Microsoft Windows 11 Security Technical Implementation Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
-
SRG-OS-000073-GPOS-00041
Group -
SRG-OS-000125-GPOS-00065
Group -
The Windows Remote Management (WinRM) client must not use Digest authentication.
Digest authentication is not as strong as other options and may be subject to man-in-the-middle attacks. Rule Medium Severity -
SRG-OS-000028-GPOS-00009
Group -
Windows 11 systems must have Unified Extensible Firmware Interface (UEFI) firmware and be configured to run in UEFI mode, not Legacy BIOS.
UEFI provides additional security features in comparison to legacy BIOS firmware, including Secure Boot. UEFI is required to support additional security features in Windows 11, including virtualiza...Rule Medium Severity -
Windows 11 must employ automated mechanisms to determine the state of system components with regard to flaw remediation using the following frequency: Continuously, where ESS is used; 30 days, for any additional internal network scans not covered by ESS; and annually, for external scans by Computer Network Defense Service Provider (CNDSP).
An approved tool for continuous network scanning must be installed and configured to run. Without the use of automated mechanisms to scan for security flaws on a continuous and/or periodic basis, ...Rule Medium Severity -
Windows 11 systems must be maintained at a supported servicing level.
Windows 11 is maintained by Microsoft at servicing levels for specific periods of time to support Windows as a Service. Systems at unsupported servicing levels or releases will not receive security...Rule High Severity -
Only accounts responsible for the administration of a system must have Administrator rights on the system.
An account that does not have Administrator duties must not have Administrator rights. Such rights would allow the account to bypass or modify required security restrictions on that machine and mak...Rule High Severity -
Inbound exceptions to the firewall on Windows 11 domain workstations must only allow authorized remote management hosts.
Allowing inbound access to domain workstations from other systems may allow lateral movement across systems if credentials are compromised. Limiting inbound connections only from authorized remote ...Rule Medium Severity -
Data Execution Prevention (DEP) must be configured to at least OptOut.
Attackers are constantly looking for vulnerabilities in systems and applications. Data Execution Prevention (DEP) prevents harmful code from running in protected memory locations reserved for Windo...Rule High Severity
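The entries above list the rule titles and truncated vulnerability discussions but not the check or fix text. The script below is an added example, not part of the STIG or DISA's own check content: it audits six of the listed rules (WinRM client Digest authentication, UEFI firmware mode, supported servicing level, Administrators group membership, Domain-profile inbound firewall exceptions, and DEP policy) on the local machine and prints a Pass/FAIL line per rule together with a remediation command. The registry path for AllowDigest, the `$env:firmware_type` variable, and the Win32_OperatingSystem DEP policy values are the documented ones; the `$AllowedAdmins` and `$SupportedReleases` lists are placeholders (assumptions) that must be replaced with the values that apply to your environment. Run it from an elevated PowerShell session on Windows 11.

```powershell
#Requires -RunAsAdministrator
# Added example audit script for several Windows 11 STIG rules listed above.
# Not DISA's check text; $AllowedAdmins and $SupportedReleases are ASSUMPTIONS.

$Findings = [System.Collections.Generic.List[object]]::new()

function Add-Finding {
    param([string]$Rule, [bool]$Pass, [string]$Observed, [string]$Fix)
    $Findings.Add([pscustomobject]@{
        Rule     = $Rule
        Status   = if ($Pass) { 'Pass' } else { 'FAIL' }
        Observed = $Observed
        Fix      = if ($Pass) { '' } else { $Fix }
    })
}

# 1. WinRM client must not use Digest authentication.
#    Policy value HKLM\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client\AllowDigest (REG_DWORD) = 0.
$winrmKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client'
$allowDigest = (Get-ItemProperty -Path $winrmKey -Name AllowDigest -ErrorAction SilentlyContinue).AllowDigest
Add-Finding -Rule 'WinRM client Digest authentication' `
    -Pass ($allowDigest -eq 0) `
    -Observed "AllowDigest=$(if ($null -eq $allowDigest) { '<not set>' } else { $allowDigest })" `
    -Fix "New-Item -Path '$winrmKey' -Force | Out-Null; New-ItemProperty -Path '$winrmKey' -Name AllowDigest -PropertyType DWord -Value 0 -Force"

# 2. Firmware must be UEFI, not Legacy BIOS.
#    The boot loader sets firmware_type to 'UEFI' or 'Legacy'.
$fw = $env:firmware_type
Add-Finding -Rule 'UEFI firmware mode' -Pass ($fw -eq 'UEFI') -Observed "firmware_type=$fw" `
    -Fix 'Convert the disk and loader to UEFI (mbr2gpt.exe /convert) and select UEFI boot mode in firmware setup'

# 3. Supported servicing level. The release list is an ASSUMPTION; keep it in step with Microsoft's lifecycle page.
$cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$SupportedReleases = @('23H2', '24H2')
Add-Finding -Rule 'Supported servicing level' -Pass ($cv.DisplayVersion -in $SupportedReleases) `
    -Observed "DisplayVersion=$($cv.DisplayVersion) Build=$($cv.CurrentBuild).$($cv.UBR)" `
    -Fix 'Upgrade to a supported Windows 11 feature release'

# 4. Only administration accounts may hold local Administrators membership.
#    $AllowedAdmins is an ASSUMPTION; CONTOSO is a placeholder domain name.
$AllowedAdmins = @("$env:COMPUTERNAME\Administrator", 'CONTOSO\Domain Admins', 'CONTOSO\Workstation Admins')
$members = @(Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name)
$unexpected = @($members | Where-Object { $_ -notin $AllowedAdmins })
Add-Finding -Rule 'Administrators group membership' -Pass ($unexpected.Count -eq 0) `
    -Observed ('Members: ' + ($members -join ', ')) `
    -Fix ('Remove-LocalGroupMember -Group Administrators -Member ' + (($unexpected | ForEach-Object { "'$_'" }) -join ','))

# 5. Inbound firewall exceptions on the Domain profile must be scoped to authorised remote management hosts.
#    Flag enabled inbound Allow rules that apply to the Domain (or Any) profile with RemoteAddress = Any.
$openRules = @(Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    Where-Object { $_.Profile -match 'Domain|Any' } |
    Where-Object { ($_ | Get-NetFirewallAddressFilter).RemoteAddress -contains 'Any' } |
    Select-Object -ExpandProperty DisplayName)
Add-Finding -Rule 'Inbound firewall exceptions scoped' -Pass ($openRules.Count -eq 0) `
    -Observed ('Domain-profile inbound allow rules open to any remote address: ' + ($openRules -join '; ')) `
    -Fix "Set-NetFirewallRule -DisplayName '<rule>' -RemoteAddress <authorised management host IPs>"

# 6. DEP must be at least OptOut.
#    Win32_OperatingSystem.DataExecutionPrevention_SupportPolicy: 0 AlwaysOff, 1 AlwaysOn, 2 OptIn, 3 OptOut.
$dep = (Get-CimInstance -ClassName Win32_OperatingSystem).DataExecutionPrevention_SupportPolicy
Add-Finding -Rule 'DEP policy' -Pass ($dep -in 1, 3) -Observed "DataExecutionPrevention_SupportPolicy=$dep" `
    -Fix 'bcdedit /set {current} nx OptOut   (reboot afterwards)'

$Findings | Format-Table -AutoSize -Wrap
```

The Fix column is printed, not executed, so the script is safe to run as a read-only audit; apply a fix only after confirming the finding. The firewall check is deliberately conservative: a rule whose remote address is `Any` is reported even when its local port is narrow, because the STIG's concern is which hosts may initiate connections, not which ports they reach.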