CCE Windows List - Mitre Corporationcce.mitre.org/lists/data/downloads/Windows-CCE-4.2.xls · XLS file · Web view4.4.1.26 %SystemRoot ... (Windows 2000 orlater) session key Table:

Outline CCE Id CCE Description

CCE-25

CCE-899

CCE-727

CCE-211

CCE-39

CCE-83

CCE Parameters

File & Registry Permissions & Auditing

File & Registry Auditing

The required auditing for %SystemDrive% directory should be enabled.

(1) set of accounts (2) events to audit (3) applicability

The required auditing for the registry key HKEY_LOCAL_MACHINE\SOFTWARE should be enabled.


The required auditing for the registry key HKEY_LOCAL_MACHINE\SYSTEM should be enabled.


File Permissions

The required permissions for the directory %ALL% should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the directory %AllUsersProfile% should be assigned.


The required permissions for the directory %AllUsersProfile%\Application Data should be assigned.


CCE-854

CCE-783

CCE-713

CCE-387

CCE-527

CCE-686

CCE-3

The required permissions for the directory %AllUsersProfile%\Application Data\Microsoft should be assigned.


The required permissions for the directory %AllUsersProfile%\Application Data\Microsoft\Crypto\DSSHKLMKeys should be assigned.


The required permissions for the directory %AllUsersProfile%\Application Data\Microsoft\Crypto\RSAHKLMKeys should be assigned.


The required permissions for the directory %AllUsersProfile%\Application Data\Microsoft\Dr Watson should be assigned.


The required permissions for the directory %AllUsersProfile%\Application Data\Microsoft\Dr Watson\drwtsn32.log should be assigned.


The required permissions for the directory %AllUsersProfile%\Application Data\Microsoft\HTML Help should be assigned.


The required permissions for the directory %AllUsersProfile%\Application Data\Microsoft\MediaIndex should be assigned.


CCE-356

CCE-85

CCE-24

CCE-570

CCE-204

CCE-411

CCE-816

CCE-746

CCE-987

The required permissions for the directory %AllUsersProfile%\Documents\desktop.ini should be assigned.


The required permissions for the directory %AllUsersProfile%\DRM should be assigned.


The required permissions for the directory %ProgramFiles% should be assigned.


The required permissions for the directory %ProgramFiles%\Resource Kit should be assigned.


The required permissions for the directory %ProgramFiles%\Resource Pro Kit should be assigned.


The required permissions for the directory %SystemDrive% should be assigned.


The required permissions for the file %SystemDrive%\AUTOEXEC.BAT should be assigned.


The required permissions for the file %SystemDrive%\BOOT.INI should be assigned.


The required permissions for the file %SystemDrive%\CONFIG.SYS should be assigned.


CCE-419

CCE-120

CCE-181

CCE-868

CCE-776

The required permissions for the file %SystemDrive%\Documents and Settings should be assigned.


The required permissions for the directory %SystemDrive%\Documents and Settings\Administrator should be assigned.


The required permissions for the directory %SystemDrive%\Documents and Settings\All Users should be assigned.


The required permissions for the directory %SystemDrive%\Documents and Settings\All Users\Documents\DrWatson should be assigned.


The required permissions for the file %SystemDrive%\Documents and Settings\All Users\Documents\DrWatson\drwtsn32.log should be assigned.


CCE-714

CCE-540

CCE-602

CCE-399

CCE-192

CCE-561

CCE-755

CCE-341

CCE-971

The required permissions for the directory %SystemDrive%\Documents and Settings\Default User should be assigned.


The required permissions for the file %SystemDrive%\IO.SYS should be assigned.


The required permissions for the file %SystemDrive%\MSDOS.SYS should be assigned.


The required permissions for the file %SystemDrive%\NTBOOTDD.SYS should be assigned.


The required permissions for the file %SystemDrive%\NTDETECT.COM should be assigned.


The required permissions for the file %SystemDrive%\NTLDR should be assigned.


The required permissions for the directory %SystemDrive%\Temp should be assigned.


The required permissions for the directory %SystemDrive%\My Download Files should be assigned.


The required permissions for the file %SystemDrive%\System Volume Information should be assigned.


CCE-645

CCE-579

CCE-505

CCE-640

CCE-328

CCE-134

CCE-293

The required permissions for the directory %SystemRoot% should be assigned.


The required permissions for the directory %SystemRoot%\Driver Cache\I386\Driver.cab should be assigned.


The required permissions for the directory %SystemRoot%\$NtServicePackUninstall$ should be assigned.


The required permissions for the directory %SystemRoot%\$NtServicePackUninstall$ should be assigned.


The required permissions for any of the %SystemRoot%\$NtUninstall* directories should be assigned.


The required permissions for the directory %SystemRoot%\CSC should be assigned.


The required permissions for the directory %SystemRoot%\Debug should be assigned.


CCE-94

CCE-152

CCE-482

CCE-147

CCE-737

CCE-795

CCE-248

CCE-398

The required permissions for the directory %SystemRoot%\Debug\UserMode should be assigned.


The required permissions for the directory %SystemRoot%\Debug\UserMode\userenv.log should be assigned.


The required permissions for the file %SystemRoot%\Installer should be assigned.


The required permissions for the file %SystemRoot%\Offline Web Pages should be assigned.


The required permissions for the file %SystemRoot%\Prefetch should be assigned.


The required permissions for the file %SystemRoot%\regedit.exe should be assigned.


The required permissions for the directory %SystemDrive%\NTDS should be assigned.


The required permissions for the directory %SystemRoot%\Offline Web Pages should be assigned.


CCE-155

CCE-323

CCE-873

CCE-67

CCE-979

CCE-701

CCE-380

CCE-45

CCE-600

The required permissions for the directory %SystemRoot%\Registration should be assigned.


The required permissions for the directory %SystemRoot%\Registration\CRMLog should be assigned.


The required permissions for the directory %SystemRoot%\repair should be assigned.


The required permissions for the directory %SystemRoot%\security should be assigned.


The required permissions for the directory %SystemRoot%\SYSVOL should be assigned.


The required permissions for the directory %SystemRoot%\SYSVOL\domain\Policies should be assigned.


The required permissions for the directory %SystemRoot%\Temp should be assigned.


The required permissions for the directory %SystemRoot%\System32 should be assigned.


The required permissions for the directory %SystemRoot%\System32\arp.exe should be assigned.


CCE-393

CCE-166

CCE-977

CCE-272

CCE-994

CCE-170

CCE-197

CCE-765

CCE-334

CCE-201

The required permissions for the file %SystemRoot%\System32\at.exe should be assigned.

(1) set of accounts (2) list of permissions (3) applicabilityThe required permissions

for the file %SystemRoot%\System32\attrib.exe should be assigned.


The required permissions for the file %SystemRoot%\System32\cacls.exe should be assigned.


The required permissions for the file %SystemRoot%\System32\ciadv.msc should be assigned.


The required permissions for the file %SystemRoot%\System32\Com\comexp.msc should be assigned.


The required permissions for the file %SystemRoot%\System32\compmgmt.msc should be assigned.


The required permissions for the file %SystemRoot%\System32\CONFIG should be assigned.


The required permissions for the file %SystemRoot%\System32\CONFIG\AppEvent.evt should be assigned.


The required permissions for the file %SystemRoot%\System32\CONFIG\*.evt should be assigned.


The required permissions for the file %SystemRoot%\System32\debug.exe should be assigned.


CCE-386

CCE-941

CCE-981

CCE-350

CCE-403

CCE-972

CCE-20

CCE-489

CCE-917

CCE-846

The required permissions for the file %SystemRoot%\System32\devmgmt.msc should be assigned.


The required permissions for the file %SystemRoot%\System32\dfrg.msc should be assigned.


The required permissions for the file %SystemRoot%\System32\diskmgmt.msc should be assigned.


The required permissions for the directory %SystemRoot%\System32\dllcache should be assigned.


The required permissions for the file %SystemRoot%\System32\drwatson.exe should be assigned.


The required permissions for the file %SystemRoot%\System32\drwtsn32.exe should be assigned.


The required permissions for the file %SystemRoot%\System32\edlin.exe should be assigned.


The required permissions for the file %SystemRoot%\System32\eventcreate.exe should be assigned.


The required permissions for the file %SystemRoot%\System32\eventtriggers.exe should be assigned.


The required permissions for the file %SystemRoot%\System32\eventvwr.msc should be assigned.


CCE-529

CCE-264

CCE-819

CCE-361

CCE-789

CCE-894

CCE-198

CCE-634

The required permissions for the file %SystemRoot%\System32\fsmgmt.msc should be assigned.


The required permissions for the file %SystemRoot%\System32\ftp.exe should be assigned.


The required permissions for the file %SystemRoot%\System32\gpedit.msc should be assigned.


The required permissions for the directory %SystemRoot%\System32\DTCLog should be assigned.


The required permissions for the directory %SystemRoot%\System32\GroupPolicy should be assigned.


The required permissions for the directory %SystemRoot%\System32\ias should be assigned.


The required permissions for the directory %SystemRoot%\System32\lusrmgr.msg should be assigned.


The required permissions for the directory %SystemRoot%\System32\MSDTC should be assigned.


CCE-550

CCE-731

CCE-607

CCE-158

CCE-220

CCE-242

CCE-821

CCE-486

CCE-548

The required permissions for the file %SystemRoot%\System32\nbstat.exe should be assigned.


The required permissions for the file %SystemRoot%\System32\net.exe should be assigned.


The required permissions for the file %SystemRoot%\System32\net1.exe should be assigned.


The required permissions for the file %SystemRoot%\System32\netsh.exe should be assigned.


The required permissions for the file %SystemRoot%\System32\netstat.exe should be assigned.


The required permissions for the file %SystemRoot%\System32\nslookup.exe should be assigned.


The required permissions for the file %SystemRoot%\System32\Ntbackup.exe should be assigned.


The required permissions for the directory %SystemRoot%\System32\NTMSData should be assigned.


The required permissions for the file %SystemRoot%\System32\ntmsoprq.msc should be assigned.


CCE-715

CCE-151

CCE-997

CCE-547

CCE-865

CCE-543

CCE-657

CCE-89

CCE-274

The required permissions for the file %SystemRoot%\System32\ntmsmgr.msc should be assigned.


The required permissions for the file %SystemRoot%\System32\perfmon.msc should be assigned.


The required permissions for the file %SystemRoot%\System32\Rcp.exe should be assigned.


The required permissions for the file %SystemRoot%\System32\reg.exe should be assigned.


The required permissions for the file %SystemRoot%\System32\Regedt32.exe should be assigned.


The required permissions for the file %SystemRoot%\System32\regini.exe should be assigned.


The required permissions for the file %SystemRoot%\System32\regsvr32.exe should be assigned.


The required permissions for the directory %SystemRoot%\system32\ReinstallBackups should be assigned.


The required permissions for the file %SystemRoot%\System32\Rexec.exe should be assigned.


CCE-168

CCE-353

CCE-27

CCE-340

CCE-516

CCE-922

CCE-847

CCE-904

CCE-587

The required permissions for the file %SystemRoot%\System32\route.exe should be assigned.


The required permissions for the file %SystemRoot%\System32\Rsh.exe should be assigned.


The required permissions for the file %SystemRoot%\System32\RSoP.msc should be assigned.


The required permissions for the file %SystemRoot%\System32\runas.exe should be assigned.


The required permissions for the file %SystemRoot%\System32\sc.exe should be assigned.


The required permissions for the file %SystemRoot%\System32\Secedit.exe should be assigned.


The required permissions for the file %SystemRoot%\System32\secpol.msc should be assigned.


The required permissions for the file %SystemRoot%\System32\services.msc should be assigned.


The required permissions for the directory %SystemRoot%\System32\Setup should be assigned.


CCE-326

CCE-357

CCE-291

CCE-692

CCE-921

CCE-225

CCE-159

CCE-348

The required permissions for the directory %SystemRoot%\System32\repl should be assigned.


The required permissions for the directory %SystemRoot%\System32\repl\export should be assigned.


The required permissions for the directory %SystemRoot%\System32\repl\import should be assigned.


The required permissions for the directory %SystemRoot%\System32\spool\Printers should be assigned.


The required permissions for the file %SystemRoot%\System32\subst.exe should be assigned.


The required permissions for the file %SystemRoot%\System32\systeminfo.exe should be assigned.


The required permissions for the file %SystemRoot%\System32\telnet.exe should be assigned.


The required permissions for the file %SystemRoot%\System32\tftp.exe should be assigned.


CCE-718

CCE-154

CCE-322

CCE-864

CCE-364

CCE-46

CCE-447

CCE-760

The required permissions for the file %SystemRoot%\System32\tlntsvr.exe should be assigned.


The required permissions for the file %SystemRoot%\System32\wmimgmt.msc should be assigned.


The required permissions for the directory %SystemRoot%\Tasks should be assigned.


The required permissions for the directory %ALL%\Program Files\MQSeries should be assigned.


The required permissions for the directory %ALL%\Program Files\MQSeries\qmggr should be assigned.


The required permissions for the directory %SystemDrive%\Documents and Settings\All Users\Application Data\Microsoft\HTML Help ACL should be assigned.


The required permissions for the directory %SystemDrive%\WINNT\SECURITY\Database\SECEDIT.SDB ACL should be assigned.


Registry Permissions

The required permissions for the registry key HKEY_CLASSES_ROOT should be assigned.


CCE-813

CCE-279

CCE-843

CCE-253

CCE-59

CCE-90

CCE-477

The required permissions for the registry key HKEY_LOCAL_MACHINE should be assigned.


The required permissions for the registry key HKEY_LOCAL_MACHINE\SOFTWARE should be assigned.


The required permissions for the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes should be assigned.


The required permissions for the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Regfile\Shell\Open\Command should be assigned.


The required permissions for the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography/Calais should be assigned.


The required permissions for the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSDTC should be assigned.


The required permissions for the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSDTC\Security\XAKey should be assigned.


CCE-394

CCE-826

CCE-240

CCE-618

CCE-19

The required permissions for the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NetDDE should be assigned.


The required permissions for the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\UPnP Device Host should be assigned.


The required permissions for the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OS/2 Subsystem for NT should be assigned.


The required permissions for the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Asr\Commands should be assigned.


The required permissions for the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib should be assigned.


CCE-363

CCE-790

CCE-268

CCE-321

CCE-131

CCE-34

The required permissions for the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SeCEdit should be assigned.


The required permissions for the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy should be assigned.


The required permissions for the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer should be assigned.


The required permissions for the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies should be assigned.


The required permissions for the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ratings should be assigned.


The required permissions for the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Telephony should be assigned.


CCE-135

CCE-558

CCE-867

CCE-545

CCE-289

CCE-465

CCE-254

The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM should be assigned.


The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\clone should be assigned.


The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\controlset001 should be assigned.










CCE-606

CCE-694

CCE-500

CCE-809

CCE-99

CCE-837

CCE-9











The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class should be assigned.


The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network should be assigned.


CCE-934

CCE-252

CCE-53

CCE-269

CCE-960

CCE-613

The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg should be assigned.


The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Subsystems should be assigned.


The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Wmi\Security should be assigned.


The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum should be assigned.


The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles should be assigned.


The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AppMgmt\Security should be assigned.


CCE-930

CCE-163

CCE-978

CCE-877

CCE-683

CCE-238

The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ClipSrv\Security should be assigned.


The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CryptSvc\Security should be assigned.


The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNSCache should be assigned.


The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Ersvc\Security should be assigned.


The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security should be assigned.


The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IRENUM\Security should be assigned.


CCE-101

CCE-788

CCE-823

CCE-246

CCE-902

CCE-193

The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netbt should be assigned.


The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netdd\Security should be assigned.


The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netddedsdm\Security should be assigned.


The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess should be assigned.


The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Rpcss\Security should be assigned.


The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Samss\Security should be assigned.


CCE-110

CCE-661

CCE-330

CCE-594

CCE-35

CCE-290

The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Scarddrv\Security should be assigned.


The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Scardsvr\Security should be assigned.


The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\PermittedManagers should be assigned.


The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\ValidCommunities should be assigned.


The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Stisvc\Security should be assigned.


The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SysmonLog\Log Queries should be assigned.


CCE-202

CCE-603

CCE-748

CCE-907

CCE-127

CCE-483

CCE-796

The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tapisrv\Security should be assigned.


The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip should be assigned.


The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32time\Security should be assigned.


The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Wmi\Security should be assigned.


The required permissions for the registry key HKEY_USERS\.DEFAULT should be assigned.


The required permissions for the registry key HKEY_USERS\.DEFAULT\Software\Microsoft\NetDDE should be assigned.


The required permissions for the registry key HKEY_USERS\.DEFAULT\Software\Microsoft\Protected Storage System Provider should be assigned.


CCE-845

CCE-730User Rights

CCE-898 (1) set of accounts





The required permissions for the registry key HKEY_CLASSES_ROOT should be assigned.


The required permissions for the registry key HKEY_USERS\.DEFAULT\Software\Microsoft\SystemCertificates\Root\ProtectedRoots should be assigned.


The "deny access to this computer from the network" user right should be assigned to the correct accounts.

The "access this computer from the network" user right should be assigned to the correct accounts.

The "act as part of the operating system" user right should be assigned to the correct accounts.

The "back up files and directories" user right should be assigned to the correct accounts.

The "bypass traverse checking" user right should be assigned to the correct accounts.









The "change the system time" user right should be assigned to the correct accounts.

The "create a pagefile" user right should be assigned to the correct accounts.

The "Create a token object" user right should be assigned to the correct accounts.

The "create permanent shared objects" user right should be assigned to the correct accounts.

The "debug programs" user right should be assigned to the correct accounts.

The "force shutdown from a remote system" user right should be assigned to the correct accounts.

The "generate security audits" user right should be assigned to the correct accounts.

The "adjust memory quotas for a process" user right should be assigned to the correct accounts.









The "increase scheduling priority" user right should be assigned to the correct accounts.

The "load and unload device drivers" user right should be assigned to the correct accounts.

The "lock pages in memory" user right should be assigned to the correct accounts.

The "log on as a batch job" user right should be assigned to the correct accounts.

The "log on as a service" user right should be assigned to the correct accounts.

The "log on locally" user right should be assigned to the correct accounts.

The "manage auditing and security log" user right should be assigned to the correct accounts.

The "modify firmware environment values" user right should be assigned to the correct accounts.








The "profile single process" user right should be assigned to the correct accounts.

The "profile system performance" user right should be assigned to the correct accounts.

The "remove computer from docking station" user right should be assigned to the correct accounts.

The "replace a process-level token" user right should be assigned to the correct accounts.

The "restore files and directories" user right should be assigned to the correct accounts.

The "shut down the system" user right should be assigned to the correct accounts.

The "take ownership of files or other objects" user right should be assigned to the correct accounts.








The "synchronize directory service data" user right should be assigned to the correct accounts.

The "deny logon locally" user right should be assigned to the correct accounts.

The "enable computer and user accounts to be trusted for delegation" user right should be assigned to the correct accounts.

The "add workstations to domain" user right should be assigned to the correct accounts.

The "allow logon through Terminal Services" user right should be assigned to the correct accounts.

The "deny logon as a batch job" user right should be assigned to the correct accounts.

The "deny logon as a service" user right should be assigned to the correct accounts.



CCE-733

CCE-980

CCE-658Audit Policy

CCE-315

CCE-2628 enabled/disabled

The "deny logon through Terminal Services" user right should be assigned to the correct accounts.

The "perform volume maintenance tasks" user right should be assigned to the correct accounts.

Auditing and Account Policies

Account Lockout Policy

The "reset account lockout counter after" policy should meet minimum requirements.

(1) number of minutes

The "account lockout duration" policy should meet minimum requirements.


The "account lockout threshold" policy should meet minimum requirements.

(1) number of attempts

DEPRECATED in favor of CCE-2628, CCE-2543.

Auditing of "account logon" events on success should be enabled or disabled as appropriate..


CCE-596



CCE-10



CCE-429



CCE-812

Auditing of "account logon" events on failure should be enabled or disabled as appropriate..DEPRECATED in favor of CCE-2000, CCE-1646.

Auditing of "account management" events on success should be enabled or disabled as appropriate..

Auditing of "account management" events on failure should be enabled or disabled as appropriate..DEPRECATED in favor of CCE-2118, CCE-2390.

Auditing of "directory service access" events on success should be enabled or disabled as appropriate..

Auditing of "directory service access" events on failure should be enabled or disabled as appropriate..DEPRECATED in favor of CCE-1686, CCE-1744.

Auditing of "logon" events on success should be enabled or disabled as appropriate..

Auditing of "logon" events on failure should be enabled or disabled as appropriate..DEPRECATED in favor of CCE-2640, CCE-1991.



CCE-966



CCE-874


CCE-2584 enabled/disabledCCE-169 DEPRECATED.

CCE-8



Auditing of "object access" events on success should be enabled or disabled as appropriate..

Auditing of "object access" events on failure should be enabled or disabled as appropriate..DEPRECATED in favor of CCE-2412, CCE-2347.

Auditing of "policy change" events on success should be enabled or disabled as appropriate..

Auditing of "policy change" events on failure should be enabled or disabled as appropriate..DEPRECATED in favor of CCE-2431, CCE-2584.

Auditing of "privilege use" events on success should be enabled or disabled as appropriate..

Auditing of "privilege use" events on failure should be enabled or disabled as appropriate..


Auditing of "process tracking" events on success should be enabled or disabled as appropriate..

Auditing of "process tracking" events on failure should be enabled or disabled as appropriate..

CCE-149



CCE-396

CCE-916

CCE-475

CCE-141

CCE-299

CCE-185 (1) size of file

CCE-285 type of retention


Auditing of "system" events on success should be enabled or disabled as appropriate..

Auditing of "system" events on failure should be enabled or disabled as appropriate..

The "Allow System to be Shut Down Without Having to Log On" policy should be set correctly.

(1) enabled/disabled

The "Decoy Admin Account Not Disabled" policy should be set correctly.


The "Confirm open after download" option should be properly set for all file types.

(1) file type (2) enabled/disabled

The Microsoft Script Runtime library, scrrun.dll, should be registered or not as appropriate.

(1) registered/unregistered

Event Log Settings

The "restrict guest access to application log" policy should be set correctly.


The application log maximum size should be configured correctly..

The "when maximum log size is reached" property should be set correctly for the Application log.

CCE-951 (1) number of days

CCE-462




CCE-726



If the Application log's retention method is set to "Overwrite events by days," an appropriate value should be set for the number of days' logs to keep.

The "restrict guest access to security log" policy should be set correctly.


The security log maximum size should be configured correctly..

The "when maximum log size is reached" property should be set correctly for the Security log.

If the Security log's retention method is set to "Overwrite events by days," an appropriate value should be set for the number of days' logs to keep.

The "restrict guest access to system log" policy should be set correctly.


The system log maximum size should be configured correctly..

The "when maximum log size is reached" property should be set correctly for the System log.





CCE-514

CCE-633

CCE-60

CCE-479

If the System log's retention method is set to "Overwrite events by days," an appropriate value should be set for the number of days' logs to keep.

Password Policy

The "maximum password age" policy should meet minimum requirements.

The "minimum password age" policy should meet minimum requirements.

The "minimum password length" policy should meet minimum requirements. The correct password filtering DLL should be installed.

(1) file name (2) version (3) file size (4) file hash

The "password must meet complexity requirments" policy should be set correctly.


The "enforce password history" policy should meet minimum requirements.

(1) number of passwords remembered

The "store password using reversible encryption for all users in the domain" policy should be set correctly.


Available Network Services

Services Running

CCE-487

CCE-496

CCE-148

CCE-954

CCE-637

CCE-294

CCE-800

CCE-78

CCE-712

CCE-311

The startup type of the Alerter service should be correct.

(1) disabled/manual/automatic

The startup type of the Automatic Update service should be correct.


The startup type of the Background Intelligent Transfer Service (BITS) service should be correct.


The startup type of the ClipBook service should be correct.


DEPRECATED in favor of CCE-232.

The startup type of the Computer Browser service should be correct.


The startup type of the Fast User Switching service should be correct.


The startup type of the Fax service should be correct.


The startup type of the FTP Publishing service should be correct.


The startup type of the IIS Admin service should be correct.


CCE-738

CCE-729

CCE-650

CCE-408

CCE-232

CCE-857

CCE-267

CCE-663

The startup type of the Indexing service should be correct.


The startup type of the Messenger service should be correct.


The startup type of the .NET Framework service should be correct.


The startup type of the Net Logon service should be correct.


The startup type of the NetMeeting Remote Desktop Sharing service should be correct.


The startup type of the Print Services for Unix service should be correct.


The startup type of the Remote Access Auto connection Manager service should be correct.


The startup type of the Remote Desktop Help Session Manager service should be correct.


CCE-672

CCE-73

CCE-223

CCE-522

CCE-531

CCE-870

CCE-975

CCE-892

The startup type of the Internet Connection Sharing service should be correct.


The startup type of the Remote Registry service should be correct.


The startup type of the Routing and Remote Access service should be correct.


The startup type of the Remote Shell service should be correct.


The startup type of the Simple TCP/IP service should be correct.


The startup type of the Simple Mail Transport Protocol (SMTP) service should be correct.


The startup type of the SNMP Service service should be correct.


The startup type of the SNMP Trap Service service should be correct.


CCE-940

CCE-40

CCE-75

CCE-974

CCE-608

CCE-758

CCE-559

CCE-445

CCE-115

The startup type of the SSDP Discovery service should be correct.


The startup type of the Task Scheduler service should be correct.


The startup type of the Telnet service should be correct.


The startup type of the Terminal Services service should be correct.


The startup type of the Universal Plug and Play Device Host (UPnP) service should be correct.


The startup type of the World Wide Web Publishing service should be correct.


The startup type of the Automatic Update service should be correct.


The startup type of the Background Intelligent Transfer Service (BITS) service should be correct.


The startup type of the Print Services for Unix service should be correct.


Service Permissions

CCE-669

CCE-889

CCE-61

CCE-476

CCE-643

CCE-87

CCE-968

CCE-4

CCE-792

CCE-444

The correct service permissions for the Alerter service should be assigned.

(1) set of accounts (2) list of permissions

The correct service permissions for the Automatic Updates service should be assigned.


The correct service permissions for the Background Intelligent Transfer service should be assigned.


The correct service permissions for the ClipBook service should be assigned.


The correct service permissions for the Computer Browser service should be assigned.


The correct service permissions for the Fax service should be assigned.


The correct service permissions for the File Shares service should be assigned.


The correct service permissions for the FTP Publishing service should be assigned.


The correct service permissions for the IIS Admin service should be assigned.


The correct service permissions for the Indexing service should be assigned.


CCE-79

CCE-497

CCE-21

CCE-109

CCE-157

CCE-915

CCE-219

CCE-779

CCE-426

CCE-56

The correct service permissions for the Messenger service should be assigned.


The correct service permissions for the Net Logon service should be assigned.


The correct service permissions for the NetMeeting service should be assigned.


The correct service permissions for the Printer service should be assigned.


The startup type of the Remote Access Auto connection Manager service should be correct.


The correct service permissions for the Remote Desktop Help Session Manager service should be assigned.


The correct service permissions for the Remote Registry service should be assigned.


The correct service permissions for the Routing and Remote Access service should be assigned.


The correct service permissions for the SMTP service should be assigned.


The correct service permissions for the SNMP service should be assigned.


CCE-521

CCE-407

CCE-944

CCE-605

CCE-869

CCE-143

CCE-310

CCE-195

The correct service permissions for the SNMP Trap service should be assigned.


The correct service permissions for the Task Scheduler service should be assigned.


The correct service permissions for the Telnet service should be assigned.


The correct service permissions for the Terminal Services service should be assigned.


The correct service permissions for the Universal Plug and Play service should be assigned.


The correct service permissions for the WWW Publishing service should be assigned.


Security Settings

Major Security Settings

The "Additional restrictions for anonymous connections" policy should be set correctly.


The behavior surrounding Anonymous users' abiliity to display lists of SAM accounts and shares should be correct.

(1) restricted/unrestricted

CCE-318

CCE-953

CCE-983

CCE-142

CCE-653

CCE-464

CCE-332

CCE-499

The behavior surrounding Anonymous users' abiliity to display lists of SAM accounts should be correct.

(1) restricted/unrestricted

The behavior surrounding Anonymous SID/Name translation should be correct.


Minor Security Settings

Additional Registry Settings

The "Anonymous access to the application event log" policy should be set correctly.

(1) exist/not exist (2) enabled/disabled

The "Anonymous access to the system event log" policy should be set correctly.


The "Anonymous access to the security event log" policy should be set correctly.


The "Anonymous access to the registry" policy should be set correctly.


Use of the built-in Guest account should be enabled or disabled as appropriate.


Use of the built-in Administrator account should be enabled or disabled as appropriate.


CCE-23 (1) text caption

CCE-829 (1) text statement

CCE-512

CCE-243

CCE-283

The "Message title for users attempting to log on" policy should be set correctly.

The "Message text for users attempting to log on" policy should be set correctly.

Administrative Shares should be properly configured.

(1) allowed/removed

Automatic Execution of the System Debugger should be properly configured.


Automatic Logon should be properly configured.


CCE-137

CCE-44

CCE-36

CCE-820

CCE-344

CCE-282 (1) enabled/ignored

CCE-150 (1) enabled/ignored

Automatic Reboot After System Crash should be properly configured.


Autoplay on all Drive Types should be properly configured.


Autoplay for Current User should be properly configured.


Autoplay for Default User should be properly configured.


CD-ROM Autorun should be properly configured.


Computer Browser ResetBrowser Frames should be properly configured.

ICMP Redirects should be properly configured.

CCE-564

CCE-952

CCE-501

CCE-536

CCE-65

CCE-544

CCE-580

IP Source Routing should be properly configured.


IRDP should be properly configured.


Kerberos and RSVP Traffic Protected by IPSec should be properly configured.


Dr. Watson Crash Dumps should be properly configured.


Display Last User Name in Logon Screen should be properly configured.


File System Checker and Popups should be properly configured.


System File Checker should be properly configured.


CCE-236 (1) visible/invisible

CCE-139 (1) available/hidden

CCE-897

CCE-188

CCE-333

CCE-751

System File Checker Progress Meter should be properly configured.

System availability to Master Browser should be properly configured.

TCP/IP Dead Gateway Detection should be properly configured.


The TCP/IP KeepAlive Time should be set correctly .

(1) number of milliseconds

The permitted number of TCP/IP Maximum Half-open Sockets should be set correctly .

(1) number of sockets

The permitted number of TCP/IP Maximum Retried Half-open Sockets should be set correctly .

(1) number of sockets

CCE-817

CCE-998

CCE-284

CCE-112 (1) security level

CCE-125 (1) warning level

CCE-156

CCE-601

TCP/IP NetBIOS Name Release on Request Prevented should be properly configured.


TCP/IP PMTU Discovery should be properly configured.


TCP/IP SYN Flood Attack Protection should be properly configured.


Protect Kernel object attributes should be properly configured.

Security Audit log warning level should be properly configured.

Disable saving of dial-up passwords should be properly configured.


The "Secure Channel: Digitally Encrypt Secure Channel Data (When Possible)" policy should be set correctly.


CCE-614

CCE-130

CCE-271

CCE-707

CCE-213

CCE-231 (1) logon type

CCE-50

CCE-81

CCE-896

The "Secure Channel: Digitally Sign Secure Channel Data (When Possible)" policy should be set correctly.



Safe DLL Search Mode should be properly configured.


Always Wait for the Network at Computer Startup and Logon should be properly configured.


Delete Roaming Cached Profiles should be properly configured.


Use Classic Logon should be properly configured.

Background Refresh of Group Policy should be properly configured.


Show Shared Internet Connection Access UI should be properly configured.


Installation and Configuration of Network Bridge on the DNS Domain Network should be properly configured.


CCE-574

CCE-358

CCE-257

CCE-438 (1) valid names

CCE-834 (1) valid names

CCE-222

CCE-2

CCE-905

Disallow Installation of Printers Using Kernel-mode Drivers should be properly configured.



Security Options

The "Allow Server Operators to Schedule Tasks" policy should be set correctly.


The built-in Administrator account should be correctly named.

The built-in Guest account should be correctly named.

The amount of idle time required before disconnecting a session should be set correctly.


The "Audit the access of global system objects" policy should be set correctly.


The "Audit the use of backup and restore privilege" policy should be set correctly.


CCE-133

CCE-719

CCE-275

CCE-402

CCE-410

CCE-76

The "Disable CTRL+ALT+Delete Requirement for Logon" policy should be set correctly.


The "LAN Manager Authentication Level" policy should be set correctly.

(1) authentication level

The "Send LanMan compatible password" setting should be configured correctly.

The "Prevent Users from Installing Printer Drivers" policy should be set correctly.


The "Recovery Console: Allow Automatic Administrative Logon" policy should be set correctly.


The "Recovery Console: Allow Floppy Copy and Access to All Drives and All Folders" policy should be set correctly.


CCE-565

CCE-463

CCE-508

CCE-417

CCE-228

CCE-413 (1) behavior


CCE-814

The "Restrict CD-ROM Access to Locally Logged-On User Only" policy should be set correctly.


The "Restrict Floppy Access to Locally Logged-On User Only" policy should be set correctly.


The "Strengthen Default Permissions of Global System Objects" policy should be set correctly.


The "Secure Channel: Require Strong (Windows 2000 or later) Session Key" policy should be set correctly.


The "Send Unencrypted Password to Connect to Third-Party SMB Servers" policy should be set correctly.


The "Unsigned Driver Installation Behavior" policy should be set correctly.

The "Unsigned Non-Driver Installation Behavior" policy should be set correctly.

The "Users Prompted to Change Password Before Expiration" policy should be set correctly.

(1) number of days prior to expiration

CCE-92

CCE-224

CCE-360

CCE-422

CCE-576

CCE-519

CCE-171

CCE-104

The "Shut Down system immediately if unable to log security audits" policy should be set correctly.


The "Allow System to be Shut Down Without Having to Log On" policy should be set correctly.


The "Automatically Log Off Users When Logon Time Expires (local)" policy should be set correctly.


The "Clear Virtual Memory Pagefile at shutdown" policy should be set correctly.


The "Digitally Sign Client Communication (Always)" policy should be set correctly.


The "Digitally Sign Client Communication (When Possible)" policy should be set correctly.


The "Digitally Sign Server Communication (Always)" policy should be set correctly.


The "Digitally Sign Server Communication (When Possible)" policy should be set correctly.


CCE-773

CCE-919 (1) Group(s)

CCE-549

CCE-161

CCE-918


CCE-831

CCE-368

The "Number of Previous Logons to Cache" policy should be set correctly.

(1) number of logons

The "Allowed to Format and Eject Removable NTFS Media" policy should be set correctly.

The "Secure Channel: Digitally Encrypt or Sign Secure Channel Data (Always)" policy should be set correctly.


The "Secure Channel: Digitally Encrypt Secure Channel Data (When Possible)" policy should be set correctly.


The "Secure Channel: Digitally Sign Secure Channel Data (When Possible)" policy should be set correctly.


The "Smart Card Removal Behavior" policy should be set correctly.

The "Prevent System Maintenance of Computer Account Password" policy should be set correctly.


The "System boot timeout" policy should be set correctly.

(1) number of seconds to wait

CCE-55

CCE-575

CCE-300

CCE-533

CCE-186

CCE-710

The "Use FIPS compliant algorithms for encryption, hashing, and signing" policy should be set correctly.


The "Default owner for objects created by members of the Administrators group" policy should be set correctly.


The "Require Case Insensitivity for Non-Windows Sybsystems" policy should be set correctly.


The "Limit local account user of blank passwords to console logon only" policy should be set correctly.


The "Allow undock without having to logon" policy should be set correctly.


The "LDAP server signing requirements" policy should be set correctly.


CCE-732

CCE-490

CCE-194

CCE-374

CCE-278

CCE-542

The "LDAP client signing requirements" policy should be set correctly.


The "Refuse machine account password change" policy should be set correctly.


The "Maximum machine account password age" policy should be set correctly.


The "Require Domain Controller authentication to unlock workstation" policy should be set correctly.


The "Disconnect clients when logon hours expire" policy should be set correctly.


The "Do not allow storage of credentials or .NET Passports" policy should be set correctly.


CCE-18

CCE-136

CCE-189 (1) set of paths

CCE-942 (1) set of shares

CCE-343

The "Let Everyone permissions apply to anonymous users" policy should be set correctly.


The "Named Pipes that can be accessed anonymously" policy should be set correctly.


The "Remotely accessible registry paths" policy should be set correctly.

The "Shares that can be accessed anonymously" policy should be set correctly.

The "Sharing and security model for local accounts" policy should be set correctly.

(1) Classic/Guest only

CCE-233

CCE-775

CCE-674

CCE-766

CCE-621

CCE-546

Screensaver

The "Do not store LAN Manager hash value on next password change" policy should be set correctly.


The "Force logoff when logon hours expire" policy should be set correctly.


The "Minimum session security for NTLM SSP based clients" policy should be set correctly.


The "Minimum session security for NTLM SSP based servers" policy should be set correctly.


System Requirements – Other

Local volumes should be formatted correctly.

(1) type of formatting

Unused USB Ports should be enabled or disabled as appropriate.


Application Registry Settings

CCE-764

CCE-830 (1) time in seconds

CCE-949

CCE-742

CCE-623


CCE-433

CCE-103

CCE-54

The "Current user screensaver" policy should be set correctly.


The "Current user screensaver timeout" policy should be set correctly.

The "Current user screensaver secure" policy should be set correctly.


The "Current user screensaver active" policy should be set correctly.


The "Default user screensaver" policy should be set correctly.


The "Default user screensaver timeout" policy should be set correctly.

The "Default user screensaver secure" policy should be set correctly.


The "Default user screensaver active" policy should be set correctly.


The "Current user screensaver" policy should be set correctly.



CCE-235

CCE-287

CCE-688 (1) enabled/disabled



CCE-631

CCE-481Installer

CCE-736

The "Current user screensaver timeout" policy should be set correctly.

The "Current user screensaver secure" policy should be set correctly.


The "Current user screensaver active" policy should be set correctly.


The "Hide Screen Saver tab" setting should be configured correctly.

The "password protect the screen saver" setting should be configured correctlyThe "Screen Saver" should be enabled or disabled as appropriate.

The "Screen Saver executable name" setting should be configured correctly.

(1) enabled/disabled (2) path to screensaver executable

The "Screen Saver timeout" should be set correctly.

(1) enabled/disabled (2) number of seconds

The "Always Install with Elevated Privileges" policy should be set correctly.


CCE-261

CCE-415

CCE-794

CCE-107

CCE-256

CCE-662

CCE-424

CCE-455

CCE-124

The "Set Safe for Scripting" policy should be set correctly.


The "Enable User Control Over Installs" policy should be set correctly.


The "Enable User to Browser for Source While Elevated" policy should be set correctly.


The "Enable User to Use Media Source While Elevated" policy should be set correctly.


The "Allow Administrator to Install from Terminal Services Session" policy should be set correctly.


The "Enable User to Patch Elevated Products" policy should be set correctly.


The "Cache Transforms in Secure Location" policy should be set correctly.


Windows MediaPlayer

The "Disable Media Player for automatic updates" policy should be set correctly.


The "Prevent Codec Download" policy should be set correctly for Windows MediaPlayer.


Windows Messenger

CCE-525

CCE-802

CCE-309Task Scheduler

CCE-785

CCE-578

CCE-507

CCE-80

CCE-401

CCE-824

Internet access for Windows Messenger should be configured correctly.


The "Do Not Allow Windows Messenger to be Run" policy should be set correctly.


The "Do Not Automatically Start Windows Messenger" policy should be set correctly.


The "Hide Property Pages" policy should be set correctly for the Task Scheduler.


The "Prohibit New Task Creation" policy should be set correctly for the Task Scheduler.


Terminal Services

The "Limit Users to One Remote Session" policy should be set correctly for Terminal Services.


The "Limit Number of Connections" policy should be set correctly for Terminal Services.

(1) Maximum number of connections allowed

The "Do Not Allow New Client Connections" policy should be set correctly for Terminal Services.


The "Do Not Allow Local Administrators to Customize Permissions" policy should be set correctly for Terminal Services.


CCE-190

CCE-855

CCE-397 (1) encryption level

CCE-670

CCE-961

CCE-920

CCE-123

CCE-524

CCE-568

The "Remote Control Settings" policy should be set correctly for Terminal Services.


The "Always Prompt Client for Password upon Connection" policy should be set correctly for Terminal Services.


The "Set Client connection Encryption Level" policy should be set correctly for Terminal Services.

The "Do not Use Temp folders per Session" policy should be set correctly for Terminal Services.


The "Do not Delete Temp folder on exit" policy should be set correctly for Terminal Services.


The "Set time limit for disconnected sessions" policy should be set correctly for Terminal Services.

(1) Time Limit (minutes)

The "Set time limit for idle sessions" policy should be set correctly for Terminal Services.

(1) Time limit (minutes)

The "Allow Reconnection from Original Client Only" policy should be set correctly for Terminal Services.


The "Terminate session when time limits are reached" policy should be set correctly for Terminal Services.


CCE-705

CCE-859

CCE-434PCHealth

CCE-592Kerberos

CCE-227 -1

CCE-6 -1

CCE-37 -1

CCE-33 -1

CCE-588 -1

CCE-888

The "Enable Keep-Alive Messages" policy should be set correctly for Terminal Services.


The "Allow Solicited Remote Assistance" policy should be set correctly for Terminal Services.


The "Allow Unsolicited Remote Assistance" policy should be set correctly for Terminal Services.


The "Enable Error Reporting" policy should be set correctly.


The "Enforce user logon restrictions" policy should be set correctly.

The "Maximum Service Ticket Litfetime" policy should be set correctly.

The "Maximum User Ticket Lifetime" policy should be set correctly. The "Maximum User Renewal Lifetime" policy should be set correctly.

The "Maximum tolerance for computer clock synchronization" policy should be set correctly.

Public Key Policies

The "Enroll certificates automatically" policy should be set correctly

CCE-627

CCE-513

CCE-676

CCE-63

CCE-628

CCE-777Printers

CCE-367

CCE-420

CCE-526Loopback

CCE-319

CCE-191

The "Renew expired certificates, update pending certificates, and remove revoked certificates" policy should be set correctly

The "Update certificates that use certificate templates" policy should be set correctly

The "Allow users to encrypt files using Encrypting File System (EFS)" policy should be set correctly.

The "Allow users to select new root certification authorities (CAs) to trust" policy should be set correctly.

The "Client computers can trust the following certificate stores" policy should be set correctly.

The "To perform certificate-based authentication of users and computers, CAs must meet the following criteria" policy should be set correctly.

The "Pre-populate printer search location text" setting should be configured correctly.

Removable Storage

Removable storage should have correct permissions setRemovable storage should have correct auditing set

The "User Group Policy loopback processing mode" should be set correctly

XP Service Pack 2

The delivery of XP Service Pack 2 should be set correctly.

SUS Client

CCE-861

CCE-244

CCE-306

CCE-566

CCE-989

CCE-1

CCE-456

CCE-641

CCE-778

CCE-804

CCE-932

CCE-82

The "Allow automatic updates immediate installation" should be set correctlyThe "Automatic Updates detection frequency" should be set correctlyThe "Configure Automatic Updates" should be set correctlyThe "Delay Restart for scheduled installations" should be set correctly

The "Do not adjust default option to 'Install Updates and Shut Down' in Shut Down Windows dialog box" should be set correctly

The "Do not display 'Install Updates and Shut Down' option in Shut Down Windows dialog box" should be set correctlyThe "Enable client-side targeting" should be set correctlyThe "No auto-restart for scheduled Automatic Updates installations

The "Re-prompt for restart with scheduled installations" should be set correctly

The "Reschedule Automatic Updates scheduled installations" should be set correctly

The "Specify intranet Microsoft update service location" should be set correctly

Client Installation Wizard Options

The "Custom Setup" option should be set correctly for the Client Installation Wizard.

CCE-866

CCE-551

CCE-454

CCE-106New for NIST

CCE-383

CCE-304

CCE-458

CCE-740

CCE-22

CCE-828

The "Restart Setup" option should be set correctly for the Client Installation Wizard.

The "Tools" option should be set correctly for the Client Installation Wizard.

Desktop/Active Directory

The "Maximum size of Active Directory searches" should be set correctly

MS Security Bulletin Login Script

The "Run logon scripts visible" setting should be set correctly.

The "Create global objects" user right should be assigned to the correct accounts.

The "Impersonate a client after authentication" user right should be assigned to the correct accounts.

The "DCOM: Machine access Restrictions in Security Descriptor Definition Language (SDDL) syntax" setting should be configured correctly.

The "DCOM: Machine Launch Restrictions in the Security Descriptor Definition Language (SDDL) syntax" security option should be set correctly.

The "Display user information when the session is locked" setting should be configured correctly.

The "Interactive logon: Requre smart card" setting should be configured correctly.

CCE-638

CCE-647

CCE-48

CCE-572

CCE-577

CCE-872

CCE-506 Backup Operators

CCE-990 Power Users

CCE-250 Remote Desktop Users

CCE-43

The "Network access: Restrict anonymous access to named pipes and shares" setting should be configured correctly.

The "System cryptography: Force strong key protection for user keys stored on the computer" setting should be configured correctly.

The "System settings: optional subsystems" setting should be configured correctly.

the "System settings: Use Certificate Rules on Windows Executables for Software Restriction Polices" setting should be configured correctly.

MSS:(TCPMaxConnectResponseRetransmission) SYN-ACK retansmissions when a connection request is not acknowledged

(1) number of seconds

MSS:(TCPMaxDataRetransmissions) How many times unacknowledged data is retransmitted

(1) number of seconds

Application Layer Gateway Service

CCE-167 Application Management

CCE-585 Cryptographic Services

CCE-484 DHCP Client

CCE-651

CCE-303

CCE-436 DNS Client

CCE-774 Error Reporting Service

CCE-435 Event Log

CCE-950 Help and Support

CCE-118

CCE-624

CCE-453 Infrared Monitor

CCE-72 IPSEC Services

CCE-988 Logical Disk Manager

CCE-891

Distributed Link Tracking Client

Distributed Transaction Coordinator

Human Interface Device Access

IMAPI CD-Burning COM Service

Logical Disk Manager Administrative Service

CCE-900

CCE-671 Network Connections

CCE-217

CCE-768

CCE-825

CCE-472

CCE-265

CCE-759

CCE-697 Protected Storage

CCE-706 QoS RSVP

CCE-750

CCE-993

CCE-164

CCE-741 Removable Storage

MS Software Shadow Copy Provider

Network Dynamic Data Exchange (DDE)

Network DDE DDE Share Database Manager (DSDM)

Network Location Awareness (NLA)

NT LM Security Support Provider

Performance Logs and Alerts

Portable Media Serial Number Service

Remote Access Connection Manager

Remote Procedure Call (RPC)

Remote Procedure Call (RPC) Locator

CCE-172 Secondary Logon

CCE-679

CCE-102 Server

CCE-98 Smart Card

CCE-1001 Smart Card Helper

CCE-772 System Event Notification

CCE-450 System Restore Service

CCE-665 TCP/IP NetBIOS Helper

CCE-428 Telephony

CCE-956 Themes

CCE-366

CCE-652 Upload Manager

CCE-538 Volume Shadow Copy

CCE-305 WebClient

CCE-851 Windows Audio

CCE-234

CCE-890 Windows Installer

Security Accounts Manager

Uninterruptable Power Supply

Windows Image Acquisition (WIA)

CCE-912

CCE-815

CCE-560 Windows Time

CCE-604

CCE-745

CCE-296 Workstation

CCE-511 (1) reg_dword

New For CIS CCE-145 (1) enabled/disabled





Windows Management Instrumentation

Windows Management Instrumentation Driver Extensions

Wireless Zero Configuration

WMI Performance Adapter

MSS: (NtfsDisable8dot3NameCreation) Enable the computer to stop generating 8.3 style filenames.

RPC Endpiont Mapper Client Authentication (SP2 only)

Restrictions for Unauthenticated RPC clients (SP2 only)

New For CIS (SP2 firewall)

Domain Profile: Protect all network connections (SP2 only)Domain Profile: Do not allow exceptions (SP2 only)

Domain Profile: Allow local program exceptions

CCE-771



CCE-832




CCE-793 (1) File path

Domain Profile: Allow remote administration

(1) enabled/disabled (2) subnets for internal support only

Domain Profile: Allow file and printer sharing exception (SP2 only)Domain Profile: Allow ICMP exceptions (SP2 only)

Domain Profile: Allow Remote Desktop exception (SP2 only)

(1) enabled/disabled (2) subnets for internal support only

Domain Profile: Allow UPnP framework exception (SP2 only)

The "Windows Firewall: Prohibit notifications" setting should be configured correctly for the Domain Profile.

The "Log Dropped Packets" option for the Windows Firewall should be configured correctly for the Domain Profile.

The log file path and name for the Windows Firewall should be configured correctly for the Domain Profile.

CCE-57 (1) Size limit (KB)










The log file size limit for the Windows Firewall should be configured correctly for the Domain Profile.

The "Log Successful Connections" option for the Windows Firewall should be configured correctly for the Domain Profile.

Unicast response to multicast or broadcast requests should be enabled or disabled as appropriate for the Domain Profile.

Domain Profile: Define port exceptions (SP2 only)

Domain Profile: Allow local port exceptions (SP2 only)

Standard Profile: Protect all network connections (SP2 only)Standard Profile: Do not allow exceptions (SP2 only)

Standard Profile: Allow local program exceptions (SP2 only)

Standard Profile: Allow remote administration exception (SP2 only)

Standard Profile: Allow file and printer sharing exception (SP2 only)

CCE-797





CCE-609 (1) file path




Standard Profile: Allow ICMP exceptions (SP2 only)

(1) enabled/ Allow outboud source quench, Allow inbound echo request, Allow outbound packet too big

Standard Profile: Allow Remote Desktop exception (SP2 only)

Standard Profile: Allow UPnP framework exception (SP2 only)

The "Windows Firewall: Prohibit notifications" setting should be configured correctly for the Standard Profile.

The "Log Dropped Packets" option for the Windows Firewall should be configured correctly for the Standard Profile.

The log file path and name for the Windows Firewall should be configured correctly for the Standard Profile.

The log file size limit for the Windows Firewall should be configured correctly for the Standard Profile.

The "Log Successful Connections" option for the Windows Firewall should be configured correctly for the Standard Profile.

Unicast response to multicast or broadcast requests should be enabled or disabled as appropriate for the Standard Profile.




CCE-301

CCE-418CCE-2188

CCE-2258

CCE-1298

CCE-2166

CCE-1786

CCE-831

CCE-146

CCE-2065

CCE-1988

CCE-1984

Standard Profile: Define port exceptions (SP2 only)

Standard Profile: Allow local port exceptions (SP2 only)

The startup type of the Internet Connection Firewall service should be correct. Restricted Groups have been set on the system

(1) Group enumeration

MSS: TCPMaxPortsExhausted, How many dropped connect requests to initiate SYN attack protection.POSIX Subsystem File ComponentsDistributed Link Tracking Server Service DisabledLicense LoggingService DisabledNetwork News Transport Protocol Service Disabled

Resultant Set of Policy Provider Service Disabled

Resetting Computer Account Password RequirementsIE - Security Zones: Do Not Allow Users to Add/Delete Sites Requirements

OS/2 Subsystem Registry Keys Installed Requirements

POSIX Subsystem Registry Keys Installed RequirementsRecycle Bin Configured to Delete Files (Servers) Requirements

CCE-2253

Vista

CCE-249

CCE-485

CCE-400

CCE-584

CCE-7

CCE-29

CCE-32

CAC logon required (NIPRNet only) Requirement

Domain Profile - Inbound Connections

Domain Profile - Outbound Connections

Domain Profile - Apply Local Firewall Rules

Domain Profile - Apply Local Connection Security Rules

Private Profile- Firewall State

Private Profile - Inbound Connections

Private Profile - Outbound Connections

CCE-38


CCE-117

CCE-199

CCE-295

CCE-338

CCE-342

User notifications when a program is blocked from receiving inbound connections by Windows Firewall should be enabled or disabled as appropriate for the Private Profile.

yes/no/not configured

Unicast response to multicast or broadcast requests should be enabled or disabled as appropriate for the Private Profile.

Private Profile - Apply Local Firewall Rules

Private Profile - Apply Local Connection Security Rules

Public Profile- Firewall State

Public Profile - Inbound Connections

Public Profile - Outbound Connections

CCE-390


CCE-421

CCE-437

CCE-503

CCE-583

CCE-584

CCE-691

User notifications when a program is blocked from receiving inbound connections by Windows Firewall should be enabled or disabled as appropriate for the Public Profile.


Unicast response to multicast or broadcast requests should be enabled or disabled as appropriate for the Public Profile.

Public Profile - Apply Local Firewall Rules

Public Profile - Apply Local Connection Security Rules

Logon - Do not process the legacy run list

Logon - Do not process the run once list

Group Policy - Registry policy processing

Turn off Internet download for Web publishing and online ordering wizards

CCE-722

CCE-818

CCE-852

CCE-887

CCE-927

CCE-935

CCE-255

CCE-466

CCE-11 Add-on List

CCE-976

CCE-648

CCE-405

Turn off the Windows Messenger Customer Experience Improvement Program

Turn off Search Companion content file updates

Turn off printing over HTTP

Turn off downloading of print drivers over HTTP

Turn off Windows Update device driver searching

Enumerate administrator accounts on elevation

Require trusted path for credential entry

Deny all add-ons unless specifically allowed in the Add-on List

The "Do not allow passwords to be saved" setting should be configured correctly for Terminal Services.

The "Do not allow drive redirection" setting should be configured correctly for Terminal Services.

Access to registry editing tools is set correctly.

CCE-509

CCE-12

CCE-58

CCE-372

CCE-886

CCE-111






Prompt for password on resume from hibernate/suspend is set correctly.

Do not preserve zone information in file attachments is set correcly.

Hide mechanisms to remove zone information is set correcly.

Notify antivirus programs when opening attachments is set correcly.

Outlook Express attachment blocking is set correctly.

Audit: Force audit policy subcategory settings are set correcly.

The "Log Access For Setup Log" setting should be configured correctly.

The startup type of the Windows Search service should be configured correctly.

The startup type of Microsoft Peer-to-Peer Networking Services should be configured correctly.

The "Prohibit Access of the Windows Connect Now Wizards" setting should be configured correctly.

The "Allow remote access to the PnP interface" setting should be configured correctly.











The "Do not create system restore point when new device driver installed" setting should be configured correctly.

The "Do not send a Windows Error Report when a generic driver is installed on a device" setting should be configured correctly.

The "Turn Off Access to All Windows Update Feature" setting should be configured correctly.

The "Turn Off Automatic Root Certificates Update" setting should be configured correctly.

The "Turn Off Event Views 'Events.asp' Links" setting should be configured correctly.

The "Turn Off Handwriting Reconition Error Reporting" setting should be configured correctly.

The "Turn Off Help and Support Center "Did You Know?" Content" setting should be configured correctly.

The "Turn Off Help and Support Center Microsoft Knowledge Base Search" setting should be configured correctly.

The "Turn Off Internet Connection Wizard if URL Connection is Referring to Microsoft.com" setting should be configured correctly.

The "Turn Off Internet File Association Service" setting should be configured correctly.











The "Turn Off Registration if URL Connection is Referring to Microsoft.com" setting should be configured correctly.

The "Turn Off the 'Order Prints' Picture Task" setting should be configured correctly.

The "Turn off the 'Publish to Web' task for files and folders" setting should be configured correctly.

The "Turn Off Windows Movies Maker Automatic Codec Downloads" setting should be configured correctly.

The "Turn Off Windows Movie Maker Online Web Links" setting should be configured correctly.

The "Turn Off Windows Movie Maker Saving to Online Video Hosting Provider" setting should be configured correctly.

The "Don't Display the Getting Started Welcome Screen at Logon" setting should be configured correctly.

The "Turn off Windows Startup Sound" setting should be configured correctly.

The "Require a Password when a Computer Wakes (On Battery)" setting should be configured correctly.

The "Require a Password when a Computer Wakes (Plugged)" setting should be configured correctly.














The "Allow only Vista or later connections" setting should be configured correctly.

The "Customization Warning Messages" setting should be configured correctly.

The "Turn on bandwidth optimization" setting should be configured correctly.The "Turn on session logging" setting should be configured correctly.

The "Prevent IIS Installation" setting should be configured correctly.The "Turn off Active Help" setting should be configured correctly.The "Turn off Untrusted Content" setting should be configured correctly.

The "Turn off downloading of enclosures" setting should be configured correctly.

The "Allow indexing of encrypted files" setting should be configured correctly.

The "Prevent indexing uncached Exchange folders" setting should be configured correctly.The "Turn off Windows Calendar" setting should be configured correctly.

The "Allow Corporate redirection of Customer Experience Improvement uploads" setting should be configured correctly.The "Turn off Windows Defender" setting should be configured correctly.












The "Turn off Heap termination on corruption" setting should be configured correctly.

The "Turn off shell protocol protected mode" setting should be configured correctly.

The "Prohibit non-administrators from applying vendor signed updates" setting should be configured correctly.

The "Report Logon Server Not Available During User logon" setting should be configured correctly.

The "Turn off the communitication features" setting should be configured correctly.

The "Turn off Windows Mail application" setting should be configured correctly.

The "Prevent Windows Media DRM Internet Access" setting should be configured correctly.

The "Turn off Windows Meeting Space" setting should be configured correctly.

The "Turn on Windows Meeting Space audting" setting should be configured correctly.

The "Disable unpacking and installation of gadgets that are not digitally signed" setting should be configured correctly.

The "Override the More Gadgets Link" setting should be configured correctly.





CCE-1293 enabled/disabledOffice 2007

2003/2007 CCE-116 enabled/disabled

2003/2007 CCE-908

The "Turn Off User Installed Windows Sidebar Gadgets" setting should be configured correctly.

The "Do not allow Digital Locker to run" setting should be configured correctly.

The "Turn Off Downloading of Game Information" setting should be configured correctly.

The "IPv6 Block of Protocols 41" setting should be configured correctly.

The "IPv6 Block of UDP 3544" setting should be configured correctly.

The "Disable VBA for Office applications" setting should be configured correctly.

The "ActiveX Control Initialization:" setting should be configured correctly.

1 = Do not prompt | 4 = Prompt user to use control defaults | 6 = Prompt user to use persisted data

2007 CCE-184 enabled/disabled


2007 CCE-967

2007 CCE-427

2007 CCE-649

The "Enable Customer Experience Improvement Program" setting should be configured correctly.

The "Enable Customer Experience Improvement Program" setting should be configured correctly.

The "Online content options" setting should be configured correctly.

0 = Never show online content or entry points | 1 = Search only offline content whenever available | 2 = Search online content whenever available

The "VBA Macro Warning Settings" setting should be configured correctly for Access 2007.

1 = No Security checks for macros | 2 = Trust Bar warning for all macros | 3 = Trust Bar warning for digitally signed macros only | 4 = No Warnings for all macros but disable all macros

The "VBA Macro Warning Settings" setting should be configured correctly for Excel 2007.



2007 CCE-567



2003/2007 CCE-786

The "Trust access to Visual Basic Project" setting should be configured correctly for Excel 2007 and 2003.

The "VBA Macro Warning Settings" setting should be configured correctly for PowerPoint 2007.


The "Trust access to Visual Basic Project" setting should be configured correctly for PowerPoint 2007.

The "Disable Remember Password" setting should be configured correctly.

The "Configure Add-In Trust Level" setting should be configured correctly.

0 = Trust all or use Exchange settings if present | 1 = Trust all loaded and installed COM addins | 2 = Do NOT trust loaded and installed COM addins







The "Disable 'Remember password' for Internet e-mail accounts" setting should be configured correctly.

The "Minimum encryption settings" setting should be configured correctly.

The "Do not check e-mail address against address of certificates being using" setting should be configured correctly.

The "Send all signed messages as clear signed messages" setting should be configured correctly.

The "Request an S/MIME receipt for all S/MIME signed messages" setting should be configured correctly.

The "Do not display 'Publish to GAL' button" setting should be configured correctly.

2003/2007 CCE-700


2007 CCE-395

2007 CCE-659

The "Signature Warning" setting should be configured correctly.

0 = Let user decide if they want to be warned | 1 = Always warn about invalid signatures | 2 = Never warn about invalid signatures

The "Enable Cryptography Icons" setting should be configured correctly.

The "Retrieving CRLs (Certificate Revocation Lists)" setting should be configured correctly.

0 = Use system Default | 1 = When online always retreive the CRL | 2 = Never retreive the CRL

The "VBA Macro Warning Settings" setting should be configured correctly for Word 2007.





2007 CCE-1395

enabled/disabled

2007 CCE-1137

enabled/disabled

The "Trust access to Visual Basic Project" setting should be configured correctly for Word 2007 and 2003.

The "Warn before printing, saving or sending a file that contains tracked changes or comments" setting should be configured correctly.

The "Block updates from the Office Update Site from applying" setting should be configured correctly.

ms user config

The "Underline hyperlinks" setting should be configured correctly for Access 2007.

The "Number of documents in the Recent Documents list (0-9)" setting should be configured correctly for Access 2007.

2007 CCE-1423

enabled/disabled

2007 CCE-1238

enabled/disabled

2007 CCE-1476

enabled/disabled

2007 CCE-1520

enabled/disabled

2007 CCE-780

enabled/disabled

2007 CCE-1214

enabled/disabled

2007 CCE-1370

enabled/disabled

2007 CCE-1268

enabled/disabled

The "Disable Trust Bar Notification for unsigned application add-ins" setting should be configured correctly for Access 2007.

The "Disable all application add-ins" setting should be configured correctly for Access 2007.

The "Require that application add-ins are signed by Trusted Publisher" setting should be configured correctly for Access 2007.

The "Disable all trusted locations" setting should be configured correctly for Access 2007.

The "Allow Trusted Locations not on the computer" setting should be configured correctly for Access 2007.

The "Modal Trust Decision Only" setting should be configured correctly for Access 2007.

The "Disable commands" setting should be configured correctly for Access 2007.

The "Disable commands - Office Button | E-Mail" setting should be configured correctly for Access 2007.

2007 CCE-1400

enabled/disabled

2007 CCE-1440

enabled/disabled

2007 CCE-581

enabled/disabled

2007 CCE-1480

enabled/disabled

2007 CCE-1489

enabled/disabled

2007 CCE-1392

enabled/disabled

The "Disable commands - Office Button | Access Options | Customize | All Commands | Insert Hyperlink" setting should be configured correctly for Access 2007.

The "Disable commands - Database Tools | Database Tools | Encrypt with Password" setting should be configured correctly for Access 2007.

The "Disable commands - Database Tools | Administer | Users and Permission | User and Group Permissions" setting should be configured correctly for Access 2007.

The "Disable commands - Database Tools | Administer | Users and Permissions | User and Group Accounts" setting should be configured correctly for Access 2007.

The "Disable commands - Database Tools | Administer | Users and Permission | User-Level Security Wizard..." setting should be configured correctly for Access 2007.

The "Disable commands - Database Tools | Database Tools | Encode/Decode Database" setting should be configured correctly for Access 2007.

2007 CCE-1414

enabled/disabled

2007 CCE-1418

enabled/disabled

2007 CCE-1405

enabled/disabled

2007 CCE-1550

enabled/disabled

2007 CCE-1075

enabled/disabled

2007 CCE-709

enabled/disabled

2007 CCE-1502

enabled/disabled

2007 CCE-1260

enabled/disabled

The "Disable commands - Database Tools | Macro | Visual Basic" setting should be configured correctly for Access 2007.

The "Disable commands - Database Tools | Macro | Run Macro" setting should be configured correctly for Access 2007.

The "Database Tools | Macro | Convert Macros to Visual Basic" setting should be configured correctly for Access 2007.

The "Database Tools | Macro | Create Shortcut Menu from Macro" setting should be configured correctly for Access 2007.

The "Disable shortcut keys" setting should be configured correctly for Access 2007.

The "Disable commands - Ctrl+K (Office Button | Access Options | Customize | All Commands | Insert Hyperlinks)" setting should be configured correctly for Access 2007.

The "Disable commands - Alt+F11 (Database Tools | Macro | Visual Basic)" setting should be configured correctly for Access 2007.

The "Default file format (Access 2007 | Access 2002-2003)" setting should be configured correctly for Access 2007.

2007 CCE-1510

enabled/disabled

2007 CCE-1532

enabled/disabled

2007 CCE-1039

enabled/disabled

2007 CCE-1295

enabled/disabled

2007 CCE-1334

enabled/disabled

2007 CCE-1308

enabled/disabled

2007 CCE-616

enabled/disabled

The "Do not prompt to convert older databases" setting should be configured correctly for Access 2007.

The "Internet and network paths as hyperlinks" setting should be configured correctly for Excel 2007.

The "Save Excel files as (Excel Workbook (*.xlsx) | Excel Macro-Enabled Workbook (*.xlsm) | Excel Binary Workbook (*.xlsb) | Web Page (*.htm; *.html) | Excel 97-2003 Workbook (*.xls) | Excel 5.0/95 Workbook (*.xls))" setting should be configured correctly for Excel 2007.

The "Disable AutoRepublish" setting should be configured correctly for Excel 2007.

The "AutoRepublish Warning Alert (Always show the alert before publishing | Never show the alert before publishing)" setting should be configured correctly for Excel 2007.

The "Determine whether to force encrypted macros to be scanned in Microsoft Excel Open XML workbooks" setting should be configured correctly

The "Force file extension to match file type (Allow different | Allow different, but warn | Always match file type)" setting should be configured correctly for Excel 2007.

2007 CCE-1246

enabled/disabled

2007 CCE-1251

enabled/disabled

2007 CCE-1524

enabled/disabled

2007 CCE-1422

enabled/disabled

2007 CCE-1444

enabled/disabled

2007 CCE-1449

enabled/disabled

2007 CCE-1471

enabled/disabled

2007 CCE-1119

enabled/disabled

2007 CCE-1378

enabled/disabled

The "Store macro in Personal Macro Workbook by default" setting should be configured correctly

The "Disable all application add-ins" setting should be configured correctly for Excel 2007.

The "Require that application add-ins are signed by Trusted Publisher" setting should be configured correctly for Excel 2007.

The "Disable Trust Bar Notification for unsigned application add-ins" setting should be configured correctly for Excel 2007.

The "Allow Trusted Locations not on the computer" setting should be configured correctly for Excel 2007.

The "Disable all trusted locations" setting should be configured correctly for Excel 2007.

The "Ignore other applications " setting should be configured correctly for Excel 2007.

The "Ask to update automatic links" setting should be configured correctly for Excel 2007.

The "Number of documents in the Recent Documents list (0-17)" setting should be configured correctly for Excel 2007.

2007 CCE-1277

enabled/disabled

2007 CCE-1464

enabled/disabled

2007 CCE-1094

enabled/disabled

2007 CCE-1129

enabled/disabled

2007 CCE-1389

enabled/disabled

2007 CCE-1433

enabled/disabled

2007 CCE-1323

enabled/disabled

2007 CCE-1469

enabled/disabled

The "Save any additional data necessary to maintain formulas" setting should be configured correctly for Excel 2007.

The "Load pictures from Web pages not created in Excel" setting should be configured correctly for Excel 2007.

The "Do not show data extraction options when opening corrupt workbooks" setting should be configured correctly for Excel 2007.

The "Assume structured storage format of workbook is intact when recovering data" setting should be configured correctly for Excel 2007.

The "Corrupt formula conversion (Convert unrecoverable references to: values | #REF or #NAME)" setting should be configured correctly for Excel 2007.

The "Connection File Locations" setting should be configured correctly for Excel 2007.

The "Automatic Query Refresh (Prompt for all workbooks | Do not prompt; do not allow auto refresh | Do not prompt; allow auto refresh)" setting should be configured correctly for Excel 2007.

The "Disable commands" setting should be configured correctly for Excel 2007.

2007 CCE-1473

enabled/disabled

2007 CCE-1499

enabled/disabled

2007 CCE-1024

enabled/disabled

2007 CCE-1530

enabled/disabled

2007 CCE-1120

enabled/disabled

2007 CCE-1252

enabled/disabled

2007 CCE-1151

enabled/disabled

2007 CCE-1301

enabled/disabled

The "Disable commands - Office Button | Excel Options | Customize | All Commands | Save as Web Page" setting should be configured correctly for Excel 2007.

The "Disable commands - Office Button | Excel Options | Customize | All Commands | Web Page Preview" setting should be configured correctly for Excel 2007.

The "Disable commands - Office Button | Send | Email" setting should be configured correctly for Excel 2007.

The "Disable commands - Insert | Links | Hyperlink" setting should be configured correctly for Excel 2007.

The "Disable commands - Review | Changes | Protect Sheet" setting should be configured correctly for Excel 2007.

The "Disable commands - Review | Changes | Protect Workbook" setting should be configured correctly for Excel 2007.

The "Disable commands - Review | Changes | Protect and Share Workbook" setting should be configured correctly for Excel 2007.

The "Disable commands - View | Macros | Macros" setting should be configured correctly for Excel 2007.

2007 CCE-1310

enabled/disabled

2007 CCE-1213

enabled/disabled

2007 CCE-1362

enabled/disabled

2007 CCE-1156

enabled/disabled

2007 CCE-1429

enabled/disabled

2007 CCE-1182

enabled/disabled

2007 CCE-1525

enabled/disabled

2007 CCE-1547

enabled/disabled

The "Disable commands - Developer | Code | Macros" setting should be configured correctly for Excel 2007.

The "Disable commands - Developer | Code | Record Macro" setting should be configured correctly for Excel 2007.

The "Disable commands - Developer | Code | Macro Security" setting should be configured correctly for Excel 2007.

The "Disable commands - Developer | Code | Visual Basic" setting should be configured correctly for Excel 2007.

The "Disable commands - Office Button | Excel Options | Customize | All Commands | Document Location" setting should be configured correctly for Excel 2007.

The "Disable shortcut keys" setting should be configured correctly for Excel 2007.

The "Disable shortcut keys - Ctrl+K (Insert | Links | Hyperlink)" setting should be configured correctly for Excel 2007.

The "Disable shortcut keys - Alt+F8 (Developer | Code | Macros)" setting should be configured correctly for Excel 2007.

2007 CCE-1300

enabled/disabled

2007 CCE-1331

enabled/disabled

2007 CCE-1468

enabled/disabled

2007 CCE-1490

enabled/disabled

2007 CCE-1512

enabled/disabled

2007 CCE-1543

enabled/disabled

2007 CCE-1195

enabled/disabled

2007 CCE-554

enabled/disabled

2007 CCE-1415

enabled/disabled

The "Disable shortcut keys - Alt+F11 (Developer | Code | Visual Basic)" setting should be configured correctly for Excel 2007.

The "Block opening of pre-release versions of file formats new to Excel 2007" setting should be configured correctly for Excel 2007.

The "Block opening of Open XML file types" setting should be configured correctly for Excel 2007.

The "Block opening of Binary 12 file types" setting should be configured correctly for Excel 2007.

The "Block opening of Binary file types" setting should be configured correctly for Excel 2007.

The "Block opening of Html and Xmlss files types" setting should be configured correctly for Excel 2007.

The "Block opening of Xml file types" setting should be configured correctly for Excel 2007.

The "Block opening of DIF and SYLK file types" setting should be configured correctly for Excel 2007.

The "Block opening of Text file types" setting should be configured correctly for Excel 2007.

2007 CCE-1437

enabled/disabled

2007 CCE-1446

enabled/disabled

2007 CCE-1098

enabled/disabled

2007 CCE-562

enabled/disabled

2007 CCE-1507

enabled/disabled

2007 CCE-1406

enabled/disabled

2007 CCE-573

enabled/disabled

2007 CCE-1336

enabled/disabled

2007 CCE-1230

enabled/disabled

2007 CCE-1375

enabled/disabled

The "Block opening of Xll file type" setting should be configured correctly for Excel 2007.

The "Block saving of Open Xml file types" setting should be configured correctly for Excel 2007.

The "Block saving of Binary12 file types" setting should be configured correctly for Excel 2007.

The "Block saving of Binary file types" setting should be configured correctly for Excel 2007.

The "Block saving of Html and Xmlss file types" setting should be configured correctly for Excel 2007.

The "Block saving Xml file types" setting should be configured correctly for Excel 2007.

The "Block saving DIF and SYLK file types" setting should be configured correctly for Excel 2007.

The "Block saving of Text file types" setting should be configured correctly for Excel 2007.

The "Locally cache network file storages" setting should be configured correctly for Excel 2007.

The "Locally cache PivotTable reports" setting should be configured correctly for Excel 2007.

2007 CCE-1380

enabled/disabled

2007 CCE-1376

enabled/disabled

2007 CCE-1398

enabled/disabled

2007 CCE-569

enabled/disabled

2007 CCE-1065

enabled/disabled

2007 CCE-1361

enabled/disabled

2007 CCE-1096

enabled/disabled

2007 CCE-1391

enabled/disabled

The "OLAP PivotTable User Defined Function (UDF) security setting (Allow ALL UDFs | Allow safe UDFs only | Allow NO UDFs)" setting should be configured correctly for Excel 2007.

The "Recognize SmartTags" setting should be configured correctly for Excel 2007.

The "Number of documents in the Recent Documents list (0 - 9)" setting should be configured correctly for InfoPath 2007.

The "Offline Mode status (Disabled | Enabled, InfoPath in Offline Mode | Enabled, InfoPath not in Offline Mode)" setting should be configured correctly for InfoPath 2007.

The "Disable commands" setting should be configured correctly for InfoPath 2007.

The "Disable commands - File | Print" setting should be configured correctly for InfoPath 2007.

The "Disable commands - File | Send to Mail Recipient" setting should be configured correctly for InfoPath 2007.

The "Disable commands - File | Open from SharePoint Site" setting should be configured correctly for InfoPath 2007.

2007 CCE-1519

enabled/disabled

2007 CCE-1523

enabled/disabled

2007 CCE-1171

enabled/disabled

2007 CCE-1457

enabled/disabled

2007 CCE-1426

enabled/disabled

2007 CCE-805

enabled/disabled

2007 CCE-1453

enabled/disabled

2007 CCE-1351

enabled/disabled

The "Disable commands - File | Print Preview" setting should be configured correctly for InfoPath 2007.

The "Disable commands - File | Page Setup" setting should be configured correctly for InfoPath 2007.

The "Disable commands - Insert | Hyperlinks..." setting should be configured correctly for InfoPath 2007.

The "Disable commands - Tools | Set Language" setting should be configured correctly for InfoPath 2007.

The "Disable commands - Tools | Customize..." setting should be configured correctly for InfoPath 2007.

The "Disable commands - Tools | Options..." setting should be configured correctly for InfoPath 2007.

The "Disable commands - Help | Microsoft Office Online" setting should be configured correctly for InfoPath 2007.

The "Disable commands - Office Diagnostics" setting should be configured correctly for InfoPath 2007.

2007 CCE-620

enabled/disabled

2007 CCE-1017

enabled/disabled

2007 CCE-1021

enabled/disabled

2007 CCE-1299

enabled/disabled

2007 CCE-1197

enabled/disabled

2007 CCE-704

enabled/disabled

2007 CCE-1105

enabled/disabled

2007 CCE-1114

enabled/disabled

The "Disable commands - Help | Activate Product..." setting should be configured correctly for InfoPath 2007.

The "Disable commands - Print Default" setting should be configured correctly for InfoPath 2007.

The "Disable shortcut keys" setting should be configured correctly for InfoPath 2007.

The "Disable shortcut keys - Print Shortcut (Ctrl+P)" setting should be configured correctly for InfoPath 2007.

The "Disable shortcut keys - Insert Hyperlink Shortcut (Ctrl+K)" setting should be configured correctly for InfoPath 2007.

The "Control behavior for Windows SharePoint Services gradual upgrade (Allow redirections to any location | Allow redirections to Intranet only | Block all redirections)" setting should be configured correctly for InfoPath 2007.

The "Disable opening of solutions from the Internet security zone" setting should be configured correctly for InfoPath 2007.

The "Disable fully trusted solutions full access to computer" setting should be configured correctly for InfoPath 2007.

2007 CCE-761

enabled/disabled

2007 CCE-739

enabled/disabled

2007 CCE-1259

enabled/disabled

2007 CCE-1267

enabled/disabled

2007 CCE-1060

enabled/disabled

2007 CCE-955

enabled/disabled

2007 CCE-1479

enabled/disabled

2007 CCE-1360

enabled/disabled

The "Allow the use of ActiveX Custom Controls in InfoPath forms" setting should be configured correctly for InfoPath 2007.

The "Run forms in restricted mode if they do not specify a publish location and use only features introduced before InfoPath 2003 SP1" setting should be configured correctly for InfoPath 2007.

The "Allow file types as attachments to forms" setting should be configured correctly for InfoPath 2007.

The "Block specific file types as attachments to forms" setting should be configured correctly for InfoPath 2007.

The "Prevent users from allowing unsafe file types to be attached to forms" setting should be configured correctly for InfoPath 2007.

The "Display a warning that a form is digitally signed" setting should be configured correctly for InfoPath 2007.

The "Control behavior when opening forms in the Internet security zone (Block | Prompt | Allow)" setting should be configured correctly for InfoPath 2007.

The "Control behavior when opening forms in the Intranet security zone (Block | Prompt | Allow)" setting should be configured correctly for InfoPath 2007.

2007 CCE-1386

enabled/disabled

2007 CCE-893

enabled/disabled

2007 CCE-1290

enabled/disabled

2007 CCE-1381

enabled/disabled

2007 CCE-1135

enabled/disabled

2007 CCE-1157

enabled/disabled

The "Control behavior when opening forms in the Local Machine security zone (Block | Prompt | Allow)" setting should be configured correctly for InfoPath 2007.

The "Control behavior when opening forms in the Trusted Site security zone (Block | Prompt | Allow)" setting should be configured correctly for InfoPath 2007.

The "Beaconing UI for forms opened in InfoPath (Never show beaconing UI | Always show beaconing UI | Show UI if Form Template is from Internet Zone)" setting should be configured correctly for InfoPath 2007.

The "Beaconing UI for forms opened in InfoPath Editor ActiveX (Never show beaconing UI | Always show beaconing UI | Show UI if Form Template is from Internet Zone)" setting should be configured correctly for InfoPath 2007.

The "Disable all application add-ins" setting should be configured correctly for InfoPath 2007.

The "Require that application add-ins are signed by Trusted Publisher" setting should be configured correctly for InfoPath 2007.

2007 CCE-1434

enabled/disabled

2007 CCE-1315

enabled/disabled

2007 CCE-1210

enabled/disabled

2007 CCE-1236

enabled/disabled

2007 CCE-884

enabled/disabled

2007 CCE-1518

enabled/disabled

2007 CCE-1170

enabled/disabled

The "Disable Trust Bar Notification for unsigned application add-ins" setting should be configured correctly for InfoPath 2007.

The "Control behavior when opening InfoPath e-mail forms containing code or script (Run without prompting | Prompt before running | Never run)" setting should be configured correctly for InfoPath 2007.

The "Disable sending form template with e-mail forms" setting should be configured correctly for InfoPath 2007.

The "Disable dynamic caching of the form template in InfoPath e-mail forms" setting should be configured correctly for InfoPath 2007.

The "Disable sending InfoPath 2003 Forms as e-mail forms" setting should be configured correctly for InfoPath 2007.

The "Disable e-mail forms running in restricted security level" setting should be configured correctly for InfoPath 2007.

The "Disable e-mail forms from the Internet security zone" setting should be configured correctly for InfoPath 2007.

2007 CCE-1316

enabled/disabled

2007 CCE-1567

enabled/disabled

2007 CCE-1265

enabled/disabled

2007 CCE-1538

enabled/disabled

2007 CCE-1564

enabled/disabled

2007 CCE-1212

enabled/disabled

2007 CCE-1344

enabled/disabled

2007 CCE-723

enabled/disabled

The "Disable e-mail forms from the Intranet security zone" setting should be configured correctly for InfoPath 2007.

The "Disable e-mail forms from the Full Trust security zone" setting should be configured correctly for InfoPath 2007.

The "Disable InfoPath e-mail forms in Outlook" setting should be configured correctly for InfoPath 2007.

The "Information Rights Management" setting should be configured correctly for InfoPath 2007.

The "Custom code" setting should be configured correctly for InfoPath 2007.

The "Email Forms Beaconing UI (Never show UI | Always show UI | Show UI if XSN is in Internet Zone)" setting should be configured correctly for InfoPath 2007.

The "Disable user customization of Quick Access Toolbar via UI" setting should be configured correctly

The "Disable user customization of Quick Access Toolbar via UI - Disallow in Word" setting should be configured correctly

2007 CCE-1384

enabled/disabled

2007 CCE-1159

enabled/disabled

2007 CCE-1146

enabled/disabled

2007 CCE-1542

enabled/disabled

2007 CCE-582

enabled/disabled

2007 CCE-1291

enabled/disabled

2007 CCE-1326

enabled/disabled

2007 CCE-1330

enabled/disabled

The "Disable user customization of Quick Access Toolbar via UI - Disallow in Excel" setting should be configured correctly

The "Disable user customization of Quick Access Toolbar via UI - Disallow in PowerPoint" setting should be configured correctly

The "Disable user customization of Quick Access Toolbar via UI - Disallow in Access" setting should be configured correctly

The "Disable user customization of Quick Access Toolbar via UI - Disallow in Outlook" setting should be configured correctly

The "Disable all user customization of Quick Access Toolbar" setting should be configured correctly

The "Disable all user customization of Quick Access Toolbar - Disallow in Word" setting should be configured correctly

The "Disable all user customization of Quick Access Toolbar - Disallow in Excel" setting should be configured correctly

The "Disable all user customization of Quick Access Toolbar - Disallow in PowerPoint" setting should be configured correctly

2007 CCE-1335

enabled/disabled

2007 CCE-1229

enabled/disabled

2007 CCE-630

enabled/disabled

2007 CCE-1154

enabled/disabled

2007 CCE-1410

enabled/disabled

2007 CCE-1432

enabled/disabled

2007 CCE-1198

enabled/disabled

2007 CCE-929

enabled/disabled

The "Disable all user customization of Quick Access Toolbar - Disallow in Access" setting should be configured correctly

The "Disable all user customization of Quick Access Toolbar - Disallow in Outlook" setting should be configured correctly

The "Disable UI extending from documents and templates" setting should be configured correctly

The "Disable UI extending from documents and templates - Disallow in Word" setting should be configured correctly

The "Disable UI extending from documents and templates - Disallow in Excel" setting should be configured correctly

The "Disable UI extending from documents and templates - Disallow in PowerPoint" setting should be configured correctly

The "Disable UI extending from documents and templates - Disallow in Access" setting should be configured correctly

The "Disable UI extending from documents and templates - Disallow in Outlook" setting should be configured correctly

2007 CCE-1074

enabled/disabled

2007 CCE-1458

enabled/disabled

2007 CCE-1233

enabled/disabled

2007 CCE-1379

enabled/disabled

2007 CCE-1401

enabled/disabled

2007 CCE-1528

enabled/disabled

2007 CCE-1533

enabled/disabled

2007 CCE-646

enabled/disabled

The "Recognize smart tags in Excel" setting should be configured correctly

The "Disable Clip Art and Media downloads from the client and from Office Online website" setting should be configured correctly

The "Disable template downloads from the client and from Office Online website" setting should be configured correctly

The "Disable access to updates, add-ins, and patches on the Office Online website" setting should be configured correctly

The "Prevents users from uploading document templates to the Office Online community." setting should be configured correctly

The "Disable training practice downloads from the Office Online website" setting should be configured correctly

The "Disable customer-submitted templates downloads from Office Online" setting should be configured correctly

The "Open Office documents as read/write while browsing" setting should be configured correctly

2007 CCE-1438

enabled/disabled

2007 CCE-711

enabled/disabled

2007 CCE-1292

enabled/disabled


2007 CCE-1191

enabled/disabled

2007 CCE-1587

enabled/disabled

2007 CCE-1486

enabled/disabled

2007 CCE-1508

enabled/disabled

2007 CCE-1640

enabled/disabled

2007 CCE-1539

enabled/disabled

The "Rely on VML for displaying graphics in browsers" setting should be configured correctly

The "Allow PNG as an output format" setting should be configured correctly

The "Improve Proofing Tools" setting should be configured correctly

The "Disable Opt-in Wizard on first run" setting should be configured correctly.

The "Microsoft Office Online" setting should be configured correctlyThe "Disable Password Caching" setting should be configured correctly

The "Disable all Trust Bar notifications for security issues" setting should be configured correctly

The "Protect document metadata for rights managed Office Open XML Files" setting should be configured correctly

The "Protect document metadata for password protected files." setting should be configured correctly

The "Encryption type for password protected Office Open XML files" setting should be configured correctly

2007 CCE-1561

enabled/disabled

2007 CCE-1068

enabled/disabled

2003/2007 CCE-1574

enabled/disabled

2007 CCE-1239

enabled/disabled

2007 CCE-1623

enabled/disabled

2007 CCE-1083

enabled/disabled

2007 CCE-1343

enabled/disabled

2007 CCE-1242

enabled/disabled

2007 CCE-770

enabled/disabled

2007 CCE-903

enabled/disabled

The "Encryption type for password protected Office 97-2003 files" setting should be configured correctly

The "Load Controls in Forms3 (1 | 2 | 3 | 4)" setting should be configured correctly

The "Automation Security (Disable macros by default | Use application macro security level | Macros enabled)" setting should be configured correctly

The "Prevent Word and Excel from loading managed code extensions" setting should be configured correctly

The "Disable hyperlink warnings" setting should be configured correctly

The "Disable password to open UI" setting should be configured correctly

The "Download Office Controls" setting should be configured correctly

The "Disable All ActiveX" setting should be configured correctly

The "Allow mix of policy and user locations" setting should be configured correctly

The "Disable Smart Document's use of manifests" setting should be configured correctly

2007 CCE-1555

enabled/disabled

2007 CCE-1061

enabled/disabled

2007 CCE-1603

enabled/disabled

2007 CCE-1612

enabled/disabled

2007 CCE-1493

enabled/disabled

2007 CCE-1409

enabled/disabled

2007 CCE-1589

enabled/disabled

2007 CCE-1237

enabled/disabled

The "Completely disable the Smart Documents feature in Word and Excel" setting should be configured correctly

The "Disable Internet Fax feature" setting should be configured correctly

The "Prevent users from changing permissions on rights managed content" setting should be configured correctly

The "Allow users with earlier versions of Office to read with browsers..." setting should be configured correctly

The "Always require users to connect to verify permission" setting should be configured correctly

The "Always expand groups in Office when restricting permission for documents" setting should be configured correctly

The "Never allow users to specify groups when restricting permission for documents" setting should be configured correctly

The "Disable Microsoft Passport service for content with restricted permission" setting should be configured correctly

2007 CCE-1404

enabled/disabled

2007 CCE-1396

enabled/disabled

2007 CCE-1167

enabled/disabled

2007 CCE-1585

enabled/disabled

2007 CCE-1572

enabled/disabled

2007 CCE-1220

enabled/disabled

2007 CCE-1634

enabled/disabled

2007 CCE-1643

enabled/disabled

2007 CCE-1546

enabled/disabled

The "Do not allow users to upgrade Information Rights Management configuration" setting should be configured correctly

The "Key Usage Filtering" setting should be configured correctlyThe "EKU filtering" setting should be configured correctly

The "Legacy format signatures" setting should be configured correctly

The "Suppress Office Signing Providers (Enable Western and East Asian | Suppress default Western | Suppress default East Asian | Suppress both Western and East Asian)" setting should be configured correctly

The "Suppress external signature services menu item" setting should be configured correctly

The "Disable Check For Solutions" setting should be configured correctly

The "Disable inclusion of document properties in PDF and XPS output" setting should be configured correctly

The "Disable Document Information Panel" setting should be configured correctly

2007 CCE-1505

enabled/disabled

2007 CCE-1545

enabled/disabled

2007 CCE-1549

enabled/disabled

2007 CCE-1431

enabled/disabled

2007 CCE-1594

enabled/disabled

2007 CCE-1241

enabled/disabled

The "Document Information Panel Beaconing UI (Never show UI | Always show UI | Show UI if XSN is in Internet Zone)" setting should be configured correctly

The "Disable the Office client from polling the Office server for published links" setting should be configured correctly

The "Block opening of pre-release versions of file formats new to Word 2007 through the Compatibility Pack for the 2007 Office system and Word 2007 Open XML/Word 97-2003 Format Converter" setting should be configured correctly

The "Block opening of pre-release versions of file formats new to Excel 2007 through the Compatibility Pack for the 2007 Office system and Excel 2007 Converter" setting should be configured correctly

The "Block opening of pre-release versions of file formats new to PowerPoint 2007 through the Compatibility Pack for the 2007 Office system and PowerPoint 2007 Converter" setting should be configured correctly

The "Control Blogging (Enabled | Only SharePoint blogs allowed | All blogging disabled)" setting should be configured correctly

2007 CCE-1607

enabled/disabled

2007 CCE-752

enabled/disabled

2007 CCE-1166

enabled/disabled

2007 CCE-654

enabled/disabled

2007 CCE-1192

enabled/disabled

2007 CCE-791

enabled/disabled

2007 CCE-1456

enabled/disabled

2007 CCE-1478

enabled/disabled

2007 CCE-1368

enabled/disabled

The "Enable Smart Resume" setting should be configured correctly

The "Do not upload media files" setting should be configured correctly

The "Disable hyperlinks to web templates in File | New and task panes" setting should be configured correctly

The "Prevent access to Web-based file storage" setting should be configured correctly

The "Do not allow attachment previewing in Outlook" setting should be configured correctly for Outlook 2007.

The "Read e-mail as plain text" setting should be configured correctly for Outlook 2007.

The "Read signed e-mail as plain text" setting should be configured correctly for Outlook 2007.

The "Prevent publishing to Office Online" setting should be configured correctly for Outlook 2007.

The "Prevent publishing to a DAV server" setting should be configured correctly for Outlook 2007.

2007 CCE-1641

enabled/disabled

2007 CCE-1266

enabled/disabled

2007 CCE-1399

enabled/disabled

2007 CCE-1187

enabled/disabled

2007 CCE-1588

enabled/disabled

2007 CCE-1117

enabled/disabled

2007 CCE-1130

enabled/disabled

The "Restrict level of calendar details users can publish (All options are available | Disables 'Full details' | Disables 'Full details' and 'Limited details')" setting should be configured correctly for Outlook 2007.

The "Access to published calendars" setting should be configured correctly for Outlook 2007.

The "Restrict upload method" setting should be configured correctly for Outlook 2007.

The "Hide Junk Mail UI" setting should be configured correctly for Outlook 2007.

The "Junk E-mail protection level (No Protection, Low, High, Trusted Lists Only)" setting should be configured correctly for Outlook 2007.

The "Trust E-mail from Contacts" setting should be configured correctly for Outlook 2007.

The "Add e-mail recipients to users' Safe Senders Lists" setting should be configured correctly for Outlook 2007.

2007 CCE-1093

enabled/disabled

2007 CCE-1599

enabled/disabled

2007 CCE-1621

enabled/disabled

2007 CCE-1269

enabled/disabled

2007 CCE-1419

enabled/disabled

2007 CCE-1551

enabled/disabled

2007 CCE-655

enabled/disabled

2007 CCE-1592

enabled/disabled

The "Dial-up options" setting should be configured correctly for Outlook 2007.

The "Dial-up options - Warn before switching dial-up connection" setting should be configured correctly for Outlook 2007.

The "Dial-up options - Hang up when finished sending, receiving, or updating" setting should be configured correctly for Outlook 2007.

The "Dial-up options - Automatically dial during a background Send/Receive" setting should be configured correctly for Outlook 2007.

The "Do not allow creating, replying, or forwarding signatures for e-mail messages" setting should be configured correctly for Outlook 2007.

The "Send copy of pictures with HTML messages instead of reference to Internet location" setting should be configured correctly for Outlook 2007.

The "Outlook Rich Text options (Convert to HTML | Convert to Plain Text format | Send Using Outlook Rich Text format)" setting should be configured correctly for Outlook 2007.

The "Plain text options" setting should be configured correctly for Outlook 2007.

2007 CCE-1614

enabled/disabled

2007 CCE-1526

enabled/disabled

2007 CCE-1111

enabled/disabled

2007 CCE-1494

enabled/disabled

2007 CCE-1287

enabled/disabled

2007 CCE-1529

enabled/disabled

2007 CCE-1560

enabled/disabled

The "Plain text options - Encode attachments in UUENCODE format when sending a plain text message" setting should be configured correctly for Outlook 2007.

The "Set message format (HTML | Rich Text | Plain Text)" setting should be configured correctly for Outlook 2007.

The "Make Outlook the default program for E-mail, Contacts, and Calendar" setting should be configured correctly for Outlook 2007.

The "Do not allow folders in non-default stores to be set as folder home pages" setting should be configured correctly for Outlook 2007.

The "Use Unicode format when dragging e-mail message to file system" setting should be configured correctly for Outlook 2007.

The "Do not allow Outlook object model scripts to run for shared folders" setting should be configured correctly for Outlook 2007.

The "Do not allow Outlook object model scripts to run for public folders" setting should be configured correctly for Outlook 2007.

2007 CCE-1596

enabled/disabled

2007 CCE-1604

enabled/disabled

2007 CCE-1648

enabled/disabled

2007 CCE-1516

enabled/disabled

2007 CCE-1296

enabled/disabled

2007 CCE-1388

enabled/disabled

The "Set maximum level of online status on a person name (Do not allow | Allow everywhere except To and CC field | Allow everywhere)" setting should be configured correctly for Outlook 2007.

The "Display online status on a person name (Never | Everywhere except To and CC field | Everywhere)" setting should be configured correctly for Outlook 2007.

The "Turn off Enable the Person Names Smart Tag option" setting should be configured correctly for Outlook 2007.

The "Outlook Security Mode (Outlook Default Security | Use Security Form from 'Outlook Security Settings' Public Folder | Use Security Form from 'Outlook 10 Security Settings' Public Folder | Use Outlook Security Group Policy)" setting should be configured correctly for Outlook 2007.

The "Display Level 1 attachments" setting should be configured correctly for Outlook 2007.

The "Allow users to demote attachments to Level 2" setting should be configured correctly for Outlook 2007.

2007 CCE-1652

enabled/disabled

2007 CCE-1569

enabled/disabled

2007 CCE-1459

enabled/disabled

2007 CCE-1608

enabled/disabled

2007 CCE-1617

enabled/disabled

2007 CCE-1631

enabled/disabled

2007 CCE-1155

enabled/disabled

2007 CCE-1556

enabled/disabled

The "Do not prompt about Level 1 attachments when sending an item" setting should be configured correctly for Outlook 2007.

The "Do not prompt about Level 1 attachments when closing an item" setting should be configured correctly for Outlook 2007.

The "Allow in-place activation of embedded OLE objects" setting should be configured correctly for Outlook 2007.

The "Display OLE package objects" setting should be configured correctly for Outlook 2007.

The "Add file extensions to block as Level 1" setting should be configured correctly for Outlook 2007.

The "Remove file extensions blocked as Level 1" setting should be configured correctly for Outlook 2007.

The "Add file extensions to block as Level 2" setting should be configured correctly for Outlook 2007.

The "Remove file extensions blocked as Level 2" setting should be configured correctly for Outlook 2007.

2007 CCE-1595

enabled/disabled

2007 CCE-1436

enabled/disabled

2007 CCE-1586

enabled/disabled

2007 CCE-1590

enabled/disabled

2007 CCE-1004

enabled/disabled

The "Allow scripts in one-off Outlook forms" setting should be configured correctly for Outlook 2007.

The "Set Outlook object model Custom Actions execution prompt (Prompt User | Automatically Approve | Automatically Deny | Prompt user based on computer security)" setting should be configured correctly for Outlook 2007.

The "Set control ItemProperty prompt (Prompt User | Automatically Approve | Automatically Deny | Prompt user based on computer security)" setting should be configured correctly

The "Configure Outlook object model prompt when sending mail (Prompt User | Automatically Approve | Automatically Deny | Prompt user based on computer security)" setting should be configured correctly for Outlook 2007.

The "Configure Outlook object model prompt when accessing an address book (Prompt User | Automatically Approve | Automatically Deny | Prompt user based on computer security)" setting should be configured correctly for Outlook 2007.

2007 CCE-1273

enabled/disabled

2007 CCE-1172

enabled/disabled

2007 CCE-1568

enabled/disabled

2007 CCE-1573

enabled/disabled

The "Configure Outlook object model prompt when reading address information (Prompt User | Automatically Approve | Automatically Deny | Prompt user based on computer security)" setting should be configured correctly for Outlook 2007.

The "Configure Outlook object model prompt when responding to meeting and task requests (Prompt User | Automatically Approve | Automatically Deny | Prompt user based on computer security)" setting should be configured correctly for Outlook 2007.

The "Configure Outlook object model prompt when executing Save As (Prompt User | Automatically Approve | Automatically Deny | Prompt user based on computer security)" setting should be configured correctly for Outlook 2007.

The "Configure Outlook object model prompt When accessing the Formula property of a UserProperty object (Prompt User | Automatically Approve | Automatically Deny | Prompt user based on computer security)" setting should be configured correctly for Outlook 2007.

2007 CCE-1454

enabled/disabled

2007 CCE-1498

enabled/disabled

2007 CCE-1630

enabled/disabled

2007 CCE-1626

enabled/disabled

2007 CCE-1163

enabled/disabled

2007 CCE-1445

enabled/disabled

The "Configure Outlook object model prompt when accessing address information via UserProperties.Find (Prompt User | Automatically Approve | Automatically Deny | Prompt user based on computer security)" setting should be configured correctly for Outlook 2007.

The "Required Certificate Authority" setting should be configured correctly for Outlook 2007.

The "S/MIME interoperability with external clients: (Handle internally | Handle externally | Handle if possible)" setting should be configured correctly for Outlook 2007.

The "Always use Rich Text formatting in S/MIME messages" setting should be configured correctly for Outlook 2007.

The "S/MIME password settings" setting should be configured correctly for Outlook 2007.

The "S/MIME password settings - Default S/MIME password time (minutes): (0 - 2147483647)" setting should be configured correctly for Outlook 2007.

2007 CCE-1582

enabled/disabled

2007 CCE-1357

enabled/disabled

2007 CCE-1132

enabled/disabled

2003/2007 CCE-1511

enabled/disabled

2007 CCE-1018

enabled/disabled

The "S/MIME password settings - Maximum S/MIME password time (minutes): (0 - 2147483647)" setting should be configured correctly for Outlook 2007.

The "Message Formats" setting should be configured correctly for Outlook 2007.

The "Message Formats - Support the following message formats: (S/MIME | Exchange | Fortezza | S/MIME and Exchange | S/MIME and Fortezza | Exchange and Fortezza | S/MIME, Exchange, and Fortezza)" setting should be configured correctly for Outlook 2007.

2007: The "Do not provide Continue option on Encryption warning dialog boxes" setting should be configured correctly for Outlook 2007. 2003: The "Disable Continue button on all Encryption warning dialogs" setting should be configured correctly.

The "Run in FIPS compliant mode" setting should be configured correctly for Outlook 2007.

2003/2007 CCE-1181

enabled/disabled

2007 CCE-1639

enabled/disabled

2007 CCE-677

enabled/disabled

2007 CCE-687

enabled/disabled

2007 CCE-1613

enabled/disabled

2007 CCE-1402

enabled/disabled

2007 CCE-1658

enabled/disabled

2007 CCE-1662

enabled/disabled

The "Encrypt all e-mail messages" setting should be configured correctly for Outlook 2007 and 2003.

The "Sign all e-mail messages" setting should be configured correctly for Outlook 2007.

The "URL for S/MIME certificates" setting should be configured correctly for Outlook 2007.

The "Ensure all S/MIME signed messages have a label" setting should be configured correctly for Outlook 2007.

The "S/MIME receipt requests (Open message if receipt can't be sent | Don't open message if receipt can't be sent | Always prompt before sending receipt | Never send S/MIME )" setting should be configured correctly for Outlook 2007.

The "Fortezza certificate policies" setting should be configured correctly for Outlook 2007.

The "Require SuiteB algorithms for S/MIME operations" setting should be configured correctly for Outlook 2007.

The "Missing CRLs" setting should be configured correctly for Outlook 2007.

2007 CCE-1080

enabled/disabled

2007 CCE-1076

enabled/disabled

2007 CCE-1636

enabled/disabled

2007 CCE-943

enabled/disabled

2007 CCE-1591

enabled/disabled

2007 CCE-1133

enabled/disabled

2007 CCE-725

enabled/disabled

2007 CCE-1347

enabled/disabled

The "Missing CRLs - Indicate a missing CRL as a(n): (warning | error)" setting should be configured correctly for Outlook 2007.

The "Missing root certificates" setting should be configured correctly for Outlook 2007.

The "Missing root certificates - Indicate a missing root certificate as a(n): (neither error nor warning | warning | error)" setting should be configured correctly for Outlook 2007.

The "Promote Level 2 errors as errors, not warnings" setting should be configured correctly for Outlook 2007.

The "Attachment Secure Temporary Folder" setting should be configured correctly for Outlook 2007.

The "Display pictures and external content in HTML e-mail" setting should be configured correctly for Outlook 2007.

The "Automatically download content for e-mail from people in Safe Senders and Safe Recipients Lists" setting should be configured correctly for Outlook 2007.

The "Do not permit download of content from safe zones" setting should be configured correctly for Outlook 2007.

2007 CCE-1475

enabled/disabled

2007 CCE-1497

enabled/disabled

2007 CCE-1501

enabled/disabled

2007 CCE-1030

enabled/disabled

2007 CCE-1052

enabled/disabled

2007 CCE-1462

enabled/disabled

2007 CCE-1281

enabled/disabled

The "Block Trusted Zones" setting should be configured correctly for Outlook 2007.

The "Include Internet in Safe Zones for Automatic Picture Download" setting should be configured correctly for Outlook 2007.

The "Include Intranet in Safe Zones for Automatic Picture Download" setting should be configured correctly for Outlook 2007.

The "Security setting for macros (Always warn | Never warn, disable all | Warn for signed, disable unsigned | No security check)" setting should be configured correctly for Outlook 2007.

The "Enable links in e-mail messages" setting should be configured correctly for Outlook 2007.

The "Apply macro security settings to macros, add-ins, and SmartTags" setting should be configured correctly for Outlook 2007.

The "Automatically configure profile based on Active Directory Primary SMTP address" setting should be configured correctly for Outlook 2007.

2007 CCE-1303

enabled/disabled

2007 CCE-1082

enabled/disabled

2007 CCE-1712

enabled/disabled

2007 CCE-1131

enabled/disabled

2007 CCE-1620

enabled/disabled

2007 CCE-1541

enabled/disabled

2007 CCE-1311

enabled/disabled

2007 CCE-1682

enabled/disabled

The "Do not allow users to change permissions on folders" setting should be configured correctly for Outlook 2007.

The "Enable RPC encryption" setting should be configured correctly for Outlook 2007.

The "Authentication with Exchange Server (Kerberos/NTLM Password Authentication | Kerberos Password Authentication | NTLM Password Authentication)" setting should be configured correctly for Outlook 2007.

The "Synchronize Outlook RSS Feeds with Common Feed List" setting should be configured correctly for Outlook 2007.

The "Turn off RSS feature" setting should be configured correctly for Outlook 2007.

The "Automatically download enclosures" setting should be configured correctly for Outlook 2007.

The "Download full text of articles as HTML attachments" setting should be configured correctly for Outlook 2007.

The "Automatically download attachments" setting should be configured correctly for Outlook 2007.

2007 CCE-1461

enabled/disabled

2007 CCE-1041

enabled/disabled

2007 CCE-1565

enabled/disabled

2007 CCE-1719

enabled/disabled

2007 CCE-1477

enabled/disabled

2007 CCE-1142

enabled/disabled

The "Do not include Internet Calendar integration in Outlook" setting should be configured correctly for Outlook 2007.

The "Disable user entries to server list (Publish default, allow others | Publish default, disallow others)" setting should be configured correctly for Outlook 2007.

The "Do not expand distribution lists" setting should be configured correctly for Outlook 2007.

The "Save files in this format (PowerPoint Presentation (*.pptx) | PowerPoint Macro-Enabled Presentation (*.pptm) | PowerPoint 97-2003 Presentation (*.ppt))" setting should be configured correctly for PowerPoint 2007.

The "Number of documents in the Recent Documents list (0 - 50)" setting should be configured correctly for PowerPoint 2007.

The "Determine whether to force encrypted macros to be scanned in Microsoft PowerPoint Open XML presentations" setting should be configured correctly for PowerPoint 2007.

2007 CCE-1649

enabled/disabled

2007 CCE-1279

enabled/disabled

2007 CCE-1451

enabled/disabled

2007 CCE-1204

enabled/disabled

2007 CCE-1107

enabled/disabled

2007 CCE-743

enabled/disabled

2007 CCE-747

enabled/disabled

2007 CCE-782

enabled/disabled

The "Run Programs (disable (don't run any programs) | enable (prompt user before running) | enable all (run without prompting))" setting should be configured correctly for PowerPoint 2007.

The "Make hidden markup visible" setting should be configured correctly for PowerPoint 2007.

The "Unblock automatic download of linked images" setting should be configured correctly for PowerPoint 2007.

The "Disable all application add-ins" setting should be configured correctly for PowerPoint 2007.

The "Require that application add-ins are signed by Trusted Publisher" setting should be configured correctly for PowerPoint 2007.

The "Disable Trust Bar Notification for unsigned application add-ins" setting should be configured correctly for PowerPoint 2007.

The "Allow Trusted Locations not on the computer" setting should be configured correctly for PowerPoint 2007.

The "Disable all trusted locations" setting should be configured correctly for PowerPoint 2007.

2007 CCE-1327

enabled/disabled

2007 CCE-1723

enabled/disabled

2007 CCE-1366

enabled/disabled

2007 CCE-1679

enabled/disabled

2007 CCE-1173

enabled/disabled

2007 CCE-1714

enabled/disabled

2007 CCE-1485

enabled/disabled

2007 CCE-1687

enabled/disabled

The "Disable commands" setting should be configured correctly for PowerPoint 2007.

The "Disable commands - Office Button | PowerPoint Options | Customize | All Commands | Web Page Preview" setting should be configured correctly for PowerPoint 2007.

The "Disable commands - Office Button | Send | Email" setting should be configured correctly for PowerPoint 2007.

The "Disable commands - Insert | Links | Hyperlink" setting should be configured correctly for PowerPoint 2007.

The "Disable commands - Review | Proofing | Language" setting should be configured correctly for PowerPoint 2007.

The "Disable commands - View | Macros | Macros" setting should be configured correctly for PowerPoint 2007.

The "Disable commands - Developer | Code | Macros" setting should be configured correctly for PowerPoint 2007.

The "Disable commands - Developer | Code | Macro Security" setting should be configured correctly for PowerPoint 2007.

2007 CCE-1709

enabled/disabled

2007 CCE-1463

enabled/disabled

2007 CCE-1467

enabled/disabled

2007 CCE-1740

enabled/disabled

2007 CCE-1780

enabled/disabled

2007 CCE-1661

enabled/disabled

2007 CCE-1688

enabled/disabled

2007 CCE-1701

enabled/disabled

The "Disable commands - Developer | Code | Visual Basic" setting should be configured correctly for PowerPoint 2007.

The "Disable commands - Office Button | PowerPoint Options | Customize | All Commands | Document Location" setting should be configured correctly for PowerPoint 2007.

The "Disable commands - Disable shortcut keys" setting should be configured correctly for PowerPoint 2007.

The "Disable commands - Ctrl+K (Insert | Links | Hyperlink)" setting should be configured correctly for PowerPoint 2007.

The "Disable commands - Alt+F8 (Developer | Code | Macros)" setting should be configured correctly for PowerPoint 2007.

The "Disable commands - Alt+F11 (Developer | Code | Visual Basic)" setting should be configured correctly for PowerPoint 2007.

The "Block opening of pre-release versions of file formats new to PowerPoint 2007" setting should be configured correctly for PowerPoint 2007.

The "Block opening of Open Xml files types" setting should be configured correctly for PowerPoint 2007.

2007 CCE-1348

enabled/disabled

2007 CCE-1644

enabled/disabled

2007 CCE-1194

enabled/disabled

2007 CCE-1216

enabled/disabled

2007 CCE-1506

enabled/disabled

2007 CCE-1136

enabled/disabled

2007 CCE-1766

enabled/disabled

2007 CCE-1180

enabled/disabled

2007 CCE-1722

enabled/disabled

2007 CCE-1731

enabled/disabled

The "Block opening of Binary file types" setting should be configured correctly for PowerPoint 2007.

The "Block opening of Html file types" setting should be configured correctly for PowerPoint 2007.

The "Block opening of Outlines" setting should be configured correctly for PowerPoint 2007.

The "Block opening of Converters" setting should be configured correctly for PowerPoint 2007.

The "Block saving of Open Xml file types" setting should be configured correctly for PowerPoint 2007.

The "Block saving of Binary file types" setting should be configured correctly for PowerPoint 2007.

The "Block saving of Html file types" setting should be configured correctly for PowerPoint 2007.

The "Block saving of Outlines" setting should be configured correctly for PowerPoint 2007.

The "Block saving of GraphicFilters" setting should be configured correctly for PowerPoint 2007.

The "Disable Slide Update" setting should be configured correctly for PowerPoint 2007.

2007 CCE-885

enabled/disabled

2007 CCE-1656

enabled/disabled

2007 CCE-1537

enabled/disabled

2007 CCE-1249

enabled/disabled

2007 CCE-1509

enabled/disabled

The "Hidden text" setting should be configured correctly for Word 2007.

The "Save files in this format (Word document (*.docx) | Single Files Web Page (*.mht) | Web Page (*.htm; *.html) | Web Page, Filtered (*.htm, *.html) | Rich Text Format (*.rtf) | Plain Text (*.txt) | Word 6.0/95 (*.doc) | Word 6.0/95 - Chinese (Simplified) (*.doc) | Word 6.0/95 - Chinese (Traditional) (*.doc) | Word 6.0/95 - Japanese (*.doc) | Word 6.0/95 - Korean (*.doc) | Word 97-2002 & 6.0/95 - RTF | Word 5.1 for Macintosh (*.mcw) | Word 5.0 for Macintosh (*.mcw) | Word 2.x for Windows (*.doc) | Works 4.0 for Windows (*.wps) | WordPerfect 5.x for Windows (*.doc) | WordPerfect 5.1 for DOS (*.doc) | Word 2007 Macro Enabled Document (*.docm) | Word 2007 Macro Free Template (*.dotx) | Word 2007 Macro Enabled Template (*.dotm) | Word 97 - 2003 Document (*.doc) | Word 97 - 2003 Template (*.dot) | Flat XML Document (*.xml))" setting should be configured correctly for The "Number of documents in the Recent Documents list (0-50)" setting should be configured correctly for Word 2007.

The "Update automatic links at Open" setting should be configured correctly for Word 2007.

The "Save smart tags in e-mail" setting should be configured correctly for Word 2007.

2007 CCE-1280

enabled/disabled

2007 CCE-1681

enabled/disabled

2007 CCE-1562

enabled/disabled

2007 CCE-1333

enabled/disabled

2007 CCE-1355

enabled/disabled

2007 CCE-1637

enabled/disabled

2007 CCE-1659

enabled/disabled

2007 CCE-1329

enabled/disabled

The "Determine whether to force encrypted macros to be scanned in Microsoft Word Open XML documents" setting should be configured correctly for Word 2007.

The "Disable all application add-ins" setting should be configured correctly for Word 2007.

The "Require that application add-ins are signed by Trusted Publisher" setting should be configured correctly for Word 2007.

The "Disable Trust Bar Notification for unsigned application add-ins" setting should be configured correctly for Word 2007.

The "Allow Trusted Locations not on the computer" setting should be configured correctly for Word 2007.

The "Disable all trusted locations" setting should be configured correctly for Word 2007.

The "Disable commands" setting should be configured correctly for Word 2007.

The "Disable commands - Office Button | Word Options | Customize | All Commands | Save As Web Page" setting should be configured correctly for Word 2007.

2007 CCE-1632

enabled/disabled

2007 CCE-1425

enabled/disabled

2007 CCE-1196

enabled/disabled

2007 CCE-936

enabled/disabled

2007 CCE-1354

enabled/disabled

2007 CCE-1125

enabled/disabled

2007 CCE-1742

enabled/disabled

2007 CCE-1782

enabled/disabled

The "Disable commands - Office Button | Word Options | Customize | All Commands | Web Page Preview" setting should be configured correctly for Word 2007.

The "Disable commands - Office Button | Send | Email" setting should be configured correctly for Word 2007.

The "Disable commands - Insert | Links | Hyperlink" setting should be configured correctly for Word 2007.

The "Disable commands - Review | Protect | Protect Document" setting should be configured correctly for Word 2007.

The "Disable commands - View | Macros | Macros" setting should be configured correctly for Word 2007.

The "Disable commands - Developer | Code | Macros" setting should be configured correctly for Word 2007.

The "Disable commands - Developer | Code | Record Macro" setting should be configured correctly for Word 2007.

The "Disable commands - Developer | Code | Macro Security" setting should be configured correctly for Word 2007.

2007 CCE-1306

enabled/disabled

2007 CCE-1548

enabled/disabled

2007 CCE-1716

enabled/disabled

2007 CCE-1597

enabled/disabled

2007 CCE-1689

enabled/disabled

2007 CCE-1570

enabled/disabled

2007 CCE-1720

enabled/disabled

2007 CCE-1746

enabled/disabled

The "Disable commands - Developer | Code | Visual Basic" setting should be configured correctly for Word 2007.

The "Disable commands - Developer | Templates | Document Template" setting should be configured correctly for Word 2007.

The "Disable shortcut keys" setting should be configured correctly for Word 2007.

The "Disable shortcut keys - Ctrl+F (Home | Editing | Find)" setting should be configured correctly for Word 2007.

The "Disable shortcut keys - Ctrl+K (Insert | Links | Hyperlink)" setting should be configured correctly for Word 2007.

The "Disable shortcut keys - Alt+F8 (Developer | Code | Macros)" setting should be configured correctly for Word 2007.

The "Disable shortcut keys - Alt+F11 (Developer | Code | Visual Basic)" setting should be configured correctly for Word 2007.

The "Block opening of pre-release versions of file formats new to Word 2007" setting should be configured correctly for Word 2007.

2007 CCE-1504

enabled/disabled

2007 CCE-1654

enabled/disabled

2007 CCE-1160

enabled/disabled

2007 CCE-958

enabled/disabled

2007 CCE-1579

enabled/disabled

2007 CCE-984

enabled/disabled

2007 CCE-1072

enabled/disabled

2007 CCE-1503

enabled/disabled

2007 CCE-1371

enabled/disabled

2007 CCE-1019

enabled/disabled

The "Block opening of Open XML file types" setting should be configured correctly for Word 2007.

The "Block opening of Binary file types" setting should be configured correctly for Word 2007.

The "Block opening of HTML file types" setting should be configured correctly for Word 2007.

The "Block opening of Word 2003 XML file types" setting should be configured correctly for Word 2007.

The "Block opening of RTF file types" setting should be configured correctly for Word 2007.

The "Block open Converters" setting should be configured correctly for Word 2007.

The "Block opening of Text file types" setting should be configured correctly for Word 2007.

The "Block opening of Internal file types" setting should be configured correctly for Word 2007.

The "Block opening of files before version" setting should be configured correctly for Word 2007.

The "Block saving of Open XML file types" setting should be configured correctly for Word 2007.

2007 CCE-1684

enabled/disabled

2007 CCE-1675

enabled/disabled

2007 CCE-1200

enabled/disabled

2007 CCE-1741

enabled/disabled

2007 CCE-1231

enabled/disabled

2007 CCE-1755

enabled/disabled

2007 CCE-1169

enabled/disabled

2007 CCE-1735

enabled/disabled

The "Block saving of Binary file types" setting should be configured correctly for Word 2007.

The "Block saving of HTML file types" setting should be configured correctly for Word 2007.

The "Block saving of Word 2003 XML file types" setting should be configured correctly for Word 2007.

The "Block saving of RTF file types" setting should be configured correctly for Word 2007.

The "Block saving of Converters" setting should be configured correctly for Word 2007.

The "Block saving of Text file types" setting should be configured correctly for Word 2007.

ms computer config

The InfoPath APTCA Assembly Whitelist setting should be configured correctly.

The Windows Internet Explorer Feature Control Opt-In (None | InfoPath.exe, Document Information Panel and Workflow forms | InfoPath.exe, Document Information Panel, Workflow forms and 3rd Party Hosting) setting should be configured correctly.

2007 CCE-1739

enabled/disabled

2007 CCE-933

enabled/disabled

2007 CCE-1563

enabled/disabled

2007 CCE-1215

enabled/disabled

2007 CCE-1484

enabled/disabled

2007 CCE-1629

enabled/disabled

2007 CCE-1762

enabled/disabled

The InfoPath APTCA Assembly Whitelist Enforcement setting should be configured correctly.

The Disable Package Repair setting should be configured correctly.

The Disable user name and password setting should be configured correctly.

The Disable user name and password - excel.exe setting should be configured correctly.

The Disable user name and password - powerpnt.exe setting should be configured correctly.

The Disable user name and password - pptview.exe setting should be configured correctly.

The Disable user name and password - winword.exe setting should be configured correctly.

2007 CCE-1660

enabled/disabled

2007 CCE-1057

enabled/disabled

2007 CCE-1285

enabled/disabled

2007 CCE-1669

enabled/disabled

2007 CCE-1691

enabled/disabled

2007 CCE-1338

enabled/disabled

2007 CCE-1717

enabled/disabled

2007 CCE-1488

enabled/disabled

The Disable user name and password - outlook.exe setting should be configured correctly.

The Disable user name and password - spDesign.exe setting should be configured correctly.

The Disable user name and password - msaccess.exe setting should be configured correctly.

The Bind to object setting should be configured correctly.

The Bind to object - excel.exe setting should be configured correctly.

The Bind to object - powerpnt.exe setting should be configured correctly.

The Bind to object - pptview.exe setting should be configured correctly.

The Bind to object - winword.exe setting should be configured correctly.

2007 CCE-1638

enabled/disabled

2007 CCE-1647

enabled/disabled

2007 CCE-1294

enabled/disabled

2007 CCE-1193

enabled/disabled

2007 CCE-1352

enabled/disabled

2007 CCE-928

enabled/disabled

2007 CCE-1576

enabled/disabled

2007 CCE-1100

enabled/disabled

The Bind to object - outlook.exe setting should be configured correctly.

The Bind to object - spDesign.exe setting should be configured correctly.

The Bind to object - msaccess.exe setting should be configured correctly.

The Saved from URL setting should be configured correctly.

The Saved from URL - excel.exe setting should be configured correctly.

The Saved from URL - powerpnt.exe setting should be configured correctly.

The Saved from URL - pptview.exe setting should be configured correctly.

The Saved from URL - pptview.exe setting should be configured correctly.

2007 CCE-1232

enabled/disabled

2007 CCE-1774

enabled/disabled

2007 CCE-906

enabled/disabled

2007 CCE-1034

enabled/disabled

2007 CCE-1435

enabled/disabled

2007 CCE-1708

enabled/disabled

2007 CCE-808

enabled/disabled

2007 CCE-1650

enabled/disabled

The Saved from URL - outlook.exe setting should be configured correctly.

The Saved from URL - spDesign.exe setting should be configured correctly.

The Saved from URL - msaccess.exe setting should be configured correctly.

The Navigate URL setting should be configured correctly.

The Navigate URL - excel.exe setting should be configured correctly.

The Navigate URL - powerpnt.exe setting should be configured correctly.

The Navigate URL - pptview.exe setting should be configured correctly.

The Navigate URL - winword.exe setting should be configured correctly.

2007 CCE-1223

enabled/disabled

2007 CCE-1764

enabled/disabled

2007 CCE-1769

enabled/disabled

2007 CCE-1152

enabled/disabled

2007 CCE-1566

enabled/disabled

2007 CCE-1077

enabled/disabled

2007 CCE-1606

enabled/disabled

2007 CCE-1738

enabled/disabled

The Navigate URL - outlook.exe setting should be configured correctly.

The Navigate URL - spDesign.exe setting should be configured correctly.

The Navigate URL - msaccess.exe setting should be configured correctly.

The Block popups setting should be configured correctly.

The Block popups - excel.exe setting should be configured correctly.

The Block popups - powerpnt.exe setting should be configured correctly.

The Block popups - pptview.exe setting should be configured correctly.

The Block popups - winword.exe setting should be configured correctly.

2007 CCE-1262

enabled/disabled

2007 CCE-1663

enabled/disabled

2007 CCE-1544

enabled/disabled

new NIST

2007 CCE-1443 1 = Enabled

2003 CCE-1161

2003 CCE-1421

The Block popups - outlook.exe setting should be configured correctly.

The Block popups - spDesign.exe setting should be configured correctly.

The Block popups - msaccess.exe setting should be configured correctly.

The "Prevent users from customizing attachment security settings" setting should be configured correctly.

The "Access: Macro Security Level" setting should be configured correctly.

1 = Enabled - Low | 2 = Enabled - Medium | 3 = Enabled - High

The "Access: Trust all installed add – ins and templates" setting should be configured correctly.

0 = Enabled | 1 = Disabled

2003 CCE-1571

2003 CCE-1721

2003 CCE-1602

2003 CCE-1624

2003 CCE-1522

The "Excel: Macro Security Level" setting should be configured correctly.


The "Excel: Trust all installed add – ins and templates" setting should be configured correctly.


The "Outlook: Macro Security Level" setting should be configured correctly.


The "Outlook: Trust all installed add-ins and templates" setting should be configured correctly.


The "Outlook virus security settings" setting should be configured correctly.

0 = Uses default administrative settings | 1 = Look in the Outlook Security Settings folder | 2 = Look in the Outlook 10 Security Settings folder

2003 CCE-1183

2003 CCE-1611

2003 CCE-1633

2003 CCE-822

2003 CCE-1734

2003 CCE-1628

The "S/MIME receipt requests" setting should be configured correctly.

0 = Open message if receipt can't be sent | 1 = Always prompt before sending receipt | 2 = Never send S/MIME receipts | 3 = Don't open message if receipt can't be sent

The "PowerPoint: Macro Security Level" setting should be configured correctly.


The "PowerPoint: Trust all installed add – ins and templates" setting should be configured correctly.


The "Publisher: Macro Security Level" setting should be configured correctly.


The "Publisher: Trust all installed add–ins and templates" setting should be configured correctly.


The "Word: Macro Security Level" setting should be configured correctly.


2003 CCE-1761

2003 CCE-1302

2003 CCE-1307

CCE-5

CCE-119

The "Word: Trust all installed add–ins and templates" setting should be configured correctly.


The "Store random number to improve merge accuracy" setting should be configured correctly.


The "Prevent Users from Changing Office Encryption Settings" setting should be configured correctly.

0 = Disabled | 1 = Enabled

Internet Explorer

The "Security Zones: Use Only Machine Settings" setting should be configured correctly.


Internet Explorer Processes (Restrict ActiveX Install)


CCE-146

CCE-212

CCE-270


The "Security Zones: Do Not Allow Users to Add/Delete Sites" setting should be configured correctly.


The "Disable Periodic Check For Internet Explorer Software Updates" setting should be configured correctly.



Internet Explorer Processes (Zone Elevation Protection)



CCE-498

CCE-591

The "Internet Explorer Processes (Consistent MIME Handling)" setting should be configured correctly.

The "Allow Software to Run or Install Even if the Signature is Invalid" setting should be configured correctly.DEPRECATED in favor of CCE-212.

The "Internet Explorer Processes (MK Protocol)" setting should be configured correctly.


CCE-622


CCE-684

CCE-693

The "Disable Software Update Shell Notifications on Program Launch" setting should be configured correctly.


The "Internet Explorer Processes (Restrict File Download)" setting should be configured correctly.

The "Disable Automatic Install of Internet Explorer Components" setting should be configured correctly.


The "Make Proxy Settings Per-Machine (Rather Then Per-User)" setting should be configured correctly.

(1) number of proxy settings




CCE-833

The "Do Not Allow Users to enable or Disable Add-Ons" setting should be configured correctly.

The "Turn Off Crash Detection" setting should be configured correctly.

The "Internet Explorer Processes (Scripted Window Security Restrictions)" setting should be configured correctly.

The "Security Zones: Do Not Allow Users to Change Policies" setting should be configured correctly.








The "Internet Explorer Processes (MIME Sniffing)" setting should be configured correctly.

The "Check for Signature on Downloaded Programs" setting should be configured correctly.

The "Do Not Allow Resetting Internet Explorer Settings" setting should be configured correctly.

The "Allow cut, copy, or paste operations from the clipboard via script" setting should be configured correctly for the Internet Zone.

The "Turn Off First- Run Opt-In" setting should be configured correctly for the Internet Zone.

The "Web Browser Applications" setting should be configured correctly for the Internet Zone.









The "Allow cut, copy, or paste operations from the clipboard via script" setting should be configured correctly for the Restricted Sites Zone.

The "Turn Off First- Run Opt-In" setting should be configured correctly for the Restricted Sites Zone.

The "Web Browser Applications" setting should be configured correctly for the Restricted Sites Zone.

The "Intranet Sites: Include all network paths (UNCs)" setting should be configured correctly.

The "Disable the Advanced Page" setting should be configured correctly.

The "Disable the Privacy Page" setting should be configured correctly.

The "Disable the Security Page" setting should be configured correctly.

The "Prevent Ignoing Certificate Errors" setting should be configured correctly.








The "Turn Off changing the URL to be displayed for checking updates to Internet Explorer and Internet Tools" setting should be configured correctly.

The "Turn Off Configuring the Update Check Interval (In Days)" setting should be configured correctly.

The "Add-on List" setting should be configured correctly.

The "Deny all add-ons unless specifically allowed in the Add-on List" setting should be configured correctly.

The "Disable "Configuring History"" setting should be configured correctly.

The "Disable Changing Automatic Configuration Settings" setting should be configured correctly.

The "Disable Changing Connection Settings" setting should be configured correctly.










The "Disable Changing Proxy Settings" setting should be configured correctly.

The "Disable Showing the Splash Screen" setting should be configured correctly.

The "Prevent "Fix settings" Functionality" setting should be configured correctly.

The "Prevent participation in the Customer Experience Improvement Programs" setting should be configured correctly.

The "Prevent performance of First Run Customize settings" setting should be configured correctly.

The "Prevent the deletation of temporary internet files and cookies" setting should be configured correctly.

The "Turn off "Delete Browsing History" functionality" setting should be configured correctly.

The "Turn off Managing Phishing Filter" setting should be configured correctly.

The "Turn off the Security Settings Check feature" setting should be configured correctly.





CCE-47

CCE-685

CCE-491

CCE-355

The "Allow Active Content from CD's to Run on User Machine" setting should be configured correctly.

The "Enable third-party browser extensions" setting should be configured correctly.

The "Automatically Check for Internet Explorer Updates" setting should be configured correctly.

The "Check for Server Certificate Revocation" setting should be configured correctly.

The "Access data sources across domains" setting should be configured correctly for the Internet Zone.

enabled/disabled/prompt

The "Drag and drop or copy and paste files" setting should be configured correctly for the Internet Zone.


The "Font download" setting should be configured correctly for the Internet Zone.


The "Installation of desktop items" setting should be configured correctly for the Internet Zone.



CCE-439



CCE-1013

CCE-176

The "Allow script-initiated windows without size or position constraints" setting should be configured correctly for the Internet Zone.

The "Allow Scriptlets" setting should be configured correctly for the Internet Zone.


The "Allow status bar updates via script" setting should be configured correctly for the Internet Zone.

The "Automatic prompting for file downloads" setting should be configured correctly for the Internet Zone.

The "Download signed ActiveX controls" setting should be configured correctly for the Internet Zone.


The "Download unsigned ActiveX controls" setting should be configured correctly for the Internet Zone.


CCE-586

CCE-132

CCE-689

CCE-720

CCE-126

The "Initialize and script ActiveX controls not marked as safe for scripting" setting should be configured correctly for the Internet Zone.


The "Java permissions" setting should be configured correctly for the Internet Zone.

Custom/Disable Java/High safety/Low safety/Medium safety

The "Launching programs and files in an IFRAME" setting should be configured correctly for the Internet Zone.


The "Logon" setting should be configured correctly for the Internet Zone.

Anonymous logon/Automatic logon only in Intranet zone/Automatic logon with current user name and password/Prompt for user name and password

The "Loose XAML" setting should be configured correctly for the Internet Zone.


CCE-245


CCE-359



CCE-724

CCE-1015

The "Navigate sub-frames across different domains" setting should be configured correctly for the Internet Zone.


The "Open files based on content, not file extension" setting should be configured correctly for the Internet Zone.

The "Software channel permissions" setting should be configured correctly for the Internet Zone.

High safety/low safety/medium safety

The "Use Pop-up Blocker" setting should be configured correctly for the Internet Zone.

The "Userdata persistence" setting should be configured correctly for the Internet Zone.

The "Web sites in less privileged Web content zones can navigate into this zone" setting should be configured correctly for the Internet Zone.


The "XPS documents" setting should be configured correctly for the Internet Zone.


CCE-878

CCE-288

CCE-552

CCE-473

CCE-239

CCE-636

CCE-292

The "Display mixed content" setting should be configured correctly for the Internet Zone.


The "Display mixed content" setting should be configured correctly for the Intranet Zone.


The "Display mixed content" setting should be configured correctly for the Locked Down Intranet Zone.


The "Display mixed content" setting should be configured correctly for the Local Machine Zone.


The "Display mixed content" setting should be configured correctly for the Locked Down Local Machine Zone.


The "Access data sources across domains" setting should be configured correctly for the Restricted Sites Zone.


The "Active scripting" setting should be configured correctly for the Restricted Sites Zone.


CCE-178

CCE-41


CCE-882

CCE-763


The "Binary and script behaviors" setting should be configured correctly for the Restricted Sites Zone.

Administrator approved/enabled/disabled

The "Drag and drop or copy and paste files" setting should be configured correctly for the Restricted Sites Zone.


The "File download" setting should be configured correctly for the Restricted Sites Zone.

The "Font download" setting should be configured correctly for the Restricted Sites Zone.


The "Installation of desktop items" setting should be configured correctly for the Restricted Sites Zone.


The "Allow META REFRESH" setting should be configured correctly for the Restricted Sites Zone.


CCE-838



CCE-52

CCE-1012

The "Allow script-initiated windows without size or position constraints" setting should be configured correctly for the Restricted Sites Zone.

The "Allow Scriptlets" setting should be configured correctly for the Restricted Sites Zone.


The "Allow status bar updates via script" setting should be configured correctly for the Restricted Sites Zone.

The "Automatic prompting for file downloads" setting should be configured correctly for the Restricted Sites Zone.

The "Download signed ActiveX controls" setting should be configured correctly for the Restricted Sites Zone.


The "Download unsigned ActiveX controls" setting should be configured correctly for the Restricted Sites Zone.


CCE-26

CCE-925

CCE-339

CCE-128

CCE-639

CCE-995

The "Initialize and script ActiveX controls not marked as safe for scripting" setting should be configured correctly for the Restricted Sites Zone.


The "Java permissions" setting should be configured correctly for the Restricted Sites Zone.


The "Launching programs and files in an IFRAME" setting should be configured correctly for the Restricted Sites Zone.


The "Logon" setting should be configured correctly for the Restricted Sites Zone.

Anonymous logon/Automatic logon only in Intranet zone/Automatic logon with current user name and password/Prompt for user name and password

The "Loose XAML" setting should be configured correctly for the Restricted Sites Zone.


The "Navigate sub-frames across different domains" setting should be configured correctly for the Restricted Sites Zone.



CCE-678

CCE-563

CCE-841

CCE-973

The "Open files based on content, not file extension" setting should be configured correctly for the Restricted Sites Zone.

The "Run components not signed with Authenticode" setting should be configured correctly for the Restricted Sites Zone.


The "Run components signed with Authenticode" setting should be configured correctly for the Restricted Sites Zone.


The "Run ActiveX controls and plugins" setting should be configured correctly for the Restricted Sites Zone.

Administrator approved/enabled/disabled/prompt

The "Script ActiveX controls marked safe for scripting" setting should be configured correctly for the Restricted Sites Zone.


CCE-1000

CCE-520



CCE-698

CCE-460

The "Scripting of Java applets" setting should be configured correctly for the Restricted Sites Zone.


The "Software channel permissions" setting should be configured correctly for the Restricted Sites Zone.

High safety/low safety/medium safety

The "Use Pop-up Blocker" setting should be configured correctly for the Restricted Sites Zone.

The "Userdata persistence" setting should be configured correctly for the Restricted Sites Zone.

The "Web sites in less privileged Web content zones can navigate into this zone" setting should be configured correctly for the Restricted Sites Zone.


The "XPS documents" setting should be configured correctly for the Restricted Sites Zone.


CCE-30

CCE-31

CCE-666








The "Display mixed content" setting should be configured correctly for the Restricted Sites Zone.


The "Display mixed content" setting should be configured correctly for the Trusted Sites Zone.


The "Display mixed content" setting should be configured correctly for the Locked Down Trusted Sites Zone.


The "Enable Native XMLHttp Support" setting should be configured correctly.

The "Turn on the auto-complete feature for user names and passwords on form" setting should be configured correctly.

The "Allow Install On Demand (Internet Explorer)" setting should be configured correctly.

The "Turn off page transitions" setting should be configured correctly.

The "Disable AutoComplete for forms" setting should be configured correctly.

The "Disable Save this program to disk option" setting should be configured correctly.

The "Disable changing certificate settings" setting should be configured correctly.














The "Disable external branding of Internet Explorer" setting should be configured correctly.The "Configure Outlook Express" setting should be configured correctly

The "Turn on the Internet Connection Wizard Auto Detect" setting should be configured correctly.

The "Disable Internet Connection wizard" setting should be configured correctly.

The "Disable the Reset Web Settings feature" should be configured correctly.

The "Disable Downloading Of Site Subscription Content" setting should be configured correctly.

The "Disable Adding Schedules For Offline Pages" setting should be configured correctly.The "Disable Adding Channels" setting should be configured correctly.

The "Disable Editing And Creating Of Schedule Groups" setting should be configured correctly.

The "Disable All Scheduled Offline Pages" setting should be configured correctly.

The "Disable Editing Schedules For Offline Pages" setting should be configured correctly.

The "Disable Channel User Interface Completely" setting should be configured correctly.The "Disable Removing Channels" setting should be configured correctly.



CCE-1027

CCE-1067

CCE-1063




CCE-494


The "Disable Removing Schedules For Offline Pages" setting should be configured correctly.

The "Disable Offline Page Hit Logging" setting should be configured correctly.

The "Increase a Process Working Set" setting should be configured correctly.

Set of users or groups

The "Behavior of the elevation prompt for standard users" setting should be configured correctly.

Prompt for credentials/Automatically deny

The "Behavior of the elevation prompt for administrators in Admin Approval Mode" setting should be configured correctly.

Prompt for consent/Prompt for credentials/Automatically deny

The "Remove CD Burning features" setting should be configured correctly.The "Remove Security tab" setting should be configured correctly.

The "Empty Temporary Internet Files folder when browser is closed" setting should be configured correctly.

The "Disable changing Temporary Internet files settings" setting should be configured correctly.

The "Internet Explorer Maintenance Policy Processing - Allow processing across a slow network connection" setting should be configured correctly.









CCE-320

The "Internet Explorer Maintenance Policy Processing - Do not apply during periodic background processing" setting should be configured correctly.

The "Internet Explorer Maintenance Policy Processing - Process even if the Group Policy objects have not changed" setting should be configured correctly.

The "Turn on Mapper I/O (LLTDIO) driver" setting should be configured correctly for the domain profile.

The "Turn on Mapper I/O (LLTDIO) driver" setting should be configured correctly for the public profile.

The "Turn on Mapper I/O (LLTDIO) driver" setting should be configured correctly for the private profile.

The "Turn on Responder (RSPNDR) driver" setting should be configured correctly for the domain profile.

The "Turn on Responder (RSPNDR) driver" setting should be configured correctly for the public profile.

The "Turn on Responder (RSPNDR) driver" setting should be configured correctly for the private profile.

The "Java permissions" setting should be configured correctly for the Locked Down Intranet Zone.


CCE-138

CCE-1045

CCE-1088

CCE-675

CCE-140



The "Java permissions" setting should be configured correctly for the Local Machine Zone.


The "Java permissions" setting should be configured correctly for the Locked Down Local Machine Zone.


The "Java permissions" setting should be configured correctly for the Locked Down Restricted Sites Zone.


The "Java permissions" setting should be configured correctly for the Trusted Sites Zone.


The "Java permissions" setting should be configured correctly for the Locked Down Trusted Sites Zone.


The "Configuration of wireless settings using Windows Connect Now" setting should be configured correctly for Wireless Connect Now over Ethernet (UPnP).

The "Configuration of wireless settings using Windows Connect Now" setting should be configured correctly for USB flash drives.












The "Configuration of wireless settings using Windows Connect Now" setting should be configured correctly for the Windows Portable Device API.

The 'Approved Installation Sites for ActiveX Controls' security mechanism should be enabled or disabled as appropriate.The "Disable Logging" setting should be configured correctly.

The "Disable Windows Error Reporting" setting should be configured correctly.

The "Do not send additional data" setting should be configured correctly.

The "Configure Corporate Windows Error Reporting" setting should be configured correctly.

The "Remove Default Programs link from the Start menu" setting should be configured correctly.

The "Turn off Help Experience Improvement Program" setting should be configured correctly.

The "Turn off Help Ratings" setting should be configured correctly.

The "Turn off Windows Online" setting should be configured correctly.

The "Prevent users from sharing files within their profile" setting should be configured correctly.

CCE-389 list of accounts




CCE-1185 set of paths





The "Access Credential Manager as a trusted caller" user right should be assigned to the appropriate accounts.

The "Change the time zone" user right should be assigned to the appropriate accounts.

The "Create Symbolic Links" user right should be assigned to the appropriate accounts.

The "Modify an object label" user right should be assigned to the appropriate accounts.

The "Remotely accessible registry paths and subpaths" policy should be set correctly.

The "User Account Control: Admin Approval Mode for the Built-in Administrator account" setting should be configured correctly.

The "User Account Control: Detect application installations and prompt for elevation" setting should be configured correctly.

The "User Account Control: Only elevate executables that are signed and validated" setting should be configured correctly.

The "User Account Control: Only elevate UIAccess applications that are installed in secure locations" setting should be configured correctly.




CCE-1225

CCE-957




CCE-1005

The "User Account Control: Run all administrators in Admin Approval Mode" setting should be configured correctly.

The "User Account Control: Switch to the secure desktop when prompting for elevation" setting should be configured correctly.

The "User Account Control: Virtualize file and registry write failures to per-user locations" setting should be configured correctly.

The required permissions for the file %SystemRoot%\System32\mshta.exe should be assigned.


The required permissions for the WLAN AutoConfig service should be assigned.


The "Prohibit use of Internet Connection Firewall on your DNS domain network" setting should be configured correctly.

The "Display Error Notification" setting should be configured correctly.The setup log maximum size should be configured correctly.

Computer-wide, rather than per-user, assignment of sites to zones for Internet Explorer should be enabled or disabled as appropriate.

enabled, disabled, or not configured


CCE-308



CCE-312



CCE-1047

The "Turn on Protected Mode" setting should be configured correctly for the Internet Zone.

The "Download signed ActiveX controls" setting should be configured correctly for the Locked-Down Internet Zone.


The "Allow status bar updates via script" setting should be configured correctly for the Locked-Down Trusted Sites Zone.

The "Turn on Protected Mode" setting should be configured correctly for the Restricted Sites Zone.

Computer-wide, rather than per-user, use of Microsoft Spynet Reporting for Windows Defender should be enabled or disabled as appropriate.

enabled, disabled, or not configured

The "Do Not Show First Use Dialog Boxes" setting for Windows Media Player should be configured correctly.

The "Prevent Desktop Shortcut Creation" setting for Windows Media Player should be configured correctly.

User notifications when a program is blocked from receiving inbound connections by Windows Firewall should be enabled or disabled as appropriate for the Domain Profile.



CCE-327 enable/disabled




The "Log Dropped Packets" option for the Windows Firewall should be configured correctly for the Private Profile.

The "Log Successful Connections" option for the Windows Firewall should be configured correctly for the Private Profile.

The log file path and name for the Windows Firewall should be configured correctly for the Private Profile.

The log file size limit for the Windows Firewall should be configured correctly for the Private Profile.

The "Log Dropped Packets" option for the Windows Firewall should be configured correctly for the Public Profile.

CCE-534 enable/disabled







The "Log Successful Connections" option for the Windows Firewall should be configured correctly for the Public Profile.

The log file path and name for the Windows Firewall should be configured correctly for the Public Profile.

The log file size limit for the Windows Firewall should be configured correctly for the Public Profile.

The ISATAP tunneling protocol for IPv6 should be enabled or disabled as appropriate.

The 6to4 tunneling protocol for IPv6 should be enabled or disabled as appropriate.

The Teredo tunneling protocol for IPv6 should be enabled or disabled as appropriate.

Auditing of "System: Security System Extension" events on success should be enabled or disabled as appropriate.











Auditing of "System: Security System Extension" events on failure should be enabled or disabled as appropriate.

Auditing of "System: System Integrity" events on success should be enabled or disabled as appropriate.

Auditing of "System: System Integrity" events on failure should be enabled or disabled as appropriate.

Auditing of "System: Ipsec Driver" events on success should be enabled or disabled as appropriate.

Auditing of "System: Ipsec Driver" events on failure should be enabled or disabled as appropriate.

Auditing of "System: Other System Events" events on success should be enabled or disabled as appropriate.

Auditing of "System: Other System Events" events on failure should be enabled or disabled as appropriate.

Auditing of "System: Security State Change" events on success should be enabled or disabled as appropriate.

Auditing of "System: Security State Change" events on failure should be enabled or disabled as appropriate.

Auditing of "Logon/Logoff: Logon" events on success should be enabled or disabled as appropriate.










Auditing of "Logon/Logoff: Logon" events on failure should be enabled or disabled as appropriate.

Auditing of "Logon/Logoff: Logoff" events on success should be enabled or disabled as appropriate.

Auditing of "Logon/Logoff: Logoff" events on failure should be enabled or disabled as appropriate.

Auditing of "Logon/Logoff: Account Lockout" events on success should be enabled or disabled as appropriate.

Auditing of "Logon/Logoff: Account Lockout" events on failure should be enabled or disabled as appropriate.

Auditing of "Logon/Logoff: IPsec Main Mode" events on success should be enabled or disabled as appropriate.

Auditing of "Logon/Logoff: IPsec Main Mode" events on failure should be enabled or disabled as appropriate.

Auditing of "Logon/Logoff: IPsec Quick Mode" events on success should be enabled or disabled as appropriate.

Auditing of "Logon/Logoff: IPsec Quick Mode" events on failure should be enabled or disabled as appropriate.










Auditing of "Logon/Logoff: IPsec Extended Mode" events on success should be enabled or disabled as appropriate.

Auditing of "Logon/Logoff: IPsec Extended Mode" events on failure should be enabled or disabled as appropriate.

Auditing of "Logon/Logoff: Special Logon" events on success should be enabled or disabled as appropriate.

Auditing of "Logon/Logoff: Special Logon" events on failure should be enabled or disabled as appropriate.

Auditing of "Logon/Logoff: Other Logon/Logoff Events" events on success should be enabled or disabled as appropriate.

Auditing of "Logon/Logoff: Other Logon/Logoff Events" events on failure should be enabled or disabled as appropriate.

Auditing of "Object Access: File System" events on success should be enabled or disabled as appropriate.

Auditing of "Object Access: File System" events on failure should be enabled or disabled as appropriate.

Auditing of "Object Access: Registry" events on success should be enabled or disabled as appropriate.










Auditing of "Object Access: Registry" events on failure should be enabled or disabled as appropriate.

Auditing of "Object Access: Kernel Object" events on success should be enabled or disabled as appropriate.

Auditing of "Object Access: Kernel Object" events on failure should be enabled or disabled as appropriate.

Auditing of "Object Access: SAM" events on success should be enabled or disabled as appropriate.

Auditing of "Object Access: SAM" events on failure should be enabled or disabled as appropriate.

Auditing of "Object Access: Certification Services" events on success should be enabled or disabled as appropriate.

Auditing of "Object Access: Certification Services" events on failure should be enabled or disabled as appropriate.

Auditing of "Object Access: Application Generated" events on success should be enabled or disabled as appropriate.

Auditing of "Object Access: Application Generated" events on failure should be enabled or disabled as appropriate.









Auditing of "Object Access: Handle Manipulation" events on success should be enabled or disabled as appropriate.

Auditing of "Object Access: Handle Manipulation" events on failure should be enabled or disabled as appropriate.

Auditing of "Object Access: File Share" events on success should be enabled or disabled as appropriate.

Auditing of "Object Access: File Share" events on failure should be enabled or disabled as appropriate.

Auditing of "Object Access: Filtering Platform Packet Drop" events on success should be enabled or disabled as appropriate.

Auditing of "Object Access: Filtering Platform Packet Drop" events on failure should be enabled or disabled as appropriate.

Auditing of "Object Access: Filtering Platform Connection" events on success should be enabled or disabled as appropriate.

Auditing of "Object Access: Filtering Platform Connection" events on failure should be enabled or disabled as appropriate.









Auditing of "Object Access: Other Object Access Events" events on success should be enabled or disabled as appropriate.

Auditing of "Object Access: Other Object Access Events" events on failure should be enabled or disabled as appropriate.

Auditing of "Privilege Use: Sensitive Privilege Use" events on success should be enabled or disabled as appropriate.

Auditing of "Privilege Use: Sensitive Privilege Use" events on failure should be enabled or disabled as appropriate.

Auditing of "Privilege Use: Non Sensitive Privilege Use" events on success should be enabled or disabled as appropriate.

Auditing of "Privilege Use: Non Sensitive Privilege Use" events on failure should be enabled or disabled as appropriate.

Auditing of "Privilege Use: Other Privilege Use Events" events on success should be enabled or disabled as appropriate.

Auditing of "Privilege Use: Privilege Use: Other Privilege Use Events" events on failure should be enabled or disabled as appropriate.










Auditing of "Detailed Tracking: Process Termination" events on success should be enabled or disabled as appropriate.

Auditing of "Detailed Tracking: Process Termination" events on failure should be enabled or disabled as appropriate.

Auditing of "Detailed Tracking: DPAPI Activity" events on success should be enabled or disabled as appropriate.

Auditing of "Detailed Tracking: DPAPI Activity" events on failure should be enabled or disabled as appropriate.

Auditing of "Detailed Tracking: RPC Events" events on success should be enabled or disabled as appropriate.

Auditing of "Detailed Tracking: RPC Events" events on failure should be enabled or disabled as appropriate.

Auditing of "Detailed Tracking: Process Creation" events on success should be enabled or disabled as appropriate.

Auditing of "Detailed Tracking: Process Creation" events on failure should be enabled or disabled as appropriate.

Auditing of "Policy Change: Audit Policy Change" events on success should be enabled or disabled as appropriate.









Auditing of "Policy Change: Audit Policy Change" events on failure should be enabled or disabled as appropriate.

Auditing of "Policy Change: Authentication Policy Change" events on success should be enabled or disabled as appropriate.

Auditing of "Policy Change: Authentication Policy Change" events on failure should be enabled or disabled as appropriate.

Auditing of "Policy Change: Authorization Policy Change" events on success should be enabled or disabled as appropriate.

Auditing of "Policy Change: Authorization Policy Change" events on failure should be enabled or disabled as appropriate.

Auditing of "Policy Change: MPSSVC Rule-Level Policy Change" events on success should be enabled or disabled as appropriate.

Auditing of "Policy Change: MPSSVC Rule-Level Policy Change" events on failure should be enabled or disabled as appropriate.

Auditing of "Policy Change: Filtering Platform Policy Change" events on success should be enabled or disabled as appropriate.









Auditing of "Policy Change: Filtering Platform Policy Change" events on failure should be enabled or disabled as appropriate.

Auditing of "Policy Change: Other Policy Change Events" events on success should be enabled or disabled as appropriate.

Auditing of "Policy Change: Other Policy Change Events" events on failure should be enabled or disabled as appropriate.

Auditing of "Account Management: User Account Management" events on success should be enabled or disabled as appropriate.

Auditing of "Account Management: User Account Management" events on failure should be enabled or disabled as appropriate.

Auditing of "Account Management: Computer Account Management" events on success should be enabled or disabled as appropriate.

Auditing of "Account Management: Computer Account Management" events on failure should be enabled or disabled as appropriate.

Auditing of "Account Management: Security Group Management" events on success should be enabled or disabled as appropriate.








Auditing of "Account Management: Security Group Management" events on failure should be enabled or disabled as appropriate.

Auditing of "Account Management: Distribution Group Management" events on success should be enabled or disabled as appropriate.

Auditing of "Account Management: Distribution Group Management" events on failure should be enabled or disabled as appropriate.

Auditing of "Account Management: Application Group Management" events on success should be enabled or disabled as appropriate.

Auditing of "Account Management: Application Group Management" events on failure should be enabled or disabled as appropriate.

Auditing of "Account Management: Other Account Management Events" events on success should be enabled or disabled as appropriate.

Auditing of "Account Management: Other Account Management Events" events on failure should be enabled or disabled as appropriate.









Auditing of "DS Access: Directory Service Changes" events on success should be enabled or disabled as appropriate.

Auditing of "DS Access: Directory Service Changes" events on failure should be enabled or disabled as appropriate.

Auditing of "DS Access: Directory Service Replication" events on success should be enabled or disabled as appropriate.

Auditing of "DS Access: Directory Service Replication" events on failure should be enabled or disabled as appropriate.

Auditing of "DS Access: Detailed Directory Service Replication" events on success should be enabled or disabled as appropriate.

Auditing of "DS Access: Detailed Directory Service Replication" events on failure should be enabled or disabled as appropriate.

Auditing of "DS Access: Directory Service Access" events on success should be enabled or disabled as appropriate.

Auditing of "DS Access: Directory Service Access" events on failure should be enabled or disabled as appropriate.







Auditing of "Account Logon: Kerberos Ticket Events" events on success should be enabled or disabled as appropriate.

Auditing of "Account Logon: Kerberos Ticket Events" events on failure should be enabled or disabled as appropriate.

Auditing of "Account Logon: Other Account Logon Events" events on success should be enabled or disabled as appropriate.

Auditing of "Account Logon: Other Account Logon Events" events on failure should be enabled or disabled as appropriate.

Auditing of "Account Logon: Credential Validation" events on success should be enabled or disabled as appropriate.

Auditing of "Account Logon: Credential Validation" events on failure should be enabled or disabled as appropriate.

CCE Technical Mechanisms

(1) defined by the object's SACL

?



(1) defined by the object's DACL



CIS W2K Server Level 2

Benchmark v2.2.1

DISA Gold Disk Check Name for

W2K (golddisk.win2k.ecve.txt)

4.4.3.1 %System Drive% - Everyone: Failures (this folder, propagate inheritable permissions to all subfolders and files)

4.4.3.2 HKLM\Software – Everyone: Failures (this key, propagate inheritable permission to all subkeys)

Reg Auditing Local Machine

4.4.3.3 HKLM\System – Everyone: Failures (this key, propagate inheritable permission to all subkeys)

Reg Auditing Local Machine














SystemDrive ACL


Autoexec.bat ACL

(1) defined by the object's DACL BOOT.INI ACL


CONFIG.SYS ACL

4.4.1.15 %ProgramFiles% - Administrators: Full; System: Full; Creator Owner: Full; Users: Read and Execute, List

Program Files ACL

4.4.1.16 %Program Files%\Resource Kit – Administrators: Full; System: Full

Resource Kit ACL Servers and DCs

4.4.1.17 %Program Files%\Resource Pro Kit – Administrators: Full; System: Full

Resource Kit ACL Workstation

4.4.1.1 %SystemDrive%\ - Administrators: Full; System: Full; Creator Owner: Full; Users: Read and Execute, List

4.4.1.2 %SystemDrive%\autoexec.bat - Administrator: Full; System: Full

4.4.1.3 %SystemDrive%\boot.ini – Administrators: Full; System: Full4.4.1.4 %SystemDrive%\config.sys - Administrators: Full; System: Full




(1) defined by the object's DACL DrWatson ACL


?

4.4.1.10 %SystemDrive%\Documents and Settings - Administrators: Full; System: Full; Users: Read and Execute, List

Documents and Settings ACL

4.4.1.11 %SystemDrive%\Documents and Settings\Administrator - Administrators: Full; System: Full Documents and

Settings\Administrator ACL

4.4.1.12 %SystemDrive%\Documents and Settings\All Users – Administrators: Full; System: Full; Users: Read and Execute, List

Documents and Settings\All Users ACL

4.4.1.13 %SystemDrive%\Documents and Settings\All Users\Documents\DrWatson – Administrators: Full; System: Full;Creator Owner: Full; Users: Traverse Folder/Execute File, List Folder/Read Data, Read Attributes, Read Extended Attributes, Read Permissions (This folder, subfolders, and files); Users: Traverse Folder/Execute Files, CreateFiles/Write Data, Create Folder/Append Data (Subfolders and files only)

DrWatson Log ACL


Default User ACL


IO.SYS ACL


MSDOS.SYS ACL



(1) defined by the object's DACL NTLDR ACL


?

Temp ACL


?


4.4.1.14 %SystemDrive%\Documents and Settings\Default User - Administrators: Full; System: Full; Users: Read and Execute, List

4.4.1.5 %SystemDrive%\io.sys - Administrators: Full; System: Full

4.4.1.6 %SystemDrive%\msdos.sys - Administrators: Full; System: Full

4.4.1.7 %SystemDrive%\ntbootdd.sys - Administrators: Full; System: Full

NTBOOTDD.SYS ACL

4.4.1.8 %SystemDrive%\ntdetect.com – Administrators: Full; System: Full

NTDETECT.COM ACL

4.4.1.9 %SystemDrive%\ntldr - Administrators: Full; System: Full

My Download ACL

4.4.1.47 %SystemDrive%\System Volume Information – (Do not allow permissions on this folder to be replaced)

(1) defined by the object's DACL System Root ACL

(1) defined by the object's DACL Driver.cab ACL

(1) defined by the object's DACL System Root ACL


(1) defined by the object's DACL ?

(1) defined by the object's DACL CSC ACL

(1) defined by the object's DACL Debug ACL

4.4.1.18 %SystemRoot% – Administrators: Full; System: Full; Creator Onwer: Full; Users: Read and Execute, List

4.4.1.18 %SystemRoot% – Administrators: Full; System: Full; Creator Onwer: Full; Users: Read and Execute, List

4.4.1.19 %SystemRoot%\$NtServicePackUninstall$ – Administrators: Full; System: Full

%SystemRoot%\$NtServicePackUninstall$

NT SP Uninstall ACL

4.4.1.20 %SystemRoot%\CSC – Administrators: Full; System: Full

4.4.1.21 %SystemRoot%\Debug - Administrators: Full; System: Full; Creator Owner: Full; Users: Read and Execute, List






(1) defined by the object's DACL regedit.exe ACL


?

NTDS ACL


4.4.1.22 %SystemRoot%\Debug\UserMode - Administrators: Full; System: Full; Users: Traverse Folder/Execute File, Listfolder/Read data, Create files/Write data (This folder, only); Create files/Write data, Create folders/Append data(Files only)

UserMode Directory ACL

4.4.1.31 %SystemRoot%\regedit.exe – Administrators: Full; System: Full

4.4.1.23 %SystemRoot%\Offline Web Pages – Ignore Parent Permission Changes

(1) defined by the object's DACL Registration ACL


(1) defined by the object's DACL Repair ACL

(1) defined by the object's DACL Security ACL


?

SYSVOL ACL


?


?

Temp ACL

(1) defined by the object's DACL System32 ACL

(1) defined by the object's DACL appmgmt ACL

4.4.1.24 %SystemRoot%\Registration - Administrators: Full; System: Full; Users: Read

4.4.1.25 %SystemRoot%\repair - Administrators: Full; System: Full

4.4.1.26 %SystemRoot%\security - Administrators: Full; System: Full; Creator Owner: Full

%SystemRoot%\SYSVOL\domain\Policies

4.4.1.27 %SystemRoot%\system32 - Administrators: Full; System: Full; Creator Owner: Full; Users: Read and Execute, List4.4.1.36 %SystemRoot%\system32\appmgmt – Administrators: Full; System: Full; Users: Read and Execute, List

(1) defined by the object's DACL at.exe ACL






(1) defined by the object's DACL CONFIG ACL


?


?


4.4.1.28 %SystemRoot%\system32\at.exe – Administrators: Full; System: Full

4.4.1.37 %SystemRoot%\system32\config – Administrators: Full; System: Full

%SystemRoot%\System32\CONFIG\AppEvent.evt

%SystemRoot%\System32\CONFIG\SecEvent.evt




(1) defined by the object's DACL dllcache ACL







4.4.1.38 %SystemRoot%\system32\dllcache – Administrators: Full; System: Full; Creator Owner: Full





(1) defined by the object's DACL GroupPolicy ACL

(1) defined by the object's DACL ias ACL



4.4.1.39 %SystemRoot%\system32\DTCLog - Administrators: Full; System: Full; Creator Owner: Full; Users: Read andExecute, List

4.4.1.40 %SystemRoot%\system32\Group Policy - Administrators: Full; System: Full; Authenticated Users: Read andExecute, List

4.4.1.41 %SystemRoot%\system32\ias - Administrators: Full; System: Full; Creator Owner: Full








(1) defined by the object's DACL NTMSData ACL


4.4.1.29 %SystemRoot%\system32\Ntbackup.exe – Administrators: Full; System: Full

NTbackup.exe ACL

4.4.1.42 %SystemRoot%\system32\NTMSData – Administrators: Full; System: Full



(1) defined by the object's DACL Rcp.exe ACL






(1) defined by the object's DACL Rexec.exe ACL

4.4.1.30 %SystemRoot%\system32\rcp.exe – Administrators: Full; System: Full

4.4.1.32 %SystemRoot%\system32\regedt32.exe – Administrators: Full; System: Full

Regedt32.exe ACL

4.4.1.43 %SystemRoot%\system32\reinstallbackups – Administrators: Full; System: Full; Creator Owner: Full; PowerUsers: Read and Execute, List

4.4.1.33 %SystemRoot%\system32\rexec.exe – Administrators: Full; System: Full


(1) defined by the object's DACL Rsh.exe ACL





?



(1) defined by the object's DACL Setup ACL

4.4.1.34 %SystemRoot%\system32\rsh.exe – Administrators: Full; System: Full

4.4.1.35 %SystemRoot%\system32\secedit.exe – Administrators: Full; System: Full

4.4.1.44 %SystemRoot%\system32\Setup – Administrators: Full; System: Full; Users: Read and Execute, List


?

repl ACL


?

Export ACL


?

Import ACL






4.4.1.45 %SystemRoot%\system32\spool\printers – Administrators: Full; System: Full; Creator Owner: Full; Users:Traverse Folder, Execute File, Read, Read Extended Attributes, Create folders, Append Data

Spool\Printers ACL




?


?

MQSeries ACL


?

(1) defined by the object's DACL 269

(1) defined by the object's DACL SECEDIT.SDB ACL


?

4.4.1.46 %SystemRoot%\Tasks - (Do not allow permissions on this folder to be replaced)

MQSeries Queue ACL

Registry ACL Check CLASSES_ROOT


? ?



?


?




4.4.2.2 HKLM\Software – Administrators Full; System: Full; Creator Owner: Full; Users: Read

Registry ACL Check Software

4.4.2.1 HKLM\Software\Classes - Administrators: Full; System: Full; Creator Owner: Full; Users: Read

\SOFTWARE\Classes\Regfile\Shell\Open\Command






4.4.2.3 HKLM\Software\Microsoft\Net DDE – Administrators: Full; System: Full

Reg ACL NetDDE Check test

4.4.2.4 HKLM\Software\Microsoft\OS/2 Subsystem for NT – Administrators: Full; System: Full; Creator Owner: Full

Reg ACL OS2 Check test

4.4.2.5 HKLM\Software\Microsoft\Windows NT\CurrentVersion\AsrCommands – Administrators: Full; System: Full;Creator Owner: Full; Users: Read; Backup Operators: Query Value, Set Value, Create Subkey, EnumerateSubkeys, Notify, Delete, Read (this key and subkeys)

Reg ACL Check AsrCommands

4.4.2.6 HKLM\Software\Microsoft\Windows NT\CurrentVersion\Perflib – Administrators: Full; System: Full; CreatorOwner: Full; Interactive: Read (this key and subkeys)

Registry ACL Check Perflib







4.4.2.7 HKLM\Software\Microsoft\Windows\CurrentVersion\Group Policy - Administrators: Full; System: Full;Authenticated Users: Read

Reg ACL Check Group Policy

4.4.2.8 HKLM\Software\Microsoft\Windows\CurrentVersion\Installer - Administrators Full; System: Full; Users: Read

Reg ACL Check Installer

4.4.2.9 HKLM\Software\Microsoft\Windows\CurrentVersion\Policies - Administrators: Full; System: Full; AuthenticatedUsers: Read

Reg ACL Check Policies








4.4.2.10 HKLM\System - Administrators Full; System: Full; Creator Owner: Full; Users: Read

Registry ACL Check SYSTEM

4.4.2.11 HKLM\System\Clone – Allow inheritable permissions to propagate to this object

4.4.2.12 HKLM\System\ControlSet001 - Administrators Full; System: Full; Creator Owner: Full; Users: Read

Registry ACL Check controlset001

4.4.2.13 HKLM\System\ControlSet00x - Administrators Full; System: Full; Creator Owner: Full; Users: Read

























(1) defined by the object's DACL Winreg ACL


? ?





4.4.2.14 HKLM\System\CurrentControlSet\Control\SecurePipeServers\WinReg – Administrators: Full

4.4.2.15 HKLM\System\CurrentControlSet\Control\WMI\Security – Administrators: Full; System: Full; Creator Owner: Full(this key and subkeys)

Registry ACL Check Security

4.4.2.16 HKLM\System\CurrentControlSet\Enum - (Do not allow permissions on this key to be replaced)

4.4.2.17 HKLM\System\CurrentControlSet\Hardware Profiles – Administrators Full; System: Full; Creator Owner: Full;Users: Read

Registry ACL Check Hardware Profiles



















4.4.2.18 HKLM\System\CurrentControlSet\Services\SNMP\Parameters\PermittedManagers - Administrators Full; System: Full;Creator Owner: Full

Registry ACL Check Permitted Managers

4.4.2.19 HKLM\System\CurrentControlSet\Services\SNMP\Parameters\ValidCommunities - Administrators Full; System: Full;Creator Owner: Full

Registry ACL Check ValidCommunities








4.4.2.20 HKU\.Default - Administrators Full; System: Full; Creator Owner: Full; Users: Read

Registry ACL Check Default

4.4.2.21 HKU\.Default\Software\Microsoft\NetDDE - Administrators Full; System: Full

Registry ACL Check NetDDE

4.4.2.22 HKU\.Default\Software\Microsoft\Protected Storage System Provider – No entries


?


Registry ACL Check CLASSES_ROOT

(1) defined by the SeDenyNetworkLogonRight setting in Local or Group Policy

4.2.11 Deny access to this computer from the network: Guests

User Right Check deny access from network

(1) defined by the SeNetworkLogonRight setting in Local or Group Policy

4.2.1 Access this computer from the network: Users, Administrators (or none)

User Right Check Network Logon

(1) defined the SeTcbPrivilege setting in by Local or Group Policy

4.2.2 Act as part of the operating system: None

User Right Check Act as OS

(1) defined the SeBackupPrivilege setting in by Local or Group Policy

4.2.4 Back up files and directories: Administrators

User Right Check Backup

(1) defined the SeChangeNotifyPrivilege setting in by Local or Group Policy

4.2.5 Bypass traverse checking: Users

User Right Check Bypass Traverse checking

(1) defined the SeSystemTimePrivilege setting in by Local or Group Policy

4.2.6 Change the system time: Administrators

User Right Check change system time

(1) defined the SeCreatePagefilePrivilege setting in by Local or Group Policy

4.2.7 Create a pagefile: Administrators

User Right Check create pagefile

(1) defined the SeCreateTokenPrivilege setting in by Local or Group Policy

4.2.8 Create a token object: None

User Right Check create token object

(1) defined the SeCreatePermanentPrivilege setting in by Local or Group Policy

4.2.9 Create permanent shared objects: None

User Right Check create permanent shared objects

(1) defined the SeDebugPrivilege setting in by Local or Group Policy

4.2.10 Debug Programs: None

User Right Check debug programs

(1) defined the SeRemoteShutdownPrivilege setting in by Local or Group Policy

4.2.16 Force shutdown from a remote system: Administrators

User Right Check remote shutdown

(1) defined the SeAuditPrivilege setting in by Local or Group Policy

4.2.17 Generate security audits: None

User Right Check generate security audits

(1) defined the SeIncreaseQuotaPrivilege setting in by Local or Group Policy

4.2.18 Increase quotas: Administrators

User Right Check increase quotas

(1) defined the SeIncreaseBasePriorityPrivilege setting in by Local or Group Policy

4.2.19 Increase scheduling priority: Administrators

User Right Check increase scheduling priority

(1) defined the SeLoadDriverPrivilege setting in by Local or Group Policy

4.2.20 Load and unload device drivers: Administrators

User Right Check load and unload device drivers

(1) defined the SeLockMemoryPrivilege setting in by Local or Group Policy

4.2.21 Lock pages in memory: None

User Right Check lock pages in memory

(1) defined the SeBatchLogonRight setting in by Local or Group Policy

4.2.22 Log on as a batch job: None

User Right Check log on as a batch job

(1) defined the SeServiceLogonRight setting in by Local or Group Policy

4.2.23 Log on as a service: None

User Right Check log on as a service job

(1) defined the SeInteractiveLogonRight setting in by Local or Group Policy

4.2.24 Log on locally: Users, Administrators (further restriction allowable)

User Right Check log on locally

(1) defined the SeSecurityPrivilege setting in by Local or Group Policy

4.2.25 Manage auditing and security log: Administrators

Manage Auditing and Security Logs on a Member Server

(1) defined the SeSystemEnvironmentPrivilege setting in by Local or Group Policy

4.2.26 Modify firmware environment values: Administrators

User Right Check modify firmware

User Right restore

(1) defined the SeProfileSingleProcessPrivilege setting in by Local or Group Policy

4.2.27 Profile single process: Administrators

User Right Check Profile single process

(1) defined the SeSystemProfilePrivilege setting in by Local or Group Policy

4.2.28 Profile system performance: Administrators

User Right Check Profile system performance

(1) defined the SeUndockPrivilege setting in by Local or Group Policy

4.2.29 Remove computer from docking station: Users, Administrators

User Right Check undock

(1) defined the SeAssignPrimaryTokenPrivilege setting in by Local or Group Policy

4.2.30 Replace a process level token: None

User Right replace process token

(1) defined the SeRestorePrivilege setting in by Local or Group Policy

4.2.31 Restore files and directories: Administrators

(1) defined the SeShutdownPrivilege setting in by Local or Group Policy

4.2.32 Shut down the system: Users, Administrators

User Right shut down

(1) defined the SeTakeOwnershipPrivilege setting in by Local or Group Policy

4.2.34 Take ownership of file or other objects: Administrators

User Right take ownership

(1) defined the SeSynchAgentPrivilege setting in by Local or Group Policy

4.2.33 Synchronize directory service data: Not Applicable

User Right synch directory

(1) defined the SeDenyInteractiveLogonRight setting in by Local or Group Policy

4.2.14 Deny logon locally: None by default (others allowable as appropriate)

User Right Check deny logon locally

(1) defined the SeEnableDelegationPrivilege setting in by Local or Group Policy

4.2.15 Enable computer and user accounts to be trusted for delegation: Not Applicable

User Right Check allow trust for delegation

(1) defined the SeMachineAccountPrivilege setting in by Local or Group Policy

4.2.3 Add workstations to domain: Not applicable

User Right Check Add wkstn to domain

(1) defined the SeRemoteInteractiveLogonRight setting in by Local or Group Policy

(1) defined the SeDenyBatchLogonRight setting in by Local or Group Policy

(1) defined the SeDenyServiceLogonRight setting in by Local or Group Policy

(1) defined by Local or Group Policy




(1) defined the SeDenyRemoteInteractiveLogonRight setting in by Local or Group Policy

(1) defined the SeManageVolumePrivilege setting in by Local or Group Policy

Reset Account Lockout After: 15 Minutes (minimum)

Lockout Reset (15)

Account Lockout Duration: 15 Minutes (minimum)

Lockout Duration (15)

Account Lockout Threshold: 3 Bad Login Attempts (maximum)

Lockout Count (3)

Audit Account Logon Events: Success and Failure

Account logon auditing





? ?


? ?

(1) defined by Local or Group Policy logon auditing

(1) defined by Local or Group Policy logon auditing

Audit Account Logon Events: Success and Failure

Account logon auditing

Audit Account Management: Success and Failure

Account management auditing

Audit Account Management: Success and Failure

Account management auditing

Audit Logon Events: Success and Failure

Audit Logon Events: Success and Failure





(1) defined by Local or Group Policy priv use auditing

(1) defined by Local or Group Policy priv use auditing


?


?

Audit Object Access: Failure (minimum)

object access auditing

Audit Object Access: Failure (minimum)

object access auditing

Audit Policy Change: Failure (minimum)

policy change auditing

Audit Policy Change: Failure (minimum)

policy change auditing

Audit Privilege Use: Failure (minimum)

Audit Privilege Use: Failure (minimum)

Audit Process Tracking: Not Defined

Audit Process Tracking: Not Defined




?


?

? ?

? ?

Audit System Events: Success and Failure

System Event auditing

Audit System Events: Success and Failure

System Event auditing

Allow System to be Shut Down Without Having to Log On

Decoy Admin, Account Exists

(1) In Windows Explorer: Tools->Folder Options->File Types->[file type]->Advanced

(1) `REGSVR32 "C:\Windows\System\Scrrun.dll"` (2) `UNREGSVR32 "C:\Windows\System\Scrrun.dll"`

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\RestrictGuestAccess (2) defined by Group Policy

Application Log: Restrict Guest Access to Logs: Enabled

Anonymous Access to the Application Event Log value

(1) defined by the Windows Event Log (2) defined by Group Policy (3) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\MaxSize

Application Log: Maximum Event Log Size: 80 Mb (minimum)

Application Event Log size key value

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\Retention (2) defined by Group Policy

Application Log: Log Retention Method: “Overwrite Events As Needed”

Application Event Log retention key value

Application Event Log retention key value

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security\RestrictGuestAccess (2) defined by Group Policy

Security Log: Restrict Guest Access to Logs: Enabled

Anonymous Access to the Security Event Log value

(1) defined by the Windows Event Log (2) defined by Group Policy (3) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security\MaxSize

Security Log: Maximum Event Log Size: 80 Mb (minimum)

Security Event Log size key value


Security Log: Log Retention Method: “Overwrite Events As Needed”

Security Event Log retention key value

Security Event Log retention key value

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\RestrictGuestAccess (2) defined by Group Policy

System Log: Restrict Guest Access to Logs: Enabled

Anonymous Access to the System Event Log value

(1) defined by the Windows Event Log (2) defined by Group Policy (3) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\MaxSize

System Log: Maximum Event Log Size: 80 Mb (minimum)

System Event Log size key value


System Log: Log Retention Method: “Overwrite Events As Needed”

System Event Log retention key value




(1) determined by the local filesystem

?

(1) defined by Local or Group Policy EnPasFlt Check



System Event Log retention key value

All passwords are no more than 90 days old (maximum).

Maximum Password Age (90)

Minimum Password Age: 1 day

Minimum Password Age

All passwords are at least 8 characters long (minimum).

Password Length (8)

Check for Enpasflt.dll

Password Complexity: Enabled

Password History: 24 Passwords Remembered

Password History (24)

Store Passwords using Reversible Encryption: Disabled

Reversible Pwd Encryption

4.1.1 Alerter – Disabled

?

4.1.2 Clipbook – Disabled

?

s

?

?

?

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Alerter\Start (2) defined by the Services Administrative Tool (3) definied by Group Policy

(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAutoUpdate (2) defined by the Services Administrative Tool (3) definied by Group Policy

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\Start (2) defined by the Services Administrative Tool (3) definied by Group Policy

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ClipSrv\Start (2) defined by the Services Administrative Tool (3) definied by Group Policy

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Browser\Start (2) defined by the Services Administrative Tool (3) definied by Group Policy

4.1.3 Computer Browser – Disabled

Computer Browser Disabled

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FastUserSwitchingCompatibility\Start (2) defined by the Services Administrative Tool (3) definied by Group Policy

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Fax\Start (2) defined by the Services Administrative Tool (3) definied by Group Policy

4.1.4 Fax Service – Disabled

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSFTPSVC\Start (2) defined by the Services Administrative Tool (3) definied by Group Policy

4.1.5 FTP Publishing Service – Disabled

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IISADMIN\Start (2) defined by the Services Administrative Tool (3) definied by Group Policy

4.1.6 IIS Admin Service – Disabled

?

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CiSvc\Start (2) defined by the Services Administrative Tool (3) definied by Group Policy

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Messenger\Start (2) defined by the Services Administrative Tool (3) definied by Group Policy

4.1.8 Messenger – Disabled

(1) defined by the Services Administrative Tool (2) definied by Group Policy

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Start (2) defined by the Services Administrative Tool (3) definied by Group Policy

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mnmsrvc\Start (2) defined by the Services Administrative Tool (3) definied by Group Policy

4.1.9 NetMeeting Remote Desktop Sharing – Disabled

NetMeeting Remote Desktop Sharing Disabled



(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RDSessMgr\Start (2) defined by the Services Administrative Tool (3) definied by Group Policy

?

?

?

?

?

?

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Start (2) defined by the Services Administrative Tool (3) definied by Group Policy

4.1.7 Internet Connection Sharing – Disabled

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\Start (2) defined by the Services Administrative Tool (3) definied by Group Policy

4.1.10 Remote Registry Service – Disabled

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess\Start (2) defined by the Services Administrative Tool (3) definied by Group Policy

4.1.11 Routing and Remote Access – Disabled

Remote Access Auto Connection Manager Disabled

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RshSvc\Start (2) defined by the Services Administrative Tool (3) definied by Group Policy

Remote Shell Service

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SIMPTCP\Start (2) defined by the Services Administrative Tool (3) definied by Group Policy

Simple TCP/IP Service

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SMTPSVC\Start (2) defined by the Services Administrative Tool (3) definied by Group Policy

4.1.12 Simple Mail Transfer Protocol (SMTP) – Disabled

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP\Start (2) defined by the Services Administrative Tool (3) definied by Group Policy

4.1.13 Simple Network Management Protocol (SNMP) Service – Disabled

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMPTRAP\Start (2) defined by the Services Administrative Tool (3) definied by Group Policy

4.1.14 Simple Network Management Protocol (SNMP) Trap – Disabled

4.1.15 Telnet – Disabled Telnet Disabled

?


(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule\Start (2) defined by the Services Administrative Tool (3) definied by Group Policy

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\Start (2) defined by the Services Administrative Tool (3) definied by Group Policy

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService\Start (2) defined by the Services Administrative Tool (3) definied by Group Policy

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\upnphost\Start (2) defined by the Services Administrative Tool (3) definied by Group Policy

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Start (2) defined by the Services Administrative Tool (3) definied by Group Policy

4.1.16 World Wide Web Publishing Services – Disabled

(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAutoUpdate (2) defined by the Services Administrative Tool (3) definied by Group Policy

4.1.17 Automatic Updates – Not Defined

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\Start (2) defined by the Services Administrative Tool (3) definied by Group Policy

4.1.18 Background Intelligent Transfer Service – Not Defined


Print Services for UNIX

? ?

? ?

? ?

? ?

? ?

? ?

(1) set via Security Templates (2) definied by Group Policy










? ?

? ?

Printer Permissions

? ?

? ?

? ?

? ?











? ?

?

? ?

? ?

(1) defined by Local or Group Policy ?



"Schedule" service is run as the system account.





Additional Restrictions for Anonymous Connections: “No Access Without Explicit Anonymous Permissions”

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\RestrictAnonymous (2) defined by Local or Group Policy

Restrict Anonymous value

?

(1) Local Users and Groups MMC

?

(1) Local Users and Groups MMC

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM (2) defined by Local or Group Policy

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AnonymousNameLookup (2) defined by Local or Group

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security

Anonymous access to the event logs is not restricted.

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg

Anonymous access to the Registry is not restricted.

Guest Account Disabled

?

?

(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeCaption (2) defined by Local or Group Policy

Message Title for Users Attempting to Log On: “Warning:” or custom title.

Legal notice is not configured to display before console logon.

(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText (2) defined by Local or Group Policy

Message Text for Users Attempting to Log On: Custom Message or “This

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\AutoShareWks

Remove administrative shares on workstation (Professional): HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters\AutoShareWks

(1) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AEDebug\Auto

Disable Automatic Execution of the System Debugger: HKLM\ Software\Microsoft\Windows NT\CurrentVersion\AEDebug\Auto (REG_DWORD) 0

CIS: Automatic Execution of the System Debugger value

(1) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoAdminLogon

Disable Automatic Logon: HKLM\ Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoAdminLogon(REG_DWORD) 0

Admin Autologon Value

Autoplay value?

?

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl\AutoReboot

Disable automatic reboots after a Blue Screen of Death: HKLM\System\CurrentControlSet\Control\CrashControl\AutoReboot (REG_DWORD) 0

CIS: Disable Reboot After Crash value

(1) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun

Disable autoplay from any disk type, regardless of application: HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun (REG_DWORD) 255

(1) HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun

Disable autoplay for current user: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun (REG_DWORD) 255

(1) HKEY_USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun

Disable autoplay for new users by default: HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun (REG_DWORD) Not Defined

CIS: Disable Media Autoplay (HKU-.Default hive)

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CDrom\Autorun

Disable CD Autorun: HKLM\System\CurrentControlSet\Services\CDrom\Autorun (REG_DWORD) 0

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MrxSmb\Parameters\RefuseReset

Protect against Computer Browser Spoofing Attacks: HKLM\System\CurrentControlSet\Services\MrxSmb\Parameters\RefuseReset (REG_DWORD) 1

Computer Browser Spoofing Attacks

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\ServicesTcpip\Parameters\EnableICMPRedirect

Ensure ICMP Routing via shortest path first: HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\EnableICMPRedirect (REG_DWORD) 0

Disable ICMP Redirect

?

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DisableIPSourceRouting

Protect against source-routing spoofing: HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DisableIPSourceRouting (REG_DWORD) 2

Disable IP Source Routing

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\PerformRouterDiscovery

Ensure Router Discovery is Disabled: HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\PerformRouterDiscovery (REG_DWORD) 0

Disable Router Discovery

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPSEC\NoDefaultExempt

Enable IPSec to protect Kerberos RSVP Traffic: HKLM\System\CurrentControlSet\Services\IPSEC\NoDefaultExempt

CIS: Enable IPSec security for Kerberos RSVP Traffic value

(1) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DrWatson\CreateCrashDump

Suppress Dr. Watson Crash Dumps: HKLM\Software\Microsoft\DrWatson\CreateCrashDump

CIS: Allow Dr. Watson Crash Dumps value

(1) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DontDisplayLastUserName

Don’t display username of last successful logon at the logon screen: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\DontDisplayLastUserName (REG_SZ) Not Defined; 3.2.1.15 Do Not Display Last User Name in Logon Screen: Enabled

(1) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable

Enable the File System Checker and Disable Popups: HKLM\ Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable (REG_DWORD) Not Defined

(1) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan

Enable the System File Checker to verify all operating system files at boot time: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan (REG_DWORD) Not DefinedNote: Due to the processor-intensive nature of the System File Checker, it is no longer required on startup.

(1) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCShowProgress

Do not show the System File Checker progress meter: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCShowProgress (REG_DWORD) Not Defined

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Lanmanserver\Parameters\Hidden

3.2.2.24 Do not announce this computer to domain master browsers: HKLM\System\CurrentControlSet\Services\Lanmanserver\Parameters\Hidden (REG_DWORD) 1

CIS: Hide computer Name from other domain controllers value

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnableDeadGWDetect

Protect the Default Gateway network setting: HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\EnableDeadGWDetect (REG_DWORD) 0

Disable Dead Gateway Detection

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\KeepAliveTime

Manage Keep-alive times: HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\KeepAliveTime(REG_DWORD) 300000

TCP Connection Keep-Alive Time

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxHalfOpen

SYN Attack protection – Manage TCP Maximum half-open sockets: HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxHalfOpen (REG_DWORD) 100

Half-open TCP Sockets

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxHalfOpenRetried

SYN Attack protection – Manage TCP Maximum half-open retired sockets: HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxHalfOpenRetired (REG_DWORD) 80

Half-open retired TCP Sockets

?

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netbt\Parameters\NoNameReleaseOnDemand

Protect Against Malicious Name-Release Attacks: HKLM\System\CurrentControlSet\Services\Netbt\Parameters\NoNameReleaseOnDemand (REG_DWORD) 1

Name-Release Attacks

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnablePMTUDiscovery

Help protect against packet fragmentation: HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\EnablePMTUDiscovery (REG_DWORD) 0

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\SynAttackProtect

Protect against SYN Flood attacks: HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\SynAttackProtect (REG_DWORD) 2

SYN Attack Protection

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\EnhancedSecurityLevel

Protect Kernel object attributes

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog\Security\WarningLevel

Audit Log Warning Level

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasman\Parameters\DisableSavePassword

Disable saving of dial up password

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SealSecureChannel (2) defined by Local or Group Policy

Encrypt Secure Channel Traffic Value

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SignSecureChannel (2) defined by Local or Group Policy

Sign Secure Channel Traffic Value

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Session Manager\SafeDllSearchMode

(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon\SyncForegroundPolicy

(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\DeleteRoamingCache

(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\system\LogonType

(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Policies\system\DisableBkGndGroupPolicy

(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Network Connections\NC_ShowSharedAccessUI

(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Network Connections\NC_AllowNetBridge_NLA


?



?

?

(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\KMPrintersAreBlocked

Allow Server Operators to Schedule Tasks: Not Applicable

Rename Administrator Account: Any value other than ‘Administrator’

Administrator Account Renamed

Rename Guest Account: Any value other than ‘Guest’

Guest Account Renamed

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\AutoDisconnect (2) defined by Local or Group Policy

Amount of Idle Time Required Before Disconnecting Session: 30 Minutes (minimum)

Amount of idle time before disconnecting value (<= 15)

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\AuditBaseObjects (2) defined by Local or Group Policy

Audit the access of global system objects: Not Defined

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\FullPrivilegeAuditing (2) defined by Local or Group Policy

Audit the use of backup and restore privilege: Not Defined

(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCAD (2) defined by Local or Group Policy

Disable CTRL+ALT+Delete Requirement for Logon: Disabled

Ctrl+Alt+Del security attention sequence is Disabled.

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\LMCompatibilityLevel (2) defined by Local or Group Policy

LAN Manager Authentication Level: “Send NTLMv2 response only” (minimum)

LMCompatibility Value

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\LMCompatibilityLevel Paramenters: (1) level

The Send download LanMan compatible password option is not set to "Send LM and NTLM - Use NTLMv2 if Negotiated."

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers\AddPrinterDrivers (2) defined by Local or Group Policy

Prevent Users from Installing Printer Drivers: Enabled

Print Driver Installation value

(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SecurityLevel (2) defined by Local or Group Policy

Recovery Console: Allow Automatic Administrative Logon: Disabled

Recovery Console Autologon value

(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SetCommand (2) defined by Local or Group Policy

Recovery Console: Allow Floppy Copy and Access to All Drives and All Folders: Disabled

Recovery Console Full Access Value

?

?


(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateCDRoms (2) defined by Local or Group Policy

Restrict CD-ROM Access to Locally Logged-On User Only: Enabled

(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateFloppies (2) defined by Local or Group Policy

Restrict Floppy Access to Locally Logged-On User Only: Enabled

Floppy Allocation

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\ProtectionMode (2) defined by Local or Group Policy

Strengthen Default Permissions of Global System Objects (e.g. Symbolic Links): Enabled

Strength permissions on GSO value

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireStrongKey (2) defined by Local or Group Policy

Secure Channel: Require Strong (Windows 2000 or later) Session Key: Not Defined

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnablePlainTextPassword (2) defined by Local or Group Policy

Send Unencrypted Password to Connect to Third-Party SMB Servers: Disabled

Send unencrypted password to 3rd party SMB value

(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Driver Signing\Policy (2) defined by Local or Group Policy

Unsigned Driver Installation Behavior: “Warn, but allow installation” (minimum) or “Do Not Allow Installation”.

Unsigned Driver Behavior Value

Unsigned Non-Driver Installation Behavior: “Warn, but allow installation” (minimum) or “Do Not Allow Installation”

Unsigned Non-Driver Behavior Value

(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\PasswordExpiryWarning (2) defined by Local or Group Policy

Prompt User to Change Password Before Expiration: 14 Days (minimum)

Password Expiration value


?

?

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\CrashOnAuditFail (2) defined by Local or Group Policy

Shut Down system immediately if unable to log security audits: Not Defined

Crash on audit fail Value

(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ShutdownWithoutLogon (2) defined by Local or Group Policy

Allow System to be Shut Down Without Having to Log On: Disabled

The system allows shutdown from the logon dialog box

Automatically Log Off Users When Logon Time Expires (local): Enabled

Logon Time Enforcement (0)

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Memory Management\ClearPageFileAtShutdown (2) defined by Local or Group Policy

Clear Virtual Memory Pagefile When System Shuts Down: Enabled

Clear Pagefile value

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\RequireSecuritySignature (2) defined by Local or Group Policy

Digitally Sign Client Communication (Always): Not Defined

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnableSecuritySignature (2) defined by Local or Group Policy

Digitally Sign Client Communication (When Possible): Enabled

Enable Security Signature Value

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature (2) defined by Local or Group Policy

Digitally Sign Server Communication (Always): Not Defined

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableSecuritySignature (2) defined by Local or Group Policy

Digitally Sign Server Communication (When Possible): Enabled

SMB Server Packet Signing Value

?

?

?

(1) defined in %Systemroot%\boot.ini ? ?

(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount (2) defined by Local or Group Policy

Number of Previous Logons to Cache: 1 (maximum)

Logon Caching value (<= 2)

(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateDASD (2) defined by Local or Group Policy

Allowed to Eject Removable NTFS Media: Administrators

NTFS Media Ejection value

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireSignOrSeal (2) defined by Local or Group Policy

Secure Channel: Digitally Encrypt or Sign Secure Channel Data (Always): Not Defined

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SealSecureChannel (2) defined by Local or Group Policy

Secure Channel: Digitally Encrypt Secure Channel Data (When Possible): Enabled

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SignSecureChannel (2) defined by Local or Group Policy

Secure Channel: Digitally Sign Secure Channel Data (When Possible): Enabled

(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ScRemoveOption (2) defined by Local or Group Policy

Smart Card Removal Behavior: “Lock Workstation” (minimum)

Smart Card Removal Behavior Value

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\DisablePasswordChange (2) defined by Local or Group Policy

Prevent System Maintenance of Computer Account Password: Disabled

Disable password change Value


(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy (2) defined by Local or Group Policy

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\NoDefaultAdminOwner (2) defined by Local or Group Policy

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel\ObCaseInsensitive (2) defined by Local or Group Policy

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse (2) defined by Local or Group Policy

(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\UndockWithoutLogon (2) defined by Local or Group Policy


(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP\LDAPClientIntegrity (2) defined by Local or Group Policy

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\MaximumPasswordAge (2) defined by Local or Group Policy

(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ForceUnlockLogon (2) defined by Local or Group Policy

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableForcedLogoff (2) defined by Local or Group Policy

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\DisableDomainCreds (2) defined by Local or Group Policy

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\EveryoneIncludesAnonymous (2) defined by Local or Group Policy

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\NullSessionPipes (2) defined by Local or Group Policy

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPathsHKLM (2) defined by Local or Group Policy

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\NullSessionShares (2) defined by Local or Group Policy

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\ForceGuest (2) defined by Local or Group Policy


(1) Disk Management MMC

(1) ? ?

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash (2) defined by Local or Group Policy

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinClientSec (2) defined by Local or Group Policy

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinServerSec (2) defined by Local or Group Policy

4.3.1 Ensure all disk volumes are using the NTFS file system

Non-NTFS Partition

Unused USB ports are not disabled.

?

?

?

?

(1) HKEY_CURRENT_USER\Control Panel\Desktop\SCRNSAVE.EXE

current user scrnsave.exe

(1) HKEY_CURRENT_USER\Control Panel\Desktop\ScreenSaveTimeOut

Current user screensaver timeout

(1) HKEY_CURRENT_USER\Control Panel\Desktop\ScreenSaverIsSecure

Current user screensaver secure

(1) HKEY_CURRENT_USER\Control Panel\Desktop\ScreenSaveActive

Current user screensaver active

(1) HKEY_USER\.DEFAULT\Control Panel\Desktop\SCRNSAVE.EXE

(1) HKEY_USER\.DEFAULT\Control Panel\Desktop\ScreenSaveTimeOut

(1) HKEY_USER\.DEFAULT\Control Panel\Desktop\ScreenSaverIsSecure

(1) HKEY_USER\.DEFAULT\Control Panel\Desktop\ScreenSaveActive

(1) HKEY_CURRENT_USER\Control Panel\Desktop\SCRNSAVE.EXE

(1) HKEY_CURRENT_USER\Control Panel\Desktop\ScreenSaveTimeOut

(1) HKEY_CURRENT_USER\Control Panel\Desktop\ScreenSaverIsSecure

(1) HKEY_CURRENT_USER\Control Panel\Desktop\ScreenSaveActive

GPO path: User Configuration\Administrative Templates\Control Panel\Display\Hide Screen Saver tab

GPO path: User Configuration\Administrative Templates\Control Panel\Display\Password protect the screen saver

GPO path: User Configuration\Administrative Templates\Control Panel\Display\Screen saver

GPO path: User Configuration\Administrative Templates\Control Panel\Display\Screen Saver executable name

GPO path: User Configuration\Administrative Templates\Control Panel\Display\Screen Saver timeout

(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated

Always Install with Elevated Privileges

(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer\SafeForScripting\

Disable IE Security Prompt for Windows Installer Scripts

(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer\EnableUserControl

Enable User Control Over Installs

(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer\AllowLockDownBrowse

Enable User to Browse for Source While Elevated

(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer\AllowLockDownMedia

Enable User to Use Media Source While Elevated

(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer\EnableAdminTSRemote

Allow Admin to Install from Terminal Services Session

(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer\AllowLockDownPatch

Enable User to Patch Elevated Products

(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer\TransformSecure

Cache Transforms in Secure Location on Workstation

(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsMediaPlayer\DisableAutoupdate

(1) HKEY_CURRENT_USER\Software\Policies\Microsoft\WindowsMediaPlayer\PreventCodecDownload

?

(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Messenger\Client\{9b017612-c9f1-11d2-8d9f-0000f875c541}\Disabled (2) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\MessengerService

Windows Messenger Internet Access

(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Messenger\Client\PreventRun

(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Messenger\Client\PreventAutoRun

(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Task Scheduler5.0\Property Pages

Hide Property Pages

(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Task Scheduler5.0\Task Creation

Prohibit New Task Creation

(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\fSingleSessionPerUser

(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\MaxInstanceCount

(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\fDenyTSConnections

(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\fWritableTSCCPermTab

(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\Shadow

(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\fPromptForPassword

(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\MinEncryptionLevel

(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\PerSessionTempDir

(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\DeleteTempDirsOnExit

(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\MaxDisconnectionTime

(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\MaxIdleTime

(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\fReconnectSame

(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\fResetBroken

-1

-1

-1

-1

-1

(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\KeepAliveEnable

(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\fAllowToGetHelp

(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\fAllowUnsolicited

(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\PCHealth\ErrorReporting\DoReport

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxConnectResponseRetransmissions

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxDataRetransmissions

`

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\FileSystem\NtfsDisable8dot3NameCreation

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\RPC\EnableAuthEpResolution

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\RPC\RestrictRemoteClients

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewallHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DoNotAllowExceptionsHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\AllowUserPrefMerge

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Enabled

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Services\FileAndPrint\Enabled

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Services\RemoteDesktop\Enabled

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Services\UPnPFramework\Enabled

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DisableNotifications

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging\LogDroppedPackets (2) Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile\Windows Firewall: Allow Logging - Log Dropped Packets

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging\LogFilePath (2) Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile\Windows Firewall: Allow Logging - Log file path and name (3) Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Domain Profile Tab\Logging\Name

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging\LogFileSize (2) Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile\Windows Firewall: Allow Logging - Size limit (KB)

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging\LogSuccessfulConnections (2) Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile\Windows Firewall: Allow Logging - Log successful connections

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DisableUnicastResponsesToMulticastBroadcastHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\AllowUserPrefMerge

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewallHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\AllowUserPrefMerge

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Services\RemoteDesktop

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Services\RemoteDesktop\Enabled

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\ICMPSettings\*

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Services\RemoteDesktop\Enabled

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Services\UPnPFramework\Enabled

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging\LogDroppedPackets (2) Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Standard Profile\Windows Firewall: Allow Logging - Log Dropped Packets

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging\LogFilePath

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging\LogFileSize

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging\LogSuccessfulConnections

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableUnicastResponsesToMulticastBroadcast

?

POSIX.EXE, "PSXSS.EXE" or "PSXDLL.DLL" exist

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\AllowUserPrefMerge

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\TCPMaxPortsExhausted

HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Subsystems\Optional,HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Subsystems\Os2,HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment\Os2LibPath

HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Subsystems\posix

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\NukeOnDelete

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\SCForceOption

(1)Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall Properties\Domain Profile\Inbound Connections Tab\(2)HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\DefaultInboundAction

(1)Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall Properties\Domain Profile (2)HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\DefaultOutboundAction

(1)Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall Properties\Domain Profile\Customized Settings (2)HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\AllowLocalPolicyMerge

(1)Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall Properties\Domain Profile\Customized Settings (2)HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\AllowLocalIPsecPolicyMerge

(1)Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall Properties\Private Profile (2)HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\EnableFirewall

(1)Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall Properties\Private Profile (2)HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\DefaultInboundAction

(1)Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall Properties\Private Profile (2)HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\DefaultOutboundAction

(1)Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall Properties\Private Profile\Customized Settings (2)HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\DisableNotifications

(1)Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall Properties\Private Profile\Customized Settings (2)HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\DisableUnicastResponsesToMulticastBroadcast

(1)Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall Properties\Private Profile\Customized Settings (2)HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\AllowLocalPolicyMerge

(1)Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall Properties\Private Profile\Customized Settings (2)HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\AllowLocalIPsecPolicyMerge

(1)Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall Properties\Public Profile (2)HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\EnableFirewall

(1)Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall Properties\Public Profile (2)HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\DefaultInboundAction

(1)Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall Properties\Public Profile\Customized Settings (2)HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\DefaultOutboundAction

(1)Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall Properties\Public Profile\Customized Settings (2)HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\DisableNotifications

(1)Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall Properties\Public Profile\Customized Settings (2)HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\DisableUnicastResponsesToMulticastBroadcast

(1)Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall Properties\Public Profile\Customized Settings (2)HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\AllowLocalPolicyMerge

(1)Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall Properties\Public Profile\Customized Settings (2)HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\AllowLocalIPsecPolicyMerge

(1) Computer Configuration\Administrative Templates\System\Logon (2)HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisableLocalMachineRun

(1) Computer Configuration\Administrative Templates\System\Logon (2)HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisableLocalMachineRunOnce

(1) Computer Configuration\Administrative Templates\System\Group Policy (2)HKLM\Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}!NoBackgroundPolicy, HKLM\Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}!NoGPOListChanges

(1) Computer Configuration\Administrative Templates\System\Internet Communication Settings (2)HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoWebServices

(1) Computer Configuration\Administrative Templates\System\Internet Communication Settings (2)HKLM\Software\Policies\Microsoft\Messenger\Client!CEIP

(1) Computer Configuration\Administrative Templates\System\Internet Communication Settings (2)HKLM\Software\Policies\Microsoft\SearchCompanion!DisableContentFileUpdates

(1) Computer Configuration\Administrative Templates\System\Internet Communication Settings (2)HKLM\Software\Policies\Microsoft\Windows NT\Printers!DisableHTTPPrinting

(1) Computer Configuration\Administrative Templates\System\Internet Communication Settings (2)HKLM\Software\Policies\Microsoft\Windows NT\Printers!DisableWebPnPDownload

(1) Computer Configuration\Administrative Templates\System\Internet Communication Settings (2)HKLM\Software\Policies\Microsoft\Windows\DriverSearching!DontSearchWindowsUpdate

(1) Computer Configuration\Administrative Templates\System\Credential User Interface (2)HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\CredUI\EnumerateAdministrators

(1) Computer Configuration\Administrative Templates\System\Credential User Interface (2)HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\CredUI\EnableSecureCredentialPrompting

(1) Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features\Add-on Management (2)HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Ext!RestrictToList

(1) Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features\Add-on Management (2)HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Ext!ListBox_Support_CLSID

(1) Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Remote Desktop Connection (2)HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DisablePasswordSaving

(1) Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Terminal Server\Device and Resource Redirection (2)HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!fDisableCdm(1) User Configuration\Administrative Templates\System (2)HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools

(1) User Configuration\Administrative Templates\System\Power Mangement (2)HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System\Power\PromptPasswordOnResume

(1) User Configuration\Administrative Templates\System\Attachment Manager (2)HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments\SaveZoneInformation

(1) User Configuration\Administrative Templates\System\Attachment Manager (2)HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments\HideZoneInfoOnProperties

(1) User Configuration\Administrative Templates\System\Attachment Manager (2)HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments\ScanWithAntiVirus

(1) User Configuration\Administrative Templates\Windows Components\Internet Explorer (2)HKEY_CURRENT_USER\Software\Microsoft\Outlook Express\BlockExeAttachments

(1) Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options (2)HKEY_LOCAL_MACHINE\System\Currentcontrolset\Control\Lsa\SCENoApplyLegacyAuditPolicy

(2)HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\Setup\ChannelAccess

(2)HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application\Windows Search Service\Start

(2)HKEY_LOCAL_MACHINE\Software\policies\Microsoft\Peernet\Disabled

(2)HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WCN\UI\DisableWcnUi

(2)HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeviceInstall\Settings\AllowRemoteRPC

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeviceInstall\Settings\DisableSystemRestore

(2)HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeviceInstall\Settings\DisableSendGenericDriverNotFoundToWER

(2)HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\DisableWindowsUpdateAccess

(2)HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\AuthRoot\DisableRootAutoUpdate

(2)HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\EventViewer\MicrosoftEventVwrDisableLinks

(2)HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\HandwritingErrorReports\PreventHandwritingErrorReports

(2)HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\PCHealth\HelpSvc\Headlines

(2)HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\PCHealth\HelpSvc\MicrosoftKBSearchs

(2)HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Internet Connection Wizard\ExitOnMSICW

(2)HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoInternetOpenWith

(2)HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Registration Wizard Control\NoRegistration

(2)HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoOnlinePrintsWizard

(2)[HKEY_LOCAL_MACHINE | HKEY_CURRENT_USER] \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPublishingWizard

(2)HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsMovieMaker\CodecDownload

(2)HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsMovieMaker\WebHelp

(2)HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsMovieMaker\WebPublish

(2)HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoWelcomeScreen

(2)HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableStartupSound

(2)HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51\DCSettingIndex

(2)HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51\ACSettingIndex

(2)HKEY_LOCAL_MACHINE\Software\policies\Microsoft\Windows NT\Terminal Services\CreateEncryptedOnlyTickets

(2)HKEY_LOCAL_MACHINE\Software\policies\Microsoft\Windows NT\Terminal Services\UseCustomMessages

(2)HKEY_LOCAL_MACHINE\Software\policies\Microsoft\Windows NT\Terminal Services\UseBandwidthOptimization

(2)HKEY_LOCAL_MACHINE\Software\policies\Microsoft\Windows NT\Terminal Services\LoggingEnabled

(2)HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\IIS\PreventIISInstall

(2)HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Assistance\Client\1.0\NoActiveHelp

(2)HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Assistance\Client\1.0\NoUntrustedContent

(2)HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Feeds\DisableEnclosureDownload

(2)HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search\AllowIndexingEncryptedStoresOrItems

(2)HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search\PreventIndexingUncachedExchangeFolders

(2)HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Windows\TurnOffWinCal

(2)HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SQMClient\CorporateSQMURL

(2)HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\DisableAntiSpyware

(2)HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Explorer\NoHeapTerminationOnCorruption

(2)HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\PreXPSP2ShellProtocolBehavior

(2)HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer\DisableLUAPatching

(2)HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ReportControllerMissing

(2)HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Mail\DisableCommunities

(2)HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Mail\ManualLaunchAllowed

(2)HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WMDRM\DisableOnline

(2)HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Windows Collaboration\TurnOffWindowsCollaboration

(2)HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Windows Collaboration\TurnOnWindowsCollaborationAuditing

(2)HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Windows\Sidebar\TurnOffUnsignedGadgets

(2)HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Windows\Sidebar\OverrideMoreGadgetsLink

(2)HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Windows\Sidebar\TurnOffUserInstalledGadgets

Computer Configuration\Administrative Templates\Windows Components\Digital Locker

Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Components\Game Explorer

Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Outbound Rules

Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Outbound Rules

2007: GPO Settings:Computer Configuration / Administrative Templates / Classic Administrative Templates / Microsoft Office 2007 System / Security Settings , Registry Keys: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Office\12.0\Common\VbaOff 2003: (1) Computer Configuration\Administrative Templates\Microsoft Office 2003\Security Settings\Disable VBA for Office applications (2) HKLM\Software\Policies\Microsoft\Office\11.0\Common - VbaOff (3) User Configuration\Administrative Templates\Microsoft Office 2003\Security Settings\Disable VBA for Office applications (4) HKCU\Software\Policies\Microsoft\Office\11.0\Common - VbaOff

2007: GPO Settings:User Configuration / Administrative Templates / Classic Administrative Templates / Microsoft Office 2007 system / Security /ActiveX Control InitializationSettings , Registry Keys: HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\Common\Security\UFIControls 2003: (1) User Configuration\Administrative Templates\Microsoft Office 2003\Security Settings\ActiveX Control Initialization (2) HKCU\Software\Policies\Microsoft\Office\Common\Security - UFIControls

GPO Settings:User Configuration / Administrative Templates / Classic Administrative Templates / Microsoft Office 2007 / Privacy / Trust Center , Registry Keys: HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Common\QMEnable

GPO Settings:User Configuration / Administrative Templates / Classic Administrative Templates / Microsoft Office 2007 / Privacy / Trust Center , Registry Keys: HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Common\UpdateReliabilityData

GPO Settings:User Configuration / Administrative Templates / Classic Administrative Templates / Microsoft Office 2007 system / Tools / Options / General / Service Options / Online Content , Registry Keys: HKEY_CURRENT_USER\Softtware\Polices\Microsoft\Office\12.0\Common\Internet\UseOnlineContent

GPO Settings:User Configuration / Administrative Templates / Classic Administrative Templates / Microsoft Office Access 2007 / Application Settings / Security / Trust Center , Registry Keys: HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Access\Security\VBAWarnings

2007: GPO Settings:User Configuration / Administrative Templates / Classic Administrative Templates / Microsoft Office Excel 2007 / Excel Options / Security / Trust Center , Registry Keys: HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Excel\Security\VBAWarnings

2007GPO Settings:User Configuration / Administrative Templates / Classic Administrative Templates / Microsoft Office Excel 2007 / Excel Options / Security / Trust Center , Registry Keys: HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Excel\Security\AccessVBOM 2003: (1) Computer Configuration\Administrative Templates\Microsoft Office 2003\Security Settings\Excel: Trust access to Visual Basic Project (2) HKLM\Software\Policies\Microsoft\Office\11.0\Excel\Security - AccessVBOM (3) User Configuration\Administrative Templates\Microsoft Office Excel 2003\Tools\Macros\Security\Trust access to Visual Basic Project (4) HKCU\Software\Policies\Microsoft\Office\11.0\Excel\Security - AccessVBOM

GPO Settings:User Configuration / Administrative Templates / Classic Administrative Templates / Microsoft Office PowerPoint 2007 / PowerPoint Options / Security / Trust Center , Registry Keys: HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\PowerPoint\Security\VBAWarnings

GPO Settings:User Configuration / Administrative Templates / Classic Administrative Templates / Microsoft Office PowerPoint 2007 / PowerPoint Options / Security / Trust Center , Registry Keys: HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\PowerPoint\Security\AccessVBOM

GPO Settings:User Configuration / Administrative Templates / Classic Administrative Templates / Microsoft Office Outlook 2007 / Security , Registry Keys: HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Outlook\Security\EnableRememberPwd

2007: GPO Settings:User Configuration / Administrative Templates / Classic Administrative Templates / Microsoft Office Outlook 2007 / Security , Registry Keys: HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Outlook\Security\AddinTrust 2003: (1) User Configuration\Administrative Templates\Microsoft Office Outlook 2003\Tools\Options\Security\Configure Add-In Trust Level (2) HKCU\Software\Policies\Microsoft\Office\11.0\Outlook\Security - AddinTrust

GPO Settings:User Configuration / Administrative Templates / Classic Administrative Templates / Microsoft Office Outlook 2007 / Security , Registry Keys: HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Outlook\Security\EnableRememberPwd

GPO Settings:User Configuration / Administrative Templates / Classic Administrative Templates / Microsoft Office Outlook 2007 / Security / Cryptography , Registry Keys: HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Outlook\Security\MinEncKey

GPO Settings:User Configuration / Administrative Templates / Classic Administrative Templates / Microsoft Office Outlook 2007 / Security / Cryptography , Registry Keys: HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Outlook\Security\SupressNameChecks

2007: GPO Settings:User Configuration / Administrative Templates / Classic Administrative Templates / Microsoft Office Outlook 2007 / Security / Cryptography , Registry Keys: HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Outlook\Security\ClearSign 2003: (1) User Configuration\Administrative Templates\Microsoft Office Outlook 2003\Tools\Options\Security\Cryptography\Send all signed messages as clear signed messages (2) HKCU\Software\Policies\Microsoft\Office\11.0\Outlook\Security - ClearSign

GPO Settings:User Configuration / Administrative Templates / Classic Administrative Templates / Microsoft Office Outlook 2007 / Security / Cryptography , Registry Keys: HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Outlook\Security\RequestSecureReceipt

2007: GPO Settings:User Configuration / Administrative Templates / Classic Administrative Templates / Microsoft Office Outlook 2007 / Security / Cryptography , Registry Keys: HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Outlook\Security\PublishToGalDisabled 2003: (1) User Configuration\Administrative Templates\Microsoft Office Outlook 2003\Tools\Options\Security\Cryptography\Disable 'Publish to GAL' button (2) HKCU\Software\Policies\Microsoft\office\11.0\outlook\Security - PublishToGalDisabled

2007: GPO Settings:User Configuration / Administrative Templates / Classic Administrative Templates / Microsoft Office Outlook 2007 / Security / Cryptography , Registry Keys: HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Outlook\Security\WarnAboutInvalid 2003: (1) User Configuration\Administrative Templates\Microsoft Office Outlook 2003\Tools\Options\Security\Cryptography\Signature Warning (2) HKCU\Software\Policies\Microsoft\Office\11.0\Outlook\Security - WarnAboutInvalid

2007: GPO Settings:User Configuration / Administrative Templates / Classic Administrative Templates / Microsoft Office Outlook 2007 / Security / Cryptography , Registry Keys: HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Outlook\Security\ConvertSMIMEBlobSignedIcons 2003: (1) User Configuration\Administrative Templates\Microsoft Office Outlook 2003\Tools\Options\Security\Cryptography\Enable cryptography icons (2) HKCU\Software\Policies\Microsoft\Office\11.0\Outlook\Security - ConvertSMIMEBlobSignedIcons

GPO Settings:User Configuration / Administrative Templates / Classic Administrative Templates / Microsoft Office Outlook 2007 / Security / Cryptography / Signature Status Dialog Box , Registry Keys: HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Outlook\Security\UseCRLChasing

GPO Settings:User Configuration / Administrative Templates / Classic Administrative Templates / Microsoft Office Word 2007 / Word Options / Security / Trust Center , Registry Keys: HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Word\Security\VBAWarnings

2007: GPO Settings:User Configuration / Administrative Templates / Classic Administrative Templates / Microsoft Office Word 2007 / Word Options / Security / Trust Center , Registry Keys: HKEY_CURRENT_USER\Software\Policies\Policies\Microsoft\Office\12.0\Word\Security\AccessVBOM 2003: (1) Computer Configuration\Administrative Templates\Microsoft Office 2003\Security Settings\Word: Trust access to Visual Basic Project (2) HKLM\Software\Policies\Microsoft\Office\11.0\Word\Security - AccessVBOM (3) User Configuration\Administrative Templates\Microsoft Office Word 2003\Tools\Macro\Security\Trust access to Visual Basic Project (4) HKCU\Software\Policies\Microsoft\Office\11.0\Word\Security - AccessVBOM

2007: GPO Settings:User Configuration / Administrative Templates / Classic Administrative Templates / Microsoft Office Word 2007 / Word Options / Security , Registry Keys: HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Word\Options\vpref\fWarnRevisions_1805_1 2003: (1) User Configuration\Administrative Templates\Microsoft Office Word 2003\Tools\Options\Security\Warn before printing or saving or sending a file that contains tracked changes or comments (2) HKCU\Software\Policies\Microsoft\Office\11.0\Word\Options\vpre

GPO Settings:User Configuration / Administrative Templates / Classic Administrative Templates / Microsoft Office 2007 / Miscellaneous , Registry Keys: HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\Common\OfficeUpdate\BlockUpdates

(1) User Configuration\Administrative Templates\Microsoft Office Access 2007\Application Settings\Web Options\General\Underline hyperlinks (2) Software\Policies\Microsoft\Office\12.0\Access\Internet

(1) User Configuration\Administrative Templates\Microsoft Office Access 2007\Application Settings\General\General\Number of documents in the Recent Documents list (0-9) (2) Software\Policies\Microsoft\Office\12.0\Access\Settings

(1) User Configuration\Administrative Templates\Microsoft Office Access 2007\Application Settings\Security\Trust Center\Disable Trust Bar Notification for unsigned application add-ins (2) Software\Policies\Microsoft\Office\12.0\Access\Security

(1) User Configuration\Administrative Templates\Microsoft Office Access 2007\Application Settings\Security\Trust Center\Disable all application add-ins (2) Software\Policies\Microsoft\Office\12.0\Access\Security

(1) User Configuration\Administrative Templates\Microsoft Office Access 2007\Application Settings\Security\Trust Center\Require that application add-ins are signed by Trusted Publisher (2) Software\Policies\Microsoft\Office\12.0\Access\Security

(1) User Configuration\Administrative Templates\Microsoft Office Access 2007\Application Settings\Security\Trust Center\Trusted LocationsDisable all trusted locations (2) Software\Policies\Microsoft\Office\12.0\Access\Security\Trusted Locations

(1) User Configuration\Administrative Templates\Microsoft Office Access 2007\Application Settings\Security\Trust Center\Trusted Locations\Allow Trusted Locations not on the computer (2) Software\Policies\Microsoft\Office\12.0\Access\Security\Trusted Locations

(1) User Configuration\Administrative Templates\Microsoft Office Access 2007\Application Settings\Security\Trust Center\Trusted Locations\Modal Trust Decision Only (2) Software\Policies\Microsoft\Office\12.0\Access\Security\Trusted Locations

(1) User Configuration\Administrative Templates\Microsoft Office Access 2007\Disable items in user interface\Predefined\Disable commands (2) Software\Policies\Microsoft\Office\12.0\Access\DisabledCmdBarItemsCheckBoxes

(1) User Configuration\Administrative Templates\Microsoft Office Access 2007\Disable items in user interface\Predefined\Disable commands - Office Button | E-Mail (2) Software\Policies\Microsoft\Office\12.0\Access\DisabledCmdBarItemsCheckBoxes

(1) User Configuration\Administrative Templates\Microsoft Office Access 2007\Disable items in user interface\Predefined\Disable commands - Office Button | Access Options | Customize | All Commands | Insert Hyperlink (2) Software\Policies\Microsoft\Office\12.0\Access\DisabledCmdBarItemsCheckBoxes

(1) User Configuration\Administrative Templates\Microsoft Office Access 2007\Disable items in user interface\Predefined\Disable commands - Database Tools | Database Tools | Encrypt with Password (2) Software\Policies\Microsoft\Office\12.0\Access\DisabledCmdBarItemsCheckBoxes

(1) User Configuration\Administrative Templates\Microsoft Office Access 2007\Disable items in user interface\Predefined\Disable commands - Database Tools | Administer | Users and Permission | User and Group Permissions (2) Software\Policies\Microsoft\Office\12.0\Access\DisabledCmdBarItemsCheckBoxes

(1) User Configuration\Administrative Templates\Microsoft Office Access 2007\Disable items in user interface\Predefined\Disable commands - Database Tools | Administer | Users and Permissions | User and Group Accounts (2) Software\Policies\Microsoft\Office\12.0\Access\DisabledCmdBarItemsCheckBoxes

(1) User Configuration\Administrative Templates\Microsoft Office Access 2007\Disable items in user interface\Predefined\Disable commands - Database Tools | Administer | Users and Permission | User-Level Security Wizard... (2) Software\Policies\Microsoft\Office\12.0\Access\DisabledCmdBarItemsCheckBoxes

(1) User Configuration\Administrative Templates\Microsoft Office Access 2007\Disable items in user interface\Predefined\Disable commands - Database Tools | Database Tools | Encode/Decode Database (2) Software\Policies\Microsoft\Office\12.0\Access\DisabledCmdBarItemsCheckBoxes

(1) User Configuration\Administrative Templates\Microsoft Office Access 2007\Disable items in user interface\Predefined\Disable commands - Database Tools | Macro | Visual Basic (2) Software\Policies\Microsoft\Office\12.0\Access\DisabledCmdBarItemsCheckBoxes

(1) User Configuration\Administrative Templates\Microsoft Office Access 2007\Disable items in user interface\Predefined\Disable commands - Database Tools | Macro | Run Macro (2) Software\Policies\Microsoft\Office\12.0\Access\DisabledCmdBarItemsCheckBoxes

(1) User Configuration\Administrative Templates\Microsoft Office Access 2007\Disable items in user interface\Predefined\Database Tools | Macro | Convert Macros to Visual Basic (2) Software\Policies\Microsoft\Office\12.0\Access\DisabledCmdBarItemsCheckBoxes

(1) User Configuration\Administrative Templates\Microsoft Office Access 2007\Disable items in user interface\Predefined\Database Tools | Macro | Create Shortcut Menu from Macro (2) Software\Policies\Microsoft\Office\12.0\Access\DisabledCmdBarItemsCheckBoxes

(1) User Configuration\Administrative Templates\Microsoft Office Access 2007\Disable items in user interface\Predefined\Disable shortcut keys (2) Software\Policies\Microsoft\Office\12.0\Access\DisabledShortcutKeysCheckBoxes

(1) User Configuration\Administrative Templates\Microsoft Office Access 2007\Disable items in user interface\Predefined\Disable commands - Ctrl+K (Office Button | Access Options | Customize | All Commands | Insert Hyperlinks) (2) Software\Policies\Microsoft\Office\12.0\Access\DisabledShortcutKeysCheckBoxes

(1) User Configuration\Administrative Templates\Microsoft Office Access 2007\Disable items in user interface\Predefined\Disable commands - Alt+F11 (Database Tools | Macro | Visual Basic) (2) Software\Policies\Microsoft\Office\12.0\Access\DisabledShortcutKeysCheckBoxes

(1) User Configuration\Administrative Templates\Microsoft Office Access 2007\Miscellaneous\Default file format (Access 2007 | Access 2002-2003) (2) Software\Policies\Microsoft\Office\12.0\Access\Settings

(1) User Configuration\Administrative Templates\Microsoft Office Access 2007\Miscellaneous\Do not prompt to convert older databases (2) Software\Policies\Microsoft\Office\12.0\Access\Settings

(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Excel Options\Proofing\Autocorrect Options\Internet and network paths as hyperlinks (2) Software\Policies\Microsoft\Office\12.0\Excel\Options

(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Excel Options\Save\Save Excel files as (Excel Workbook (*.xlsx) | Excel Macro-Enabled Workbook (*.xlsm) | Excel Binary Workbook (*.xlsb) | Web Page (*.htm; *.html) | Excel 97-2003 Workbook (*.xls) | Excel 5.0/95 Workbook (*.xls)) (2) Software\Policies\Microsoft\Office\12.0\Excel\Options

(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Excel Options\Save\Disable AutoRepublish (2) Software\Policies\Microsoft\Office\12.0\Excel\Options

(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Excel Options\Save\AutoRepublish Warning Alert (Always show the alert before publishing | Never show the alert before publishing) (2) Software\Policies\Microsoft\Office\12.0\Excel\Options

(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Excel Options\Security\Determine whether to force encrypted macros to be scanned in Microsoft Excel Open XML workbooks (2) Software\Policies\Microsoft\Office\12.0\Excel\Security

(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Excel Options\Security\Force file extension to match file type (Allow different | Allow different, but warn | Always match file type) (2) Software\Policies\Microsoft\Office\12.0\Excel\Security

(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Excel Options\Security\Trust Center\Store macro in Personal Macro Workbook by default (2) Software\Policies\Microsoft\Office\12.0\Excel\Security

(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Excel Options\Security\Trust Center\Disable all application add-ins (2) Software\Policies\Microsoft\Office\12.0\Excel\Security

(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Excel Options\Security\Trust Center\Require that application add-ins are signed by Trusted Publisher (2) Software\Policies\Microsoft\Office\12.0\Excel\Security

(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Excel Options\Security\Trust Center\Disable Trust Bar Notification for unsigned application add-ins (2) Software\Policies\Microsoft\Office\12.0\Excel\Security

(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Excel Options\Security\Trust Center\Trusted LocationsAllow Trusted Locations not on the computer (2) Software\Policies\Microsoft\Office\12.0\Excel\Security\Trusted Locations

(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Excel Options\Security\Trust Center\Trusted LocationsDisable all trusted locations (2) Software\Policies\Microsoft\Office\12.0\Excel\Security\Trusted Locations

(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Excel Options\Advanced\Ignore other applications (2) Software\Policies\Microsoft\Office\12.0\Excel\Options\BinaryOptions

(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Excel Options\Advanced\Ask to update automatic links (2) Software\Policies\Microsoft\Office\12.0\Excel\Options

(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Excel Options\Advanced\Number of documents in the Recent Documents list (0-17) (2) Software\Policies\Microsoft\Office\12.0\Excel\File MRU

(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Excel Options\Advanced\Web Options…\GeneralSave any additional data necessary to maintain formulas (2) Software\Policies\Microsoft\Office\12.0\Excel\Internet

(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Excel Options\Advanced\Web Options…\GeneralLoad pictures from Web pages not created in Excel (2) Software\Policies\Microsoft\Office\12.0\Excel\Internet

(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Data Recovery\Do not show data extraction options when opening corrupt workbooks (2) Software\Policies\Microsoft\Office\12.0\Excel\Options

(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Data Recovery\Assume structured storage format of workbook is intact when recovering data (2) Software\Policies\Microsoft\Office\12.0\Excel\Options

(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Data Recovery\Corrupt formula conversion (Convert unrecoverable references to: values | #REF or #NAME) (2) Software\Policies\Microsoft\Office\12.0\Excel\Options

(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Data Access Security\Connection File Locations (2) Software\Policies\Microsoft\Office\Common\Server Links\Published

(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Data Access Security\Automatic Query Refresh (Prompt for all workbooks | Do not prompt; do not allow auto refresh | Do not prompt; allow auto refresh) (2) Software\Policies\Microsoft\Office\Common\Server Links\Published

(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Disable items in user interface\Predefined\Disable commands (2) Software\Policies\Microsoft\Office\12.0\Excel\DisabledCmdBarItemsCheckBoxes

(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Disable items in user interface\Predefined\Disable commands - Office Button | Excel Options | Customize | All Commands | Save as Web Page (2) Software\Policies\Microsoft\Office\12.0\Excel\DisabledCmdBarItemsCheckBoxes

(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Disable items in user interface\Predefined\Disable commands - Office Button | Excel Options | Customize | All Commands | Web Page Preview (2) Software\Policies\Microsoft\Office\12.0\Excel\DisabledCmdBarItemsCheckBoxes

(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Disable items in user interface\Predefined\Disable commands - Office Button | Send | Email (2) Software\Policies\Microsoft\Office\12.0\Excel\DisabledCmdBarItemsCheckBoxes

(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Disable items in user interface\Predefined\Disable commands - Insert | Links | Hyperlink (2) Software\Policies\Microsoft\Office\12.0\Excel\DisabledCmdBarItemsCheckBoxes

(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Disable items in user interface\Predefined\Disable commands - Review | Changes | Protect Sheet (2) Software\Policies\Microsoft\Office\12.0\Excel\DisabledCmdBarItemsCheckBoxes

(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Disable items in user interface\Predefined\Disable commands - Review | Changes | Protect Workbook (2) Software\Policies\Microsoft\Office\12.0\Excel\DisabledCmdBarItemsCheckBoxes

(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Disable items in user interface\Predefined\Disable commands - Review | Changes | Protect and Share Workbook (2) Software\Policies\Microsoft\Office\12.0\Excel\DisabledCmdBarItemsCheckBoxes

(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Disable items in user interface\Predefined\Disable commands - View | Macros | Macros (2) Software\Policies\Microsoft\Office\12.0\Excel\DisabledCmdBarItemsCheckBoxes

(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Disable items in user interface\Predefined\Disable commands - Developer | Code | Macros (2) Software\Policies\Microsoft\Office\12.0\Excel\DisabledCmdBarItemsCheckBoxes

(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Disable items in user interface\Predefined\Disable commands - Developer | Code | Record Macro (2) Software\Policies\Microsoft\Office\12.0\Excel\DisabledCmdBarItemsCheckBoxes

(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Disable items in user interface\Predefined\Disable commands - Developer | Code | Macro Security (2) Software\Policies\Microsoft\Office\12.0\Excel\DisabledCmdBarItemsCheckBoxes

(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Disable items in user interface\Predefined\Disable commands - Developer | Code | Visual Basic (2) Software\Policies\Microsoft\Office\12.0\Excel\DisabledCmdBarItemsCheckBoxes

(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Disable items in user interface\Predefined\Disable commands - Office Button | Excel Options | Customize | All Commands | Document Location (2) Software\Policies\Microsoft\Office\12.0\Excel\DisabledCmdBarItemsCheckBoxes

(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Disable items in user interface\Predefined\Disable shortcut keys (2) Software\Policies\Microsoft\Office\12.0\Excel\DisabledShortcutKeysCheckBoxes

(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Disable items in user interface\Predefined\Disable shortcut keys - Ctrl+K (Insert | Links | Hyperlink) (2) Software\Policies\Microsoft\Office\12.0\Excel\DisabledShortcutKeysCheckBoxes

(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Disable items in user interface\Predefined\Disable shortcut keys - Alt+F8 (Developer | Code | Macros) (2) Software\Policies\Microsoft\Office\12.0\Excel\DisabledShortcutKeysCheckBoxes

(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Disable items in user interface\Predefined\Disable shortcut keys - Alt+F11 (Developer | Code | Visual Basic) (2) Software\Policies\Microsoft\Office\12.0\Excel\DisabledShortcutKeysCheckBoxes

(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Block file formats\Open\Block opening of pre-release versions of file formats new to Excel 2007 (2) Software\Policies\Microsoft\Office\12.0\Excel\Security\FileOpenBlock

(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Block file formats\Open\Block opening of Open XML file types (2) Software\Policies\Microsoft\Office\12.0\Excel\Security\FileOpenBlock

(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Block file formats\Open\Block opening of Binary 12 file types (2) Software\Policies\Microsoft\Office\12.0\Excel\Security\FileOpenBlock

(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Block file formats\Open\Block opening of Binary file types (2) Software\Policies\Microsoft\Office\12.0\Excel\Security\FileOpenBlock

(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Block file formats\Open\Block opening of Html and Xmlss files types (2) Software\Policies\Microsoft\Office\12.0\Excel\Security\FileOpenBlock

(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Block file formats\Open\Block opening of Xml file types (2) Software\Policies\Microsoft\Office\12.0\Excel\Security\FileOpenBlock

(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Block file formats\Open\Block opening of DIF and SYLK file types (2) Software\Policies\Microsoft\Office\12.0\Excel\Security\FileOpenBlock

(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Block file formats\Open\Block opening of Text file types (2) Software\Policies\Microsoft\Office\12.0\Excel\Security\FileOpenBlock

(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Block file formats\Open\Block opening of Xll file type (2) Software\Policies\Microsoft\Office\12.0\Excel\Security\FileOpenBlock

(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Block file formats\Save\Block saving of Open Xml file types (2) Software\Policies\Microsoft\Office\12.0\Excel\Security\FileSaveBlock

(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Block file formats\Save\Block saving of Binary12 file types (2) Software\Policies\Microsoft\Office\12.0\Excel\Security\FileSaveBlock

(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Block file formats\Save\Block saving of Binary file types (2) Software\Policies\Microsoft\Office\12.0\Excel\Security\FileSaveBlock

(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Block file formats\Save\Block saving of Html and Xmlss file types (2) Software\Policies\Microsoft\Office\12.0\Excel\Security\FileSaveBlock

(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Block file formats\Save\Block saving Xml file types (2) Software\Policies\Microsoft\Office\12.0\Excel\Security\FileSaveBlock

(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Block file formats\Save\Block saving DIF and SYLK file types (2) Software\Policies\Microsoft\Office\12.0\Excel\Security\FileSaveBlock

(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Block file formats\Save\Block saving of Text file types (2) Software\Policies\Microsoft\Office\12.0\Excel\Security\FileSaveBlock

(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Miscellaneous\Locally cache network file storages (2) Software\Policies\Microsoft\Office\12.0\Excel\Options

(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Miscellaneous\Locally cache PivotTable reports (2) Software\Policies\Microsoft\Office\12.0\Excel\Options

(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Miscellaneous\OLAP PivotTable User Defined Function (UDF) security setting (Allow ALL UDFs | Allow safe UDFs only | Allow NO UDFs) (2) Software\Policies\Microsoft\Office\12.0\Excel\Options

(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Miscellaneous\Recognize SmartTags (2) Software\Policies\Microsoft\Office\12.0\Excel\Options

(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Tools | Options\General\Number of documents in the Recent Documents list (0 - 9) (2) Software\Policies\Microsoft\Office\12.0\InfoPath

(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Tools | Options\Advanced\Offline\Offline Mode status (Disabled | Enabled, InfoPath in Offline Mode | Enabled, InfoPath not in Offline Mode) (2) Software\Policies\Microsoft\Office\12.0\InfoPath\Editor\Offline

(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Predefined\Disable commands (2) Software\Policies\Microsoft\Office\12.0\InfoPath\DisabledCmdBarItemsCheckBoxes

(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Predefined\Disable commands - File | Print (2) Software\Policies\Microsoft\Office\12.0\InfoPath\DisabledCmdBarItemsCheckBoxes

(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Predefined\Disable commands - File | Send to Mail Recipient (2) Software\Policies\Microsoft\Office\12.0\InfoPath\DisabledCmdBarItemsCheckBoxes

(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Predefined\Disable commands - File | Open from SharePoint Site (2) Software\Policies\Microsoft\Office\12.0\InfoPath\DisabledCmdBarItemsCheckBoxes

(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Predefined\Disable commands - File | Print Preview (2) Software\Policies\Microsoft\Office\12.0\InfoPath\DisabledCmdBarItemsCheckBoxes

(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Predefined\Disable commands - File | Page Setup (2) Software\Policies\Microsoft\Office\12.0\InfoPath\DisabledCmdBarItemsCheckBoxes

(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Predefined\Disable commands - Insert | Hyperlinks... (2) Software\Policies\Microsoft\Office\12.0\InfoPath\DisabledCmdBarItemsCheckBoxes

(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Predefined\Disable commands - Tools | Set Language (2) Software\Policies\Microsoft\Office\12.0\InfoPath\DisabledCmdBarItemsCheckBoxes

(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Predefined\Disable commands - Tools | Customize... (2) Software\Policies\Microsoft\Office\12.0\InfoPath\DisabledCmdBarItemsCheckBoxes

(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Predefined\Disable commands - Tools | Options... (2) Software\Policies\Microsoft\Office\12.0\InfoPath\DisabledCmdBarItemsCheckBoxes

(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Predefined\Disable commands - Help | Microsoft Office Online (2) Software\Policies\Microsoft\Office\12.0\InfoPath\DisabledCmdBarItemsCheckBoxes

(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Predefined\Disable commands - Office Diagnostics (2) Software\Policies\Microsoft\Office\12.0\InfoPath\DisabledCmdBarItemsCheckBoxes

(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Predefined\Disable commands - Help | Activate Product... (2) Software\Policies\Microsoft\Office\12.0\InfoPath\DisabledCmdBarItemsCheckBoxes

(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Predefined\Disable commands - Print Default (2) Software\Policies\Microsoft\Office\12.0\InfoPath\DisabledCmdBarItemsCheckBoxes

(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Predefined\Disable shortcut keys (2) Software\Policies\Microsoft\Office\12.0\InfoPath\DisabledShortcutKeysCheckBoxes

(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Predefined\Disable shortcut keys - Print Shortcut (Ctrl+P) (2) Software\Policies\Microsoft\Office\12.0\InfoPath\DisabledShortcutKeysCheckBoxes

(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Predefined\Disable shortcut keys - Insert Hyperlink Shortcut (Ctrl+K) (2) Software\Policies\Microsoft\Office\12.0\InfoPath\DisabledShortcutKeysCheckBoxes

(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Security\Control behavior for Windows SharePoint Services gradual upgrade (Allow redirections to any location | Allow redirections to Intranet only | Block all redirections) (2) Software\Policies\Microsoft\Office\12.0\InfoPath\Security

(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Security\Disable opening of solutions from the Internet security zone (2) Software\Policies\Microsoft\Office\12.0\InfoPath\Security

(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Security\Disable fully trusted solutions full access to computer (2) Software\Policies\Microsoft\Office\12.0\InfoPath\Security

(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Security\Allow the use of ActiveX Custom Controls in InfoPath forms (2) Software\Policies\Microsoft\Office\12.0\InfoPath

(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Security\Run forms in restricted mode if they do not specify a publish location and use only features introduced before InfoPath 2003 SP1 (2) Software\Policies\Microsoft\Office\12.0\InfoPath\Security

(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Security\Allow file types as attachments to forms (2) Software\Policies\Microsoft\Office\12.0\InfoPath\Security

(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Security\Block specific file types as attachments to forms (2) Software\Policies\Microsoft\Office\12.0\InfoPath\Security

(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Security\Prevent users from allowing unsafe file types to be attached to forms (2) Software\Policies\Microsoft\Office\12.0\InfoPath\Security

(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Security\Display a warning that a form is digitally signed (2) Software\Policies\Microsoft\Office\12.0\InfoPath\Security

(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Security\Control behavior when opening forms in the Internet security zone (Block | Prompt | Allow) (2) Software\Policies\Microsoft\Office\12.0\InfoPath\Open Behaviors

(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Security\Control behavior when opening forms in the Intranet security zone (Block | Prompt | Allow) (2) Software\Policies\Microsoft\Office\12.0\InfoPath\Open Behaviors

(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Security\Control behavior when opening forms in the Local Machine security zone (Block | Prompt | Allow) (2) Software\Policies\Microsoft\Office\12.0\InfoPath\Open Behaviors

(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Security\Control behavior when opening forms in the Trusted Site security zone (Block | Prompt | Allow) (2) Software\Policies\Microsoft\Office\12.0\InfoPath\Open Behaviors

(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Security\Beaconing UI for forms opened in InfoPath (Never show beaconing UI | Always show beaconing UI | Show UI if Form Template is from Internet Zone) (2) Software\Policies\Microsoft\Office\12.0\InfoPath\Security

(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Security\Beaconing UI for forms opened in InfoPath Editor ActiveX (Never show beaconing UI | Always show beaconing UI | Show UI if Form Template is from Internet Zone) (2) Software\Policies\Microsoft\Office\12.0\InfoPath\Security

(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Security\Trust Center\Disable all application add-ins (2) Software\Policies\Microsoft\Office\12.0\InfoPath\Security

(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Security\Trust Center\Require that application add-ins are signed by Trusted Publisher (2) Software\Policies\Microsoft\Office\12.0\InfoPath\Security

(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Security\Trust Center\Disable Trust Bar Notification for unsigned application add-ins (2) Software\Policies\Microsoft\Office\12.0\InfoPath\Security

(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Control behavior when opening InfoPath e-mail forms containing code or script (Run without prompting | Prompt before running | Never run) (2) Software\Policies\Microsoft\Office\12.0\InfoPath\Security

(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Disable sending form template with e-mail forms (2) Software\Policies\Microsoft\Office\12.0\InfoPath\Deployment

(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Disable dynamic caching of the form template in InfoPath e-mail forms (2) Software\Policies\Microsoft\Office\12.0\InfoPath\Deployment

(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Disable sending InfoPath 2003 Forms as e-mail forms (2) Software\Policies\Microsoft\Office\12.0\InfoPath

(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Disable e-mail forms running in restricted security level (2) Software\Policies\Microsoft\Office\12.0\InfoPath\Security

(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Disable e-mail forms from the Internet security zone (2) Software\Policies\Microsoft\Office\12.0\InfoPath\Security

(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Disable e-mail forms from the Intranet security zone (2) Software\Policies\Microsoft\Office\12.0\InfoPath\Security

(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Disable e-mail forms from the Full Trust security zone (2) Software\Policies\Microsoft\Office\12.0\InfoPath\Security

(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Disable InfoPath e-mail forms in Outlook (2) Software\Policies\Microsoft\Office\12.0\Outlook\Options\Mail

(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Restricted Features\Information Rights Management (2) Software\Policies\Microsoft\Office\12.0\InfoPath\Designer\RestrictedFeatures

(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Restricted Features\Custom code (2) Software\Policies\Microsoft\Office\12.0\InfoPath\Designer\RestrictedFeatures

(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Miscellaneous\Email Forms Beaconing UI (Never show UI | Always show UI | Show UI if XSN is in Internet Zone) (2) Software\Policies\Microsoft\Office\12.0\InfoPath\Security

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Global Options\Customize\Disable user customization of Quick Access Toolbar via UI (2) Software\Policies\Microsoft\Office\12.0\Common\Toolbars

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Global Options\Customize\Disable user customization of Quick Access Toolbar via UI - Disallow in Word (2) Software\Policies\Microsoft\Office\12.0\Common\Toolbars

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Global Options\Customize\Disable user customization of Quick Access Toolbar via UI - Disallow in Excel (2) Software\Policies\Microsoft\Office\12.0\Common\Toolbars

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Global Options\Customize\Disable user customization of Quick Access Toolbar via UI - Disallow in PowerPoint (2) Software\Policies\Microsoft\Office\12.0\Common\Toolbars

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Global Options\Customize\Disable user customization of Quick Access Toolbar via UI - Disallow in Access (2) Software\Policies\Microsoft\Office\12.0\Common\Toolbars

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Global Options\Customize\Disable user customization of Quick Access Toolbar via UI - Disallow in Outlook (2) Software\Policies\Microsoft\Office\12.0\Common\Toolbars

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Global Options\Customize\Disable all user customization of Quick Access Toolbar (2) Software\Policies\Microsoft\Office\12.0\Common\Toolbars

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Global Options\Customize\Disable all user customization of Quick Access Toolbar - Disallow in Word (2) Software\Policies\Microsoft\Office\12.0\Common\Toolbars

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Global Options\Customize\Disable all user customization of Quick Access Toolbar - Disallow in Excel (2) Software\Policies\Microsoft\Office\12.0\Common\Toolbars

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Global Options\Customize\Disable all user customization of Quick Access Toolbar - Disallow in PowerPoint (2) Software\Policies\Microsoft\Office\12.0\Common\Toolbars

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Global Options\Customize\Disable all user customization of Quick Access Toolbar - Disallow in Access (2) Software\Policies\Microsoft\Office\12.0\Common\Toolbars

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Global Options\Customize\Disable all user customization of Quick Access Toolbar - Disallow in Outlook (2) Software\Policies\Microsoft\Office\12.0\Common\Toolbars

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Global Options\Customize\Disable UI extending from documents and templates (2) Software\Policies\Microsoft\Office\12.0\Common\Toolbars

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Global Options\Customize\Disable UI extending from documents and templates - Disallow in Word (2) Software\Policies\Microsoft\Office\12.0\Common\Toolbars

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Global Options\Customize\Disable UI extending from documents and templates - Disallow in Excel (2) Software\Policies\Microsoft\Office\12.0\Common\Toolbars

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Global Options\Customize\Disable UI extending from documents and templates - Disallow in PowerPoint (2) Software\Policies\Microsoft\Office\12.0\Common\Toolbars

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Global Options\Customize\Disable UI extending from documents and templates - Disallow in Access (2) Software\Policies\Microsoft\Office\12.0\Common\Toolbars

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Global Options\Customize\Disable UI extending from documents and templates - Disallow in Outlook (2) Software\Policies\Microsoft\Office\12.0\Common\Toolbars

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Tools | AutoCorrect Options... (Excel, Word, PowerPoint and Access)\Recognize smart tags in Excel (2) Software\Policies\Microsoft\Office\12.0\Excel\Options

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Tools | Options | General | Web Options...\Disable Clip Art and Media downloads from the client and from Office Online website (2) Software\Policies\Microsoft\Office\12.0\Common\Internet

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Tools | Options | General | Web Options...\Disable template downloads from the client and from Office Online website (2) Software\Policies\Microsoft\Office\12.0\Common\Internet

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Tools | Options | General | Web Options...\Disable access to updates, add-ins, and patches on the Office Online website (2) Software\Policies\Microsoft\Office\12.0\Common\Internet

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Tools | Options | General | Web Options...\Prevents users from uploading document templates to the Office Online community. (2) Software\Policies\Microsoft\Office\12.0\Common\Internet

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Tools | Options | General | Web Options...\Disable training practice downloads from the Office Online website (2) Software\Policies\Microsoft\Office\12.0\Common\Internet

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Tools | Options | General | Web Options...\Disable customer-submitted templates downloads from Office Online (2) Software\Policies\Microsoft\Office\12.0\Common\Internet

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Tools | Options | General | Web Options...\Files\Open Office documents as read/write while browsing (2) Software\Policies\Microsoft\Office\12.0\Common\Internet

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Tools | Options | General | Web Options...\Browsers\Rely on VML for displaying graphics in browsers (2) Software\Policies\Microsoft\Office\12.0\Common\Internet

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Tools | Options | General | Web Options...\Browsers\Allow PNG as an output format (2) Software\Policies\Microsoft\Office\12.0\Common\Internet

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Tools | Options | Spelling\Proofing Data Collection\Improve Proofing Tools (2) Software\Policies\Microsoft\Office\12.0\Common\PTWatson

(1) User Configuration\Administrative Templates\Classic Administrative Templates\Microsoft Office 2007\Privacy \Trust Center\Disable Opt-in Wizard on first run (2) HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Common\QMEnable(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Help\Microsoft Office Online (2) Software\Policies\Microsoft\Office\12.0\Common\Internet(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Security Settings\Disable Password Caching (2) Software\Policies\Microsoft\Office\12.0\Common\Security

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Security Settings\Disable all Trust Bar notifications for security issues (2) Software\Policies\Microsoft\Office\12.0\Common\TrustCenter

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Security Settings\Protect document metadata for rights managed Office Open XML Files (2) Software\Policies\Microsoft\Office\12.0\Common\Security

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Security Settings\Protect document metadata for password protected files. (2) Software\Policies\Microsoft\Office\12.0\Common\Security

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Security Settings\Encryption type for password protected Office Open XML files (2) Software\Policies\Microsoft\Office\12.0\Common\Security

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Security Settings\Encryption type for password protected Office 97-2003 files (2) Software\Policies\Microsoft\Office\12.0\Common\Security

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Security Settings\Load Controls in Forms3 (1 | 2 | 3 | 4) (2) Software\Policies\Microsoft\VBA\Security

2007: (1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Security Settings\Automation Security (Disable macros by default | Use application macro security level | Macros enabled) (2) Software\Policies\Microsoft\Office\Common\Security 2003: (1) Computer Configuration\Administrative Templates\Microsoft Office 2003\Security Settings\Automation Security (2) HKLM\Software\Policies\Microsoft\Office\11.0\Common\Security - AutomationSecurity

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Security Settings\Prevent Word and Excel from loading managed code extensions (2) Software\Policies\Microsoft\Office\Common\Smart Tag

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Security Settings\Disable hyperlink warnings (2) Software\Policies\Microsoft\Office\12.0\Common\Security

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Security Settings\Disable password to open UI (2) Software\Policies\Microsoft\Office\12.0\Common\Security

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Security Settings\Download Office Controls (2) Software\Policies\Microsoft\Office\12.0\Common\Internet

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Security Settings\Disable All ActiveX (2) Software\Policies\Microsoft\Office\Common\Security

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Security Settings\Trust Center\Allow mix of policy and user locations (2) Software\Policies\Microsoft\Office\12.0\Common\Security\Trusted Locations

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Smart Documents (Word, Excel)\Disable Smart Document's use of manifests (2) Software\Policies\Microsoft\Office\Common\Smart Tag

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Smart Documents (Word, Excel)\Completely disable the Smart Documents feature in Word and Excel (2) Software\Policies\Microsoft\Office\Common\Smart Tag

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Services\Fax\Disable Internet Fax feature (2) Software\Policies\Microsoft\Office\12.0\Common\Services\Fax

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Manage Restricted Permissions\Prevent users from changing permissions on rights managed content (2) Software\Policies\Microsoft\Office\12.0\Common\DRM

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Manage Restricted Permissions\Allow users with earlier versions of Office to read with browsers... (2) Software\Policies\Microsoft\Office\12.0\Common\DRM

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Manage Restricted Permissions\Always require users to connect to verify permission (2) Software\Policies\Microsoft\Office\12.0\Common\DRM

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Manage Restricted Permissions\Always expand groups in Office when restricting permission for documents (2) Software\Policies\Microsoft\Office\12.0\Common\DRM\AutoExpandDls

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Manage Restricted Permissions\Never allow users to specify groups when restricting permission for documents (2) Software\Policies\Microsoft\Office\12.0\Common\DRM

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Manage Restricted Permissions\Disable Microsoft Passport service for content with restricted permission (2) Software\Policies\Microsoft\Office\12.0\Common\DRM

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Manage Restricted Permissions\Do not allow users to upgrade Information Rights Management configuration (2) Software\Policies\Microsoft\Office\12.0\Common\DRM

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Signing\Key Usage Filtering (2) Software\Policies\Microsoft\Office\12.0\Common\General(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Signing\EKU filtering (2) Software\Policies\Microsoft\Office\12.0\Common\Signatures

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Signing\Legacy format signatures (2) Software\Policies\Microsoft\Office\12.0\Common\Signatures

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Signing\Suppress Office Signing Providers (Enable Western and East Asian | Suppress default Western | Suppress default East Asian | Suppress both Western and East Asian) (2) Software\Policies\Microsoft\Office\12.0\Common\Signatures

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Signing\Suppress external signature services menu item (2) Software\Policies\Microsoft\Office\12.0\Common\Signatures

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Office Diagnostics\Disable Check For Solutions (2) Software\Policies\Microsoft\Office\Common\OffDiag

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Microsoft Save As PDF and XPS add-ins\Disable inclusion of document properties in PDF and XPS output (2) Software\Policies\Microsoft\Office\12.0\Common\FixedFormat

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Document Information Panel\Disable Document Information Panel (2) Software\Policies\Microsoft\Office\12.0\Common\DocumentInformationPanel

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Document Information Panel\Document Information Panel Beaconing UI (Never show UI | Always show UI | Show UI if XSN is in Internet Zone) (2) Software\Policies\Microsoft\Office\12.0\Common\DocumentInformationPanel

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Server Settings\Disable the Office client from polling the Office server for published links (2) Software\Policies\Microsoft\Office\12.0\Common\Portal

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Office 2007 Converters\Block opening of pre-release versions of file formats new to Word 2007 through the Compatibility Pack for the 2007 Office system and Word 2007 Open XML/Word 97-2003 Format Converter (2) Software\Policies\Microsoft\Office\12.0\Word\Security\FileOpenBlock

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Office 2007 Converters\Block opening of pre-release versions of file formats new to Excel 2007 through the Compatibility Pack for the 2007 Office system and Excel 2007 Converter (2) Software\Policies\Microsoft\Office\12.0\Excel\Security\FileOpenBlock

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Office 2007 Converters\Block opening of pre-release versions of file formats new to PowerPoint 2007 through the Compatibility Pack for the 2007 Office system and PowerPoint 2007 Converter (2) Software\Policies\Microsoft\Office\12.0\PowerPoint\Security\FileOpenBlock

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Miscellaneous\Control Blogging (Enabled | Only SharePoint blogs allowed | All blogging disabled) (2) Software\Policies\Microsoft\Office\12.0\Common\Blog

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Miscellaneous\Enable Smart Resume (2) Software\Policies\Microsoft\Office\12.0\Common\Restore Workspace

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Miscellaneous\Do not upload media files (2) Software\Policies\Microsoft\Office\12.0\Common\Internet

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Miscellaneous\Disable hyperlinks to web templates in File | New and task panes (2) Software\Policies\Microsoft\Office\12.0\Common\Internet

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Miscellaneous\Prevent access to Web-based file storage (2) Software\Policies\Microsoft\Office\12.0\Common\WebServices

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Preferences\E-mail Options\Do not allow attachment previewing in Outlook (2) Software\Policies\Microsoft\Office\12.0\Outlook\Preferences

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Preferences\E-mail Options\Read e-mail as plain text (2) Software\Policies\Microsoft\Office\12.0\Outlook\Options\Mail

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Preferences\E-mail Options\Read signed e-mail as plain text (2) Software\Policies\Microsoft\Office\12.0\Outlook\Options\Mail

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Preferences\Calendar Options\Microsoft Office Online Sharing ServicePrevent publishing to Office Online (2) Software\Policies\Microsoft\Office\12.0\Outlook\Options\PubCal

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Preferences\Calendar Options\Microsoft Office Online Sharing ServicePrevent publishing to a DAV server (2) Software\Policies\Microsoft\Office\12.0\Outlook\Options\PubCal

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Preferences\Calendar Options\Microsoft Office Online Sharing ServiceRestrict level of calendar details users can publish (All options are available | Disables 'Full details' | Disables 'Full details' and 'Limited details') (2) Software\Policies\Microsoft\Office\12.0\Outlook\Options\PubCal

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Preferences\Calendar Options\Microsoft Office Online Sharing ServiceAccess to published calendars (2) Software\Policies\Microsoft\Office\12.0\Outlook\Options\PubCal

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Preferences\Calendar Options\Microsoft Office Online Sharing ServiceRestrict upload method (2) Software\Policies\Microsoft\Office\12.0\Outlook\Options\PubCal

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Preferences\Junk E-mail\Hide Junk Mail UI (2) Software\Policies\Microsoft\Office\12.0\Outlook

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Preferences\Junk E-mail\Junk E-mail protection level (No Protection, Low, High, Trusted Lists Only) (2) Software\Policies\Microsoft\Office\12.0\Outlook\Options\Mail

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Preferences\Junk E-mail\Trust E-mail from Contacts (2) Software\Policies\Microsoft\Office\12.0\Outlook\Options\Mail

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Preferences\Junk E-mail\Add e-mail recipients to users' Safe Senders Lists (2) Software\Policies\Microsoft\Office\12.0\Outlook\Options\Mail

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Mail Setup\Dial-up options (2) Software\Policies\Microsoft\Office\12.0\Outlook\Options\Mail

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Mail Setup\Dial-up options - Warn before switching dial-up connection (2) Software\Policies\Microsoft\Office\12.0\Outlook\Options\Mail

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Mail Setup\Dial-up options - Hang up when finished sending, receiving, or updating (2) Software\Policies\Microsoft\Office\12.0\Outlook\Options\Mail

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Mail Setup\Dial-up options - Automatically dial during a background Send/Receive (2) Software\Policies\Microsoft\Office\12.0\Outlook\Options\Mail

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Mail Format\Do not allow creating, replying, or forwarding signatures for e-mail messages (2) Software\Policies\Microsoft\Office\12.0\Common\MailSettings

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Mail Format\Internet Formatting\Send copy of pictures with HTML messages instead of reference to Internet location (2) Software\Policies\Microsoft\Office\12.0\Outlook\Options\Mail

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Mail Format\Internet Formatting\Outlook Rich Text options (Convert to HTML | Convert to Plain Text format | Send Using Outlook Rich Text format) (2) Software\Policies\Microsoft\Office\12.0\Outlook\Options\Mail

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Mail Format\Internet Formatting\Plain text options (2) Software\Policies\Microsoft\Office\12.0\Outlook\Options\Mail

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Mail Format\Internet Formatting\Plain text options - Encode attachments in UUENCODE format when sending a plain text message (2) Software\Policies\Microsoft\Office\12.0\Outlook\Options\Mail

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Mail Format\Internet Formatting\Message FormatSet message format (HTML | Rich Text | Plain Text) (2) Software\Policies\Microsoft\Office\12.0\Outlook\Options\Mail

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Other\Make Outlook the default program for E-mail, Contacts, and Calendar (2) software\policies\microsoft\office\12.0\outlook\options\general

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Other\Advanced\Do not allow folders in non-default stores to be set as folder home pages (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Other\Advanced\Use Unicode format when dragging e-mail message to file system (2) Software\Policies\Microsoft\Office\12.0\Outlook\Options\General

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Other\Advanced\Do not allow Outlook object model scripts to run for shared folders (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Other\Advanced\Do not allow Outlook object model scripts to run for public folders (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Other\Person Names\Set maximum level of online status on a person name (Do not allow | Allow everywhere except To and CC field | Allow everywhere) (2) Software\Policies\Microsoft\Office\12.0\Outlook\IM

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Other\Person Names\Display online status on a person name (Never | Everywhere except To and CC field | Everywhere) (2) Software\Policies\Microsoft\Office\12.0\Outlook\IM

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Other\Person Names\Turn off Enable the Person Names Smart Tag option (2) Software\Policies\Microsoft\Office\12.0\Outlook\IM

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Security Form Settings\Outlook Security Mode (Outlook Default Security | Use Security Form from 'Outlook Security Settings' Public Folder | Use Security Form from 'Outlook 10 Security Settings' Public Folder | Use Outlook Security Group Policy) (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Security Form Settings\Attachment Security\Display Level 1 attachments (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Security Form Settings\Attachment Security\Allow users to demote attachments to Level 2 (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Security Form Settings\Attachment Security\Do not prompt about Level 1 attachments when sending an item (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Security Form Settings\Attachment Security\Do not prompt about Level 1 attachments when closing an item (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Security Form Settings\Attachment Security\Allow in-place activation of embedded OLE objects (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Security Form Settings\Attachment Security\Display OLE package objects (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Security Form Settings\Attachment Security\Add file extensions to block as Level 1 (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Security Form Settings\Attachment Security\Remove file extensions blocked as Level 1 (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Security Form Settings\Attachment Security\Add file extensions to block as Level 2 (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Security Form Settings\Attachment Security\Remove file extensions blocked as Level 2 (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Security Form Settings\Custom Form Security\Allow scripts in one-off Outlook forms (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Security Form Settings\Custom Form Security\Set Outlook object model Custom Actions execution prompt (Prompt User | Automatically Approve | Automatically Deny | Prompt user based on computer security) (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Security Form Settings\Custom Form Security\Set control ItemProperty prompt (Prompt User | Automatically Approve | Automatically Deny | Prompt user based on computer security) (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Security Form Settings\Programmatic Security\Configure Outlook object model prompt when sending mail (Prompt User | Automatically Approve | Automatically Deny | Prompt user based on computer security) (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Security Form Settings\Programmatic Security\Configure Outlook object model prompt when accessing an address book (Prompt User | Automatically Approve | Automatically Deny | Prompt user based on computer security) (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Security Form Settings\Programmatic Security\Configure Outlook object model prompt when reading address information (Prompt User | Automatically Approve | Automatically Deny | Prompt user based on computer security) (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Security Form Settings\Programmatic Security\Configure Outlook object model prompt when responding to meeting and task requests (Prompt User | Automatically Approve | Automatically Deny | Prompt user based on computer security) (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Security Form Settings\Programmatic Security\Configure Outlook object model prompt when executing Save As (Prompt User | Automatically Approve | Automatically Deny | Prompt user based on computer security) (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Security Form Settings\Programmatic Security\Configure Outlook object model prompt When accessing the Formula property of a UserProperty object (Prompt User | Automatically Approve | Automatically Deny | Prompt user based on computer security) (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Security Form Settings\Programmatic Security\Configure Outlook object model prompt when accessing address information via UserProperties.Find (Prompt User | Automatically Approve | Automatically Deny | Prompt user based on computer security) (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\Required Certificate Authority (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\S/MIME interoperability with external clients: (Handle internally | Handle externally | Handle if possible) (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\Always use Rich Text formatting in S/MIME messages (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\S/MIME password settings (2) Software\Policies\Microsoft\Cryptography\Defaults\Provider\Microsoft Exchange Cryptographic Provider v1.0

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\S/MIME password settings - Default S/MIME password time (minutes): (0 - 2147483647) (2) Software\Policies\Microsoft\Cryptography\Defaults\Provider\Microsoft Exchange Cryptographic Provider v1.0

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\S/MIME password settings - Maximum S/MIME password time (minutes): (0 - 2147483647) (2) Software\Policies\Microsoft\Cryptography\Defaults\Provider\Microsoft Exchange Cryptographic Provider v1.0

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\Message Formats (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\Message Formats - Support the following message formats: (S/MIME | Exchange | Fortezza | S/MIME and Exchange | S/MIME and Fortezza | Exchange and Fortezza | S/MIME, Exchange, and Fortezza) (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security

2007: (1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\Do not provide Continue option on Encryption warning dialog boxes (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security 2003: (1) User Configuration\Administrative Templates\Microsoft Office Outlook 2003\Tools\Options\Security\Cryptography\Disable Continue button on all Encryption warning dialogs (2) HKCU\Software\Policies\Microsoft\office\11.0\outlook\Security - DisableContinue

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\Run in FIPS compliant mode (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security

2007: (1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\Encrypt all e-mail messages (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security 2003: (1) User Configuration\Administrative Templates\Microsoft Office Outlook 2003\Tools\Options\Security\Cryptography\Encrypt all e-mail messages (2) HKCU\Software\Policies\Microsoft\Office\11.0\Outlook\Security - AlwaysEncrypt

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\Sign all e-mail messages (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\URL for S/MIME certificates (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\Ensure all S/MIME signed messages have a label (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\S/MIME receipt requests (Open message if receipt can't be sent | Don't open message if receipt can't be sent | Always prompt before sending receipt | Never send S/MIME ) (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\Fortezza certificate policies (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\Require SuiteB algorithms for S/MIME operations (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\Signature Status dialog box\Missing CRLs (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\Signature Status dialog box\Missing CRLs - Indicate a missing CRL as a(n): (warning | error) (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\Signature Status dialog box\Missing root certificates (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\Signature Status dialog box\Missing root certificates - Indicate a missing root certificate as a(n): (neither error nor warning | warning | error) (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\Signature Status dialog box\Promote Level 2 errors as errors, not warnings (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\Signature Status dialog box\Attachment Secure Temporary Folder (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Automatic Picture Download Settings\Display pictures and external content in HTML e-mail (2) Software\Policies\Microsoft\Office\12.0\Outlook\Options\Mail

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Automatic Picture Download Settings\Automatically download content for e-mail from people in Safe Senders and Safe Recipients Lists (2) Software\Policies\Microsoft\Office\12.0\Outlook\Options\Mail

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Automatic Picture Download Settings\Do not permit download of content from safe zones (2) Software\Policies\Microsoft\Office\12.0\Outlook\Options\Mail

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Automatic Picture Download Settings\Block Trusted Zones (2) Software\Policies\Microsoft\Office\12.0\Outlook\Options\Mail

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Automatic Picture Download Settings\Include Internet in Safe Zones for Automatic Picture Download (2) Software\Policies\Microsoft\Office\12.0\Outlook\Options\Mail

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Automatic Picture Download Settings\Include Intranet in Safe Zones for Automatic Picture Download (2) Software\Policies\Microsoft\Office\12.0\Outlook\Options\Mail

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Trust Center\Security setting for macros (Always warn | Never warn, disable all | Warn for signed, disable unsigned | No security check) (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Trust Center\Enable links in e-mail messages (2) Software\Policies\Microsoft\Office\12.0\Outlook\Options\Mail

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Trust Center\Apply macro security settings to macros, add-ins, and SmartTags (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Account Settings\Exchange\Automatically configure profile based on Active Directory Primary SMTP address (2) Software\Policies\Microsoft\Office\12.0\Outlook\AutoDiscover

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Account Settings\Exchange\Do not allow users to change permissions on folders (2) Software\Policies\Microsoft\Office\12.0\Outlook\Options\Folders

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Account Settings\Exchange\Enable RPC encryption (2) Software\Policies\Microsoft\Office\12.0\Outlook\RPC

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Account Settings\Exchange\Authentication with Exchange Server (Kerberos/NTLM Password Authentication | Kerberos Password Authentication | NTLM Password Authentication) (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Account Settings\RSS Feeds\Synchronize Outlook RSS Feeds with Common Feed List (2) Software\Policies\Microsoft\Office\12.0\Outlook\Options\RSS

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Account Settings\RSS Feeds\Turn off RSS feature (2) Software\Policies\Microsoft\Office\12.0\Outlook\Options\RSS

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Account Settings\RSS Feeds\Automatically download enclosures (2) Software\Policies\Microsoft\Office\12.0\Outlook\Options\RSS

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Account Settings\RSS Feeds\Download full text of articles as HTML attachments (2) Software\Policies\Microsoft\Office\12.0\Outlook\Options\RSS

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Account Settings\Internet Calendars\Automatically download attachments (2) Software\Policies\Microsoft\Office\12.0\Outlook\Options\WebCal

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Account Settings\Internet Calendars\Do not include Internet Calendar integration in Outlook (2) Software\Policies\Microsoft\Office\12.0\Outlook\Options\WebCal

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Meeting Workspace\Disable user entries to server list (Publish default, allow others | Publish default, disallow others) (2) Software\Policies\Microsoft\Office\12.0\Meetings\Profile

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Miscellaneous\Do not expand distribution lists (2) Software\Policies\Microsoft\Office\12.0\Outlook\Options\Mail

(1) User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\PowerPoint Options\Save\Save files in this format (PowerPoint Presentation (*.pptx) | PowerPoint Macro-Enabled Presentation (*.pptm) | PowerPoint 97-2003 Presentation (*.ppt)) (2) Software\Policies\Microsoft\Office\12.0\PowerPoint\Options

(1) User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\PowerPoint Options\Advanced\Number of documents in the Recent Documents list (0 - 50) (2) Software\Policies\Microsoft\Office\12.0\PowerPoint\File MRU

(1) User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\PowerPoint Options\Security\Determine whether to force encrypted macros to be scanned in Microsoft PowerPoint Open XML presentations (2) Software\Policies\Microsoft\Office\12.0\PowerPoint\Security

(1) User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\PowerPoint Options\Security\Run Programs (disable (don't run any programs) | enable (prompt user before running) | enable all (run without prompting)) (2) Software\Policies\Microsoft\Office\12.0\PowerPoint\Security

(1) User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\PowerPoint Options\Security\Make hidden markup visible (2) Software\Policies\Microsoft\Office\12.0\PowerPoint\Security

(1) User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\PowerPoint Options\Security\Unblock automatic download of linked images (2) Software\Policies\Microsoft\Office\12.0\PowerPoint\Security

(1) User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\PowerPoint Options\Security\Trust Center\Disable all application add-ins (2) Software\Policies\Microsoft\Office\12.0\PowerPoint\Security

(1) User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\PowerPoint Options\Security\Trust Center\Require that application add-ins are signed by Trusted Publisher (2) Software\Policies\Microsoft\Office\12.0\PowerPoint\Security

(1) User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\PowerPoint Options\Security\Trust Center\Disable Trust Bar Notification for unsigned application add-ins (2) Software\Policies\Microsoft\Office\12.0\PowerPoint\Security

(1) User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\PowerPoint Options\Security\Trust Center\Trusted LocationsAllow Trusted Locations not on the computer (2) Software\Policies\Microsoft\Office\12.0\PowerPoint\Security\Trusted Locations

(1) User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\PowerPoint Options\Security\Trust Center\Trusted LocationsDisable all trusted locations (2) Software\Policies\Microsoft\Office\12.0\PowerPoint\Security\Trusted Locations

(1) User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Disable items in user interface\Predefined\Disable commands (2) Software\Policies\Microsoft\Office\12.0\PowerPoint\DisabledCmdBarItemsCheckBoxes

(1) User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Disable items in user interface\Predefined\Disable commands - Office Button | PowerPoint Options | Customize | All Commands | Web Page Preview (2) Software\Policies\Microsoft\Office\12.0\PowerPoint\DisabledCmdBarItemsCheckBoxes

(1) User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Disable items in user interface\Predefined\Disable commands - Office Button | Send | Email (2) Software\Policies\Microsoft\Office\12.0\PowerPoint\DisabledCmdBarItemsCheckBoxes

(1) User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Disable items in user interface\Predefined\Disable commands - Insert | Links | Hyperlink (2) Software\Policies\Microsoft\Office\12.0\PowerPoint\DisabledCmdBarItemsCheckBoxes

(1) User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Disable items in user interface\Predefined\Disable commands - Review | Proofing | Language (2) Software\Policies\Microsoft\Office\12.0\PowerPoint\DisabledCmdBarItemsCheckBoxes

(1) User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Disable items in user interface\Predefined\Disable commands - View | Macros | Macros (2) Software\Policies\Microsoft\Office\12.0\PowerPoint\DisabledCmdBarItemsCheckBoxes

(1) User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Disable items in user interface\Predefined\Disable commands - Developer | Code | Macros (2) Software\Policies\Microsoft\Office\12.0\PowerPoint\DisabledCmdBarItemsCheckBoxes

(1) User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Disable items in user interface\Predefined\Disable commands - Developer | Code | Macro Security (2) Software\Policies\Microsoft\Office\12.0\PowerPoint\DisabledCmdBarItemsCheckBoxes

(1) User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Disable items in user interface\Predefined\Disable commands - Developer | Code | Visual Basic (2) Software\Policies\Microsoft\Office\12.0\PowerPoint\DisabledCmdBarItemsCheckBoxes

(1) User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Disable items in user interface\Predefined\Disable commands - Office Button | PowerPoint Options | Customize | All Commands | Document Location (2) Software\Policies\Microsoft\Office\12.0\PowerPoint\DisabledCmdBarItemsCheckBoxes

(1) User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Disable items in user interface\Predefined\Disable commands - Disable shortcut keys (2) Software\Policies\Microsoft\Office\12.0\PowerPoint\DisabledShortcutKeysCheckBoxes

(1) User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Disable items in user interface\Predefined\Disable commands - Ctrl+K (Insert | Links | Hyperlink) (2) Software\Policies\Microsoft\Office\12.0\PowerPoint\DisabledShortcutKeysCheckBoxes

(1) User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Disable items in user interface\Predefined\Disable commands - Alt+F8 (Developer | Code | Macros) (2) Software\Policies\Microsoft\Office\12.0\PowerPoint\DisabledShortcutKeysCheckBoxes

(1) User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Disable items in user interface\Predefined\Disable commands - Alt+F11 (Developer | Code | Visual Basic) (2) Software\Policies\Microsoft\Office\12.0\PowerPoint\DisabledShortcutKeysCheckBoxes

(1) User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Block file formats\Open\Block opening of pre-release versions of file formats new to PowerPoint 2007 (2) Software\Policies\Microsoft\Office\12.0\PowerPoint\Security\FileOpenBlock

(1) User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Block file formats\Open\Block opening of Open Xml files types (2) Software\Policies\Microsoft\Office\12.0\PowerPoint\Security\FileOpenBlock

(1) User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Block file formats\Open\Block opening of Binary file types (2) Software\Policies\Microsoft\Office\12.0\PowerPoint\Security\FileOpenBlock

(1) User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Block file formats\Open\Block opening of Html file types (2) Software\Policies\Microsoft\Office\12.0\PowerPoint\Security\FileOpenBlock

(1) User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Block file formats\Open\Block opening of Outlines (2) Software\Policies\Microsoft\Office\12.0\PowerPoint\Security\FileOpenBlock

(1) User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Block file formats\Open\Block opening of Converters (2) Software\Policies\Microsoft\Office\12.0\PowerPoint\Security\FileOpenBlock

(1) User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Block file formats\Save\Block saving of Open Xml file types (2) Software\Policies\Microsoft\Office\12.0\PowerPoint\Security\FileSaveBlock

(1) User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Block file formats\Save\Block saving of Binary file types (2) Software\Policies\Microsoft\Office\12.0\PowerPoint\Security\FileSaveBlock

(1) User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Block file formats\Save\Block saving of Html file types (2) Software\Policies\Microsoft\Office\12.0\PowerPoint\Security\FileSaveBlock

(1) User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Block file formats\Save\Block saving of Outlines (2) Software\Policies\Microsoft\Office\12.0\PowerPoint\Security\FileSaveBlock

(1) User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Block file formats\Save\Block saving of GraphicFilters (2) Software\Policies\Microsoft\Office\12.0\PowerPoint\Security\FileSaveBlock

(1) User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Block file formats\Miscellaneous\Disable Slide Update (2) Software\Policies\Microsoft\Office\12.0\PowerPoint\slide libraries

(1) User Configuration\Administrative Templates\Microsoft Office Word 2007\Word Options\Display\Hidden text (2) Software\Policies\Microsoft\Office\12.0\Word\Options\vpref

(1) User Configuration\Administrative Templates\Microsoft Office Word 2007\Word Options\Save\Save files in this format (Word document (*.docx) | Single Files Web Page (*.mht) | Web Page (*.htm; *.html) | Web Page, Filtered (*.htm, *.html) | Rich Text Format (*.rtf) | Plain Text (*.txt) | Word 6.0/95 (*.doc) | Word 6.0/95 - Chinese (Simplified) (*.doc) | Word 6.0/95 - Chinese (Traditional) (*.doc) | Word 6.0/95 - Japanese (*.doc) | Word 6.0/95 - Korean (*.doc) | Word 97-2002 & 6.0/95 - RTF | Word 5.1 for Macintosh (*.mcw) | Word 5.0 for Macintosh (*.mcw) | Word 2.x for Windows (*.doc) | Works 4.0 for Windows (*.wps) | WordPerfect 5.x for Windows (*.doc) | WordPerfect 5.1 for DOS (*.doc) | Word 2007 Macro Enabled Document (*.docm) | Word 2007 Macro Free Template (*.dotx) | Word 2007 Macro Enabled Template (*.dotm) | Word 97 - 2003 Document (*.doc) | Word 97 - 2003 Template (*.dot) | Flat XML Document (*.xml)) (2) Software\Policies\Microsoft\Office\12.0\Word\Options

(1) User Configuration\Administrative Templates\Microsoft Office Word 2007\Word Options\Advanced\Number of documents in the Recent Documents list (0-50) (2) Software\Policies\Microsoft\Office\12.0\Word\File MRU

(1) User Configuration\Administrative Templates\Microsoft Office Word 2007\Word Options\Advanced\Update automatic links at Open (2) Software\Policies\Microsoft\Office\12.0\Word\Options

(1) User Configuration\Administrative Templates\Microsoft Office Word 2007\Word Options\Advanced\E-mail Options\Save smart tags in e-mail (2) Software\Policies\Microsoft\Office\12.0\Word\Options\vpref

(1) User Configuration\Administrative Templates\Microsoft Office Word 2007\Word Options\Security\Trust Center\Determine whether to force encrypted macros to be scanned in Microsoft Word Open XML documents (2) Software\Policies\Microsoft\Office\12.0\Word\Security

(1) User Configuration\Administrative Templates\Microsoft Office Word 2007\Word Options\Security\Trust Center\Disable all application add-ins (2) Software\Policies\Microsoft\Office\12.0\Word\Security

(1) User Configuration\Administrative Templates\Microsoft Office Word 2007\Word Options\Security\Trust Center\Require that application add-ins are signed by Trusted Publisher (2) Software\Policies\Microsoft\Office\12.0\Word\Security

(1) User Configuration\Administrative Templates\Microsoft Office Word 2007\Word Options\Security\Trust Center\Disable Trust Bar Notification for unsigned application add-ins (2) Software\Policies\Microsoft\Office\12.0\Word\Security

(1) User Configuration\Administrative Templates\Microsoft Office Word 2007\Word Options\Security\Trust Center\Trusted LocationsAllow Trusted Locations not on the computer (2) Software\Policies\Microsoft\Office\12.0\Word\Security\Trusted Locations

(1) User Configuration\Administrative Templates\Microsoft Office Word 2007\Word Options\Security\Trust Center\Trusted LocationsDisable all trusted locations (2) Software\Policies\Microsoft\Office\12.0\Word\Security\Trusted Locations

(1) User Configuration\Administrative Templates\Microsoft Office Word 2007\Disable items in user interface\Predefined\Disable commands (2) Software\Policies\Microsoft\Office\12.0\Word\DisabledCmdBarItemsCheckBoxes

(1) User Configuration\Administrative Templates\Microsoft Office Word 2007\Disable items in user interface\Predefined\Disable commands - Office Button | Word Options | Customize | All Commands | Save As Web Page (2) Software\Policies\Microsoft\Office\12.0\Word\DisabledCmdBarItemsCheckBoxes

(1) User Configuration\Administrative Templates\Microsoft Office Word 2007\Disable items in user interface\Predefined\Disable commands - Office Button | Word Options | Customize | All Commands | Web Page Preview (2) Software\Policies\Microsoft\Office\12.0\Word\DisabledCmdBarItemsCheckBoxes

(1) User Configuration\Administrative Templates\Microsoft Office Word 2007\Disable items in user interface\Predefined\Disable commands - Office Button | Send | Email (2) Software\Policies\Microsoft\Office\12.0\Word\DisabledCmdBarItemsCheckBoxes

(1) User Configuration\Administrative Templates\Microsoft Office Word 2007\Disable items in user interface\Predefined\Disable commands - Insert | Links | Hyperlink (2) Software\Policies\Microsoft\Office\12.0\Word\DisabledCmdBarItemsCheckBoxes

(1) User Configuration\Administrative Templates\Microsoft Office Word 2007\Disable items in user interface\Predefined\Disable commands - Review | Protect | Protect Document (2) Software\Policies\Microsoft\Office\12.0\Word\DisabledCmdBarItemsCheckBoxes

(1) User Configuration\Administrative Templates\Microsoft Office Word 2007\Disable items in user interface\Predefined\Disable commands - View | Macros | Macros (2) Software\Policies\Microsoft\Office\12.0\Word\DisabledCmdBarItemsCheckBoxes

(1) User Configuration\Administrative Templates\Microsoft Office Word 2007\Disable items in user interface\Predefined\Disable commands - Developer | Code | Macros (2) Software\Policies\Microsoft\Office\12.0\Word\DisabledCmdBarItemsCheckBoxes

(1) User Configuration\Administrative Templates\Microsoft Office Word 2007\Disable items in user interface\Predefined\Disable commands - Developer | Code | Record Macro (2) Software\Policies\Microsoft\Office\12.0\Word\DisabledCmdBarItemsCheckBoxes

(1) User Configuration\Administrative Templates\Microsoft Office Word 2007\Disable items in user interface\Predefined\Disable commands - Developer | Code | Macro Security (2) Software\Policies\Microsoft\Office\12.0\Word\DisabledCmdBarItemsCheckBoxes

(1) User Configuration\Administrative Templates\Microsoft Office Word 2007\Disable items in user interface\Predefined\Disable commands - Developer | Code | Visual Basic (2) Software\Policies\Microsoft\Office\12.0\Word\DisabledCmdBarItemsCheckBoxes

(1) User Configuration\Administrative Templates\Microsoft Office Word 2007\Disable items in user interface\Predefined\Disable commands - Developer | Templates | Document Template (2) Software\Policies\Microsoft\Office\12.0\Word\DisabledCmdBarItemsCheckBoxes

(1) User Configuration\Administrative Templates\Microsoft Office Word 2007\Disable items in user interface\Predefined\Disable shortcut keys (2) Software\Policies\Microsoft\Office\12.0\Word\DisabledShortcutKeysCheckBoxes

(1) User Configuration\Administrative Templates\Microsoft Office Word 2007\Disable items in user interface\Predefined\Disable shortcut keys - Ctrl+F (Home | Editing | Find) (2) Software\Policies\Microsoft\Office\12.0\Word\DisabledShortcutKeysCheckBoxes

(1) User Configuration\Administrative Templates\Microsoft Office Word 2007\Disable items in user interface\Predefined\Disable shortcut keys - Ctrl+K (Insert | Links | Hyperlink) (2) Software\Policies\Microsoft\Office\12.0\Word\DisabledShortcutKeysCheckBoxes

(1) User Configuration\Administrative Templates\Microsoft Office Word 2007\Disable items in user interface\Predefined\Disable shortcut keys - Alt+F8 (Developer | Code | Macros) (2) Software\Policies\Microsoft\Office\12.0\Word\DisabledShortcutKeysCheckBoxes

(1) User Configuration\Administrative Templates\Microsoft Office Word 2007\Disable items in user interface\Predefined\Disable shortcut keys - Alt+F11 (Developer | Code | Visual Basic) (2) Software\Policies\Microsoft\Office\12.0\Word\DisabledShortcutKeysCheckBoxes

(1) User Configuration\Administrative Templates\Microsoft Office Word 2007\Block file formats\Open\Block opening of pre-release versions of file formats new to Word 2007 (2) Software\Policies\Microsoft\Office\12.0\Word\Security\FileOpenBlock

(1) User Configuration\Administrative Templates\Microsoft Office Word 2007\Block file formats\Open\Block opening of Open XML file types (2) Software\Policies\Microsoft\Office\12.0\Word\Security\FileOpenBlock

(1) User Configuration\Administrative Templates\Microsoft Office Word 2007\Block file formats\Open\Block opening of Binary file types (2) Software\Policies\Microsoft\Office\12.0\Word\Security\FileOpenBlock

(1) User Configuration\Administrative Templates\Microsoft Office Word 2007\Block file formats\Open\Block opening of HTML file types (2) Software\Policies\Microsoft\Office\12.0\Word\Security\FileOpenBlock

(1) User Configuration\Administrative Templates\Microsoft Office Word 2007\Block file formats\Open\Block opening of Word 2003 XML file types (2) Software\Policies\Microsoft\Office\12.0\Word\Security\FileOpenBlock

(1) User Configuration\Administrative Templates\Microsoft Office Word 2007\Block file formats\Open\Block opening of RTF file types (2) Software\Policies\Microsoft\Office\12.0\Word\Security\FileOpenBlock

(1) User Configuration\Administrative Templates\Microsoft Office Word 2007\Block file formats\Open\Block open Converters (2) Software\Policies\Microsoft\Office\12.0\Word\Security\FileOpenBlock

(1) User Configuration\Administrative Templates\Microsoft Office Word 2007\Block file formats\Open\Block opening of Text file types (2) Software\Policies\Microsoft\Office\12.0\Word\Security\FileOpenBlock

(1) User Configuration\Administrative Templates\Microsoft Office Word 2007\Block file formats\Open\Block opening of Internal file types (2) Software\Policies\Microsoft\Office\12.0\Word\Security\FileOpenBlock

(1) User Configuration\Administrative Templates\Microsoft Office Word 2007\Block file formats\Open\Block opening of files before version (2) Software\Policies\Microsoft\Office\12.0\Word\Security\FileOpenBlock

(1) User Configuration\Administrative Templates\Microsoft Office Word 2007\Block file formats\Save\Block saving of Open XML file types (2) Software\Policies\Microsoft\Office\12.0\Word\Security\FileSaveBlock

(1) User Configuration\Administrative Templates\Microsoft Office Word 2007\Block file formats\Save\Block saving of Binary file types (2) Software\Policies\Microsoft\Office\12.0\Word\Security\FileSaveBlock

(1) User Configuration\Administrative Templates\Microsoft Office Word 2007\Block file formats\Save\Block saving of HTML file types (2) Software\Policies\Microsoft\Office\12.0\Word\Security\FileSaveBlock

(1) User Configuration\Administrative Templates\Microsoft Office Word 2007\Block file formats\Save\Block saving of Word 2003 XML file types (2) Software\Policies\Microsoft\Office\12.0\Word\Security\FileSaveBlock

(1) User Configuration\Administrative Templates\Microsoft Office Word 2007\Block file formats\Save\Block saving of RTF file types (2) Software\Policies\Microsoft\Office\12.0\Word\Security\FileSaveBlock

(1) User Configuration\Administrative Templates\Microsoft Office Word 2007\Block file formats\Save\Block saving of Converters (2) Software\Policies\Microsoft\Office\12.0\Word\Security\FileSaveBlock

(1) User Configuration\Administrative Templates\Microsoft Office Word 2007\Block file formats\Save\Block saving of Text file types (2) Software\Policies\Microsoft\Office\12.0\Word\Security\FileSaveBlock

(1) Computer Configuration\Administrative Templates\Microsoft Office InfoPath 2007 (Machine)\Security\InfoPath APTCA Assembly Whitelist (2) Software\Policies\Microsoft\Office\12.0\InfoPath\Security\APTCA

(1) Computer Configuration\Administrative Templates\Microsoft Office InfoPath 2007 (Machine)\Security\Windows Internet Explorer Feature Control Opt-In (None | InfoPath.exe, Document Information Panel and Workflow forms | InfoPath.exe, Document Information Panel, Workflow forms and 3rd Party Hosting) (2) Software\Policies\Microsoft\Office\12.0\InfoPath\Security

(1) Computer Configuration\Administrative Templates\Microsoft Office InfoPath 2007 (Machine)\Security\InfoPath APTCA Assembly Whitelist Enforcement (2) Software\Policies\Microsoft\Office\12.0\InfoPath\Security

(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\Disable Package Repair (2) Software\Policies\Microsoft\Office\12.0\Common\OpenXMLFormat

(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Disable user name and password (2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE

(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Disable user name and password - excel.exe (2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE

(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Disable user name and password - powerpnt.exe (2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE

(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Disable user name and password - pptview.exe (2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE

(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Disable user name and password - winword.exe (2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE

(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Disable user name and password - outlook.exe (2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE

(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Disable user name and password - spDesign.exe (2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE

(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Disable user name and password - msaccess.exe (2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE

(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Bind to object (2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SAFE_BINDTOOBJECT

(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Bind to object - excel.exe (2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SAFE_BINDTOOBJECT

(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Bind to object - powerpnt.exe (2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SAFE_BINDTOOBJECT

(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Bind to object - pptview.exe (2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SAFE_BINDTOOBJECT

(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Bind to object - winword.exe (2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SAFE_BINDTOOBJECT

(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Bind to object - outlook.exe (2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SAFE_BINDTOOBJECT

(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Bind to object - spDesign.exe (2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SAFE_BINDTOOBJECT

(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Bind to object - msaccess.exe (2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SAFE_BINDTOOBJECT

(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Saved from URL (2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_UNC_SAVEDFILECHECK

(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Saved from URL - excel.exe (2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_UNC_SAVEDFILECHECK

(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Saved from URL - powerpnt.exe (2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_UNC_SAVEDFILECHECK

(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Saved from URL - pptview.exe (2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_UNC_SAVEDFILECHECK

(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Saved from URL - winword.exe (2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_UNC_SAVEDFILECHECK

(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Saved from URL - outlook.exe (2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_UNC_SAVEDFILECHECK

(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Saved from URL - spDesign.exe (2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_UNC_SAVEDFILECHECK

(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Saved from URL - msaccess.exe (2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_UNC_SAVEDFILECHECK

(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Navigate URL (2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_VALIDATE_NAVIGATE_URL

(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Navigate URL - excel.exe (2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_VALIDATE_NAVIGATE_URL

(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Navigate URL - powerpnt.exe (2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_VALIDATE_NAVIGATE_URL

(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Navigate URL - pptview.exe (2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_VALIDATE_NAVIGATE_URL

(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Navigate URL - winword.exe (2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_VALIDATE_NAVIGATE_URL

(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Navigate URL - outlook.exe (2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_VALIDATE_NAVIGATE_URL

(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Navigate URL - spDesign.exe (2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_VALIDATE_NAVIGATE_URL

(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Navigate URL - msaccess.exe (2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_VALIDATE_NAVIGATE_URL

(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Block popups (2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_POPUPMANAGEMENT

(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Block popups - excel.exe (2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_POPUPMANAGEMENT

(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Block popups - powerpnt.exe (2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_POPUPMANAGEMENT

(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Block popups - pptview.exe (2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_POPUPMANAGEMENT

(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Block popups - winword.exe (2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_POPUPMANAGEMENT

(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Block popups - outlook.exe (2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_POPUPMANAGEMENT

(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Block popups - spDesign.exe (2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_POPUPMANAGEMENT

(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Block popups - msaccess.exe (2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_POPUPMANAGEMENT

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Prevent users from customizing attachment security settings (2) HKCU\Software\Policies\Microsoft\Office\12.0\Outlook - DisallowAttachmentCustomization

(1) Computer Configuration\Administrative Templates\Microsoft Office 2003\Security Settings\Access: Macro Security Leve (2) HKLM\Software\Policies\Microsoft\Office\11.0\Access\Security - Level (3) User Configuration\Administrative Templates\Microsoft Office Access 2003\Tools\Macros\Security\Security level (4) HKCU\Software\Policies\Microsoft\Office\11.0\Access\Security - Level

(1) Computer Configuration\Administrative Templates\Microsoft Office 2003\Security Settings\Access: Trust all installed add – ins and templates (2) HKLM\Software\Policies\Microsoft\Office\11.0\Access\Security - DontTrustInstalledFiles (3) User Configuration\Administrative Templates\Microsoft Office Access 2003\Tools\Macros\Security\Trust all installed add-ins and templates (4) HKCU\Software\Policies\Microsoft\Office\11.0\Access\Security - DontTrustInstalledFiles

(1) Computer Configuration\Administrative Templates\Microsoft Office 2003\Security Settings\Excel: Macro Security Level (2) HKLM\Software\Policies\Microsoft\Office\11.0\Excel\Security - Level(3) User Configuration\Administrative Templates\Microsoft Office Excel 2003\Tools\Macros\Security\Security level (4) HKCU\Software\Policies\Microsoft\Office\11.0\Excel\Security - Level

(1) Computer Configuration\Administrative Templates\Microsoft Office 2003\Security Settings\Excel: Trust all installed add – ins and templates (2) HKLM\Software\Policies\Microsoft\Office\11.0\Excel\Security - DontTrustInstalledFiles (3) User Configuration\Administrative Templates\Microsoft Office Excel 2003\Tools\Macros\Security\Trust all installed add-ins and templates (4) HKCU\Software\Policies\Microsoft\Office\11.0\Excel\Security - DontTrustInstalledFiles

(1) Computer Configuration\Administrative Templates\Microsoft Office 2003\Security Settings\Outlook: Macro Security Level (2) HKLM\Software\Policies\Microsoft\Office\11.0\Outlook\Security - Level (3) User Configuration\Administrative Templates\Microsoft Office Outlook 2003\Tools\Macros\Security\Security Level (4) HKCU\Software\Policies\Microsoft\Office\11.0\Outlook - Security\Level

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2003\Tools\Macros\Security\Outlook: Trust all installed add-ins and templates (2) HKCU\Software\Policies\Microsoft\Office\11.0\Outlook\Security - DontTrustInstalledFiles

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2003\Tools\Options\Security\Outlook virus security settings (2) HKCU\Software\Policies\Microsoft\Security - CheckAdminSettings

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2003\Tools\Options\Security\Cryptography\S/MIME receipt requests (2) HKCU\Software\Policies\Microsoft\Office\11.0\Outlook\Security - RespondToReceiptRequests

(1) Computer Configuration\Administrative Templates\Microsoft Office 2003\Security Settings\PowerPoint: Macro Security Level (2) HKLM\Software\Policies\Microsoft\Office\11.0\PowerPoint\Security - Level (3) User Configuration\Administrative Templates\Microsoft Office PowerPoint 2003\Tools\Macro\Security\Security Level (4) HKCU\Software\Policies\Microsoft\Office\11.0\PowerPoint - Security\Level

(1) Computer Configuration\Administrative Templates\Microsoft Office 2003\Security Settings\PowerPoint: Trust all installed add – ins and templates (2) HKLM\Software\Policies\Microsoft\Office\11.0\PowerPoint\Security - DontTrustInstalledFiles (3) User Configuration\Administrative Templates\Microsoft Office PowerPoint 2003\Tools\Macro\Security\Trust all installed add – ins and templates (4) HKCU\Software\Policies\Microsoft\Office\11.0\PowerPoint\Security - DontTrustInstalledFiles

(1) Computer Configuration\Administrative Templates\Microsoft Office 2003\Security Settings\Publisher: Macro Security Level (2) HKLM\Software\Policies\Microsoft\Office\11.0\Publisher\Security - Level

(1) Computer Configuration\Administrative Templates\Microsoft Office 2003\Security Settings\Publisher: Trust all installed add–ins and templates (2) HKLM\Software\Policies\Microsoft\Office\11.0\Publisher\Security - DontTrustInstalledFiles

(1) Computer Configuration\Administrative Templates\Microsoft Office 2003\Security Settings\Word: Macro Security Level (2) HKLM\Software\Policies\Microsoft\Office\11.0\Word\Security - Level (3) User Configuration\Administrative Templates\Microsoft Office Word 2003\Tools\Macro\Security\Security Level (4) HKCU\Software\Policies\Microsoft\Office\11.0\Word - Security\Level

(1) Computer Configuration\Administrative Templates\Microsoft Office 2003\Security Settings\Word: Trust all installed add–ins and templates (2) HKLM\Software\Policies\Microsoft\Office\11.0\Word\Security - DontTrustInstalledFiles (3) User Configuration\Administrative Templates\Microsoft Office Word 2003\Tools\Macro\Security\Trust all installed add – ins and templates (4) HKCU\Software\Policies\Microsoft\Office\11.0\Word\Security - DontTrustInstalledFiles

(1) User Configuration\Administrative Templates\Microsoft Office Word 2003\Tools\Options\Security\Store random number to improve merge accuracy (2) HKCU\Software\Policies\Microsoft\Office\11.0\Word\Options\vpref - fDontSaveRSID_1804_1

(1) User Configuration\Administrative Templates\Microsoft Office 2003\Security Settings\Prevent Users from Changing Office Encryption Settings (2) HKCU\Software\Policies\Microsoft\Office\11.0\Common\Security - DisableCustomEncryption

(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Use_HKLM_only Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Security_HKLM_only

Security Zones: Use Only Machine Settings

HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL!(Reserved), HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL!explorer.exe, HKLM\Software\Policies\Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Features/Restrict ActiveX Install, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL\(Reserved), [HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL\explorer.exe, [HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL\iexplore.exe

(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Security_Zones_Map_Edit Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Security_zones_map_edit

Security Zones: Do Not Allow Users to Add/Delete Sites

(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\InfoDelivery\Restrictions\NoUpdateCheck Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions\NoUpdateCheck

Disable Periodic Check for Internet Explorer Software Updates

HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION!(Reserved), HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION!explorer.exe, HKLM\Software\Policies\Microsoft\Internet,Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Features/Protection From Zone Elevation, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION\(Reserved), [HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION\explorer.exe, [HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION\iexplore.exe

HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING!(Reserved), HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING!explorer.exe, HKLM\Software\Policies\Microsoft\Internet E,Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Features/Binary Behavior Security Restriction, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING\(Reserved), [HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING\explorer.exe, [HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING\iexplore.exe

HKLM\Software\Policies\Microsoft\Internet Explorer\Download!RunInvalidSignatures,Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Advanced Page , Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Download\RunInvalidSignatures

HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_MK_PROTOCOL!(Reserved), HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_MK_PROTOCOL!explorer.exe, HKLM\Software\Policies\Microsoft,Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Features/MK Protocol Security Restriction, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_MK_PROTOCOL\(Reserved), [HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_MK_PROTOCOL\explorer.exe, [HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_MK_PROTOCOL\iexplore.exe

(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoMSAppLogo5ChannelNotify,Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Features/Restrict File Download, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD\(Reserved), [HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD\explorer.exe, [HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD\iexplore.exe

Disable Software Update Shell Notifications on Program Launch

HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD!(Reserved), HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD!explorer.exe, Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Features/Restrict File Download, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD\(Reserved), [HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD\explorer.exe, [HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD\iexplore.exe

(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\InfoDelivery\Restrictions\NoJITSetup,Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions\NoJITSetup

Disable Automatic Install of Internet Explorer Components

(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ProxySettingsPerUser,Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ProxySettingsPerUser

Make Proxy Settings Per Machine

Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Restrictions\NoExtensionManagement

HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions!NoCrashDetection,Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Restrictions\NoCrashDetection

HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS!(Reserved), HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS!explorer.exe, Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Features/Scripted Window Security Restrictions, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS\(Reserved), [HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS\explorer.exe, [HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS\iexplore.exe

(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Security_options_edit,Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Security_options_edit

Security Zones: Do Not Allow Users to Change Policies

HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING!(Reserved), HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING!explorer.exe, Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Features/Mime Sniffing Safety Feature, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING\(Reserved), [HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING\explorer.exe, [HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING\iexplore.exe

Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Advanced Page , Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Download\CheckExeSignatures

Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Advanced Page , Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Control Panel\DisableRIED

Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Internet Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1407



Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1407



Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet

Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Control Panel\AdvancedTab

Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Control Panel\PrivacyTab

Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Control Panel\SecurityTab

Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\PreventIgnoreCertErrors

Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Internet Settings/Component Updates/Periodic Check for Updates to Internet Explorer and Internet Tools, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\Update_Check_Page

Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Internet Settings/Component Updates/Periodic Check for Updates to Internet Explorer and Internet Tools, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\Update_Check_Interval

Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Features/Add-on Management, Registry Keys:[HKLM | HKCU]\Software\Microsoft\Windows\CurrentVersion\Policies\Ext\ListBox_Support_CLSID

Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Features/Add-on Management, Registry Keys:[HKLM | HKCU]\Software\Microsoft\Windows\CurrentVersion\Policies\Ext\RestrictToList

Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Control Panel\History, [HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Url History\DaysToKeep

Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Control Panel\Autoconfig

Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Control Panel\Connection Settings, [HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Control Panel\Connwiz Admin Lock

Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Control Panel\Proxy

Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions\NoSplash

Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Security\DisableFixSecuritySettings

Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\SQM\DisableCustomerImprovementProgram

Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize

Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Control Panel\Settings

Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Control Panel\DisableDeleteBrowsingHistory

Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\PhishingFilter\Enabled

Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Security\DisableSecuritySettingsCheck

Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Advanced Page , Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCAL

Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Advanced Page , Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\Enable Browser Extensions

Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Advanced Page , Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\NoUpdateCheck

Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Advanced Page , Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\CertificateRevocation












Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1C00


Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Internet Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1A00




Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Internet Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1E05





Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1609

Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\1609

Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\1609

Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1609

Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\1609
















Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1C00


Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1A00









Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1E05





Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\1609

Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\1609

Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\1609

Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Features, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\XMLHTTP

HKCU\Software\Policies\Microsoft\Internet Explorer\Main!FormSuggest Passwords, HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel\FormSuggest Passwords

HKCU\Software\Policies\Microsoft\Internet Explorer\Main!NoJITSetup

HKCU\Software\Policies\Microsoft\Internet Explorer\Main!Page_Transitions

HKCU\Software\Policies\Microsoft\Internet Explorer\Main!Use FormSuggest, HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel!FormSuggest

HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions!NoSelectDownloadDir

HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel!Certificates

HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions!NoExternalBranding

HKCU\Software\Microsoft\Outlook Express!BlockExeAttachments

HKCU\Software\Policies\Microsoft\Internet Connection Wizard!DisableICW

HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel!Connwiz Admin Lock

HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel!ResetWebSettings

HKCU\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions\NoSubscriptionContent

HKCU\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions\NoAddingSubscriptions

HKCU\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions\NoAddingChannels

HKCU\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions\NoEditingScheduleGroups

HKCU\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions\NoScheduledUpdates

HKCU\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions\NoEditingSubscriptions

HKCU\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions\NoChannelUI

HKCU\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions\NoRemovingChannels

HKCU\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions\NoRemovingSubscriptions

HKCU\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions\NoChannelLogging

GPO Setting: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Increase a process working set

GPO Setting: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control: Behavior of the elevation prompt for standard users

GPO Setting: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode

GPO Setting: User Configuration\Administrative Templates\Windows Components\Windows Explorer\Remove CD Burning features

GPO Setting: User Configuration\Administrative Templates\Windows Components\Windows Explorer\Remove Security tab

GPO Setting: Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page\Empty Temporary Internet Files folder when browser is closed

GPO Setting: User Configuration\Administrative Templates\Windows Components\Internet Explorer\Disable changing Temporary Internet files settings

GPO Setting: Computer Configuration\Administrative Templates\System\Group Policy\Internet Explorer Maintenance Policy Processing



GPO Setting: Computer Configuration\Administrative Templates\Network\Link-Layer Topology Discovery\Turn on Mapper I/O (LLTDIO) driver



GPO Setting: Computer Configuration\Administrative Templates\Network\Link-Layer Topology Discovery\Turn on Responder (RSPNDR) driver



Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone/Java permissions, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\1C00

Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone/Java permissions, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1C00

Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone/Java permissions, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\1C00

Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone/Java permissions, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\1C00

Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone/Java permissions, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\1C00

Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone/Java permissions, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\1C00

GPO Setting: Computer Configuration\Administrative Templates\Network\Windows Connect Now\Configuration of wireless settings using Windows Connect Now



GPO Setting: Computer Configuration\Administrative Templates\Windows Components\ActiveX Installer Service\Approved Installation Sites for ActiveX ControlsGPO Setting: Computer Configuration\Administrative Templates\Windows Components\Windows Error Reporting\Disable Logging

GPO Setting: Computer Configuration\Administrative Templates\Windows Components\Windows Error Reporting\Disable Windows Error Reporting

GPO Setting: Computer Configuration\Administrative Templates\Windows Components\Windows Error Reporting\Do not send additional data

GPO Setting: Computer Configuration\Administrative Templates\Windows Components\Windows Error Reporting\Advanced Error Reporting Settings\Configure Corporate Windows Error Reporting

GPO Setting: User Configuration\Administrative Templates\Start Menu and Taskbar\Remove Default Programs link from the Start menu; Registry Key: HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMConfigurePrograms

GPO Setting: User Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off Help Experience Improvement Program

GPO Setting: User Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off Help Ratings

GPO Setting: User Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off Windows Online

GPO Setting: User Configuration\Administrative Templates\Windows Components\Network Sharing\Prevent users from sharing files within their profiles

GPO Setting: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Access Credential Manager as a trusted caller

GPO Setting: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Change the time zone

GPO Setting: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Create Symbolic Links

GPO Setting: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Modify an object label

GPO Setting: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Remotely accessible registry paths and subpaths

GPO Setting: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control: Admin Approval Mode for the Built-in Administrator account

GPO Setting: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control: Detect application installations and prompt for elevation

GPO Setting: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control: Only elevate executables that are signed and validated

GPO Setting: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control: Only elevate UIAccess applications that are installed in secure locations


GPO Setting: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control: Run all administrators in Admin Approval Mode

GPO Setting: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control: Switch to the secure desktop when prompting for elevation

GPO Setting: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control: Virtualize file and registry write failures to per-user locations

(1) defined by the object's DACL (2) defined through group policy

GPO Setting: Computer Configuration\Administrative Templates\Network\Network Connections\Prohibit use of Internet Connection Firewall on your DNS domain network

GPO Settings: Computer Configuration\Administrative Templates\System\Error Reporting\Display Error Notification, Computer Configuration\Administrative Templates\Windows Components\Windows Error Reporting\Display Error NotificationGPO Setting: Computer Configuration\Administrative Templates\Windows Components\Event Log Service\Setup\Maximum Log Size (KB)

GPO Setting: Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Site to Zone Assignment List

GPO Setting: Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone\Turn on Protected Mode

GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone\Download signed ActiveX controls

GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone\Allow status bar updates via script

(1) GPO Setting: Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone\Turn on Protected Mode (2) Registry Keys:[HKLM|HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500

GPO Setting: Computer Configuration\Administrative Templates\Windows Components\Windows Defender\Configure Microsoft Spynet Reporting

GPO Setting: Computer Configuration\Administrative Templates\Windows Components\Windows Media Player\Do Not Show First Use Dialog Boxes

GPO Setting: Computer Configuration\Administrative Templates\Windows Components\Windows Media Player\Prevent Desktop Shortcut CreationGPO Setting: Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Domain Profile Tab\Settings\Firewall settings\Display a notification

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PrivateProfile\Logging\LogDroppedPackets (2) Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Private Profile\Windows Firewall: Allow Logging - Log Dropped Packets

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PrivateProfile\Logging\LogSuccessfulConnections (2) Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Private Profile\Windows Firewall: Allow Logging - Log successful connections (3) Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Private Profile Tab\Logging\Logged successful connections

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PrivateProfile\Logging\LogFilePath (2) Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Private Profile\Windows Firewall: Allow Logging - Log file path and name (3) Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Private Profile Tab\Logging\Name

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PrivateProfile\Logging\LogFileSize (2) Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Private Profile Tab\Logging\Size limit (KB)

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging\LogDroppedPackets (2) Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Public Profile\Windows Firewall: Allow Logging - Log Dropped Packets

(1) via auditpol

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging\LogSuccessfulConnections (2) Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Public Profile\Windows Firewall: Allow Logging - Log successful connections (3) Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Public Profile Tab\Logging\Logged successful connections

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging\LogFilePath (2) Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Public Profile\Windows Firewall: Allow Logging - Log file path and name (3) Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Public Profile Tab\Logging\Name

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging\LogFileSize (2) Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Public Profile Tab\Logging\Size limit (KB)

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tcpip6\Parameters\DisableComponents



(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

? ?

4.4.3.1 %SystemDrive%? ?

? ?

?

?

%AllUsersProfile%?

DISA Gold Disk for WXP

NSA Security Guide for WXP (NSA-XP-C44-

026-02.pdf)

CIS WXP Pro Benchmark v1.3

CIS WXP Pro Benchmark

v2.01 (CIS_WindowsXP_Benchmark_

v2.01.pdf)

4.4.3.2 HKEY_LOCAL_MACHINE\Software

4.4.3.3 HKEY_LOCAL_MACHINE\System

File Auditing - Must Have ACE (CID:269)

%AllUsersProfile%\Application Data

?

?

?

?

?

?

?

%AllUsersProfile%\Application Data\Microsoft

%AllUsersProfile%\Application Data\Microsoft\Crypto\DSSHKLMKeys

%AllUsersProfile%\Application Data\Microsoft\Crypto\RSAHKLMKeys

%AllUsersProfile%\Application Data\Microsoft\Dr Watson

%AllUsersProfile%\Application Data\Microsoft\Dr Watson\drwtsn32.log

%AllUsersProfile%\Application Data\Microsoft\HTML Help

%AllUsersProfile%\Application Data\Microsoft\Media Index

?

?

?

%ProgramFiles%

%SystemDrive% 4.4.1.1 %SystemDrive%?

?

%AllUsersProfile%\Documents\desktop.ini

%AllUsersProfile%\DRM

System Drive ACL (CID:2000)

%SystemDrive%\autoexec.bat

%SystemDrive%\config.sys

?

?

%SystemDrive%\Documents and Settings

%SystemDrive%\Documents and Settings\Administrator

?

?

?

?

?

?

?

%SystemDrive%\Documents and Settings\Default User

%SystemDrive%\io.sys

%SystemDrive%\msdos.sys

%SystemDrive%\ntbootdd.sys

%SystemDrive%\ntdetect.com

%SystemDrive%\ntldr

%SystemDrive%\System Volume Information

?

%SystemRoot%

Driver.cab ACL (CID:4083)

?

?

?

?

%SystemRoot%\$NtServicePackUninstall$

%SystemRoot%\CSC

%SystemRoot%\Debug

?

? ?

?

?

?

%SystemRoot%\Debug\UserMode

%SystemRoot%\Debug\UserMode\userenv.log

%SystemRoot%\Installer

%SystemRoot%\Offline Web Pages

%SystemRoot%\Prefetch

regedit.exe ACL (CID:2001)

%SystemRoot%\regedit.exe

4.4.1.17 %SystemRoot%\regedit.exe

?

?

?

?

?

arp.exe ACL (CID:2002)

%SystemRoot%\Registration

%SystemRoot%\Registration\CRMLog

%SystemRoot%\repair

%SystemRoot%\security

%SystemRoot%\Temp

%SystemRoot%\system32

%SystemRoot%\system32\arp.exe

at.exe ACL (CID:2003)

attrib.exe ACL (CID:2004)

?

cacls.exe ACL (CID:2005)

?

?

?

?

?

Eventlog ACL (CID:225)

?

debug.exe ACL (CID:2006)

?

?

%SystemRoot%\system32\at.exe

4.4.1.2 %SystemRoot%\system32\at.exe

4.4.1.3 %SystemRoot%\system32\attrib.exe

4.4.1.4 %SystemRoot%\system32\cacls.exe

%SystemRoot%\system32\ciadv.msc

%SystemRoot%\system32\Com\comexp.msc

%SystemRoot%\system32\compmgmt.msc

%SystemRoot%\system32\config

4.4.1.5 %SystemRoot%\system32\debug.exe

%SystemRoot%\system32\devmgmt.msc

?

?

?

? ?

? ?

edlin.exe ACL (CID:2007)

?

?

?

?

?

%SystemRoot%\system32\dfrg.msc

%SystemRoot%\system32\diskmgmt.msc

%SystemRoot%\system32\dllcache

4.4.1.6 %SystemRoot%\system32\drwatson.exe

4.4.1.7 %SystemRoot%\system32\drwtsn32.exe

4.4.1.8 %SystemRoot%\system32\edlin.exe

eventcreate.exe ACL (CID:2008)

4.4.1.9 %SystemRoot%\system32\eventcreate.exe

eventtriggers.exe ACL (CID:2009)

4.4.1.10 %SystemRoot%\system32\eventtriggers.exe

%SystemRoot%\system32\eventvwr.msc

%SystemRoot%\system32\fsmgmt.msc

ftp.exe ACL (CID:2010)

?

?

?

?

?

?

?

4.4.1.11 %SystemRoot%\system32\ftp.exe

%SystemRoot%\system32\gpedit.msc

%SystemRoot%\system32\Group Policy

%SystemRoot%\system32\ias

%SystemRoot%\system32\lusrmgr.msg

%SystemRoot%\system32\MSDTC

%SystemRoot%\system32\nbstat.exe

?

net.exe ACL (CID:2012)

?

net1.exe ACL (CID:2013)

?

netsh.exe ACL (CID:2014)

?

?

nbtstat.exe ACL (CID:2011)

4.4.1.12 %SystemRoot%\system32\net.exe

4.4.1.13 %SystemRoot%\system32\net1.exe

%SystemRoot%\system32\netsh.exe

4.4.1.14 %SystemRoot%\system32\netsh.exe

netstat.exe ACL (CID:2015)

%SystemRoot%\system32\netstat.exe

nslookup.exe ACL (CID:2016)

%SystemRoot%\system32\nslookup.exe

ntbackup.exe ACL (CID:2017)

%SystemRoot%\system32\Ntbackup.exe

%SystemRoot%\system32\NTMSData

%SystemRoot%\system32\ntmsoprq.msc

?

?

rcp.exe ACL (CID:2018)

reg.exe ACL (CID:2019)

regini.exe ACL (CID:2021)?

rexec.exe ACL (CID:2023)

%SystemRoot%\system32\ntmsmgr.msc

%SystemRoot%\system32\perfmon.msc

%SystemRoot%\system32\rcp.exe

4.4.1.15 %SystemRoot%\system32\rcp.exe

%SystemRoot%\system32\reg.exe

4.4.1.16 %SystemRoot%\system32\reg.exe

regedt32.exe ACL (CID:2020)

%SystemRoot%\system32\regedt32.exe

4.4.1.18 %SystemRoot%\system32\regedt32.exe

%SystemRoot%\system32\regini.exe

regsvr32.exe ACL (CID:2022)

4.4.1.19 %SystemRoot%\system32\regsvr32.exe

%SystemRoot%\system32\rexec.exe

4.4.1.20 %SystemRoot%\system32\rexec.exe

route.exe ACL (CID:2024)

rsh.exe ACL (CID:2025)?

? ?

sc.exe ACL (CID:2026)

?

?

?

?

%SystemRoot%\system32\route.exe

%SystemRoot%\system32\rsh.exe

4.4.1.21 %SystemRoot%\system32\rsh.exe

%SystemRoot%\system32\RSoP.msc

4.4.1.22 %SystemRoot%\system32\runas.exe

4.4.1.23 %SystemRoot%\system32\sc.exe

secedit.exe ACL (CID:2027)

%SystemRoot%\system32\secedit.exe

%SystemRoot%\system32\secpol.msc

%SystemRoot%\system32\services.msc

%SystemRoot%\system32\Setup

?

subst.exe ACL (CID:2028)

?

telnet.exe ACL (CID:2030)

?

tftp.exe ACL (CID:2031)

%SystemRoot%\system32\spool\Printers

4.4.1.24 %SystemRoot%\system32\subst.exe

systeminfo.exe ACL (CID:2029)

%SystemRoot%\system32\systeminfo.exe

4.4.1.25 %SystemRoot%\system32\telnet.exe

%SystemRoot%\system32\tftp.exe

4.4.1.26 %SystemRoot%\system32\tftp.exe

tlntsvr.exe ACL (CID:2032)

?

?

?

? ?

4.4.1.27 %SystemRoot%\system32\tlntsvr.exe

%SystemRoot%\system32\wmimgmt.msc

%SystemRoot%\Tasks

?

4.4.2.1 HKLM\Software

?

?

?

HKEY_LOCAL_MACHINE\SOFTWARE

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSDTC

4.4.2.9 HKLM\Software\Microsoft\MSDTC

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSDTC\Security\XAKey

?

?

?

?

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NetDDE

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\UPnP Device Host

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Asr\Commands

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib

?

?

?

?

?

?

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SeCEdit

4.4.2.11 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SeCEdit

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer

4.4.2.2 HKLM\Software\Microsoft\Windows\CurrentVersion\Installer

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies

4.4.2.3 HKLM\Software\Microsoft\Windows\CurrentVersion\Policies

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ratings

4.4.2.8 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Telephony

?

4.4.2.4 HKLM\System?

HKEY_LOCAL_MACHINE\SYSTEM

HKEY_LOCAL_MACHINE\SYSTEM\clone

?

?

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network

Winreg ACL (CID:237)

? ??

?

?

?

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Wmi\Security

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum

4.4.2.5 HKLM\System\CurrentControlSet\Enum

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AppMgmt\Security

?

?

?

?

?

?

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ClipSrv\Security

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CryptSvc\Security

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNSCache

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Ersvc\Security

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IRENUM\Security

?

?

?

?

?

?

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netbt

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netdde\Security

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netddedsdm\Security

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Rpcss\Security

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Samss\Security

?

?

?

?

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Scarddrv\Security

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Scardsvr\Security

SNMP - Permitted Managers (CID:1033)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\PermittedManagers

4.4.2.6 HKLM\System\CurrentControlSet\Services\CurrentControlSet\Services\SNMP\Parameters\PermittedManagers

SNMP Communities (CID:4046)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\ValidCommunities

4.4.2.7 HKLM\System\CurrentControlSet\Services\CurrentControlSet\Services\SNMP\Parameters\ValidCommunities

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Stisvc\Security

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SysmonLog\Log Queries

?

?

?

?

?

?

?

?

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tapisrv\Security

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32time\Security

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Wmi\Security

HKEY_USER\.DEFAULT

HKEY_USER\.DEFAULT\Software\Microsoft\NetDDE

? ??

4.2.7 Bypass traverse checking

HKEY_USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\ProtectedRoots

4.4.2.10 HKEY_USER\.Default\Software\Microsoft\SystemCertificates\Root\ProtectedRoots

User Right Check deny access from network (CID:162)

Deny access to this computer from the network: Not Defined

4.2.13 Deny access to this computer from the network

User Right Check Logon on network (CID:152)

Access this computer from a network: Administrators, Users

4.2.1 Access this computer from the network

User Right Check act as OS (CID:153)

Act as part of the operating system

4.2.2 Act as part of the operating system

User Right Check Backup (CID:155)

Back up files and directories: Administrators

4.2.6 Back up files and directories

User Right Check Bypass Traverse Checking (CID:156)

Bypass traverse checking: Users

4.2.8 Change the system time

4.2.9 Create a pagefile

4.2.10 Create a token object

4.2.12 Debug Programs

4.2.20 Generate security audits

User Right Check change system time (CID:157)

Change the system time: Administrators

User Right Check create pagefile (CID:158)

Create a pagefile: Administrators

User Right Check create token object (CID:159)

Create a token object: No One

User Right Check create permanent shared objects (CID:160)

Create permanent shared objects: No One

4.2.11 Create permanent shared objects

User Right Check debug programs (CID:161)

Debug programs: No One

User Right Check remote shutdown (CID:165)

Force shutdown from a remote system: Administrators

4.2.19 Force shutdown from a remote system

User Right Check generate security audits (CID:173)

Generate security audits: LOCAL SERVICE, NETWORK SERVICE

User Right Check increase quotas (CID:166)

Adjust memory quotas for a process: Administrators,NETWORK SERVICE, LOCAL SERVICE

4.2.4 Adjust memory quotas for a process

4.2.23 Lock pages in memory

4.2.24 Log on as a batch job

4.2.25 Log on as a service

4.2.26 Log on locally?

User Right Check increase scheduling priority (CID:167)

Increase scheduling priority: Administrators

4.2.21 Increase scheduling priority

User Right Check load and unload device drivers (CID:168)

Load and unload device drivers: Administrators

4.2.22 Load and unload device drivers

User Right Check lock pages in memory (CID:169)

Lock pages in memory: No One

User Right Check log on as a batch job (CID:170)

Log on as a batch job: No One

User Right Check log on as a service job (CID:171)

Log on as a service: Network Service

User Right Check log on locally (CID:172)

Log on locally: Administrators, Users

Manage auditing and security log: Administrators

4.2.27 Manage auditing and security log

User Right Check modify firmware (CID:174)

Modify firmware environment variables: Administrators

4.2.28 Modify firmware environment values

4.2.30 Profile single process

4.2.35 Shut down the system

User Right Check Profile single process (CID:175)

Profile single process: Administrators

User Right Check Profile system performance (CID:176)

Profile system performance: Administrators

4.2.31 Profile system performance

User Right Check undock (CID:177)

Remove computer from docking station: Administrators, Users

4.2.32 Remove computer from docking station

User Right replace process token (CID:178)

Replace a process level token: LOCAL SERVICE, NETWORK SERVICE

4.2.33 Replace a process level token

User Right restore (CID:179)

Restore files and directories: Administrators

4.2.34 Restore files and directories

User Right shut down (CID:180)

Shut down the system: Administrators, Users

User Right take ownership (CID:182)

Take ownership of files or other objects: Administrators

4.2.37 Take ownership of file or other objects

4.2.16 Deny logon locally

?

?

4.2.15 Deny logon as a service

User Right synch directory (CID:181)

Synchronize directory service data: No One

4.2.36 Synchronize directory service data

User Right Check deny logon locally (CID:163)

Deny logon locally: Not Defined

User Right Check allow trust for delegation (CID:164)

Enable computer and user accounts to be trusted for delegation: No One

4.2.18 Enable computer and user accounts to be trusted for delegation

User Right Check Add wkstn to domain (CID:154)

Add workstations to domain

4.2.3 Add workstations to domain

User Right allow logon terminal service (CID:737)

Allow logon through Terminal Services: No One

4.2.5 Allow logon through terminal services

Deny logon as a batch job: No One

4.2.14 Deny logon as a batch job

Deny logon as a service: No One

Lockout Reset (CID:45)

Lockout Duration (CID:44)

Lockout Count (CID:43)

User Right deny logon terminal service (CID:738)

Deny logon through Terminal Services: Everyone

4.2.17 Deny logon through Terminal Service

User Right perform volume maintenance (CID:739)

Perform volume maintenance tasks: Administrators

4.2.29 Perform volume maintenance tasks

Reset account lockout counter after (15 min.)

2.2.3.3 Reset Account Lockout After

Account lockout duration (15 minutes)

2.2.3.1 Account Lockout Duration

Account lockout threshold (3 invalid attempts)

2.2.3.2 Account Lockout Threshold

Account logon auditing (CID:49)

Audit account logon events (Success, Failure)

2.2.1.1 Audit Account Logon Events

?

?

logon auditing (CID:53) 2.2.1.4 Audit Logon Events

logon auditing (CID:53) 2.2.1.4 Audit Logon Events

Account logon auditing (CID:49)

Audit account logon events (Success, Failure)

2.2.1.1 Audit Account Logon Events

Account management auditing (CID:51)

Audit account management (Success, Failure)

2.2.1.2 Audit Account Management

Account management auditing (CID:51)

Audit account management (Success, Failure)

2.2.1.2 Audit Account Management

Audit directory service access (No auditing)

2.2.1.3 Audit Directory Service Access

Audit directory service access (No auditing)

2.2.1.3 Audit Directory Service Access

Audit logon events (Success, Failure)

Audit logon events (Success, Failure)

2.2.1.5 Audit Object Access

2.2.1.5 Audit Object Access

2.2.1.6 Audit Policy Change

2.2.1.6 Audit Policy Change

priv use auditing (CID:58) 2.2.1.7 Audit Privilege Use

priv use auditing (CID:58) 2.2.1.7 Audit Privilege Use

?

2.2.1.8 Audit Process Tracking?

2.2.1.8 Audit Process Tracking

object access auditing (CID:55)

Audit object access (Failure)

object access auditing (CID:55)

Audit object access (Failure)

policy change auditing (CID:56)

Audit policy change (Success, Failure)

policy change auditing (CID:56)

Audit policy change (Success, Failure)

Audit privilege use (Failure)

Audit privilege use (Failure)

Audit process tracking (No Auditing)

Audit process tracking (No Auditing)

2.2.1.9 Audit System Events

2.2.1.9 Audit System Events

2.2.4.1.2 Restrict Guest Access

2.2.4.1.3 Log Retention Method

system event auditing (CID:59)

Audit system events (Success, Failure)

system event auditing (CID:59)

Audit system events (Success, Failure)

Anonymous Access to the Security Event Log value (CID:479)

Restrict guest access to application Log

Application log size (CID:82)

Maximum application log size

2.2.4.1.1 Maximum Event Log Size

Application log retention (CID:85)

Retention method for application Log

2.2.4.1.4 Log Retention


Security log size (CID:80)


Retain security log 2.2.4.2.4 Log Retention


System log size (CID:81)


Retain application log


Restrict guest access to security Log

Maximum security log size


Security log retention (CID:83)

Retention method for security log


Restrict guest access to system Log

Maximum system log size


System log retention (CID:84)

Retention method for system log

Retain system log 2.2.4.3.4 Log Retention

2.2.2.1 Minimum Password Age

Password Length (CID:39)

?

2.2.2.4 Password Complexity

Password History (CID:42) 2.2.2.5 Password History

Maximum Password Age (CID:40)

Maximum Password Age (90)

2.1.2 Maximum Password Age, 2.2.2.2 Maximum Password Age

Minimum Password Age (CID:41)

Minimum Password Age (1)

Minimum Password Length (12)

2.1.1 Minimum Password Length, 2.2.2.3 Minimum Password Length

Passwords must meet complexity requirements (Enabled)

Enforce password history (24 passwords)

Reversible Pwd Encryption (CID:232)

Store password using reversible encryption for all users in the domain (Disabled)

2.2.2.6 Store Passwords using Reversible Encryption

? ?

4.1.1 Alerter? ?

4.1.2 Automatic Updates? ?

? ?

4.1.4 Clipbook

?

4.1.5 Computer Browser?

4.1.6 Fax Service? ?

? ?

4.1.7 FTP Publishing Service?

4.1.8 IIS Admin Service

4.1.3 Background Intelligent Transfer Service

Computer Browser Disabled (CID:22)

Fast User Swithcing Compatibility Disabled (CID:729)

Internet Information System Installed - IIS Admin (CIS:4066)

? ?

4.1.9 Indexing Service?

4.1.10 Messenger?

? ?

4.1.11 Net Logon?

?

?

?

Windows Messenger Internet Access (CIS:4036)

.NET Framework service (CIS:4035)

NetMeeting Romote Desktop Sharing Disabled (CIS:730)

4.1.12 NetMeeting Remote Desktop Sharing

Print Services for Unix Service (CIS:4031)

Remote Access Auto Connection Manager Disabled (CIS:731)

Remote Desktop Help Session Manager Disabled (CIS:732)

4.1.13 Remote Desktop Help Session Manager

? ?

4.1.14 Remote Registry Service?

?

?

? ?

?

?

Routing and Remote Access Disabled (CIS:733)

4.1.15 Routing and Remote Access

Remote Shell Service (CIS:24)

Simple TCP/IP Service (CIS:25)

4.1.16 Simple Mail Transfer Protocol (SMTP)

Management and Monitoring Tools Installed - SNMP Service (CIS:4071)

4.1.17 Simple Network Management Protocol (SNMP) Service

Management and Monitoring Tools Installed - SNMP Trap (CIS:4072)

4.1.18 Simple Network Management Protocol (SNMP) Trap

?

?

4.1.19 Task Scheduler?

4.1.20 Telnet?

4.1.21 Terminal Services? ?

?

SSDP Discovery Service Disabled (CIS:734)

Task Scheduler Check (CIS:28)

23 - Telnet Disabled (CIS:23)

Terminal Services Disabled (CIS:735)

4.1.22 Universal Plug and Play Device Host

Internet Information Sytem Installed - World Wide Web Publishing (CIS:4067)

4.1.23 World Wide Web Publishing Services

? ?

? ?

? ?

? ?

? ?

? ?

File Shares (CIS:230)

?

? ?

? ?

? ?

4.1 Available Services (Permissions on services listed here: Administrators: Full Control; System: Read, Start, Stop, and Pause)









? ?

? ?

? ?

Printer ACL (CIS:229)

?

? ?

? ?

? ?

? ?

? ?

? ?









? ?

? ?

? ?

? ?

? ?

? ?







Restrict Anonymous value (CIS:97)

Network access: Do not allow anonymous enumeration of SAM accounts and shares: Enabled

3.1.3 Network Access: Do not allow Anonymous Enumeration of SAM Accounts and Shares

?

?

?

?

?

?

Network access: Do not allow anonymous enumeration of SAM accounts: Enabled

3.1.2 Network Access: Do not allow Anonymous Enumeration of SAM Accounts

Network access: Allow anonymous SID/Name translation: Disabled

3.1.1 Network Access: Allow Anonymous SID/Name Translation

Anon Access to Application log (CIS:78)

Anon Access to Security log (CIS:79)

Anon Access to System log (CIS:77)

Guest Account Disabled (CIS:29)

Accounts: Guest account status: Disabled

3.2.1.2 Accounts: Guest Account Status

Accounts: Administrator account status: Enabled

3.2.1.1 Accounts: Administrator Account Status

?

?

? ?

?

3.2.2.6 Disable Automatic Logon

Interactive logon: Message title for users attempting to log on

3.2.1.27 Interactive Logon: Message Title for Users Attempting to Log On

Interactive logon: Message test for users attempting to log on: <Configure Locally>

3.2.1.26 Interactive Logon: Message Text for Users Attempting to Log On

3.2.2.9 Remove administrative shares on workstation (Professional)

CIS: Automatic Execution of the System Debugger value (CIS:749)

3.2.2.2 Disable Automatic Execution of the System Debugger

Admin Autologon password values not exist: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultPassword; Admin Autologon Value: HKEY_LOCAL_MACHINE\*\AutoAdminLogon (CIS:188, 189)

Interactive logon: Allow Automatic Administator Logon - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoAdminLogon = 0

?

Autoplay value (CID:103)

?

? ?

?

? ?

? ?

? ?

CIS: Disable Reboot After Crash value (CID:755)

3.2.2.7 Disable automatic reboots after a Blue Screen of Death

3.2.2.3 Disable autoplay from any disk type, regardless of application

3.2.2.4 Disable autoplay for current user

Disable Media Autoplay (HKEY_USER-.Default hive) Value (CID:752)

3.2.2.5 Disable autoplay for the default profile3.2.2.8 Disable CD Autorun: HKLM\System\CurrentControlSet\Services\Cdrom\Autorun (REG_DWORD)

3.2.2.10 Protect against Computer Browser Spoofing Attacks

3.2.2.13 Ensure ICMP Routing via shortest path first

? ?

? ?

?

?

?

3.2.2.11 Protect against source-routing spoofing

3.2.2.17 Ensure Router Discovery is Disabled

CIS: Enable IPSec secuiryt for Kerberos RSVP Traffic value (CID:758)

3.2.2.21 Enable IPSec to protect Kerberos RSVP Traffic

CIS: Allow Dr. Watson Crash Dumps value (CID:746)

3.2.2.1 Suppress Dr. Watson Crash Dumps

Interactive logon: Do no display last user name - Enabled

3.2.1.24 Interactive Logon: Do Not Display Last User Name

?

? ?

? ?

? ?

? ?

CIS: Hide computer Name from other domain controllers value (CID:761)

3.2.2.22 Hide workstation from Network Browser listing: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Lanmanserver\Parameters\Hidden

3.2.2.12 Protect the Default Gateway network setting: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\EnableDeadGWDetect

3.2.2.15 Manage Keep-alive times: HKEY_LOCAL_MACHINE\System\CurrentControlSEt\Services\Tcpip\Parameters\KeepAliveTime

3.2.2.19 SYN Attack protection – Manage TCP Maximum half-open sockets: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxHalfOpen

3.2.2.20 SYN Attack protection – Manage TCP Maximum half-open retired sockets: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxHalfOpenRetried

? ?

? ?

? ?

3.2.2.16 Protect Against Malicious Name-Release Attacks: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netbt\Parameters\NoNameReleaseOnDemand

3.2.2.14 Help protect against packet fragmentation: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\EnablePMTUDiscovery

3.2.2.18 Protect against SYN Flood attacks: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\SynAttackProtect

Disable saving of dial up password (CID:105)

?

?

?

?

?

?

Safe DLL Search Mode value (CID:774)

System objects: Set safe search path for DLLs

3.2.2.23 Enable Safe DLL Search Mode: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\SafeDllSearchMode

Always Wait for the Network at Computer Startup and Logon (CID:927)

Cached Profiles value (CID:93)

Always Use Classic Logon (CID:924)

Turn Off Background Refresh of Group Policy (CID:930)

Internet Connection Sharing (CID:942)

Prohibit Installation and Configuration of Network Bridge on the DNS Domain Network (CID:945)

?

?

?

?

Disallow Installation of Printers Using Kernel-mode Drivers (CID:948)

Domain controller: Allow server operators to schedule tasks: Not Defined

3.2.1.15 Domain Controller: Allow Server Operators to Schedule Tasks

Administrator Account Renamed (CID:30)

Accounts: Rename administrator account: Administrator

3.2.1.4 Accounts: Rename Administrator Account

Guest Account Renamed (CID:31)

Accounts: Rename guest account: <Configure locally>

3.2.1.5 Accounts: Rename Guest Account

Amount of idle time before disconnecting value (CID:213)

Microsoft network server: Amount of idle time required before suspending session

3.2.1.35 Microsoft Network Server: Amount of Idle Time Required Before Disconnecting Session

Audit: Audit the access of global system objects: Not Defined

3.2.1.6 Audit: Audit the access of global system objects

Audit: Audit the use of Backup and Restore privilege: Not Defined

3.2.1.7 Audit: Audit the use of backup and restore privilege

?

Interactive logon: Do not require CTRL+ALT+DEL: Disabled

3.2.1.25 Interactive Logon: Do not require CTRL+ALT+DEL

LMCompatibility Value (CID:123)

Network security: LAN Manager authentication level: Send LM & NTLM - use NTLMv2 session security if negotiated

3.2.1.47 Network Security: LAN Manager Authentication Level

Print Driver Installation value (CID:99)

Devices: Prevent users from installing printer drivers: Enabled

3.2.1.11 Devices: Prevent users from installing printer drivers

Recovery Console Autologon value (CID:117)

Recovery console: Allow automatic administrative logon: Disabled

3.2.1.51 Recovery Console: Allow Automatic Administrative Logon

Recovery Console Full Access Value (CID:119)

Recovery console: Allow floppy copy and access to all drives and all folders: Disabled

3.2.1.52 Recovery Console: Allow Floppy Copy and Access to All Drives and All Folders

?

Floppy Allocation (CID:89)

Devices: Restrict CD-ROM access to locally logged-on user only: Enabled

3.2.1.12 Devices: Restrict CD-ROM Access to Locally Logged-On User Only

Devices: Restrict floppy access to locally logged-on user only: Enabled

3.2.1.13 Devices: Restrict Floppy Access to Locally Logged-On User Only

Strength permissions on GSO value (CID:204)

System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links): Enabled

3.2.1.58 System objects: Strengthen default permissions of internal system objects

Domain member: Require strong (Windows 2000 or later) session key value (CID:770)

Domain member: Require strong (Windows 2000 or later) session key: Enabled

3.2.1.23 Domain Member: Require Strong (Windows 2000 or later) Session Key

Send unencrypted password to 3rd party SMB value (CID:207)

Microsoft network client: Send unencrypted password to third-party SMB servers

3.2.1.34 Microsoft Network Client: Send Unencrypted Password to Connect to Third-Party SMB Server

Unsigned Driver Behavior Value (CID:127)

Devices: Unsigned driver installation behavior: Warn but allow installation

3.2.1.14 Devices: Unsigned Driver Installation Behavior

Password Expiration value (CID:199)

Interactive logon: Prompt user to change password before expiration: 14 days

3.2.1.29 Interactive Logon: Prompt User to Change Password Before Expiration

? ?

?

?

?

Crash on audit fail Value (CID:121)

Audit: Shut down system immediately if unable to log security audits: Disabled

3.2.1.8 Audit: Shut Down system immediately if unable to log security alerts

Shutdown before logon Check (CID:217)

Shutdown: Allow system to be shut down without having to log on: Enabled

3.2.1.53 Shutdown: Allow System to be Shut Down Without Having to Log On

Clear Pagefile value (CID:101)

Shutdown: Clear virtual memory pagefile: Disabled

3.2.1.54 Shutdown: Clear Virtual Memory Pagefile

Microsoft network client: Digitally sign communications (always)

3.2.1.32 Microsoft Network Client: Digitally sign communications (always)

Enable Security Signature Value (CID:113)

Microsoft network client: Digitally sign communications (if server agrees)

3.2.1.33 Microsoft Network Client: Digitally sign communications (if server agrees)

Microsoft network server: Digitally sign communications (always)

3.2.1.36 Microsoft Network Server: Digitally sign communications (always)

Microsoft network server: Digitally sign communications (if client agrees): Enabled

3.2.1.37 Microsoft Network Server: Digitally sign communications (if client agrees)

Logon Caching value (CID:91)

Interactive logon: Number of previous logons to cache (in case domain controller is not available): 0 logons

3.2.1.28 Interactive Logon: Number of Previous Logons to Cache

NTFS Media Ejection value (CID:2010)

Devices: Allowed to format and eject removable media: Administrators

3.2.1.10 Devices: Allowed to format and eject removable media

Digitally encrypt or sign secure channel data (always) value (CID:743)

Domain member: Digitally encrypt or sign secure channel data (always): Not Defined

3.2.1.18 Domain Member: Digitally Encrypt or Sign Secure Channel Data (Always)

Sign Secure Channel Traffic Value (CID:109)

Domain member: Digitally encrypt secure channel data (when possible): Enabled

3.2.1.19 Domain Member: Digitally Encrypt Secure Channel Data (When Possible)

Sign Secure Channel Traffic Value (CID:107)

Domain member: Digitally sign secure channel data (when possible): Enabled

3.2.1.20 Domain Member: Digitally Sign Secure Channel Data (When Possible)

Smart Card Removal Behavior Value (CID:125)

Interactive logon: Smart card removal behavior: Lock Workstation

3.2.1.31 Interactive Logon: Smart Card Removal Behavior

Disable password change Value (CID:111)

Domain member: Disable machine account password changes:Disabled

3.2.1.21 Domain Member: Disable Machine Account Password Changes

?

?

Use FIPS compliant algorithms for encryption, hashing, and signing (CID:804)

System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing: Enabled

3.2.1.55 System Cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing

Default owner for objects created by members of the Administrators group (CID:807)

System objects: Default owner for objects created by members of the Administrators group: Object Creator

3.2.1.56 System objects: Default owner for objects created by members of the Administrators group

System Object: Require Case Insensitivity for Non-Windows Subsystems (CID:810)

System objects: Require case insensitivity for non-Windows subsystems: Enabled

3.2.1.57 System objects: Require case insensitivity for non-Windows subsystems

Limit Blank Passwords value (CID:764)

Accounts: Limit local account user of blank passwords to console logon only: Enabled

3.2.1.3 Accounts: Limit local account use of blank passwords to console logon only

Devices: Allow undock without having to log on: Disabled

3.2.1.9 Devices: Allow undock without having to log on

Domain controller: LDAP server signing requirements: Not Defined

3.2.1.16 Domain Controller: LDAP Server Signing Requirements

?

LDAP client signing requirements (CID:795)

Network security: LDAP client signing requirements

3.2.1.48 Network Security: LDAP client signing requirements

Domain controller: Refuse machine account password changes: Not Defined

3.2.1.19(note: different enumeration) Domain Controller: Refuse machine account password changes

Accounts: Maximum machine account password age value (CID:767)

Domain member: Maximum machine account password age: 7 Days

3.2.1.22 Domain Member: Maximum Machine Account Password Age

Domain Controller Authentication to Unlock Workstation Value (CID:777)

Interactive logon: Require Domain Controller authentication to unlock workstation: Enabled

3.2.1.30 Interactive Logon: Require Domain Controller authentication to unlock workstation

Automatically log off user when logon time expires value (CID:210)

Microsoft network server: Disconnect clients when logon hours expire: Enabled

3.2.1.38 Microsoft Network Server: Disconnect clients when logon hours expire

Do not allow storage of credentials or .NET Passports for network authentication value (CID:780)

Network access: Do not allow storage of credentials or .NET Passports: Enabled

3.2.1.39 Network Access: Do not allow storage of credentials or .NET passports for network authentication

?

?

?

Let Everyone permissions apply to anonymous users Value (CID:783)

Network access: Let Everyone permissions apply to anonymous users: Disabled

3.2.1.40 Network Access: Let Everyone permissions apply to anonymous users

Network access: Named Pipes that can be accessed anonymously: Not Defined

3.2.1.41 Network Access: Named pipes that can be accessed anonymously

Network access: Remotely accessible registry paths: Classic - local users authenticate as themselves

3.2.1.42 Network Access: Remotely accessible registry paths

Network access: Shares that can be accessed anonymously: Not Defined

3.2.1.43 Network Access: Shares that can be accessed anonymously

Sharing and security model for local accounts Value (CID:786)

Network access: Sharing and security model for local accounts: Classic - local users authenticate as themselves

3.2.1.44 Network Access: Sharing and security model for local accounts

Do not store LAN Manager hash value on next password change (CID:789)

Network security: Do not store LAN Manager hash value on next password change: Enabled

3.2.1.45 Network Security: Do not store LAN Manager password hash value on next password change

Logon Time Enforcement (CID:46)

Network security: Force logoff when logon hours expire: Enabled

3.2.1.46 Network Security: Force logoff when logon hours expire

Minimum session security for NTLM SSP based clients (CID:798)

Network security: Minimum session security for NTLM SSP based (including secure RPC) clients: Require NTLMv2 session security, Require 128-bit encryption

3.2.1.49 Network Security: Minimum session security for NTLM SSP based (including secure RPC) clients

Minimum session security for NTLM SSP based servers (CID:801)

Network security: Minimum session security for NTLM SSP based (including secure RPC) servers: Require NTLMv2 session security, Require 128-bit encryption

3.2.1.50 Network Security: Minimum session security for NTLM SSP based (including secure RPC) servers

Non-NTFS Partition (CID:10)

Chapter 10: Modifying File System Security Settings with Security Templates

4.3.1 Ensure volumes are using the NTFS file system

?

?

?

?

?

Default user scrnsave.exe (CID:67)

Default user screensaver timeout (CID:68, 71)

Default user screensaver secure (CID:69)

Default user screensaver active (CID:70)

Current user scrnsave.exe (CID:76)

?

?

?

Current user screensaver timeout (CID:74)

Current user screensaver secure (CID:72)

Current user screensaver active (CID:73)

Always Install with Elevated Privileges (CID:888)

?

?

Disable IE Security Prompt for Windows Installer Scripts (CID:891)

Enable User Control Over Installs (CID:894)

Enable User to Use Media Source While Elevated (CID:900)

Allow Admin to Install from Terminal Services Session (CID:906)

Enable User to Patch Elevated Products (CID:903)

Cache Transforms in Secure Location on Workstation (CID:908)

Disable Media Player for XP automatic Updates (CID:912)

951 - Prevent Codec Download

?

?

?

Do Not Allow Windows Messenger to be Run (CID:915)

918 - Do Not Automatically Start Windows Messenger Initially

Prohibit New Task Creation (CID:843)

Limit Users to One Remote Session (CID:849)

Limit users to one remote session

Limit Number of Connections (CID:852)

Limit number of connections

Do Not Allow New Client Connections (CID:855)

Do not allow new client connections

Do Not Allow Local Administrators to Customize (CID:858)

Do not allow local administrator to customize permissions

Remote Control Settings (CID:861)

Remote control settings

Always Prompt Client for Password upon Connection (CID:864)

Always prompt client for password upon connection

Set Client Connection Encryption (CID:867)

Set client connection encryption level

Do Not Use Temp Folders per Session (CID:870)

Do not use temp folders per session

Do Not Delete Temp Folder upon Exit (CID:873)

Do not delete temp folder upon exit

Set Time Limit for Disconnected Sessions (CID:876)

Set time limit for disconnected sessions

Set Time Limit for Idle Sessions (CID:879)

Set time limit for idle sessions

Allow Reconnection from Original Client Only (CID:882)

Allow reconnection from original client only

Terminate Session When Time Limits are Reached (CID:885)

Terminate session when time limits are reached

?

?

?

Report Errors (CID:939)

?

?

?

?

?

?

Keep-Alive Messages (CID:846)

Solicited Remote Assistance (CID:933)

Unsolicited Remote Assistance (CID:936)

Enforce user logon restrictions (Enabled)

Maximum lifetime for service ticket (600 minutes)

Maximum lifetime for user ticket (10 hours)Maximum lifetime for user ticket renewal (7 days)

Maximum tolerance for computer clock synchronization (5 minutes)

5.1.1.1 RPC Endpiont Mapper Client Authentication (SP2 only)

5.1.1.2 Restrictions for Unauthenticated RPC clients (SP2 only)

5.2.1.1.1.1 Protect all network connections (SP2 only)

5.2.1.1.1.2 Do not allow exceptions (SP2 only)5.2.1.1.1.3 Allow local program exceptions

5.2.1.1.1.4 Allow remote administration

5.2.1.1.1.5 Allow file and printer sharing exception (SP2 only)

5.2.1.1.1.6 Allow ICMP exceptions (SP2 only)5.2.1.1.1.7 Allow Remote Desktop exception (SP2 only)

5.2.1.1.1.8 Allow UPnP framework exception (SP2 only)

5.2.1.1.1.9 Prohibit notifications

5.2.1.1.1.10 Log dropped packets (SP2 only)

5.2.1.1.1.11 Log file path and name (SP2 only)

5.2.1.1.1.12 Log file size limit (SP2 only)

5.2.1.1.1.13 Log successful connections (SP2 only)

5.2.1.1.1.14 Prohibit unicast response to multicast or broadcast (SP2 only)

5.2.1.1.1.15 Define port exceptions (SP2 only)5.2.1.1.16 Allow local port exceptions (SP2 only)

5.2.1.1.2.1 Protect all network connections (SP2 only)

5.2.1.1.2.2 Do not allow exceptions (SP2 only)5.2.1.1.2.3 Allow local program exceptions (SP2 only)

5.2.1.1.2.4 Allow remote administration exception (SP2 only)

5.2.1.1.2.4 Allow file and printer sharing exception (SP2 only)

5.2.1.1.2.6 Allow ICMP exceptions (SP2 only)

5.2.1.1.2.7 Allow Remote Desktop exception (SP2 only)

5.2.1.1.2.8 Allow UPnP framework exception (SP2 only)

5.2.1.1.2.9 Prohibit notifications (SP2 only)

5.2.1.1.2.10 Log Dropped Packets (SP2 only)

5.2.1.1.2.11 Log file path and name (SP2 only)

5.2.1.1.2.12 Log file size limit (SP2 only)

5.2.1.1.2.13 Log Successful Connections (SP2 only)

5.2.1.1.2.14 Prohibit unicast response to multicast or broadcast (SP2 only)

5.2.1.1.2.15 Define port exceptions (SP2 only)5.2.1.1.2.16 Allow local port exceptions (SP2 only)

5.2.1.1. Windows Firewall

Disable Periodic Check for Internet Explorer Software Updates (CID:834)

Disable Automatic Install of Internet Explorer Components (CID:831)

CIS WXP Pro Benchmark v2.01 OVAL (cis-winxp-oval.xml)

NIST 800-68 Windows XPPDF

(SP800-68-20051102.pdf)

NIST 800-68 Windows XP

XCCDF (NIST-800-68-53-

WinXPPro_XCCDF_10102006.xml)

NIST 800-68 Windows XP OVAL

(NIST-800-68-53-WinXPPro_OVAL_

10102006.xml)

regedit.exePermissions oval:gov.nist.1:def:146

%SystemRoot%\system32\regedit.exe Table: 9.19 Value: Administrators: Full System: Full

arp.exePermissions oval:gov.nist.1:def:128

%SystemRoot%\system32\arp.exe Table: 9.1 Value: Administrators: Full System: Full

at.exePermissions oval:gov.nist.1:def:129

attrib.exePermissions oval:gov.nist.1:def:130

cacls.exePermissions oval:gov.nist.1:def:131

oval:gov.nist.1:def:132 debug.exePermissions

%SystemRoot%\system32\at.exe Table: 9.2 Value: Administrators: Full System: Full%SystemRoot%\system32\attrib.exe Table: 9.3 Value: Administrators: Full

%SystemRoot%\System32\cacls.exe Table: 9.4 Value: Administrators: Full System: Full

%SystemRoot%\System32\debug.exe Table: 9.5 Value: Administrators: Full System: Full

edlin.exePermissions oval:gov.nist.1:def:133

oval:gov.nist.1:def:134


%SystemRoot%\system32\edlin.exe Table: 9.6 Value: Administrators: Full System: Full

%SystemRoot%\system32\eventcreate.exe Table: 9.7 Value: Administrators: Full System: Full

eventcreate.exePermissions

%SystemRoot%\System32\eventtriggers.exe Table: 9.8 Value: 9.8

eventtriggers.exePermissions


%SystemRoot%\system32\ftp.exe Table: 9.9 Value: Administrators: Full System: Full ftp.exePermissions

ftp://ftp.exepermissions/

nbtstat.exePermissions oval:gov.nist.1:def:137

net.exePermissions oval:gov.nist.1:def:138

net1.exePermissions oval:gov.nist.1:def:139

netsh.exePermissions oval:gov.nist.1:def:140

netstat.exePermissions oval:gov.nist.1:def:141

nslookup.exePermissions oval:gov.nist.1:def:142

ntbackup.exePermissions oval:gov.nist.1:def:143

%SystemRoot%\system32\nbtstat.exe Table: 9.10 Value: Administrators: Full System: Full

%SystemRoot%\system32\net.exe Table: 9.11 Value: Administrators: Full System: Full

%SystemRoot%\system32\net1.exe Table: 9.12 Value: Administrators: Full System: Full

%SystemRoot%\system32\netsh.exe Table: 9.13 Value: Administrators: Full System: Full

%SystemRoot%\system32\netstat.exe Table: 9.14 Value: Administrators: Full System: Full

%SystemRoot%\system32\nslookup.exe Table: 9.15 Value: Administrators: Full System: Full

%SystemRoot%\system32\Ntbackup.exe Table: 9.16 Value: Administrators: Full System: Full

rcp.exePermissions oval:gov.nist.1:def:144

reg.exePermissions oval:gov.nist.1:def:145

regedt32.exePermissions oval:gov.nist.1:def:147

regini.exePermissions oval:gov.nist.1:def:148

regsvr32.exePermissions oval:gov.nist.1:def:149

rexec.exePermissions oval:gov.nist.1:def:150

%SystemRoot%\system32\rcp.exe Table: 9.17 Value: Administrators: Full System: Full

%SystemRoot%\system32\reg.exe Table: 9.18 Value: Administrators: Full System: Full

%SystemRoot%\system32\Regedt32.exe Table: 9.20 Value: Administrators: Full System: Full

%SystemRoot%\system32\regini.exe Table: 9.21 Value: Administrators: Full System: Full

%SystemRoot%\system32\regsvr32.exe Table: 9.22 Value: Administrators: Full System: Full

%SystemRoot%\system32\rexec.exe Table: 9.23 Value: Administrators: Full System: Full

route.exePermissions oval:gov.nist.1:def:151

rsh.exePermissions oval:gov.nist.1:def:152

sc.exePermissions oval:gov.nist.1:def:153

secedit.exePermissions oval:gov.nist.1:def:154

%SystemRoot%\system32\route.exe Table: 9.24 Value: Administrators: Full System: Full

%SystemRoot%\system32\rsh.exe Table: 9.25 Value: Administrators: Full System: Full

%SystemRoot%\system32\sc.exe Table: 9.26 Value: Administrators: Full System: Full

%SystemRoot%\system32\secedit.exe Table: 9.27 Value: Administrators: Full System: Full

subst.exePermissions oval:gov.nist.1:def:155

systeminfo.exePermissions oval:gov.nist.1:def:156

telnet.exePermissions oval:gov.nist.1:def:157

tftp.exePermissions oval:gov.nist.1:def:158

%SystemRoot%\system32\subst.exe Table: 9.28 Value: Administrators: Full System: Full

%SystemRoot%\system32\systeminfo.exe Table: 9.29 Value: Administrators: Full System: Full

%SystemRoot%\system32\telnet.exe Table: 9.30 Value: Administrators: Full System: Full

%SystemRoot%\system32\tftp.exe Table: 9.31 Value: Administrators: Full System: Full

tlntsvr.exePermissions oval:gov.nist.1:def:159

%SystemRoot%\system32\tlntsvr.exe Table: 9.32 Value: Administrators: Full System: Full

DenyAccessFromNetwork oval:gov.nist.1:def:175


BypassTraverseChecking oval:gov.nist.1:def:168

Deny access to this computer from the network Table: 4.15 Value: Guests, SUPPORT

Access this computer from the network Table: 4.1 Value: Administrators, not defined

AccessComputerFromNetwork, AccessComputerFromNetworkUsers

oval:gov.nist.1:def:161, oval:gov.nist.1:def:231

Act as part of the operating system Table:

4.2 Value: noneActAsPartOfOperatingSystem

Back up files and directories Table: 4.7 Value: Administrators, not defined

BackUpFilesAndDirectories, BackUpFilesAndDirectoriesOperators


Bypass traverse checking Table: 4.8 Value: Administrators, Users, not defined

ChangeSystemTime oval:gov.nist.1:def:169

CreatePagefile oval:gov.nist.1:def:170

CreateTokenObject oval:gov.nist.1:def:171


DebugPrograms oval:gov.nist.1:def:173


GenerateSecurityAudits oval:gov.nist.1:def:181

AdjustMemoryQuotas oval:gov.nist.1:def:164

Change the system time Table: 4.9 Value: Administrators

Create pagefile Table: 4.10 Value: Administrators

Create a token object Table: 4.11 Value: None, not defined

Create permanent share objects Table: 4.13 Value: None, not defined

CreatePermanentSharedObjects

Debug programs Table: 4.14 value: None, Administrators

Force shutdown from a remote system Table: 4.21 Value: Administrators

ShutdownFromRemoteSystem

Generate security audits Table: 4.22 Value: LOCAL SERVICE, NETWORK SERVICE

Adjust memory quotas for a process Table: 4.4 Value: Administrators, LOCAL SERVICE, NETWORK SERVICE

IncreaseSchedulingPriority oval:gov.nist.1:def:182


LockPagesInMemory oval:gov.nist.1:def:184

LogOnAsBatchJob oval:gov.nist.1:def:185

LogOnAsService oval:gov.nist.1:def:186


Increase scheduling priority Table: 4.24 Value: Administrators

Load and unload device drivers Table: 4.25 Value: Administrators

LoadAndUnloadDeviceDrivers

Lock pages in memory Table: 4.26 Value: none

Log on as a batch job Table: 4.27 Value: none, not defined

Log on as a service Table: 4.28 Value: LOCAL SERVICE, NETWORK SERVICE

Allow log on locally Table: 4.5 Value: Users, Administrators

AllowLogOnLocally, AllowLogOnLocallyAuthenticatedUsers


Manage auditing and security log Table: 4.29 Value: Administrators

ManageAuditingAndSecurityLog, ManageAuditingAndSecurityLogNone


Modify firmware environment values Table: 4.30 Value: Administrators

ModifyFirmwareEnvironmentValues

ProfileSingleProcess oval:gov.nist.1:def:190

ProfileSystemPerformance oval:gov.nist.1:def:191



ShutDownSystem oval:gov.nist.1:def:195

TakeOwnershipOfFiles oval:gov.nist.1:def:196

Profile single process Table: 4.32 Value: Administrators

Profile system performance Table: 4.33 Value: Administrators

Remove computer from docking station Table: 4.34 Value: Users, Administrators

RemoveComputerFromDockingStation, RemoveComputerFromDockingStationNone


Replace a process-level token Table: 4.35 Value: LOCAL SERVICE, NETWORK SERVICE

ReplaceProcessLevelToken

Restore files and directories Table: 4.36 Value: Administrators

RestoreFilesAndDirectories

Shut down the system Table: 4.37 Value: Users, Administrators

Take ownership of files and other objects Table: 4.39 Value: Administrators


DenyLogonLocally oval:gov.nist.1:def:177



DenyLogonAsBatchJob oval:gov.nist.1:def:176

*** ***

Syncronize directory service data Table: 4.38 Value: not defined

SynchronizeDirectoryServiceData

Deny logon locally Table: 4.18 Value: Guests, SUPPORT_388945a0, any service accounts

Enable computer and user accounts to be trusted for delegation Table: 4.20 Value: none, not defined

AccountsTrustedForDelegation

Add workstations to domain Table: 4.3 Value: Administrators

AddWorkstationsToDomain, AddWorkstationsToDomainNone


Allow logon through Terminal Services Table: 4.6 Value: none, not defined

AllowLogOnThroughTerminalServices

Deny logon as a batch job Table: 4.16 Value: Guests, SUPPORT_388945a0

Deny logon as a service Table: 4.17 Value: not defined



AccountLockoutReset oval:gov.nist.1:def:26

AccountLockoutDuration oval:gov.nist.1:def:23

AccountLockoutThreshold oval:gov.nist.1:def:24

AuditAccountLogin oval:gov.nist.1:def:27

Deny logon through Terminal Services Table: 4.19 Value: Everyone, not defined

DenyLogonThroughTerminalServices

Profile volume maintenance tasks Table: 4.31 Value: Administrators

PerformVolumeMaintenanceTasks

Reset account lockout counter after Table: 2.3 value: 15

Account lockout duration Table: 2.1 Value: 15

Account lockout threshold Table: 2.2 Value: 10, 50

Audit account logon events Table: 3.1 Value: success, success and failure

AuditAccountLogin oval:gov.nist.1:def:27

AuditAccountManagement oval:gov.nist.1:def:29

AuditAccountManagement oval:gov.nist.1:def:29

Not applicable Not applicable

Not applicable Not applicable

AuditLogonEvents oval:gov.nist.1:def:32

AuditLogonEvents oval:gov.nist.1:def:32

Audit account logon events Table: 3.1 Value: success, success and failure

Audit account management Table: 3.2 Value success, failure

Audit account management Table: 3.2 Value success, failure

Audit directory service acces Table: 3.3 Value: not defined

Audit directory service acces Table: 3.3 Value: not defined

Audit logon events Table: 3.4 Value: success, success and failure

Audit logon events Table: 3.4 Value: success, success and failure

AuditObjectAccess oval:gov.nist.1:def:34

AuditObjectAccess oval:gov.nist.1:def:34



AuditPrivilegeUse oval:gov.nist.1:def:36

AuditPrivilegeUse oval:gov.nist.1:def:36

AuditProcessTracking oval:gov.nist.1:def:40

AuditProcessTracking oval:gov.nist.1:def:40

Audit object access Table: 3.5 Value: failure, no auditing

Audit object access Table: 3.5 Value: failure, no auditing

Audit policy change Table: 3.6 Value: success

AuditPolicyChangesSuccessOnly

Audit policy change Table: 3.6 Value: success

AuditPolicyChangesSuccessOnly

Audit privilege use Table: 3.7 Value: failure, no auditing

Audit privilege use Table: 3.7 Value: failure, no auditing

Audit process tracking Table: 3.8 Value: no auditing

Audit process tracking Table: 3.8 Value: no auditing





Audit system events Table: 3.9 Value: success

AuditSystemEventsSuccessOnly

Audit system events Table: 3.9 Value: success

AuditSystemEventsSuccessOnly

Prevent local guestsgroup from accessingapplication log Table: 6.4 Value: enabled

PreventGuestApplicationLogAccess

Maximum Application log size Table: 6.1 Value: 16384 kilobytes

MaximumApplicationLogSize

Retain application log Table: 6.7 Value: not defined



MaximumSecurityLogSize oval:gov.nist.1:def:198



MaximumSystemLogSize oval:gov.nist.1:def:199

Retention method for application log Table: 6.10 Value: as needed

ApplicationLogRetentionMethod

Prevent local guestsgroup from accessingsecurity log Table: 6.5 Value: enabled

PreventGuestSecurityLogAccess

Maxium security log size Table: 6.2 Value: 81920 kilobytes

Retain security log Table: 6.8 Value: not defined

Retention method forsystem log Table: 6.11 Value: as needed

SecurityLogRetentionMethod

Prevent local guestsgroup from accessingsystem log Table: 6.6 Value: enabled

PreventGuestSystemLogAccess

Maximum system log size Table: 6.3 Value: 16384 kilobytes

Retain system log Table: 6.9 Value: not defined


MaximumPasswordAge oval:gov.nist.1:def:17

MinimumPasswordAge oval:gov.nist.1:def:18

MinimumPasswordLength oval:gov.nist.1:def:19

PasswordComplexity oval:gov.nist.1:def:21



Retention method for system log Table: 6.12 Value: not defined

SystemLogRetentionMethod

Maximum password age Table: 1.2 Value: 90

Minimum password age Table: 1.3 Value: 1

Minimum password length Table: 1.4 Value: 12, 8

Password must meet complexity requirements Table: 1.5 Value: enabled

Enforce password history Table: 1.1 Value: 24

PasswordHistoryEnforcement

Store passwrd using reversible encryptin for all users in the domain Table: 1.6 Value: disabled

PasswordStorageReversibleEncryption

AlerterService oval:gov.nist.1:def:209

*** ***

*** ***

ClipBookService oval:gov.nist.1:def:210

BrowserService oval:gov.nist.1:def:211

FaxService oval:gov.nist.1:def:212

FTPPublishingService oval:gov.nist.1:def:213

IISAdminService oval:gov.nist.1:def:214

Alerter Service Table: 8.1 Value: disabled

Automatic update service Table: 8.4 Value: not defined

Background Intelligent Transfer Service Table: 8.5 Value: not defined

ClipBook service Table: 8.6 Value: disabled

Computer Browswer Service Table: 8.9 Value: disabled

Fast User SwitchingCompatibility Table: 8.17 Value: not defined

Fax Servce Table: 8.18 Value: disabled

FTP Publishing Service Table: 8.19 Value: disabled

IIS Admin service Table: 8.22 Value: disabled

IndexingService oval:gov.nist.1:def:215

MessengerService oval:gov.nist.1:def:216



Indexing Service Table: 8.24 Value: disabled

Messenger service Table: 8.30 Value: disabled

Net Logon service Table: 8.32 Value: not defined

Net meeting Remote Desktop Sharing Table: 8.33 Value: disabled

NetMeetingRemoteDesktopSharingService

Remote Access Auto Connection Manager Table: 8.45 Value: not defined

Remote Desktop Help Session Manager Table: 8.47 Value: disabled

RemoteDesktopHelpSessionManagerService


SMTPService oval:gov.nist.1:def:220

SNMPService oval:gov.nist.1:def:221

SNMPTrap oval:gov.nist.1:def:222

Internet ConnectionFirewall (ICF)/InternetConnection Sharing(ICS) Table: 8.26 Value: not defined

Remote Registery service Table: 8.50 Value: not defined

Routing and Remote Access service Table: 8.52 Value: disabled

RoutingAndRemoteAccessService

Simple Mail TransferProtocol (SMTP) Table: 8.59 Value: disabled

Simple NetworkManagement Protocol(SNMP) Service Table: 8.60 Value: disabled

Simple NetworkManagement Protocol(SNMP) Trap Table: 8.61 Value: disabled

SSDPService oval:gov.nist.1:def:223

TaskSchedulerService oval:gov.nist.1:def:224

TelnetService oval:gov.nist.1:def:225

TerminalServicesService oval:gov.nist.1:def:226



Simple ServiceDiscovery Protocol(SSDP) DiscoveryService Table: 8.62 Value: disabled

Task Scheduler service Table: 8.65 Value: disabled

Telnet service Table: 8.68 Value: disabled

Terminal Services service Table: 8.69 Value: disabled

Universal Plug and Play Device Host Disabled Table: 8.73 Value: Not defined

UniversalPlugAndPlayDeviceHostService

World Wide Web Publishing Services Table: 8.85 Value: Disabled

WWWPublishingServicesService

Print Spooler service Table: 8.42 Value: not defined


Plug and Play service Table: 8.40 Value: not defined

Network access: Do notallow anonymousenumeration of SAMaccounts and shares Table: 5.45 Value: enabled

AnonymousEnumerationOfAccountsAndShares


GuestAccountStatus oval:gov.nist.1:def:243


Network access: Do notallow anonymousenumeration of SAMaccounts Table: 5.44 Value: enabled

AnonymousEnumerationOfAccounts

Network access: Allowanonymous SID/Nametranslation Table: 5.43 Value: disabled

Accounts: Guestaccount status Table: 5.2 Value: disabled

Accounts: Administratoraccount status Table: 5.1 Value: enabled

AdministratorAccountStatus

LogonMessageTitle oval:gov.nist.1:def:71

LogonMessageText oval:gov.nist.1:def:70

AutomaticLogonDisabled oval:gov.nist.1:def:110

Interactive logon: Messagetitle for users attempting tolog on Table: 5.30 Value: <DoJ Approved>

Interactive logon: Messagetext for users attempting tolog on Table: 5.29 Value: <DoJ approved>

MSS: (AutoShareWks)Enable AdministrativeShares Table: 5.72 Value: not defined

MSS: (AutoAdminLogon)Enable Automatic Logon Table: 5.70 Value: disabled


MSS: (AutoReboot) AllowWindows to automaticallyrestart after a system crash Table: 5.71 Value: not defined

MSS:(NoDriveTypeAutoRun)Disable Autorun for alldrives Table: 5.80 Value: 255

DisableAutorunForAllDrives

MSS:(EnableICMPRedirect)Allow ICMP redirects tooverride OSPF generatedroutes Table: 5.76 Value: disabled

AllowICMPRedirectsDisabled


RouterDiscovery oval:gov.nist.1:def:121




MSS:(DisableIPSourceRouting)IP source routing protectionlevel Table: 5.73 Value: Highestprotection,source routingis completelydisabled

IPSourceRoutingProtectionLevel

MSS:(PerformRouterDiscovery)Allow IRDP to detect andconfigure DefaultGatewayaddresses Table: 5.83 Value: enabledMSS: (NoDefaultExempt)Enable NoDefaultExemptfor IPSec Filtering Table: 5.79 Value: Multicast, broadcast, and ISAKMP

NoDefaultExemptForIPSecFiltering

Interactive logon: Do notdisplay last user name Table: 5.27 Value: enabled

LastUserNameNotDisplayedForLogon

HideFromBrowseList oval:gov.nist.1:def:114


KeepAliveTime oval:gov.nist.1:def:115

MSS: (Hidden) HideComputer From the BrowseList Table: 5.77 Value: enabled

MSS:(EnableDeadGWDetect)Allow automatic detectionof dead network gateways Table: 5.75 Value: disabled

AutomaticDetectionOfDeadGWs

MSS: (KeepAliveTime)How often keep-alivepackets are sent inmilliseconds Table: 5.78 Value: 300,000ms (5 minutes)

NameReleaseRequests oval:gov.nist.1:def:118

SynAttackProtectionLevel oval:gov.nist.1:def:124


MSS:(NoNameReleaseOnDemand) Allow the computer toignore NetBIOS namerelease requests exceptfrom WINS servers Table: 5.81 Value: enabled

MSS: (SynAttackProtect) Syn attact protection level Table: 5.86 Value: Connections time out sooner if attack is detected (1)

MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning Table: 5.89 Value: 90

EventLogThresholdWarning

MSS:(DisableSavePassword)Prevent the dial-uppassword from being saved Table: 5.74 Value: not defined

SafeDLLSearchMode oval:gov.nist.1:def:122

MSS: (SafeDllSearchMode)Enable Safe DLL searchmode Table: 5.84 value: enabled

SessionTimeout oval:gov.nist.1:def:83



Domain controller: Allow server operators to schedule tasks Table: 5.17 Value: not defined

Accounts: Rename administrator account Table: 5.4 Value: not defined

Accounts: Rename guest account Table: 5.5 Value: not defined

Microsoft network server:Amount of idle timerequired before suspendingsession Table: 5.39 Value: 15 minutes

Audit: Audit the access of global system objects Table: 5.6 Value: disabled

AuditAccessToGlobalObjects

Audit: Audit the use of backup and restore privilege Table: 5.7 Value: disabled

AuditBackupAndRestorePrivilegeDisabled

RequireCTRL_ALT_DEL oval:gov.nist.1:def:69




Interactive logon: Do notrequire CTRL+ALT+DEL Table: 5.28 Value: diabled

Network security: LANManager authenticationlevel Table: 5.55 Value: Send NTLMv2responseonly\refuse LM& NTLM or Send NTLMv2 response only\refuse LM

LANManagerAuthenticationRefuseLM, LANManagerAuthenticationRefuseLM_NTLM


Devices: Prevent users from installing priter drivers Table: 5.13 Value: enabled or disabled

PreventUsersFromInstallingPrinterDrivers

Recovery console: Allowautomatic administrativelogon Table: 5.59 Value: disabled

RecoveryConsoleAutoLogon

Recovery console: Allowfloppy copy and access toall drives and all folders Table: 5.60 Value: disabled

RecoveryConsoleFullSystemAccess




RequireStrongSessionKey oval:gov.nist.1:def:66



PasswordExpirationPrompt oval:gov.nist.1:def:74

Devices: Restrict CD-ROM access to locally logged-on user only Table: 5.14 Value: disabled

RecoveryConsoleFullSystemAccess

Devices: Restrict floppy access to locally logged-on user only Table: 5.15 Value: disabled

RestrictFloppyAccessDisabled

System objects: Strengthendefault permissions ofinternal system objects(e.g. Symbolic Links) Table: 5.67 Value: enabled

InternalSystemObjectsPermissions

Domain member: Requirestrong (Windows 2000 orlater) session key Table: 5.25 Value: enabled

Microsoft network client:Send unencryptedpassword to third-partySMB servers Table: 5.38 Value: disabled

UnencryptedSMBPasswords

Devices: Unsigned driver installation behavior Table: 5.16 Value: warn but allow isntallation

UnsignedDriverInstallationWarning

Interactive logon: Promptuser to change passwordbefore expiration Table: 5.32 Value: 14 days

ShutdownWithoutLogon oval:gov.nist.1:def:103

ClearPagefileOnShutdown oval:gov.nist.1:def:104





Audit: Shut down system immediately if unable to log security audits Table: 5.8 Value: not defined

Shutdown: Allow system tobe shut down withouthaving to log on Table: 5.61 Value: disabled

Shutdown: Clear virtualmemory pagefile Table: 5.62 Value: enabled

Microsoft network client:Digitally signcommunications (always) Table: 5.36 Value: enabled

ClientAlwaysSignCommunications

Microsoft network client:Digitally signcommunications (if serveragrees) Table: 5.37 Value: enabled

SignCommunicationsIfServerAgrees

Microsoft network server:Digitally signcommunications (always) Table: 5.40 Value: enabled

ServerAlwaysSignCommunications

Microsoft network server:Digitally signcommunications (if clientagrees) Table: 5.41 Value: enabled

SignCommunicationsIfClientAgrees

PreviousLogonsCached oval:gov.nist.1:def:72




SmartCardRemoval oval:gov.nist.1:def:78


Interactive logon: Numberof previous logons to cache(in case domain controlleris not available) Table: 5.31 Value: 0 logons or 2 logons

Devices: Allowed to format and eject removeable media Table: 5.12 Value: Administrators or Administrators and interactive users

RestrictAccessToFormatAndEjectRemovableMediaAdministrators, RestrictAccessToFormatAndEjectRemovableMedia


Domain member: Digitallyencrypt or sign securechannel data (always) Table: 5.20 Value: enabled

AlwaysDigitallyEncryptSecureChannelData

Domain member: Digitallyencrypt secure channeldata (when possible) Table: 5.21 Value: enabled

WhenPossibleDigitallyEncryptSecureChannelData

Domain member: Digitallysign secure channel data(when possible) Table: 5.22 Value: enabled

WhenPossibleDigitallySignSecureChannelData

Interactive logon: Smart card removal behavior Table: 5.35 Value: lock workstation

Domain member: Disablemachine account passwordchanges Table: 5.23 Value: disabled

MachineAccountPasswordChanges

FIPSCompliantEncryption oval:gov.nist.1:def:105


RequireCaseInsensitivity oval:gov.nist.1:def:107

LimitBlankPasswordUse oval:gov.nist.1:def:42


System cryptography: UseFIPS compliant algorithmsfor encryption, hashing,and signing Table: 5.64 Value enabled

System objects: Defaultowner for objects createdby members of theAdministrators group Table: 5.65 Value: Object creator

AdministratorsGroupObjectCreatorOwner

System objects: Requirecase insensitivity for non-Windows subsystems Table: 5.66 Value: enabled

Accounts: Limit local account use of blank passwords to console logon only Table: 5.3 Value: enabled

Devices: Allow undock without having to logon Table: 5.11 Value: disabled

AllowUndockWithoutLoginDisabled

Domain controller: LDAP server signin requirements Table: 5.18 Value: not defined




LogonTimeExpiration oval:gov.nist.1:def:86

CredentialsStorage oval:gov.nist.1:def:89

Network security: LDAPclient signing requirements Table: 5.56 Value: Negotiate signing

LDAPClientSigningRequirements

Domain controller: Refuse machine account password changes Table: 5.19 Value: not defined

Domain member: Maximummachine account passwordage Table: 5.24 Value:30 days

MaximumMachineAccountPasswordAge

Interactive logon: RequireDomain Controllerauthentication to unlockworkstation Table: 5.33 Value: enabled or disabled

DomainControllerAuthenticationRequired

Microsoft network server:Disconnect clients whenlogon hours expire Table: 5.42 Value: enabled

Network access: Do notallow storage of credentialsor .NET Passports fornetwork authentication Table: 5.46 Value: enabled






Network access: LetEveryone permissionsapply to anonymous users Table: 5.47 Value: disabled

AnonymousUsersPermissions

Network access: NamedPipes that can be accessedanonymously Table: 5.48 Value: COMNAPCOMNODESQL\QUERYSPOOLSSLLSRPCbrowser

AnonymouslyAccessedNamedPipes

Network access: Remotelyaccessible registry paths Table: 5.49 Value: System\CurrentControlSet\Control\ProductOptions, System\CurrentControlSet\Control\Print\Printers,System\CurrentControlSet\Control\Server Applications, System\CurrentControlSet\Services\Eventlog,Software\Microsoft\OLAP Server,

RemotelyAccessibleRegistryPaths

Network access: Sharesthat can be accessedanonymously Table: 5.51 Value: COMCFGDFS$

AnonymouslyAccessedShares

Network access: Sharingand security model for localaccounts Table: 5.52 Value: Classic - local users authenticate as themselves

LocalAccountsSecurityModel

LANManagerHashStorage oval:gov.nist.1:def:95

ForceLogoff oval:gov.nist.1:def:244



Network security: Do notstore LAN Manager hashvalue on next passwordchange Table: 5.53 Value: enabled`

Network security: Forcelogoff when logon hoursexpire Table: 5.54 Value: enabled

Network security: Minimumsession security for NTLMSSP based (includingsecure RPC) clients Table: 5.57 Value: Require message integrityRequire message confidentialityRequire NTLMv2 session securityRequire 128-bit encryption

NTLM_SSP_BasedClientsSessionSecurity

Network security: Minimumsession security for NTLMSSP based (includingsecure RPC) servers Table: 5.58 Value: Require message integrityRequire message confidentialityRequire NTLMv2 session securityRequire 128-bit encryption

NTLM_SSP_BasedServersSessionSecurity


MSS:(ScreenSaverGracePeriod)The time in seconds beforethe screen saver graceperiod expires Table: 5.85 Value: 0

ScreenSaverGracePeriod

Create global objects Table: 4.12 Value: not defined

Impersonate a client after authentication Table: 4.23 Value: not defined

DCOM: Machine access of the global system objects Table: 5.9 Value: disabled

DCOM: Machine Launch Restrictions in the Security Descriptor Definition Language (SDDL) syntax Table: 5.10 Value: not defined

Interactive logon: Display user information when the session is locked Table: 5.26 Value: not defined

Interactive logon: Requre smart card Table: 5.34 Value: not defined



BackupOperators oval:gov.nist.1:def:206

PowerUsers oval:gov.nist.1:def:207

RemoteDesktopUsers oval:gov.nist.1:def:208

Network access: Restrict anonymous access to named pipes and shares Table: 5.50 Value: not defined

System cryptography: Force strong key protection for user keys stored on the computer Table: 5.63 Value: not defined

System settings: optional subsystems Table: 5.68 Value: not defined

System settings: Use Certificate Rules on Windows Executables for Software Restriction Polices Table: 5.69 Value: not definedMSS:(TCPMaxConnectResponseRetransmission) SYN-ACK retansmissions when a connection request is not acknowledged Table: 5.87 Value: 3 and 6 sec, half open connections dropped after 21 sec

TCPConnectionResponses

MSS:(TCPMaxDataRetransmissions) How many times unacknowledged data is retransmitted Table: 5.88 Value: 3

TCPMaxDataRetransmissions

Backup Operators Table: 7.1 Value: nonePower Users Table: 7.2 Value: none

Remote Desktop Users Table: 7.3 Value: none

Application Layer Gateway Service Table: 8.2 Value: not defined

Application Management Table: 8.3 Value: not definedCryptographic Services Table: 8.10 Value: not defined

DHCP Client Table: 8.11 Value: not defined

Distributed Link Tracking Client Table: 8.12 Value: not defined

Distributed Transaction Coordinator Table: 8.13 Value: not defined

DNS Client Table: 8.14 Value: not definedError Reporting Service Table: 8.15 Value: not definedEvent Log Table: 8.16 Value: not definedHelp and Support Table: 8.20 Value: not defined

Human Interface Device Access Table: 8.21 Value: not defined

IMAPI CD-Burning COM Service Table: 8.23 Value: not defined

Infrared Monitor Table: 8.25 Value: not defined

IPSEC Services Table: 8.27 Value: not definedLogical Disk Manager Table: 8.28 Value: not defined

Logical Disk Manager Administrative Service Table: 8.29 Value: not defined

DDEService oval:gov.nist.1:def:245

DDEdsdmService oval:gov.nist.1:def:246

RasManService oval:gov.nist.1:def:247

MS Software Shadow Copy Provider Table: 8.31 Value: not definedNetwork Connections Table: 8.34 Value: not defined

Network Dynamic Data Exchange (DDE) Table: 8.35 Value: not defined

Network DDE DDE Share Database Manager (DSDM) Table: 8.36 Value: not defined

Network Location Awareness (NLA) Table: 8.37 Value: not defined

NT LM Security Support Provider Table: 8.38 Value: not definedPerformance Logs and Alerts Table: 8.39 Value: not defined

Portable Media Serial Number Service Table: 8.41 Value: not definedProtected Storage Table: 8.43 Value: not defined

QoS RSVP Table: 8.44 Value: not defined

Remote Access Connection Manager Table: 8.46 Value: not definedRemote Procedure Call (RPC) Table: 8.48 Value: not defined

Remote Procedure Call (RPC) Locator Table: 8.49 Value: not definedRemovable Storage Table: 8.51 Value: not defined

Secondary Logon Table: 8.53 Value: not definedSecurity Accounts Manager Table: 8.54 Value: not definedServer Table: 8.55 Value: not defined

Smart Card Table: 8.57 Value: not definedSmart Card Helper Table: 8.58 Value: not defined

System Event Notification Table: 8.63 Value: not definedSystem Restore Service Table: 8.64 Value: not definedTCP/IP NetBIOS Helper Table: 8.66 Value: not definedTelephony Table: 8.67 Value: not definedThemes Table: 8.70 Value: not definedUninterruptable Power Supply Table: 8.71 Value: not defined

Upload Manager Table: 8.72 Value: not definedVolume Shadow Copy Table: 8.74 Value: not definedWebclient Table: 8.75 Value: not defined

Windows Audio Table: 8.76 Value: not defined

Windows Image Acquisition (WIA) Table: 8.77 Value: not definedWindows Installer Table: 8.78 Value: not defined


Windows Management Instrumentation Table: 8.79 Value: not defined

Windows Management Instrumentation Driver Extensions Table: 8.80 Value: not defined

Windows Time Table: 8.81 Value: not defined

Wireless Zero Configuration Table: 8.82 Value: not definedWMI Performance Adapter Table: 8.83 Value: not defined

Workstation Table: 8.84 Value: not defined

MSS: (NtfsDisable8dot3NameCreation) Enable the computer to stop generating 8.3 style filenames. Table: 5.82 Value: enabled

Disable8Dot3NameCreation

5.2.1.1.2.4 Allow remote administration exception (SP2 only)

5.2.1.1.2.7 Allow Remote Desktop exception (SP2 only)

OVAL10088

OVAL10219

Microsoft Security Guide for

Windows Server 2003

Center for Internet Security Windows

Server 2003DISA Stig for

Windows 2003

NIST SCAP Windows Vista XCCDF (SCAP-

WinVista-XCCDF.xml rev 2007-02-06)

….

…. ….

…. ….

Table 3.28 Deny access to this computer from the network: ANONYMOUS LOGON; Built-in Administrator, Guests; Support_388945a0; Guest; all NON-Operating System service accounts (Legacy Client, Enterprise Client, and High Security)

4.2.15 Deny access to this computer from the network (minimum): Not Defined

Table 4.2 Access this computer from the network: Administrators, Authenticated Users, Enterprise Domain Controllers (High Security); Legacy Client and Enterprise Client are not defined

4.2.1 Access this computer from the network: Not Defined; Administrators, Authenticated Users, Enterprise Domain Controllers (Specialized Security)

5.1 User Rights: (4.015: CAT I) Built-in Guest account, Everyone group, guests group, and Domain Guests group DO NOT have the right to "access this computer from the network"

Table 3.21 Act as part of the operating system: Not defined (Legacy Client and Enterprise Client); revoke all security groups and accounts (High Security)

4.2.2 Act as part of the operating system: none

5.1 User Rights: (4.009: CAT I) Individual and group accounts DO NOT have the right to "act as part of the operating system"

4.2.36 Backup files and directories: Administrators (Specialized Security)

4.2.8 Bypass traverse checking: Not Defined

….

…. ….

…. ….

…. ….

….

….

….

….

Table 3.26 Change the system time: Administrators and Power Users (default); Administrators (High Security); Legacy client and Enterprise Client are not defined

4.2.9 Change the system time: Administrators

4.2.10 Create a pagefile: Administrators (Specialized Security)

4.2.11 Create a token object: None

4.2.13 Create permanent shared objects: None

Table 3.27 Debug programs: Administrators (default); Revoke all security groups and accounts (Legacy Client, Enterprise client and High Security)

4.2.14 Debug Programs: None

Table 3.32 Force shutdown from a remote system: Administrators (High Security): Legacy client and Enterprise Client are not defined

4.2.21 Force shutdown from a remote system: Administrators (Specialized Security)

Table 3.33 Generate security audits: Network Service, Local Service (High Security): Legacy Client and Enterprise Client are not defined

4.2.22 Generate security audits: Local Service, Network Service (Specialized Security)

Table 3.23 Adjust memory quotas for a process: Administrators, Network Service, Local Service (High Security); Legacy client and Enterprise Client are not defined

4.2.4 Adjust memory quotas for a process: Network Service, Local Service, Administrators (Specialized Security)

….

….

….

….

…. ….

….

….

Table 3.35 Increase scheduling priority: Administrators (High Security): Legacy Client and Enterprise Client are not defined

4.2.24 Increase scheduling priority: Administrators (Specialized Security)

Table 3.36 Load and unload device drivers: Administrators (High Security): Legacy Client and Enterprise Client are not defined

4.2.25 Load and unload device drivers: Administrators

Table 3.37 Lock pages in memory: Administrators (High Security): Legacy Client and Enterprise Client are not defined

4.2.26 Lock pages in memory: Administrators (Specialized Security)

Table 3.38 Log on as a batch job: Support_388945a0, Local Service (Default); Revoke all security groups and accounts (High Security); Legacy Client and Enterprise Client are not defined

4.2.27 Log on as a batch job: None

4.2.28 Log on as a service: Not Defined

Table 4.4 Allow log on locally: Administrators (Legacy client, Enterprise Client, and High Security)

4.2.5 Allow log on locally: Administrators

5.1 User rights: (4.026: CAT II) Built-in Guest account, guests group, and Domain guests group, HelpAssistant, and Suppor_388945a0 are assigned the right to DENY log on locally

Table 3.39 Manage auditing and security log: Administrators (High Security); Legacy Client and Enterprise Client are not defined

4.2.29 Manage auditing and security log: Administrators (Specialized Security)

Table 3.40 Modify firmware environment values: Administrators (High Security); Legacy client and Enterprise Client are not defined

4.2.30 Modify firmware environment values: Administrators (Specialized Security)

….

….

….

….

….

….

….

Table 3.42 Profile single process: Administrators (High Security); Legacy Client and Enterprise Client are not defined

4.2.32 Profile single process: Administrators (Specialized Security)

Table 3.43 Profile system performance: Administrators (High Security); Legacy client and Enterprise Client are not defined

4.2.33 Profile system performance: Administrators (Specialized Security)

Table 3.44 Remove computer from docking station: Administrators, Power Users (Default)/Administrators (High Security); Legacy client and Enterprise Client are not defined

4.2.34 Remove computer from docking station: Administrators (Specialized Security)

Table 3.45 Replace a process level token: Local Service, Network Service (High Security); Legacy Client and Enterprise Client are not defined

4.2.35 Replace a process level token: Network Service, Local Service

Table 3.46 Restore files and directories: Administrators and Backup Operators (Default)/Administrators (High Security); Legacy Client and Enterprise Client are not defined

4.2.36 Restore files and directories: Administrators (Specialized Security)

Table 3.47 Shut down the system: Backup Operators, Power Users and Administrators (Default)/Administrators (High Security); Legacy Client and Enterprise Client are not defined

4.2.37 Shut down the system: Administrators (Enterprise, Specialized Security)

Table 3.49 Take ownership of files or other objects: Administrators (High Security); Legacy Client and Enterprise Client are not defined

4.2.39 Take ownership of file or other objects: Administrators

….

….

….

….

….

…. ….

Table 3.48 Synchronize directory service data: Revoke all security groups and accounts (High Security); legacy client and Enterprise Client are not defined

4.2.38 Synchronize directory service data: None

4.2.18 Deny logon locally: Not Defined

5.1 User rights: (4.026: CAT II) Built-in Guest account, guests group, and Domain guests group, HelpAssistant, and Suppor_388945a0 are assigned the right to DENY log on locally

Table 4.7 Enable computer and user accounts to be trusted for delegation: Administrators (High Security); Legacy client and Enterprise Client are not defined

4.2.20 enable computer and user accounts to be trusted for delegation: None

Table 3.22 Add workstations to domain: Administrators (High Security); Legacy Client and Enterprise Client are not defined

4.2.3 Add workstations to domain: Not Defined; None (Specialized Security)

Table 3.25 Allow log on through Terminal Services: Administrators (High Security); Administrators and Remote Desktop Users (Legacy Client and Enterprise Client)

4.2.6 Allow logon through terminal services: Administrators

5.1 User Rights: (4.040: CAT I) No one has the right to allow logn through Terminal Services unless the machine is performing the role of a Terminal Server

Table 4.18 Deny log on as a batch job: Support_388945a0 and Guest (Legacy Client, Enterprise Client, and High Security)

4.2.16 Deny logon as a batch job: Not Defined

4.2.17 Deny logon as a service: Not Defined

reset-account-lockout-counter

account-lockout-duration

account-lockout-threshold

…. audit-account-logon-events

Table 4.18 Deny log on through Terminal Services: Built-in Administrator; all NON-operating system service accounts (Legacy Client, Enterprise Client, and High Security)

4.2.19 Deny logon through Terminal Services: Not Defined

5.1 User Rights: (4.041: CAT II) The Everyone group is assigned the right to deny logon through Terminal Services unless the machine is performing the roale of a Terminal Server, then the Guests group is assigned

Table 3.41 Perform volume maintenance tasks: Administrators (High Security); Legacy client and Enterprise Client are not defined

4.2.31 Perform volume maintenance tasks: Administrators (Specialized Security)

5.4.5.1 [AP] User Rights Assignments: Perform Volume Maintenance Tasks: Administrators

Table 2.11 Reset account lockout counter after: 30 minutes; 15 minutes (High Security); 30 minutes (Legacy Client and Enterprise Client)

2.2.3.3 Reset Account Lockout After: 15 minutes

5.4.2.2 [A] Bad Logon Counter Reset: 15 minutes

Table 2.9 Account lockout duration: 15 minutes (High Security); 30 minutes (Legacy Client and Enterprise Client)

2.2.3.1 Account Lockout Duration: 15 minutes

4.5.3 Password Policy (4.004: CAT II) The Account Lockout duration set to 15 minutes or more

Table 2.10 Account lockout threshold: 50 invalid login attempts (Legacy Client and Enterprise Client); 10 invalid login attempts (High Security)

2.2.3.2 Account Lockout Threshold: 15 attempts; 10 attempts (Specialized Security)

4.5.3 Password Policy (4.002: CAT II) The Account Lockout Threshold will be set to 3 or less

Table 3.2 Audit account logon events: Success/Failure (Legacy Client, Enterprise Client, and High Security)

2.2.1.1 Audit Account Logon Events: Success/Failure

…. audit-account-logon-events

…. audit-account-management

…. audit-account-management

audit-directory-services-access

audit-directory-services-access

audit-logon-events

audit-logon-events

Table 3.2 Audit account logon events: Success/Failure (Legacy Client, Enterprise Client, and High Security)

2.2.1.1 Audit Account Logon Events: Success/Failure

Table 3.4 Audit account management: Success/Failure (Legacy Client, Enterprise Client, and High Security)

2.2.1.2 Audit Account Management: Success/Failure

Table 3.4 Audit account management: Success/Failure (Legacy Client, Enterprise Client, and High Security)

2.2.1.2 Audit Account Management: Success/Failure

Table 3.6 Audit directory service access: Success/Failure (Legacy Client, Enterprise Client, and High Security)

2.2.1.3 Audit Directory Service Access: Not Defined

6.4 System Audit Settings: Audit directory service access: Not Defined

Table 3.6 Audit directory service access: Success/Failure (Legacy Client, Enterprise Client, and High Security)

2.2.1.3 Audit Directory Service Access: Not Defined

6.4 System Audit Settings: Audit directory service access: Not Defined

Table 3.8 Audit logon events: Success/Failure (Legacy Client, Enterprise Client, and High Security)

2.2.1.4 Audit Logon Events: Success and Failure

6.4 System Audit Settings: Audit logon events: Success, Failure

Table 3.8 Audit logon events: Success/Failure (Legacy Client, Enterprise Client, and High Security)

2.2.1.4 Audit Logon Events: Success and Failure

6.4 System Audit Settings: Audit logon events: Success, Failure

…. audit-object-access

…. audit-object-access

audit-policy-change

audit-policy-change

audit-privilege-use

audit-privilege-use….

…. …. audit-process-tracking

…. …. audit-process-tracking

Table 3.10 Audit object access: Success/Failure (Legacy Client, Enterprise Client, and High Security)

2.2.1.5 Audit Object Access: Success/Failure

Table 3.10 Audit object access: Success/Failure (Legacy Client, Enterprise Client, and High Security)

2.2.1.5 Audit Object Access: Success/Failure

Table 3.12 Audit policy change: Success (legacy client, Enterprise Client, and High Security)

2.2.1.6 Audit Policy Change: Success

6.4 System Audit Settings: Audit policy change: Success, Failure

Table 3.12 Audit policy change: Success (legacy client, Enterprise Client, and High Security)

2.2.1.6 Audit Policy Change: Success

6.4 System Audit Settings: Audit policy change: Success, Failure

Table 3.14 Audit privilege use: Success/Failure (High Security); No Auditing (Legacy Client); Failure (Enterprise Client)

2.2.1.7 Audit Privilege Use: Not Defined

6.4 System Audit Settings: Audit privilege use: Failure

Table 3.14 Audit privilege use: Success/Failure (High Security); No Auditing (Legacy Client); Failure (Enterprise Client)

2.2.1.7 Audit Privilege Use: Not Defined

6.4 System Audit Settings: Audit privilege use: Failure

6.4 System Audit Settings: Audit process tracking: Not Defined

6.4 System Audit Settings: Audit process tracking: Not Defined

audit-system-events

audit-system-events

…. ….

…. …. ….

…. …. ….

…. …. ….

…. ….

Maximum-Application-Log-Size

…. ….

Table 3.18 Audit system events: Success (Legacy Client, Enterprise Client, and High Security)

2.2.1.9 Audit System Events: Success

6.4 System Audit Settings: Audit system events: Success, Failure

Table 3.18 Audit system events: Success (Legacy Client, Enterprise Client, and High Security)

2.2.1.9 Audit System Events: Success

6.4 System Audit Settings: Audit system events: Success, Failure

Table 3.102 Shutdown: Allow system to be shut down without having to log on: Disabled (Legacy Client, Enterprise Client, and High Security)

2.2.4.1.2 Restrict Guest Access: Enabled

Prevent-Guest-Application-Log-Access

Table 3.110 Maximum application log size: 16,384 KB (Legacy Client, Enterprise Client, and High Security)

2.2.4.1.1 Maximum Event Log Size: 16MB

5.4.7.1 [A] Event Log Sizes: Maximum application log size: 16384 kilobytes

Retention-Method-For-Application-Log

…. Prevent-Guest-Security-Log-Access

Maximum-Security-Log-Size

…. Retention-Method-For-Security-Log

….

Prevent-Guest-System-Log-Access

Maximum-System-Log-Size

…. Retention-Method-For-System-Log

Table 3.116 Retention method for application log: As needed (Legacy Client, Enterprise Client, and High Security)

2.2.4.1.3 Log Retention Method: Not Defined

5.4.7.3 [AP] Preserving Security Events: Retention method for application log: Do not overwrite events (clear log manually)


3.5 [M] Access to Security Event Log: Auditors

Table 3.111 Maximum security log size: 81,920 KB (Legacy Client, Enterprise Client, and High Security)

5.4.7.1 [A] Event Log Sizes: Maximum security log size: 16384 kilobytes

6.2 Audit Log Requirements: (5.002: CAT II) minimum of 81920KB

Table 3.117 Retention method for security log: As needed (Legacy Client, Enterprise Client, and High Security)

2.2.4.2.3 Log Retention Method: Not Defined


5.4.7.2 [A] Restrict Event Log Access Over Network: Prevent local guests group from accessing security log: Enabled

Table 3.112 Maximum system log size: 16,384 KB (Legacy Client, Enterprise Client, and High Security)

2.2.4.3.1 Maximum Event Log Size: 16MB

5.4.7.1 [A] Even Log Sizes: Maximum system log size: 16384 kilobytes

6.2 Audit Log Requirements: (5.002: CAT II) minimum of 81920KB

…. ….

maximum-password-age

minimum-password-age

minimum-password-length

…. …. ….

password-complexity

enforce-password-history

reversible-password-encryption

3.118 Retention method for system log: As needed (Legacy Client, Enterprise Client, and High Security)

Table 2.4 Maximum password age: 42 days (Legacy Client, Enterprise Client, and High Security)

2.1.2 Maximum Password Age: 90 Days

4.5.3 Password Policy: (4.011: CAT II) Maximum password age is set to 90 days or less

Table 2.5 Minimum password age: 2 days (Legacy Client, Enterprise Client, and High Security)

2.2.2.1 Minimum Password Age: 1 day

4.5.3 Password Policy: (4.012: CAT II) Minimum password age is set to 1 day or more

Table 2.6 Minimum password length: 12 characters (High Security); 8 characters (Legacy Client and Enterprise Client)

2.2.2.3 Minimum Password Length: 8 characters; 12 characters (Specialized Security)

5.4.1.3 [AP] Minimum Password Length: 8 characters

Table 2.7 Password must meet complexity requirements: Enabled (Legacy Client, Enterprise Client, and High Security)

2.2.2.4 Password Complexity: Enabled

5.4.1.5 [M] Enable strong Password Filtering: Password must meet complexity requirements: Enabled

Table 2.3 Enforce password history: 24 passwords remembered (Legacy Client, Enterprise Client, and High Security)

2.2.2.5 Password History: 24 passwords remembered

5.4.1.4 [A] Password Uniqueness: Enforce password history: 24 passwords

Table 2.8 Store password using reversible encryption: Disabled (Legacy Client, Enterprise Client, and High Security)

2.2.2.6 Store Passwords Using Reversible Encryption: Disabled

5.4.1.6 [M] Disable Reversible Password Encryption: Disabled

4.1.1 Alerter: Disabled ….

….

….

4.1.3 Clipbook: Disabled ….

…. ….

…. …. ….

….

….

Table 3.119 Alerter Service: Disabled (Legacy Client, Enterprise Client, and High Security)

Table 3.123 Automatic updates service: Automatic (Legacy Client, Enterprise Client, and High Security)

7.6.1 Automatic Updates Service: Disable if not needed

Table 3.124 Background Intelligent Transfer Service: Manual (Legacy Client, Enterprise Client, and High Security)

7.6.2 Background Intelligent Transfer Service (BITs): Disable if not needed

Table 3.127 Clipbook service: Disabled (Legacy Client, Enterprise Client, and High Security)

Table 10.5 Computer Browser service: Automatic (default); Disabled (Enterprise)

Table 3.143 Fax Service: Not installed (default); Disabled (Legacy Client, Enterprise Client, and High Security)

4.1.4 Fax Service: Disabled

Table 3.146 FTP Publishing Service: Not installed (default); Disabled (Legacy Client, Enterprise Client, and High Security)

4.1.7 FTP Publishing Service: Disabled

7.6.3 FTP Service: Disabled

Table 3.151 IIS Admin Service: Not installed (default); Disabled (Legacy Client, Enterprise Client, and High Security)

4.1.10 IIS Admin Service: Disabled

….

….

…. …. ….

Disable-remote-Desktop-Sharing

…. ….

Table 3.153 Indexing Service: Disabled (Legacy Client, Enterprise Client, and High Security)

4.1.11 Indexing Service: Disabled

Table 3.167 Messenger Service: Disabled (Legacy Client, Enterprise Client, and High Security)

4.1.13 Messenger: Disabled

8.3.4 Windows Messenger: Disabled

Do-not-allow-Windows-Messenger-to-be-run

Table 3.172 .NET Framework Support Service: Not installed (default); Disabled (Legacy Client, Enterprise Client, and High Security)

8.4.3 .NET Framework: (5.069: CAT II) the .NET Framwork is not active on the system unless it only supports locally developed .NET applications

Table 3.174 NetMeeting Remote Desktop Sharing: Disabled (Legacy Client, Enterprise Client, and High Security)

4.1.15 NetMeeting Remote Desktop Sharing: Disabled

7.6.4 NetMeeting Remote Desktop Sharing Service: (5.063: CAT II) Disabled

7.6.5 Print Services for Unix: (5.026: CAT II) Remove if not required

Table 3.187 Remote Access Auto Connection Manager: Manual (default); Disabled (Legacy Client, Enterprise Client, and High Security)

4.1.20 Remote Access Auto Connection Manager: Disabled

7.6.7 Remote Access Auto Connection Manager Service: (5.064: CAT II) Disabled

Table 3.190 Remote Desktop Help Session Manager: Manual (default); Disabled (Legacy Client, Enterprise Client, and High Security)

4.1.23 Remote Desktop Help Session Manager: Disabled

7.6.8 Remote Desktop Help Session Manager: (5.065: CAT II) Disabled

…. ….

….

…. ….

….

….

….

8.3.9.1 Internet Connection Sharing: (3.085: CAT II) Prohibit use of Internet Connection Sharing on your DNS domain networks is Enabled

Table 3.194 Remote Registry Service: Automatic (Legacy Client, Enterprise Client, and High Security)

4.1.26 Remote Registry Service: Disabled (Specialized Security)

7.6.9 Remote Registry Service: Disabled

Table 3.201 Routing and Remote Access Service: Disabled (Legacy Client, Enterprise Client, and High Security)

7.6.11 Routing and Remote Access Service: (5.067: CAT II) Disabled if not required

7.6.10 Remote Shell Service: (5.008: CAT II) Service is removed by typing instsrv rshsvc remove at the command prompt

Table 3.208 Simple TCP/IP Services: Not installed (default); Disabled (Legacy Client, Enterprise Client, and High Security)

7.6.16 Telnet Servers: (5.010: CAT II) Simple TCP/IP services are disabled

Table 3.207 Simple Mail Transport Protocol (SMTP): Not installed (default); Disabled (Legacy Client, Enterprise Client, and High Security)

4.1.31 Simple Mail Transfer Protocol: Disabled

Table 3.211 SNMP Service: Not installed (default); Disabled (Legacy Client, Enterprise Client, and High Security)

4.1.32 Simple Network Management Protocol Service: Disabled

7.6.13 SNMP Service: (5.026: CAT II) SNMP is disabled if not required

Table 3.212 SNMP Trap Service: Not installed (default); Disabled (Legacy Client, Enterprise Client, and High Security)

4.1.33 Simple Network Management Protocol Trap: Disabled

…. ….

….

4.1.35 Telnet: Disabled ….

…. ….

….

….

….

…. ….

7.6.14 Simple Service Discovery Protocol (SSDP) Service: 5.019: CAT I) Disabled

Table 3.216 Task Scheduler: Automatic (default); Disabled (Legacy Client, Enterprise Client, and High Security)

7.6.15 Task Scheduler Service: (5.009: CAT II) Disabled

Table 3.220 Telnet Service: Disabled (Legacy Client, Enterprise Client, and High Security)

Table 3.221 Terminal Services: Manual (default); Automatic (Legacy Client, Enterprise Client, and High Security)

4.1.36 Terminal Services: Disabled (Specialized Security)

7.6.17 Terminal Services: (5.020: CAT I) Disabled on machines that are not performing as Terminal Servers

Table 3.182 Plug and Play: Automatic (Legacy Client, Enterprise Client, and High Security)

Table 3.245 World Wide Web Publishing Service: Not installed (default); Disabled (Legacy Client, Enterprise Client, and High Security)

4.1.39 World Wide Web Publishing Services: Disabled

Table 11.3 Automatic Update Service: Disabled

7.6.1 Automatic Updates Service: Disable if not needed

Table 11.4 Background Intelligent Transfer Service: Disabled

7.6.2 Background Intelligent Transfer Service (BITs): Disable if not needed

7.6.5 Print Services for Unix: (5.026: CAT II) Remove if not required

4.1.1. Alerter: Disabled ….

…. ….

…. …. ….

…. 4.1.3 Clipbook: Disabled ….

…. …. ….

…. ….

…. …. ….

…. ….

…. ….

…. ….

Table 3.119 Alerter Service: Disabled (Legacy Client, Enterprise Client, and High Security)

Table 3.123 Automatic Updates Service: Automatic (Legacy Client, Enterprise Client, and High Security)

4.1.4 Fax Service: Disabled

4.1.7 FTP Publishing Service: Disabled

4.1.10 IIS Admin Service: Disabled

4.1.11 Indexing Service: Disabled

…. ….

…. …. ….

…. ….

…. ….

….

…. ….

…. ….

…. …. ….

…. ….

…. ….


4.1.15 NetMeeting Remote Desktop Sharing: Disabled

4.1.19 Print Spooler: Disabled (Specialized Security)

4.1.20 Remote Access Auto Connection Manager: Disabled

7.6.7 Remote Access Auto Connection Manager Service: (5.064: CAT II) Disabled

4.1.23 Remote Desktop Help Session Manager: Disabled

4.1.26 Remote Registry Service: Disabled (Specialized Security)

4.1.31 Simple Mail Transfer Protocol: Disabled

4.1.32 Simple Network Management Protocol Service: Disabled

…. ….

…. …. ….

…. 4.1.35 Telnet: Disabled ….

…. ….

…. …. ….

…. ….

…. …. ….

4.1.33 Simple Network Management Protocol Trap: Disabled

4.1.36 Terminal Services: Disabled (Specialized Security)

4.1.39 World Wide Web Publishing Services: Disabled

3.86 Network Access: Do not allow anonymous enumeration of SAM accounts and shares: Enabled (Legacy Client, Enterprise Client, and High Security)

3.1.3 Network Access: Do not allow anonymous enumeration of SAM accounts and shares: Enabled (Enterprise and Specialized Security)

5.4.6.53 [AP] Restrict Anonymous Network Shares: Network Access: Do not allow anonymous enumeration of SAM accounts: Enabled

do-not-allow-anonymous-enumeration-sam-accounts-shares

…. ….

Anonymous-SID-Name-Translation

…. …. ….

…. …. ….

…. ….

…. …. ….

…. …. guest-account-status

…. …. …. administrator-account-status

3.85 Network Access: Do not allow anonymous enumeration of SAM accounts: Enabled (Legacy Client, Enterprise Client, and High Security)

do-not-allow-anonymous-enumeration-sam

Table 2.13 Network Access: Allow anonymous SID/NAME translation: Disabled

3.1.1 Network Access: Allow Anonymous SID/Name Translation: Disabled (Specialized Security)

5/4/6/52 Network Access: Allow anonymous SID/Name translation: Disabled

3.5 [M] Access to Security Event Log: Auditors

5.2 Windows Server 2003 Built-in Accounts: (4.048: CAT II) Disabled

message-title-users-attempting-logon

message-text-users-attempting-logon

…. …. ….

…. …. ….

…. …. enable-automatic-logon

Table 3.73 Interactive logon: Message title for users attempting to log on: "It is an offense to continue without proper authorization" (Legacy Client, Enterprise Client, and High Security)

3.2.1.27 Interactive Logon: Message Title for Users Attmpting to Log On: <Custom or DoJ Approved>

5.4.6.22 [AP] Display Legal Notice: Interactive Logon: Message title for users attempting to log on: US Deparment of Defense Warning Statement

Table 3.72 Interactive logon: Message text for users attempting to log on: "This system is restricted to authorized users. Individuals attempting unauthorized access will be prosecuted. If unauthorized, terminate access now! Clicking on OK indicates your acceptance of the information in the background. (Legacy Client, Enterprise Client, and High Security)

3.2.1.26 Interactive Logon: Message Text for Users Attempting to Log On: <Custom or DoJ Approved>

5.4.6.22 Interactive Logon: Message text for users attempting to log on

5.4.6.38 [A] Disable Administrator Automatic Logon: Disabled

…. …. ….

…. ….

…. …. ….

…. ….

…. …. ….

…. …. ….

…. …. enable-icmp-redirect

5.4.6.47 [A] Disable Media Autoplay: MSS: Disable Autorun on all drives: 255, disable Autorun for all drives

Turn-off-Autoplay, no-drive-type-auto-run

5.4.6.41 [A] ICMP Redirects: MSS: (EnablEICMPRedirect) Allow ICMP redirects to override OSPF generated routes: Disabled

…. disable-ip-source-routing

…. …. perform-router-discovery

…. …. ….

…. …. ….

…. do-not-display-last-user-name

…. …. ….

…. …. ….

3.2.1.69 MSS: IP Source Routing protection level: Highest Protection, source routing is automatically disabled

5.4.6.39 MISS: DisableIPSourceRouting, IP source routing packet spoofing: Highest protection, source routing is completely disabled

3.2.1.74 MSS: Allow IRDP to detect and configure DefaultGateway addresses: Disabled

Table 3.70 Interactive logon: Do not display last user name: Disabled (default); Enabled (Legacy Client, Enterprise Client, and High Security)

3.2.1.24 Interactive Logon: Do Not Display Last User Name: Enabled

…. …. ….

…. …. …. hide-system-from-browse-list

enable-dead-gw-detect

keep-alive-time

…. …. ….

…. …. ….

Table. 3.246 Security Consideration for Network Attack: EnableDeadGWDetect = 0 (Legacy Client, Enterprise Client, and High Security)

3.2.1.70 MSS: Allow automatic detection of dead network gateways: Disabled

5.4.6.40 [A] Detection of Dead Gateways: MSS: (EnableDeadGWDetect) Allow automatic detection of dead network gateways: Disabled

Table 3.246 Security Consideration for Network Attacks: KeepAliveTime = 300,000 (Legacy Client, Enterprise Client, and High Security)

3.2.1.82 MSS: How often keepalive packets are sent in milliseconds: 300000

5.4.6.49 MSS: How often keepalive packets are sent in milliseconds: 300000

no-name-release-on-demand

….

syn-attack-protect

…. …. ….

…. …. …. warning-level

…. ….

Table 3.248 Configure NetBIOS Name Release Security: Allow the computer to ignore NetBIOS name release requests except from WINS server: NoNameReleaseOnDemand = 1 (Legacy Client, Enterprise Client, and High Security)

3.2.1.73 MSS: Allow the computer to ignore NetBIOS name release requestions except from WINS servers: Enabled

5.4.6.42 [A] NetBIOS Name Release: MSS: (NoNameReleaseOnDemand) Allow computer to ignore NetBIOS name release requests except from WINS Servers: Enabled

Table 3.246 Security Consideration for Network Attacks: EnablePMTUDiscovery = 0 (Legacy Client, Enterprise Client, and High Security)

3.2.1.72 MSS: EnablePMTUDiscovery, Allow automatic detection of MTU size: Enabled (Specialized Security)

Table 3.246 Security Consideration for Network Attacks: SynAttackProtect = 1 (Legacy Client, Enterprise Client, and High Security)

5.4.6.44 MSS (SynAttackProtect) Syn attack protection level: Connections time out sooner if a SYN attack is detected

5.4.6.6 ConGp: Prevent the dial-up password from being saved: Enabled

Table 3.64 Domain member: Digitally encrypt or sign secure channel data (always): Enabled (High Security); Disabled (Legacy Client and Enterprise Client)

3.2.1.19 Domain Member: Digitally Encrypt Secure Channel Data (When Possible): Enabled

5.4.6.16 [A] Encryption of Secure Channel Traffic: Domain Member: Digitally encrypt secure channel data (when possible): Enabled

safe-dll-search-mode

…. ….

…. …. ….

…. …. ….

…. ….

…. …. ….

…. ….

Table 3.65 Domain member: Digitally encrypt or sign secure channel data (when possible): Enabled (Legacy Client, Enterprise Client, and High Security)

3.2.1.20 Domain Member: Digitally Sign Secure Channel Data (When Possible): Enabled

5.4.6.17: [A] Signing of Secure Channel Traffic: Domain Membore: Digitally sign secure channel data (when possible): Enabled

Table 3.253 Enable Safe DLL Search Order: Enable Safe DLL search mode (recommended): SafeDllSearchMode = 1 (Legacy Client, Enterprise Client, and High Security)

3.2.1.80 MSS: Enable Safe DLL search mode: Enabled

5.4.6.48 [A] Safe DLL Search Mode: MSS: Enable Safe DLL search mode: Enabled

8.3.5 Always wait for the network at computer startup: Enabled

8.3.6 Group Policy: (3.080: CAT II) Turn off backroung refresh of Group Policy is set to Disabled

8.3.9.2 Network Bridge: (3.086: CAT II) The setting Prohibit installation and configuration of network Bridge on your DNS doman network is set to Enabled

…. ….

…. ….

…. …. rename-administrator

…. …. rename-guest

`

audit-access-global-system-objects

…. audit-use-backup-restore-privilege

8.3.10 Installation of Printers Using Kernel-mode Drivers: (3.087: CAT II) the setting Disallow installation of printers using kernel-mode drivers is set to Enabled

Table 3.61 Domain controller: Allow server operators to schedule tasks: Not Defined (default); Disabled (Legacy Client, Enterprise Client, and High Security)

3.2.1.15 Domain Controller: Allow Server Operators to Schedule Tasks: Disabled

5.4.6.12 [A] Server Operators Scheduling Tasks: Domain Controller: Allo server operators to schedule tasks: Disabled

5.4.6.3 Accounts: Rename administrator account: Should not be Administrator

5.4.6.4 Account: Rename guest account: Any value other than ‘Guest’

Table 3.81 Microsoft network server: Amount of idle time required before suspending session: 15 minutes (Legacy Client, Enterprise Client, and High Security)

5.4.6.30[A] Idle Time Before Suspending a Session: Microsoft Network Server: Amount of idle time required before suspending a session: 15 minutes

amount-of-idle-time-required-before-suspending-session

Table 3.52 Audit: Audit the access of global system objects: Disabled (Legacy Client, Enterprise Client, and High Security)

3.2.1.6 Audit: Audit the access of global system objects: Not Defined

5.4.7.76 [A] Global System Object Permission Strength: System objects: Strengthen default permissions of internal system objects: Enabled

Table 3.53 Audit: Audit the use of backup and restore privilege: Disabled (Legacy Client, Enterprise Client, and High Security)

3.2.1.7 Audit: Audit the use of backup and restore privilege: Not Defined

…. do-not-require-ctrlaltdel

…. …. ….

prevent-users-installing-printers

Table 3.71 Interactive logon: Do not require CRTL+ALT+DEL: Disabled (Legacy Client, Enterprise Client, and High Security)

5.4.6.21 [A] CTRL+ALT+DEL Security Attention Sequence: Interactive Logon: Do not require CTRL+ALT+DEL: Disabled

Table 3.96 Network security: LAN Manager authentication level: Send NTLM response only (default); Send NTLMv2 response only\refuse LM & NTLM (High Security); Send NTLMv2 responses only (Legacy Client and Enterprise Client)

3.2.1.50 Network Security: LAN Manager Authentication Level: Send NTLMv2 (Legacy), Send NTLMv2, refuse LM (Enterprise), Send NTLMv2, refuse LM and NTLM (Specialized Security)

5.4.6.64 [AP] LanMan Compatible Password Option Not Properly Set: Network Security: LAN Manager authentication level: Send NTLMv2 response only/refuse LM & NTLM

Table 3.57 Devices: Prevent users from installing printer drivers: Enabled (Legacy Client, Enterprise Client, and High Security)

3.2.1.11 Devices: Prevent users from installing printer drivers: Enabled

5.4.6.9 [A] Secure Print Driver Installation: Devices: Prevent users from installing printer drivers: Enabled

Table 3.100 Recovery console: Allow automatic administrative logon: Disabled (Legacy Client, Enterprise Client, and High Security)

3.2.1.54 Recovery Console: Allow Automatic Administrative Logon: Disabled

5.4.6.68 [A] Recovery Console - Automatic Logon: Allow automatic administrative logon: Disabled

Table 3.101 Recovery console: Allow floppy copy and access to all drives and all folders: Disabled (High Security); Enabled (Legacy Client and Enterprise Client)

3.2.1.55 Recovery Console: Allow Floppy Copy and Access to All Drives and All Folders: Not Defined

5.4.6.69 [A] Recovery Console - Set Command: Recovery console: Allow floppy copy and access to all drives and folders: Disabled

…. ….

require-strong-session-key

….

…. …. ….

3.2.1.12 Devices: Restrict CD-ROM Access to Locally Logged-On User Only: Not Defined

restrict-cdrom-access-local-users-only

Table 10.2 Devices: Restrict floppy access to locally logged-on user only: Enabled (Enterprise Client)

3.2.1.13 Devices: Restrict Floppy Access to Locally Logged-On User only: Not Defined

5.4.6.10 [A] Secure Removable Media: Devices: Restrict floppy access to locally logged-on user only: Enabled

restrict-floppy-access-local-users-only

Table 3.108 System ojects: Strengthen default permissions of internal system objects: Enabled (Legacy Client, Enterprise Client, and High Security)

3.2.1.62 System Objects: Strengthen default permissions of internal system objects: Enabled

5.4.6.76 [A] Global System Object Permission Strength: System Objects: Strengthen default permissions of internal system objects: Enabled

Table 3.69 Domain member: Require strong (W2K or later) session key: Disabled (default); Enabled (Legacy Client, Enterprise Client, and High Security)

3.2.1.23 Domain Member: Require Strong (Windows 2000 or later) Session Key: Not Defined

5.4.6.20 [AP] Strong Session Key (WIN2K/W2K3 Native Domains): Domain Member: Require Strong (Windows 2000 or later) Session Key: Enabled

Table 3.80 Microsoft network client: Send unencrypted password to third-party SMB servers: Disabled (Legacy Client, Enterprise Client, and High Security)

3.2.1.35 Microsoft Network Client: Send Unencrypted Password to Connect to Third-Party SMB Server: Disabled

5.4.6.29 [A] Unencrypted Passwords to 3rd party SMB Servers: Disabled

send-unencrypted-password-to-third-party-smb-servers

3.2.1.14 Devices: Unsigned driver installation behavior: "Warn, but allow . . . "

5.4.6.11 [AP] Unsigned Driver installation Behavior: Warn but allow installation

Table 3.75 Interactive logon: Prompt user to change password before expiration: 14 days (Legacy Client, Enterprise Client, and High Security)

3.2.1.29 Interactive Logon: Prompt User to Change Password Before Expiration: 14 days

5.4.6.24 [A] Password Expiration Warning: Interactive Logon: Prompt user to change password before expiration: 14 days

prompt-user-to-change-password-before-expiration

shutdown-system-unable-log-audits

….

…. …. ….

….

…. …. ….

….

….

Table 3.54 Audit: Shut down system immediately if unable to log security audits: Disabled (Legacy Client and Enterprise Client); Enabled (High Security)

3.2.1.8 Audit: Shut down system immediately if unable to log security alerts: Enabled (Specialized Security)

5.4.6.5 [AP] Halt on Audit Failure: Audit: Shut down system immediately if unable to log security audits: Enabled

Table 3.102 Shutdown: Allow system to be shut down without having to log on: Disabled (Legacy Client, Enterprise Client, and High Security)

3.2.1.56 Shutdown: Allow system to be shut down without having to log on: Disabled

Table 3.103 Shutdown: Clear virtual memory page file: Disabled (Legacy Client and Enterprise Client); Enabled (High Security)

3.2.1.57 Shutdown: Clear virtual memory pagefule: Not Defined

5.4.6.71 [AP] Clear System Page File During Shutdown: Shutdown: Clear virtual memory pagefile: Enabled

3.2.1.33 Microsoft Network Client: Digitally sign communications (always): Enabled (Specialized Security)

5.4.6.27 [A] SMB Client Packet Signing (Always): Microsoft Network Client: Digitally sign communications (always): Enabled

digitally-sign-communications-client-always

digitally-sign-communications-client-server-agrees

3.2.1.37 Microsoft Network Server: Digitally sign communications (always): Not Defined

5.4.6.31 [A] SMB Server Packet Signing (Always): Microsoft Network Server: Digitally sign communications (always): Enabled

digitally-sign-communications-server-always

Microsoft network server: Digitally sign communications (if client agrees): Disabled

5.4.6.32 Microsoft Network Server: digitally sign server communications (if client agrees): Enabled

digitally-sign-communications-server-client-agrees

number-of-previous-logons-to-cache

allow-format-eject-removable-media

smart-card-removal-behaviour

…. …. ….

…. …. ….

Table 3.74 Interactive logon: Number of previous logons to cache: 1 (Legacy Client); 0 (Enterprise Client and High Security)

3.2.1.28 Interactive Logon: Number of Previous Logons to Cache: Not Defined

5.4.6.23 Interactive Logon: Number of previous logons to cache (in case Domain Controller is unavailable): 0 logons or 1 logon

Table 3.56 Devices: Allowed to format and eject removable media: Administrators (Legacy Client, Enterprise Client, and High Security)

3.2.1.10 Devices: Allowed to format and eject removable media: Administrators

5.4.6.8 [A] Format and Eject Removable Media: Devices: Allowed to Format and Eject Removable Media: Administrators

Table 3.64 Domain member: Digitally encrypt or sign secure channel data: Enabled (High Security); disabled (Legacy Client and Enterprise Client)

3.2.1.18 Domain Member: Digitally Encrypt or Sign Secure Channel Data (Always): Not Defined

5.4.6.15 [A] Encrypting and Signing of Secure Channel Traffic: Domain Member: Digitally encrypt or sign secure channel data (always): Enabled

digitally-encrypt-or-sign-secure-channel-data-always

Table 3.65 Domain member: Digitally encrypt secure channel data (when possible): Enabled (Legacy Client, Enterprise Client, and High Security)

3.2.1.19 Domain Member: Digitally Encrypt Secure Channel Data (When Possible): Enabled

5.4.6.16 [A] Encryption of Secure Channel Traffic: Domain Member: Digitally encrypt secure channel data (when possible): Enabled

digitally-encrypt-secure-channel-data-when-possible

Table 3.66 Domain member: Digitally sign secure channel data (when possible): Enabled (Legacy Client, Enterprise Client, and High Security)

3.2.1.20 Domain Member: Digitally Sign Secure Channel Data (When Possible): Enabled

5.4.6.17 [A] Signing of Secure Channel Traffic: Domain Member: Digitally sign secure channel data (when possible): Enabled

digitally-sign-secure-channel-data-when-possible

Table 3.77 Interactive logon: Smart card removal behavior: Lock Workstation (Enterprise Client and High Security); Legacy Client is not defined

3.2.1.32 Interactive Logon: Smart Card Removale Behavior: Lock Workstation

5.4.6.26 [A] Smart Card Removal Option: interactive Logon: Smart card removal behavior: Lock Workstation or Force Logoff

disable-machine-account-password-changes

limit-blank-password-use

allow-undock-no-logon

Table 3.105 System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing: Disabled (Legacy Client, Enterprise Client, and High Security)

3.2.1.59 System Cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing: Not Defined

5.4.6.73 [A] FIPS compliant algorithms: System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing: Enabled

Table 3.106 System objects: Default owner for objects created by members of the Administrators group: Administrators group (default); Object creator (Legacy Client, Enterprise Client, and High Security)

3.2.1.60 System Objects: Default owner for objects created by members of the Administrators group: Object Creator

5.4.6.74 [A] Object Created by members of the Administrators Group: System ojects: Default owner for object created by members of the Administrators groups: Object creator

Table 3.107 System objects: Require case insensitivity for non-Windows subsystems: Enabled (Legacy Client, Enterprise Client, and High Security)

3.2.1.61 System objects: Require case insensitivity for non-Windows subsystems: Not Defined

5.4.6.75 [A] Case Insensitivity for Non-Windows Subsystems: System object: Require Case Insensitivity for non-Windows Subsystems: Enabled

Table 3.51 Accounts: Limit local account use of blank passwords to console logon only: Enabled (Legacy Client, Enterprise Client, and High Security)

3.2.1.3 Accounts: Limit local account use of blank passwords to console logon only: Enabled

5.4.6.2 [A] Limit Blank Passwords: Accounts: Limit local account use of blank passwords to console logon only: Enabled

Table 3.55 Devices: Allow undock without having to log on: Enabled (default); Disabled (Legacy Client, Enterprise Client, and High Security)

3.2.1.9 Devices: Allow undock without having to log on: Enabled (Specialized Security)

5.4.6.7 [A] Undock Without Loggon On: Devices: Allow Undock Without Having to Log On: Disabled

Table 3.62 Domain controller: LDAP server signing requirements: Not Defined (Legacy Client and Enterprise Client); Require signing (High Security)

3.2.1.16 Domain Controller: LDAP Server Signing Requirements: Require Signing (Specialized Security)

5.4.6.13 [A] LDA Signing Requirements (Domain Controller): Domain controller: LDAP Server signing requirements: Require signing

Table 3.97 Network security: LDAP client signing requirements: Negotiate signing (Legacy Client, Enterprise Client, and High Security)

3.2.1.51 Network Security: LDAP client signing requirements: Negotiate Signing or Require Signing

5.4.6.65 [A] LDAP Client Signing: Network security: LDAP client signing requirements: Negotiate signing

Table 3.63 Domain controller: Refuse machine account password changes: Not Defined (default); Disabled (Legacy Client, Enterprise Client, and High Security)

3.2.1.17 Domain Controller: Refuse machine account password changes: Disabled

5.4.6.14 [A] computer Account Password change Requests: Domain Controller: Refuse machine account password changes: Disabled

Table 3.68 Domain member: Maximum machine account password age: 30 days (Legacy Client, Enterprise Client, and High Security)

3.2.1.22 Domain Member: Maximum Machine Account Password Age: 30 days

5.4.6.19 [A] Maximum Machine Account Password Age: Domain Member: Maximum Machine Account Password Age: 30

maximum-machine-account-password-age

Table 3.76 Interactive logon: Require domain controller authentication to unlock workstation: Disabled (default); Enabled (Legacy Client, Enterprise Client, and High Security)

3.2.1.30 Interactive Logon: Require Domain Controller authentication to unlock workstation: Not Applicable

5.4.6.25 [A] Domain Controller Authentication to Unlock Workstation: Interactive logon: Require domain controller authentication to unlock workstation: Enabled

require-domain-controller-authentication-to-unlock

Table 3.84 Microsoft network server: Disconnect clients when logon hours expire: Enabled (Legacy Client, Enterprise Client, and High Security)

3.2.1.30 Microsoft Network Server: Disconnect clients when logon hours expire: Enabled

5.4.6.33 [A] forcibly disconnect when logon hours expire: Microsoft network Server: Disconnect clients when logon hours expire: Enabled

disconnect-client-when-logon-hours-expire

Table 3.87 Network access: Do not allow storage of credentials or .NET Passports for network authentications: Disabled (default); Enabled (Legacy Client, Enterprise Client, and High Security)

3.2.1.40 Network Access: Do not allow storage of credentials or .NET passports for network authentication: Enabled (Specialized Security)

5.4.6.54 [A] Storage of credentials or .NET passports: Network Access: Do not allow storage of credentials or .NET passports for network authentication: Enabled

do-not-allow-storage-credentials-net-passports-network-authn

named-pipes-accessed-anonymously

Table 3.88 Network access: Let Everyone permissions apply to anonymous users: Disabled (Legacy Client, Enterprise Client, and High Security)

3.2.1.41 Network Access: Let Everyone permissions apply to anonymous users: Disabled

5.4.6.55 [AP] Everyone Permissions Apply to Anonymous Users: Network Access: Let everyone permissions apply to anonymous users: Disabled

let-everyone-permissions-apply-to-anonymous-users

Table 3.89 Network access: Named Pipes that can be accessed anonymously: None (Legacy Client, Enterprise Client, and High Security)

3.2.1.42 Network Access: Named pipes that can be accessed anonymously: None

5.4.6.56 [MA] Anonymous Access to Named Pipes: Network Access: Named pipes that can be accessed anonymously: COMNAP, COMNODE, SQL\QUERY, SPOOLSS, EPMAPPER, LOCATOR, TrkWks, and TrkSvr

Table 3.90 Network access: Remotely accessible registry paths: System\currentControlSet\Control\Products Options; System\CurrentControlSet\Control\server Applications; Software\Microsoft\Windows NT\CurrentVersion (Legacy Client, Enterprise Client, and High Security)

3.2.1.43 Network Access: Remotely accessible registry paths: System\CurrentControlSet\Control\Product Options, System\CurrentControlSet\Control\Server Applications, Software\Microsoft\WindowsNT\CurrentVersion

5.4.6.57 [MA] Remotely Accessible Registry Paths: Network Access: Remotely accessible registry paths: System\currentControlSet\Control\ProductOptions, System\CurrentControlSet\Control\Server Applications, Software\Microsoft\Windows NT\CurrentVersion

Remotely-accessible-registry-paths, Remotely-accessible-registry-paths-and-sub-paths

Table 3.93 Network Access: Shares that can be accessed anonymously: None (Legacy Client, Enterprise Client, and High Security)

3.2.1.46 Network Access: Shares that can be accessed anonymously: None

5.4.6.60 [MA] Anonymous Access to Network Shares: Network Access: Shares that can be accessed anonymously: <should be blank>

Shares-that-can-be-accessed-anonymously -- NOTE: COMMENTED OUT

Table 3.94 Network Access: Sharing and security model for local accounts: Classic - local users authenticate as themselves (Legacy Client, Enterprise Client, and High Security)

3.2.1.47 Network Access: Sharing and security model for local accounts: Classic

5.4.6.61 [A] Sharing and Security Model for Local Accounts: Network Access: Sharing and security model for local accounts: "Classis - local users authenticate as themselves"

Sharing-and-security-model-for-local-accounts

…. …. ….

…. …. ….

Table 3.95 Network Security: Do not store LAN Manager hash value on next password change: Enabled (Legacy Client, Enterprise Client, and High Security)

3.2.1.48 Network Security:Do not store LAN Manager password hash value on next password change: Enabled (Specialized Security)

5.4.6.62 [AP] LAN Manager Hash Value: network security: Do not store LAN Manager hash value on next password change: Enabled

Do-not-store-LAN-Manager-hash-value-on-next-password-change

Table 2.14 Network Security: Force Logoff when logon hours expire: Disabled (default); Enabled (Legacy Client, Enterprise Client, and High Security)

3.2.1.49 Network Security: Force logoff when logon hours expire: Not Defined

5.4.6.63 [A] force Logoff when Logon Hours Expire: Enabled

Force-logoff-when-logon-hours-expire

Table 3.98 Network Security: Minimum session security for NTLM SSP based clients: No minimum (Legacy Client); Enabled all settings (Enterprise Client and High Security)

3.2.1.52 Network Security: Minimum session security for NTLM SSP based clients: Require Message Integrity, Message Confidentiality, NTLMv2 Session Security, 128-bit Encryption (Specialized Security)

5.4.6.66 [A] Minimum Session Security for NTLM SSP-based Clients: "Require NTLMv2 session security", "Require 128-bit encryption", "Require Message Integrity", and "Require Message Confidentiality"

Table 3.99 Network Security: Minimum session security for NTLM SSP based servers: No minimum (Legacy Client); Enabled all settings (Enterprise Client and High Security)

3.2.1.52 Network Security: Minimum session security for NTLM SSP based clients: Require Message Integrity, Message Confidentiality, NTLMv2 Session Security, 128-bit Encryption (Specialized Security)

5.4.6.67 [A] Minimum Session Security for NTLM SSP-based servers: "Require NTLMv2 session security", Require 128-bit encryption", Require Message Integrity", and "Require Message Confidentiality"

…. ….

…. screen-saver-grace-period

…. ….

…. ….

…. …. ….

…. ….

…. ….

…. ….

…. ….

5.5.1 [AP] Password Protected Screen Savers: Passwords are required

3.2.1.84 MSS: The time in seconds before the screen saver grace period expires: 0

7.5.1 Configuring Default User Screensaver Options: ScreenSaveTimeout: 900 Seconds (15 minutes)

7.5.1 Configuring Default User Screensaver Options: ScreenSaverIsSecure: 1

7.5.1 Configuring Default User Screensaver Options: ScreenSaveActive: 1





….

…. ….

…. ….

…. …. ….

….

…. …. ….

…. …. ….

….

…. ….





Table 3.251 Make screensaver password protection immediate: the time in seconds before the screen saver grace period expires: 0 (Legacy Client, Enterprise Client, and High Security)




8.3.3.1 Always Install with Elevated Privileges: (4.037: CAT II) Disabled

…. …. ….

…. ….

…. ….

…. ….

…. ….

…. ….

…. ….

…. ….

…. ….

8.3.3.3 Enable User Control Over Installs: (5.051: CAT II) Disabled

8.3.3.4 Enable User to Browse for Source While Elevated: (5.052: CAT II) Disabled

8.3.3.5 Enable User to Use Media Source While Elevated: (5.053: CAT II) Disabled

8.3.3.7 Allow Admin to Install from Terminal Services Session: (5.055: CAT II) Disabled

8.3.3.6 Enable User to Patch Elevated Products: (5.054: CAT II) Disabled

8.3.3.8 Cache Transforms in Secure Location on Workstation: (5.056: CAT II) Enabled

5.6.4.1 [A] Media Player - Disabling Media Player for Automatic Updates: Enabled

8.3.11 Media Player - Automatic Downloads: (5.061: CAT II) Prevent Codec Download is set to Enabled

…. ….

…. ….

…. ….

….

…. ….

…. ….

…. ….

…. ….

5.6.5.3 [A] Windows Messenger - internet Access Blocked: 1

Table 3.167 Messenger: Disabled (Legacy Client, Enterprise Client, and High Security)


8.3.4.1 Do Not Allow Windows Messenger to be Run: (5.017: CAT I) Enabled

8.3.4.2 Do Not Automatically Start Windows Messenger Intially: (5.029: CAT I) Enabled

7.6.15 Task Scheduler Service: (5.035: CAT III) Hide Property Page is Enabled

7.6.15 Task Scheduler Service: (5.036: CAT III) Prohibit New Task Creation is Enabled

8.3.2.2 Limit User to One Remote Session: (5.038: CAT II) Enabled

8.3.2.3 Limit Number of Connections: (5.039: CAT II) Enabled

8.3.2.4 Do Not Allow New Client Connections: (5.040: CAT II) Enabled

Allow-users-to-connect-remotely-using-Terminal-Services

5.6.3.3 [A] Terminal Services - Do Not Allow Local Administrators to Customize Permissions: Enabled

…. ….

…. ….

….

…. ….

…. ….

…. ….

…. ….

…. …..

…. ….

5.6.3.4 [A] Terminal Services - Remote Control Settings: "Set rules for remote control of Terminal Services user settings: Enabled

5.6.3.5 [A] Terminal Services - Always prompt client for password upon connections: Enabled

Always-prompt-client-for-password-upon-connection

Table 3.255 Set client connection encryption level: High (Legacy Client, Enterprise Client, and High Security)

5.6.3.6 [A] Terminal Services - Set Client Connection Encryption Level: Enabled

Set-client-connection-encryption-level

8.3.2.5 Do Not Use Temp Folders per Session: (5.044: CAT II) Disabled

8.3.2.6 Do Not Delete Temp Folder upon Exit: (5.045: CAT II) Disabled

5.6.3.10 [A] Terminal Services - Set time Limit for Disconnected Sessions: Enabled ("End a disconnected session" is set to "1")

8.3.2.7 Set Time Limit for Idle Sessions: (5.047: CAT II) Enabled and set to no more than 15 minutes

5.6.3.12 [A] Terminal Services - Allow Reconnection from Original Client Only: Enabled

8.3.2.8 Terminate Session When Time Limits are Reached: (5.049: CAT II) Enabled

…. ….

…. …. Solicited-Remote-Assistance

…. …. Offer-Remote-Assistance

….

…. ….

…. ….

…. ….

…. …. ….

…. ….

…. …. ….

8.3.2.1 Keep-Alive Messages: (5.037: CAT III) Enabled

5.6.8.1 [A] Remote Assistance - Solicited Remote Assistance: Disabled

5.6.8.2 [A] Remote Assistance - Offer Remote Assistance: Disabled

Table 3.257 Error Reporting: Disabled (Legacy Client, Enterprise Client, and High Security)

5.6.9.1 Report Errors: Disabled

5.4.3.1 [M] User Logon Restrictions: Enforce user logon restrictions: Enabled

5.4.3.2 [M] Service Ticket Lifetime: Maximum lifetime for service ticket: 600 minutes

5.4.3.3 [M] User Ticket Lifetime: Maximum lifetime for user ticket: 10 hours

5.4.3.5 [M] Computer Clock Synchronization: Maximum tolerance for computer clock synchronizations: 5 minutes

…. …. ….

…. …. ….

…. …. ….

…. …. ….

…. …. ….

…. …. ….

…. ….

…. ….

…. …. ….

…. …. ….

…. …. ….

Table 3.199 Removale Storage: Disabled (Legacy Client, Enterprise Client, and High Security)

…. ….

…. ….

…. …. Configure-Automatic-Updates

…. …. ….

…. …. ….

…. …. ….

…. …. ….

…. ….

…. …. ….

…. ….

…. ….

…. …. ….

Table 11.3 Automatic Updates: Disabled



Do-not-adjust-default-option-to-Install-Updates-and-Shut-Down

Do-not-display-Install-Updates-and-Shut-Down


No-auto-restart-for-scheduled-Automatic-Updates-installations


Reschedule-Automatic-Updates-scheduled-installations

2.2.2 Microsoft Software Updates Services: Specify intranet Microsoft update service location: enabled

…. …. ….

…. …. ….

…. …. ….

…. …. ….

MachineAccessRestrictions

MachineLaunchRestrictions

Require-Smart-Card

tcp-max-data-retransmissions

Restrict-anonymous-access-to-Named-Pipes-and-Shares

tcp-max-connect-response-retransmissions

ntfs-disable-8dot3-name-creation

RPC-Endpoint-Mapper-Client-Authentication

Restrictions-for-Unauthenticated-RPC-clients

Domain-Profile-Firewall-Protect-All-Network-Connections, Domain-Profile-Firewall-State

Domain-Profile-Firewall-Do-Not-Allow-Exceptions

Domain-Profile-Firewall-Allow-Local-Program-Exceptions

Domain-Profile-Firewall-Allow-Inbound-Remote-Administration-Exception

Domain-Profile-Firewall-Allow-Inbound-File-And-Printer-Sharing-Exception

Domain-Profile-Firewall-Allow-Inbound-Remote-Desktop-Exceptions

Domain-Profile-Firewall-Allow-Inbound-UPnP-Framework-Exceptions

Domain-Profile-Firewall-Prohibit-Notifications, Domain-Profile-Display-Notification

Domain-Profile-Firewall-Prohibit-Unicast-Response, Domain-Profile-Allow-Unicast-Response

Domain-Profile-Firewall-Define-Inbound-Port-Exceptions

Domain-Profile-Firewall-Allow-Local-Port-Exceptions

Standard-Profile-Firewall-Protect-All-Network-Connections

Standard-Profile-Firewall-Do-Not-Allow-Exceptions

Standard-Profile-Firewall-Define-Inbound-Program-Exceptions

Standard-Profile-Firewall-Allow-Inbound-Remote-Administration-Exception

Standard-Profile-Firewall-Allow-Inbound-File-And-Printer-Sharing-Exception,Standard-Profile-Firewall-Allow-Inbound-File-And-Printer-Sharing-Exceptions

Standard-Profile-Firewall-Allow-Inbound-Remote-Desktop-Exceptions

Standard-Profile-Firewall-Allow-Inbound-UPnP-Framework-Exceptions

Standard-Profile-Firewall-Prohibit-Notifications

Standard-Profile-Firewall-Prohibit-Unicast-Response

Standard-Profile-Firewall-Define-Inbound-Port-Exceptions

Standard-Profile-Firewall-Allow-Local-Port-Exceptions

3.2.1.78 MSS: TCPMaxPortsExhausted, How many dropped connect requests to initiate SYN attack protection: 5

Private-Profile-Firewall-State

Domain-Profile-Inbound-Connections

Domain-Profile-Outbound-Connections

Domain-Profile-Apply-Local-Firewall-Rules

Domain-Profile-Apply-Local-Connection-Security-Rules

Private-Profile-Inbound-Connections

Private-Profile-Outbound-Connections

Public-Profile-Firewall-State

Private-Profile-Display-Notification

Private-Profile-Allow-Unicast-Response

Private-Profile-Apply-Local-Firewall-Rules

Private-Profile-Apply-Local-Connection-Security-Rules

Public-Profile-Inbound-Connections

Public-Profile-Outbound-Connections

Public-Profile-Display-Notification

Do-Not-Process-Legacy-Run-List

Do-Not-Process-Run-Once-List

Registry-Policy-Processing

Public-Profile-Allow-Unicast-Response

Public-Profile-Apply-Local-Firewall-Rules

Public-Profile-Apply-Local-Connection-Security-Rules

Turn-off-Internet-download-for-Web-publishing-and-online-ordering-wizards

Turn-off-printing-over-HTTP

Do-not-allow-drive-redirection

Turn-off-the-Windows-Messenger-Customer-Experience-Improvement-Program

Turn-off-Search-Companion-content-file-updates

Turn-off-downloading-of-print-drivers-over-HTTP

Turn-off-Windows-Update-device-driver-searching

Enumerate-administrator-accounts-on-elevation

Require-trusted-path-for-credential-entry

Deny-all-add-ons-unless-specifically-allowed-in-the-Add-on-List

Do-not-allow-passwords-to-be-saved

override-audit-policy-settings

Log-Access-For-Setup-Log

Windows-Search

Prompt-for-password-on-resume-from-hibernate-suspend

Do-not-preserve-zone-information-in-file-attachments

Hide-mechanisms-to-remove-zone-information

Notify-antivirus-programs-when-opening-attachments

Turn-Off-Microsoft-Peer-to-Peer-Networking-Services

Prohibit-Access-of-the-Windows-Connect-Now-Wizards

Allow-remote-access-to-the-PnP-interface

Do-not-create-system-restore-point-when-new-device-driver-installed

Do-not-send-Windows-Error-Report-when-generic-driver-is-installed-on-device

Turn-Off-Access-to-All-Windows-Update-Feature

Turn-Off-Automatic-Root-Certificates-Update

Turn-Off-Event-Views-Events.asp-Links

Turn-Off-Handwriting-Reconition-Error-Reporting

Turn-Off-Help-and-Support-Center-Did-you-Know-Content

Turn-Off-Help-and-Support-Center-Microsoft-Knowledge-Base-Search

Turn-Off-Internet-Connection-Wizard-if-URL-Connection-is-Referring-to-Microsoft.com

Turn-Off-Internet-File-Association-Service

Turn-Off-Registration-if-URL-Connection-is-Referring-to-Microsoft.com

Turn-Off-the-Order-Prints-Picture-Task

Turn-off-the-Publish-to-Web-task-for-files-and-folders

Turn-Off-Windows-Movies-Maker-Automatic-Codec-Downloads

Turn-Off-Windows-Movie-Maker-Online-Web-Links

Turn-Off-Windows-Movie-Maker-Saving-to-Online-Video-Hosting-Provider

Do-Not-Display-the-Getting-Started-Welcome-Screen-at-Logon

Turn-off-Windows-Startup-Sound

Require-a-Password-when-a-Computer-Wakes-On-Battery

Require-a-Password-when-a-Computer-Wakes-Plugged

Turn-on-session-logging

Prevent-IIS-Installation

Turn-Off-Active-Help

Turn-Off-Untrusted-Content

Turn-off-Windows-Calendar

Turn-off-Windows-Defender

Allow-only-Vista-or-later-connections

Customization-Warning-Messages

Turn-on-bandwidth-optimization

Turn-off-downloading-enclosures

Allow-indexing-of-encrypted-files

Prevent-indexing-uncached-Exchange-folders

Allow-Corporate-Redirection-Customer-Experience-Improvement-Program-Uploads

Turn-off-windows-mail-app

Override-more-gadgets-Lnk

Turn-off-heap-termination-corruption

Turn-off-shell-protocol-protected-mode

Prohibit-Non-Administrators-applying-vendorpatches

Report-logon-server-not-available-during-user-logon

Turn-off-communication-features

Prevent-Windows-Media-DRM-Internet-Access

Turn-off-windows-meeting-space

Turn-on-windows-meeting-space-auditing

Disable-unpacking-installation-gadgets-not-digitally-signed

ipv6_block_protocols_41

ipv6_block_udp_3544

Turn-off-user-installed-windows-sidebar-gidgets

do_not_allow_digital_locker_to_run_var

turn_off_downloading_of_game_information

…. ….

8.3.1.1 Security Zones: Use Only Machine Settings: (5.028: CAT II) Enabled

Security-Zones-Use-only-machine-settings

Internet-Explorer-Processes-Restrict-ActiveX-Install

…. ….

…. ….

8.3.1.3 Security Zones: Do Not Allow Users to Add/Delete Sites: (5.030: CAT II) Enabled

Security-Zones-Do-not-allow-users-to-add-delete-sites

8.3.1.6 Disable Peridoic Check for Internet Explorer Software Updates: (5.033: CAT II) Enabled

Disable-Periodic-Check-for-Internet-Explorer-software-updates

Internet-Explorer-Processes-Zone-Elevation-Protection

….

Internet-Explorer-Processes-Consistent-MIME-Handling

Allow-software-to-run-or-install-even-if-the-signature-is-invalid

Internet-Explorer-Processes-MK-Protocol

…. ….

…. ….

…. …. Make-proxy-settings-per-machine

8.3.1.7 Disable Software Update Shell Notificiations on Program Launch: (5.034: CAT II) Disabled

Disable-software-update-shell-notifications-on-program-launch

Internet-Explorer-Processes-Restrict-File-Download

8.3.1.5 Disable Automatic Install of Internet Explorer Components: (5.032: CAT II) Enabled

Disable-Automatic-Install-of-Internet-Explorer-components

8.3.1.4 Make Proxy Settings Per Machine: (5.031: CAT II) Enabled

Turn-off-Crash-Detection

…. ….

Do-not-allow-users-to-enable-or-disable-add-ons

Internet-Explorer-Processes-Scripted-Window-Security-Restrictions

8.3.1.2 Security Zones: Do Not Allow Users to Change Policies: (5.029: CAT II) Enabled

Security-Zones-Do-not-allow-users-to-change-policies

Internet-Explorer-Processes-MIME-Sniffing

Remove-CD-Burning-features

Remove-Security-tab

Internet-Explorer-Maintenance-Policy-Processing-Enabled



Turn-on-Mapper-IO-LLTDIO-driver



Turn-on-Responder-RSPNDR-driver



Configuration-of-Wireless-Settings-Using-Windows-Connect-Now


Disable-Logging

Do-Not-Send-Additional-Data

Turn-off-Help-Ratings

Turn-off-Windows-Online


Approved-Installation-Sites-for-ActiveX-Controls

Disable-Windows-Error-Reporting

Configure-Corporate-Windows-Error-Reporting

Remove-Default-Programs-Link-from-the-Start-Menu

Turn-off-Help-Experience-Improvement-Program

Prevent-users-from-sharing-files-within-their-profile

NIST SCAP Windows Vista OVAL (SCAP-WinVista-

OVAL.xml rev 2007-02-06)NIST Office 2007

Recommendations placeholder

oval:com.secure-elements.oval:def:6009













































oval:com.secure-elements.oval:def:6574, oval:com.secure-elements.oval:def:6060












































oval:com.secure-elements.oval:def:6075oval:com.secure-elements.oval:def:6076





































oval:com.secure-elements.oval:def:6548,oval:com.secure-elements.oval:def:6553































































































oval:gov.nist.fdcc.vista:def:6698

oval:gov.nist.fdcc.vista:def:6703

placeholder

placeholder


oval:gov.nist.fdcc.vistafirewall:def:6491

oval:gov.nist.fdcc.vistafirewall:def:6492

placeholder

placeholder

placeholder

placeholder

placeholder

placeholder

placeholder

placeholder

placeholder

placeholder

placeholder

placeholder

placeholder

placeholder

placeholder

placeholder

placeholder

placeholder

placeholder

placeholder

placeholder

placeholder

placeholder

placeholder

placeholder

placeholder

placeholder

placeholder

placeholder

placeholder

placeholder

placeholder

placeholder

placeholder

placeholder

placeholder

placeholder

placeholder

placeholder

placeholder

placeholder

placeholder

placeholder

placeholder

placeholder

placeholder










































Microsoft Office 2007 Recommendations (Security

Settings for Office 2007 Applications.xlsx)

NIST SCAP Microsoft Office 2007 OVAL (SCAP-Office2007-OVAL-Beta-

v1.xml)

NIST SCAP Microsoft Office

2007 XCCDF (SCAP-Office2007-

XCCDF-Beta-v1.xml )

oval:org.mitre.oval:def:771


User Configuration\Administrative Templates\Microsoft Office 2007 system\Security Settings\Disable VBA for Office applications, Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\Disable VBA for Office applications

DisableVBAForOfficeApplications

User Configuration\Administrative Templates\Microsoft Office 2007 system\Security Settings\ActiveX Control Initialization (1 | 2 | 3 | 4 | 5 | 6)

ActiveXControlInitialization



oval:org.mitre.oval:def:1302 OnlineContentOptions



User Configuration\Administrative Templates\Microsoft Office 2007 system\Privacy\Trust Center\Enable Customer Experience Improvement Program

EnableCustomerExperienceImprovementProgram

User Configuration\Administrative Templates\Microsoft Office 2007 system\Privacy\Trust Center\Automatically receive small updates to improve reliability

AutomaticallyReceiveSmallUpdatesToImproveReliability

User Configuration\Administrative Templates\Microsoft Office 2007 system\Tools | Options | General | Service Options...\Online Content\Online content options (Never show online content or entry points | Search only offline content whenever available | Search online content whenever available)

User Configuration\Administrative Templates\Microsoft Office Access 2007\Application Settings\Security\Trust Center\VBA Macro Warning Settings (Trust Bar warning for all macros | Trust Bar warning for digitally signed macros only (unsigned macros will be disabled) | No Warnings for all macros but disable all macros | No Security checks for macros (Not recommended, code in all documents can run))

VBAMacroWarningSettings-Access

User Configuration\Administrative Templates\Microsoft Office Excel 2007\Excel Options\Security\Trust Center\VBA Macro Warning Settings (Trust Bar warning for all macros | Trust Bar warning for digitally signed macros only (unsigned macros will be disabled) | No Warnings for all macros but disable all macros | No Security checks for macros (Not recommended, code in all documents can run))

VBAMacroWarningSettings-Excel






User Configuration\Administrative Templates\Microsoft Office Excel 2007\Excel Options\Security\Trust Center\Trust access to Visual Basic Project

TrustAccessToVisualBasicProject-Excel

User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\PowerPoint Options\Security\Trust Center\VBA Macro Warning Settings (Trust Bar warning for all macros | Trust Bar warning for digitally signed macros only (unsigned macros will be disabled) | No Warnings for all macros but disable all macros | No Security checks for macros (Not recommended, code in all documents can run))

VBAMacroWarningSettings-PowerPoint

User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\PowerPoint Options\Security\Trust Center\Trust access to Visual Basic Project TrustAccessToVisualBasi

cProject-PowerPoint

DisableRememberPassword

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Security Form Settings\Programmatic Security\Trusted Add-insConfigure trusted add-ins

ConfigureAddInTrustLevel







DisableRememberPasswordForInternetEmailAccounts

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\Minimum encryption settings

MinimumEncryptionSettings

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\Do not check e-mail address against address of certificates being used DoNotCheckEmailAddres

sAgainstAddressOfCertificatesBeingUsed

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\Send all signed messages as clear signed messages

SendAllSignedMessagesAsClearSignedMessages

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\Request an S/MIME receipt for all S/MIME signed messages RequestAnSMIMEReceip

tForAllSMIMESignedMessages

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\Do not display 'Publish to GAL' button

DoNotDisplayPublishToGALButton

oval:org.mitre.oval:def:756 SignatureWarning

oval:org.mitre.oval:def:1716 EnableCryptographyIcons

oval:org.mitre.oval:def:1700 RetrievingCRLs


User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\Signature Warning (Let user decide if they want to be warned | Always warn about invalid signatures | Never warn about invalid signatures)

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\Enable Cryptography Icons

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\Signature Status dialog box\Retrieving CRLs (Certificate Revocation Lists) (Use system Default | When online always retreive the CRL | Never retreive the CRL)

User Configuration\Administrative Templates\Microsoft Office Word 2007\Word Options\Security\Trust Center\VBA Macro Warning Settings (Trust Bar warning for all macros | Trust Bar warning for digitally signed macros only (unsigned macros will be disabled) | No Warnings for all macros but disable all macros | No )

VBMacroWarningSettings-Word




User Configuration\Administrative Templates\Microsoft Office Word 2007\Word Options\Security\Trust Center\Trust access to Visual Basic Project

TrustAccessToVisualBasicProject-Word

WarnBeforePrintingSavingOrSendingAFileThatContainsTrackedChangesOrComments

User Configuration\Administrative Templates\Microsoft Office 2007 system\Miscellaneous\Block updates from the Office Update Site from applying

BlockUpdatesFromTheOfficeUpdateSiteFromApplying

User Configuration\Administrative Templates\Microsoft Office Access 2007\Application Settings\Web Options\General\Underline hyperlinks

User Configuration\Administrative Templates\Microsoft Office Access 2007\Application Settings\General\General\Number of documents in the Recent Documents list (0-9)

User Configuration\Administrative Templates\Microsoft Office Access 2007\Application Settings\Security\Trust Center\Disable Trust Bar Notification for unsigned application add-ins

User Configuration\Administrative Templates\Microsoft Office Access 2007\Application Settings\Security\Trust Center\Disable all application add-ins

User Configuration\Administrative Templates\Microsoft Office Access 2007\Application Settings\Security\Trust Center\Require that application add-ins are signed by Trusted Publisher

User Configuration\Administrative Templates\Microsoft Office Access 2007\Application Settings\Security\Trust Center\Trusted Locations\Disable all trusted locations

User Configuration\Administrative Templates\Microsoft Office Access 2007\Application Settings\Security\Trust Center\Trusted Locations\Allow Trusted Locations not on the computer

User Configuration\Administrative Templates\Microsoft Office Access 2007\Application Settings\Security\Trust Center\Trusted Locations\Modal Trust Decision Only

User Configuration\Administrative Templates\Microsoft Office Access 2007\Disable items in user interface\Predefined\Disable commands

User Configuration\Administrative Templates\Microsoft Office Access 2007\Disable items in user interface\Predefined\Disable commands - Office Button | E-Mail

User Configuration\Administrative Templates\Microsoft Office Access 2007\Disable items in user interface\Predefined\Disable commands - Office Button | Access Options | Customize | All Commands | Insert Hyperlink

User Configuration\Administrative Templates\Microsoft Office Access 2007\Disable items in user interface\Predefined\Disable commands - Database Tools | Database Tools | Encrypt with Password

User Configuration\Administrative Templates\Microsoft Office Access 2007\Disable items in user interface\Predefined\Disable commands - Database Tools | Administer | Users and Permission | User and Group Permissions

User Configuration\Administrative Templates\Microsoft Office Access 2007\Disable items in user interface\Predefined\Disable commands - Database Tools | Administer | Users and Permissions | User and Group Accounts

User Configuration\Administrative Templates\Microsoft Office Access 2007\Disable items in user interface\Predefined\Disable commands - Database Tools | Administer | Users and Permission | User-Level Security Wizard...

User Configuration\Administrative Templates\Microsoft Office Access 2007\Disable items in user interface\Predefined\Disable commands - Database Tools | Database Tools | Encode/Decode Database

User Configuration\Administrative Templates\Microsoft Office Access 2007\Disable items in user interface\Predefined\Disable commands - Database Tools | Macro | Visual Basic

User Configuration\Administrative Templates\Microsoft Office Access 2007\Disable items in user interface\Predefined\Disable commands - Database Tools | Macro | Run Macro

User Configuration\Administrative Templates\Microsoft Office Access 2007\Disable items in user interface\Predefined\Database Tools | Macro | Convert Macros to Visual Basic

User Configuration\Administrative Templates\Microsoft Office Access 2007\Disable items in user interface\Predefined\Database Tools | Macro | Create Shortcut Menu from Macro

User Configuration\Administrative Templates\Microsoft Office Access 2007\Disable items in user interface\Predefined\Disable shortcut keys

User Configuration\Administrative Templates\Microsoft Office Access 2007\Disable items in user interface\Predefined\Disable commands - Ctrl+K (Office Button | Access Options | Customize | All Commands | Insert Hyperlinks)

User Configuration\Administrative Templates\Microsoft Office Access 2007\Disable items in user interface\Predefined\Disable commands - Alt+F11 (Database Tools | Macro | Visual Basic)

User Configuration\Administrative Templates\Microsoft Office Access 2007\Miscellaneous\Default file format (Access 2007 | Access 2002-2003)

User Configuration\Administrative Templates\Microsoft Office Access 2007\Miscellaneous\Do not prompt to convert older databases

User Configuration\Administrative Templates\Microsoft Office Excel 2007\Excel Options\Proofing\Autocorrect Options\Internet and network paths as hyperlinks

User Configuration\Administrative Templates\Microsoft Office Excel 2007\Excel Options\Save\Save Excel files as (Excel Workbook (*.xlsx) | Excel Macro-Enabled Workbook (*.xlsm) | Excel Binary Workbook (*.xlsb) | Web Page (*.htm; *.html) | Excel 97-2003 Workbook (*.xls) | Excel 5.0/95 Workbook (*.xls))

User Configuration\Administrative Templates\Microsoft Office Excel 2007\Excel Options\Save\Disable AutoRepublish

User Configuration\Administrative Templates\Microsoft Office Excel 2007\Excel Options\Save\AutoRepublish Warning Alert (Always show the alert before publishing | Never show the alert before publishing)

User Configuration\Administrative Templates\Microsoft Office Excel 2007\Excel Options\Security\Determine whether to force encrypted macros to be scanned in Microsoft Excel Open XML workbooks

User Configuration\Administrative Templates\Microsoft Office Excel 2007\Excel Options\Security\Force file extension to match file type (Allow different | Allow different, but warn | Always match file type)

User Configuration\Administrative Templates\Microsoft Office Excel 2007\Excel Options\Security\Trust Center\Store macro in Personal Macro Workbook by default

User Configuration\Administrative Templates\Microsoft Office Excel 2007\Excel Options\Security\Trust Center\Disable all application add-ins

User Configuration\Administrative Templates\Microsoft Office Excel 2007\Excel Options\Security\Trust Center\Require that application add-ins are signed by Trusted Publisher

User Configuration\Administrative Templates\Microsoft Office Excel 2007\Excel Options\Security\Trust Center\Disable Trust Bar Notification for unsigned application add-ins

User Configuration\Administrative Templates\Microsoft Office Excel 2007\Excel Options\Security\Trust Center\Trusted LocationsAllow Trusted Locations not on the computer

User Configuration\Administrative Templates\Microsoft Office Excel 2007\Excel Options\Security\Trust Center\Trusted LocationsDisable all trusted locations

User Configuration\Administrative Templates\Microsoft Office Excel 2007\Excel Options\Advanced\Ignore other applications

User Configuration\Administrative Templates\Microsoft Office Excel 2007\Excel Options\Advanced\Ask to update automatic links

User Configuration\Administrative Templates\Microsoft Office Excel 2007\Excel Options\Advanced\Number of documents in the Recent Documents list (0-17)

User Configuration\Administrative Templates\Microsoft Office Excel 2007\Excel Options\Advanced\Web Options…\GeneralSave any additional data necessary to maintain formulas

User Configuration\Administrative Templates\Microsoft Office Excel 2007\Excel Options\Advanced\Web Options…\GeneralLoad pictures from Web pages not created in Excel

User Configuration\Administrative Templates\Microsoft Office Excel 2007\Data Recovery\Do not show data extraction options when opening corrupt workbooks

User Configuration\Administrative Templates\Microsoft Office Excel 2007\Data Recovery\Assume structured storage format of workbook is intact when recovering data

User Configuration\Administrative Templates\Microsoft Office Excel 2007\Data Recovery\Corrupt formula conversion (Convert unrecoverable references to: values | #REF or #NAME)

User Configuration\Administrative Templates\Microsoft Office Excel 2007\Data Access Security\Connection File Locations

User Configuration\Administrative Templates\Microsoft Office Excel 2007\Data Access Security\Automatic Query Refresh (Prompt for all workbooks | Do not prompt; do not allow auto refresh | Do not prompt; allow auto refresh)

User Configuration\Administrative Templates\Microsoft Office Excel 2007\Disable items in user interface\Predefined\Disable commands

User Configuration\Administrative Templates\Microsoft Office Excel 2007\Disable items in user interface\Predefined\Disable commands - Office Button | Excel Options | Customize | All Commands | Save as Web Page

User Configuration\Administrative Templates\Microsoft Office Excel 2007\Disable items in user interface\Predefined\Disable commands - Office Button | Excel Options | Customize | All Commands | Web Page Preview

User Configuration\Administrative Templates\Microsoft Office Excel 2007\Disable items in user interface\Predefined\Disable commands - Office Button | Send | Email

User Configuration\Administrative Templates\Microsoft Office Excel 2007\Disable items in user interface\Predefined\Disable commands - Insert | Links | Hyperlink

User Configuration\Administrative Templates\Microsoft Office Excel 2007\Disable items in user interface\Predefined\Disable commands - Review | Changes | Protect Sheet

User Configuration\Administrative Templates\Microsoft Office Excel 2007\Disable items in user interface\Predefined\Disable commands - Review | Changes | Protect Workbook

User Configuration\Administrative Templates\Microsoft Office Excel 2007\Disable items in user interface\Predefined\Disable commands - Review | Changes | Protect and Share Workbook

User Configuration\Administrative Templates\Microsoft Office Excel 2007\Disable items in user interface\Predefined\Disable commands - View | Macros | Macros

User Configuration\Administrative Templates\Microsoft Office Excel 2007\Disable items in user interface\Predefined\Disable commands - Developer | Code | Macros

User Configuration\Administrative Templates\Microsoft Office Excel 2007\Disable items in user interface\Predefined\Disable commands - Developer | Code | Record Macro

User Configuration\Administrative Templates\Microsoft Office Excel 2007\Disable items in user interface\Predefined\Disable commands - Developer | Code | Macro Security

User Configuration\Administrative Templates\Microsoft Office Excel 2007\Disable items in user interface\Predefined\Disable commands - Developer | Code | Visual Basic

User Configuration\Administrative Templates\Microsoft Office Excel 2007\Disable items in user interface\Predefined\Disable commands - Office Button | Excel Options | Customize | All Commands | Document Location

User Configuration\Administrative Templates\Microsoft Office Excel 2007\Disable items in user interface\Predefined\Disable shortcut keys

User Configuration\Administrative Templates\Microsoft Office Excel 2007\Disable items in user interface\Predefined\Disable shortcut keys - Ctrl+K (Insert | Links | Hyperlink)

User Configuration\Administrative Templates\Microsoft Office Excel 2007\Disable items in user interface\Predefined\Disable shortcut keys - Alt+F8 (Developer | Code | Macros)

User Configuration\Administrative Templates\Microsoft Office Excel 2007\Disable items in user interface\Predefined\Disable shortcut keys - Alt+F11 (Developer | Code | Visual Basic)

User Configuration\Administrative Templates\Microsoft Office Excel 2007\Block file formats\Open\Block opening of pre-release versions of file formats new to Excel 2007

User Configuration\Administrative Templates\Microsoft Office Excel 2007\Block file formats\Open\Block opening of Open XML file types

User Configuration\Administrative Templates\Microsoft Office Excel 2007\Block file formats\Open\Block opening of Binary 12 file types

User Configuration\Administrative Templates\Microsoft Office Excel 2007\Block file formats\Open\Block opening of Binary file types

User Configuration\Administrative Templates\Microsoft Office Excel 2007\Block file formats\Open\Block opening of Html and Xmlss files types

User Configuration\Administrative Templates\Microsoft Office Excel 2007\Block file formats\Open\Block opening of Xml file types

User Configuration\Administrative Templates\Microsoft Office Excel 2007\Block file formats\Open\Block opening of DIF and SYLK file types

User Configuration\Administrative Templates\Microsoft Office Excel 2007\Block file formats\Open\Block opening of Text file types

User Configuration\Administrative Templates\Microsoft Office Excel 2007\Block file formats\Open\Block opening of Xll file type

User Configuration\Administrative Templates\Microsoft Office Excel 2007\Block file formats\Save\Block saving of Open Xml file types

User Configuration\Administrative Templates\Microsoft Office Excel 2007\Block file formats\Save\Block saving of Binary12 file types

User Configuration\Administrative Templates\Microsoft Office Excel 2007\Block file formats\Save\Block saving of Binary file types

User Configuration\Administrative Templates\Microsoft Office Excel 2007\Block file formats\Save\Block saving of Html and Xmlss file types

User Configuration\Administrative Templates\Microsoft Office Excel 2007\Block file formats\Save\Block saving Xml file types

User Configuration\Administrative Templates\Microsoft Office Excel 2007\Block file formats\Save\Block saving DIF and SYLK file types

User Configuration\Administrative Templates\Microsoft Office Excel 2007\Block file formats\Save\Block saving of Text file types

User Configuration\Administrative Templates\Microsoft Office Excel 2007\Miscellaneous\Locally cache network file storages

User Configuration\Administrative Templates\Microsoft Office Excel 2007\Miscellaneous\Locally cache PivotTable reports

User Configuration\Administrative Templates\Microsoft Office Excel 2007\Miscellaneous\OLAP PivotTable User Defined Function (UDF) security setting (Allow ALL UDFs | Allow safe UDFs only | Allow NO UDFs)

User Configuration\Administrative Templates\Microsoft Office Excel 2007\Miscellaneous\Recognize SmartTags

User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Tools | Options\General\Number of documents in the Recent Documents list (0 - 9)

User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Tools | Options\Advanced\Offline\Offline Mode status (Disabled | Enabled, InfoPath in Offline Mode | Enabled, InfoPath not in Offline Mode)

User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Predefined\Disable commands

User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Predefined\Disable commands - File | Print

User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Predefined\Disable commands - File | Send to Mail Recipient

User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Predefined\Disable commands - File | Open from SharePoint Site

User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Predefined\Disable commands - File | Print Preview

User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Predefined\Disable commands - File | Page Setup

User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Predefined\Disable commands - Insert | Hyperlinks...

User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Predefined\Disable commands - Tools | Set Language

User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Predefined\Disable commands - Tools | Customize...

User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Predefined\Disable commands - Tools | Options...

User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Predefined\Disable commands - Help | Microsoft Office Online

User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Predefined\Disable commands - Office Diagnostics

User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Predefined\Disable commands - Help | Activate Product...

User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Predefined\Disable commands - Print Default

User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Predefined\Disable shortcut keys

User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Predefined\Disable shortcut keys - Print Shortcut (Ctrl+P)

User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Predefined\Disable shortcut keys - Insert Hyperlink Shortcut (Ctrl+K)

User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Security\Control behavior for Windows SharePoint Services gradual upgrade (Allow redirections to any location | Allow redirections to Intranet only | Block all redirections)

User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Security\Disable opening of solutions from the Internet security zone

User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Security\Disable fully trusted solutions full access to computer

User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Security\Allow the use of ActiveX Custom Controls in InfoPath forms

User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Security\Run forms in restricted mode if they do not specify a publish location and use only features introduced before InfoPath 2003 SP1

User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Security\Allow file types as attachments to forms

User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Security\Block specific file types as attachments to forms

User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Security\Prevent users from allowing unsafe file types to be attached to forms

User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Security\Display a warning that a form is digitally signed

User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Security\Control behavior when opening forms in the Internet security zone (Block | Prompt | Allow)

User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Security\Control behavior when opening forms in the Intranet security zone (Block | Prompt | Allow)

User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Security\Control behavior when opening forms in the Local Machine security zone (Block | Prompt | Allow)

User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Security\Control behavior when opening forms in the Trusted Site security zone (Block | Prompt | Allow)

User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Security\Beaconing UI for forms opened in InfoPath (Never show beaconing UI | Always show beaconing UI | Show UI if Form Template is from Internet Zone)

User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Security\Beaconing UI for forms opened in InfoPath Editor ActiveX (Never show beaconing UI | Always show beaconing UI | Show UI if Form Template is from Internet Zone)

User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Security\Trust Center\Disable all application add-ins

User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Security\Trust Center\Require that application add-ins are signed by Trusted Publisher

User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Security\Trust Center\Disable Trust Bar Notification for unsigned application add-ins

User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Control behavior when opening InfoPath e-mail forms containing code or script (Run without prompting | Prompt before running | Never run)

User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Disable sending form template with e-mail forms

User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Disable dynamic caching of the form template in InfoPath e-mail forms

User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Disable sending InfoPath 2003 Forms as e-mail forms

User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Disable e-mail forms running in restricted security level

User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Disable e-mail forms from the Internet security zone

User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Disable e-mail forms from the Intranet security zone

User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Disable e-mail forms from the Full Trust security zone

User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Disable InfoPath e-mail forms in Outlook

User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Restricted Features\Information Rights Management

User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Restricted Features\Custom code

User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Miscellaneous\Email Forms Beaconing UI (Never show UI | Always show UI | Show UI if XSN is in Internet Zone)

User Configuration\Administrative Templates\Microsoft Office 2007 system\Global Options\Customize\Disable user customization of Quick Access Toolbar via UI

User Configuration\Administrative Templates\Microsoft Office 2007 system\Global Options\Customize\Disable user customization of Quick Access Toolbar via UI - Disallow in Word

User Configuration\Administrative Templates\Microsoft Office 2007 system\Global Options\Customize\Disable user customization of Quick Access Toolbar via UI - Disallow in Excel

User Configuration\Administrative Templates\Microsoft Office 2007 system\Global Options\Customize\Disable user customization of Quick Access Toolbar via UI - Disallow in PowerPoint

User Configuration\Administrative Templates\Microsoft Office 2007 system\Global Options\Customize\Disable user customization of Quick Access Toolbar via UI - Disallow in Access

User Configuration\Administrative Templates\Microsoft Office 2007 system\Global Options\Customize\Disable user customization of Quick Access Toolbar via UI - Disallow in Outlook

User Configuration\Administrative Templates\Microsoft Office 2007 system\Global Options\Customize\Disable all user customization of Quick Access Toolbar

User Configuration\Administrative Templates\Microsoft Office 2007 system\Global Options\Customize\Disable all user customization of Quick Access Toolbar - Disallow in Word

User Configuration\Administrative Templates\Microsoft Office 2007 system\Global Options\Customize\Disable all user customization of Quick Access Toolbar - Disallow in Excel

User Configuration\Administrative Templates\Microsoft Office 2007 system\Global Options\Customize\Disable all user customization of Quick Access Toolbar - Disallow in PowerPoint

User Configuration\Administrative Templates\Microsoft Office 2007 system\Global Options\Customize\Disable all user customization of Quick Access Toolbar - Disallow in Access

User Configuration\Administrative Templates\Microsoft Office 2007 system\Global Options\Customize\Disable all user customization of Quick Access Toolbar - Disallow in Outlook

User Configuration\Administrative Templates\Microsoft Office 2007 system\Global Options\Customize\Disable UI extending from documents and templates

User Configuration\Administrative Templates\Microsoft Office 2007 system\Global Options\Customize\Disable UI extending from documents and templates - Disallow in Word

User Configuration\Administrative Templates\Microsoft Office 2007 system\Global Options\Customize\Disable UI extending from documents and templates - Disallow in Excel

User Configuration\Administrative Templates\Microsoft Office 2007 system\Global Options\Customize\Disable UI extending from documents and templates - Disallow in PowerPoint

User Configuration\Administrative Templates\Microsoft Office 2007 system\Global Options\Customize\Disable UI extending from documents and templates - Disallow in Access

User Configuration\Administrative Templates\Microsoft Office 2007 system\Global Options\Customize\Disable UI extending from documents and templates - Disallow in Outlook

User Configuration\Administrative Templates\Microsoft Office 2007 system\Tools | AutoCorrect Options... (Excel, Word, PowerPoint and Access)\Recognize smart tags in Excel

User Configuration\Administrative Templates\Microsoft Office 2007 system\Tools | Options | General | Web Options...\Disable Clip Art and Media downloads from the client and from Office Online website

User Configuration\Administrative Templates\Microsoft Office 2007 system\Tools | Options | General | Web Options...\Disable template downloads from the client and from Office Online website

User Configuration\Administrative Templates\Microsoft Office 2007 system\Tools | Options | General | Web Options...\Disable access to updates, add-ins, and patches on the Office Online website

User Configuration\Administrative Templates\Microsoft Office 2007 system\Tools | Options | General | Web Options...\Prevents users from uploading document templates to the Office Online community.

User Configuration\Administrative Templates\Microsoft Office 2007 system\Tools | Options | General | Web Options...\Disable training practice downloads from the Office Online website

User Configuration\Administrative Templates\Microsoft Office 2007 system\Tools | Options | General | Web Options...\Disable customer-submitted templates downloads from Office Online

User Configuration\Administrative Templates\Microsoft Office 2007 system\Tools | Options | General | Web Options...\Files\Open Office documents as read/write while browsing

User Configuration\Administrative Templates\Microsoft Office 2007 system\Tools | Options | General | Web Options...\Browsers\Rely on VML for displaying graphics in browsers

User Configuration\Administrative Templates\Microsoft Office 2007 system\Tools | Options | General | Web Options...\Browsers\Allow PNG as an output format

User Configuration\Administrative Templates\Microsoft Office 2007 system\Tools | Options | Spelling\Proofing Data Collection\Improve Proofing Tools

User Configuration\Administrative Templates\Microsoft Office 2007 system\Privacy\Trust Center\Disable Opt-in Wizard on first run

User Configuration\Administrative Templates\Microsoft Office 2007 system\Help\Microsoft Office OnlineUser Configuration\Administrative Templates\Microsoft Office 2007 system\Security Settings\Disable Password Caching

User Configuration\Administrative Templates\Microsoft Office 2007 system\Security Settings\Disable all Trust Bar notifications for security issues

User Configuration\Administrative Templates\Microsoft Office 2007 system\Security Settings\Protect document metadata for rights managed Office Open XML Files

User Configuration\Administrative Templates\Microsoft Office 2007 system\Security Settings\Protect document metadata for password protected files.

User Configuration\Administrative Templates\Microsoft Office 2007 system\Security Settings\Encryption type for password protected Office Open XML files

User Configuration\Administrative Templates\Microsoft Office 2007 system\Security Settings\Encryption type for password protected Office 97-2003 files

User Configuration\Administrative Templates\Microsoft Office 2007 system\Security Settings\Load Controls in Forms3 (1 | 2 | 3 | 4)

User Configuration\Administrative Templates\Microsoft Office 2007 system\Security Settings\Automation Security (Disable macros by default | Use application macro security level | Macros enabled)

User Configuration\Administrative Templates\Microsoft Office 2007 system\Security Settings\Prevent Word and Excel from loading managed code extensions

User Configuration\Administrative Templates\Microsoft Office 2007 system\Security Settings\Disable hyperlink warnings

User Configuration\Administrative Templates\Microsoft Office 2007 system\Security Settings\Disable password to open UI

User Configuration\Administrative Templates\Microsoft Office 2007 system\Security Settings\Download Office Controls

User Configuration\Administrative Templates\Microsoft Office 2007 system\Security Settings\Disable All ActiveX

User Configuration\Administrative Templates\Microsoft Office 2007 system\Security Settings\Trust Center\Allow mix of policy and user locations

User Configuration\Administrative Templates\Microsoft Office 2007 system\Smart Documents (Word, Excel)\Disable Smart Document's use of manifests

User Configuration\Administrative Templates\Microsoft Office 2007 system\Smart Documents (Word, Excel)\Completely disable the Smart Documents feature in Word and Excel

User Configuration\Administrative Templates\Microsoft Office 2007 system\Services\Fax\Disable Internet Fax feature

User Configuration\Administrative Templates\Microsoft Office 2007 system\Manage Restricted Permissions\Prevent users from changing permissions on rights managed content

User Configuration\Administrative Templates\Microsoft Office 2007 system\Manage Restricted Permissions\Allow users with earlier versions of Office to read with browsers...

User Configuration\Administrative Templates\Microsoft Office 2007 system\Manage Restricted Permissions\Always require users to connect to verify permission

User Configuration\Administrative Templates\Microsoft Office 2007 system\Manage Restricted Permissions\Always expand groups in Office when restricting permission for documents

User Configuration\Administrative Templates\Microsoft Office 2007 system\Manage Restricted Permissions\Never allow users to specify groups when restricting permission for documents

User Configuration\Administrative Templates\Microsoft Office 2007 system\Manage Restricted Permissions\Disable Microsoft Passport service for content with restricted permission

User Configuration\Administrative Templates\Microsoft Office 2007 system\Manage Restricted Permissions\Do not allow users to upgrade Information Rights Management configuration

User Configuration\Administrative Templates\Microsoft Office 2007 system\Signing\Key Usage FilteringUser Configuration\Administrative Templates\Microsoft Office 2007 system\Signing\EKU filtering

User Configuration\Administrative Templates\Microsoft Office 2007 system\Signing\Legacy format signatures

User Configuration\Administrative Templates\Microsoft Office 2007 system\Signing\Suppress Office Signing Providers (Enable Western and East Asian | Suppress default Western | Suppress default East Asian | Suppress both Western and East Asian)

User Configuration\Administrative Templates\Microsoft Office 2007 system\Signing\Suppress external signature services menu item

User Configuration\Administrative Templates\Microsoft Office 2007 system\Office Diagnostics\Disable Check For Solutions

User Configuration\Administrative Templates\Microsoft Office 2007 system\Microsoft Save As PDF and XPS add-ins\Disable inclusion of document properties in PDF and XPS output

User Configuration\Administrative Templates\Microsoft Office 2007 system\Document Information Panel\Disable Document Information Panel

User Configuration\Administrative Templates\Microsoft Office 2007 system\Document Information Panel\Document Information Panel Beaconing UI (Never show UI | Always show UI | Show UI if XSN is in Internet Zone)

User Configuration\Administrative Templates\Microsoft Office 2007 system\Server Settings\Disable the Office client from polling the Office server for published links

User Configuration\Administrative Templates\Microsoft Office 2007 system\Office 2007 Converters\Block opening of pre-release versions of file formats new to Word 2007 through the Compatibility Pack for the 2007 Office system and Word 2007 Open XML/Word 97-2003 Format Converter

User Configuration\Administrative Templates\Microsoft Office 2007 system\Office 2007 Converters\Block opening of pre-release versions of file formats new to Excel 2007 through the Compatibility Pack for the 2007 Office system and Excel 2007 Converter

User Configuration\Administrative Templates\Microsoft Office 2007 system\Office 2007 Converters\Block opening of pre-release versions of file formats new to PowerPoint 2007 through the Compatibility Pack for the 2007 Office system and PowerPoint 2007 Converter

User Configuration\Administrative Templates\Microsoft Office 2007 system\Miscellaneous\Control Blogging (Enabled | Only SharePoint blogs allowed | All blogging disabled)

User Configuration\Administrative Templates\Microsoft Office 2007 system\Miscellaneous\Enable Smart Resume

User Configuration\Administrative Templates\Microsoft Office 2007 system\Miscellaneous\Do not upload media files

User Configuration\Administrative Templates\Microsoft Office 2007 system\Miscellaneous\Disable hyperlinks to web templates in File | New and task panes

User Configuration\Administrative Templates\Microsoft Office 2007 system\Miscellaneous\Prevent access to Web-based file storage

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Preferences\E-mail Options\Do not allow attachment previewing in Outlook

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Preferences\E-mail Options\Read e-mail as plain text

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Preferences\E-mail Options\Read signed e-mail as plain text

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Preferences\Calendar Options\Microsoft Office Online Sharing ServicePrevent publishing to Office Online

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Preferences\Calendar Options\Microsoft Office Online Sharing ServicePrevent publishing to a DAV server

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Preferences\Calendar Options\Microsoft Office Online Sharing ServiceRestrict level of calendar details users can publish (All options are available | Disables 'Full details' | Disables 'Full details' and 'Limited details')

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Preferences\Calendar Options\Microsoft Office Online Sharing ServiceAccess to published calendars

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Preferences\Calendar Options\Microsoft Office Online Sharing ServiceRestrict upload method

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Preferences\Junk E-mail\Hide Junk Mail UI

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Preferences\Junk E-mail\Junk E-mail protection level (No Protection, Low, High, Trusted Lists Only)

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Preferences\Junk E-mail\Trust E-mail from Contacts

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Preferences\Junk E-mail\Add e-mail recipients to users' Safe Senders Lists

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Mail Setup\Dial-up options

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Mail Setup\Dial-up options - Warn before switching dial-up connection

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Mail Setup\Dial-up options - Hang up when finished sending, receiving, or updating

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Mail Setup\Dial-up options - Automatically dial during a background Send/Receive

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Mail Format\Do not allow creating, replying, or forwarding signatures for e-mail messages

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Mail Format\Internet Formatting\Send copy of pictures with HTML messages instead of reference to Internet location

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Mail Format\Internet Formatting\Outlook Rich Text options (Convert to HTML | Convert to Plain Text format | Send Using Outlook Rich Text format)

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Mail Format\Internet Formatting\Plain text options

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Mail Format\Internet Formatting\Plain text options - Encode attachments in UUENCODE format when sending a plain text message

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Mail Format\Internet Formatting\Message FormatSet message format (HTML | Rich Text | Plain Text)

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Other\Make Outlook the default program for E-mail, Contacts, and Calendar

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Other\Advanced\Do not allow folders in non-default stores to be set as folder home pages

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Other\Advanced\Use Unicode format when dragging e-mail message to file system

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Other\Advanced\Do not allow Outlook object model scripts to run for shared folders

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Other\Advanced\Do not allow Outlook object model scripts to run for public folders

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Other\Person Names\Set maximum level of online status on a person name (Do not allow | Allow everywhere except To and CC field | Allow everywhere)

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Other\Person Names\Display online status on a person name (Never | Everywhere except To and CC field | Everywhere)

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Other\Person Names\Turn off Enable the Person Names Smart Tag option

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Security Form Settings\Outlook Security Mode (Outlook Default Security | Use Security Form from 'Outlook Security Settings' Public Folder | Use Security Form from 'Outlook 10 Security Settings' Public Folder | Use Outlook Security Group Policy)

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Security Form Settings\Attachment Security\Display Level 1 attachments

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Security Form Settings\Attachment Security\Allow users to demote attachments to Level 2

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Security Form Settings\Attachment Security\Do not prompt about Level 1 attachments when sending an item

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Security Form Settings\Attachment Security\Do not prompt about Level 1 attachments when closing an item

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Security Form Settings\Attachment Security\Allow in-place activation of embedded OLE objects

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Security Form Settings\Attachment Security\Display OLE package objects

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Security Form Settings\Attachment Security\Add file extensions to block as Level 1

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Security Form Settings\Attachment Security\Remove file extensions blocked as Level 1

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Security Form Settings\Attachment Security\Add file extensions to block as Level 2

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Security Form Settings\Attachment Security\Remove file extensions blocked as Level 2

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Security Form Settings\Custom Form Security\Allow scripts in one-off Outlook forms

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Security Form Settings\Custom Form Security\Set Outlook object model Custom Actions execution prompt (Prompt User | Automatically Approve | Automatically Deny | Prompt user based on computer security)

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Security Form Settings\Custom Form Security\Set control ItemProperty prompt (Prompt User | Automatically Approve | Automatically Deny | Prompt user based on computer security)

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Security Form Settings\Programmatic Security\Configure Outlook object model prompt when sending mail (Prompt User | Automatically Approve | Automatically Deny | Prompt user based on computer security)

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Security Form Settings\Programmatic Security\Configure Outlook object model prompt when accessing an address book (Prompt User | Automatically Approve | Automatically Deny | Prompt user based on computer security)

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Security Form Settings\Programmatic Security\Configure Outlook object model prompt when reading address information (Prompt User | Automatically Approve | Automatically Deny | Prompt user based on computer security)

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Security Form Settings\Programmatic Security\Configure Outlook object model prompt when responding to meeting and task requests (Prompt User | Automatically Approve | Automatically Deny | Prompt user based on computer security)

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Security Form Settings\Programmatic Security\Configure Outlook object model prompt when executing Save As (Prompt User | Automatically Approve | Automatically Deny | Prompt user based on computer security)

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Security Form Settings\Programmatic Security\Configure Outlook object model prompt When accessing the Formula property of a UserProperty object (Prompt User | Automatically Approve | Automatically Deny | Prompt user based on computer security)

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Security Form Settings\Programmatic Security\Configure Outlook object model prompt when accessing address information via UserProperties.Find (Prompt User | Automatically Approve | Automatically Deny | Prompt user based on computer security)

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\Required Certificate Authority

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\S/MIME interoperability with external clients: (Handle internally | Handle externally | Handle if possible)

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\Always use Rich Text formatting in S/MIME messages

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\S/MIME password settings

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\S/MIME password settings - Default S/MIME password time (minutes): (0 - 2147483647)

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\S/MIME password settings - Maximum S/MIME password time (minutes): (0 - 2147483647)

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\Message Formats

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\Message Formats - Support the following message formats: (S/MIME | Exchange | Fortezza | S/MIME and Exchange | S/MIME and Fortezza | Exchange and Fortezza | S/MIME, Exchange, and Fortezza)

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\Do not provide Continue option on Encryption warning dialog boxes

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\Run in FIPS compliant mode

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\Encrypt all e-mail messages

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\Sign all e-mail messages

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\URL for S/MIME certificates

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\Ensure all S/MIME signed messages have a label

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\S/MIME receipt requests (Open message if receipt can't be sent | Don't open message if receipt can't be sent | Always prompt before sending receipt | Never send S/MIME )

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\Fortezza certificate policies

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\Require SuiteB algorithms for S/MIME operations

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\Signature Status dialog box\Missing CRLs

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\Signature Status dialog box\Missing CRLs - Indicate a missing CRL as a(n): (warning | error)

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\Signature Status dialog box\Missing root certificates

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\Signature Status dialog box\Missing root certificates - Indicate a missing root certificate as a(n): (neither error nor warning | warning | error)

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\Signature Status dialog box\Promote Level 2 errors as errors, not warnings

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\Signature Status dialog box\Attachment Secure Temporary Folder

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Automatic Picture Download Settings\Display pictures and external content in HTML e-mail

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Automatic Picture Download Settings\Automatically download content for e-mail from people in Safe Senders and Safe Recipients Lists

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Automatic Picture Download Settings\Do not permit download of content from safe zones

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Automatic Picture Download Settings\Block Trusted Zones

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Automatic Picture Download Settings\Include Internet in Safe Zones for Automatic Picture Download

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Automatic Picture Download Settings\Include Intranet in Safe Zones for Automatic Picture Download

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Trust Center\Security setting for macros (Always warn | Never warn, disable all | Warn for signed, disable unsigned | No security check)

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Trust Center\Enable links in e-mail messages

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Trust Center\Apply macro security settings to macros, add-ins, and SmartTags

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Account Settings\Exchange\Automatically configure profile based on Active Directory Primary SMTP address

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Account Settings\Exchange\Do not allow users to change permissions on folders

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Account Settings\Exchange\Enable RPC encryption

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Account Settings\Exchange\Authentication with Exchange Server (Kerberos/NTLM Password Authentication | Kerberos Password Authentication | NTLM Password Authentication)

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Account Settings\RSS Feeds\Synchronize Outlook RSS Feeds with Common Feed List

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Account Settings\RSS Feeds\Turn off RSS feature

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Account Settings\RSS Feeds\Automatically download enclosures

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Account Settings\RSS Feeds\Download full text of articles as HTML attachments

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Account Settings\Internet Calendars\Automatically download attachments

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Account Settings\Internet Calendars\Do not include Internet Calendar integration in Outlook

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Meeting Workspace\Disable user entries to server list (Publish default, allow others | Publish default, disallow others)

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Miscellaneous\Do not expand distribution lists

User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\PowerPoint Options\Save\Save files in this format (PowerPoint Presentation (*.pptx) | PowerPoint Macro-Enabled Presentation (*.pptm) | PowerPoint 97-2003 Presentation (*.ppt))

User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\PowerPoint Options\Advanced\Number of documents in the Recent Documents list (0 - 50)

User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\PowerPoint Options\Security\Determine whether to force encrypted macros to be scanned in Microsoft PowerPoint Open XML presentations

User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\PowerPoint Options\Security\Run Programs (disable (don't run any programs) | enable (prompt user before running) | enable all (run without prompting))

User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\PowerPoint Options\Security\Make hidden markup visible

User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\PowerPoint Options\Security\Unblock automatic download of linked images

User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\PowerPoint Options\Security\Trust Center\Disable all application add-ins

User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\PowerPoint Options\Security\Trust Center\Require that application add-ins are signed by Trusted Publisher

User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\PowerPoint Options\Security\Trust Center\Disable Trust Bar Notification for unsigned application add-ins

User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\PowerPoint Options\Security\Trust Center\Trusted LocationsAllow Trusted Locations not on the computer

User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\PowerPoint Options\Security\Trust Center\Trusted LocationsDisable all trusted locations

User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Disable items in user interface\Predefined\Disable commands

User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Disable items in user interface\Predefined\Disable commands - Office Button | PowerPoint Options | Customize | All Commands | Web Page Preview

User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Disable items in user interface\Predefined\Disable commands - Office Button | Send | Email

User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Disable items in user interface\Predefined\Disable commands - Insert | Links | Hyperlink

User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Disable items in user interface\Predefined\Disable commands - Review | Proofing | Language

User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Disable items in user interface\Predefined\Disable commands - View | Macros | Macros

User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Disable items in user interface\Predefined\Disable commands - Developer | Code | Macros

User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Disable items in user interface\Predefined\Disable commands - Developer | Code | Macro Security

User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Disable items in user interface\Predefined\Disable commands - Developer | Code | Visual Basic

User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Disable items in user interface\Predefined\Disable commands - Office Button | PowerPoint Options | Customize | All Commands | Document Location

User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Disable items in user interface\Predefined\Disable commands - Disable shortcut keys

User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Disable items in user interface\Predefined\Disable commands - Ctrl+K (Insert | Links | Hyperlink)

User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Disable items in user interface\Predefined\Disable commands - Alt+F8 (Developer | Code | Macros)

User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Disable items in user interface\Predefined\Disable commands - Alt+F11 (Developer | Code | Visual Basic)

User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Block file formats\Open\Block opening of pre-release versions of file formats new to PowerPoint 2007

User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Block file formats\Open\Block opening of Open Xml files types

User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Block file formats\Open\Block opening of Binary file types

User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Block file formats\Open\Block opening of Html file types

User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Block file formats\Open\Block opening of Outlines

User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Block file formats\Open\Block opening of Converters

User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Block file formats\Save\Block saving of Open Xml file types

User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Block file formats\Save\Block saving of Binary file types

User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Block file formats\Save\Block saving of Html file types

User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Block file formats\Save\Block saving of Outlines

User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Block file formats\Save\Block saving of GraphicFilters

User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Block file formats\Miscellaneous\Disable Slide Update

User Configuration\Administrative Templates\Microsoft Office Word 2007\Word Options\Display\Hidden text

User Configuration\Administrative Templates\Microsoft Office Word 2007\Word Options\Save\Save files in this format (Word document (*.docx) | Single Files Web Page (*.mht) | Web Page (*.htm; *.html) | Web Page, Filtered (*.htm, *.html) | Rich Text Format (*.rtf) | Plain Text (*.txt) | Word 6.0/95 (*.doc) | Word 6.0/95 - Chinese (Simplified) (*.doc) | Word 6.0/95 - Chinese (Traditional) (*.doc) | Word 6.0/95 - Japanese (*.doc) | Word 6.0/95 - Korean (*.doc) | Word 97-2002 & 6.0/95 - RTF | Word 5.1 for Macintosh (*.mcw) | Word 5.0 for Macintosh (*.mcw) | Word 2.x for Windows (*.doc) | Works 4.0 for Windows (*.wps) | WordPerfect 5.x for Windows (*.doc) | WordPerfect 5.1 for DOS (*.doc) | Word 2007 Macro Enabled Document (*.docm) | Word 2007 Macro Free Template (*.dotx) | Word 2007 Macro Enabled Template (*.dotm) | Word 97 - 2003 Document (*.doc) | Word 97 - 2003 Template (*.dot) | Flat XML Document (*.xml))

User Configuration\Administrative Templates\Microsoft Office Word 2007\Word Options\Advanced\Number of documents in the Recent Documents list (0-50)

User Configuration\Administrative Templates\Microsoft Office Word 2007\Word Options\Advanced\Update automatic links at Open

User Configuration\Administrative Templates\Microsoft Office Word 2007\Word Options\Advanced\E-mail Options\Save smart tags in e-mail

User Configuration\Administrative Templates\Microsoft Office Word 2007\Word Options\Security\Trust Center\Determine whether to force encrypted macros to be scanned in Microsoft Word Open XML documents

User Configuration\Administrative Templates\Microsoft Office Word 2007\Word Options\Security\Trust Center\Disable all application add-ins

User Configuration\Administrative Templates\Microsoft Office Word 2007\Word Options\Security\Trust Center\Require that application add-ins are signed by Trusted Publisher

User Configuration\Administrative Templates\Microsoft Office Word 2007\Word Options\Security\Trust Center\Disable Trust Bar Notification for unsigned application add-ins

User Configuration\Administrative Templates\Microsoft Office Word 2007\Word Options\Security\Trust Center\Trusted LocationsAllow Trusted Locations not on the computer

User Configuration\Administrative Templates\Microsoft Office Word 2007\Word Options\Security\Trust Center\Trusted LocationsDisable all trusted locations

User Configuration\Administrative Templates\Microsoft Office Word 2007\Disable items in user interface\Predefined\Disable commands

User Configuration\Administrative Templates\Microsoft Office Word 2007\Disable items in user interface\Predefined\Disable commands - Office Button | Word Options | Customize | All Commands | Save As Web Page

User Configuration\Administrative Templates\Microsoft Office Word 2007\Disable items in user interface\Predefined\Disable commands - Office Button | Word Options | Customize | All Commands | Web Page Preview

User Configuration\Administrative Templates\Microsoft Office Word 2007\Disable items in user interface\Predefined\Disable commands - Office Button | Send | Email

User Configuration\Administrative Templates\Microsoft Office Word 2007\Disable items in user interface\Predefined\Disable commands - Insert | Links | Hyperlink

User Configuration\Administrative Templates\Microsoft Office Word 2007\Disable items in user interface\Predefined\Disable commands - Review | Protect | Protect Document

User Configuration\Administrative Templates\Microsoft Office Word 2007\Disable items in user interface\Predefined\Disable commands - View | Macros | Macros

User Configuration\Administrative Templates\Microsoft Office Word 2007\Disable items in user interface\Predefined\Disable commands - Developer | Code | Macros

User Configuration\Administrative Templates\Microsoft Office Word 2007\Disable items in user interface\Predefined\Disable commands - Developer | Code | Record Macro

User Configuration\Administrative Templates\Microsoft Office Word 2007\Disable items in user interface\Predefined\Disable commands - Developer | Code | Macro Security

User Configuration\Administrative Templates\Microsoft Office Word 2007\Disable items in user interface\Predefined\Disable commands - Developer | Code | Visual Basic

User Configuration\Administrative Templates\Microsoft Office Word 2007\Disable items in user interface\Predefined\Disable commands - Developer | Templates | Document Template

User Configuration\Administrative Templates\Microsoft Office Word 2007\Disable items in user interface\Predefined\Disable shortcut keys

User Configuration\Administrative Templates\Microsoft Office Word 2007\Disable items in user interface\Predefined\Disable shortcut keys - Ctrl+F (Home | Editing | Find)

User Configuration\Administrative Templates\Microsoft Office Word 2007\Disable items in user interface\Predefined\Disable shortcut keys - Ctrl+K (Insert | Links | Hyperlink)

User Configuration\Administrative Templates\Microsoft Office Word 2007\Disable items in user interface\Predefined\Disable shortcut keys - Alt+F8 (Developer | Code | Macros)

User Configuration\Administrative Templates\Microsoft Office Word 2007\Disable items in user interface\Predefined\Disable shortcut keys - Alt+F11 (Developer | Code | Visual Basic)

User Configuration\Administrative Templates\Microsoft Office Word 2007\Block file formats\Open\Block opening of pre-release versions of file formats new to Word 2007

User Configuration\Administrative Templates\Microsoft Office Word 2007\Block file formats\Open\Block opening of Open XML file types

User Configuration\Administrative Templates\Microsoft Office Word 2007\Block file formats\Open\Block opening of Binary file types

User Configuration\Administrative Templates\Microsoft Office Word 2007\Block file formats\Open\Block opening of HTML file types

User Configuration\Administrative Templates\Microsoft Office Word 2007\Block file formats\Open\Block opening of Word 2003 XML file types

User Configuration\Administrative Templates\Microsoft Office Word 2007\Block file formats\Open\Block opening of RTF file types

User Configuration\Administrative Templates\Microsoft Office Word 2007\Block file formats\Open\Block open Converters

User Configuration\Administrative Templates\Microsoft Office Word 2007\Block file formats\Open\Block opening of Text file types

User Configuration\Administrative Templates\Microsoft Office Word 2007\Block file formats\Open\Block opening of Internal file types

User Configuration\Administrative Templates\Microsoft Office Word 2007\Block file formats\Open\Block opening of files before version

User Configuration\Administrative Templates\Microsoft Office Word 2007\Block file formats\Save\Block saving of Open XML file types

User Configuration\Administrative Templates\Microsoft Office Word 2007\Block file formats\Save\Block saving of Binary file types

User Configuration\Administrative Templates\Microsoft Office Word 2007\Block file formats\Save\Block saving of HTML file types

User Configuration\Administrative Templates\Microsoft Office Word 2007\Block file formats\Save\Block saving of Word 2003 XML file types

User Configuration\Administrative Templates\Microsoft Office Word 2007\Block file formats\Save\Block saving of RTF file types

User Configuration\Administrative Templates\Microsoft Office Word 2007\Block file formats\Save\Block saving of Converters

User Configuration\Administrative Templates\Microsoft Office Word 2007\Block file formats\Save\Block saving of Text file types

Computer Configuration\Administrative Templates\Microsoft Office InfoPath 2007 (Machine)\Security\InfoPath APTCA Assembly Whitelist

Computer Configuration\Administrative Templates\Microsoft Office InfoPath 2007 (Machine)\Security\Windows Internet Explorer Feature Control Opt-In (None | InfoPath.exe, Document Information Panel and Workflow forms | InfoPath.exe, Document Information Panel, Workflow forms and 3rd Party Hosting)

Computer Configuration\Administrative Templates\Microsoft Office InfoPath 2007 (Machine)\Security\InfoPath APTCA Assembly Whitelist Enforcement

Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\Disable Package Repair

Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Disable user name and password

Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Disable user name and password - excel.exe

Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Disable user name and password - powerpnt.exe

Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Disable user name and password - pptview.exe

Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Disable user name and password - winword.exe

Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Disable user name and password - outlook.exe

Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Disable user name and password - spDesign.exe

Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Disable user name and password - msaccess.exe

Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Bind to object

Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Bind to object - excel.exe

Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Bind to object - powerpnt.exe

Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Bind to object - pptview.exe

Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Bind to object - winword.exe

Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Bind to object - outlook.exe

Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Bind to object - spDesign.exe

Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Bind to object - msaccess.exe

Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Saved from URL

Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Saved from URL - excel.exe

Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Saved from URL - powerpnt.exe

Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Saved from URL - pptview.exe

Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Saved from URL - winword.exe

Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Saved from URL - outlook.exe

Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Saved from URL - spDesign.exe

Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Saved from URL - msaccess.exe

Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Navigate URL

Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Navigate URL - excel.exe

Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Navigate URL - powerpnt.exe

Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Navigate URL - pptview.exe

Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Navigate URL - winword.exe

Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Navigate URL - outlook.exe

Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Navigate URL - spDesign.exe

Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Navigate URL - msaccess.exe

Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Block popups

Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Block popups - excel.exe

Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Block popups - powerpnt.exe

Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Block popups - pptview.exe

Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Block popups - winword.exe

Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Block popups - outlook.exe

Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Block popups - spDesign.exe

Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Block popups - msaccess.exe

NIST SCAP Microsoft Internet Explorer Version 7.0 OVAL(SCAP-IE7-OVAL-Beta-

v3.xml)

NIST SCAP Microsoft Internet

Explorer Version 7.0 XCCDF (SCAP-IE7-XCCDF-Beta-v3.xml

oval:org.mitre.oval:def:1277, oval:org.mitre.oval:def:2050

UseOnlyMachineSettings-LocalComputer, UseOnlyMachineSettings-LocalComputer-Disabled


IEProcesses-RestrictActiveXInstall-LocalComputer


DoNotAllowUsersAddDeleteSites-LocalComputer


DisablePeriodicCheckForIESoftwareUpdates-LocalComputer



IEProcesses-ConsistentMimeHandling-LocalComputer


AllowSoftwareRunInstallSignatureInvalid-LocalComputer, AllowSoftwareToRununOrInstallEvenIfSignatureInvalid-LocalUser


IEProcesses-MKProtocolSecurityRestriction-LocalComputer


DisableSoftwareUpdateShellNotifications-LocalComputer


IEProcesses-RestrictFileDownload-LocalComputer


DisableAutomaticInstallOfIEComponents-LocalComputer


MakeProxySettingsPerMachine-LocalComputer

oval:org.mitre.oval:def:1380, oval:org.mitre.oval:def:1358, oval:org.mitre.oval:def:1694

DoNotAllowUsersEnableDisableAddOns-LocalComputer, DoNotAllowUsersEnableDisableAddOns-LocalUser


TurnOffCrashDetection-LocalComputer


IEProcesses-ScriptedWindowSecurityRestrictions-LocalComputer


DoNotAllowUsersChangePolicies-LocalComputer


IEProcesses-MimeSniffingSafetyFeature-LocalComputer


CheckSignatureDownloadedPrograms-LocalComputer


DoNotAllowResettingIESettings-LocalComputer


AllowCutCopyPasteOperationsFromClipboardViaScript-InternetZone-LocalComputer, AllowCutCopyPasteOperationsFromClipboardViaScript-InternetZone-LocalUser


TurnOffFirst-RunOpt-In-InternetZone-LocalComputer


WebBrowserApplications-InternetZone-LocalComputer


AllowCutCopyPasteOperationsFromClipboardViaScript-RestrictedSitesZone-LocalComputer, AllowCutCopyPasteOperationsFromClipboardViaScript-RestrictedSitesZone-LocalUser


TurnOffFirst-RunOpt-In-RestrictedSitesZone-LocalComputer


WebBrowserApplications-RestrictedSitesZone-LocalComputer


IncludeAllNetworkPaths-LocalComputer, IncludeAllNetworkPaths-LocalUser


DisableTheAdvancedPage-LocalComputer, DisableTheAdvancedPage-LocalUser


DisableThePrivacyPage-LocalComputer


DisableTheSecurityPage-LocalComputer, DisableTheSecurityPage-LocalUser


PreventIgnoingCertificateErrors-LocalComputer, PreventIgnoingCertificateErrors-LocalUser


TurnOffChangingURLDisplay-LocalComputer


TurnOffConfiguringUpdateCheckInterval-LocalComputer


AddOnList-LocalComputer


DenyAllAddOns-LocalComputer


DisableConfiguringHistory-LocalComputer, DisableConfiguringHistory-LocalUser


DisableChangingAutomaticConfigurationSettings-LocalComputer, DisableChangingAutomaticConfigurationSettings-LocalUser


DisableChangingConnectionSettings-LocalComputer, DisableChangingConnectionSettings-LocalUser


DisableChangingProxySettings-LocalComputer, DisableChangingProxySettings-LocalUser


DisableShowingSplashScreen-LocalComputer


PreventFixSettingsFunctionality-LocalComputer, PreventFixSettingsFunctionality-LocalUser


PreventParticipationInCustomerExperienceImprovementPrograms-LocalComputer, PreventParticipationInCustomerExperienceImprovementPrograms-LocalUser


PreventPerformanceOfFirstRunCustomizeSettings-LocalComputer


PerventDeletationOfTempInternetFiles-LocalComputer, PerventDeletationOfTempInternetFiles-LocalUser


TurnOffDeleteBrowsingHistoryFunctionality-LocalComputer, TurnOffDeleteBrowsingHistoryFunctionality-LocalUser


TurnOffManagingPhishingFilter-LocalComputer


TurnOffSecuritySettingsCheckFeature-LocalComputer, TurnOffSecuritySettingsCheckFeature-LocalUser


AllowActiveContentFromCD-LocalComputer


AllowThird-PartyBrowserExtensions-LocalComputer


AutomaticallyCheckIEUpdates-LocalComputer, AutomaticallyCheckForIEUpdates-LocalUser


CheckServerCertificateRevocation-LocalComputer, CheckForServerCertificateRevocation-LocalUser


AccessDataSourcesAcrossDomains-InternetZone-LocalComputer, AccessDataSourcesAcrossDomains-InternetZone-LocalUser


AllowDragDropOrCopyPasteFiles-InternetZone-LocalComputer, AllowDragDropOrCopyPasteFiles-InternetZone-LocalUser


AllowFontDownloads-InternetZone-LocalComputer, AllowFontDownloads-InternetZone-LocalUser


AllowInstallationOfDesktopItems-InternetZone-LocalComputer, AllowInstallationOfDesktopItems-InternetZone-LocalUser


AllowScriptInitiatedWindowsWithoutSizeOrPositionConstraints-InternetZone-LocalComputer, AllowScriptInitiatedWindowsWithoutSizeOrPositionConstraints-InternetZone-LocalUser


AllowScriptlets-InternetZone-LocalComputer


AllowStatusBarUpdatesViaScript-InternetZone-LocalComputer, AllowStatusBarUpdatesViaScript-InternetZone-LocalUser


AutomaticPromptingFileDownloads-InternetZone-LocalComputer, AutomaticPromptingFileDownloads-InternetZone-LocalUser


DownloadSignedActiveXControls-InternetZone-LocalComputer, DownloadSignedActiveXControls-InternetZone-LocalUser


DownloadUnsignedActiveXControls-InternetZone-LocalComputer, DownloadUnsignedActiveXControls-InternetZone-LocalUser


InitializeScriptActiveXControlsNotMarkedAsSafe-InternetZone-LocalComputer, JavaPermissions-InternetZone-LocalComputer, InitializeScriptActiveXControlsNotMarkedAsSafe-InternetZone-LocalUser


JavaPermissions-InternetZone-LocalUser


LaunchingApplicationsAndFilesInIFRAME-InternetZone-LocalComputer, LaunchingApplicationsAndFilesInIFRAME-InternetZone-LocalUser


LogonOptions-InternetZone-LocalComputer, LogonOptions-InternetZone-LocalUser


LooseXAMLFiles-InternetZone-LocalComputer


NavigateSub-framesAcrossDifferentDomains-InternetZone-LocalComputer, NavigateSub-framesAcrossDifferentDomains-InternetZone-LocalUser


OpenFilesBasedOnContent-InternetZone-LocalComputer, OpenFilesBasedOnContent-InternetZone-LocalUser


SoftwareChannelPermissions-InternetZone-LocalComputer, SoftwareChannelPermissions-InternetZone-LocalUser


UsePop-upBlocker-InternetZone-LocalComputer, UsePop-upBlocker-InternetZone-LocalUser


UserdataPersistence-InternetZone-LocalComputer


WebSitesInLessPrivilegedWebContentZonesCanNavigateIntoThisZone-InternetZone-LocalComputer, WebSitesInLessPrivilegedWebContentZonesCanNavigateIntoThisZone-InternetZone-LocalUser


XPSFiles-InternetZone-LocalComputer


DisplayMixedContent-LockedDownInternetZone-LocalComputer


DisplayMixedContent-IntranetZone-LocalComputer


DisplayMixedContent-LockedDownIntranetZone-LocalComputer


DisplayMixedContent-LocalMachineZone-LocalComputer


DisplayMixedContent-LockedDownLocalMachineZone-LocalComputer


AccessDataSourcesAcrossDomains-RestrictedSitesZone-LocalComputer, AccessDataSourcesAcrossDomains-RestrictedSitesZone-LocalUser


AllowActiveScripting-RestrictedSitesZone-LocalComputer, AllowActiveScripting-RestrictedSitesZone-LocalUser


AllowBinaryAndScriptBehaviors-RestrictedSitesZone-LocalComputer, AllowBinaryAndScriptBehaviors-RestrictedSitesZone-LocalUser


AllowDragDropOrCopyPasteFiles-RestrictedSitesZone-LocalComputer, AllowDragDropOrCopyPasteFiles-RestrictedSitesZone-LocalUser


AllowFileDownloads-RestrictedSitesZone-LocalComputer, AllowFileDownloads-RestrictedSitesZone-LocalUser


AllowFontDownloads-RestrictedSitesZone-LocalComputer, AllowFontDownloads-RestrictedSitesZone-LocalUser


AllowInstallationOfDesktopItems-RestrictedSitesZone-LocalComputer, AllowInstallationOfDesktopItems-RestrictedSitesZone-LocalUser


AllowMETAREFRESH-RestrictedSitesZone-LocalComputer, AllowMETAREFRESH-RestrictedSitesZone-LocalUser


AllowScriptInitiatedWindowsWithoutSizeOrPositionConstraints-RestrictedSitesZone-LocalComputer, AllowScriptInitiatedWindowsWithoutSizeOrPositionConstraints-RestrictedSitesZone-LocalUser


AllowScriptlets-RestrictedSitesZone-LocalComputer


AllowStatusBarUpdatesViaScript-RestrictedSitesZone-LocalComputer, AllowStatusBarUpdatesViaScript-RestrictedSitesZone-LocalUser


AutomaticPromptingFileDownloads-RestrictedSitesZone-LocalComputer, AutomaticPromptingFileDownloads-RestrictedSitesZone-LocalUser


DownloadSignedActiveXControls-RestrictedSitesZone-LocalComputer, DownloadSignedActiveXControls-RestrictedSitesZone-LocalUser


DownloadUnsignedActiveXControls-RestrictedSitesZone-LocalComputer, DownloadUnsignedActiveXControls-RestrictedSitesZone-LocalUser


InitializeScriptActiveXControlsNotMarkedAsSafe-RestrictedSitesZone-LocalComputer, InitializeScriptActiveXControlsNotMarkedAsSafe-RestrictedSitesZone-LocalUser


JavaPermissions-RestrictedSitesZone-LocalComputer, JavaPermissions-RestrictedSitesZone-LocalUser


LaunchingApplicationsAndFilesInIFRAME-RestrictedSitesZone-LocalComputer, LaunchingApplicationsAndFilesInIFRAME-RestrictedSitesZone-LocalUser


LogonOptions-RestrictedSitesZone-LocalComputer, LogonOptions-RestrictedSitesZone-LocalUser


LooseXAMLFiles-RestrictedSitesZone-LocalComputer


NavigateSub-framesAcrossDifferentDomains-RestrictedSitesZone-LocalComputer, NavigateSub-framesAcrossDifferentDomains-RestrictedSitesZone-LocalUser


OpenFilesBasedOnContent-RestrictedSitesZone-LocalComputer, OpenFilesBasedOnContent-RestrictedSitesZone-LocalUser


RunNETFrameworkReliantComponentsNotSignedWithAuthenticode-RestrictedSitesZone-LocalComputer, RunNETFrameworkReliantComponentsNotSignedWithAuthenticode-RestrictedSitesZone-LocalUser


RunNETFrameworkReliantComponentsSignedWithAuthenticode-RestrictedSitesZone-LocalComputer, RunNETFrameworkReliantComponentsSignedWithAuthenticode-RestrictedSitesZone-LocalUser


RunActiveXControlsAndPlugins-RestrictedSitesZone-LocalComputer, RunActiveXControlsAndPlugins-RestrictedSitesZone-LocalUser


ScriptActiveXControlsMarkedSafeForScripting-RestrictedSitesZone-LocalComputer, ScriptActiveXControlsMarkedSafeForScripting-RestrictedSitesZone-LocalUser


ScriptingOfJavaApplets-RestrictedSitesZone-LocalComputer, ScriptingOfJavaApplets-RestrictedSitesZone-LocalUser


SoftwareChannelPermissions-RestrictedSitesZone-LocalComputer, SoftwareChannelPermissions-RestrictedSitesZone-LocalUser


UsePop-upBlocker-RestrictedSitesZone-LocalComputer, UsePop-upBlocker-RestrictedSitesZone-LocalUser


UserdataPersistence-RestrictedSitesZone-LocalComputer


WebSitesInLessPrivilegedWebContentZonesCanNavigateIntoThisZone-RestrictedSitesZone-LocalComputer, WebSitesInLessPrivilegedWebContentZonesCanNavigateIntoThisZone-RestrictedSitesZone-LocalUser


XPSFiles-RestrictedSitesZone-LocalComputer


DisplayMixedContent-LockedDownRestrictedSitesZone-LocalComputer


DisplayMixedContent-TrustedSitesZone-LocalComputer


DisplayMixedContent-LockedDownTrustedSitesZone-LocalComputer


EnableNativeXMLHttpSupport-LocalComputer


DisableSaveThisProgramToDiskOption-LocalUser


AllowInstallOnDemandIE-LocalUser


TurnOffPageTransitions-LocalUser


DisableAutoCompleteForForms-LocalUser


AllowInstallOnDemandIE-LocalUser


DisableChangingCertificateSettings-LocalUser


DisableExternalBrandingOfIE-LocalUser


ConfigureOutlookExpress-LocalUser


InternetConnectionWizardSettings-LocalUser


DisableInternetConnectionWizard-LocalUser


DisableResetWebSettingsFeature-LocalUser


DisableDownloadingOfSiteSubscriptionContent-LocalUser


DisableAddingSchedulesForOfflinePages-LocalUser


DisableAddingChannels-LocalUser


DisableEditingAndCreatingOfScheduleGroups-LocalUser


DisableAllScheduledOfflinePages-LocalUser


DisableEditingSchedulesForOfflinePages-LocalUser


DisableChannelUserInterfaceCompletely-LocalUser


DisableRemovingChannels-LocalUser


DisableRemovingSchedulesForOfflinePages-LocalUser


DisableOfflinePageHitLogging-LocalUser


JavaPermissions-LockedDownIntranetZone-LocalComputer


JavaPermissions-LocalMachineZone-LocalComputer


JavaPermissions-LockedDownLocalMachineZone-LocalComputer


JavaPermissions-LockedDownRestrictedSitesZone-LocalComputer


JavaPermissions-TrustedSitesZone-LocalComputer


JavaPermissions-LockedDownTrustedSitesZone-LocalComputer