Microsoft Windows 10 Security Technical Implementation Guide

Rules, Groups, and Values defined within the XCCDF Benchmark

  • SRG-OS-000095-GPOS-00049

    Group
  • The Server Message Block (SMB) v1 protocol must be disabled on the SMB server.

    SMBv1 is a legacy protocol that uses the MD5 algorithm as part of SMB. MD5 is known to be vulnerable to a number of attacks such as collision and preimage attacks as well as not being FIPS complian...
    Rule Medium Severity
  • SRG-OS-000095-GPOS-00049

    Group
  • SRG-OS-000095-GPOS-00049

    Group
  • The Secondary Logon service must be disabled on Windows 10.

    The Secondary Logon service provides a means for entering alternate credentials, typically used to run commands with elevated privileges. Using privileged credentials in a standard user session ca...
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00227

    Group
  • Orphaned security identifiers (SIDs) must be removed from user rights on Windows 10.

    Accounts or groups given rights on a system may show up as unresolved SIDs for various reasons including deletion of the accounts or groups. If the account or group objects are reanimated, there i...
    Rule Medium Severity
  • SRG-OS-000095-GPOS-00049

    Group
  • SRG-OS-000095-GPOS-00049

    Group
  • Bluetooth must be turned off when not in use.

    If not configured properly, Bluetooth may allow rogue devices to communicate with a system. If a rogue device is paired with a system, there is potential for sensitive information to be compromised.
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00227

    Group
  • SRG-OS-000480-GPOS-00227

    Group
  • SRG-OS-000185-GPOS-00079

    Group
  • Windows 10 nonpersistent VM sessions must not exceed 24 hours.

    For virtual desktop implementations (VDIs) where the virtual desktop instance is deleted or refreshed upon logoff, the organization should enforce that sessions be terminated within 24 hours. This ...
    Rule Medium Severity
  • SRG-OS-000329-GPOS-00128

    Group
  • SRG-OS-000021-GPOS-00005

    Group
  • The number of allowed bad logon attempts must be configured to 3 or less.

    The account lockout feature, when enabled, prevents brute-force password attacks on the system. The higher this value is, the less effective the account lockout feature will be in protecting the l...
    Rule Medium Severity
  • SRG-OS-000021-GPOS-00005

    Group
  • The period of time before the bad logon counter is reset must be configured to 15 minutes.

    The account lockout feature, when enabled, prevents brute-force password attacks on the system. This parameter specifies the period of time that must pass after failed logon attempts before the co...
    Rule Medium Severity
  • SRG-OS-000077-GPOS-00045

    Group
  • The password history must be configured to 24 passwords remembered.

    A system is more vulnerable to unauthorized access when system users recycle the same password several times without being required to change a password to a unique password on a regularly schedule...
    Rule Medium Severity
  • SRG-OS-000076-GPOS-00044

    Group
  • SRG-OS-000075-GPOS-00043

    Group
  • SRG-OS-000078-GPOS-00046

    Group
  • SRG-OS-000069-GPOS-00037

    Group
  • The built-in Microsoft password complexity filter must be enabled.

    The use of complex passwords increases their strength against guessing and brute-force attacks. This setting configures the system to verify that newly created passwords conform to the Windows pas...
    Rule Medium Severity
  • SRG-OS-000073-GPOS-00041

    Group
  • Reversible password encryption must be disabled.

    Storing passwords using reversible encryption is essentially the same as storing clear-text versions of the passwords. For this reason, this policy must never be enabled.
    Rule High Severity
  • SRG-OS-000470-GPOS-00214

    Group
  • The system must be configured to audit Account Logon - Credential Validation failures.

    Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. ...
    Rule Medium Severity
  • SRG-OS-000470-GPOS-00214

    Group
  • The system must be configured to audit Account Logon - Credential Validation successes.

    Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. ...
    Rule Medium Severity
  • SRG-OS-000004-GPOS-00004

    Group
  • SRG-OS-000004-GPOS-00004

    Group
  • SRG-OS-000004-GPOS-00004

    Group
  • The system must be configured to audit Account Management - User Account Management successes.

    Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. ...
    Rule Medium Severity
  • SRG-OS-000365-GPOS-00152

    Group
  • The system must be configured to audit Detailed Tracking - PNP Activity successes.

    Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. A...
    Rule Medium Severity
  • SRG-OS-000365-GPOS-00152

    Group
  • SRG-OS-000470-GPOS-00214

    Group
  • The system must be configured to audit Logon/Logoff - Account Lockout failures.

    Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. A...
    Rule Medium Severity
  • SRG-OS-000470-GPOS-00214

    Group
  • SRG-OS-000032-GPOS-00013

    Group
  • The system must be configured to audit Logon/Logoff - Logoff successes.

    Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. ...
    Rule Medium Severity
  • SRG-OS-000032-GPOS-00013

    Group
  • The system must be configured to audit Logon/Logoff - Logon failures.

    Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. ...
    Rule Medium Severity
  • SRG-OS-000032-GPOS-00013

    Group
  • The system must be configured to audit Logon/Logoff - Logon successes.

    Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. ...
    Rule Medium Severity
  • SRG-OS-000470-GPOS-00214

    Group
  • The system must be configured to audit Logon/Logoff - Special Logon successes.

    Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. ...
    Rule Medium Severity
