Res.BaselineWindowsServer2008R2.xml (DeployableResource)

Element properties:

Type: DeployableResource
File Name: BaselineWindowsServer2008R2.xml
Accessibility: Public

Source Code:

<DeployableResource ID="Res.BaselineWindowsServer2008R2.xml" Accessibility="Public" FileName="BaselineWindowsServer2008R2.xml"/>

File Content: BaselineWindowsServer2008R2.xml

<?xml version="1.0" encoding="utf-8"?>

<ArrayOfBaselineRuleset xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<BaselineRuleset>
<Rules>
<BaselineRegistryRule>
<!-- Audits HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateDASD, read as a String value, for equality with "2". -->
<!-- NOTE(review): Microsoft documents this setting as 0 = Administrators, 1 = Administrators and Power Users, 2 = Administrators and Interactive Users. 2 is the least restrictive of the three; confirm it is the intended baseline value. -->
<BaselineId>9ff96717-0c7f-4ed0-a7a0-22bdd9c7a75b</BaselineId>
<Id>0da2c6a3-0fd6-4ebd-b88a-fea98be1f7d4</Id>
<OriginalId>71d6ee80-22f8-44e3-99ad-cbc707218ff8</OriginalId>
<CceId>CCE-10637-7</CceId>
<Name>Devices: Allowed to format and eject removable media</Name>
<Type>Registry</Type>
<ExpectedValue>2</ExpectedValue>
<Severity>Warning</Severity>
<AnalyzeOperation>Equals</AnalyzeOperation>
<Enabled>true</Enabled>
<Hive>LocalMachine</Hive>
<RegValueType>String</RegValueType>
<KeyPath>Software\Microsoft\Windows NT\CurrentVersion\Winlogon</KeyPath>
<ValueName>AllocateDASD</ValueName>
</BaselineRegistryRule>
<BaselineRegistryRule>
<BaselineId>9ff96717-0c7f-4ed0-a7a0-22bdd9c7a75b</BaselineId>
<Id>f9020046-6340-451d-9548-3c45d765d06d</Id>
<OriginalId>0f319931-aa36-4313-9320-86311c0fa623</OriginalId>
<CceId>CCE-10940-5</CceId>
<Name>Network access: Restrict anonymous access to Named Pipes and Shares</Name>
<Type>Registry</Type>
<ExpectedValue>1</ExpectedValue>
<Severity>Warning</Severity>
<AnalyzeOperation>Equals</AnalyzeOperation>
<Enabled>true</Enabled>
<Hive>LocalMachine</Hive>
<RegValueType>Int</RegValueType>
<KeyPath>System\CurrentControlSet\Services\LanManServer\Parameters</KeyPath>
<ValueName>restrictnullsessaccess</ValueName>
</BaselineRegistryRule>
<BaselineRegistryRule>
<BaselineId>9ff96717-0c7f-4ed0-a7a0-22bdd9c7a75b</BaselineId>
<Id>3964d9dc-6c52-449f-af2f-9ca6ddb954bc</Id>
<OriginalId>c4f13e60-0fae-4766-bba1-00b4c33d54b7</OriginalId>
<CceId>CCE-10027-1</CceId>
<Name>Network access: Do not allow anonymous enumeration of SAM accounts</Name>
<Type>Registry</Type>
<ExpectedValue>1</ExpectedValue>
<Severity>Critical</Severity>
<AnalyzeOperation>Equals</AnalyzeOperation>
<Enabled>true</Enabled>
<Hive>LocalMachine</Hive>
<RegValueType>Int</RegValueType>
<KeyPath>System\CurrentControlSet\Control\Lsa</KeyPath>
<ValueName>RestrictAnonymousSAM</ValueName>
</BaselineRegistryRule>
<BaselineRegistryRule>
<BaselineId>9ff96717-0c7f-4ed0-a7a0-22bdd9c7a75b</BaselineId>
<Id>b4f312f2-a243-407a-9fe5-50ce6586edb3</Id>
<OriginalId>c8c43367-6343-4ae7-9387-c4f24303b90d</OriginalId>
<CceId>CCE-11049-4</CceId>
<Name>Shutdown: Clear virtual memory pagefile</Name>
<Type>Registry</Type>
<ExpectedValue>0</ExpectedValue>
<Severity>Critical</Severity>
<AnalyzeOperation>Equals</AnalyzeOperation>
<Enabled>true</Enabled>
<Hive>LocalMachine</Hive>
<RegValueType>Int</RegValueType>
<KeyPath>System\CurrentControlSet\Control\Session Manager\Memory Management</KeyPath>
<ValueName>ClearPageFileAtShutdown</ValueName>
</BaselineRegistryRule>
<BaselineRegistryRule>
<BaselineId>9ff96717-0c7f-4ed0-a7a0-22bdd9c7a75b</BaselineId>
<Id>c31c407b-9bd1-45e2-9e8a-7342c4b0faf2</Id>
<OriginalId>c836e4ce-c2f0-410c-bbf2-2550e8d24ba8</OriginalId>
<CceId>CCE-10772-2</CceId>
<Name>MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)</Name>
<Type>Registry</Type>
<ExpectedValue>1</ExpectedValue>
<Severity>Warning</Severity>
<AnalyzeOperation>Equals</AnalyzeOperation>
<Enabled>true</Enabled>
<Hive>LocalMachine</Hive>
<RegValueType>Int</RegValueType>
<KeyPath>SYSTEM\CurrentControlSet\Control\Session Manager</KeyPath>
<ValueName>SafeDllSearchMode</ValueName>
</BaselineRegistryRule>
<BaselineRegistryRule>
<BaselineId>9ff96717-0c7f-4ed0-a7a0-22bdd9c7a75b</BaselineId>
<Id>dae42326-42e3-4346-8e7f-f57193fb24a1</Id>
<OriginalId>fbfb6cc4-d294-4884-bc3d-7f74deeb6462</OriginalId>
<CceId>CCE-10557-7</CceId>
<Name>Network access: Do not allow anonymous enumeration of SAM accounts and shares</Name>
<Type>Registry</Type>
<ExpectedValue>1</ExpectedValue>
<Severity>Critical</Severity>
<AnalyzeOperation>Equals</AnalyzeOperation>
<Enabled>true</Enabled>
<Hive>LocalMachine</Hive>
<RegValueType>Int</RegValueType>
<KeyPath>System\CurrentControlSet\Control\Lsa</KeyPath>
<ValueName>RestrictAnonymous</ValueName>
</BaselineRegistryRule>
<BaselineRegistryRule>
<BaselineId>9ff96717-0c7f-4ed0-a7a0-22bdd9c7a75b</BaselineId>
<Id>f6102fdb-7fed-4752-8020-e5712c61bb65</Id>
<OriginalId>1b4d4248-73f1-4950-be5c-8c2fd6d47002</OriginalId>
<CceId>CCE-10370-5</CceId>
<Name>Recovery console: Allow automatic administrative logon</Name>
<Type>Registry</Type>
<ExpectedValue>0</ExpectedValue>
<Severity>Critical</Severity>
<AnalyzeOperation>Equals</AnalyzeOperation>
<Enabled>true</Enabled>
<Hive>LocalMachine</Hive>
<RegValueType>Int</RegValueType>
<KeyPath>Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole</KeyPath>
<ValueName>securitylevel</ValueName>
</BaselineRegistryRule>
<BaselineRegistryRule>
<BaselineId>9ff96717-0c7f-4ed0-a7a0-22bdd9c7a75b</BaselineId>
<Id>d2bd9daf-9be4-4cda-b4ec-dab3af8c3bbd</Id>
<OriginalId>7ab41c58-8c4a-4781-9cdd-a6dc5c40fc66</OriginalId>
<CceId>CCE-10986-8</CceId>
<Name>System objects: Require case insensitivity for non-Windows subsystems</Name>
<Type>Registry</Type>
<ExpectedValue>1</ExpectedValue>
<Severity>Warning</Severity>
<AnalyzeOperation>Equals</AnalyzeOperation>
<Enabled>true</Enabled>
<Hive>LocalMachine</Hive>
<RegValueType>Int</RegValueType>
<KeyPath>System\CurrentControlSet\Control\Session Manager\Kernel</KeyPath>
<ValueName>ObCaseInsensitive</ValueName>
</BaselineRegistryRule>
<BaselineRegistryRule>
<BaselineId>9ff96717-0c7f-4ed0-a7a0-22bdd9c7a75b</BaselineId>
<Id>0bc851ea-f8e2-4b32-958c-937f17ec4237</Id>
<OriginalId>e44bb6b6-6bf3-417b-a329-cb9604cde378</OriginalId>
<CceId>CCE-10643-5</CceId>
<Name>Recovery console: Allow floppy copy and access to all drives and all folders</Name>
<Type>Registry</Type>
<ExpectedValue>0</ExpectedValue>
<Severity>Warning</Severity>
<AnalyzeOperation>Equals</AnalyzeOperation>
<Enabled>true</Enabled>
<Hive>LocalMachine</Hive>
<RegValueType>Int</RegValueType>
<KeyPath>Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole</KeyPath>
<ValueName>setcommand</ValueName>
</BaselineRegistryRule>
<BaselineRegistryRule>
<BaselineId>9ff96717-0c7f-4ed0-a7a0-22bdd9c7a75b</BaselineId>
<Id>f4890421-efe5-4a9d-8001-03aa751879ca</Id>
<OriginalId>8ae83b84-b0fd-4b08-85a5-ff3f897a2db2</OriginalId>
<CceId>CCE-10810-0</CceId>
<Name>Interactive logon: Do not require CTRL+ALT+DEL</Name>
<Type>Registry</Type>
<ExpectedValue>0</ExpectedValue>
<Severity>Critical</Severity>
<AnalyzeOperation>Equals</AnalyzeOperation>
<Enabled>true</Enabled>
<Hive>LocalMachine</Hive>
<RegValueType>Int</RegValueType>
<KeyPath>Software\Microsoft\Windows\CurrentVersion\Policies\System</KeyPath>
<ValueName>DisableCAD</ValueName>
</BaselineRegistryRule>
<BaselineRegistryRule>
<!-- Audits the multi-string value NullSessionShares under LanManServer\Parameters. -->
<BaselineId>9ff96717-0c7f-4ed0-a7a0-22bdd9c7a75b</BaselineId>
<Id>8ddb2efd-157c-48cc-98cc-1ce4ee691f80</Id>
<OriginalId>c067da7d-80a9-4b00-9414-d98d37139490</OriginalId>
<CceId>CCE-10821-7</CceId>
<Name>Network access: Shares that can be accessed anonymously</Name>
<Type>Registry</Type>
<!-- Empty expected value: the baseline wants no share listed for anonymous (null session) access. -->
<!-- NOTE(review): whether the analyzer treats an absent value the same as an empty list is not visible here; verify before relying on a pass. -->
<ExpectedValue />
<Severity>Warning</Severity>
<AnalyzeOperation>Equals</AnalyzeOperation>
<Enabled>true</Enabled>
<Hive>LocalMachine</Hive>
<RegValueType>MultipleString</RegValueType>
<KeyPath>System\CurrentControlSet\Services\LanManServer\Parameters</KeyPath>
<ValueName>NullSessionShares</ValueName>
</BaselineRegistryRule>
<BaselineRegistryRule>
<BaselineId>9ff96717-0c7f-4ed0-a7a0-22bdd9c7a75b</BaselineId>
<Id>17c5d41c-b621-4e4d-bb6f-29e363647afe</Id>
<OriginalId>d5d37567-6f6c-4b86-a13a-d10b708432dc</OriginalId>
<CceId>CCE-10883-7</CceId>
<Name>Devices: Allow undock without having to log on</Name>
<Type>Registry</Type>
<ExpectedValue>0</ExpectedValue>
<Severity>Informational</Severity>
<AnalyzeOperation>Equals</AnalyzeOperation>
<Enabled>true</Enabled>
<Hive>LocalMachine</Hive>
<RegValueType>Int</RegValueType>
<KeyPath>Software\Microsoft\Windows\CurrentVersion\Policies\System</KeyPath>
<ValueName>undockwithoutlogon</ValueName>
</BaselineRegistryRule>
<BaselineRegistryRule>
<BaselineId>9ff96717-0c7f-4ed0-a7a0-22bdd9c7a75b</BaselineId>
<Id>44f67abb-1219-4131-88a3-3ad33f684b2c</Id>
<OriginalId>6e47e304-7197-4791-b16d-9a6ad3306ad4</OriginalId>
<CceId>CCE-10900-9</CceId>
<Name>System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies</Name>
<Type>Registry</Type>
<ExpectedValue>1</ExpectedValue>
<Severity>Warning</Severity>
<AnalyzeOperation>Equals</AnalyzeOperation>
<Enabled>true</Enabled>
<Hive>LocalMachine</Hive>
<RegValueType>Int</RegValueType>
<KeyPath>Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers</KeyPath>
<ValueName>AuthenticodeEnabled</ValueName>
</BaselineRegistryRule>
<BaselineRegistryRule>
<BaselineId>9ff96717-0c7f-4ed0-a7a0-22bdd9c7a75b</BaselineId>
<Id>748fc154-6cc5-4ca4-92f8-34146a9a6a89</Id>
<OriginalId>7c6c01fd-5c0d-4398-9de0-0a8855c4cd95</OriginalId>
<CceId>CCE-10825-8</CceId>
<Name>Network access: Sharing and security model for local accounts</Name>
<Type>Registry</Type>
<ExpectedValue>0</ExpectedValue>
<Severity>Critical</Severity>
<AnalyzeOperation>Equals</AnalyzeOperation>
<Enabled>true</Enabled>
<Hive>LocalMachine</Hive>
<RegValueType>Int</RegValueType>
<KeyPath>System\CurrentControlSet\Control\Lsa</KeyPath>
<ValueName>ForceGuest</ValueName>
</BaselineRegistryRule>
<BaselineRegistryRule>
<!-- Audits Winlogon\AutoAdminLogon, read as a String value, for equality with "0" (automatic logon off). -->
<!-- When automatic logon is on, Winlogon signs in with credentials kept in the same key, and the password is stored there in clear text. -->
<!-- NOTE(review): this rule carries the lowest severity used in this file (Informational); confirm that matches how a failing host should be triaged. -->
<BaselineId>9ff96717-0c7f-4ed0-a7a0-22bdd9c7a75b</BaselineId>
<Id>4172ff2d-fb97-4bd5-b612-2d2ebb5cbcfa</Id>
<OriginalId>b1d27dc2-b5e3-4dc5-9d3b-d634e7a25353</OriginalId>
<CceId>CCE-10745-8</CceId>
<Name>MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)</Name>
<Type>Registry</Type>
<ExpectedValue>0</ExpectedValue>
<Severity>Informational</Severity>
<AnalyzeOperation>Equals</AnalyzeOperation>
<Enabled>true</Enabled>
<Hive>LocalMachine</Hive>
<RegValueType>String</RegValueType>
<KeyPath>Software\Microsoft\Windows NT\CurrentVersion\Winlogon</KeyPath>
<ValueName>AutoAdminLogon</ValueName>
</BaselineRegistryRule>
<BaselineRegistryRule>
<BaselineId>9ff96717-0c7f-4ed0-a7a0-22bdd9c7a75b</BaselineId>
<Id>c34eb46f-522c-4fc6-8296-33f372e23614</Id>
<OriginalId>3849d4a1-188c-43d8-ad75-c73a82a8e0fe</OriginalId>
<CceId>CCE-10419-0</CceId>
<Name>Shutdown: Allow system to be shut down without having to log on</Name>
<Type>Registry</Type>
<ExpectedValue>0</ExpectedValue>
<Severity>Warning</Severity>
<AnalyzeOperation>Equals</AnalyzeOperation>
<Enabled>true</Enabled>
<Hive>LocalMachine</Hive>
<RegValueType>Int</RegValueType>
<KeyPath>Software\Microsoft\Windows\CurrentVersion\Policies\System</KeyPath>
<ValueName>ShutdownWithoutLogon</ValueName>
</BaselineRegistryRule>
<BaselineRegistryRule>
<BaselineId>9ff96717-0c7f-4ed0-a7a0-22bdd9c7a75b</BaselineId>
<Id>d2f05f50-8392-4f5f-9a42-880362257b6f</Id>
<OriginalId>68c3ff44-f8a7-4059-81d7-56749f60665b</OriginalId>
<CceId>CCE-10983-5</CceId>
<Name>Microsoft network server: Disconnect clients when logon hours expire</Name>
<Type>Registry</Type>
<ExpectedValue>1</ExpectedValue>
<Severity>Critical</Severity>
<AnalyzeOperation>Equals</AnalyzeOperation>
<Enabled>true</Enabled>
<Hive>LocalMachine</Hive>
<RegValueType>Int</RegValueType>
<KeyPath>System\CurrentControlSet\Services\LanManServer\Parameters</KeyPath>
<ValueName>enableforcedlogoff</ValueName>
</BaselineRegistryRule>
<BaselineRegistryRule>
<BaselineId>9ff96717-0c7f-4ed0-a7a0-22bdd9c7a75b</BaselineId>
<Id>9b2c0c3a-59a7-4b6a-b39e-41ebbd94cc88</Id>
<OriginalId>d3fe2010-6fe1-401c-81e8-a635d540af09</OriginalId>
<CceId>CCE-10019-8</CceId>
<Name>MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)</Name>
<Type>Registry</Type>
<ExpectedValue>0</ExpectedValue>
<Severity>Warning</Severity>
<AnalyzeOperation>Equals</AnalyzeOperation>
<Enabled>true</Enabled>
<Hive>LocalMachine</Hive>
<RegValueType>String</RegValueType>
<KeyPath>Software\Microsoft\Windows NT\CurrentVersion\Winlogon</KeyPath>
<ValueName>ScreenSaverGracePeriod</ValueName>
</BaselineRegistryRule>
<BaselineRegistryRule>
<BaselineId>9ff96717-0c7f-4ed0-a7a0-22bdd9c7a75b</BaselineId>
<Id>40442e25-a39b-473b-a798-1cec1c0f3bf9</Id>
<OriginalId>402dc351-392a-4816-a26a-65a7bcc94087</OriginalId>
<CceId>CCE-10573-4</CceId>
<Name>Interactive logon: Smart card removal behavior</Name>
<Type>Registry</Type>
<ExpectedValue>1</ExpectedValue>
<Severity>Warning</Severity>
<AnalyzeOperation>Equals</AnalyzeOperation>
<Enabled>true</Enabled>
<Hive>LocalMachine</Hive>
<RegValueType>String</RegValueType>
<KeyPath>Software\Microsoft\Windows NT\CurrentVersion\Winlogon</KeyPath>
<ValueName>scremoveoption</ValueName>
</BaselineRegistryRule>
<BaselineRegistryRule>
<BaselineId>9ff96717-0c7f-4ed0-a7a0-22bdd9c7a75b</BaselineId>
<Id>9a4bfb19-30a0-4c6d-819b-3ba9a06e3219</Id>
<OriginalId>6b285a31-21ae-4b0c-813c-a8cc812c694d</OriginalId>
<CceId>CCE-10788-8</CceId>
<Name>Interactive logon: Do not display last user name</Name>
<Type>Registry</Type>
<ExpectedValue>1</ExpectedValue>
<Severity>Critical</Severity>
<AnalyzeOperation>Equals</AnalyzeOperation>
<Enabled>true</Enabled>
<Hive>LocalMachine</Hive>
<RegValueType>Int</RegValueType>
<KeyPath>Software\Microsoft\Windows\CurrentVersion\Policies\System</KeyPath>
<ValueName>DontDisplayLastUserName</ValueName>
</BaselineRegistryRule>
<BaselineRegistryRule>
<!-- Audits the NTLM SSP minimum session security flags for outbound (client) sessions. -->
<BaselineId>9ff96717-0c7f-4ed0-a7a0-22bdd9c7a75b</BaselineId>
<Id>2235fb37-c2e7-47e7-9b1d-1e942b9d9273</Id>
<OriginalId>9969a7db-5fd1-4713-9a26-9862c15359e9</OriginalId>
<CceId>CCE-10035-4</CceId>
<Name>Network security: Minimum session security for NTLM SSP based (including secure RPC) clients</Name>
<Type>Registry</Type>
<!-- 537395200 = 0x20080000: 0x00080000 (require NTLMv2 session security) + 0x20000000 (require 128-bit encryption). -->
<!-- The operation is Equals, not a bit test, so a host with any other flag combination is presumably reported as non-compliant; verify against the analyzer. -->
<ExpectedValue>537395200</ExpectedValue>
<Severity>Critical</Severity>
<AnalyzeOperation>Equals</AnalyzeOperation>
<Enabled>true</Enabled>
<Hive>LocalMachine</Hive>
<RegValueType>Int</RegValueType>
<KeyPath>System\CurrentControlSet\Control\Lsa\MSV1_0</KeyPath>
<ValueName>NTLMMinClientSec</ValueName>
</BaselineRegistryRule>
<BaselineRegistryRule>
<BaselineId>9ff96717-0c7f-4ed0-a7a0-22bdd9c7a75b</BaselineId>
<Id>6ea16893-bd87-4b70-b6ba-9ff6d5b7c159</Id>
<OriginalId>502cd61a-fec9-42f0-a096-1ac097bbdf73</OriginalId>
<CceId>CCE-10992-6</CceId>
<Name>Microsoft network server: Digitally sign communications (always)</Name>
<Type>Registry</Type>
<ExpectedValue>1</ExpectedValue>
<Severity>Critical</Severity>
<AnalyzeOperation>Equals</AnalyzeOperation>
<Enabled>true</Enabled>
<Hive>LocalMachine</Hive>
<RegValueType>Int</RegValueType>
<KeyPath>System\CurrentControlSet\Services\LanManServer\Parameters</KeyPath>
<ValueName>requiresecuritysignature</ValueName>
</BaselineRegistryRule>
<BaselineRegistryRule>
<!-- Audits the NTLM SSP minimum session security flags for inbound (server) sessions. -->
<BaselineId>9ff96717-0c7f-4ed0-a7a0-22bdd9c7a75b</BaselineId>
<Id>96673c32-da84-43ed-b369-037e75326657</Id>
<OriginalId>17463ab9-ffc1-40ab-8b09-e8054ba4504c</OriginalId>
<CceId>CCE-10040-4</CceId>
<Name>Network security: Minimum session security for NTLM SSP based (including secure RPC) servers</Name>
<Type>Registry</Type>
<!-- 537395200 = 0x20080000: 0x00080000 (require NTLMv2 session security) + 0x20000000 (require 128-bit encryption). -->
<ExpectedValue>537395200</ExpectedValue>
<Severity>Critical</Severity>
<AnalyzeOperation>Equals</AnalyzeOperation>
<Enabled>true</Enabled>
<Hive>LocalMachine</Hive>
<RegValueType>Int</RegValueType>
<KeyPath>System\CurrentControlSet\Control\Lsa\MSV1_0</KeyPath>
<ValueName>NTLMMinServerSec</ValueName>
</BaselineRegistryRule>
<BaselineRegistryRule>
<BaselineId>9ff96717-0c7f-4ed0-a7a0-22bdd9c7a75b</BaselineId>
<Id>09513492-f112-452c-9419-1433dd0889a4</Id>
<OriginalId>7ab7ae06-f9bd-4252-a282-8fd3a06a73df</OriginalId>
<CceId>CCE-10009-9</CceId>
<Name>Domain member: Digitally sign secure channel data (when possible)</Name>
<Type>Registry</Type>
<ExpectedValue>1</ExpectedValue>
<Severity>Critical</Severity>
<AnalyzeOperation>Equals</AnalyzeOperation>
<Enabled>true</Enabled>
<Hive>LocalMachine</Hive>
<RegValueType>Int</RegValueType>
<KeyPath>System\CurrentControlSet\Services\Netlogon\Parameters</KeyPath>
<ValueName>signsecurechannel</ValueName>
</BaselineRegistryRule>
<BaselineRegistryRule>
<BaselineId>9ff96717-0c7f-4ed0-a7a0-22bdd9c7a75b</BaselineId>
<Id>54d7e0ca-0d4b-41ef-97ce-b3c6f0e4fbf8</Id>
<OriginalId>ed734c3b-b27f-4515-9154-9f6f414e6564</OriginalId>
<CceId>CCE-10970-2</CceId>
<Name>Microsoft network client: Digitally sign communications (always)</Name>
<Type>Registry</Type>
<ExpectedValue>1</ExpectedValue>
<Severity>Critical</Severity>
<AnalyzeOperation>Equals</AnalyzeOperation>
<Enabled>true</Enabled>
<Hive>LocalMachine</Hive>
<RegValueType>Int</RegValueType>
<KeyPath>System\CurrentControlSet\Services\LanmanWorkstation\Parameters</KeyPath>
<ValueName>RequireSecuritySignature</ValueName>
</BaselineRegistryRule>
<BaselineRegistryRule>
<BaselineId>9ff96717-0c7f-4ed0-a7a0-22bdd9c7a75b</BaselineId>
<Id>1d3d4bc9-2644-4600-8b7b-7ebc40d1fe2b</Id>
<OriginalId>04b278da-3245-43ec-9d5a-a5a68805027b</OriginalId>
<CceId>CCE-10871-2</CceId>
<Name>Domain member: Digitally encrypt or sign secure channel data (always)</Name>
<Type>Registry</Type>
<ExpectedValue>1</ExpectedValue>
<Severity>Critical</Severity>
<AnalyzeOperation>Equals</AnalyzeOperation>
<Enabled>true</Enabled>
<Hive>LocalMachine</Hive>
<RegValueType>Int</RegValueType>
<KeyPath>System\CurrentControlSet\Services\Netlogon\Parameters</KeyPath>
<ValueName>requiresignorseal</ValueName>
</BaselineRegistryRule>
<BaselineRegistryRule>
<BaselineId>9ff96717-0c7f-4ed0-a7a0-22bdd9c7a75b</BaselineId>
<Id>84842d7a-c0e6-4b77-a083-95e0cd837f8d</Id>
<OriginalId>1c96e719-94c8-4333-9165-6efb6a9c6210</OriginalId>
<CceId>CCE-10978-5</CceId>
<Name>Microsoft network server: Digitally sign communications (if client agrees)</Name>
<Type>Registry</Type>
<ExpectedValue>1</ExpectedValue>
<Severity>Critical</Severity>
<AnalyzeOperation>Equals</AnalyzeOperation>
<Enabled>true</Enabled>
<Hive>LocalMachine</Hive>
<RegValueType>Int</RegValueType>
<KeyPath>System\CurrentControlSet\Services\LanManServer\Parameters</KeyPath>
<ValueName>enablesecuritysignature</ValueName>
</BaselineRegistryRule>
<BaselineRegistryRule>
<BaselineId>9ff96717-0c7f-4ed0-a7a0-22bdd9c7a75b</BaselineId>
<Id>6f033922-02cc-40d7-a04a-67cc8f315e53</Id>
<OriginalId>b106bcb1-2b74-4287-8587-6cd92d337be8</OriginalId>
<CceId>CCE-10875-3</CceId>
<Name>Domain member: Digitally encrypt secure channel data (when possible)</Name>
<Type>Registry</Type>
<ExpectedValue>1</ExpectedValue>
<Severity>Critical</Severity>
<AnalyzeOperation>Equals</AnalyzeOperation>
<Enabled>true</Enabled>
<Hive>LocalMachine</Hive>
<RegValueType>Int</RegValueType>
<KeyPath>System\CurrentControlSet\Services\Netlogon\Parameters</KeyPath>
<ValueName>sealsecurechannel</ValueName>
</BaselineRegistryRule>
<BaselineRegistryRule>
<BaselineId>9ff96717-0c7f-4ed0-a7a0-22bdd9c7a75b</BaselineId>
<Id>054f06de-4354-4755-9998-50dbca61195c</Id>
<OriginalId>b1b4a762-3114-438b-92cf-90f021714790</OriginalId>
<CceId>CCE-10838-1</CceId>
<Name>Microsoft network client: Send unencrypted password to third-party SMB servers</Name>
<Type>Registry</Type>
<ExpectedValue>0</ExpectedValue>
<Severity>Critical</Severity>
<AnalyzeOperation>Equals</AnalyzeOperation>
<Enabled>true</Enabled>
<Hive>LocalMachine</Hive>
<RegValueType>Int</RegValueType>
<KeyPath>System\CurrentControlSet\Services\LanmanWorkstation\Parameters</KeyPath>
<ValueName>EnablePlainTextPassword</ValueName>
</BaselineRegistryRule>
<BaselineRegistryRule>
<!-- Audits the service dependency list of LanmanWorkstation. The expected list names Bowser, MRxSmb20 and NSI and leaves out MRxSmb10, the SMB v1 client driver. -->
<!-- This file also holds a separate rule that checks mrxsmb10\Start = 4; both have to pass for the SMB v1 client to count as disabled. -->
<BaselineId>9ff96717-0c7f-4ed0-a7a0-22bdd9c7a75b</BaselineId>
<Id>27c608ac-19c6-48cb-adee-b8fd1e3bec30</Id>
<OriginalId>858dc11d-40ae-4b37-a5ae-afa241029c55</OriginalId>
<CceId>NOT_ASSIGNED</CceId>
<Name>Disable SMB v1 client</Name>
<Type>Registry</Type>
<!-- "|#|" looks like the separator between entries of the multi-string value; confirm against the analyzer. -->
<!-- NOTE(review): with Equals, a host whose list has extra entries or a different order is presumably flagged even when MRxSmb10 is absent. -->
<ExpectedValue>Bowser|#|MRxSmb20|#|NSI</ExpectedValue>
<Severity>Critical</Severity>
<AnalyzeOperation>Equals</AnalyzeOperation>
<Enabled>true</Enabled>
<Hive>LocalMachine</Hive>
<RegValueType>MultipleString</RegValueType>
<KeyPath>System\CurrentControlSet\Services\LanmanWorkstation</KeyPath>
<ValueName>DependOnService</ValueName>
</BaselineRegistryRule>
<BaselineRegistryRule>
<!-- Audits LanmanServer\Parameters\SMB1 for the value 0 (SMB v1 server protocol off). -->
<!-- NOTE(review): on Windows Server 2008 R2 this value does not exist by default and SMB v1 stays enabled while it is absent. How the analyzer reports a missing value is not visible here; it should count as a failure. -->
<BaselineId>9ff96717-0c7f-4ed0-a7a0-22bdd9c7a75b</BaselineId>
<Id>a0a37e75-16a0-4416-9285-4991dd173270</Id>
<OriginalId>1cfea2df-ad4f-44a5-8d8f-60f3092ff2a5</OriginalId>
<CceId>NOT_ASSIGNED</CceId>
<Name>Disable SMB v1 server</Name>
<Type>Registry</Type>
<ExpectedValue>0</ExpectedValue>
<Severity>Critical</Severity>
<AnalyzeOperation>Equals</AnalyzeOperation>
<Enabled>true</Enabled>
<Hive>LocalMachine</Hive>
<RegValueType>Int</RegValueType>
<KeyPath>System\CurrentControlSet\Services\LanmanServer\Parameters</KeyPath>
<ValueName>SMB1</ValueName>
</BaselineRegistryRule>
<BaselineRegistryRule>
<!-- Audits the start type of the mrxsmb10 driver (SMB v1 client). Start = 4 is the service-control value for "disabled". -->
<BaselineId>9ff96717-0c7f-4ed0-a7a0-22bdd9c7a75b</BaselineId>
<Id>900b0cb5-68e7-4827-baa4-e4e7dc121992</Id>
<!-- NOTE(review): this OriginalId is identical to the one on the CCE-10838-1 rule (EnablePlainTextPassword) earlier in this file. It looks copied; if OriginalId is used as a key, the two rules will collide. -->
<OriginalId>b1b4a762-3114-438b-92cf-90f021714790</OriginalId>
<CceId>NOT_ASSIGNED</CceId>
<!-- NOTE(review): the name ends with a stray apostrophe that will show up wherever the rule name is displayed. -->
<Name>Set SMB v1 client (MRxSMB10) to disabled'</Name>
<Type>Registry</Type>
<ExpectedValue>4</ExpectedValue>
<Severity>Critical</Severity>
<AnalyzeOperation>Equals</AnalyzeOperation>
<Enabled>true</Enabled>
<Hive>LocalMachine</Hive>
<RegValueType>Int</RegValueType>
<KeyPath>SYSTEM\CurrentControlSet\Services\mrxsmb10</KeyPath>
<ValueName>Start</ValueName>
</BaselineRegistryRule>
<BaselineRegistryRule>
<BaselineId>9ff96717-0c7f-4ed0-a7a0-22bdd9c7a75b</BaselineId>
<Id>79503de0-b3e0-4e11-b1ea-7412e96a6a00</Id>
<OriginalId>817b2f4e-1f03-4bcc-927b-816ddd4777f9</OriginalId>
<CceId>CCE-10974-4</CceId>
<Name>Microsoft network client: Digitally sign communications (if server agrees)</Name>
<Type>Registry</Type>
<ExpectedValue>1</ExpectedValue>
<Severity>Critical</Severity>
<AnalyzeOperation>Equals</AnalyzeOperation>
<Enabled>true</Enabled>
<Hive>LocalMachine</Hive>
<RegValueType>Int</RegValueType>
<KeyPath>System\CurrentControlSet\Services\LanmanWorkstation\Parameters</KeyPath>
<ValueName>EnableSecuritySignature</ValueName>
</BaselineRegistryRule>
<BaselineRegistryRule>
<BaselineId>9ff96717-0c7f-4ed0-a7a0-22bdd9c7a75b</BaselineId>
<Id>bcb59cfd-a5fd-494f-ac0a-3194aea606db</Id>
<OriginalId>c6c11e09-fbc2-408d-af70-3b47f2d2d1b8</OriginalId>
<CceId>CCE-10789-6</CceId>
<Name>System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing</Name>
<Type>Registry</Type>
<ExpectedValue>1</ExpectedValue>
<Severity>Warning</Severity>
<AnalyzeOperation>Equals</AnalyzeOperation>
<Enabled>true</Enabled>
<Hive>LocalMachine</Hive>
<RegValueType>Int</RegValueType>
<KeyPath>System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy</KeyPath>
<ValueName>Enabled</ValueName>
</BaselineRegistryRule>
<BaselineRegistryRule>
<BaselineId>9ff96717-0c7f-4ed0-a7a0-22bdd9c7a75b</BaselineId>
<Id>69e6cfd8-adb4-4115-9862-98d06669b259</Id>
<OriginalId>577a19bc-6d69-45f1-9806-b413d522b05a</OriginalId>
<CceId>CCE-10541-1</CceId>
<Name>Domain member: Require strong (Windows 2000 or later) session key</Name>
<Type>Registry</Type>
<ExpectedValue>1</ExpectedValue>
<Severity>Critical</Severity>
<AnalyzeOperation>Equals</AnalyzeOperation>
<Enabled>true</Enabled>
<Hive>LocalMachine</Hive>
<RegValueType>Int</RegValueType>
<KeyPath>System\CurrentControlSet\Services\Netlogon\Parameters</KeyPath>
<ValueName>requirestrongkey</ValueName>
</BaselineRegistryRule>
<BaselineRegistryRule>
<BaselineId>9ff96717-0c7f-4ed0-a7a0-22bdd9c7a75b</BaselineId>
<Id>3c3923bb-a8a8-42e8-a867-9e509b35bd22</Id>
<OriginalId>92b9d876-9d87-460c-82ea-9e8bd94c21ad</OriginalId>
<CceId>CCE-11010-6</CceId>
<Name>System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)</Name>
<Type>Registry</Type>
<ExpectedValue>1</ExpectedValue>
<Severity>Critical</Severity>
<AnalyzeOperation>Equals</AnalyzeOperation>
<Enabled>true</Enabled>
<Hive>LocalMachine</Hive>
<RegValueType>Int</RegValueType>
<KeyPath>System\CurrentControlSet\Control\Session Manager</KeyPath>
<ValueName>ProtectionMode</ValueName>
</BaselineRegistryRule>
<BaselineRegistryRule>
<BaselineId>9ff96717-0c7f-4ed0-a7a0-22bdd9c7a75b</BaselineId>
<Id>d79aa516-f80c-4006-ae71-91861badb647</Id>
<OriginalId>74870acb-ad3d-4bec-a067-1b1895ce2621</OriginalId>
<CceId>CCE-10930-6</CceId>
<Name>Interactive logon: Prompt user to change password before expiration</Name>
<Type>Registry</Type>
<ExpectedValue>14</ExpectedValue>
<Severity>Critical</Severity>
<AnalyzeOperation>Equals</AnalyzeOperation>
<Enabled>true</Enabled>
<Hive>LocalMachine</Hive>
<RegValueType>Int</RegValueType>
<KeyPath>Software\Microsoft\Windows NT\CurrentVersion\Winlogon</KeyPath>
<ValueName>passwordexpirywarning</ValueName>
</BaselineRegistryRule>
<BaselineRegistryRule>
<BaselineId>9ff96717-0c7f-4ed0-a7a0-22bdd9c7a75b</BaselineId>
<Id>05d8a84f-3b09-4b23-9331-49696b5faa07</Id>
<OriginalId>794f9728-56e1-4e5e-b697-7079757f4ac3</OriginalId>
<CceId>CCE-10830-8</CceId>
<Name>Network security: Do not store LAN Manager hash value on next password change</Name>
<Type>Registry</Type>
<ExpectedValue>1</ExpectedValue>
<Severity>Critical</Severity>
<AnalyzeOperation>Equals</AnalyzeOperation>
<Enabled>true</Enabled>
<Hive>LocalMachine</Hive>
<RegValueType>Int</RegValueType>
<KeyPath>System\CurrentControlSet\Control\Lsa</KeyPath>
<ValueName>NoLMHash</ValueName>
</BaselineRegistryRule>
<BaselineRegistryRule>
<BaselineId>9ff96717-0c7f-4ed0-a7a0-22bdd9c7a75b</BaselineId>
<Id>df5dcbe6-98d9-4057-bf66-ff25ae315091</Id>
<OriginalId>051cdac6-2234-4eb7-85eb-db391c469557</OriginalId>
<CceId>CCE-9992-9</CceId>
<Name>Accounts: Limit local account use of blank passwords to console logon only</Name>
<Type>Registry</Type>
<ExpectedValue>1</ExpectedValue>
<Severity>Critical</Severity>
<AnalyzeOperation>Equals</AnalyzeOperation>
<Enabled>true</Enabled>
<Hive>LocalMachine</Hive>
<RegValueType>Int</RegValueType>
<KeyPath>System\CurrentControlSet\Control\Lsa</KeyPath>
<ValueName>LimitBlankPasswordUse</ValueName>
</BaselineRegistryRule>
<BaselineRegistryRule>
<BaselineId>9ff96717-0c7f-4ed0-a7a0-22bdd9c7a75b</BaselineId>
<Id>22f901b2-6bf3-4389-bde4-c1ea89688767</Id>
<OriginalId>b44fadd3-f7c2-45dc-98dd-5e9ba179d89d</OriginalId>
<CceId>CCE-10775-5</CceId>
<Name>Domain member: Disable machine account password changes</Name>
<Type>Registry</Type>
<ExpectedValue>0</ExpectedValue>
<Severity>Critical</Severity>
<AnalyzeOperation>Equals</AnalyzeOperation>
<Enabled>true</Enabled>
<Hive>LocalMachine</Hive>
<RegValueType>Int</RegValueType>
<KeyPath>System\CurrentControlSet\Services\Netlogon\Parameters</KeyPath>
<ValueName>disablepasswordchange</ValueName>
</BaselineRegistryRule>
<BaselineSecurityPolicyRule>
<!-- Security-policy rule rather than a registry rule: it is located by SectionName and SettingName instead of Hive, KeyPath and ValueName. -->
<!-- SeSecurityPrivilege lets its holders read and clear the Security event log and change object auditing, so the baseline expects it to be held by Administrators only. -->
<BaselineId>9ff96717-0c7f-4ed0-a7a0-22bdd9c7a75b</BaselineId>
<Id>574355e3-1590-4aee-ba35-3afc4527c80e</Id>
<OriginalId>6630b24b-754a-49a5-9750-188ae53c13b9</OriginalId>
<CceId>CCE-10726-8</CceId>
<Name>Manage auditing and security log</Name>
<Type>SecurityPolicy</Type>
<!-- NOTE(review): with Equals, any additional principal granted this right is presumably reported as non-compliant; how names or SIDs are normalised before comparison is not visible here. -->
<ExpectedValue>Administrators</ExpectedValue>
<Severity>Critical</Severity>
<AnalyzeOperation>Equals</AnalyzeOperation>
<Enabled>true</Enabled>
<SectionName>Privilege Rights</SectionName>
<SettingName>SeSecurityPrivilege</SettingName>
</BaselineSecurityPolicyRule>
<BaselineRegistryRule>
<!-- Audits the domain-profile firewall policy value DisableUnicastResponsesToMulticastBroadcast. -->
<BaselineId>9ff96717-0c7f-4ed0-a7a0-22bdd9c7a75b</BaselineId>
<Id>9101cc88-82e7-4791-9e9d-ca4067264d8f</Id>
<OriginalId>567434c1-c73f-4a24-8553-eaf1fd70fc90</OriginalId>
<CceId>CCE-11041-1</CceId>
<!-- The display name and the registry value have opposite polarity: the name says "Allow", the value name says "Disable". -->
<Name>Windows Firewall: Domain: Allow unicast response</Name>
<Type>Registry</Type>
<!-- Expected 1 therefore means unicast responses to multicast or broadcast traffic are NOT allowed. The private-profile rule in this file follows the same convention. -->
<ExpectedValue>1</ExpectedValue>
<Severity>Critical</Severity>
<AnalyzeOperation>Equals</AnalyzeOperation>
<Enabled>true</Enabled>
<Hive>LocalMachine</Hive>
<RegValueType>Int</RegValueType>
<KeyPath>Software\Policies\Microsoft\WindowsFirewall\DomainProfile</KeyPath>
<ValueName>DisableUnicastResponsesToMulticastBroadcast</ValueName>
</BaselineRegistryRule>
<BaselineRegistryRule>
<BaselineId>9ff96717-0c7f-4ed0-a7a0-22bdd9c7a75b</BaselineId>
<Id>6bd2cc58-fce9-4ece-9a1e-c2f2aa5ca2b5</Id>
<OriginalId>21e5ee29-51b2-4719-b979-af03e47a128e</OriginalId>
<CceId>CCE-10732-6</CceId>
<Name>MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)</Name>
<Type>Registry</Type>
<ExpectedValue>2</ExpectedValue>
<Severity>Warning</Severity>
<AnalyzeOperation>Equals</AnalyzeOperation>
<Enabled>true</Enabled>
<Hive>LocalMachine</Hive>
<RegValueType>Int</RegValueType>
<KeyPath>System\CurrentControlSet\Services\Tcpip\Parameters</KeyPath>
<ValueName>DisableIPSourceRouting</ValueName>
</BaselineRegistryRule>
<BaselineRegistryRule>
<BaselineId>9ff96717-0c7f-4ed0-a7a0-22bdd9c7a75b</BaselineId>
<Id>84ba2ade-827c-4eb3-89bd-7c1035047f6d</Id>
<OriginalId>691c581a-3b42-408b-abbe-f0bea9de3156</OriginalId>
<CceId>CCE-10123-8</CceId>
<Name>Windows Firewall: Private: Outbound connections</Name>
<Type>Registry</Type>
<ExpectedValue>0</ExpectedValue>
<Severity>Critical</Severity>
<AnalyzeOperation>Equals</AnalyzeOperation>
<Enabled>true</Enabled>
<Hive>LocalMachine</Hive>
<RegValueType>Int</RegValueType>
<KeyPath>Software\Policies\Microsoft\WindowsFirewall\PrivateProfile</KeyPath>
<ValueName>DefaultOutboundAction</ValueName>
</BaselineRegistryRule>
<BaselineRegistryRule>
<BaselineId>9ff96717-0c7f-4ed0-a7a0-22bdd9c7a75b</BaselineId>
<Id>97c2f3dc-6305-42b7-97a5-1f1fd47457e2</Id>
<OriginalId>3fe3c052-d096-4bc2-8d03-7ddb03f3b1f6</OriginalId>
<CceId>CCE-10127-9</CceId>
<Name>Windows Firewall: Private: Allow unicast response</Name>
<Type>Registry</Type>
<ExpectedValue>1</ExpectedValue>
<Severity>Critical</Severity>
<AnalyzeOperation>Equals</AnalyzeOperation>
<Enabled>true</Enabled>
<Hive>LocalMachine</Hive>
<RegValueType>Int</RegValueType>
<KeyPath>Software\Policies\Microsoft\WindowsFirewall\PrivateProfile</KeyPath>
<ValueName>DisableUnicastResponsesToMulticastBroadcast</ValueName>
</BaselineRegistryRule>
<BaselineRegistryRule>
<BaselineId>9ff96717-0c7f-4ed0-a7a0-22bdd9c7a75b</BaselineId>
<Id>76dd5075-f8e0-4452-955e-42a394fe1534</Id>
<OriginalId>75208064-559a-4412-8ca6-5da2d0e10cfd</OriginalId>
<CceId>CCE-10481-0</CceId>
<Name>Windows Firewall: Public: Outbound connections</Name>
<Type>Registry</Type>
<ExpectedValue>0</ExpectedValue>
<Severity>Critical</Severity>
<AnalyzeOperation>Equals</AnalyzeOperation>
<Enabled>true</Enabled>
<Hive>LocalMachine</Hive>
<RegValueType>Int</RegValueType>
<KeyPath>Software\Policies\Microsoft\WindowsFirewall\PublicProfile</KeyPath>
<ValueName>DefaultOutboundAction</ValueName>
</BaselineRegistryRule>
<BaselineRegistryRule>
<BaselineId>9ff96717-0c7f-4ed0-a7a0-22bdd9c7a75b</BaselineId>
<Id>a80259e9-f850-4ed6-a864-9e1ed9843646</Id>
<OriginalId>21d226de-3201-414e-a16a-b626b6d0cc26</OriginalId>
<CceId>CCE-10888-6</CceId>
<Name>MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)</Name>
<Type>Registry</Type>
<ExpectedValue>2</ExpectedValue>
<Severity>Warning</Severity>
<AnalyzeOperation>Equals</AnalyzeOperation>
<Enabled>true</Enabled>
<Hive>LocalMachine</Hive>
<RegValueType>Int</RegValueType>
<KeyPath>System\CurrentControlSet\Services\Tcpip6\Parameters</KeyPath>
<ValueName>DisableIPSourceRouting</ValueName>
</BaselineRegistryRule>
<BaselineRegistryRule>
<BaselineId>9ff96717-0c7f-4ed0-a7a0-22bdd9c7a75b</BaselineId>
<Id>bc814576-04c6-4c38-aa2e-2707692bb324</Id>
<OriginalId>27abca4f-4873-490c-87b6-e84d2533ba13</OriginalId>
<CceId>CCE-11019-7</CceId>
<Name>Windows Firewall: Domain: Display a notification</Name>
<Type>Registry</Type>
<ExpectedValue>0</ExpectedValue>
<Severity>Critical</Severity>
<AnalyzeOperation>Equals</AnalyzeOperation>
<Enabled>true</Enabled>
<Hive>LocalMachine</Hive>
<RegValueType>Int</RegValueType>
<KeyPath>Software\Policies\Microsoft\WindowsFirewall\DomainProfile</KeyPath>
<ValueName>DisableNotifications</ValueName>
</BaselineRegistryRule>
<!-- Registry check: EnableFirewall under the Domain profile policy key must equal 1 (firewall on).
     The KeyPath is under Software\Policies, which is normally populated only when Group Policy
     sets the value; a firewall enabled through local settings alone is stored elsewhere.
     NOTE(review): how the analyzer scores a missing value is not defined in this file.
     Confirm that an absent value is reported as a failure rather than skipped. -->
<BaselineRegistryRule>
<BaselineId>9ff96717-0c7f-4ed0-a7a0-22bdd9c7a75b</BaselineId>
<Id>d174be42-6884-4d57-a6ed-5722805c2033</Id>
<OriginalId>2e65a105-5cb1-473d-b0ca-c933415d91be</OriginalId>
<CceId>CCE-10482-8</CceId>
<Name>Windows Firewall: Domain: Firewall state</Name>
<Type>Registry</Type>
<ExpectedValue>1</ExpectedValue>
<Severity>Critical</Severity>
<AnalyzeOperation>Equals</AnalyzeOperation>
<Enabled>true</Enabled>
<Hive>LocalMachine</Hive>
<RegValueType>Int</RegValueType>
<KeyPath>Software\Policies\Microsoft\WindowsFirewall\DomainProfile</KeyPath>
<ValueName>EnableFirewall</ValueName>
</BaselineRegistryRule>
<!-- Registry check: AllowLocalPolicyMerge under the Public profile policy key must equal 1,
     i.e. locally defined firewall rules are merged with the rules delivered by Group Policy.
     NOTE(review): with merge enabled, rules created on the host (by a local administrator or
     by installed software) remain effective on the least-trusted profile. Some later hardening
     guides expect 0 for the Public profile; confirm 1 is the value CCE-10188-1 intends. -->
<BaselineRegistryRule>
<BaselineId>9ff96717-0c7f-4ed0-a7a0-22bdd9c7a75b</BaselineId>
<Id>a46dcd33-c3e4-485b-94a0-c3848f88099d</Id>
<OriginalId>968787a1-6a19-4c96-82dd-ca531f84666d</OriginalId>
<CceId>CCE-10188-1</CceId>
<Name>Windows Firewall: Public: Apply local firewall rules</Name>
<Type>Registry</Type>
<ExpectedValue>1</ExpectedValue>
<Severity>Critical</Severity>
<AnalyzeOperation>Equals</AnalyzeOperation>
<Enabled>true</Enabled>
<Hive>LocalMachine</Hive>
<RegValueType>Int</RegValueType>
<KeyPath>Software\Policies\Microsoft\WindowsFirewall\PublicProfile</KeyPath>
<ValueName>AllowLocalPolicyMerge</ValueName>
</BaselineRegistryRule>
<BaselineRegistryRule>
<BaselineId>9ff96717-0c7f-4ed0-a7a0-22bdd9c7a75b</BaselineId>
<Id>90962192-fb24-4278-a348-83adff73172f</Id>
<OriginalId>62c711b9-cd72-4fd2-8596-bb90387278da</OriginalId>
<CceId>CCE-10113-9</CceId>
<Name>Windows Firewall: Domain: Outbound connections</Name>
<Type>Registry</Type>
<ExpectedValue>0</ExpectedValue>
<Severity>Critical</Severity>
<AnalyzeOperation>Equals</AnalyzeOperation>
<Enabled>true</Enabled>
<Hive>LocalMachine</Hive>
<RegValueType>Int</RegValueType>
<KeyPath>Software\Policies\Microsoft\WindowsFirewall\DomainProfile</KeyPath>
<ValueName>DefaultOutboundAction</ValueName>
</BaselineRegistryRule>
<BaselineRegistryRule>
<BaselineId>9ff96717-0c7f-4ed0-a7a0-22bdd9c7a75b</BaselineId>
<Id>bc41ad1f-cd82-4ce6-9c20-d012bd267dbd</Id>
<OriginalId>0a80cfc2-0dcd-4566-b4be-6d8224961f83</OriginalId>
<CceId>CCE-10798-7</CceId>
<Name>Windows Firewall: Domain: Apply local firewall rules</Name>
<Type>Registry</Type>
<ExpectedValue>1</ExpectedValue>
<Severity>Critical</Severity>
<AnalyzeOperation>Equals</AnalyzeOperation>
<Enabled>true</Enabled>
<Hive>LocalMachine</Hive>
<RegValueType>Int</RegValueType>
<KeyPath>Software\Policies\Microsoft\WindowsFirewall\DomainProfile</KeyPath>
<ValueName>AllowLocalPolicyMerge</ValueName>
</BaselineRegistryRule>
<BaselineRegistryRule>
<BaselineId>9ff96717-0c7f-4ed0-a7a0-22bdd9c7a75b</BaselineId>
<Id>0e48f17d-c5ca-4153-bb5c-56d1cad7be5a</Id>
<OriginalId>0091ec7e-714b-4bb3-9a36-a73412c6c1f9</OriginalId>
<CceId>CCE-10631-0</CceId>
<Name>Windows Firewall: Private: Display a notification</Name>
<Type>Registry</Type>
<ExpectedValue>0</ExpectedValue>
<Severity>Critical</Severity>
<AnalyzeOperation>Equals</AnalyzeOperation>
<Enabled>true</Enabled>
<Hive>LocalMachine</Hive>
<RegValueType>Int</RegValueType>
<KeyPath>Software\Policies\Microsoft\WindowsFirewall\PrivateProfile</KeyPath>
<ValueName>DisableNotifications</ValueName>
</BaselineRegistryRule>
<BaselineRegistryRule>
<BaselineId>9ff96717-0c7f-4ed0-a7a0-22bdd9c7a75b</BaselineId>
<Id>fc0f8c5f-eac2-49d8-b3cb-240d6941b92e</Id>
<OriginalId>f5513338-0fa1-484e-83fb-9a5bd3954d44</OriginalId>
<CceId>CCE-10921-5</CceId>
<Name>Windows Firewall: Private: Apply local connection security rules</Name>
<Type>Registry</Type>
<ExpectedValue>1</ExpectedValue>
<Severity>Critical</Severity>
<AnalyzeOperation>Equals</AnalyzeOperation>
<Enabled>true</Enabled>
<Hive>LocalMachine</Hive>
<RegValueType>Int</RegValueType>
<KeyPath>Software\Policies\Microsoft\WindowsFirewall\PrivateProfile</KeyPath>
<ValueName>AllowLocalIPsecPolicyMerge</ValueName>
</BaselineRegistryRule>
<BaselineRegistryRule>
<BaselineId>9ff96717-0c7f-4ed0-a7a0-22bdd9c7a75b</BaselineId>
<Id>799554d2-a741-4c94-a604-d46e71622cd9</Id>
<OriginalId>856f9866-0378-4952-a164-4d524770bb2a</OriginalId>
<CceId>CCE-11050-2</CceId>
<Name>Windows Firewall: Public: Firewall state</Name>
<Type>Registry</Type>
<ExpectedValue>1</ExpectedValue>
<Severity>Critical</Severity>
<AnalyzeOperation>Equals</AnalyzeOperation>
<Enabled>true</Enabled>
<Hive>LocalMachine</Hive>
<RegValueType>Int</RegValueType>
<KeyPath>Software\Policies\Microsoft\WindowsFirewall\PublicProfile</KeyPath>
<ValueName>EnableFirewall</ValueName>
</BaselineRegistryRule>
<BaselineRegistryRule>
<BaselineId>9ff96717-0c7f-4ed0-a7a0-22bdd9c7a75b</BaselineId>
<Id>815b596a-8f4f-4bec-94ff-012a6ba560ca</Id>
<OriginalId>902a957b-c9b3-4302-883a-394555087509</OriginalId>
<CceId>CCE-11120-3</CceId>
<Name>Windows Firewall: Public: Display a notification</Name>
<Type>Registry</Type>
<ExpectedValue>0</ExpectedValue>
<Severity>Critical</Severity>
<AnalyzeOperation>Equals</AnalyzeOperation>
<Enabled>true</Enabled>
<Hive>LocalMachine</Hive>
<RegValueType>Int</RegValueType>
<KeyPath>Software\Policies\Microsoft\WindowsFirewall\PublicProfile</KeyPath>
<ValueName>DisableNotifications</ValueName>
</BaselineRegistryRule>
<BaselineRegistryRule>
<BaselineId>9ff96717-0c7f-4ed0-a7a0-22bdd9c7a75b</BaselineId>
<Id>f6dbea60-19b5-4d43-ab5c-1beef35003f0</Id>
<OriginalId>533bf252-df1b-4b5a-9320-8da18b19bcd2</OriginalId>
<CceId>CCE-10131-1</CceId>
<Name>Windows Firewall: Private: Apply local firewall rules</Name>
<Type>Registry</Type>
<ExpectedValue>1</ExpectedValue>
<Severity>Critical</Severity>
<AnalyzeOperation>Equals</AnalyzeOperation>
<Enabled>true</Enabled>
<Hive>LocalMachine</Hive>
<RegValueType>Int</RegValueType>
<KeyPath>Software\Policies\Microsoft\WindowsFirewall\PrivateProfile</KeyPath>
<ValueName>AllowLocalPolicyMerge</ValueName>
</BaselineRegistryRule>
<!-- Registry check with inverted polarity: the Name reads "Allow unicast response", but the
     value tested is DisableUnicastResponsesToMulticastBroadcast. ExpectedValue 1 therefore
     passes when unicast responses to multicast or broadcast traffic are NOT allowed on the
     Public profile. Read a pass on this rule as "unicast response: No". -->
<BaselineRegistryRule>
<BaselineId>9ff96717-0c7f-4ed0-a7a0-22bdd9c7a75b</BaselineId>
<Id>23d86c72-180a-4f3f-b409-d896ae0fa96d</Id>
<OriginalId>01cfd956-48cc-4ad6-94ff-b8f7ca488a91</OriginalId>
<CceId>CCE-10873-8</CceId>
<Name>Windows Firewall: Public: Allow unicast response</Name>
<Type>Registry</Type>
<ExpectedValue>1</ExpectedValue>
<Severity>Critical</Severity>
<AnalyzeOperation>Equals</AnalyzeOperation>
<Enabled>true</Enabled>
<Hive>LocalMachine</Hive>
<RegValueType>Int</RegValueType>
<KeyPath>Software\Policies\Microsoft\WindowsFirewall\PublicProfile</KeyPath>
<ValueName>DisableUnicastResponsesToMulticastBroadcast</ValueName>
</BaselineRegistryRule>
<!-- Registry check: AllowLocalIPsecPolicyMerge under the Public profile policy key must equal 1,
     i.e. locally defined connection security (IPsec) rules are merged with Group Policy rules.
     NOTE(review): as with local firewall rules, merging lets host-local rules take effect on
     the Public profile; confirm 1 is the value CCE-10529-6 intends for this profile. -->
<BaselineRegistryRule>
<BaselineId>9ff96717-0c7f-4ed0-a7a0-22bdd9c7a75b</BaselineId>
<Id>a3f12627-74b8-4fc2-ba0e-a897da2e5a83</Id>
<OriginalId>849952c3-4163-4e4d-9320-138c4af87134</OriginalId>
<CceId>CCE-10529-6</CceId>
<Name>Windows Firewall: Public: Apply local connection security rules</Name>
<Type>Registry</Type>
<ExpectedValue>1</ExpectedValue>
<Severity>Critical</Severity>
<AnalyzeOperation>Equals</AnalyzeOperation>
<Enabled>true</Enabled>
<Hive>LocalMachine</Hive>
<RegValueType>Int</RegValueType>
<KeyPath>Software\Policies\Microsoft\WindowsFirewall\PublicProfile</KeyPath>
<ValueName>AllowLocalIPsecPolicyMerge</ValueName>
</BaselineRegistryRule>
<BaselineRegistryRule>
<BaselineId>9ff96717-0c7f-4ed0-a7a0-22bdd9c7a75b</BaselineId>
<Id>c1004963-60d1-41f3-a38b-1322ae2ab452</Id>
<OriginalId>d493f92b-2fe2-4489-a4e6-03fd2e3710cd</OriginalId>
<CceId>CCE-11103-9</CceId>
<Name>Windows Firewall: Private: Firewall state</Name>
<Type>Registry</Type>
<ExpectedValue>1</ExpectedValue>
<Severity>Critical</Severity>
<AnalyzeOperation>Equals</AnalyzeOperation>
<Enabled>true</Enabled>
<Hive>LocalMachine</Hive>
<RegValueType>Int</RegValueType>
<KeyPath>Software\Policies\Microsoft\WindowsFirewall\PrivateProfile</KeyPath>
<ValueName>EnableFirewall</ValueName>
</BaselineRegistryRule>
<BaselineRegistryRule>
<BaselineId>9ff96717-0c7f-4ed0-a7a0-22bdd9c7a75b</BaselineId>
<Id>e99502cd-9e47-4aff-801b-7af3c92a4f29</Id>
<OriginalId>db12a482-5822-44ba-b35d-e944d3ddd528</OriginalId>
<CceId>CCE-11036-1</CceId>
<Name>Windows Firewall: Domain: Apply local connection security rules</Name>
<Type>Registry</Type>
<ExpectedValue>1</ExpectedValue>
<Severity>Critical</Severity>
<AnalyzeOperation>Equals</AnalyzeOperation>
<Enabled>true</Enabled>
<Hive>LocalMachine</Hive>
<RegValueType>Int</RegValueType>
<KeyPath>Software\Policies\Microsoft\WindowsFirewall\DomainProfile</KeyPath>
<ValueName>AllowLocalIPsecPolicyMerge</ValueName>
</BaselineRegistryRule>
<BaselineAuditPolicyRule>
<BaselineId>9ff96717-0c7f-4ed0-a7a0-22bdd9c7a75b</BaselineId>
<Id>37745508-95fb-44ec-ab0f-644ec0b16995</Id>
<OriginalId>2ea0de1a-c71d-46c8-8350-a7dd4d447895</OriginalId>
<CceId>CCE-11001-5</CceId>
<Name>Audit Policy: Account Management: Other Account Management Events</Name>
<Type>AuditPolicy</Type>
<ExpectedValue>Success and Failure</ExpectedValue>
<Severity>Critical</Severity>
<AnalyzeOperation>Equals</AnalyzeOperation>
<Enabled>true</Enabled>
<AuditPolicyId>0cce923a-69ae-11d9-bed3-505054503030</AuditPolicyId>
</BaselineAuditPolicyRule>
<BaselineAuditPolicyRule>
<BaselineId>9ff96717-0c7f-4ed0-a7a0-22bdd9c7a75b</BaselineId>
<Id>29a1a319-5a5c-406f-8511-21859a30e879</Id>
<OriginalId>e54d7bef-4406-4689-813c-ba14b3fd3ef8</OriginalId>
<CceId>CCE-11007-2</CceId>
<Name>Audit Policy: System: Security State Change</Name>
<Type>AuditPolicy</Type>
<ExpectedValue>Success and Failure</ExpectedValue>
<Severity>Critical</Severity>
<AnalyzeOperation>Equals</AnalyzeOperation>
<Enabled>true</Enabled>
<AuditPolicyId>0cce9210-69ae-11d9-bed3-505054503030</AuditPolicyId>
</BaselineAuditPolicyRule>
<BaselineAuditPolicyRule>
<BaselineId>9ff96717-0c7f-4ed0-a7a0-22bdd9c7a75b</BaselineId>
<Id>86e1a199-4b35-41ff-bb21-39f4af716963</Id>
<OriginalId>2768f99a-87a1-4be6-bf44-efcfd1412dea</OriginalId>
<CceId>CCE-11160-9</CceId>
<Name>Audit Policy: Policy Change: Authentication Policy Change</Name>
<Type>AuditPolicy</Type>
<ExpectedValue>Success</ExpectedValue>
<Severity>Critical</Severity>
<AnalyzeOperation>Equals</AnalyzeOperation>
<Enabled>true</Enabled>
<AuditPolicyId>0cce9230-69ae-11d9-bed3-505054503030</AuditPolicyId>
</BaselineAuditPolicyRule>
<!-- Audit subcategory check: Process Creation (subcategory GUID in AuditPolicyId) must be
     set to "Success". Process creation events are a primary data source for detection and
     incident response, hence the Critical severity.
     NOTE(review): the operation is Equals, so a host auditing "Success and Failure" would
     presumably fail this rule even though it logs more than the baseline asks for. Confirm
     how the analyzer treats a superset setting. -->
<BaselineAuditPolicyRule>
<BaselineId>9ff96717-0c7f-4ed0-a7a0-22bdd9c7a75b</BaselineId>
<Id>76412698-02d6-4b76-afbe-9f33bbc3883d</Id>
<OriginalId>6598ae0c-9227-4f87-b754-f68d2f5820fc</OriginalId>
<CceId>CCE-10514-8</CceId>
<Name>Audit Policy: Detailed Tracking: Process Creation</Name>
<Type>AuditPolicy</Type>
<ExpectedValue>Success</ExpectedValue>
<Severity>Critical</Severity>
<AnalyzeOperation>Equals</AnalyzeOperation>
<Enabled>true</Enabled>
<AuditPolicyId>0cce922b-69ae-11d9-bed3-505054503030</AuditPolicyId>
</BaselineAuditPolicyRule>
<BaselineAuditPolicyRule>
<BaselineId>9ff96717-0c7f-4ed0-a7a0-22bdd9c7a75b</BaselineId>
<Id>76d23535-e8ce-469a-ac37-3bc01aa61edf</Id>
<OriginalId>b8fc1e7a-57fd-48a0-827e-f466b21663ae</OriginalId>
<CceId>CCE-11034-6</CceId>
<Name>Audit Policy: System: System Integrity</Name>
<Type>AuditPolicy</Type>
<ExpectedValue>Success and Failure</ExpectedValue>
<Severity>Critical</Severity>
<AnalyzeOperation>Equals</AnalyzeOperation>
<Enabled>true</Enabled>
<AuditPolicyId>0cce9212-69ae-11d9-bed3-505054503030</AuditPolicyId>
</BaselineAuditPolicyRule>
<BaselineAuditPolicyRule>
<BaselineId>9ff96717-0c7f-4ed0-a7a0-22bdd9c7a75b</BaselineId>
<Id>b9155e5d-38e5-434b-8bb9-c51c5b8d711d</Id>
<OriginalId>abcedd04-373e-493b-8fc4-610ca4e2c11e</OriginalId>
<CceId>CCE-11107-0</CceId>
<Name>Audit Policy: Logon-Logoff: Logon</Name>
<Type>AuditPolicy</Type>
<ExpectedValue>Success and Failure</ExpectedValue>
<Severity>Critical</Severity>
<AnalyzeOperation>Equals</AnalyzeOperation>
<Enabled>true</Enabled>
<AuditPolicyId>0cce9215-69ae-11d9-bed3-505054503030</AuditPolicyId>
</BaselineAuditPolicyRule>
<BaselineAuditPolicyRule>
<BaselineId>9ff96717-0c7f-4ed0-a7a0-22bdd9c7a75b</BaselineId>
<Id>689f305b-32bb-4adb-9803-3e9abf92040d</Id>
<OriginalId>f3179229-59a3-4c89-8eb2-45cdf42660b1</OriginalId>
<CceId>CCE-10737-5</CceId>
<Name>Audit Policy: Logon-Logoff: Special Logon</Name>
<Type>AuditPolicy</Type>
<ExpectedValue>Success</ExpectedValue>
<Severity>Critical</Severity>
<AnalyzeOperation>Equals</AnalyzeOperation>
<Enabled>true</Enabled>
<AuditPolicyId>0cce921b-69ae-11d9-bed3-505054503030</AuditPolicyId>
</BaselineAuditPolicyRule>
<!-- Registry check: HKLM\System\CurrentControlSet\Control\Lsa\scenoapplylegacyauditpolicy must
     equal 1, so that audit subcategory settings override the legacy category-level audit policy.
     The BaselineAuditPolicyRule entries in this ruleset test individual subcategories; without
     this override, a category-level policy can overwrite the subcategory values they expect. -->
<BaselineRegistryRule>
<BaselineId>9ff96717-0c7f-4ed0-a7a0-22bdd9c7a75b</BaselineId>
<Id>26d1d493-7dd9-489b-9baf-b7536b3bd33d</Id>
<OriginalId>b881554b-111f-46a8-9079-b9eeb9ea60f6</OriginalId>
<CceId>CCE-10112-1</CceId>
<Name>Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings</Name>
<Type>Registry</Type>
<ExpectedValue>1</ExpectedValue>
<Severity>Critical</Severity>
<AnalyzeOperation>Equals</AnalyzeOperation>
<Enabled>true</Enabled>
<Hive>LocalMachine</Hive>
<RegValueType>Int</RegValueType>
<KeyPath>System\CurrentControlSet\Control\Lsa</KeyPath>
<ValueName>scenoapplylegacyauditpolicy</ValueName>
</BaselineRegistryRule>
<BaselineAuditPolicyRule>
<BaselineId>9ff96717-0c7f-4ed0-a7a0-22bdd9c7a75b</BaselineId>
<Id>1d6b2096-7cb0-4581-9c90-81ff5b8c3f76</Id>
<OriginalId>17bbd596-ee57-4506-b4eb-b8914b2d8b34</OriginalId>
<CceId>CCE-10203-8</CceId>
<Name>Audit Policy: Account Management: User Account Management</Name>
<Type>AuditPolicy</Type>
<ExpectedValue>Success and Failure</ExpectedValue>
<Severity>Critical</Severity>
<AnalyzeOperation>Equals</AnalyzeOperation>
<Enabled>true</Enabled>
<AuditPolicyId>0cce9235-69ae-11d9-bed3-505054503030</AuditPolicyId>
</BaselineAuditPolicyRule>
<BaselineAuditPolicyRule>
<BaselineId>9ff96717-0c7f-4ed0-a7a0-22bdd9c7a75b</BaselineId>
<Id>7465c062-040b-4d9f-81aa-2f0e817a9189</Id>
<OriginalId>5bd3a1dc-6de8-4021-a1a7-f1cf51f51235</OriginalId>
<CceId>CCE-11029-6</CceId>
<Name>Audit Policy: System: Security System Extension</Name>
<Type>AuditPolicy</Type>
<ExpectedValue>Success and Failure</ExpectedValue>
<Severity>Critical</Severity>
<AnalyzeOperation>Equals</AnalyzeOperation>
<Enabled>true</Enabled>
<AuditPolicyId>0cce9211-69ae-11d9-bed3-505054503030</AuditPolicyId>
</BaselineAuditPolicyRule>
<BaselineAuditPolicyRule>
<BaselineId>9ff96717-0c7f-4ed0-a7a0-22bdd9c7a75b</BaselineId>
<Id>8fca8f1c-687c-49fd-9156-2c509fa47ada</Id>
<OriginalId>591401f2-3712-4434-ae22-e8633dcf2ad5</OriginalId>
<CceId>CCE-11003-1</CceId>
<Name>Audit Policy: Privilege Use: Sensitive Privilege Use</Name>
<Type>AuditPolicy</Type>
<ExpectedValue>Success and Failure</ExpectedValue>
<Severity>Critical</Severity>
<AnalyzeOperation>Equals</AnalyzeOperation>
<Enabled>true</Enabled>
<AuditPolicyId>0cce9228-69ae-11d9-bed3-505054503030</AuditPolicyId>
</BaselineAuditPolicyRule>
<BaselineAuditPolicyRule>
<BaselineId>9ff96717-0c7f-4ed0-a7a0-22bdd9c7a75b</BaselineId>
<Id>693d5b3e-f65a-4838-9fd4-d5869138339c</Id>
<OriginalId>821af41f-7ff7-4dae-a841-c098b7112b0c</OriginalId>
<CceId>CCE-10385-3</CceId>
<Name>Audit Policy: Policy Change: Audit Policy Change</Name>
<Type>AuditPolicy</Type>
<ExpectedValue>Success and Failure</ExpectedValue>
<Severity>Critical</Severity>
<AnalyzeOperation>Equals</AnalyzeOperation>
<Enabled>true</Enabled>
<AuditPolicyId>0cce922f-69ae-11d9-bed3-505054503030</AuditPolicyId>
</BaselineAuditPolicyRule>
<BaselineAuditPolicyRule>
<BaselineId>9ff96717-0c7f-4ed0-a7a0-22bdd9c7a75b</BaselineId>
<Id>8592b5cb-92c6-4ba4-ba3f-7cd39d978c6b</Id>
<OriginalId>a94d7f10-22ff-48e8-bd82-1dfc5ccb1cb4</OriginalId>
<CceId>CCE-10860-5</CceId>
<Name>Audit Policy: Account Management: Computer Account Management</Name>
<Type>AuditPolicy</Type>
<ExpectedValue>Success</ExpectedValue>
<Severity>Critical</Severity>
<AnalyzeOperation>Equals</AnalyzeOperation>
<Enabled>true</Enabled>
<AuditPolicyId>0cce9236-69ae-11d9-bed3-505054503030</AuditPolicyId>
</BaselineAuditPolicyRule>
<BaselineAuditPolicyRule>
<BaselineId>9ff96717-0c7f-4ed0-a7a0-22bdd9c7a75b</BaselineId>
<Id>93c0cbae-f049-4723-9a8e-e3a1ad0d3f12</Id>
<OriginalId>9f28bf93-31ae-4a09-b064-a391772fe13d</OriginalId>
<CceId>CCE-11102-1</CceId>
<Name>Audit Policy: Logon-Logoff: Logoff</Name>
<Type>AuditPolicy</Type>
<ExpectedValue>Success</ExpectedValue>
<Severity>Critical</Severity>
<AnalyzeOperation>Equals</AnalyzeOperation>
<Enabled>true</Enabled>
<AuditPolicyId>0cce9216-69ae-11d9-bed3-505054503030</AuditPolicyId>
</BaselineAuditPolicyRule>
<BaselineAuditPolicyRule>
<BaselineId>9ff96717-0c7f-4ed0-a7a0-22bdd9c7a75b</BaselineId>
<Id>4d7050b6-03e8-4ac9-9e3c-19dba2825252</Id>
<OriginalId>56d671e2-8ff8-47cd-adeb-82fb86067598</OriginalId>
<CceId>CCE-10741-7</CceId>
<Name>Audit Policy: Account Management: Security Group Management</Name>
<Type>AuditPolicy</Type>
<ExpectedValue>Success and Failure</ExpectedValue>
<Severity>Critical</Severity>
<AnalyzeOperation>Equals</AnalyzeOperation>
<Enabled>true</Enabled>
<AuditPolicyId>0cce9237-69ae-11d9-bed3-505054503030</AuditPolicyId>
</BaselineAuditPolicyRule>
<BaselineAuditPolicyRule>
<BaselineId>9ff96717-0c7f-4ed0-a7a0-22bdd9c7a75b</BaselineId>
<Id>22d4c34b-941b-4eff-8e03-386d35ae96d2</Id>
<OriginalId>504f27d5-2540-48f2-9aa4-ee0eebc84728</OriginalId>
<CceId>CCE-10390-3</CceId>
<Name>Audit Policy: System: IPsec Driver</Name>
<Type>AuditPolicy</Type>
<ExpectedValue>Success and Failure</ExpectedValue>
<Severity>Critical</Severity>
<AnalyzeOperation>Equals</AnalyzeOperation>
<Enabled>true</Enabled>
<AuditPolicyId>0cce9213-69ae-11d9-bed3-505054503030</AuditPolicyId>
</BaselineAuditPolicyRule>
<BaselineAuditPolicyRule>
<BaselineId>9ff96717-0c7f-4ed0-a7a0-22bdd9c7a75b</BaselineId>
<Id>3a1954ae-d8dc-401b-8bb1-17d90e506ec5</Id>
<OriginalId>ebd86e7c-c2be-461a-9db9-c4f9fd79e32f</OriginalId>
<CceId>CCE-10192-3</CceId>
<Name>Audit Policy: Account Logon: Credential Validation</Name>
<Type>AuditPolicy</Type>
<ExpectedValue>Success and Failure</ExpectedValue>
<Severity>Critical</Severity>
<AnalyzeOperation>Equals</AnalyzeOperation>
<Enabled>true</Enabled>
<AuditPolicyId>0cce923f-69ae-11d9-bed3-505054503030</AuditPolicyId>
</BaselineAuditPolicyRule>
<!-- Registry check for the Application event log: the Retention policy value is compared, as a
     string, with "Disabled". The Name "Retain old events" does not say which log is meant;
     only the KeyPath (EventLog\Application) and the CceId identify this rule in a report.
     NOTE(review): Windows normally stores this policy value as the string 0 or 1, not as the
     display text "Disabled". Confirm the analyzer maps the display text to the stored value,
     otherwise an Equals comparison against the raw registry data cannot pass. -->
<BaselineRegistryRule>
<BaselineId>9ff96717-0c7f-4ed0-a7a0-22bdd9c7a75b</BaselineId>
<Id>231333ed-10ad-4971-9c7c-2b008dcbd5cb</Id>
<OriginalId>450b73e6-5bad-4c64-8d1f-abffea2f08d7</OriginalId>
<CceId>CCE-10918-1</CceId>
<Name>Retain old events</Name>
<Type>Registry</Type>
<ExpectedValue>Disabled</ExpectedValue>
<Severity>Critical</Severity>
<AnalyzeOperation>Equals</AnalyzeOperation>
<Enabled>true</Enabled>
<Hive>LocalMachine</Hive>
<RegValueType>String</RegValueType>
<KeyPath>Software\Policies\Microsoft\Windows\EventLog\Application</KeyPath>
<ValueName>Retention</ValueName>
</BaselineRegistryRule>
<!-- Registry check: WarningLevel for the Security event log must equal 90, the percentage of
     log capacity at which the system raises a warning (per the rule Name). This is an early
     signal that the Security log is close to full and events may soon be overwritten or lost.
     The KeyPath is written "SYSTEM" here and "System" in other rules of this file; registry
     key names are case-insensitive, so both spellings address the same key. -->
<BaselineRegistryRule>
<BaselineId>9ff96717-0c7f-4ed0-a7a0-22bdd9c7a75b</BaselineId>
<Id>d5f5ae2b-80ad-4bc4-9888-0db5eeeb9626</Id>
<OriginalId>19a0c0e2-48ca-4a9f-9493-bd547b86d8ad</OriginalId>
<CceId>CCE-11011-4</CceId>
<Name>MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning</Name>
<Type>Registry</Type>
<ExpectedValue>90</ExpectedValue>
<Severity>Warning</Severity>
<AnalyzeOperation>Equals</AnalyzeOperation>
<Enabled>true</Enabled>
<Hive>LocalMachine</Hive>
<RegValueType>Int</RegValueType>
<KeyPath>SYSTEM\CurrentControlSet\Services\Eventlog\Security</KeyPath>
<ValueName>WarningLevel</ValueName>
</BaselineRegistryRule>
<!-- Registry check for the System event log: the Retention policy value is compared, as a
     string, with "Disabled". The Name "Retain old events" does not say which log is meant;
     only the KeyPath (EventLog\System) and the CceId identify this rule in a report.
     NOTE(review): Windows normally stores this policy value as the string 0 or 1, not as the
     display text "Disabled". Confirm the analyzer maps the display text to the stored value,
     otherwise an Equals comparison against the raw registry data cannot pass. -->
<BaselineRegistryRule>
<BaselineId>9ff96717-0c7f-4ed0-a7a0-22bdd9c7a75b</BaselineId>
<Id>cf2df9dc-f13e-47d3-ae6e-ecdec2acbd53</Id>
<OriginalId>e2e11f15-b46c-44f4-829d-5012808ca980</OriginalId>
<CceId>CCE-11055-1</CceId>
<Name>Retain old events</Name>
<Type>Registry</Type>
<ExpectedValue>Disabled</ExpectedValue>
<Severity>Critical</Severity>
<AnalyzeOperation>Equals</AnalyzeOperation>
<Enabled>true</Enabled>
<Hive>LocalMachine</Hive>
<RegValueType>String</RegValueType>
<KeyPath>Software\Policies\Microsoft\Windows\EventLog\System</KeyPath>
<ValueName>Retention</ValueName>
</BaselineRegistryRule>
<!-- Registry check: HKLM\System\CurrentControlSet\Control\Lsa\crashonauditfail must equal 0,
     i.e. the system is NOT halted when security audit events cannot be written.
     This favours availability over audit completeness: when the Security log cannot accept
     events the host keeps running and those events are lost, so log sizing, retention and
     forwarding have to carry the audit guarantee instead. -->
<BaselineRegistryRule>
<BaselineId>9ff96717-0c7f-4ed0-a7a0-22bdd9c7a75b</BaselineId>
<Id>c8e7e8fc-8ec6-4e54-a61e-48ca9fdd30c1</Id>
<OriginalId>25c67f65-0d37-41d5-9e75-72707c97a290</OriginalId>
<CceId>CCE-10742-5</CceId>
<Name>Audit: Shut down system immediately if unable to log security audits</Name>
<Type>Registry</Type>
<ExpectedValue>0</ExpectedValue>
<Severity>Critical</Severity>
<AnalyzeOperation>Equals</AnalyzeOperation>
<Enabled>true</Enabled>
<Hive>LocalMachine</Hive>
<RegValueType>Int</RegValueType>
<KeyPath>System\CurrentControlSet\Control\Lsa</KeyPath>
<ValueName>crashonauditfail</ValueName>
</BaselineRegistryRule>
<!-- Registry check for the Security event log: the Retention policy value is compared, as a
     string, with "Disabled". The Name "Retain old events" does not say which log is meant;
     only the KeyPath (EventLog\Security) and the CceId identify this rule in a report.
     NOTE(review): Windows normally stores this policy value as the string 0 or 1, not as the
     display text "Disabled". Confirm the analyzer maps the display text to the stored value,
     otherwise an Equals comparison against the raw registry data cannot pass. -->
<BaselineRegistryRule>
<BaselineId>9ff96717-0c7f-4ed0-a7a0-22bdd9c7a75b</BaselineId>
<Id>cb4d96eb-96c1-4c75-a903-6543ea31b3d0</Id>
<OriginalId>76e64466-6461-4950-95ae-dd69521f5b10</OriginalId>
<CceId>CCE-10663-3</CceId>
<Name>Retain old events</Name>
<Type>Registry</Type>
<ExpectedValue>Disabled</ExpectedValue>
<Severity>Critical</Severity>
<AnalyzeOperation>Equals</AnalyzeOperation>
<Enabled>true</Enabled>
<Hive>LocalMachine</Hive>
<RegValueType>String</RegValueType>
<KeyPath>Software\Policies\Microsoft\Windows\EventLog\Security</KeyPath>
<ValueName>Retention</ValueName>
</BaselineRegistryRule>
<BaselineRegistryRule>
<BaselineId>9ff96717-0c7f-4ed0-a7a0-22bdd9c7a75b</BaselineId>
<Id>4e92baed-9e27-4c04-9eeb-5b9069e28d30</Id>
<OriginalId>e197f79b-a454-407c-9307-7b3210313e61</OriginalId>
<CceId>CCE-10297-0</CceId>
<Name>Network access: Let Everyone permissions apply to anonymous users</Name>
<Type>Registry</Type>
<ExpectedValue>0</ExpectedValue>
<Severity>Critical</Severity>
<AnalyzeOperation>Equals</AnalyzeOperation>
<Enabled>true</Enabled>
<Hive>LocalMachine</Hive>
<RegValueType>Int</RegValueType>
<KeyPath>System\CurrentControlSet\Control\Lsa</KeyPath>
<ValueName>EveryoneIncludesAnonymous</ValueName>
</BaselineRegistryRule>
<!-- Registry check: cachedlogonscount under the Winlogon key must equal 0, i.e. no domain
     logon verifiers are cached on the host, so none can be recovered from it offline.
     RegValueType is String, unlike most numeric rules in this file; Windows stores this
     value as a string (REG_SZ), so the comparison is against the text "0".
     Operational effect: domain accounts cannot log on while no domain controller is reachable. -->
<BaselineRegistryRule>
<BaselineId>9ff96717-0c7f-4ed0-a7a0-22bdd9c7a75b</BaselineId>
<Id>bc30bbf7-ac93-4a3c-8904-fe1d0c400feb</Id>
<OriginalId>adfc53c0-573a-4b06-8a91-4dc91e830362</OriginalId>
<CceId>CCE-10926-4</CceId>
<Name>Interactive logon: Number of previous logons to cache (in case domain controller is not available)</Name>
<Type>Registry</Type>
<ExpectedValue>0</ExpectedValue>
<Severity>Critical</Severity>
<AnalyzeOperation>Equals</AnalyzeOperation>
<Enabled>true</Enabled>
<Hive>LocalMachine</Hive>
<RegValueType>String</RegValueType>
<KeyPath>Software\Microsoft\Windows NT\CurrentVersion\Winlogon</KeyPath>
<ValueName>cachedlogonscount</ValueName>
</BaselineRegistryRule>
<BaselineRegistryRule>
<BaselineId>9ff96717-0c7f-4ed0-a7a0-22bdd9c7a75b</BaselineId>
<Id>ed020231-a3c3-48ab-bfb1-81dd1feb7a66</Id>
<OriginalId>096b92bd-142b-4c28-985f-f3ba1322265f</OriginalId>
<CceId>CCE-10705-2</CceId>
<Name>Interactive logon: Require Domain Controller authentication to unlock workstation</Name>
<Type>Registry</Type>
<ExpectedValue>1</ExpectedValue>
<Severity>Critical</Severity>
<AnalyzeOperation>Equals</AnalyzeOperation>
<Enabled>true</Enabled>
<Hive>LocalMachine</Hive>
<RegValueType>Int</RegValueType>
<KeyPath>Software\Microsoft\Windows NT\CurrentVersion\Winlogon</KeyPath>
<ValueName>ForceUnlockLogon</ValueName>
</BaselineRegistryRule>
<!-- Registry check: HKLM\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel must equal 5,
     the strictest level: the host sends NTLMv2 responses only and refuses LM and NTLM.
     Because the operation is Equals, any lower level fails the rule, including levels 3 and 4,
     which already send NTLMv2 only but still accept weaker responses from clients. -->
<BaselineRegistryRule>
<BaselineId>9ff96717-0c7f-4ed0-a7a0-22bdd9c7a75b</BaselineId>
<Id>4cedb857-92dd-4411-b1bf-973eb9219eea</Id>
<OriginalId>ec468e43-6141-4bfe-970f-ca02d37d0ca7</OriginalId>
<CceId>CCE-10984-3</CceId>
<Name>Network security: LAN Manager authentication level</Name>
<Type>Registry</Type>
<ExpectedValue>5</ExpectedValue>
<Severity>Critical</Severity>
<AnalyzeOperation>Equals</AnalyzeOperation>
<Enabled>true</Enabled>
<Hive>LocalMachine</Hive>
<RegValueType>Int</RegValueType>
<KeyPath>System\CurrentControlSet\Control\Lsa</KeyPath>
<ValueName>LmCompatibilityLevel</ValueName>
</BaselineRegistryRule>
<!-- Registry check: HKLM\System\CurrentControlSet\Services\LDAP\LDAPClientIntegrity must equal 1,
     which corresponds to "Negotiate signing": the LDAP client requests signing but still
     proceeds when the server does not support it.
     NOTE(review): the operation is Equals, so a host set to 2 ("Require signing", the stricter
     setting) would presumably fail this rule. Confirm whether 2 should also be accepted. -->
<BaselineRegistryRule>
<BaselineId>9ff96717-0c7f-4ed0-a7a0-22bdd9c7a75b</BaselineId>
<Id>96c15ab2-1211-4ba5-a06b-3fdd651cb20d</Id>
<OriginalId>6e48c65a-e5dd-4d64-a6e9-dfd86742f91e</OriginalId>
<CceId>CCE-10614-6</CceId>
<Name>Network security: LDAP client signing requirements</Name>
<Type>Registry</Type>
<ExpectedValue>1</ExpectedValue>
<Severity>Critical</Severity>
<AnalyzeOperation>Equals</AnalyzeOperation>
<Enabled>true</Enabled>
<Hive>LocalMachine</Hive>
<RegValueType>Int</RegValueType>
<KeyPath>System\CurrentControlSet\Services\LDAP</KeyPath>
<ValueName>LDAPClientIntegrity</ValueName>
</BaselineRegistryRule>
<!-- User-rights check: SeIncreaseWorkingSetPrivilege (section "Privilege Rights") must be
     assigned to exactly the principals listed in ExpectedValue.
     NOTE(review): ExpectedValue is a comma-separated list of display names compared with
     Equals. This file does not define whether the comparison ignores order and whitespace,
     or how names are matched against SIDs or localized group names. Confirm in the analyzer
     before relying on a pass or fail for list-valued rules. -->
<BaselineSecurityPolicyRule>
<BaselineId>9ff96717-0c7f-4ed0-a7a0-22bdd9c7a75b</BaselineId>
<Id>b0ec9d5e-916f-4356-83aa-c23522102b33</Id>
<OriginalId>b61bd492-74b0-40f3-909d-36b9bf54e94c</OriginalId>
<CceId>CCE-10548-6</CceId>
<Name>Increase a process working set</Name>
<Type>SecurityPolicy</Type>
<ExpectedValue>Administrators, Local Service</ExpectedValue>
<Severity>Warning</Severity>
<AnalyzeOperation>Equals</AnalyzeOperation>
<Enabled>true</Enabled>
<SectionName>Privilege Rights</SectionName>
<SettingName>SeIncreaseWorkingSetPrivilege</SettingName>
</BaselineSecurityPolicyRule>
<!-- User-rights check: SeDebugPrivilege must be assigned to Administrators only.
     A holder of this right can open and read the memory of any process, including system
     processes that hold credentials, which is why the rule is rated Critical. Any additional
     principal (for example a service or developer account) makes the rule fail. -->
<BaselineSecurityPolicyRule>
<BaselineId>9ff96717-0c7f-4ed0-a7a0-22bdd9c7a75b</BaselineId>
<Id>a9bd9fba-a513-4a1b-8ee7-2406781abb11</Id>
<OriginalId>591bd8ac-a5b3-41cc-8978-2bce50123a00</OriginalId>
<CceId>CCE-10915-7</CceId>
<Name>Debug programs</Name>
<Type>SecurityPolicy</Type>
<ExpectedValue>Administrators</ExpectedValue>
<Severity>Critical</Severity>
<AnalyzeOperation>Equals</AnalyzeOperation>
<Enabled>true</Enabled>
<SectionName>Privilege Rights</SectionName>
<SettingName>SeDebugPrivilege</SettingName>
</BaselineSecurityPolicyRule>
<BaselineSecurityPolicyRule>
<BaselineId>9ff96717-0c7f-4ed0-a7a0-22bdd9c7a75b</BaselineId>
<Id>e036064a-196b-4a55-8421-513d8e914c62</Id>
<OriginalId>d2197a4c-19f4-4630-b15a-aaf85c813045</OriginalId>
<CceId>CCE-10750-8</CceId>
<Name>Deny log on locally</Name>
<Type>SecurityPolicy</Type>
<ExpectedValue>Guests</ExpectedValue>
<Severity>Critical</Severity>
<AnalyzeOperation>Equals</AnalyzeOperation>
<Enabled>true</Enabled>
<SectionName>Privilege Rights</SectionName>
<SettingName>SeDenyInteractiveLogonRight</SettingName>
</BaselineSecurityPolicyRule>
<BaselineSecurityPolicyRule>
<BaselineId>9ff96717-0c7f-4ed0-a7a0-22bdd9c7a75b</BaselineId>
<Id>a0ceb614-2d5a-4a24-bd66-0d543397927d</Id>
<OriginalId>eba90e79-8551-416f-9258-a48e1d9a60c7</OriginalId>
<CceId>CCE-9961-4</CceId>
<Name>Increase scheduling priority</Name>
<Type>SecurityPolicy</Type>
<ExpectedValue>Administrators</ExpectedValue>
<Severity>Warning</Severity>
<AnalyzeOperation>Equals</AnalyzeOperation>
<Enabled>true</Enabled>
<SectionName>Privilege Rights</SectionName>
<SettingName>SeIncreaseBasePriorityPrivilege</SettingName>
</BaselineSecurityPolicyRule>
<!-- User-rights check: SeEnableDelegationPrivilege must be assigned to no principal at all.
     A holder of this right can mark accounts as trusted for delegation, so on a member
     server the baseline expects the assignment to be empty.
     NOTE(review): "No One" is an in-band text sentinel for an empty assignment. Confirm the
     analyzer treats both a missing setting and an empty list as matching it. -->
<BaselineSecurityPolicyRule>
<BaselineId>9ff96717-0c7f-4ed0-a7a0-22bdd9c7a75b</BaselineId>
<Id>0ea400fe-0fd1-4bd0-a88c-8005d66f9cf9</Id>
<OriginalId>485ea1c9-091c-434b-b8e0-c9d8cbfde052</OriginalId>
<CceId>CCE-10618-7</CceId>
<Name>Enable computer and user accounts to be trusted for delegation</Name>
<Type>SecurityPolicy</Type>
<ExpectedValue>No One</ExpectedValue>
<Severity>Critical</Severity>
<AnalyzeOperation>Equals</AnalyzeOperation>
<Enabled>true</Enabled>
<SectionName>Privilege Rights</SectionName>
<SettingName>SeEnableDelegationPrivilege</SettingName>
</BaselineSecurityPolicyRule>
<BaselineSecurityPolicyRule>
<BaselineId>9ff96717-0c7f-4ed0-a7a0-22bdd9c7a75b</BaselineId>
<Id>9a1fd9ef-1012-4551-936b-5ecbc8c97c1e</Id>
<OriginalId>60859cb4-3ad7-4a2f-8564-fcfde3ee1768</OriginalId>
<CceId>CCE-9972-1</CceId>
<Name>Access Credential Manager as a trusted caller</Name>
<Type>SecurityPolicy</Type>
<ExpectedValue>No One</ExpectedValue>
<Severity>Warning</Severity>
<AnalyzeOperation>Equals</AnalyzeOperation>
<Enabled>true</Enabled>
<SectionName>Privilege Rights</SectionName>
<SettingName>SeTrustedCredManAccessPrivilege</SettingName>
</BaselineSecurityPolicyRule>
<BaselineSecurityPolicyRule>
<BaselineId>9ff96717-0c7f-4ed0-a7a0-22bdd9c7a75b</BaselineId>
<Id>e3f139fc-32de-495f-b4f9-4c53abbfa876</Id>
<OriginalId>204ff604-1cab-46c8-aa22-01e7d78925e4</OriginalId>
<CceId>CCE-10439-8</CceId>
<Name>Shut down the system</Name>
<Type>SecurityPolicy</Type>
<ExpectedValue>Administrators</ExpectedValue>
<Severity>Warning</Severity>
<AnalyzeOperation>Equals</AnalyzeOperation>
<Enabled>true</Enabled>
<SectionName>Privilege Rights</SectionName>
<SettingName>SeShutdownPrivilege</SettingName>
</BaselineSecurityPolicyRule>
<BaselineSecurityPolicyRule>
<BaselineId>9ff96717-0c7f-4ed0-a7a0-22bdd9c7a75b</BaselineId>
<Id>8c4b0b20-47c6-487c-990e-a5ac471d30f4</Id>
<OriginalId>38165ccc-d675-481c-8881-231a5c2032f9</OriginalId>
<CceId>CCE-10955-3</CceId>
<Name>Lock pages in memory</Name>
<Type>SecurityPolicy</Type>
<ExpectedValue>No One</ExpectedValue>
<Severity>Warning</Severity>
<AnalyzeOperation>Equals</AnalyzeOperation>
<Enabled>true</Enabled>
<SectionName>Privilege Rights</SectionName>
<SettingName>SeLockMemoryPrivilege</SettingName>
</BaselineSecurityPolicyRule>
<BaselineSecurityPolicyRule>
<BaselineId>9ff96717-0c7f-4ed0-a7a0-22bdd9c7a75b</BaselineId>
<Id>1bfef068-0fc4-4cd8-9105-a8e982bbe093</Id>
<OriginalId>23a1c3b4-4d38-4153-854a-e315ad699d9b</OriginalId>
<CceId>CCE-10853-0</CceId>
<Name>Allow log on locally</Name>
<Type>SecurityPolicy</Type>
<ExpectedValue>Administrators</ExpectedValue>
<Severity>Critical</Severity>
<AnalyzeOperation>Equals</AnalyzeOperation>
<Enabled>true</Enabled>
<SectionName>Privilege Rights</SectionName>
<SettingName>SeInteractiveLogonRight</SettingName>
</BaselineSecurityPolicyRule>
<BaselineSecurityPolicyRule>
<BaselineId>9ff96717-0c7f-4ed0-a7a0-22bdd9c7a75b</BaselineId>
<Id>2214028d-98f5-432a-aec3-20f577db00f1</Id>
<OriginalId>3ebdc510-830f-4520-9bce-2fe8f4f88b3f</OriginalId>
<CceId>CCE-10274-9</CceId>
<Name>Generate security audits</Name>
<Type>SecurityPolicy</Type>
<ExpectedValue>Local Service, Network Service</ExpectedValue>
<Severity>Critical</Severity>
<AnalyzeOperation>Equals</AnalyzeOperation>
<Enabled>true</Enabled>
<SectionName>Privilege Rights</SectionName>
<SettingName>SeAuditPrivilege</SettingName>
</BaselineSecurityPolicyRule>
<BaselineSecurityPolicyRule>
<BaselineId>9ff96717-0c7f-4ed0-a7a0-22bdd9c7a75b</BaselineId>
<Id>c6bfbe4f-44ea-4520-83e9-4501034e40d4</Id>
<OriginalId>4b696c3e-dd2c-4d5e-bb0a-d7190de2c322</OriginalId>
<CceId>CCE-10849-8</CceId>
<Name>Adjust memory quotas for a process</Name>
<Type>SecurityPolicy</Type>
<ExpectedValue>Administrators, Local Service, Network Service</ExpectedValue>
<Severity>Warning</Severity>
<AnalyzeOperation>Equals</AnalyzeOperation>
<Enabled>true</Enabled>
<SectionName>Privilege Rights</SectionName>
<SettingName>SeIncreaseQuotaPrivilege</SettingName>
</BaselineSecurityPolicyRule>
<BaselineSecurityPolicyRule>
<BaselineId>9ff96717-0c7f-4ed0-a7a0-22bdd9c7a75b</BaselineId>
<Id>23bdbbde-f468-4644-bfb7-1a353be1113b</Id>
<OriginalId>b9af2cf2-1528-469c-b7e8-3787c4513479</OriginalId>
<CceId>CCE-10733-4</CceId>
<Name>Deny access to this computer from the network</Name>
<Type>SecurityPolicy</Type>
<ExpectedValue>Guests</ExpectedValue>
<Severity>Critical</Severity>
<AnalyzeOperation>Equals</AnalyzeOperation>
<Enabled>true</Enabled>
<SectionName>Privilege Rights</SectionName>
<SettingName>SeDenyNetworkLogonRight</SettingName>
</BaselineSecurityPolicyRule>
<BaselineRegistryRule>
<BaselineId>9ff96717-0c7f-4ed0-a7a0-22bdd9c7a75b</BaselineId>
<Id>fe061bfb-e1ac-4644-b585-705f6b503b14</Id>
<OriginalId>a9411a96-e13f-4b37-ab31-b84a06d63460</OriginalId>
<CceId>CCE-9999-4</CceId>
<Name>Devices: Prevent users from installing printer drivers</Name>
<Type>Registry</Type>
<ExpectedValue>1</ExpectedValue>
<Severity>Warning</Severity>
<AnalyzeOperation>Equals</AnalyzeOperation>
<Enabled>true</Enabled>
<Hive>LocalMachine</Hive>
<RegValueType>Int</RegValueType>
<KeyPath>System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers</KeyPath>
<ValueName>AddPrinterDrivers</ValueName>
</BaselineRegistryRule>
<BaselineSecurityPolicyRule>
<BaselineId>9ff96717-0c7f-4ed0-a7a0-22bdd9c7a75b</BaselineId>
<Id>ec0fd6be-7fe8-43bc-bf6c-36ce0b322fbe</Id>
<OriginalId>8dcd558f-d276-493c-86e4-b259adab009b</OriginalId>
<CceId>CCE-10969-4</CceId>
<Name>Remove computer from docking station</Name>
<Type>SecurityPolicy</Type>
<ExpectedValue>Administrators</ExpectedValue>
<Severity>Informational</Severity>
<AnalyzeOperation>Equals</AnalyzeOperation>
<Enabled>true</Enabled>
<SectionName>Privilege Rights</SectionName>
<SettingName>SeUndockPrivilege</SettingName>
</BaselineSecurityPolicyRule>
<!-- Checks that "Force shutdown from a remote system"
     (SeRemoteShutdownPrivilege) is assigned to Administrators only. Any other
     holder could take the server offline over the network, which is why the
     rule is rated Critical. -->
<BaselineSecurityPolicyRule>
<BaselineId>9ff96717-0c7f-4ed0-a7a0-22bdd9c7a75b</BaselineId>
<Id>6266af3a-175f-47b9-803e-5027d13f9932</Id>
<OriginalId>8840018d-e63a-4e69-96a8-c06af7e963a8</OriginalId>
<CceId>CCE-10785-4</CceId>
<Name>Force shutdown from a remote system</Name>
<Type>SecurityPolicy</Type>
<ExpectedValue>Administrators</ExpectedValue>
<Severity>Critical</Severity>
<AnalyzeOperation>Equals</AnalyzeOperation>
<Enabled>true</Enabled>
<SectionName>Privilege Rights</SectionName>
<SettingName>SeRemoteShutdownPrivilege</SettingName>
</BaselineSecurityPolicyRule>
<!-- Checks that "Allow log on through Remote Desktop Services"
     (SeRemoteInteractiveLogonRight) is assigned to Administrators only.
     Windows grants this right to the built-in Remote Desktop Users group by
     default, so hosts that delegate RDP through that group will be reported
     as non-compliant by this Equals check. -->
<BaselineSecurityPolicyRule>
<BaselineId>9ff96717-0c7f-4ed0-a7a0-22bdd9c7a75b</BaselineId>
<Id>54992e80-e168-4130-93a1-83ca45d6a65a</Id>
<OriginalId>78c974e6-940e-4fec-8697-73d0ed54943c</OriginalId>
<CceId>CCE-10858-9</CceId>
<Name>Allow log on through Remote Desktop Services</Name>
<Type>SecurityPolicy</Type>
<ExpectedValue>Administrators</ExpectedValue>
<Severity>Warning</Severity>
<AnalyzeOperation>Equals</AnalyzeOperation>
<Enabled>true</Enabled>
<SectionName>Privilege Rights</SectionName>
<SettingName>SeRemoteInteractiveLogonRight</SettingName>
</BaselineSecurityPolicyRule>
<!-- Checks that "Deny log on as a batch job" (SeDenyBatchLogonRight) is
     assigned to Guests, so guest accounts cannot be used to run scheduled
     tasks.
     NOTE(review): with AnalyzeOperation Equals, denying further principals
     would presumably fail the check; confirm against the analyzer. -->
<BaselineSecurityPolicyRule>
<BaselineId>9ff96717-0c7f-4ed0-a7a0-22bdd9c7a75b</BaselineId>
<Id>0392b393-395e-42bf-ba60-8d99efc4d2d4</Id>
<OriginalId>8797b752-5346-436e-8502-cd5031cc77d5</OriginalId>
<CceId>CCE-10596-5</CceId>
<Name>Deny log on as a batch job</Name>
<Type>SecurityPolicy</Type>
<ExpectedValue>Guests</ExpectedValue>
<Severity>Critical</Severity>
<AnalyzeOperation>Equals</AnalyzeOperation>
<Enabled>true</Enabled>
<SectionName>Privilege Rights</SectionName>
<SettingName>SeDenyBatchLogonRight</SettingName>
</BaselineSecurityPolicyRule>
<!-- Checks that "Take ownership of files or other objects"
     (SeTakeOwnershipPrivilege) is assigned to Administrators only. An owner
     can rewrite an object's permissions, so this privilege effectively
     bypasses existing access control lists. -->
<BaselineSecurityPolicyRule>
<BaselineId>9ff96717-0c7f-4ed0-a7a0-22bdd9c7a75b</BaselineId>
<Id>d9573ad7-8ead-4e63-9c33-8a6878334de2</Id>
<OriginalId>f540aa73-5550-4058-9209-e268908611d5</OriginalId>
<CceId>CCE-10954-6</CceId>
<Name>Take ownership of files or other objects</Name>
<Type>SecurityPolicy</Type>
<ExpectedValue>Administrators</ExpectedValue>
<Severity>Warning</Severity>
<AnalyzeOperation>Equals</AnalyzeOperation>
<Enabled>true</Enabled>
<SectionName>Privilege Rights</SectionName>
<SettingName>SeTakeOwnershipPrivilege</SettingName>
</BaselineSecurityPolicyRule>
<!-- Checks that "Impersonate a client after authentication"
     (SeImpersonatePrivilege) is held only by Administrators, SERVICE,
     Local Service and Network Service. A holder can act with the token of a
     client that connects to it, so extra assignments widen the local
     privilege-escalation surface.
     NOTE(review): the principal names are mixed case here but upper case in
     the SeCreateGlobalPrivilege rule of this file; confirm the Equals
     comparison ignores case and list order. -->
<BaselineSecurityPolicyRule>
<BaselineId>9ff96717-0c7f-4ed0-a7a0-22bdd9c7a75b</BaselineId>
<Id>339b3e19-18dd-4b45-b143-890ba5c7db9f</Id>
<OriginalId>87691f9f-e18e-42c3-ac3c-621c7b30bdda</OriginalId>
<CceId>CCE-9946-5</CceId>
<Name>Impersonate a client after authentication</Name>
<Type>SecurityPolicy</Type>
<ExpectedValue>Administrators, SERVICE, Local Service, Network Service</ExpectedValue>
<Severity>Warning</Severity>
<AnalyzeOperation>Equals</AnalyzeOperation>
<Enabled>true</Enabled>
<SectionName>Privilege Rights</SectionName>
<SettingName>SeImpersonatePrivilege</SettingName>
</BaselineSecurityPolicyRule>
<!-- Checks that "Create global objects" (SeCreateGlobalPrivilege) is held only
     by Administrators, SERVICE, LOCAL SERVICE and NETWORK SERVICE. Global
     objects are visible to every session on the host, so the right is kept to
     administrators and service identities.
     NOTE(review): the service principals are written in upper case here but
     in mixed case in the SeImpersonatePrivilege rule of this file; confirm the
     Equals comparison ignores case. -->
<BaselineSecurityPolicyRule>
<BaselineId>9ff96717-0c7f-4ed0-a7a0-22bdd9c7a75b</BaselineId>
<Id>21284d82-93ef-43f6-ab37-f34f8440d76c</Id>
<OriginalId>c3a6cfaf-1504-4d55-ace8-1ebc971d9ebc</OriginalId>
<CceId>CCE-10792-0</CceId>
<Name>Create global objects</Name>
<Type>SecurityPolicy</Type>
<ExpectedValue>Administrators, SERVICE, LOCAL SERVICE, NETWORK SERVICE</ExpectedValue>
<Severity>Warning</Severity>
<AnalyzeOperation>Equals</AnalyzeOperation>
<Enabled>true</Enabled>
<SectionName>Privilege Rights</SectionName>
<SettingName>SeCreateGlobalPrivilege</SettingName>
</BaselineSecurityPolicyRule>
<!-- Checks that "Access this computer from the network" (SeNetworkLogonRight)
     is assigned to Administrators and Authenticated Users only. Everyone is
     not in the expected list, so a host that still grants the right to
     Everyone (which can include unauthenticated callers) fails this check. -->
<BaselineSecurityPolicyRule>
<BaselineId>9ff96717-0c7f-4ed0-a7a0-22bdd9c7a75b</BaselineId>
<Id>03a3b47c-0c6c-4018-b037-84b0f1490738</Id>
<OriginalId>48cf8aee-1c72-4c3e-9f2a-c6dfe8990219</OriginalId>
<CceId>CCE-10086-7</CceId>
<Name>Access this computer from the network</Name>
<Type>SecurityPolicy</Type>
<ExpectedValue>Administrators, Authenticated Users</ExpectedValue>
<Severity>Critical</Severity>
<AnalyzeOperation>Equals</AnalyzeOperation>
<Enabled>true</Enabled>
<SectionName>Privilege Rights</SectionName>
<SettingName>SeNetworkLogonRight</SettingName>
</BaselineSecurityPolicyRule>
<!-- Checks that "Create a pagefile" (SeCreatePagefilePrivilege) is assigned to
     Administrators only, so that only administrators can create or resize the
     paging file. -->
<BaselineSecurityPolicyRule>
<BaselineId>9ff96717-0c7f-4ed0-a7a0-22bdd9c7a75b</BaselineId>
<Id>961c29bc-6fed-4c5f-9618-2a5bb29eb8a4</Id>
<OriginalId>52a9b265-75cb-45a0-ac23-3e5d4fa566c2</OriginalId>
<CceId>CCE-9937-4</CceId>
<Name>Create a pagefile</Name>
<Type>SecurityPolicy</Type>
<ExpectedValue>Administrators</ExpectedValue>
<Severity>Critical</Severity>
<AnalyzeOperation>Equals</AnalyzeOperation>
<Enabled>true</Enabled>
<SectionName>Privilege Rights</SectionName>
<SettingName>SeCreatePagefilePrivilege</SettingName>
</BaselineSecurityPolicyRule>
<!-- Checks that "Bypass traverse checking" (SeChangeNotifyPrivilege) is held
     by exactly the five principals listed in ExpectedValue. The privilege lets
     a holder pass through directories it cannot list in order to reach an
     object it does have access to.
     NOTE(review): the expected value is a comma-separated list compared with
     Equals; confirm whether the analyzer is sensitive to order or spacing. -->
<BaselineSecurityPolicyRule>
<BaselineId>9ff96717-0c7f-4ed0-a7a0-22bdd9c7a75b</BaselineId>
<Id>0e89f12e-f34d-491d-af40-2ad0df92c685</Id>
<OriginalId>c25cfa17-7dbb-4699-a9a9-f53962a70de9</OriginalId>
<CceId>CCE-10369-7</CceId>
<Name>Bypass traverse checking</Name>
<Type>SecurityPolicy</Type>
<ExpectedValue>Administrators, Authenticated Users, Backup Operators, Local Service, Network Service</ExpectedValue>
<Severity>Critical</Severity>
<AnalyzeOperation>Equals</AnalyzeOperation>
<Enabled>true</Enabled>
<SectionName>Privilege Rights</SectionName>
<SettingName>SeChangeNotifyPrivilege</SettingName>
</BaselineSecurityPolicyRule>
<!-- Checks that "Act as part of the operating system" (SeTcbPrivilege) is
     assigned to no account. A holder is treated as part of the trusted
     computing base, so any assignment is equivalent to full control of the
     host.
     NOTE(review): "No One" is a literal string in ExpectedValue; presumably
     the analyzer maps it to an empty assignment. Confirm, because an
     unassigned right may be reported as an empty or missing value. -->
<BaselineSecurityPolicyRule>
<BaselineId>9ff96717-0c7f-4ed0-a7a0-22bdd9c7a75b</BaselineId>
<Id>fa8423d8-c3a6-4add-a569-e1c69903e80e</Id>
<OriginalId>b77b9700-3212-4d5f-9547-dbe8ffd32574</OriginalId>
<CceId>CCE-10232-7</CceId>
<Name>Act as part of the operating system</Name>
<Type>SecurityPolicy</Type>
<ExpectedValue>No One</ExpectedValue>
<Severity>Critical</Severity>
<AnalyzeOperation>Equals</AnalyzeOperation>
<Enabled>true</Enabled>
<SectionName>Privilege Rights</SectionName>
<SettingName>SeTcbPrivilege</SettingName>
</BaselineSecurityPolicyRule>
<!-- Checks that EnableInstallerDetection under the UAC policy key in HKLM is 1,
     i.e. that UAC detects application installers and prompts for elevation
     instead of letting the installation fail or run unelevated. -->
<BaselineRegistryRule>
<BaselineId>9ff96717-0c7f-4ed0-a7a0-22bdd9c7a75b</BaselineId>
<Id>e1a0bdfb-7818-407a-90d7-ceca5afc22e4</Id>
<OriginalId>7ff3401a-70b6-40fa-bb33-73024f591b93</OriginalId>
<CceId>CCE-10794-6</CceId>
<Name>User Account Control: Detect application installations and prompt for elevation</Name>
<Type>Registry</Type>
<ExpectedValue>1</ExpectedValue>
<Severity>Critical</Severity>
<AnalyzeOperation>Equals</AnalyzeOperation>
<Enabled>true</Enabled>
<Hive>LocalMachine</Hive>
<RegValueType>Int</RegValueType>
<KeyPath>Software\Microsoft\Windows\CurrentVersion\Policies\System</KeyPath>
<ValueName>EnableInstallerDetection</ValueName>
</BaselineRegistryRule>
<!-- Checks that EnableSecureUIAPaths is 1, so that applications requesting
     UIAccess integrity are elevated only when they are installed in a secure
     file-system location that standard users cannot write to. -->
<BaselineRegistryRule>
<BaselineId>9ff96717-0c7f-4ed0-a7a0-22bdd9c7a75b</BaselineId>
<Id>8d613795-0999-48f8-b5f1-e765c37feddd</Id>
<OriginalId>0d380cb0-a162-4dbb-b54b-d41a2a7f9036</OriginalId>
<CceId>CCE-10570-0</CceId>
<Name>User Account Control: Only elevate UIAccess applications that are installed in secure locations</Name>
<Type>Registry</Type>
<ExpectedValue>1</ExpectedValue>
<Severity>Critical</Severity>
<AnalyzeOperation>Equals</AnalyzeOperation>
<Enabled>true</Enabled>
<Hive>LocalMachine</Hive>
<RegValueType>Int</RegValueType>
<KeyPath>Software\Microsoft\Windows\CurrentVersion\Policies\System</KeyPath>
<ValueName>EnableSecureUIAPaths</ValueName>
</BaselineRegistryRule>
<!-- Checks that EnableUIADesktopToggle is 0, so that UIAccess applications
     cannot switch off the secure desktop for elevation prompts.
     NOTE(review): KeyPath starts with upper-case "SOFTWARE" here while the
     neighbouring UAC rules use "Software". Registry key names are not case
     sensitive in Windows, so both name the same key; confirm the analyzer does
     not compare or de-duplicate paths as case-sensitive strings. -->
<BaselineRegistryRule>
<BaselineId>9ff96717-0c7f-4ed0-a7a0-22bdd9c7a75b</BaselineId>
<Id>b587824a-9d13-40ee-89ed-a6f991f9faa9</Id>
<OriginalId>444439f0-8c54-4a1f-9e91-03533d9a69fb</OriginalId>
<CceId>CCE-10534-6</CceId>
<Name>User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop</Name>
<Type>Registry</Type>
<ExpectedValue>0</ExpectedValue>
<Severity>Critical</Severity>
<AnalyzeOperation>Equals</AnalyzeOperation>
<Enabled>true</Enabled>
<Hive>LocalMachine</Hive>
<RegValueType>Int</RegValueType>
<KeyPath>SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System</KeyPath>
<ValueName>EnableUIADesktopToggle</ValueName>
</BaselineRegistryRule>
<!-- Checks that EnableVirtualization is 1, so that write failures of legacy
     applications against protected file and registry locations are redirected
     to per-user locations rather than requiring the application to run
     elevated. -->
<BaselineRegistryRule>
<BaselineId>9ff96717-0c7f-4ed0-a7a0-22bdd9c7a75b</BaselineId>
<Id>7c76c315-9fcc-43e7-a32f-79fe81891b8c</Id>
<OriginalId>f50c62f4-6c34-466b-b495-54c834820a24</OriginalId>
<CceId>CCE-10865-4</CceId>
<Name>User Account Control: Virtualize file and registry write failures to per-user locations</Name>
<Type>Registry</Type>
<ExpectedValue>1</ExpectedValue>
<Severity>Critical</Severity>
<AnalyzeOperation>Equals</AnalyzeOperation>
<Enabled>true</Enabled>
<Hive>LocalMachine</Hive>
<RegValueType>Int</RegValueType>
<KeyPath>Software\Microsoft\Windows\CurrentVersion\Policies\System</KeyPath>
<ValueName>EnableVirtualization</ValueName>
</BaselineRegistryRule>
<!-- Checks that ValidateAdminCodeSignatures is 0, i.e. that the policy "Only
     elevate executables that are signed and validated" is disabled.
     NOTE(review): the expected state is the policy being OFF. A host that
     enables signature enforcement (value 1) would be reported as
     non-compliant at Critical severity by this Equals check; confirm that
     this is the intended reading before acting on a finding. -->
<BaselineRegistryRule>
<BaselineId>9ff96717-0c7f-4ed0-a7a0-22bdd9c7a75b</BaselineId>
<Id>f334f5f8-3e7c-448f-bc29-2f8dcd563ec8</Id>
<OriginalId>d3ebc555-daf1-451f-88a1-61b1b5ac71b5</OriginalId>
<CceId>CCE-10922-3</CceId>
<Name>User Account Control: Only elevate executables that are signed and validated</Name>
<Type>Registry</Type>
<ExpectedValue>0</ExpectedValue>
<Severity>Critical</Severity>
<AnalyzeOperation>Equals</AnalyzeOperation>
<Enabled>true</Enabled>
<Hive>LocalMachine</Hive>
<RegValueType>Int</RegValueType>
<KeyPath>Software\Microsoft\Windows\CurrentVersion\Policies\System</KeyPath>
<ValueName>ValidateAdminCodeSignatures</ValueName>
</BaselineRegistryRule>
<!-- Checks that ConsentPromptBehaviorUser is 3, which makes UAC prompt standard
     users for administrator credentials when an operation needs elevation.
     NOTE(review): the stricter setting 0 (automatically deny elevation
     requests) does not equal 3, so hosts hardened that way would be reported
     as non-compliant; confirm this is intended. -->
<BaselineRegistryRule>
<BaselineId>9ff96717-0c7f-4ed0-a7a0-22bdd9c7a75b</BaselineId>
<Id>63510c29-d816-4171-a536-a3ec134ed03c</Id>
<OriginalId>5a0c69d4-3f9a-4c0c-afe9-89a70342a2f7</OriginalId>
<CceId>CCE-10807-6</CceId>
<Name>User Account Control: Behavior of the elevation prompt for standard users</Name>
<Type>Registry</Type>
<ExpectedValue>3</ExpectedValue>
<Severity>Critical</Severity>
<AnalyzeOperation>Equals</AnalyzeOperation>
<Enabled>true</Enabled>
<Hive>LocalMachine</Hive>
<RegValueType>Int</RegValueType>
<KeyPath>Software\Microsoft\Windows\CurrentVersion\Policies\System</KeyPath>
<ValueName>ConsentPromptBehaviorUser</ValueName>
</BaselineRegistryRule>
<!-- Checks that FilterAdministratorToken is 1, so that the built-in
     Administrator account also runs in Admin Approval Mode and has to confirm
     elevation instead of running every process with a full administrative
     token. -->
<BaselineRegistryRule>
<BaselineId>9ff96717-0c7f-4ed0-a7a0-22bdd9c7a75b</BaselineId>
<Id>101e02bf-b941-4c25-acc3-84720e01677f</Id>
<OriginalId>5fbabdf6-6786-46f6-b959-596af69f2650</OriginalId>
<CceId>CCE-11028-8</CceId>
<Name>User Account Control: Admin Approval Mode for the Built-in Administrator account</Name>
<Type>Registry</Type>
<ExpectedValue>1</ExpectedValue>
<Severity>Critical</Severity>
<AnalyzeOperation>Equals</AnalyzeOperation>
<Enabled>true</Enabled>
<Hive>LocalMachine</Hive>
<RegValueType>Int</RegValueType>
<KeyPath>Software\Microsoft\Windows\CurrentVersion\Policies\System</KeyPath>
<ValueName>FilterAdministratorToken</ValueName>
</BaselineRegistryRule>
<!-- Checks that EnableLUA is 1, i.e. that User Account Control is switched on
     and all administrators run in Admin Approval Mode. The other UAC values
     under this key only take effect while this one is enabled, so a failure
     here outweighs the individual UAC findings. -->
<BaselineRegistryRule>
<BaselineId>9ff96717-0c7f-4ed0-a7a0-22bdd9c7a75b</BaselineId>
<Id>5cfa6664-dff2-480e-b898-b872ddda8b63</Id>
<OriginalId>ef509260-bd3a-450b-807d-16b454851c6f</OriginalId>
<CceId>CCE-10684-9</CceId>
<Name>User Account Control: Run all administrators in Admin Approval Mode</Name>
<Type>Registry</Type>
<ExpectedValue>1</ExpectedValue>
<Severity>Critical</Severity>
<AnalyzeOperation>Equals</AnalyzeOperation>
<Enabled>true</Enabled>
<Hive>LocalMachine</Hive>
<RegValueType>Int</RegValueType>
<KeyPath>Software\Microsoft\Windows\CurrentVersion\Policies\System</KeyPath>
<ValueName>EnableLUA</ValueName>
</BaselineRegistryRule>
<!-- Checks that PromptOnSecureDesktop is 1, so that elevation prompts are shown
     on the secure desktop, where other processes in the user's session cannot
     interact with or imitate the prompt. -->
<BaselineRegistryRule>
<BaselineId>9ff96717-0c7f-4ed0-a7a0-22bdd9c7a75b</BaselineId>
<Id>88cf53a6-c871-4e61-af7c-45b9250d2ce8</Id>
<OriginalId>a43ef40c-3543-4204-a431-0f01df930b63</OriginalId>
<CceId>CCE-10109-7</CceId>
<Name>User Account Control: Switch to the secure desktop when prompting for elevation</Name>
<Type>Registry</Type>
<ExpectedValue>1</ExpectedValue>
<Severity>Critical</Severity>
<AnalyzeOperation>Equals</AnalyzeOperation>
<Enabled>true</Enabled>
<Hive>LocalMachine</Hive>
<RegValueType>Int</RegValueType>
<KeyPath>Software\Microsoft\Windows\CurrentVersion\Policies\System</KeyPath>
<ValueName>PromptOnSecureDesktop</ValueName>
</BaselineRegistryRule>
<!-- Checks that ConsentPromptBehaviorAdmin is 5, which makes UAC ask
     administrators in Admin Approval Mode for consent when a non-Windows
     binary requests elevation.
     NOTE(review): stricter settings such as 2 (prompt for consent on the
     secure desktop) or 1 (prompt for credentials on the secure desktop) do not
     equal 5, so hosts hardened that way would be reported as non-compliant at
     Critical severity; confirm this is intended. -->
<BaselineRegistryRule>
<BaselineId>9ff96717-0c7f-4ed0-a7a0-22bdd9c7a75b</BaselineId>
<Id>cd347f23-72f0-43b0-863c-b0b8fe570b16</Id>
<OriginalId>48974513-39ec-472c-9ee8-5cb8abf3cb64</OriginalId>
<CceId>CCE-11023-9</CceId>
<Name>User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode</Name>
<Type>Registry</Type>
<ExpectedValue>5</ExpectedValue>
<Severity>Critical</Severity>
<AnalyzeOperation>Equals</AnalyzeOperation>
<Enabled>true</Enabled>
<Hive>LocalMachine</Hive>
<RegValueType>Int</RegValueType>
<KeyPath>Software\Microsoft\Windows\CurrentVersion\Policies\System</KeyPath>
<ValueName>ConsentPromptBehaviorAdmin</ValueName>
</BaselineRegistryRule>
</Rules>
<!-- Identity of the ruleset itself. Id is the same GUID that every rule above
     carries in its BaselineId element, which is what ties a rule to this
     ruleset. The name targets Windows Server 2008 R2 SP1 member servers; that
     OS release left extended support in January 2020, so passing this
     baseline says nothing about missing OS security updates. -->
<Id>9ff96717-0c7f-4ed0-a7a0-22bdd9c7a75b</Id>
<Name>WS2008R2SP1 Member Server Security Compliance</Name>
<Type>WindowsOS</Type>
</BaselineRuleset>
</ArrayOfBaselineRuleset>