #94: When this setting is configured to Enabled, users are not required to use the CTRL+ALT+DEL key combination to log on to the network.5Rule 'interactive_logon_do_not_require_ctrl_alt_del' 5Definition 'oval:gov.nist.usgcb.windowsseven:def:70' CCE-9319-5sThe 'System objects: Require case insensitivity for non-Windows subsystems' setting should be configured correctly.(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\System objects: Require case insensitivity for non-Windows subsystems (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel\ObCaseInsensitiveCCE-300-Worksheet: Computer Policy Settings; Row: 125Setting Index #153: Determines whether case insensitivity is enforced for all subsystems. 
Example is case insensitivity for other subsystems, such as the Portable Operating System Interface for UNIX (POSIX) which are normally case sensitive.LRule 'system_objects_require_case_insensitivity_for_non_windows_subsystems' 6Definition 'oval:gov.nist.usgcb.windowsseven:def:111' CCE-9320-3VThe 'Log on as a batch job' user right should be assigned to the appropriate accounts.(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Log on as a batch job (2) WMI: Namespace = root\rsop\computer; Class = RSOP_UserPrivilegeRight; Property = AccountList; Where = UserRight='SeBatchLogonRight' and precedence=1CCE-177,Worksheet: Computer Policy Settings; Row: 44bSetting Index #53: This policy setting allows accounts to log on using the task scheduler service.Rule 'log_on_as_a_batch_job' 5Definition 'oval:gov.nist.usgcb.windowsseven:def:37' CCE-9321-1hAuditing of 'Audit account logon events' events on success should be enabled or disabled as appropriate.(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit account logon events (2) WMI: Namespace = root\rsop\computer; Class = RSOP_AuditPolicy; Property = Success, Failure; Where = Category='AuditAccountLogon' and precedence=1CCE-2628)Worksheet: Audit Policy Settings; Row: 56Setting Index #15: This policy setting determines whether to audit each instance of a user who logs on to or off from another computer that validates the account. 
CCE-9326-0eThe 'Remove computer from docking station' user right should be assigned to the appropriate accounts.'(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Remove computer from docking station (2) WMI: Namespace = root\rsop\computer; Class = RSOP_UserPrivilegeRight; Property = AccountList; Where = UserRight='SeUndockPrivilege' and precedence=1CCE-656,Worksheet: Computer Policy Settings; Row: 31Setting Index #60: This policy setting allows the user of a portable computer to click Eject PC on the Start menu to undock the computer.,Rule 'remove_computer_from_docking_station' 5Definition 'oval:gov.nist.usgcb.windowsseven:def:45' CCE-9327-8nThe 'Microsoft network client: Digitally sign communications (always)' setting should be configured correctly.!(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft network client: Digitally sign communications (always) (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\RequireSecuritySignatureCCE-576,Worksheet: Computer Policy Settings; Row: 85sSetting Index #102: This policy setting determines whether packet signing is required by the SMB client component. 
ERule 'microsoft_network_client_digitally_sign_communications_always' 5Definition 'oval:gov.nist.usgcb.windowsseven:def:77' CCE-9329-4mThe 'Windows Firewall: Domain: Apply local connection security rules' setting should be configured correctly.yes/nox(1) GPO: Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Domain Profile\Windows Firewall: Domain: Apply local connection security rules (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\AllowLocalIPsecPolicyMergeCCE-584-Worksheet: Computer Policy Settings; Row: 160Setting Index #189: This setting controls whether local administrators are allowed to create connection security rules that apply with other connection security rules enforced by Group Policy. CCE-9330-2BThe 'Minimum password age' setting should be configured correctly.(1) GPO: Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy\Minimum password age (2) WMI: Namespace = root\rsop\computer; Class = RSOP_SecuritySettingNumeric; Property = Setting; Where = KeyName = 'MinimumPasswordAge' And precedence=1CCE-324)Worksheet: Domain Policy Settings; Row: 5{Setting Index #3: This policy setting determines the number of days that you must use a password before you can change it. 
Rule 'minimum_password_age' 4Definition 'oval:gov.nist.usgcb.windowsseven:def:6' CCE-9336-9dThe 'Force shutdown from a remote system' user right should be assigned to the appropriate accounts.(1) GPO: Computer Configuration\Windows Settings\Local Policies\User Rights Assignment\Force shutdown from a remote system (2) WMI: Namespace = root\rsop\computer; Class = RSOP_UserPrivilegeRight; Property = AccountList; Where = UserRight='SeRemoteShutdownPrivilege' and precedence=1CCE-754,Worksheet: Computer Policy Settings; Row: 20Setting Index #46: This policy setting allows users to shut down Windows Vista based computers from remote locations on the network.+Rule 'force_shutdown_from_a_remote_system' 5Definition 'oval:gov.nist.usgcb.windowsseven:def:30' CCE-9339-3fAuditing of 'Audit account management' events on success should be enabled or disabled as appropriate.CCE-2000 CCE-9340-1jThe 'Network Security: Restrict NTLM: Audit Incoming NTLM Traffic' setting should be configured correctly. (1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network Security: Restrict NTLM: Audit Incoming NTLM Traffic (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\AuditReceivingNTLMTraffic-Worksheet: Computer Policy Settings; Row: 149RSetting Index #925: This policy setting allows you to audit incoming NTLM traffic. CCE-9342-7lThe 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' setting should be configured correctly. 
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended) (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoAdminLogonCCE-283,Worksheet: Computer Policy Settings; Row: 93Setting Index #109: The registry value entry AutoAdminLogon was added to the template file in the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ registry key7Rule 'mss_autoadminlogon_enable_automatic_admin_logon' 6Definition 'oval:gov.nist.usgcb.windowsseven:def:122' CCE-9344-3xThe 'Microsoft network client: Digitally sign communications (if server agrees)' setting should be configured correctly.*(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft network client: Digitally sign communications (if server agrees) (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnableSecuritySignatureCCE-519,Worksheet: Computer Policy Settings; Row: 86wSetting Index #103: This policy setting determines whether the SMB client will attempt to negotiate SMB packet signing.ORule 'microsoft_network_client_digitally_sign_communications_if_server_agrees' 5Definition 'oval:gov.nist.usgcb.windowsseven:def:78' CCE-9345-0UThe 'Allow log on locally' user right should be assigned to the appropriate accounts.(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Allow log on locally (2) WMI: Namespace = root\rsop\computer; Class = RSOP_UserPrivilegeRight; Property = AccountList; Where = UserRight='SeInteractiveLogonRight' and precedence=1CCE-965,Worksheet: Computer Policy Settings; Row: 34xSetting Index #28: This policy setting determines which users can interactively log on to computers in your environment.Rule 'allow_log_on_locally' 5Definition 'oval:gov.nist.usgcb.windowsseven:def:13' 
CCE-9347-6dAuditing of 'Audit process tracking' events on success should be enabled or disabled as appropriate.CCE-2529 CCE-9348-4pThe 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' setting should be configured correctly.(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended) (2) Registry Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SafeDllSearchModeCCE-271-Worksheet: Computer Policy Settings; Row: 103wSetting Index #123: The entry appears as MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended) in the SCE.9Rule 'mss_safedllsearchmode_enable_safe_dll_search_mode' 6Definition 'oval:gov.nist.usgcb.windowsseven:def:135' CCE-9357-5EThe 'Minimum password length' setting should be configured correctly.(1) GPO: Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy\Minimum password length (2) WMI: Namespace = root\rsop\computer; Class = RSOP_SecuritySettingNumeric; Property = Setting; Where = KeyName = 'MinimumPasswordLength' And precedence=1CCE-100)Worksheet: Domain Policy Settings; Row: 6{Setting Index #4: This policy setting determines the least number of characters that make up a password for a user account.Rule 'minimum_password_length' 4Definition 'oval:gov.nist.usgcb.windowsseven:def:7' CCE-9358-3rThe 'Microsoft network server: Disconnect clients when logon hours expire' setting should be configured correctly.(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft network server: Disconnect clients when logon hours expire (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\enableforcedlogoff,Worksheet: Computer Policy Settings; Row: 91Setting Index #1043: This policy setting determines whether to disconnect users who are connected to the local computer outside their 
user account's valid logon hours. It affects the SMB component.FRule 'microsoft_network_server_disconnect_clients_when_logons_expire' 5Definition 'oval:gov.nist.usgcb.windowsseven:def:83' CCE-9361-7VThe 'Registry policy processing' setting should be enabled or disabled as appropriate.g(1) GPO: Computer Configuration\Administrative Templates\System\Group Policy\Registry policy processing-Worksheet: Computer Policy Settings; Row: 177VSetting Index #232: This policy setting determines when registry policies are updated."Rule 'registry_policy_processing' 6Definition 'oval:gov.nist.usgcb.windowsseven:def:227' CCE-9915-0The 'Do not apply during periodic background processing' option for registry policy processing should be enabled or disabled as appropriate.*(1) GPO: Computer Configuration\Administrative Templates\System\Group Policy\Registry policy processing\Do not apply during periodic background processing (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}\NoBackgroundPolicy CCE-10417-4The 'Process even if the Group Policy objects have not changed' option for registry policy processing should be enabled or disabled as appropriate.(1) GPO: Computer Configuration\Administrative Templates\System\Group Policy\Registry policy processing (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}\NoGPOListChanges CCE-9364-1kAuditing of 'Detailed Tracking: RPC Events' events on failure should be enabled or disabled as appropriate.CCE-1365)Worksheet: Audit Policy Settings; Row: 35Setting Index #393: The Detailed Tracking audit category determines whether to audit detailed tracking information for events, such as program activation, process exit, handle duplication, and indirect object access. This setting is focused on RPC events. 
CCE-9365-8`Auditing of 'Audit logon events' events on success should be enabled or disabled as appropriate.CCE-1686 CCE-9370-8PThe 'Password must meet complexity requirements' policy should be set correctly.)(1) GPO: Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy\Password must meet complexity requirements (2) WMI: Namespace = root\rsop\computer; Class = RSOP_SecuritySettingBoolean; Property = Setting; Where = KeyName = 'PasswordComplexity' And precedence=1CCE-633)Worksheet: Domain Policy Settings; Row: 7~Setting Index #5: This policy setting checks all new passwords to ensure that they meet the basic requirements for a strong password.3Rule 'password_must_meeet_complexity_requirements' 4Definition 'oval:gov.nist.usgcb.windowsseven:def:8' CCE-9375-7oThe 'Domain member: Digitally sign secure channel data (when possible)' setting should be configured correctly.(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Domain member: Digitally sign secure channel data (when possible) (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\signsecurechannelCCE-614,Worksheet: Computer Policy Settings; Row: 72Setting Index #88: This policy setting determines whether a domain member should attempt to negotiate whether all secure channel traffic that it initiates must be digitally signed.FRule 'domain_member_digitally_sign_secure_channel_data_when_possible' 5Definition 'oval:gov.nist.usgcb.windowsseven:def:65' CCE-9376-5gAuditing of 'Object Access:File Share' events on success should be enabled or disabled as appropriate.CCE-1372)Worksheet: Audit Policy Settings; Row: 19Setting Index #384: This setting determines whether to audit the event of a user who attempts to access an object that has a specified system access control list (SACL), effectively enabling auditing to take place. This setting is targeted to File Share access operations. 
CCE-9380-7nThe 'Access Credential Manager as a trusted caller' user right should be assigned to the appropriate accounts.>(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Access Credential Manager as a trusted caller (2) WMI: Namespace = root\rsop\computer; Class = RSOP_UserPrivilegeRight; Property = AccountList; Where = UserRight='SeTrustedCredManAccessPrivilege' and precedence=1CCE-389,Worksheet: Computer Policy Settings; Row: 48bSetting Index #581: This security setting is used by Credential Manager during Backup and Restore. CCE-9381-5The 'System cryptography: Force strong key protection for user keys stored on the computer' setting should be configured correctly.(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\System cryptography: Force strong key protection for user keys stored on the computer (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Cryptography\ForceKeyProtectionCCE-647-Worksheet: Computer Policy Settings; Row: 136Setting Index #150: This policy setting determines whether users' private keys (such as their S-MIME keys) require a password to be used. 
CCE-9386-4nThe 'Network access: Remotely accessible registry paths and sub-paths' setting should be configured correctly.(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Remotely accessible registry paths and sub-paths (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths\MachineCCE-1185,Worksheet: Computer Policy Settings; Row: 50Setting Index #136: This policy setting determines which registry paths and sub-paths will be accessible when an application or process references the WinReg key to determine access permissions.GRule 'network_access_remotely_accessible_registry_paths_and_sub_paths' 5Definition 'oval:gov.nist.usgcb.windowsseven:def:92' CCE-9387-2oThe 'Domain member: Require strong (Windows 2000 or later) session key' setting should be configured correctly.(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Domain member: Require strong (Windows 2000 or later) session key (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\requirestrongkeyCCE-417,Worksheet: Computer Policy Settings; Row: 75Setting Index #91: When this policy setting is enabled, a secure channel can only be established with domain controllers that are capable of encrypting secure channel data with a strong (128-bit) session key.FRule 'domain_member_require_strong_windows_2000_or_later_session_key' 5Definition 'oval:gov.nist.usgcb.windowsseven:def:68' CCE-9388-0WThe 'Profile single process' user right should be assigned to the appropriate accounts.'(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Profile single process (2) WMI: Namespace = root\rsop\computer; Class = RSOP_UserPrivilegeRight; Property = AccountList; Where = UserRight='SeProfileSingleProcessPrivilege' and precedence=1CCE-260,Worksheet: Computer Policy Settings; Row: 
29Setting Index #58: This policy setting determines which users can use tools to monitor the performance of non-system processes. if System Monitor is configured to collect data using Windows Management Instrumentation (WMI) this setting is required.Rule 'profile_single_process' 5Definition 'oval:gov.nist.usgcb.windowsseven:def:43' CCE-9389-8^The 'Back up files and directories' user right should be assigned to the appropriate accounts. (1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Back up files and directories (2) WMI: Namespace = root\rsop\computer; Class = RSOP_UserPrivilegeRight; Property = AccountList; Where = UserRight='SeBackupPrivilege' and precedence=1CCE-931,Worksheet: Computer Policy Settings; Row: 10wSetting Index #30: This policy setting allows users to circumvent file and directory permissions to back up the system.%Rule 'back_up_files_and_directories' 5Definition 'oval:gov.nist.usgcb.windowsseven:def:15' CCE-9395-5}The 'User Account Control: Switch to the secure desktop when prompting for elevation' setting should be configured correctly.((1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control: Switch to the secure desktop when prompting for elevation (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktopCCE-230-Worksheet: Computer Policy Settings; Row: 134Setting Index #164: This setting helps to prevent malicious use of the elevation prompt. 
The Windows Vista secure desktop can only run SYSTEM processes, which generally eliminates messages from malicious software.VRule 'user_account_control_switch_to_the_secure_desktop_when_prompting_for_elevation' 6Definition 'oval:gov.nist.usgcb.windowsseven:def:120' CCE-9396-3ZThe 'Restrictions for Unauthenticated RPC clients' setting should be configured correctly.TEnabled:Authenticated/Enabled:Authenticated without exceptions/Enabled:None/Disabled(1) GPO: Computer Configuration\Administrative Templates\System\Remote Procedure Call\Restrictions for Unauthenticated RPC clients (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Rpc\RestrictRemoteClientsCCE-423-Worksheet: Computer Policy Settings; Row: 180Setting Index #235: This policy setting configures the RPC Runtime on an RPC server to restrict unauthenticated RPC clients from connecting to the RPC server. 4Rule 'restrictions_for_unauthenticated_rpc_clients' 6Definition 'oval:gov.nist.usgcb.windowsseven:def:251' CCE-9400-3QThe 'Reset account lockout counter after' setting should be configured correctly.&(1) GPO: Computer Configuration\Windows Settings\Security Settings\Account Policies\Account Lockout Policy\Reset account lockout counter after (2) WMI: Namespace = root\rsop\computer; Class = RSOP_SecuritySettingNumeric; Property = Setting; Where = KeyName='ResetLockoutCount' And precedence=1CCE-733*Worksheet: Domain Policy Settings; Row: 11ySetting Index #9: This policy setting determines the length of time before the Account lockout threshold resets to zero. 
Rule 'account_lockout_reset' 4Definition 'oval:gov.nist.usgcb.windowsseven:def:3' CCE-9403-7?Automatic Updates should be enabled or disabled as appropriate.Notify for download and notify for install/Auto download and notify for install/Auto download and schedule the install/Allow local admin to choose setting/Disabled(1) GPO: Computer Configuration\Administrative Templates\Windows Components\Windows Update\Configure Automatic Updates (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU\AUOptionsCCE-306-Worksheet: Computer Policy Settings; Row: 192Setting Index #274: This policy setting specifies whether computers in your environment will receive security updates from Windows Update or WSUS?http://technet.microsoft.com/en-us/library/cc720539(WS.10).aspx#Rule 'configure_automatic_updates' 6Definition 'oval:gov.nist.usgcb.windowsseven:def:301' CCE-10700-3QThe 'Scheduled install day' option for automatic updates should be set correctly.$every day/specific day of every week CCE-9924-2RThe 'Scheduled install time' option for automatic updates should be set correctly.hour of the day CCE-9405-2gAuditing of 'Object Access:File Share' events on failure should be enabled or disabled as appropriate.CCE-1033 CCE-9406-0~The 'Microsoft network server: Amount of idle time required before suspending session' setting should be configured correctly."(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft network server: Amount of idle time required before suspending session (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\autodisconnectCCE-222,Worksheet: Computer Policy Settings; Row: 88Setting Index #105: This policy setting allows you to specify the amount of continuous idle time that must pass in an SMB session before the session is suspended because of inactivity. 
WRule 'microsoft_network_server_amount_of_idle_time_required_before_suspending_session' 5Definition 'oval:gov.nist.usgcb.windowsseven:def:80' CCE-9407-8dThe 'Act as part of the operating system' user right should be assigned to the appropriate accounts.#(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Act as part of the operating system (2) WMI: Namespace = root\rsop\computer; Class = RSOP_UserPrivilegeRight; Property = AccountList; Where = UserRight='SeTcbPrivilege' and precedence=1CCE-162+Worksheet: Computer Policy Settings; Row: 8Setting Index #25: This policy setting allows a process to assume the identity of any user and thus gain access to the resources that the user is authorized to access.+Rule 'act_as_part_of_the_operating_system' 5Definition 'oval:gov.nist.usgcb.windowsseven:def:11' CCE-9410-2SThe 'Interactive logon: Require smart card' setting should be configured correctly.(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Require smart card (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\scforceoptionCCE-828,Worksheet: Computer Policy Settings; Row: 84aSetting Index #100: This policy setting requires users to log on to a computer with a smart card. CCE-9412-8oAuditing of 'Detailed Tracking: DPAPI Activity' events on failure should be enabled or disabled as appropriate.CCE-699)Worksheet: Audit Policy Settings; Row: 32Setting Index #392: The Detailed Tracking audit category determines whether to audit detailed tracking information for events such as program activation, process exit, handle duplication, and indirect object access. This setting deals with the DPAPI Activity. 
CCE-9417-7cThe 'Modify firmware environment values' user right should be assigned to the appropriate accounts.0(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Modify firmware environment values (2) WMI: Namespace = root\rsop\computer; Class = RSOP_UserPrivilegeRight; Property = AccountList; Where = UserRight='SeSystemEnvironmentPrivilege' and precedence=1CCE-17,Worksheet: Computer Policy Settings; Row: 26Setting Index #56: This policy setting allows users to configure the system-wide environment variables that affect hardware configuration. This information is typically stored in the Last Known Good Configuration.-Rule 'modify_firmware_environment_variables' 5Definition 'oval:gov.nist.usgcb.windowsseven:def:41' CCE-9418-5xThe 'Accounts: Limit local account use of blank passwords to console logon only' setting should be configured correctly.(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Accounts: Limit local account use of blank passwords to console logon only (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUseCCE-533,Worksheet: Computer Policy Settings; Row: 58Setting Index #68: This policy setting determines whether local accounts that are not password protected can be used to log on from locations other than the physical computer consoleQRule 'accounts_limit_local_account_use_of_blank_passwords_to_console_logon_only' 5Definition 'oval:gov.nist.usgcb.windowsseven:def:52' CCE-9419-3[The 'Profile system performance' user right should be assigned to the appropriate accounts.$(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Profile system performance (2) WMI: Namespace = root\rsop\computer; Class = RSOP_UserPrivilegeRight; Property = AccountList; Where = UserRight='SeSystemProfilePrivilege' and precedence=1CCE-599,Worksheet: Computer Policy Settings; Row: 
30Setting Index #59: This policy setting allows users to use tools to view the performance of different system processes, which could be abused to allow attackers to determine a system's active processes and provide insight into the potential attack surface of the computer."Rule 'profile_system_performance' 5Definition 'oval:gov.nist.usgcb.windowsseven:def:44' CCE-9426-8xThe 'MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds' setting should be configured correctly.frequency in milliseconds(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\KeepAliveTimeCCE-188,Worksheet: Computer Policy Settings; Row: 98Setting Index #117: The registry value entry appears as MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds (300,000 is recommended) in the SCE.ORule 'mss_keepalivetime_how_often_keep_alive_packets_are_sent_in_milliseconds' 6Definition 'oval:gov.nist.usgcb.windowsseven:def:129' CCE-9432-6The 'Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings' setting should be configured correctly.<(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\scenoapplylegacyauditpolicyCCE-111,Worksheet: Computer Policy Settings; Row: 62Setting Index #73: This policy setting allows administrators to enable the more precise auditing capabilities present in Windows Vista. 
Uses subcategory setting to override audit policy categories.ZRule 'audit_force_policy_subcategory_settings_to_override_audit_policy_category_settings' 5Definition 'oval:gov.nist.usgcb.windowsseven:def:57' CCE-9439-1The 'MSS: (NoDefaultExempt) Configure IPSec exemptions for various types of network traffic.' setting should be configured correctly.Allow all exceptions (least secure)/Multicast, broadcast, and ISAKMP are exempt (Best for Windows XP)/RSVP, Kerberos, and ISAKMP are excempt/Only ISAKMP is excempt (recommended for Windows Server 2003)/Disabled(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\MSS: (NoDefaultExempt) Configure IPSec exemptions for various types of network traffic. (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\IPSEC\NoDefaultExemptCCE-501,Worksheet: Computer Policy Settings; Row: 99Setting Index #118: The entry appears as MSS: (NoDefaultExempt) Configure IPSec exemptions for various types of network traffic in the SCE.&http://support.microsoft.com/kb/811832[Rule 'mss_nodefaultexempt_configure_ipsec_exemptions_for_various_types_of_network_traffic' 6Definition 'oval:gov.nist.usgcb.windowsseven:def:130' CCE-9440-9lThe 'Devices: Restrict floppy access to locally logged-on user only' setting should be configured correctly.(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Devices: Restrict floppy access to locally logged-on user only (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateFloppiesCCE-463,Worksheet: Computer Policy Settings; Row: 69Setting Index #81: This policy setting determines whether removable floppy media are accessible to both local and remote users simultaneously.ARule 'devices_restrict_floppy_access_to_locally_logged_on_users' 5Definition 'oval:gov.nist.usgcb.windowsseven:def:62' CCE-9445-8wAuditing of 'Account Logon: Other Account Logon Events' events on 
failure should be enabled or disabled as appropriate.CCE-226)Worksheet: Audit Policy Settings; Row: 55xSetting Index #413: This policy setting audits logon events other than credential validation and Kerberos Ticket Events. CCE-9449-0^The 'Interactive logon: Do not display last user name' setting should be configured correctly. (1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Do not display last user name (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserNameCCE-65,Worksheet: Computer Policy Settings; Row: 76Setting Index #93: This policy setting determines whether the account name of the last user to log on to the client computers in your organization will be displayed in each computer's respective Windows logon screen.7Rule 'interactive_logon_do_not_display_last_user_name' 5Definition 'oval:gov.nist.usgcb.windowsseven:def:69' CCE-9455-7wAuditing of 'Object Access:Other Object Access Events' events on success should be enabled or disabled as appropriate.CCE-642)Worksheet: Audit Policy Settings; Row: 25Setting Index #387: This settings determines whether to audit the event of a user who accesses an object that has a specified system access control list (SACL), effectively enabling auditing to take place. It is targeted to Other Object Access events. 
CCE-9456-5The 'MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted (3 recommended, 5 is default)' setting should be configured correctly.number of retransmissionsH(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted (3 recommended, 5 is default) (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxDataRetransmissionsCCE-872-Worksheet: Computer Policy Settings; Row: 105Setting Index #127: This registry value entry appears as MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted (3 recommended, 5 is default) in the SCE.YRule 'mss_tcpmaxdataretransmissions_how_many_times_unacknowledged_data_is_retransmitted' 6Definition 'oval:gov.nist.usgcb.windowsseven:def:137' CCE-9458-1The 'MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)' setting should be configured correctly.NEnable only if DHCP sends the Perform Router Discovery option/Enabled/DisabledA(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS) (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\PerformRouterDiscoveryCCE-952-Worksheet: Computer Policy Settings; Row: 102Setting Index #122: This registry value entry appears as MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS) in the SCE.dRule 'mss_performrouterdiscovery_allow_irdp_to_detect_andconfigure_default_default_gateway_address' 6Definition 'oval:gov.nist.usgcb.windowsseven:def:134' CCE-9460-7sAuditing of 'Object Access:Certification Services' events on success should be enabled or disabled as 
appropriate.CCE-1345)Worksheet: Audit Policy Settings; Row: 18Setting Index #381: This policy determines whether to audit the event of a user who attempts to access an object that has a specified system access control list (SACL), effectively enabling auditing to take place. It is targeted to the certification services processes. CCE-9461-5TThe 'Log on as a service' user right should be assigned to the appropriate accounts.(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Log on as a service (2) WMI: Namespace = root\rsop\computer; Class = RSOP_UserPrivilegeRight; Property = AccountList; Where = UserRight='SeServiceLogonRight' and precedence=1CCE-216,Worksheet: Computer Policy Settings; Row: 45Setting Index #54: This policy setting allows accounts to start network services or register a process as a service running on the system.Rule 'log_on_as_a_service' 5Definition 'oval:gov.nist.usgcb.windowsseven:def:38' CCE-9463-1rThe 'Audit: Shut down system immediately if unable to log security audits' setting should be configured correctly.(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Audit: Shut down system immediately if unable to log security audits (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\crashonauditfailCCE-92,Worksheet: Computer Policy Settings; Row: 61xSetting Index #74: This policy setting determines whether the system shuts down if it is unable to log Security events. 
CCE-9464-9The 'Do not display 'Install Updates and Shut Down' option in Shut Down Windows dialog box' setting should be configured correctly.(1) GPO: Computer Configuration\Administrative Templates\Windows Components\Windows Update\Do not display 'Install Updates and Shut Down' option in Shut Down Windows dialog box (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAUShutdownOptionCCE-1-Worksheet: Computer Policy Settings; Row: 193Setting Index #273: This policy setting allows you to manage whether the Install Updates and Shut Down option is displayed in the Shut Down Windows dialog box. [Rule 'do_not_display_install_updates_and_shut_down_option_in_shut_down_windows_dialog_box' 9Definition 'oval:gov.nist.usgcb.windowsseven:def:100212' CCE-9465-6YThe Windows Firewall should be enabled or disabled as appropriate for the Domain Profile.U(1) GPO: Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Domain Profile\Windows Firewall: Domain: Firewall state (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\EnableFirewall-Worksheet: Computer Policy Settings; Row: 154Setting Index #183: Select On to allow Windows Firewall to filter network traffic. Select Off to prevent Windows Firewall from using any firewall rules or connection security rules for this profile. 
CCE-9487-0The 'MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted (3 recommended, 5 is default)' setting should be configured correctly.N(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted (3 recommended, 5 is default) (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip6\Parameters\TcpMaxDataRetransmissions-Worksheet: Computer Policy Settings; Row: 141Setting Index #522: This registry value entry appears as MSS: (TcpMaxDataRetransmissions) IPv6 How many times unacknowledged data is retransmitted (3 recommended, 5 is default) in the SCE.]Rule 'mss_tcpmaxdataretransmissionsipv6_how_many_times_unacknowledged_data_is_retransmitted' CCE-9488-8sAuditing of 'Object Access:Certification Services' events on failure should be enabled or disabled as appropriate.CCE-1261 CCE-9492-0kAuditing of 'Detailed Tracking: RPC Events' events on success should be enabled or disabled as appropriate.CCE-1219 CCE-9494-6dThe 'Network Security: Restrict NTLM: Incoming NTLM traffic' setting should be configured correctly.4Allow all/Deny all domain accounts/Deny all accounts(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network Security: Restrict NTLM: Incoming NTLM traffic (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\RestrictReceivingNTLMTraffic-Worksheet: Computer Policy Settings; Row: 151ZSetting Index #927: This policy setting allows you to deny or allow incoming NTLM traffic. 
CCE-9496-1The 'MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)' setting should be configured correctly.6(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing) (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\DisableIPSourceRoutingCCE-564,Worksheet: Computer Policy Settings; Row: 95Setting Index #112: The entry appears as MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing) in the SCE.ERule 'mss_disableipsourcerouting_ip_source_routing_protection_level' 6Definition 'oval:gov.nist.usgcb.windowsseven:def:123' CCE-9498-7}Auditing of 'Account Management: Computer Account Management' events on success should be enabled or disabled as appropriate.CCE-1070)Worksheet: Audit Policy Settings; Row: 43RSetting Index #402: This policy setting audits Computer Account Management events. 
CCE-9500-0TThe 'Retain old events' setting should be configured correctly for the security log.(1) GPO: Computer Configuration\Administrative Templates\Windows Components\Event Log Service\Security\Retain old events (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\Security\Retain security log-Worksheet: Computer Policy Settings; Row: 205SSetting Index #516: This policy requires Windows Vista or later versions of Windows CCE-9501-8The 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' setting should be configured correctly.&log capacity threshold as a percentage9(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning (2) Registry Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security\WarningLevelCCE-125-Worksheet: Computer Policy Settings; Row: 106Setting Index #128: The entry appears as MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning in the SCE.tRule 'mss_warninglevel_percentage_threshold_for_the_security_event_log_at_which_the_system_will_generate_a_warning' 6Definition 'oval:gov.nist.usgcb.windowsseven:def:139' CCE-9502-6|Auditing of 'Account Logon: Kerberos Authentication Service' events on failure should be enabled or disabled as appropriate. 
CCE-9503-4kThe 'Network access: Sharing and security model for local accounts' setting should be configured correctly.Classic/Guest only(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Sharing and security model for local accounts (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\ForceGuestCCE-343-Worksheet: Computer Policy Settings; Row: 115pSetting Index #139: This policy setting determines how network logons that use local accounts are authenticated.DRule 'network_access_sharing_and_security_model_for_local_accounts' 5Definition 'oval:gov.nist.usgcb.windowsseven:def:95' CCE-9506-7User-initiated solicitations for remote assistance (aka the 'Solicited Remote Assistance' setting) should be enabled or disabled as appropriate.(1) GPO: Computer Configuration\Administrative Templates\System\Remote Assistance\Solicited Remote Assistance (2) Registry Key: HKEY_LOCAL_MACHINE\Software\policies\Microsoft\Windows NT\Terminal Services\fAllowToGetHelpCCE-859-Worksheet: Computer Policy Settings; Row: 179Setting Index #234: This policy setting determines whether remote assistance may be solicited from computers running Windows operating systems in your environment.#Rule 'solicited_remote_assistance' 6Definition 'oval:gov.nist.usgcb.windowsseven:def:249' CCE-10519-7The 'Permit remote control of this computer' option for the 'Solicited Remote Assistance' setting should be configured correctly.VAllow helpers to remotely control the computer/Allow helpers to only view the computerm(1) GPO: Computer Configuration\Administrative Templates\System\Remote Assistance\Solicited Remote Assistance CCE-10753-2vThe 'Maximum ticket time (value)' option for the 'Solicited Remote Assistance' setting should be configured correctly. time value CCE-10312-7vThe 'Maximum ticket time (units)' option for the 'Solicited Remote Assistance' setting should be configured correctly. 
time units CCE-9929-1The 'Method for sending e-mail invitations' option for the 'Solicited Remote Assistance' setting should be configured correctly.Mailto/Simple MAPI CCE-9509-1mWindows Firewall should allow or block outbound connections by default as appropriate for the Domain Profile.b(1) GPO: Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Domain Profile\Windows Firewall: Domain: Outbound connections (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\DefaultOutboundActionCCE-485-Worksheet: Computer Policy Settings; Row: 156~Setting Index #185: This setting determines the behavior for outbound connections that do not match an outbound firewall rule. CCE-9518-2LThe 'Do not allow drive redirection' setting should be configured correctly.(1) GPO: Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Terminal Server\Device and Resource Redirection\Do not allow drive redirection (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\fDisableCdmCCE-648-Worksheet: Computer Policy Settings; Row: 199Setting Index #269: This policy setting prevents users from sharing the local drives on their client computers to Terminal Servers that they access. CCE-9520-8fAuditing of 'System: System Integrity' events on success should be enabled or disabled as appropriate.CCE-856 CCE-9521-6iAuditing of 'Logon-Logoff: Special Logon' events on failure should be enabled or disabled as appropriate.CCE-1038)Worksheet: Audit Policy Settings; Row: 15Setting Index #375: This audit category generates events that record the creation and destruction of logon sessions. This setting targets the special settings defined in the Windows Vista Security Guide. 
CCE-9522-4yUnicast response to multicast or broadcast requests should be enabled or disabled as appropriate for the Private Profile.}(1) GPO: Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Private Profile\Windows Firewall: Private: Allow unicast response (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile\DisableUnicastResponsesToMulticastBroadcastCCE-70-Worksheet: Computer Policy Settings; Row: 165Setting Index #194: This is an advanced security setting for the Windows Firewall that you can use to allow unicast responses on computers running Windows Vista. CCE-9525-7qThe 'Network Security: Restrict NTLM: NTLM authentication in this domain' setting should be configured correctly.mDisabled/Deny for domain accounts to domain servers/deny for domain accounts/deny for domain servers/Deny all(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network Security: Restrict NTLM: NTLM authentication in this domain (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RestrictNTLMInDomain-Worksheet: Computer Policy Settings; Row: 153Setting Index #928: This policy setting allows you to deny or allow NTLM authentication within a domain from this domain controller. This policy does not affect interactive logon to this domain controller. CCE-9526-5Auditing of 'DS Access: Detailed Directory Service Replication' events on failure should be enabled or disabled as appropriate.CCE-1186)Worksheet: Audit Policy Settings; Row: 48Setting Index #410: This policy setting in the DS Access audit category enables domain controllers to report detailed information about information that replicates between domain controllers. 
CCE-9528-1?The 'Turn off Autoplay' setting should be configured correctly.!All drives/CD-ROM drives/Disabled(1) GPO: Computer Configuration\Administrative Templates\Windows Components\AutoPlay Policies\Turn off Autoplay (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRunCCE-44-Worksheet: Computer Policy Settings; Row: 189Setting Index #244: Autoplay starts to read from a drive as soon as you insert media in the drive, which causes the setup file for programs or audio media to start immediately.Rule 'turn_off_autoplay' 6Definition 'oval:gov.nist.usgcb.windowsseven:def:259' CCE-9531-5bThe 'Network access: Allow anonymous SID/Name translation' setting should be configured correctly."(1) GPO: Computer Configuration\Windows Settings\Local Policies\Security Options\Network access: Allow anonymous SID/Name translation (2) WMI: Namespace = root\rsop\computer; Class = RSOP_SecuritySettingBoolean; Property = Setting; Where = KeyName='LSAAnonymousNameLookup' and precedence=1CCE-953,Worksheet: Computer Policy Settings; Row: 56Setting Index #129: This policy setting determines whether an anonymous user can request security identifier (SID) attributes for another user, or use a SID to obtain its corresponding user name. 
;Rule 'network_access_allow_anonymous_sid_name_translation' 5Definition 'oval:gov.nist.usgcb.windowsseven:def:85' CCE-9532-3oThe 'Network Security: Configure encryption types allowed for Kerberos' setting should be configured correctly.1(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network Security: Configure encryption types allowed for Kerberos (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters\SupportedEncryptionTypes-Worksheet: Computer Policy Settings; Row: 146oSetting Index #922: This policy setting allows you to set the encryption types that Kerberos is allowed to use.HRule 'network_security_configure_encryption_types_allowed_for_kerberos' CCE-9534-9The 'Require message integrity' option for the 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' setting should be enabled or disabled as appropriate."(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Minimum session security for NTLM SSP based (including secure RPC) clients (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinClientSecCCE-674-Worksheet: Computer Policy Settings; Row: 119Setting Index #144: This policy setting determines the minimum application-to-application communications security standards for client computers.aRule 'network_security_minimum_session_security_for_ntlm_ssp_based_including_secure_rpc_clients' 6Definition 'oval:gov.nist.usgcb.windowsseven:def:104' CCE-10887-8The 'Require message confidentiality' option for the 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' setting should be enabled or disabled as appropriate. 
CCE-10777-1The 'Require NTLMv2 session security' option for the 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' setting should be enabled or disabled as appropriate. CCE-10904-1The 'Require 128-bit encryption' option for the 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' setting should be enabled or disabled as appropriate. CCE-9540-6qThe 'Network access: Restrict anonymous access to Named Pipes and Shares' setting should be configured correctly.(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Restrict anonymous access to Named Pipes and Shares (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\restrictnullsessaccessCCE-638-Worksheet: Computer Policy Settings; Row: 113Setting Index #137: When enabled, this policy setting restricts anonymous access to only those shares and pipes that are named in the Network access: Named pipes that can be accessed anonymously and Network access: Shares that can be accessed anonymously settings.JRule 'network_access_restrict_anonymous_access_to_named_pipes_and_shares' 5Definition 'oval:gov.nist.usgcb.windowsseven:def:93' CCE-9542-2yAuditing of 'Account Management: User Account Management' events on success should be enabled or disabled as appropriate.CCE-1043)Worksheet: Audit Policy Settings; Row: 47ISetting Index #401: This policy setting audits Account Management events. 
CCE-9545-5wAuditing of 'Object Access:Other Object Access Events' events on failure should be enabled or disabled as appropriate.CCE-1026 CCE-9556-2vThe 'Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers' setting should be configured correctly.Allow all/Audit all/Deny all(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\RestrictSendingNTLMTraffic-Worksheet: Computer Policy Settings; Row: 152Setting Index #929: This policy setting allows you to deny or audit outgoing NTLM traffic from this Windows 7 or this Windows Server 2008 R2 computer to any Windows remote server. CCE-9559-6tThe 'Turn off the Windows Messenger Customer Experience Improvement Program' setting should be configured correctly. (1) GPO: Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off the Windows Messenger Customer Experience Improvement Program (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Messenger\Client\CEIPCCE-722-Worksheet: Computer Policy Settings; Row: 187Setting Index #242: This policy setting specifies whether Windows Messenger can collect anonymous information about how the Windows Messenger software and service is used. NRule 'turn_off_the_windows_messenger_customer_experience_improvement_program' 6Definition 'oval:gov.nist.usgcb.windowsseven:def:241' CCE-9562-0qAuditing of 'Detailed Tracking: Process Creation' events on success should be enabled or disabled as appropriate.CCE-913)Worksheet: Audit Policy Settings; Row: 33Setting Index #394: The Detailed Tracking audit category determines whether to audit detailed tracking information for events such as program activation, process exit, handle duplication, and indirect object access. 
This setting deals with Process Creation. CCE-9569-5zAuditing of 'Object Access:Filtering Platform Connection' events on failure should be enabled or disabled as appropriate.CCE-744)Worksheet: Audit Policy Settings; Row: 21Setting Index #386: This setting determines whether to audit the event of a user who attempts to access an object that has a specified system access control list (SACL), effectively enabling auditing to take place. It is targeted to connections to the Filtering Platform. CCE-9579-4RThe 'System settings: Optional subsystems' setting should be configured correctly.List of subsystems(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\System settings: Optional subsystems (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\SubSystems\optionalCCE-48-Worksheet: Computer Policy Settings; Row: 137ySetting Index #155: This policy setting determines which subsystems are used to support applications in your environment. CCE-9586-9iAuditing of 'System: Other System Events' events on success should be enabled or disabled as appropriate.CCE-1332 CCE-9588-5mWindows Firewall should allow or block outbound connections by default as appropriate for the Public Profile.b(1) GPO: Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Public Profile\Windows Firewall: Public: Outbound connections (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile\DefaultOutboundActionCCE-342-Worksheet: Computer Policy Settings; Row: 170Setting Index #199: This setting determines the behavior for outbound connections that do not match an outbound firewall rule. If Outbound connections are set to Block and the firewall policy is deployed by using a GPO, computers that receive the GPO cannot receive subsequent Group Policy updates unless an outbound rule that allows Group Policy traffic is also deployed. 
CCE-9591-9~Auditing of 'Account Management: Application Group Management' events on failure should be enabled or disabled as appropriate.CCE-1016 CCE-9593-5YThe Windows Firewall should be enabled or disabled as appropriate for the Public Profile.U(1) GPO: Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Public Profile\Windows Firewall: Public: Firewall state (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile\EnableFirewallCCE-295-Worksheet: Computer Policy Settings; Row: 168ySetting Index #197: Windows Firewall with Advanced Security uses the settings for this profile to filter network traffic. CCE-9596-8wAuditing of 'Policy Change: Other Policy Change Events' events on success should be enabled or disabled as appropriate.CCE-205 CCE-9603-2[The 'Maximum Log Size (KB)' setting should be configured correctly for the application log.(1) GPO: Computer Configuration\Administrative Templates\Windows Components\Event Log Service\Application\Maximum Log Size (KB) (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\Application\MaxSize-Worksheet: Computer Policy Settings; Row: 202Setting Index #505: This policy requires Windows Vista or later versions of Windows, it specifies the maximum size of the log file in kilobytes.$Rule 'maximum_application_log_size' 6Definition 'oval:gov.nist.usgcb.windowsseven:def:265' CCE-9604-0wThe 'Network Security: Restrict NTLM: Audit NTLM authentication in this domain' setting should be configured correctly.tDisable/Enable for domain accounts to domain servers/Enable for domain accounts/Enable for domain servers/Enable all(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network Security: Restrict NTLM: Audit NTLM authentication in this domain (2) Registry Key: 
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\AuditNTLMInDomain-Worksheet: Computer Policy Settings; Row: 150xSetting Index #926: This policy setting allows you to audit NTLM authentication in a domain from this domain controller. CCE-9608-1}Auditing of 'Account Management: Computer Account Management' events on failure should be enabled or disabled as appropriate.CCE-840 CCE-9616-4}The 'User Account Control: Detect application installations and prompt for elevation' setting should be configured correctly.+(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control: Detect application installations and prompt for elevation (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetectionCCE-1128-Worksheet: Computer Policy Settings; Row: 130Setting Index #160: This setting determines how Windows Vista responds to application installation requests. Application installation requires an elevation of privilege. URule 'user_account_control_detect_application_installation_and_prompt_for_elevation' 6Definition 'oval:gov.nist.usgcb.windowsseven:def:116' CCE-9620-6lWindows Firewall should allow or block inbound connections by default as appropriate for the Domain Profile.`(1) GPO: Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Domain Profile\Windows Firewall: Domain: Inbound connections (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\DefaultInboundActionCCE-249-Worksheet: Computer Policy Settings; Row: 155|Setting Index #184: This setting determines the behavior for inbound connections that do not match an inbound firewall rule. 
CCE-9622-2uAuditing of 'Logon-Logoff: Other Logon/Logoff Events' events on success should be enabled or disabled as appropriate.CCE-378)Worksheet: Audit Policy Settings; Row: 14tSetting Index #376: This audit category generates events that record the creation and destruction of logon sessions. CCE-9628-9Auditing of 'DS Access: Detailed Directory Service Replication' events on success should be enabled or disabled as appropriate.CCE-207 CCE-9629-7aAuditing of 'Audit object access' events on failure should be enabled or disabled as appropriate.CCE-1991 CCE-9631-3uAuditing of 'Logon-Logoff: Other Logon/Logoff Events' events on failure should be enabled or disabled as appropriate.CCE-1208 CCE-9632-1lAuditing of 'Logon-Logoff: IPsec Quick Mode' events on success should be enabled or disabled as appropriate.CCE-1257)Worksheet: Audit Policy Settings; Row: 11Setting Index #373: This audit category generates events that record the creation and destruction of logon sessions. This setting targets IPsec Quick Mode settings. CCE-9633-9xAuditing of 'Policy Change: Authorization Policy Change' events on success should be enabled or disabled as appropriate.CCE-187 CCE-9637-0vAuditing of 'DS Access: Directory Service Replication' events on success should be enabled or disabled as appropriate.CCE-881)Worksheet: Audit Policy Settings; Row: 51Setting Index #409: This policy setting for the DS Access audit category enables reports to result when replication between two domain controllers starts and ends. 
CCE-9643-8fThe 'Turn off the "Publish to Web" task for files and folders' setting should be configured correctly./(1) GPO: Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off the "Publish to Web" task for files and folders (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPublishingWizardCCE-1009-Worksheet: Computer Policy Settings; Row: 183Setting Index #237: This policy setting specifies whether the tasks Publish this file to the Web, Publish this folder to the Web, and Publish the selected items to the Web are available from File and Folder Tasks in Windows folders.>Rule 'turn_off_the_publish_to_web_task_for_files_and_folders' 6Definition 'oval:gov.nist.usgcb.windowsseven:def:240' CCE-9644-6Auditing of 'Account Management: Distribution Group Management' events on success should be enabled or disabled as appropriate.CCE-515 CCE-9657-8Auditing of 'Account Management: Other Account Management Events' events on success should be enabled or disabled as appropriate.CCE-206)Worksheet: Audit Policy Settings; Row: 45OSetting Index #406: This policy setting audits Other Account Management events. 
CCE-9661-0oAuditing of 'Logon-Logoff: IPsec Extended Mode' events on success should be enabled or disabled as appropriate.CCE-1028 CCE-9663-6cThe 'Windows Firewall: Private: Apply local firewall rules' setting should be configured correctly.k(1) GPO: Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Private Profile\Windows Firewall: Private: Apply local firewall rules (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile\AllowLocalPolicyMergeCCE-117-Worksheet: Computer Policy Settings; Row: 166Setting Index #195: This profile only applies if a user with local administrator privileges assigns it to a network that was previously set to use the Public profile. Microsoft recommends only changing the profile to Private for a trusted network. CCE-9668-5Auditing of 'Account Management: Other Account Management Events' events on failure should be enabled or disabled as appropriate.CCE-1202 CCE-9670-1cThe 'Require a Password When a Computer Wakes (Plugged In)' setting should be configured correctly.(1) GPO: Computer Configuration\Administrative Templates\System\Power Management\Sleep Settings\Require a Password When a Computer Wakes (Plugged In) (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51\ACSettingIndex+Worksheet: Computer Policy Settings; Row: 4vSetting Index #1029: Specifies whether or not the user is prompted for a password when the system resumes from sleep. 
9Rule 'require_a_password_when_computer_wakes_plugged_in' 6Definition 'oval:gov.nist.usgcb.windowsseven:def:247' CCE-9671-9lAuditing of 'Logon-Logoff: IPsec Quick Mode' events on failure should be enabled or disabled as appropriate.CCE-1274 CCE-9672-7The 'No auto-restart with logged on users for scheduled automatic updates installations' setting should be configured correctly.&(1) GPO: Computer Configuration\Administrative Templates\Windows Components\Windows Update\No auto-restart with logged on users for scheduled automatic updates installations (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAutoRebootWithLoggedOnUsersCCE-641-Worksheet: Computer Policy Settings; Row: 194\Setting Index #1049: Setting controls the auto-restart functionality of the operating systemZRule 'no_auto_restart_with_logged_on_users_for_scheduled_automatic_updates_installations' 9Definition 'oval:gov.nist.usgcb.windowsseven:def:100213' CCE-9674-3wThe 'Turn off Internet download for Web publishing and online ordering wizards' setting should be configured correctly.;(1) GPO: Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off Internet download for Web publishing and online ordering wizards (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoWebServicesCCE-691-Worksheet: Computer Policy Settings; Row: 184Setting Index #239: Setting controls whether Windows will download a list of providers for the Web publishing and online ordering wizards.QRule 'turn_off_internet_download_for_web_publishing_and_online_ordering_wizards' 6Definition 'oval:gov.nist.usgcb.windowsseven:def:234' CCE-9677-6VThe 'Prevent access to registry editing tools' setting should be configured correctly.(1) GPO: User Configuration\Administrative Templates\System\Prevent access to registry editing tools (2) Registry Key: 
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryToolsCCE-405'Worksheet: User Policy Settings; Row: 8lSetting Index #278: This policy setting disables the Windows registry editors Regedit.exe and Regedt32.exe. CCE-9683-4aAuditing of 'Logon-Logoff: Logon' events on success should be enabled or disabled as appropriate.CCE-1284 CCE-9684-2XThe 'Hide mechanisms to remove zone information' setting should be configured correctly.(1) GPO: User Configuration\Administrative Templates\Windows Components\Attachment Manager\Hide mechanisms to remove zone information (2) Registry Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments\HideZoneInfoOnPropertiesCCE-58'Worksheet: User Policy Settings; Row: 4Setting Index #281: This policy setting allows you to manage whether users can manually remove the zone information from saved file attachments. &Rule 'hide_mechanisms_to_remove_zone' CCE-9686-7bThe 'Windows Firewall: Domain: Apply local firewall rules' setting should be configured correctly.h(1) GPO: Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Domain Profile\Windows Firewall: Domain: Apply local firewall rules (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\AllowLocalPolicyMergeCCE-400-Worksheet: Computer Policy Settings; Row: 159Setting Index #188: This setting controls whether local administrators are allowed to create local firewall rules that apply together with firewall rules configured by Group Policy. 
CCE-9692-5{Auditing of 'Account Management: Security Group Management' events on success should be enabled or disabled as appropriate.CCE-1118 CCE-9694-1mWindows Firewall should allow or block inbound connections by default as appropriate for the Private Profile.c(1) GPO: Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Private Profile\Windows Firewall: Private: Inbound connections (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile\DefaultInboundActionCCE-29-Worksheet: Computer Policy Settings; Row: 162Setting Index #191: This setting determines the behavior for inbound connections that do not match an inbound firewall rule. This profile only applies if a user with local administrator privileges assigns it to a network that was previously set to use the Public profile. CCE-9704-8dThe 'Network security: Force logoff when logon hours expire' setting should be configured correctly.(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Force logoff when logon hours expireCCE-775,Worksheet: Computer Policy Settings; Row: 53Setting Index #141: This policy setting, which determines whether to disconnect users who are connected to the local computer outside their user account's valid logon hours, affects the SMB component.=Rule 'network_security_force_logoff_when_logon_hours_expire' 6Definition 'oval:gov.nist.usgcb.windowsseven:def:101' CCE-9707-1mThe 'Shutdown: Allow system to be shut down without having to log on' setting should be configured correctly.(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Shutdown: Allow system to be shut down without having to log on (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ShutdownWithoutLogonCCE-224-Worksheet: 
Computer Policy Settings; Row: 123tSetting Index #148: This policy setting determines whether a computer can be shut down when a user is not logged on.ERule 'shutdown_allow_system_to_be_shutdown_without_having_to_log_on' 6Definition 'oval:gov.nist.usgcb.windowsseven:def:108' CCE-9712-1nThe 'Windows Firewall: Private: Apply local connection security rules' setting should be configured correctly.{(1) GPO: Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Private Profile\Windows Firewall: Private: Apply local connection security rules (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile\AllowLocalIPsecPolicyMergeCCE-199-Worksheet: Computer Policy Settings; Row: 167Setting Index #196: This profile only applies if a user with local administrator privileges assigns it to a network that was previously set to use the Public profile. Microsoft recommends only changing the profile to Private for a trusted network. CCE-9715-4kAuditing of 'Logon-Logoff: IPsec Main Mode' events on failure should be enabled or disabled as appropriate.CCE-351 CCE-9718-8rAuditing of 'Account Logon: Credential Validation' events on failure should be enabled or disabled as appropriate.CCE-229)Worksheet: Audit Policy Settings; Row: 52Setting Index #411: The Account Logon audit category generates events for credential validation. These events occur on the computer that is authoritative for the credentials. CCE-9720-4pAuditing of 'Object Access: Detailed File Share' events on success should be enabled or disabled as appropriate. 
CCE-9725-3rAuditing of 'Account Logon: Credential Validation' events on success should be enabled or disabled as appropriate.CCE-1141 CCE-9728-7zAuditing of 'Object Access:Filtering Platform Connection' events on success should be enabled or disabled as appropriate.CCE-717 CCE-9730-3OThe 'Password protect the screen saver' setting should be configured correctly.(1) GPO: User Configuration\Administrative Templates\Control Panel\Personalization\Password protect the screen saver (2) Registry Key: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Control Panel\Desktop\ScreenSaverIsSecureCCE-949'Worksheet: User Policy Settings; Row: 9^Setting Index #500: If this setting is enabled, then all screen savers are password protected.)Rule 'password_protect_the_screen_saver' CCE-9733-7The 'Do not adjust default option to 'Install Updates and Shut Down' in Shut Down Windows dialog box' setting should be configured correctly.1(1) GPO: Computer Configuration\Administrative Templates\Windows Components\Windows Update\Do not adjust default option to 'Install Updates and Shut Down' in Shut Down Windows dialog box (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAUAsDefaultShutdownOptionCCE-989-Worksheet: Computer Policy Settings; Row: 196Setting Index #275: This policy setting allows you to manage whether the Install Updates and Shut Down option is displayed in the Shut Down Windows dialog box. 
CCE-9734-5rAuditing of 'DS Access: Directory Service Changes' events on success should be enabled or disabled as appropriate.CCE-317 CCE-9735-2oAuditing of 'Detailed Tracking: DPAPI Activity' events on success should be enabled or disabled as appropriate.CCE-1413 CCE-9736-0The 'Require message integrity' option for the 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' setting should be enabled or disabled as appropriate."(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Minimum session security for NTLM SSP based (including secure RPC) servers (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinServerSecCCE-766,Worksheet: Computer Policy Settings; Row: 49DSetting Index #145: This setting controls the encryption used in RPC.aRule 'network_security_minimum_session_security_for_ntlm_ssp_based_including_secure_rpc_servers' 6Definition 'oval:gov.nist.usgcb.windowsseven:def:105' CCE-10916-5The 'Require message confidentiality' option for the 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' setting should be enabled or disabled as appropriate. CCE-10281-4The 'Require NTLMv2 session security' option for the 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' setting should be enabled or disabled as appropriate. CCE-10924-9The 'Require 128-bit encryption' option for the 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' setting should be enabled or disabled as appropriate. 
CCE-9737-8eAuditing of 'Object Access:Registry' events on success should be enabled or disabled as appropriate.CCE-1138 CCE-9739-4ZThe Windows Firewall should be enabled or disabled as appropriate for the Private Profile.X(1) GPO: Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Private Profile\Windows Firewall: Private: Firewall state (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile\EnableFirewallCCE-7-Worksheet: Computer Policy Settings; Row: 161Setting Index #190: This profile only applies if a user with local administrator privileges assigns it to a network that was previously set to use the Public profile. Microsoft recommends only changing the profile to Private for a trusted network. CCE-9741-0qAuditing of 'Logon-Logoff: Network Policy Server' events on failure should be enabled or disabled as appropriate. CCE-9742-8Display of a notification to the user when Windows Firewall blocks network activity should be enabled or disabled as appropriate for the public profile.c(1) GPO: Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Public Profile\Windows Firewall: Public: Display a notification (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile\DisableNotificationsCCE-390-Worksheet: Computer Policy Settings; Row: 171}Setting Index #200: Setting displays notifications to the user when a program is blocked from receiving inbound connections. 
CCE-9755-0vAuditing of 'DS Access: Directory Service Replication' events on failure should be enabled or disabled as appropriate.CCE-247 CCE-9763-4iAuditing of 'Logon-Logoff: Special Logon' events on success should be enabled or disabled as appropriate.CCE-371 CCE-9764-2zThe Remote Desktop Services 'Set client connection encryption level' setting should be enabled or disabled as appropriate.!(1) GPO: Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security\Set client connection encryption level (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\MinEncryptionLevel-Worksheet: Computer Policy Settings; Row: 198Setting Index #271: This policy setting specifies whether the computer that is about to host the remote connection will enforce an encryption level for all data sent between it and the client computer for the remote session..Rule 'set_client_connection_encryption_level' 6Definition 'oval:gov.nist.usgcb.windowsseven:def:276' CCE-10779-7The 'Encryption Level' option for the Remote Desktop Services 'Set client connection encryption level' setting should be configured correctly.Low/High/Client CompatibleCCE-397 CCE-9765-9qAuditing of 'DS Access: Directory Service Access' events on success should be enabled or disabled as appropriate.CCE-1199)Worksheet: Audit Policy Settings; Row: 49Setting Index #407: This policy setting in the DS Access audit category enables reports to result when Active Directory Domain Services (AD DS) objects are accessed. 
CCE-9768-3`The 'Network security: LDAP client signing requirements' setting should be configured correctly.&None/Negotiate signing/Require signing(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network security: LDAP client signing requirements (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP\LDAPClientIntegrityCCE-732-Worksheet: Computer Policy Settings; Row: 118Setting Index #143: This policy setting determines the level of data signing that is requested on behalf of clients that issue LDAP BIND requests.9Rule 'network_security_ldap_client_signing_requirements' 6Definition 'oval:gov.nist.usgcb.windowsseven:def:103' CCE-9770-9The 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' setting should be configured correctly.!(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network Security: Allow PKU2U authentication requests to this computer to use online identities (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\pku2u\AllowOnlineID-Worksheet: Computer Policy Settings; Row: 145Setting Index #921: This policy will be turned off by default on domain joined machines. 
This would disallow the online identities to be able to authenticate to the domain joined machine in Windows 7.fRule 'network_security_allow_pku2u_authentication_requests_to_this_computer_to_use_online_identities' CCE-9773-3xUnicast response to multicast or broadcast requests should be enabled or disabled as appropriate for the Public Profile.z(1) GPO: Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Public Profile\Windows Firewall: Public: Allow unicast response (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile\DisableUnicastResponsesToMulticastBroadcastCCE-414-Worksheet: Computer Policy Settings; Row: 172zSetting Index #201: Controls whether computer receives unicast responses to its outgoing multicast or broadcast messages. CCE-9774-1Display of a notification to the user when Windows Firewall blocks network activity should be enabled or disabled as appropriate for the domain profile.c(1) GPO: Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Domain Profile\Windows Firewall: Domain: Display a notification (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\DisableNotificationsCCE-1047-Worksheet: Computer Policy Settings; Row: 157Setting Index #186: Select this option to have Windows Firewall with Advanced Security display notifications to the user when a program is blocked from receiving inbound connections. 
CCE-9786-5bThe 'Windows Firewall: Public: Apply local firewall rules' setting should be configured correctly.h(1) GPO: Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Public Profile\Windows Firewall: Public: Apply local firewall rules (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile\AllowLocalPolicyMergeCCE-421-Worksheet: Computer Policy Settings; Row: 173Setting Index #202: This setting controls whether local administrators are allowed to create local firewall rules that apply with other firewall rules enforced by Group Policy. CCE-9789-9pAuditing of 'Object Access:Handle Manipulation' events on success should be enabled or disabled as appropriate.CCE-1363 CCE-9791-5qAuditing of 'DS Access: Directory Service Access' events on failure should be enabled or disabled as appropriate.CCE-459 CCE-9800-4yAuditing of 'Account Management: User Account Management' events on failure should be enabled or disabled as appropriate.CCE-924 CCE-9801-2The 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' setting should be configured correctly.7(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control: Only elevate UIAccess applications that are installed in secure locations (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPathsCCE-986-Worksheet: Computer Policy Settings; Row: 132Setting Index #162: This setting helps protect a Windows Vista based computer by only allowing applications installed in a secure location, such as the Program Files or the Windows\System32 folders, to run with elevated privileges.fRule 'user_account_control_only_elevate_uiaccess_applications_that_are_installed_in_secure_locations' 6Definition 
'oval:gov.nist.usgcb.windowsseven:def:118' CCE-9802-0bAuditing of 'System: IPsec Driver' events on failure should be enabled or disabled as appropriate.CCE-1314(Worksheet: Audit Policy Settings; Row: 3Setting Index #366: This policy setting in the System audit category determines whether to audit IPsec Driver events on computers that are running Windows Vista. CCE-9803-8jAuditing of 'Object Access:Kernel Object' events on success should be enabled or disabled as appropriate.CCE-1288 CCE-9805-3qAuditing of 'Detailed Tracking: Process Creation' events on failure should be enabled or disabled as appropriate.CCE-1079 CCE-9808-7wAuditing of 'Account Logon: Other Account Logon Events' events on success should be enabled or disabled as appropriate.CCE-214 CCE-9811-1hAuditing of 'Object Access:File System' events on failure should be enabled or disabled as appropriate.CCE-1340 CCE-9816-0rAuditing of 'Object Access:Application Generated' events on success should be enabled or disabled as appropriate.CCE-1322 CCE-9817-8mThe 'Windows Firewall: Public: Apply local connection security rules' setting should be configured correctly.x(1) GPO: Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Public Profile\Windows Firewall: Public: Apply local connection security rules (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile\AllowLocalIPsecPolicyMergeCCE-437-Worksheet: Computer Policy Settings; Row: 174Setting Index #203: This setting controls whether local administrators are allowed to create connection security rules that apply with other connection security rules enforced by Group Policy. 
CCE-9818-6tAuditing of 'Detailed Tracking: Process Termination' events on failure should be enabled or disabled as appropriate.CCE-1250 CCE-9829-3cThe 'Require a Password When a Computer Wakes (On Battery)' setting should be configured correctly.(1) GPO: Computer Configuration\Administrative Templates\System\Power Management\Sleep Settings\Require a Password When a Computer Wakes (On Battery) (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51\DCSettingIndex+Worksheet: Computer Policy Settings; Row: 3vSetting Index #1028: Specifies whether or not the user is prompted for a password when the system resumes from sleep. 9Rule 'require_a_password_when_computer_wakes_on_battery' 6Definition 'oval:gov.nist.usgcb.windowsseven:def:246' CCE-9845-9`Auditing of 'Object Access:SAM' events on failure should be enabled or disabled as appropriate.CCE-451)Worksheet: Audit Policy Settings; Row: 27Setting Index #380: The policy setting controls whether to audit users who have accessed the Security Accounts Manager (SAM) object on computers running Windows Vista or later Windows operating systems. CCE-9850-9kAuditing of 'System: Security State Change' events on success should be enabled or disabled as appropriate.CCE-1121 CCE-9856-6`Auditing of 'Object Access:SAM' events on success should be enabled or disabled as appropriate.CCE-446 CCE-9863-2oAuditing of 'System: Security System Extension' events on success should be enabled or disabled as appropriate.CCE-1270(Worksheet: Audit Policy Settings; Row: 6Setting Index #364: This policy setting in the System audit category determines whether to audit Security System Extension changes on computers that are running Windows Vista or later Windows operating systems. 
CCE-9878-0tAuditing of 'Privilege Use: Sensitive Privilege Use' events on success should be enabled or disabled as appropriate.CCE-488 CCE-9887-1hAuditing of 'Audit account logon events' events on failure should be enabled or disabled as appropriate.CCE-2543 CCE-9902-8}Auditing of 'Policy Change: Filtering Platform Policy Change' events on success should be enabled or disabled as appropriate.CCE-1042 CCE-9913-5|Auditing of 'Policy Change: MPSSVC Rule-Level Policy Change' events on failure should be enabled or disabled as appropriate.CCE-879 CCE-9918-4]The 'Turn off Data Execution Prevention for Explorer' setting should be configured correctly.(1) GPO: Computer Configuration\Administrative Templates\Windows Components\Windows Explorer\Turn off Data Execution Prevention for Explorer (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Explorer\NoDataExecutionPrevention+Worksheet: Computer Policy Settings; Row: 6Setting Index #1030: Disabling data execution prevention can allow certain legacy plug-in applications to function without terminating Explorer.7Rule 'turn_off_data_execution_prevention_for_explorer' 6Definition 'oval:gov.nist.usgcb.windowsseven:def:291' CCE-9925-9bAuditing of 'System: IPsec Driver' events on success should be enabled or disabled as appropriate.CCE-1177 CCE-9938-2[The 'Enumerate administrator accounts on elevation' setting should be configured correctly. 
(1) GPO: Computer Configuration\Administrative Templates\Windows Components\Credential User Interface\Enumerate administrator accounts on elevation (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\CredUI\EnumerateAdministratorsCCE-935-Worksheet: Computer Policy Settings; Row: 190{Setting Index #245: By default, all administrator accounts are displayed when you attempt to elevate a running application.5Rule 'enumerate_administrator_accounts_on_elevation' 6Definition 'oval:gov.nist.usgcb.windowsseven:def:261' CCE-9958-0IThe 'Force specific screen saver' setting should be configured correctly.(1) GPO: User Configuration\Administrative Templates\Control Panel\Personalization\Force specific screen saver (2) Registry Key: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Control Panel\Desktop\SCRNSAVE.EXECCE-54(Worksheet: User Policy Settings; Row: 10_Setting Index #1031: This policy setting allows you to manage whether or not screen savers run. CCE-9960-6Unsolicited offers of remote assistance (aka the 'Offer Remote Assistance' setting) should be automatically rejected or passed to the logged-on user for confirmation as appropriate.(1) GPO: Computer Configuration\Administrative Templates\System\Remote Assistance\Offer Remote Assistance (2) Registry Key: HKEY_LOCAL_MACHINE\Software\policies\Microsoft\Windows NT\Terminal Services\fAllowUnsolicitedCCE-434-Worksheet: Computer Policy Settings; Row: 178Setting Index #233: This policy setting determines whether an IT support person can offer remote assistance to fix issues on computers in your environment without explicit user requests.Rule 'offer_remote_assistance' 6Definition 'oval:gov.nist.usgcb.windowsseven:def:248' CCE-10690-6}The 'Permit remote control of this computer' option for the 'Offer Remote Assistance' setting should be configured correctly. 
CCE-9931-7The set of users and/or groups allowed to make unsolicited offers of remote assistance (aka the 'Helpers' option for the 'Offer Remote Assistance' setting) should be configured correctly.list of users and/or groups CCE-9976-2yAuditing of 'Policy Change: Authentication Policy Change' events on success should be enabled or disabled as appropriate.CCE-388 CCE-9983-8PThe 'Do not process the legacy run list' setting should be configured correctly.(1) GPO: Computer Configuration\Administrative Templates\System\Logon\Do not process the legacy run list (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisableLocalMachineRunCCE-503-Worksheet: Computer Policy Settings; Row: 175Setting Index #230: This policy setting causes the run list, which is a list of programs that Windows Vista runs automatically when it starts, to be ignored. CCE-9985-3kThe 'Allow users to connect remotely using Remote Desktop Services' setting should be configured correctly.;(1) GPO: Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections\Allow users to connect remotely using Remote Desktop Services (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\fDenyTSConnectionsCCE-401-Worksheet: Computer Policy Settings; Row: 200Setting Index #268: This policy setting allows you to control if users can connect to a computer using Terminal Services or Remote Desktop.ERule 'allow_users_to_connect_remotely_using_remote_desktop_services' CCE-9988-7wAuditing of 'Privilege Use: Other Privilege Use Events' events on success should be enabled or disabled as appropriate. 
CCE-9990-3aAuditing of 'Audit system events' events on failure should be enabled or disabled as appropriate.CCE-1680 CCE-9998-6oAuditing of 'System: Security System Extension' events on failure should be enabled or disabled as appropriate.CCE-1102 CCE-10207-9hThe "IPv6 Block of Protocols 41" option for the Windows Firewall setting should be configured correctly.(1) GPO Settings: Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Outbound Rules\IPv6 Block of Protocols 41CCE-1795 CCE-10488-5dThe "IPv6 Block of UDP 3544" option for the Windows Firewall setting should be configured correctly.(1) GPO Settings: Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Outbound Rules\IPv6 Block of UDP 3544CCE-1293 CCE-10502-3pThe "Log Dropped Packets" option for the Windows Firewall should be configured correctly for the Domain Profile. (1) enabled/disabledI(1) GPO Settings: Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Domain Profile Tab\Logging\Log dropped packets (2) Registry Key: HKLM\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\LogDroppedPacketsCCE-251 CCE-10268-1wThe "Log Successful Connections" option for the Windows Firewall should be configured correctly for the Domain Profile.(1) enabled/disabled[(1) GPO Settings: Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Domain Profile Tab\Logging\Logged successful connections (2) Registry Key: HKLM\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\LogSuccessfulConnectionsCCE-617 CCE-10022-2lThe "Log File Path and Name" for the Windows Firewall should be configured correctly for the Domain Profile. 
(1) File path4(1) GPO Settings: Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Domain Profile Tab\Logging\Name (2) Registry Key: HKLM\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\LogFilePathCCE-793 CCE-9747-7iThe "Log File Size Limit" for the Windows Firewall should be configured correctly for the Domain Profile.(1) Size limit (KB)?(1) GPO Settings: Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Domain Profile Tab\Logging\Size limit (KB) (2) Registry Key: HKLM\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\LogFileSizeCCE-57 CCE-10215-2qThe "Log Dropped Packets" option for the Windows Firewall should be configured correctly for the Private Profile.K(1) GPO Settings: Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Private Profile Tab\Logging\Log dropped packets (2) Registry Key: HKLM\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile\LogDroppedPacketsCCE-325 CCE-10611-2xThe "Log Successful Connections" option for the Windows Firewall should be configured correctly for the Private Profile.enable/disabled](1) GPO Settings: Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Private Profile Tab\Logging\Logged successful connections (2) Registry Key: HKLM\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile\LogSuccessfulConnectionsCCE-327 CCE-10386-1mThe "Log File Path and Name" for the Windows Firewall should be configured correctly for the Private Profile.6(1) GPO Settings: Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced 
Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Private Profile Tab\Logging\Name (2) Registry Key: HKLM\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile\LogFilePathCCE-999 CCE-10250-9jThe "Log File Size Limit" for the Windows Firewall should be configured correctly for the Private Profile.A(1) GPO Settings: Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Private Profile Tab\Logging\Size limit (KB) (2) Registry Key: HKLM\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile\LogFileSizeCCE-1091 CCE-9749-3pThe "Log Dropped Packets" option for the Windows Firewall should be configured correctly for the Public Profile.I(1) GPO Settings: Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Public Profile Tab\Logging\Log dropped packets (2) Registry Key: HKLM\Software\Policies\Microsoft\WindowsFirewall\PublicProfile\LogDroppedPacketsCCE-1165 CCE-9753-5wThe "Log Successful Connections" option for the Windows Firewall should be configured correctly for the Public Profile.(1) enable/disabled[(1) GPO Settings: Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Public Profile Tab\Logging\Logged successful connections (2) Registry Key: HKLM\Software\Policies\Microsoft\WindowsFirewall\PublicProfile\LogSuccessfulConnectionsCCE-534 CCE-9926-7lThe "Log File Path and Name" for the Windows Firewall should be configured correctly for the Public Profile.4(1) GPO Settings: Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Public Profile Tab\Logging\Name (2) Registry Key: 
HKLM\Software\Policies\Microsoft\WindowsFirewall\PublicProfile\LogFilePathCCE-1263 CCE-10373-9iThe "Log File Size Limit" for the Windows Firewall should be configured correctly for the Public Profile.?(1) GPO Settings: Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Public Profile Tab\Logging\Size limit (KB) (2) Registry Key: HKLM\Software\Policies\Microsoft\WindowsFirewall\PublicProfile\LogFileSizeCCE-1313 CCE-9783-2PThe "Turn on Mapper I/O (LLTDIO) Driver" setting should be configured correctly.(1) GPO Settings: Local Computer Policy\Computer Configuration\Administrative Templates\Network\Link-Layer Topology Discovery\Turn on Mapper I/O (LLTDIO) Driver (2) Registry Key: HKLM\Software\Policies\Microsoft\Windows\LLTD\EnableLLTDIO'Rule 'turn_on_mapper_io_lltdio_driver' 6Definition 'oval:gov.nist.usgcb.windowsseven:def:207' CCE-15050-8bThe "Allow operation while in domain" setting on the LLTDIO Driver should be configured correctly. 
(1) GPO Settings: Local Computer Policy\Computer Configuration\Administrative Templates\Network\Link-Layer Topology Discovery\Turn on Mapper I/O (LLTDIO) Driver - Allow operation while in domain (2) HKLM\Software\Policies\Microsoft\Windows\LLTD\AllowLLTDIOOnDomain, CCE-14109-3jThe "Allow operation while in public network" setting on the LLTDIO Driver should be configured correctly.(1) GPO Settings: Local Computer Policy\Computer Configuration\Administrative Templates\Network\Link-Layer Topology Discovery\Turn on Mapper I/O (LLTDIO) Driver - Allow operation while in public network (2) HKLM\Software\Policies\Microsoft\Windows\LLTD\AllowLLTDIOOnPublicNet, CCE-14718-1nThe "Prohibit operation while in private network" setting on the LLTDIO Driver should be configured correctly.(1) GPO Settings: Local Computer Policy\Computer Configuration\Administrative Templates\Network\Link-Layer Topology Discovery\Turn on Mapper I/O (LLTDIO) Driver - Prohibit operation while in private network (2) HKLM\Software\Policies\Microsoft\Windows\LLTD\ProhibitLLTDIOOnPrivateNet CCE-10059-4OThe "Turn on Responder (RSPNDR) Driver" setting should be configured correctly.(1) GPO Settings: Local Computer Policy\Computer Configuration\Administrative Templates\Network\Link-Layer Topology Discovery\Turn on Responder (RSPNDR) Driver (2) Registry Key: HKLM\Software\Policies\Microsoft\Windows\LLTD\EnableRspndr'Rule 'turn_on_responder_rspndr_driver' 6Definition 'oval:gov.nist.usgcb.windowsseven:def:208' CCE-15059-9bThe "Allow operation while in domain" setting on the RSPNDR Driver should be configured correctly. 
(1) GPO Settings: Local Computer Policy\Computer Configuration\Administrative Templates\Network\Link-Layer Topology Discovery\Turn on Responder (RSPNDR) Driver - Allow Operation while in Domain (2) HKLM\Software\Policies\Microsoft\Windows\LLTD\AllowRspndrOnDomain, CCE-14830-4jThe "Allow operation while in public network" setting on the RSPNDR Driver should be configured correctly.(1) GPO Settings: Local Computer Policy\Computer Configuration\Administrative Templates\Network\Link-Layer Topology Discovery\Turn on Responder (RSPNDR) Driver - Allow operation while in public network (2) HKLM\Software\Policies\Microsoft\Windows\LLTD\AllowRspndrOnPublicNet, CCE-14834-6nThe "Prohibit operation while in private network" setting on the RSPNDR Driver should be configured correctly. (1) GPO Settings: Local Computer Policy\Computer Configuration\Administrative Templates\Network\Link-Layer Topology Discovery\Turn on Responder (RSPNDR) Driver - Prohibit operation while in private network (2) HKLM\Software\Policies\Microsoft\Windows\LLTD\ProhibitRspndrOnPrivateNet CCE-10438-0^The startup type of Microsoft Peer-to-Peer Networking Services should be configured correctly.(1) GPO Settings: Local Computer Policy\Computer Configuration\Administrative Templates\Network\Microsoft Peer-to-Peer Networking Services\Turn off Microsoft Peer-to-Peer Networking Services (2) Registry Key: HKLM\Software\policies\Microsoft\Peernet\Disabled;Rule 'turn_off_microsoft_peer_to_peer_networking_services' 6Definition 'oval:gov.nist.usgcb.windowsseven:def:209' CCE-9953-1kInstallation and Configuration of Network Bridge on the DNS Domain Network should be properly configured. 
-(1) GPO Settings: Local Computer Policy\Computer Configuration\Administrative Templates\Network\Network Connections\Prohibit installation and configuration of Network Bridge on your DNS domain network (2) Registry Key: HKLM\Software\Policies\Microsoft\Windows\Network Connections\NC_AllowNetBridge_NLA\Rule 'prohibit_installation_and_configuration_of_network_bridge_on_your_dns_domain_network' 6Definition 'oval:gov.nist.usgcb.windowsseven:def:210' CCE-9797-2 (1) enabled/disabled(1) GPO Settings: Local Computer Policy\Computer Configuration\Administrative Templates\Network\Network Connections\Prohibit use of Internet Connection Sharing on your DNS domain network (2) Registry Key: HKLM\Software\Policies\Microsoft\Windows\Network Connections\NC_ShowSharedAccessUI CCE-10359-8oThe "Require domain users to elevate when setting a network's location" setting should be configured correctly. (1) GPO Settings: Local Computer Policy\Computer Configuration\Administrative Templates\Network\Network Connections\Require domain users to elevate when setting a network's location (2) Registry Key: HKLM\Software\Policies\Microsoft\Windows\Network Connections\NC_StdDomainUserSetLocationHRule 'require_domain_users_to_elevate_when_setting_a_networks_location' 6Definition 'oval:gov.nist.usgcb.windowsseven:def:212' CCE-10509-8\The "Route all traffic through the internal network" setting should be configured correctly.GPO Settings: Local Computer Policy\Computer Configuration\Administrative Templates\Network\Network Connections\Route all traffic through the internal network Registry Key: HKLM\Software\Policies\Microsoft\Windows\TCPIP\v6Transition\Force_Tunneling6Rule 'route_all_traffic_through_the_internal_network' 6Definition 'oval:gov.nist.usgcb.windowsseven:def:213' CCE-10266-58The "6to4 State" setting should be configured correctly.(1) GPO Settings: Local Computer Policy\Computer Configuration\Administrative Templates\Network\TCPIP Settings\IPv6 Transition Technologies\6to4 State (2) 
Registry Key: HKLM\Software\Policies\Microsoft\Windows\TCPIP\v6Transition\6to4_StateRule '_6to4_state' 6Definition 'oval:gov.nist.usgcb.windowsseven:def:214' CCE-10130-3CThe "ISATAP State" setting for IPv6 should be configured correctly.(1) GPO Settings: Local Computer Policy\Computer Configuration\Administrative Templates\Network\TCPIP Settings\IPv6 Transition Technologies\ISATAP State (2) Registry Key: HKLM\Software\Policies\Microsoft\Windows\TCPIP\v6Transition\ISATAP_StateRule 'isatap_state' 6Definition 'oval:gov.nist.usgcb.windowsseven:def:215' CCE-10011-5:The "Teredo State" setting should be configured correctly.(1) GPO Settings: Local Computer Policy\Computer Configuration\Administrative Templates\Network\TCPIP Settings\IPv6 Transition Technologies\Teredo State (2) Registry Key: HKLM\Software\Policies\Microsoft\Windows\TCPIP\v6Transition\Teredo_StateRule 'teredo_state' 6Definition 'oval:gov.nist.usgcb.windowsseven:def:216' CCE-10764-9<The "IP HTTPS" state setting should be configured correctly.oGPO Settings: Local Computer Policy\Computer Configuration\Administrative Templates\Network\TCPIP Settings\IPv6 Transition Technologies\IP HTTPS Registry Key: HKLM\Software\Policies\Microsoft\Windows\TCPIP\v6Transition\IPHTTPS\IPHTTPSInterface\IPHTTPS_ClientState, HKLM\Software\Policies\Microsoft\Windows\TCPIP\v6Transition\IPHTTPS\IPHTTPSInterface\IPHTTPS_ClientUrlRule 'ip_https' 6Definition 'oval:gov.nist.usgcb.windowsseven:def:217' CCE-9879-8The "Configuration of wireless settings using Windows Connect Now" setting should be configured correctly for Wireless Connect Now over Ethernet (UPnP). 
(1) GPO Settings: Local Computer Policy\Computer Configuration\Administrative Templates\Network\Windows Connect Now\Configuration of wireless settings using Windows Connect Now (2) Registry Key: HKLM\Software\Policies\Microsoft\Windows\WCN\Registrars\EnableRegistrars DRule 'configuration_of_wireless_settings_using_windows_connect_now' 6Definition 'oval:gov.nist.usgcb.windowsseven:def:218' CCE-14900-5_The Windows Connect Now "Maximum number of WCN devices" setting should be configured correctly.number of devices(1) GPO Settings: Local Computer Policy\Computer Configuration\Administrative Templates\Network\Windows Connect Now\Configuration of wireless settings using Windows Connect Now (2) HKLM\Software\Policies\Microsoft\Windows\WCN\Registrars\MaxWCNDeviceNumber, CCE-14653-0The Windows Connect Now "Higher precedence medium for devices discovered by multiple media" setting should be configured appropriately.7WCN over Ethernet (UPnP), WCN over In-band 802.11 Wi-Fi(1) GPO Settings: Local Computer Policy\Computer Configuration\Administrative Templates\Network\Windows Connect Now\Configuration of wireless settings using Windows Connect Now (2) HKLM\Software\Policies\Microsoft\Windows\WCN\Registrars\HigherPrecedenceRegistrar CCE-15015-1QThe Windows Connect Now "Ethernet (UPnP)" setting should be configured correctly.(1) GPO Settings: Local Computer Policy\Computer Configuration\Administrative Templates\Network\Windows Connect Now\Configuration of wireless settings using Windows Connect Now (2) Registry Key: HKLM\Software\Policies\Microsoft\Windows\WCN\Registrars\DisableUPnPRegistrar CCE-15019-3RThe Windows Connect "In-band 802.11 Wi-Fi" setting should be configured correctly.(1) GPO Settings: Local Computer Policy\Computer Configuration\Administrative Templates\Network\Windows Connect Now\Configuration of wireless settings using Windows Connect Now (2) Registry Key:HKLM\Software\Policies\Microsoft\Windows\WCN\Registrars\DisableInBand802DOT11Registrar CCE-15041-7QThe 
Windows Connect Now "USB Flash Drive" setting should be configured correctly.(1) GPO Settings: Local Computer Policy\Computer Configuration\Administrative Templates\Network\Windows Connect Now\Configuration of wireless settings using Windows Connect Now (2) Registry Key: HKLM\Software\Policies\Microsoft\Windows\WCN\Registrars\DisableFlashConfigRegistrar CCE-14411-3YThe Windows Connect Now "Windows Portable Device" setting should be configured correctly.(1) GPO Settings: Local Computer Policy\Computer Configuration\Administrative Templates\Network\Windows Connect Now\Configuration of wireless settings using Windows Connect Now (2) Registry Key: HKLM\Software\Policies\Microsoft\Windows\WCN\Registrars\DisableWPDRegistrar CCE-10778-9`The "Prohibit Access of the Windows Connect Now Wizards" setting should be configured correctly.(1) GPO Settings: Local Computer Policy\Computer Configuration\Administrative Templates\Network\Windows Connect Now\Prohibit Access of the Windows Connect Now wizards (2) Registry Key: HKLM\Software\Policies\Microsoft\Windows\WCN\UI\DisableWcnUi:Rule 'prohibit_access_to_the_windows_connect_now_wizards' 6Definition 'oval:gov.nist.usgcb.windowsseven:def:219' CCE-10782-1The "Extend Point and Print connection to search Windows Update and use alternate connection if needed" setting should be configured correctly.7(1) GPO Settings: Local Computer Policy\Computer Configuration\Administrative Templates\Printers\Extend Point and Print connection to search Windows Update and use alternate connection if needed (2) Registry Key: HKLM\Software\Policies\Microsoft\Windows NT\Printers\DoNotInstallCompatibleDriverFromWindowsUpdateiRule 'extend_point_and_print_connection_to_search_windows_update_and_use_alternate_connection_if_needed' 6Definition 'oval:gov.nist.usgcb.windowsseven:def:220' CCE-10769-8VThe "Allow remote access to the PnP interface" setting should be configured correctly.(1) GPO Settings: Local Computer Policy\Computer 
Configuration\Administrative Templates\System\Device Installation\Allow remote access to the PnP interface (2) Registry Key: HKLM\Software\Policies\Microsoft\Windows\DeviceInstall\Settings\AllowRemoteRPC0Rule 'allow_remote_access_to_the_pnp_interface' 6Definition 'oval:gov.nist.usgcb.windowsseven:def:221' CCE-9901-0The "Do not send a Windows Error Report when a generic driver is installed on a device" setting should be configured correctly.<(1) GPO Settings: Local Computer Policy\Computer Configuration\Administrative Templates\System\Device Installation\Do not send a Windows Error Report when a generic driver is installed on a device (2) Registry Key: HKLM\Software\Policies\Microsoft\Windows\DeviceInstall\Settings\DisableSendGenericDriverNotFoundToWERYRule 'do_not_send_a_windows_error_report_when_a_generic_driver_is_installed_on_a_device' 6Definition 'oval:gov.nist.usgcb.windowsseven:def:222' CCE-10553-6qThe "Do not create system restore point when new device driver installed" setting should be configured correctly.R(1) GPO Settings: Local Computer Policy\Computer Configuration\Administrative Templates\System\Device Installation\Prevent creation of a system restore point during device activity that would normally prompt creation of a restore point (2) Registry Key: HKLM\Software\Policies\Microsoft\Windows\DeviceInstall\Settings\DisableSystemRestoreRule 'prevent_creation_of_a_system_restore_point_during_device_activity_that_would_normally_prompt_creation_of_a_restore_point' 6Definition 'oval:gov.nist.usgcb.windowsseven:def:223' CCE-10165-9]The "Prevent device metadata retrieval from internet" setting should be configured correctly.(1) GPO Settings: Local Computer Policy\Computer Configuration\Administrative Templates\System\Device Installation\Prevent device metadata retrieval from internet (2) Registry Key: HKLM\SOFTWARE\Policies\Microsoft\Windows\Device Metadata\PreventDeviceMetadataFromNetwork;Rule 'prevent_device_metadata_retrieval_from_the_internet' 6Definition 
'oval:gov.nist.usgcb.windowsseven:def:224' CCE-9919-2eThe "Specify Search Order for device driver source locations" setting should be configured correctly.`(1) enabled/disabled (2) Windows Update first, Windows Update last, Do not search Windows Update(1) GPO Settings: Local Computer Policy\Computer Configuration\Administrative Templates\System\Device Installation\Specify Search Order for device driver source locations (2) Registry Key: HKLM\Software\Policies\Microsoft\Windows\DriverSearching\SearchOrderConfig?Rule 'specify_search_order_for_device_driver_source_locations' 6Definition 'oval:gov.nist.usgcb.windowsseven:def:225' CCE-10694-8aThe "Turn off Windows Update device driver search prompt" setting should be configured correctly. (1) GPO Settings: Local Computer Policy\Computer Configuration\Administrative Templates\System\Driver Installation\Turn off Windows Update device driver search prompt (2) Registry Key: HKLM\Software\Policies\Microsoft\Windows\DriverSearching\DontPromptForWindowsUpdate CCE-10681-5YThe "Turn Off Automatic Root Certificates Update" setting should be configured correctly.2(1) GPO Settings: Local Computer Policy\Computer Configuration\Administrative Templates\System\Internet Communications Management\Internet Communication settings\Turn off Automatic Root Certificates Update (2) Registry Key: HKLM\Software\Policies\Microsoft\SystemCertificates\AuthRoot\DisableRootAutoUpdate CCE-9819-4UThe "Turn Off Event Viewer "Events.asp" Links" setting should be configured correctly.'(1) GPO Settings: Local Computer Policy\Computer Configuration\Administrative Templates\System\Internet Communications Management\Internet Communication settings\Turn off Event Viewer "Events.asp" links (2) Registry Key: HKLM\Software\Policies\Microsoft\EventViewer\MicrosoftEventVwrDisableLinks.Rule 'turn_off_event_viewer_events_asp_links' 6Definition 'oval:gov.nist.usgcb.windowsseven:def:230' CCE-10658-3_The "Turn off handwriting personalization data sharing" setting should 
be configured correctly.5(1) GPO Settings: Local Computer Policy\Computer Configuration\Administrative Templates\System\Internet Communications Management\Internet Communication settings\Turn off handwriting personalization data sharing (2) Registry Key: HKLM\Software\Policies\Microsoft\Windows\TabletPC\PreventHandwritingDataSharing CCE-10645-0]The "Turn Off Handwriting Recognition Error Reporting" setting should be configured correctly.D(1) GPO Settings: Local Computer Policy\Computer Configuration\Administrative Templates\System\Internet Communications Management\Internet Communication settings\Turn off handwriting recognition error reporting (2) Registry Key: HKLM\Software\Policies\Microsoft\Windows\HandwritingErrorReports\PreventHandwritingErrorReportsqRule 'turn_off_handwriting_personalization_data_sharing' Rule 'turn_off_handwriting_recognition_error_reporting' lDefinition 'oval:gov.nist.usgcb.windowsseven:def:232' Definition 'oval:gov.nist.usgcb.windowsseven:def:231' CCE-10649-2The "Turn Off Internet Connection Wizard if URL Connection is Referring to Microsoft.com" setting should be configured correctly.W(1) GPO Settings: Local Computer Policy\Computer Configuration\Administrative Templates\System\Internet Communications Management\Internet Communication settings\Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com (2) Registry Key: HKLM\Software\Policies\Microsoft\Windows\Internet Connection Wizard\ExitOnMSICW[Rule 'turn_off_internet_connection_wizard_if_url_connection_is_referring_to_microsoft_com' 6Definition 'oval:gov.nist.usgcb.windowsseven:def:233' CCE-10795-3XThe "Turn Off Internet File Association Service" setting should be configured correctly.2(1) GPO Settings: Local Computer Policy\Computer Configuration\Administrative Templates\System\Internet Communications Management\Internet Communication settings\Turn off Internet File Association service (2) Registry Key: 
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoInternetOpenWith1Rule 'turn_off_internet_file_association_wizard' 6Definition 'oval:gov.nist.usgcb.windowsseven:def:235' CCE-10160-0sThe "Turn Off Registration if URL Connection is Referring to Microsoft.com" setting should be configured correctly.M(1) GPO Settings: Local Computer Policy\Computer Configuration\Administrative Templates\System\Internet Communications Management\Internet Communication settings\Turn Off Registration if URL Connection is Referring to Microsoft.com (2) Registry Key: HKLM\Software\Policies\Microsoft\Windows\Registration Wizard Control\NoRegistrationMRule 'turn_off_registration_if_url_connection_is_referring_to_microsoft_com' 6Definition 'oval:gov.nist.usgcb.windowsseven:def:237' CCE-9823-6VThe "Turn Off the 'Order Prints' Picture Task" setting should be configured correctly.2(1) GPO Settings: Local Computer Policy\Computer Configuration\Administrative Templates\System\Internet Communications Management\Internet Communication settings\Turn off the "Order Prints" picture task (2) Registry Key: HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoOnlinePrintsWizard.Rule 'turn_off_the_order_prints_picture_task' 6Definition 'oval:gov.nist.usgcb.windowsseven:def:239' CCE-9831-9fThe "Turn off Windows Customer Experience Improvement Program" setting should be configured correctly.*(1) GPO Settings: Local Computer Policy\Computer Configuration\Administrative Templates\System\Internet Communications Management\Internet Communication settings\Turn off Windows Customer Experience Improvement Program (2) Registry Key: HKLM\Software\Policies\Microsoft\SQMClient\Windows\CEIPEnableDRule 'turn_off_the_windows_customer_experience_improvement_program' CCE-10441-4>The "Enable Error Reporting" policy should < be set correctly. 
a(1) GPO Settings: Local Computer Policy\Computer Configuration\Administrative Templates\System\Internet Communications Management\Internet Communication settings\Turn off Windows Error Reporting (2) Registry Key: HKLM\Software\Policies\Microsoft\PCHealth\ErrorReporting\DoReport, HKLM\Software\Policies\Microsoft\Windows\Windows Error Reporting\Disabled(Rule 'turn_off_windows_error_reporting' 6Definition 'oval:gov.nist.usgcb.windowsseven:def:243' CCE-10591-62Use Classic Logon should be properly configured.  (1) logon type(1) GPO Settings: Local Computer Policy\Computer Configuration\Administrative Templates\System\Logon\Always use classic logon (2) Registry Key: HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\LogonType Rule 'always_use_classic_logon' 6Definition 'oval:gov.nist.usgcb.windowsseven:def:245' CCE-10344-0EThe "Turn on session logging" setting should be configured correctly.(1) GPO Settings: Local Computer Policy\Computer Configuration\Administrative Templates\System\Remote Assistance\Turn on session logging (2) Registry Key: HKLM\Software\policies\Microsoft\Windows NT\Terminal Services\LoggingEnabledRule 'turn_on_session_logging' 6Definition 'oval:gov.nist.usgcb.windowsseven:def:250' CCE-9842-6The "Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider" setting should be configured correctly.w(1) GPO Settings: Local Computer Policy\Computer Configuration\Administrative Templates\System\Troubleshooting and Diagnostics\Microsoft Support Diagnostic Tool\Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider (2) Registry Key: HKLM\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy\DisableQueryRemoteServerfRule 'microsoft_support_diagnostic_tool_turn_on_msdt_interactive_communication_with_support_provider' 6Definition 'oval:gov.nist.usgcb.windowsseven:def:253' CCE-10606-2The "Troubleshooting: Allow user to access online troubleshooting content 
on Microsoft servers from the Troubleshooting Control Panel (via Windows Online Troubleshooting Service - WOTS)" setting should be configured correctly.(1) GPO Settings: Local Computer Policy\Computer Configuration\Administrative Templates\System\Troubleshooting and Diagnostics\Scripted Diagnostics\Troubleshooting: Allow user to access online troubleshooting content on Microsoft servers from the Troubleshooting Control Panel (via Windows Online Troubleshooting Service - WOTS) (2) Registry Key: HKLM\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy\EnableQueryRemoteServerRule 'troubleshooting_allow_user_to_access_online_troubleshooting_content_on_microsoft_servers_from_the_troubleshooting_control_panel' 6Definition 'oval:gov.nist.usgcb.windowsseven:def:254' CCE-10219-4FThe "Enable/Disable PerfTrack" setting should be configured correctly.4(1) GPO Settings: Local Computer Policy\Computer Configuration\Administrative Templates\System\Troubleshooting and Diagnostics\Windows Performance PerfTrack\Enable/Disable PerfTrack (2) Registry Key: HKLM\SOFTWARE\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d}\ScenarioExecutionEnabled Rule 'enable_disable_perftrack' 6Definition 'oval:gov.nist.usgcb.windowsseven:def:255' CCE-10500-7TThe "Configure Windows NTP Client\NtpServer" setting should be configured correctly.EThe Domain Name System (DNS) name or IP address of an NTP time source(1) GPO Settings: Local Computer Policy\Computer Configuration\Administrative Templates\System\Windows Time Service\Time Providers\Configure Windows NTP Client\NtpServer (2) Registry Key: HKLM\Software\Policies\Microsoft\W32time\Parameters\NtpServer$Rule 'configure_windows_ntp_client' 9Definition 'oval:gov.nist.usgcb.windowsseven:def:100215' CCE-10368-9OThe "Configure Windows NTP Client\Type" setting should be configured correctly.No Sync/NTP/NT5DS/AllSync(1) GPO Settings: Local Computer Policy\Computer Configuration\Administrative Templates\System\Windows 
Time Service\Time Providers\Configure Windows NTP Client\Type (2) Registry Key: HKLM\Software\Policies\Microsoft\W32time\Parameters\Type CCE-9892-1]The "Configure Windows NTP Client\CrossSiteSyncFlags" setting should be configured correctly.0/1/2(1) GPO Settings: Local Computer Policy\Computer Configuration\Administrative Templates\System\Windows Time Service\Time Providers\Configure Windows NTP Client\CrossSiteSyncFlags (2) Registry Key: HKLM\Software\Policies\Microsoft\W32time\TimeProviders\NtpClient\CrossSiteSyncFlags CCE-10756-5dThe "Configure Windows NTP Client\ResolvePeerBackoffMinutes" setting should be configured correctly.Number of minutes&(1) GPO Settings: Local Computer Policy\Computer Configuration\Administrative Templates\System\Windows Time Service\Time Providers\Configure Windows NTP Client\ResolvePeerBackoffMinutes (2) Registry Key: HKLM\Software\Policies\Microsoft\W32time\TimeProviders\NtpClient\ResolvePeerBackoffMinutes CCE-10531-2eThe "Configure Windows NTP Client\ResolvePeerBackoffMaxTimes" setting should be configured correctly.+Number of attempts made to resolve DNS name((1) GPO Settings: Local Computer Policy\Computer Configuration\Administrative Templates\System\Windows Time Service\Time Providers\Configure Windows NTP Client\ResolvePeerBackoffMaxTimes (2) Registry Key: HKLM\Software\Policies\Microsoft\W32time\TimeProviders\NtpClient\ResolvePeerBackoffMaxTimes CCE-10774-8^The "Configure Windows NTP Client\SpecialPollInterval" setting should be configured correctly.Number of seconds(1) GPO Settings: Local Computer Policy\Computer Configuration\Administrative Templates\System\Windows Time Service\Time Providers\Configure Windows NTP Client\SpecialPollInterval (2) Registry Key: HKLM\Software\Policies\Microsoft\W32time\TimeProviders\NtpClient\SpecialPollInterval CCE-10408-3XThe "Configure Windows NTP Client\EventLogFlags" setting should be configured correctly. 
0, 1, 2, 3(1) GPO Settings: Local Computer Policy\Computer Configuration\Administrative Templates\System\Windows Time Service\Time Providers\Configure Windows NTP Client\EventLogFlags (2) Registry Key: HKLM\Software\Policies\Microsoft\W32time\TimeProviders\NtpClient\EventLogFlags CCE-10787-0HThe "Turn off Program Inventory" setting should be configured correctly.(1) GPO Settings: Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components\Application Compatibility\Turn off Program Inventory (2) Registry Key: HKLM\Software\Policies\Microsoft\Windows\AppCompat\DisableInventory"Rule 'turn_off_program_inventory' 6Definition 'oval:gov.nist.usgcb.windowsseven:def:257' CCE-10527-0?The default behavior for AutoRun should be properly configured.(1) GPO Settings: Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components\AutoPlay Policies\Default behavior for AutoRun (2) Registry Key: HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoAutorun$Rule 'default_behavior_for_autorun' 6Definition 'oval:gov.nist.usgcb.windowsseven:def:258' CCE-10655-9VThe "Turn off Autoplay for non-volume devices" setting should be configured correctly.(1) GPO Settings: Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components\AutoPlay Policies\Turn off Autoplay for non-volume devices (2) Registry Key: HKLM\Software\Policies\Microsoft\Windows\Explorer\NoAutoplayfornonVolume0Rule 'turn_off_autoplay_for_non_volume_devices' 6Definition 'oval:gov.nist.usgcb.windowsseven:def:260' CCE-9857-4LThe "Override the More Gadgets Link" setting should be configured correctly. 
(1) GPO Settings: Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components\Desktop Gadgets\Override the More Gadgets link (2) Registry Key: HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Windows\Sidebar\OverrideMoreGadgetsLink&Rule 'override_the_more_gadgets_link' 6Definition 'oval:gov.nist.usgcb.windowsseven:def:262' CCE-10811-8yThe "Disable unpacking and installation of gadgets that are not digitally signed" setting should be configured correctly.4(1) GPO Settings: Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components\Desktop Gadgets\Restrict unpacking installation of gadgets that are not digitally signed (2) Registry Key: HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Windows\Sidebar\TurnOffUnsignedGadgetsPRule 'restrict_unpacking_installation_of_gadgets_that_are_not_digitally_signed' 6Definition 'oval:gov.nist.usgcb.windowsseven:def:263' CCE-10586-6]The "Turn Off User Installed Windows Sidebar Gadgets" setting should be configured correctly.(1) GPO Settings: Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components\Desktop Gadgets\Turn Off user-installed desktop gadgets (2) Registry Key: HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Windows\Sidebar\TurnOffUserInstalledGadgets/Rule 'turn_off_user_installed_desktop_gadgets' 6Definition 'oval:gov.nist.usgcb.windowsseven:def:264' CCE-10714-4:The setup log maximum size should be configured correctly.(1) GPO Settings: Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components\Event Log Service\Setup\Maximum Log Size (KB) (2) Registry Key: HKLM\Software\Policies\Microsoft\Windows\EventLog\Setup\MaxSizeRule 'maximum_setup_log_size' 6Definition 'oval:gov.nist.usgcb.windowsseven:def:267' CCE-10828-2VThe "Turn Off Downloading of Game Information" setting should be configured correctly.(1) GPO Settings: Local Computer Policy\Computer Configuration\Administrative 
Templates\Windows Components\Game Explorer\Turn off downloading of game information (2) Registry Key: HKLM\Software\Policies\Microsoft\Windows\GameUX\DownloadGameInfo0Rule 'turn_off_downloading_of_game_information' 6Definition 'oval:gov.nist.usgcb.windowsseven:def:269' CCE-10850-6CThe "Turn off game updates" setting should be configured correctly.(1) GPO Settings: Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components\Game Explorer\Turn off game updates (2) Registry Key: HKLM\Software\Policies\Microsoft\Windows\GameUX\GameUpdateOptionsRule 'turn_off_game_updates' 6Definition 'oval:gov.nist.usgcb.windowsseven:def:270' CCE-10608-8\The "Set time limit for idle sessions" policy should be set correctly for Terminal Services. (1) Time limit (minutes)R(1) GPO Settings: Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Session Time Limits\Set time limit for active but idle Remote Desktop Services sessions (2) Registry Key: HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\MaxIdleTimeKRule 'set_time_limit_for_active_but_idle_remote_desktop_services_sessions' 6Definition 'oval:gov.nist.usgcb.windowsseven:def:277' CCE-9858-2dThe "Set time limit for disconnected sessions" policy should be set correctly for Terminal Services. 
(1) Time Limit (minutes)@(1) GPO Settings: Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Session Time Limits\Set time limit for disconnected sessions (2) Registry Key: HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\MaxDisconnectionTime0Rule 'set_time_limit_for_disconnected_sessions' 6Definition 'oval:gov.nist.usgcb.windowsseven:def:278' CCE-10856-3QThe "Do not delete temp folder upon exit" setting should be configured correctly.9(1) GPO Settings: Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Temporary Folders\Do not delete temp folder upon exit (2) Registry Key: HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\DeleteTempDirsOnExit,Rule 'do_not_delete_temp_folders_upon_exit' 6Definition 'oval:gov.nist.usgcb.windowsseven:def:279' CCE-9864-0VThe "Do not use temporary folders per session" setting should be configured correctly.;(1) GPO Settings: Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Temporary Folders\Do not use temporary folders per session (2) Registry Key: HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\PerSessionTempDir0Rule 'do_not_use_temporary_folders_per_session' 6Definition 'oval:gov.nist.usgcb.windowsseven:def:280' CCE-10730-0PThe "Turn off downloading of enclosures" setting should be configured correctly.(1) GPO Settings: Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components\RSS Feeds\Turn off downloading of enclosures (2) Registry Key: HKLM\Software\Policies\Microsoft\Internet Explorer\Feeds\DisableEnclosureDownload*Rule 'turn_off_downloading_of_enclosures' 6Definition 'oval:gov.nist.usgcb.windowsseven:def:281' CCE-10007-3YThe "Turn on Basic feed authentication over HTTP" setting should be 
configured correctly.(1) GPO Settings: Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components\RSS Feeds\Turn on Basic feed authentication over HTTP (2) Registry Key: HKLM\Software\Policies\Microsoft\Internet Explorer\Feeds\AllowBasicAuthInClear CCE-10496-8OThe "Allow indexing of encrypted files" setting should be configured correctly.(1) GPO Settings: Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components\Search\Allow indexing of encrypted files (2) Registry Key: HKLM\Software\Policies\Microsoft\Windows\Windows Search\AllowIndexingEncryptedStoresOrItems)Rule 'allow_indexing_of_encrypted_files' 6Definition 'oval:gov.nist.usgcb.windowsseven:def:283' CCE-9866-5XThe "Prevent indexing uncached Exchange folders" setting should be configured correctly. (1) GPO Settings: Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components\Search\Enable indexing uncached Exchange folders (2) Registry Key: HKLM\Software\Policies\Microsoft\Windows\Windows Search\PreventIndexingUncachedExchangeFolders1Rule 'enable_indexing_uncached_exchange_folders' 6Definition 'oval:gov.nist.usgcb.windowsseven:def:284' CCE-10137-8ZThe "Prevent Windows Anytime Upgrade from running" setting should be configured correctly.(1) GPO Settings: Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components\Windows Anytime Upgrade\Prevent Windows Anytime Upgrade from running (2) Registry Key: HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\WAU\Disabled4Rule 'prevent_windows_anytime_upgrade_from_running' 6Definition 'oval:gov.nist.usgcb.windowsseven:def:285' CCE-9868-1RThe "Configure Microsoft SpyNet Reporting" setting should be configured correctly.(1) GPO Settings: Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components\Windows Defender\Configure Microsoft SpyNet Reporting (2) Registry Key: HKLM\Software\Policies\Microsoft\Windows 
Defender\SpyNet\SpyNetReporting,Rule 'configure_microsoft_spynet_reporting' 6Definition 'oval:gov.nist.usgcb.windowsseven:def:286' CCE-10157-6UThe Windows Error Reporting "Disable Logging" setting should be configured correctly.(1) GPO Settings: Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components\Windows Error Reporting\Disable Logging (2) Registry Key: HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting\LoggingDisabledRule 'disable_logging' 6Definition 'oval:gov.nist.usgcb.windowsseven:def:287' CCE-9914-3MThe "Disable Windows Error Reporting" setting should be configured correctly.(1) GPO Settings: Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components\Windows Error Reporting\Disable Windows Error Reporting (2) Registry Key: HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting\Disabled'Rule 'disable_windows_error_reporting' 6Definition 'oval:gov.nist.usgcb.windowsseven:def:288' CCE-10709-4`The Windows Error Reporting "Display Error Notification" setting should be configured correctly.(1) GPO Settings: < Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components\Windows Error Reporting\Display Error Notification (2) Registry Key: HKLM\Software\Policies\Microsoft\PCHealth\ErrorReporting\ShowUI#Rule 'disable_error_notifications' 6Definition 'oval:gov.nist.usgcb.windowsseven:def:289' CCE-10824-1aThe Windows Error Reporting "Do not send additional data" setting should be configured correctly.(1) GPO Settings: Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components\Windows Error Reporting\Do not send additional data (2) Registry Key: HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting\DontSendAdditionalData#Rule 'do_not_send_additional_data' 6Definition 'oval:gov.nist.usgcb.windowsseven:def:290' CCE-9874-9UThe "Turn off Heap termination on corruption" setting should be configured correctly.(1) GPO 
Settings: Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components\Windows Explorer\Turn off heap termination on corruption (2) Registry Key: HKLM\Software\Policies\Microsoft\Windows\Explorer\NoHeapTerminationOnCorruption0Rule 'turn_off_heap_terminiation_on_corruption' 6Definition 'oval:gov.nist.usgcb.windowsseven:def:292' CCE-10623-7TThe "Turn off shell protocol protected mode" setting should be configured correctly.(1) GPO Settings: Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components\Windows Explorer\Turn off shell protocol protected mode (2) Registry Key: HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\PreXPSP2ShellProtocolBehavior.Rule 'turn_off_shell_protocol_protected_mode' 6Definition 'oval:gov.nist.usgcb.windowsseven:def:293' CCE-9875-6>The "Set Safe for Scripting" policy should be set correctly. (1) GPO Settings: Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components\Windows Installer\Disable IE security prompt for Windows Installer scripts (2) Registry Key: HKLM\Software\Policies\Microsoft\Windows\Installer\SafeForScripting@Rule 'disable_ie_security_prompt_for_windows_installer_scripts' 6Definition 'oval:gov.nist.usgcb.windowsseven:def:294' CCE-9876-4IThe "Enable User Control Over Installs" policy should be set correctly. 
(1) GPO Settings: Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components\Windows Installer\Enable user control over installs (2) Registry Key: HKLM\Software\Policies\Microsoft\Windows\Installer\EnableUserControl)Rule 'enable_user_control_over_installs' 6Definition 'oval:gov.nist.usgcb.windowsseven:def:295' CCE-9888-9mThe "Prohibit non-administrators from applying vendor signed updates" setting should be configured correctly.(1) GPO Settings: Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components\Windows Installer\Prohibit non-administrators from applying vendor signed updates (2) Registry Key: HKLM\Software\Policies\Microsoft\Windows\Installer\DisableLUAPatchingGRule 'prohibit_non_administrators_from_applying_vendor_signed_updates' 6Definition 'oval:gov.nist.usgcb.windowsseven:def:296' CCE-9907-7aThe "Report Logon Server Not Available During User logon" setting should be configured correctly.&(1) GPO Settings: Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components\Windows Logon Options\Report when logon server was not available during user logon (2) Registry Key: HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\ReportControllerMissingDRule 'report_when_logon_server_was_not_available_during_user_logon' 6Definition 'oval:gov.nist.usgcb.windowsseven:def:297' CCE-9908-5WThe "Prevent Windows Media DRM Internet Access" setting should be configured correctly.(1) GPO Settings: Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components\Windows Media Digital Rights Management\Prevent Windows Media DRM Internet Access (2) Registry Key: HKLM\Software\Policies\Microsoft\WMDRM\DisableOnline1Rule 'prevent_windows_media_drm_internet_access' 6Definition 'oval:gov.nist.usgcb.windowsseven:def:298' CCE-10692-2iThe "Do Not Show First Use Dialog Boxes" setting for Windows Media Player should be configured correctly.(1) GPO Settings: Local 
Computer Policy\Computer Configuration\Administrative Templates\Windows Components\Windows Media Player\Do Not Show First Use Dialog Boxes (2) Registry Key: HKLM\Software\Policies\Microsoft\WindowsMediaPlayer\GroupPrivacyAcceptance*Rule 'do_not_show_first_use_dialog_boxes' 6Definition 'oval:gov.nist.usgcb.windowsseven:def:299' CCE-10602-1RThe "Disable Media Player for automatic updates" policy should be set correctly. (1) GPO Settings: Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components\Windows Media Player\Prevent Automatic Updates (2) Registry Key: HKLM\Software\Policies\Microsoft\WindowsMediaPlayer\DisableAutoUpdate!Rule 'prevent_automatic_updates' 6Definition 'oval:gov.nist.usgcb.windowsseven:def:300' CCE-10661-7>The startup type of the Bluetooth service should be correct. 7(1) disabled/manual/automatic/automatic (delayed start)(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bthserv\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy !Rule 'bluetooth_support_service' 6Definition 'oval:gov.nist.usgcb.windowsseven:def:142' CCE-10150-18The startup type of the Fax service should be correct. (1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Fax\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy Rule 'fax_service' 6Definition 'oval:gov.nist.usgcb.windowsseven:def:143' CCE-10543-7GThe startup type of the Homegroup Listener service should be correct. (1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HomeGroupListener\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy "Rule 'homegroup_listener_service' 6Definition 'oval:gov.nist.usgcb.windowsseven:def:144' CCE-9910-1GThe startup type of the Homegroup Provider service should be correct. 
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HomeGroupProvider\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy "Rule 'homegroup_provider_service' 6Definition 'oval:gov.nist.usgcb.windowsseven:def:145' CCE-10699-7KThe startup type of the Media Center Extenders service should be correct. (1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Mcx2Svc\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy %Rule 'media_center_extender_service' 6Definition 'oval:gov.nist.usgcb.windowsseven:def:146' CCE-10311-9FThe startup type of the Parental Controls service should be correct. (1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WPCSvc\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy !Rule 'parental_controls_service' 6Definition 'oval:gov.nist.usgcb.windowsseven:def:147' CCE-10443-0MThe startup type of the SPP Notification Service service should be correct. (1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sppuinotify\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy CCE-10091-7FThe startup type of the Windows Biometric service should be correct. (1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WbioSrvc\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy CCE-10844-9DThe startup type of the WWAN AutoConfig service should be correct. (1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WwanSvc\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy CCE-10636-9YThe "add workstations to domain" user right should be assigned to the correct accounts. |Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Add workstations to a domain CCE-10251-7DEPRECATED. Previously: The "synchronize directory service data" user right should be assigned to the correct accounts. 
Note: According to Microsoft, this is only relevant to domain controllers and hence does not apply to Windows 7. CCE-11164-1DEPRECATED. Previously: The startup type of the Alerter service should be correct. Note: According to Microsoft, no such service in Windows 7.  CCE-11151-8cThe startup type of the Background Intelligent Transfer Service (BITS) service should be correct. qComputer Configuration\Windows Settings\Security Settings\System Services\Background Intelligent Transfer Service CCE-11045-2DEPRECATED. Previously: The startup type of the ClipBook service should be correct. Note: According to Microsoft, no such service in Windows 7.  CCE-10254-1EThe startup type of the Computer Browser service should be correct. ZComputer Configuration\Windows Settings\Security Settings\System Services\Computer Browser CCE-10674-0DEPRECATED. Previously: The Error Reporting Service should be enabled or disabled as appropriate. Note: According to Microsoft, no such service in Windows 7. See Windows Error Reporting.  CCE-10956-1DEPRECATED. Previously: The startup type of the Fast User Switching service should be correct. Note: According to Microsoft, no such service in Windows 7.  CCE-11066-8CThe startup type of the FTP Publishing service should be correct. `Computer Configuration\Windows Settings\Security Settings\System Services\FTP Publishing Service CCE-10264-0DEPRECATED. Previously: The startup type of the Indexing service should be correct. Note: According to Microsoft, no such service in Windows 7.  CCE-11235-9DEPRECATED. Previously: The startup type of the Messenger service should be correct. Note: According to Microsoft, no such service in Windows 7.  CCE-11221-9DEPRECATED. Previously: The startup type of the NetMeeting Remote Desktop Sharing service should be correct. Note: According to Microsoft, no such service in Windows 7.  CCE-11226-8DEPRECATED. 
Previously: The Network Dynamic Data Exchange (DDE) service should be enabled or disabled as appropriate.Note: According to Microsoft, no such service in Windows 7.  CCE-11124-5DEPRECATED. Previously: The Network DDE DDE Share Database Manager (DSDM) service should be enabled or disabled as appropriate.Note: According to Microsoft, no such service in Windows 7.  CCE-10267-3ZThe Remote Access Connection Manager service should be enabled or disabled as appropriate.jComputer Configuration\Windows Settings\Security Settings\System Services\Remote Access Connection Manager CCE-11246-6NThe startup type of the Routing and Remote Access service should be correct. cComputer Configuration\Windows Settings\Security Settings\System Services\Routing and Remote Access CCE-10271-5CThe startup type of the SSDP Discovery service should be correct. `Computer Configuration\Windows Settings\Security Settings\System Services\SSDP Discovery Service CCE-10272-3CThe startup type of the Task Scheduler service should be correct. XComputer Configuration\Windows Settings\Security Settings\System Services\Task Scheduler CCE-10841-5DEPRECATED. Previously: The startup type of the Terminal Services service should be correct. Note: According to Microsoft, no such service in Windows 7. See Remote Desktop Services.  CCE-10577-5DEPRECATED. Previously: The startup type of the Universal Plug and Play Device Host (UPnP) service should be correct. Note: According to Microsoft, no such service in Windows 7.  CCE-11207-8CThe WebClient service should be enabled or disabled as appropriate.SComputer Configuration\Windows Settings\Security Settings\System Services\WebClient CCE-11229-2DEPRECATED. Previously: The Wireless Zero Configuration service should be enabled or disabled as appropriate.Note: According to Microsoft, no such service in Windows 7.  
CCE-11233-4QThe WMI Performance Adapter service should be enabled or disabled as appropriate.aComputer Configuration\Windows Settings\Security Settings\System Services\WMI Performance Adapter CCE-11220-1NThe startup type of the World Wide Web Publishing service should be correct. kComputer Configuration\Windows Settings\Security Settings\System Services\World Wide Web Publishing Service CCE-10282-2DEPRECATED. Previously: The "Prohibit use of Internet Connection Firewall on your DNS domain network" setting should be configured correctly.Note: According to Microsoft, does not apply to Windows 7. CCE-10886-0The "Internet Explorer Maintenance Policy Processing - Allow processing across a slow network connection" setting should be configured correctly.sComputer Configuration\Administrative Templates\System\Group Policy\Internet Explorer Maintenance policy processing CCE-10499-2LThe "Turn off Windows Startup Sound" setting should be configured correctly.[Computer Configuration\Administrative Templates\System\Logon\Turn off Windows Startup Sound CCE-10877-9wThe 'Approved Installation Sites for ActiveX Controls' security mechanism should be enabled or disabled as appropriate.Computer Configuration\Administrative Templates\Windows Components\ActiveX Installer Service\Approved Installation Sites for ActiveX Controls CCE-10759-9PThe "Do not allow Digital Locker to run" setting should be configured correctly.tComputer Configuration\Administrative Templates\Windows Components\Digital Locker\Do not allow Digital Locker to run CCE-10763-1VThe startup type of the NetMeeting Remote Desktop Sharing service should be correct. lComputer Configuration\Administrative Templates\Windows Components\NetMeeting\Disable remote Desktop Sharing CCE-11252-4YThe "Turn off the communitication features" setting should be configured correctly. 
(sic)qComputer Configuration\Administrative Templates\Windows Components\Windows Mail\Turn off the communities features CCE-10882-9OThe "Turn off Windows Mail application" setting should be configured correctly.qComputer Configuration\Administrative Templates\Windows Components\Windows Mail\Turn off Windows Mail application CCE-11027-0hThe "Prevent Desktop Shortcut Creation" setting for Windows Media Player should be configured correctly.yComputer Configuration\Administrative Templates\Windows Components\Windows Media Player\Prevent Desktop Shortcut Creation CCE-10767-2DEPRECATED. Previously: Prompt for password on resume from hibernate/suspend is set correctly.Note: According to Microsoft, does not apply to Windows 7. See settings under System\Power Management\Sleep Settings. CCE-10644-3cThe "Prevent users from sharing files within their profile" setting should be configured correctly.User Configuration\Administrative Templates\Windows Components\Network Sharing\Prevent users from sharing files within their profile. CCE-10295-4CThe "Turn off Help Ratings" setting should be configured correctly.User Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication Settings\Turn off Help Ratings CCE-10939-7DEPRECATED in favor of CCE-9715-4, CCE-8956-5. Previously: Auditing of 'Logon-Logoff: IPsec Main Mode' events on success should be enabled or disabled as appropriate.. CCE-10551-0.DEPRECATED in favor of CCE-9811-1, CCE-9217-1. CCE-10450-5/DEPRECATED in favor of CCE-10078-4, CCE-9737-8. 
CCE-18880-54The 'Games' features should be configured correctly.r(1) Control Panel\Programs and Features\Turn Windows features on or off\Games (2) %Program Files%\Microsoft Gamesgames*oval:gov.nist.usgcb.windowsseven:def:20000 CCE-18249-3LThe 'Internet Information Services' features should be configured correctly.(1) Control Panel\Programs and Features\Turn Windows features on or off\Internet Information Services (2) HKLM\SYSTEM\CurrentControlSet\Services\W3Svc\DisplayNameInternet_Information_Services*oval:gov.nist.usgcb.windowsseven:def:20001 CCE-18629-6AThe 'SimpleTCP Services' features should be configured correctly.<W(1) Control Panel\Programs and Features\Turn Windows features on or off\SimpleTCP Services (2) HKLM\SYSTEM\CurrentControlSet\Services\simptcp\DisplayNameSimple_TCPIP_Services*oval:gov.nist.usgcb.windowsseven:def:20002 CCE-18659-3<The 'Telnet Client' features should be configured correctly.w(1) Control Panel\Programs and Features\Turn Windows features on or off\Telnet Client (2) %windir%\system32\telnet.exe Telnet_Client*oval:gov.nist.usgcb.windowsseven:def:20003 CCE-18739-3<The 'Telnet Server' features should be configured correctly.(1) Control Panel\Programs and Features\Turn Windows features on or off\Telnet Server (2) HKLM\SYSTEM\CurrentControlSet\Services\tlntsvr Telnet_Server*oval:gov.nist.usgcb.windowsseven:def:20004 CCE-18190-9:The 'TFTP Client' features should be configured correctly.s(1) Control Panel\Programs and Features\Turn Windows features on or off\TFTP Client (2) %windir%\system32\tftp.exe TFTP_Client*oval:gov.nist.usgcb.windowsseven:def:20005 CCE-18300-4CThe 'Windows Media Center' features should be configured correctly.|(1) Control Panel\Programs and Features\Turn Windows features on or off\Windows Media Center (2) %windir%\ehome\ehshell.exeWindows_Media_Center*oval:gov.nist.usgcb.windowsseven:def:20006 CCE-14986-4P(1) GPO: Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows 
Firewall with Advanced Security\Inbound Rules\Core Networking - Dynamic Host Configuration Protocol (DHCP-In) (2) Registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\FirewallRules\CoreNet-DHCP-In CCE-14854-4T(1) GPO: Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Inbound Rules\Core Networking - Dynamic Host Configuration Protocol (DHCPV6-In) (2) Registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\FirewallRules\CoreNet-DHCPV6-In&domain_profile_Core_Networking_DHCP_In*oval:gov.nist.USGCB.win7firewall:def:20940(domain_profile_Core_Networking_DHCPV6_In*oval:gov.nist.USGCB.win7firewall:def:20941|The 'Core Networking - Dynamic Host Configuration Protocol (DHCP-In)' Windows Firewall rule should be configured correctly. (1) Enabled\Not Enabled (2) Allow the connection\Allow the connection if it is secure(Allow the connection if it is authenticated and integrity-protected\Require the connection to be encrypted\Allow the computers to dynamically negotiate encryption\Allow the connection to use null encapsulation\Override block rules)\Block the connection (3) List of authorized computers (4) List of computer exceptions (5) List of local IP address that limit the scope (6) List of remote IP address that limit the scope (7) Profiles: Domain\Private\Public (8) All interface types\These interface types (Local area network/Remote access\Wireless) (9) Block edge traversal\Allow edge traversal\Defer to user\Defer to application (10) List of authorized users (11) List of user exceptions~The 'Core Networking - Dynamic Host Configuration Protocol (DHCPV6-In)' Windows Firewall rule should be configured correctly. 1Microsoft Security Compliance Manager Version 2.5 CCE-18800-3SThe "Check Administrator Group Membership" setting should be configured correctly. 
True/False(1) Powershell: Get-WmiObject -Class Win32_ComputerSystem to get domain (2) Powershell: Get-WmiObject -Class Win32_Group -ComputerName (3) Powershell: Code logic to extract admin list and compare against desired list (4) If match True else False CCE-19216-1SThe "Check if Windows Updates are missing" setting should be configured correctly.Compliant/Not Compliant(1) Powershell: New-Object -ComObject "Microsoft.Update.Session" (2) CreateupdateSearcher().Search($criteria).Updates.Count (3) If count = 0 "Compliant" else "Not Compliant" CCE-19306-0LThe "Check if AppLocker is Enabled" setting should be configured correctly.Enabled/Disabledg(1) Powershell: Get-AppLockerPolicy -Effective |Select-Object -Skip 1 (2) If NULL Disabled else EnabledLast modified: 2012-05-18Version: 5.20120521Microsoft Tool: Security Compliance Manager (SCM) Microsoft Baseline: Win7SP1ExtendedDCMChecks 1.0 SCM URL: http://go.microsoft.com/fwlink/?LinkId=113940 Note, use SCM global search and baseline filter to locate settings related to CCE ID&Z  x? % (d2@ <@HS@ _JiArl!LELM0sV]@h6[[=51 2#I.9gCKOX enpx{ ؐG r( l}EX p M";,y7 B&M@V 1`Kbj|s| s6 <F`*x -^TC <%i.7 6A_IQ*Z/ tcyVn7Kw, eȒt1X1Xd>5b -<9E CMeWJ alvv7Vy= @ʩg* ccB g2ɀ `gx&P`"5RI\`p 2pRV %H)  dMbP?_*+%&?'?(?)?M\\MBPS1\1S412-OC9284-5337-46DF  od XX0CourierArial 0X o   COPIES@PJL JOB NAME="!JOBNAME" @PJL SET GUISTARTJOB=1 @PJL EOJ  E222XXXXXXXXXXXXXXXC,EXXxxxxb 222XXXX,TOSHIBA eS282/283Series PSL3Mckinley1M24402XXXE0?ʡE??ʡE? 2222                                                   X1118050,E211111111111111111111111C,1003,E211,2124,E1,111302({111111C E222XXXXXXXXXXXXXXXXXXXXXC,D222,X,E2XXXXX2,D1,E011111111111121111111111C EXXX222222222222222222222C,E22X,X,EX2XXXXX,X0,SP:Drawer1Pap"dXX??& U} 9} ;} m,;} 2;} <}  ;} #=} (=} >} "?} ?} @} /A} $ Ag  B(      : : g g g gh g i i j  k  k  l  l  i mmmmmmmmmmmm ] ^ ^ ^_ ^ ` `*abbcdeffffffffffff 9 ; ; ;E ; F F \ 9 ; ; ;E ; F F \ 9 ; ; ;E ;! F" F# \ 9$ ;% ; ;E ;& F' F( \ 9) ;* ; ;E ;+ F, F- \ 9. 
G/ ;0 ;1 E ;2 F3 F4 ?5 \ 96 ;7 ; ;8 E ;9 F: F; ?< ?= \ 9> ;? ; ;@ E FA FB \ 9C ;D ;0 ;E E ;F FG FH ?I \ 9J ;K ; ;L E ;M FN FO \ 9P ;Q ; ;E ;R FS FT \ 9U ;V ; ;E ;W FX FY \ 9Z ;[ ; ;\E ;] F^ F_ \ 9` ;a ; ;E ;b Fc Fd \ 9e ;f ;0 ;gE ;h Fi Fj  ?k  ?l \ 9m ;n ;0 ;oE ;p Fq Fr \ 9s ;t ;0 ;uE ;v Fw Fx \ 9y ;z ; ;E ;{ F| F} \ 9~ ; ; ;E ; F F  ?  ? \ 9 ; ; ;E ; F F \ 9 ; ;0 ;E ; F F \ 9 ; ; ;E ; F F \ 9 ; ; ;E ; F F  ?  ? \ 9 ; ; ;E ; F F \ 9 ; ; ;E ; F F  ? \ 9 ; ;0 ;E ; F F \ 9 ; ; ;E ; F F  ?  ? \ 9 ; ; ;E ; F F  ? \Dlvvvvvhvvvvvvvvvvvvv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`8 \ 99a 9;b 9; 9;c9E 9;M 9Fd 9Fe 9>9 \ :9f :Gg :;h :;i:E :;j :Fk :Fl : ?m : ?n: \ ;9o ;;p ;;q ;;r;E ;;s ;Ft ;Fu ; ?v ; ?w; \ <9x <;y <; <;z<E <;M <F{ <F| <>< \ =9} =;~ =; =;=E =;M =F =F =>= \ >9 >; >; >;>E >; >F >F > ?> \ ?9 ?; ?; ?;?E ?; ?F ?F ? ? ? ?? \Dblvvvvv@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_ @9 @; @; @;@E @;M @F @F @>@ \ A9 A; A; A;AE A; AF AFA \ B9 B; B; B;BE B;M BF BF B>B \ C9 C; C; C;CE C;M CF CF C>C \ D9 D; D; D;DE D;M DF DF D>D \ E9 E; E; E;EE E;M EF EF E>E \ F9 F; F; F;FE F;M FF FFF \ G9 G; G; G;GE G;M GF GF G>G \ H9 H; H; H;HE H;M HF HF H>H \ I9 I; I;0 I;IE I; IF IF I ?I \ J9 J; J;0 J;JE J; JF JF J ? J ?J \ K9 K; K; K;KE K;M KF KF K>K \ L9 L; L;( L;LE L; LF LF L ? L ?L \ M9 M; M; M;ME M;M MF MF M>M \ N9 N; N; N;NE N;M NF NF N>N \ O9 OH O; O;OE O; OF OF O ? O ?O \ P9 P; P; P;PE P;M PF PF P>P \ Q9 Q; Q;( Q;QE Q; QF QF Q ? Q ?Q \ R9 R; R; R;RE R;M RF RF R>R \ S9 S; S; S;SE S;M SF SF S>S \ T9 T; T; T; TE T;M TF  TF  T>T \ U9  U;  U; U;UE U;M UF UF U>U \ V9 V; V; V;VE V; VF VF V ? V ?V \ W9 W; W; W;WE W; WF WF W ?W \ X9  X;! X; X;"XE X;M XF# XF$ X>X \ Y9% Y;& Y; Y;'YE Y;M YF( YF) Y>Y \ Z9* Z;+ Z;, Z;-ZE Z;M ZF. ZF/ Z>Z \ [90 [;1 [; [;2[E [;M [F3 [F4 [>[ \ \95 \;6 \; \;7\E \;M \F8 \F9 \>\ \ ]9: ];; ]; ];<]E ];= ]F> ]F? 
] ?@ ] ?A] \ ^9B ^;C ^; ^;D^E ^;M ^FE ^FF ^>^ \ _9G _;H _; _;I_E _;M _FJ _FK _>_ \D8lvv`abcdefghijklmnopqrstuvwxyz{|}~ `9L `;M `;( `;N`E `;O `FP `FQ ` ?R ` ?S` \ a9T a;U a;V a;WaE a;X aFY aFZ a ?[ a ?\a \ b9] b;^ b;_ b;`bE b;M bFa bFb b>b \ c9c c;d c; c;ecE c;M cFf cFg c>c \ d9h d;i d; d;jdE d;M dFk dFl d>d \ e9m e;n e; e;oeE e;M eFp eFq e>e \ f9r f;s f;0 f;tfE f;u fFv fFwf \ g9x g;y g; g;zgE g;M gF{ gF| g>g \ h9} h;~ h; h;hE h; hF hF h ? h ?h \ i9 i; i; i;iE i;M iF iF i>i \ j9 j; j; j;jE j;M jF jF j ?j \ k9 k; k; k;kE k; kF kF k ? k ?k \ l9 l; l; l;lE l; lF lF l ? l ?l \ m9 m; m;0 m;mE m; mF mF m ? m ?m \ n9 n; n; n;nE n; nF nF n ? n ?n \ o9 o; o;0 o;oE o; oF oF o ? o ?o \ p9 p; p;0 p;pE p; pF pF p ? p ?p \ q9 q; q; q;qE q; qF qFq \ r9 r; r;0 r;rE r; rF rF r ? r ?r \ s9 s; s; s;sE s; sF sFs \ t9 t; t; t;tE t; tF tFt \ u9 u; u; u;uE u;M uF uFu \ v9 v; v; v;vE v; vF vFv \ w9 w; w; w;wE w; wF wFw \ x9 x; x; x;xE x;M xF xF x>x \ y9 y; y; y;yE y; yF yFy \ z9 z; z; z;zE z; zF zFz \ {9 {; {; {;{E {; {F {F{ \ |9 |; |; |;|E |;M |F |F| \ }9 }; }; };}E }; }F }F } \ ~9  ~;  ~;  ~; ~E ~; ~F ~F~ \ 9 ; ; ;E ; F F \Dlvvvvvvvvvvvvv  9 ; ; ;E ;M F F > \ 9 ; ; ;E ;M F F  > \ 9! G" G# ;$E ;% F& F' ?( ?) \ 9* ;+ ;, ;-E ;M F. F/ \ 90 ;1 ;( ;2E ;3 F4 F5 \ 96 ;7 ; ;8E ;9 F: F; ?< ?= \ 9> ;? ;0 ;@E ;A FB FC ?D ?E \ 9F ;G ; ;HE ;I FJ FK ?L ?M \ 9N ;O ; ;PE ;M FQ FR > \ 9S ;T ; ;E ;U FV FW \ 9X ;Y ;Z ;[E ;\ F] F^ ?_ ?` \ 9a ;b ;_ ;cE ;M Fd Fe > \ 9f ;g ;V ;hE ;i Fj Fk ?l ?m \ 9n ;o ;0 ;pE ;q Fr Fs ?t ?u \ 9v ;w ;, ;xE ;M Fy Fz > \ 9{ ;| ; ;}E ;M F~ F > \ 9 ; ; ;E ;M F F > \ 9 ; ;( ;E ; F F ? ? \ 9 ; ; ;E ;M F F > \ 9 ; ;  ;E ; F F \ 9 ; ;( ;E ; F F ? ? \ 9 ; ; ;E ; F F ? ? \ 9 ; ; ;E ; F F \ 9 ; ;0 ;E ; F F ? ? \ 9 ; ;, ;E ;M F F \ 9 ; ;0 ;E ; F F ? ? \ 9 ; ; ;E ;M F F > \ 9 ; ;( ;E ; F F ? ? \ 9 ; ; ;E ;M F F > \ 9 ; ; ;E ;M F F > \ 9 ; ; ;E ; F F \ 9 ; ; ;E ; F F \DFlvvvvvvv 9 ; ; ;E ;M F F > \ 9 ; ; ;E ; F F \ 9 ; ; ;E ; F F ? ? \ 9 ; ;( ;E ; F F ? ? 
\ 9 G ; ;E ; F F \ 9 ; ; ;E ; F F \ 9 ; ; ;E ;M F F > \ 9 ;  ; ; E ;M F  F  > \ 9  ; ;, ;E ;M F F > \ 9 ; ; ;E ;M F F > \ 9 ; ; ;E ;M F F > \ 9 ; ;0 ;E ;M F F  ?! \ 9" ;# ;( ;$E ;% F& F' ?( ?) \ 9* ;+ ; ;,E ;M F- F. > \ 9/ ;0 ; ;1E ;M F2 F3 > \ 94 ;5 ;( ;6E ;7 F8 F9 ?: ?; \ 9< ;= ; ;>E ;? F@ FA \ 9B ;C ;V ;DE ;M FE FF > \ 9G ;H ;I ;JE ;K FL FM ?N ?O \ 9P ;Q ;R ;SE ;T FU FV ?W ?X \ 9Y ;Z ;( ;[E ;\ F] F^ ?_ ?` \ 9a ;b ; ;cE ;M Fd Fe \ 9f ;g ; ;E ;h Fi Fj \ 9k ;l ;( ;mE ;n Fo Fp ?q ?r \ 9s ;t ;u ;vE ;w Fx Fy ?z ?{ \ 9| ;} ; ;E ;~ F F \ 9 ; ; ;E ;M F F > \ 9 ; ; ;E ;M F F > \ 9 ; ; ;E ;M F F > \ 9 ; ; ;E ;M F F > \ 9 ; ; ;E ;M F F > \ 9 ; ; ;E ;M F F > \Dlvvvvvvv 9 ; ; ;E ; F F \ 9 ; ;( ;E ; F F ? ? \ 9 ; ; ;E ; F F ? ? \ 9 ; ; ;E ; F F \ 9 ; ;0 ;E ; F F ? ? \ 9 ; ; ;E ; F F \ 9 ; ; ;E ;M F F > \ 9 ; ; ;E ; F F \ 9 ; ; ;E ; F F \ 9 ; ; ;E ;M F F > \ 9 ; ; ;E ;M F F > \ 9 ; ; ;E ; F F \ 9 ; ; ;E ; F F \ 9 ; ; ;E ;M F F > \ 9 ; ;( ;E ; F F ? ? \ 9 ; ;0 ;E ; F F ? ? \ 9 ; ; ;E ; F F \ 9 ; ;0 ;E ; F F ? ? \ 9 ;  ;R ; E ;  F  F  ? ? \ 9 ; ; ;E ; F F \ 9 ; ; ;E ; F F ? ? \ 9 ; ; ; E ;! F" F# ?$ ?% \ 9& ;' ; ;(E ;M F) F* > \ 9+ ;, ; ;-E ;. F/ F0 ?1 \ 92 ;3 ; ;4E ;M F5 F6 > \ 97 ;8 ; ;9E ;M F: F; > \ 9< ;= ;( ;>E ;? F@ FA ?B ?C \ 9D ;E ; ;E ;F FG FH \ 9I ;J ; ;KE ;L FM FN \ 9O ;P ;( ;QE ;R FS FT ?U ?V \ 9W ;X ; ;E ;Y FZ F[ \ 9\ ;] ;^ ;_E ;` Fa Fb ?c ?d \Dlvvvvvvvvvvvv 9e ;f ; ;gE ;M Fh Fi > \ 9j ;k ; ;lE ;M Fm Fn > \ 9o ;p ; ;qE ;r Fs Ft ?u ?v \ 9w ;x ;( ;yE ;z F{ F| ?} ?~ \ 9 ; ; ;KE ; FM FN \ 9 ; ;( ;E ; F F ? ? \ 9 ; ; ;E ; F F \ 9 G ;h ;E ; F F ? ? \ 9 ; ; ;E ; F" F# \ 9 ; ; ;E ;M F F > \ 9 ; ;( ;E ; F F ? ? \ 9 ; ; ;E ;M F F > \ 9 ; ;( ;E ; F F ? ? \ 9 ; ; ;E ; F F \ 9 ; ;_ ;E ;M F F > \ 9 ; ;0 ;E ; F F ? ? \ 9 ; ;0 ;E ; F F ? ? \ 9 ; ;( ;E ; F F ? \ 9 ; ;( ;E ; F F ? ? \ 9 ; ; ;E ;M F F > \ 9 ; ; ;E ; F F \ 9 ; ; ;E ;M F F > \ 9 ; ; ;E ; F F ? ? \ 9 ; ; ;E ; F F ? ? \ 9 ; ;0 ;E ; F F ? ? \ 9 ; ; ;E ;M F F \ 9 ; ;( ; E ;  F  F  ?  ? 
\ 9 ; ; ;E ;M F F > \ 9 ; ; ;E ;M F F > \ 9 ; ;( ;E ; F F ? ?  \ 9! ;" ; ;#E ;$ F% F& ?' ?( \ 9) ;* ; ;+E ; F, F- ?. \D~lvvvvvv      9/ ;0 ; ;1E ;2 F3 F4  ?5  ?6 \ 97 ;8 ;9 ;:E ;; F< F=  ?>  ?? \ 9@ ;A ;B ;CE ;D FE FF  ?G  ?H \ 9I ;J ;( ;KE ;L FM FN  ?O  ?P \ 9Q ;R ; ;SE ;M FT FU \ 9V ;W ; ;XE ;Y FZ F[  ?\  ?] \ 9^ ;_ ;0 ;`E ;a Fb Fc  ?d  ?e \ 9f ;g ;( ;hE ;i Fj Fk  ?l  ?m \ 9n ;o ; ;pE ;q Fr Fs \ 9t ;u ;( ;v E ;w Fx Fy  ?z  ?{  \ 9| ;} ;0 ;~ E ; F F  ?  ?  \ 9 ; ; ; E ; F F  \ 9 ; ;R ; E ; F F  ?  ?  \ 9 ; ;( ; E ; F F  ?  ?  \ 9 ; ; ;E ; F F \ 9 ; ; ;E ;M F F \ 9 ; ; ;E ; F F  ?  ? \ 9 ; ;0 ;E ; F F  ?  ? \ 9 ; ;( ;E ; F F  ?  ? \ 9 ; ; ;\E ; F^ F_ \ 9 ; ; ;E ; F F  ?  ? \ 9 ; ;, ;E ; F F  ?  ? \ 9 ; ;0 ;E ; F F  ?  ? \ 9 ; ; ;E ; F F  ?  ? \ I ; ; ;E F F \ I ; ; ;E ; F F \ 9 ; ; ;E ; F F \ 9 ; ; ;E ; F F \ 9 ; ;0 ;E ; F F  ?  ? \ 9 ; ;0 ;E ; F F  ?  ? \ 9 ; ; ;E ; F F \ 9 ; ;( ;E ; F F \Dblvvvvvvhvvvv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` -;( -;a-E -;b -Fc -Fd - ?e - ?f- \ .9g .;h .; .;i.E .;j .Fk .Fl. \ /9m /;n /; /;/E /;o /Fp /Fq/ \ 09r 0;s 0;( 0;t0E 0;u 0Fv 0Fw 0 ?x 0 ?y0 \ 19z 1;{ 1;0 1;|1E 1;} 1F~ 1F 1 ? 1 ?1 \ 29 2; 2;( 2;2E 2; 2F 2F 2 ? 2 ?2 \ 39 3; 3; 3;3E 3; 3F 3F 3 ? 3 ?3 \ 49 4; 4;0 4;4E 4; 4F 4F 4 ? 4 ?4 \ 59 5; 5; 5;5E 5; 5F 5F 5> 5 ? 5 ?5 \ 69 6; 6; 6;6E 6; 6F 6F 6 ? 6 ?6 \ 79 7; 7; 7;7E 7; 7F 7F7 \ 89 8; 8;0 8;8E 8; 8F 8F 8 ? 8 ?8 \ 99 9; 9; 9;9E 9; 9F 9F9 \ :9 :; :; :;:E :; :F :F : ? : ?: \ ;9 ;; ;; ;;;E ;; ;F ;F ; ? ; ?; \ <9 <; <; <;<E <; <F <F< \ =9 =; =;( =;=E =; =F =F = ? = ?= \ >9 >; >; >;>E >; >F >F> \ ?9 ?; ?; ?;?E ?; ?F ?F ? ? ? ?? \Dlvvvvvvvv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` VFa VFbV \ W9c W;d W;e W;fWE W;g WFh WFi W ?j W ?kW \ X9l X;m X; X;nXE X;o XFp XFq X ?r X ?sX \ Y9t Y;u Y; Y;vYE Y;M YFw YFx Y ?yY \ Z9z Z;{ Z; Z;|ZE Z;} ZF~ ZF Z ? Z ?Z \ [9 [; [; [;|[E [;} [F~ [F[ \ \9 \; \; \;|\E \;} \F~ \F\ \ ]9 ]; ]; ];|]E ];} ]F~ ]F] \ ^9 ^; ^; ^;^E ^; ^F ^F ^ ? 
^ ?^ \ _9 _; _; _;_E _; _F _F_ \Dlvvvvvhvhhhhvvvvvvvvvv`abcdefghijklmnopqrstuvwxyz{|}~ `9 `; `; `;`E `; `F `F` \ a9 a; a; a;aE a;M aF aFa \ b9 b; b; b;bE b; bF bF b ? b ?b \ c9 c; c; c;cE c; cF cFc \ d9 d; d; d;dE d; dF dFd \ e9 e; e; e;eE e; eF eFe \ f9 f; f; f;fE f; fFc fFdf \ g9 g; g;  g;gE g; gF gFg \ h9 h; h; h;hE h; hF hFh \ i9 i; i; i;iE i; iF iFi \ j9 j; j; j;jE j; jF' jF(j \ k9 k; k; k;kE k; kF kF k ? k ?k \ l9 l; l; l;lE l;M lF lFl \ m9 m; m; m;mE m; mF mFm \ n9 n; n;0 n;nE n; nF nF n ? n ?n \ o9 o; o;  o;oE o; oF oFo \ p9 p; p; p;pE p; pF pFp \ q9 q; q; q;qE q; qFa qFbq \ r9 r; r; r;rE r; rF rFr \ s9 s; s; s;sE s; sF sFs \ t9 t; t; t;tE t; tF tFt \ u9 u; u; u;uE u; uF, uF-u \ v9 v; v; v;vE v; vF vF v \ w9 w; w; w; wE w; wF wF w ? w ? w \ x9 x; x; x;xE x; xF xFx \ y9 y; y; y;yE y; yF yF y \ z9 z; z; z;zE z; zF zFz \ {9 {; {; {; {E {; {F {F { \ |9 |; |; |;|E |; |F |F | \ }9! };" }; };# }E };M }F$ }F% } ?& } ?' } \ ~9( ~;) ~; ~;~E ~;* ~F ~F~ \ 9+ ;, ; ;- E ;. F/ F0  ?1  ?2  \Dlvvvvvvvvvvvvvvvvvvvvvvvvvv 93 ;4 ; ;5 E ;6 F7 F8  ?9  ?:  \ 9; ;< ;0 ;= E ;> F? F@  \ 9A ;B ; ;E ;C FG FH \ 9D ;E ;0 ;F E ;G FH FI  ?J  \ 9K ;L ; ;M E ;N FO FP  \ 9Q ;R ; ;E ;S F F \ 9T ;U ;  ;V E ;W FX FY  \ 9Z ;[ ; ;\ E ;] F^ F_  ?`  ?a  \ 9b ;c ; ;d E ;e Ff Fg  ?h  ?i  \ 9j ;k ; ;l E ;m Fn Fo  \ 9p ;q ; ;E ;r FV FW \ 9s ;t ; ;E ;u Fv Fw  \ 9x ;y ; ;E ;M F F \ 9z ;{ ; ;E ;| Fv Fw  \ 9} ;~ ; ;E ; F F \ 9 ; ;0 ; E ; F F  ?  \ 9 ; ; ; E ; F F  \ 9 ; ; ;E ; F F \ 9 ; ; ;E ; Fp Fq \ 9 ; ; ; E ; F F  ?  ?  \ 9 ; ; ; E ; F F  \ 9 ; ; ; E ; F F  \ 9 ; ; ; E ; F F  \ 9 ; ; ;E ; FS FT \ 9 ; ; ; E ; F F  \ 9 ; ; ;E ;M F F \ 9 ; ; ; E ; F F  \ 9 ; ; ;E ; F F  \ 9 ; ; ;E ; FP FQ \ 9 ; ; ; E F F  ?  ?  \ I ; ; ; E ; F F  \ 9 ; ; ;E ; F F  \Dlvvvvvvvvvvvvvvvvvvvvvvvv 9 ; ; ; E ; F F  ?  ?  \ 9 ; ; ; E ;M F F  ?  \ 9 G ; ; E ; F F  \ 9 ; ; ; E ; F F  \ 9 ; ; ; E ; F F  \ 9 ; ; ;E ; F| F} \ 9 ; ; ;E ; F F  \ 9 ; ; ;E ; F F \ 9 ; ;0 ; E ; F F  ?  ?  
\ 9 ; ; ;E ; F F  \ 9 ; ; ;E ; F F \ 9 ; ; ;E ; F F \ 9 ; ; ;E ; F F \ 9 ; ; ;E ; FZ F[ \ 9 ; ; ;E ; F F \ 9 ; ; ; E ; F F  \ 9 ; ; ;E ; F F \ 9 ; ; ; E ;M F F  ?  ?  \ 9 ; ; ;E ; F! F"  \ 9# ;$ ; ;E ;% F F \ 9& ;' ; ;E ;( F! F"  \ 9) ;* ; ;E ;+ F, F-  \ 9. ;/ ; ;E ;0 F F \ 91 ;2 ; ;pE ;3 Fr Fs \ 94 ;5 ; ;E ;6 FX FY \ 97 ;8 ; ;E ;9 F F \ 9: ;; ; ;< E ;M F= F>  ??  ?@  \ 9A ;B ; ;E ;C F F  \ 9D ;E ; ;F E ;G FH FI  ?J  ?K  \ 9L ;M ; ;N E ;O FP FQ  \ 9R ;S ; ;T E ;U FV FW  ?X  ?Y  \ 9Z ;[ ;3 ;T E FV FW  \Dlvvvvvvvvvvvvvvvvvvvvvvvv 9\ ;] ;^ ;T E FV FW  \ 9_ ;` ; ;E ;a F F \ 9b ;c ;0 ;d E ;e Ff Fg  \ 9h ;i ; ;j E ;k Fl Fm  ?n  \ 9o ;p ; ;SE ;M FT FU \ 9q ;r ; ;"E ;s F$ F% \ 9t ;u ; ;E ;v F, F-  \ 9w ;x ; ;y E ;z  \ 9{ ;| ; ;} E ;~  \ 9 ; ; ; E ;  \ 9 ; ; ; E ;  \ 9 ; ; ; E ;  \ 9 ; ; ; E ;  \ 9 ; ; ; E ;  \ 9 ; ; ; E ;  \ 9 ; ; ; E ;  \ 9 ; ; ; E ;  \ 9 ; ; ; E ;  \ 9 ; ; ; E ;  \ 9 ; ; ; E ;  \ 9 ; ; ; E ;  \ 9 ; ; ; E  ?  ?  \ 9 ; ; ; E \ 9 ; ; ; E \ 9 ; ; ; E \ 9 ; ; ; E  ?  ?  \ 9 ; ; ; E \ 9 ; ; ; E \ 9 ; ; ; E \ 9 ; ; ; E  ?  ?  \ 9 ; ; ; E  ?  ?  \ 9 ; ; ; E \DZlhvvvvvZZZZZZZZZZZZZZhLLLhLLLhh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` ;a ; ;b E  ?c  \ 9d ;e ; ;f E  ?g  ?h  \ 9i ;j ;k ;l E  ?m  ?n  \DvlhhhhhhhLLLLLLhhhhhhhLLhLhhhhhZh       9o ;p ; ;q E  ?r  ?s  \ 9t ;u ; ;v E  ?w  ?x  \ 9y ;z ; ;{ E  ?|  ?}  \ 9~ ; ; ; E  ?  ?  \ 9 ; ; ; E  ?  ?  \ 9 ; ; ; E \ 9 ; ; ; E \ 9 ; ; ; E \ 9 ; ; ; E \ 9 ; ; ;  E  \ 9 ; ; ;  E  \ 9 ; ; ;  E  ?  ?   \ 9 ; ; ;  E  ?  ?   \ 9 ; ; ;  E  ?  ?   \ 9 ; ; ; E  ?  ?  \ 9 ; ; ; E  ?  ?  \ 9 ; ; ; E  ?  ?  \ 9 ; ; ; E  ?  ?  \ 9 ; ; ; E  ?  ?  \ 9 ; ; ; E  ?  ?  \ 9 ; ; ; E  ?  ?  \ 9 ; ; ; E  ?  ?  \ 9 ; ; ; E  ?  ?  \ 9 ; ; ; E  ?  ?  \ 9 ; ; ; E  ?  ?  \ 9 ; ; ; E \ 9 ; ; ; E  ?  ?  \ 9 ; ; ; E  ?  ?  \ 9 ; ; ; E  ?  ?  \ 9 ; ; ; E  ?  ?  \ 9 ; ; ; E  ?  ?  \ 9 ; ; ; E  ?  ?  
\DlhhhhhLLLLLLhhhhhhhhhhhhhhLhhhhh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` 1;a 1;C 1;b 1E1 \ 29c 2;d 2;C 2;e 2E2 \ 39f 3;g 3;C 3;h 3E3 \ 49i 4Jj 4; 4;k 4E;==>??@@\ 59l 5Km 5E5 \ 69n 6Go 6E6 \ 79p 7Gq 7;C 7;r 7E7 \ 89s 8Gt 8E8 \ 99u 9Gv 9;C 9;w 9E9 \ :9x :Gy :E: \ ;9z ;G{ ;E; \ <9| <G} <;C <;~ <E< \ =9 =G =E= \ >9 >G >E> \ ?9 ?G ?E? \D lhhhhhhhhhhhhhhhhhLLLR00L0L00L00@A BCDEFGHIJKL MNOPQRSTU VWXYZ[\]^_ @9 @G @E@ \ A9 AG AEA \ B9 BG B;C B; BEB \ C9 CG C;C C; CEC \ D9 DG D;C D; DED \ E9 EG E;C E; EEE \ F9 FG FEF \ G9 GG GEG \ H9 HG H;C H; HEH \ I9 IG IEI \ J9 JG J;C J; JEJ \ K9 KG K;C K; KEK \ L9 LL LEL \ M9 ML M; MEM \ N9 NL N; NEN \ O9 OL O; OEO \ P9 PL P; PEP \ Q9 QG Q;C Q; QEQ \ R9 RL R; RER \ S9 SL S; SES \ T9 TL T; TET \ U9 UL UEU \ V9 VL V; VEV \ W9 WL W; WEW \ X9 X; XEX \ Y9 Y9 YEY \ Z9 Z9 ZEZ \ [U [M [N [N [O [ P [ P [ \ \V \Q \R \R \E \ S \ S \ \ ]V ]Q ]R ]R ]E ] P ] P ] \ ^V ^Q ^R ^R ^E ^ S ^ S ^ \ _V _Q _R _R _E _ P _ P _ \D l00LLLL00L0LL0>>>>L>>>0>>000hhhh`abcdef `V `Q `R `R `E ` S ` S ` \ aV aQ aR aR aE a P a P a \ bZ bD bD bT b> b ? b P b P b \ cZ cD cD cT c> c ? c P c P c \ d[ dW dX dX d Y e[ eW eX eX e Y f[ fW fX fX f Y "xhhzzFF>@dPRA ggD Oh+'0@H\p  Sain, Joe Sain, JoeMicrosoft Excel@L#w@5՜.+,0 PXx  The MITRE Corporation win7  Worksheets  !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~      !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~      !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~      !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~      !"#$%Root Entry FZ5Workbook*SummaryInformation(DocumentSummaryInformation8