Windows Registry Editor Version 5.00

;;; Windows 10 Home Hardening
;;; Repository: https://github.com/teusink/Home-Security-by-W10-Hardening/
;;; Registry target: HKEY_LOCAL_MACHINE
;;; Source: Center for Internet Security (CIS) - Level 1
;;; Author: Joram Teusink

;;; Due to the target being Windows 10 Home the following parts are excluded from the CIS Level 1 baseline:
;;; - BitLocker Drive Encryption
;;; - Remote Desktop Services (formerly Terminal Services)

;;; Due to the target being Windows 10 Home and Pro the following parts are excluded from the CIS Level 1 baseline:
;;; - Local Administrator Password Solution (LAPS)
;;; - Microsoft Solutions for Security (MSS) (Legacy)
;;; - Windows Connection Manager (WCM)
;;; - Group Policy
;;; - Kerberos
;;; - Application, Security, Setup and System Event Log Service

;;; 2.3.1.2 (L1) Ensure 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts'
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
; 0 = This policy is disabled (Default)
; 1 = Users can’t add Microsoft accounts
; 3 = Users can’t add or log on with Microsoft accounts (CIS L1)
; NON-COMPLIANCE TO NOT DISRUPT COMMON HOME FEATURES
"NoConnectedUser"=dword:0000000

;;; 2.3.1.4 (L1) Ensure 'Accounts: Limit local account use of blank passwords to console logon only' is set to 'Enabled'
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa]
; 0 = Off
; 1 = On (Default + CIS L1)
; NOTE(review): the value below is 0 (Off), which is neither the Windows default nor the CIS L1 setting of 1, and it carries no NON-COMPLIANCE marker. With the limit off, local accounts with a blank password are no longer restricted to console logon. If the deviation is intended, mark it as such; otherwise set dword:00000001.
"LimitBlankPasswordUse"=dword:0000000

;;; 2.3.2.1 (L1) Ensure 'Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings' is set to 'Enabled'
;[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa]
; = (Default)
; 0 = Off
; 1 = On (CIS L1)
; NON-COMPLIANCE TO NOT DISRUPT COMMON HOME FEATURES
;"SCENoApplyLegacyAuditPolicy"=dword:0000001

;;; 2.3.2.2 (L1) Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled'
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa] ; 0 = Off (Default + CIS L1) ; 1 = On "CrashOnAuditFail"=dword:0000000 ;;; 2.3.4.1 (L1) Ensure 'Devices: Allowed to format and eject removable media' is set to 'Administrators and Interactive Users' [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon] ; 0 = Administrators only (Default) ; 1 = Administrators and power users ; 2 = Administrators and interactive users (CIS L1) "AllocateDASD"="2" ;;; 2.3.6.1 (L1) Ensure 'Domain member: Digitally encrypt or sign secure channel data (always)' is set to 'Enabled' [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters] ; 0 = Off ; 1 = On (Default + CIS L1) "RequireSignOrSeal"=dword:0000001 ;;; 2.3.6.2 (L1) Ensure 'Domain member: Digitally encrypt secure channel data (when possible)' is set to 'Enabled' [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters] ; 0 = Off ; 1 = On (Default + CIS L1) "SealSecureChannel"=dword:0000001 ;;; 2.3.6.3 (L1) Ensure 'Domain member: Digitally sign secure channel data (when possible)' is set to 'Enabled' [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters] ; 0 = Off ; 1 = On (Default + CIS L1) "SignSecureChannel"=dword:0000001 ;;; 2.3.6.4 (L1) Ensure 'Domain member: Disable machine account password changes' is set to 'Disabled' [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters] ; 0 = Off (Default + CIS L1) ; 1 = On "DisablePasswordChange"=dword:0000000 ;;; 2.3.6.5 (L1) Ensure 'Domain member: Maximum machine account password age' is set to '30 or fewer days, but not 0' [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters] ; 0 = Off ; 1e = 30 days (Default + CIS L1) "MaximumPasswordAge"=dword:0000001e ;;; 2.3.6.6 (L1) Ensure 'Domain member: Require strong (Windows 2000 or later) session key' is set to 'Enabled' [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters] ; 0 = Off ; 1 = On 
(Default + CIS L1)
"RequireStrongKey"=dword:0000001

;;; 2.3.7.1 (L1) Ensure 'Interactive logon: Do not display last user name' is set to 'Enabled'
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
; 0 = Off (Default)
; 1 = On (CIS L1)
; NON-COMPLIANCE TO NOT DISRUPT COMMON HOME FEATURES
"DontDisplayLastUserName"=dword:0000000

;;; 2.3.7.2 (L1) Ensure 'Interactive logon: Do not require CTRL+ALT+DEL' is set to 'Disabled'
;[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
; = (Default)
; 0 = Off
; 1 = On (CIS L1)
; NOTE(review): the benchmark title above asks for this policy to be 'Disabled', i.e. DisableCAD = 0 (CTRL+ALT+DEL still required); a value of 1 removes the requirement. Verify the mapping before enabling the line below.
; NON-COMPLIANCE TO NOT DISRUPT COMMON HOME FEATURES
;"DisableCAD"=dword:0000001

;;; 2.3.7.4 (L1) Ensure 'Interactive logon: Machine inactivity limit' is set to '900 or fewer second(s), but not 0'
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
; 0 = Off (Default)
; 384 = 900 seconds, 15 minutes (CIS L1)
"InactivityTimeoutSecs"=dword:00000384

;;; 2.3.7.5 (L1) Configure 'Interactive logon: Message text for users attempting to log on'
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
; = Off (Default)
; = On (CIS L1)
; NON-COMPLIANCE TO NOT DISRUPT COMMON HOME FEATURES
"LegalNoticeText"=""

;;; 2.3.7.6 (L1) Configure 'Interactive logon: Message title for users attempting to log on'
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
; = Off (Default)
; = On (CIS L1)
; NON-COMPLIANCE TO NOT DISRUPT COMMON HOME FEATURES
"LegalNoticeCaption"=""

;;; 2.3.7.8 (L1) Ensure 'Interactive logon: Prompt user to change password before expiration' is set to 'between 5 and 14 days'
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
; 0 = Off
; 5 = 5 Days (Default, CIS L1)
"PasswordExpiryWarning"=dword:0000005

;;; 2.3.7.9 (L1) Ensure 'Interactive logon: Smart card removal behavior' is set to 'Lock Workstation' or higher
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
; 0 = no action,
when smart-card is removed (Default) ; 1 = lock workstation, when smart-card is removed (CIS L1) ; 2 = force logoff, when smart-card is removed "ScRemoveOption"="1" ;;; 2.3.8.1 (L1) Ensure 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled' [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters] ; 0 = Off (Default) ; 1 = On (CIS L1) "RequireSecuritySignature"=dword:0000001 ;;; 2.3.8.2 (L1) Ensure 'Microsoft network client: Digitally sign communications (if server agrees)' is set to 'Enabled' [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters] ; 0 = Off ; 1 = On (Default, CIS L1) "EnableSecuritySignature"=dword:0000001 ;;; 2.3.8.3 (L1) Ensure 'Microsoft network client: Send unencrypted password to third-party SMB servers' is set to 'Disabled' [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters] ; 0 = Off (Default, CIS L1) ; 1 = On "EnablePlainTextPassword"=dword:0000000 ;;; 2.3.9.1 (L1) Ensure 'Microsoft network server: Amount of idle time required before suspending session' is set to '15 or fewer minute(s), but not 0' [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters] ; 0 = Off (Default) ; f = 15 Minutes (CIS L1) "AutoDisconnect"=dword:000000f ;;; 2.3.9.2 (L1) Ensure 'Microsoft network server: Digitally sign communications (always)' is set to 'Enabled' [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters] ; 0 = Off (Default) ; 1 = On (CIS L1) "RequireSecuritySignature"=dword:0000001 ;;; 2.3.9.3 (L1) Ensure 'Microsoft network server: Digitally sign communications (if client agrees)' is set to 'Enabled' [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters] ; 0 = Off (Default) ; 1 = On (CIS L1) "EnableSecuritySignature"=dword:0000001 ;;; 2.3.9.4 (L1) Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled' 
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters] ; 0 = Off ; 1 = On (Default, CIS L1) "enableforcedlogoff"=dword:0000001 ;;; 2.3.9.5 (L1) Ensure 'Microsoft network server: Server SPN target name validation level' is set to 'Accept if provided by client' or higher ;[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters] ; = (Default) ; 0 = No validation ; 1 = Validate if provided by client (CIS L1) ; 2 = Require match from client (CIS L1+) ; NON-COMPLIANCE TO NOT DISRUPT COMMON HOME FEATURES ;"SMBServerNameHardeningLevel"=dword:0000001 ;;; 2.3.10.2 (L1) Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts' is set to 'Enabled' [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa] ; 0 = Off ; 1 = On (Default, CIS L1) "RestrictAnonymousSAM"=dword:0000001 ;;; 2.3.10.3 (L1) Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' is set to 'Enabled' [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa] ; 0 = Off (Default) ; 1 = On (CIS L1) "RestrictAnonymous"=dword:0000001 ;;; 2.3.10.4 (L1) Ensure 'Network access: Do not allow storage of passwords and credentials for network authentication' is set to 'Enabled' [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa] ; 0 = Off (Default) ; 1 = On (CIS L1) ; NON-COMPLIANCE TO NOT DISRUPT COMMON HOME FEATURES "DisableDomainCreds"=dword:0000000 ;;; 2.3.10.5 (L1) Ensure 'Network access: Let Everyone permissions apply to anonymous users' is set to 'Disabled' [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa] ; 0 = Off (Default, CIS L1) ; 1 = On "EveryoneIncludesAnonymous"=dword:0000000 ;;; 2.3.10.6 (L1) Ensure 'Network access: Named Pipes that can be accessed anonymously' is set to 'None' [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters] ; = Off (Default, CIS L1) "NullSessionPipes"=hex(7):00,00 ;;; 2.3.10.7 (L1) Ensure 'Network access: Remotely accessible registry paths' 
;[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths] ; = see CLI baseline (Default, CIS L1) ; KEY DISABLED TO NOT INTERRUPT FUTURE UPDATES ;"Machine"=hex(7):53,00,79,00,73,00,74,00,65,00,6d,00,5c,00,43,00,75,00,72,00,\ ; 72,00,65,00,6e,00,74,00,43,00,6f,00,6e,00,74,00,72,00,6f,00,6c,00,53,00,65,\ ; 00,74,00,5c,00,43,00,6f,00,6e,00,74,00,72,00,6f,00,6c,00,5c,00,50,00,72,00,\ ; 6f,00,64,00,75,00,63,00,74,00,4f,00,70,00,74,00,69,00,6f,00,6e,00,73,00,00,\ ; 00,53,00,79,00,73,00,74,00,65,00,6d,00,5c,00,43,00,75,00,72,00,72,00,65,00,\ ; 6e,00,74,00,43,00,6f,00,6e,00,74,00,72,00,6f,00,6c,00,53,00,65,00,74,00,5c,\ ; 00,43,00,6f,00,6e,00,74,00,72,00,6f,00,6c,00,5c,00,53,00,65,00,72,00,76,00,\ ; 65,00,72,00,20,00,41,00,70,00,70,00,6c,00,69,00,63,00,61,00,74,00,69,00,6f,\ ; 00,6e,00,73,00,00,00,53,00,6f,00,66,00,74,00,77,00,61,00,72,00,65,00,5c,00,\ ; 4d,00,69,00,63,00,72,00,6f,00,73,00,6f,00,66,00,74,00,5c,00,57,00,69,00,6e,\ ; 00,64,00,6f,00,77,00,73,00,20,00,4e,00,54,00,5c,00,43,00,75,00,72,00,72,00,\ ; 65,00,6e,00,74,00,56,00,65,00,72,00,73,00,69,00,6f,00,6e,00,00,00,00,00 ;;; 2.3.10.8 (L1) Ensure 'Network access: Remotely accessible registry paths and sub-paths' ;[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths] ; = see CLI baseline (Default, CIS L1) ; KEY DISABLED TO NOT INTERRUPT FUTURE UPDATES ; "Machine"=hex(7):53,00,79,00,73,00,74,00,65,00,6d,00,5c,00,43,00,75,00,72,00,\ ; 72,00,65,00,6e,00,74,00,43,00,6f,00,6e,00,74,00,72,00,6f,00,6c,00,53,00,65,\ ; 00,74,00,5c,00,43,00,6f,00,6e,00,74,00,72,00,6f,00,6c,00,5c,00,50,00,72,00,\ ; 69,00,6e,00,74,00,5c,00,50,00,72,00,69,00,6e,00,74,00,65,00,72,00,73,00,00,\ ; 00,53,00,79,00,73,00,74,00,65,00,6d,00,5c,00,43,00,75,00,72,00,72,00,65,00,\ ; 6e,00,74,00,43,00,6f,00,6e,00,74,00,72,00,6f,00,6c,00,53,00,65,00,74,00,5c,\ ; 00,53,00,65,00,72,00,76,00,69,00,63,00,65,00,73,00,5c,00,45,00,76,00,65,00,\ ; 
6e,00,74,00,6c,00,6f,00,67,00,00,00,53,00,6f,00,66,00,74,00,77,00,61,00,72,\ ; 00,65,00,5c,00,4d,00,69,00,63,00,72,00,6f,00,73,00,6f,00,66,00,74,00,5c,00,\ ; 4f,00,4c,00,41,00,50,00,20,00,53,00,65,00,72,00,76,00,65,00,72,00,00,00,53,\ ; 00,6f,00,66,00,74,00,77,00,61,00,72,00,65,00,5c,00,4d,00,69,00,63,00,72,00,\ ; 6f,00,73,00,6f,00,66,00,74,00,5c,00,57,00,69,00,6e,00,64,00,6f,00,77,00,73,\ ; 00,20,00,4e,00,54,00,5c,00,43,00,75,00,72,00,72,00,65,00,6e,00,74,00,56,00,\ ; 65,00,72,00,73,00,69,00,6f,00,6e,00,5c,00,50,00,72,00,69,00,6e,00,74,00,00,\ ; 00,53,00,6f,00,66,00,74,00,77,00,61,00,72,00,65,00,5c,00,4d,00,69,00,63,00,\ ; 72,00,6f,00,73,00,6f,00,66,00,74,00,5c,00,57,00,69,00,6e,00,64,00,6f,00,77,\ ; 00,73,00,20,00,4e,00,54,00,5c,00,43,00,75,00,72,00,72,00,65,00,6e,00,74,00,\ ; 56,00,65,00,72,00,73,00,69,00,6f,00,6e,00,5c,00,57,00,69,00,6e,00,64,00,6f,\ ; 00,77,00,73,00,00,00,53,00,79,00,73,00,74,00,65,00,6d,00,5c,00,43,00,75,00,\ ; 72,00,72,00,65,00,6e,00,74,00,43,00,6f,00,6e,00,74,00,72,00,6f,00,6c,00,53,\ ; 00,65,00,74,00,5c,00,43,00,6f,00,6e,00,74,00,72,00,6f,00,6c,00,5c,00,43,00,\ ; 6f,00,6e,00,74,00,65,00,6e,00,74,00,49,00,6e,00,64,00,65,00,78,00,00,00,53,\ ; 00,79,00,73,00,74,00,65,00,6d,00,5c,00,43,00,75,00,72,00,72,00,65,00,6e,00,\ ; 74,00,43,00,6f,00,6e,00,74,00,72,00,6f,00,6c,00,53,00,65,00,74,00,5c,00,43,\ ; 00,6f,00,6e,00,74,00,72,00,6f,00,6c,00,5c,00,54,00,65,00,72,00,6d,00,69,00,\ ; 6e,00,61,00,6c,00,20,00,53,00,65,00,72,00,76,00,65,00,72,00,00,00,53,00,79,\ ; 00,73,00,74,00,65,00,6d,00,5c,00,43,00,75,00,72,00,72,00,65,00,6e,00,74,00,\ ; 43,00,6f,00,6e,00,74,00,72,00,6f,00,6c,00,53,00,65,00,74,00,5c,00,43,00,6f,\ ; 00,6e,00,74,00,72,00,6f,00,6c,00,5c,00,54,00,65,00,72,00,6d,00,69,00,6e,00,\ ; 61,00,6c,00,20,00,53,00,65,00,72,00,76,00,65,00,72,00,5c,00,55,00,73,00,65,\ ; 00,72,00,43,00,6f,00,6e,00,66,00,69,00,67,00,00,00,53,00,79,00,73,00,74,00,\ ; 65,00,6d,00,5c,00,43,00,75,00,72,00,72,00,65,00,6e,00,74,00,43,00,6f,00,6e,\ ; 
00,74,00,72,00,6f,00,6c,00,53,00,65,00,74,00,5c,00,43,00,6f,00,6e,00,74,00,\ ; 72,00,6f,00,6c,00,5c,00,54,00,65,00,72,00,6d,00,69,00,6e,00,61,00,6c,00,20,\ ; 00,53,00,65,00,72,00,76,00,65,00,72,00,5c,00,44,00,65,00,66,00,61,00,75,00,\ ; 6c,00,74,00,55,00,73,00,65,00,72,00,43,00,6f,00,6e,00,66,00,69,00,67,00,75,\ ; 00,72,00,61,00,74,00,69,00,6f,00,6e,00,00,00,53,00,6f,00,66,00,74,00,77,00,\ ; 61,00,72,00,65,00,5c,00,4d,00,69,00,63,00,72,00,6f,00,73,00,6f,00,66,00,74,\ ; 00,5c,00,57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,20,00,4e,00,54,00,5c,00,\ ; 43,00,75,00,72,00,72,00,65,00,6e,00,74,00,56,00,65,00,72,00,73,00,69,00,6f,\ ; 00,6e,00,5c,00,50,00,65,00,72,00,66,00,6c,00,69,00,62,00,00,00,53,00,79,00,\ ; 73,00,74,00,65,00,6d,00,5c,00,43,00,75,00,72,00,72,00,65,00,6e,00,74,00,43,\ ; 00,6f,00,6e,00,74,00,72,00,6f,00,6c,00,53,00,65,00,74,00,5c,00,53,00,65,00,\ ; 72,00,76,00,69,00,63,00,65,00,73,00,5c,00,53,00,79,00,73,00,6d,00,6f,00,6e,\ ; 00,4c,00,6f,00,67,00,00,00,00,00 ;;; 2.3.10.9 (L1) Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled' [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters] ; 0 = Off ; 1 = On (Default, CIS L1) "RestrictNullSessAccess"=dword:0000001 ;;; 2.3.10.10 (L1) Ensure 'Network access: Restrict clients allowed to make remote calls to SAM' is set to 'Administrators: Remote Access: Allow' [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa] ; = (Default) ; O:BAG:BAD:(A;;RC;;;BA) = On (CIS L1) "restrictremotesam"="O:BAG:BAD:(A;;RC;;;BA)" ;;; 2.3.10.11 (L1) Ensure 'Network access: Shares that can be accessed anonymously' is set to 'None' [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters] ; = (Default) "NullSessionShares"=hex(7):00,00 ;;; 2.3.10.12 (L1) Ensure 'Network access: Sharing and security model for local accounts' is set to 'Classic - local users authenticate as themselves' [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa] ; 0 = Off 
(Default, CIS L1)
; 1 = On
"ForceGuest"=dword:0000000

;;; 2.3.11.1 (L1) Ensure 'Network security: Allow Local System to use computer identity for NTLM' is set to 'Enabled'
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
; = (Default)
; 0 = Off
; 1 = On (CIS L1)
; NOTE(review): the value below is 0 (Off) although CIS L1 is 1, and the entry carries no NON-COMPLIANCE marker. Confirm whether the deviation is intended; if not, set dword:00000001.
"UseMachineId"=dword:0000000

;;; 2.3.11.2 (L1) Ensure 'Network security: Allow LocalSystem NULL session fallback' is set to 'Disabled'
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0]
; = (Default)
; 0 = Off (CIS L1)
; 1 = On
"AllowNullSessionFallback"=dword:0000000

;;; 2.3.11.3 (L1) Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled'
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\pku2u]
; = (Default)
; 0 = Off (CIS L1)
; 1 = On
"AllowOnlineID"=dword:0000000

;;; 2.3.11.4 (L1) Ensure 'Network security: Configure encryption types allowed for Kerberos' is set to 'RC4_HMAC_MD5, AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types'
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters]
; = (Default)
; 2147483644 = Various encryption types (CIS L1)
; NOTE(review): this policy value is a REG_DWORD; the line below writes it as a REG_SZ string, which may leave the setting unapplied. The dword form of 2147483644 is dword:7ffffffc.
"SupportedEncryptionTypes"="2147483644"

;;; 2.3.11.5 (L1) Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled'
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa]
; 0 = Off
; 1 = On (Default, CIS L1)
"NoLMHash"=dword:0000001

;;; 2.3.11.6 (L1) Ensure 'Network security: Force logoff when logon hours expire' is set to 'Enabled'
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters]
; 0 = Off
; 1 = On (Default, CIS L1)
"EnableForcedLogOff"=dword:0000001

;;; 2.3.11.7 (L1) Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 response only. Refuse LM&NTLM'
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa]
; 0 = Clients use LM and NTLM authentication, but they never use NTLMv2 session security.
Domain controllers accept LM, NTLM, and NTLMv2 authentication (Default) ; 1 = Clients use LM and NTLM authentication, and they use NTLMv2 session security if the server supports it. Domain controllers accept LM, NTLM, and NTLMv2 authentication ; 2 = Clients use only NTLM authentication, and they use NTLMv2 session security if the server supports it. Domain controller accepts LM, NTLM, and NTLMv2 authentication ; 3 = Clients use only NTLMv2 authentication, and they use NTLMv2 session security if the server supports it. Domain controllers accept LM, NTLM, and NTLMv2 authentication ; 4 = Clients use only NTLMv2 authentication, and they use NTLMv2 session security if the server supports it. Domain controller refuses LM authentication responses, but it accepts NTLM and NTLMv2 ; 5 = Clients use only NTLMv2 authentication, and they use NTLMv2 session security if the server supports it. Domain controller refuses LM and NTLM authentication responses, but it accepts NTLMv2 (CIS L1) "LmCompatibilityLevel"=dword:0000005 ;;; 2.3.11.8 (L1) Ensure 'Network security: LDAP client signing requirements' is set to 'Negotiate signing' or higher [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP] ; 0 = Off ; 1 = On (Default, CIS L1) "LDAPClientIntegrity"=dword:0000001 ;;; 2.3.11.9 (L1) Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' is set to 'Require NTLMv2 session security, Require 128-bit encryption' [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0] ; 0 = Off ; 10 = Require message integrity ; 20 = Require message confidentiality ; 80000 = Require NTLMv2 session security ; 20000000 = Require 128 bit encryption ; 20080000 = Require NTLMv2 session security, Require 128-bit encryption (CIS L1) "NTLMMinClientSec"=dword:20080000 ;;; 2.3.11.10 (L1) Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' is set to 'Require NTLMv2 session security, Require 128-bit 
encryption' [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0] ; 0 = Off ; 10 = Require message integrity ; 20 = Require message confidentiality ; 80000 = Require NTLMv2 session security ; 20000000 = Require 128 bit encryption ; 20080000 = Require NTLMv2 session security, Require 128-bit encryption (CIS L1) "NTLMMinServerSec"=dword:20080000 ;;; 2.3.15.1 (L1) Ensure 'System objects: Require case insensitivity for non-Windows subsystems' is set to 'Enabled' [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel] ; 0 = Off ; 1 = On (Default, CIS L1) "ObCaseInsensitive"=dword:0000001 ;;; 2.3.15.2 (L1) Ensure 'System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)' is set to 'Enabled' [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager] ; 0 = Off ; 1 = On (Default, CIS L1) "ProtectionMode"=dword:0000001 ;;; 2.3.17.1 (L1) Ensure 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is set to 'Enabled' [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System] ; = (Default) ; 0 = Off ; 1 = On (CIS L1) "FilterAdministratorToken"=dword:0000001 ;;; 2.3.17.2 (L1) Ensure 'User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop' is set to 'Disabled' [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System] ; 0 = Off (Default, CIS L1) ; 1 = On "EnableUIADesktopToggle"=dword:0000000 ;;; 2.3.17.3 (L1) Ensure 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' is set to 'Prompt for consent on the secure desktop' [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System] ; 0 = This option allows the Consent Admin to perform an operation that requires elevation without consent or credentials ; 1 = This option prompts the Consent Admin to enter his or her user name and password (or another valid admin) when 
an operation requires elevation of privilege. This operation occurs on the secure desktop
; 2 = This option prompts the administrator in Admin Approval Mode to select either "Permit" or "Deny" an operation that requires elevation of privilege. If the Consent Admin selects Permit, the operation will continue with the highest available privilege. "Prompt for consent" removes the inconvenience of requiring that users enter their name and password to perform a privileged task. This operation occurs on the secure desktop (Default, CIS L1)
; 3 = This option prompts the Consent Admin to enter his or her user name and password (or that of another valid admin) when an operation requires elevation of privilege
; 4 = This prompts the administrator in Admin Approval Mode to select either "Permit" or "Deny" an operation that requires elevation of privilege. If the Consent Admin selects Permit, the operation will continue with the highest available privilege. "Prompt for consent" removes the inconvenience of requiring that users enter their name and password to perform a privileged task
; 5 = This option prompts the administrator in Admin Approval Mode to select either "Permit" or "Deny" for an operation that requires elevation of privilege for any non-Windows binaries. If the Consent Admin selects Permit, the operation will continue with the highest available privilege.
This operation will happen on the secure desktop "ConsentPromptBehaviorAdmin"=dword:0000002 ;;; 2.3.17.4 (L1) Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to 'Automatically deny elevation requests' [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System] ; 0 = This option SHOULD be set to ensure that any operation that requires elevation of privilege will fail as a standard user (CIS L1) ; 1 = This option SHOULD be set to ensure that a standard user on the Secure Desktop that needs to perform an operation that requires elevation of privilege will be prompted for an administrative user name and password. If the user enters valid credentials, the operation will continue with the applicable privilege ; 3 = This option SHOULD be set to ensure that a standard user that needs to perform an operation that requires elevation of privilege will be prompted for an administrative user name and password. If the user enters valid credentials, the operation will continue with the applicable privilege (Default) ; NON-COMPLIANCE TO NOT DISRUPT COMMON HOME FEATURES "ConsentPromptBehaviorUser"=dword:0000003 ;;; 2.3.17.5 (L1) Ensure 'User Account Control: Detect application installations and prompt for elevation' is set to 'Enabled' [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System] ; 0 = Off ; 1 = On (Default, CIS L1) "EnableInstallerDetection"=dword:0000001 ;;; 2.3.17.6 (L1) Ensure 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is set to 'Enabled' [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System] ; 0 = Off ; 1 = On (Default, CIS L1) "EnableSecureUIAPaths"=dword:0000001 ;;; 2.3.17.7 (L1) Ensure 'User Account Control: Run all administrators in Admin Approval Mode' is set to 'Enabled' [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System] ; 0 = Off ; 1 = On (Default, CIS L1) 
"EnableLUA"=dword:0000001 ;;; 2.3.17.8 (L1) Ensure 'User Account Control: Switch to the secure desktop when prompting for elevation' is set to 'Enabled' [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System] ; 0 = Off ; 1 = On (Default, CIS L1) "PromptOnSecureDesktop"=dword:0000001 ;;; 2.3.17.9 (L1) Ensure 'User Account Control: Virtualize file and registry write failures to per-user locations' is set to 'Enabled' [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System] ; 0 = Off ; 1 = On (Default, CIS L1) "EnableVirtualization"=dword:0000001 ;;; 5.3 (L1) Ensure 'Computer Browser (Browser)' is set to 'Disabled' ;[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Browser] ; = (Default) ; 2 = Automatic ; 3 = Manual ; 4 = Disabled (CIS L1) ; NON-COMPLIANCE TO NOT DISRUPT COMMON HOME FEATURES ;"Start"=dword:0000003 ;;; 5.6 (L1) Ensure 'HomeGroup Listener (HomeGroupListener)' is set to 'Disabled' ;[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HomeGroupListener] ; 2 = Automatic ; 3 = Manual (Default) ; 4 = Disabled (CIS L1) ; NON-COMPLIANCE TO NOT DISRUPT COMMON HOME FEATURES ;"Start"=dword:0000003 ;;; 5.7 (L1) Ensure 'HomeGroup Provider (HomeGroupProvider)' is set to 'Disabled' ;[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HomeGroupProvider] ; 2 = Automatic ; 3 = Manual (Default) ; 4 = Disabled (CIS L1) ; NON-COMPLIANCE TO NOT DISRUPT COMMON HOME FEATURES ;"Start"=dword:0000003 ;;; 5.8 (L1) Ensure 'IIS Admin Service (IISADMIN)' is set to 'Disabled' or 'Not Installed' ;[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IISADMIN] ; = (Default) ; 2 = Automatic ; 3 = Manual ; 4 = Disabled (CIS L1) ; NON-COMPLIANCE TO NOT DISRUPT COMMON HOME FEATURES ;"Start"=dword:0000003 ;;; 5.9 (L1) Ensure 'Infrared monitor service (irmon)' is set to 'Disabled' ;[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\irmon] ; = (Default) ; 2 = Automatic ; 3 = Manual ; 4 = Disabled (CIS L1) ;"Start"=dword:0000004 ;;; 5.10 
(L1) Ensure 'Internet Connection Sharing (ICS) (SharedAccess) ' is set to 'Disabled' ;[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess] ; = (Default) ; 2 = Automatic ; 3 = Manual ; 4 = Disabled (CIS L1) ;"Start"=dword:0000004 ;;; 5.12 (L1) Ensure 'LxssManager (LxssManager)' is set to 'Disabled' or 'Not Installed' ;[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LxssManager] ; = (Default) ; 2 = Automatic ; 3 = Manual ; 4 = Disabled (CIS L1) ; NON-COMPLIANCE TO NOT DISRUPT COMMON HOME FEATURES ;"Start"=dword:0000003 ;;; 5.13 (L1) Ensure 'Microsoft FTP Service (FTPSVC)' is set to 'Disabled' or 'Not Installed' ;[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FTPSVC] ; = (Default) ; 2 = Automatic ; 3 = Manual ; 4 = Disabled (CIS L1) ; NON-COMPLIANCE TO NOT DISRUPT COMMON HOME FEATURES ;"Start"=dword:0000003 ;;; 5.24 (L1) Ensure 'Remote Procedure Call (RPC) Locator (RpcLocator)' is set to 'Disabled' ;[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcLocator] ; 2 = Automatic ; 3 = Manual (Default) ; 4 = Disabled (CIS L1) ;"Start"=dword:0000004 ;;; 5.26 (L1) Ensure 'Routing and Remote Access (RemoteAccess)' is set to 'Disabled' ;[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess] ; 2 = Automatic ; 3 = Manual ; 4 = Disabled (Default, CIS L1) ;"Start"=dword:0000004 ;;; 5.28 (L1) Ensure 'Simple TCP/IP Services (simptcp)' is set to 'Disabled' or 'Not Installed' ;[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\simptcp] ; = (Default) ; 2 = Automatic ; 3 = Manual ; 4 = Disabled (CIS L1) ; NON-COMPLIANCE TO NOT DISRUPT COMMON HOME FEATURES ;"Start"=dword:0000003 ;;; 5.30 (L1) Ensure 'SSDP Discovery (SSDPSRV)' is set to 'Disabled' ;[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSDPSRV] ; 2 = Automatic ; 3 = Manual (Default) ; 4 = Disabled (CIS L1) ; NON-COMPLIANCE TO NOT DISRUPT COMMON HOME FEATURES ;"Start"=dword:0000003 ;;; 5.31 (L1) Ensure 'UPnP Device Host (upnphost)' is set to 'Disabled' 
; ==== Services (CIS 5.x) and Windows Firewall profiles (CIS 9.x) ====
; Convention used throughout this file: a commented-out key/value pair is a CIS L1 item
; the author deliberately leaves unapplied ("NON-COMPLIANCE TO NOT DISRUPT COMMON HOME
; FEATURES"); the commented value shown is the one that would otherwise be written.
; NOTE(review): dword values are written with 7 hex digits instead of the 8 that regedit
; exports; regedit appears to accept the short form, but normalizing to 8 digits keeps
; this file diff-able against a registry export - confirm before relying on the short form.
;[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\upnphost]
; 2 = Automatic
; 3 = Manual (Default)
; 4 = Disabled (CIS L1)
; NON-COMPLIANCE TO NOT DISRUPT COMMON HOME FEATURES
;"Start"=dword:0000003

;;; 5.32 (L1) Ensure 'Web Management Service (WMSvc)' is set to 'Disabled' or 'Not Installed'
;[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WMSvc]
; = (Default)
; 2 = Automatic
; 3 = Manual
; 4 = Disabled (CIS L1)
; NON-COMPLIANCE TO NOT DISRUPT COMMON HOME FEATURES
;"Start"=dword:0000003

;;; 5.35 (L1) Ensure 'Windows Media Player Network Sharing Service (WMPNetworkSvc)' is set to 'Disabled'
;[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WMPNetworkSvc]
; = (Default)
; 2 = Automatic
; 3 = Manual
; 4 = Disabled (CIS L1)
; NON-COMPLIANCE TO NOT DISRUPT COMMON HOME FEATURES
;"Start"=dword:0000003

;;; 5.36 (L1) Ensure 'Windows Mobile Hotspot Service (icssvc)' is set to 'Disabled'
;[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\icssvc]
; 2 = Automatic
; 3 = Manual (Default)
; 4 = Disabled (CIS L1)
; NON-COMPLIANCE TO NOT DISRUPT COMMON HOME FEATURES
;"Start"=dword:0000003

;;; 5.38 (L1) Ensure 'WinHTTP Web Proxy Auto-Discovery Service (WinHttpAutoProxySvc)' is set to 'Disabled'
; NOTE(review): commented out without a NON-COMPLIANCE note - presumably left unapplied on purpose; confirm.
;[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinHttpAutoProxySvc]
; 2 = Automatic
; 3 = Manual (Default)
; 4 = Disabled (CIS L1)
;"Start"=dword:0000004

;;; 5.39 (L1) Ensure 'World Wide Web Publishing Service (W3SVC)' is set to 'Disabled' or 'Not Installed'
;[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC]
; = (Default)
; 2 = Automatic
; 3 = Manual
; 4 = Disabled (CIS L1)
; NON-COMPLIANCE TO NOT DISRUPT COMMON HOME FEATURES
;"Start"=dword:0000003

;;; 9.1.1 (L1) Ensure 'Windows Firewall: Domain: Firewall state' is set to 'On (recommended)'
[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile]
; = (Default)
; 0 = Off
; 1 = On (CIS L1)
"EnableFirewall"=dword:0000001

;;; 9.1.2 (L1) Ensure 'Windows Firewall: Domain: Inbound connections' is set to 'Block (default)'
[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile]
; = (Default)
; 0 = Off
; 1 = On (CIS L1)
"DefaultInboundAction"=dword:0000001

;;; 9.1.3 (L1) Ensure 'Windows Firewall: Domain: Outbound connections' is set to 'Allow (default)'
[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile]
; = (Default)
; 0 = Off (CIS L1)
; 1 = On
"DefaultOutboundAction"=dword:0000000

;;; 9.1.4 (L1) Ensure 'Windows Firewall: Domain: Settings: Display a notification' is set to 'No'
;[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile]
; = (Default)
; 0 = Off
; 1 = On (CIS L1)
; NON-COMPLIANCE TO NOT DISRUPT COMMON HOME FEATURES
;"DisableNotifications"=dword:0000000

;;; 9.1.5 (L1) Ensure 'Windows Firewall: Domain: Settings: Apply local firewall rules' is set to 'Yes (default)'
[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile]
; = (Default)
; 0 = Off
; 1 = On (CIS L1)
"AllowLocalPolicyMerge"=dword:0000001

;;; 9.1.6 (L1) Ensure 'Windows Firewall: Domain: Settings: Apply local connection security rules' is set to 'Yes (default)'
[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile]
; = (Default)
; 0 = Off
; 1 = On (CIS L1)
"AllowLocalIPsecPolicyMerge"=dword:0000001

;;; 9.1.7 (L1) Ensure 'Windows Firewall: Domain: Logging: Name' is set to '%SYSTEMROOT%\System32\logfiles\firewall\domainfw.log'
; NOTE(review): if this line is ever uncommented, double the backslashes in the string value
; ("%SYSTEMROOT%\\System32\\...") - a .reg REG_SZ string treats a single backslash as an escape.
;[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging]
; = (Default)
; = %SYSTEMROOT%\System32\logfiles\firewall\domainfw.log (CIS L1)
; NON-COMPLIANCE TO NOT DISRUPT COMMON HOME FEATURES
;"LogFilePath"="%SYSTEMROOT%\System32\logfiles\firewall\domainfw.log"

;;; 9.1.8 (L1) Ensure 'Windows Firewall: Domain: Logging: Size limit (KB)' is set to '16,384 KB or greater'
;[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging]
; = (Default)
; 4000 = 16,384 KB (CIS L1)
; NON-COMPLIANCE TO NOT DISRUPT COMMON HOME FEATURES
;"LogFileSize"=dword:0004000

;;; 9.1.9 (L1) Ensure 'Windows Firewall: Domain: Logging: Log dropped packets' is set to 'Yes'
;[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging]
; = (Default)
; 0 = Off
; 1 = On (CIS L1)
; NON-COMPLIANCE TO NOT DISRUPT COMMON HOME FEATURES
;"LogDroppedPackets"=dword:0000001

;;; 9.1.10 (L1) Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Yes'
;[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging]
; = (Default)
; 0 = Off
; 1 = On (CIS L1)
; NON-COMPLIANCE TO NOT DISRUPT COMMON HOME FEATURES
;"LogSuccessfulConnections"=dword:0000001

;;; 9.2.1 (L1) Ensure 'Windows Firewall: Private: Firewall state' is set to 'On (recommended)'
[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile]
; = (Default)
; 0 = Off
; 1 = On (CIS L1)
"EnableFirewall"=dword:0000001

;;; 9.2.2 (L1) Ensure 'Windows Firewall: Private: Inbound connections' is set to 'Block (default)'
[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile]
; = (Default)
; 0 = Off
; 1 = On (CIS L1)
"DefaultInboundAction"=dword:0000001

;;; 9.2.3 (L1) Ensure 'Windows Firewall: Private: Outbound connections' is set to 'Allow (default)'
[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile]
; = (Default)
; 0 = Off (CIS L1)
; 1 = On
"DefaultOutboundAction"=dword:0000000

;;; 9.2.4 (L1) Ensure 'Windows Firewall: Private: Settings: Display a notification' is set to 'No'
;[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile]
; = (Default)
; 0 = Off
; 1 = On (CIS L1)
; NON-COMPLIANCE TO NOT DISRUPT COMMON HOME FEATURES
;"DisableNotifications"=dword:0000000

;;; 9.2.5 (L1) Ensure 'Windows Firewall: Private: Settings: Apply local firewall rules' is set to 'Yes (default)'
[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile]
; = (Default)
; 0 = Off
; 1 = On (CIS L1)
"AllowLocalPolicyMerge"=dword:0000001

;;; 9.2.6 (L1) Ensure 'Windows Firewall: Private: Settings: Apply local connection security rules' is set to 'Yes (default)'
[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile]
; = (Default)
; 0 = Off
; 1 = On (CIS L1)
"AllowLocalIPsecPolicyMerge"=dword:0000001

;;; 9.2.7 (L1) Ensure 'Windows Firewall: Private: Logging: Name' is set to '%SYSTEMROOT%\System32\logfiles\firewall\privatefw.log'
; NOTE(review): same backslash-escaping caveat as 9.1.7 if this line is uncommented.
;[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging]
; = (Default)
; = %SYSTEMROOT%\System32\logfiles\firewall\privatefw.log (CIS L1)
; NON-COMPLIANCE TO NOT DISRUPT COMMON HOME FEATURES
;"LogFilePath"="%SYSTEMROOT%\System32\logfiles\firewall\privatefw.log"

;;; 9.2.8 (L1) Ensure 'Windows Firewall: Private: Logging: Size limit (KB)' is set to '16,384 KB or greater'
;[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging]
; = (Default)
; 4000 = 16,384 KB (CIS L1)
; NON-COMPLIANCE TO NOT DISRUPT COMMON HOME FEATURES
;"LogFileSize"=dword:0004000

;;; 9.2.9 (L1) Ensure 'Windows Firewall: Private: Logging: Log dropped packets' is set to 'Yes'
;[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging]
; = (Default)
; 0 = Off
; 1 = On (CIS L1)
; NON-COMPLIANCE TO NOT DISRUPT COMMON HOME FEATURES
;"LogDroppedPackets"=dword:0000001

;;; 9.2.10 (L1) Ensure 'Windows Firewall: Private: Logging: Log successful connections' is set to 'Yes'
;[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging]
; = (Default)
; 0 = Off
; 1 = On (CIS L1)
;"LogSuccessfulConnections"=dword:0000001

;;; 9.3.1 (L1) Ensure 'Windows Firewall: Public: Firewall state' is set to 'On (recommended)'
[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile]
; = (Default)
; 0 = Off
; 1 = On (CIS L1)
"EnableFirewall"=dword:0000001

;;; 9.3.2 (L1) Ensure 'Windows Firewall: Public: Inbound connections' is set to 'Block (default)'
[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile]
; = (Default)
; 0 = Off
; 1 = On (CIS L1)
"DefaultInboundAction"=dword:0000001

;;; 9.3.3 (L1) Ensure 'Windows Firewall: Public: Outbound connections' is set to 'Allow (default)'
[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile]
; = (Default)
; 0 = Off (CIS L1)
; 1 = On
"DefaultOutboundAction"=dword:0000000

;;; 9.3.4 (L1) Ensure 'Windows Firewall: Public: Settings: Display a notification' is set to 'Yes'
[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile]
; = (Default)
; 0 = Off (CIS L1)
; 1 = On
"DisableNotifications"=dword:0000000

;;; 9.3.5 (L1) Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No'
;[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile]
; = (Default)
; 0 = Off (CIS L1)
; 1 = On
; NON-COMPLIANCE TO NOT DISRUPT COMMON HOME FEATURES
;"AllowLocalPolicyMerge"=dword:0000001

;;; 9.3.6 (L1) Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No'
; NOTE(review): unlike 9.3.5, the commented-out value here (0) is already the CIS L1 value,
; so the NON-COMPLIANCE note does not match it - confirm whether 1 was meant.
;[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile]
; = (Default)
; 0 = Off (CIS L1)
; 1 = On
; NON-COMPLIANCE TO NOT DISRUPT COMMON HOME FEATURES
;"AllowLocalIPsecPolicyMerge"=dword:0000000

;;; 9.3.7 (L1) Ensure 'Windows Firewall: Public: Logging: Name' is set to '%SYSTEMROOT%\System32\logfiles\firewall\publicfw.log'
; NOTE(review): same backslash-escaping caveat as 9.1.7 if this line is uncommented.
;[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging]
; = (Default)
; = %SYSTEMROOT%\System32\logfiles\firewall\publicfw.log (CIS L1)
; NON-COMPLIANCE TO NOT DISRUPT COMMON HOME FEATURES
;"LogFilePath"="%SYSTEMROOT%\System32\logfiles\firewall\publicfw.log"

;;; 9.3.8 (L1) Ensure 'Windows Firewall: Public: Logging: Size limit (KB)' is set to '16,384 KB or greater'
;[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging]
; = (Default)
; ==== Public firewall logging (CIS 9.3.x), lock screen / input personalization (18.1.x),
; MSS legacy network hardening (18.3.x), NetBT/SMB guest auth, Wi-Fi auto-connect, UAC token
; filtering, WDigest, process-creation auditing and ELAM (18.4 - 18.8.12) ====
; 4000 = 16,384 KB (CIS L1)
; NON-COMPLIANCE TO NOT DISRUPT COMMON HOME FEATURES
;"LogFileSize"=dword:0004000

;;; 9.3.9 (L1) Ensure 'Windows Firewall: Public: Logging: Log dropped packets' is set to 'Yes'
;[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging]
; = (Default)
; 0 = Off
; 1 = On (CIS L1)
; NON-COMPLIANCE TO NOT DISRUPT COMMON HOME FEATURES
;"LogDroppedPackets"=dword:0000001

;;; 9.3.10 (L1) Ensure 'Windows Firewall: Public: Logging: Log successful connections' is set to 'Yes'
;[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging]
; = (Default)
; 0 = Off
; 1 = On (CIS L1)
; NON-COMPLIANCE TO NOT DISRUPT COMMON HOME FEATURES
;"LogSuccessfulConnections"=dword:0000001

;;; 18.1.1.1 (L1) Ensure 'Prevent enabling lock screen camera' is set to 'Enabled'
;[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Personalization]
; = (Default)
; 0 = Off
; 1 = On (CIS L1)
; NON-COMPLIANCE TO NOT DISRUPT COMMON HOME FEATURES
;"NoLockScreenCamera"=dword:0000000

;;; 18.1.1.2 (L1) Ensure 'Prevent enabling lock screen slide show' is set to 'Enabled'
;[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Personalization]
; = (Default)
; 0 = Off
; 1 = On (CIS L1)
; NON-COMPLIANCE TO NOT DISRUPT COMMON HOME FEATURES
;"NoLockScreenSlideshow"=dword:0000000

;;; 18.1.2.1 (L1) Ensure 'Allow Input Personalization' is set to 'Disabled'
;[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\InputPersonalization]
; = (Default)
; 0 = Off (CIS L1)
; 1 = On
; NON-COMPLIANCE TO NOT DISRUPT COMMON HOME FEATURES
;"AllowInputPersonalization"=dword:0000001

;;; 18.3.1 (L1) Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' is set to 'Disabled'
; NOTE(review): AutoAdminLogon is a REG_SZ value in Winlogon ("0"/"1"), like AllocateDASD earlier
; in this file - if this line is ever uncommented, write it as a string rather than a dword.
;[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
; = (Default)
; 0 = Off (CIS L1)
; 1 = On
; NON-COMPLIANCE TO NOT DISRUPT COMMON HOME FEATURES
;"AutoAdminLogon"=dword:0000001

;;; 18.3.2 (L1) Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip6\Parameters]
; = (Default)
; 0 = No additional protection, source routed packets are allowed
; 1 = Medium, source routed packets ignored when IP forwarding is enabled
; 2 = Highest protection, source routing is completely disabled (CIS L1)
"DisableIPSourceRouting"=dword:0000002

;;; 18.3.3 (L1) Ensure 'MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters]
; = (Default)
; 0 = No additional protection, source routed packets are allowed
; 1 = Medium, source routed packets ignored when IP forwarding is enabled
; 2 = Highest protection, source routing is completely disabled (CIS L1)
"DisableIPSourceRouting"=dword:0000002

;;; 18.3.5 (L1) Ensure 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' is set to 'Disabled'
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters]
; 0 = Off (CIS L1)
; 1 = On (Default)
"EnableICMPRedirect"=dword:0000000

;;; 18.3.7 (L1) Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' is set to 'Enabled'
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NetBT\Parameters]
; = (Default)
; 0 = Off
; 1 = On (CIS L1)
"nonamereleaseondemand"=dword:0000001

;;; 18.3.9 (L1) Ensure 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' is set to 'Enabled'
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]
; = (Default)
; 0 = Off
; 1 = On (CIS L1)
"SafeDllSearchMode"=dword:0000001

;;; 18.3.10 (L1) Ensure 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)' is set to 'Enabled: 5 or fewer seconds'
; NOTE(review): ScreenSaverGracePeriod is documented as a REG_SZ value (the MSS legacy template
; writes a string); a dword here may be ignored - confirm, and prefer "ScreenSaverGracePeriod"="5".
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
; = (Default)
; 5 = 5 seconds (CIS L1)
"ScreenSaverGracePeriod"=dword:0000005

;;; 18.4.4.1 (L1) Set 'NetBIOS node type' to 'P-node' (Ensure NetBT Parameter 'NodeType' is set to '0x2 (2)')
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netbt\Parameters]
; = (Default)
; 2 = P-node, name resolution via WINS only, no broadcasts (CIS L1)
"NodeType"=dword:0000002

;;; 18.4.8.1 (L1) Ensure 'Enable insecure guest logons' is set to 'Disabled'
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation]
; = (Default)
; 0 = Off (CIS L1)
; 1 = On
"AllowInsecureGuestAuth"=dword:0000000

;;; 18.4.23.2.1 (L1) Ensure 'Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services' is set to 'Disabled'
; NOTE(review): the NON-COMPLIANCE marker below does not match the value - 0 is the CIS L1
; value and it is applied (the line is not commented out).
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WcmSvc\wifinetworkmanager\config]
; 0 = Off (CIS L1)
; 1 = On (Default)
; NON-COMPLIANCE TO NOT DISRUPT COMMON HOME FEATURES
"AutoConnectAllowedOEM"=dword:0000000

;;; 18.6.1 (L1) Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled'
; NOTE(review): LocalAccountTokenFilterPolicy=1 gives local accounts an unfiltered (full admin)
; token on network logons; leaving the value unset keeps the CIS-recommended filtering, so the
; commented-out state is the safer of the two.
;[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
; = (Default)
; 0 = Off (CIS L1)
; 1 = On
; NON-COMPLIANCE TO NOT DISRUPT COMMON HOME FEATURES
;"LocalAccountTokenFilterPolicy"=dword:0000001

;;; 18.6.2 (L1) Ensure 'WDigest Authentication' is set to 'Disabled'
; UseLogonCredential=0 keeps WDigest from caching plaintext credentials in LSASS memory.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest]
; = (Default)
; 0 = Off (CIS L1)
; 1 = On
"UseLogonCredential"=dword:0000000

;;; 18.8.3.1 (L1) Ensure 'Include command line in process creation events' is set to 'Disabled'
; NOTE(review): later CIS revisions flip this item to 'Enabled' (1), because the command line is
; what makes event 4688 useful for detection; this file follows the older recommendation -
; confirm which benchmark version is targeted.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit]
; = (Default)
; 0 = Off (CIS L1)
; 1 = On
"ProcessCreationIncludeCmdLine_Enabled"=dword:0000000

;;; 18.8.12 Early Launch Antimalware
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Policies\EarlyLaunch]
; = (Default)
; ==== ELAM driver policy (18.8.12), logon UI (18.8.25.x), untrusted font blocking (18.8.26.1),
; connected-standby and sleep power settings (18.8.29.5.x) ====
; 8 = Only good drivers
; 1 = Good and unknown drivers
; 3 = Good, unknown, and bad but critical drivers (CIS L1)
; 7 = All drivers
"DriverLoadPolicy"=dword:0000003

;;; 18.8.25.1 (L1) Ensure 'Block user from showing account details on sign-in' is set to 'Enabled'
;[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]
; = (Default)
; 0 = Off
; 1 = On (CIS L1)
; NON-COMPLIANCE TO NOT DISRUPT COMMON HOME FEATURES
;"BlockUserFromShowingAccountDetailsOnSignin"=dword:0000000

;;; 18.8.25.2 (L1) Ensure 'Do not display network selection UI' is set to 'Enabled'
;[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]
; = (Default)
; 0 = Off
; 1 = On (CIS L1)
; NON-COMPLIANCE TO NOT DISRUPT COMMON HOME FEATURES
;"DontDisplayNetworkSelectionUI"=dword:0000000

;;; 18.8.25.3 (L1) Ensure 'Do not enumerate connected users on domain-joined computers' is set to 'Enabled'
;[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]
; = (Default)
; 0 = Off
; 1 = On (CIS L1)
; FEATURE DOES NOT EXIST IN NON-CORPORATE ENVIRONMENT
;"DontEnumerateConnectedUsers"=dword:0000001

;;; 18.8.25.4 (L1) Ensure 'Enumerate local users on domain-joined computers' is set to 'Disabled'
;[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]
; = (Default)
; 0 = Off (CIS L1)
; 1 = On
; FEATURE DOES NOT EXIST IN NON-CORPORATE ENVIRONMENT
;"EnumerateLocalUsers"=dword:0000000

;;; 18.8.25.5 (L1) Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled'
;[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]
; = (Default)
; 0 = Off
; 1 = On (CIS L1)
; NON-COMPLIANCE TO NOT DISRUPT COMMON HOME FEATURES
;"DisableLockScreenAppNotifications"=dword:0000000

;;; 18.8.25.6 (L1) Ensure 'Turn on convenience PIN sign-in' is set to 'Disabled'
;[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]
; = (Default)
; 0 = Off (CIS L1)
; 1 = On
; FEATURE DOES NOT EXIST IN NON-CORPORATE ENVIRONMENT
;"AllowDomainPINLogon"=dword:0000000

;;; 18.8.26.1 (L1) Ensure 'Untrusted Font Blocking' is set to 'Enabled: Block untrusted fonts and log events'
; The value name "MitigationOptions_FontBocking" (sic) is the name Windows actually reads - do not "correct" it.
; The hex(b) bytes are the little-endian QWORD; the decimal in parentheses is the same number.
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\MitigationOptions]
; = (Default)
; 00,10,a5,d4,e8,00,00,00 (1000000000000) = Block untrusted fonts and log events (CIS L1)
; 00,20,4a,a9,d1,01,00,00 (2000000000000) = Do not block untrusted fonts
; 00,30,ef,7d,ba,02,00,00 (3000000000000) = Log events without blocking untrusted fonts
"MitigationOptions_FontBocking"=hex(b):00,10,a5,d4,e8,00,00,00

;;; 18.8.29.5.1 (L1) Ensure 'Allow network connectivity during connected-standby (on battery)' is set to 'Disabled'
;[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9]
; = (Default)
; 0 = Off (CIS L1)
; 1 = On
; NON-COMPLIANCE TO NOT DISRUPT COMMON HOME FEATURES
;"DCSettingIndex"=dword:0000001

;;; 18.8.29.5.2 (L1) Ensure 'Allow network connectivity during connected-standby (plugged in)' is set to 'Disabled'
;[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9]
; = (Default)
; 0 = Off (CIS L1)
; 1 = On
; NON-COMPLIANCE TO NOT DISRUPT COMMON HOME FEATURES
;"ACSettingIndex"=dword:0000001

;;; 18.8.29.5.3 (BL) Ensure 'Allow standby states (S1-S3) when sleeping (on battery)' is set to 'Disabled'
; (BL) = BitLocker-related item; BitLocker is excluded for Windows 10 Home per the file header, so this stays commented.
;[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Power\PowerSettings\abfc2519-3608-4c2a-94ea-171b0ed546ab]
; = (Default)
; 0 = Off (CIS L1)
; 1 = On
; NON-COMPLIANCE TO NOT DISRUPT COMMON HOME FEATURES
;"DCSettingIndex"=dword:0000001

;;; 18.8.29.5.4 (BL) Ensure 'Allow standby states (S1-S3) when sleeping (plugged in)' is set to 'Disabled'
;[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Power\PowerSettings\abfc2519-3608-4c2a-94ea-171b0ed546ab]
; = (Default)
; 0 = Off (CIS L1)
; 1 = On
; NON-COMPLIANCE TO NOT DISRUPT COMMON HOME FEATURES
;"ACSettingIndex"=dword:0000001

;;; 18.8.29.5.5 (L1) Ensure 'Require a password when a computer wakes (on battery)' is set to 'Enabled'
; ==== Wake password (18.8.29.5.5/6), Remote Assistance (18.8.31.x), RPC hardening (18.8.32.x),
; optional Microsoft accounts (18.9.6.1), AutoPlay for non-volume devices (18.9.8.1) ====
; 'Enabled' for "require a password on wake" means DCSettingIndex/ACSettingIndex = 1; the
; (CIS L1) marker is on the 1 row accordingly (the applied value below is 1).
[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51]
; = (Default)
; 0 = Off
; 1 = On (CIS L1)
"DCSettingIndex"=dword:0000001

;;; 18.8.29.5.6 (L1) Ensure 'Require a password when a computer wakes (plugged in)' is set to 'Enabled'
[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51]
; = (Default)
; 0 = Off
; 1 = On (CIS L1)
"ACSettingIndex"=dword:0000001

;;; 18.8.31.1 (L1) Ensure 'Configure Offer Remote Assistance' is set to 'Disabled'
[HKEY_LOCAL_MACHINE\Software\policies\Microsoft\Windows NT\Terminal Services]
; = (Default)
; 0 = Off (CIS L1)
; 1 = On
"fAllowUnsolicited"=dword:0000000

;;; 18.8.31.2 (L1) Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled'
;[HKEY_LOCAL_MACHINE\Software\policies\Microsoft\Windows NT\Terminal Services]
; = (Default)
; 0 = Off (CIS L1)
; 1 = On
; NON-COMPLIANCE TO NOT DISRUPT COMMON HOME FEATURES
;"fAllowToGetHelp"=dword:0000001

;;; 18.8.32.1 (L1) Ensure 'Enable RPC Endpoint Mapper Client Authentication' is set to 'Enabled'
[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Rpc]
; = (Default)
; 0 = Off
; 1 = On (CIS L1)
"EnableAuthEpResolution"=dword:0000001

;;; 18.8.32.2 (L1) Ensure 'Restrict Unauthenticated RPC clients' is set to 'Enabled: Authenticated'
[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Rpc]
; = (Default)
; 0 = None (unauthenticated clients allowed)
; 1 = Authenticated (CIS L1)
; 2 = Authenticated without exceptions
"RestrictRemoteClients"=dword:0000001

;;; 18.9.6.1 (L1) Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled'
;[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
; = (Default)
; 0 = Off
; 1 = On (CIS L1)
; FEATURE DOES NOT EXIST IN NON-CORPORATE ENVIRONMENT
;"MSAOptional"=dword:0000001

;;; 18.9.8.1 (L1) Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled'
[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Explorer]
; = (Default)
; 0 = Off
; 1 = On (CIS L1)
"NoAutoplayfornonVolume"=dword:0000001 ;;; 18.9.8.2 (L1) Ensure 'Set the default behavior for AutoRun' is set to 'Enabled: Do not execute any autorun commands' [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer] ; = (Default) ; 0 = Off ; 1 = On (CIS L1) "NoAutorun"=dword:0000001 ;;; 18.9.8.3 (L1) Ensure 'Turn off Autoplay' is set to 'Enabled: All drives' [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer] ; = (Default) ; 1 = Disables AutoPlay on drives of unknown type. ; 4 = Disables AutoPlay on removable drives. ; 8 = Disables AutoPlay on fixed drives. ; 10 = Disables AutoPlay on network drives. ; 20 = Disables AutoPlay on CD-ROM drives. ; 40 = Disables AutoPlay on RAM drives. ; 80 = Disables AutoPlay on drives of unknown type. ; ff = Disables AutoPlay on all types of drives. (CIS L1) "NoDriveTypeAutoRun"=dword:00000ff ;;; 18.9.10.1.1 (L1) Ensure 'Use enhanced anti-spoofing when available' is set to 'Enabled' [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Biometrics\FacialFeatures] ; = (Default) ; 0 = Off ; 1 = On (CIS L1) "EnhancedAntiSpoofing"=dword:0000001 ;;; 18.9.13.1 (L1) Ensure 'Turn off Microsoft consumer experiences' is set to 'Enabled' [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CloudContent] ; = (Default) ; 0 = Off ; 1 = On (CIS L1) "DisableWindowsConsumerFeatures"=dword:0000001 ;;; 18.9.14.1a (L1) Ensure 'Allow projection to PC' is set to 'Enabled' [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Connect] ; = (Default) ; 0 = Off ; 1 = On (CIS L1) ; NON-COMPLIANCE TO NOT DISRUPT COMMON HOME FEATURES ; Further configured through "HKLM-CUSTOM.REG" "AllowProjectionToPC"=dword:0000001 ;;; 18.9.14.1b (L1) Ensure 'Require pin for pairing' is set to 'Enabled' [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Connect] ; = (Default) ; 0 = Off ; 1 = On (CIS L1) "RequirePinForPairing"=dword:0000001 ;;; 18.9.15.1 (L1) Ensure 'Do not display the password reveal button' is set to 
'Enabled' ;[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CredUI] ; = (Default) ; 0 = Off ; 1 = On (CIS L1) ; NON-COMPLIANCE TO NOT DISRUPT COMMON HOME FEATURES ;"DisablePasswordReveal"=dword:0000000 ;;; 18.9.15.2 (L1) Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled' ;[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CredUI] ; = (Default) ; 0 = Off (CIS L1) ; 1 = On ; NON-COMPLIANCE TO NOT DISRUPT COMMON HOME FEATURES ;"EnumerateAdministrators"=dword:0000000 ;;; 18.9.16.1 (L1) Ensure 'Allow Telemetry' is set to 'Enabled: 0 - Security [Enterprise Only]' [HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DataCollection] ; = (Default) ; 0 = Security: Security data only (CIS L1) ; 1 = Basic: Security + basic system and quality data ; 2 = Enhanced: Basic + enhanced insights and advanced reliability data ; 3 = Full: Enhanced + full diagnostics data "AllowTelemetry"=dword:0000000 ;;; 18.9.16.2 (L1) Ensure 'Disable pre-release features or settings' is set to 'Disabled' ;[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds] ; = (Default) ; 0 = Off (CIS L1) ; 1 = On ; NON-COMPLIANCE TO NOT DISRUPT COMMON HOME FEATURES ;"EnableConfigFlighting"=dword:0000001 ;;; 18.9.16.3 (L1) Ensure 'Do not show feedback notifications' is set to 'Enabled' [HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DataCollection] ; = (Default) ; 0 = Off ; 1 = On (CIS L1) "DoNotShowFeedbackNotifications"=dword:0000001 ;;; 18.9.16.4 (L1) Ensure 'Toggle user control over Insider builds' is set to 'Disabled' ;[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds] ; = (Default) ; 0 = Off (CIS L1) ; 1 = On ; NON-COMPLIANCE TO NOT DISRUPT COMMON HOME FEATURES ;"AllowBuildPreview"=dword:0000001 ;;; 18.9.17.1 (L1) Ensure 'Download Mode' is NOT set to 'Enabled: Internet' [HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeliveryOptimization] ; = (Default) ; 0 = HTTP only, no peering ; 1 = HTTP blended with peering behind 
the same NAT ; 2 = HTTP blended with peering across a private group. Peering occurs on devices in the same Active Directory Site (if exist) or the same domain by default. When this option is selected, peering will cross NATs. To create a custom group use Group ID in combination with Mode 2 ; 3 = HTTP blended with Internet Peering ; 99 = Simple download mode with no peering. Delivery Optimization downloads using HTTP only and does not attempt to contact the Delivery Optimization cloud services ; 100 = Bypass mode. Do not use Delivery Optimization and use BITS instead. "DODownloadMode"=dword:0000002 ;;; 18.9.30.2 (L1) Ensure 'Configure Windows SmartScreen' is set to 'Enabled' [HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System] ; = (Default) ; 0 : Turn off SmartScreen ; 1 : Give user a warning before running downloaded unknown software ; 2 : Require approval from an administrator before running downloaded unknown software. (CIS L1) ; NON-COMPLIANCE TO NOT DISRUPT COMMON HOME FEATURES "EnableSmartScreen"=dword:0000001 ;;; 18.9.30.3 (L1) Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled' [HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Explorer] ; = (Default) ; 0 = Off (CIS L1) ; 1 = On "NoDataExecutionPrevention"=dword:0000001 ;;; 18.9.30.4 (L1) Ensure 'Turn off heap termination on corruption' is set to 'Disabled' [HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Explorer] ; = (Default) ; 0 = Off (CIS L1) ; 1 = On "NoHeapTerminationOnCorruption"=dword:0000000 ;;; 18.9.30.5 (L1) Ensure 'Turn off shell protocol protected mode' is set to 'Disabled' [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] ; = (Default) ; 0 = Off (CIS L1) ; 1 = On "PreXPSP2ShellProtocolBehavior"=dword:0000000 ;;; 18.9.33.1 (L1) Ensure 'Prevent the computer from joining a homegroup' is set to 'Enabled' ;[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\HomeGroup] ; = (Default) ; 0 = Off ; 1 = On (CIS L1) ; 
NON-COMPLIANCE TO NOT DISRUPT COMMON HOME FEATURES ;"DisableHomeGroup"=dword:0000000 ;;; 18.9.75.1 (L1) Ensure 'Sign-in last interactive user automatically after a system-initiated restart' is set to 'Disabled' ;[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System] ; = (Default) ; 0 = Off ; 1 = On (CIS L1) ; NON-COMPLIANCE TO NOT DISRUPT COMMON HOME FEATURES ;"DisableAutomaticRestartSignOn"=dword:0000000 ;;; 18.9.41.3 (L1) Ensure 'Configure cookies' is set to 'Enabled: Block only 3rd-party cookies' or higher ;[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main] ; = (Default) ; 0 = Block all cookies ; 1 = Block only 3rd-party cookies (CIS L1) ; 2 = Allow all cookies ; NON-COMPLIANCE TO NOT DISRUPT COMMON HOME FEATURES ;"Cookies"=dword:0000000 ;;; 18.9.41.4 (L1) Ensure 'Configure Password Manager' is set to 'Disabled' ;[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main] ; = (Default) ; no = Off (CIS L1) ; yes = On ; NON-COMPLIANCE TO NOT DISRUPT COMMON HOME FEATURES ;"FormSuggest Passwords"="" ;;; 18.9.41.6 (L1) Ensure 'Configure search suggestions in Address bar' is set to 'Disabled' ;[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\SearchScopes] ; = (Default) ; 0 = Off (CIS L1) ; 1 = On ; NON-COMPLIANCE TO NOT DISRUPT COMMON HOME FEATURES ;"ShowSearchSuggestionsGlobal"=dword:0000000 ;;; 18.9.41.7 (L1) Ensure 'Configure SmartScreen Filter' is set to 'Enabled' [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter] ; = (Default) ; 0 = Off ; 1 = On (CIS L1) "EnabledV9"=dword:0000000 ;;; 18.9.47.1 (L1) Ensure 'Prevent the usage of OneDrive for file storage' is set to 'Enabled' ;[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\OneDrive] ; = (Default) ; 0 = Off ; 1 = On (CIS L1) ; NON-COMPLIANCE TO NOT DISRUPT COMMON HOME FEATURES ;"DisableFileSyncNGSC"=dword:0000000 ;;; 18.9.53.1 (L1) Ensure 'Prevent downloading of enclosures' is set to 'Enabled' 
; ==== RSS enclosures (18.9.53.1), Cortana and search (18.9.54.x), Store updates (18.9.61.x) ====
;[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds]
; = (Default)
; 0 = Off
; 1 = On (CIS L1)
; NON-COMPLIANCE TO NOT DISRUPT COMMON HOME FEATURES
;"DisableEnclosureDownload"=dword:0000000

;;; 18.9.54.2 (L1) Ensure 'Allow Cortana' is set to 'Disabled'
;[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search]
; = (Default)
; 0 = Off (CIS L1)
; 1 = On
; NON-COMPLIANCE TO NOT DISRUPT COMMON HOME FEATURES
;"AllowCortana"=dword:0000001

;;; 18.9.54.3 (L1) Ensure 'Allow Cortana above lock screen' is set to 'Disabled'
;[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search]
; = (Default)
; 0 = Off (CIS L1)
; 1 = On
; NON-COMPLIANCE TO NOT DISRUPT COMMON HOME FEATURES
;"AllowCortanaAboveLock"=dword:0000001

;;; 18.9.54.4 (L1) Ensure 'Allow indexing of encrypted files' is set to 'Disabled'
; Keeps plaintext of encrypted files out of the (unencrypted) search index.
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search]
; = (Default)
; 0 = Off (CIS L1)
; 1 = On
"AllowIndexingEncryptedStoresOrItems"=dword:0000000

;;; 18.9.54.5 (L1) Ensure 'Allow search and Cortana to use location' is set to 'Disabled'
;[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search]
; = (Default)
; 0 = Off (CIS L1)
; 1 = On
; NON-COMPLIANCE TO NOT DISRUPT COMMON HOME FEATURES
;"AllowSearchToUseLocation"=dword:0000001

;;; 18.9.61.2 (L1) Ensure 'Turn off Automatic Download and Install of updates' is set to 'Disabled'
; The policy is negated: 'Disabled' means auto download stays ON, i.e. AutoDownload = 4.
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore]
; = (Default)
; 2 = Off
; 4 = On (CIS L1)
"AutoDownload"=dword:0000004

;;; 18.9.61.3 (L1) Ensure 'Turn off the offer to update to the latest version of Windows' is set to 'Enabled'
; NOTE(review): 'Enabled' corresponds to DisableOSUpgrade=1, so the (CIS L1) marker belongs on the 1 row;
; the commented-out line already carries 1, which makes the NON-COMPLIANCE note look misplaced - confirm.
;[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore]
; = (Default)
; 0 = Off
; 1 = On (CIS L1)
; NON-COMPLIANCE TO NOT DISRUPT COMMON HOME FEATURES
;"DisableOSUpgrade"=dword:0000001

;;; 18.9.71.1 (L1) Ensure 'Enables or disables Windows Game Recording and Broadcasting' is set to 'Disabled'
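; ==== Game DVR, Ink Workspace, Windows Installer (18.9.74.x), ARSO (18.9.75.1, duplicate),
; PowerShell logging (18.9.84.x), WinRM client/service (18.9.86.x), Windows Update (18.9.90.x) ====
; Fixed in this revision: 18.9.86.2.4 DisableRunAs 0 -> 1. The applied value contradicted its own
; title and (CIS L1) row; with 0, WinRM was still allowed to store RunAs credentials.
; Comment-only corrections: the duplicated 18.9.75.1 table and the 18.9.90.1.2 deferral table.
;[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\GameDVR]
; = (Default)
; 0 = Off (CIS L1)
; 1 = On
; NON-COMPLIANCE TO NOT DISRUPT COMMON HOME FEATURES
;"AllowGameDVR"=dword:0000001

;;; 18.9.73.2 (L1) Ensure 'Allow Windows Ink Workspace' is set to 'Enabled: On, but disallow access above lock' OR 'Disabled' but not 'Enabled: On'
;[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace]
; = (Default)
; 0 = Off (CIS L1)
; 1 = On
; NON-COMPLIANCE TO NOT DISRUPT COMMON HOME FEATURES
;"AllowWindowsInkWorkspace"=dword:0000001

;;; 18.9.74.1 (L1) Ensure 'Allow user control over installs' is set to 'Disabled'
;[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer]
; = (Default)
; 0 = Off (CIS L1)
; 1 = On
; NON-COMPLIANCE TO NOT DISRUPT COMMON HOME FEATURES
;"EnableUserControl"=dword:0000001

;;; 18.9.74.2 (L1) Ensure 'Always install with elevated privileges' is set to 'Disabled'
; NOTE(review): the commented-out value (0) is already the CIS L1 value and equals the OS default,
; so applying it disrupts nothing; the NON-COMPLIANCE note looks misplaced - confirm.
;[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer]
; = (Default)
; 0 = Off (CIS L1)
; 1 = On
; NON-COMPLIANCE TO NOT DISRUPT COMMON HOME FEATURES
;"AlwaysInstallElevated"=dword:0000000

;;; 18.9.75.1 (L1) Ensure 'Sign-in last interactive user automatically after a system-initiated restart' is set to 'Disabled'
; NOTE(review): duplicate of the 18.9.75.1 section earlier in the file. 'Disabled' corresponds to
; DisableAutomaticRestartSignOn=1, so the (CIS L1) marker is on the 1 row here to match that copy.
;[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
; = (Default)
; 0 = Off
; 1 = On (CIS L1)
; NON-COMPLIANCE TO NOT DISRUPT COMMON HOME FEATURES
;"DisableAutomaticRestartSignOn"=dword:0000000

;;; 18.9.84.1 (L1) Ensure 'Turn on PowerShell Script Block Logging' is set to 'Disabled'
; NOTE(review): later CIS revisions recommend 'Enabled' (1) for script block logging, as it is the
; main source of visibility into PowerShell activity (event 4104); this file follows the older
; recommendation - confirm which benchmark version is targeted.
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging]
; = (Default)
; 0 = Off (CIS L1)
; 1 = On
"EnableScriptBlockLogging"=dword:0000000

;;; 18.9.84.2 (L1) Ensure 'Turn on PowerShell Transcription' is set to 'Disabled'
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription]
; = (Default)
; 0 = Off (CIS L1)
; 1 = On
"EnableTranscripting"=dword:0000000

;;; 18.9.86.1.1 (L1) Ensure 'Allow Basic authentication' is set to 'Disabled'
[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Client]
; = (Default)
; 0 = Off (CIS L1)
; 1 = On
"AllowBasic"=dword:0000000

;;; 18.9.86.1.2 (L1) Ensure 'Allow unencrypted traffic' is set to 'Disabled'
[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Client]
; = (Default)
; 0 = Off (CIS L1)
; 1 = On
"AllowUnencryptedTraffic"=dword:0000000

;;; 18.9.86.1.3 (L1) Ensure 'Disallow Digest authentication' is set to 'Enabled'
; Negated name: 'Disallow ... Enabled' means AllowDigest = 0.
[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Client]
; = (Default)
; 0 = Off (CIS L1)
; 1 = On
"AllowDigest"=dword:0000000

;;; 18.9.86.2.1 (L1) Ensure 'Allow Basic authentication' is set to 'Disabled'
[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Service]
; = (Default)
; 0 = Off (CIS L1)
; 1 = On
"AllowBasic"=dword:0000000

;;; 18.9.86.2.3 (L1) Ensure 'Allow unencrypted traffic' is set to 'Disabled'
[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Service]
; = (Default)
; 0 = Off (CIS L1)
; 1 = On
"AllowUnencryptedTraffic"=dword:0000000

;;; 18.9.86.2.4 (L1) Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled'
; 'Enabled' = DisableRunAs 1, matching the (CIS L1) row.
[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Service]
; = (Default)
; 0 = Off
; 1 = On (CIS L1)
"DisableRunAs"=dword:0000001

;;; 18.9.90.1.1 (L1) Ensure 'Select when Feature Updates are received' is set to 'Enabled: Current Branch for Business, 180 days'
; Row format: decimal (hex) = meaning.
;[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
; = (Default)
; 2 (2) = Preview Build - Fast
; 4 (4) = Preview Build - Slow
; 8 (8) = Release Preview
; 16 (10) = Semi-Annual Channel (Targeted)
; 32 (20) = Semi-Annual Channel (CIS L1)
; FEATURE DOES NOT EXIST IN NON-CORPORATE ENVIRONMENT
;"BranchReadinessLevel"=dword:0000020
;[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
; = (Default)
; 0 (0) = 0 days (min)
; 180 (b4) = 180 days (CIS L1)
; 365 (16d) = 365 days (max)
; FEATURE DOES NOT EXIST IN NON-CORPORATE ENVIRONMENT
;"DeferFeatureUpdatesPeriodInDays"=dword:0000000
;[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
; = (Default)
; 0 = Off
; 1 = On (CIS L1)
; FEATURE DOES NOT EXIST IN NON-CORPORATE ENVIRONMENT
;"DeferFeatureUpdates"=dword:0000000

;;; 18.9.90.1.2 (L1) Ensure 'Select when Quality Updates are received' is set to 'Enabled: 0 days'
; Quality-update deferral ranges 0-30 days; the CIS value is 0 days with deferral enabled
; (the previous table here was copied from the feature-update item above).
;[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
; = (Default)
; 0 (0) = 0 days (min, CIS L1)
; 30 (1e) = 30 days (max)
; FEATURE DOES NOT EXIST IN NON-CORPORATE ENVIRONMENT
;"DeferQualityUpdatesPeriodInDays"=dword:0000000
;[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
; = (Default)
; 0 = Off
; 1 = On (CIS L1, with a 0-day period)
; FEATURE DOES NOT EXIST IN NON-CORPORATE ENVIRONMENT
;"DeferQualityUpdates"=dword:0000000

;;; 18.9.90.2 (L1) Ensure 'Configure Automatic Updates' is set to 'Enabled'
; Negated name: 'Enabled' means NoAutoUpdate = 0.
;[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU]
; = (Default)
; 0 = Off (CIS L1)
; 1 = On
; FEATURE DOES NOT EXIST IN NON-CORPORATE ENVIRONMENT
;"NoAutoUpdate"=dword:0000000

;;; 18.9.90.3 (L1) Ensure 'Configure Automatic Updates: Scheduled install day' is set to '0 - Every day'
;[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU]
; = (Default)
; 0 = Every day (CIS L1)
; 1 = Every Sunday
; 2 = Every Monday
; 3 = Every Tuesday
; 4 = Every Wednesday
; 5 = Every Thursday
; 6 = Every Friday
; 7 = Every Saturday
; FEATURE DOES NOT EXIST IN NON-CORPORATE ENVIRONMENT
;"ScheduledInstallDay"=dword:0000000

;;; 18.9.90.4 (L1) Ensure 'No auto-restart with logged on users for scheduled automatic updates installations' is set to 'Disabled'
;[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU]
; = (Default)
; 0 = Off (CIS L1)
; 1 = On
; FEATURE DOES NOT EXIST IN NON-CORPORATE ENVIRONMENT
;"NoAutoRebootWithLoggedOnUsers"=dword:0000000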