
Microsoft Windows 10 Security Technical Implementation Guide

Rules, Groups, and Values defined within the XCCDF Benchmark

  • The system must be configured to audit System - Security System Extension successes.

    Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. ...
    Rule Medium Severity
  • Windows 10 permissions for the Application event log must prevent access by non-privileged accounts.

    Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. ...
    Rule Medium Severity
  • Windows 10 permissions for the System event log must prevent access by non-privileged accounts.

    Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. ...
    Rule Medium Severity
  • Windows 10 must be configured to audit other Logon/Logoff Events Failures.

    Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. A...
    Rule Medium Severity
  • Windows 10 must cover or disable the built-in or attached camera when not in use.

    It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooke...
    Rule Medium Severity
  • Local administrator accounts must have their privileged token filtered to prevent elevated privileges from being used over the network on domain systems.

    A compromised local administrator account can provide means for an attacker to move laterally between domain systems. With User Account Control enabled, filtering the privileged token for built-in...
    Rule Medium Severity
  • Simultaneous connections to the internet or a Windows domain must be limited.

    Multiple network connections can provide additional attack vectors to a system and must be limited. The "Minimize the number of simultaneous connections to the Internet or a Windows Domain" setting...
    Rule Medium Severity
  • Connections to non-domain networks when connected to a domain authenticated network must be blocked.

    Multiple network connections can provide additional attack vectors to a system and should be limited. When connected to a domain, communication must go through the domain connection.
    Rule Medium Severity
  • Command line data must be included in process creation events.

    Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. A...
    Rule Medium Severity
  • Early Launch Antimalware, Boot-Start Driver Initialization Policy must prevent boot drivers.

    By being launched first by the kernel, ELAM (Early Launch Antimalware) is ensured to be launched before any third-party software, and is therefore able to detect malware in the boot process and pr...
    Rule Medium Severity
  • The network selection user interface (UI) must not be displayed on the logon screen.

    Enabling interaction with the network selection UI allows users to change connections to available networks without signing into Windows.
    Rule Medium Severity
  • The Application Compatibility Program Inventory must be prevented from collecting data and sending the information to Microsoft.

    Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive informat...
    Rule Low Severity
  • Windows Telemetry must not be configured to Full.

    Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Limiting this capability will prevent potentially sensitive information ...
    Rule Medium Severity
  • Users must not be allowed to ignore Windows Defender SmartScreen filter warnings for malicious websites in Microsoft Edge.

    The Windows Defender SmartScreen filter in Microsoft Edge provides warning messages and blocks potentially malicious websites and file downloads. If users are allowed to ignore warnings from the W...
    Rule Medium Severity
  • Users must not be allowed to ignore Windows Defender SmartScreen filter warnings for unverified files in Microsoft Edge.

    The Windows Defender SmartScreen filter in Microsoft Edge provides warning messages and blocks potentially malicious websites and file downloads. If users are allowed to ignore warnings from the W...
    Rule Medium Severity
  • The Windows Defender SmartScreen filter for Microsoft Edge must be enabled.

    The Windows Defender SmartScreen filter in Microsoft Edge provides warning messages and blocks potentially malicious websites.
    Rule Medium Severity
  • Windows 10 must be configured to disable Windows Game Recording and Broadcasting.

    Windows Game Recording and Broadcasting is intended for use with games; however, it could potentially record screenshots of other applications and expose sensitive data. Disabling the feature will...
    Rule Medium Severity
  • The use of a hardware security device with Windows Hello for Business must be enabled.

    The use of a Trusted Platform Module (TPM) to store keys for Windows Hello for Business provides additional security. Keys stored in the TPM may only be used on that system while keys stored using...
    Rule Medium Severity
  • Windows 10 must be configured to require a minimum PIN length of six characters or greater.

    Windows allows the use of PINs as well as biometrics for authentication without sending a password to a network or website where it could be compromised. Longer minimum PIN lengths increase the av...
    Rule Medium Severity
  • Passwords must not be saved in the Remote Desktop Client.

    Saving passwords in the Remote Desktop Client could allow an unauthorized user to establish a remote desktop session to another system. The system must be configured to prevent users from saving pa...
    Rule Medium Severity
  • Local drives must be prevented from sharing with Remote Desktop Session Hosts.

    Preventing users from sharing the local drives on their client computers to Remote Session Hosts that they access helps reduce possible exposure of sensitive data.
    Rule Medium Severity
  • Remote Desktop Services must always prompt a client for passwords upon connection.

    This setting controls the ability of users to supply passwords automatically as part of their remote desktop connection. Disabling this setting would allow anyone to use the stored credentials in a...
    Rule Medium Severity
  • The Remote Desktop Session Host must require secure RPC communications.

    Allowing unsecure RPC communication exposes the system to man-in-the-middle attacks and data disclosure attacks. A man-in-the-middle attack occurs when an intruder captures packets between a client...
    Rule Medium Severity
  • Remote Desktop Services must be configured with the client connection encryption set to the required level.

    Remote connections must be encrypted to prevent interception of data or sensitive information. Selecting "High Level" will ensure encryption of Remote Desktop Services sessions in both directions.
    Rule Medium Severity
  • Attachments must be prevented from being downloaded from RSS feeds.

    Attachments from RSS feeds may not be secure. This setting will prevent attachments from being downloaded from RSS feeds.
    Rule Medium Severity
  • Basic authentication for RSS feeds over HTTP must not be used.

    Basic authentication uses plain text passwords that could be used to compromise a system.
    Rule Medium Severity
  • Indexing of encrypted files must be turned off.

    Indexing of encrypted files may expose sensitive data. This setting prevents encrypted files from being indexed.
    Rule Medium Severity
  • Users must be prevented from changing installation options.

    Installation options for applications are typically controlled by administrators. This setting prevents users from changing installation options that may bypass security features.
    Rule Medium Severity
  • The Windows Installer Always install with elevated privileges must be disabled.

    Standard user accounts must not be granted elevated privileges. Enabling Windows Installer to elevate privileges when installing applications can allow malicious persons and applications to gain fu...
    Rule High Severity
  • Users must be notified if a web-based program attempts to install software.

    Web-based programs may attempt to install malicious software on a system. Ensuring users are notified if a web-based program attempts to install software allows them to refuse the installation.
    Rule Medium Severity
  • Automatically signing in the last interactive user after a system-initiated restart must be disabled.

    Windows can be configured to automatically sign the user back in after a Windows Update restart. Some protections are in place to help ensure this is done in a secure fashion; however, disabling t...
    Rule Medium Severity
  • PowerShell script block logging must be enabled on Windows 10.

    Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. A...
    Rule Medium Severity
  • The Windows Remote Management (WinRM) client must not use Basic authentication.

    Basic authentication uses plain text passwords that could be used to compromise a system.
    Rule High Severity
  • The Windows Remote Management (WinRM) client must not allow unencrypted traffic.

    Unencrypted remote access to a system can allow sensitive information to be compromised. Windows remote management connections must be encrypted to prevent this.
    Rule Medium Severity
  • The Windows Remote Management (WinRM) service must not use Basic authentication.

    Basic authentication uses plain text passwords that could be used to compromise a system.
    Rule High Severity
  • The Windows Remote Management (WinRM) service must not allow unencrypted traffic.

    Unencrypted remote access to a system can allow sensitive information to be compromised. Windows remote management connections must be encrypted to prevent this.
    Rule Medium Severity
  • The Windows Remote Management (WinRM) service must not store RunAs credentials.

    Storage of administrative credentials could allow unauthorized access. Disallowing the storage of RunAs credentials for Windows Remote Management will prevent them from being used with plug-ins.
    Rule Medium Severity
  • The Windows Remote Management (WinRM) client must not use Digest authentication.

    Digest authentication is not as strong as other options and may be subject to man-in-the-middle attacks.
    Rule Medium Severity
  • Windows 10 must be configured to prevent Windows apps from being activated by voice while the system is locked.

    Allowing Windows apps to be activated by voice from the lock screen could allow for unauthorized use. Requiring logon will ensure the apps are only used by authorized personnel.
    Rule Medium Severity
  • The convenience PIN for Windows 10 must be disabled.

    This policy controls whether a domain user can sign in using a convenience PIN to prevent enabling (Password Stuffer).
    Rule Medium Severity
  • Windows Ink Workspace must be configured to disallow access above the lock.

    This action secures Windows Ink, which contains applications and features oriented toward pen computing.
    Rule Medium Severity
  • Windows 10 should be configured to prevent users from receiving suggestions for third-party or additional applications.

    Windows spotlight features may suggest apps and content from third-party software publishers in addition to Microsoft apps and content.
    Rule Low Severity
  • Windows 10 Kernel (Direct Memory Access) DMA Protection must be enabled.

    Kernel DMA Protection protects PCs against drive-by Direct Memory Access (DMA) attacks using PCI hot plug devices connected to Thunderbolt™ 3 ports. Drive-by DMA attacks can lead to disclosure of...
    Rule Medium Severity
  • The DoD Root CA certificates must be installed in the Trusted Root Store.

    To ensure secure DoD websites and DoD-signed code are properly validated, the system must trust the DoD Root Certificate Authorities (CAs). The DoD root certificates will ensure the trust chain is ...
    Rule Medium Severity
  • The External Root CA certificates must be installed in the Trusted Root Store on unclassified systems.

    To ensure secure websites protected with External Certificate Authority (ECA) server certificates are properly validated, the system must trust the ECA Root CAs. The ECA root certificates will ensu...
    Rule Medium Severity
  • The DoD Interoperability Root CA cross-certificates must be installed in the Untrusted Certificates Store on unclassified systems.

    To ensure users do not experience denial of service when performing certificate-based authentication to DoD websites due to the system chaining to a root other than DoD Root CAs, the DoD Interopera...
    Rule Medium Severity
  • Default permissions for the HKEY_LOCAL_MACHINE registry hive must be maintained.

    The registry is integral to the function, security, and stability of the Windows system. Changing the system's registry permissions allows the possibility of unauthorized and anonymous modificatio...
    Rule Medium Severity
  • Local accounts with blank passwords must be restricted to prevent access from the network.

    An account without a password can allow unauthorized access to a system as only the username would be required. Password policies should prevent accounts with blank passwords from existing on a sy...
    Rule Medium Severity
  • The built-in administrator account must be renamed.

    The built-in administrator account is a well-known account subject to attack. Renaming this account to an unidentified name improves the protection of this account and the system.
    Rule Medium Severity
  • Audit policy using subcategories must be enabled.

    Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. ...
    Rule Medium Severity
