Outline CCE Id CCE Description
CCE-25
CCE-899
CCE-727
CCE-211
CCE-39
CCE-83
CCE Parameters
File & Registry Permissions & Auditing
File & Registry Auditing
The required auditing for %SystemDrive% directory should be enabled.
(1) set of accounts (2) events to audit (3) applicability
The required auditing for the registry key HKEY_LOCAL_MACHINE\SOFTWARE should be enabled.
(1) set of accounts (2) events to audit (3) applicability
The required auditing for the registry key HKEY_LOCAL_MACHINE\SYSTEM should be enabled.
(1) set of accounts (2) events to audit (3) applicability
File Permissions
The required permissions for the directory %ALL% should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the directory %AllUsersProfile% should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the directory %AllUsersProfile%\Application Data should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
CCE-854
CCE-783
CCE-713
CCE-387
CCE-527
CCE-686
CCE-3
The required permissions for the directory %AllUsersProfile%\Application Data\Microsoft should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the directory %AllUsersProfile%\Application Data\Microsoft\Crypto\DSSHKLMKeys should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the directory %AllUsersProfile%\Application Data\Microsoft\Crypto\RSAHKLMKeys should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the directory %AllUsersProfile%\Application Data\Microsoft\Dr Watson should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the directory %AllUsersProfile%\Application Data\Microsoft\Dr Watson\drwtsn32.log should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the directory %AllUsersProfile%\Application Data\Microsoft\HTML Help should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the directory %AllUsersProfile%\Application Data\Microsoft\MediaIndex should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
CCE-356
CCE-85
CCE-24
CCE-570
CCE-204
CCE-411
CCE-816
CCE-746
CCE-987
The required permissions for the directory %AllUsersProfile%\Documents\desktop.ini should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the directory %AllUsersProfile%\DRM should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the directory %ProgramFiles% should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the directory %ProgramFiles%\Resource Kit should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the directory %ProgramFiles%\Resource Pro Kit should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the directory %SystemDrive% should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the file %SystemDrive%\AUTOEXEC.BAT should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the file %SystemDrive%\BOOT.INI should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the file %SystemDrive%\CONFIG.SYS should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
CCE-419
CCE-120
CCE-181
CCE-868
CCE-776
The required permissions for the file %SystemDrive%\Documents and Settings should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the directory %SystemDrive%\Documents and Settings\Administrator should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the directory %SystemDrive%\Documents and Settings\All Users should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the directory %SystemDrive%\Documents and Settings\All Users\Documents\DrWatson should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the file %SystemDrive%\Documents and Settings\All Users\Documents\DrWatson\drwtsn32.log should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
CCE-714
CCE-540
CCE-602
CCE-399
CCE-192
CCE-561
CCE-755
CCE-341
CCE-971
The required permissions for the directory %SystemDrive%\Documents and Settings\Default User should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the file %SystemDrive%\IO.SYS should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the file %SystemDrive%\MSDOS.SYS should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the file %SystemDrive%\NTBOOTDD.SYS should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the file %SystemDrive%\NTDETECT.COM should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the file %SystemDrive%\NTLDR should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the directory %SystemDrive%\Temp should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the directory %SystemDrive%\My Download Files should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the file %SystemDrive%\System Volume Information should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
CCE-645
CCE-579
CCE-505
CCE-640
CCE-328
CCE-134
CCE-293
The required permissions for the directory %SystemRoot% should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the directory %SystemRoot%\Driver Cache\I386\Driver.cab should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the directory %SystemRoot%\$NtServicePackUninstall$ should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the directory %SystemRoot%\$NtServicePackUninstall$ should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for any of the %SystemRoot%\$NtUninstall* directories should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the directory %SystemRoot%\CSC should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the directory %SystemRoot%\Debug should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
CCE-94
CCE-152
CCE-482
CCE-147
CCE-737
CCE-795
CCE-248
CCE-398
The required permissions for the directory %SystemRoot%\Debug\UserMode should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the directory %SystemRoot%\Debug\UserMode\userenv.log should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the file %SystemRoot%\Installer should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the file %SystemRoot%\Offline Web Pages should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the file %SystemRoot%\Prefetch should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the file %SystemRoot%\regedit.exe should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the directory %SystemDrive%\NTDS should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the directory %SystemRoot%\Offline Web Pages should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
CCE-155
CCE-323
CCE-873
CCE-67
CCE-979
CCE-701
CCE-380
CCE-45
CCE-600
The required permissions for the directory %SystemRoot%\Registration should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the directory %SystemRoot%\Registration\CRMLog should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the directory %SystemRoot%\repair should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the directory %SystemRoot%\security should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the directory %SystemRoot%\SYSVOL should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the directory %SystemRoot%\SYSVOL\domain\Policies should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the directory %SystemRoot%\Temp should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the directory %SystemRoot%\System32 should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the directory %SystemRoot%\System32\arp.exe should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
CCE-393
CCE-166
CCE-977
CCE-272
CCE-994
CCE-170
CCE-197
CCE-765
CCE-334
CCE-201
The required permissions for the file %SystemRoot%\System32\at.exe should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the file %SystemRoot%\System32\attrib.exe should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the file %SystemRoot%\System32\cacls.exe should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the file %SystemRoot%\System32\ciadv.msc should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the file %SystemRoot%\System32\Com\comexp.msc should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the file %SystemRoot%\System32\compmgmt.msc should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the file %SystemRoot%\System32\CONFIG should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the file %SystemRoot%\System32\CONFIG\AppEvent.evt should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the file %SystemRoot%\System32\CONFIG\*.evt should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the file %SystemRoot%\System32\debug.exe should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
CCE-386
CCE-941
CCE-981
CCE-350
CCE-403
CCE-972
CCE-20
CCE-489
CCE-917
CCE-846
The required permissions for the file %SystemRoot%\System32\devmgmt.msc should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the file %SystemRoot%\System32\dfrg.msc should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the file %SystemRoot%\System32\diskmgmt.msc should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the directory %SystemRoot%\System32\dllcache should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the file %SystemRoot%\System32\drwatson.exe should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the file %SystemRoot%\System32\drwtsn32.exe should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the file %SystemRoot%\System32\edlin.exe should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the file %SystemRoot%\System32\eventcreate.exe should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the file %SystemRoot%\System32\eventtriggers.exe should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the file %SystemRoot%\System32\eventvwr.msc should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
CCE-529
CCE-264
CCE-819
CCE-361
CCE-789
CCE-894
CCE-198
CCE-634
The required permissions for the file %SystemRoot%\System32\fsmgmt.msc should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the file %SystemRoot%\System32\ftp.exe should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the file %SystemRoot%\System32\gpedit.msc should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the directory %SystemRoot%\System32\DTCLog should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the directory %SystemRoot%\System32\GroupPolicy should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the directory %SystemRoot%\System32\ias should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the directory %SystemRoot%\System32\lusrmgr.msg should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the directory %SystemRoot%\System32\MSDTC should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
CCE-550
CCE-731
CCE-607
CCE-158
CCE-220
CCE-242
CCE-821
CCE-486
CCE-548
The required permissions for the file %SystemRoot%\System32\nbstat.exe should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the file %SystemRoot%\System32\net.exe should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the file %SystemRoot%\System32\net1.exe should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the file %SystemRoot%\System32\netsh.exe should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the file %SystemRoot%\System32\netstat.exe should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the file %SystemRoot%\System32\nslookup.exe should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the file %SystemRoot%\System32\Ntbackup.exe should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the directory %SystemRoot%\System32\NTMSData should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the file %SystemRoot%\System32\ntmsoprq.msc should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
CCE-715
CCE-151
CCE-997
CCE-547
CCE-865
CCE-543
CCE-657
CCE-89
CCE-274
The required permissions for the file %SystemRoot%\System32\ntmsmgr.msc should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the file %SystemRoot%\System32\perfmon.msc should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the file %SystemRoot%\System32\Rcp.exe should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the file %SystemRoot%\System32\reg.exe should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the file %SystemRoot%\System32\Regedt32.exe should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the file %SystemRoot%\System32\regini.exe should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the file %SystemRoot%\System32\regsvr32.exe should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the directory %SystemRoot%\system32\ReinstallBackups should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the file %SystemRoot%\System32\Rexec.exe should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
CCE-168
CCE-353
CCE-27
CCE-340
CCE-516
CCE-922
CCE-847
CCE-904
CCE-587
The required permissions for the file %SystemRoot%\System32\route.exe should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the file %SystemRoot%\System32\Rsh.exe should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the file %SystemRoot%\System32\RSoP.msc should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the file %SystemRoot%\System32\runas.exe should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the file %SystemRoot%\System32\sc.exe should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the file %SystemRoot%\System32\Secedit.exe should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the file %SystemRoot%\System32\secpol.msc should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the file %SystemRoot%\System32\services.msc should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the directory %SystemRoot%\System32\Setup should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
CCE-326
CCE-357
CCE-291
CCE-692
CCE-921
CCE-225
CCE-159
CCE-348
The required permissions for the directory %SystemRoot%\System32\repl should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the directory %SystemRoot%\System32\repl\export should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the directory %SystemRoot%\System32\repl\import should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the directory %SystemRoot%\System32\spool\Printers should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the file %SystemRoot%\System32\subst.exe should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the file %SystemRoot%\System32\systeminfo.exe should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the file %SystemRoot%\System32\telnet.exe should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the file %SystemRoot%\System32\tftp.exe should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
CCE-718
CCE-154
CCE-322
CCE-864
CCE-364
CCE-46
CCE-447
CCE-760
The required permissions for the file %SystemRoot%\System32\tlntsvr.exe should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the file %SystemRoot%\System32\wmimgmt.msc should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the directory %SystemRoot%\Tasks should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the directory %ALL%\Program Files\MQSeries should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the directory %ALL%\Program Files\MQSeries\qmggr should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the directory %SystemDrive%\Documents and Settings\All Users\Application Data\Microsoft\HTML Help ACL should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the directory %SystemDrive%\WINNT\SECURITY\Database\SECEDIT.SDB ACL should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
Registry Permissions
The required permissions for the registry key HKEY_CLASSES_ROOT should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
CCE-813
CCE-279
CCE-843
CCE-253
CCE-59
CCE-90
CCE-477
The required permissions for the registry key HKEY_LOCAL_MACHINE should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the registry key HKEY_LOCAL_MACHINE\SOFTWARE should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Regfile\Shell\Open\Command should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography/Calais should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSDTC should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSDTC\Security\XAKey should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
CCE-394
CCE-826
CCE-240
CCE-618
CCE-19
The required permissions for the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NetDDE should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\UPnP Device Host should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OS/2 Subsystem for NT should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Asr\Commands should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
CCE-363
CCE-790
CCE-268
CCE-321
CCE-131
CCE-34
The required permissions for the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SeCEdit should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ratings should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Telephony should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
CCE-135
CCE-558
CCE-867
CCE-545
CCE-289
CCE-465
CCE-254
The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\clone should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\controlset001 should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\controlset002 should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\controlset003 should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\controlset004 should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\controlset005 should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
CCE-606
CCE-694
CCE-500
CCE-809
CCE-99
CCE-837
CCE-9
The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\controlset006 should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\controlset007 should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\controlset008 should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\controlset009 should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\controlset010 should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
CCE-934
CCE-252
CCE-53
CCE-269
CCE-960
CCE-613
The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Subsystems should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Wmi\Security should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AppMgmt\Security should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
CCE-930
CCE-163
CCE-978
CCE-877
CCE-683
CCE-238
The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ClipSrv\Security should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CryptSvc\Security should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNSCache should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Ersvc\Security should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IRENUM\Security should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
CCE-101
CCE-788
CCE-823
CCE-246
CCE-902
CCE-193
The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netbt should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netdd\Security should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netddedsdm\Security should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Rpcss\Security should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Samss\Security should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
CCE-110
CCE-661
CCE-330
CCE-594
CCE-35
CCE-290
The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Scarddrv\Security should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Scardsvr\Security should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\PermittedManagers should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\ValidCommunities should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Stisvc\Security should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SysmonLog\Log Queries should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
CCE-202
CCE-603
CCE-748
CCE-907
CCE-127
CCE-483
CCE-796
The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tapisrv\Security should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32time\Security should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Wmi\Security should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the registry key HKEY_USERS\.DEFAULT should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the registry key HKEY_USERS\.DEFAULT\Software\Microsoft\NetDDE should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the registry key HKEY_USERS\.DEFAULT\Software\Microsoft\Protected Storage System Provider should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
CCE-845
CCE-730
User Rights
CCE-898 (1) set of accounts
CCE-532 (1) set of accounts
CCE-162 (1) set of accounts
CCE-931 (1) set of accounts
CCE-376 (1) set of accounts
The required permissions for the registry key HKEY_CLASSES_ROOT should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the registry key HKEY_USERS\.DEFAULT\Software\Microsoft\SystemCertificates\Root\ProtectedRoots should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The "deny access to this computer from the network" user right should be assigned to the correct accounts.
The "access this computer from the network" user right should be assigned to the correct accounts.
The "act as part of the operating system" user right should be assigned to the correct accounts.
The "back up files and directories" user right should be assigned to the correct accounts.
The "bypass traverse checking" user right should be assigned to the correct accounts.
CCE-799 (1) set of accounts
CCE-895 (1) set of accounts
CCE-926 (1) set of accounts
CCE-335 (1) set of accounts
CCE-842 (1) set of accounts
CCE-754 (1) set of accounts
CCE-939 (1) set of accounts
CCE-807 (1) set of accounts
The "change the system time" user right should be assigned to the correct accounts.
The "create a pagefile" user right should be assigned to the correct accounts.
The "Create a token object" user right should be assigned to the correct accounts.
The "create permanent shared objects" user right should be assigned to the correct accounts.
The "debug programs" user right should be assigned to the correct accounts.
The "force shutdown from a remote system" user right should be assigned to the correct accounts.
The "generate security audits" user right should be assigned to the correct accounts.
The "adjust memory quotas for a process" user right should be assigned to the correct accounts.
CCE-349 (1) set of accounts
CCE-860 (1) set of accounts
CCE-749 (1) set of accounts
CCE-177 (1) set of accounts
CCE-216 (1) set of accounts
CCE-965 (1) set of accounts
CCE-850 (1) set of accounts
CCE-17 (1) set of accounts
The "increase scheduling priority" user right should be assigned to the correct accounts.
The "load and unload device drivers" user right should be assigned to the correct accounts.
The "lock pages in memory" user right should be assigned to the correct accounts.
The "log on as a batch job" user right should be assigned to the correct accounts.
The "log on as a service" user right should be assigned to the correct accounts.
The "log on locally" user right should be assigned to the correct accounts.
The "manage auditing and security log" user right should be assigned to the correct accounts.
The "modify firmware environment values" user right should be assigned to the correct accounts.
CCE-260 (1) set of accounts
CCE-599 (1) set of accounts
CCE-656 (1) set of accounts
CCE-667 (1) set of accounts
CCE-553 (1) set of accounts
CCE-839 (1) set of accounts
CCE-492 (1) set of accounts
The "profile single process" user right should be assigned to the correct accounts.
The "profile system performance" user right should be assigned to the correct accounts.
The "remove computer from docking station" user right should be assigned to the correct accounts.
The "replace a process-level token" user right should be assigned to the correct accounts.
The "restore files and directories" user right should be assigned to the correct accounts.
The "shut down the system" user right should be assigned to the correct accounts.
The "take ownership of files or other objects" user right should be assigned to the correct accounts.
CCE-381 (1) set of accounts
CCE-64 (1) set of accounts
CCE-15 (1) set of accounts
CCE-183 (1) set of accounts
CCE-883 (1) set of accounts
CCE-165 (1) set of accounts
CCE-597 (1) set of accounts
The "synchronize directory service data" user right should be assigned to the correct accounts.
The "deny logon locally" user right should be assigned to the correct accounts.
The "enable computer and user accounts to be trusted for delegation" user right should be assigned to the correct accounts.
The "add workstations to domain" user right should be assigned to the correct accounts.
The "allow logon through Terminal Services" user right should be assigned to the correct accounts.
The "deny logon as a batch job" user right should be assigned to the correct accounts.
The "deny logon as a service" user right should be assigned to the correct accounts.
CCE-108 (1) set of accounts
CCE-314 (1) set of accounts
CCE-733
CCE-980
CCE-658
Audit Policy
CCE-315
CCE-2628 enabled/disabled
The "deny logon through Terminal Services" user right should be assigned to the correct accounts.
The "perform volume maintenance tasks" user right should be assigned to the correct accounts.
Auditing and Account Policies
Account Lockout Policy
The "reset account lockout counter after" policy should meet minimum requirements.
(1) number of minutes
The "account lockout duration" policy should meet minimum requirements.
(1) number of minutes
The "account lockout threshold" policy should meet minimum requirements.
(1) number of attempts
DEPRECATED in favor of CCE-2628, CCE-2543.
Auditing of "account logon" events on success should be enabled or disabled as appropriate.
CCE-2543 enabled/disabled
CCE-596
CCE-2000 enabled/disabled
CCE-1646 enabled/disabled
CCE-10
CCE-2118 enabled/disabled
CCE-2390 enabled/disabled
CCE-429
CCE-1686 enabled/disabled
CCE-1744 enabled/disabled
CCE-812
Auditing of "account logon" events on failure should be enabled or disabled as appropriate.
DEPRECATED in favor of CCE-2000, CCE-1646.
Auditing of "account management" events on success should be enabled or disabled as appropriate.
Auditing of "account management" events on failure should be enabled or disabled as appropriate.
DEPRECATED in favor of CCE-2118, CCE-2390.
Auditing of "directory service access" events on success should be enabled or disabled as appropriate.
Auditing of "directory service access" events on failure should be enabled or disabled as appropriate.
DEPRECATED in favor of CCE-1686, CCE-1744.
Auditing of "logon" events on success should be enabled or disabled as appropriate.
Auditing of "logon" events on failure should be enabled or disabled as appropriate.
DEPRECATED in favor of CCE-2640, CCE-1991.
CCE-2640 enabled/disabled
CCE-1991 enabled/disabled
CCE-966
CCE-2412 enabled/disabled
CCE-2347 enabled/disabled
CCE-874
CCE-2431 enabled/disabled
CCE-2584 enabled/disabled
CCE-169 DEPRECATED.
CCE-8
CCE-2529 enabled/disabled
CCE-2617 enabled/disabled
Auditing of "object access" events on success should be enabled or disabled as appropriate.
Auditing of "object access" events on failure should be enabled or disabled as appropriate.
DEPRECATED in favor of CCE-2412, CCE-2347.
Auditing of "policy change" events on success should be enabled or disabled as appropriate.
Auditing of "policy change" events on failure should be enabled or disabled as appropriate.
DEPRECATED in favor of CCE-2431, CCE-2584.
Auditing of "privilege use" events on success should be enabled or disabled as appropriate.
Auditing of "privilege use" events on failure should be enabled or disabled as appropriate.
DEPRECATED in favor of CCE-2529, CCE-2617.
Auditing of "process tracking" events on success should be enabled or disabled as appropriate.
Auditing of "process tracking" events on failure should be enabled or disabled as appropriate.
CCE-149
CCE-2420 enabled/disabled
CCE-1680 enabled/disabled
CCE-396
CCE-916
CCE-475
CCE-141
CCE-299
CCE-185 (1) size of file
CCE-285 type of retention
DEPRECATED in favor of CCE-2420, CCE-1680.
Auditing of "system" events on success should be enabled or disabled as appropriate.
Auditing of "system" events on failure should be enabled or disabled as appropriate.
The "Allow System to be Shut Down Without Having to Log On" policy should be set correctly.
(1) enabled/disabled
The "Decoy Admin Account Not Disabled" policy should be set correctly.
(1) enabled/disabled
The "Confirm open after download" option should be properly set for all file types.
(1) file type (2) enabled/disabled
The Microsoft Script Runtime library, scrrun.dll, should be registered or not as appropriate.
(1) registered/unregistered
Event Log Settings
The "restrict guest access to application log" policy should be set correctly.
(1) enabled/disabled
The application log maximum size should be configured correctly.
The "when maximum log size is reached" property should be set correctly for the Application log.
CCE-951 (1) number of days
CCE-462
CCE-757 (1) size of file
CCE-523 type of retention
CCE-682 (1) number of days
CCE-726
CCE-735 (1) size of file
CCE-664 type of retention
If the Application log's retention method is set to "Overwrite events by days," an appropriate value should be set for the number of days' logs to keep.
The "restrict guest access to security log" policy should be set correctly.
(1) enabled/disabled
The security log maximum size should be configured correctly.
The "when maximum log size is reached" property should be set correctly for the Security log.
If the Security log's retention method is set to "Overwrite events by days," an appropriate value should be set for the number of days' logs to keep.
The "restrict guest access to system log" policy should be set correctly.
(1) enabled/disabled
The system log maximum size should be configured correctly.
The "when maximum log size is reached" property should be set correctly for the System log.
CCE-210 (1) number of days
CCE-871 (1) number of days
CCE-324 (1) number of days
CCE-100 (1) number of days
CCE-514
CCE-633
CCE-60
CCE-479
If the System log's retention method is set to "Overwrite events by days," an appropriate value should be set for the number of days' logs to keep.
Password Policy
The "maximum password age" policy should meet minimum requirements.
The "minimum password age" policy should meet minimum requirements.
The "minimum password length" policy should meet minimum requirements.
The correct password filtering DLL should be installed.
(1) file name (2) version (3) file size (4) file hash
The "password must meet complexity requirements" policy should be set correctly.
(1) enabled/disabled
The "enforce password history" policy should meet minimum requirements.
(1) number of passwords remembered
The "store password using reversible encryption for all users in the domain" policy should be set correctly.
(1) enabled/disabled
Available Network Services
Services Running
CCE-487
CCE-496
CCE-148
CCE-954
CCE-637
CCE-294
CCE-800
CCE-78
CCE-712
CCE-311
The startup type of the Alerter service should be correct.
(1) disabled/manual/automatic
The startup type of the Automatic Update service should be correct.
(1) disabled/manual/automatic
The startup type of the Background Intelligent Transfer Service (BITS) service should be correct.
(1) disabled/manual/automatic
The startup type of the ClipBook service should be correct.
(1) disabled/manual/automatic
DEPRECATED in favor of CCE-232.
The startup type of the Computer Browser service should be correct.
(1) disabled/manual/automatic
The startup type of the Fast User Switching service should be correct.
(1) disabled/manual/automatic
The startup type of the Fax service should be correct.
(1) disabled/manual/automatic
The startup type of the FTP Publishing service should be correct.
(1) disabled/manual/automatic
The startup type of the IIS Admin service should be correct.
(1) disabled/manual/automatic
CCE-738
CCE-729
CCE-650
CCE-408
CCE-232
CCE-857
CCE-267
CCE-663
The startup type of the Indexing service should be correct.
(1) disabled/manual/automatic
The startup type of the Messenger service should be correct.
(1) disabled/manual/automatic
The startup type of the .NET Framework service should be correct.
(1) disabled/manual/automatic
The startup type of the Net Logon service should be correct.
(1) disabled/manual/automatic
The startup type of the NetMeeting Remote Desktop Sharing service should be correct.
(1) disabled/manual/automatic
The startup type of the Print Services for Unix service should be correct.
(1) disabled/manual/automatic
The startup type of the Remote Access Auto connection Manager service should be correct.
(1) disabled/manual/automatic
The startup type of the Remote Desktop Help Session Manager service should be correct.
(1) disabled/manual/automatic
CCE-672
CCE-73
CCE-223
CCE-522
CCE-531
CCE-870
CCE-975
CCE-892
The startup type of the Internet Connection Sharing service should be correct.
(1) disabled/manual/automatic
The startup type of the Remote Registry service should be correct.
(1) disabled/manual/automatic
The startup type of the Routing and Remote Access service should be correct.
(1) disabled/manual/automatic
The startup type of the Remote Shell service should be correct.
(1) disabled/manual/automatic
The startup type of the Simple TCP/IP service should be correct.
(1) disabled/manual/automatic
The startup type of the Simple Mail Transport Protocol (SMTP) service should be correct.
(1) disabled/manual/automatic
The startup type of the SNMP Service service should be correct.
(1) disabled/manual/automatic
The startup type of the SNMP Trap Service service should be correct.
(1) disabled/manual/automatic
CCE-940
CCE-40
CCE-75
CCE-974
CCE-608
CCE-758
CCE-559
CCE-445
CCE-115
The startup type of the SSDP Discovery service should be correct.
(1) disabled/manual/automatic
The startup type of the Task Scheduler service should be correct.
(1) disabled/manual/automatic
The startup type of the Telnet service should be correct.
(1) disabled/manual/automatic
The startup type of the Terminal Services service should be correct.
(1) disabled/manual/automatic
The startup type of the Universal Plug and Play Device Host (UPnP) service should be correct.
(1) disabled/manual/automatic
The startup type of the World Wide Web Publishing service should be correct.
(1) disabled/manual/automatic
The startup type of the Automatic Update service should be correct.
(1) disabled/manual/automatic
The startup type of the Background Intelligent Transfer Service (BITS) service should be correct.
(1) disabled/manual/automatic
The startup type of the Print Services for Unix service should be correct.
(1) disabled/manual/automatic
Service Permissions
CCE-669
CCE-889
CCE-61
CCE-476
CCE-643
CCE-87
CCE-968
CCE-4
CCE-792
CCE-444
The correct service permissions for the Alerter service should be assigned.
(1) set of accounts (2) list of permissions
The correct service permissions for the Automatic Updates service should be assigned.
(1) set of accounts (2) list of permissions
The correct service permissions for the Background Intelligent Transfer service should be assigned.
(1) set of accounts (2) list of permissions
The correct service permissions for the ClipBook service should be assigned.
(1) set of accounts (2) list of permissions
The correct service permissions for the Computer Browser service should be assigned.
(1) set of accounts (2) list of permissions
The correct service permissions for the Fax service should be assigned.
(1) set of accounts (2) list of permissions
The correct service permissions for the File Shares service should be assigned.
(1) set of accounts (2) list of permissions
The correct service permissions for the FTP Publishing service should be assigned.
(1) set of accounts (2) list of permissions
The correct service permissions for the IIS Admin service should be assigned.
(1) set of accounts (2) list of permissions
The correct service permissions for the Indexing service should be assigned.
(1) set of accounts (2) list of permissions
CCE-79
CCE-497
CCE-21
CCE-109
CCE-157
CCE-915
CCE-219
CCE-779
CCE-426
CCE-56
The correct service permissions for the Messenger service should be assigned.
(1) set of accounts (2) list of permissions
The correct service permissions for the Net Logon service should be assigned.
(1) set of accounts (2) list of permissions
The correct service permissions for the NetMeeting service should be assigned.
(1) set of accounts (2) list of permissions
The correct service permissions for the Printer service should be assigned.
(1) set of accounts (2) list of permissions
The startup type of the Remote Access Auto connection Manager service should be correct.
(1) disabled/manual/automatic
The correct service permissions for the Remote Desktop Help Session Manager service should be assigned.
(1) set of accounts (2) list of permissions
The correct service permissions for the Remote Registry service should be assigned.
(1) set of accounts (2) list of permissions
The correct service permissions for the Routing and Remote Access service should be assigned.
(1) set of accounts (2) list of permissions
The correct service permissions for the SMTP service should be assigned.
(1) set of accounts (2) list of permissions
The correct service permissions for the SNMP service should be assigned.
(1) set of accounts (2) list of permissions
CCE-521
CCE-407
CCE-944
CCE-605
CCE-869
CCE-143
CCE-310
CCE-195
The correct service permissions for the SNMP Trap service should be assigned.
(1) set of accounts (2) list of permissions
The correct service permissions for the Task Scheduler service should be assigned.
(1) set of accounts (2) list of permissions
The correct service permissions for the Telnet service should be assigned.
(1) set of accounts (2) list of permissions
The correct service permissions for the Terminal Services service should be assigned.
(1) set of accounts (2) list of permissions
The correct service permissions for the Universal Plug and Play service should be assigned.
(1) set of accounts (2) list of permissions
The correct service permissions for the WWW Publishing service should be assigned.
(1) set of accounts (2) list of permissions
Security Settings
Major Security Settings
The "Additional restrictions for anonymous connections" policy should be set correctly.
(1) enabled/disabled
The behavior surrounding Anonymous users' ability to display lists of SAM accounts and shares should be correct.
(1) restricted/unrestricted
CCE-318
CCE-953
CCE-983
CCE-142
CCE-653
CCE-464
CCE-332
CCE-499
The behavior surrounding Anonymous users' ability to display lists of SAM accounts should be correct.
(1) restricted/unrestricted
The behavior surrounding Anonymous SID/Name translation should be correct.
(1) enabled/disabled
Minor Security Settings
Additional Registry Settings
The "Anonymous access to the application event log" policy should be set correctly.
(1) exist/not exist (2) enabled/disabled
The "Anonymous access to the system event log" policy should be set correctly.
(1) exist/not exist (2) enabled/disabled
The "Anonymous access to the security event log" policy should be set correctly.
(1) exist/not exist (2) enabled/disabled
The "Anonymous access to the registry" policy should be set correctly.
(1) enabled/disabled
Use of the built-in Guest account should be enabled or disabled as appropriate.
(1) enabled/disabled
Use of the built-in Administrator account should be enabled or disabled as appropriate.
(1) enabled/disabled
CCE-23 (1) text caption
CCE-829 (1) text statement
CCE-512
CCE-243
CCE-283
The "Message title for users attempting to log on" policy should be set correctly.
The "Message text for users attempting to log on" policy should be set correctly.
Administrative Shares should be properly configured.
(1) allowed/removed
Automatic Execution of the System Debugger should be properly configured.
(1) enabled/disabled
Automatic Logon should be properly configured.
(1) enabled/disabled
CCE-137
CCE-44
CCE-36
CCE-820
CCE-344
CCE-282 (1) enabled/ignored
CCE-150 (1) enabled/ignored
Automatic Reboot After System Crash should be properly configured.
(1) enabled/disabled
Autoplay on all Drive Types should be properly configured.
(1) enabled/disabled
Autoplay for Current User should be properly configured.
(1) enabled/disabled
Autoplay for Default User should be properly configured.
(1) enabled/disabled
CD-ROM Autorun should be properly configured.
(1) enabled/disabled
Computer Browser ResetBrowser Frames should be properly configured.
ICMP Redirects should be properly configured.
CCE-564
CCE-952
CCE-501
CCE-536
CCE-65
CCE-544
CCE-580
IP Source Routing should be properly configured.
(1) enabled/disabled
IRDP should be properly configured.
(1) enabled/disabled
Kerberos and RSVP Traffic Protected by IPSec should be properly configured.
(1) enabled/disabled
Dr. Watson Crash Dumps should be properly configured.
(1) enabled/disabled
Display Last User Name in Logon Screen should be properly configured.
(1) enabled/disabled
File System Checker and Popups should be properly configured.
(1) enabled/disabled
System File Checker should be properly configured.
(1) enabled/disabled
CCE-236 (1) visible/invisible
CCE-139 (1) available/hidden
CCE-897
CCE-188
CCE-333
CCE-751
System File Checker Progress Meter should be properly configured.
System availability to Master Browser should be properly configured.
TCP/IP Dead Gateway Detection should be properly configured.
(1) enabled/disabled
The TCP/IP KeepAlive Time should be set correctly.
(1) number of milliseconds
The permitted number of TCP/IP Maximum Half-open Sockets should be set correctly.
(1) number of sockets
The permitted number of TCP/IP Maximum Retried Half-open Sockets should be set correctly.
(1) number of sockets
CCE-817
CCE-998
CCE-284
CCE-112 (1) security level
CCE-125 (1) warning level
CCE-156
CCE-601
TCP/IP NetBIOS Name Release on Request Prevented should be properly configured.
(1) enabled/disabled
TCP/IP PMTU Discovery should be properly configured.
(1) enabled/disabled
TCP/IP SYN Flood Attack Protection should be properly configured.
(1) enabled/disabled
Protect Kernel object attributes should be properly configured.
Security Audit log warning level should be properly configured.
Disable saving of dial-up passwords should be properly configured.
(1) enabled/disabled
The "Secure Channel: Digitally Encrypt Secure Channel Data (When Possible)" policy should be set correctly.
(1) enabled/disabled
CCE-614
CCE-130
CCE-271
CCE-707
CCE-213
CCE-231 (1) logon type
CCE-50
CCE-81
CCE-896
The "Secure Channel: Digitally Sign Secure Channel Data (When Possible)" policy should be set correctly.
(1) enabled/disabled
DEPRECATED in favor of CCE-92.
Safe DLL Search Mode should be properly configured.
(1) enabled/disabled
Always Wait for the Network at Computer Startup and Logon should be properly configured.
(1) enabled/disabled
Delete Roaming Cached Profiles should be properly configured.
(1) enabled/disabled
Use Classic Logon should be properly configured.
Background Refresh of Group Policy should be properly configured.
(1) enabled/disabled
Show Shared Internet Connection Access UI should be properly configured.
(1) enabled/disabled
Installation and Configuration of Network Bridge on the DNS Domain Network should be properly configured.
(1) enabled/disabled
CCE-574
CCE-358
CCE-257
CCE-438 (1) valid names
CCE-834 (1) valid names
CCE-222
CCE-2
CCE-905
Disallow Installation of Printers Using Kernel-mode Drivers should be properly configured.
(1) enabled/disabled
DEPRECATED in favor of CCE-156.
Security Options
The "Allow Server Operators to Schedule Tasks" policy should be set correctly.
(1) enabled/disabled
The built-in Administrator account should be correctly named.
The built-in Guest account should be correctly named.
The amount of idle time required before disconnecting a session should be set correctly.
(1) number of minutes
The "Audit the access of global system objects" policy should be set correctly.
(1) enabled/disabled
The "Audit the use of backup and restore privilege" policy should be set correctly.
(1) enabled/disabled
CCE-133
CCE-719
CCE-275
CCE-402
CCE-410
CCE-76
The "Disable CTRL+ALT+Delete Requirement for Logon" policy should be set correctly.
(1) enabled/disabled
The "LAN Manager Authentication Level" policy should be set correctly.
(1) authentication level
The "Send LanMan compatible password" setting should be configured correctly.
The "Prevent Users from Installing Printer Drivers" policy should be set correctly.
(1) enabled/disabled
The "Recovery Console: Allow Automatic Administrative Logon" policy should be set correctly.
(1) enabled/disabled
The "Recovery Console: Allow Floppy Copy and Access to All Drives and All Folders" policy should be set correctly.
(1) enabled/disabled
CCE-565
CCE-463
CCE-508
CCE-417
CCE-228
CCE-413 (1) behavior
CCE-307 (1) behavior
CCE-814
The "Restrict CD-ROM Access to Locally Logged-On User Only" policy should be set correctly.
(1) enabled/disabled
The "Restrict Floppy Access to Locally Logged-On User Only" policy should be set correctly.
(1) enabled/disabled
The "Strengthen Default Permissions of Global System Objects" policy should be set correctly.
(1) enabled/disabled
The "Secure Channel: Require Strong (Windows 2000 or later) Session Key" policy should be set correctly.
(1) enabled/disabled
The "Send Unencrypted Password to Connect to Third-Party SMB Servers" policy should be set correctly.
(1) enabled/disabled
The "Unsigned Driver Installation Behavior" policy should be set correctly.
The "Unsigned Non-Driver Installation Behavior" policy should be set correctly.
The "Users Prompted to Change Password Before Expiration" policy should be set correctly.
(1) number of days prior to expiration
CCE-92
CCE-224
CCE-360
CCE-422
CCE-576
CCE-519
CCE-171
CCE-104
The "Shut Down system immediately if unable to log security audits" policy should be set correctly.
(1) enabled/disabled
The "Allow System to be Shut Down Without Having to Log On" policy should be set correctly.
(1) enabled/disabled
The "Automatically Log Off Users When Logon Time Expires (local)" policy should be set correctly.
(1) enabled/disabled
The "Clear Virtual Memory Pagefile at shutdown" policy should be set correctly.
(1) enabled/disabled
The "Digitally Sign Client Communication (Always)" policy should be set correctly.
(1) enabled/disabled
The "Digitally Sign Client Communication (When Possible)" policy should be set correctly.
(1) enabled/disabled
The "Digitally Sign Server Communication (Always)" policy should be set correctly.
(1) enabled/disabled
The "Digitally Sign Server Communication (When Possible)" policy should be set correctly.
(1) enabled/disabled
CCE-773
CCE-919 (1) Group(s)
CCE-549
CCE-161
CCE-918
CCE-443 (1) behavior
CCE-831
CCE-368
The "Number of Previous Logons to Cache" policy should be set correctly.
(1) number of logons
The "Allowed to Format and Eject Removable NTFS Media" policy should be set correctly.
The "Secure Channel: Digitally Encrypt or Sign Secure Channel Data (Always)" policy should be set correctly.
(1) enabled/disabled
The "Secure Channel: Digitally Encrypt Secure Channel Data (When Possible)" policy should be set correctly.
(1) enabled/disabled
The "Secure Channel: Digitally Sign Secure Channel Data (When Possible)" policy should be set correctly.
(1) enabled/disabled
The "Smart Card Removal Behavior" policy should be set correctly.
The "Prevent System Maintenance of Computer Account Password" policy should be set correctly.
(1) enabled/disabled
The "System boot timeout" policy should be set correctly.
(1) number of seconds to wait
CCE-55
CCE-575
CCE-300
CCE-533
CCE-186
CCE-710
The "Use FIPS compliant algorithms for encryption, hashing, and signing" policy should be set correctly.
(1) enabled/disabled
The "Default owner for objects created by members of the Administrators group" policy should be set correctly.
(1) enabled/disabled
The "Require Case Insensitivity for Non-Windows Subsystems" policy should be set correctly.
(1) enabled/disabled
The "Limit local account use of blank passwords to console logon only" policy should be set correctly.
(1) enabled/disabled
The "Allow undock without having to logon" policy should be set correctly.
(1) enabled/disabled
The "LDAP server signing requirements" policy should be set correctly.
(1) enabled/disabled
CCE-732
CCE-490
CCE-194
CCE-374
CCE-278
CCE-542
The "LDAP client signing requirements" policy should be set correctly.
(1) enabled/disabled
The "Refuse machine account password change" policy should be set correctly.
(1) enabled/disabled
The "Maximum machine account password age" policy should be set correctly.
(1) enabled/disabled
The "Require Domain Controller authentication to unlock workstation" policy should be set correctly.
(1) enabled/disabled
The "Disconnect clients when logon hours expire" policy should be set correctly.
(1) enabled/disabled
The "Do not allow storage of credentials or .NET Passports" policy should be set correctly.
(1) enabled/disabled
CCE-18
CCE-136
CCE-189 (1) set of paths
CCE-942 (1) set of shares
CCE-343
The "Let Everyone permissions apply to anonymous users" policy should be set correctly.
(1) enabled/disabled
The "Named Pipes that can be accessed anonymously" policy should be set correctly.
(1) enabled/disabled
The "Remotely accessible registry paths" policy should be set correctly.
The "Shares that can be accessed anonymously" policy should be set correctly.
The "Sharing and security model for local accounts" policy should be set correctly.
(1) Classic/Guest only
CCE-233
CCE-775
CCE-674
CCE-766
CCE-621
CCE-546
Screensaver
The "Do not store LAN Manager hash value on next password change" policy should be set correctly.
(1) enabled/disabled
The "Force logoff when logon hours expire" policy should be set correctly.
(1) enabled/disabled
The "Minimum session security for NTLM SSP based clients" policy should be set correctly.
(1) enabled/disabled
The "Minimum session security for NTLM SSP based servers" policy should be set correctly.
(1) enabled/disabled
System Requirements – Other
Local volumes should be formatted correctly.
(1) type of formatting
Unused USB Ports should be enabled or disabled as appropriate.
(1) enabled/disabled
Application Registry Settings
CCE-764
CCE-830 (1) time in seconds
CCE-949
CCE-742
CCE-623
CCE-517 (1) time in seconds
CCE-433
CCE-103
CCE-54
The "Current user screensaver" policy should be set correctly.
(1) enabled/disabled
The "Current user screensaver timeout" policy should be set correctly.
The "Current user screensaver secure" policy should be set correctly.
(1) enabled/disabled
The "Current user screensaver active" policy should be set correctly.
(1) enabled/disabled
The "Default user screensaver" policy should be set correctly.
(1) enabled/disabled
The "Default user screensaver timeout" policy should be set correctly.
The "Default user screensaver secure" policy should be set correctly.
(1) enabled/disabled
The "Default user screensaver active" policy should be set correctly.
(1) enabled/disabled
The "Current user screensaver" policy should be set correctly.
(1) enabled/disabled
CCE-221 (1) time in seconds
CCE-235
CCE-287
CCE-688 (1) enabled/disabled
CCE-442 (1) enabled/disabled
CCE-468 (1) enabled/disabled
CCE-631
CCE-481
Installer
CCE-736
The "Current user screensaver timeout" policy should be set correctly.
The "Current user screensaver secure" policy should be set correctly.
(1) enabled/disabled
The "Current user screensaver active" policy should be set correctly.
(1) enabled/disabled
The "Hide Screen Saver tab" setting should be configured correctly.
The "password protect the screen saver" setting should be configured correctly.
The "Screen Saver" should be enabled or disabled as appropriate.
The "Screen Saver executable name" setting should be configured correctly.
(1) enabled/disabled (2) path to screensaver executable
The "Screen Saver timeout" should be set correctly.
(1) enabled/disabled (2) number of seconds
The "Always Install with Elevated Privileges" policy should be set correctly.
(1) enabled/disabled
CCE-261
CCE-415
CCE-794
CCE-107
CCE-256
CCE-662
CCE-424
CCE-455
CCE-124
The "Set Safe for Scripting" policy should be set correctly.
(1) enabled/disabled
The "Enable User Control Over Installs" policy should be set correctly.
(1) enabled/disabled
The "Enable User to Browse for Source While Elevated" policy should be set correctly.
(1) enabled/disabled
The "Enable User to Use Media Source While Elevated" policy should be set correctly.
(1) enabled/disabled
The "Allow Administrator to Install from Terminal Services Session" policy should be set correctly.
(1) enabled/disabled
The "Enable User to Patch Elevated Products" policy should be set correctly.
(1) enabled/disabled
The "Cache Transforms in Secure Location" policy should be set correctly.
(1) enabled/disabled
Windows Media Player
The "Disable Media Player for automatic updates" policy should be set correctly.
(1) enabled/disabled
The "Prevent Codec Download" policy should be set correctly for Windows Media Player.
(1) enabled/disabled
Windows Messenger
CCE-525
CCE-802
CCE-309
Task Scheduler
CCE-785
CCE-578
CCE-507
CCE-80
CCE-401
CCE-824
Internet access for Windows Messenger should be configured correctly.
(1) enabled/disabled
The "Do Not Allow Windows Messenger to be Run" policy should be set correctly.
(1) enabled/disabled
The "Do Not Automatically Start Windows Messenger" policy should be set correctly.
(1) enabled/disabled
The "Hide Property Pages" policy should be set correctly for the Task Scheduler.
(1) enabled/disabled
The "Prohibit New Task Creation" policy should be set correctly for the Task Scheduler.
(1) enabled/disabled
Terminal Services
The "Limit Users to One Remote Session" policy should be set correctly for Terminal Services.
(1) enabled/disabled
The "Limit Number of Connections" policy should be set correctly for Terminal Services.
(1) Maximum number of connections allowed
The "Do Not Allow New Client Connections" policy should be set correctly for Terminal Services.
(1) enabled/disabled
The "Do Not Allow Local Administrators to Customize Permissions" policy should be set correctly for Terminal Services.
(1) enabled/disabled
CCE-190
CCE-855
CCE-397 (1) encryption level
CCE-670
CCE-961
CCE-920
CCE-123
CCE-524
CCE-568
The "Remote Control Settings" policy should be set correctly for Terminal Services.
(1) enabled/disabled
The "Always Prompt Client for Password upon Connection" policy should be set correctly for Terminal Services.
(1) enabled/disabled
The "Set Client connection Encryption Level" policy should be set correctly for Terminal Services.
The "Do not Use Temp folders per Session" policy should be set correctly for Terminal Services.
(1) enabled/disabled
The "Do not Delete Temp folder on exit" policy should be set correctly for Terminal Services.
(1) enabled/disabled
The "Set time limit for disconnected sessions" policy should be set correctly for Terminal Services.
(1) Time Limit (minutes)
The "Set time limit for idle sessions" policy should be set correctly for Terminal Services.
(1) Time limit (minutes)
The "Allow Reconnection from Original Client Only" policy should be set correctly for Terminal Services.
(1) enabled/disabled
The "Terminate session when time limits are reached" policy should be set correctly for Terminal Services.
(1) enabled/disabled
CCE-705
CCE-859
CCE-434
PCHealth
CCE-592
Kerberos
CCE-227 -1
CCE-6 -1
CCE-37 -1
CCE-33 -1
CCE-588 -1
CCE-888
The "Enable Keep-Alive Messages" policy should be set correctly for Terminal Services.
(1) enabled/disabled
The "Allow Solicited Remote Assistance" policy should be set correctly for Terminal Services.
(1) enabled/disabled
The "Allow Unsolicited Remote Assistance" policy should be set correctly for Terminal Services.
(1) enabled/disabled
The "Enable Error Reporting" policy should be set correctly.
(1) enabled/disabled
The "Enforce user logon restrictions" policy should be set correctly.
The "Maximum Service Ticket Lifetime" policy should be set correctly.
The "Maximum User Ticket Lifetime" policy should be set correctly.
The "Maximum User Renewal Lifetime" policy should be set correctly.
The "Maximum tolerance for computer clock synchronization" policy should be set correctly.
Public Key Policies
The "Enroll certificates automatically" policy should be set correctly
CCE-627
CCE-513
CCE-676
CCE-63
CCE-628
CCE-777
Printers
CCE-367
CCE-420
CCE-526
Loopback
CCE-319
CCE-191
The "Renew expired certificates, update pending certificates, and remove revoked certificates" policy should be set correctly
The "Update certificates that use certificate templates" policy should be set correctly
The "Allow users to encrypt files using Encrypting File System (EFS)" policy should be set correctly.
The "Allow users to select new root certification authorities (CAs) to trust" policy should be set correctly.
The "Client computers can trust the following certificate stores" policy should be set correctly.
The "To perform certificate-based authentication of users and computers, CAs must meet the following criteria" policy should be set correctly.
The "Pre-populate printer search location text" setting should be configured correctly.
Removable Storage
Removable storage should have correct permissions set
Removable storage should have correct auditing set
The "User Group Policy loopback processing mode" should be set correctly
XP Service Pack 2
The delivery of XP Service Pack 2 should be set correctly.
SUS Client
CCE-861
CCE-244
CCE-306
CCE-566
CCE-989
CCE-1
CCE-456
CCE-641
CCE-778
CCE-804
CCE-932
CCE-82
The "Allow automatic updates immediate installation" should be set correctly
The "Automatic Updates detection frequency" should be set correctly
The "Configure Automatic Updates" should be set correctly
The "Delay Restart for scheduled installations" should be set correctly
The "Do not adjust default option to 'Install Updates and Shut Down' in Shut Down Windows dialog box" should be set correctly
The "Do not display 'Install Updates and Shut Down' option in Shut Down Windows dialog box" should be set correctly
The "Enable client-side targeting" should be set correctly
The "No auto-restart for scheduled Automatic Updates installations
The "Re-prompt for restart with scheduled installations" should be set correctly
The "Reschedule Automatic Updates scheduled installations" should be set correctly
The "Specify intranet Microsoft update service location" should be set correctly
Client Installation Wizard Options
The "Custom Setup" option should be set correctly for the Client Installation Wizard.
CCE-866
CCE-551
CCE-454
CCE-106
New for NIST
CCE-383
CCE-304
CCE-458
CCE-740
CCE-22
CCE-828
The "Restart Setup" option should be set correctly for the Client Installation Wizard.
The "Tools" option should be set correctly for the Client Installation Wizard.
Desktop/Active Directory
The "Maximum size of Active Directory searches" should be set correctly
MS Security Bulletin Login Script
The "Run logon scripts visible" setting should be set correctly.
The "Create global objects" user right should be assigned to the correct accounts.
The "Impersonate a client after authentication" user right should be assigned to the correct accounts.
The "DCOM: Machine access Restrictions in Security Descriptor Definition Language (SDDL) syntax" setting should be configured correctly.
The "DCOM: Machine Launch Restrictions in the Security Descriptor Definition Language (SDDL) syntax" security option should be set correctly.
The "Display user information when the session is locked" setting should be configured correctly.
The "Interactive logon: Require smart card" setting should be configured correctly.
CCE-638
CCE-647
CCE-48
CCE-572
CCE-577
CCE-872
CCE-506 Backup Operators
CCE-990 Power Users
CCE-250 Remote Desktop Users
CCE-43
The "Network access: Restrict anonymous access to named pipes and shares" setting should be configured correctly.
The "System cryptography: Force strong key protection for user keys stored on the computer" setting should be configured correctly.
The "System settings: optional subsystems" setting should be configured correctly.
The "System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies" setting should be configured correctly.
MSS:(TCPMaxConnectResponseRetransmission) SYN-ACK retransmissions when a connection request is not acknowledged
(1) number of seconds
MSS:(TCPMaxDataRetransmissions) How many times unacknowledged data is retransmitted
(1) number of seconds
Application Layer Gateway Service
CCE-167 Application Management
CCE-585 Cryptographic Services
CCE-484 DHCP Client
CCE-651
CCE-303
CCE-436 DNS Client
CCE-774 Error Reporting Service
CCE-435 Event Log
CCE-950 Help and Support
CCE-118
CCE-624
CCE-453 Infrared Monitor
CCE-72 IPSEC Services
CCE-988 Logical Disk Manager
CCE-891
Distributed Link Tracking Client
Distributed Transaction Coordinator
Human Interface Device Access
IMAPI CD-Burning COM Service
Logical Disk Manager Administrative Service
CCE-900
CCE-671 Network Connections
CCE-217
CCE-768
CCE-825
CCE-472
CCE-265
CCE-759
CCE-697 Protected Storage
CCE-706 QoS RSVP
CCE-750
CCE-993
CCE-164
CCE-741 Removable Storage
MS Software Shadow Copy Provider
Network Dynamic Data Exchange (DDE)
Network DDE DDE Share Database Manager (DSDM)
Network Location Awareness (NLA)
NT LM Security Support Provider
Performance Logs and Alerts
Portable Media Serial Number Service
Remote Access Connection Manager
Remote Procedure Call (RPC)
Remote Procedure Call (RPC) Locator
CCE-172 Secondary Logon
CCE-679
CCE-102 Server
CCE-98 Smart Card
CCE-1001 Smart Card Helper
CCE-772 System Event Notification
CCE-450 System Restore Service
CCE-665 TCP/IP NetBIOS Helper
CCE-428 Telephony
CCE-956 Themes
CCE-366
CCE-652 Upload Manager
CCE-538 Volume Shadow Copy
CCE-305 WebClient
CCE-851 Windows Audio
CCE-234
CCE-890 Windows Installer
Security Accounts Manager
Uninterruptible Power Supply
Windows Image Acquisition (WIA)
CCE-912
CCE-815
CCE-560 Windows Time
CCE-604
CCE-745
CCE-296 Workstation
CCE-511 (1) reg_dword
New For CIS
CCE-145 (1) enabled/disabled
CCE-423 (1) enabled/disabled
CCE-806 (1) enabled/disabled
CCE-969 (1) enabled/disabled
CCE-502 (1) enabled/disabled
Windows Management Instrumentation
Windows Management Instrumentation Driver Extensions
Wireless Zero Configuration
WMI Performance Adapter
MSS: (NtfsDisable8dot3NameCreation) Enable the computer to stop generating 8.3 style filenames.
RPC Endpoint Mapper Client Authentication (SP2 only)
Restrictions for Unauthenticated RPC clients (SP2 only)
New For CIS (SP2 firewall)
Domain Profile: Protect all network connections (SP2 only)
Domain Profile: Do not allow exceptions (SP2 only)
Domain Profile: Allow local program exceptions
CCE-771
CCE-555 (1) enabled/disabled
CCE-277 (1) enabled/disabled
CCE-832
CCE-590 (1) enabled/disabled
CCE-762 (1) enabled/disabled
CCE-251 (1) enabled/disabled
CCE-793 (1) File path
Domain Profile: Allow remote administration
(1) enabled/disabled (2) subnets for internal support only
Domain Profile: Allow file and printer sharing exception (SP2 only)
Domain Profile: Allow ICMP exceptions (SP2 only)
Domain Profile: Allow Remote Desktop exception (SP2 only)
(1) enabled/disabled (2) subnets for internal support only
Domain Profile: Allow UPnP framework exception (SP2 only)
The "Windows Firewall: Prohibit notifications" setting should be configured correctly for the Domain Profile.
The "Log Dropped Packets" option for the Windows Firewall should be configured correctly for the Domain Profile.
The log file path and name for the Windows Firewall should be configured correctly for the Domain Profile.
CCE-57 (1) Size limit (KB)
CCE-617 (1) enabled/disabled
CCE-696 (1) enabled/disabled
CCE-114 (1) enabled/disabled
CCE-370 (1) enabled/disabled
CCE-273 (1) enabled/disabled
CCE-440 (1) enabled/disabled
CCE-352 (1) enabled/disabled
CCE-467 (1) enabled/disabled
CCE-626 (1) enabled/disabled
The log file size limit for the Windows Firewall should be configured correctly for the Domain Profile.
The "Log Successful Connections" option for the Windows Firewall should be configured correctly for the Domain Profile.
Unicast response to multicast or broadcast requests should be enabled or disabled as appropriate for the Domain Profile.
Domain Profile: Define port exceptions (SP2 only)
Domain Profile: Allow local port exceptions (SP2 only)
Standard Profile: Protect all network connections (SP2 only)
Standard Profile: Do not allow exceptions (SP2 only)
Standard Profile: Allow local program exceptions (SP2 only)
Standard Profile: Allow remote administration exception (SP2 only)
Standard Profile: Allow file and printer sharing exception (SP2 only)
CCE-797
CCE-354 (1) enabled/disabled
CCE-266 (1) enabled/disabled
CCE-901 (1) enabled/disabled
CCE-945 (1) enabled/disabled
CCE-609 (1) file path
CCE-160 (1) Size limit (KB)
CCE-962 (1) enabled/disabled
CCE-632 (1) enabled/disabled
Standard Profile: Allow ICMP exceptions (SP2 only)
(1) enabled/ Allow outbound source quench, Allow inbound echo request, Allow outbound packet too big
Standard Profile: Allow Remote Desktop exception (SP2 only)
Standard Profile: Allow UPnP framework exception (SP2 only)
The "Windows Firewall: Prohibit notifications" setting should be configured correctly for the Standard Profile.
The "Log Dropped Packets" option for the Windows Firewall should be configured correctly for the Standard Profile.
The log file path and name for the Windows Firewall should be configured correctly for the Standard Profile.
The log file size limit for the Windows Firewall should be configured correctly for the Standard Profile.
The "Log Successful Connections" option for the Windows Firewall should be configured correctly for the Standard Profile.
Unicast response to multicast or broadcast requests should be enabled or disabled as appropriate for the Standard Profile.
CCE-196 (1) enabled/disabled
CCE-77 (1) enabled/disabled
CCE-530 (1) enabled/disabled
CCE-301
CCE-418
CCE-2188
CCE-2258
CCE-1298
CCE-2166
CCE-1786
CCE-831
CCE-146
CCE-2065
CCE-1988
CCE-1984
Standard Profile: Define port exceptions (SP2 only)
Standard Profile: Allow local port exceptions (SP2 only)
The startup type of the Internet Connection Firewall service should be correct.
Restricted Groups have been set on the system
(1) Group enumeration
MSS: TCPMaxPortsExhausted, How many dropped connect requests to initiate SYN attack protection.
POSIX Subsystem File Components
Distributed Link Tracking Server Service Disabled
License Logging Service Disabled
Network News Transport Protocol Service Disabled
Resultant Set of Policy Provider Service Disabled
Resetting Computer Account Password Requirements
IE - Security Zones: Do Not Allow Users to Add/Delete Sites Requirements
OS/2 Subsystem Registry Keys Installed Requirements
POSIX Subsystem Registry Keys Installed Requirements
Recycle Bin Configured to Delete Files (Servers) Requirements
CCE-2253
Vista
CCE-249
CCE-485
CCE-400
CCE-584
CCE-7
CCE-29
CCE-32
CAC logon required (NIPRNet only) Requirement
Domain Profile - Inbound Connections
Domain Profile - Outbound Connections
Domain Profile - Apply Local Firewall Rules
Domain Profile - Apply Local Connection Security Rules
Private Profile - Firewall State
Private Profile - Inbound Connections
Private Profile - Outbound Connections
CCE-38
CCE-70 enabled/disabled
CCE-117
CCE-199
CCE-295
CCE-338
CCE-342
User notifications when a program is blocked from receiving inbound connections by Windows Firewall should be enabled or disabled as appropriate for the Private Profile.
yes/no/not configured
Unicast response to multicast or broadcast requests should be enabled or disabled as appropriate for the Private Profile.
Private Profile - Apply Local Firewall Rules
Private Profile - Apply Local Connection Security Rules
Public Profile - Firewall State
Public Profile - Inbound Connections
Public Profile - Outbound Connections
CCE-390
CCE-414 enabled/disabled
CCE-421
CCE-437
CCE-503
CCE-583
CCE-584
CCE-691
User notifications when a program is blocked from receiving inbound connections by Windows Firewall should be enabled or disabled as appropriate for the Public Profile.
yes/no/not configured
Unicast response to multicast or broadcast requests should be enabled or disabled as appropriate for the Public Profile.
Public Profile - Apply Local Firewall Rules
Public Profile - Apply Local Connection Security Rules
Logon - Do not process the legacy run list
Logon - Do not process the run once list
Group Policy - Registry policy processing
Turn off Internet download for Web publishing and online ordering wizards
CCE-722
CCE-818
CCE-852
CCE-887
CCE-927
CCE-935
CCE-255
CCE-466
CCE-11 Add-on List
CCE-976
CCE-648
CCE-405
Turn off the Windows Messenger Customer Experience Improvement Program
Turn off Search Companion content file updates
Turn off printing over HTTP
Turn off downloading of print drivers over HTTP
Turn off Windows Update device driver searching
Enumerate administrator accounts on elevation
Require trusted path for credential entry
Deny all add-ons unless specifically allowed in the Add-on List
The "Do not allow passwords to be saved" setting should be configured correctly for Terminal Services.
The "Do not allow drive redirection" setting should be configured correctly for Terminal Services.
Access to registry editing tools is set correctly.
CCE-509
CCE-12
CCE-58
CCE-372
CCE-886
CCE-111
CCE-1044 enabled/disabled
CCE-84 enabled/disabled
CCE-86 enabled/disabled
CCE-629 enabled/disabled
CCE-593 enabled/disabled
Prompt for password on resume from hibernate/suspend is set correctly.
Do not preserve zone information in file attachments is set correctly.
Hide mechanisms to remove zone information is set correctly.
Notify antivirus programs when opening attachments is set correctly.
Outlook Express attachment blocking is set correctly.
Audit: Force audit policy subcategory settings are set correctly.
The "Log Access For Setup Log" setting should be configured correctly.
The startup type of the Windows Search service should be configured correctly.
The startup type of Microsoft Peer-to-Peer Networking Services should be configured correctly.
The "Prohibit Access of the Windows Connect Now Wizards" setting should be configured correctly.
The "Allow remote access to the PnP interface" setting should be configured correctly.
CCE-849 enabled/disabled
CCE-571 enabled/disabled
CCE-91 enabled/disabled
CCE-858 enabled/disabled
CCE-263 enabled/disabled
CCE-430 enabled/disabled
CCE-756 enabled/disabled
CCE-1029 enabled/disabled
CCE-1055 enabled/disabled
CCE-1064 enabled/disabled
The "Do not create system restore point when new device driver installed" setting should be configured correctly.
The "Do not send a Windows Error Report when a generic driver is installed on a device" setting should be configured correctly.
The "Turn Off Access to All Windows Update Feature" setting should be configured correctly.
The "Turn Off Automatic Root Certificates Update" setting should be configured correctly.
The "Turn Off Event Viewer 'Events.asp' Links" setting should be configured correctly.
The "Turn Off Handwriting Recognition Error Reporting" setting should be configured correctly.
The "Turn Off Help and Support Center "Did You Know?" Content" setting should be configured correctly.
The "Turn Off Help and Support Center Microsoft Knowledge Base Search" setting should be configured correctly.
The "Turn Off Internet Connection Wizard if URL Connection is Referring to Microsoft.com" setting should be configured correctly.
The "Turn Off Internet File Association Service" setting should be configured correctly.
CCE-88 enabled/disabled
CCE-375 enabled/disabled
CCE-1009 enabled/disabled
CCE-1040 enabled/disabled
CCE-1062 enabled/disabled
CCE-93 enabled/disabled
CCE-1020 enabled/disabled
CCE-681 enabled/disabled
CCE-346 enabled/disabled
CCE-1011 enabled/disabled
The "Turn Off Registration if URL Connection is Referring to Microsoft.com" setting should be configured correctly.
The "Turn Off the 'Order Prints' Picture Task" setting should be configured correctly.
The "Turn off the 'Publish to Web' task for files and folders" setting should be configured correctly.
The "Turn Off Windows Movie Maker Automatic Codec Downloads" setting should be configured correctly.
The "Turn Off Windows Movie Maker Online Web Links" setting should be configured correctly.
The "Turn Off Windows Movie Maker Saving to Online Video Hosting Provider" setting should be configured correctly.
The "Don't Display the Getting Started Welcome Screen at Logon" setting should be configured correctly.
The "Turn off Windows Startup Sound" setting should be configured correctly.
The "Require a Password when a Computer Wakes (On Battery)" setting should be configured correctly.
The "Require a Password when a Computer Wakes (Plugged)" setting should be configured correctly.
CCE-1007 enabled/disabled
CCE-923 enabled/disabled
CCE-1056 enabled/disabled
CCE-835 enabled/disabled
CCE-474 enabled/disabled
CCE-557 enabled/disabled
CCE-95 enabled/disabled
CCE-767 enabled/disabled
CCE-1049 enabled/disabled
CCE-1058 enabled/disabled
CCE-441 enabled/disabled
CCE-97 enabled/disabled
CCE-728 enabled/disabled
The "Allow only Vista or later connections" setting should be configured correctly.
The "Customization Warning Messages" setting should be configured correctly.
The "Turn on bandwidth optimization" setting should be configured correctly.
The "Turn on session logging" setting should be configured correctly.
The "Prevent IIS Installation" setting should be configured correctly.
The "Turn off Active Help" setting should be configured correctly.
The "Turn off Untrusted Content" setting should be configured correctly.
The "Turn off downloading of enclosures" setting should be configured correctly.
The "Allow indexing of encrypted files" setting should be configured correctly.
The "Prevent indexing uncached Exchange folders" setting should be configured correctly.
The "Turn off Windows Calendar" setting should be configured correctly.
The "Allow Corporate redirection of Customer Experience Improvement uploads" setting should be configured correctly.
The "Turn off Windows Defender" setting should be configured correctly.
CCE-384 enabled/disabled
CCE-480 enabled/disabled
CCE-612 enabled/disabled
CCE-392 enabled/disabled
CCE-96 enabled/disabled
CCE-331 enabled/disabled
CCE-1089 enabled/disabled
CCE-992 enabled/disabled
CCE-105 enabled/disabled
CCE-297 enabled/disabled
CCE-702 enabled/disabled
The "Turn off Heap termination on corruption" setting should be configured correctly.
The "Turn off shell protocol protected mode" setting should be configured correctly.
The "Prohibit non-administrators from applying vendor signed updates" setting should be configured correctly.
The "Report Logon Server Not Available During User logon" setting should be configured correctly.
The "Turn off the communication features" setting should be configured correctly.
The "Turn off Windows Mail application" setting should be configured correctly.
The "Prevent Windows Media DRM Internet Access" setting should be configured correctly.
The "Turn off Windows Meeting Space" setting should be configured correctly.
The "Turn on Windows Meeting Space auditing" setting should be configured correctly.
The "Disable unpacking and installation of gadgets that are not digitally signed" setting should be configured correctly.
The "Override the More Gadgets Link" setting should be configured correctly.
CCE-644 enabled/disabled
CCE-1747 enabled/disabled
CCE-1778 enabled/disabled
CCE-1795 enabled/disabled
CCE-1293 enabled/disabled
Office 2007
2003/2007 CCE-116 enabled/disabled
2003/2007 CCE-908
The "Turn Off User Installed Windows Sidebar Gadgets" setting should be configured correctly.
The "Do not allow Digital Locker to run" setting should be configured correctly.
The "Turn Off Downloading of Game Information" setting should be configured correctly.
The "IPv6 Block of Protocols 41" setting should be configured correctly.
The "IPv6 Block of UDP 3544" setting should be configured correctly.
The "Disable VBA for Office applications" setting should be configured correctly.
The "ActiveX Control Initialization:" setting should be configured correctly.
1 = Do not prompt | 4 = Prompt user to use control defaults | 6 = Prompt user to use persisted data
2007 CCE-184 enabled/disabled
2007 CCE-276 enabled/disabled
2007 CCE-967
2007 CCE-427
2007 CCE-649
The "Enable Customer Experience Improvement Program" setting should be configured correctly.
The "Enable Customer Experience Improvement Program" setting should be configured correctly.
The "Online content options" setting should be configured correctly.
0 = Never show online content or entry points | 1 = Search only offline content whenever available | 2 = Search online content whenever available
The "VBA Macro Warning Settings" setting should be configured correctly for Access 2007.
1 = No Security checks for macros | 2 = Trust Bar warning for all macros | 3 = Trust Bar warning for digitally signed macros only | 4 = No Warnings for all macros but disable all macros
The "VBA Macro Warning Settings" setting should be configured correctly for Excel 2007.
1 = No Security checks for macros | 2 = Trust Bar warning for all macros | 3 = Trust Bar warning for digitally signed macros only | 4 = No Warnings for all macros but disable all macros
2003/2007 CCE-862 enabled/disabled
2007 CCE-567
2007 CCE-68 enabled/disabled
2007 CCE-537 enabled/disabled
2003/2007 CCE-786
The "Trust access to Visual Basic Project" setting should be configured correctly for Excel 2007 and 2003.
The "VBA Macro Warning Settings" setting should be configured correctly for PowerPoint 2007.
1 = No Security checks for macros | 2 = Trust Bar warning for all macros | 3 = Trust Bar warning for digitally signed macros only | 4 = No Warnings for all macros but disable all macros
The "Trust access to Visual Basic Project" setting should be configured correctly for PowerPoint 2007.
The "Disable Remember Password" setting should be configured correctly.
The "Configure Add-In Trust Level" setting should be configured correctly.
0 = Trust all or use Exchange settings if present | 1 = Trust all loaded and installed COM addins | 2 = Do NOT trust loaded and installed COM addins
2007 CCE-937 enabled/disabled
2007 CCE-13 enabled/disabled
2007 CCE-316 enabled/disabled
2003/2007 CCE-14 enabled/disabled
2007 CCE-153 enabled/disabled
2003/2007 CCE-345 enabled/disabled
The "Disable 'Remember password' for Internet e-mail accounts" setting should be configured correctly.
The "Minimum encryption settings" setting should be configured correctly.
The "Do not check e-mail address against address of certificates being used" setting should be configured correctly.
The "Send all signed messages as clear signed messages" setting should be configured correctly.
The "Request an S/MIME receipt for all S/MIME signed messages" setting should be configured correctly.
The "Do not display 'Publish to GAL' button" setting should be configured correctly.
2003/2007 CCE-700
2003/2007 CCE-695 enabled/disabled
2007 CCE-395
2007 CCE-659
The "Signature Warning" setting should be configured correctly.
0 = Let user decide if they want to be warned | 1 = Always warn about invalid signatures | 2 = Never warn about invalid signatures
The "Enable Cryptography Icons" setting should be configured correctly.
The "Retrieving CRLs (Certificate Revocation Lists)" setting should be configured correctly.
0 = Use system Default | 1 = When online always retrieve the CRL | 2 = Never retrieve the CRL
The "VBA Macro Warning Settings" setting should be configured correctly for Word 2007.
1 = No Security checks for macros | 2 = Trust Bar warning for all macros | 3 = Trust Bar warning for digitally signed macros only | 4 = No Warnings for all macros but disable all macros
2003/2007 CCE-703 enabled/disabled
2003/2007 CCE-173 enabled/disabled
2007 CCE-784 enabled/disabled
2007 CCE-1395
enabled/disabled
2007 CCE-1137
enabled/disabled
The "Trust access to Visual Basic Project" setting should be configured correctly for Word 2007 and 2003.
The "Warn before printing, saving or sending a file that contains tracked changes or comments" setting should be configured correctly.
The "Block updates from the Office Update Site from applying" setting should be configured correctly.
ms user config
The "Underline hyperlinks" setting should be configured correctly for Access 2007.
The "Number of documents in the Recent Documents list (0-9)" setting should be configured correctly for Access 2007.
2007 CCE-1423
enabled/disabled
2007 CCE-1238
enabled/disabled
2007 CCE-1476
enabled/disabled
2007 CCE-1520
enabled/disabled
2007 CCE-780
enabled/disabled
2007 CCE-1214
enabled/disabled
2007 CCE-1370
enabled/disabled
2007 CCE-1268
enabled/disabled
The "Disable Trust Bar Notification for unsigned application add-ins" setting should be configured correctly for Access 2007.
The "Disable all application add-ins" setting should be configured correctly for Access 2007.
The "Require that application add-ins are signed by Trusted Publisher" setting should be configured correctly for Access 2007.
The "Disable all trusted locations" setting should be configured correctly for Access 2007.
The "Allow Trusted Locations not on the computer" setting should be configured correctly for Access 2007.
The "Modal Trust Decision Only" setting should be configured correctly for Access 2007.
The "Disable commands" setting should be configured correctly for Access 2007.
The "Disable commands - Office Button | E-Mail" setting should be configured correctly for Access 2007.
2007 CCE-1400
enabled/disabled
2007 CCE-1440
enabled/disabled
2007 CCE-581
enabled/disabled
2007 CCE-1480
enabled/disabled
2007 CCE-1489
enabled/disabled
2007 CCE-1392
enabled/disabled
The "Disable commands - Office Button | Access Options | Customize | All Commands | Insert Hyperlink" setting should be configured correctly for Access 2007.
The "Disable commands - Database Tools | Database Tools | Encrypt with Password" setting should be configured correctly for Access 2007.
The "Disable commands - Database Tools | Administer | Users and Permission | User and Group Permissions" setting should be configured correctly for Access 2007.
The "Disable commands - Database Tools | Administer | Users and Permissions | User and Group Accounts" setting should be configured correctly for Access 2007.
The "Disable commands - Database Tools | Administer | Users and Permission | User-Level Security Wizard..." setting should be configured correctly for Access 2007.
The "Disable commands - Database Tools | Database Tools | Encode/Decode Database" setting should be configured correctly for Access 2007.
2007 CCE-1414
enabled/disabled
2007 CCE-1418
enabled/disabled
2007 CCE-1405
enabled/disabled
2007 CCE-1550
enabled/disabled
2007 CCE-1075
enabled/disabled
2007 CCE-709
enabled/disabled
2007 CCE-1502
enabled/disabled
2007 CCE-1260
enabled/disabled
The "Disable commands - Database Tools | Macro | Visual Basic" setting should be configured correctly for Access 2007.
The "Disable commands - Database Tools | Macro | Run Macro" setting should be configured correctly for Access 2007.
The "Database Tools | Macro | Convert Macros to Visual Basic" setting should be configured correctly for Access 2007.
The "Database Tools | Macro | Create Shortcut Menu from Macro" setting should be configured correctly for Access 2007.
The "Disable shortcut keys" setting should be configured correctly for Access 2007.
The "Disable commands - Ctrl+K (Office Button | Access Options | Customize | All Commands | Insert Hyperlinks)" setting should be configured correctly for Access 2007.
The "Disable commands - Alt+F11 (Database Tools | Macro | Visual Basic)" setting should be configured correctly for Access 2007.
The "Default file format (Access 2007 | Access 2002-2003)" setting should be configured correctly for Access 2007.
2007 CCE-1510
enabled/disabled
2007 CCE-1532
enabled/disabled
2007 CCE-1039
enabled/disabled
2007 CCE-1295
enabled/disabled
2007 CCE-1334
enabled/disabled
2007 CCE-1308
enabled/disabled
2007 CCE-616
enabled/disabled
The "Do not prompt to convert older databases" setting should be configured correctly for Access 2007.
The "Internet and network paths as hyperlinks" setting should be configured correctly for Excel 2007.
The "Save Excel files as (Excel Workbook (*.xlsx) | Excel Macro-Enabled Workbook (*.xlsm) | Excel Binary Workbook (*.xlsb) | Web Page (*.htm; *.html) | Excel 97-2003 Workbook (*.xls) | Excel 5.0/95 Workbook (*.xls))" setting should be configured correctly for Excel 2007.
The "Disable AutoRepublish" setting should be configured correctly for Excel 2007.
The "AutoRepublish Warning Alert (Always show the alert before publishing | Never show the alert before publishing)" setting should be configured correctly for Excel 2007.
The "Determine whether to force encrypted macros to be scanned in Microsoft Excel Open XML workbooks" setting should be configured correctly
The "Force file extension to match file type (Allow different | Allow different, but warn | Always match file type)" setting should be configured correctly for Excel 2007.
2007 CCE-1246
enabled/disabled
2007 CCE-1251
enabled/disabled
2007 CCE-1524
enabled/disabled
2007 CCE-1422
enabled/disabled
2007 CCE-1444
enabled/disabled
2007 CCE-1449
enabled/disabled
2007 CCE-1471
enabled/disabled
2007 CCE-1119
enabled/disabled
2007 CCE-1378
enabled/disabled
The "Store macro in Personal Macro Workbook by default" setting should be configured correctly
The "Disable all application add-ins" setting should be configured correctly for Excel 2007.
The "Require that application add-ins are signed by Trusted Publisher" setting should be configured correctly for Excel 2007.
The "Disable Trust Bar Notification for unsigned application add-ins" setting should be configured correctly for Excel 2007.
The "Allow Trusted Locations not on the computer" setting should be configured correctly for Excel 2007.
The "Disable all trusted locations" setting should be configured correctly for Excel 2007.
The "Ignore other applications " setting should be configured correctly for Excel 2007.
The "Ask to update automatic links" setting should be configured correctly for Excel 2007.
The "Number of documents in the Recent Documents list (0-17)" setting should be configured correctly for Excel 2007.
2007 CCE-1277
enabled/disabled
2007 CCE-1464
enabled/disabled
2007 CCE-1094
enabled/disabled
2007 CCE-1129
enabled/disabled
2007 CCE-1389
enabled/disabled
2007 CCE-1433
enabled/disabled
2007 CCE-1323
enabled/disabled
2007 CCE-1469
enabled/disabled
The "Save any additional data necessary to maintain formulas" setting should be configured correctly for Excel 2007.
The "Load pictures from Web pages not created in Excel" setting should be configured correctly for Excel 2007.
The "Do not show data extraction options when opening corrupt workbooks" setting should be configured correctly for Excel 2007.
The "Assume structured storage format of workbook is intact when recovering data" setting should be configured correctly for Excel 2007.
The "Corrupt formula conversion (Convert unrecoverable references to: values | #REF or #NAME)" setting should be configured correctly for Excel 2007.
The "Connection File Locations" setting should be configured correctly for Excel 2007.
The "Automatic Query Refresh (Prompt for all workbooks | Do not prompt; do not allow auto refresh | Do not prompt; allow auto refresh)" setting should be configured correctly for Excel 2007.
The "Disable commands" setting should be configured correctly for Excel 2007.
2007 CCE-1473
enabled/disabled
2007 CCE-1499
enabled/disabled
2007 CCE-1024
enabled/disabled
2007 CCE-1530
enabled/disabled
2007 CCE-1120
enabled/disabled
2007 CCE-1252
enabled/disabled
2007 CCE-1151
enabled/disabled
2007 CCE-1301
enabled/disabled
The "Disable commands - Office Button | Excel Options | Customize | All Commands | Save as Web Page" setting should be configured correctly for Excel 2007.
The "Disable commands - Office Button | Excel Options | Customize | All Commands | Web Page Preview" setting should be configured correctly for Excel 2007.
The "Disable commands - Office Button | Send | Email" setting should be configured correctly for Excel 2007.
The "Disable commands - Insert | Links | Hyperlink" setting should be configured correctly for Excel 2007.
The "Disable commands - Review | Changes | Protect Sheet" setting should be configured correctly for Excel 2007.
The "Disable commands - Review | Changes | Protect Workbook" setting should be configured correctly for Excel 2007.
The "Disable commands - Review | Changes | Protect and Share Workbook" setting should be configured correctly for Excel 2007.
The "Disable commands - View | Macros | Macros" setting should be configured correctly for Excel 2007.
2007 CCE-1310
enabled/disabled
2007 CCE-1213
enabled/disabled
2007 CCE-1362
enabled/disabled
2007 CCE-1156
enabled/disabled
2007 CCE-1429
enabled/disabled
2007 CCE-1182
enabled/disabled
2007 CCE-1525
enabled/disabled
2007 CCE-1547
enabled/disabled
The "Disable commands - Developer | Code | Macros" setting should be configured correctly for Excel 2007.
The "Disable commands - Developer | Code | Record Macro" setting should be configured correctly for Excel 2007.
The "Disable commands - Developer | Code | Macro Security" setting should be configured correctly for Excel 2007.
The "Disable commands - Developer | Code | Visual Basic" setting should be configured correctly for Excel 2007.
The "Disable commands - Office Button | Excel Options | Customize | All Commands | Document Location" setting should be configured correctly for Excel 2007.
The "Disable shortcut keys" setting should be configured correctly for Excel 2007.
The "Disable shortcut keys - Ctrl+K (Insert | Links | Hyperlink)" setting should be configured correctly for Excel 2007.
The "Disable shortcut keys - Alt+F8 (Developer | Code | Macros)" setting should be configured correctly for Excel 2007.
2007 CCE-1300
enabled/disabled
2007 CCE-1331
enabled/disabled
2007 CCE-1468
enabled/disabled
2007 CCE-1490
enabled/disabled
2007 CCE-1512
enabled/disabled
2007 CCE-1543
enabled/disabled
2007 CCE-1195
enabled/disabled
2007 CCE-554
enabled/disabled
2007 CCE-1415
enabled/disabled
The "Disable shortcut keys - Alt+F11 (Developer | Code | Visual Basic)" setting should be configured correctly for Excel 2007.
The "Block opening of pre-release versions of file formats new to Excel 2007" setting should be configured correctly for Excel 2007.
The "Block opening of Open XML file types" setting should be configured correctly for Excel 2007.
The "Block opening of Binary 12 file types" setting should be configured correctly for Excel 2007.
The "Block opening of Binary file types" setting should be configured correctly for Excel 2007.
The "Block opening of Html and Xmlss files types" setting should be configured correctly for Excel 2007.
The "Block opening of Xml file types" setting should be configured correctly for Excel 2007.
The "Block opening of DIF and SYLK file types" setting should be configured correctly for Excel 2007.
The "Block opening of Text file types" setting should be configured correctly for Excel 2007.
2007 CCE-1437
enabled/disabled
2007 CCE-1446
enabled/disabled
2007 CCE-1098
enabled/disabled
2007 CCE-562
enabled/disabled
2007 CCE-1507
enabled/disabled
2007 CCE-1406
enabled/disabled
2007 CCE-573
enabled/disabled
2007 CCE-1336
enabled/disabled
2007 CCE-1230
enabled/disabled
2007 CCE-1375
enabled/disabled
The "Block opening of Xll file type" setting should be configured correctly for Excel 2007.
The "Block saving of Open Xml file types" setting should be configured correctly for Excel 2007.
The "Block saving of Binary12 file types" setting should be configured correctly for Excel 2007.
The "Block saving of Binary file types" setting should be configured correctly for Excel 2007.
The "Block saving of Html and Xmlss file types" setting should be configured correctly for Excel 2007.
The "Block saving Xml file types" setting should be configured correctly for Excel 2007.
The "Block saving DIF and SYLK file types" setting should be configured correctly for Excel 2007.
The "Block saving of Text file types" setting should be configured correctly for Excel 2007.
The "Locally cache network file storages" setting should be configured correctly for Excel 2007.
The "Locally cache PivotTable reports" setting should be configured correctly for Excel 2007.
2007 CCE-1380
enabled/disabled
2007 CCE-1376
enabled/disabled
2007 CCE-1398
enabled/disabled
2007 CCE-569
enabled/disabled
2007 CCE-1065
enabled/disabled
2007 CCE-1361
enabled/disabled
2007 CCE-1096
enabled/disabled
2007 CCE-1391
enabled/disabled
The "OLAP PivotTable User Defined Function (UDF) security setting (Allow ALL UDFs | Allow safe UDFs only | Allow NO UDFs)" setting should be configured correctly for Excel 2007.
The "Recognize SmartTags" setting should be configured correctly for Excel 2007.
The "Number of documents in the Recent Documents list (0 - 9)" setting should be configured correctly for InfoPath 2007.
The "Offline Mode status (Disabled | Enabled, InfoPath in Offline Mode | Enabled, InfoPath not in Offline Mode)" setting should be configured correctly for InfoPath 2007.
The "Disable commands" setting should be configured correctly for InfoPath 2007.
The "Disable commands - File | Print" setting should be configured correctly for InfoPath 2007.
The "Disable commands - File | Send to Mail Recipient" setting should be configured correctly for InfoPath 2007.
The "Disable commands - File | Open from SharePoint Site" setting should be configured correctly for InfoPath 2007.
2007 CCE-1519
enabled/disabled
2007 CCE-1523
enabled/disabled
2007 CCE-1171
enabled/disabled
2007 CCE-1457
enabled/disabled
2007 CCE-1426
enabled/disabled
2007 CCE-805
enabled/disabled
2007 CCE-1453
enabled/disabled
2007 CCE-1351
enabled/disabled
The "Disable commands - File | Print Preview" setting should be configured correctly for InfoPath 2007.
The "Disable commands - File | Page Setup" setting should be configured correctly for InfoPath 2007.
The "Disable commands - Insert | Hyperlinks..." setting should be configured correctly for InfoPath 2007.
The "Disable commands - Tools | Set Language" setting should be configured correctly for InfoPath 2007.
The "Disable commands - Tools | Customize..." setting should be configured correctly for InfoPath 2007.
The "Disable commands - Tools | Options..." setting should be configured correctly for InfoPath 2007.
The "Disable commands - Help | Microsoft Office Online" setting should be configured correctly for InfoPath 2007.
The "Disable commands - Office Diagnostics" setting should be configured correctly for InfoPath 2007.
2007 CCE-620
enabled/disabled
2007 CCE-1017
enabled/disabled
2007 CCE-1021
enabled/disabled
2007 CCE-1299
enabled/disabled
2007 CCE-1197
enabled/disabled
2007 CCE-704
enabled/disabled
2007 CCE-1105
enabled/disabled
2007 CCE-1114
enabled/disabled
The "Disable commands - Help | Activate Product..." setting should be configured correctly for InfoPath 2007.
The "Disable commands - Print Default" setting should be configured correctly for InfoPath 2007.
The "Disable shortcut keys" setting should be configured correctly for InfoPath 2007.
The "Disable shortcut keys - Print Shortcut (Ctrl+P)" setting should be configured correctly for InfoPath 2007.
The "Disable shortcut keys - Insert Hyperlink Shortcut (Ctrl+K)" setting should be configured correctly for InfoPath 2007.
The "Control behavior for Windows SharePoint Services gradual upgrade (Allow redirections to any location | Allow redirections to Intranet only | Block all redirections)" setting should be configured correctly for InfoPath 2007.
The "Disable opening of solutions from the Internet security zone" setting should be configured correctly for InfoPath 2007.
The "Disable fully trusted solutions full access to computer" setting should be configured correctly for InfoPath 2007.
2007 CCE-761
enabled/disabled
2007 CCE-739
enabled/disabled
2007 CCE-1259
enabled/disabled
2007 CCE-1267
enabled/disabled
2007 CCE-1060
enabled/disabled
2007 CCE-955
enabled/disabled
2007 CCE-1479
enabled/disabled
2007 CCE-1360
enabled/disabled
The "Allow the use of ActiveX Custom Controls in InfoPath forms" setting should be configured correctly for InfoPath 2007.
The "Run forms in restricted mode if they do not specify a publish location and use only features introduced before InfoPath 2003 SP1" setting should be configured correctly for InfoPath 2007.
The "Allow file types as attachments to forms" setting should be configured correctly for InfoPath 2007.
The "Block specific file types as attachments to forms" setting should be configured correctly for InfoPath 2007.
The "Prevent users from allowing unsafe file types to be attached to forms" setting should be configured correctly for InfoPath 2007.
The "Display a warning that a form is digitally signed" setting should be configured correctly for InfoPath 2007.
The "Control behavior when opening forms in the Internet security zone (Block | Prompt | Allow)" setting should be configured correctly for InfoPath 2007.
The "Control behavior when opening forms in the Intranet security zone (Block | Prompt | Allow)" setting should be configured correctly for InfoPath 2007.
2007 CCE-1386
enabled/disabled
2007 CCE-893
enabled/disabled
2007 CCE-1290
enabled/disabled
2007 CCE-1381
enabled/disabled
2007 CCE-1135
enabled/disabled
2007 CCE-1157
enabled/disabled
The "Control behavior when opening forms in the Local Machine security zone (Block | Prompt | Allow)" setting should be configured correctly for InfoPath 2007.
The "Control behavior when opening forms in the Trusted Site security zone (Block | Prompt | Allow)" setting should be configured correctly for InfoPath 2007.
The "Beaconing UI for forms opened in InfoPath (Never show beaconing UI | Always show beaconing UI | Show UI if Form Template is from Internet Zone)" setting should be configured correctly for InfoPath 2007.
The "Beaconing UI for forms opened in InfoPath Editor ActiveX (Never show beaconing UI | Always show beaconing UI | Show UI if Form Template is from Internet Zone)" setting should be configured correctly for InfoPath 2007.
The "Disable all application add-ins" setting should be configured correctly for InfoPath 2007.
The "Require that application add-ins are signed by Trusted Publisher" setting should be configured correctly for InfoPath 2007.
2007 CCE-1434
enabled/disabled
2007 CCE-1315
enabled/disabled
2007 CCE-1210
enabled/disabled
2007 CCE-1236
enabled/disabled
2007 CCE-884
enabled/disabled
2007 CCE-1518
enabled/disabled
2007 CCE-1170
enabled/disabled
The "Disable Trust Bar Notification for unsigned application add-ins" setting should be configured correctly for InfoPath 2007.
The "Control behavior when opening InfoPath e-mail forms containing code or script (Run without prompting | Prompt before running | Never run)" setting should be configured correctly for InfoPath 2007.
The "Disable sending form template with e-mail forms" setting should be configured correctly for InfoPath 2007.
The "Disable dynamic caching of the form template in InfoPath e-mail forms" setting should be configured correctly for InfoPath 2007.
The "Disable sending InfoPath 2003 Forms as e-mail forms" setting should be configured correctly for InfoPath 2007.
The "Disable e-mail forms running in restricted security level" setting should be configured correctly for InfoPath 2007.
The "Disable e-mail forms from the Internet security zone" setting should be configured correctly for InfoPath 2007.
2007 CCE-1316
enabled/disabled
2007 CCE-1567
enabled/disabled
2007 CCE-1265
enabled/disabled
2007 CCE-1538
enabled/disabled
2007 CCE-1564
enabled/disabled
2007 CCE-1212
enabled/disabled
2007 CCE-1344
enabled/disabled
2007 CCE-723
enabled/disabled
The "Disable e-mail forms from the Intranet security zone" setting should be configured correctly for InfoPath 2007.
The "Disable e-mail forms from the Full Trust security zone" setting should be configured correctly for InfoPath 2007.
The "Disable InfoPath e-mail forms in Outlook" setting should be configured correctly for InfoPath 2007.
The "Information Rights Management" setting should be configured correctly for InfoPath 2007.
The "Custom code" setting should be configured correctly for InfoPath 2007.
The "Email Forms Beaconing UI (Never show UI | Always show UI | Show UI if XSN is in Internet Zone)" setting should be configured correctly for InfoPath 2007.
The "Disable user customization of Quick Access Toolbar via UI" setting should be configured correctly
The "Disable user customization of Quick Access Toolbar via UI - Disallow in Word" setting should be configured correctly
2007 CCE-1384
enabled/disabled
2007 CCE-1159
enabled/disabled
2007 CCE-1146
enabled/disabled
2007 CCE-1542
enabled/disabled
2007 CCE-582
enabled/disabled
2007 CCE-1291
enabled/disabled
2007 CCE-1326
enabled/disabled
2007 CCE-1330
enabled/disabled
The "Disable user customization of Quick Access Toolbar via UI - Disallow in Excel" setting should be configured correctly
The "Disable user customization of Quick Access Toolbar via UI - Disallow in PowerPoint" setting should be configured correctly
The "Disable user customization of Quick Access Toolbar via UI - Disallow in Access" setting should be configured correctly
The "Disable user customization of Quick Access Toolbar via UI - Disallow in Outlook" setting should be configured correctly
The "Disable all user customization of Quick Access Toolbar" setting should be configured correctly
The "Disable all user customization of Quick Access Toolbar - Disallow in Word" setting should be configured correctly
The "Disable all user customization of Quick Access Toolbar - Disallow in Excel" setting should be configured correctly
The "Disable all user customization of Quick Access Toolbar - Disallow in PowerPoint" setting should be configured correctly
2007 CCE-1335
enabled/disabled
2007 CCE-1229
enabled/disabled
2007 CCE-630
enabled/disabled
2007 CCE-1154
enabled/disabled
2007 CCE-1410
enabled/disabled
2007 CCE-1432
enabled/disabled
2007 CCE-1198
enabled/disabled
2007 CCE-929
enabled/disabled
The "Disable all user customization of Quick Access Toolbar - Disallow in Access" setting should be configured correctly
The "Disable all user customization of Quick Access Toolbar - Disallow in Outlook" setting should be configured correctly
The "Disable UI extending from documents and templates" setting should be configured correctly
The "Disable UI extending from documents and templates - Disallow in Word" setting should be configured correctly
The "Disable UI extending from documents and templates - Disallow in Excel" setting should be configured correctly
The "Disable UI extending from documents and templates - Disallow in PowerPoint" setting should be configured correctly
The "Disable UI extending from documents and templates - Disallow in Access" setting should be configured correctly
The "Disable UI extending from documents and templates - Disallow in Outlook" setting should be configured correctly
2007 CCE-1074
enabled/disabled
2007 CCE-1458
enabled/disabled
2007 CCE-1233
enabled/disabled
2007 CCE-1379
enabled/disabled
2007 CCE-1401
enabled/disabled
2007 CCE-1528
enabled/disabled
2007 CCE-1533
enabled/disabled
2007 CCE-646
enabled/disabled
The "Recognize smart tags in Excel" setting should be configured correctly
The "Disable Clip Art and Media downloads from the client and from Office Online website" setting should be configured correctly
The "Disable template downloads from the client and from Office Online website" setting should be configured correctly
The "Disable access to updates, add-ins, and patches on the Office Online website" setting should be configured correctly
The "Prevents users from uploading document templates to the Office Online community." setting should be configured correctly
The "Disable training practice downloads from the Office Online website" setting should be configured correctly
The "Disable customer-submitted templates downloads from Office Online" setting should be configured correctly
The "Open Office documents as read/write while browsing" setting should be configured correctly
2007 CCE-1438
enabled/disabled
2007 CCE-711
enabled/disabled
2007 CCE-1292
enabled/disabled
2007 CCE-1615
enabled/disabled
2007 CCE-1191
enabled/disabled
2007 CCE-1587
enabled/disabled
2007 CCE-1486
enabled/disabled
2007 CCE-1508
enabled/disabled
2007 CCE-1640
enabled/disabled
2007 CCE-1539
enabled/disabled
The "Rely on VML for displaying graphics in browsers" setting should be configured correctly
The "Allow PNG as an output format" setting should be configured correctly
The "Improve Proofing Tools" setting should be configured correctly
The "Disable Opt-in Wizard on first run" setting should be configured correctly.
The "Microsoft Office Online" setting should be configured correctly
The "Disable Password Caching" setting should be configured correctly
The "Disable all Trust Bar notifications for security issues" setting should be configured correctly
The "Protect document metadata for rights managed Office Open XML Files" setting should be configured correctly
The "Protect document metadata for password protected files." setting should be configured correctly
The "Encryption type for password protected Office Open XML files" setting should be configured correctly
2007 CCE-1561
enabled/disabled
2007 CCE-1068
enabled/disabled
2003/2007 CCE-1574
enabled/disabled
2007 CCE-1239
enabled/disabled
2007 CCE-1623
enabled/disabled
2007 CCE-1083
enabled/disabled
2007 CCE-1343
enabled/disabled
2007 CCE-1242
enabled/disabled
2007 CCE-770
enabled/disabled
2007 CCE-903
enabled/disabled
The "Encryption type for password protected Office 97-2003 files" setting should be configured correctly
The "Load Controls in Forms3 (1 | 2 | 3 | 4)" setting should be configured correctly
The "Automation Security (Disable macros by default | Use application macro security level | Macros enabled)" setting should be configured correctly
The "Prevent Word and Excel from loading managed code extensions" setting should be configured correctly
The "Disable hyperlink warnings" setting should be configured correctly
The "Disable password to open UI" setting should be configured correctly
The "Download Office Controls" setting should be configured correctly
The "Disable All ActiveX" setting should be configured correctly
The "Allow mix of policy and user locations" setting should be configured correctly
The "Disable Smart Document's use of manifests" setting should be configured correctly
2007 CCE-1555
enabled/disabled
2007 CCE-1061
enabled/disabled
2007 CCE-1603
enabled/disabled
2007 CCE-1612
enabled/disabled
2007 CCE-1493
enabled/disabled
2007 CCE-1409
enabled/disabled
2007 CCE-1589
enabled/disabled
2007 CCE-1237
enabled/disabled
The "Completely disable the Smart Documents feature in Word and Excel" setting should be configured correctly
The "Disable Internet Fax feature" setting should be configured correctly
The "Prevent users from changing permissions on rights managed content" setting should be configured correctly
The "Allow users with earlier versions of Office to read with browsers..." setting should be configured correctly
The "Always require users to connect to verify permission" setting should be configured correctly
The "Always expand groups in Office when restricting permission for documents" setting should be configured correctly
The "Never allow users to specify groups when restricting permission for documents" setting should be configured correctly
The "Disable Microsoft Passport service for content with restricted permission" setting should be configured correctly
2007 CCE-1404
enabled/disabled
2007 CCE-1396
enabled/disabled
2007 CCE-1167
enabled/disabled
2007 CCE-1585
enabled/disabled
2007 CCE-1572
enabled/disabled
2007 CCE-1220
enabled/disabled
2007 CCE-1634
enabled/disabled
2007 CCE-1643
enabled/disabled
2007 CCE-1546
enabled/disabled
The "Do not allow users to upgrade Information Rights Management configuration" setting should be configured correctly
The "Key Usage Filtering" setting should be configured correctly
The "EKU filtering" setting should be configured correctly
The "Legacy format signatures" setting should be configured correctly
The "Suppress Office Signing Providers (Enable Western and East Asian | Suppress default Western | Suppress default East Asian | Suppress both Western and East Asian)" setting should be configured correctly
The "Suppress external signature services menu item" setting should be configured correctly
The "Disable Check For Solutions" setting should be configured correctly
The "Disable inclusion of document properties in PDF and XPS output" setting should be configured correctly
The "Disable Document Information Panel" setting should be configured correctly
2007 CCE-1505
enabled/disabled
2007 CCE-1545
enabled/disabled
2007 CCE-1549
enabled/disabled
2007 CCE-1431
enabled/disabled
2007 CCE-1594
enabled/disabled
2007 CCE-1241
enabled/disabled
The "Document Information Panel Beaconing UI (Never show UI | Always show UI | Show UI if XSN is in Internet Zone)" setting should be configured correctly
The "Disable the Office client from polling the Office server for published links" setting should be configured correctly
The "Block opening of pre-release versions of file formats new to Word 2007 through the Compatibility Pack for the 2007 Office system and Word 2007 Open XML/Word 97-2003 Format Converter" setting should be configured correctly
The "Block opening of pre-release versions of file formats new to Excel 2007 through the Compatibility Pack for the 2007 Office system and Excel 2007 Converter" setting should be configured correctly
The "Block opening of pre-release versions of file formats new to PowerPoint 2007 through the Compatibility Pack for the 2007 Office system and PowerPoint 2007 Converter" setting should be configured correctly
The "Control Blogging (Enabled | Only SharePoint blogs allowed | All blogging disabled)" setting should be configured correctly
2007 CCE-1607
enabled/disabled
2007 CCE-752
enabled/disabled
2007 CCE-1166
enabled/disabled
2007 CCE-654
enabled/disabled
2007 CCE-1192
enabled/disabled
2007 CCE-791
enabled/disabled
2007 CCE-1456
enabled/disabled
2007 CCE-1478
enabled/disabled
2007 CCE-1368
enabled/disabled
The "Enable Smart Resume" setting should be configured correctly
The "Do not upload media files" setting should be configured correctly
The "Disable hyperlinks to web templates in File | New and task panes" setting should be configured correctly
The "Prevent access to Web-based file storage" setting should be configured correctly
The "Do not allow attachment previewing in Outlook" setting should be configured correctly for Outlook 2007.
The "Read e-mail as plain text" setting should be configured correctly for Outlook 2007.
The "Read signed e-mail as plain text" setting should be configured correctly for Outlook 2007.
The "Prevent publishing to Office Online" setting should be configured correctly for Outlook 2007.
The "Prevent publishing to a DAV server" setting should be configured correctly for Outlook 2007.
2007 CCE-1641
enabled/disabled
2007 CCE-1266
enabled/disabled
2007 CCE-1399
enabled/disabled
2007 CCE-1187
enabled/disabled
2007 CCE-1588
enabled/disabled
2007 CCE-1117
enabled/disabled
2007 CCE-1130
enabled/disabled
The "Restrict level of calendar details users can publish (All options are available | Disables 'Full details' | Disables 'Full details' and 'Limited details')" setting should be configured correctly for Outlook 2007.
The "Access to published calendars" setting should be configured correctly for Outlook 2007.
The "Restrict upload method" setting should be configured correctly for Outlook 2007.
The "Hide Junk Mail UI" setting should be configured correctly for Outlook 2007.
The "Junk E-mail protection level (No Protection, Low, High, Trusted Lists Only)" setting should be configured correctly for Outlook 2007.
The "Trust E-mail from Contacts" setting should be configured correctly for Outlook 2007.
The "Add e-mail recipients to users' Safe Senders Lists" setting should be configured correctly for Outlook 2007.
2007 CCE-1093
enabled/disabled
2007 CCE-1599
enabled/disabled
2007 CCE-1621
enabled/disabled
2007 CCE-1269
enabled/disabled
2007 CCE-1419
enabled/disabled
2007 CCE-1551
enabled/disabled
2007 CCE-655
enabled/disabled
2007 CCE-1592
enabled/disabled
The "Dial-up options" setting should be configured correctly for Outlook 2007.
The "Dial-up options - Warn before switching dial-up connection" setting should be configured correctly for Outlook 2007.
The "Dial-up options - Hang up when finished sending, receiving, or updating" setting should be configured correctly for Outlook 2007.
The "Dial-up options - Automatically dial during a background Send/Receive" setting should be configured correctly for Outlook 2007.
The "Do not allow creating, replying, or forwarding signatures for e-mail messages" setting should be configured correctly for Outlook 2007.
The "Send copy of pictures with HTML messages instead of reference to Internet location" setting should be configured correctly for Outlook 2007.
The "Outlook Rich Text options (Convert to HTML | Convert to Plain Text format | Send Using Outlook Rich Text format)" setting should be configured correctly for Outlook 2007.
The "Plain text options" setting should be configured correctly for Outlook 2007.
2007 CCE-1614
enabled/disabled
2007 CCE-1526
enabled/disabled
2007 CCE-1111
enabled/disabled
2007 CCE-1494
enabled/disabled
2007 CCE-1287
enabled/disabled
2007 CCE-1529
enabled/disabled
2007 CCE-1560
enabled/disabled
The "Plain text options - Encode attachments in UUENCODE format when sending a plain text message" setting should be configured correctly for Outlook 2007.
The "Set message format (HTML | Rich Text | Plain Text)" setting should be configured correctly for Outlook 2007.
The "Make Outlook the default program for E-mail, Contacts, and Calendar" setting should be configured correctly for Outlook 2007.
The "Do not allow folders in non-default stores to be set as folder home pages" setting should be configured correctly for Outlook 2007.
The "Use Unicode format when dragging e-mail message to file system" setting should be configured correctly for Outlook 2007.
The "Do not allow Outlook object model scripts to run for shared folders" setting should be configured correctly for Outlook 2007.
The "Do not allow Outlook object model scripts to run for public folders" setting should be configured correctly for Outlook 2007.
2007 CCE-1596
enabled/disabled
2007 CCE-1604
enabled/disabled
2007 CCE-1648
enabled/disabled
2007 CCE-1516
enabled/disabled
2007 CCE-1296
enabled/disabled
2007 CCE-1388
enabled/disabled
The "Set maximum level of online status on a person name (Do not allow | Allow everywhere except To and CC field | Allow everywhere)" setting should be configured correctly for Outlook 2007.
The "Display online status on a person name (Never | Everywhere except To and CC field | Everywhere)" setting should be configured correctly for Outlook 2007.
The "Turn off Enable the Person Names Smart Tag option" setting should be configured correctly for Outlook 2007.
The "Outlook Security Mode (Outlook Default Security | Use Security Form from 'Outlook Security Settings' Public Folder | Use Security Form from 'Outlook 10 Security Settings' Public Folder | Use Outlook Security Group Policy)" setting should be configured correctly for Outlook 2007.
The "Display Level 1 attachments" setting should be configured correctly for Outlook 2007.
The "Allow users to demote attachments to Level 2" setting should be configured correctly for Outlook 2007.
2007 CCE-1652
enabled/disabled
2007 CCE-1569
enabled/disabled
2007 CCE-1459
enabled/disabled
2007 CCE-1608
enabled/disabled
2007 CCE-1617
enabled/disabled
2007 CCE-1631
enabled/disabled
2007 CCE-1155
enabled/disabled
2007 CCE-1556
enabled/disabled
The "Do not prompt about Level 1 attachments when sending an item" setting should be configured correctly for Outlook 2007.
The "Do not prompt about Level 1 attachments when closing an item" setting should be configured correctly for Outlook 2007.
The "Allow in-place activation of embedded OLE objects" setting should be configured correctly for Outlook 2007.
The "Display OLE package objects" setting should be configured correctly for Outlook 2007.
The "Add file extensions to block as Level 1" setting should be configured correctly for Outlook 2007.
The "Remove file extensions blocked as Level 1" setting should be configured correctly for Outlook 2007.
The "Add file extensions to block as Level 2" setting should be configured correctly for Outlook 2007.
The "Remove file extensions blocked as Level 2" setting should be configured correctly for Outlook 2007.
2007 CCE-1595
enabled/disabled
2007 CCE-1436
enabled/disabled
2007 CCE-1586
enabled/disabled
2007 CCE-1590
enabled/disabled
2007 CCE-1004
enabled/disabled
The "Allow scripts in one-off Outlook forms" setting should be configured correctly for Outlook 2007.
The "Set Outlook object model Custom Actions execution prompt (Prompt User | Automatically Approve | Automatically Deny | Prompt user based on computer security)" setting should be configured correctly for Outlook 2007.
The "Set control ItemProperty prompt (Prompt User | Automatically Approve | Automatically Deny | Prompt user based on computer security)" setting should be configured correctly
The "Configure Outlook object model prompt when sending mail (Prompt User | Automatically Approve | Automatically Deny | Prompt user based on computer security)" setting should be configured correctly for Outlook 2007.
The "Configure Outlook object model prompt when accessing an address book (Prompt User | Automatically Approve | Automatically Deny | Prompt user based on computer security)" setting should be configured correctly for Outlook 2007.
2007 CCE-1273
enabled/disabled
2007 CCE-1172
enabled/disabled
2007 CCE-1568
enabled/disabled
2007 CCE-1573
enabled/disabled
The "Configure Outlook object model prompt when reading address information (Prompt User | Automatically Approve | Automatically Deny | Prompt user based on computer security)" setting should be configured correctly for Outlook 2007.
The "Configure Outlook object model prompt when responding to meeting and task requests (Prompt User | Automatically Approve | Automatically Deny | Prompt user based on computer security)" setting should be configured correctly for Outlook 2007.
The "Configure Outlook object model prompt when executing Save As (Prompt User | Automatically Approve | Automatically Deny | Prompt user based on computer security)" setting should be configured correctly for Outlook 2007.
The "Configure Outlook object model prompt When accessing the Formula property of a UserProperty object (Prompt User | Automatically Approve | Automatically Deny | Prompt user based on computer security)" setting should be configured correctly for Outlook 2007.
2007 CCE-1454
enabled/disabled
2007 CCE-1498
enabled/disabled
2007 CCE-1630
enabled/disabled
2007 CCE-1626
enabled/disabled
2007 CCE-1163
enabled/disabled
2007 CCE-1445
enabled/disabled
The "Configure Outlook object model prompt when accessing address information via UserProperties.Find (Prompt User | Automatically Approve | Automatically Deny | Prompt user based on computer security)" setting should be configured correctly for Outlook 2007.
The "Required Certificate Authority" setting should be configured correctly for Outlook 2007.
The "S/MIME interoperability with external clients: (Handle internally | Handle externally | Handle if possible)" setting should be configured correctly for Outlook 2007.
The "Always use Rich Text formatting in S/MIME messages" setting should be configured correctly for Outlook 2007.
The "S/MIME password settings" setting should be configured correctly for Outlook 2007.
The "S/MIME password settings - Default S/MIME password time (minutes): (0 - 2147483647)" setting should be configured correctly for Outlook 2007.
2007 CCE-1582
enabled/disabled
2007 CCE-1357
enabled/disabled
2007 CCE-1132
enabled/disabled
2003/2007 CCE-1511
enabled/disabled
2007 CCE-1018
enabled/disabled
The "S/MIME password settings - Maximum S/MIME password time (minutes): (0 - 2147483647)" setting should be configured correctly for Outlook 2007.
The "Message Formats" setting should be configured correctly for Outlook 2007.
The "Message Formats - Support the following message formats: (S/MIME | Exchange | Fortezza | S/MIME and Exchange | S/MIME and Fortezza | Exchange and Fortezza | S/MIME, Exchange, and Fortezza)" setting should be configured correctly for Outlook 2007.
2007: The "Do not provide Continue option on Encryption warning dialog boxes" setting should be configured correctly for Outlook 2007. 2003: The "Disable Continue button on all Encryption warning dialogs" setting should be configured correctly.
The "Run in FIPS compliant mode" setting should be configured correctly for Outlook 2007.
2003/2007 CCE-1181
enabled/disabled
2007 CCE-1639
enabled/disabled
2007 CCE-677
enabled/disabled
2007 CCE-687
enabled/disabled
2007 CCE-1613
enabled/disabled
2007 CCE-1402
enabled/disabled
2007 CCE-1658
enabled/disabled
2007 CCE-1662
enabled/disabled
The "Encrypt all e-mail messages" setting should be configured correctly for Outlook 2007 and 2003.
The "Sign all e-mail messages" setting should be configured correctly for Outlook 2007.
The "URL for S/MIME certificates" setting should be configured correctly for Outlook 2007.
The "Ensure all S/MIME signed messages have a label" setting should be configured correctly for Outlook 2007.
The "S/MIME receipt requests (Open message if receipt can't be sent | Don't open message if receipt can't be sent | Always prompt before sending receipt | Never send S/MIME )" setting should be configured correctly for Outlook 2007.
The "Fortezza certificate policies" setting should be configured correctly for Outlook 2007.
The "Require SuiteB algorithms for S/MIME operations" setting should be configured correctly for Outlook 2007.
The "Missing CRLs" setting should be configured correctly for Outlook 2007.
2007 CCE-1080
enabled/disabled
2007 CCE-1076
enabled/disabled
2007 CCE-1636
enabled/disabled
2007 CCE-943
enabled/disabled
2007 CCE-1591
enabled/disabled
2007 CCE-1133
enabled/disabled
2007 CCE-725
enabled/disabled
2007 CCE-1347
enabled/disabled
The "Missing CRLs - Indicate a missing CRL as a(n): (warning | error)" setting should be configured correctly for Outlook 2007.
The "Missing root certificates" setting should be configured correctly for Outlook 2007.
The "Missing root certificates - Indicate a missing root certificate as a(n): (neither error nor warning | warning | error)" setting should be configured correctly for Outlook 2007.
The "Promote Level 2 errors as errors, not warnings" setting should be configured correctly for Outlook 2007.
The "Attachment Secure Temporary Folder" setting should be configured correctly for Outlook 2007.
The "Display pictures and external content in HTML e-mail" setting should be configured correctly for Outlook 2007.
The "Automatically download content for e-mail from people in Safe Senders and Safe Recipients Lists" setting should be configured correctly for Outlook 2007.
The "Do not permit download of content from safe zones" setting should be configured correctly for Outlook 2007.
2007 CCE-1475
enabled/disabled
2007 CCE-1497
enabled/disabled
2007 CCE-1501
enabled/disabled
2007 CCE-1030
enabled/disabled
2007 CCE-1052
enabled/disabled
2007 CCE-1462
enabled/disabled
2007 CCE-1281
enabled/disabled
The "Block Trusted Zones" setting should be configured correctly for Outlook 2007.
The "Include Internet in Safe Zones for Automatic Picture Download" setting should be configured correctly for Outlook 2007.
The "Include Intranet in Safe Zones for Automatic Picture Download" setting should be configured correctly for Outlook 2007.
The "Security setting for macros (Always warn | Never warn, disable all | Warn for signed, disable unsigned | No security check)" setting should be configured correctly for Outlook 2007.
The "Enable links in e-mail messages" setting should be configured correctly for Outlook 2007.
The "Apply macro security settings to macros, add-ins, and SmartTags" setting should be configured correctly for Outlook 2007.
The "Automatically configure profile based on Active Directory Primary SMTP address" setting should be configured correctly for Outlook 2007.
2007 CCE-1303
enabled/disabled
2007 CCE-1082
enabled/disabled
2007 CCE-1712
enabled/disabled
2007 CCE-1131
enabled/disabled
2007 CCE-1620
enabled/disabled
2007 CCE-1541
enabled/disabled
2007 CCE-1311
enabled/disabled
2007 CCE-1682
enabled/disabled
The "Do not allow users to change permissions on folders" setting should be configured correctly for Outlook 2007.
The "Enable RPC encryption" setting should be configured correctly for Outlook 2007.
The "Authentication with Exchange Server (Kerberos/NTLM Password Authentication | Kerberos Password Authentication | NTLM Password Authentication)" setting should be configured correctly for Outlook 2007.
The "Synchronize Outlook RSS Feeds with Common Feed List" setting should be configured correctly for Outlook 2007.
The "Turn off RSS feature" setting should be configured correctly for Outlook 2007.
The "Automatically download enclosures" setting should be configured correctly for Outlook 2007.
The "Download full text of articles as HTML attachments" setting should be configured correctly for Outlook 2007.
The "Automatically download attachments" setting should be configured correctly for Outlook 2007.
2007 CCE-1461
enabled/disabled
2007 CCE-1041
enabled/disabled
2007 CCE-1565
enabled/disabled
2007 CCE-1719
enabled/disabled
2007 CCE-1477
enabled/disabled
2007 CCE-1142
enabled/disabled
The "Do not include Internet Calendar integration in Outlook" setting should be configured correctly for Outlook 2007.
The "Disable user entries to server list (Publish default, allow others | Publish default, disallow others)" setting should be configured correctly for Outlook 2007.
The "Do not expand distribution lists" setting should be configured correctly for Outlook 2007.
The "Save files in this format (PowerPoint Presentation (*.pptx) | PowerPoint Macro-Enabled Presentation (*.pptm) | PowerPoint 97-2003 Presentation (*.ppt))" setting should be configured correctly for PowerPoint 2007.
The "Number of documents in the Recent Documents list (0 - 50)" setting should be configured correctly for PowerPoint 2007.
The "Determine whether to force encrypted macros to be scanned in Microsoft PowerPoint Open XML presentations" setting should be configured correctly for PowerPoint 2007.
2007 CCE-1649
enabled/disabled
2007 CCE-1279
enabled/disabled
2007 CCE-1451
enabled/disabled
2007 CCE-1204
enabled/disabled
2007 CCE-1107
enabled/disabled
2007 CCE-743
enabled/disabled
2007 CCE-747
enabled/disabled
2007 CCE-782
enabled/disabled
The "Run Programs (disable (don't run any programs) | enable (prompt user before running) | enable all (run without prompting))" setting should be configured correctly for PowerPoint 2007.
The "Make hidden markup visible" setting should be configured correctly for PowerPoint 2007.
The "Unblock automatic download of linked images" setting should be configured correctly for PowerPoint 2007.
The "Disable all application add-ins" setting should be configured correctly for PowerPoint 2007.
The "Require that application add-ins are signed by Trusted Publisher" setting should be configured correctly for PowerPoint 2007.
The "Disable Trust Bar Notification for unsigned application add-ins" setting should be configured correctly for PowerPoint 2007.
The "Allow Trusted Locations not on the computer" setting should be configured correctly for PowerPoint 2007.
The "Disable all trusted locations" setting should be configured correctly for PowerPoint 2007.
2007 CCE-1327
enabled/disabled
2007 CCE-1723
enabled/disabled
2007 CCE-1366
enabled/disabled
2007 CCE-1679
enabled/disabled
2007 CCE-1173
enabled/disabled
2007 CCE-1714
enabled/disabled
2007 CCE-1485
enabled/disabled
2007 CCE-1687
enabled/disabled
The "Disable commands" setting should be configured correctly for PowerPoint 2007.
The "Disable commands - Office Button | PowerPoint Options | Customize | All Commands | Web Page Preview" setting should be configured correctly for PowerPoint 2007.
The "Disable commands - Office Button | Send | Email" setting should be configured correctly for PowerPoint 2007.
The "Disable commands - Insert | Links | Hyperlink" setting should be configured correctly for PowerPoint 2007.
The "Disable commands - Review | Proofing | Language" setting should be configured correctly for PowerPoint 2007.
The "Disable commands - View | Macros | Macros" setting should be configured correctly for PowerPoint 2007.
The "Disable commands - Developer | Code | Macros" setting should be configured correctly for PowerPoint 2007.
The "Disable commands - Developer | Code | Macro Security" setting should be configured correctly for PowerPoint 2007.
2007 CCE-1709
enabled/disabled
2007 CCE-1463
enabled/disabled
2007 CCE-1467
enabled/disabled
2007 CCE-1740
enabled/disabled
2007 CCE-1780
enabled/disabled
2007 CCE-1661
enabled/disabled
2007 CCE-1688
enabled/disabled
2007 CCE-1701
enabled/disabled
The "Disable commands - Developer | Code | Visual Basic" setting should be configured correctly for PowerPoint 2007.
The "Disable commands - Office Button | PowerPoint Options | Customize | All Commands | Document Location" setting should be configured correctly for PowerPoint 2007.
The "Disable commands - Disable shortcut keys" setting should be configured correctly for PowerPoint 2007.
The "Disable commands - Ctrl+K (Insert | Links | Hyperlink)" setting should be configured correctly for PowerPoint 2007.
The "Disable commands - Alt+F8 (Developer | Code | Macros)" setting should be configured correctly for PowerPoint 2007.
The "Disable commands - Alt+F11 (Developer | Code | Visual Basic)" setting should be configured correctly for PowerPoint 2007.
The "Block opening of pre-release versions of file formats new to PowerPoint 2007" setting should be configured correctly for PowerPoint 2007.
The "Block opening of Open Xml files types" setting should be configured correctly for PowerPoint 2007.
2007 CCE-1348
enabled/disabled
2007 CCE-1644
enabled/disabled
2007 CCE-1194
enabled/disabled
2007 CCE-1216
enabled/disabled
2007 CCE-1506
enabled/disabled
2007 CCE-1136
enabled/disabled
2007 CCE-1766
enabled/disabled
2007 CCE-1180
enabled/disabled
2007 CCE-1722
enabled/disabled
2007 CCE-1731
enabled/disabled
The "Block opening of Binary file types" setting should be configured correctly for PowerPoint 2007.
The "Block opening of Html file types" setting should be configured correctly for PowerPoint 2007.
The "Block opening of Outlines" setting should be configured correctly for PowerPoint 2007.
The "Block opening of Converters" setting should be configured correctly for PowerPoint 2007.
The "Block saving of Open Xml file types" setting should be configured correctly for PowerPoint 2007.
The "Block saving of Binary file types" setting should be configured correctly for PowerPoint 2007.
The "Block saving of Html file types" setting should be configured correctly for PowerPoint 2007.
The "Block saving of Outlines" setting should be configured correctly for PowerPoint 2007.
The "Block saving of GraphicFilters" setting should be configured correctly for PowerPoint 2007.
The "Disable Slide Update" setting should be configured correctly for PowerPoint 2007.
2007 CCE-885
enabled/disabled
2007 CCE-1656
enabled/disabled
2007 CCE-1537
enabled/disabled
2007 CCE-1249
enabled/disabled
2007 CCE-1509
enabled/disabled
The "Hidden text" setting should be configured correctly for Word 2007.
The "Save files in this format (Word document (*.docx) | Single Files Web Page (*.mht) | Web Page (*.htm; *.html) | Web Page, Filtered (*.htm, *.html) | Rich Text Format (*.rtf) | Plain Text (*.txt) | Word 6.0/95 (*.doc) | Word 6.0/95 - Chinese (Simplified) (*.doc) | Word 6.0/95 - Chinese (Traditional) (*.doc) | Word 6.0/95 - Japanese (*.doc) | Word 6.0/95 - Korean (*.doc) | Word 97-2002 & 6.0/95 - RTF | Word 5.1 for Macintosh (*.mcw) | Word 5.0 for Macintosh (*.mcw) | Word 2.x for Windows (*.doc) | Works 4.0 for Windows (*.wps) | WordPerfect 5.x for Windows (*.doc) | WordPerfect 5.1 for DOS (*.doc) | Word 2007 Macro Enabled Document (*.docm) | Word 2007 Macro Free Template (*.dotx) | Word 2007 Macro Enabled Template (*.dotm) | Word 97 - 2003 Document (*.doc) | Word 97 - 2003 Template (*.dot) | Flat XML Document (*.xml))" setting should be configured correctly for
The "Number of documents in the Recent Documents list (0-50)" setting should be configured correctly for Word 2007.
The "Update automatic links at Open" setting should be configured correctly for Word 2007.
The "Save smart tags in e-mail" setting should be configured correctly for Word 2007.
2007 CCE-1280
enabled/disabled
2007 CCE-1681
enabled/disabled
2007 CCE-1562
enabled/disabled
2007 CCE-1333
enabled/disabled
2007 CCE-1355
enabled/disabled
2007 CCE-1637
enabled/disabled
2007 CCE-1659
enabled/disabled
2007 CCE-1329
enabled/disabled
The "Determine whether to force encrypted macros to be scanned in Microsoft Word Open XML documents" setting should be configured correctly for Word 2007.
The "Disable all application add-ins" setting should be configured correctly for Word 2007.
The "Require that application add-ins are signed by Trusted Publisher" setting should be configured correctly for Word 2007.
The "Disable Trust Bar Notification for unsigned application add-ins" setting should be configured correctly for Word 2007.
The "Allow Trusted Locations not on the computer" setting should be configured correctly for Word 2007.
The "Disable all trusted locations" setting should be configured correctly for Word 2007.
The "Disable commands" setting should be configured correctly for Word 2007.
The "Disable commands - Office Button | Word Options | Customize | All Commands | Save As Web Page" setting should be configured correctly for Word 2007.
2007 CCE-1632
enabled/disabled
2007 CCE-1425
enabled/disabled
2007 CCE-1196
enabled/disabled
2007 CCE-936
enabled/disabled
2007 CCE-1354
enabled/disabled
2007 CCE-1125
enabled/disabled
2007 CCE-1742
enabled/disabled
2007 CCE-1782
enabled/disabled
The "Disable commands - Office Button | Word Options | Customize | All Commands | Web Page Preview" setting should be configured correctly for Word 2007.
The "Disable commands - Office Button | Send | Email" setting should be configured correctly for Word 2007.
The "Disable commands - Insert | Links | Hyperlink" setting should be configured correctly for Word 2007.
The "Disable commands - Review | Protect | Protect Document" setting should be configured correctly for Word 2007.
The "Disable commands - View | Macros | Macros" setting should be configured correctly for Word 2007.
The "Disable commands - Developer | Code | Macros" setting should be configured correctly for Word 2007.
The "Disable commands - Developer | Code | Record Macro" setting should be configured correctly for Word 2007.
The "Disable commands - Developer | Code | Macro Security" setting should be configured correctly for Word 2007.
2007 CCE-1306
enabled/disabled
2007 CCE-1548
enabled/disabled
2007 CCE-1716
enabled/disabled
2007 CCE-1597
enabled/disabled
2007 CCE-1689
enabled/disabled
2007 CCE-1570
enabled/disabled
2007 CCE-1720
enabled/disabled
2007 CCE-1746
enabled/disabled
The "Disable commands - Developer | Code | Visual Basic" setting should be configured correctly for Word 2007.
The "Disable commands - Developer | Templates | Document Template" setting should be configured correctly for Word 2007.
The "Disable shortcut keys" setting should be configured correctly for Word 2007.
The "Disable shortcut keys - Ctrl+F (Home | Editing | Find)" setting should be configured correctly for Word 2007.
The "Disable shortcut keys - Ctrl+K (Insert | Links | Hyperlink)" setting should be configured correctly for Word 2007.
The "Disable shortcut keys - Alt+F8 (Developer | Code | Macros)" setting should be configured correctly for Word 2007.
The "Disable shortcut keys - Alt+F11 (Developer | Code | Visual Basic)" setting should be configured correctly for Word 2007.
The "Block opening of pre-release versions of file formats new to Word 2007" setting should be configured correctly for Word 2007.
2007 CCE-1504
enabled/disabled
2007 CCE-1654
enabled/disabled
2007 CCE-1160
enabled/disabled
2007 CCE-958
enabled/disabled
2007 CCE-1579
enabled/disabled
2007 CCE-984
enabled/disabled
2007 CCE-1072
enabled/disabled
2007 CCE-1503
enabled/disabled
2007 CCE-1371
enabled/disabled
2007 CCE-1019
enabled/disabled
The "Block opening of Open XML file types" setting should be configured correctly for Word 2007.
The "Block opening of Binary file types" setting should be configured correctly for Word 2007.
The "Block opening of HTML file types" setting should be configured correctly for Word 2007.
The "Block opening of Word 2003 XML file types" setting should be configured correctly for Word 2007.
The "Block opening of RTF file types" setting should be configured correctly for Word 2007.
The "Block open Converters" setting should be configured correctly for Word 2007.
The "Block opening of Text file types" setting should be configured correctly for Word 2007.
The "Block opening of Internal file types" setting should be configured correctly for Word 2007.
The "Block opening of files before version" setting should be configured correctly for Word 2007.
The "Block saving of Open XML file types" setting should be configured correctly for Word 2007.
2007 CCE-1684
enabled/disabled
2007 CCE-1675
enabled/disabled
2007 CCE-1200
enabled/disabled
2007 CCE-1741
enabled/disabled
2007 CCE-1231
enabled/disabled
2007 CCE-1755
enabled/disabled
2007 CCE-1169
enabled/disabled
2007 CCE-1735
enabled/disabled
The "Block saving of Binary file types" setting should be configured correctly for Word 2007.
The "Block saving of HTML file types" setting should be configured correctly for Word 2007.
The "Block saving of Word 2003 XML file types" setting should be configured correctly for Word 2007.
The "Block saving of RTF file types" setting should be configured correctly for Word 2007.
The "Block saving of Converters" setting should be configured correctly for Word 2007.
The "Block saving of Text file types" setting should be configured correctly for Word 2007.
ms computer config
The InfoPath APTCA Assembly Whitelist setting should be configured correctly.
The Windows Internet Explorer Feature Control Opt-In (None | InfoPath.exe, Document Information Panel and Workflow forms | InfoPath.exe, Document Information Panel, Workflow forms and 3rd Party Hosting) setting should be configured correctly.
2007 CCE-1739
enabled/disabled
2007 CCE-933
enabled/disabled
2007 CCE-1563
enabled/disabled
2007 CCE-1215
enabled/disabled
2007 CCE-1484
enabled/disabled
2007 CCE-1629
enabled/disabled
2007 CCE-1762
enabled/disabled
The InfoPath APTCA Assembly Whitelist Enforcement setting should be configured correctly.
The Disable Package Repair setting should be configured correctly.
The Disable user name and password setting should be configured correctly.
The Disable user name and password - excel.exe setting should be configured correctly.
The Disable user name and password - powerpnt.exe setting should be configured correctly.
The Disable user name and password - pptview.exe setting should be configured correctly.
The Disable user name and password - winword.exe setting should be configured correctly.
2007 CCE-1660
enabled/disabled
2007 CCE-1057
enabled/disabled
2007 CCE-1285
enabled/disabled
2007 CCE-1669
enabled/disabled
2007 CCE-1691
enabled/disabled
2007 CCE-1338
enabled/disabled
2007 CCE-1717
enabled/disabled
2007 CCE-1488
enabled/disabled
The Disable user name and password - outlook.exe setting should be configured correctly.
The Disable user name and password - spDesign.exe setting should be configured correctly.
The Disable user name and password - msaccess.exe setting should be configured correctly.
The Bind to object setting should be configured correctly.
The Bind to object - excel.exe setting should be configured correctly.
The Bind to object - powerpnt.exe setting should be configured correctly.
The Bind to object - pptview.exe setting should be configured correctly.
The Bind to object - winword.exe setting should be configured correctly.
2007 CCE-1638
enabled/disabled
2007 CCE-1647
enabled/disabled
2007 CCE-1294
enabled/disabled
2007 CCE-1193
enabled/disabled
2007 CCE-1352
enabled/disabled
2007 CCE-928
enabled/disabled
2007 CCE-1576
enabled/disabled
2007 CCE-1100
enabled/disabled
The Bind to object - outlook.exe setting should be configured correctly.
The Bind to object - spDesign.exe setting should be configured correctly.
The Bind to object - msaccess.exe setting should be configured correctly.
The Saved from URL setting should be configured correctly.
The Saved from URL - excel.exe setting should be configured correctly.
The Saved from URL - powerpnt.exe setting should be configured correctly.
The Saved from URL - pptview.exe setting should be configured correctly.
The Saved from URL - pptview.exe setting should be configured correctly.
2007 CCE-1232
enabled/disabled
2007 CCE-1774
enabled/disabled
2007 CCE-906
enabled/disabled
2007 CCE-1034
enabled/disabled
2007 CCE-1435
enabled/disabled
2007 CCE-1708
enabled/disabled
2007 CCE-808
enabled/disabled
2007 CCE-1650
enabled/disabled
The Saved from URL - outlook.exe setting should be configured correctly.
The Saved from URL - spDesign.exe setting should be configured correctly.
The Saved from URL - msaccess.exe setting should be configured correctly.
The Navigate URL setting should be configured correctly.
The Navigate URL - excel.exe setting should be configured correctly.
The Navigate URL - powerpnt.exe setting should be configured correctly.
The Navigate URL - pptview.exe setting should be configured correctly.
The Navigate URL - winword.exe setting should be configured correctly.
2007 CCE-1223
enabled/disabled
2007 CCE-1764
enabled/disabled
2007 CCE-1769
enabled/disabled
2007 CCE-1152
enabled/disabled
2007 CCE-1566
enabled/disabled
2007 CCE-1077
enabled/disabled
2007 CCE-1606
enabled/disabled
2007 CCE-1738
enabled/disabled
The Navigate URL - outlook.exe setting should be configured correctly.
The Navigate URL - spDesign.exe setting should be configured correctly.
The Navigate URL - msaccess.exe setting should be configured correctly.
The Block popups setting should be configured correctly.
The Block popups - excel.exe setting should be configured correctly.
The Block popups - powerpnt.exe setting should be configured correctly.
The Block popups - pptview.exe setting should be configured correctly.
The Block popups - winword.exe setting should be configured correctly.
2007 CCE-1262
enabled/disabled
2007 CCE-1663
enabled/disabled
2007 CCE-1544
enabled/disabled
new NIST
2007 CCE-1443 1 = Enabled
2003 CCE-1161
2003 CCE-1421
The Block popups - outlook.exe setting should be configured correctly.
The Block popups - spDesign.exe setting should be configured correctly.
The Block popups - msaccess.exe setting should be configured correctly.
The "Prevent users from customizing attachment security settings" setting should be configured correctly.
The "Access: Macro Security Level" setting should be configured correctly.
1 = Enabled - Low | 2 = Enabled - Medium | 3 = Enabled - High
The "Access: Trust all installed add-ins and templates" setting should be configured correctly.
0 = Enabled | 1 = Disabled
2003 CCE-1571
2003 CCE-1721
2003 CCE-1602
2003 CCE-1624
2003 CCE-1522
The "Excel: Macro Security Level" setting should be configured correctly.
1 = Enabled - Low | 2 = Enabled - Medium | 3 = Enabled - High
The "Excel: Trust all installed add-ins and templates" setting should be configured correctly.
0 = Enabled | 1 = Disabled
The "Outlook: Macro Security Level" setting should be configured correctly.
1 = Enabled - Low | 2 = Enabled - Medium | 3 = Enabled - High
The "Outlook: Trust all installed add-ins and templates" setting should be configured correctly.
0 = Enabled | 1 = Disabled
The "Outlook virus security settings" setting should be configured correctly.
0 = Uses default administrative settings | 1 = Look in the Outlook Security Settings folder | 2 = Look in the Outlook 10 Security Settings folder
2003 CCE-1183
2003 CCE-1611
2003 CCE-1633
2003 CCE-822
2003 CCE-1734
2003 CCE-1628
The "S/MIME receipt requests" setting should be configured correctly.
0 = Open message if receipt can't be sent | 1 = Always prompt before sending receipt | 2 = Never send S/MIME receipts | 3 = Don't open message if receipt can't be sent
The "PowerPoint: Macro Security Level" setting should be configured correctly.
1 = Enabled - Low | 2 = Enabled - Medium | 3 = Enabled - High
The "PowerPoint: Trust all installed add-ins and templates" setting should be configured correctly.
0 = Enabled | 1 = Disabled
The "Publisher: Macro Security Level" setting should be configured correctly.
1 = Enabled - Low | 2 = Enabled - Medium | 3 = Enabled - High
The "Publisher: Trust all installed add-ins and templates" setting should be configured correctly.
0 = Enabled | 1 = Disabled
The "Word: Macro Security Level" setting should be configured correctly.
1 = Enabled - Low | 2 = Enabled - Medium | 3 = Enabled - High
2003 CCE-1761
2003 CCE-1302
2003 CCE-1307
CCE-5
CCE-119
The "Word: Trust all installed add-ins and templates" setting should be configured correctly.
0 = Enabled | 1 = Disabled
The "Store random number to improve merge accuracy" setting should be configured correctly.
0 = Enabled | 1 = Disabled
The "Prevent Users from Changing Office Encryption Settings" setting should be configured correctly.
0 = Disabled | 1 = Enabled
Internet Explorer
The "Security Zones: Use Only Machine Settings" setting should be configured correctly.
(1) enabled/disabled
Internet Explorer Processes (Restrict ActiveX Install)
(1) enabled/disabled
CCE-146
CCE-212
CCE-270
CCE-347 enabled/disabled
The "Security Zones: Do Not Allow Users to Add/Delete Sites" setting should be configured correctly.
(1) enabled/disabled
The "Disable Periodic Check For Internet Explorer Software Updates" setting should be configured correctly.
(1) enabled/disabled
DEPRECATED in favor of CCE-684.
Internet Explorer Processes (Zone Elevation Protection)
CCE-382 enabled/disabled
CCE-449 enabled/disabled
CCE-498
CCE-591
The "Internet Explorer Processes (Consistent MIME Handling)" setting should be configured correctly.
The "Allow Software to Run or Install Even if the Signature is Invalid" setting should be configured correctly.
DEPRECATED in favor of CCE-212.
The "Internet Explorer Processes (MK Protocol)" setting should be configured correctly.
(1) enabled/disabled
CCE-622
CCE-668 enabled/disabled
CCE-684
CCE-693
The "Disable Software Update Shell Notifications on Program Launch" setting should be configured correctly.
(1) enabled/disabled
The "Internet Explorer Processes (Restrict File Download)" setting should be configured correctly.
The "Disable Automatic Install of Internet Explorer Components" setting should be configured correctly.
(1) enabled/disabled
The "Make Proxy Settings Per-Machine (Rather Than Per-User)" setting should be configured correctly.
(1) number of proxy settings
CCE-708 enabled/disabled
CCE-753 enabled/disabled
CCE-827 enabled/disabled
CCE-833
The "Do Not Allow Users to Enable or Disable Add-Ons" setting should be configured correctly.
The "Turn Off Crash Detection" setting should be configured correctly.
The "Internet Explorer Processes (Scripted Window Security Restrictions)" setting should be configured correctly.
The "Security Zones: Do Not Allow Users to Change Policies" setting should be configured correctly.
(1) enabled/disabled
CCE-985 enabled/disabled
CCE-1025 enabled/disabled
CCE-42 enabled/disabled
CCE-49 enabled/disabled
CCE-863 enabled/disabled
CCE-286 enabled/disabled
The "Internet Explorer Processes (MIME Sniffing)" setting should be configured correctly.
The "Check for Signature on Downloaded Programs" setting should be configured correctly.
The "Do Not Allow Resetting Internet Explorer Settings" setting should be configured correctly.
The "Allow cut, copy, or paste operations from the clipboard via script" setting should be configured correctly for the Internet Zone.
The "Turn Off First-Run Opt-In" setting should be configured correctly for the Internet Zone.
The "Web Browser Applications" setting should be configured correctly for the Internet Zone.
CCE-1031 enabled/disabled
CCE-200 enabled/disabled
CCE-51 enabled/disabled
CCE-876 enabled/disabled
CCE-810 enabled/disabled
CCE-811 enabled/disabled
CCE-595 enabled/disabled
CCE-938 enabled/disabled
The "Allow cut, copy, or paste operations from the clipboard via script" setting should be configured correctly for the Restricted Sites Zone.
The "Turn Off First-Run Opt-In" setting should be configured correctly for the Restricted Sites Zone.
The "Web Browser Applications" setting should be configured correctly for the Restricted Sites Zone.
The "Intranet Sites: Include all network paths (UNCs)" setting should be configured correctly.
The "Disable the Advanced Page" setting should be configured correctly.
The "Disable the Privacy Page" setting should be configured correctly.
The "Disable the Security Page" setting should be configured correctly.
The "Prevent Ignoring Certificate Errors" setting should be configured correctly.
CCE-946 enabled/disabled
CCE-237 enabled/disabled
CCE-541 enabled/disabled
CCE-911 enabled/disabled
CCE-66 enabled/disabled
CCE-471 enabled/disabled
CCE-611 enabled/disabled
The "Turn Off changing the URL to be displayed for checking updates to Internet Explorer and Internet Tools" setting should be configured correctly.
The "Turn Off Configuring the Update Check Interval (In Days)" setting should be configured correctly.
The "Add-on List" setting should be configured correctly.
The "Deny all add-ons unless specifically allowed in the Add-on List" setting should be configured correctly.
The "Disable "Configuring History"" setting should be configured correctly.
The "Disable Changing Automatic Configuration Settings" setting should be configured correctly.
The "Disable Changing Connection Settings" setting should be configured correctly.
CCE-62 enabled/disabled
CCE-556 enabled/disabled
CCE-948 enabled/disabled
CCE-495 enabled/disabled
CCE-1006 enabled/disabled
CCE-909 enabled/disabled
CCE-1010 enabled/disabled
CCE-1032 enabled/disabled
CCE-1054 enabled/disabled
The "Disable Changing Proxy Settings" setting should be configured correctly.
The "Disable Showing the Splash Screen" setting should be configured correctly.
The "Prevent "Fix settings" Functionality" setting should be configured correctly.
The "Prevent participation in the Customer Experience Improvement Programs" setting should be configured correctly.
The "Prevent performance of First Run Customize settings" setting should be configured correctly.
The "Prevent the deletion of temporary internet files and cookies" setting should be configured correctly.
The "Turn off "Delete Browsing History" functionality" setting should be configured correctly.
The "Turn off Managing Phishing Filter" setting should be configured correctly.
The "Turn off the Security Settings Check feature" setting should be configured correctly.
CCE-964 enabled/disabled
CCE-598 enabled/disabled
CCE-1008 enabled/disabled
CCE-690 enabled/disabled
CCE-47
CCE-685
CCE-491
CCE-355
The "Allow Active Content from CD's to Run on User Machine" setting should be configured correctly.
The "Enable third-party browser extensions" setting should be configured correctly.
The "Automatically Check for Internet Explorer Updates" setting should be configured correctly.
The "Check for Server Certificate Revocation" setting should be configured correctly.
The "Access data sources across domains" setting should be configured correctly for the Internet Zone.
enabled/disabled/prompt
The "Drag and drop or copy and paste files" setting should be configured correctly for the Internet Zone.
enabled/disabled/prompt
The "Font download" setting should be configured correctly for the Internet Zone.
enabled/disabled/prompt
The "Installation of desktop items" setting should be configured correctly for the Internet Zone.
enabled/disabled/prompt
CCE-280 enabled/disabled
CCE-439
CCE-914 enabled/disabled
CCE-16 enabled/disabled
CCE-1013
CCE-176
The "Allow script-initiated windows without size or position constraints" setting should be configured correctly for the Internet Zone.
The "Allow Scriptlets" setting should be configured correctly for the Internet Zone.
enabled/disabled/prompt
The "Allow status bar updates via script" setting should be configured correctly for the Internet Zone.
The "Automatic prompting for file downloads" setting should be configured correctly for the Internet Zone.
The "Download signed ActiveX controls" setting should be configured correctly for the Internet Zone.
enabled/disabled/prompt
The "Download unsigned ActiveX controls" setting should be configured correctly for the Internet Zone.
enabled/disabled/prompt
CCE-586
CCE-132
CCE-689
CCE-720
CCE-126
The "Initialize and script ActiveX controls not marked as safe for scripting" setting should be configured correctly for the Internet Zone.
enabled/disabled/prompt
The "Java permissions" setting should be configured correctly for the Internet Zone.
Custom/Disable Java/High safety/Low safety/Medium safety
The "Launching programs and files in an IFRAME" setting should be configured correctly for the Internet Zone.
enabled/disabled/prompt
The "Logon" setting should be configured correctly for the Internet Zone.
Anonymous logon/Automatic logon only in Intranet zone/Automatic logon with current user name and password/Prompt for user name and password
The "Loose XAML" setting should be configured correctly for the Internet Zone.
enabled/disabled/prompt
CCE-245
CCE-910 enabled/disabled
CCE-359
CCE-1002 enabled/disabled
CCE-425 enabled/disabled
CCE-724
CCE-1015
The "Navigate sub-frames across different domains" setting should be configured correctly for the Internet Zone.
enabled/disabled/prompt
The "Open files based on content, not file extension" setting should be configured correctly for the Internet Zone.
The "Software channel permissions" setting should be configured correctly for the Internet Zone.
High safety/low safety/medium safety
The "Use Pop-up Blocker" setting should be configured correctly for the Internet Zone.
The "Userdata persistence" setting should be configured correctly for the Internet Zone.
The "Web sites in less privileged Web content zones can navigate into this zone" setting should be configured correctly for the Internet Zone.
enabled/disabled/prompt
The "XPS documents" setting should be configured correctly for the Internet Zone.
enabled/disabled/prompt
CCE-878
CCE-288
CCE-552
CCE-473
CCE-239
CCE-636
CCE-292
The "Display mixed content" setting should be configured correctly for the Internet Zone.
enabled/disabled/prompt
The "Display mixed content" setting should be configured correctly for the Intranet Zone.
enabled/disabled/prompt
The "Display mixed content" setting should be configured correctly for the Locked Down Intranet Zone.
enabled/disabled/prompt
The "Display mixed content" setting should be configured correctly for the Local Machine Zone.
enabled/disabled/prompt
The "Display mixed content" setting should be configured correctly for the Locked Down Local Machine Zone.
enabled/disabled/prompt
The "Access data sources across domains" setting should be configured correctly for the Restricted Sites Zone.
enabled/disabled/prompt
The "Active scripting" setting should be configured correctly for the Restricted Sites Zone.
enabled/disabled/prompt
CCE-178
CCE-41
CCE-970 enabled/disabled
CCE-882
CCE-763
CCE-680 enabled/disabled
The "Binary and script behaviors" setting should be configured correctly for the Restricted Sites Zone.
Administrator approved/enabled/disabled
The "Drag and drop or copy and paste files" setting should be configured correctly for the Restricted Sites Zone.
enabled/disabled/prompt
The "File download" setting should be configured correctly for the Restricted Sites Zone.
The "Font download" setting should be configured correctly for the Restricted Sites Zone.
enabled/disabled/prompt
The "Installation of desktop items" setting should be configured correctly for the Restricted Sites Zone.
enabled/disabled/prompt
The "Allow META REFRESH" setting should be configured correctly for the Restricted Sites Zone.
CCE-208 enabled/disabled
CCE-838
CCE-129 enabled/disabled
CCE-175 enabled/disabled
CCE-52
CCE-1012
The "Allow script-initiated windows without size or position constraints" setting should be configured correctly for the Restricted Sites Zone.
The "Allow Scriptlets" setting should be configured correctly for the Restricted Sites Zone.
enabled/disabled/prompt
The "Allow status bar updates via script" setting should be configured correctly for the Restricted Sites Zone.
The "Automatic prompting for file downloads" setting should be configured correctly for the Restricted Sites Zone.
The "Download signed ActiveX controls" setting should be configured correctly for the Restricted Sites Zone.
enabled/disabled/prompt
The "Download unsigned ActiveX controls" setting should be configured correctly for the Restricted Sites Zone.
enabled/disabled/prompt
CCE-26
CCE-925
CCE-339
CCE-128
CCE-639
CCE-995
The "Initialize and script ActiveX controls not marked as safe for scripting" setting should be configured correctly for the Restricted Sites Zone.
enabled/disabled/prompt
The "Java permissions" setting should be configured correctly for the Restricted Sites Zone.
Custom/Disable Java/High safety/Low safety/Medium safety
The "Launching programs and files in an IFRAME" setting should be configured correctly for the Restricted Sites Zone.
enabled/disabled/prompt
The "Logon" setting should be configured correctly for the Restricted Sites Zone.
Anonymous logon/Automatic logon only in Intranet zone/Automatic logon with current user name and password/Prompt for user name and password
The "Loose XAML" setting should be configured correctly for the Restricted Sites Zone.
enabled/disabled/prompt
The "Navigate sub-frames across different domains" setting should be configured correctly for the Restricted Sites Zone.
enabled/disabled/prompt
CCE-409 enabled/disabled
CCE-678
CCE-563
CCE-841
CCE-973
The "Open files based on content, not file extension" setting should be configured correctly for the Restricted Sites Zone.
The "Run components not signed with Authenticode" setting should be configured correctly for the Restricted Sites Zone.
enabled/disabled/prompt
The "Run components signed with Authenticode" setting should be configured correctly for the Restricted Sites Zone.
enabled/disabled/prompt
The "Run ActiveX controls and plugins" setting should be configured correctly for the Restricted Sites Zone.
Administrator approved/enabled/disabled/prompt
The "Script ActiveX controls marked safe for scripting" setting should be configured correctly for the Restricted Sites Zone.
enabled/disabled/prompt
CCE-1000
CCE-520
CCE-660 enabled/disabled
CCE-28 enabled/disabled
CCE-698
CCE-460
The "Scripting of Java applets" setting should be configured correctly for the Restricted Sites Zone.
enabled/disabled/prompt
The "Software channel permissions" setting should be configured correctly for the Restricted Sites Zone.
High safety/low safety/medium safety
The "Use Pop-up Blocker" setting should be configured correctly for the Restricted Sites Zone.
The "Userdata persistence" setting should be configured correctly for the Restricted Sites Zone.
The "Web sites in less privileged Web content zones can navigate into this zone" setting should be configured correctly for the Restricted Sites Zone.
enabled/disabled/prompt
The "XPS documents" setting should be configured correctly for the Restricted Sites Zone.
enabled/disabled/prompt
CCE-30
CCE-31
CCE-666
CCE-528 enabled/disabled
CCE-721 enabled/disabled
CCE-69 enabled/disabled
CCE-71 enabled/disabled
CCE-478 enabled/disabled
CCE-412 enabled/disabled
CCE-1037 enabled/disabled
The "Display mixed content" setting should be configured correctly for the Restricted Sites Zone.
enabled/disabled/prompt
The "Display mixed content" setting should be configured correctly for the Trusted Sites Zone.
enabled/disabled/prompt
The "Display mixed content" setting should be configured correctly for the Locked Down Trusted Sites Zone.
enabled/disabled/prompt
The "Enable Native XMLHttp Support" setting should be configured correctly.
The "Turn on the auto-complete feature for user names and passwords on form" setting should be configured correctly.
The "Allow Install On Demand (Internet Explorer)" setting should be configured correctly.
The "Turn off page transitions" setting should be configured correctly.
The "Disable AutoComplete for forms" setting should be configured correctly.
The "Disable Save this program to disk option" setting should be configured correctly.
The "Disable changing certificate settings" setting should be configured correctly.
CCE-1051 enabled/disabled
CCE-963 enabled/disabled
CCE-258 enabled/disabled
CCE-769 enabled/disabled
CCE-625 enabled/disabled
CCE-74 enabled/disabled
CCE-122 enabled/disabled
CCE-716 enabled/disabled
CCE-610 enabled/disabled
CCE-619 enabled/disabled
CCE-373 enabled/disabled
CCE-298 enabled/disabled
CCE-1069 enabled/disabled
The "Disable external branding of Internet Explorer" setting should be configured correctly.
The "Configure Outlook Express" setting should be configured correctly.
The "Turn on the Internet Connection Wizard Auto Detect" setting should be configured correctly.
The "Disable Internet Connection wizard" setting should be configured correctly.
The "Disable the Reset Web Settings feature" should be configured correctly.
The "Disable Downloading Of Site Subscription Content" setting should be configured correctly.
The "Disable Adding Schedules For Offline Pages" setting should be configured correctly.
The "Disable Adding Channels" setting should be configured correctly.
The "Disable Editing And Creating Of Schedule Groups" setting should be configured correctly.
The "Disable All Scheduled Offline Pages" setting should be configured correctly.
The "Disable Editing Schedules For Offline Pages" setting should be configured correctly.
The "Disable Channel User Interface Completely" setting should be configured correctly.
The "Disable Removing Channels" setting should be configured correctly.
CCE-615 enabled/disabled
CCE-1003 enabled/disabled
CCE-1027
CCE-1067
CCE-1063
CCE-113 enabled/disabled
CCE-1022 enabled/disabled
CCE-1087 enabled/disabled
CCE-494
CCE-365 enabled/disabled
The "Disable Removing Schedules For Offline Pages" setting should be configured correctly.
The "Disable Offline Page Hit Logging" setting should be configured correctly.
The "Increase a Process Working Set" setting should be configured correctly.
Set of users or groups
The "Behavior of the elevation prompt for standard users" setting should be configured correctly.
Prompt for credentials/Automatically deny
The "Behavior of the elevation prompt for administrators in Admin Approval Mode" setting should be configured correctly.
Prompt for consent/Prompt for credentials/Automatically deny
The "Remove CD Burning features" setting should be configured correctly.
The "Remove Security tab" setting should be configured correctly.
The "Empty Temporary Internet Files folder when browser is closed" setting should be configured correctly.
The "Disable changing Temporary Internet files settings" setting should be configured correctly.
The "Internet Explorer Maintenance Policy Processing - Allow processing across a slow network connection" setting should be configured correctly.
CCE-121 enabled/disabled
CCE-1103 enabled/disabled
CCE-947 enabled/disabled
CCE-329 enabled/disabled
CCE-377 enabled/disabled
CCE-1134 enabled/disabled
CCE-1092 enabled/disabled
CCE-1035 enabled/disabled
CCE-320
The "Internet Explorer Maintenance Policy Processing - Do not apply during periodic background processing" setting should be configured correctly.
The "Internet Explorer Maintenance Policy Processing - Process even if the Group Policy objects have not changed" setting should be configured correctly.
The "Turn on Mapper I/O (LLTDIO) driver" setting should be configured correctly for the domain profile.
The "Turn on Mapper I/O (LLTDIO) driver" setting should be configured correctly for the public profile.
The "Turn on Mapper I/O (LLTDIO) driver" setting should be configured correctly for the private profile.
The "Turn on Responder (RSPNDR) driver" setting should be configured correctly for the domain profile.
The "Turn on Responder (RSPNDR) driver" setting should be configured correctly for the public profile.
The "Turn on Responder (RSPNDR) driver" setting should be configured correctly for the private profile.
The "Java permissions" setting should be configured correctly for the Locked Down Intranet Zone.
Custom/Disable Java/High safety/Low safety/Medium safety
CCE-138
CCE-1045
CCE-1088
CCE-675
CCE-140
CCE-734 enabled/disabled
CCE-469 enabled/disabled
The "Java permissions" setting should be configured correctly for the Local Machine Zone.
Custom/Disable Java/High safety/Low safety/Medium safety
The "Java permissions" setting should be configured correctly for the Locked Down Local Machine Zone.
Custom/Disable Java/High safety/Low safety/Medium safety
The "Java permissions" setting should be configured correctly for the Locked Down Restricted Sites Zone.
Custom/Disable Java/High safety/Low safety/Medium safety
The "Java permissions" setting should be configured correctly for the Trusted Sites Zone.
Custom/Disable Java/High safety/Low safety/Medium safety
The "Java permissions" setting should be configured correctly for the Locked Down Trusted Sites Zone.
Custom/Disable Java/High safety/Low safety/Medium safety
The "Configuration of wireless settings using Windows Connect Now" setting should be configured correctly for Wireless Connect Now over Ethernet (UPnP).
The "Configuration of wireless settings using Windows Connect Now" setting should be configured correctly for USB flash drives.
CCE-302 enabled/disabled
CCE-836 enabled/disabled
CCE-959 enabled/disabled
CCE-803 enabled/disabled
CCE-798 enabled/disabled
CCE-215 enabled/disabled
CCE-144 enabled/disabled
CCE-174 enabled/disabled
CCE-1109 enabled/disabled
CCE-1122 enabled/disabled
CCE-1144 enabled/disabled
The "Configuration of wireless settings using Windows Connect Now" setting should be configured correctly for the Windows Portable Device API.
The 'Approved Installation Sites for ActiveX Controls' security mechanism should be enabled or disabled as appropriate.
The "Disable Logging" setting should be configured correctly.
The "Disable Windows Error Reporting" setting should be configured correctly.
The "Do not send additional data" setting should be configured correctly.
The "Configure Corporate Windows Error Reporting" setting should be configured correctly.
The "Remove Default Programs link from the Start menu" setting should be configured correctly.
The "Turn off Help Experience Improvement Program" setting should be configured correctly.
The "Turn off Help Ratings" setting should be configured correctly.
The "Turn off Windows Online" setting should be configured correctly.
The "Prevent users from sharing files within their profile" setting should be configured correctly.
CCE-389 list of accounts
CCE-470 list of accounts
CCE-1176 list of accounts
CCE-1023 list of accounts
CCE-1185 set of paths
CCE-1078 enabled/disabled
CCE-1128 enabled/disabled
CCE-1104 enabled/disabled
CCE-986 enabled/disabled
The "Access Credential Manager as a trusted caller" user right should be assigned to the appropriate accounts.
The "Change the time zone" user right should be assigned to the appropriate accounts.
The "Create Symbolic Links" user right should be assigned to the appropriate accounts.
The "Modify an object label" user right should be assigned to the appropriate accounts.
The "Remotely accessible registry paths and subpaths" policy should be set correctly.
The "User Account Control: Admin Approval Mode for the Built-in Administrator account" setting should be configured correctly.
The "User Account Control: Detect application installations and prompt for elevation" setting should be configured correctly.
The "User Account Control: Only elevate executables that are signed and validated" setting should be configured correctly.
The "User Account Control: Only elevate UIAccess applications that are installed in secure locations" setting should be configured correctly.
CCE-1050 enabled/disabled
CCE-230 enabled/disabled
CCE-673 enabled/disabled
CCE-1225
CCE-957
CCE-241 enabled/disabled
CCE-259 enabled/disabled
CCE-262 (1) Size limit (KB)
CCE-1005
The "User Account Control: Run all administrators in Admin Approval Mode" setting should be configured correctly.
The "User Account Control: Switch to the secure desktop when prompting for elevation" setting should be configured correctly.
The "User Account Control: Virtualize file and registry write failures to per-user locations" setting should be configured correctly.
The required permissions for the file %SystemRoot%\System32\mshta.exe should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the WLAN AutoConfig service should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The "Prohibit use of Internet Connection Firewall on your DNS domain network" setting should be configured correctly.
The "Display Error Notification" setting should be configured correctly.
The setup log maximum size should be configured correctly.
Computer-wide, rather than per-user, assignment of sites to zones for Internet Explorer should be enabled or disabled as appropriate.
enabled, disabled, or not configured
CCE-281 enabled/disabled
CCE-308
CCE-1147 enabled/disabled
CCE-1211 enabled/disabled
CCE-312
CCE-1140 enabled/disabled
CCE-313 enabled/disabled
CCE-1047
The "Turn on Protected Mode" setting should be configured correctly for the Internet Zone.
The "Download signed ActiveX controls" setting should be configured correctly for the Locked-Down Internet Zone.
enabled/disabled/prompt
The "Allow status bar updates via script" setting should be configured correctly for the Locked-Down Trusted Sites Zone.
The "Turn on Protected Mode" setting should be configured correctly for the Restricted Sites Zone.
Computer-wide, rather than per-user, use of Microsoft Spynet Reporting for Windows Defender should be enabled or disabled as appropriate.
enabled, disabled, or not configured
The "Do Not Show First Use Dialog Boxes" setting for Windows Media Player should be configured correctly.
The "Prevent Desktop Shortcut Creation" setting for Windows Media Player should be configured correctly.
User notifications when a program is blocked from receiving inbound connections by Windows Firewall should be enabled or disabled as appropriate for the Domain Profile.
yes/no/not configured
CCE-325 (1) enabled/disabled
CCE-327 enabled/disabled
CCE-999 (1) File path
CCE-1091 (1) Size limit (KB)
CCE-1165 (1) enabled/disabled
The "Log Dropped Packets" option for the Windows Firewall should be configured correctly for the Private Profile.
The "Log Successful Connections" option for the Windows Firewall should be configured correctly for the Private Profile.
The log file path and name for the Windows Firewall should be configured correctly for the Private Profile.
The log file size limit for the Windows Firewall should be configured correctly for the Private Profile.
The "Log Dropped Packets" option for the Windows Firewall should be configured correctly for the Public Profile.
CCE-534 enabled/disabled
CCE-1263 (1) File path
CCE-1313 (1) Size limit (KB)
CCE-1227 enabled/disabled
CCE-1036 enabled/disabled
CCE-1148 enabled/disabled
CCE-1270 enabled/disabled
The "Log Successful Connections" option for the Windows Firewall should be configured correctly for the Public Profile.
The log file path and name for the Windows Firewall should be configured correctly for the Public Profile.
The log file size limit for the Windows Firewall should be configured correctly for the Public Profile.
The ISATAP tunneling protocol for IPv6 should be enabled or disabled as appropriate.
The 6to4 tunneling protocol for IPv6 should be enabled or disabled as appropriate.
The Teredo tunneling protocol for IPv6 should be enabled or disabled as appropriate.
Auditing of "System: Security System Extension" events on success should be enabled or disabled as appropriate.
CCE-1102 enabled/disabled
CCE-856 enabled/disabled
CCE-336 enabled/disabled
CCE-1177 enabled/disabled
CCE-1314 enabled/disabled
CCE-1332 enabled/disabled
CCE-337 enabled/disabled
CCE-1121 enabled/disabled
CCE-1139 enabled/disabled
CCE-1284 enabled/disabled
Auditing of "System: Security System Extension" events on failure should be enabled or disabled as appropriate.
Auditing of "System: System Integrity" events on success should be enabled or disabled as appropriate.
Auditing of "System: System Integrity" events on failure should be enabled or disabled as appropriate.
Auditing of "System: Ipsec Driver" events on success should be enabled or disabled as appropriate.
Auditing of "System: Ipsec Driver" events on failure should be enabled or disabled as appropriate.
Auditing of "System: Other System Events" events on success should be enabled or disabled as appropriate.
Auditing of "System: Other System Events" events on failure should be enabled or disabled as appropriate.
Auditing of "System: Security State Change" events on success should be enabled or disabled as appropriate.
Auditing of "System: Security State Change" events on failure should be enabled or disabled as appropriate.
Auditing of "Logon/Logoff: Logon" events on success should be enabled or disabled as appropriate.
CCE-1097 enabled/disabled
CCE-493 enabled/disabled
CCE-996 enabled/disabled
CCE-1264 enabled/disabled
CCE-1282 enabled/disabled
CCE-1207 enabled/disabled
CCE-351 enabled/disabled
CCE-1257 enabled/disabled
CCE-1274 enabled/disabled
Auditing of "Logon/Logoff: Logon" events on failure should be enabled or disabled as appropriate.
Auditing of "Logon/Logoff: Logoff" events on success should be enabled or disabled as appropriate.
Auditing of "Logon/Logoff: Logoff" events on failure should be enabled or disabled as appropriate.
Auditing of "Logon/Logoff: Account Lockout" events on success should be enabled or disabled as appropriate.
Auditing of "Logon/Logoff: Account Lockout" events on failure should be enabled or disabled as appropriate.
Auditing of "Logon/Logoff: IPsec Main Mode" events on success should be enabled or disabled as appropriate.
Auditing of "Logon/Logoff: IPsec Main Mode" events on failure should be enabled or disabled as appropriate.
Auditing of "Logon/Logoff: IPsec Quick Mode" events on success should be enabled or disabled as appropriate.
Auditing of "Logon/Logoff: IPsec Quick Mode" events on failure should be enabled or disabled as appropriate.
CCE-1028 enabled/disabled
CCE-362 enabled/disabled
CCE-371 enabled/disabled
CCE-1038 enabled/disabled
CCE-378 enabled/disabled
CCE-1208 enabled/disabled
CCE-1085 enabled/disabled
CCE-1340 enabled/disabled
CCE-1138 enabled/disabled
Auditing of "Logon/Logoff: IPsec Extended Mode" events on success should be enabled or disabled as appropriate.
Auditing of "Logon/Logoff: IPsec Extended Mode" events on failure should be enabled or disabled as appropriate.
Auditing of "Logon/Logoff: Special Logon" events on success should be enabled or disabled as appropriate.
Auditing of "Logon/Logoff: Special Logon" events on failure should be enabled or disabled as appropriate.
Auditing of "Logon/Logoff: Other Logon/Logoff Events" events on success should be enabled or disabled as appropriate.
Auditing of "Logon/Logoff: Other Logon/Logoff Events" events on failure should be enabled or disabled as appropriate.
Auditing of "Object Access: File System" events on success should be enabled or disabled as appropriate.
Auditing of "Object Access: File System" events on failure should be enabled or disabled as appropriate.
Auditing of "Object Access: Registry" events on success should be enabled or disabled as appropriate.
CCE-1283 enabled/disabled
CCE-1288 enabled/disabled
CCE-1305 enabled/disabled
CCE-446 enabled/disabled
CCE-451 enabled/disabled
CCE-1345 enabled/disabled
CCE-1261 enabled/disabled
CCE-1322 enabled/disabled
CCE-379 enabled/disabled
Auditing of "Object Access: Registry" events on failure should be enabled or disabled as appropriate.
Auditing of "Object Access: Kernel Object" events on success should be enabled or disabled as appropriate.
Auditing of "Object Access: Kernel Object" events on failure should be enabled or disabled as appropriate.
Auditing of "Object Access: SAM" events on success should be enabled or disabled as appropriate.
Auditing of "Object Access: SAM" events on failure should be enabled or disabled as appropriate.
Auditing of "Object Access: Certification Services" events on success should be enabled or disabled as appropriate.
Auditing of "Object Access: Certification Services" events on failure should be enabled or disabled as appropriate.
Auditing of "Object Access: Application Generated" events on success should be enabled or disabled as appropriate.
Auditing of "Object Access: Application Generated" events on failure should be enabled or disabled as appropriate.
CCE-1363 enabled/disabled
CCE-1244 enabled/disabled
CCE-1372 enabled/disabled
CCE-1033 enabled/disabled
CCE-385 enabled/disabled
CCE-589 enabled/disabled
CCE-717 enabled/disabled
CCE-744 enabled/disabled
Auditing of "Object Access: Handle Manipulation" events on success should be enabled or disabled as appropriate.
Auditing of "Object Access: Handle Manipulation" events on failure should be enabled or disabled as appropriate.
Auditing of "Object Access: File Share" events on success should be enabled or disabled as appropriate.
Auditing of "Object Access: File Share" events on failure should be enabled or disabled as appropriate.
Auditing of "Object Access: Filtering Platform Packet Drop" events on success should be enabled or disabled as appropriate.
Auditing of "Object Access: Filtering Platform Packet Drop" events on failure should be enabled or disabled as appropriate.
Auditing of "Object Access: Filtering Platform Connection" events on success should be enabled or disabled as appropriate.
Auditing of "Object Access: Filtering Platform Connection" events on failure should be enabled or disabled as appropriate.
CCE-642 enabled/disabled
CCE-1026 enabled/disabled
CCE-488 enabled/disabled
CCE-1258 enabled/disabled
CCE-391 enabled/disabled
CCE-404 enabled/disabled
CCE-1203 enabled/disabled
CCE-406 enabled/disabled
Auditing of "Object Access: Other Object Access Events" events on success should be enabled or disabled as appropriate.
Auditing of "Object Access: Other Object Access Events" events on failure should be enabled or disabled as appropriate.
Auditing of "Privilege Use: Sensitive Privilege Use" events on success should be enabled or disabled as appropriate.
Auditing of "Privilege Use: Sensitive Privilege Use" events on failure should be enabled or disabled as appropriate.
Auditing of "Privilege Use: Non Sensitive Privilege Use" events on success should be enabled or disabled as appropriate.
Auditing of "Privilege Use: Non Sensitive Privilege Use" events on failure should be enabled or disabled as appropriate.
Auditing of "Privilege Use: Other Privilege Use Events" events on success should be enabled or disabled as appropriate.
Auditing of "Privilege Use: Other Privilege Use Events" events on failure should be enabled or disabled as appropriate.
CCE-416 enabled/disabled
CCE-1250 enabled/disabled
CCE-1413 enabled/disabled
CCE-699 enabled/disabled
CCE-1219 enabled/disabled
CCE-1365 enabled/disabled
CCE-913 enabled/disabled
CCE-1079 enabled/disabled
CCE-1110 enabled/disabled
Auditing of "Detailed Tracking: Process Termination" events on success should be enabled or disabled as appropriate.
Auditing of "Detailed Tracking: Process Termination" events on failure should be enabled or disabled as appropriate.
Auditing of "Detailed Tracking: DPAPI Activity" events on success should be enabled or disabled as appropriate.
Auditing of "Detailed Tracking: DPAPI Activity" events on failure should be enabled or disabled as appropriate.
Auditing of "Detailed Tracking: RPC Events" events on success should be enabled or disabled as appropriate.
Auditing of "Detailed Tracking: RPC Events" events on failure should be enabled or disabled as appropriate.
Auditing of "Detailed Tracking: Process Creation" events on success should be enabled or disabled as appropriate.
Auditing of "Detailed Tracking: Process Creation" events on failure should be enabled or disabled as appropriate.
Auditing of "Policy Change: Audit Policy Change" events on success should be enabled or disabled as appropriate.
CCE-991 enabled/disabled
CCE-388 enabled/disabled
CCE-180 enabled/disabled
CCE-187 enabled/disabled
CCE-448 enabled/disabled
CCE-203 enabled/disabled
CCE-879 enabled/disabled
CCE-1042 enabled/disabled
Auditing of "Policy Change: Audit Policy Change" events on failure should be enabled or disabled as appropriate.
Auditing of "Policy Change: Authentication Policy Change" events on success should be enabled or disabled as appropriate.
Auditing of "Policy Change: Authentication Policy Change" events on failure should be enabled or disabled as appropriate.
Auditing of "Policy Change: Authorization Policy Change" events on success should be enabled or disabled as appropriate.
Auditing of "Policy Change: Authorization Policy Change" events on failure should be enabled or disabled as appropriate.
Auditing of "Policy Change: MPSSVC Rule-Level Policy Change" events on success should be enabled or disabled as appropriate.
Auditing of "Policy Change: MPSSVC Rule-Level Policy Change" events on failure should be enabled or disabled as appropriate.
Auditing of "Policy Change: Filtering Platform Policy Change" events on success should be enabled or disabled as appropriate.
CCE-1112 enabled/disabled
CCE-205 enabled/disabled
CCE-787 enabled/disabled
CCE-1043 enabled/disabled
CCE-924 enabled/disabled
CCE-1070 enabled/disabled
CCE-840 enabled/disabled
CCE-1118 enabled/disabled
Auditing of "Policy Change: Filtering Platform Policy Change" events on failure should be enabled or disabled as appropriate.
Auditing of "Policy Change: Other Policy Change Events" events on success should be enabled or disabled as appropriate.
Auditing of "Policy Change: Other Policy Change Events" events on failure should be enabled or disabled as appropriate.
Auditing of "Account Management: User Account Management" events on success should be enabled or disabled as appropriate.
Auditing of "Account Management: User Account Management" events on failure should be enabled or disabled as appropriate.
Auditing of "Account Management: Computer Account Management" events on success should be enabled or disabled as appropriate.
Auditing of "Account Management: Computer Account Management" events on failure should be enabled or disabled as appropriate.
Auditing of "Account Management: Security Group Management" events on success should be enabled or disabled as appropriate.
CCE-369 enabled/disabled
CCE-515 enabled/disabled
CCE-1048 enabled/disabled
CCE-801 enabled/disabled
CCE-1016 enabled/disabled
CCE-206 enabled/disabled
CCE-1202 enabled/disabled
Auditing of "Account Management: Security Group Management" events on failure should be enabled or disabled as appropriate.
Auditing of "Account Management: Distribution Group Management" events on success should be enabled or disabled as appropriate.
Auditing of "Account Management: Distribution Group Management" events on failure should be enabled or disabled as appropriate.
Auditing of "Account Management: Application Group Management" events on success should be enabled or disabled as appropriate.
Auditing of "Account Management: Application Group Management" events on failure should be enabled or disabled as appropriate.
Auditing of "Account Management: Other Account Management Events" events on success should be enabled or disabled as appropriate.
Auditing of "Account Management: Other Account Management Events" events on failure should be enabled or disabled as appropriate.
CCE-317 enabled/disabled
CCE-982 enabled/disabled
CCE-881 enabled/disabled
CCE-247 enabled/disabled
CCE-207 enabled/disabled
CCE-1186 enabled/disabled
CCE-1199 enabled/disabled
CCE-459 enabled/disabled
Auditing of "DS Access: Directory Service Changes" events on success should be enabled or disabled as appropriate.
Auditing of "DS Access: Directory Service Changes" events on failure should be enabled or disabled as appropriate.
Auditing of "DS Access: Directory Service Replication" events on success should be enabled or disabled as appropriate.
Auditing of "DS Access: Directory Service Replication" events on failure should be enabled or disabled as appropriate.
Auditing of "DS Access: Detailed Directory Service Replication" events on success should be enabled or disabled as appropriate.
Auditing of "DS Access: Detailed Directory Service Replication" events on failure should be enabled or disabled as appropriate.
Auditing of "DS Access: Directory Service Access" events on success should be enabled or disabled as appropriate.
Auditing of "DS Access: Directory Service Access" events on failure should be enabled or disabled as appropriate.
CCE-209 enabled/disabled
CCE-1071 enabled/disabled
CCE-214 enabled/disabled
CCE-226 enabled/disabled
CCE-1141 enabled/disabled
CCE-229 enabled/disabled
Auditing of "Account Logon: Kerberos Ticket Events" events on success should be enabled or disabled as appropriate.
Auditing of "Account Logon: Kerberos Ticket Events" events on failure should be enabled or disabled as appropriate.
Auditing of "Account Logon: Other Account Logon Events" events on success should be enabled or disabled as appropriate.
Auditing of "Account Logon: Other Account Logon Events" events on failure should be enabled or disabled as appropriate.
Auditing of "Account Logon: Credential Validation" events on success should be enabled or disabled as appropriate.
Auditing of "Account Logon: Credential Validation" events on failure should be enabled or disabled as appropriate.
CCE Technical Mechanisms
(1) defined by the object's SACL
?
(1) defined by the object's SACL
(1) defined by the object's SACL
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
CIS W2K Server Level 2 Benchmark v2.2.1
DISA Gold Disk Check Name for W2K (golddisk.win2k.ecve.txt)
4.4.3.1 %System Drive% - Everyone: Failures (this folder, propagate inheritable permissions to all subfolders and files)
4.4.3.2 HKLM\Software – Everyone: Failures (this key, propagate inheritable permission to all subkeys)
Reg Auditing Local Machine
4.4.3.3 HKLM\System – Everyone: Failures (this key, propagate inheritable permission to all subkeys)
Reg Auditing Local Machine
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
SystemDrive ACL
(1) defined by the object's DACL
Autoexec.bat ACL
(1) defined by the object's DACL BOOT.INI ACL
(1) defined by the object's DACL
CONFIG.SYS ACL
4.4.1.15 %ProgramFiles% - Administrators: Full; System: Full; Creator Owner: Full; Users: Read and Execute, List
Program Files ACL
4.4.1.16 %Program Files%\Resource Kit – Administrators: Full; System: Full
Resource Kit ACL Servers and DCs
4.4.1.17 %Program Files%\Resource Pro Kit – Administrators: Full; System: Full
Resource Kit ACL Workstation
4.4.1.1 %SystemDrive%\ - Administrators: Full; System: Full; Creator Owner: Full; Users: Read and Execute, List
4.4.1.2 %SystemDrive%\autoexec.bat - Administrator: Full; System: Full
4.4.1.3 %SystemDrive%\boot.ini – Administrators: Full; System: Full
4.4.1.4 %SystemDrive%\config.sys - Administrators: Full; System: Full
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL DrWatson ACL
(1) defined by the object's DACL
?
4.4.1.10 %SystemDrive%\Documents and Settings - Administrators: Full; System: Full; Users: Read and Execute, List
Documents and Settings ACL
4.4.1.11 %SystemDrive%\Documents and Settings\Administrator - Administrators: Full; System: Full
Documents and Settings\Administrator ACL
4.4.1.12 %SystemDrive%\Documents and Settings\All Users – Administrators: Full; System: Full; Users: Read and Execute, List
Documents and Settings\All Users ACL
4.4.1.13 %SystemDrive%\Documents and Settings\All Users\Documents\DrWatson – Administrators: Full; System: Full; Creator Owner: Full; Users: Traverse Folder/Execute File, List Folder/Read Data, Read Attributes, Read Extended Attributes, Read Permissions (This folder, subfolders, and files); Users: Traverse Folder/Execute Files, Create Files/Write Data, Create Folder/Append Data (Subfolders and files only)
DrWatson Log ACL
(1) defined by the object's DACL
Default User ACL
(1) defined by the object's DACL
IO.SYS ACL
(1) defined by the object's DACL
MSDOS.SYS ACL
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL NTLDR ACL
(1) defined by the object's DACL
?
Temp ACL
(1) defined by the object's DACL
?
(1) defined by the object's DACL
4.4.1.14 %SystemDrive%\Documents and Settings\Default User - Administrators: Full; System: Full; Users: Read and Execute, List
4.4.1.5 %SystemDrive%\io.sys - Administrators: Full; System: Full
4.4.1.6 %SystemDrive%\msdos.sys - Administrators: Full; System: Full
4.4.1.7 %SystemDrive%\ntbootdd.sys - Administrators: Full; System: Full
NTBOOTDD.SYS ACL
4.4.1.8 %SystemDrive%\ntdetect.com – Administrators: Full; System: Full
NTDETECT.COM ACL
4.4.1.9 %SystemDrive%\ntldr - Administrators: Full; System: Full
My Download ACL
4.4.1.47 %SystemDrive%\System Volume Information – (Do not allow permissions on this folder to be replaced)
(1) defined by the object's DACL System Root ACL
(1) defined by the object's DACL Driver.cab ACL
(1) defined by the object's DACL System Root ACL
(1) defined by the object's DACL
(1) defined by the object's DACL ?
(1) defined by the object's DACL CSC ACL
(1) defined by the object's DACL Debug ACL
4.4.1.18 %SystemRoot% – Administrators: Full; System: Full; Creator Owner: Full; Users: Read and Execute, List
4.4.1.18 %SystemRoot% – Administrators: Full; System: Full; Creator Owner: Full; Users: Read and Execute, List
4.4.1.19 %SystemRoot%\$NtServicePackUninstall$ – Administrators: Full; System: Full
%SystemRoot%\$NtServicePackUninstall$
NT SP Uninstall ACL
4.4.1.20 %SystemRoot%\CSC – Administrators: Full; System: Full
4.4.1.21 %SystemRoot%\Debug - Administrators: Full; System: Full; Creator Owner: Full; Users: Read and Execute, List
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL regedit.exe ACL
(1) defined by the object's DACL
?
NTDS ACL
(1) defined by the object's DACL
4.4.1.22 %SystemRoot%\Debug\UserMode - Administrators: Full; System: Full; Users: Traverse Folder/Execute File, List folder/Read data, Create files/Write data (This folder, only); Create files/Write data, Create folders/Append data (Files only)
UserMode Directory ACL
4.4.1.31 %SystemRoot%\regedit.exe – Administrators: Full; System: Full
4.4.1.23 %SystemRoot%\Offline Web Pages – Ignore Parent Permission Changes
(1) defined by the object's DACL Registration ACL
(1) defined by the object's DACL
(1) defined by the object's DACL Repair ACL
(1) defined by the object's DACL Security ACL
(1) defined by the object's DACL
?
SYSVOL ACL
(1) defined by the object's DACL
?
(1) defined by the object's DACL
?
Temp ACL
(1) defined by the object's DACL System32 ACL
(1) defined by the object's DACL appmgmt ACL
4.4.1.24 %SystemRoot%\Registration - Administrators: Full; System: Full; Users: Read
4.4.1.25 %SystemRoot%\repair - Administrators: Full; System: Full
4.4.1.26 %SystemRoot%\security - Administrators: Full; System: Full; Creator Owner: Full
%SystemRoot%\SYSVOL\domain\Policies
4.4.1.27 %SystemRoot%\system32 - Administrators: Full; System: Full; Creator Owner: Full; Users: Read and Execute, List
4.4.1.36 %SystemRoot%\system32\appmgmt – Administrators: Full; System: Full; Users: Read and Execute, List
(1) defined by the object's DACL at.exe ACL
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL CONFIG ACL
(1) defined by the object's DACL
?
(1) defined by the object's DACL
?
(1) defined by the object's DACL
4.4.1.28 %SystemRoot%\system32\at.exe – Administrators: Full; System: Full
4.4.1.37 %SystemRoot%\system32\config – Administrators: Full; System: Full
%SystemRoot%\System32\CONFIG\AppEvent.evt
%SystemRoot%\System32\CONFIG\SecEvent.evt
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL dllcache ACL
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
4.4.1.38 %SystemRoot%\system32\dllcache – Administrators: Full; System: Full; Creator Owner: Full
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL GroupPolicy ACL
(1) defined by the object's DACL ias ACL
(1) defined by the object's DACL
(1) defined by the object's DACL
4.4.1.39 %SystemRoot%\system32\DTCLog - Administrators: Full; System: Full; Creator Owner: Full; Users: Read and Execute, List
4.4.1.40 %SystemRoot%\system32\Group Policy - Administrators: Full; System: Full; Authenticated Users: Read and Execute, List
4.4.1.41 %SystemRoot%\system32\ias - Administrators: Full; System: Full; Creator Owner: Full
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL NTMSData ACL
(1) defined by the object's DACL
4.4.1.29 %SystemRoot%\system32\Ntbackup.exe – Administrators: Full; System: Full
NTbackup.exe ACL
4.4.1.42 %SystemRoot%\system32\NTMSData – Administrators: Full; System: Full
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL Rcp.exe ACL
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL Rexec.exe ACL
4.4.1.30 %SystemRoot%\system32\rcp.exe – Administrators: Full; System: Full
4.4.1.32 %SystemRoot%\system32\regedt32.exe – Administrators: Full; System: Full
Regedt32.exe ACL
4.4.1.43 %SystemRoot%\system32\reinstallbackups – Administrators: Full; System: Full; Creator Owner: Full; Power Users: Read and Execute, List
4.4.1.33 %SystemRoot%\system32\rexec.exe – Administrators: Full; System: Full
(1) defined by the object's DACL
(1) defined by the object's DACL Rsh.exe ACL
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
?
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL Setup ACL
4.4.1.34 %SystemRoot%\system32\rsh.exe – Administrators: Full; System: Full
4.4.1.35 %SystemRoot%\system32\secedit.exe – Administrators: Full; System: Full
4.4.1.44 %SystemRoot%\system32\Setup – Administrators: Full; System: Full; Users: Read and Execute, List
(1) defined by the object's DACL
?
repl ACL
(1) defined by the object's DACL
?
Export ACL
(1) defined by the object's DACL
?
Import ACL
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
4.4.1.45 %SystemRoot%\system32\spool\printers – Administrators: Full; System: Full; Creator Owner: Full; Users: Traverse Folder, Execute File, Read, Read Extended Attributes, Create folders, Append Data
Spool\Printers ACL
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
?
(1) defined by the object's DACL
?
MQSeries ACL
(1) defined by the object's DACL
?
(1) defined by the object's DACL 269
(1) defined by the object's DACL SECEDIT.SDB ACL
(1) defined by the object's DACL
?
4.4.1.46 %SystemRoot%\Tasks - (Do not allow permissions on this folder to be replaced)
MQSeries Queue ACL
Registry ACL Check CLASSES_ROOT
(1) defined by the object's DACL
? ?
(1) defined by the object's DACL
(1) defined by the object's DACL
?
(1) defined by the object's DACL
?
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
4.4.2.2 HKLM\Software – Administrators Full; System: Full; Creator Owner: Full; Users: Read
Registry ACL Check Software
4.4.2.1 HKLM\Software\Classes - Administrators: Full; System: Full; Creator Owner: Full; Users: Read
\SOFTWARE\Classes\Regfile\Shell\Open\Command
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
4.4.2.3 HKLM\Software\Microsoft\Net DDE – Administrators: Full; System: Full
Reg ACL NetDDE Check test
4.4.2.4 HKLM\Software\Microsoft\OS/2 Subsystem for NT – Administrators: Full; System: Full; Creator Owner: Full
Reg ACL OS2 Check test
4.4.2.5 HKLM\Software\Microsoft\Windows NT\CurrentVersion\AsrCommands – Administrators: Full; System: Full; Creator Owner: Full; Users: Read; Backup Operators: Query Value, Set Value, Create Subkey, Enumerate Subkeys, Notify, Delete, Read (this key and subkeys)
Reg ACL Check AsrCommands
4.4.2.6 HKLM\Software\Microsoft\Windows NT\CurrentVersion\Perflib – Administrators: Full; System: Full; Creator Owner: Full; Interactive: Read (this key and subkeys)
Registry ACL Check Perflib
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
4.4.2.7 HKLM\Software\Microsoft\Windows\CurrentVersion\Group Policy - Administrators: Full; System: Full; Authenticated Users: Read
Reg ACL Check Group Policy
4.4.2.8 HKLM\Software\Microsoft\Windows\CurrentVersion\Installer - Administrators Full; System: Full; Users: Read
Reg ACL Check Installer
4.4.2.9 HKLM\Software\Microsoft\Windows\CurrentVersion\Policies - Administrators: Full; System: Full; Authenticated Users: Read
Reg ACL Check Policies
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
4.4.2.10 HKLM\System - Administrators Full; System: Full; Creator Owner: Full; Users: Read
Registry ACL Check SYSTEM
4.4.2.11 HKLM\System\Clone – Allow inheritable permissions to propagate to this object
4.4.2.12 HKLM\System\ControlSet001 - Administrators Full; System: Full; Creator Owner: Full; Users: Read
Registry ACL Check controlset001
4.4.2.13 HKLM\System\ControlSet00x - Administrators Full; System: Full; Creator Owner: Full; Users: Read
Registry ACL Check controlset002
4.4.2.13 HKLM\System\ControlSet00x - Administrators Full; System: Full; Creator Owner: Full; Users: Read
Registry ACL Check controlset003
4.4.2.13 HKLM\System\ControlSet00x - Administrators Full; System: Full; Creator Owner: Full; Users: Read
Registry ACL Check controlset004
4.4.2.13 HKLM\System\ControlSet00x - Administrators Full; System: Full; Creator Owner: Full; Users: Read
Registry ACL Check controlset005
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
4.4.2.13 HKLM\System\ControlSet00x - Administrators Full; System: Full; Creator Owner: Full; Users: Read
Registry ACL Check controlset006
4.4.2.13 HKLM\System\ControlSet00x - Administrators Full; System: Full; Creator Owner: Full; Users: Read
Registry ACL Check controlset007
4.4.2.13 HKLM\System\ControlSet00x - Administrators Full; System: Full; Creator Owner: Full; Users: Read
Registry ACL Check controlset008
4.4.2.13 HKLM\System\ControlSet00x - Administrators Full; System: Full; Creator Owner: Full; Users: Read
Registry ACL Check controlset009
4.4.2.13 HKLM\System\ControlSet00x - Administrators Full; System: Full; Creator Owner: Full; Users: Read
Registry ACL Check controlset010
(1) defined by the object's DACL Winreg ACL
(1) defined by the object's DACL
? ?
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
4.4.2.14 HKLM\System\CurrentControlSet\Control\SecurePipeServers\WinReg – Administrators: Full
4.4.2.15 HKLM\System\CurrentControlSet\Control\WMI\Security – Administrators: Full; System: Full; Creator Owner: Full (this key and subkeys)
Registry ACL Check Security
4.4.2.16 HKLM\System\CurrentControlSet\Enum - (Do not allow permissions on this key to be replaced)
4.4.2.17 HKLM\System\CurrentControlSet\Hardware Profiles – Administrators Full; System: Full; Creator Owner: Full; Users: Read
Registry ACL Check Hardware Profiles
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
4.4.2.18 HKLM\System\CurrentControlSet\Services\SNMP\Parameters\PermittedManagers - Administrators Full; System: Full; Creator Owner: Full
Registry ACL Check Permitted Managers
4.4.2.19 HKLM\System\CurrentControlSet\Services\SNMP\Parameters\ValidCommunities - Administrators Full; System: Full; Creator Owner: Full
Registry ACL Check ValidCommunities
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
4.4.2.20 HKU\.Default - Administrators Full; System: Full; Creator Owner: Full; Users: Read
Registry ACL Check Default
4.4.2.21 HKU\.Default\Software\Microsoft\NetDDE - Administrators Full; System: Full
Registry ACL Check NetDDE
4.4.2.22 HKU\.Default\Software\Microsoft\Protected Storage System Provider – No entries
(1) defined by the object's DACL
?
(1) defined by the object's DACL
Registry ACL Check CLASSES_ROOT
(1) defined by the SeDenyNetworkLogonRight setting in Local or Group Policy
4.2.11 Deny access to this computer from the network: Guests
User Right Check deny access from network
(1) defined by the SeNetworkLogonRight setting in Local or Group Policy
4.2.1 Access this computer from the network: Users, Administrators (or none)
User Right Check Network Logon
(1) defined by the SeTcbPrivilege setting in Local or Group Policy
4.2.2 Act as part of the operating system: None
User Right Check Act as OS
(1) defined by the SeBackupPrivilege setting in Local or Group Policy
4.2.4 Back up files and directories: Administrators
User Right Check Backup
(1) defined by the SeChangeNotifyPrivilege setting in Local or Group Policy
4.2.5 Bypass traverse checking: Users
User Right Check Bypass Traverse checking
(1) defined by the SeSystemTimePrivilege setting in Local or Group Policy
4.2.6 Change the system time: Administrators
User Right Check change system time
(1) defined by the SeCreatePagefilePrivilege setting in Local or Group Policy
4.2.7 Create a pagefile: Administrators
User Right Check create pagefile
(1) defined by the SeCreateTokenPrivilege setting in Local or Group Policy
4.2.8 Create a token object: None
User Right Check create token object
(1) defined by the SeCreatePermanentPrivilege setting in Local or Group Policy
4.2.9 Create permanent shared objects: None
User Right Check create permanent shared objects
(1) defined by the SeDebugPrivilege setting in Local or Group Policy
4.2.10 Debug Programs: None
User Right Check debug programs
(1) defined by the SeRemoteShutdownPrivilege setting in Local or Group Policy
4.2.16 Force shutdown from a remote system: Administrators
User Right Check remote shutdown
(1) defined by the SeAuditPrivilege setting in Local or Group Policy
4.2.17 Generate security audits: None
User Right Check generate security audits
(1) defined by the SeIncreaseQuotaPrivilege setting in Local or Group Policy
4.2.18 Increase quotas: Administrators
User Right Check increase quotas
(1) defined by the SeIncreaseBasePriorityPrivilege setting in Local or Group Policy
4.2.19 Increase scheduling priority: Administrators
User Right Check increase scheduling priority
(1) defined by the SeLoadDriverPrivilege setting in Local or Group Policy
4.2.20 Load and unload device drivers: Administrators
User Right Check load and unload device drivers
(1) defined by the SeLockMemoryPrivilege setting in Local or Group Policy
4.2.21 Lock pages in memory: None
User Right Check lock pages in memory
(1) defined by the SeBatchLogonRight setting in Local or Group Policy
4.2.22 Log on as a batch job: None
User Right Check log on as a batch job
(1) defined by the SeServiceLogonRight setting in Local or Group Policy
4.2.23 Log on as a service: None
User Right Check log on as a service job
(1) defined by the SeInteractiveLogonRight setting in Local or Group Policy
4.2.24 Log on locally: Users, Administrators (further restriction allowable)
User Right Check log on locally
(1) defined by the SeSecurityPrivilege setting in Local or Group Policy
4.2.25 Manage auditing and security log: Administrators
Manage Auditing and Security Logs on a Member Server
(1) defined by the SeSystemEnvironmentPrivilege setting in Local or Group Policy
4.2.26 Modify firmware environment values: Administrators
User Right Check modify firmware
User Right restore
(1) defined by the SeProfileSingleProcessPrivilege setting in Local or Group Policy
4.2.27 Profile single process: Administrators
User Right Check Profile single process
(1) defined by the SeSystemProfilePrivilege setting in Local or Group Policy
4.2.28 Profile system performance: Administrators
User Right Check Profile system performance
(1) defined by the SeUndockPrivilege setting in Local or Group Policy
4.2.29 Remove computer from docking station: Users, Administrators
User Right Check undock
(1) defined by the SeAssignPrimaryTokenPrivilege setting in Local or Group Policy
4.2.30 Replace a process level token: None
User Right replace process token
(1) defined by the SeRestorePrivilege setting in Local or Group Policy
4.2.31 Restore files and directories: Administrators
(1) defined by the SeShutdownPrivilege setting in Local or Group Policy
4.2.32 Shut down the system: Users, Administrators
User Right shut down
(1) defined by the SeTakeOwnershipPrivilege setting in Local or Group Policy
4.2.34 Take ownership of file or other objects: Administrators
User Right take ownership
(1) defined by the SeSynchAgentPrivilege setting in Local or Group Policy
4.2.33 Synchronize directory service data: Not Applicable
User Right synch directory
(1) defined by the SeDenyInteractiveLogonRight setting in Local or Group Policy
4.2.14 Deny logon locally: None by default (others allowable as appropriate)
User Right Check deny logon locally
(1) defined by the SeEnableDelegationPrivilege setting in Local or Group Policy
4.2.15 Enable computer and user accounts to be trusted for delegation: Not Applicable
User Right Check allow trust for delegation
(1) defined by the SeMachineAccountPrivilege setting in Local or Group Policy
4.2.3 Add workstations to domain: Not applicable
User Right Check Add wkstn to domain
(1) defined by the SeRemoteInteractiveLogonRight setting in Local or Group Policy
(1) defined by the SeDenyBatchLogonRight setting in Local or Group Policy
(1) defined by the SeDenyServiceLogonRight setting in Local or Group Policy
(1) defined by Local or Group Policy
(1) defined by Local or Group Policy
(1) defined by Local or Group Policy
(1) defined by Local or Group Policy
(1) defined by the SeDenyRemoteInteractiveLogonRight setting in Local or Group Policy
(1) defined by the SeManageVolumePrivilege setting in Local or Group Policy
Reset Account Lockout After: 15 Minutes (minimum)
Lockout Reset (15)
Account Lockout Duration: 15 Minutes (minimum)
Lockout Duration (15)
Account Lockout Threshold: 3 Bad Login Attempts (maximum)
Lockout Count (3)
Audit Account Logon Events: Success and Failure
Account logon auditing
(1) defined by Local or Group Policy
(1) defined by Local or Group Policy
(1) defined by Local or Group Policy
(1) defined by Local or Group Policy
? ?
(1) defined by Local or Group Policy
? ?
(1) defined by Local or Group Policy logon auditing
(1) defined by Local or Group Policy logon auditing
Audit Account Logon Events: Success and Failure
Account logon auditing
Audit Account Management: Success and Failure
Account management auditing
Audit Account Management: Success and Failure
Account management auditing
Audit Logon Events: Success and Failure
Audit Logon Events: Success and Failure
(1) defined by Local or Group Policy
(1) defined by Local or Group Policy
(1) defined by Local or Group Policy
(1) defined by Local or Group Policy
(1) defined by Local or Group Policy
priv use auditing
(1) defined by Local or Group Policy
priv use auditing
(1) defined by Local or Group Policy
?
(1) defined by Local or Group Policy
?
Audit Object Access: Failure (minimum)
object access auditing
Audit Object Access: Failure (minimum)
object access auditing
Audit Policy Change: Failure (minimum)
policy change auditing
Audit Policy Change: Failure (minimum)
policy change auditing
Audit Privilege Use: Failure (minimum)
Audit Privilege Use: Failure (minimum)
Audit Process Tracking: Not Defined
Audit Process Tracking: Not Defined
(1) defined by Local or Group Policy
(1) defined by Local or Group Policy
(1) defined by Local or Group Policy
?
(1) defined by Local or Group Policy
?
? ?
? ?
Audit System Events: Success and Failure
System Event auditing
Audit System Events: Success and Failure
System Event auditing
Allow System to be Shut Down Without Having to Log On
Decoy Admin, Account Exists
(1) In Windows Explorer: Tools->Folder Options->File Types->[file type]->Advanced
(1) `REGSVR32 "C:\Windows\System\Scrrun.dll"` (2) `UNREGSVR32 "C:\Windows\System\Scrrun.dll"`
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\RestrictGuestAccess (2) defined by Group Policy
Application Log: Restrict Guest Access to Logs: Enabled
Anonymous Access to the Application Event Log value
(1) defined by the Windows Event Log (2) defined by Group Policy (3) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\MaxSize
Application Log: Maximum Event Log Size: 80 Mb (minimum)
Application Event Log size key value
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\Retention (2) defined by Group Policy
Application Log: Log Retention Method: “Overwrite Events As Needed”
Application Event Log retention key value
Application Event Log retention key value
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security\RestrictGuestAccess (2) defined by Group Policy
Security Log: Restrict Guest Access to Logs: Enabled
Anonymous Access to the Security Event Log value
(1) defined by the Windows Event Log (2) defined by Group Policy (3) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security\MaxSize
Security Log: Maximum Event Log Size: 80 Mb (minimum)
Security Event Log size key value
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\Retention (2) defined by Group Policy
Security Log: Log Retention Method: “Overwrite Events As Needed”
Security Event Log retention key value
Security Event Log retention key value
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\RestrictGuestAccess (2) defined by Group Policy
System Log: Restrict Guest Access to Logs: Enabled
Anonymous Access to the System Event Log value
(1) defined by the Windows Event Log (2) defined by Group Policy (3) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\MaxSize
System Log: Maximum Event Log Size: 80 Mb (minimum)
System Event Log size key value
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\Retention (2) defined by Group Policy
System Log: Log Retention Method: “Overwrite Events As Needed”
System Event Log retention key value
(1) defined by Local or Group Policy
(1) defined by Local or Group Policy
(1) defined by Local or Group Policy
(1) determined by the local filesystem
?
(1) defined by Local or Group Policy
EnPasFlt Check
(1) defined by Local or Group Policy
(1) defined by Local or Group Policy
System Event Log retention key value
All passwords are no more than 90 days old (maximum).
Maximum Password Age (90)
Minimum Password Age: 1 day
Minimum Password Age
All passwords are at least 8 characters long (minimum).
Password Length (8)
Check for Enpasflt.dll
Password Complexity: Enabled
Password History: 24 Passwords Remembered
Password History (24)
Store Passwords using Reversible Encryption: Disabled
Reversible Pwd Encryption
4.1.1 Alerter – Disabled
?
4.1.2 Clipbook – Disabled
?
?
?
?
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Alerter\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAutoUpdate (2) defined by the Services Administrative Tool (3) defined by Group Policy
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ClipSrv\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Browser\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy
4.1.3 Computer Browser – Disabled
Computer Browser Disabled
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FastUserSwitchingCompatibility\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Fax\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy
4.1.4 Fax Service – Disabled
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSFTPSVC\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy
4.1.5 FTP Publishing Service – Disabled
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IISADMIN\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy
4.1.6 IIS Admin Service – Disabled
?
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CiSvc\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Messenger\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy
4.1.8 Messenger – Disabled
(1) defined by the Services Administrative Tool (2) defined by Group Policy
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mnmsrvc\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy
4.1.9 NetMeeting Remote Desktop Sharing – Disabled
NetMeeting Remote Desktop Sharing Disabled
(1) defined by the Services Administrative Tool (2) defined by Group Policy
(1) defined by the Services Administrative Tool (2) defined by Group Policy
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RDSessMgr\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy
?
?
?
?
?
?
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy
4.1.7 Internet Connection Sharing – Disabled
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy
4.1.10 Remote Registry Service – Disabled
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy
4.1.11 Routing and Remote Access – Disabled
Remote Access Auto Connection Manager Disabled
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RshSvc\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy
Remote Shell Service
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SIMPTCP\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy
Simple TCP/IP Service
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SMTPSVC\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy
4.1.12 Simple Mail Transfer Protocol (SMTP) – Disabled
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy
4.1.13 Simple Network Management Protocol (SNMP) Service – Disabled
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMPTRAP\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy
4.1.14 Simple Network Management Protocol (SNMP) Trap – Disabled
4.1.15 Telnet – Disabled
Telnet Disabled
?
(1) defined by the Services Administrative Tool (2) defined by Group Policy
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\upnphost\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy
4.1.16 World Wide Web Publishing Services – Disabled
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAutoUpdate (2) defined by the Services Administrative Tool (3) defined by Group Policy
4.1.17 Automatic Updates – Not Defined
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy
4.1.18 Background Intelligent Transfer Service – Not Defined
(1) defined by the Services Administrative Tool (2) defined by Group Policy
Print Services for UNIX
? ?
? ?
? ?
? ?
? ?
? ?
(1) set via Security Templates (2) defined by Group Policy
(1) set via Security Templates (2) defined by Group Policy
(1) set via Security Templates (2) defined by Group Policy
(1) set via Security Templates (2) defined by Group Policy
(1) set via Security Templates (2) defined by Group Policy
(1) set via Security Templates (2) defined by Group Policy
(1) set via Security Templates (2) defined by Group Policy
(1) set via Security Templates (2) defined by Group Policy
(1) set via Security Templates (2) defined by Group Policy
(1) set via Security Templates (2) defined by Group Policy
? ?
? ?
Printer Permissions
? ?
? ?
? ?
? ?
(1) set via Security Templates (2) defined by Group Policy
(1) set via Security Templates (2) defined by Group Policy
(1) set via Security Templates (2) defined by Group Policy
(1) set via Security Templates (2) defined by Group Policy
(1) defined by the Services Administrative Tool (2) defined by Group Policy
(1) set via Security Templates (2) defined by Group Policy
(1) set via Security Templates (2) defined by Group Policy
(1) set via Security Templates (2) defined by Group Policy
(1) set via Security Templates (2) defined by Group Policy
(1) set via Security Templates (2) defined by Group Policy
? ?
?
? ?
? ?
(1) defined by Local or Group Policy ?
(1) set via Security Templates (2) defined by Group Policy
(1) set via Security Templates (2) defined by Group Policy
"Schedule" service is run as the system account.
(1) set via Security Templates (2) defined by Group Policy
(1) set via Security Templates (2) defined by Group Policy
(1) set via Security Templates (2) defined by Group Policy
(1) set via Security Templates (2) defined by Group Policy
Additional Restrictions for Anonymous Connections: “No Access Without Explicit Anonymous Permissions”
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\RestrictAnonymous (2) defined by Local or Group Policy
Restrict Anonymous value
?
(1) Local Users and Groups MMC
?
(1) Local Users and Groups MMC
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM (2) defined by Local or Group Policy
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AnonymousNameLookup (2) defined by Local or Group
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security
Anonymous access to the event logs is not restricted.
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg
Anonymous access to the Registry is not restricted.
Guest Account Disabled
?
?
(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeCaption (2) defined by Local or Group Policy
Message Title for Users Attempting to Log On: “Warning:” or custom title.
Legal notice is not configured to display before console logon.
(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText (2) defined by Local or Group Policy
Message Text for Users Attempting to Log On: Custom Message or “This
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\AutoShareWks
Remove administrative shares on workstation (Professional): HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters\AutoShareWks
(1) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AEDebug\Auto
Disable Automatic Execution of the System Debugger: HKLM\Software\Microsoft\Windows NT\CurrentVersion\AEDebug\Auto (REG_DWORD) 0
CIS: Automatic Execution of the System Debugger value
(1) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoAdminLogon
Disable Automatic Logon: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoAdminLogon (REG_DWORD) 0
Admin Autologon Value
Autoplay value?
?
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl\AutoReboot
Disable automatic reboots after a Blue Screen of Death: HKLM\System\CurrentControlSet\Control\CrashControl\AutoReboot (REG_DWORD) 0
CIS: Disable Reboot After Crash value
(1) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun
Disable autoplay from any disk type, regardless of application: HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun (REG_DWORD) 255
(1) HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun
Disable autoplay for current user: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun (REG_DWORD) 255
(1) HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun
Disable autoplay for new users by default: HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun (REG_DWORD) Not Defined
CIS: Disable Media Autoplay (HKU-.Default hive)
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CDrom\Autorun
Disable CD Autorun: HKLM\System\CurrentControlSet\Services\CDrom\Autorun (REG_DWORD) 0
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MrxSmb\Parameters\RefuseReset
Protect against Computer Browser Spoofing Attacks: HKLM\System\CurrentControlSet\Services\MrxSmb\Parameters\RefuseReset (REG_DWORD) 1
Computer Browser Spoofing Attacks
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnableICMPRedirect
Ensure ICMP Routing via shortest path first: HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\EnableICMPRedirect (REG_DWORD) 0
Disable ICMP Redirect
?
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DisableIPSourceRouting
Protect against source-routing spoofing: HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DisableIPSourceRouting (REG_DWORD) 2
Disable IP Source Routing
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\PerformRouterDiscovery
Ensure Router Discovery is Disabled: HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\PerformRouterDiscovery (REG_DWORD) 0
Disable Router Discovery
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPSEC\NoDefaultExempt
Enable IPSec to protect Kerberos RSVP Traffic: HKLM\System\CurrentControlSet\Services\IPSEC\NoDefaultExempt
CIS: Enable IPSec security for Kerberos RSVP Traffic value
(1) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DrWatson\CreateCrashDump
Suppress Dr. Watson Crash Dumps: HKLM\Software\Microsoft\DrWatson\CreateCrashDump
CIS: Allow Dr. Watson Crash Dumps value
(1) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DontDisplayLastUserName
Don’t display username of last successful logon at the logon screen: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\DontDisplayLastUserName (REG_SZ) Not Defined; 3.2.1.15 Do Not Display Last User Name in Logon Screen: Enabled
(1) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable
Enable the File System Checker and Disable Popups: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable (REG_DWORD) Not Defined
(1) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan
Enable the System File Checker to verify all operating system files at boot time: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan (REG_DWORD) Not Defined. Note: Due to the processor-intensive nature of the System File Checker, it is no longer required on startup.
(1) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCShowProgress
Do not show the System File Checker progress meter: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCShowProgress (REG_DWORD) Not Defined
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Lanmanserver\Parameters\Hidden
3.2.2.24 Do not announce this computer to domain master browsers: HKLM\System\CurrentControlSet\Services\Lanmanserver\Parameters\Hidden (REG_DWORD) 1
CIS: Hide computer Name from other domain controllers value
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnableDeadGWDetect
Protect the Default Gateway network setting: HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\EnableDeadGWDetect (REG_DWORD) 0
Disable Dead Gateway Detection
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\KeepAliveTime
Manage Keep-alive times: HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\KeepAliveTime (REG_DWORD) 300000
TCP Connection Keep-Alive Time
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxHalfOpen
SYN Attack protection – Manage TCP Maximum half-open sockets: HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxHalfOpen (REG_DWORD) 100
Half-open TCP Sockets
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxHalfOpenRetried
SYN Attack protection – Manage TCP Maximum half-open retried sockets: HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxHalfOpenRetried (REG_DWORD) 80
Half-open retried TCP Sockets
?
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netbt\Parameters\NoNameReleaseOnDemand
Protect Against Malicious Name-Release Attacks: HKLM\System\CurrentControlSet\Services\Netbt\Parameters\NoNameReleaseOnDemand (REG_DWORD) 1
Name-Release Attacks
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnablePMTUDiscovery
Help protect against packet fragmentation: HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\EnablePMTUDiscovery (REG_DWORD) 0
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\SynAttackProtect
Protect against SYN Flood attacks: HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\SynAttackProtect (REG_DWORD) 2
SYN Attack Protection
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\EnhancedSecurityLevel
Protect Kernel object attributes
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog\Security\WarningLevel
Audit Log Warning Level
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasman\Parameters\DisableSavePassword
Disable saving of dial up password
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SealSecureChannel (2) defined by Local or Group Policy
Encrypt Secure Channel Traffic Value
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SignSecureChannel (2) defined by Local or Group Policy
Sign Secure Channel Traffic Value
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Session Manager\SafeDllSearchMode
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon\SyncForegroundPolicy
(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\DeleteRoamingCache
(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\system\LogonType
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Policies\system\DisableBkGndGroupPolicy
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Network Connections\NC_ShowSharedAccessUI
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Network Connections\NC_AllowNetBridge_NLA
(1) defined by Local or Group Policy
?
(1) defined by Local or Group Policy
(1) defined by Local or Group Policy
?
?
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\KMPrintersAreBlocked
Allow Server Operators to Schedule Tasks: Not Applicable
Rename Administrator Account: Any value other than ‘Administrator’
Administrator Account Renamed
Rename Guest Account: Any value other than ‘Guest’
Guest Account Renamed
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\AutoDisconnect (2) defined by Local or Group Policy
Amount of Idle Time Required Before Disconnecting Session: 30 Minutes (minimum)
Amount of idle time before disconnecting value (<= 15)
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\AuditBaseObjects (2) defined by Local or Group Policy
Audit the access of global system objects: Not Defined
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\FullPrivilegeAuditing (2) defined by Local or Group Policy
Audit the use of backup and restore privilege: Not Defined
(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCAD (2) defined by Local or Group Policy
Disable CTRL+ALT+Delete Requirement for Logon: Disabled
Ctrl+Alt+Del security attention sequence is Disabled.
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\LMCompatibilityLevel (2) defined by Local or Group Policy
LAN Manager Authentication Level: “Send NTLMv2 response only” (minimum)
LMCompatibility Value
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\LMCompatibilityLevel Parameters: (1) level
The Send download LanMan compatible password option is not set to "Send LM and NTLM - Use NTLMv2 if Negotiated."
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers\AddPrinterDrivers (2) defined by Local or Group Policy
Prevent Users from Installing Printer Drivers: Enabled
Print Driver Installation value
(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SecurityLevel (2) defined by Local or Group Policy
Recovery Console: Allow Automatic Administrative Logon: Disabled
Recovery Console Autologon value
(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SetCommand (2) defined by Local or Group Policy
Recovery Console: Allow Floppy Copy and Access to All Drives and All Folders: Disabled
Recovery Console Full Access Value
?
?
(1) defined by Local or Group Policy
(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateCDRoms (2) defined by Local or Group Policy
Restrict CD-ROM Access to Locally Logged-On User Only: Enabled
(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateFloppies (2) defined by Local or Group Policy
Restrict Floppy Access to Locally Logged-On User Only: Enabled
Floppy Allocation
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\ProtectionMode (2) defined by Local or Group Policy
Strengthen Default Permissions of Global System Objects (e.g. Symbolic Links): Enabled
Strength permissions on GSO value
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireStrongKey (2) defined by Local or Group Policy
Secure Channel: Require Strong (Windows 2000 or later) Session Key: Not Defined
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnablePlainTextPassword (2) defined by Local or Group Policy
Send Unencrypted Password to Connect to Third-Party SMB Servers: Disabled
Send unencrypted password to 3rd party SMB value
(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Driver Signing\Policy (2) defined by Local or Group Policy
Unsigned Driver Installation Behavior: “Warn, but allow installation” (minimum) or “Do Not Allow Installation”.
Unsigned Driver Behavior Value
Unsigned Non-Driver Installation Behavior: “Warn, but allow installation” (minimum) or “Do Not Allow Installation”
Unsigned Non-Driver Behavior Value
(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\PasswordExpiryWarning (2) defined by Local or Group Policy
Prompt User to Change Password Before Expiration: 14 Days (minimum)
Password Expiration value
(1) defined by Local or Group Policy
?
?
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\CrashOnAuditFail (2) defined by Local or Group Policy
Shut Down system immediately if unable to log security audits: Not Defined
Crash on audit fail Value
(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ShutdownWithoutLogon (2) defined by Local or Group Policy
Allow System to be Shut Down Without Having to Log On: Disabled
The system allows shutdown from the logon dialog box
Automatically Log Off Users When Logon Time Expires (local): Enabled
Logon Time Enforcement (0)
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Memory Management\ClearPageFileAtShutdown (2) defined by Local or Group Policy
Clear Virtual Memory Pagefile When System Shuts Down: Enabled
Clear Pagefile value
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\RequireSecuritySignature (2) defined by Local or Group Policy
Digitally Sign Client Communication (Always): Not Defined
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnableSecuritySignature (2) defined by Local or Group Policy
Digitally Sign Client Communication (When Possible): Enabled
Enable Security Signature Value
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature (2) defined by Local or Group Policy
Digitally Sign Server Communication (Always): Not Defined
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableSecuritySignature (2) defined by Local or Group Policy
Digitally Sign Server Communication (When Possible): Enabled
SMB Server Packet Signing Value
?
?
?
(1) defined in %Systemroot%\boot.ini ? ?
(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount (2) defined by Local or Group Policy
Number of Previous Logons to Cache: 1 (maximum)
Logon Caching value (<= 2)
(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateDASD (2) defined by Local or Group Policy
Allowed to Eject Removable NTFS Media: Administrators
NTFS Media Ejection value
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireSignOrSeal (2) defined by Local or Group Policy
Secure Channel: Digitally Encrypt or Sign Secure Channel Data (Always): Not Defined
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SealSecureChannel (2) defined by Local or Group Policy
Secure Channel: Digitally Encrypt Secure Channel Data (When Possible): Enabled
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SignSecureChannel (2) defined by Local or Group Policy
Secure Channel: Digitally Sign Secure Channel Data (When Possible): Enabled
(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ScRemoveOption (2) defined by Local or Group Policy
Smart Card Removal Behavior: “Lock Workstation” (minimum)
Smart Card Removal Behavior Value
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\DisablePasswordChange (2) defined by Local or Group Policy
Prevent System Maintenance of Computer Account Password: Disabled
Disable password change Value
(1) defined by Local or Group Policy
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy (2) defined by Local or Group Policy
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\NoDefaultAdminOwner (2) defined by Local or Group Policy
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel\ObCaseInsensitive (2) defined by Local or Group Policy
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse (2) defined by Local or Group Policy
(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\UndockWithoutLogon (2) defined by Local or Group Policy
(1) defined by Local or Group Policy
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP\LDAPClientIntegrity (2) defined by Local or Group Policy
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\MaximumPasswordAge (2) defined by Local or Group Policy
(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ForceUnlockLogon (2) defined by Local or Group Policy
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableForcedLogoff (2) defined by Local or Group Policy
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\DisableDomainCreds (2) defined by Local or Group Policy
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\EveryoneIncludesAnonymous (2) defined by Local or Group Policy
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\NullSessionPipes (2) defined by Local or Group Policy
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPathsHKLM (2) defined by Local or Group Policy
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\NullSessionShares (2) defined by Local or Group Policy
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\ForceGuest (2) defined by Local or Group Policy
(1) defined by Local or Group Policy
(1) Disk Management MMC
(1) ? ?
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash (2) defined by Local or Group Policy
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinClientSec (2) defined by Local or Group Policy
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinServerSec (2) defined by Local or Group Policy
4.3.1 Ensure all disk volumes are using the NTFS file system
Non-NTFS Partition
Unused USB ports are not disabled.
?
?
?
?
(1) HKEY_CURRENT_USER\Control Panel\Desktop\SCRNSAVE.EXE
current user scrnsave.exe
(1) HKEY_CURRENT_USER\Control Panel\Desktop\ScreenSaveTimeOut
Current user screensaver timeout
(1) HKEY_CURRENT_USER\Control Panel\Desktop\ScreenSaverIsSecure
Current user screensaver secure
(1) HKEY_CURRENT_USER\Control Panel\Desktop\ScreenSaveActive
Current user screensaver active
(1) HKEY_USERS\.DEFAULT\Control Panel\Desktop\SCRNSAVE.EXE
(1) HKEY_USERS\.DEFAULT\Control Panel\Desktop\ScreenSaveTimeOut
(1) HKEY_USERS\.DEFAULT\Control Panel\Desktop\ScreenSaverIsSecure
(1) HKEY_USERS\.DEFAULT\Control Panel\Desktop\ScreenSaveActive
(1) HKEY_CURRENT_USER\Control Panel\Desktop\SCRNSAVE.EXE
(1) HKEY_CURRENT_USER\Control Panel\Desktop\ScreenSaveTimeOut
(1) HKEY_CURRENT_USER\Control Panel\Desktop\ScreenSaverIsSecure
(1) HKEY_CURRENT_USER\Control Panel\Desktop\ScreenSaveActive
GPO path: User Configuration\Administrative Templates\Control Panel\Display\Hide Screen Saver tab
GPO path: User Configuration\Administrative Templates\Control Panel\Display\Password protect the screen saver
GPO path: User Configuration\Administrative Templates\Control Panel\Display\Screen saver
GPO path: User Configuration\Administrative Templates\Control Panel\Display\Screen Saver executable name
GPO path: User Configuration\Administrative Templates\Control Panel\Display\Screen Saver timeout
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated
Always Install with Elevated Privileges
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer\SafeForScripting\
Disable IE Security Prompt for Windows Installer Scripts
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer\EnableUserControl
Enable User Control Over Installs
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer\AllowLockDownBrowse
Enable User to Browse for Source While Elevated
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer\AllowLockDownMedia
Enable User to Use Media Source While Elevated
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer\EnableAdminTSRemote
Allow Admin to Install from Terminal Services Session
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer\AllowLockDownPatch
Enable User to Patch Elevated Products
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer\TransformSecure
Cache Transforms in Secure Location on Workstation
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsMediaPlayer\DisableAutoupdate
(1) HKEY_CURRENT_USER\Software\Policies\Microsoft\WindowsMediaPlayer\PreventCodecDownload
?
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Messenger\Client\{9b017612-c9f1-11d2-8d9f-0000f875c541}\Disabled (2) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\MessengerService
Windows Messenger Internet Access
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Messenger\Client\PreventRun
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Messenger\Client\PreventAutoRun
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Task Scheduler5.0\Property Pages
Hide Property Pages
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Task Scheduler5.0\Task Creation
Prohibit New Task Creation
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\fSingleSessionPerUser
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\MaxInstanceCount
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\fDenyTSConnections
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\fWritableTSCCPermTab
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\Shadow
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\fPromptForPassword
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\MinEncryptionLevel
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\PerSessionTempDir
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\DeleteTempDirsOnExit
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\MaxDisconnectionTime
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\MaxIdleTime
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\fReconnectSame
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\fResetBroken
-1
-1
-1
-1
-1
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\KeepAliveEnable
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\fAllowToGetHelp
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\fAllowUnsolicited
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\PCHealth\ErrorReporting\DoReport
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxConnectResponseRetransmissions
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxDataRetransmissions
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\FileSystem\NtfsDisable8dot3NameCreation
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\RPC\EnableAuthEpResolution
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\RPC\RestrictRemoteClients
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DoNotAllowExceptions
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\AllowUserPrefMerge
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Enabled
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Services\FileAndPrint\Enabled
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Services\RemoteDesktop\Enabled
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Services\UPnPFramework\Enabled
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DisableNotifications
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging\LogDroppedPackets (2) Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile\Windows Firewall: Allow Logging - Log Dropped Packets
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging\LogFilePath (2) Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile\Windows Firewall: Allow Logging - Log file path and name (3) Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Domain Profile Tab\Logging\Name
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging\LogFileSize (2) Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile\Windows Firewall: Allow Logging - Size limit (KB)
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging\LogSuccessfulConnections (2) Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile\Windows Firewall: Allow Logging - Log successful connections
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DisableUnicastResponsesToMulticastBroadcast
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\AllowUserPrefMerge
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\AllowUserPrefMerge
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Services\RemoteDesktop
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Services\RemoteDesktop\Enabled
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\ICMPSettings\*
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Services\RemoteDesktop\Enabled
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Services\UPnPFramework\Enabled
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging\LogDroppedPackets (2) Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Standard Profile\Windows Firewall: Allow Logging - Log Dropped Packets
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging\LogFilePath
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging\LogFileSize
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging\LogSuccessfulConnections
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableUnicastResponsesToMulticastBroadcast
?
"POSIX.EXE", "PSXSS.EXE" or "PSXDLL.DLL" exist
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\AllowUserPrefMerge
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\TCPMaxPortsExhausted
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Subsystems\Optional,HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Subsystems\Os2,HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment\Os2LibPath
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Subsystems\posix
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\NukeOnDelete
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\SCForceOption
(1)Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall Properties\Domain Profile\Inbound Connections Tab\(2)HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\DefaultInboundAction
(1)Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall Properties\Domain Profile (2)HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\DefaultOutboundAction
(1)Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall Properties\Domain Profile\Customized Settings (2)HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\AllowLocalPolicyMerge
(1)Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall Properties\Domain Profile\Customized Settings (2)HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\AllowLocalIPsecPolicyMerge
(1)Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall Properties\Private Profile (2)HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\EnableFirewall
(1)Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall Properties\Private Profile (2)HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\DefaultInboundAction
(1)Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall Properties\Private Profile (2)HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\DefaultOutboundAction
(1)Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall Properties\Private Profile\Customized Settings (2)HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\DisableNotifications
(1)Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall Properties\Private Profile\Customized Settings (2)HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\DisableUnicastResponsesToMulticastBroadcast
(1)Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall Properties\Private Profile\Customized Settings (2)HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\AllowLocalPolicyMerge
(1)Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall Properties\Private Profile\Customized Settings (2)HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\AllowLocalIPsecPolicyMerge
(1)Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall Properties\Public Profile (2)HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\EnableFirewall
(1)Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall Properties\Public Profile (2)HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\DefaultInboundAction
(1)Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall Properties\Public Profile\Customized Settings (2)HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\DefaultOutboundAction
(1)Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall Properties\Public Profile\Customized Settings (2)HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\DisableNotifications
(1)Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall Properties\Public Profile\Customized Settings (2)HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\DisableUnicastResponsesToMulticastBroadcast
(1)Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall Properties\Public Profile\Customized Settings (2)HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\AllowLocalPolicyMerge
(1)Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall Properties\Public Profile\Customized Settings (2)HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\AllowLocalIPsecPolicyMerge
(1) Computer Configuration\Administrative Templates\System\Logon (2)HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisableLocalMachineRun
(1) Computer Configuration\Administrative Templates\System\Logon (2)HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisableLocalMachineRunOnce
(1) Computer Configuration\Administrative Templates\System\Group Policy (2)HKLM\Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}!NoBackgroundPolicy, HKLM\Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}!NoGPOListChanges
(1) Computer Configuration\Administrative Templates\System\Internet Communication Settings (2)HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoWebServices
(1) Computer Configuration\Administrative Templates\System\Internet Communication Settings (2)HKLM\Software\Policies\Microsoft\Messenger\Client!CEIP
(1) Computer Configuration\Administrative Templates\System\Internet Communication Settings (2)HKLM\Software\Policies\Microsoft\SearchCompanion!DisableContentFileUpdates
(1) Computer Configuration\Administrative Templates\System\Internet Communication Settings (2)HKLM\Software\Policies\Microsoft\Windows NT\Printers!DisableHTTPPrinting
(1) Computer Configuration\Administrative Templates\System\Internet Communication Settings (2)HKLM\Software\Policies\Microsoft\Windows NT\Printers!DisableWebPnPDownload
(1) Computer Configuration\Administrative Templates\System\Internet Communication Settings (2)HKLM\Software\Policies\Microsoft\Windows\DriverSearching!DontSearchWindowsUpdate
(1) Computer Configuration\Administrative Templates\System\Credential User Interface (2)HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\CredUI\EnumerateAdministrators
(1) Computer Configuration\Administrative Templates\System\Credential User Interface (2)HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\CredUI\EnableSecureCredentialPrompting
(1) Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features\Add-on Management (2)HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Ext!RestrictToList
(1) Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features\Add-on Management (2)HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Ext!ListBox_Support_CLSID
(1) Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Remote Desktop Connection (2)HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DisablePasswordSaving
(1) Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Terminal Server\Device and Resource Redirection (2)HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!fDisableCdm
(1) User Configuration\Administrative Templates\System (2)HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools
(1) User Configuration\Administrative Templates\System\Power Management (2)HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System\Power\PromptPasswordOnResume
(1) User Configuration\Administrative Templates\System\Attachment Manager (2)HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments\SaveZoneInformation
(1) User Configuration\Administrative Templates\System\Attachment Manager (2)HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments\HideZoneInfoOnProperties
(1) User Configuration\Administrative Templates\System\Attachment Manager (2)HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments\ScanWithAntiVirus
(1) User Configuration\Administrative Templates\Windows Components\Internet Explorer (2)HKEY_CURRENT_USER\Software\Microsoft\Outlook Express\BlockExeAttachments
(1) Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options (2)HKEY_LOCAL_MACHINE\System\Currentcontrolset\Control\Lsa\SCENoApplyLegacyAuditPolicy
(2)HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\Setup\ChannelAccess
(2)HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application\Windows Search Service\Start
(2)HKEY_LOCAL_MACHINE\Software\policies\Microsoft\Peernet\Disabled
(2)HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WCN\UI\DisableWcnUi
(2)HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeviceInstall\Settings\AllowRemoteRPC
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeviceInstall\Settings\DisableSystemRestore
(2)HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeviceInstall\Settings\DisableSendGenericDriverNotFoundToWER
(2)HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\DisableWindowsUpdateAccess
(2)HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\AuthRoot\DisableRootAutoUpdate
(2)HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\EventViewer\MicrosoftEventVwrDisableLinks
(2)HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\HandwritingErrorReports\PreventHandwritingErrorReports
(2)HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\PCHealth\HelpSvc\Headlines
(2)HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\PCHealth\HelpSvc\MicrosoftKBSearchs
(2)HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Internet Connection Wizard\ExitOnMSICW
(2)HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoInternetOpenWith
(2)HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Registration Wizard Control\NoRegistration
(2)HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoOnlinePrintsWizard
(2)[HKEY_LOCAL_MACHINE | HKEY_CURRENT_USER] \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPublishingWizard
(2)HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsMovieMaker\CodecDownload
(2)HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsMovieMaker\WebHelp
(2)HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsMovieMaker\WebPublish
(2)HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoWelcomeScreen
(2)HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableStartupSound
(2)HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51\DCSettingIndex
(2)HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51\ACSettingIndex
(2)HKEY_LOCAL_MACHINE\Software\policies\Microsoft\Windows NT\Terminal Services\CreateEncryptedOnlyTickets
(2)HKEY_LOCAL_MACHINE\Software\policies\Microsoft\Windows NT\Terminal Services\UseCustomMessages
(2)HKEY_LOCAL_MACHINE\Software\policies\Microsoft\Windows NT\Terminal Services\UseBandwidthOptimization
(2)HKEY_LOCAL_MACHINE\Software\policies\Microsoft\Windows NT\Terminal Services\LoggingEnabled
(2)HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\IIS\PreventIISInstall
(2)HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Assistance\Client\1.0\NoActiveHelp
(2)HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Assistance\Client\1.0\NoUntrustedContent
(2)HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Feeds\DisableEnclosureDownload
(2)HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search\AllowIndexingEncryptedStoresOrItems
(2)HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search\PreventIndexingUncachedExchangeFolders
(2)HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Windows\TurnOffWinCal
(2)HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SQMClient\CorporateSQMURL
(2)HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\DisableAntiSpyware
(2)HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Explorer\NoHeapTerminationOnCorruption
(2)HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\PreXPSP2ShellProtocolBehavior
(2)HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer\DisableLUAPatching
(2)HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ReportControllerMissing
(2)HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Mail\DisableCommunities
(2)HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Mail\ManualLaunchAllowed
(2)HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WMDRM\DisableOnline
(2)HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Windows Collaboration\TurnOffWindowsCollaboration
(2)HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Windows Collaboration\TurnOnWindowsCollaborationAuditing
(2)HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Windows\Sidebar\TurnOffUnsignedGadgets
(2)HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Windows\Sidebar\OverrideMoreGadgetsLink
(2)HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Windows\Sidebar\TurnOffUserInstalledGadgets
Computer Configuration\Administrative Templates\Windows Components\Digital Locker
Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Components\Game Explorer
Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Outbound Rules
Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Outbound Rules
2007: GPO Settings:Computer Configuration / Administrative Templates / Classic Administrative Templates / Microsoft Office 2007 System / Security Settings , Registry Keys: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Office\12.0\Common\VbaOff 2003: (1) Computer Configuration\Administrative Templates\Microsoft Office 2003\Security Settings\Disable VBA for Office applications (2) HKLM\Software\Policies\Microsoft\Office\11.0\Common - VbaOff (3) User Configuration\Administrative Templates\Microsoft Office 2003\Security Settings\Disable VBA for Office applications (4) HKCU\Software\Policies\Microsoft\Office\11.0\Common - VbaOff
2007: GPO Settings:User Configuration / Administrative Templates / Classic Administrative Templates / Microsoft Office 2007 system / Security /ActiveX Control InitializationSettings , Registry Keys: HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\Common\Security\UFIControls 2003: (1) User Configuration\Administrative Templates\Microsoft Office 2003\Security Settings\ActiveX Control Initialization (2) HKCU\Software\Policies\Microsoft\Office\Common\Security - UFIControls
GPO Settings:User Configuration / Administrative Templates / Classic Administrative Templates / Microsoft Office 2007 / Privacy / Trust Center , Registry Keys: HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Common\QMEnable
GPO Settings:User Configuration / Administrative Templates / Classic Administrative Templates / Microsoft Office 2007 / Privacy / Trust Center , Registry Keys: HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Common\UpdateReliabilityData
GPO Settings:User Configuration / Administrative Templates / Classic Administrative Templates / Microsoft Office 2007 system / Tools / Options / General / Service Options / Online Content , Registry Keys: HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Common\Internet\UseOnlineContent
GPO Settings:User Configuration / Administrative Templates / Classic Administrative Templates / Microsoft Office Access 2007 / Application Settings / Security / Trust Center , Registry Keys: HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Access\Security\VBAWarnings
2007: GPO Settings:User Configuration / Administrative Templates / Classic Administrative Templates / Microsoft Office Excel 2007 / Excel Options / Security / Trust Center , Registry Keys: HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Excel\Security\VBAWarnings
2007: GPO Settings:User Configuration / Administrative Templates / Classic Administrative Templates / Microsoft Office Excel 2007 / Excel Options / Security / Trust Center , Registry Keys: HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Excel\Security\AccessVBOM 2003: (1) Computer Configuration\Administrative Templates\Microsoft Office 2003\Security Settings\Excel: Trust access to Visual Basic Project (2) HKLM\Software\Policies\Microsoft\Office\11.0\Excel\Security - AccessVBOM (3) User Configuration\Administrative Templates\Microsoft Office Excel 2003\Tools\Macros\Security\Trust access to Visual Basic Project (4) HKCU\Software\Policies\Microsoft\Office\11.0\Excel\Security - AccessVBOM
GPO Settings:User Configuration / Administrative Templates / Classic Administrative Templates / Microsoft Office PowerPoint 2007 / PowerPoint Options / Security / Trust Center , Registry Keys: HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\PowerPoint\Security\VBAWarnings
GPO Settings:User Configuration / Administrative Templates / Classic Administrative Templates / Microsoft Office PowerPoint 2007 / PowerPoint Options / Security / Trust Center , Registry Keys: HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\PowerPoint\Security\AccessVBOM
GPO Settings:User Configuration / Administrative Templates / Classic Administrative Templates / Microsoft Office Outlook 2007 / Security , Registry Keys: HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Outlook\Security\EnableRememberPwd
2007: GPO Settings:User Configuration / Administrative Templates / Classic Administrative Templates / Microsoft Office Outlook 2007 / Security , Registry Keys: HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Outlook\Security\AddinTrust 2003: (1) User Configuration\Administrative Templates\Microsoft Office Outlook 2003\Tools\Options\Security\Configure Add-In Trust Level (2) HKCU\Software\Policies\Microsoft\Office\11.0\Outlook\Security - AddinTrust
GPO Settings:User Configuration / Administrative Templates / Classic Administrative Templates / Microsoft Office Outlook 2007 / Security , Registry Keys: HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Outlook\Security\EnableRememberPwd
GPO Settings:User Configuration / Administrative Templates / Classic Administrative Templates / Microsoft Office Outlook 2007 / Security / Cryptography , Registry Keys: HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Outlook\Security\MinEncKey
GPO Settings:User Configuration / Administrative Templates / Classic Administrative Templates / Microsoft Office Outlook 2007 / Security / Cryptography , Registry Keys: HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Outlook\Security\SupressNameChecks
2007: GPO Settings: User Configuration / Administrative Templates / Classic Administrative Templates / Microsoft Office Outlook 2007 / Security / Cryptography, Registry Keys: HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Outlook\Security\ClearSign 2003: (1) User Configuration\Administrative Templates\Microsoft Office Outlook 2003\Tools\Options\Security\Cryptography\Send all signed messages as clear signed messages (2) HKCU\Software\Policies\Microsoft\Office\11.0\Outlook\Security - ClearSign
GPO Settings: User Configuration / Administrative Templates / Classic Administrative Templates / Microsoft Office Outlook 2007 / Security / Cryptography, Registry Keys: HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Outlook\Security\RequestSecureReceipt
2007: GPO Settings: User Configuration / Administrative Templates / Classic Administrative Templates / Microsoft Office Outlook 2007 / Security / Cryptography, Registry Keys: HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Outlook\Security\PublishToGalDisabled 2003: (1) User Configuration\Administrative Templates\Microsoft Office Outlook 2003\Tools\Options\Security\Cryptography\Disable 'Publish to GAL' button (2) HKCU\Software\Policies\Microsoft\office\11.0\outlook\Security - PublishToGalDisabled
2007: GPO Settings: User Configuration / Administrative Templates / Classic Administrative Templates / Microsoft Office Outlook 2007 / Security / Cryptography, Registry Keys: HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Outlook\Security\WarnAboutInvalid 2003: (1) User Configuration\Administrative Templates\Microsoft Office Outlook 2003\Tools\Options\Security\Cryptography\Signature Warning (2) HKCU\Software\Policies\Microsoft\Office\11.0\Outlook\Security - WarnAboutInvalid
2007: GPO Settings: User Configuration / Administrative Templates / Classic Administrative Templates / Microsoft Office Outlook 2007 / Security / Cryptography, Registry Keys: HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Outlook\Security\ConvertSMIMEBlobSignedIcons 2003: (1) User Configuration\Administrative Templates\Microsoft Office Outlook 2003\Tools\Options\Security\Cryptography\Enable cryptography icons (2) HKCU\Software\Policies\Microsoft\Office\11.0\Outlook\Security - ConvertSMIMEBlobSignedIcons
GPO Settings: User Configuration / Administrative Templates / Classic Administrative Templates / Microsoft Office Outlook 2007 / Security / Cryptography / Signature Status Dialog Box, Registry Keys: HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Outlook\Security\UseCRLChasing
GPO Settings: User Configuration / Administrative Templates / Classic Administrative Templates / Microsoft Office Word 2007 / Word Options / Security / Trust Center, Registry Keys: HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Word\Security\VBAWarnings
2007: GPO Settings: User Configuration / Administrative Templates / Classic Administrative Templates / Microsoft Office Word 2007 / Word Options / Security / Trust Center, Registry Keys: HKEY_CURRENT_USER\Software\Policies\Policies\Microsoft\Office\12.0\Word\Security\AccessVBOM 2003: (1) Computer Configuration\Administrative Templates\Microsoft Office 2003\Security Settings\Word: Trust access to Visual Basic Project (2) HKLM\Software\Policies\Microsoft\Office\11.0\Word\Security - AccessVBOM (3) User Configuration\Administrative Templates\Microsoft Office Word 2003\Tools\Macro\Security\Trust access to Visual Basic Project (4) HKCU\Software\Policies\Microsoft\Office\11.0\Word\Security - AccessVBOM
2007: GPO Settings: User Configuration / Administrative Templates / Classic Administrative Templates / Microsoft Office Word 2007 / Word Options / Security, Registry Keys: HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Word\Options\vpref\fWarnRevisions_1805_1 2003: (1) User Configuration\Administrative Templates\Microsoft Office Word 2003\Tools\Options\Security\Warn before printing or saving or sending a file that contains tracked changes or comments (2) HKCU\Software\Policies\Microsoft\Office\11.0\Word\Options\vpre
GPO Settings: User Configuration / Administrative Templates / Classic Administrative Templates / Microsoft Office 2007 / Miscellaneous, Registry Keys: HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\Common\OfficeUpdate\BlockUpdates
(1) User Configuration\Administrative Templates\Microsoft Office Access 2007\Application Settings\Web Options\General\Underline hyperlinks (2) Software\Policies\Microsoft\Office\12.0\Access\Internet
(1) User Configuration\Administrative Templates\Microsoft Office Access 2007\Application Settings\General\General\Number of documents in the Recent Documents list (0-9) (2) Software\Policies\Microsoft\Office\12.0\Access\Settings
(1) User Configuration\Administrative Templates\Microsoft Office Access 2007\Application Settings\Security\Trust Center\Disable Trust Bar Notification for unsigned application add-ins (2) Software\Policies\Microsoft\Office\12.0\Access\Security
(1) User Configuration\Administrative Templates\Microsoft Office Access 2007\Application Settings\Security\Trust Center\Disable all application add-ins (2) Software\Policies\Microsoft\Office\12.0\Access\Security
(1) User Configuration\Administrative Templates\Microsoft Office Access 2007\Application Settings\Security\Trust Center\Require that application add-ins are signed by Trusted Publisher (2) Software\Policies\Microsoft\Office\12.0\Access\Security
(1) User Configuration\Administrative Templates\Microsoft Office Access 2007\Application Settings\Security\Trust Center\Trusted Locations\Disable all trusted locations (2) Software\Policies\Microsoft\Office\12.0\Access\Security\Trusted Locations
(1) User Configuration\Administrative Templates\Microsoft Office Access 2007\Application Settings\Security\Trust Center\Trusted Locations\Allow Trusted Locations not on the computer (2) Software\Policies\Microsoft\Office\12.0\Access\Security\Trusted Locations
(1) User Configuration\Administrative Templates\Microsoft Office Access 2007\Application Settings\Security\Trust Center\Trusted Locations\Modal Trust Decision Only (2) Software\Policies\Microsoft\Office\12.0\Access\Security\Trusted Locations
(1) User Configuration\Administrative Templates\Microsoft Office Access 2007\Disable items in user interface\Predefined\Disable commands (2) Software\Policies\Microsoft\Office\12.0\Access\DisabledCmdBarItemsCheckBoxes
(1) User Configuration\Administrative Templates\Microsoft Office Access 2007\Disable items in user interface\Predefined\Disable commands - Office Button | E-Mail (2) Software\Policies\Microsoft\Office\12.0\Access\DisabledCmdBarItemsCheckBoxes
(1) User Configuration\Administrative Templates\Microsoft Office Access 2007\Disable items in user interface\Predefined\Disable commands - Office Button | Access Options | Customize | All Commands | Insert Hyperlink (2) Software\Policies\Microsoft\Office\12.0\Access\DisabledCmdBarItemsCheckBoxes
(1) User Configuration\Administrative Templates\Microsoft Office Access 2007\Disable items in user interface\Predefined\Disable commands - Database Tools | Database Tools | Encrypt with Password (2) Software\Policies\Microsoft\Office\12.0\Access\DisabledCmdBarItemsCheckBoxes
(1) User Configuration\Administrative Templates\Microsoft Office Access 2007\Disable items in user interface\Predefined\Disable commands - Database Tools | Administer | Users and Permission | User and Group Permissions (2) Software\Policies\Microsoft\Office\12.0\Access\DisabledCmdBarItemsCheckBoxes
(1) User Configuration\Administrative Templates\Microsoft Office Access 2007\Disable items in user interface\Predefined\Disable commands - Database Tools | Administer | Users and Permissions | User and Group Accounts (2) Software\Policies\Microsoft\Office\12.0\Access\DisabledCmdBarItemsCheckBoxes
(1) User Configuration\Administrative Templates\Microsoft Office Access 2007\Disable items in user interface\Predefined\Disable commands - Database Tools | Administer | Users and Permission | User-Level Security Wizard... (2) Software\Policies\Microsoft\Office\12.0\Access\DisabledCmdBarItemsCheckBoxes
(1) User Configuration\Administrative Templates\Microsoft Office Access 2007\Disable items in user interface\Predefined\Disable commands - Database Tools | Database Tools | Encode/Decode Database (2) Software\Policies\Microsoft\Office\12.0\Access\DisabledCmdBarItemsCheckBoxes
(1) User Configuration\Administrative Templates\Microsoft Office Access 2007\Disable items in user interface\Predefined\Disable commands - Database Tools | Macro | Visual Basic (2) Software\Policies\Microsoft\Office\12.0\Access\DisabledCmdBarItemsCheckBoxes
(1) User Configuration\Administrative Templates\Microsoft Office Access 2007\Disable items in user interface\Predefined\Disable commands - Database Tools | Macro | Run Macro (2) Software\Policies\Microsoft\Office\12.0\Access\DisabledCmdBarItemsCheckBoxes
(1) User Configuration\Administrative Templates\Microsoft Office Access 2007\Disable items in user interface\Predefined\Database Tools | Macro | Convert Macros to Visual Basic (2) Software\Policies\Microsoft\Office\12.0\Access\DisabledCmdBarItemsCheckBoxes
(1) User Configuration\Administrative Templates\Microsoft Office Access 2007\Disable items in user interface\Predefined\Database Tools | Macro | Create Shortcut Menu from Macro (2) Software\Policies\Microsoft\Office\12.0\Access\DisabledCmdBarItemsCheckBoxes
(1) User Configuration\Administrative Templates\Microsoft Office Access 2007\Disable items in user interface\Predefined\Disable shortcut keys (2) Software\Policies\Microsoft\Office\12.0\Access\DisabledShortcutKeysCheckBoxes
(1) User Configuration\Administrative Templates\Microsoft Office Access 2007\Disable items in user interface\Predefined\Disable commands - Ctrl+K (Office Button | Access Options | Customize | All Commands | Insert Hyperlinks) (2) Software\Policies\Microsoft\Office\12.0\Access\DisabledShortcutKeysCheckBoxes
(1) User Configuration\Administrative Templates\Microsoft Office Access 2007\Disable items in user interface\Predefined\Disable commands - Alt+F11 (Database Tools | Macro | Visual Basic) (2) Software\Policies\Microsoft\Office\12.0\Access\DisabledShortcutKeysCheckBoxes
(1) User Configuration\Administrative Templates\Microsoft Office Access 2007\Miscellaneous\Default file format (Access 2007 | Access 2002-2003) (2) Software\Policies\Microsoft\Office\12.0\Access\Settings
(1) User Configuration\Administrative Templates\Microsoft Office Access 2007\Miscellaneous\Do not prompt to convert older databases (2) Software\Policies\Microsoft\Office\12.0\Access\Settings
(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Excel Options\Proofing\Autocorrect Options\Internet and network paths as hyperlinks (2) Software\Policies\Microsoft\Office\12.0\Excel\Options
(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Excel Options\Save\Save Excel files as (Excel Workbook (*.xlsx) | Excel Macro-Enabled Workbook (*.xlsm) | Excel Binary Workbook (*.xlsb) | Web Page (*.htm; *.html) | Excel 97-2003 Workbook (*.xls) | Excel 5.0/95 Workbook (*.xls)) (2) Software\Policies\Microsoft\Office\12.0\Excel\Options
(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Excel Options\Save\Disable AutoRepublish (2) Software\Policies\Microsoft\Office\12.0\Excel\Options
(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Excel Options\Save\AutoRepublish Warning Alert (Always show the alert before publishing | Never show the alert before publishing) (2) Software\Policies\Microsoft\Office\12.0\Excel\Options
(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Excel Options\Security\Determine whether to force encrypted macros to be scanned in Microsoft Excel Open XML workbooks (2) Software\Policies\Microsoft\Office\12.0\Excel\Security
(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Excel Options\Security\Force file extension to match file type (Allow different | Allow different, but warn | Always match file type) (2) Software\Policies\Microsoft\Office\12.0\Excel\Security
(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Excel Options\Security\Trust Center\Store macro in Personal Macro Workbook by default (2) Software\Policies\Microsoft\Office\12.0\Excel\Security
(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Excel Options\Security\Trust Center\Disable all application add-ins (2) Software\Policies\Microsoft\Office\12.0\Excel\Security
(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Excel Options\Security\Trust Center\Require that application add-ins are signed by Trusted Publisher (2) Software\Policies\Microsoft\Office\12.0\Excel\Security
(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Excel Options\Security\Trust Center\Disable Trust Bar Notification for unsigned application add-ins (2) Software\Policies\Microsoft\Office\12.0\Excel\Security
(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Excel Options\Security\Trust Center\Trusted Locations\Allow Trusted Locations not on the computer (2) Software\Policies\Microsoft\Office\12.0\Excel\Security\Trusted Locations
(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Excel Options\Security\Trust Center\Trusted Locations\Disable all trusted locations (2) Software\Policies\Microsoft\Office\12.0\Excel\Security\Trusted Locations
(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Excel Options\Advanced\Ignore other applications (2) Software\Policies\Microsoft\Office\12.0\Excel\Options\BinaryOptions
(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Excel Options\Advanced\Ask to update automatic links (2) Software\Policies\Microsoft\Office\12.0\Excel\Options
(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Excel Options\Advanced\Number of documents in the Recent Documents list (0-17) (2) Software\Policies\Microsoft\Office\12.0\Excel\File MRU
(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Excel Options\Advanced\Web Options…\General\Save any additional data necessary to maintain formulas (2) Software\Policies\Microsoft\Office\12.0\Excel\Internet
(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Excel Options\Advanced\Web Options…\General\Load pictures from Web pages not created in Excel (2) Software\Policies\Microsoft\Office\12.0\Excel\Internet
(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Data Recovery\Do not show data extraction options when opening corrupt workbooks (2) Software\Policies\Microsoft\Office\12.0\Excel\Options
(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Data Recovery\Assume structured storage format of workbook is intact when recovering data (2) Software\Policies\Microsoft\Office\12.0\Excel\Options
(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Data Recovery\Corrupt formula conversion (Convert unrecoverable references to: values | #REF or #NAME) (2) Software\Policies\Microsoft\Office\12.0\Excel\Options
(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Data Access Security\Connection File Locations (2) Software\Policies\Microsoft\Office\Common\Server Links\Published
(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Data Access Security\Automatic Query Refresh (Prompt for all workbooks | Do not prompt; do not allow auto refresh | Do not prompt; allow auto refresh) (2) Software\Policies\Microsoft\Office\Common\Server Links\Published
(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Disable items in user interface\Predefined\Disable commands (2) Software\Policies\Microsoft\Office\12.0\Excel\DisabledCmdBarItemsCheckBoxes
(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Disable items in user interface\Predefined\Disable commands - Office Button | Excel Options | Customize | All Commands | Save as Web Page (2) Software\Policies\Microsoft\Office\12.0\Excel\DisabledCmdBarItemsCheckBoxes
(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Disable items in user interface\Predefined\Disable commands - Office Button | Excel Options | Customize | All Commands | Web Page Preview (2) Software\Policies\Microsoft\Office\12.0\Excel\DisabledCmdBarItemsCheckBoxes
(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Disable items in user interface\Predefined\Disable commands - Office Button | Send | Email (2) Software\Policies\Microsoft\Office\12.0\Excel\DisabledCmdBarItemsCheckBoxes
(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Disable items in user interface\Predefined\Disable commands - Insert | Links | Hyperlink (2) Software\Policies\Microsoft\Office\12.0\Excel\DisabledCmdBarItemsCheckBoxes
(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Disable items in user interface\Predefined\Disable commands - Review | Changes | Protect Sheet (2) Software\Policies\Microsoft\Office\12.0\Excel\DisabledCmdBarItemsCheckBoxes
(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Disable items in user interface\Predefined\Disable commands - Review | Changes | Protect Workbook (2) Software\Policies\Microsoft\Office\12.0\Excel\DisabledCmdBarItemsCheckBoxes
(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Disable items in user interface\Predefined\Disable commands - Review | Changes | Protect and Share Workbook (2) Software\Policies\Microsoft\Office\12.0\Excel\DisabledCmdBarItemsCheckBoxes
(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Disable items in user interface\Predefined\Disable commands - View | Macros | Macros (2) Software\Policies\Microsoft\Office\12.0\Excel\DisabledCmdBarItemsCheckBoxes
(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Disable items in user interface\Predefined\Disable commands - Developer | Code | Macros (2) Software\Policies\Microsoft\Office\12.0\Excel\DisabledCmdBarItemsCheckBoxes
(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Disable items in user interface\Predefined\Disable commands - Developer | Code | Record Macro (2) Software\Policies\Microsoft\Office\12.0\Excel\DisabledCmdBarItemsCheckBoxes
(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Disable items in user interface\Predefined\Disable commands - Developer | Code | Macro Security (2) Software\Policies\Microsoft\Office\12.0\Excel\DisabledCmdBarItemsCheckBoxes
(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Disable items in user interface\Predefined\Disable commands - Developer | Code | Visual Basic (2) Software\Policies\Microsoft\Office\12.0\Excel\DisabledCmdBarItemsCheckBoxes
(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Disable items in user interface\Predefined\Disable commands - Office Button | Excel Options | Customize | All Commands | Document Location (2) Software\Policies\Microsoft\Office\12.0\Excel\DisabledCmdBarItemsCheckBoxes
(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Disable items in user interface\Predefined\Disable shortcut keys (2) Software\Policies\Microsoft\Office\12.0\Excel\DisabledShortcutKeysCheckBoxes
(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Disable items in user interface\Predefined\Disable shortcut keys - Ctrl+K (Insert | Links | Hyperlink) (2) Software\Policies\Microsoft\Office\12.0\Excel\DisabledShortcutKeysCheckBoxes
(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Disable items in user interface\Predefined\Disable shortcut keys - Alt+F8 (Developer | Code | Macros) (2) Software\Policies\Microsoft\Office\12.0\Excel\DisabledShortcutKeysCheckBoxes
(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Disable items in user interface\Predefined\Disable shortcut keys - Alt+F11 (Developer | Code | Visual Basic) (2) Software\Policies\Microsoft\Office\12.0\Excel\DisabledShortcutKeysCheckBoxes
(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Block file formats\Open\Block opening of pre-release versions of file formats new to Excel 2007 (2) Software\Policies\Microsoft\Office\12.0\Excel\Security\FileOpenBlock
(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Block file formats\Open\Block opening of Open XML file types (2) Software\Policies\Microsoft\Office\12.0\Excel\Security\FileOpenBlock
(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Block file formats\Open\Block opening of Binary 12 file types (2) Software\Policies\Microsoft\Office\12.0\Excel\Security\FileOpenBlock
(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Block file formats\Open\Block opening of Binary file types (2) Software\Policies\Microsoft\Office\12.0\Excel\Security\FileOpenBlock
(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Block file formats\Open\Block opening of Html and Xmlss files types (2) Software\Policies\Microsoft\Office\12.0\Excel\Security\FileOpenBlock
(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Block file formats\Open\Block opening of Xml file types (2) Software\Policies\Microsoft\Office\12.0\Excel\Security\FileOpenBlock
(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Block file formats\Open\Block opening of DIF and SYLK file types (2) Software\Policies\Microsoft\Office\12.0\Excel\Security\FileOpenBlock
(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Block file formats\Open\Block opening of Text file types (2) Software\Policies\Microsoft\Office\12.0\Excel\Security\FileOpenBlock
(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Block file formats\Open\Block opening of Xll file type (2) Software\Policies\Microsoft\Office\12.0\Excel\Security\FileOpenBlock
(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Block file formats\Save\Block saving of Open Xml file types (2) Software\Policies\Microsoft\Office\12.0\Excel\Security\FileSaveBlock
(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Block file formats\Save\Block saving of Binary12 file types (2) Software\Policies\Microsoft\Office\12.0\Excel\Security\FileSaveBlock
(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Block file formats\Save\Block saving of Binary file types (2) Software\Policies\Microsoft\Office\12.0\Excel\Security\FileSaveBlock
(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Block file formats\Save\Block saving of Html and Xmlss file types (2) Software\Policies\Microsoft\Office\12.0\Excel\Security\FileSaveBlock
(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Block file formats\Save\Block saving Xml file types (2) Software\Policies\Microsoft\Office\12.0\Excel\Security\FileSaveBlock
(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Block file formats\Save\Block saving DIF and SYLK file types (2) Software\Policies\Microsoft\Office\12.0\Excel\Security\FileSaveBlock
(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Block file formats\Save\Block saving of Text file types (2) Software\Policies\Microsoft\Office\12.0\Excel\Security\FileSaveBlock
(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Miscellaneous\Locally cache network file storages (2) Software\Policies\Microsoft\Office\12.0\Excel\Options
(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Miscellaneous\Locally cache PivotTable reports (2) Software\Policies\Microsoft\Office\12.0\Excel\Options
(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Miscellaneous\OLAP PivotTable User Defined Function (UDF) security setting (Allow ALL UDFs | Allow safe UDFs only | Allow NO UDFs) (2) Software\Policies\Microsoft\Office\12.0\Excel\Options
(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Miscellaneous\Recognize SmartTags (2) Software\Policies\Microsoft\Office\12.0\Excel\Options
(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Tools | Options\General\Number of documents in the Recent Documents list (0 - 9) (2) Software\Policies\Microsoft\Office\12.0\InfoPath
(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Tools | Options\Advanced\Offline\Offline Mode status (Disabled | Enabled, InfoPath in Offline Mode | Enabled, InfoPath not in Offline Mode) (2) Software\Policies\Microsoft\Office\12.0\InfoPath\Editor\Offline
(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Predefined\Disable commands (2) Software\Policies\Microsoft\Office\12.0\InfoPath\DisabledCmdBarItemsCheckBoxes
(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Predefined\Disable commands - File | Print (2) Software\Policies\Microsoft\Office\12.0\InfoPath\DisabledCmdBarItemsCheckBoxes
(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Predefined\Disable commands - File | Send to Mail Recipient (2) Software\Policies\Microsoft\Office\12.0\InfoPath\DisabledCmdBarItemsCheckBoxes
(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Predefined\Disable commands - File | Open from SharePoint Site (2) Software\Policies\Microsoft\Office\12.0\InfoPath\DisabledCmdBarItemsCheckBoxes
(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Predefined\Disable commands - File | Print Preview (2) Software\Policies\Microsoft\Office\12.0\InfoPath\DisabledCmdBarItemsCheckBoxes
(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Predefined\Disable commands - File | Page Setup (2) Software\Policies\Microsoft\Office\12.0\InfoPath\DisabledCmdBarItemsCheckBoxes
(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Predefined\Disable commands - Insert | Hyperlinks... (2) Software\Policies\Microsoft\Office\12.0\InfoPath\DisabledCmdBarItemsCheckBoxes
(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Predefined\Disable commands - Tools | Set Language (2) Software\Policies\Microsoft\Office\12.0\InfoPath\DisabledCmdBarItemsCheckBoxes
(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Predefined\Disable commands - Tools | Customize... (2) Software\Policies\Microsoft\Office\12.0\InfoPath\DisabledCmdBarItemsCheckBoxes
(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Predefined\Disable commands - Tools | Options... (2) Software\Policies\Microsoft\Office\12.0\InfoPath\DisabledCmdBarItemsCheckBoxes
(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Predefined\Disable commands - Help | Microsoft Office Online (2) Software\Policies\Microsoft\Office\12.0\InfoPath\DisabledCmdBarItemsCheckBoxes
(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Predefined\Disable commands - Office Diagnostics (2) Software\Policies\Microsoft\Office\12.0\InfoPath\DisabledCmdBarItemsCheckBoxes
(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Predefined\Disable commands - Help | Activate Product... (2) Software\Policies\Microsoft\Office\12.0\InfoPath\DisabledCmdBarItemsCheckBoxes
(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Predefined\Disable commands - Print Default (2) Software\Policies\Microsoft\Office\12.0\InfoPath\DisabledCmdBarItemsCheckBoxes
(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Predefined\Disable shortcut keys (2) Software\Policies\Microsoft\Office\12.0\InfoPath\DisabledShortcutKeysCheckBoxes
(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Predefined\Disable shortcut keys - Print Shortcut (Ctrl+P) (2) Software\Policies\Microsoft\Office\12.0\InfoPath\DisabledShortcutKeysCheckBoxes
(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Predefined\Disable shortcut keys - Insert Hyperlink Shortcut (Ctrl+K) (2) Software\Policies\Microsoft\Office\12.0\InfoPath\DisabledShortcutKeysCheckBoxes
(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Security\Control behavior for Windows SharePoint Services gradual upgrade (Allow redirections to any location | Allow redirections to Intranet only | Block all redirections) (2) Software\Policies\Microsoft\Office\12.0\InfoPath\Security
(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Security\Disable opening of solutions from the Internet security zone (2) Software\Policies\Microsoft\Office\12.0\InfoPath\Security
(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Security\Disable fully trusted solutions full access to computer (2) Software\Policies\Microsoft\Office\12.0\InfoPath\Security
(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Security\Allow the use of ActiveX Custom Controls in InfoPath forms (2) Software\Policies\Microsoft\Office\12.0\InfoPath
(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Security\Run forms in restricted mode if they do not specify a publish location and use only features introduced before InfoPath 2003 SP1 (2) Software\Policies\Microsoft\Office\12.0\InfoPath\Security
(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Security\Allow file types as attachments to forms (2) Software\Policies\Microsoft\Office\12.0\InfoPath\Security
(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Security\Block specific file types as attachments to forms (2) Software\Policies\Microsoft\Office\12.0\InfoPath\Security
(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Security\Prevent users from allowing unsafe file types to be attached to forms (2) Software\Policies\Microsoft\Office\12.0\InfoPath\Security
(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Security\Display a warning that a form is digitally signed (2) Software\Policies\Microsoft\Office\12.0\InfoPath\Security
(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Security\Control behavior when opening forms in the Internet security zone (Block | Prompt | Allow) (2) Software\Policies\Microsoft\Office\12.0\InfoPath\Open Behaviors
(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Security\Control behavior when opening forms in the Intranet security zone (Block | Prompt | Allow) (2) Software\Policies\Microsoft\Office\12.0\InfoPath\Open Behaviors
(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Security\Control behavior when opening forms in the Local Machine security zone (Block | Prompt | Allow) (2) Software\Policies\Microsoft\Office\12.0\InfoPath\Open Behaviors
(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Security\Control behavior when opening forms in the Trusted Site security zone (Block | Prompt | Allow) (2) Software\Policies\Microsoft\Office\12.0\InfoPath\Open Behaviors
(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Security\Beaconing UI for forms opened in InfoPath (Never show beaconing UI | Always show beaconing UI | Show UI if Form Template is from Internet Zone) (2) Software\Policies\Microsoft\Office\12.0\InfoPath\Security
(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Security\Beaconing UI for forms opened in InfoPath Editor ActiveX (Never show beaconing UI | Always show beaconing UI | Show UI if Form Template is from Internet Zone) (2) Software\Policies\Microsoft\Office\12.0\InfoPath\Security
(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Security\Trust Center\Disable all application add-ins (2) Software\Policies\Microsoft\Office\12.0\InfoPath\Security
(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Security\Trust Center\Require that application add-ins are signed by Trusted Publisher (2) Software\Policies\Microsoft\Office\12.0\InfoPath\Security
(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Security\Trust Center\Disable Trust Bar Notification for unsigned application add-ins (2) Software\Policies\Microsoft\Office\12.0\InfoPath\Security
(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Control behavior when opening InfoPath e-mail forms containing code or script (Run without prompting | Prompt before running | Never run) (2) Software\Policies\Microsoft\Office\12.0\InfoPath\Security
(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Disable sending form template with e-mail forms (2) Software\Policies\Microsoft\Office\12.0\InfoPath\Deployment
(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Disable dynamic caching of the form template in InfoPath e-mail forms (2) Software\Policies\Microsoft\Office\12.0\InfoPath\Deployment
(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Disable sending InfoPath 2003 Forms as e-mail forms (2) Software\Policies\Microsoft\Office\12.0\InfoPath
(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Disable e-mail forms running in restricted security level (2) Software\Policies\Microsoft\Office\12.0\InfoPath\Security
(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Disable e-mail forms from the Internet security zone (2) Software\Policies\Microsoft\Office\12.0\InfoPath\Security
(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Disable e-mail forms from the Intranet security zone (2) Software\Policies\Microsoft\Office\12.0\InfoPath\Security
(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Disable e-mail forms from the Full Trust security zone (2) Software\Policies\Microsoft\Office\12.0\InfoPath\Security
(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Disable InfoPath e-mail forms in Outlook (2) Software\Policies\Microsoft\Office\12.0\Outlook\Options\Mail
(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Restricted Features\Information Rights Management (2) Software\Policies\Microsoft\Office\12.0\InfoPath\Designer\RestrictedFeatures
(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Restricted Features\Custom code (2) Software\Policies\Microsoft\Office\12.0\InfoPath\Designer\RestrictedFeatures
(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Miscellaneous\Email Forms Beaconing UI (Never show UI | Always show UI | Show UI if XSN is in Internet Zone) (2) Software\Policies\Microsoft\Office\12.0\InfoPath\Security
(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Global Options\Customize\Disable user customization of Quick Access Toolbar via UI (2) Software\Policies\Microsoft\Office\12.0\Common\Toolbars
(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Global Options\Customize\Disable user customization of Quick Access Toolbar via UI - Disallow in Word (2) Software\Policies\Microsoft\Office\12.0\Common\Toolbars
(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Global Options\Customize\Disable user customization of Quick Access Toolbar via UI - Disallow in Excel (2) Software\Policies\Microsoft\Office\12.0\Common\Toolbars
(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Global Options\Customize\Disable user customization of Quick Access Toolbar via UI - Disallow in PowerPoint (2) Software\Policies\Microsoft\Office\12.0\Common\Toolbars
(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Global Options\Customize\Disable user customization of Quick Access Toolbar via UI - Disallow in Access (2) Software\Policies\Microsoft\Office\12.0\Common\Toolbars
(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Global Options\Customize\Disable user customization of Quick Access Toolbar via UI - Disallow in Outlook (2) Software\Policies\Microsoft\Office\12.0\Common\Toolbars
(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Global Options\Customize\Disable all user customization of Quick Access Toolbar (2) Software\Policies\Microsoft\Office\12.0\Common\Toolbars
(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Global Options\Customize\Disable all user customization of Quick Access Toolbar - Disallow in Word (2) Software\Policies\Microsoft\Office\12.0\Common\Toolbars
(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Global Options\Customize\Disable all user customization of Quick Access Toolbar - Disallow in Excel (2) Software\Policies\Microsoft\Office\12.0\Common\Toolbars
(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Global Options\Customize\Disable all user customization of Quick Access Toolbar - Disallow in PowerPoint (2) Software\Policies\Microsoft\Office\12.0\Common\Toolbars
(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Global Options\Customize\Disable all user customization of Quick Access Toolbar - Disallow in Access (2) Software\Policies\Microsoft\Office\12.0\Common\Toolbars
(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Global Options\Customize\Disable all user customization of Quick Access Toolbar - Disallow in Outlook (2) Software\Policies\Microsoft\Office\12.0\Common\Toolbars
(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Global Options\Customize\Disable UI extending from documents and templates (2) Software\Policies\Microsoft\Office\12.0\Common\Toolbars
(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Global Options\Customize\Disable UI extending from documents and templates - Disallow in Word (2) Software\Policies\Microsoft\Office\12.0\Common\Toolbars
(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Global Options\Customize\Disable UI extending from documents and templates - Disallow in Excel (2) Software\Policies\Microsoft\Office\12.0\Common\Toolbars
(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Global Options\Customize\Disable UI extending from documents and templates - Disallow in PowerPoint (2) Software\Policies\Microsoft\Office\12.0\Common\Toolbars
(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Global Options\Customize\Disable UI extending from documents and templates - Disallow in Access (2) Software\Policies\Microsoft\Office\12.0\Common\Toolbars
(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Global Options\Customize\Disable UI extending from documents and templates - Disallow in Outlook (2) Software\Policies\Microsoft\Office\12.0\Common\Toolbars
(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Tools | AutoCorrect Options... (Excel, Word, PowerPoint and Access)\Recognize smart tags in Excel (2) Software\Policies\Microsoft\Office\12.0\Excel\Options
(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Tools | Options | General | Web Options...\Disable Clip Art and Media downloads from the client and from Office Online website (2) Software\Policies\Microsoft\Office\12.0\Common\Internet
(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Tools | Options | General | Web Options...\Disable template downloads from the client and from Office Online website (2) Software\Policies\Microsoft\Office\12.0\Common\Internet
(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Tools | Options | General | Web Options...\Disable access to updates, add-ins, and patches on the Office Online website (2) Software\Policies\Microsoft\Office\12.0\Common\Internet
(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Tools | Options | General | Web Options...\Prevents users from uploading document templates to the Office Online community. (2) Software\Policies\Microsoft\Office\12.0\Common\Internet
(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Tools | Options | General | Web Options...\Disable training practice downloads from the Office Online website (2) Software\Policies\Microsoft\Office\12.0\Common\Internet
(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Tools | Options | General | Web Options...\Disable customer-submitted templates downloads from Office Online (2) Software\Policies\Microsoft\Office\12.0\Common\Internet
(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Tools | Options | General | Web Options...\Files\Open Office documents as read/write while browsing (2) Software\Policies\Microsoft\Office\12.0\Common\Internet
(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Tools | Options | General | Web Options...\Browsers\Rely on VML for displaying graphics in browsers (2) Software\Policies\Microsoft\Office\12.0\Common\Internet
(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Tools | Options | General | Web Options...\Browsers\Allow PNG as an output format (2) Software\Policies\Microsoft\Office\12.0\Common\Internet
(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Tools | Options | Spelling\Proofing Data Collection\Improve Proofing Tools (2) Software\Policies\Microsoft\Office\12.0\Common\PTWatson
(1) User Configuration\Administrative Templates\Classic Administrative Templates\Microsoft Office 2007\Privacy\Trust Center\Disable Opt-in Wizard on first run (2) HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Common\QMEnable
(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Help\Microsoft Office Online (2) Software\Policies\Microsoft\Office\12.0\Common\Internet
(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Security Settings\Disable Password Caching (2) Software\Policies\Microsoft\Office\12.0\Common\Security
(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Security Settings\Disable all Trust Bar notifications for security issues (2) Software\Policies\Microsoft\Office\12.0\Common\TrustCenter
(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Security Settings\Protect document metadata for rights managed Office Open XML Files (2) Software\Policies\Microsoft\Office\12.0\Common\Security
(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Security Settings\Protect document metadata for password protected files. (2) Software\Policies\Microsoft\Office\12.0\Common\Security
(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Security Settings\Encryption type for password protected Office Open XML files (2) Software\Policies\Microsoft\Office\12.0\Common\Security
(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Security Settings\Encryption type for password protected Office 97-2003 files (2) Software\Policies\Microsoft\Office\12.0\Common\Security
(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Security Settings\Load Controls in Forms3 (1 | 2 | 3 | 4) (2) Software\Policies\Microsoft\VBA\Security
2007: (1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Security Settings\Automation Security (Disable macros by default | Use application macro security level | Macros enabled) (2) Software\Policies\Microsoft\Office\Common\Security 2003: (1) Computer Configuration\Administrative Templates\Microsoft Office 2003\Security Settings\Automation Security (2) HKLM\Software\Policies\Microsoft\Office\11.0\Common\Security - AutomationSecurity
(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Security Settings\Prevent Word and Excel from loading managed code extensions (2) Software\Policies\Microsoft\Office\Common\Smart Tag
(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Security Settings\Disable hyperlink warnings (2) Software\Policies\Microsoft\Office\12.0\Common\Security
(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Security Settings\Disable password to open UI (2) Software\Policies\Microsoft\Office\12.0\Common\Security
(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Security Settings\Download Office Controls (2) Software\Policies\Microsoft\Office\12.0\Common\Internet
(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Security Settings\Disable All ActiveX (2) Software\Policies\Microsoft\Office\Common\Security
(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Security Settings\Trust Center\Allow mix of policy and user locations (2) Software\Policies\Microsoft\Office\12.0\Common\Security\Trusted Locations
(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Smart Documents (Word, Excel)\Disable Smart Document's use of manifests (2) Software\Policies\Microsoft\Office\Common\Smart Tag
(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Smart Documents (Word, Excel)\Completely disable the Smart Documents feature in Word and Excel (2) Software\Policies\Microsoft\Office\Common\Smart Tag
(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Services\Fax\Disable Internet Fax feature (2) Software\Policies\Microsoft\Office\12.0\Common\Services\Fax
(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Manage Restricted Permissions\Prevent users from changing permissions on rights managed content (2) Software\Policies\Microsoft\Office\12.0\Common\DRM
(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Manage Restricted Permissions\Allow users with earlier versions of Office to read with browsers... (2) Software\Policies\Microsoft\Office\12.0\Common\DRM
(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Manage Restricted Permissions\Always require users to connect to verify permission (2) Software\Policies\Microsoft\Office\12.0\Common\DRM
(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Manage Restricted Permissions\Always expand groups in Office when restricting permission for documents (2) Software\Policies\Microsoft\Office\12.0\Common\DRM\AutoExpandDls
(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Manage Restricted Permissions\Never allow users to specify groups when restricting permission for documents (2) Software\Policies\Microsoft\Office\12.0\Common\DRM
(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Manage Restricted Permissions\Disable Microsoft Passport service for content with restricted permission (2) Software\Policies\Microsoft\Office\12.0\Common\DRM
(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Manage Restricted Permissions\Do not allow users to upgrade Information Rights Management configuration (2) Software\Policies\Microsoft\Office\12.0\Common\DRM
(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Signing\Key Usage Filtering (2) Software\Policies\Microsoft\Office\12.0\Common\General
(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Signing\EKU filtering (2) Software\Policies\Microsoft\Office\12.0\Common\Signatures
(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Signing\Legacy format signatures (2) Software\Policies\Microsoft\Office\12.0\Common\Signatures
(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Signing\Suppress Office Signing Providers (Enable Western and East Asian | Suppress default Western | Suppress default East Asian | Suppress both Western and East Asian) (2) Software\Policies\Microsoft\Office\12.0\Common\Signatures
(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Signing\Suppress external signature services menu item (2) Software\Policies\Microsoft\Office\12.0\Common\Signatures
(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Office Diagnostics\Disable Check For Solutions (2) Software\Policies\Microsoft\Office\Common\OffDiag
(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Microsoft Save As PDF and XPS add-ins\Disable inclusion of document properties in PDF and XPS output (2) Software\Policies\Microsoft\Office\12.0\Common\FixedFormat
(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Document Information Panel\Disable Document Information Panel (2) Software\Policies\Microsoft\Office\12.0\Common\DocumentInformationPanel
(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Document Information Panel\Document Information Panel Beaconing UI (Never show UI | Always show UI | Show UI if XSN is in Internet Zone) (2) Software\Policies\Microsoft\Office\12.0\Common\DocumentInformationPanel
(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Server Settings\Disable the Office client from polling the Office server for published links (2) Software\Policies\Microsoft\Office\12.0\Common\Portal
(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Office 2007 Converters\Block opening of pre-release versions of file formats new to Word 2007 through the Compatibility Pack for the 2007 Office system and Word 2007 Open XML/Word 97-2003 Format Converter (2) Software\Policies\Microsoft\Office\12.0\Word\Security\FileOpenBlock
(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Office 2007 Converters\Block opening of pre-release versions of file formats new to Excel 2007 through the Compatibility Pack for the 2007 Office system and Excel 2007 Converter (2) Software\Policies\Microsoft\Office\12.0\Excel\Security\FileOpenBlock
(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Office 2007 Converters\Block opening of pre-release versions of file formats new to PowerPoint 2007 through the Compatibility Pack for the 2007 Office system and PowerPoint 2007 Converter (2) Software\Policies\Microsoft\Office\12.0\PowerPoint\Security\FileOpenBlock
(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Miscellaneous\Control Blogging (Enabled | Only SharePoint blogs allowed | All blogging disabled) (2) Software\Policies\Microsoft\Office\12.0\Common\Blog
(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Miscellaneous\Enable Smart Resume (2) Software\Policies\Microsoft\Office\12.0\Common\Restore Workspace
(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Miscellaneous\Do not upload media files (2) Software\Policies\Microsoft\Office\12.0\Common\Internet
(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Miscellaneous\Disable hyperlinks to web templates in File | New and task panes (2) Software\Policies\Microsoft\Office\12.0\Common\Internet
(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Miscellaneous\Prevent access to Web-based file storage (2) Software\Policies\Microsoft\Office\12.0\Common\WebServices
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Preferences\E-mail Options\Do not allow attachment previewing in Outlook (2) Software\Policies\Microsoft\Office\12.0\Outlook\Preferences
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Preferences\E-mail Options\Read e-mail as plain text (2) Software\Policies\Microsoft\Office\12.0\Outlook\Options\Mail
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Preferences\E-mail Options\Read signed e-mail as plain text (2) Software\Policies\Microsoft\Office\12.0\Outlook\Options\Mail
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Preferences\Calendar Options\Microsoft Office Online Sharing Service\Prevent publishing to Office Online (2) Software\Policies\Microsoft\Office\12.0\Outlook\Options\PubCal
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Preferences\Calendar Options\Microsoft Office Online Sharing Service\Prevent publishing to a DAV server (2) Software\Policies\Microsoft\Office\12.0\Outlook\Options\PubCal
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Preferences\Calendar Options\Microsoft Office Online Sharing Service\Restrict level of calendar details users can publish (All options are available | Disables 'Full details' | Disables 'Full details' and 'Limited details') (2) Software\Policies\Microsoft\Office\12.0\Outlook\Options\PubCal
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Preferences\Calendar Options\Microsoft Office Online Sharing Service\Access to published calendars (2) Software\Policies\Microsoft\Office\12.0\Outlook\Options\PubCal
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Preferences\Calendar Options\Microsoft Office Online Sharing Service\Restrict upload method (2) Software\Policies\Microsoft\Office\12.0\Outlook\Options\PubCal
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Preferences\Junk E-mail\Hide Junk Mail UI (2) Software\Policies\Microsoft\Office\12.0\Outlook
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Preferences\Junk E-mail\Junk E-mail protection level (No Protection, Low, High, Trusted Lists Only) (2) Software\Policies\Microsoft\Office\12.0\Outlook\Options\Mail
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Preferences\Junk E-mail\Trust E-mail from Contacts (2) Software\Policies\Microsoft\Office\12.0\Outlook\Options\Mail
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Preferences\Junk E-mail\Add e-mail recipients to users' Safe Senders Lists (2) Software\Policies\Microsoft\Office\12.0\Outlook\Options\Mail
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Mail Setup\Dial-up options (2) Software\Policies\Microsoft\Office\12.0\Outlook\Options\Mail
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Mail Setup\Dial-up options - Warn before switching dial-up connection (2) Software\Policies\Microsoft\Office\12.0\Outlook\Options\Mail
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Mail Setup\Dial-up options - Hang up when finished sending, receiving, or updating (2) Software\Policies\Microsoft\Office\12.0\Outlook\Options\Mail
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Mail Setup\Dial-up options - Automatically dial during a background Send/Receive (2) Software\Policies\Microsoft\Office\12.0\Outlook\Options\Mail
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Mail Format\Do not allow creating, replying, or forwarding signatures for e-mail messages (2) Software\Policies\Microsoft\Office\12.0\Common\MailSettings
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Mail Format\Internet Formatting\Send copy of pictures with HTML messages instead of reference to Internet location (2) Software\Policies\Microsoft\Office\12.0\Outlook\Options\Mail
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Mail Format\Internet Formatting\Outlook Rich Text options (Convert to HTML | Convert to Plain Text format | Send Using Outlook Rich Text format) (2) Software\Policies\Microsoft\Office\12.0\Outlook\Options\Mail
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Mail Format\Internet Formatting\Plain text options (2) Software\Policies\Microsoft\Office\12.0\Outlook\Options\Mail
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Mail Format\Internet Formatting\Plain text options - Encode attachments in UUENCODE format when sending a plain text message (2) Software\Policies\Microsoft\Office\12.0\Outlook\Options\Mail
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Mail Format\Internet Formatting\Message Format\Set message format (HTML | Rich Text | Plain Text) (2) Software\Policies\Microsoft\Office\12.0\Outlook\Options\Mail
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Other\Make Outlook the default program for E-mail, Contacts, and Calendar (2) software\policies\microsoft\office\12.0\outlook\options\general
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Other\Advanced\Do not allow folders in non-default stores to be set as folder home pages (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Other\Advanced\Use Unicode format when dragging e-mail message to file system (2) Software\Policies\Microsoft\Office\12.0\Outlook\Options\General
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Other\Advanced\Do not allow Outlook object model scripts to run for shared folders (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Other\Advanced\Do not allow Outlook object model scripts to run for public folders (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Other\Person Names\Set maximum level of online status on a person name (Do not allow | Allow everywhere except To and CC field | Allow everywhere) (2) Software\Policies\Microsoft\Office\12.0\Outlook\IM
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Other\Person Names\Display online status on a person name (Never | Everywhere except To and CC field | Everywhere) (2) Software\Policies\Microsoft\Office\12.0\Outlook\IM
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Other\Person Names\Turn off Enable the Person Names Smart Tag option (2) Software\Policies\Microsoft\Office\12.0\Outlook\IM
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Security Form Settings\Outlook Security Mode (Outlook Default Security | Use Security Form from 'Outlook Security Settings' Public Folder | Use Security Form from 'Outlook 10 Security Settings' Public Folder | Use Outlook Security Group Policy) (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Security Form Settings\Attachment Security\Display Level 1 attachments (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Security Form Settings\Attachment Security\Allow users to demote attachments to Level 2 (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Security Form Settings\Attachment Security\Do not prompt about Level 1 attachments when sending an item (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Security Form Settings\Attachment Security\Do not prompt about Level 1 attachments when closing an item (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Security Form Settings\Attachment Security\Allow in-place activation of embedded OLE objects (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Security Form Settings\Attachment Security\Display OLE package objects (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Security Form Settings\Attachment Security\Add file extensions to block as Level 1 (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Security Form Settings\Attachment Security\Remove file extensions blocked as Level 1 (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Security Form Settings\Attachment Security\Add file extensions to block as Level 2 (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Security Form Settings\Attachment Security\Remove file extensions blocked as Level 2 (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Security Form Settings\Custom Form Security\Allow scripts in one-off Outlook forms (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Security Form Settings\Custom Form Security\Set Outlook object model Custom Actions execution prompt (Prompt User | Automatically Approve | Automatically Deny | Prompt user based on computer security) (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Security Form Settings\Custom Form Security\Set control ItemProperty prompt (Prompt User | Automatically Approve | Automatically Deny | Prompt user based on computer security) (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Security Form Settings\Programmatic Security\Configure Outlook object model prompt when sending mail (Prompt User | Automatically Approve | Automatically Deny | Prompt user based on computer security) (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Security Form Settings\Programmatic Security\Configure Outlook object model prompt when accessing an address book (Prompt User | Automatically Approve | Automatically Deny | Prompt user based on computer security) (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Security Form Settings\Programmatic Security\Configure Outlook object model prompt when reading address information (Prompt User | Automatically Approve | Automatically Deny | Prompt user based on computer security) (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Security Form Settings\Programmatic Security\Configure Outlook object model prompt when responding to meeting and task requests (Prompt User | Automatically Approve | Automatically Deny | Prompt user based on computer security) (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Security Form Settings\Programmatic Security\Configure Outlook object model prompt when executing Save As (Prompt User | Automatically Approve | Automatically Deny | Prompt user based on computer security) (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Security Form Settings\Programmatic Security\Configure Outlook object model prompt When accessing the Formula property of a UserProperty object (Prompt User | Automatically Approve | Automatically Deny | Prompt user based on computer security) (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Security Form Settings\Programmatic Security\Configure Outlook object model prompt when accessing address information via UserProperties.Find (Prompt User | Automatically Approve | Automatically Deny | Prompt user based on computer security) (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\Required Certificate Authority (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\S/MIME interoperability with external clients: (Handle internally | Handle externally | Handle if possible) (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\Always use Rich Text formatting in S/MIME messages (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\S/MIME password settings (2) Software\Policies\Microsoft\Cryptography\Defaults\Provider\Microsoft Exchange Cryptographic Provider v1.0
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\S/MIME password settings - Default S/MIME password time (minutes): (0 - 2147483647) (2) Software\Policies\Microsoft\Cryptography\Defaults\Provider\Microsoft Exchange Cryptographic Provider v1.0
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\S/MIME password settings - Maximum S/MIME password time (minutes): (0 - 2147483647) (2) Software\Policies\Microsoft\Cryptography\Defaults\Provider\Microsoft Exchange Cryptographic Provider v1.0
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\Message Formats (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\Message Formats - Support the following message formats: (S/MIME | Exchange | Fortezza | S/MIME and Exchange | S/MIME and Fortezza | Exchange and Fortezza | S/MIME, Exchange, and Fortezza) (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security
2007: (1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\Do not provide Continue option on Encryption warning dialog boxes (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security 2003: (1) User Configuration\Administrative Templates\Microsoft Office Outlook 2003\Tools\Options\Security\Cryptography\Disable Continue button on all Encryption warning dialogs (2) HKCU\Software\Policies\Microsoft\office\11.0\outlook\Security - DisableContinue
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\Run in FIPS compliant mode (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security
2007: (1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\Encrypt all e-mail messages (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security 2003: (1) User Configuration\Administrative Templates\Microsoft Office Outlook 2003\Tools\Options\Security\Cryptography\Encrypt all e-mail messages (2) HKCU\Software\Policies\Microsoft\Office\11.0\Outlook\Security - AlwaysEncrypt
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\Sign all e-mail messages (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\URL for S/MIME certificates (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\Ensure all S/MIME signed messages have a label (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\S/MIME receipt requests (Open message if receipt can't be sent | Don't open message if receipt can't be sent | Always prompt before sending receipt | Never send S/MIME ) (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\Fortezza certificate policies (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\Require SuiteB algorithms for S/MIME operations (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\Signature Status dialog box\Missing CRLs (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\Signature Status dialog box\Missing CRLs - Indicate a missing CRL as a(n): (warning | error) (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\Signature Status dialog box\Missing root certificates (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\Signature Status dialog box\Missing root certificates - Indicate a missing root certificate as a(n): (neither error nor warning | warning | error) (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\Signature Status dialog box\Promote Level 2 errors as errors, not warnings (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\Signature Status dialog box\Attachment Secure Temporary Folder (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Automatic Picture Download Settings\Display pictures and external content in HTML e-mail (2) Software\Policies\Microsoft\Office\12.0\Outlook\Options\Mail
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Automatic Picture Download Settings\Automatically download content for e-mail from people in Safe Senders and Safe Recipients Lists (2) Software\Policies\Microsoft\Office\12.0\Outlook\Options\Mail
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Automatic Picture Download Settings\Do not permit download of content from safe zones (2) Software\Policies\Microsoft\Office\12.0\Outlook\Options\Mail
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Automatic Picture Download Settings\Block Trusted Zones (2) Software\Policies\Microsoft\Office\12.0\Outlook\Options\Mail
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Automatic Picture Download Settings\Include Internet in Safe Zones for Automatic Picture Download (2) Software\Policies\Microsoft\Office\12.0\Outlook\Options\Mail
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Automatic Picture Download Settings\Include Intranet in Safe Zones for Automatic Picture Download (2) Software\Policies\Microsoft\Office\12.0\Outlook\Options\Mail
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Trust Center\Security setting for macros (Always warn | Never warn, disable all | Warn for signed, disable unsigned | No security check) (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Trust Center\Enable links in e-mail messages (2) Software\Policies\Microsoft\Office\12.0\Outlook\Options\Mail
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Trust Center\Apply macro security settings to macros, add-ins, and SmartTags (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Account Settings\Exchange\Automatically configure profile based on Active Directory Primary SMTP address (2) Software\Policies\Microsoft\Office\12.0\Outlook\AutoDiscover
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Account Settings\Exchange\Do not allow users to change permissions on folders (2) Software\Policies\Microsoft\Office\12.0\Outlook\Options\Folders
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Account Settings\Exchange\Enable RPC encryption (2) Software\Policies\Microsoft\Office\12.0\Outlook\RPC
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Account Settings\Exchange\Authentication with Exchange Server (Kerberos/NTLM Password Authentication | Kerberos Password Authentication | NTLM Password Authentication) (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Account Settings\RSS Feeds\Synchronize Outlook RSS Feeds with Common Feed List (2) Software\Policies\Microsoft\Office\12.0\Outlook\Options\RSS
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Account Settings\RSS Feeds\Turn off RSS feature (2) Software\Policies\Microsoft\Office\12.0\Outlook\Options\RSS
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Account Settings\RSS Feeds\Automatically download enclosures (2) Software\Policies\Microsoft\Office\12.0\Outlook\Options\RSS
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Account Settings\RSS Feeds\Download full text of articles as HTML attachments (2) Software\Policies\Microsoft\Office\12.0\Outlook\Options\RSS
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Account Settings\Internet Calendars\Automatically download attachments (2) Software\Policies\Microsoft\Office\12.0\Outlook\Options\WebCal
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Account Settings\Internet Calendars\Do not include Internet Calendar integration in Outlook (2) Software\Policies\Microsoft\Office\12.0\Outlook\Options\WebCal
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Meeting Workspace\Disable user entries to server list (Publish default, allow others | Publish default, disallow others) (2) Software\Policies\Microsoft\Office\12.0\Meetings\Profile
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Miscellaneous\Do not expand distribution lists (2) Software\Policies\Microsoft\Office\12.0\Outlook\Options\Mail
(1) User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\PowerPoint Options\Save\Save files in this format (PowerPoint Presentation (*.pptx) | PowerPoint Macro-Enabled Presentation (*.pptm) | PowerPoint 97-2003 Presentation (*.ppt)) (2) Software\Policies\Microsoft\Office\12.0\PowerPoint\Options
(1) User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\PowerPoint Options\Advanced\Number of documents in the Recent Documents list (0 - 50) (2) Software\Policies\Microsoft\Office\12.0\PowerPoint\File MRU
(1) User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\PowerPoint Options\Security\Determine whether to force encrypted macros to be scanned in Microsoft PowerPoint Open XML presentations (2) Software\Policies\Microsoft\Office\12.0\PowerPoint\Security
(1) User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\PowerPoint Options\Security\Run Programs (disable (don't run any programs) | enable (prompt user before running) | enable all (run without prompting)) (2) Software\Policies\Microsoft\Office\12.0\PowerPoint\Security
(1) User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\PowerPoint Options\Security\Make hidden markup visible (2) Software\Policies\Microsoft\Office\12.0\PowerPoint\Security
(1) User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\PowerPoint Options\Security\Unblock automatic download of linked images (2) Software\Policies\Microsoft\Office\12.0\PowerPoint\Security
(1) User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\PowerPoint Options\Security\Trust Center\Disable all application add-ins (2) Software\Policies\Microsoft\Office\12.0\PowerPoint\Security
(1) User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\PowerPoint Options\Security\Trust Center\Require that application add-ins are signed by Trusted Publisher (2) Software\Policies\Microsoft\Office\12.0\PowerPoint\Security
(1) User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\PowerPoint Options\Security\Trust Center\Disable Trust Bar Notification for unsigned application add-ins (2) Software\Policies\Microsoft\Office\12.0\PowerPoint\Security
(1) User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\PowerPoint Options\Security\Trust Center\Trusted Locations\Allow Trusted Locations not on the computer (2) Software\Policies\Microsoft\Office\12.0\PowerPoint\Security\Trusted Locations
(1) User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\PowerPoint Options\Security\Trust Center\Trusted Locations\Disable all trusted locations (2) Software\Policies\Microsoft\Office\12.0\PowerPoint\Security\Trusted Locations
(1) User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Disable items in user interface\Predefined\Disable commands (2) Software\Policies\Microsoft\Office\12.0\PowerPoint\DisabledCmdBarItemsCheckBoxes
(1) User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Disable items in user interface\Predefined\Disable commands - Office Button | PowerPoint Options | Customize | All Commands | Web Page Preview (2) Software\Policies\Microsoft\Office\12.0\PowerPoint\DisabledCmdBarItemsCheckBoxes
(1) User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Disable items in user interface\Predefined\Disable commands - Office Button | Send | Email (2) Software\Policies\Microsoft\Office\12.0\PowerPoint\DisabledCmdBarItemsCheckBoxes
(1) User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Disable items in user interface\Predefined\Disable commands - Insert | Links | Hyperlink (2) Software\Policies\Microsoft\Office\12.0\PowerPoint\DisabledCmdBarItemsCheckBoxes
(1) User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Disable items in user interface\Predefined\Disable commands - Review | Proofing | Language (2) Software\Policies\Microsoft\Office\12.0\PowerPoint\DisabledCmdBarItemsCheckBoxes
(1) User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Disable items in user interface\Predefined\Disable commands - View | Macros | Macros (2) Software\Policies\Microsoft\Office\12.0\PowerPoint\DisabledCmdBarItemsCheckBoxes
(1) User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Disable items in user interface\Predefined\Disable commands - Developer | Code | Macros (2) Software\Policies\Microsoft\Office\12.0\PowerPoint\DisabledCmdBarItemsCheckBoxes
(1) User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Disable items in user interface\Predefined\Disable commands - Developer | Code | Macro Security (2) Software\Policies\Microsoft\Office\12.0\PowerPoint\DisabledCmdBarItemsCheckBoxes
(1) User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Disable items in user interface\Predefined\Disable commands - Developer | Code | Visual Basic (2) Software\Policies\Microsoft\Office\12.0\PowerPoint\DisabledCmdBarItemsCheckBoxes
(1) User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Disable items in user interface\Predefined\Disable commands - Office Button | PowerPoint Options | Customize | All Commands | Document Location (2) Software\Policies\Microsoft\Office\12.0\PowerPoint\DisabledCmdBarItemsCheckBoxes
(1) User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Disable items in user interface\Predefined\Disable commands - Disable shortcut keys (2) Software\Policies\Microsoft\Office\12.0\PowerPoint\DisabledShortcutKeysCheckBoxes
(1) User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Disable items in user interface\Predefined\Disable commands - Ctrl+K (Insert | Links | Hyperlink) (2) Software\Policies\Microsoft\Office\12.0\PowerPoint\DisabledShortcutKeysCheckBoxes
(1) User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Disable items in user interface\Predefined\Disable commands - Alt+F8 (Developer | Code | Macros) (2) Software\Policies\Microsoft\Office\12.0\PowerPoint\DisabledShortcutKeysCheckBoxes
(1) User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Disable items in user interface\Predefined\Disable commands - Alt+F11 (Developer | Code | Visual Basic) (2) Software\Policies\Microsoft\Office\12.0\PowerPoint\DisabledShortcutKeysCheckBoxes
(1) User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Block file formats\Open\Block opening of pre-release versions of file formats new to PowerPoint 2007 (2) Software\Policies\Microsoft\Office\12.0\PowerPoint\Security\FileOpenBlock
(1) User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Block file formats\Open\Block opening of Open Xml files types (2) Software\Policies\Microsoft\Office\12.0\PowerPoint\Security\FileOpenBlock
(1) User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Block file formats\Open\Block opening of Binary file types (2) Software\Policies\Microsoft\Office\12.0\PowerPoint\Security\FileOpenBlock
(1) User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Block file formats\Open\Block opening of Html file types (2) Software\Policies\Microsoft\Office\12.0\PowerPoint\Security\FileOpenBlock
(1) User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Block file formats\Open\Block opening of Outlines (2) Software\Policies\Microsoft\Office\12.0\PowerPoint\Security\FileOpenBlock
(1) User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Block file formats\Open\Block opening of Converters (2) Software\Policies\Microsoft\Office\12.0\PowerPoint\Security\FileOpenBlock
(1) User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Block file formats\Save\Block saving of Open Xml file types (2) Software\Policies\Microsoft\Office\12.0\PowerPoint\Security\FileSaveBlock
(1) User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Block file formats\Save\Block saving of Binary file types (2) Software\Policies\Microsoft\Office\12.0\PowerPoint\Security\FileSaveBlock
(1) User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Block file formats\Save\Block saving of Html file types (2) Software\Policies\Microsoft\Office\12.0\PowerPoint\Security\FileSaveBlock
(1) User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Block file formats\Save\Block saving of Outlines (2) Software\Policies\Microsoft\Office\12.0\PowerPoint\Security\FileSaveBlock
(1) User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Block file formats\Save\Block saving of GraphicFilters (2) Software\Policies\Microsoft\Office\12.0\PowerPoint\Security\FileSaveBlock
(1) User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Block file formats\Miscellaneous\Disable Slide Update (2) Software\Policies\Microsoft\Office\12.0\PowerPoint\slide libraries
(1) User Configuration\Administrative Templates\Microsoft Office Word 2007\Word Options\Display\Hidden text (2) Software\Policies\Microsoft\Office\12.0\Word\Options\vpref
(1) User Configuration\Administrative Templates\Microsoft Office Word 2007\Word Options\Save\Save files in this format (Word document (*.docx) | Single Files Web Page (*.mht) | Web Page (*.htm; *.html) | Web Page, Filtered (*.htm, *.html) | Rich Text Format (*.rtf) | Plain Text (*.txt) | Word 6.0/95 (*.doc) | Word 6.0/95 - Chinese (Simplified) (*.doc) | Word 6.0/95 - Chinese (Traditional) (*.doc) | Word 6.0/95 - Japanese (*.doc) | Word 6.0/95 - Korean (*.doc) | Word 97-2002 & 6.0/95 - RTF | Word 5.1 for Macintosh (*.mcw) | Word 5.0 for Macintosh (*.mcw) | Word 2.x for Windows (*.doc) | Works 4.0 for Windows (*.wps) | WordPerfect 5.x for Windows (*.doc) | WordPerfect 5.1 for DOS (*.doc) | Word 2007 Macro Enabled Document (*.docm) | Word 2007 Macro Free Template (*.dotx) | Word 2007 Macro Enabled Template (*.dotm) | Word 97 - 2003 Document (*.doc) | Word 97 - 2003 Template (*.dot) | Flat XML Document (*.xml)) (2) Software\Policies\Microsoft\Office\12.0\Word\Options
(1) User Configuration\Administrative Templates\Microsoft Office Word 2007\Word Options\Advanced\Number of documents in the Recent Documents list (0-50) (2) Software\Policies\Microsoft\Office\12.0\Word\File MRU
(1) User Configuration\Administrative Templates\Microsoft Office Word 2007\Word Options\Advanced\Update automatic links at Open (2) Software\Policies\Microsoft\Office\12.0\Word\Options
(1) User Configuration\Administrative Templates\Microsoft Office Word 2007\Word Options\Advanced\E-mail Options\Save smart tags in e-mail (2) Software\Policies\Microsoft\Office\12.0\Word\Options\vpref
(1) User Configuration\Administrative Templates\Microsoft Office Word 2007\Word Options\Security\Trust Center\Determine whether to force encrypted macros to be scanned in Microsoft Word Open XML documents (2) Software\Policies\Microsoft\Office\12.0\Word\Security
(1) User Configuration\Administrative Templates\Microsoft Office Word 2007\Word Options\Security\Trust Center\Disable all application add-ins (2) Software\Policies\Microsoft\Office\12.0\Word\Security
(1) User Configuration\Administrative Templates\Microsoft Office Word 2007\Word Options\Security\Trust Center\Require that application add-ins are signed by Trusted Publisher (2) Software\Policies\Microsoft\Office\12.0\Word\Security
(1) User Configuration\Administrative Templates\Microsoft Office Word 2007\Word Options\Security\Trust Center\Disable Trust Bar Notification for unsigned application add-ins (2) Software\Policies\Microsoft\Office\12.0\Word\Security
(1) User Configuration\Administrative Templates\Microsoft Office Word 2007\Word Options\Security\Trust Center\Trusted Locations\Allow Trusted Locations not on the computer (2) Software\Policies\Microsoft\Office\12.0\Word\Security\Trusted Locations
(1) User Configuration\Administrative Templates\Microsoft Office Word 2007\Word Options\Security\Trust Center\Trusted Locations\Disable all trusted locations (2) Software\Policies\Microsoft\Office\12.0\Word\Security\Trusted Locations
(1) User Configuration\Administrative Templates\Microsoft Office Word 2007\Disable items in user interface\Predefined\Disable commands (2) Software\Policies\Microsoft\Office\12.0\Word\DisabledCmdBarItemsCheckBoxes
(1) User Configuration\Administrative Templates\Microsoft Office Word 2007\Disable items in user interface\Predefined\Disable commands - Office Button | Word Options | Customize | All Commands | Save As Web Page (2) Software\Policies\Microsoft\Office\12.0\Word\DisabledCmdBarItemsCheckBoxes
(1) User Configuration\Administrative Templates\Microsoft Office Word 2007\Disable items in user interface\Predefined\Disable commands - Office Button | Word Options | Customize | All Commands | Web Page Preview (2) Software\Policies\Microsoft\Office\12.0\Word\DisabledCmdBarItemsCheckBoxes
(1) User Configuration\Administrative Templates\Microsoft Office Word 2007\Disable items in user interface\Predefined\Disable commands - Office Button | Send | Email (2) Software\Policies\Microsoft\Office\12.0\Word\DisabledCmdBarItemsCheckBoxes
(1) User Configuration\Administrative Templates\Microsoft Office Word 2007\Disable items in user interface\Predefined\Disable commands - Insert | Links | Hyperlink (2) Software\Policies\Microsoft\Office\12.0\Word\DisabledCmdBarItemsCheckBoxes
(1) User Configuration\Administrative Templates\Microsoft Office Word 2007\Disable items in user interface\Predefined\Disable commands - Review | Protect | Protect Document (2) Software\Policies\Microsoft\Office\12.0\Word\DisabledCmdBarItemsCheckBoxes
(1) User Configuration\Administrative Templates\Microsoft Office Word 2007\Disable items in user interface\Predefined\Disable commands - View | Macros | Macros (2) Software\Policies\Microsoft\Office\12.0\Word\DisabledCmdBarItemsCheckBoxes
(1) User Configuration\Administrative Templates\Microsoft Office Word 2007\Disable items in user interface\Predefined\Disable commands - Developer | Code | Macros (2) Software\Policies\Microsoft\Office\12.0\Word\DisabledCmdBarItemsCheckBoxes
(1) User Configuration\Administrative Templates\Microsoft Office Word 2007\Disable items in user interface\Predefined\Disable commands - Developer | Code | Record Macro (2) Software\Policies\Microsoft\Office\12.0\Word\DisabledCmdBarItemsCheckBoxes
(1) User Configuration\Administrative Templates\Microsoft Office Word 2007\Disable items in user interface\Predefined\Disable commands - Developer | Code | Macro Security (2) Software\Policies\Microsoft\Office\12.0\Word\DisabledCmdBarItemsCheckBoxes
(1) User Configuration\Administrative Templates\Microsoft Office Word 2007\Disable items in user interface\Predefined\Disable commands - Developer | Code | Visual Basic (2) Software\Policies\Microsoft\Office\12.0\Word\DisabledCmdBarItemsCheckBoxes
(1) User Configuration\Administrative Templates\Microsoft Office Word 2007\Disable items in user interface\Predefined\Disable commands - Developer | Templates | Document Template (2) Software\Policies\Microsoft\Office\12.0\Word\DisabledCmdBarItemsCheckBoxes
(1) User Configuration\Administrative Templates\Microsoft Office Word 2007\Disable items in user interface\Predefined\Disable shortcut keys (2) Software\Policies\Microsoft\Office\12.0\Word\DisabledShortcutKeysCheckBoxes
(1) User Configuration\Administrative Templates\Microsoft Office Word 2007\Disable items in user interface\Predefined\Disable shortcut keys - Ctrl+F (Home | Editing | Find) (2) Software\Policies\Microsoft\Office\12.0\Word\DisabledShortcutKeysCheckBoxes
(1) User Configuration\Administrative Templates\Microsoft Office Word 2007\Disable items in user interface\Predefined\Disable shortcut keys - Ctrl+K (Insert | Links | Hyperlink) (2) Software\Policies\Microsoft\Office\12.0\Word\DisabledShortcutKeysCheckBoxes
(1) User Configuration\Administrative Templates\Microsoft Office Word 2007\Disable items in user interface\Predefined\Disable shortcut keys - Alt+F8 (Developer | Code | Macros) (2) Software\Policies\Microsoft\Office\12.0\Word\DisabledShortcutKeysCheckBoxes
(1) User Configuration\Administrative Templates\Microsoft Office Word 2007\Disable items in user interface\Predefined\Disable shortcut keys - Alt+F11 (Developer | Code | Visual Basic) (2) Software\Policies\Microsoft\Office\12.0\Word\DisabledShortcutKeysCheckBoxes
(1) User Configuration\Administrative Templates\Microsoft Office Word 2007\Block file formats\Open\Block opening of pre-release versions of file formats new to Word 2007 (2) Software\Policies\Microsoft\Office\12.0\Word\Security\FileOpenBlock
(1) User Configuration\Administrative Templates\Microsoft Office Word 2007\Block file formats\Open\Block opening of Open XML file types (2) Software\Policies\Microsoft\Office\12.0\Word\Security\FileOpenBlock
(1) User Configuration\Administrative Templates\Microsoft Office Word 2007\Block file formats\Open\Block opening of Binary file types (2) Software\Policies\Microsoft\Office\12.0\Word\Security\FileOpenBlock
(1) User Configuration\Administrative Templates\Microsoft Office Word 2007\Block file formats\Open\Block opening of HTML file types (2) Software\Policies\Microsoft\Office\12.0\Word\Security\FileOpenBlock
(1) User Configuration\Administrative Templates\Microsoft Office Word 2007\Block file formats\Open\Block opening of Word 2003 XML file types (2) Software\Policies\Microsoft\Office\12.0\Word\Security\FileOpenBlock
(1) User Configuration\Administrative Templates\Microsoft Office Word 2007\Block file formats\Open\Block opening of RTF file types (2) Software\Policies\Microsoft\Office\12.0\Word\Security\FileOpenBlock
(1) User Configuration\Administrative Templates\Microsoft Office Word 2007\Block file formats\Open\Block open Converters (2) Software\Policies\Microsoft\Office\12.0\Word\Security\FileOpenBlock
(1) User Configuration\Administrative Templates\Microsoft Office Word 2007\Block file formats\Open\Block opening of Text file types (2) Software\Policies\Microsoft\Office\12.0\Word\Security\FileOpenBlock
(1) User Configuration\Administrative Templates\Microsoft Office Word 2007\Block file formats\Open\Block opening of Internal file types (2) Software\Policies\Microsoft\Office\12.0\Word\Security\FileOpenBlock
(1) User Configuration\Administrative Templates\Microsoft Office Word 2007\Block file formats\Open\Block opening of files before version (2) Software\Policies\Microsoft\Office\12.0\Word\Security\FileOpenBlock
(1) User Configuration\Administrative Templates\Microsoft Office Word 2007\Block file formats\Save\Block saving of Open XML file types (2) Software\Policies\Microsoft\Office\12.0\Word\Security\FileSaveBlock
(1) User Configuration\Administrative Templates\Microsoft Office Word 2007\Block file formats\Save\Block saving of Binary file types (2) Software\Policies\Microsoft\Office\12.0\Word\Security\FileSaveBlock
(1) User Configuration\Administrative Templates\Microsoft Office Word 2007\Block file formats\Save\Block saving of HTML file types (2) Software\Policies\Microsoft\Office\12.0\Word\Security\FileSaveBlock
(1) User Configuration\Administrative Templates\Microsoft Office Word 2007\Block file formats\Save\Block saving of Word 2003 XML file types (2) Software\Policies\Microsoft\Office\12.0\Word\Security\FileSaveBlock
(1) User Configuration\Administrative Templates\Microsoft Office Word 2007\Block file formats\Save\Block saving of RTF file types (2) Software\Policies\Microsoft\Office\12.0\Word\Security\FileSaveBlock
(1) User Configuration\Administrative Templates\Microsoft Office Word 2007\Block file formats\Save\Block saving of Converters (2) Software\Policies\Microsoft\Office\12.0\Word\Security\FileSaveBlock
(1) User Configuration\Administrative Templates\Microsoft Office Word 2007\Block file formats\Save\Block saving of Text file types (2) Software\Policies\Microsoft\Office\12.0\Word\Security\FileSaveBlock
(1) Computer Configuration\Administrative Templates\Microsoft Office InfoPath 2007 (Machine)\Security\InfoPath APTCA Assembly Whitelist (2) Software\Policies\Microsoft\Office\12.0\InfoPath\Security\APTCA
(1) Computer Configuration\Administrative Templates\Microsoft Office InfoPath 2007 (Machine)\Security\Windows Internet Explorer Feature Control Opt-In (None | InfoPath.exe, Document Information Panel and Workflow forms | InfoPath.exe, Document Information Panel, Workflow forms and 3rd Party Hosting) (2) Software\Policies\Microsoft\Office\12.0\InfoPath\Security
(1) Computer Configuration\Administrative Templates\Microsoft Office InfoPath 2007 (Machine)\Security\InfoPath APTCA Assembly Whitelist Enforcement (2) Software\Policies\Microsoft\Office\12.0\InfoPath\Security
(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\Disable Package Repair (2) Software\Policies\Microsoft\Office\12.0\Common\OpenXMLFormat
(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Disable user name and password (2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE
(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Disable user name and password - excel.exe (2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE
(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Disable user name and password - powerpnt.exe (2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE
(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Disable user name and password - pptview.exe (2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE
(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Disable user name and password - winword.exe (2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE
(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Disable user name and password - outlook.exe (2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE
(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Disable user name and password - spDesign.exe (2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE
(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Disable user name and password - msaccess.exe (2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE
(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Bind to object (2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SAFE_BINDTOOBJECT
(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Bind to object - excel.exe (2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SAFE_BINDTOOBJECT
(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Bind to object - powerpnt.exe (2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SAFE_BINDTOOBJECT
(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Bind to object - pptview.exe (2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SAFE_BINDTOOBJECT
(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Bind to object - winword.exe (2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SAFE_BINDTOOBJECT
(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Bind to object - outlook.exe (2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SAFE_BINDTOOBJECT
(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Bind to object - spDesign.exe (2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SAFE_BINDTOOBJECT
(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Bind to object - msaccess.exe (2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SAFE_BINDTOOBJECT
(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Saved from URL (2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_UNC_SAVEDFILECHECK
(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Saved from URL - excel.exe (2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_UNC_SAVEDFILECHECK
(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Saved from URL - powerpnt.exe (2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_UNC_SAVEDFILECHECK
(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Saved from URL - pptview.exe (2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_UNC_SAVEDFILECHECK
(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Saved from URL - winword.exe (2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_UNC_SAVEDFILECHECK
(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Saved from URL - outlook.exe (2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_UNC_SAVEDFILECHECK
(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Saved from URL - spDesign.exe (2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_UNC_SAVEDFILECHECK
(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Saved from URL - msaccess.exe (2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_UNC_SAVEDFILECHECK
(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Navigate URL (2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_VALIDATE_NAVIGATE_URL
(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Navigate URL - excel.exe (2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_VALIDATE_NAVIGATE_URL
(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Navigate URL - powerpnt.exe (2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_VALIDATE_NAVIGATE_URL
(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Navigate URL - pptview.exe (2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_VALIDATE_NAVIGATE_URL
(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Navigate URL - winword.exe (2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_VALIDATE_NAVIGATE_URL
(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Navigate URL - outlook.exe (2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_VALIDATE_NAVIGATE_URL
(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Navigate URL - spDesign.exe (2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_VALIDATE_NAVIGATE_URL
(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Navigate URL - msaccess.exe (2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_VALIDATE_NAVIGATE_URL
(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Block popups (2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_POPUPMANAGEMENT
(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Block popups - excel.exe (2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_POPUPMANAGEMENT
(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Block popups - powerpnt.exe (2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_POPUPMANAGEMENT
(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Block popups - pptview.exe (2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_POPUPMANAGEMENT
(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Block popups - winword.exe (2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_POPUPMANAGEMENT
(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Block popups - outlook.exe (2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_POPUPMANAGEMENT
(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Block popups - spDesign.exe (2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_POPUPMANAGEMENT
(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Block popups - msaccess.exe (2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_POPUPMANAGEMENT
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Prevent users from customizing attachment security settings (2) HKCU\Software\Policies\Microsoft\Office\12.0\Outlook - DisallowAttachmentCustomization
(1) Computer Configuration\Administrative Templates\Microsoft Office 2003\Security Settings\Access: Macro Security Level (2) HKLM\Software\Policies\Microsoft\Office\11.0\Access\Security - Level (3) User Configuration\Administrative Templates\Microsoft Office Access 2003\Tools\Macros\Security\Security level (4) HKCU\Software\Policies\Microsoft\Office\11.0\Access\Security - Level
(1) Computer Configuration\Administrative Templates\Microsoft Office 2003\Security Settings\Access: Trust all installed add-ins and templates (2) HKLM\Software\Policies\Microsoft\Office\11.0\Access\Security - DontTrustInstalledFiles (3) User Configuration\Administrative Templates\Microsoft Office Access 2003\Tools\Macros\Security\Trust all installed add-ins and templates (4) HKCU\Software\Policies\Microsoft\Office\11.0\Access\Security - DontTrustInstalledFiles
(1) Computer Configuration\Administrative Templates\Microsoft Office 2003\Security Settings\Excel: Macro Security Level (2) HKLM\Software\Policies\Microsoft\Office\11.0\Excel\Security - Level (3) User Configuration\Administrative Templates\Microsoft Office Excel 2003\Tools\Macros\Security\Security level (4) HKCU\Software\Policies\Microsoft\Office\11.0\Excel\Security - Level
(1) Computer Configuration\Administrative Templates\Microsoft Office 2003\Security Settings\Excel: Trust all installed add-ins and templates (2) HKLM\Software\Policies\Microsoft\Office\11.0\Excel\Security - DontTrustInstalledFiles (3) User Configuration\Administrative Templates\Microsoft Office Excel 2003\Tools\Macros\Security\Trust all installed add-ins and templates (4) HKCU\Software\Policies\Microsoft\Office\11.0\Excel\Security - DontTrustInstalledFiles
(1) Computer Configuration\Administrative Templates\Microsoft Office 2003\Security Settings\Outlook: Macro Security Level (2) HKLM\Software\Policies\Microsoft\Office\11.0\Outlook\Security - Level (3) User Configuration\Administrative Templates\Microsoft Office Outlook 2003\Tools\Macros\Security\Security Level (4) HKCU\Software\Policies\Microsoft\Office\11.0\Outlook - Security\Level
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2003\Tools\Macros\Security\Outlook: Trust all installed add-ins and templates (2) HKCU\Software\Policies\Microsoft\Office\11.0\Outlook\Security - DontTrustInstalledFiles
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2003\Tools\Options\Security\Outlook virus security settings (2) HKCU\Software\Policies\Microsoft\Security - CheckAdminSettings
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2003\Tools\Options\Security\Cryptography\S/MIME receipt requests (2) HKCU\Software\Policies\Microsoft\Office\11.0\Outlook\Security - RespondToReceiptRequests
(1) Computer Configuration\Administrative Templates\Microsoft Office 2003\Security Settings\PowerPoint: Macro Security Level (2) HKLM\Software\Policies\Microsoft\Office\11.0\PowerPoint\Security - Level (3) User Configuration\Administrative Templates\Microsoft Office PowerPoint 2003\Tools\Macro\Security\Security Level (4) HKCU\Software\Policies\Microsoft\Office\11.0\PowerPoint - Security\Level
(1) Computer Configuration\Administrative Templates\Microsoft Office 2003\Security Settings\PowerPoint: Trust all installed add-ins and templates (2) HKLM\Software\Policies\Microsoft\Office\11.0\PowerPoint\Security - DontTrustInstalledFiles (3) User Configuration\Administrative Templates\Microsoft Office PowerPoint 2003\Tools\Macro\Security\Trust all installed add-ins and templates (4) HKCU\Software\Policies\Microsoft\Office\11.0\PowerPoint\Security - DontTrustInstalledFiles
(1) Computer Configuration\Administrative Templates\Microsoft Office 2003\Security Settings\Publisher: Macro Security Level (2) HKLM\Software\Policies\Microsoft\Office\11.0\Publisher\Security - Level
(1) Computer Configuration\Administrative Templates\Microsoft Office 2003\Security Settings\Publisher: Trust all installed add-ins and templates (2) HKLM\Software\Policies\Microsoft\Office\11.0\Publisher\Security - DontTrustInstalledFiles
(1) Computer Configuration\Administrative Templates\Microsoft Office 2003\Security Settings\Word: Macro Security Level (2) HKLM\Software\Policies\Microsoft\Office\11.0\Word\Security - Level (3) User Configuration\Administrative Templates\Microsoft Office Word 2003\Tools\Macro\Security\Security Level (4) HKCU\Software\Policies\Microsoft\Office\11.0\Word - Security\Level
(1) Computer Configuration\Administrative Templates\Microsoft Office 2003\Security Settings\Word: Trust all installed add-ins and templates (2) HKLM\Software\Policies\Microsoft\Office\11.0\Word\Security - DontTrustInstalledFiles (3) User Configuration\Administrative Templates\Microsoft Office Word 2003\Tools\Macro\Security\Trust all installed add-ins and templates (4) HKCU\Software\Policies\Microsoft\Office\11.0\Word\Security - DontTrustInstalledFiles
(1) User Configuration\Administrative Templates\Microsoft Office Word 2003\Tools\Options\Security\Store random number to improve merge accuracy (2) HKCU\Software\Policies\Microsoft\Office\11.0\Word\Options\vpref - fDontSaveRSID_1804_1
(1) User Configuration\Administrative Templates\Microsoft Office 2003\Security Settings\Prevent Users from Changing Office Encryption Settings (2) HKCU\Software\Policies\Microsoft\Office\11.0\Common\Security - DisableCustomEncryption
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Use_HKLM_only Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Security_HKLM_only
Security Zones: Use Only Machine Settings
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL!(Reserved), HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL!explorer.exe, HKLM\Software\Policies\Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Features/Restrict ActiveX Install, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL\(Reserved), [HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL\explorer.exe, [HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL\iexplore.exe
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Security_Zones_Map_Edit Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Security_zones_map_edit
Security Zones: Do Not Allow Users to Add/Delete Sites
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\InfoDelivery\Restrictions\NoUpdateCheck Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions\NoUpdateCheck
Disable Periodic Check for Internet Explorer Software Updates
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION!(Reserved), HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION!explorer.exe, HKLM\Software\Policies\Microsoft\Internet,Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Features/Protection From Zone Elevation, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION\(Reserved), [HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION\explorer.exe, [HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION\iexplore.exe
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING!(Reserved), HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING!explorer.exe, HKLM\Software\Policies\Microsoft\Internet E,Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Features/Binary Behavior Security Restriction, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING\(Reserved), [HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING\explorer.exe, [HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING\iexplore.exe
HKLM\Software\Policies\Microsoft\Internet Explorer\Download!RunInvalidSignatures, Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Advanced Page, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Download\RunInvalidSignatures
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_MK_PROTOCOL!(Reserved), HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_MK_PROTOCOL!explorer.exe, HKLM\Software\Policies\Microsoft,Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Features/MK Protocol Security Restriction, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_MK_PROTOCOL\(Reserved), [HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_MK_PROTOCOL\explorer.exe, [HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_MK_PROTOCOL\iexplore.exe
(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoMSAppLogo5ChannelNotify, Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Features/Restrict File Download, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD\(Reserved), [HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD\explorer.exe, [HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD\iexplore.exe
Disable Software Update Shell Notifications on Program Launch
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD!(Reserved), HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD!explorer.exe, Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Features/Restrict File Download, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD\(Reserved), [HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD\explorer.exe, [HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD\iexplore.exe
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\InfoDelivery\Restrictions\NoJITSetup, Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions\NoJITSetup
Disable Automatic Install of Internet Explorer Components
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ProxySettingsPerUser, Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ProxySettingsPerUser
Make Proxy Settings Per Machine
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Restrictions\NoExtensionManagement
HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions!NoCrashDetection, Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Restrictions\NoCrashDetection
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS!(Reserved), HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS!explorer.exe, Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Features/Scripted Window Security Restrictions, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS\(Reserved), [HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS\explorer.exe, [HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS\iexplore.exe
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Security_options_edit, Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Security_options_edit
Security Zones: Do Not Allow Users to Change Policies
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING!(Reserved), HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING!explorer.exe, Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Features/Mime Sniffing Safety Feature, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING\(Reserved), [HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING\explorer.exe, [HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING\iexplore.exe
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Advanced Page, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Download\CheckExeSignatures
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Advanced Page, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Control Panel\DisableRIED
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Internet Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1407
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Internet Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1208
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Internet Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2400
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1407
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1208
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2400
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Control Panel\AdvancedTab
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Control Panel\PrivacyTab
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Control Panel\SecurityTab
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\PreventIgnoreCertErrors
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Internet Settings/Component Updates/Periodic Check for Updates to Internet Explorer and Internet Tools, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\Update_Check_Page
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Internet Settings/Component Updates/Periodic Check for Updates to Internet Explorer and Internet Tools, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\Update_Check_Interval
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Features/Add-on Management, Registry Keys:[HKLM | HKCU]\Software\Microsoft\Windows\CurrentVersion\Policies\Ext\ListBox_Support_CLSID
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Features/Add-on Management, Registry Keys:[HKLM | HKCU]\Software\Microsoft\Windows\CurrentVersion\Policies\Ext\RestrictToList
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Control Panel\History, [HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Url History\DaysToKeep
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Control Panel\Autoconfig
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Control Panel\Connection Settings, [HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Control Panel\Connwiz Admin Lock
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Control Panel\Proxy
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions\NoSplash
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Security\DisableFixSecuritySettings
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\SQM\DisableCustomerImprovementProgram
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Control Panel\Settings
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Control Panel\DisableDeleteBrowsingHistory
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\PhishingFilter\Enabled
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Security\DisableSecuritySettingsCheck
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Advanced Page, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCAL
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Advanced Page, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\Enable Browser Extensions
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Advanced Page, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\NoUpdateCheck
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Advanced Page, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\CertificateRevocation
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Internet Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1406
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Internet Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1802
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Internet Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1604
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Internet Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1800
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Internet Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2102
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Internet Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1209
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Internet Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2103
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Internet Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2200
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Internet Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1001
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Internet Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1004
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Internet Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1201
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1C00
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Internet Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1804
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Internet Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1A00
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Internet Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2402
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Internet Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1607
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Internet Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2100
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Internet Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1E05
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Internet Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1809
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Internet Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1606
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Internet Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2101
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Internet Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2401
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1609
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\1609
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\1609
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1609
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\1609
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1406
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1400
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2000
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1802
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1803
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1604
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1800
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1608
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2102
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1209
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1001
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2200
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1001
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1004
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1201
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1C00
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1804
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1A00
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2402
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1607
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2100
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2004
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2001
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1200
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1405
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1402
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1E05
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1809
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1606
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2101
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2401
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\1609
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\1609
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\1609
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Features, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\XMLHTTP
HKCU\Software\Policies\Microsoft\Internet Explorer\Main!FormSuggest Passwords, HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel\FormSuggest Passwords
HKCU\Software\Policies\Microsoft\Internet Explorer\Main!NoJITSetup
HKCU\Software\Policies\Microsoft\Internet Explorer\Main!Page_Transitions
HKCU\Software\Policies\Microsoft\Internet Explorer\Main!Use FormSuggest, HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel!FormSuggest
HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions!NoSelectDownloadDir
HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel!Certificates
HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions!NoExternalBranding
HKCU\Software\Microsoft\Outlook Express!BlockExeAttachments
HKCU\Software\Policies\Microsoft\Internet Connection Wizard!DisableICW
HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel!Connwiz Admin Lock
HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel!ResetWebSettings
HKCU\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions\NoSubscriptionContent
HKCU\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions\NoAddingSubscriptions
HKCU\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions\NoAddingChannels
HKCU\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions\NoEditingScheduleGroups
HKCU\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions\NoScheduledUpdates
HKCU\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions\NoEditingSubscriptions
HKCU\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions\NoChannelUI
HKCU\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions\NoRemovingChannels
HKCU\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions\NoRemovingSubscriptions
HKCU\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions\NoChannelLogging
GPO Setting: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Increase a process working set
GPO Setting: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control: Behavior of the elevation prompt for standard users
GPO Setting: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode
GPO Setting: User Configuration\Administrative Templates\Windows Components\Windows Explorer\Remove CD Burning features
GPO Setting: User Configuration\Administrative Templates\Windows Components\Windows Explorer\Remove Security tab
GPO Setting: Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page\Empty Temporary Internet Files folder when browser is closed
GPO Setting: User Configuration\Administrative Templates\Windows Components\Internet Explorer\Disable changing Temporary Internet files settings
GPO Setting: Computer Configuration\Administrative Templates\System\Group Policy\Internet Explorer Maintenance Policy Processing
GPO Setting: Computer Configuration\Administrative Templates\System\Group Policy\Internet Explorer Maintenance Policy Processing
GPO Setting: Computer Configuration\Administrative Templates\System\Group Policy\Internet Explorer Maintenance Policy Processing
GPO Setting: Computer Configuration\Administrative Templates\Network\Link-Layer Topology Discovery\Turn on Mapper I/O (LLTDIO) driver
GPO Setting: Computer Configuration\Administrative Templates\Network\Link-Layer Topology Discovery\Turn on Mapper I/O (LLTDIO) driver
GPO Setting: Computer Configuration\Administrative Templates\Network\Link-Layer Topology Discovery\Turn on Mapper I/O (LLTDIO) driver
GPO Setting: Computer Configuration\Administrative Templates\Network\Link-Layer Topology Discovery\Turn on Responder (RSPNDR) driver
GPO Setting: Computer Configuration\Administrative Templates\Network\Link-Layer Topology Discovery\Turn on Responder (RSPNDR) driver
GPO Setting: Computer Configuration\Administrative Templates\Network\Link-Layer Topology Discovery\Turn on Responder (RSPNDR) driver
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone/Java permissions, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\1C00
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone/Java permissions, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1C00
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone/Java permissions, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\1C00
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone/Java permissions, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\1C00
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone/Java permissions, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\1C00
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone/Java permissions, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\1C00
GPO Setting: Computer Configuration\Administrative Templates\Network\Windows Connect Now\Configuration of wireless settings using Windows Connect Now
GPO Setting: Computer Configuration\Administrative Templates\Network\Windows Connect Now\Configuration of wireless settings using Windows Connect Now
GPO Setting: Computer Configuration\Administrative Templates\Network\Windows Connect Now\Configuration of wireless settings using Windows Connect Now
GPO Setting: Computer Configuration\Administrative Templates\Windows Components\ActiveX Installer Service\Approved Installation Sites for ActiveX Controls
GPO Setting: Computer Configuration\Administrative Templates\Windows Components\Windows Error Reporting\Disable Logging
GPO Setting: Computer Configuration\Administrative Templates\Windows Components\Windows Error Reporting\Disable Windows Error Reporting
GPO Setting: Computer Configuration\Administrative Templates\Windows Components\Windows Error Reporting\Do not send additional data
GPO Setting: Computer Configuration\Administrative Templates\Windows Components\Windows Error Reporting\Advanced Error Reporting Settings\Configure Corporate Windows Error Reporting
GPO Setting: User Configuration\Administrative Templates\Start Menu and Taskbar\Remove Default Programs link from the Start menu; Registry Key: HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMConfigurePrograms
GPO Setting: User Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off Help Experience Improvement Program
GPO Setting: User Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off Help Ratings
GPO Setting: User Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off Windows Online
GPO Setting: User Configuration\Administrative Templates\Windows Components\Network Sharing\Prevent users from sharing files within their profiles
GPO Setting: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Access Credential Manager as a trusted caller
GPO Setting: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Change the time zone
GPO Setting: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Create Symbolic Links
GPO Setting: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Modify an object label
GPO Setting: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Remotely accessible registry paths and subpaths
GPO Setting: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control: Admin Approval Mode for the Built-in Administrator account
GPO Setting: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control: Detect application installations and prompt for elevation
GPO Setting: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control: Only elevate executables that are signed and validated
GPO Setting: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control: Only elevate UIAccess applications that are installed in secure locations
(1) defined by the object's DACL
GPO Setting: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control: Run all administrators in Admin Approval Mode
GPO Setting: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control: Switch to the secure desktop when prompting for elevation
GPO Setting: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control: Virtualize file and registry write failures to per-user locations
(1) defined by the object's DACL (2) defined through group policy
GPO Setting: Computer Configuration\Administrative Templates\Network\Network Connections\Prohibit use of Internet Connection Firewall on your DNS domain network
GPO Settings: Computer Configuration\Administrative Templates\System\Error Reporting\Display Error Notification, Computer Configuration\Administrative Templates\Windows Components\Windows Error Reporting\Display Error Notification
GPO Setting: Computer Configuration\Administrative Templates\Windows Components\Event Log Service\Setup\Maximum Log Size (KB)
GPO Setting: Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Site to Zone Assignment List
GPO Setting: Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone\Turn on Protected Mode
GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone\Download signed ActiveX controls
GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone\Allow status bar updates via script
(1) GPO Setting: Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone\Turn on Protected Mode (2) Registry Keys:[HKLM|HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500
GPO Setting: Computer Configuration\Administrative Templates\Windows Components\Windows Defender\Configure Microsoft Spynet Reporting
GPO Setting: Computer Configuration\Administrative Templates\Windows Components\Windows Media Player\Do Not Show First Use Dialog Boxes
GPO Setting: Computer Configuration\Administrative Templates\Windows Components\Windows Media Player\Prevent Desktop Shortcut Creation
GPO Setting: Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Domain Profile Tab\Settings\Firewall settings\Display a notification
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PrivateProfile\Logging\LogDroppedPackets (2) Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Private Profile\Windows Firewall: Allow Logging - Log Dropped Packets
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PrivateProfile\Logging\LogSuccessfulConnections (2) Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Private Profile\Windows Firewall: Allow Logging - Log successful connections (3) Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Private Profile Tab\Logging\Logged successful connections
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PrivateProfile\Logging\LogFilePath (2) Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Private Profile\Windows Firewall: Allow Logging - Log file path and name (3) Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Private Profile Tab\Logging\Name
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PrivateProfile\Logging\LogFileSize (2) Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Private Profile Tab\Logging\Size limit (KB)
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging\LogDroppedPackets (2) Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Public Profile\Windows Firewall: Allow Logging - Log Dropped Packets
(1) via auditpol
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging\LogSuccessfulConnections (2) Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Public Profile\Windows Firewall: Allow Logging - Log successful connections (3) Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Public Profile Tab\Logging\Logged successful connections
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging\LogFilePath (2) Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Public Profile\Windows Firewall: Allow Logging - Log file path and name (3) Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Public Profile Tab\Logging\Name
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging\LogFileSize (2) Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Public Profile Tab\Logging\Size limit (KB)
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tcpip6\Parameters\DisableComponents
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tcpip6\Parameters\DisableComponents
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tcpip6\Parameters\DisableComponents
4.4.3.1 %SystemDrive%
%AllUsersProfile%
DISA Gold Disk for WXP
NSA Security Guide for WXP (NSA-XP-C44-026-02.pdf)
CIS WXP Pro Benchmark v1.3
CIS WXP Pro Benchmark v2.01 (CIS_WindowsXP_Benchmark_v2.01.pdf)
4.4.3.2 HKEY_LOCAL_MACHINE\Software
4.4.3.3 HKEY_LOCAL_MACHINE\System
File Auditing - Must Have ACE (CID:269)
%AllUsersProfile%\Application Data
%AllUsersProfile%\Application Data\Microsoft
%AllUsersProfile%\Application Data\Microsoft\Crypto\DSSHKLMKeys
%AllUsersProfile%\Application Data\Microsoft\Crypto\RSAHKLMKeys
%AllUsersProfile%\Application Data\Microsoft\Dr Watson
%AllUsersProfile%\Application Data\Microsoft\Dr Watson\drwtsn32.log
%AllUsersProfile%\Application Data\Microsoft\HTML Help
%AllUsersProfile%\Application Data\Microsoft\Media Index
%ProgramFiles%
%SystemDrive% 4.4.1.1 %SystemDrive%
%AllUsersProfile%\Documents\desktop.ini
%AllUsersProfile%\DRM
System Drive ACL (CID:2000)
%SystemDrive%\autoexec.bat
%SystemDrive%\config.sys
%SystemDrive%\Documents and Settings
%SystemDrive%\Documents and Settings\Administrator
%SystemDrive%\Documents and Settings\Default User
%SystemDrive%\io.sys
%SystemDrive%\msdos.sys
%SystemDrive%\ntbootdd.sys
%SystemDrive%\ntdetect.com
%SystemDrive%\ntldr
%SystemDrive%\System Volume Information
%SystemRoot%
Driver.cab ACL (CID:4083)
%SystemRoot%\$NtServicePackUninstall$
%SystemRoot%\CSC
%SystemRoot%\Debug
%SystemRoot%\Debug\UserMode
%SystemRoot%\Debug\UserMode\userenv.log
%SystemRoot%\Installer
%SystemRoot%\Offline Web Pages
%SystemRoot%\Prefetch
regedit.exe ACL (CID:2001)
%SystemRoot%\regedit.exe
4.4.1.17 %SystemRoot%\regedit.exe
arp.exe ACL (CID:2002)
%SystemRoot%\Registration
%SystemRoot%\Registration\CRMLog
%SystemRoot%\repair
%SystemRoot%\security
%SystemRoot%\Temp
%SystemRoot%\system32
%SystemRoot%\system32\arp.exe
at.exe ACL (CID:2003)
attrib.exe ACL (CID:2004)
cacls.exe ACL (CID:2005)
Eventlog ACL (CID:225)
debug.exe ACL (CID:2006)
%SystemRoot%\system32\at.exe
4.4.1.2 %SystemRoot%\system32\at.exe
4.4.1.3 %SystemRoot%\system32\attrib.exe
4.4.1.4 %SystemRoot%\system32\cacls.exe
%SystemRoot%\system32\ciadv.msc
%SystemRoot%\system32\Com\comexp.msc
%SystemRoot%\system32\compmgmt.msc
%SystemRoot%\system32\config
4.4.1.5 %SystemRoot%\system32\debug.exe
%SystemRoot%\system32\devmgmt.msc
edlin.exe ACL (CID:2007)
%SystemRoot%\system32\dfrg.msc
%SystemRoot%\system32\diskmgmt.msc
%SystemRoot%\system32\dllcache
4.4.1.6 %SystemRoot%\system32\drwatson.exe
4.4.1.7 %SystemRoot%\system32\drwtsn32.exe
4.4.1.8 %SystemRoot%\system32\edlin.exe
eventcreate.exe ACL (CID:2008)
4.4.1.9 %SystemRoot%\system32\eventcreate.exe
eventtriggers.exe ACL (CID:2009)
4.4.1.10 %SystemRoot%\system32\eventtriggers.exe
%SystemRoot%\system32\eventvwr.msc
%SystemRoot%\system32\fsmgmt.msc
ftp.exe ACL (CID:2010)
4.4.1.11 %SystemRoot%\system32\ftp.exe
%SystemRoot%\system32\gpedit.msc
%SystemRoot%\system32\Group Policy
%SystemRoot%\system32\ias
%SystemRoot%\system32\lusrmgr.msg
%SystemRoot%\system32\MSDTC
%SystemRoot%\system32\nbstat.exe
net.exe ACL (CID:2012)
net1.exe ACL (CID:2013)
netsh.exe ACL (CID:2014)
nbtstat.exe ACL (CID:2011)
4.4.1.12 %SystemRoot%\system32\net.exe
4.4.1.13 %SystemRoot%\system32\net1.exe
%SystemRoot%\system32\netsh.exe
4.4.1.14 %SystemRoot%\system32\netsh.exe
netstat.exe ACL (CID:2015)
%SystemRoot%\system32\netstat.exe
nslookup.exe ACL (CID:2016)
%SystemRoot%\system32\nslookup.exe
ntbackup.exe ACL (CID:2017)
%SystemRoot%\system32\Ntbackup.exe
%SystemRoot%\system32\NTMSData
%SystemRoot%\system32\ntmsoprq.msc
rcp.exe ACL (CID:2018)
reg.exe ACL (CID:2019)
regini.exe ACL (CID:2021)
rexec.exe ACL (CID:2023)
%SystemRoot%\system32\ntmsmgr.msc
%SystemRoot%\system32\perfmon.msc
%SystemRoot%\system32\rcp.exe
4.4.1.15 %SystemRoot%\system32\rcp.exe
%SystemRoot%\system32\reg.exe
4.4.1.16 %SystemRoot%\system32\reg.exe
regedt32.exe ACL (CID:2020)
%SystemRoot%\system32\regedt32.exe
4.4.1.18 %SystemRoot%\system32\regedt32.exe
%SystemRoot%\system32\regini.exe
regsvr32.exe ACL (CID:2022)
4.4.1.19 %SystemRoot%\system32\regsvr32.exe
%SystemRoot%\system32\rexec.exe
4.4.1.20 %SystemRoot%\system32\rexec.exe
route.exe ACL (CID:2024)
rsh.exe ACL (CID:2025)
sc.exe ACL (CID:2026)
%SystemRoot%\system32\route.exe
%SystemRoot%\system32\rsh.exe
4.4.1.21 %SystemRoot%\system32\rsh.exe
%SystemRoot%\system32\RSoP.msc
4.4.1.22 %SystemRoot%\system32\runas.exe
4.4.1.23 %SystemRoot%\system32\sc.exe
secedit.exe ACL (CID:2027)
%SystemRoot%\system32\secedit.exe
%SystemRoot%\system32\secpol.msc
%SystemRoot%\system32\services.msc
%SystemRoot%\system32\Setup
subst.exe ACL (CID:2028)
telnet.exe ACL (CID:2030)
tftp.exe ACL (CID:2031)
%SystemRoot%\system32\spool\Printers
4.4.1.24 %SystemRoot%\system32\subst.exe
systeminfo.exe ACL (CID:2029)
%SystemRoot%\system32\systeminfo.exe
4.4.1.25 %SystemRoot%\system32\telnet.exe
%SystemRoot%\system32\tftp.exe
4.4.1.26 %SystemRoot%\system32\tftp.exe
tlntsvr.exe ACL (CID:2032)
4.4.1.27 %SystemRoot%\system32\tlntsvr.exe
%SystemRoot%\system32\wmimgmt.msc
%SystemRoot%\Tasks
4.4.2.1 HKLM\Software
HKEY_LOCAL_MACHINE\SOFTWARE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSDTC
4.4.2.9 HKLM\Software\Microsoft\MSDTC
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSDTC\Security\XAKey
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NetDDE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\UPnP Device Host
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Asr\Commands
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SeCEdit
4.4.2.11 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SeCEdit
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer
4.4.2.2 HKLM\Software\Microsoft\Windows\CurrentVersion\Installer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies
4.4.2.3 HKLM\Software\Microsoft\Windows\CurrentVersion\Policies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ratings
4.4.2.8 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ratings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Telephony
4.4.2.4 HKLM\System
HKEY_LOCAL_MACHINE\SYSTEM
HKEY_LOCAL_MACHINE\SYSTEM\clone
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network
Winreg ACL (CID:237)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Wmi\Security
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum
4.4.2.5 HKLM\System\CurrentControlSet\Enum
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AppMgmt\Security
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ClipSrv\Security
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CryptSvc\Security
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNSCache
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Ersvc\Security
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IRENUM\Security
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netbt
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netdde\Security
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netddedsdm\Security
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Rpcss\Security
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Samss\Security
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Scarddrv\Security
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Scardsvr\Security
SNMP - Permitted Managers (CID:1033)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\PermittedManagers
4.4.2.6 HKLM\System\CurrentControlSet\Services\CurrentControlSet\Services\SNMP\Parameters\PermittedManagers
SNMP Communities (CID:4046)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\ValidCommunities
4.4.2.7 HKLM\System\CurrentControlSet\Services\CurrentControlSet\Services\SNMP\Parameters\ValidCommunities
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Stisvc\Security
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SysmonLog\Log Queries
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tapisrv\Security
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32time\Security
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Wmi\Security
HKEY_USER\.DEFAULT
HKEY_USER\.DEFAULT\Software\Microsoft\NetDDE
4.2.7 Bypass traverse checking
HKEY_USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\ProtectedRoots
4.4.2.10 HKEY_USER\.Default\Software\Microsoft\SystemCertificates\Root\ProtectedRoots
User Right Check deny access from network (CID:162)
Deny access to this computer from the network: Not Defined
4.2.13 Deny access to this computer from the network
User Right Check Logon on network (CID:152)
Access this computer from a network: Administrators, Users
4.2.1 Access this computer from the network
User Right Check act as OS (CID:153)
Act as part of the operating system
4.2.2 Act as part of the operating system
User Right Check Backup (CID:155)
Back up files and directories: Administrators
4.2.6 Back up files and directories
User Right Check Bypass Traverse Checking (CID:156)
Bypass traverse checking: Users
4.2.8 Change the system time
4.2.9 Create a pagefile
4.2.10 Create a token object
4.2.12 Debug Programs
4.2.20 Generate security audits
User Right Check change system time (CID:157)
Change the system time: Administrators
User Right Check create pagefile (CID:158)
Create a pagefile: Administrators
User Right Check create token object (CID:159)
Create a token object: No One
User Right Check create permanent shared objects (CID:160)
Create permanent shared objects: No One
4.2.11 Create permanent shared objects
User Right Check debug programs (CID:161)
Debug programs: No One
User Right Check remote shutdown (CID:165)
Force shutdown from a remote system: Administrators
4.2.19 Force shutdown from a remote system
User Right Check generate security audits (CID:173)
Generate security audits: LOCAL SERVICE, NETWORK SERVICE
User Right Check increase quotas (CID:166)
Adjust memory quotas for a process: Administrators,NETWORK SERVICE, LOCAL SERVICE
4.2.4 Adjust memory quotas for a process
4.2.23 Lock pages in memory
4.2.24 Log on as a batch job
4.2.25 Log on as a service
4.2.26 Log on locally
User Right Check increase scheduling priority (CID:167)
Increase scheduling priority: Administrators
4.2.21 Increase scheduling priority
User Right Check load and unload device drivers (CID:168)
Load and unload device drivers: Administrators
4.2.22 Load and unload device drivers
User Right Check lock pages in memory (CID:169)
Lock pages in memory: No One
User Right Check log on as a batch job (CID:170)
Log on as a batch job: No One
User Right Check log on as a service job (CID:171)
Log on as a service: Network Service
User Right Check log on locally (CID:172)
Log on locally: Administrators, Users
Manage auditing and security log: Administrators
4.2.27 Manage auditing and security log
User Right Check modify firmware (CID:174)
Modify firmware environment variables: Administrators
4.2.28 Modify firmware environment values
4.2.30 Profile single process
4.2.35 Shut down the system
User Right Check Profile single process (CID:175)
Profile single process: Administrators
User Right Check Profile system performance (CID:176)
Profile system performance: Administrators
4.2.31 Profile system performance
User Right Check undock (CID:177)
Remove computer from docking station: Administrators, Users
4.2.32 Remove computer from docking station
User Right replace process token (CID:178)
Replace a process level token: LOCAL SERVICE, NETWORK SERVICE
4.2.33 Replace a process level token
User Right restore (CID:179)
Restore files and directories: Administrators
4.2.34 Restore files and directories
User Right shut down (CID:180)
Shut down the system: Administrators, Users
User Right take ownership (CID:182)
Take ownership of files or other objects: Administrators
4.2.37 Take ownership of file or other objects
4.2.16 Deny logon locally
4.2.15 Deny logon as a service
User Right synch directory (CID:181)
Synchronize directory service data: No One
4.2.36 Synchronize directory service data
User Right Check deny logon locally (CID:163)
Deny logon locally: Not Defined
User Right Check allow trust for delegation (CID:164)
Enable computer and user accounts to be trusted for delegation: No One
4.2.18 Enable computer and user accounts to be trusted for delegation
User Right Check Add wkstn to domain (CID:154)
Add workstations to domain
4.2.3 Add workstations to domain
User Right allow logon terminal service (CID:737)
Allow logon through Terminal Services: No One
4.2.5 Allow logon through terminal services
Deny logon as a batch job: No One
4.2.14 Deny logon as a batch job
Deny logon as a service: No One
Lockout Reset (CID:45)
Lockout Duration (CID:44)
Lockout Count (CID:43)
User Right deny logon terminal service (CID:738)
Deny logon through Terminal Services: Everyone
4.2.17 Deny logon through Terminal Service
User Right perform volume maintenance (CID:739)
Perform volume maintenance tasks: Administrators
4.2.29 Perform volume maintenance tasks
Reset account lockout counter after (15 min.)
2.2.3.3 Reset Account Lockout After
Account lockout duration (15 minutes)
2.2.3.1 Account Lockout Duration
Account lockout threshold (3 invalid attempts)
2.2.3.2 Account Lockout Threshold
Account logon auditing (CID:49)
Audit account logon events (Success, Failure)
2.2.1.1 Audit Account Logon Events
logon auditing (CID:53) 2.2.1.4 Audit Logon Events
logon auditing (CID:53) 2.2.1.4 Audit Logon Events
Account logon auditing (CID:49)
Audit account logon events (Success, Failure)
2.2.1.1 Audit Account Logon Events
Account management auditing (CID:51)
Audit account management (Success, Failure)
2.2.1.2 Audit Account Management
Account management auditing (CID:51)
Audit account management (Success, Failure)
2.2.1.2 Audit Account Management
Audit directory service access (No auditing)
2.2.1.3 Audit Directory Service Access
Audit directory service access (No auditing)
2.2.1.3 Audit Directory Service Access
Audit logon events (Success, Failure)
Audit logon events (Success, Failure)
2.2.1.5 Audit Object Access
2.2.1.5 Audit Object Access
2.2.1.6 Audit Policy Change
2.2.1.6 Audit Policy Change
priv use auditing (CID:58) 2.2.1.7 Audit Privilege Use
priv use auditing (CID:58) 2.2.1.7 Audit Privilege Use
2.2.1.8 Audit Process Tracking
2.2.1.8 Audit Process Tracking
object access auditing (CID:55)
Audit object access (Failure)
object access auditing (CID:55)
Audit object access (Failure)
policy change auditing (CID:56)
Audit policy change (Success, Failure)
policy change auditing (CID:56)
Audit policy change (Success, Failure)
Audit privilege use (Failure)
Audit privilege use (Failure)
Audit process tracking (No Auditing)
Audit process tracking (No Auditing)
2.2.1.9 Audit System Events
2.2.1.9 Audit System Events
2.2.4.1.2 Restrict Guest Access
2.2.4.1.3 Log Retention Method
system event auditing (CID:59)
Audit system events (Success, Failure)
system event auditing (CID:59)
Audit system events (Success, Failure)
Anonymous Access to the Security Event Log value (CID:479)
Restrict guest access to application Log
Application log size (CID:82)
Maximum application log size
2.2.4.1.1 Maximum Event Log Size
Application log retention (CID:85)
Retention method for application Log
2.2.4.1.4 Log Retention
2.2.4.2.2 Restrict Guest Access
Security log size (CID:80)
2.2.4.2.3 Log Retention Method
Retain security log 2.2.4.2.4 Log Retention
2.2.4.3.2 Restrict Guest Access
System log size (CID:81)
2.2.4.3.3 Log Retention Method
Retain application log
Anonymous Access to the Security Event Log value (CID:477)
Restrict guest access to security Log
Maximum security log size
2.2.4.2.1 Maximum Event Log Size
Security log retention (CID:83)
Retention method for security log
Anonymous Access to the Security Event Log value (CID:482)
Restrict guest access to system Log
Maximum system log size
2.2.4.3.1 Maximum Event Log Size
System log retention (CID:84)
Retention method for system log
Retain system log 2.2.4.3.4 Log Retention
2.2.2.1 Minimum Password Age
Password Length (CID:39)
2.2.2.4 Password Complexity
Password History (CID:42) 2.2.2.5 Password History
Maximum Password Age (CID:40)
Maximum Password Age (90)
2.1.2 Maximum Password Age, 2.2.2.2 Maximum Password Age
Minimum Password Age (CID:41)
Minimum Password Age (1)
Minimum Password Length (12)
2.1.1 Minimum Password Length, 2.2.2.3 Minimum Password Length
Passwords must meet complexity requirements (Enabled)
Enforce password history (24 passwords)
Reversible Pwd Encryption (CID:232)
Store password using reversible encryption for all users in the domain (Disabled)
2.2.2.6 Store Passwords using Reversible Encryption
4.1.1 Alerter
4.1.2 Automatic Updates
4.1.4 Clipbook
4.1.5 Computer Browser
4.1.6 Fax Service
4.1.7 FTP Publishing Service
4.1.8 IIS Admin Service
4.1.3 Background Intelligent Transfer Service
Computer Browser Disabled (CID:22)
Fast User Switching Compatibility Disabled (CID:729)
Internet Information System Installed - IIS Admin (CIS:4066)
4.1.9 Indexing Service
4.1.10 Messenger
4.1.11 Net Logon
Windows Messenger Internet Access (CIS:4036)
.NET Framework service (CIS:4035)
NetMeeting Remote Desktop Sharing Disabled (CIS:730)
4.1.12 NetMeeting Remote Desktop Sharing
Print Services for Unix Service (CIS:4031)
Remote Access Auto Connection Manager Disabled (CIS:731)
Remote Desktop Help Session Manager Disabled (CIS:732)
4.1.13 Remote Desktop Help Session Manager
4.1.14 Remote Registry Service
Routing and Remote Access Disabled (CIS:733)
4.1.15 Routing and Remote Access
Remote Shell Service (CIS:24)
Simple TCP/IP Service (CIS:25)
4.1.16 Simple Mail Transfer Protocol (SMTP)
Management and Monitoring Tools Installed - SNMP Service (CIS:4071)
4.1.17 Simple Network Management Protocol (SNMP) Service
Management and Monitoring Tools Installed - SNMP Trap (CIS:4072)
4.1.18 Simple Network Management Protocol (SNMP) Trap
4.1.19 Task Scheduler
4.1.20 Telnet
4.1.21 Terminal Services
SSDP Discovery Service Disabled (CIS:734)
Task Scheduler Check (CIS:28)
23 - Telnet Disabled (CIS:23)
Terminal Services Disabled (CIS:735)
4.1.22 Universal Plug and Play Device Host
Internet Information System Installed - World Wide Web Publishing (CIS:4067)
4.1.23 World Wide Web Publishing Services
File Shares (CIS:230)
4.1 Available Services (Permissions on services listed here: Administrators: Full Control; System: Read, Start, Stop, and Pause)
Printer ACL (CIS:229)
Restrict Anonymous value (CIS:97)
Network access: Do not allow anonymous enumeration of SAM accounts and shares: Enabled
3.1.3 Network Access: Do not allow Anonymous Enumeration of SAM Accounts and Shares
Network access: Do not allow anonymous enumeration of SAM accounts: Enabled
3.1.2 Network Access: Do not allow Anonymous Enumeration of SAM Accounts
Network access: Allow anonymous SID/Name translation: Disabled
3.1.1 Network Access: Allow Anonymous SID/Name Translation
Anon Access to Application log (CIS:78)
Anon Access to Security log (CIS:79)
Anon Access to System log (CIS:77)
Guest Account Disabled (CIS:29)
Accounts: Guest account status: Disabled
3.2.1.2 Accounts: Guest Account Status
Accounts: Administrator account status: Enabled
3.2.1.1 Accounts: Administrator Account Status
3.2.2.6 Disable Automatic Logon
Interactive logon: Message title for users attempting to log on
3.2.1.27 Interactive Logon: Message Title for Users Attempting to Log On
Interactive logon: Message text for users attempting to log on: <Configure Locally>
3.2.1.26 Interactive Logon: Message Text for Users Attempting to Log On
3.2.2.9 Remove administrative shares on workstation (Professional)
CIS: Automatic Execution of the System Debugger value (CIS:749)
3.2.2.2 Disable Automatic Execution of the System Debugger
Admin Autologon password values not exist: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultPassword; Admin Autologon Value: HKEY_LOCAL_MACHINE\*\AutoAdminLogon (CIS:188, 189)
Interactive logon: Allow Automatic Administrator Logon - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoAdminLogon = 0
Autoplay value (CID:103)
CIS: Disable Reboot After Crash value (CID:755)
3.2.2.7 Disable automatic reboots after a Blue Screen of Death
3.2.2.3 Disable autoplay from any disk type, regardless of application
3.2.2.4 Disable autoplay for current user
Disable Media Autoplay (HKEY_USER-.Default hive) Value (CID:752)
3.2.2.5 Disable autoplay for the default profile
3.2.2.8 Disable CD Autorun: HKLM\System\CurrentControlSet\Services\Cdrom\Autorun (REG_DWORD)
3.2.2.10 Protect against Computer Browser Spoofing Attacks
3.2.2.13 Ensure ICMP Routing via shortest path first
3.2.2.11 Protect against source-routing spoofing
3.2.2.17 Ensure Router Discovery is Disabled
CIS: Enable IPSec security for Kerberos RSVP Traffic value (CID:758)
3.2.2.21 Enable IPSec to protect Kerberos RSVP Traffic
CIS: Allow Dr. Watson Crash Dumps value (CID:746)
3.2.2.1 Suppress Dr. Watson Crash Dumps
Interactive logon: Do not display last user name - Enabled
3.2.1.24 Interactive Logon: Do Not Display Last User Name
CIS: Hide computer Name from other domain controllers value (CID:761)
3.2.2.22 Hide workstation from Network Browser listing: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Lanmanserver\Parameters\Hidden
3.2.2.12 Protect the Default Gateway network setting: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\EnableDeadGWDetect
3.2.2.15 Manage Keep-alive times: HKEY_LOCAL_MACHINE\System\CurrentControlSEt\Services\Tcpip\Parameters\KeepAliveTime
3.2.2.19 SYN Attack protection – Manage TCP Maximum half-open sockets: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxHalfOpen
3.2.2.20 SYN Attack protection – Manage TCP Maximum half-open retired sockets: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxHalfOpenRetried
3.2.2.16 Protect Against Malicious Name-Release Attacks: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netbt\Parameters\NoNameReleaseOnDemand
3.2.2.14 Help protect against packet fragmentation: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\EnablePMTUDiscovery
3.2.2.18 Protect against SYN Flood attacks: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\SynAttackProtect
Disable saving of dial up password (CID:105)
Safe DLL Search Mode value (CID:774)
System objects: Set safe search path for DLLs
3.2.2.23 Enable Safe DLL Search Mode: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\SafeDllSearchMode
Always Wait for the Network at Computer Startup and Logon (CID:927)
Cached Profiles value (CID:93)
Always Use Classic Logon (CID:924)
Turn Off Background Refresh of Group Policy (CID:930)
Internet Connection Sharing (CID:942)
Prohibit Installation and Configuration of Network Bridge on the DNS Domain Network (CID:945)
Disallow Installation of Printers Using Kernel-mode Drivers (CID:948)
Domain controller: Allow server operators to schedule tasks: Not Defined
3.2.1.15 Domain Controller: Allow Server Operators to Schedule Tasks
Administrator Account Renamed (CID:30)
Accounts: Rename administrator account: Administrator
3.2.1.4 Accounts: Rename Administrator Account
Guest Account Renamed (CID:31)
Accounts: Rename guest account: <Configure locally>
3.2.1.5 Accounts: Rename Guest Account
Amount of idle time before disconnecting value (CID:213)
Microsoft network server: Amount of idle time required before suspending session
3.2.1.35 Microsoft Network Server: Amount of Idle Time Required Before Disconnecting Session
Audit: Audit the access of global system objects: Not Defined
3.2.1.6 Audit: Audit the access of global system objects
Audit: Audit the use of Backup and Restore privilege: Not Defined
3.2.1.7 Audit: Audit the use of backup and restore privilege
Interactive logon: Do not require CTRL+ALT+DEL: Disabled
3.2.1.25 Interactive Logon: Do not require CTRL+ALT+DEL
LMCompatibility Value (CID:123)
Network security: LAN Manager authentication level: Send LM & NTLM - use NTLMv2 session security if negotiated
3.2.1.47 Network Security: LAN Manager Authentication Level
Print Driver Installation value (CID:99)
Devices: Prevent users from installing printer drivers: Enabled
3.2.1.11 Devices: Prevent users from installing printer drivers
Recovery Console Autologon value (CID:117)
Recovery console: Allow automatic administrative logon: Disabled
3.2.1.51 Recovery Console: Allow Automatic Administrative Logon
Recovery Console Full Access Value (CID:119)
Recovery console: Allow floppy copy and access to all drives and all folders: Disabled
3.2.1.52 Recovery Console: Allow Floppy Copy and Access to All Drives and All Folders
Floppy Allocation (CID:89)
Devices: Restrict CD-ROM access to locally logged-on user only: Enabled
3.2.1.12 Devices: Restrict CD-ROM Access to Locally Logged-On User Only
Devices: Restrict floppy access to locally logged-on user only: Enabled
3.2.1.13 Devices: Restrict Floppy Access to Locally Logged-On User Only
Strength permissions on GSO value (CID:204)
System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links): Enabled
3.2.1.58 System objects: Strengthen default permissions of internal system objects
Domain member: Require strong (Windows 2000 or later) session key value (CID:770)
Domain member: Require strong (Windows 2000 or later) session key: Enabled
3.2.1.23 Domain Member: Require Strong (Windows 2000 or later) Session Key
Send unencrypted password to 3rd party SMB value (CID:207)
Microsoft network client: Send unencrypted password to third-party SMB servers
3.2.1.34 Microsoft Network Client: Send Unencrypted Password to Connect to Third-Party SMB Server
Unsigned Driver Behavior Value (CID:127)
Devices: Unsigned driver installation behavior: Warn but allow installation
3.2.1.14 Devices: Unsigned Driver Installation Behavior
Password Expiration value (CID:199)
Interactive logon: Prompt user to change password before expiration: 14 days
3.2.1.29 Interactive Logon: Prompt User to Change Password Before Expiration
Crash on audit fail Value (CID:121)
Audit: Shut down system immediately if unable to log security audits: Disabled
3.2.1.8 Audit: Shut Down system immediately if unable to log security alerts
Shutdown before logon Check (CID:217)
Shutdown: Allow system to be shut down without having to log on: Enabled
3.2.1.53 Shutdown: Allow System to be Shut Down Without Having to Log On
Clear Pagefile value (CID:101)
Shutdown: Clear virtual memory pagefile: Disabled
3.2.1.54 Shutdown: Clear Virtual Memory Pagefile
Microsoft network client: Digitally sign communications (always)
3.2.1.32 Microsoft Network Client: Digitally sign communications (always)
Enable Security Signature Value (CID:113)
Microsoft network client: Digitally sign communications (if server agrees)
3.2.1.33 Microsoft Network Client: Digitally sign communications (if server agrees)
Microsoft network server: Digitally sign communications (always)
3.2.1.36 Microsoft Network Server: Digitally sign communications (always)
Microsoft network server: Digitally sign communications (if client agrees): Enabled
3.2.1.37 Microsoft Network Server: Digitally sign communications (if client agrees)
Logon Caching value (CID:91)
Interactive logon: Number of previous logons to cache (in case domain controller is not available): 0 logons
3.2.1.28 Interactive Logon: Number of Previous Logons to Cache
NTFS Media Ejection value (CID:2010)
Devices: Allowed to format and eject removable media: Administrators
3.2.1.10 Devices: Allowed to format and eject removable media
Digitally encrypt or sign secure channel data (always) value (CID:743)
Domain member: Digitally encrypt or sign secure channel data (always): Not Defined
3.2.1.18 Domain Member: Digitally Encrypt or Sign Secure Channel Data (Always)
Sign Secure Channel Traffic Value (CID:109)
Domain member: Digitally encrypt secure channel data (when possible): Enabled
3.2.1.19 Domain Member: Digitally Encrypt Secure Channel Data (When Possible)
Sign Secure Channel Traffic Value (CID:107)
Domain member: Digitally sign secure channel data (when possible): Enabled
3.2.1.20 Domain Member: Digitally Sign Secure Channel Data (When Possible)
Smart Card Removal Behavior Value (CID:125)
Interactive logon: Smart card removal behavior: Lock Workstation
3.2.1.31 Interactive Logon: Smart Card Removal Behavior
Disable password change Value (CID:111)
Domain member: Disable machine account password changes: Disabled
3.2.1.21 Domain Member: Disable Machine Account Password Changes
Use FIPS compliant algorithms for encryption, hashing, and signing (CID:804)
System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing: Enabled
3.2.1.55 System Cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing
Default owner for objects created by members of the Administrators group (CID:807)
System objects: Default owner for objects created by members of the Administrators group: Object Creator
3.2.1.56 System objects: Default owner for objects created by members of the Administrators group
System Object: Require Case Insensitivity for Non-Windows Subsystems (CID:810)
System objects: Require case insensitivity for non-Windows subsystems: Enabled
3.2.1.57 System objects: Require case insensitivity for non-Windows subsystems
Limit Blank Passwords value (CID:764)
Accounts: Limit local account use of blank passwords to console logon only: Enabled
3.2.1.3 Accounts: Limit local account use of blank passwords to console logon only
Devices: Allow undock without having to log on: Disabled
3.2.1.9 Devices: Allow undock without having to log on
Domain controller: LDAP server signing requirements: Not Defined
3.2.1.16 Domain Controller: LDAP Server Signing Requirements
LDAP client signing requirements (CID:795)
Network security: LDAP client signing requirements
3.2.1.48 Network Security: LDAP client signing requirements
Domain controller: Refuse machine account password changes: Not Defined
3.2.1.19 (note: different enumeration) Domain Controller: Refuse machine account password changes
Accounts: Maximum machine account password age value (CID:767)
Domain member: Maximum machine account password age: 7 Days
3.2.1.22 Domain Member: Maximum Machine Account Password Age
Domain Controller Authentication to Unlock Workstation Value (CID:777)
Interactive logon: Require Domain Controller authentication to unlock workstation: Enabled
3.2.1.30 Interactive Logon: Require Domain Controller authentication to unlock workstation
Automatically log off user when logon time expires value (CID:210)
Microsoft network server: Disconnect clients when logon hours expire: Enabled
3.2.1.38 Microsoft Network Server: Disconnect clients when logon hours expire
Do not allow storage of credentials or .NET Passports for network authentication value (CID:780)
Network access: Do not allow storage of credentials or .NET Passports: Enabled
3.2.1.39 Network Access: Do not allow storage of credentials or .NET passports for network authentication
Let Everyone permissions apply to anonymous users Value (CID:783)
Network access: Let Everyone permissions apply to anonymous users: Disabled
3.2.1.40 Network Access: Let Everyone permissions apply to anonymous users
Network access: Named Pipes that can be accessed anonymously: Not Defined
3.2.1.41 Network Access: Named pipes that can be accessed anonymously
Network access: Remotely accessible registry paths: Classic - local users authenticate as themselves
3.2.1.42 Network Access: Remotely accessible registry paths
Network access: Shares that can be accessed anonymously: Not Defined
3.2.1.43 Network Access: Shares that can be accessed anonymously
Sharing and security model for local accounts Value (CID:786)
Network access: Sharing and security model for local accounts: Classic - local users authenticate as themselves
3.2.1.44 Network Access: Sharing and security model for local accounts
Do not store LAN Manager hash value on next password change (CID:789)
Network security: Do not store LAN Manager hash value on next password change: Enabled
3.2.1.45 Network Security: Do not store LAN Manager password hash value on next password change
Logon Time Enforcement (CID:46)
Network security: Force logoff when logon hours expire: Enabled
3.2.1.46 Network Security: Force logoff when logon hours expire
Minimum session security for NTLM SSP based clients (CID:798)
Network security: Minimum session security for NTLM SSP based (including secure RPC) clients: Require NTLMv2 session security, Require 128-bit encryption
3.2.1.49 Network Security: Minimum session security for NTLM SSP based (including secure RPC) clients
Minimum session security for NTLM SSP based servers (CID:801)
Network security: Minimum session security for NTLM SSP based (including secure RPC) servers: Require NTLMv2 session security, Require 128-bit encryption
3.2.1.50 Network Security: Minimum session security for NTLM SSP based (including secure RPC) servers
Non-NTFS Partition (CID:10)
Chapter 10: Modifying File System Security Settings with Security Templates
4.3.1 Ensure volumes are using the NTFS file system
Default user scrnsave.exe (CID:67)
Default user screensaver timeout (CID:68, 71)
Default user screensaver secure (CID:69)
Default user screensaver active (CID:70)
Current user scrnsave.exe (CID:76)
Current user screensaver timeout (CID:74)
Current user screensaver secure (CID:72)
Current user screensaver active (CID:73)
Always Install with Elevated Privileges (CID:888)
Disable IE Security Prompt for Windows Installer Scripts (CID:891)
Enable User Control Over Installs (CID:894)
Enable User to Use Media Source While Elevated (CID:900)
Allow Admin to Install from Terminal Services Session (CID:906)
Enable User to Patch Elevated Products (CID:903)
Cache Transforms in Secure Location on Workstation (CID:908)
Disable Media Player for XP automatic Updates (CID:912)
951 - Prevent Codec Download
Do Not Allow Windows Messenger to be Run (CID:915)
918 - Do Not Automatically Start Windows Messenger Initially
Prohibit New Task Creation (CID:843)
Limit Users to One Remote Session (CID:849)
Limit users to one remote session
Limit Number of Connections (CID:852)
Limit number of connections
Do Not Allow New Client Connections (CID:855)
Do not allow new client connections
Do Not Allow Local Administrators to Customize (CID:858)
Do not allow local administrator to customize permissions
Remote Control Settings (CID:861)
Remote control settings
Always Prompt Client for Password upon Connection (CID:864)
Always prompt client for password upon connection
Set Client Connection Encryption (CID:867)
Set client connection encryption level
Do Not Use Temp Folders per Session (CID:870)
Do not use temp folders per session
Do Not Delete Temp Folder upon Exit (CID:873)
Do not delete temp folder upon exit
Set Time Limit for Disconnected Sessions (CID:876)
Set time limit for disconnected sessions
Set Time Limit for Idle Sessions (CID:879)
Set time limit for idle sessions
Allow Reconnection from Original Client Only (CID:882)
Allow reconnection from original client only
Terminate Session When Time Limits are Reached (CID:885)
Terminate session when time limits are reached
Report Errors (CID:939)
Keep-Alive Messages (CID:846)
Solicited Remote Assistance (CID:933)
Unsolicited Remote Assistance (CID:936)
Enforce user logon restrictions (Enabled)
Maximum lifetime for service ticket (600 minutes)
Maximum lifetime for user ticket (10 hours)
Maximum lifetime for user ticket renewal (7 days)
Maximum tolerance for computer clock synchronization (5 minutes)
5.1.1.1 RPC Endpoint Mapper Client Authentication (SP2 only)
5.1.1.2 Restrictions for Unauthenticated RPC clients (SP2 only)
5.2.1.1.1.1 Protect all network connections (SP2 only)
5.2.1.1.1.2 Do not allow exceptions (SP2 only)
5.2.1.1.1.3 Allow local program exceptions
5.2.1.1.1.4 Allow remote administration
5.2.1.1.1.5 Allow file and printer sharing exception (SP2 only)
5.2.1.1.1.6 Allow ICMP exceptions (SP2 only)
5.2.1.1.1.7 Allow Remote Desktop exception (SP2 only)
5.2.1.1.1.8 Allow UPnP framework exception (SP2 only)
5.2.1.1.1.9 Prohibit notifications
5.2.1.1.1.10 Log dropped packets (SP2 only)
5.2.1.1.1.11 Log file path and name (SP2 only)
5.2.1.1.1.12 Log file size limit (SP2 only)
5.2.1.1.1.13 Log successful connections (SP2 only)
5.2.1.1.1.14 Prohibit unicast response to multicast or broadcast (SP2 only)
5.2.1.1.1.15 Define port exceptions (SP2 only)
5.2.1.1.16 Allow local port exceptions (SP2 only)
5.2.1.1.2.1 Protect all network connections (SP2 only)
5.2.1.1.2.2 Do not allow exceptions (SP2 only)
5.2.1.1.2.3 Allow local program exceptions (SP2 only)
5.2.1.1.2.4 Allow remote administration exception (SP2 only)
5.2.1.1.2.4 Allow file and printer sharing exception (SP2 only)
5.2.1.1.2.6 Allow ICMP exceptions (SP2 only)
5.2.1.1.2.7 Allow Remote Desktop exception (SP2 only)
5.2.1.1.2.8 Allow UPnP framework exception (SP2 only)
5.2.1.1.2.9 Prohibit notifications (SP2 only)
5.2.1.1.2.10 Log Dropped Packets (SP2 only)
5.2.1.1.2.11 Log file path and name (SP2 only)
5.2.1.1.2.12 Log file size limit (SP2 only)
5.2.1.1.2.13 Log Successful Connections (SP2 only)
5.2.1.1.2.14 Prohibit unicast response to multicast or broadcast (SP2 only)
5.2.1.1.2.15 Define port exceptions (SP2 only)
5.2.1.1.2.16 Allow local port exceptions (SP2 only)
5.2.1.1. Windows Firewall
Disable Periodic Check for Internet Explorer Software Updates (CID:834)
Disable Automatic Install of Internet Explorer Components (CID:831)
CIS WXP Pro Benchmark v2.01 OVAL (cis-winxp-oval.xml)
NIST 800-68 Windows XP PDF (SP800-68-20051102.pdf)
NIST 800-68 Windows XP XCCDF (NIST-800-68-53-WinXPPro_XCCDF_10102006.xml)
NIST 800-68 Windows XP OVAL (NIST-800-68-53-WinXPPro_OVAL_10102006.xml)
regedit.exePermissions oval:gov.nist.1:def:146
%SystemRoot%\system32\regedit.exe Table: 9.19 Value: Administrators: Full System: Full
arp.exePermissions oval:gov.nist.1:def:128
%SystemRoot%\system32\arp.exe Table: 9.1 Value: Administrators: Full System: Full
at.exePermissions oval:gov.nist.1:def:129
attrib.exePermissions oval:gov.nist.1:def:130
cacls.exePermissions oval:gov.nist.1:def:131
oval:gov.nist.1:def:132 debug.exePermissions
%SystemRoot%\system32\at.exe Table: 9.2 Value: Administrators: Full System: Full
%SystemRoot%\system32\attrib.exe Table: 9.3 Value: Administrators: Full
%SystemRoot%\System32\cacls.exe Table: 9.4 Value: Administrators: Full System: Full
%SystemRoot%\System32\debug.exe Table: 9.5 Value: Administrators: Full System: Full
edlin.exePermissions oval:gov.nist.1:def:133
oval:gov.nist.1:def:134
oval:gov.nist.1:def:135
%SystemRoot%\system32\edlin.exe Table: 9.6 Value: Administrators: Full System: Full
%SystemRoot%\system32\eventcreate.exe Table: 9.7 Value: Administrators: Full System: Full
eventcreate.exePermissions
%SystemRoot%\System32\eventtriggers.exe Table: 9.8 Value: 9.8
eventtriggers.exePermissions
oval:gov.nist.1:def:136
%SystemRoot%\system32\ftp.exe Table: 9.9 Value: Administrators: Full System: Full
ftp.exePermissions
nbtstat.exePermissions oval:gov.nist.1:def:137
net.exePermissions oval:gov.nist.1:def:138
net1.exePermissions oval:gov.nist.1:def:139
netsh.exePermissions oval:gov.nist.1:def:140
netstat.exePermissions oval:gov.nist.1:def:141
nslookup.exePermissions oval:gov.nist.1:def:142
ntbackup.exePermissions oval:gov.nist.1:def:143
%SystemRoot%\system32\nbtstat.exe Table: 9.10 Value: Administrators: Full System: Full
%SystemRoot%\system32\net.exe Table: 9.11 Value: Administrators: Full System: Full
%SystemRoot%\system32\net1.exe Table: 9.12 Value: Administrators: Full System: Full
%SystemRoot%\system32\netsh.exe Table: 9.13 Value: Administrators: Full System: Full
%SystemRoot%\system32\netstat.exe Table: 9.14 Value: Administrators: Full System: Full
%SystemRoot%\system32\nslookup.exe Table: 9.15 Value: Administrators: Full System: Full
%SystemRoot%\system32\Ntbackup.exe Table: 9.16 Value: Administrators: Full System: Full
rcp.exePermissions oval:gov.nist.1:def:144
reg.exePermissions oval:gov.nist.1:def:145
regedt32.exePermissions oval:gov.nist.1:def:147
regini.exePermissions oval:gov.nist.1:def:148
regsvr32.exePermissions oval:gov.nist.1:def:149
rexec.exePermissions oval:gov.nist.1:def:150
%SystemRoot%\system32\rcp.exe Table: 9.17 Value: Administrators: Full System: Full
%SystemRoot%\system32\reg.exe Table: 9.18 Value: Administrators: Full System: Full
%SystemRoot%\system32\Regedt32.exe Table: 9.20 Value: Administrators: Full System: Full
%SystemRoot%\system32\regini.exe Table: 9.21 Value: Administrators: Full System: Full
%SystemRoot%\system32\regsvr32.exe Table: 9.22 Value: Administrators: Full System: Full
%SystemRoot%\system32\rexec.exe Table: 9.23 Value: Administrators: Full System: Full
route.exePermissions oval:gov.nist.1:def:151
rsh.exePermissions oval:gov.nist.1:def:152
sc.exePermissions oval:gov.nist.1:def:153
secedit.exePermissions oval:gov.nist.1:def:154
%SystemRoot%\system32\route.exe Table: 9.24 Value: Administrators: Full System: Full
%SystemRoot%\system32\rsh.exe Table: 9.25 Value: Administrators: Full System: Full
%SystemRoot%\system32\sc.exe Table: 9.26 Value: Administrators: Full System: Full
%SystemRoot%\system32\secedit.exe Table: 9.27 Value: Administrators: Full System: Full
subst.exePermissions oval:gov.nist.1:def:155
systeminfo.exePermissions oval:gov.nist.1:def:156
telnet.exePermissions oval:gov.nist.1:def:157
tftp.exePermissions oval:gov.nist.1:def:158
%SystemRoot%\system32\subst.exe Table: 9.28 Value: Administrators: Full System: Full
%SystemRoot%\system32\systeminfo.exe Table: 9.29 Value: Administrators: Full System: Full
%SystemRoot%\system32\telnet.exe Table: 9.30 Value: Administrators: Full System: Full
%SystemRoot%\system32\tftp.exe Table: 9.31 Value: Administrators: Full System: Full
tlntsvr.exePermissions oval:gov.nist.1:def:159
%SystemRoot%\system32\tlntsvr.exe Table: 9.32 Value: Administrators: Full System: Full
DenyAccessFromNetwork oval:gov.nist.1:def:175
oval:gov.nist.1:def:162
BypassTraverseChecking oval:gov.nist.1:def:168
Deny access to this computer from the network Table: 4.15 Value: Guests, SUPPORT
Access this computer from the network Table: 4.1 Value: Administrators, not defined
AccessComputerFromNetwork, AccessComputerFromNetworkUsers
oval:gov.nist.1:def:161, oval:gov.nist.1:def:231
Act as part of the operating system Table: 4.2 Value: none
ActAsPartOfOperatingSystem
Back up files and directories Table: 4.7 Value: Administrators, not defined
BackUpFilesAndDirectories, BackUpFilesAndDirectoriesOperators
oval:gov.nist.1:def:167, oval:gov.nist.1:def:234
Bypass traverse checking Table: 4.8 Value: Administrators, Users, not defined
ChangeSystemTime oval:gov.nist.1:def:169
CreatePagefile oval:gov.nist.1:def:170
CreateTokenObject oval:gov.nist.1:def:171
oval:gov.nist.1:def:172
DebugPrograms oval:gov.nist.1:def:173
oval:gov.nist.1:def:180
GenerateSecurityAudits oval:gov.nist.1:def:181
AdjustMemoryQuotas oval:gov.nist.1:def:164
Change the system time Table: 4.9 Value: Administrators
Create pagefile Table: 4.10 Value: Administrators
Create a token object Table: 4.11 Value: None, not defined
Create permanent share objects Table: 4.13 Value: None, not defined
CreatePermanentSharedObjects
Debug programs Table: 4.14 Value: None, Administrators
Force shutdown from a remote system Table: 4.21 Value: Administrators
ShutdownFromRemoteSystem
Generate security audits Table: 4.22 Value: LOCAL SERVICE, NETWORK SERVICE
Adjust memory quotas for a process Table: 4.4 Value: Administrators, LOCAL SERVICE, NETWORK SERVICE
IncreaseSchedulingPriority oval:gov.nist.1:def:182
oval:gov.nist.1:def:183
LockPagesInMemory oval:gov.nist.1:def:184
LogOnAsBatchJob oval:gov.nist.1:def:185
LogOnAsService oval:gov.nist.1:def:186
oval:gov.nist.1:def:188
Increase scheduling priority Table: 4.24 Value: Administrators
Load and unload device drivers Table: 4.25 Value: Administrators
LoadAndUnloadDeviceDrivers
Lock pages in memory Table: 4.26 Value: none
Log on as a batch job Table: 4.27 Value: none, not defined
Log on as a service Table: 4.28 Value: LOCAL SERVICE, NETWORK SERVICE
Allow log on locally Table: 4.5 Value: Users, Administrators
AllowLogOnLocally, AllowLogOnLocallyAuthenticatedUsers
oval:gov.nist.1:def:165, oval:gov.nist.1:def:233
Manage auditing and security log Table: 4.29 Value: Administrators
ManageAuditingAndSecurityLog, ManageAuditingAndSecurityLogNone
oval:gov.nist.1:def:187, oval:gov.nist.1:def:235
Modify firmware environment values Table: 4.30 Value: Administrators
ModifyFirmwareEnvironmentValues
ProfileSingleProcess oval:gov.nist.1:def:190
ProfileSystemPerformance oval:gov.nist.1:def:191
oval:gov.nist.1:def:193
oval:gov.nist.1:def:194
ShutDownSystem oval:gov.nist.1:def:195
TakeOwnershipOfFiles oval:gov.nist.1:def:196
Profile single process Table: 4.32 Value: Administrators
Profile system performance Table: 4.33 Value: Administrators
Remove computer from docking station Table: 4.34 Value: Users, Administrators
RemoveComputerFromDockingStation, RemoveComputerFromDockingStationNone
oval:gov.nist.1:def:192, oval:gov.nist.1:def:236
Replace a process-level token Table: 4.35 Value: LOCAL SERVICE, NETWORK SERVICE
ReplaceProcessLevelToken
Restore files and directories Table: 4.36 Value: Administrators
RestoreFilesAndDirectories
Shut down the system Table: 4.37 Value: Users, Administrators
Take ownership of files and other objects Table: 4.39 Value: Administrators
oval:gov.nist.1:def:238
DenyLogonLocally oval:gov.nist.1:def:177
oval:gov.nist.1:def:179
oval:gov.nist.1:def:166
DenyLogonAsBatchJob oval:gov.nist.1:def:176
*** ***
Synchronize directory service data Table: 4.38 Value: not defined
SynchronizeDirectoryServiceData
Deny logon locally Table: 4.18 Value: Guests, SUPPORT_388945a0, any service accounts
Enable computer and user accounts to be trusted for delegation Table: 4.20 Value: none, not defined
AccountsTrustedForDelegation
Add workstations to domain Table: 4.3 Value: Administrators
AddWorkstationsToDomain, AddWorkstationsToDomainNone
oval:gov.nist.1:def:163, oval:gov.nist.1:def:232
Allow logon through Terminal Services Table: 4.6 Value: none, not defined
AllowLogOnThroughTerminalServices
Deny logon as a batch job Table: 4.16 Value: Guests, SUPPORT_388945a0
Deny logon as a service Table: 4.17 Value: not defined
oval:gov.nist.1:def:178
oval:gov.nist.1:def:189
AccountLockoutReset oval:gov.nist.1:def:26
AccountLockoutDuration oval:gov.nist.1:def:23
AccountLockoutThreshold oval:gov.nist.1:def:24
AuditAccountLogin oval:gov.nist.1:def:27
Deny logon through Terminal Services Table: 4.19 Value: Everyone, not defined
DenyLogonThroughTerminalServices
Profile volume maintenance tasks Table: 4.31 Value: Administrators
PerformVolumeMaintenanceTasks
Reset account lockout counter after Table: 2.3 Value: 15
Account lockout duration Table: 2.1 Value: 15
Account lockout threshold Table: 2.2 Value: 10, 50
Audit account logon events Table: 3.1 Value: success, success and failure
AuditAccountLogin oval:gov.nist.1:def:27
AuditAccountManagement oval:gov.nist.1:def:29
AuditAccountManagement oval:gov.nist.1:def:29
Not applicable Not applicable
Not applicable Not applicable
AuditLogonEvents oval:gov.nist.1:def:32
AuditLogonEvents oval:gov.nist.1:def:32
Audit account logon events Table: 3.1 Value: success, success and failure
Audit account management Table: 3.2 Value: success, failure
Audit account management Table: 3.2 Value: success, failure
Audit directory service access Table: 3.3 Value: not defined
Audit directory service access Table: 3.3 Value: not defined
Audit logon events Table: 3.4 Value: success, success and failure
Audit logon events Table: 3.4 Value: success, success and failure
AuditObjectAccess oval:gov.nist.1:def:34
AuditObjectAccess oval:gov.nist.1:def:34
oval:gov.nist.1:def:35
oval:gov.nist.1:def:35
AuditPrivilegeUse oval:gov.nist.1:def:36
AuditPrivilegeUse oval:gov.nist.1:def:36
AuditProcessTracking oval:gov.nist.1:def:40
AuditProcessTracking oval:gov.nist.1:def:40
Audit object access Table: 3.5 Value: failure, no auditing
Audit object access Table: 3.5 Value: failure, no auditing
Audit policy change Table: 3.6 Value: success
AuditPolicyChangesSuccessOnly
Audit policy change Table: 3.6 Value: success
AuditPolicyChangesSuccessOnly
Audit privilege use Table: 3.7 Value: failure, no auditing
Audit privilege use Table: 3.7 Value: failure, no auditing
Audit process tracking Table: 3.8 Value: no auditing
Audit process tracking Table: 3.8 Value: no auditing
oval:gov.nist.1:def:37
oval:gov.nist.1:def:37
oval:gov.nist.1:def:200
oval:gov.nist.1:def:197
Audit system events Table: 3.9 Value: success
AuditSystemEventsSuccessOnly
Audit system events Table: 3.9 Value: success
AuditSystemEventsSuccessOnly
Prevent local guests group from accessing application log Table: 6.4 Value: enabled
PreventGuestApplicationLogAccess
Maximum Application log size Table: 6.1 Value: 16384 kilobytes
MaximumApplicationLogSize
Retain application log Table: 6.7 Value: not defined
oval:gov.nist.1:def:203
oval:gov.nist.1:def:201
MaximumSecurityLogSize oval:gov.nist.1:def:198
oval:gov.nist.1:def:204
oval:gov.nist.1:def:202
MaximumSystemLogSize oval:gov.nist.1:def:199
Retention method for application log Table: 6.10 Value: as needed
ApplicationLogRetentionMethod
Prevent local guests group from accessing security log Table: 6.5 Value: enabled
PreventGuestSecurityLogAccess
Maximum security log size Table: 6.2 Value: 81920 kilobytes
Retain security log Table: 6.8 Value: not defined
Retention method for system log Table: 6.11 Value: as needed
SecurityLogRetentionMethod
Prevent local guests group from accessing system log Table: 6.6 Value: enabled
PreventGuestSystemLogAccess
Maximum system log size Table: 6.3 Value: 16384 kilobytes
Retain system log Table: 6.9 Value: not defined
oval:gov.nist.1:def:205
MaximumPasswordAge oval:gov.nist.1:def:17
MinimumPasswordAge oval:gov.nist.1:def:18
MinimumPasswordLength oval:gov.nist.1:def:19
PasswordComplexity oval:gov.nist.1:def:21
oval:gov.nist.1:def:16
oval:gov.nist.1:def:22
Retention method for system log Table: 6.12 Value: not defined
SystemLogRetentionMethod
Maximum password age Table: 1.2 Value: 90
Minimum password age Table: 1.3 Value: 1
Minimum password length Table: 1.4 Value: 12, 8
Password must meet complexity requirements Table: 1.5 Value: enabled
Enforce password history Table: 1.1 Value: 24
PasswordHistoryEnforcement
Store password using reversible encryption for all users in the domain Table: 1.6 Value: disabled
PasswordStorageReversibleEncryption
AlerterService oval:gov.nist.1:def:209
*** ***
*** ***
ClipBookService oval:gov.nist.1:def:210
BrowserService oval:gov.nist.1:def:211
FaxService oval:gov.nist.1:def:212
FTPPublishingService oval:gov.nist.1:def:213
IISAdminService oval:gov.nist.1:def:214
Alerter Service Table: 8.1 Value: disabled
Automatic update service Table: 8.4 Value: not defined
Background Intelligent Transfer Service Table: 8.5 Value: not defined
ClipBook service Table: 8.6 Value: disabled
Computer Browser Service Table: 8.9 Value: disabled
Fast User Switching Compatibility Table: 8.17 Value: not defined
Fax Service Table: 8.18 Value: disabled
FTP Publishing Service Table: 8.19 Value: disabled
IIS Admin service Table: 8.22 Value: disabled
IndexingService oval:gov.nist.1:def:215
MessengerService oval:gov.nist.1:def:216
oval:gov.nist.1:def:217
oval:gov.nist.1:def:218
Indexing Service Table: 8.24 Value: disabled
Messenger service Table: 8.30 Value: disabled
Net Logon service Table: 8.32 Value: not defined
NetMeeting Remote Desktop Sharing Table: 8.33 Value: disabled
NetMeetingRemoteDesktopSharingService
Remote Access Auto Connection Manager Table: 8.45 Value: not defined
Remote Desktop Help Session Manager Table: 8.47 Value: disabled
RemoteDesktopHelpSessionManagerService
oval:gov.nist.1:def:219
SMTPService oval:gov.nist.1:def:220
SNMPService oval:gov.nist.1:def:221
SNMPTrap oval:gov.nist.1:def:222
Internet Connection Firewall (ICF)/Internet Connection Sharing (ICS) Table: 8.26 Value: not defined
Remote Registry service Table: 8.50 Value: not defined
Routing and Remote Access service Table: 8.52 Value: disabled
RoutingAndRemoteAccessService
Simple Mail Transfer Protocol (SMTP) Table: 8.59 Value: disabled
Simple Network Management Protocol (SNMP) Service Table: 8.60 Value: disabled
Simple Network Management Protocol (SNMP) Trap Table: 8.61 Value: disabled
SSDPService oval:gov.nist.1:def:223
TaskSchedulerService oval:gov.nist.1:def:224
TelnetService oval:gov.nist.1:def:225
TerminalServicesService oval:gov.nist.1:def:226
oval:gov.nist.1:def:227
oval:gov.nist.1:def:228
Simple Service Discovery Protocol (SSDP) Discovery Service Table: 8.62 Value: disabled
Task Scheduler service Table: 8.65 Value: disabled
Telnet service Table: 8.68 Value: disabled
Terminal Services service Table: 8.69 Value: disabled
Universal Plug and Play Device Host Disabled Table: 8.73 Value: Not defined
UniversalPlugAndPlayDeviceHostService
World Wide Web Publishing Services Table: 8.85 Value: Disabled
WWWPublishingServicesService
Print Spooler service Table: 8.42 Value: not defined
oval:gov.nist.1:def:88
Plug and Play service Table: 8.40 Value: not defined
Network access: Do not allow anonymous enumeration of SAM accounts and shares Table: 5.45 Value: enabled
AnonymousEnumerationOfAccountsAndShares
oval:gov.nist.1:def:87
GuestAccountStatus oval:gov.nist.1:def:243
oval:gov.nist.1:def:242
Network access: Do not allow anonymous enumeration of SAM accounts Table: 5.44 Value: enabled
AnonymousEnumerationOfAccounts
Network access: Allow anonymous SID/Name translation Table: 5.43 Value: disabled
Accounts: Guest account status Table: 5.2 Value: disabled
Accounts: Administrator account status Table: 5.1 Value: enabled
AdministratorAccountStatus
LogonMessageTitle oval:gov.nist.1:def:71
LogonMessageText oval:gov.nist.1:def:70
AutomaticLogonDisabled oval:gov.nist.1:def:110
Interactive logon: Message title for users attempting to log on Table: 5.30 Value: <DoJ Approved>
Interactive logon: Message text for users attempting to log on Table: 5.29 Value: <DoJ approved>
MSS: (AutoShareWks) Enable Administrative Shares Table: 5.72 Value: not defined
MSS: (AutoAdminLogon) Enable Automatic Logon Table: 5.70 Value: disabled
oval:gov.nist.1:def:113
MSS: (AutoReboot) Allow Windows to automatically restart after a system crash Table: 5.71 Value: not defined
MSS: (NoDriveTypeAutoRun) Disable Autorun for all drives Table: 5.80 Value: 255
DisableAutorunForAllDrives
MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes Table: 5.76 Value: disabled
AllowICMPRedirectsDisabled
oval:gov.nist.1:def:111
RouterDiscovery oval:gov.nist.1:def:121
oval:gov.nist.1:def:116
oval:gov.nist.1:def:117
oval:gov.nist.1:def:68
MSS: (DisableIPSourceRouting) IP source routing protection level Table: 5.73 Value: Highest protection, source routing is completely disabled
IPSourceRoutingProtectionLevel
MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses Table: 5.83 Value: enabled
MSS: (NoDefaultExempt) Enable NoDefaultExempt for IPSec Filtering Table: 5.79 Value: Multicast, broadcast, and ISAKMP
NoDefaultExemptForIPSecFiltering
Interactive logon: Do not display last user name Table: 5.27 Value: enabled
LastUserNameNotDisplayedForLogon
HideFromBrowseList oval:gov.nist.1:def:114
oval:gov.nist.1:def:112
KeepAliveTime oval:gov.nist.1:def:115
MSS: (Hidden) Hide Computer From the Browse List Table: 5.77 Value: enabled
MSS: (EnableDeadGWDetect) Allow automatic detection of dead network gateways Table: 5.75 Value: disabled
AutomaticDetectionOfDeadGWs
MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds Table: 5.78 Value: 300,000ms (5 minutes)
NameReleaseRequests oval:gov.nist.1:def:118
SynAttackProtectionLevel oval:gov.nist.1:def:124
oval:gov.nist.1:def:127
MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers Table: 5.81 Value: enabled
MSS: (SynAttackProtect) Syn attack protection level Table: 5.86 Value: Connections time out sooner if attack is detected (1)
MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning Table: 5.89 Value: 90
EventLogThresholdWarning
MSS: (DisableSavePassword) Prevent the dial-up password from being saved Table: 5.74 Value: not defined
SafeDLLSearchMode oval:gov.nist.1:def:122
MSS: (SafeDllSearchMode) Enable Safe DLL search mode Table: 5.84 Value: enabled
SessionTimeout oval:gov.nist.1:def:83
oval:gov.nist.1:def:45
oval:gov.nist.1:def:52
Domain controller: Allow server operators to schedule tasks Table: 5.17 Value: not defined
Accounts: Rename administrator account Table: 5.4 Value: not defined
Accounts: Rename guest account Table: 5.5 Value: not defined
Microsoft network server: Amount of idle time required before suspending session Table: 5.39 Value: 15 minutes
Audit: Audit the access of global system objects Table: 5.6 Value: disabled
AuditAccessToGlobalObjects
Audit: Audit the use of backup and restore privilege Table: 5.7 Value: disabled
AuditBackupAndRestorePrivilegeDisabled
RequireCTRL_ALT_DEL oval:gov.nist.1:def:69
oval:gov.nist.1:def:56
oval:gov.nist.1:def:101
oval:gov.nist.1:def:102
Interactive logon: Do not require CTRL+ALT+DEL Table: 5.28 Value: disabled
Network security: LAN Manager authentication level Table: 5.55 Value: Send NTLMv2 response only\refuse LM & NTLM or Send NTLMv2 response only\refuse LM
LANManagerAuthenticationRefuseLM, LANManagerAuthenticationRefuseLM_NTLM
oval:gov.nist.1:def:97, oval:gov.nist.1:def:96
Devices: Prevent users from installing printer drivers Table: 5.13 Value: enabled or disabled
PreventUsersFromInstallingPrinterDrivers
Recovery console: Allow automatic administrative logon Table: 5.59 Value: disabled
RecoveryConsoleAutoLogon
Recovery console: Allow floppy copy and access to all drives and all folders Table: 5.60 Value: disabled
RecoveryConsoleFullSystemAccess
oval:gov.nist.1:def:102
oval:gov.nist.1:def:59
oval:gov.nist.1:def:109
RequireStrongSessionKey oval:gov.nist.1:def:66
oval:gov.nist.1:def:82
oval:gov.nist.1:def:60
PasswordExpirationPrompt oval:gov.nist.1:def:74
Devices: Restrict CD-ROM access to locally logged-on user only Table: 5.14 Value: disabled
RecoveryConsoleFullSystemAccess
Devices: Restrict floppy access to locally logged-on user only Table: 5.15 Value: disabled
RestrictFloppyAccessDisabled
System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links) Table: 5.67 Value: enabled
InternalSystemObjectsPermissions
Domain member: Require strong (Windows 2000 or later) session key Table: 5.25 Value: enabled
Microsoft network client: Send unencrypted password to third-party SMB servers Table: 5.38 Value: disabled
UnencryptedSMBPasswords
Devices: Unsigned driver installation behavior Table: 5.16 Value: warn but allow installation
UnsignedDriverInstallationWarning
Interactive logon: Prompt user to change password before expiration Table: 5.32 Value: 14 days
ShutdownWithoutLogon oval:gov.nist.1:def:103
ClearPagefileOnShutdown oval:gov.nist.1:def:104
oval:gov.nist.1:def:79
oval:gov.nist.1:def:81
oval:gov.nist.1:def:84
oval:gov.nist.1:def:85
Audit: Shut down system immediately if unable to log security audits Table: 5.8 Value: not defined
Shutdown: Allow system to be shut down without having to log on Table: 5.61 Value: disabled
Shutdown: Clear virtual memory pagefile Table: 5.62 Value: enabled
Microsoft network client: Digitally sign communications (always) Table: 5.36 Value: enabled
ClientAlwaysSignCommunications
Microsoft network client: Digitally sign communications (if server agrees) Table: 5.37 Value: enabled
SignCommunicationsIfServerAgrees
Microsoft network server: Digitally sign communications (always) Table: 5.40 Value: enabled
ServerAlwaysSignCommunications
Microsoft network server: Digitally sign communications (if client agrees) Table: 5.41 Value: enabled
SignCommunicationsIfClientAgrees
PreviousLogonsCached oval:gov.nist.1:def:72
oval:gov.nist.1:def:61
oval:gov.nist.1:def:62
oval:gov.nist.1:def:63
SmartCardRemoval oval:gov.nist.1:def:78
oval:gov.nist.1:def:64
Interactive logon: Number of previous logons to cache (in case domain controller is not available) Table: 5.31 Value: 0 logons or 2 logons
Devices: Allowed to format and eject removable media Table: 5.12 Value: Administrators or Administrators and interactive users
RestrictAccessToFormatAndEjectRemovableMediaAdministrators, RestrictAccessToFormatAndEjectRemovableMedia
oval:gov.nist.1:def:43, oval:gov.nist.1:def:44
Domain member: Digitally encrypt or sign secure channel data (always) Table: 5.20 Value: enabled
AlwaysDigitallyEncryptSecureChannelData
Domain member: Digitally encrypt secure channel data (when possible) Table: 5.21 Value: enabled
WhenPossibleDigitallyEncryptSecureChannelData
Domain member: Digitally sign secure channel data (when possible) Table: 5.22 Value: enabled
WhenPossibleDigitallySignSecureChannelData
Interactive logon: Smart card removal behavior Table: 5.35 Value: lock workstation
Domain member: Disable machine account password changes Table: 5.23 Value: disabled
MachineAccountPasswordChanges
FIPSCompliantEncryption oval:gov.nist.1:def:105
oval:gov.nist.1:def:106
RequireCaseInsensitivity oval:gov.nist.1:def:107
LimitBlankPasswordUse oval:gov.nist.1:def:42
oval:gov.nist.1:def:53
System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing Table: 5.64 Value: enabled
System objects: Default owner for objects created by members of the Administrators group Table: 5.65 Value: Object creator
AdministratorsGroupObjectCreatorOwner
System objects: Require case insensitivity for non-Windows subsystems Table: 5.66 Value: enabled
Accounts: Limit local account use of blank passwords to console logon only Table: 5.3 Value: enabled
Devices: Allow undock without having to logon Table: 5.11 Value: disabled
AllowUndockWithoutLoginDisabled
Domain controller: LDAP server signing requirements Table: 5.18 Value: not defined
oval:gov.nist.1:def:98
oval:gov.nist.1:def:65
oval:gov.nist.1:def:75
LogonTimeExpiration oval:gov.nist.1:def:86
CredentialsStorage oval:gov.nist.1:def:89
Network security: LDAP client signing requirements Table: 5.56 Value: Negotiate signing
LDAPClientSigningRequirements
Domain controller: Refuse machine account password changes Table: 5.19 Value: not defined
Domain member: Maximum machine account password age Table: 5.24 Value: 30 days
MaximumMachineAccountPasswordAge
Interactive logon: Require Domain Controller authentication to unlock workstation Table: 5.33 Value: enabled or disabled
DomainControllerAuthenticationRequired
Microsoft network server: Disconnect clients when logon hours expire Table: 5.42 Value: enabled
Network access: Do not allow storage of credentials or .NET Passports for network authentication Table: 5.46 Value: enabled
oval:gov.nist.1:def:90
oval:gov.nist.1:def:91
oval:gov.nist.1:def:92
oval:gov.nist.1:def:93
oval:gov.nist.1:def:94
Network access: Let Everyone permissions apply to anonymous users Table: 5.47 Value: disabled
AnonymousUsersPermissions
Network access: Named Pipes that can be accessed anonymously Table: 5.48 Value: COMNAP, COMNODE, SQL\QUERY, SPOOLSS, LLSRPC, browser
AnonymouslyAccessedNamedPipes
Network access: Remotely accessible registry paths Table: 5.49 Value: System\CurrentControlSet\Control\ProductOptions, System\CurrentControlSet\Control\Print\Printers, System\CurrentControlSet\Control\Server Applications, System\CurrentControlSet\Services\Eventlog, Software\Microsoft\OLAP Server,
RemotelyAccessibleRegistryPaths
Network access: Shares that can be accessed anonymously Table: 5.51 Value: COMCFG, DFS$
AnonymouslyAccessedShares
Network access: Sharing and security model for local accounts Table: 5.52 Value: Classic - local users authenticate as themselves
LocalAccountsSecurityModel
LANManagerHashStorage oval:gov.nist.1:def:95
ForceLogoff oval:gov.nist.1:def:244
oval:gov.nist.1:def:99
oval:gov.nist.1:def:100
Network security: Do not store LAN Manager hash value on next password change Table: 5.53 Value: enabled
Network security: Force logoff when logon hours expire Table: 5.54 Value: enabled
Network security: Minimum session security for NTLM SSP based (including secure RPC) clients Table: 5.57 Value: Require message integrity, Require message confidentiality, Require NTLMv2 session security, Require 128-bit encryption
NTLM_SSP_BasedClientsSessionSecurity
Network security: Minimum session security for NTLM SSP based (including secure RPC) servers Table: 5.58 Value: Require message integrity, Require message confidentiality, Require NTLMv2 session security, Require 128-bit encryption
NTLM_SSP_BasedServersSessionSecurity
oval:gov.nist.1:def:123
MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires Table: 5.85 Value: 0
ScreenSaverGracePeriod
Create global objects Table: 4.12 Value: not defined
Impersonate a client after authentication Table: 4.23 Value: not defined
DCOM: Machine access of the global system objects Table: 5.9 Value: disabled
DCOM: Machine Launch Restrictions in the Security Descriptor Definition Language (SDDL) syntax Table: 5.10 Value: not defined
Interactive logon: Display user information when the session is locked Table: 5.26 Value: not defined
Interactive logon: Require smart card Table: 5.34 Value: not defined
oval:gov.nist.1:def:125
oval:gov.nist.1:def:126
BackupOperators oval:gov.nist.1:def:206
PowerUsers oval:gov.nist.1:def:207
RemoteDesktopUsers oval:gov.nist.1:def:208
Network access: Restrict anonymous access to named pipes and shares Table: 5.50 Value: not defined
System cryptography: Force strong key protection for user keys stored on the computer Table: 5.63 Value: not defined
System settings: optional subsystems Table: 5.68 Value: not defined
System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies Table: 5.69 Value: not defined
MSS: (TCPMaxConnectResponseRetransmission) SYN-ACK retransmissions when a connection request is not acknowledged Table: 5.87 Value: 3 and 6 sec, half open connections dropped after 21 sec
TCPConnectionResponses
MSS: (TCPMaxDataRetransmissions) How many times unacknowledged data is retransmitted Table: 5.88 Value: 3
TCPMaxDataRetransmissions
Backup Operators Table: 7.1 Value: none
Power Users Table: 7.2 Value: none
Remote Desktop Users Table: 7.3 Value: none
Application Layer Gateway Service Table: 8.2 Value: not defined
Application Management Table: 8.3 Value: not defined
Cryptographic Services Table: 8.10 Value: not defined
DHCP Client Table: 8.11 Value: not defined
Distributed Link Tracking Client Table: 8.12 Value: not defined
Distributed Transaction Coordinator Table: 8.13 Value: not defined
DNS Client Table: 8.14 Value: not defined
Error Reporting Service Table: 8.15 Value: not defined
Event Log Table: 8.16 Value: not defined
Help and Support Table: 8.20 Value: not defined
Human Interface Device Access Table: 8.21 Value: not defined
IMAPI CD-Burning COM Service Table: 8.23 Value: not defined
Infrared Monitor Table: 8.25 Value: not defined
IPSEC Services Table: 8.27 Value: not defined
Logical Disk Manager Table: 8.28 Value: not defined
Logical Disk Manager Administrative Service Table: 8.29 Value: not defined
DDEService oval:gov.nist.1:def:245
DDEdsdmService oval:gov.nist.1:def:246
RasManService oval:gov.nist.1:def:247
MS Software Shadow Copy Provider Table: 8.31 Value: not defined
Network Connections Table: 8.34 Value: not defined
Network Dynamic Data Exchange (DDE) Table: 8.35 Value: not defined
Network DDE DDE Share Database Manager (DSDM) Table: 8.36 Value: not defined
Network Location Awareness (NLA) Table: 8.37 Value: not defined
NT LM Security Support Provider Table: 8.38 Value: not defined
Performance Logs and Alerts Table: 8.39 Value: not defined
Portable Media Serial Number Service Table: 8.41 Value: not defined
Protected Storage Table: 8.43 Value: not defined
QoS RSVP Table: 8.44 Value: not defined
Remote Access Connection Manager Table: 8.46 Value: not defined
Remote Procedure Call (RPC) Table: 8.48 Value: not defined
Remote Procedure Call (RPC) Locator Table: 8.49 Value: not defined
Removable Storage Table: 8.51 Value: not defined
Secondary Logon Table: 8.53 Value: not defined
Security Accounts Manager Table: 8.54 Value: not defined
Server Table: 8.55 Value: not defined
Smart Card Table: 8.57 Value: not defined
Smart Card Helper Table: 8.58 Value: not defined
System Event Notification Table: 8.63 Value: not defined
System Restore Service Table: 8.64 Value: not defined
TCP/IP NetBIOS Helper Table: 8.66 Value: not defined
Telephony Table: 8.67 Value: not defined
Themes Table: 8.70 Value: not defined
Uninterruptible Power Supply Table: 8.71 Value: not defined
Upload Manager Table: 8.72 Value: not defined
Volume Shadow Copy Table: 8.74 Value: not defined
Webclient Table: 8.75 Value: not defined
Windows Audio Table: 8.76 Value: not defined
Windows Image Acquisition (WIA) Table: 8.77 Value: not defined
Windows Installer Table: 8.78 Value: not defined
oval:gov.nist.1:def:119
Windows Management Instrumentation Table: 8.79 Value: not defined
Windows Management Instrumentation Driver Extensions Table: 8.80 Value: not defined
Windows Time Table: 8.81 Value: not defined
Wireless Zero Configuration Table: 8.82 Value: not defined
WMI Performance Adapter Table: 8.83 Value: not defined
Workstation Table: 8.84 Value: not defined
MSS: (NtfsDisable8dot3NameCreation) Enable the computer to stop generating 8.3 style filenames. Table: 5.82 Value: enabled
Disable8Dot3NameCreation
5.2.1.1.2.4 Allow remote administration exception (SP2 only)
5.2.1.1.2.7 Allow Remote Desktop exception (SP2 only)
OVAL10088
OVAL10219
Microsoft Security Guide for Windows Server 2003
Center for Internet Security Windows Server 2003
DISA STIG for Windows 2003
NIST SCAP Windows Vista XCCDF (SCAP-WinVista-XCCDF.xml rev 2007-02-06)
Table 3.28 Deny access to this computer from the network: ANONYMOUS LOGON; Built-in Administrator, Guests; Support_388945a0; Guest; all NON-Operating System service accounts (Legacy Client, Enterprise Client, and High Security)
4.2.15 Deny access to this computer from the network (minimum): Not Defined
Table 4.2 Access this computer from the network: Administrators, Authenticated Users, Enterprise Domain Controllers (High Security); Legacy Client and Enterprise Client are not defined
4.2.1 Access this computer from the network: Not Defined; Administrators, Authenticated Users, Enterprise Domain Controllers (Specialized Security)
5.1 User Rights: (4.015: CAT I) Built-in Guest account, Everyone group, guests group, and Domain Guests group DO NOT have the right to "access this computer from the network"
Table 3.21 Act as part of the operating system: Not defined (Legacy Client and Enterprise Client); revoke all security groups and accounts (High Security)
4.2.2 Act as part of the operating system: none
5.1 User Rights: (4.009: CAT I) Individual and group accounts DO NOT have the right to "act as part of the operating system"
4.2.36 Backup files and directories: Administrators (Specialized Security)
4.2.8 Bypass traverse checking: Not Defined
Table 3.26 Change the system time: Administrators and Power Users (default); Administrators (High Security); Legacy client and Enterprise Client are not defined
4.2.9 Change the system time: Administrators
4.2.10 Create a pagefile: Administrators (Specialized Security)
4.2.11 Create a token object: None
4.2.13 Create permanent shared objects: None
Table 3.27 Debug programs: Administrators (default); Revoke all security groups and accounts (Legacy Client, Enterprise client and High Security)
4.2.14 Debug Programs: None
Table 3.32 Force shutdown from a remote system: Administrators (High Security): Legacy client and Enterprise Client are not defined
4.2.21 Force shutdown from a remote system: Administrators (Specialized Security)
Table 3.33 Generate security audits: Network Service, Local Service (High Security): Legacy Client and Enterprise Client are not defined
4.2.22 Generate security audits: Local Service, Network Service (Specialized Security)
Table 3.23 Adjust memory quotas for a process: Administrators, Network Service, Local Service (High Security); Legacy client and Enterprise Client are not defined
4.2.4 Adjust memory quotas for a process: Network Service, Local Service, Administrators (Specialized Security)
Table 3.35 Increase scheduling priority: Administrators (High Security): Legacy Client and Enterprise Client are not defined
4.2.24 Increase scheduling priority: Administrators (Specialized Security)
Table 3.36 Load and unload device drivers: Administrators (High Security): Legacy Client and Enterprise Client are not defined
4.2.25 Load and unload device drivers: Administrators
Table 3.37 Lock pages in memory: Administrators (High Security): Legacy Client and Enterprise Client are not defined
4.2.26 Lock pages in memory: Administrators (Specialized Security)
Table 3.38 Log on as a batch job: Support_388945a0, Local Service (Default); Revoke all security groups and accounts (High Security); Legacy Client and Enterprise Client are not defined
4.2.27 Log on as a batch job: None
4.2.28 Log on as a service: Not Defined
Table 4.4 Allow log on locally: Administrators (Legacy client, Enterprise Client, and High Security)
4.2.5 Allow log on locally: Administrators
5.1 User rights: (4.026: CAT II) Built-in Guest account, guests group, and Domain guests group, HelpAssistant, and Support_388945a0 are assigned the right to DENY log on locally
Table 3.39 Manage auditing and security log: Administrators (High Security); Legacy Client and Enterprise Client are not defined
4.2.29 Manage auditing and security log: Administrators (Specialized Security)
Table 3.40 Modify firmware environment values: Administrators (High Security); Legacy client and Enterprise Client are not defined
4.2.30 Modify firmware environment values: Administrators (Specialized Security)
Table 3.42 Profile single process: Administrators (High Security); Legacy Client and Enterprise Client are not defined
4.2.32 Profile single process: Administrators (Specialized Security)
Table 3.43 Profile system performance: Administrators (High Security); Legacy client and Enterprise Client are not defined
4.2.33 Profile system performance: Administrators (Specialized Security)
Table 3.44 Remove computer from docking station: Administrators, Power Users (Default)/Administrators (High Security); Legacy client and Enterprise Client are not defined
4.2.34 Remove computer from docking station: Administrators (Specialized Security)
Table 3.45 Replace a process level token: Local Service, Network Service (High Security); Legacy Client and Enterprise Client are not defined
4.2.35 Replace a process level token: Network Service, Local Service
Table 3.46 Restore files and directories: Administrators and Backup Operators (Default)/Administrators (High Security); Legacy Client and Enterprise Client are not defined
4.2.36 Restore files and directories: Administrators (Specialized Security)
Table 3.47 Shut down the system: Backup Operators, Power Users and Administrators (Default)/Administrators (High Security); Legacy Client and Enterprise Client are not defined
4.2.37 Shut down the system: Administrators (Enterprise, Specialized Security)
Table 3.49 Take ownership of files or other objects: Administrators (High Security); Legacy Client and Enterprise Client are not defined
4.2.39 Take ownership of file or other objects: Administrators
Table 3.48 Synchronize directory service data: Revoke all security groups and accounts (High Security); legacy client and Enterprise Client are not defined
4.2.38 Synchronize directory service data: None
4.2.18 Deny logon locally: Not Defined
5.1 User rights: (4.026: CAT II) Built-in Guest account, guests group, and Domain guests group, HelpAssistant, and Support_388945a0 are assigned the right to DENY log on locally
Table 4.7 Enable computer and user accounts to be trusted for delegation: Administrators (High Security); Legacy client and Enterprise Client are not defined
4.2.20 enable computer and user accounts to be trusted for delegation: None
Table 3.22 Add workstations to domain: Administrators (High Security); Legacy Client and Enterprise Client are not defined
4.2.3 Add workstations to domain: Not Defined; None (Specialized Security)
Table 3.25 Allow log on through Terminal Services: Administrators (High Security); Administrators and Remote Desktop Users (Legacy Client and Enterprise Client)
4.2.6 Allow logon through terminal services: Administrators
5.1 User Rights: (4.040: CAT I) No one has the right to allow logon through Terminal Services unless the machine is performing the role of a Terminal Server
Table 4.18 Deny log on as a batch job: Support_388945a0 and Guest (Legacy Client, Enterprise Client, and High Security)
4.2.16 Deny logon as a batch job: Not Defined
4.2.17 Deny logon as a service: Not Defined
reset-account-lockout-counter
account-lockout-duration
account-lockout-threshold
audit-account-logon-events
Table 4.18 Deny log on through Terminal Services: Built-in Administrator; all NON-operating system service accounts (Legacy Client, Enterprise Client, and High Security)
4.2.19 Deny logon through Terminal Services: Not Defined
5.1 User Rights: (4.041: CAT II) The Everyone group is assigned the right to deny logon through Terminal Services unless the machine is performing the role of a Terminal Server, then the Guests group is assigned
Table 3.41 Perform volume maintenance tasks: Administrators (High Security); Legacy client and Enterprise Client are not defined
4.2.31 Perform volume maintenance tasks: Administrators (Specialized Security)
5.4.5.1 [AP] User Rights Assignments: Perform Volume Maintenance Tasks: Administrators
Table 2.11 Reset account lockout counter after: 30 minutes; 15 minutes (High Security); 30 minutes (Legacy Client and Enterprise Client)
2.2.3.3 Reset Account Lockout After: 15 minutes
5.4.2.2 [A] Bad Logon Counter Reset: 15 minutes
Table 2.9 Account lockout duration: 15 minutes (High Security); 30 minutes (Legacy Client and Enterprise Client)
2.2.3.1 Account Lockout Duration: 15 minutes
4.5.3 Password Policy (4.004: CAT II) The Account Lockout duration set to 15 minutes or more
Table 2.10 Account lockout threshold: 50 invalid login attempts (Legacy Client and Enterprise Client); 10 invalid login attempts (High Security)
2.2.3.2 Account Lockout Threshold: 15 attempts; 10 attempts (Specialized Security)
4.5.3 Password Policy (4.002: CAT II) The Account Lockout Threshold will be set to 3 or less
Table 3.2 Audit account logon events: Success/Failure (Legacy Client, Enterprise Client, and High Security)
2.2.1.1 Audit Account Logon Events: Success/Failure
audit-account-logon-events
audit-account-management
audit-account-management
audit-directory-services-access
audit-directory-services-access
audit-logon-events
audit-logon-events
Table 3.2 Audit account logon events: Success/Failure (Legacy Client, Enterprise Client, and High Security)
2.2.1.1 Audit Account Logon Events: Success/Failure
Table 3.4 Audit account management: Success/Failure (Legacy Client, Enterprise Client, and High Security)
2.2.1.2 Audit Account Management: Success/Failure
Table 3.4 Audit account management: Success/Failure (Legacy Client, Enterprise Client, and High Security)
2.2.1.2 Audit Account Management: Success/Failure
Table 3.6 Audit directory service access: Success/Failure (Legacy Client, Enterprise Client, and High Security)
2.2.1.3 Audit Directory Service Access: Not Defined
6.4 System Audit Settings: Audit directory service access: Not Defined
Table 3.6 Audit directory service access: Success/Failure (Legacy Client, Enterprise Client, and High Security)
2.2.1.3 Audit Directory Service Access: Not Defined
6.4 System Audit Settings: Audit directory service access: Not Defined
Table 3.8 Audit logon events: Success/Failure (Legacy Client, Enterprise Client, and High Security)
2.2.1.4 Audit Logon Events: Success and Failure
6.4 System Audit Settings: Audit logon events: Success, Failure
Table 3.8 Audit logon events: Success/Failure (Legacy Client, Enterprise Client, and High Security)
2.2.1.4 Audit Logon Events: Success and Failure
6.4 System Audit Settings: Audit logon events: Success, Failure
audit-object-access
audit-object-access
audit-policy-change
audit-policy-change
audit-privilege-use
audit-privilege-use
audit-process-tracking
audit-process-tracking
Table 3.10 Audit object access: Success/Failure (Legacy Client, Enterprise Client, and High Security)
2.2.1.5 Audit Object Access: Success/Failure
Table 3.10 Audit object access: Success/Failure (Legacy Client, Enterprise Client, and High Security)
2.2.1.5 Audit Object Access: Success/Failure
Table 3.12 Audit policy change: Success (legacy client, Enterprise Client, and High Security)
2.2.1.6 Audit Policy Change: Success
6.4 System Audit Settings: Audit policy change: Success, Failure
Table 3.12 Audit policy change: Success (legacy client, Enterprise Client, and High Security)
2.2.1.6 Audit Policy Change: Success
6.4 System Audit Settings: Audit policy change: Success, Failure
Table 3.14 Audit privilege use: Success/Failure (High Security); No Auditing (Legacy Client); Failure (Enterprise Client)
2.2.1.7 Audit Privilege Use: Not Defined
6.4 System Audit Settings: Audit privilege use: Failure
Table 3.14 Audit privilege use: Success/Failure (High Security); No Auditing (Legacy Client); Failure (Enterprise Client)
2.2.1.7 Audit Privilege Use: Not Defined
6.4 System Audit Settings: Audit privilege use: Failure
6.4 System Audit Settings: Audit process tracking: Not Defined
6.4 System Audit Settings: Audit process tracking: Not Defined
audit-system-events
audit-system-events
Maximum-Application-Log-Size
Table 3.18 Audit system events: Success (Legacy Client, Enterprise Client, and High Security)
2.2.1.9 Audit System Events: Success
6.4 System Audit Settings: Audit system events: Success, Failure
Table 3.18 Audit system events: Success (Legacy Client, Enterprise Client, and High Security)
2.2.1.9 Audit System Events: Success
6.4 System Audit Settings: Audit system events: Success, Failure
Table 3.102 Shutdown: Allow system to be shut down without having to log on: Disabled (Legacy Client, Enterprise Client, and High Security)
2.2.4.1.2 Restrict Guest Access: Enabled
Prevent-Guest-Application-Log-Access
Table 3.110 Maximum application log size: 16,384 KB (Legacy Client, Enterprise Client, and High Security)
2.2.4.1.1 Maximum Event Log Size: 16MB
5.4.7.1 [A] Event Log Sizes: Maximum application log size: 16384 kilobytes
Retention-Method-For-Application-Log
Prevent-Guest-Security-Log-Access
Maximum-Security-Log-Size
Retention-Method-For-Security-Log
Prevent-Guest-System-Log-Access
Maximum-System-Log-Size
Retention-Method-For-System-Log
Table 3.116 Retention method for application log: As needed (Legacy Client, Enterprise Client, and High Security)
2.2.4.1.3 Log Retention Method: Not Defined
5.4.7.3 [AP] Preserving Security Events: Retention method for application log: Do not overwrite events (clear log manually)
2.2.4.2.2 Restrict Guest Access: Enabled
3.5 [M] Access to Security Event Log: Auditors
Table 3.111 Maximum security log size: 81,920 KB (Legacy Client, Enterprise Client, and High Security)
5.4.7.1 [A] Event Log Sizes: Maximum security log size: 16384 kilobytes
6.2 Audit Log Requirements: (5.002: CAT II) minimum of 81920KB
Table 3.117 Retention method for security log: As needed (Legacy Client, Enterprise Client, and High Security)
2.2.4.2.3 Log Retention Method: Not Defined
2.2.4.3.2 Restrict Guest Access: Enabled
5.4.7.2 [A] Restrict Event Log Access Over Network: Prevent local guests group from accessing security log: Enabled
Table 3.112 Maximum system log size: 16,384 KB (Legacy Client, Enterprise Client, and High Security)
2.2.4.3.1 Maximum Event Log Size: 16MB
5.4.7.1 [A] Event Log Sizes: Maximum system log size: 16384 kilobytes
6.2 Audit Log Requirements: (5.002: CAT II) minimum of 81920KB
maximum-password-age
minimum-password-age
minimum-password-length
password-complexity
enforce-password-history
reversible-password-encryption
Table 3.118 Retention method for system log: As needed (Legacy Client, Enterprise Client, and High Security)
Table 2.4 Maximum password age: 42 days (Legacy Client, Enterprise Client, and High Security)
2.1.2 Maximum Password Age: 90 Days
4.5.3 Password Policy: (4.011: CAT II) Maximum password age is set to 90 days or less
Table 2.5 Minimum password age: 2 days (Legacy Client, Enterprise Client, and High Security)
2.2.2.1 Minimum Password Age: 1 day
4.5.3 Password Policy: (4.012: CAT II) Minimum password age is set to 1 day or more
Table 2.6 Minimum password length: 12 characters (High Security); 8 characters (Legacy Client and Enterprise Client)
2.2.2.3 Minimum Password Length: 8 characters; 12 characters (Specialized Security)
5.4.1.3 [AP] Minimum Password Length: 8 characters
Table 2.7 Password must meet complexity requirements: Enabled (Legacy Client, Enterprise Client, and High Security)
2.2.2.4 Password Complexity: Enabled
5.4.1.5 [M] Enable strong Password Filtering: Password must meet complexity requirements: Enabled
Table 2.3 Enforce password history: 24 passwords remembered (Legacy Client, Enterprise Client, and High Security)
2.2.2.5 Password History: 24 passwords remembered
5.4.1.4 [A] Password Uniqueness: Enforce password history: 24 passwords
Table 2.8 Store password using reversible encryption: Disabled (Legacy Client, Enterprise Client, and High Security)
2.2.2.6 Store Passwords Using Reversible Encryption: Disabled
5.4.1.6 [M] Disable Reversible Password Encryption: Disabled
4.1.1 Alerter: Disabled
4.1.3 Clipbook: Disabled
Table 3.119 Alerter Service: Disabled (Legacy Client, Enterprise Client, and High Security)
Table 3.123 Automatic updates service: Automatic (Legacy Client, Enterprise Client, and High Security)
7.6.1 Automatic Updates Service: Disable if not needed
Table 3.124 Background Intelligent Transfer Service: Manual (Legacy Client, Enterprise Client, and High Security)
7.6.2 Background Intelligent Transfer Service (BITs): Disable if not needed
Table 3.127 Clipbook service: Disabled (Legacy Client, Enterprise Client, and High Security)
Table 10.5 Computer Browser service: Automatic (default); Disabled (Enterprise)
Table 3.143 Fax Service: Not installed (default); Disabled (Legacy Client, Enterprise Client, and High Security)
4.1.4 Fax Service: Disabled
Table 3.146 FTP Publishing Service: Not installed (default); Disabled (Legacy Client, Enterprise Client, and High Security)
4.1.7 FTP Publishing Service: Disabled
7.6.3 FTP Service: Disabled
Table 3.151 IIS Admin Service: Not installed (default); Disabled (Legacy Client, Enterprise Client, and High Security)
4.1.10 IIS Admin Service: Disabled
Disable-remote-Desktop-Sharing
Table 3.153 Indexing Service: Disabled (Legacy Client, Enterprise Client, and High Security)
4.1.11 Indexing Service: Disabled
Table 3.167 Messenger Service: Disabled (Legacy Client, Enterprise Client, and High Security)
4.1.13 Messenger: Disabled
8.3.4 Windows Messenger: Disabled
Do-not-allow-Windows-Messenger-to-be-run
Table 3.172 .NET Framework Support Service: Not installed (default); Disabled (Legacy Client, Enterprise Client, and High Security)
8.4.3 .NET Framework: (5.069: CAT II) the .NET Framework is not active on the system unless it only supports locally developed .NET applications
Table 3.174 NetMeeting Remote Desktop Sharing: Disabled (Legacy Client, Enterprise Client, and High Security)
4.1.15 NetMeeting Remote Desktop Sharing: Disabled
7.6.4 NetMeeting Remote Desktop Sharing Service: (5.063: CAT II) Disabled
7.6.5 Print Services for Unix: (5.026: CAT II) Remove if not required
Table 3.187 Remote Access Auto Connection Manager: Manual (default); Disabled (Legacy Client, Enterprise Client, and High Security)
4.1.20 Remote Access Auto Connection Manager: Disabled
7.6.7 Remote Access Auto Connection Manager Service: (5.064: CAT II) Disabled
Table 3.190 Remote Desktop Help Session Manager: Manual (default); Disabled (Legacy Client, Enterprise Client, and High Security)
4.1.23 Remote Desktop Help Session Manager: Disabled
7.6.8 Remote Desktop Help Session Manager: (5.065: CAT II) Disabled
8.3.9.1 Internet Connection Sharing: (3.085: CAT II) Prohibit use of Internet Connection Sharing on your DNS domain networks is Enabled
Table 3.194 Remote Registry Service: Automatic (Legacy Client, Enterprise Client, and High Security)
4.1.26 Remote Registry Service: Disabled (Specialized Security)
7.6.9 Remote Registry Service: Disabled
Table 3.201 Routing and Remote Access Service: Disabled (Legacy Client, Enterprise Client, and High Security)
7.6.11 Routing and Remote Access Service: (5.067: CAT II) Disabled if not required
7.6.10 Remote Shell Service: (5.008: CAT II) Service is removed by typing instsrv rshsvc remove at the command prompt
Table 3.208 Simple TCP/IP Services: Not installed (default); Disabled (Legacy Client, Enterprise Client, and High Security)
7.6.16 Telnet Servers: (5.010: CAT II) Simple TCP/IP services are disabled
Table 3.207 Simple Mail Transport Protocol (SMTP): Not installed (default); Disabled (Legacy Client, Enterprise Client, and High Security)
4.1.31 Simple Mail Transfer Protocol: Disabled
Table 3.211 SNMP Service: Not installed (default); Disabled (Legacy Client, Enterprise Client, and High Security)
4.1.32 Simple Network Management Protocol Service: Disabled
7.6.13 SNMP Service: (5.026: CAT II) SNMP is disabled if not required
Table 3.212 SNMP Trap Service: Not installed (default); Disabled (Legacy Client, Enterprise Client, and High Security)
4.1.33 Simple Network Management Protocol Trap: Disabled
4.1.35 Telnet: Disabled
7.6.14 Simple Service Discovery Protocol (SSDP) Service: (5.019: CAT I) Disabled
Table 3.216 Task Scheduler: Automatic (default); Disabled (Legacy Client, Enterprise Client, and High Security)
7.6.15 Task Scheduler Service: (5.009: CAT II) Disabled
Table 3.220 Telnet Service: Disabled (Legacy Client, Enterprise Client, and High Security)
Table 3.221 Terminal Services: Manual (default); Automatic (Legacy Client, Enterprise Client, and High Security)
4.1.36 Terminal Services: Disabled (Specialized Security)
7.6.17 Terminal Services: (5.020: CAT I) Disabled on machines that are not performing as Terminal Servers
Table 3.182 Plug and Play: Automatic (Legacy Client, Enterprise Client, and High Security)
Table 3.245 World Wide Web Publishing Service: Not installed (default); Disabled (Legacy Client, Enterprise Client, and High Security)
4.1.39 World Wide Web Publishing Services: Disabled
Table 11.3 Automatic Update Service: Disabled
7.6.1 Automatic Updates Service: Disable if not needed
Table 11.4 Background Intelligent Transfer Service: Disabled
7.6.2 Background Intelligent Transfer Service (BITs): Disable if not needed
7.6.5 Print Services for Unix: (5.026: CAT II) Remove if not required
4.1.1 Alerter: Disabled
4.1.3 Clipbook: Disabled
Table 3.119 Alerter Service: Disabled (Legacy Client, Enterprise Client, and High Security)
Table 3.123 Automatic Updates Service: Automatic (Legacy Client, Enterprise Client, and High Security)
4.1.4 Fax Service: Disabled
4.1.7 FTP Publishing Service: Disabled
4.1.10 IIS Admin Service: Disabled
4.1.11 Indexing Service: Disabled
4.1.13 Messenger: Disabled
4.1.15 NetMeeting Remote Desktop Sharing: Disabled
4.1.19 Print Spooler: Disabled (Specialized Security)
4.1.20 Remote Access Auto Connection Manager: Disabled
7.6.7 Remote Access Auto Connection Manager Service: (5.064: CAT II) Disabled
4.1.23 Remote Desktop Help Session Manager: Disabled
4.1.26 Remote Registry Service: Disabled (Specialized Security)
4.1.31 Simple Mail Transfer Protocol: Disabled
4.1.32 Simple Network Management Protocol Service: Disabled
4.1.35 Telnet: Disabled
4.1.33 Simple Network Management Protocol Trap: Disabled
4.1.36 Terminal Services: Disabled (Specialized Security)
4.1.39 World Wide Web Publishing Services: Disabled
3.86 Network Access: Do not allow anonymous enumeration of SAM accounts and shares: Enabled (Legacy Client, Enterprise Client, and High Security)
3.1.3 Network Access: Do not allow anonymous enumeration of SAM accounts and shares: Enabled (Enterprise and Specialized Security)
5.4.6.53 [AP] Restrict Anonymous Network Shares: Network Access: Do not allow anonymous enumeration of SAM accounts: Enabled
do-not-allow-anonymous-enumeration-sam-accounts-shares
Anonymous-SID-Name-Translation
guest-account-status
administrator-account-status
3.85 Network Access: Do not allow anonymous enumeration of SAM accounts: Enabled (Legacy Client, Enterprise Client, and High Security)
do-not-allow-anonymous-enumeration-sam
Table 2.13 Network Access: Allow anonymous SID/NAME translation: Disabled
3.1.1 Network Access: Allow Anonymous SID/Name Translation: Disabled (Specialized Security)
5.4.6.52 Network Access: Allow anonymous SID/Name translation: Disabled
3.5 [M] Access to Security Event Log: Auditors
5.2 Windows Server 2003 Built-in Accounts: (4.048: CAT II) Disabled
message-title-users-attempting-logon
message-text-users-attempting-logon
enable-automatic-logon
Table 3.73 Interactive logon: Message title for users attempting to log on: "It is an offense to continue without proper authorization" (Legacy Client, Enterprise Client, and High Security)
3.2.1.27 Interactive Logon: Message Title for Users Attempting to Log On: <Custom or DoJ Approved>
5.4.6.22 [AP] Display Legal Notice: Interactive Logon: Message title for users attempting to log on: US Department of Defense Warning Statement
Table 3.72 Interactive logon: Message text for users attempting to log on: "This system is restricted to authorized users. Individuals attempting unauthorized access will be prosecuted. If unauthorized, terminate access now! Clicking on OK indicates your acceptance of the information in the background." (Legacy Client, Enterprise Client, and High Security)
3.2.1.26 Interactive Logon: Message Text for Users Attempting to Log On: <Custom or DoJ Approved>
5.4.6.22 Interactive Logon: Message text for users attempting to log on
5.4.6.38 [A] Disable Administrator Automatic Logon: Disabled
enable-icmp-redirect
5.4.6.47 [A] Disable Media Autoplay: MSS: Disable Autorun on all drives: 255, disable Autorun for all drives
Turn-off-Autoplay, no-drive-type-auto-run
5.4.6.41 [A] ICMP Redirects: MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes: Disabled
disable-ip-source-routing
perform-router-discovery
do-not-display-last-user-name
3.2.1.69 MSS: IP Source Routing protection level: Highest Protection, source routing is automatically disabled
5.4.6.39 MSS: DisableIPSourceRouting, IP source routing packet spoofing: Highest protection, source routing is completely disabled
3.2.1.74 MSS: Allow IRDP to detect and configure DefaultGateway addresses: Disabled
Table 3.70 Interactive logon: Do not display last user name: Disabled (default); Enabled (Legacy Client, Enterprise Client, and High Security)
3.2.1.24 Interactive Logon: Do Not Display Last User Name: Enabled
hide-system-from-browse-list
enable-dead-gw-detect
keep-alive-time
Table 3.246 Security Consideration for Network Attack: EnableDeadGWDetect = 0 (Legacy Client, Enterprise Client, and High Security)
3.2.1.70 MSS: Allow automatic detection of dead network gateways: Disabled
5.4.6.40 [A] Detection of Dead Gateways: MSS: (EnableDeadGWDetect) Allow automatic detection of dead network gateways: Disabled
Table 3.246 Security Consideration for Network Attacks: KeepAliveTime = 300,000 (Legacy Client, Enterprise Client, and High Security)
3.2.1.82 MSS: How often keepalive packets are sent in milliseconds: 300000
5.4.6.49 MSS: How often keepalive packets are sent in milliseconds: 300000
no-name-release-on-demand
syn-attack-protect
warning-level
Table 3.248 Configure NetBIOS Name Release Security: Allow the computer to ignore NetBIOS name release requests except from WINS server: NoNameReleaseOnDemand = 1 (Legacy Client, Enterprise Client, and High Security)
3.2.1.73 MSS: Allow the computer to ignore NetBIOS name release requests except from WINS servers: Enabled
5.4.6.42 [A] NetBIOS Name Release: MSS: (NoNameReleaseOnDemand) Allow computer to ignore NetBIOS name release requests except from WINS Servers: Enabled
Table 3.246 Security Consideration for Network Attacks: EnablePMTUDiscovery = 0 (Legacy Client, Enterprise Client, and High Security)
3.2.1.72 MSS: EnablePMTUDiscovery, Allow automatic detection of MTU size: Enabled (Specialized Security)
Table 3.246 Security Consideration for Network Attacks: SynAttackProtect = 1 (Legacy Client, Enterprise Client, and High Security)
5.4.6.44 MSS (SynAttackProtect) Syn attack protection level: Connections time out sooner if a SYN attack is detected
5.4.6.6 ConGp: Prevent the dial-up password from being saved: Enabled
Table 3.64 Domain member: Digitally encrypt or sign secure channel data (always): Enabled (High Security); Disabled (Legacy Client and Enterprise Client)
3.2.1.19 Domain Member: Digitally Encrypt Secure Channel Data (When Possible): Enabled
5.4.6.16 [A] Encryption of Secure Channel Traffic: Domain Member: Digitally encrypt secure channel data (when possible): Enabled
safe-dll-search-mode
Table 3.65 Domain member: Digitally encrypt or sign secure channel data (when possible): Enabled (Legacy Client, Enterprise Client, and High Security)
3.2.1.20 Domain Member: Digitally Sign Secure Channel Data (When Possible): Enabled
5.4.6.17 [A] Signing of Secure Channel Traffic: Domain Member: Digitally sign secure channel data (when possible): Enabled
Table 3.253 Enable Safe DLL Search Order: Enable Safe DLL search mode (recommended): SafeDllSearchMode = 1 (Legacy Client, Enterprise Client, and High Security)
3.2.1.80 MSS: Enable Safe DLL search mode: Enabled
5.4.6.48 [A] Safe DLL Search Mode: MSS: Enable Safe DLL search mode: Enabled
8.3.5 Always wait for the network at computer startup: Enabled
8.3.6 Group Policy: (3.080: CAT II) Turn off background refresh of Group Policy is set to Disabled
8.3.9.2 Network Bridge: (3.086: CAT II) The setting Prohibit installation and configuration of network Bridge on your DNS domain network is set to Enabled
rename-administrator
rename-guest
audit-access-global-system-objects
audit-use-backup-restore-privilege
8.3.10 Installation of Printers Using Kernel-mode Drivers: (3.087: CAT II) the setting Disallow installation of printers using kernel-mode drivers is set to Enabled
Table 3.61 Domain controller: Allow server operators to schedule tasks: Not Defined (default); Disabled (Legacy Client, Enterprise Client, and High Security)
3.2.1.15 Domain Controller: Allow Server Operators to Schedule Tasks: Disabled
5.4.6.12 [A] Server Operators Scheduling Tasks: Domain Controller: Allow server operators to schedule tasks: Disabled
5.4.6.3 Accounts: Rename administrator account: Should not be Administrator
5.4.6.4 Account: Rename guest account: Any value other than ‘Guest’
Table 3.81 Microsoft network server: Amount of idle time required before suspending session: 15 minutes (Legacy Client, Enterprise Client, and High Security)
5.4.6.30 [A] Idle Time Before Suspending a Session: Microsoft Network Server: Amount of idle time required before suspending a session: 15 minutes
amount-of-idle-time-required-before-suspending-session
Table 3.52 Audit: Audit the access of global system objects: Disabled (Legacy Client, Enterprise Client, and High Security)
3.2.1.6 Audit: Audit the access of global system objects: Not Defined
5.4.7.76 [A] Global System Object Permission Strength: System objects: Strengthen default permissions of internal system objects: Enabled
Table 3.53 Audit: Audit the use of backup and restore privilege: Disabled (Legacy Client, Enterprise Client, and High Security)
3.2.1.7 Audit: Audit the use of backup and restore privilege: Not Defined
do-not-require-ctrlaltdel
prevent-users-installing-printers
Table 3.71 Interactive logon: Do not require CTRL+ALT+DEL: Disabled (Legacy Client, Enterprise Client, and High Security)
5.4.6.21 [A] CTRL+ALT+DEL Security Attention Sequence: Interactive Logon: Do not require CTRL+ALT+DEL: Disabled
Table 3.96 Network security: LAN Manager authentication level: Send NTLM response only (default); Send NTLMv2 response only\refuse LM & NTLM (High Security); Send NTLMv2 responses only (Legacy Client and Enterprise Client)
3.2.1.50 Network Security: LAN Manager Authentication Level: Send NTLMv2 (Legacy), Send NTLMv2, refuse LM (Enterprise), Send NTLMv2, refuse LM and NTLM (Specialized Security)
5.4.6.64 [AP] LanMan Compatible Password Option Not Properly Set: Network Security: LAN Manager authentication level: Send NTLMv2 response only/refuse LM & NTLM
Table 3.57 Devices: Prevent users from installing printer drivers: Enabled (Legacy Client, Enterprise Client, and High Security)
3.2.1.11 Devices: Prevent users from installing printer drivers: Enabled
5.4.6.9 [A] Secure Print Driver Installation: Devices: Prevent users from installing printer drivers: Enabled
Table 3.100 Recovery console: Allow automatic administrative logon: Disabled (Legacy Client, Enterprise Client, and High Security)
3.2.1.54 Recovery Console: Allow Automatic Administrative Logon: Disabled
5.4.6.68 [A] Recovery Console - Automatic Logon: Allow automatic administrative logon: Disabled
Table 3.101 Recovery console: Allow floppy copy and access to all drives and all folders: Disabled (High Security); Enabled (Legacy Client and Enterprise Client)
3.2.1.55 Recovery Console: Allow Floppy Copy and Access to All Drives and All Folders: Not Defined
5.4.6.69 [A] Recovery Console - Set Command: Recovery console: Allow floppy copy and access to all drives and folders: Disabled
require-strong-session-key
3.2.1.12 Devices: Restrict CD-ROM Access to Locally Logged-On User Only: Not Defined
restrict-cdrom-access-local-users-only
Table 10.2 Devices: Restrict floppy access to locally logged-on user only: Enabled (Enterprise Client)
3.2.1.13 Devices: Restrict Floppy Access to Locally Logged-On User only: Not Defined
5.4.6.10 [A] Secure Removable Media: Devices: Restrict floppy access to locally logged-on user only: Enabled
restrict-floppy-access-local-users-only
Table 3.108 System objects: Strengthen default permissions of internal system objects: Enabled (Legacy Client, Enterprise Client, and High Security)
3.2.1.62 System Objects: Strengthen default permissions of internal system objects: Enabled
5.4.6.76 [A] Global System Object Permission Strength: System Objects: Strengthen default permissions of internal system objects: Enabled
Table 3.69 Domain member: Require strong (W2K or later) session key: Disabled (default); Enabled (Legacy Client, Enterprise Client, and High Security)
3.2.1.23 Domain Member: Require Strong (Windows 2000 or later) Session Key: Not Defined
5.4.6.20 [AP] Strong Session Key (WIN2K/W2K3 Native Domains): Domain Member: Require Strong (Windows 2000 or later) Session Key: Enabled
Table 3.80 Microsoft network client: Send unencrypted password to third-party SMB servers: Disabled (Legacy Client, Enterprise Client, and High Security)
3.2.1.35 Microsoft Network Client: Send Unencrypted Password to Connect to Third-Party SMB Server: Disabled
5.4.6.29 [A] Unencrypted Passwords to 3rd party SMB Servers: Disabled
send-unencrypted-password-to-third-party-smb-servers
3.2.1.14 Devices: Unsigned driver installation behavior: "Warn, but allow . . . "
5.4.6.11 [AP] Unsigned Driver installation Behavior: Warn but allow installation
Table 3.75 Interactive logon: Prompt user to change password before expiration: 14 days (Legacy Client, Enterprise Client, and High Security)
3.2.1.29 Interactive Logon: Prompt User to Change Password Before Expiration: 14 days
5.4.6.24 [A] Password Expiration Warning: Interactive Logon: Prompt user to change password before expiration: 14 days
prompt-user-to-change-password-before-expiration
shutdown-system-unable-log-audits
Table 3.54 Audit: Shut down system immediately if unable to log security audits: Disabled (Legacy Client and Enterprise Client); Enabled (High Security)
3.2.1.8 Audit: Shut down system immediately if unable to log security alerts: Enabled (Specialized Security)
5.4.6.5 [AP] Halt on Audit Failure: Audit: Shut down system immediately if unable to log security audits: Enabled
Table 3.102 Shutdown: Allow system to be shut down without having to log on: Disabled (Legacy Client, Enterprise Client, and High Security)
3.2.1.56 Shutdown: Allow system to be shut down without having to log on: Disabled
Table 3.103 Shutdown: Clear virtual memory page file: Disabled (Legacy Client and Enterprise Client); Enabled (High Security)
3.2.1.57 Shutdown: Clear virtual memory pagefile: Not Defined
5.4.6.71 [AP] Clear System Page File During Shutdown: Shutdown: Clear virtual memory pagefile: Enabled
3.2.1.33 Microsoft Network Client: Digitally sign communications (always): Enabled (Specialized Security)
5.4.6.27 [A] SMB Client Packet Signing (Always): Microsoft Network Client: Digitally sign communications (always): Enabled
digitally-sign-communications-client-always
digitally-sign-communications-client-server-agrees
3.2.1.37 Microsoft Network Server: Digitally sign communications (always): Not Defined
5.4.6.31 [A] SMB Server Packet Signing (Always): Microsoft Network Server: Digitally sign communications (always): Enabled
digitally-sign-communications-server-always
Microsoft network server: Digitally sign communications (if client agrees): Disabled
5.4.6.32 Microsoft Network Server: digitally sign server communications (if client agrees): Enabled
digitally-sign-communications-server-client-agrees
number-of-previous-logons-to-cache
allow-format-eject-removable-media
smart-card-removal-behaviour
Table 3.74 Interactive logon: Number of previous logons to cache: 1 (Legacy Client); 0 (Enterprise Client and High Security)
3.2.1.28 Interactive Logon: Number of Previous Logons to Cache: Not Defined
5.4.6.23 Interactive Logon: Number of previous logons to cache (in case Domain Controller is unavailable): 0 logons or 1 logon
Table 3.56 Devices: Allowed to format and eject removable media: Administrators (Legacy Client, Enterprise Client, and High Security)
3.2.1.10 Devices: Allowed to format and eject removable media: Administrators
5.4.6.8 [A] Format and Eject Removable Media: Devices: Allowed to Format and Eject Removable Media: Administrators
Table 3.64 Domain member: Digitally encrypt or sign secure channel data: Enabled (High Security); disabled (Legacy Client and Enterprise Client)
3.2.1.18 Domain Member: Digitally Encrypt or Sign Secure Channel Data (Always): Not Defined
5.4.6.15 [A] Encrypting and Signing of Secure Channel Traffic: Domain Member: Digitally encrypt or sign secure channel data (always): Enabled
digitally-encrypt-or-sign-secure-channel-data-always
Table 3.65 Domain member: Digitally encrypt secure channel data (when possible): Enabled (Legacy Client, Enterprise Client, and High Security)
3.2.1.19 Domain Member: Digitally Encrypt Secure Channel Data (When Possible): Enabled
5.4.6.16 [A] Encryption of Secure Channel Traffic: Domain Member: Digitally encrypt secure channel data (when possible): Enabled
digitally-encrypt-secure-channel-data-when-possible
Table 3.66 Domain member: Digitally sign secure channel data (when possible): Enabled (Legacy Client, Enterprise Client, and High Security)
3.2.1.20 Domain Member: Digitally Sign Secure Channel Data (When Possible): Enabled
5.4.6.17 [A] Signing of Secure Channel Traffic: Domain Member: Digitally sign secure channel data (when possible): Enabled
digitally-sign-secure-channel-data-when-possible
Table 3.77 Interactive logon: Smart card removal behavior: Lock Workstation (Enterprise Client and High Security); Legacy Client is not defined
3.2.1.32 Interactive Logon: Smart Card Removal Behavior: Lock Workstation
5.4.6.26 [A] Smart Card Removal Option: interactive Logon: Smart card removal behavior: Lock Workstation or Force Logoff
disable-machine-account-password-changes
limit-blank-password-use
allow-undock-no-logon
Table 3.105 System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing: Disabled (Legacy Client, Enterprise Client, and High Security)
3.2.1.59 System Cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing: Not Defined
5.4.6.73 [A] FIPS compliant algorithms: System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing: Enabled
Table 3.106 System objects: Default owner for objects created by members of the Administrators group: Administrators group (default); Object creator (Legacy Client, Enterprise Client, and High Security)
3.2.1.60 System Objects: Default owner for objects created by members of the Administrators group: Object Creator
5.4.6.74 [A] Object Created by members of the Administrators Group: System objects: Default owner for object created by members of the Administrators groups: Object creator
Table 3.107 System objects: Require case insensitivity for non-Windows subsystems: Enabled (Legacy Client, Enterprise Client, and High Security)
3.2.1.61 System objects: Require case insensitivity for non-Windows subsystems: Not Defined
5.4.6.75 [A] Case Insensitivity for Non-Windows Subsystems: System object: Require Case Insensitivity for non-Windows Subsystems: Enabled
Table 3.51 Accounts: Limit local account use of blank passwords to console logon only: Enabled (Legacy Client, Enterprise Client, and High Security)
3.2.1.3 Accounts: Limit local account use of blank passwords to console logon only: Enabled
5.4.6.2 [A] Limit Blank Passwords: Accounts: Limit local account use of blank passwords to console logon only: Enabled
Table 3.55 Devices: Allow undock without having to log on: Enabled (default); Disabled (Legacy Client, Enterprise Client, and High Security)
3.2.1.9 Devices: Allow undock without having to log on: Enabled (Specialized Security)
5.4.6.7 [A] Undock Without Logging On: Devices: Allow Undock Without Having to Log On: Disabled
Table 3.62 Domain controller: LDAP server signing requirements: Not Defined (Legacy Client and Enterprise Client); Require signing (High Security)
3.2.1.16 Domain Controller: LDAP Server Signing Requirements: Require Signing (Specialized Security)
5.4.6.13 [A] LDAP Signing Requirements (Domain Controller): Domain controller: LDAP Server signing requirements: Require signing
Table 3.97 Network security: LDAP client signing requirements: Negotiate signing (Legacy Client, Enterprise Client, and High Security)
3.2.1.51 Network Security: LDAP client signing requirements: Negotiate Signing or Require Signing
5.4.6.65 [A] LDAP Client Signing: Network security: LDAP client signing requirements: Negotiate signing
Table 3.63 Domain controller: Refuse machine account password changes: Not Defined (default); Disabled (Legacy Client, Enterprise Client, and High Security)
3.2.1.17 Domain Controller: Refuse machine account password changes: Disabled
5.4.6.14 [A] computer Account Password change Requests: Domain Controller: Refuse machine account password changes: Disabled
Table 3.68 Domain member: Maximum machine account password age: 30 days (Legacy Client, Enterprise Client, and High Security)
3.2.1.22 Domain Member: Maximum Machine Account Password Age: 30 days
5.4.6.19 [A] Maximum Machine Account Password Age: Domain Member: Maximum Machine Account Password Age: 30
maximum-machine-account-password-age
Table 3.76 Interactive logon: Require domain controller authentication to unlock workstation: Disabled (default); Enabled (Legacy Client, Enterprise Client, and High Security)
3.2.1.30 Interactive Logon: Require Domain Controller authentication to unlock workstation: Not Applicable
5.4.6.25 [A] Domain Controller Authentication to Unlock Workstation: Interactive logon: Require domain controller authentication to unlock workstation: Enabled
require-domain-controller-authentication-to-unlock
Table 3.84 Microsoft network server: Disconnect clients when logon hours expire: Enabled (Legacy Client, Enterprise Client, and High Security)
3.2.1.30 Microsoft Network Server: Disconnect clients when logon hours expire: Enabled
5.4.6.33 [A] forcibly disconnect when logon hours expire: Microsoft network Server: Disconnect clients when logon hours expire: Enabled
disconnect-client-when-logon-hours-expire
Table 3.87 Network access: Do not allow storage of credentials or .NET Passports for network authentications: Disabled (default); Enabled (Legacy Client, Enterprise Client, and High Security)
3.2.1.40 Network Access: Do not allow storage of credentials or .NET passports for network authentication: Enabled (Specialized Security)
5.4.6.54 [A] Storage of credentials or .NET passports: Network Access: Do not allow storage of credentials or .NET passports for network authentication: Enabled
do-not-allow-storage-credentials-net-passports-network-authn
named-pipes-accessed-anonymously
Table 3.88 Network access: Let Everyone permissions apply to anonymous users: Disabled (Legacy Client, Enterprise Client, and High Security)
3.2.1.41 Network Access: Let Everyone permissions apply to anonymous users: Disabled
5.4.6.55 [AP] Everyone Permissions Apply to Anonymous Users: Network Access: Let everyone permissions apply to anonymous users: Disabled
let-everyone-permissions-apply-to-anonymous-users
Table 3.89 Network access: Named Pipes that can be accessed anonymously: None (Legacy Client, Enterprise Client, and High Security)
3.2.1.42 Network Access: Named pipes that can be accessed anonymously: None
5.4.6.56 [MA] Anonymous Access to Named Pipes: Network Access: Named pipes that can be accessed anonymously: COMNAP, COMNODE, SQL\QUERY, SPOOLSS, EPMAPPER, LOCATOR, TrkWks, and TrkSvr
Table 3.90 Network access: Remotely accessible registry paths: System\currentControlSet\Control\Products Options; System\CurrentControlSet\Control\server Applications; Software\Microsoft\Windows NT\CurrentVersion (Legacy Client, Enterprise Client, and High Security)
3.2.1.43 Network Access: Remotely accessible registry paths: System\CurrentControlSet\Control\Product Options, System\CurrentControlSet\Control\Server Applications, Software\Microsoft\WindowsNT\CurrentVersion
5.4.6.57 [MA] Remotely Accessible Registry Paths: Network Access: Remotely accessible registry paths: System\currentControlSet\Control\ProductOptions, System\CurrentControlSet\Control\Server Applications, Software\Microsoft\Windows NT\CurrentVersion
Remotely-accessible-registry-paths, Remotely-accessible-registry-paths-and-sub-paths
Table 3.93 Network Access: Shares that can be accessed anonymously: None (Legacy Client, Enterprise Client, and High Security)
3.2.1.46 Network Access: Shares that can be accessed anonymously: None
5.4.6.60 [MA] Anonymous Access to Network Shares: Network Access: Shares that can be accessed anonymously: <should be blank>
Shares-that-can-be-accessed-anonymously -- NOTE: COMMENTED OUT
Table 3.94 Network Access: Sharing and security model for local accounts: Classic - local users authenticate as themselves (Legacy Client, Enterprise Client, and High Security)
3.2.1.47 Network Access: Sharing and security model for local accounts: Classic
5.4.6.61 [A] Sharing and Security Model for Local Accounts: Network Access: Sharing and security model for local accounts: "Classic - local users authenticate as themselves"
Sharing-and-security-model-for-local-accounts
Table 3.95 Network Security: Do not store LAN Manager hash value on next password change: Enabled (Legacy Client, Enterprise Client, and High Security)
3.2.1.48 Network Security: Do not store LAN Manager password hash value on next password change: Enabled (Specialized Security)
5.4.6.62 [AP] LAN Manager Hash Value: network security: Do not store LAN Manager hash value on next password change: Enabled
Do-not-store-LAN-Manager-hash-value-on-next-password-change
Table 2.14 Network Security: Force Logoff when logon hours expire: Disabled (default); Enabled (Legacy Client, Enterprise Client, and High Security)
3.2.1.49 Network Security: Force logoff when logon hours expire: Not Defined
5.4.6.63 [A] force Logoff when Logon Hours Expire: Enabled
Force-logoff-when-logon-hours-expire
Table 3.98 Network Security: Minimum session security for NTLM SSP based clients: No minimum (Legacy Client); Enabled all settings (Enterprise Client and High Security)
3.2.1.52 Network Security: Minimum session security for NTLM SSP based clients: Require Message Integrity, Message Confidentiality, NTLMv2 Session Security, 128-bit Encryption (Specialized Security)
5.4.6.66 [A] Minimum Session Security for NTLM SSP-based Clients: "Require NTLMv2 session security", "Require 128-bit encryption", "Require Message Integrity", and "Require Message Confidentiality"
Table 3.99 Network Security: Minimum session security for NTLM SSP based servers: No minimum (Legacy Client); Enabled all settings (Enterprise Client and High Security)
3.2.1.52 Network Security: Minimum session security for NTLM SSP based clients: Require Message Integrity, Message Confidentiality, NTLMv2 Session Security, 128-bit Encryption (Specialized Security)
5.4.6.67 [A] Minimum Session Security for NTLM SSP-based servers: "Require NTLMv2 session security", "Require 128-bit encryption", "Require Message Integrity", and "Require Message Confidentiality"
screen-saver-grace-period
5.5.1 [AP] Password Protected Screen Savers: Passwords are required
3.2.1.84 MSS: The time in seconds before the screen saver grace period expires: 0
7.5.1 Configuring Default User Screensaver Options: ScreenSaveTimeout: 900 Seconds (15 minutes)
7.5.1 Configuring Default User Screensaver Options: ScreenSaverIsSecure: 1
7.5.1 Configuring Default User Screensaver Options: ScreenSaveActive: 1
7.5.1 Configuring Default User Screensaver Options: ScreenSaveTimeout: 900 Seconds (15 minutes)
7.5.1 Configuring Default User Screensaver Options: ScreenSaverIsSecure: 1
7.5.1 Configuring Default User Screensaver Options: ScreenSaveActive: 1
5.5.1 [AP] Password Protected Screen Savers: Passwords are required
3.2.1.84 MSS: The time in seconds before the screen saver grace period expires: 0
7.5.1 Configuring Default User Screensaver Options: ScreenSaveTimeout: 900 Seconds (15 minutes)
7.5.1 Configuring Default User Screensaver Options: ScreenSaverIsSecure: 1
7.5.1 Configuring Default User Screensaver Options: ScreenSaveActive: 1
Table 3.251 Make screensaver password protection immediate: the time in seconds before the screen saver grace period expires: 0 (Legacy Client, Enterprise Client, and High Security)
5.5.1 [AP] Password Protected Screen Savers: Passwords are required
3.2.1.84 MSS: The time in seconds before the screen saver grace period expires: 0
7.5.1 Configuring Default User Screensaver Options: ScreenSaveTimeout: 900 Seconds (15 minutes)
8.3.3.1 Always Install with Elevated Privileges: (4.037: CAT II) Disabled
8.3.3.3 Enable User Control Over Installs: (5.051: CAT II) Disabled
8.3.3.4 Enable User to Browse for Source While Elevated: (5.052: CAT II) Disabled
8.3.3.5 Enable User to Use Media Source While Elevated: (5.053: CAT II) Disabled
8.3.3.7 Allow Admin to Install from Terminal Services Session: (5.055: CAT II) Disabled
8.3.3.6 Enable User to Patch Elevated Products: (5.054: CAT II) Disabled
8.3.3.8 Cache Transforms in Secure Location on Workstation: (5.056: CAT II) Enabled
5.6.4.1 [A] Media Player - Disabling Media Player for Automatic Updates: Enabled
8.3.11 Media Player - Automatic Downloads: (5.061: CAT II) Prevent Codec Download is set to Enabled
5.6.5.3 [A] Windows Messenger - Internet Access Blocked: 1
Table 3.167 Messenger: Disabled (Legacy Client, Enterprise Client, and High Security)
4.1.13 Messenger: Disabled
8.3.4.1 Do Not Allow Windows Messenger to be Run: (5.017: CAT I) Enabled
8.3.4.2 Do Not Automatically Start Windows Messenger Initially: (5.029: CAT I) Enabled
7.6.15 Task Scheduler Service: (5.035: CAT III) Hide Property Page is Enabled
7.6.15 Task Scheduler Service: (5.036: CAT III) Prohibit New Task Creation is Enabled
8.3.2.2 Limit User to One Remote Session: (5.038: CAT II) Enabled
8.3.2.3 Limit Number of Connections: (5.039: CAT II) Enabled
8.3.2.4 Do Not Allow New Client Connections: (5.040: CAT II) Enabled
Allow-users-to-connect-remotely-using-Terminal-Services
5.6.3.3 [A] Terminal Services - Do Not Allow Local Administrators to Customize Permissions: Enabled
5.6.3.4 [A] Terminal Services - Remote Control Settings: "Set rules for remote control of Terminal Services user settings": Enabled
5.6.3.5 [A] Terminal Services - Always prompt client for password upon connections: Enabled
Always-prompt-client-for-password-upon-connection
Table 3.255 Set client connection encryption level: High (Legacy Client, Enterprise Client, and High Security)
5.6.3.6 [A] Terminal Services - Set Client Connection Encryption Level: Enabled
Set-client-connection-encryption-level
8.3.2.5 Do Not Use Temp Folders per Session: (5.044: CAT II) Disabled
8.3.2.6 Do Not Delete Temp Folder upon Exit: (5.045: CAT II) Disabled
5.6.3.10 [A] Terminal Services - Set time Limit for Disconnected Sessions: Enabled ("End a disconnected session" is set to "1")
8.3.2.7 Set Time Limit for Idle Sessions: (5.047: CAT II) Enabled and set to no more than 15 minutes
5.6.3.12 [A] Terminal Services - Allow Reconnection from Original Client Only: Enabled
8.3.2.8 Terminate Session When Time Limits are Reached: (5.049: CAT II) Enabled
Solicited-Remote-Assistance
Offer-Remote-Assistance
8.3.2.1 Keep-Alive Messages: (5.037: CAT III) Enabled
5.6.8.1 [A] Remote Assistance - Solicited Remote Assistance: Disabled
5.6.8.2 [A] Remote Assistance - Offer Remote Assistance: Disabled
Table 3.257 Error Reporting: Disabled (Legacy Client, Enterprise Client, and High Security)
5.6.9.1 Report Errors: Disabled
5.4.3.1 [M] User Logon Restrictions: Enforce user logon restrictions: Enabled
5.4.3.2 [M] Service Ticket Lifetime: Maximum lifetime for service ticket: 600 minutes
5.4.3.3 [M] User Ticket Lifetime: Maximum lifetime for user ticket: 10 hours
5.4.3.5 [M] Computer Clock Synchronization: Maximum tolerance for computer clock synchronizations: 5 minutes
Table 3.199 Removable Storage: Disabled (Legacy Client, Enterprise Client, and High Security)
Configure-Automatic-Updates
Table 11.3 Automatic Updates: Disabled
Table 11.3 Automatic Updates: Disabled
Table 11.3 Automatic Updates: Disabled
Do-not-adjust-default-option-to-Install-Updates-and-Shut-Down
Do-not-display-Install-Updates-and-Shut-Down
Table 11.3 Automatic Updates: Disabled
No-auto-restart-for-scheduled-Automatic-Updates-installations
Table 11.3 Automatic Updates: Disabled
Reschedule-Automatic-Updates-scheduled-installations
2.2.2 Microsoft Software Updates Services: Specify intranet Microsoft update service location: enabled
MachineAccessRestrictions
MachineLaunchRestrictions
Require-Smart-Card
tcp-max-data-retransmissions
Restrict-anonymous-access-to-Named-Pipes-and-Shares
tcp-max-connect-response-retransmissions
ntfs-disable-8dot3-name-creation
RPC-Endpoint-Mapper-Client-Authentication
Restrictions-for-Unauthenticated-RPC-clients
Domain-Profile-Firewall-Protect-All-Network-Connections, Domain-Profile-Firewall-State
Domain-Profile-Firewall-Do-Not-Allow-Exceptions
Domain-Profile-Firewall-Allow-Local-Program-Exceptions
Domain-Profile-Firewall-Allow-Inbound-Remote-Administration-Exception
Domain-Profile-Firewall-Allow-Inbound-File-And-Printer-Sharing-Exception
Domain-Profile-Firewall-Allow-Inbound-Remote-Desktop-Exceptions
Domain-Profile-Firewall-Allow-Inbound-UPnP-Framework-Exceptions
Domain-Profile-Firewall-Prohibit-Notifications, Domain-Profile-Display-Notification
Domain-Profile-Firewall-Prohibit-Unicast-Response, Domain-Profile-Allow-Unicast-Response
Domain-Profile-Firewall-Define-Inbound-Port-Exceptions
Domain-Profile-Firewall-Allow-Local-Port-Exceptions
Standard-Profile-Firewall-Protect-All-Network-Connections
Standard-Profile-Firewall-Do-Not-Allow-Exceptions
Standard-Profile-Firewall-Define-Inbound-Program-Exceptions
Standard-Profile-Firewall-Allow-Inbound-Remote-Administration-Exception
Standard-Profile-Firewall-Allow-Inbound-File-And-Printer-Sharing-Exception,Standard-Profile-Firewall-Allow-Inbound-File-And-Printer-Sharing-Exceptions
Standard-Profile-Firewall-Allow-Inbound-Remote-Desktop-Exceptions
Standard-Profile-Firewall-Allow-Inbound-UPnP-Framework-Exceptions
Standard-Profile-Firewall-Prohibit-Notifications
Standard-Profile-Firewall-Prohibit-Unicast-Response
Standard-Profile-Firewall-Define-Inbound-Port-Exceptions
Standard-Profile-Firewall-Allow-Local-Port-Exceptions
3.2.1.78 MSS: TCPMaxPortsExhausted, How many dropped connect requests to initiate SYN attack protection: 5
Private-Profile-Firewall-State
Domain-Profile-Inbound-Connections
Domain-Profile-Outbound-Connections
Domain-Profile-Apply-Local-Firewall-Rules
Domain-Profile-Apply-Local-Connection-Security-Rules
Private-Profile-Inbound-Connections
Private-Profile-Outbound-Connections
Public-Profile-Firewall-State
Private-Profile-Display-Notification
Private-Profile-Allow-Unicast-Response
Private-Profile-Apply-Local-Firewall-Rules
Private-Profile-Apply-Local-Connection-Security-Rules
Public-Profile-Inbound-Connections
Public-Profile-Outbound-Connections
Public-Profile-Display-Notification
Do-Not-Process-Legacy-Run-List
Do-Not-Process-Run-Once-List
Registry-Policy-Processing
Public-Profile-Allow-Unicast-Response
Public-Profile-Apply-Local-Firewall-Rules
Public-Profile-Apply-Local-Connection-Security-Rules
Turn-off-Internet-download-for-Web-publishing-and-online-ordering-wizards
Turn-off-printing-over-HTTP
Do-not-allow-drive-redirection
Turn-off-the-Windows-Messenger-Customer-Experience-Improvement-Program
Turn-off-Search-Companion-content-file-updates
Turn-off-downloading-of-print-drivers-over-HTTP
Turn-off-Windows-Update-device-driver-searching
Enumerate-administrator-accounts-on-elevation
Require-trusted-path-for-credential-entry
Deny-all-add-ons-unless-specifically-allowed-in-the-Add-on-List
Do-not-allow-passwords-to-be-saved
override-audit-policy-settings
Log-Access-For-Setup-Log
Windows-Search
Prompt-for-password-on-resume-from-hibernate-suspend
Do-not-preserve-zone-information-in-file-attachments
Hide-mechanisms-to-remove-zone-information
Notify-antivirus-programs-when-opening-attachments
Turn-Off-Microsoft-Peer-to-Peer-Networking-Services
Prohibit-Access-of-the-Windows-Connect-Now-Wizards
Allow-remote-access-to-the-PnP-interface
Do-not-create-system-restore-point-when-new-device-driver-installed
Do-not-send-Windows-Error-Report-when-generic-driver-is-installed-on-device
Turn-Off-Access-to-All-Windows-Update-Feature
Turn-Off-Automatic-Root-Certificates-Update
Turn-Off-Event-Views-Events.asp-Links
Turn-Off-Handwriting-Reconition-Error-Reporting
Turn-Off-Help-and-Support-Center-Did-you-Know-Content
Turn-Off-Help-and-Support-Center-Microsoft-Knowledge-Base-Search
Turn-Off-Internet-Connection-Wizard-if-URL-Connection-is-Referring-to-Microsoft.com
Turn-Off-Internet-File-Association-Service
Turn-Off-Registration-if-URL-Connection-is-Referring-to-Microsoft.com
Turn-Off-the-Order-Prints-Picture-Task
Turn-off-the-Publish-to-Web-task-for-files-and-folders
Turn-Off-Windows-Movies-Maker-Automatic-Codec-Downloads
Turn-Off-Windows-Movie-Maker-Online-Web-Links
Turn-Off-Windows-Movie-Maker-Saving-to-Online-Video-Hosting-Provider
Do-Not-Display-the-Getting-Started-Welcome-Screen-at-Logon
Turn-off-Windows-Startup-Sound
Require-a-Password-when-a-Computer-Wakes-On-Battery
Require-a-Password-when-a-Computer-Wakes-Plugged
Turn-on-session-logging
Prevent-IIS-Installation
Turn-Off-Active-Help
Turn-Off-Untrusted-Content
Turn-off-Windows-Calendar
Turn-off-Windows-Defender
Allow-only-Vista-or-later-connections
Customization-Warning-Messages
Turn-on-bandwidth-optimization
Turn-off-downloading-enclosures
Allow-indexing-of-encrypted-files
Prevent-indexing-uncached-Exchange-folders
Allow-Corporate-Redirection-Customer-Experience-Improvement-Program-Uploads
Turn-off-windows-mail-app
Override-more-gadgets-Lnk
Turn-off-heap-termination-corruption
Turn-off-shell-protocol-protected-mode
Prohibit-Non-Administrators-applying-vendorpatches
Report-logon-server-not-available-during-user-logon
Turn-off-communication-features
Prevent-Windows-Media-DRM-Internet-Access
Turn-off-windows-meeting-space
Turn-on-windows-meeting-space-auditing
Disable-unpacking-installation-gadgets-not-digitally-signed
ipv6_block_protocols_41
ipv6_block_udp_3544
Turn-off-user-installed-windows-sidebar-gidgets
do_not_allow_digital_locker_to_run_var
turn_off_downloading_of_game_information
8.3.1.1 Security Zones: Use Only Machine Settings: (5.028: CAT II) Enabled
Security-Zones-Use-only-machine-settings
Internet-Explorer-Processes-Restrict-ActiveX-Install
8.3.1.3 Security Zones: Do Not Allow Users to Add/Delete Sites: (5.030: CAT II) Enabled
Security-Zones-Do-not-allow-users-to-add-delete-sites
8.3.1.6 Disable Periodic Check for Internet Explorer Software Updates: (5.033: CAT II) Enabled
Disable-Periodic-Check-for-Internet-Explorer-software-updates
Internet-Explorer-Processes-Zone-Elevation-Protection
Internet-Explorer-Processes-Consistent-MIME-Handling
Allow-software-to-run-or-install-even-if-the-signature-is-invalid
Internet-Explorer-Processes-MK-Protocol
Make-proxy-settings-per-machine
8.3.1.7 Disable Software Update Shell Notifications on Program Launch: (5.034: CAT II) Disabled
Disable-software-update-shell-notifications-on-program-launch
Internet-Explorer-Processes-Restrict-File-Download
8.3.1.5 Disable Automatic Install of Internet Explorer Components: (5.032: CAT II) Enabled
Disable-Automatic-Install-of-Internet-Explorer-components
8.3.1.4 Make Proxy Settings Per Machine: (5.031: CAT II) Enabled
Turn-off-Crash-Detection
Do-not-allow-users-to-enable-or-disable-add-ons
Internet-Explorer-Processes-Scripted-Window-Security-Restrictions
8.3.1.2 Security Zones: Do Not Allow Users to Change Policies: (5.029: CAT II) Enabled
Security-Zones-Do-not-allow-users-to-change-policies
Internet-Explorer-Processes-MIME-Sniffing
Remove-CD-Burning-features
Remove-Security-tab
Internet-Explorer-Maintenance-Policy-Processing-Enabled
Internet-Explorer-Maintenance-Policy-Processing-Enabled
Internet-Explorer-Maintenance-Policy-Processing-Enabled
Turn-on-Mapper-IO-LLTDIO-driver
Turn-on-Mapper-IO-LLTDIO-driver
Turn-on-Mapper-IO-LLTDIO-driver
Turn-on-Responder-RSPNDR-driver
Turn-on-Responder-RSPNDR-driver
Turn-on-Responder-RSPNDR-driver
Configuration-of-Wireless-Settings-Using-Windows-Connect-Now
Configuration-of-Wireless-Settings-Using-Windows-Connect-Now
Disable-Logging
Do-Not-Send-Additional-Data
Turn-off-Help-Ratings
Turn-off-Windows-Online
Configuration-of-Wireless-Settings-Using-Windows-Connect-Now
Approved-Installation-Sites-for-ActiveX-Controls
Disable-Windows-Error-Reporting
Configure-Corporate-Windows-Error-Reporting
Remove-Default-Programs-Link-from-the-Start-Menu
Turn-off-Help-Experience-Improvement-Program
Prevent-users-from-sharing-files-within-their-profile
NIST SCAP Windows Vista OVAL (SCAP-WinVista-OVAL.xml rev 2007-02-06)
NIST Office 2007 Recommendations placeholder
oval:com.secure-elements.oval:def:6009
oval:com.secure-elements.oval:def:6007
oval:com.secure-elements.oval:def:6008
oval:com.secure-elements.oval:def:6010
oval:com.secure-elements.oval:def:6010
oval:com.secure-elements.oval:def:6011
oval:com.secure-elements.oval:def:6011
oval:com.secure-elements.oval:def:6012
oval:com.secure-elements.oval:def:6012
oval:com.secure-elements.oval:def:6013
oval:com.secure-elements.oval:def:6013
oval:com.secure-elements.oval:def:6017
oval:com.secure-elements.oval:def:6017
oval:com.secure-elements.oval:def:6014
oval:com.secure-elements.oval:def:6014
oval:com.secure-elements.oval:def:6015
oval:com.secure-elements.oval:def:6015
oval:com.secure-elements.oval:def:6016
oval:com.secure-elements.oval:def:6016
oval:com.secure-elements.oval:def:6018
oval:com.secure-elements.oval:def:6018
oval:com.secure-elements.oval:def:6509
oval:com.secure-elements.oval:def:6506
oval:com.secure-elements.oval:def:6512
oval:com.secure-elements.oval:def:6511
oval:com.secure-elements.oval:def:6507
oval:com.secure-elements.oval:def:6513
oval:com.secure-elements.oval:def:6510
oval:com.secure-elements.oval:def:6508
oval:com.secure-elements.oval:def:6514
oval:com.secure-elements.oval:def:6002
oval:com.secure-elements.oval:def:6004
oval:com.secure-elements.oval:def:6001
oval:com.secure-elements.oval:def:6005
oval:com.secure-elements.oval:def:6003
oval:com.secure-elements.oval:def:6006
oval:com.secure-elements.oval:def:6601
oval:com.secure-elements.oval:def:6595
oval:com.secure-elements.oval:def:6071
oval:com.secure-elements.oval:def:6070
oval:com.secure-elements.oval:def:6020
oval:com.secure-elements.oval:def:6019
oval:com.secure-elements.oval:def:6042
oval:com.secure-elements.oval:def:6041
oval:com.secure-elements.oval:def:6054
oval:com.secure-elements.oval:def:6574, oval:com.secure-elements.oval:def:6060
oval:com.secure-elements.oval:def:6057
oval:com.secure-elements.oval:def:6055
oval:com.secure-elements.oval:def:6063
oval:com.secure-elements.oval:def:6039
oval:com.secure-elements.oval:def:6058
oval:com.secure-elements.oval:def:6056
oval:com.secure-elements.oval:def:6059
oval:com.secure-elements.oval:def:6061
oval:com.secure-elements.oval:def:6066
oval:com.secure-elements.oval:def:6069
oval:com.secure-elements.oval:def:6064
oval:com.secure-elements.oval:def:6022
oval:com.secure-elements.oval:def:6023
oval:com.secure-elements.oval:def:6050
oval:com.secure-elements.oval:def:6024
oval:com.secure-elements.oval:def:6025
oval:com.secure-elements.oval:def:6040
oval:com.secure-elements.oval:def:6030
oval:com.secure-elements.oval:def:6031
oval:com.secure-elements.oval:def:6032
oval:com.secure-elements.oval:def:6038
oval:com.secure-elements.oval:def:6049
oval:com.secure-elements.oval:def:6044
oval:com.secure-elements.oval:def:6027
oval:com.secure-elements.oval:def:6047
oval:com.secure-elements.oval:def:6048
oval:com.secure-elements.oval:def:6051
oval:com.secure-elements.oval:def:6052
oval:com.secure-elements.oval:def:6043
oval:com.secure-elements.oval:def:6029
oval:com.secure-elements.oval:def:6034
oval:com.secure-elements.oval:def:6033
oval:com.secure-elements.oval:def:6035
oval:com.secure-elements.oval:def:6046
oval:com.secure-elements.oval:def:6036
oval:com.secure-elements.oval:def:6021
oval:com.secure-elements.oval:def:6028
oval:com.secure-elements.oval:def:6037
oval:com.secure-elements.oval:def:6045
oval:com.secure-elements.oval:def:6053
oval:com.secure-elements.oval:def:6072
oval:com.secure-elements.oval:def:6073
oval:com.secure-elements.oval:def:6074
oval:com.secure-elements.oval:def:6075, oval:com.secure-elements.oval:def:6076
oval:com.secure-elements.oval:def:6079
oval:com.secure-elements.oval:def:6080
oval:com.secure-elements.oval:def:6081
oval:com.secure-elements.oval:def:6065
oval:com.secure-elements.oval:def:6597
oval:com.secure-elements.oval:def:6599
oval:com.secure-elements.oval:def:6600
oval:com.secure-elements.oval:def:6564
oval:com.secure-elements.oval:def:6563
oval:com.secure-elements.oval:def:6604
oval:com.secure-elements.oval:def:6603
oval:com.secure-elements.oval:def:6602
oval:com.secure-elements.oval:def:6605
oval:com.secure-elements.oval:def:6606
oval:com.secure-elements.oval:def:6082
oval:com.secure-elements.oval:def:6077
oval:com.secure-elements.oval:def:6067
oval:com.secure-elements.oval:def:6068
oval:com.secure-elements.oval:def:6062
oval:com.secure-elements.oval:def:6566
oval:com.secure-elements.oval:def:6565
oval:com.secure-elements.oval:def:6547, oval:com.secure-elements.oval:def:6515
oval:com.secure-elements.oval:def:6544
oval:com.secure-elements.oval:def:6541
oval:com.secure-elements.oval:def:6537
oval:com.secure-elements.oval:def:6536
oval:com.secure-elements.oval:def:6538
oval:com.secure-elements.oval:def:6539
oval:com.secure-elements.oval:def:6545, oval:com.secure-elements.oval:def:6518
oval:com.secure-elements.oval:def:6546, oval:com.secure-elements.oval:def:6519
oval:com.secure-elements.oval:def:6542
oval:com.secure-elements.oval:def:6540
oval:com.secure-elements.oval:def:6559
oval:com.secure-elements.oval:def:6556
oval:com.secure-elements.oval:def:6555
oval:com.secure-elements.oval:def:6549
oval:com.secure-elements.oval:def:6548,oval:com.secure-elements.oval:def:6553
oval:com.secure-elements.oval:def:6550
oval:com.secure-elements.oval:def:6551
oval:com.secure-elements.oval:def:6557
oval:com.secure-elements.oval:def:6558
oval:com.secure-elements.oval:def:6554
oval:com.secure-elements.oval:def:6552
oval:com.secure-elements.oval:def:6516
oval:com.secure-elements.oval:def:6517
oval:com.secure-elements.oval:def:6520
oval:com.secure-elements.oval:def:6521
oval:com.secure-elements.oval:def:6522
oval:com.secure-elements.oval:def:6523
oval:com.secure-elements.oval:def:6524
oval:com.secure-elements.oval:def:6525
oval:com.secure-elements.oval:def:6526
oval:com.secure-elements.oval:def:6527
oval:com.secure-elements.oval:def:6528
oval:com.secure-elements.oval:def:6529
oval:com.secure-elements.oval:def:6530
oval:com.secure-elements.oval:def:6531
oval:com.secure-elements.oval:def:6532
oval:com.secure-elements.oval:def:6533
oval:com.secure-elements.oval:def:6534
oval:com.secure-elements.oval:def:6535
oval:com.secure-elements.oval:def:6560
oval:com.secure-elements.oval:def:6561
oval:com.secure-elements.oval:def:6562
oval:com.secure-elements.oval:def:6568
oval:com.secure-elements.oval:def:6569
oval:com.secure-elements.oval:def:6570
oval:com.secure-elements.oval:def:6571
oval:com.secure-elements.oval:def:6572
oval:com.secure-elements.oval:def:6573
oval:com.secure-elements.oval:def:6575
oval:com.secure-elements.oval:def:6576
oval:com.secure-elements.oval:def:6594
oval:com.secure-elements.oval:def:6596
oval:com.secure-elements.oval:def:6598
oval:com.secure-elements.oval:def:6500
oval:com.secure-elements.oval:def:6714
oval:com.secure-elements.oval:def:6502
oval:com.secure-elements.oval:def:6503
oval:com.secure-elements.oval:def:6504
oval:com.secure-elements.oval:def:6505
oval:com.secure-elements.oval:def:6026
oval:com.secure-elements.oval:def:6701
oval:com.secure-elements.oval:def:6148
oval:com.secure-elements.oval:def:6662
oval:com.secure-elements.oval:def:6665
oval:com.secure-elements.oval:def:6667
oval:com.secure-elements.oval:def:6668
oval:com.secure-elements.oval:def:6669
oval:com.secure-elements.oval:def:6673
oval:com.secure-elements.oval:def:6674
oval:com.secure-elements.oval:def:6675
oval:com.secure-elements.oval:def:6676
oval:com.secure-elements.oval:def:6677
oval:com.secure-elements.oval:def:6678
oval:com.secure-elements.oval:def:6679
oval:com.secure-elements.oval:def:6680
oval:com.secure-elements.oval:def:6681
oval:com.secure-elements.oval:def:6682
oval:com.secure-elements.oval:def:6567
oval:com.secure-elements.oval:def:6696
oval:com.secure-elements.oval:def:6684
oval:com.secure-elements.oval:def:6697
oval:com.secure-elements.oval:def:6687
oval:com.secure-elements.oval:def:6688
oval:com.secure-elements.oval:def:6689
oval:com.secure-elements.oval:def:6690
oval:com.secure-elements.oval:def:6691
oval:com.secure-elements.oval:def:6692
oval:com.secure-elements.oval:def:6693
oval:com.secure-elements.oval:def:6694
oval:com.secure-elements.oval:def:6107
oval:com.secure-elements.oval:def:6108
oval:com.secure-elements.oval:def:6109
oval:com.secure-elements.oval:def:6110
oval:com.secure-elements.oval:def:6704
oval:com.secure-elements.oval:def:6705
oval:com.secure-elements.oval:def:6111
oval:com.secure-elements.oval:def:6112
oval:com.secure-elements.oval:def:6113
oval:com.secure-elements.oval:def:6118
oval:com.secure-elements.oval:def:6119
oval:com.secure-elements.oval:def:6122
oval:com.secure-elements.oval:def:6123
oval:com.secure-elements.oval:def:6124
oval:com.secure-elements.oval:def:6125
oval:com.secure-elements.oval:def:6126
oval:com.secure-elements.oval:def:6127
oval:com.secure-elements.oval:def:6128
oval:com.secure-elements.oval:def:6129
oval:com.secure-elements.oval:def:6130
oval:gov.nist.fdcc.vista:def:6698
oval:gov.nist.fdcc.vista:def:6703
placeholder
placeholder
oval:com.secure-elements.oval:def:6131
oval:gov.nist.fdcc.vistafirewall:def:6491
oval:gov.nist.fdcc.vistafirewall:def:6492
placeholder
oval:com.secure-elements.oval:def:6584
oval:com.secure-elements.oval:def:6592
oval:com.secure-elements.oval:def:6582
oval:com.secure-elements.oval:def:6578
oval:com.secure-elements.oval:def:6591
oval:com.secure-elements.oval:def:6588
oval:com.secure-elements.oval:def:6586
oval:com.secure-elements.oval:def:6587
oval:com.secure-elements.oval:def:6579
oval:com.secure-elements.oval:def:6593
oval:com.secure-elements.oval:def:6577
oval:com.secure-elements.oval:def:6581
oval:com.secure-elements.oval:def:6580
oval:com.secure-elements.oval:def:6585
oval:com.secure-elements.oval:def:6590
oval:com.secure-elements.oval:def:6583
oval:com.secure-elements.oval:def:6589
oval:com.secure-elements.oval:def:6716
oval:com.secure-elements.oval:def:6717
oval:com.secure-elements.oval:def:6671
oval:com.secure-elements.oval:def:6671
oval:com.secure-elements.oval:def:6671
oval:com.secure-elements.oval:def:6660
oval:com.secure-elements.oval:def:6660
oval:com.secure-elements.oval:def:6660
oval:com.secure-elements.oval:def:6661
oval:com.secure-elements.oval:def:6661
oval:com.secure-elements.oval:def:6661
oval:com.secure-elements.oval:def:6666
oval:com.secure-elements.oval:def:6666
oval:com.secure-elements.oval:def:6666
oval:com.secure-elements.oval:def:6695
oval:com.secure-elements.oval:def:6114
oval:com.secure-elements.oval:def:6115
oval:com.secure-elements.oval:def:6117
oval:com.secure-elements.oval:def:6706
oval:com.secure-elements.oval:def:6709
oval:com.secure-elements.oval:def:6710
oval:com.secure-elements.oval:def:6711
oval:com.secure-elements.oval:def:6713
oval:com.secure-elements.oval:def:6715
Microsoft Office 2007 Recommendations (Security Settings for Office 2007 Applications.xlsx)
NIST SCAP Microsoft Office 2007 OVAL (SCAP-Office2007-OVAL-Beta-v1.xml)
NIST SCAP Microsoft Office 2007 XCCDF (SCAP-Office2007-XCCDF-Beta-v1.xml)
oval:org.mitre.oval:def:771
oval:org.mitre.oval:def:814
User Configuration\Administrative Templates\Microsoft Office 2007 system\Security Settings\Disable VBA for Office applications, Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\Disable VBA for Office applications
DisableVBAForOfficeApplications
User Configuration\Administrative Templates\Microsoft Office 2007 system\Security Settings\ActiveX Control Initialization (1 | 2 | 3 | 4 | 5 | 6)
ActiveXControlInitialization
oval:org.mitre.oval:def:829
oval:org.mitre.oval:def:1473
oval:org.mitre.oval:def:1302 OnlineContentOptions
oval:org.mitre.oval:def:1403
oval:org.mitre.oval:def:649
User Configuration\Administrative Templates\Microsoft Office 2007 system\Privacy\Trust Center\Enable Customer Experience Improvement Program
EnableCustomerExperienceImprovementProgram
User Configuration\Administrative Templates\Microsoft Office 2007 system\Privacy\Trust Center\Automatically receive small updates to improve reliability
AutomaticallyReceiveSmallUpdatesToImproveReliability
User Configuration\Administrative Templates\Microsoft Office 2007 system\Tools | Options | General | Service Options...\Online Content\Online content options (Never show online content or entry points | Search only offline content whenever available | Search online content whenever available)
User Configuration\Administrative Templates\Microsoft Office Access 2007\Application Settings\Security\Trust Center\VBA Macro Warning Settings (Trust Bar warning for all macros | Trust Bar warning for digitally signed macros only (unsigned macros will be disabled) | No Warnings for all macros but disable all macros | No Security checks for macros (Not recommended, code in all documents can run))
VBAMacroWarningSettings-Access
User Configuration\Administrative Templates\Microsoft Office Excel 2007\Excel Options\Security\Trust Center\VBA Macro Warning Settings (Trust Bar warning for all macros | Trust Bar warning for digitally signed macros only (unsigned macros will be disabled) | No Warnings for all macros but disable all macros | No Security checks for macros (Not recommended, code in all documents can run))
VBAMacroWarningSettings-Excel
oval:org.mitre.oval:def:1560
oval:org.mitre.oval:def:654
oval:org.mitre.oval:def:665
oval:org.mitre.oval:def:1298
oval:org.mitre.oval:def:1390
User Configuration\Administrative Templates\Microsoft Office Excel 2007\Excel Options\Security\Trust Center\Trust access to Visual Basic Project
TrustAccessToVisualBasicProject-Excel
User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\PowerPoint Options\Security\Trust Center\VBA Macro Warning Settings (Trust Bar warning for all macros | Trust Bar warning for digitally signed macros only (unsigned macros will be disabled) | No Warnings for all macros but disable all macros | No Security checks for macros (Not recommended, code in all documents can run))
VBAMacroWarningSettings-PowerPoint
User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\PowerPoint Options\Security\Trust Center\Trust access to Visual Basic Project
TrustAccessToVisualBasicProject-PowerPoint
DisableRememberPassword
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Security Form Settings\Programmatic Security\Trusted Add-ins\Configure trusted add-ins
ConfigureAddInTrustLevel
oval:org.mitre.oval:def:1232
oval:org.mitre.oval:def:661
oval:org.mitre.oval:def:1399
oval:org.mitre.oval:def:1388
oval:org.mitre.oval:def:705
oval:org.mitre.oval:def:741
DisableRememberPasswordForInternetEmailAccounts
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\Minimum encryption settings
MinimumEncryptionSettings
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\Do not check e-mail address against address of certificates being used
DoNotCheckEmailAddressAgainstAddressOfCertificatesBeingUsed
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\Send all signed messages as clear signed messages
SendAllSignedMessagesAsClearSignedMessages
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\Request an S/MIME receipt for all S/MIME signed messages
RequestAnSMIMEReceiptForAllSMIMESignedMessages
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\Do not display 'Publish to GAL' button
DoNotDisplayPublishToGALButton
oval:org.mitre.oval:def:756 SignatureWarning
oval:org.mitre.oval:def:1716 EnableCryptographyIcons
oval:org.mitre.oval:def:1700 RetrievingCRLs
oval:org.mitre.oval:def:1350
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\Signature Warning (Let user decide if they want to be warned | Always warn about invalid signatures | Never warn about invalid signatures)
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\Enable Cryptography Icons
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\Signature Status dialog box\Retrieving CRLs (Certificate Revocation Lists) (Use system Default | When online always retrieve the CRL | Never retrieve the CRL)
User Configuration\Administrative Templates\Microsoft Office Word 2007\Word Options\Security\Trust Center\VBA Macro Warning Settings (Trust Bar warning for all macros | Trust Bar warning for digitally signed macros only (unsigned macros will be disabled) | No Warnings for all macros but disable all macros | No )
VBMacroWarningSettings-Word
oval:org.mitre.oval:def:1713
oval:org.mitre.oval:def:788
oval:org.mitre.oval:def:1755
User Configuration\Administrative Templates\Microsoft Office Word 2007\Word Options\Security\Trust Center\Trust access to Visual Basic Project
TrustAccessToVisualBasicProject-Word
WarnBeforePrintingSavingOrSendingAFileThatContainsTrackedChangesOrComments
User Configuration\Administrative Templates\Microsoft Office 2007 system\Miscellaneous\Block updates from the Office Update Site from applying
BlockUpdatesFromTheOfficeUpdateSiteFromApplying
User Configuration\Administrative Templates\Microsoft Office Access 2007\Application Settings\Web Options\General\Underline hyperlinks
User Configuration\Administrative Templates\Microsoft Office Access 2007\Application Settings\General\General\Number of documents in the Recent Documents list (0-9)
User Configuration\Administrative Templates\Microsoft Office Access 2007\Application Settings\Security\Trust Center\Disable Trust Bar Notification for unsigned application add-ins
User Configuration\Administrative Templates\Microsoft Office Access 2007\Application Settings\Security\Trust Center\Disable all application add-ins
User Configuration\Administrative Templates\Microsoft Office Access 2007\Application Settings\Security\Trust Center\Require that application add-ins are signed by Trusted Publisher
User Configuration\Administrative Templates\Microsoft Office Access 2007\Application Settings\Security\Trust Center\Trusted Locations\Disable all trusted locations
User Configuration\Administrative Templates\Microsoft Office Access 2007\Application Settings\Security\Trust Center\Trusted Locations\Allow Trusted Locations not on the computer
User Configuration\Administrative Templates\Microsoft Office Access 2007\Application Settings\Security\Trust Center\Trusted Locations\Modal Trust Decision Only
User Configuration\Administrative Templates\Microsoft Office Access 2007\Disable items in user interface\Predefined\Disable commands
User Configuration\Administrative Templates\Microsoft Office Access 2007\Disable items in user interface\Predefined\Disable commands - Office Button | E-Mail
User Configuration\Administrative Templates\Microsoft Office Access 2007\Disable items in user interface\Predefined\Disable commands - Office Button | Access Options | Customize | All Commands | Insert Hyperlink
User Configuration\Administrative Templates\Microsoft Office Access 2007\Disable items in user interface\Predefined\Disable commands - Database Tools | Database Tools | Encrypt with Password
User Configuration\Administrative Templates\Microsoft Office Access 2007\Disable items in user interface\Predefined\Disable commands - Database Tools | Administer | Users and Permission | User and Group Permissions
User Configuration\Administrative Templates\Microsoft Office Access 2007\Disable items in user interface\Predefined\Disable commands - Database Tools | Administer | Users and Permissions | User and Group Accounts
User Configuration\Administrative Templates\Microsoft Office Access 2007\Disable items in user interface\Predefined\Disable commands - Database Tools | Administer | Users and Permission | User-Level Security Wizard...
User Configuration\Administrative Templates\Microsoft Office Access 2007\Disable items in user interface\Predefined\Disable commands - Database Tools | Database Tools | Encode/Decode Database
User Configuration\Administrative Templates\Microsoft Office Access 2007\Disable items in user interface\Predefined\Disable commands - Database Tools | Macro | Visual Basic
User Configuration\Administrative Templates\Microsoft Office Access 2007\Disable items in user interface\Predefined\Disable commands - Database Tools | Macro | Run Macro
User Configuration\Administrative Templates\Microsoft Office Access 2007\Disable items in user interface\Predefined\Database Tools | Macro | Convert Macros to Visual Basic
User Configuration\Administrative Templates\Microsoft Office Access 2007\Disable items in user interface\Predefined\Database Tools | Macro | Create Shortcut Menu from Macro
User Configuration\Administrative Templates\Microsoft Office Access 2007\Disable items in user interface\Predefined\Disable shortcut keys
User Configuration\Administrative Templates\Microsoft Office Access 2007\Disable items in user interface\Predefined\Disable commands - Ctrl+K (Office Button | Access Options | Customize | All Commands | Insert Hyperlinks)
User Configuration\Administrative Templates\Microsoft Office Access 2007\Disable items in user interface\Predefined\Disable commands - Alt+F11 (Database Tools | Macro | Visual Basic)
User Configuration\Administrative Templates\Microsoft Office Access 2007\Miscellaneous\Default file format (Access 2007 | Access 2002-2003)
User Configuration\Administrative Templates\Microsoft Office Access 2007\Miscellaneous\Do not prompt to convert older databases
User Configuration\Administrative Templates\Microsoft Office Excel 2007\Excel Options\Proofing\Autocorrect Options\Internet and network paths as hyperlinks
User Configuration\Administrative Templates\Microsoft Office Excel 2007\Excel Options\Save\Save Excel files as (Excel Workbook (*.xlsx) | Excel Macro-Enabled Workbook (*.xlsm) | Excel Binary Workbook (*.xlsb) | Web Page (*.htm; *.html) | Excel 97-2003 Workbook (*.xls) | Excel 5.0/95 Workbook (*.xls))
User Configuration\Administrative Templates\Microsoft Office Excel 2007\Excel Options\Save\Disable AutoRepublish
User Configuration\Administrative Templates\Microsoft Office Excel 2007\Excel Options\Save\AutoRepublish Warning Alert (Always show the alert before publishing | Never show the alert before publishing)
User Configuration\Administrative Templates\Microsoft Office Excel 2007\Excel Options\Security\Determine whether to force encrypted macros to be scanned in Microsoft Excel Open XML workbooks
User Configuration\Administrative Templates\Microsoft Office Excel 2007\Excel Options\Security\Force file extension to match file type (Allow different | Allow different, but warn | Always match file type)
User Configuration\Administrative Templates\Microsoft Office Excel 2007\Excel Options\Security\Trust Center\Store macro in Personal Macro Workbook by default
User Configuration\Administrative Templates\Microsoft Office Excel 2007\Excel Options\Security\Trust Center\Disable all application add-ins
User Configuration\Administrative Templates\Microsoft Office Excel 2007\Excel Options\Security\Trust Center\Require that application add-ins are signed by Trusted Publisher
User Configuration\Administrative Templates\Microsoft Office Excel 2007\Excel Options\Security\Trust Center\Disable Trust Bar Notification for unsigned application add-ins
User Configuration\Administrative Templates\Microsoft Office Excel 2007\Excel Options\Security\Trust Center\Trusted Locations\Allow Trusted Locations not on the computer
User Configuration\Administrative Templates\Microsoft Office Excel 2007\Excel Options\Security\Trust Center\Trusted Locations\Disable all trusted locations
User Configuration\Administrative Templates\Microsoft Office Excel 2007\Excel Options\Advanced\Ignore other applications
User Configuration\Administrative Templates\Microsoft Office Excel 2007\Excel Options\Advanced\Ask to update automatic links
User Configuration\Administrative Templates\Microsoft Office Excel 2007\Excel Options\Advanced\Number of documents in the Recent Documents list (0-17)
User Configuration\Administrative Templates\Microsoft Office Excel 2007\Excel Options\Advanced\Web Options…\General\Save any additional data necessary to maintain formulas
User Configuration\Administrative Templates\Microsoft Office Excel 2007\Excel Options\Advanced\Web Options…\General\Load pictures from Web pages not created in Excel
User Configuration\Administrative Templates\Microsoft Office Excel 2007\Data Recovery\Do not show data extraction options when opening corrupt workbooks
User Configuration\Administrative Templates\Microsoft Office Excel 2007\Data Recovery\Assume structured storage format of workbook is intact when recovering data
User Configuration\Administrative Templates\Microsoft Office Excel 2007\Data Recovery\Corrupt formula conversion (Convert unrecoverable references to: values | #REF or #NAME)
User Configuration\Administrative Templates\Microsoft Office Excel 2007\Data Access Security\Connection File Locations
User Configuration\Administrative Templates\Microsoft Office Excel 2007\Data Access Security\Automatic Query Refresh (Prompt for all workbooks | Do not prompt; do not allow auto refresh | Do not prompt; allow auto refresh)
User Configuration\Administrative Templates\Microsoft Office Excel 2007\Disable items in user interface\Predefined\Disable commands
User Configuration\Administrative Templates\Microsoft Office Excel 2007\Disable items in user interface\Predefined\Disable commands - Office Button | Excel Options | Customize | All Commands | Save as Web Page
User Configuration\Administrative Templates\Microsoft Office Excel 2007\Disable items in user interface\Predefined\Disable commands - Office Button | Excel Options | Customize | All Commands | Web Page Preview
User Configuration\Administrative Templates\Microsoft Office Excel 2007\Disable items in user interface\Predefined\Disable commands - Office Button | Send | Email
User Configuration\Administrative Templates\Microsoft Office Excel 2007\Disable items in user interface\Predefined\Disable commands - Insert | Links | Hyperlink
User Configuration\Administrative Templates\Microsoft Office Excel 2007\Disable items in user interface\Predefined\Disable commands - Review | Changes | Protect Sheet
User Configuration\Administrative Templates\Microsoft Office Excel 2007\Disable items in user interface\Predefined\Disable commands - Review | Changes | Protect Workbook
User Configuration\Administrative Templates\Microsoft Office Excel 2007\Disable items in user interface\Predefined\Disable commands - Review | Changes | Protect and Share Workbook
User Configuration\Administrative Templates\Microsoft Office Excel 2007\Disable items in user interface\Predefined\Disable commands - View | Macros | Macros
User Configuration\Administrative Templates\Microsoft Office Excel 2007\Disable items in user interface\Predefined\Disable commands - Developer | Code | Macros
User Configuration\Administrative Templates\Microsoft Office Excel 2007\Disable items in user interface\Predefined\Disable commands - Developer | Code | Record Macro
User Configuration\Administrative Templates\Microsoft Office Excel 2007\Disable items in user interface\Predefined\Disable commands - Developer | Code | Macro Security
User Configuration\Administrative Templates\Microsoft Office Excel 2007\Disable items in user interface\Predefined\Disable commands - Developer | Code | Visual Basic
User Configuration\Administrative Templates\Microsoft Office Excel 2007\Disable items in user interface\Predefined\Disable commands - Office Button | Excel Options | Customize | All Commands | Document Location
User Configuration\Administrative Templates\Microsoft Office Excel 2007\Disable items in user interface\Predefined\Disable shortcut keys
User Configuration\Administrative Templates\Microsoft Office Excel 2007\Disable items in user interface\Predefined\Disable shortcut keys - Ctrl+K (Insert | Links | Hyperlink)
User Configuration\Administrative Templates\Microsoft Office Excel 2007\Disable items in user interface\Predefined\Disable shortcut keys - Alt+F8 (Developer | Code | Macros)
User Configuration\Administrative Templates\Microsoft Office Excel 2007\Disable items in user interface\Predefined\Disable shortcut keys - Alt+F11 (Developer | Code | Visual Basic)
User Configuration\Administrative Templates\Microsoft Office Excel 2007\Block file formats\Open\Block opening of pre-release versions of file formats new to Excel 2007
User Configuration\Administrative Templates\Microsoft Office Excel 2007\Block file formats\Open\Block opening of Open XML file types
User Configuration\Administrative Templates\Microsoft Office Excel 2007\Block file formats\Open\Block opening of Binary 12 file types
User Configuration\Administrative Templates\Microsoft Office Excel 2007\Block file formats\Open\Block opening of Binary file types
User Configuration\Administrative Templates\Microsoft Office Excel 2007\Block file formats\Open\Block opening of Html and Xmlss files types
User Configuration\Administrative Templates\Microsoft Office Excel 2007\Block file formats\Open\Block opening of Xml file types
User Configuration\Administrative Templates\Microsoft Office Excel 2007\Block file formats\Open\Block opening of DIF and SYLK file types
User Configuration\Administrative Templates\Microsoft Office Excel 2007\Block file formats\Open\Block opening of Text file types
User Configuration\Administrative Templates\Microsoft Office Excel 2007\Block file formats\Open\Block opening of Xll file type
User Configuration\Administrative Templates\Microsoft Office Excel 2007\Block file formats\Save\Block saving of Open Xml file types
User Configuration\Administrative Templates\Microsoft Office Excel 2007\Block file formats\Save\Block saving of Binary12 file types
User Configuration\Administrative Templates\Microsoft Office Excel 2007\Block file formats\Save\Block saving of Binary file types
User Configuration\Administrative Templates\Microsoft Office Excel 2007\Block file formats\Save\Block saving of Html and Xmlss file types
User Configuration\Administrative Templates\Microsoft Office Excel 2007\Block file formats\Save\Block saving Xml file types
User Configuration\Administrative Templates\Microsoft Office Excel 2007\Block file formats\Save\Block saving DIF and SYLK file types
User Configuration\Administrative Templates\Microsoft Office Excel 2007\Block file formats\Save\Block saving of Text file types
User Configuration\Administrative Templates\Microsoft Office Excel 2007\Miscellaneous\Locally cache network file storages
User Configuration\Administrative Templates\Microsoft Office Excel 2007\Miscellaneous\Locally cache PivotTable reports
User Configuration\Administrative Templates\Microsoft Office Excel 2007\Miscellaneous\OLAP PivotTable User Defined Function (UDF) security setting (Allow ALL UDFs | Allow safe UDFs only | Allow NO UDFs)
User Configuration\Administrative Templates\Microsoft Office Excel 2007\Miscellaneous\Recognize SmartTags
User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Tools | Options\General\Number of documents in the Recent Documents list (0 - 9)
User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Tools | Options\Advanced\Offline\Offline Mode status (Disabled | Enabled, InfoPath in Offline Mode | Enabled, InfoPath not in Offline Mode)
User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Predefined\Disable commands
User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Predefined\Disable commands - File | Print
User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Predefined\Disable commands - File | Send to Mail Recipient
User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Predefined\Disable commands - File | Open from SharePoint Site
User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Predefined\Disable commands - File | Print Preview
User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Predefined\Disable commands - File | Page Setup
User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Predefined\Disable commands - Insert | Hyperlinks...
User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Predefined\Disable commands - Tools | Set Language
User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Predefined\Disable commands - Tools | Customize...
User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Predefined\Disable commands - Tools | Options...
User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Predefined\Disable commands - Help | Microsoft Office Online
User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Predefined\Disable commands - Office Diagnostics
User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Predefined\Disable commands - Help | Activate Product...
User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Predefined\Disable commands - Print Default
User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Predefined\Disable shortcut keys
User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Predefined\Disable shortcut keys - Print Shortcut (Ctrl+P)
User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Predefined\Disable shortcut keys - Insert Hyperlink Shortcut (Ctrl+K)
User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Security\Control behavior for Windows SharePoint Services gradual upgrade (Allow redirections to any location | Allow redirections to Intranet only | Block all redirections)
User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Security\Disable opening of solutions from the Internet security zone
User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Security\Disable fully trusted solutions full access to computer
User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Security\Allow the use of ActiveX Custom Controls in InfoPath forms
User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Security\Run forms in restricted mode if they do not specify a publish location and use only features introduced before InfoPath 2003 SP1
User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Security\Allow file types as attachments to forms
User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Security\Block specific file types as attachments to forms
User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Security\Prevent users from allowing unsafe file types to be attached to forms
User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Security\Display a warning that a form is digitally signed
User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Security\Control behavior when opening forms in the Internet security zone (Block | Prompt | Allow)
User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Security\Control behavior when opening forms in the Intranet security zone (Block | Prompt | Allow)
User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Security\Control behavior when opening forms in the Local Machine security zone (Block | Prompt | Allow)
User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Security\Control behavior when opening forms in the Trusted Site security zone (Block | Prompt | Allow)
User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Security\Beaconing UI for forms opened in InfoPath (Never show beaconing UI | Always show beaconing UI | Show UI if Form Template is from Internet Zone)
User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Security\Beaconing UI for forms opened in InfoPath Editor ActiveX (Never show beaconing UI | Always show beaconing UI | Show UI if Form Template is from Internet Zone)
User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Security\Trust Center\Disable all application add-ins
User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Security\Trust Center\Require that application add-ins are signed by Trusted Publisher
User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Security\Trust Center\Disable Trust Bar Notification for unsigned application add-ins
User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Control behavior when opening InfoPath e-mail forms containing code or script (Run without prompting | Prompt before running | Never run)
User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Disable sending form template with e-mail forms
User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Disable dynamic caching of the form template in InfoPath e-mail forms
User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Disable sending InfoPath 2003 Forms as e-mail forms
User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Disable e-mail forms running in restricted security level
User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Disable e-mail forms from the Internet security zone
User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Disable e-mail forms from the Intranet security zone
User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Disable e-mail forms from the Full Trust security zone
User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Disable InfoPath e-mail forms in Outlook
User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Restricted Features\Information Rights Management
User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Restricted Features\Custom code
User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Miscellaneous\Email Forms Beaconing UI (Never show UI | Always show UI | Show UI if XSN is in Internet Zone)
User Configuration\Administrative Templates\Microsoft Office 2007 system\Global Options\Customize\Disable user customization of Quick Access Toolbar via UI
User Configuration\Administrative Templates\Microsoft Office 2007 system\Global Options\Customize\Disable user customization of Quick Access Toolbar via UI - Disallow in Word
User Configuration\Administrative Templates\Microsoft Office 2007 system\Global Options\Customize\Disable user customization of Quick Access Toolbar via UI - Disallow in Excel
User Configuration\Administrative Templates\Microsoft Office 2007 system\Global Options\Customize\Disable user customization of Quick Access Toolbar via UI - Disallow in PowerPoint
User Configuration\Administrative Templates\Microsoft Office 2007 system\Global Options\Customize\Disable user customization of Quick Access Toolbar via UI - Disallow in Access
User Configuration\Administrative Templates\Microsoft Office 2007 system\Global Options\Customize\Disable user customization of Quick Access Toolbar via UI - Disallow in Outlook
User Configuration\Administrative Templates\Microsoft Office 2007 system\Global Options\Customize\Disable all user customization of Quick Access Toolbar
User Configuration\Administrative Templates\Microsoft Office 2007 system\Global Options\Customize\Disable all user customization of Quick Access Toolbar - Disallow in Word
User Configuration\Administrative Templates\Microsoft Office 2007 system\Global Options\Customize\Disable all user customization of Quick Access Toolbar - Disallow in Excel
User Configuration\Administrative Templates\Microsoft Office 2007 system\Global Options\Customize\Disable all user customization of Quick Access Toolbar - Disallow in PowerPoint
User Configuration\Administrative Templates\Microsoft Office 2007 system\Global Options\Customize\Disable all user customization of Quick Access Toolbar - Disallow in Access
User Configuration\Administrative Templates\Microsoft Office 2007 system\Global Options\Customize\Disable all user customization of Quick Access Toolbar - Disallow in Outlook
User Configuration\Administrative Templates\Microsoft Office 2007 system\Global Options\Customize\Disable UI extending from documents and templates
User Configuration\Administrative Templates\Microsoft Office 2007 system\Global Options\Customize\Disable UI extending from documents and templates - Disallow in Word
User Configuration\Administrative Templates\Microsoft Office 2007 system\Global Options\Customize\Disable UI extending from documents and templates - Disallow in Excel
User Configuration\Administrative Templates\Microsoft Office 2007 system\Global Options\Customize\Disable UI extending from documents and templates - Disallow in PowerPoint
User Configuration\Administrative Templates\Microsoft Office 2007 system\Global Options\Customize\Disable UI extending from documents and templates - Disallow in Access
User Configuration\Administrative Templates\Microsoft Office 2007 system\Global Options\Customize\Disable UI extending from documents and templates - Disallow in Outlook
User Configuration\Administrative Templates\Microsoft Office 2007 system\Tools | AutoCorrect Options... (Excel, Word, PowerPoint and Access)\Recognize smart tags in Excel
User Configuration\Administrative Templates\Microsoft Office 2007 system\Tools | Options | General | Web Options...\Disable Clip Art and Media downloads from the client and from Office Online website
User Configuration\Administrative Templates\Microsoft Office 2007 system\Tools | Options | General | Web Options...\Disable template downloads from the client and from Office Online website
User Configuration\Administrative Templates\Microsoft Office 2007 system\Tools | Options | General | Web Options...\Disable access to updates, add-ins, and patches on the Office Online website
User Configuration\Administrative Templates\Microsoft Office 2007 system\Tools | Options | General | Web Options...\Prevents users from uploading document templates to the Office Online community.
User Configuration\Administrative Templates\Microsoft Office 2007 system\Tools | Options | General | Web Options...\Disable training practice downloads from the Office Online website
User Configuration\Administrative Templates\Microsoft Office 2007 system\Tools | Options | General | Web Options...\Disable customer-submitted templates downloads from Office Online
User Configuration\Administrative Templates\Microsoft Office 2007 system\Tools | Options | General | Web Options...\Files\Open Office documents as read/write while browsing
User Configuration\Administrative Templates\Microsoft Office 2007 system\Tools | Options | General | Web Options...\Browsers\Rely on VML for displaying graphics in browsers
User Configuration\Administrative Templates\Microsoft Office 2007 system\Tools | Options | General | Web Options...\Browsers\Allow PNG as an output format
User Configuration\Administrative Templates\Microsoft Office 2007 system\Tools | Options | Spelling\Proofing Data Collection\Improve Proofing Tools
User Configuration\Administrative Templates\Microsoft Office 2007 system\Privacy\Trust Center\Disable Opt-in Wizard on first run
User Configuration\Administrative Templates\Microsoft Office 2007 system\Help\Microsoft Office Online
User Configuration\Administrative Templates\Microsoft Office 2007 system\Security Settings\Disable Password Caching
User Configuration\Administrative Templates\Microsoft Office 2007 system\Security Settings\Disable all Trust Bar notifications for security issues
User Configuration\Administrative Templates\Microsoft Office 2007 system\Security Settings\Protect document metadata for rights managed Office Open XML Files
User Configuration\Administrative Templates\Microsoft Office 2007 system\Security Settings\Protect document metadata for password protected files.
User Configuration\Administrative Templates\Microsoft Office 2007 system\Security Settings\Encryption type for password protected Office Open XML files
User Configuration\Administrative Templates\Microsoft Office 2007 system\Security Settings\Encryption type for password protected Office 97-2003 files
User Configuration\Administrative Templates\Microsoft Office 2007 system\Security Settings\Load Controls in Forms3 (1 | 2 | 3 | 4)
User Configuration\Administrative Templates\Microsoft Office 2007 system\Security Settings\Automation Security (Disable macros by default | Use application macro security level | Macros enabled)
User Configuration\Administrative Templates\Microsoft Office 2007 system\Security Settings\Prevent Word and Excel from loading managed code extensions
User Configuration\Administrative Templates\Microsoft Office 2007 system\Security Settings\Disable hyperlink warnings
User Configuration\Administrative Templates\Microsoft Office 2007 system\Security Settings\Disable password to open UI
User Configuration\Administrative Templates\Microsoft Office 2007 system\Security Settings\Download Office Controls
User Configuration\Administrative Templates\Microsoft Office 2007 system\Security Settings\Disable All ActiveX
User Configuration\Administrative Templates\Microsoft Office 2007 system\Security Settings\Trust Center\Allow mix of policy and user locations
User Configuration\Administrative Templates\Microsoft Office 2007 system\Smart Documents (Word, Excel)\Disable Smart Document's use of manifests
User Configuration\Administrative Templates\Microsoft Office 2007 system\Smart Documents (Word, Excel)\Completely disable the Smart Documents feature in Word and Excel
User Configuration\Administrative Templates\Microsoft Office 2007 system\Services\Fax\Disable Internet Fax feature
User Configuration\Administrative Templates\Microsoft Office 2007 system\Manage Restricted Permissions\Prevent users from changing permissions on rights managed content
User Configuration\Administrative Templates\Microsoft Office 2007 system\Manage Restricted Permissions\Allow users with earlier versions of Office to read with browsers...
User Configuration\Administrative Templates\Microsoft Office 2007 system\Manage Restricted Permissions\Always require users to connect to verify permission
User Configuration\Administrative Templates\Microsoft Office 2007 system\Manage Restricted Permissions\Always expand groups in Office when restricting permission for documents
User Configuration\Administrative Templates\Microsoft Office 2007 system\Manage Restricted Permissions\Never allow users to specify groups when restricting permission for documents
User Configuration\Administrative Templates\Microsoft Office 2007 system\Manage Restricted Permissions\Disable Microsoft Passport service for content with restricted permission
User Configuration\Administrative Templates\Microsoft Office 2007 system\Manage Restricted Permissions\Do not allow users to upgrade Information Rights Management configuration
User Configuration\Administrative Templates\Microsoft Office 2007 system\Signing\Key Usage Filtering
User Configuration\Administrative Templates\Microsoft Office 2007 system\Signing\EKU filtering
User Configuration\Administrative Templates\Microsoft Office 2007 system\Signing\Legacy format signatures
User Configuration\Administrative Templates\Microsoft Office 2007 system\Signing\Suppress Office Signing Providers (Enable Western and East Asian | Suppress default Western | Suppress default East Asian | Suppress both Western and East Asian)
User Configuration\Administrative Templates\Microsoft Office 2007 system\Signing\Suppress external signature services menu item
User Configuration\Administrative Templates\Microsoft Office 2007 system\Office Diagnostics\Disable Check For Solutions
User Configuration\Administrative Templates\Microsoft Office 2007 system\Microsoft Save As PDF and XPS add-ins\Disable inclusion of document properties in PDF and XPS output
User Configuration\Administrative Templates\Microsoft Office 2007 system\Document Information Panel\Disable Document Information Panel
User Configuration\Administrative Templates\Microsoft Office 2007 system\Document Information Panel\Document Information Panel Beaconing UI (Never show UI | Always show UI | Show UI if XSN is in Internet Zone)
User Configuration\Administrative Templates\Microsoft Office 2007 system\Server Settings\Disable the Office client from polling the Office server for published links
User Configuration\Administrative Templates\Microsoft Office 2007 system\Office 2007 Converters\Block opening of pre-release versions of file formats new to Word 2007 through the Compatibility Pack for the 2007 Office system and Word 2007 Open XML/Word 97-2003 Format Converter
User Configuration\Administrative Templates\Microsoft Office 2007 system\Office 2007 Converters\Block opening of pre-release versions of file formats new to Excel 2007 through the Compatibility Pack for the 2007 Office system and Excel 2007 Converter
User Configuration\Administrative Templates\Microsoft Office 2007 system\Office 2007 Converters\Block opening of pre-release versions of file formats new to PowerPoint 2007 through the Compatibility Pack for the 2007 Office system and PowerPoint 2007 Converter
User Configuration\Administrative Templates\Microsoft Office 2007 system\Miscellaneous\Control Blogging (Enabled | Only SharePoint blogs allowed | All blogging disabled)
User Configuration\Administrative Templates\Microsoft Office 2007 system\Miscellaneous\Enable Smart Resume
User Configuration\Administrative Templates\Microsoft Office 2007 system\Miscellaneous\Do not upload media files
User Configuration\Administrative Templates\Microsoft Office 2007 system\Miscellaneous\Disable hyperlinks to web templates in File | New and task panes
User Configuration\Administrative Templates\Microsoft Office 2007 system\Miscellaneous\Prevent access to Web-based file storage
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Preferences\E-mail Options\Do not allow attachment previewing in Outlook
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Preferences\E-mail Options\Read e-mail as plain text
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Preferences\E-mail Options\Read signed e-mail as plain text
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Preferences\Calendar Options\Microsoft Office Online Sharing Service\Prevent publishing to Office Online
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Preferences\Calendar Options\Microsoft Office Online Sharing Service\Prevent publishing to a DAV server
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Preferences\Calendar Options\Microsoft Office Online Sharing Service\Restrict level of calendar details users can publish (All options are available | Disables 'Full details' | Disables 'Full details' and 'Limited details')
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Preferences\Calendar Options\Microsoft Office Online Sharing Service\Access to published calendars
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Preferences\Calendar Options\Microsoft Office Online Sharing Service\Restrict upload method
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Preferences\Junk E-mail\Hide Junk Mail UI
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Preferences\Junk E-mail\Junk E-mail protection level (No Protection, Low, High, Trusted Lists Only)
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Preferences\Junk E-mail\Trust E-mail from Contacts
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Preferences\Junk E-mail\Add e-mail recipients to users' Safe Senders Lists
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Mail Setup\Dial-up options
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Mail Setup\Dial-up options - Warn before switching dial-up connection
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Mail Setup\Dial-up options - Hang up when finished sending, receiving, or updating
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Mail Setup\Dial-up options - Automatically dial during a background Send/Receive
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Mail Format\Do not allow creating, replying, or forwarding signatures for e-mail messages
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Mail Format\Internet Formatting\Send copy of pictures with HTML messages instead of reference to Internet location
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Mail Format\Internet Formatting\Outlook Rich Text options (Convert to HTML | Convert to Plain Text format | Send Using Outlook Rich Text format)
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Mail Format\Internet Formatting\Plain text options
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Mail Format\Internet Formatting\Plain text options - Encode attachments in UUENCODE format when sending a plain text message
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Mail Format\Internet Formatting\Message Format\Set message format (HTML | Rich Text | Plain Text)
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Other\Make Outlook the default program for E-mail, Contacts, and Calendar
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Other\Advanced\Do not allow folders in non-default stores to be set as folder home pages
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Other\Advanced\Use Unicode format when dragging e-mail message to file system
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Other\Advanced\Do not allow Outlook object model scripts to run for shared folders
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Other\Advanced\Do not allow Outlook object model scripts to run for public folders
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Other\Person Names\Set maximum level of online status on a person name (Do not allow | Allow everywhere except To and CC field | Allow everywhere)
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Other\Person Names\Display online status on a person name (Never | Everywhere except To and CC field | Everywhere)
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Other\Person Names\Turn off Enable the Person Names Smart Tag option
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Security Form Settings\Outlook Security Mode (Outlook Default Security | Use Security Form from 'Outlook Security Settings' Public Folder | Use Security Form from 'Outlook 10 Security Settings' Public Folder | Use Outlook Security Group Policy)
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Security Form Settings\Attachment Security\Display Level 1 attachments
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Security Form Settings\Attachment Security\Allow users to demote attachments to Level 2
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Security Form Settings\Attachment Security\Do not prompt about Level 1 attachments when sending an item
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Security Form Settings\Attachment Security\Do not prompt about Level 1 attachments when closing an item
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Security Form Settings\Attachment Security\Allow in-place activation of embedded OLE objects
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Security Form Settings\Attachment Security\Display OLE package objects
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Security Form Settings\Attachment Security\Add file extensions to block as Level 1
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Security Form Settings\Attachment Security\Remove file extensions blocked as Level 1
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Security Form Settings\Attachment Security\Add file extensions to block as Level 2
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Security Form Settings\Attachment Security\Remove file extensions blocked as Level 2
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Security Form Settings\Custom Form Security\Allow scripts in one-off Outlook forms
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Security Form Settings\Custom Form Security\Set Outlook object model Custom Actions execution prompt (Prompt User | Automatically Approve | Automatically Deny | Prompt user based on computer security)
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Security Form Settings\Custom Form Security\Set control ItemProperty prompt (Prompt User | Automatically Approve | Automatically Deny | Prompt user based on computer security)
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Security Form Settings\Programmatic Security\Configure Outlook object model prompt when sending mail (Prompt User | Automatically Approve | Automatically Deny | Prompt user based on computer security)
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Security Form Settings\Programmatic Security\Configure Outlook object model prompt when accessing an address book (Prompt User | Automatically Approve | Automatically Deny | Prompt user based on computer security)
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Security Form Settings\Programmatic Security\Configure Outlook object model prompt when reading address information (Prompt User | Automatically Approve | Automatically Deny | Prompt user based on computer security)
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Security Form Settings\Programmatic Security\Configure Outlook object model prompt when responding to meeting and task requests (Prompt User | Automatically Approve | Automatically Deny | Prompt user based on computer security)
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Security Form Settings\Programmatic Security\Configure Outlook object model prompt when executing Save As (Prompt User | Automatically Approve | Automatically Deny | Prompt user based on computer security)
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Security Form Settings\Programmatic Security\Configure Outlook object model prompt When accessing the Formula property of a UserProperty object (Prompt User | Automatically Approve | Automatically Deny | Prompt user based on computer security)
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Security Form Settings\Programmatic Security\Configure Outlook object model prompt when accessing address information via UserProperties.Find (Prompt User | Automatically Approve | Automatically Deny | Prompt user based on computer security)
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\Required Certificate Authority
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\S/MIME interoperability with external clients: (Handle internally | Handle externally | Handle if possible)
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\Always use Rich Text formatting in S/MIME messages
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\S/MIME password settings
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\S/MIME password settings - Default S/MIME password time (minutes): (0 - 2147483647)
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\S/MIME password settings - Maximum S/MIME password time (minutes): (0 - 2147483647)
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\Message Formats
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\Message Formats - Support the following message formats: (S/MIME | Exchange | Fortezza | S/MIME and Exchange | S/MIME and Fortezza | Exchange and Fortezza | S/MIME, Exchange, and Fortezza)
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\Do not provide Continue option on Encryption warning dialog boxes
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\Run in FIPS compliant mode
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\Encrypt all e-mail messages
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\Sign all e-mail messages
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\URL for S/MIME certificates
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\Ensure all S/MIME signed messages have a label
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\S/MIME receipt requests (Open message if receipt can't be sent | Don't open message if receipt can't be sent | Always prompt before sending receipt | Never send S/MIME )
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\Fortezza certificate policies
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\Require SuiteB algorithms for S/MIME operations
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\Signature Status dialog box\Missing CRLs
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\Signature Status dialog box\Missing CRLs - Indicate a missing CRL as a(n): (warning | error)
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\Signature Status dialog box\Missing root certificates
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\Signature Status dialog box\Missing root certificates - Indicate a missing root certificate as a(n): (neither error nor warning | warning | error)
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\Signature Status dialog box\Promote Level 2 errors as errors, not warnings
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\Signature Status dialog box\Attachment Secure Temporary Folder
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Automatic Picture Download Settings\Display pictures and external content in HTML e-mail
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Automatic Picture Download Settings\Automatically download content for e-mail from people in Safe Senders and Safe Recipients Lists
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Automatic Picture Download Settings\Do not permit download of content from safe zones
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Automatic Picture Download Settings\Block Trusted Zones
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Automatic Picture Download Settings\Include Internet in Safe Zones for Automatic Picture Download
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Automatic Picture Download Settings\Include Intranet in Safe Zones for Automatic Picture Download
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Trust Center\Security setting for macros (Always warn | Never warn, disable all | Warn for signed, disable unsigned | No security check)
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Trust Center\Enable links in e-mail messages
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Trust Center\Apply macro security settings to macros, add-ins, and SmartTags
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Account Settings\Exchange\Automatically configure profile based on Active Directory Primary SMTP address
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Account Settings\Exchange\Do not allow users to change permissions on folders
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Account Settings\Exchange\Enable RPC encryption
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Account Settings\Exchange\Authentication with Exchange Server (Kerberos/NTLM Password Authentication | Kerberos Password Authentication | NTLM Password Authentication)
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Account Settings\RSS Feeds\Synchronize Outlook RSS Feeds with Common Feed List
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Account Settings\RSS Feeds\Turn off RSS feature
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Account Settings\RSS Feeds\Automatically download enclosures
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Account Settings\RSS Feeds\Download full text of articles as HTML attachments
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Account Settings\Internet Calendars\Automatically download attachments
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Account Settings\Internet Calendars\Do not include Internet Calendar integration in Outlook
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Meeting Workspace\Disable user entries to server list (Publish default, allow others | Publish default, disallow others)
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Miscellaneous\Do not expand distribution lists
User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\PowerPoint Options\Save\Save files in this format (PowerPoint Presentation (*.pptx) | PowerPoint Macro-Enabled Presentation (*.pptm) | PowerPoint 97-2003 Presentation (*.ppt))
User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\PowerPoint Options\Advanced\Number of documents in the Recent Documents list (0 - 50)
User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\PowerPoint Options\Security\Determine whether to force encrypted macros to be scanned in Microsoft PowerPoint Open XML presentations
User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\PowerPoint Options\Security\Run Programs (disable (don't run any programs) | enable (prompt user before running) | enable all (run without prompting))
User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\PowerPoint Options\Security\Make hidden markup visible
User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\PowerPoint Options\Security\Unblock automatic download of linked images
User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\PowerPoint Options\Security\Trust Center\Disable all application add-ins
User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\PowerPoint Options\Security\Trust Center\Require that application add-ins are signed by Trusted Publisher
User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\PowerPoint Options\Security\Trust Center\Disable Trust Bar Notification for unsigned application add-ins
User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\PowerPoint Options\Security\Trust Center\Trusted Locations\Allow Trusted Locations not on the computer
User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\PowerPoint Options\Security\Trust Center\Trusted Locations\Disable all trusted locations
User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Disable items in user interface\Predefined\Disable commands
User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Disable items in user interface\Predefined\Disable commands - Office Button | PowerPoint Options | Customize | All Commands | Web Page Preview
User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Disable items in user interface\Predefined\Disable commands - Office Button | Send | Email
User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Disable items in user interface\Predefined\Disable commands - Insert | Links | Hyperlink
User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Disable items in user interface\Predefined\Disable commands - Review | Proofing | Language
User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Disable items in user interface\Predefined\Disable commands - View | Macros | Macros
User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Disable items in user interface\Predefined\Disable commands - Developer | Code | Macros
User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Disable items in user interface\Predefined\Disable commands - Developer | Code | Macro Security
User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Disable items in user interface\Predefined\Disable commands - Developer | Code | Visual Basic
User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Disable items in user interface\Predefined\Disable commands - Office Button | PowerPoint Options | Customize | All Commands | Document Location
User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Disable items in user interface\Predefined\Disable commands - Disable shortcut keys
User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Disable items in user interface\Predefined\Disable commands - Ctrl+K (Insert | Links | Hyperlink)
User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Disable items in user interface\Predefined\Disable commands - Alt+F8 (Developer | Code | Macros)
User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Disable items in user interface\Predefined\Disable commands - Alt+F11 (Developer | Code | Visual Basic)
User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Block file formats\Open\Block opening of pre-release versions of file formats new to PowerPoint 2007
User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Block file formats\Open\Block opening of Open Xml files types
User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Block file formats\Open\Block opening of Binary file types
User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Block file formats\Open\Block opening of Html file types
User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Block file formats\Open\Block opening of Outlines
User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Block file formats\Open\Block opening of Converters
User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Block file formats\Save\Block saving of Open Xml file types
User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Block file formats\Save\Block saving of Binary file types
User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Block file formats\Save\Block saving of Html file types
User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Block file formats\Save\Block saving of Outlines
User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Block file formats\Save\Block saving of GraphicFilters
User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Block file formats\Miscellaneous\Disable Slide Update
User Configuration\Administrative Templates\Microsoft Office Word 2007\Word Options\Display\Hidden text
User Configuration\Administrative Templates\Microsoft Office Word 2007\Word Options\Save\Save files in this format (Word document (*.docx) | Single Files Web Page (*.mht) | Web Page (*.htm; *.html) | Web Page, Filtered (*.htm, *.html) | Rich Text Format (*.rtf) | Plain Text (*.txt) | Word 6.0/95 (*.doc) | Word 6.0/95 - Chinese (Simplified) (*.doc) | Word 6.0/95 - Chinese (Traditional) (*.doc) | Word 6.0/95 - Japanese (*.doc) | Word 6.0/95 - Korean (*.doc) | Word 97-2002 & 6.0/95 - RTF | Word 5.1 for Macintosh (*.mcw) | Word 5.0 for Macintosh (*.mcw) | Word 2.x for Windows (*.doc) | Works 4.0 for Windows (*.wps) | WordPerfect 5.x for Windows (*.doc) | WordPerfect 5.1 for DOS (*.doc) | Word 2007 Macro Enabled Document (*.docm) | Word 2007 Macro Free Template (*.dotx) | Word 2007 Macro Enabled Template (*.dotm) | Word 97 - 2003 Document (*.doc) | Word 97 - 2003 Template (*.dot) | Flat XML Document (*.xml))
User Configuration\Administrative Templates\Microsoft Office Word 2007\Word Options\Advanced\Number of documents in the Recent Documents list (0-50)
User Configuration\Administrative Templates\Microsoft Office Word 2007\Word Options\Advanced\Update automatic links at Open
User Configuration\Administrative Templates\Microsoft Office Word 2007\Word Options\Advanced\E-mail Options\Save smart tags in e-mail
User Configuration\Administrative Templates\Microsoft Office Word 2007\Word Options\Security\Trust Center\Determine whether to force encrypted macros to be scanned in Microsoft Word Open XML documents
User Configuration\Administrative Templates\Microsoft Office Word 2007\Word Options\Security\Trust Center\Disable all application add-ins
User Configuration\Administrative Templates\Microsoft Office Word 2007\Word Options\Security\Trust Center\Require that application add-ins are signed by Trusted Publisher
User Configuration\Administrative Templates\Microsoft Office Word 2007\Word Options\Security\Trust Center\Disable Trust Bar Notification for unsigned application add-ins
User Configuration\Administrative Templates\Microsoft Office Word 2007\Word Options\Security\Trust Center\Trusted Locations\Allow Trusted Locations not on the computer
User Configuration\Administrative Templates\Microsoft Office Word 2007\Word Options\Security\Trust Center\Trusted Locations\Disable all trusted locations
User Configuration\Administrative Templates\Microsoft Office Word 2007\Disable items in user interface\Predefined\Disable commands
User Configuration\Administrative Templates\Microsoft Office Word 2007\Disable items in user interface\Predefined\Disable commands - Office Button | Word Options | Customize | All Commands | Save As Web Page
User Configuration\Administrative Templates\Microsoft Office Word 2007\Disable items in user interface\Predefined\Disable commands - Office Button | Word Options | Customize | All Commands | Web Page Preview
User Configuration\Administrative Templates\Microsoft Office Word 2007\Disable items in user interface\Predefined\Disable commands - Office Button | Send | Email
User Configuration\Administrative Templates\Microsoft Office Word 2007\Disable items in user interface\Predefined\Disable commands - Insert | Links | Hyperlink
User Configuration\Administrative Templates\Microsoft Office Word 2007\Disable items in user interface\Predefined\Disable commands - Review | Protect | Protect Document
User Configuration\Administrative Templates\Microsoft Office Word 2007\Disable items in user interface\Predefined\Disable commands - View | Macros | Macros
User Configuration\Administrative Templates\Microsoft Office Word 2007\Disable items in user interface\Predefined\Disable commands - Developer | Code | Macros
User Configuration\Administrative Templates\Microsoft Office Word 2007\Disable items in user interface\Predefined\Disable commands - Developer | Code | Record Macro
User Configuration\Administrative Templates\Microsoft Office Word 2007\Disable items in user interface\Predefined\Disable commands - Developer | Code | Macro Security
User Configuration\Administrative Templates\Microsoft Office Word 2007\Disable items in user interface\Predefined\Disable commands - Developer | Code | Visual Basic
User Configuration\Administrative Templates\Microsoft Office Word 2007\Disable items in user interface\Predefined\Disable commands - Developer | Templates | Document Template
User Configuration\Administrative Templates\Microsoft Office Word 2007\Disable items in user interface\Predefined\Disable shortcut keys
User Configuration\Administrative Templates\Microsoft Office Word 2007\Disable items in user interface\Predefined\Disable shortcut keys - Ctrl+F (Home | Editing | Find)
User Configuration\Administrative Templates\Microsoft Office Word 2007\Disable items in user interface\Predefined\Disable shortcut keys - Ctrl+K (Insert | Links | Hyperlink)
User Configuration\Administrative Templates\Microsoft Office Word 2007\Disable items in user interface\Predefined\Disable shortcut keys - Alt+F8 (Developer | Code | Macros)
User Configuration\Administrative Templates\Microsoft Office Word 2007\Disable items in user interface\Predefined\Disable shortcut keys - Alt+F11 (Developer | Code | Visual Basic)
User Configuration\Administrative Templates\Microsoft Office Word 2007\Block file formats\Open\Block opening of pre-release versions of file formats new to Word 2007
User Configuration\Administrative Templates\Microsoft Office Word 2007\Block file formats\Open\Block opening of Open XML file types
User Configuration\Administrative Templates\Microsoft Office Word 2007\Block file formats\Open\Block opening of Binary file types
User Configuration\Administrative Templates\Microsoft Office Word 2007\Block file formats\Open\Block opening of HTML file types
User Configuration\Administrative Templates\Microsoft Office Word 2007\Block file formats\Open\Block opening of Word 2003 XML file types
User Configuration\Administrative Templates\Microsoft Office Word 2007\Block file formats\Open\Block opening of RTF file types
User Configuration\Administrative Templates\Microsoft Office Word 2007\Block file formats\Open\Block open Converters
User Configuration\Administrative Templates\Microsoft Office Word 2007\Block file formats\Open\Block opening of Text file types
User Configuration\Administrative Templates\Microsoft Office Word 2007\Block file formats\Open\Block opening of Internal file types
User Configuration\Administrative Templates\Microsoft Office Word 2007\Block file formats\Open\Block opening of files before version
User Configuration\Administrative Templates\Microsoft Office Word 2007\Block file formats\Save\Block saving of Open XML file types
User Configuration\Administrative Templates\Microsoft Office Word 2007\Block file formats\Save\Block saving of Binary file types
User Configuration\Administrative Templates\Microsoft Office Word 2007\Block file formats\Save\Block saving of HTML file types
User Configuration\Administrative Templates\Microsoft Office Word 2007\Block file formats\Save\Block saving of Word 2003 XML file types
User Configuration\Administrative Templates\Microsoft Office Word 2007\Block file formats\Save\Block saving of RTF file types
User Configuration\Administrative Templates\Microsoft Office Word 2007\Block file formats\Save\Block saving of Converters
User Configuration\Administrative Templates\Microsoft Office Word 2007\Block file formats\Save\Block saving of Text file types
Computer Configuration\Administrative Templates\Microsoft Office InfoPath 2007 (Machine)\Security\InfoPath APTCA Assembly Whitelist
Computer Configuration\Administrative Templates\Microsoft Office InfoPath 2007 (Machine)\Security\Windows Internet Explorer Feature Control Opt-In (None | InfoPath.exe, Document Information Panel and Workflow forms | InfoPath.exe, Document Information Panel, Workflow forms and 3rd Party Hosting)
Computer Configuration\Administrative Templates\Microsoft Office InfoPath 2007 (Machine)\Security\InfoPath APTCA Assembly Whitelist Enforcement
Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\Disable Package Repair
Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Disable user name and password
Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Disable user name and password - excel.exe
Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Disable user name and password - powerpnt.exe
Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Disable user name and password - pptview.exe
Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Disable user name and password - winword.exe
Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Disable user name and password - outlook.exe
Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Disable user name and password - spDesign.exe
Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Disable user name and password - msaccess.exe
Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Bind to object
Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Bind to object - excel.exe
Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Bind to object - powerpnt.exe
Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Bind to object - pptview.exe
Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Bind to object - winword.exe
Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Bind to object - outlook.exe
Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Bind to object - spDesign.exe
Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Bind to object - msaccess.exe
Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Saved from URL
Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Saved from URL - excel.exe
Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Saved from URL - powerpnt.exe
Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Saved from URL - pptview.exe
Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Saved from URL - winword.exe
Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Saved from URL - outlook.exe
Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Saved from URL - spDesign.exe
Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Saved from URL - msaccess.exe
Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Navigate URL
Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Navigate URL - excel.exe
Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Navigate URL - powerpnt.exe
Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Navigate URL - pptview.exe
Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Navigate URL - winword.exe
Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Navigate URL - outlook.exe
Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Navigate URL - spDesign.exe
Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Navigate URL - msaccess.exe
Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Block popups
Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Block popups - excel.exe
Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Block popups - powerpnt.exe
Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Block popups - pptview.exe
Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Block popups - winword.exe
Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Block popups - outlook.exe
Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Block popups - spDesign.exe
Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Block popups - msaccess.exe
NIST SCAP Microsoft Internet Explorer Version 7.0 OVAL (SCAP-IE7-OVAL-Beta-v3.xml)
NIST SCAP Microsoft Internet Explorer Version 7.0 XCCDF (SCAP-IE7-XCCDF-Beta-v3.xml)
oval:org.mitre.oval:def:1277, oval:org.mitre.oval:def:2050
UseOnlyMachineSettings-LocalComputer, UseOnlyMachineSettings-LocalComputer-Disabled
oval:org.mitre.oval:def:658
IEProcesses-RestrictActiveXInstall-LocalComputer
oval:org.mitre.oval:def:1400
DoNotAllowUsersAddDeleteSites-LocalComputer
oval:org.mitre.oval:def:1357
DisablePeriodicCheckForIESoftwareUpdates-LocalComputer
oval:org.mitre.oval:def:620
oval:org.mitre.oval:def:884
IEProcesses-ConsistentMimeHandling-LocalComputer
oval:org.mitre.oval:def:680, oval:org.mitre.oval:def:1392
AllowSoftwareRunInstallSignatureInvalid-LocalComputer, AllowSoftwareToRununOrInstallEvenIfSignatureInvalid-LocalUser
oval:org.mitre.oval:def:617
IEProcesses-MKProtocolSecurityRestriction-LocalComputer
oval:org.mitre.oval:def:1188
DisableSoftwareUpdateShellNotifications-LocalComputer
oval:org.mitre.oval:def:320
IEProcesses-RestrictFileDownload-LocalComputer
oval:org.mitre.oval:def:1198
DisableAutomaticInstallOfIEComponents-LocalComputer
oval:org.mitre.oval:def:1181
MakeProxySettingsPerMachine-LocalComputer
oval:org.mitre.oval:def:1380, oval:org.mitre.oval:def:1358, oval:org.mitre.oval:def:1694
DoNotAllowUsersEnableDisableAddOns-LocalComputer, DoNotAllowUsersEnableDisableAddOns-LocalUser
oval:org.mitre.oval:def:487
TurnOffCrashDetection-LocalComputer
oval:org.mitre.oval:def:465
IEProcesses-ScriptedWindowSecurityRestrictions-LocalComputer
oval:org.mitre.oval:def:1404
DoNotAllowUsersChangePolicies-LocalComputer
oval:org.mitre.oval:def:317
IEProcesses-MimeSniffingSafetyFeature-LocalComputer
oval:org.mitre.oval:def:395
CheckSignatureDownloadedPrograms-LocalComputer
oval:org.mitre.oval:def:583
DoNotAllowResettingIESettings-LocalComputer
oval:org.mitre.oval:def:506, oval:org.mitre.oval:def:533
AllowCutCopyPasteOperationsFromClipboardViaScript-InternetZone-LocalComputer, AllowCutCopyPasteOperationsFromClipboardViaScript-InternetZone-LocalUser
oval:org.mitre.oval:def:1119
TurnOffFirst-RunOpt-In-InternetZone-LocalComputer
oval:org.mitre.oval:def:242
WebBrowserApplications-InternetZone-LocalComputer
oval:org.mitre.oval:def:249, oval:org.mitre.oval:def:1393
AllowCutCopyPasteOperationsFromClipboardViaScript-RestrictedSitesZone-LocalComputer, AllowCutCopyPasteOperationsFromClipboardViaScript-RestrictedSitesZone-LocalUser
oval:org.mitre.oval:def:621
TurnOffFirst-RunOpt-In-RestrictedSitesZone-LocalComputer
oval:org.mitre.oval:def:580
WebBrowserApplications-RestrictedSitesZone-LocalComputer
oval:org.mitre.oval:def:559, oval:org.mitre.oval:def:1370
IncludeAllNetworkPaths-LocalComputer, IncludeAllNetworkPaths-LocalUser
oval:org.mitre.oval:def:934, oval:org.mitre.oval:def:660
DisableTheAdvancedPage-LocalComputer, DisableTheAdvancedPage-LocalUser
oval:org.mitre.oval:def:1111
DisableThePrivacyPage-LocalComputer
oval:org.mitre.oval:def:672, oval:org.mitre.oval:def:601
DisableTheSecurityPage-LocalComputer, DisableTheSecurityPage-LocalUser
oval:org.mitre.oval:def:655, oval:org.mitre.oval:def:1129
PreventIgnoingCertificateErrors-LocalComputer, PreventIgnoingCertificateErrors-LocalUser
oval:org.mitre.oval:def:715
TurnOffChangingURLDisplay-LocalComputer
oval:org.mitre.oval:def:1187
TurnOffConfiguringUpdateCheckInterval-LocalComputer
oval:org.mitre.oval:def:626
AddOnList-LocalComputer
oval:org.mitre.oval:def:1278
DenyAllAddOns-LocalComputer
oval:org.mitre.oval:def:757, oval:org.mitre.oval:def:1365
DisableConfiguringHistory-LocalComputer, DisableConfiguringHistory-LocalUser
oval:org.mitre.oval:def:1285, oval:org.mitre.oval:def:613
DisableChangingAutomaticConfigurationSettings-LocalComputer, DisableChangingAutomaticConfigurationSettings-LocalUser
oval:org.mitre.oval:def:355, oval:org.mitre.oval:def:1128
DisableChangingConnectionSettings-LocalComputer, DisableChangingConnectionSettings-LocalUser
oval:org.mitre.oval:def:398, oval:org.mitre.oval:def:635
DisableChangingProxySettings-LocalComputer, DisableChangingProxySettings-LocalUser
oval:org.mitre.oval:def:1164
DisableShowingSplashScreen-LocalComputer
oval:org.mitre.oval:def:448, oval:org.mitre.oval:def:640
PreventFixSettingsFunctionality-LocalComputer, PreventFixSettingsFunctionality-LocalUser
oval:org.mitre.oval:def:1171, oval:org.mitre.oval:def:1391
PreventParticipationInCustomerExperienceImprovementPrograms-LocalComputer, PreventParticipationInCustomerExperienceImprovementPrograms-LocalUser
oval:org.mitre.oval:def:1322
PreventPerformanceOfFirstRunCustomizeSettings-LocalComputer
oval:org.mitre.oval:def:1382, oval:org.mitre.oval:def:703
PerventDeletationOfTempInternetFiles-LocalComputer, PerventDeletationOfTempInternetFiles-LocalUser
oval:org.mitre.oval:def:458, oval:org.mitre.oval:def:1474
TurnOffDeleteBrowsingHistoryFunctionality-LocalComputer, TurnOffDeleteBrowsingHistoryFunctionality-LocalUser
oval:org.mitre.oval:def:501
TurnOffManagingPhishingFilter-LocalComputer
oval:org.mitre.oval:def:916, oval:org.mitre.oval:def:1034
TurnOffSecuritySettingsCheckFeature-LocalComputer, TurnOffSecuritySettingsCheckFeature-LocalUser
oval:org.mitre.oval:def:400
AllowActiveContentFromCD-LocalComputer
oval:org.mitre.oval:def:110
AllowThird-PartyBrowserExtensions-LocalComputer
oval:org.mitre.oval:def:656, oval:org.mitre.oval:def:1360
AutomaticallyCheckIEUpdates-LocalComputer, AutomaticallyCheckForIEUpdates-LocalUser
oval:org.mitre.oval:def:172, oval:org.mitre.oval:def:1502
CheckServerCertificateRevocation-LocalComputer, CheckForServerCertificateRevocation-LocalUser
oval:org.mitre.oval:def:674, oval:org.mitre.oval:def:650
AccessDataSourcesAcrossDomains-InternetZone-LocalComputer, AccessDataSourcesAcrossDomains-InternetZone-LocalUser
oval:org.mitre.oval:def:1083, oval:org.mitre.oval:def:547
AllowDragDropOrCopyPasteFiles-InternetZone-LocalComputer, AllowDragDropOrCopyPasteFiles-InternetZone-LocalUser
oval:org.mitre.oval:def:524, oval:org.mitre.oval:def:659
AllowFontDownloads-InternetZone-LocalComputer, AllowFontDownloads-InternetZone-LocalUser
oval:org.mitre.oval:def:223, oval:org.mitre.oval:def:541
AllowInstallationOfDesktopItems-InternetZone-LocalComputer, AllowInstallationOfDesktopItems-InternetZone-LocalUser
oval:org.mitre.oval:def:589, oval:org.mitre.oval:def:1476
AllowScriptInitiatedWindowsWithoutSizeOrPositionConstraints-InternetZone-LocalComputer, AllowScriptInitiatedWindowsWithoutSizeOrPositionConstraints-InternetZone-LocalUser
oval:org.mitre.oval:def:1043
AllowScriptlets-InternetZone-LocalComputer
oval:org.mitre.oval:def:226, oval:org.mitre.oval:def:1208
AllowStatusBarUpdatesViaScript-InternetZone-LocalComputer, AllowStatusBarUpdatesViaScript-InternetZone-LocalUser
oval:org.mitre.oval:def:1113, oval:org.mitre.oval:def:562
AutomaticPromptingFileDownloads-InternetZone-LocalComputer, AutomaticPromptingFileDownloads-InternetZone-LocalUser
oval:org.mitre.oval:def:1199, oval:org.mitre.oval:def:546
DownloadSignedActiveXControls-InternetZone-LocalComputer, DownloadSignedActiveXControls-InternetZone-LocalUser
oval:org.mitre.oval:def:391, oval:org.mitre.oval:def:1200
DownloadUnsignedActiveXControls-InternetZone-LocalComputer, DownloadUnsignedActiveXControls-InternetZone-LocalUser
oval:org.mitre.oval:def:1040, oval:org.mitre.oval:def:739
InitializeScriptActiveXControlsNotMarkedAsSafe-InternetZone-LocalComputer, JavaPermissions-InternetZone-LocalComputer, InitializeScriptActiveXControlsNotMarkedAsSafe-InternetZone-LocalUser
oval:org.mitre.oval:def:1174, oval:org.mitre.oval:def:725
JavaPermissions-InternetZone-LocalUser
oval:org.mitre.oval:def:611, oval:org.mitre.oval:def:1487
LaunchingApplicationsAndFilesInIFRAME-InternetZone-LocalComputer, LaunchingApplicationsAndFilesInIFRAME-InternetZone-LocalUser
oval:org.mitre.oval:def:691, oval:org.mitre.oval:def:1123
LogonOptions-InternetZone-LocalComputer, LogonOptions-InternetZone-LocalUser
oval:org.mitre.oval:def:240
LooseXAMLFiles-InternetZone-LocalComputer
oval:org.mitre.oval:def:612, oval:org.mitre.oval:def:1394
NavigateSub-framesAcrossDifferentDomains-InternetZone-LocalComputer, NavigateSub-framesAcrossDifferentDomains-InternetZone-LocalUser
oval:org.mitre.oval:def:953, oval:org.mitre.oval:def:1300
OpenFilesBasedOnContent-InternetZone-LocalComputer, OpenFilesBasedOnContent-InternetZone-LocalUser
oval:org.mitre.oval:def:302, oval:org.mitre.oval:def:1398
SoftwareChannelPermissions-InternetZone-LocalComputer, SoftwareChannelPermissions-InternetZone-LocalUser
oval:org.mitre.oval:def:1179, oval:org.mitre.oval:def:558
UsePop-upBlocker-InternetZone-LocalComputer, UsePop-upBlocker-InternetZone-LocalUser
oval:org.mitre.oval:def:1108
UserdataPersistence-InternetZone-LocalComputer
oval:org.mitre.oval:def:265, oval:org.mitre.oval:def:1432
WebSitesInLessPrivilegedWebContentZonesCanNavigateIntoThisZone-InternetZone-LocalComputer, WebSitesInLessPrivilegedWebContentZonesCanNavigateIntoThisZone-InternetZone-LocalUser
oval:org.mitre.oval:def:628
XPSFiles-InternetZone-LocalComputer
oval:org.mitre.oval:def:245
DisplayMixedContent-LockedDownInternetZone-LocalComputer
oval:org.mitre.oval:def:1166
DisplayMixedContent-IntranetZone-LocalComputer
oval:org.mitre.oval:def:247
DisplayMixedContent-LockedDownIntranetZone-LocalComputer
oval:org.mitre.oval:def:383
DisplayMixedContent-LocalMachineZone-LocalComputer
oval:org.mitre.oval:def:418
DisplayMixedContent-LockedDownLocalMachineZone-LocalComputer
oval:org.mitre.oval:def:652, oval:org.mitre.oval:def:750
AccessDataSourcesAcrossDomains-RestrictedSitesZone-LocalComputer, AccessDataSourcesAcrossDomains-RestrictedSitesZone-LocalUser
oval:org.mitre.oval:def:293, oval:org.mitre.oval:def:561
AllowActiveScripting-RestrictedSitesZone-LocalComputer, AllowActiveScripting-RestrictedSitesZone-LocalUser
oval:org.mitre.oval:def:365, oval:org.mitre.oval:def:1314
AllowBinaryAndScriptBehaviors-RestrictedSitesZone-LocalComputer, AllowBinaryAndScriptBehaviors-RestrictedSitesZone-LocalUser
oval:org.mitre.oval:def:498, oval:org.mitre.oval:def:1465
AllowDragDropOrCopyPasteFiles-RestrictedSitesZone-LocalComputer, AllowDragDropOrCopyPasteFiles-RestrictedSitesZone-LocalUser
oval:org.mitre.oval:def:1184, oval:org.mitre.oval:def:1318
AllowFileDownloads-RestrictedSitesZone-LocalComputer, AllowFileDownloads-RestrictedSitesZone-LocalUser
oval:org.mitre.oval:def:1109, oval:org.mitre.oval:def:1410
AllowFontDownloads-RestrictedSitesZone-LocalComputer, AllowFontDownloads-RestrictedSitesZone-LocalUser
oval:org.mitre.oval:def:251, oval:org.mitre.oval:def:1257
AllowInstallationOfDesktopItems-RestrictedSitesZone-LocalComputer, AllowInstallationOfDesktopItems-RestrictedSitesZone-LocalUser
oval:org.mitre.oval:def:1218, oval:org.mitre.oval:def:1270
AllowMETAREFRESH-RestrictedSitesZone-LocalComputer, AllowMETAREFRESH-RestrictedSitesZone-LocalUser
oval:org.mitre.oval:def:1234, oval:org.mitre.oval:def:574
AllowScriptInitiatedWindowsWithoutSizeOrPositionConstraints-RestrictedSitesZone-LocalComputer, AllowScriptInitiatedWindowsWithoutSizeOrPositionConstraints-RestrictedSitesZone-LocalUser
oval:org.mitre.oval:def:1217
AllowScriptlets-RestrictedSitesZone-LocalComputer
oval:org.mitre.oval:def:378, oval:org.mitre.oval:def:1320
AllowStatusBarUpdatesViaScript-RestrictedSitesZone-LocalComputer, AllowStatusBarUpdatesViaScript-RestrictedSitesZone-LocalUser
oval:org.mitre.oval:def:252, oval:org.mitre.oval:def:1312
AutomaticPromptingFileDownloads-RestrictedSitesZone-LocalComputer, AutomaticPromptingFileDownloads-RestrictedSitesZone-LocalUser
oval:org.mitre.oval:def:1019, oval:org.mitre.oval:def:1389
DownloadSignedActiveXControls-RestrictedSitesZone-LocalComputer, DownloadSignedActiveXControls-RestrictedSitesZone-LocalUser
oval:org.mitre.oval:def:949, oval:org.mitre.oval:def:579
DownloadUnsignedActiveXControls-RestrictedSitesZone-LocalComputer, DownloadUnsignedActiveXControls-RestrictedSitesZone-LocalUser
oval:org.mitre.oval:def:273, oval:org.mitre.oval:def:1342
InitializeScriptActiveXControlsNotMarkedAsSafe-RestrictedSitesZone-LocalComputer, InitializeScriptActiveXControlsNotMarkedAsSafe-RestrictedSitesZone-LocalUser
oval:org.mitre.oval:def:824, oval:org.mitre.oval:def:732
JavaPermissions-RestrictedSitesZone-LocalComputer, JavaPermissions-RestrictedSitesZone-LocalUser
oval:org.mitre.oval:def:274, oval:org.mitre.oval:def:1223
LaunchingApplicationsAndFilesInIFRAME-RestrictedSitesZone-LocalComputer, LaunchingApplicationsAndFilesInIFRAME-RestrictedSitesZone-LocalUser
oval:org.mitre.oval:def:326, oval:org.mitre.oval:def:1378
LogonOptions-RestrictedSitesZone-LocalComputer, LogonOptions-RestrictedSitesZone-LocalUser
oval:org.mitre.oval:def:275
LooseXAMLFiles-RestrictedSitesZone-LocalComputer
oval:org.mitre.oval:def:1229, oval:org.mitre.oval:def:1292
NavigateSub-framesAcrossDifferentDomains-RestrictedSitesZone-LocalComputer, NavigateSub-framesAcrossDifferentDomains-RestrictedSitesZone-LocalUser
oval:org.mitre.oval:def:706, oval:org.mitre.oval:def:1421
OpenFilesBasedOnContent-RestrictedSitesZone-LocalComputer, OpenFilesBasedOnContent-RestrictedSitesZone-LocalUser
oval:org.mitre.oval:def:329, oval:org.mitre.oval:def:599
RunNETFrameworkReliantComponentsNotSignedWithAuthenticode-RestrictedSitesZone-LocalComputer, RunNETFrameworkReliantComponentsNotSignedWithAuthenticode-RestrictedSitesZone-LocalUser
oval:org.mitre.oval:def:276, oval:org.mitre.oval:def:1428
RunNETFrameworkReliantComponentsSignedWithAuthenticode-RestrictedSitesZone-LocalComputer, RunNETFrameworkReliantComponentsSignedWithAuthenticode-RestrictedSitesZone-LocalUser
oval:org.mitre.oval:def:571, oval:org.mitre.oval:def:1594
RunActiveXControlsAndPlugins-RestrictedSitesZone-LocalComputer, RunActiveXControlsAndPlugins-RestrictedSitesZone-LocalUser
oval:org.mitre.oval:def:602, oval:org.mitre.oval:def:1274
ScriptActiveXControlsMarkedSafeForScripting-RestrictedSitesZone-LocalComputer, ScriptActiveXControlsMarkedSafeForScripting-RestrictedSitesZone-LocalUser
oval:org.mitre.oval:def:280, oval:org.mitre.oval:def:641
ScriptingOfJavaApplets-RestrictedSitesZone-LocalComputer, ScriptingOfJavaApplets-RestrictedSitesZone-LocalUser
oval:org.mitre.oval:def:290, oval:org.mitre.oval:def:1214
SoftwareChannelPermissions-RestrictedSitesZone-LocalComputer, SoftwareChannelPermissions-RestrictedSitesZone-LocalUser
oval:org.mitre.oval:def:1100, oval:org.mitre.oval:def:1286
UsePop-upBlocker-RestrictedSitesZone-LocalComputer, UsePop-upBlocker-RestrictedSitesZone-LocalUser
oval:org.mitre.oval:def:300
UserdataPersistence-RestrictedSitesZone-LocalComputer
oval:org.mitre.oval:def:1219, oval:org.mitre.oval:def:1243
WebSitesInLessPrivilegedWebContentZonesCanNavigateIntoThisZone-RestrictedSitesZone-LocalComputer, WebSitesInLessPrivilegedWebContentZonesCanNavigateIntoThisZone-RestrictedSitesZone-LocalUser
oval:org.mitre.oval:def:1176
XPSFiles-RestrictedSitesZone-LocalComputer
oval:org.mitre.oval:def:314
DisplayMixedContent-LockedDownRestrictedSitesZone-LocalComputer
oval:org.mitre.oval:def:1153
DisplayMixedContent-TrustedSitesZone-LocalComputer
oval:org.mitre.oval:def:1183
DisplayMixedContent-LockedDownTrustedSitesZone-LocalComputer
oval:org.mitre.oval:def:338
EnableNativeXMLHttpSupport-LocalComputer
oval:org.mitre.oval:def:645
DisableSaveThisProgramToDiskOption-LocalUser
oval:org.mitre.oval:def:523
AllowInstallOnDemandIE-LocalUser
oval:org.mitre.oval:def:1206
TurnOffPageTransitions-LocalUser
oval:org.mitre.oval:def:1516
DisableAutoCompleteForForms-LocalUser
oval:org.mitre.oval:def:505
AllowInstallOnDemandIE-LocalUser
oval:org.mitre.oval:def:1362
DisableChangingCertificateSettings-LocalUser
oval:org.mitre.oval:def:1384
DisableExternalBrandingOfIE-LocalUser
oval:org.mitre.oval:def:1238
ConfigureOutlookExpress-LocalUser
oval:org.mitre.oval:def:604
InternetConnectionWizardSettings-LocalUser
oval:org.mitre.oval:def:1355
DisableInternetConnectionWizard-LocalUser
oval:org.mitre.oval:def:1437
DisableResetWebSettingsFeature-LocalUser
oval:org.mitre.oval:def:1080
DisableDownloadingOfSiteSubscriptionContent-LocalUser
oval:org.mitre.oval:def:1293
DisableAddingSchedulesForOfflinePages-LocalUser
oval:org.mitre.oval:def:1383
DisableAddingChannels-LocalUser
oval:org.mitre.oval:def:1397
DisableEditingAndCreatingOfScheduleGroups-LocalUser
oval:org.mitre.oval:def:1501
DisableAllScheduledOfflinePages-LocalUser
oval:org.mitre.oval:def:1565
DisableEditingSchedulesForOfflinePages-LocalUser
oval:org.mitre.oval:def:1782
DisableChannelUserInterfaceCompletely-LocalUser
oval:org.mitre.oval:def:1801
DisableRemovingChannels-LocalUser
oval:org.mitre.oval:def:1954
DisableRemovingSchedulesForOfflinePages-LocalUser
oval:org.mitre.oval:def:2026
DisableOfflinePageHitLogging-LocalUser
oval:org.mitre.oval:def:2039
JavaPermissions-LockedDownIntranetZone-LocalComputer
oval:org.mitre.oval:def:1422
JavaPermissions-LocalMachineZone-LocalComputer
oval:org.mitre.oval:def:1986
JavaPermissions-LockedDownLocalMachineZone-LocalComputer
oval:org.mitre.oval:def:1753
JavaPermissions-LockedDownRestrictedSitesZone-LocalComputer
oval:org.mitre.oval:def:1379
JavaPermissions-TrustedSitesZone-LocalComputer
oval:org.mitre.oval:def:1699
JavaPermissions-LockedDownTrustedSitesZone-LocalComputer
Recommended