Microsoft Windows 11 Security Technical Implementation Guide

Rules, Groups, and Values defined within the XCCDF Benchmark

  • The Remote Desktop Session Host must require secure RPC communications.

    Allowing unsecure RPC communication exposes the system to man in the middle attacks and data disclosure attacks. A man in the middle attack occurs when an intruder captures packets between a client...
    Rule Medium Severity
  • Remote Desktop Services must be configured with the client connection encryption set to the required level.

    Remote connections must be encrypted to prevent interception of data or sensitive information. Selecting "High Level" will ensure encryption of Remote Desktop Services sessions in both directions.
    Rule Medium Severity
  • The Windows Installer feature "Always install with elevated privileges" must be disabled.

    Standard user accounts must not be granted elevated privileges. Enabling Windows Installer to elevate privileges when installing applications can allow malicious persons and applications to gain fu...
    Rule High Severity
  • Automatically signing in the last interactive user after a system-initiated restart must be disabled.

    Windows can be configured to automatically sign the user back in after a Windows Update restart. Some protections are in place to help ensure this is done in a secure fashion; however, disabling th...
    Rule Medium Severity
  • The Windows Remote Management (WinRM) service must not store RunAs credentials.

    Storage of administrative credentials could allow unauthorized access. Disallowing the storage of RunAs credentials for Windows Remote Management will prevent them from being used with plug-ins.
    Rule Medium Severity
  • Windows 11 must be configured to prevent Windows apps from being activated by voice while the system is locked.

    Allowing Windows apps to be activated by voice from the lock screen could allow for unauthorized use. Requiring logon will ensure the apps are only used by authorized personnel.
    Rule Medium Severity
  • The DoD Interoperability Root CA cross-certificates must be installed in the Untrusted Certificates Store on unclassified systems.

    To ensure users do not experience denial of service when performing certificate-based authentication to DoD websites due to the system chaining to a root other than DoD Root CAs, the DoD Interopera...
    Rule Medium Severity
  • Default permissions for the HKEY_LOCAL_MACHINE registry hive must be maintained.

    The registry is integral to the function, security, and stability of the Windows system. Changing the system's registry permissions allows the possibility of unauthorized and anonymous modification...
    Rule Medium Severity
  • Local accounts with blank passwords must be restricted to prevent access from the network.

    An account without a password can allow unauthorized access to a system as only the username would be required. Password policies must prevent accounts with blank passwords from existing on a syste...
    Rule Medium Severity
  • The built-in guest account must be renamed.

    The built-in guest account is a well-known user account on all Windows systems and, as initially installed, does not require a password. This can allow access to system resources by unauthorized us...
    Rule Medium Severity
  • Audit policy using subcategories must be enabled.

    Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. A...
    Rule Medium Severity
  • The machine inactivity limit must be set to 15 minutes, locking the system with the screensaver.

    Unattended systems are susceptible to unauthorized use and must be locked when unattended. The screen saver must be set at a maximum of 15 minutes and be password protected. This protects critical ...
    Rule Medium Severity
  • The Smart Card removal option must be configured to Force Logoff or Lock Workstation.

    Unattended systems are susceptible to unauthorized use and must be locked. Configuring a system to lock when a smart card is removed will ensure the system is inaccessible when unattended.
    Rule Medium Severity
  • Unencrypted passwords must not be sent to third-party SMB Servers.

    Some non-Microsoft SMB servers only support unencrypted (plain text) password authentication. Sending plain text passwords across the network, when authenticating to an SMB server, reduces the over...
    Rule Medium Severity
  • Kerberos encryption types must be configured to prevent the use of DES and RC4 encryption suites.

    Certain encryption types are no longer considered secure. This setting configures a minimum encryption type for Kerberos, preventing the use of the DES and RC4 encryption suites.
    Rule Medium Severity
  • The system must be configured to prevent the storage of the LAN Manager hash of passwords.

    The LAN Manager hash uses a weak encryption algorithm and there are several tools available that use this hash to retrieve account passwords. This setting controls whether or not a LAN Manager hash...
    Rule High Severity
  • The LanMan authentication level must be set to send NTLMv2 response only, and to refuse LM and NTLM.

    The Kerberos v5 authentication protocol is the default for authentication of users who are logging on to domain accounts. NTLM, which is less secure, is retained in later Windows versions for compa...
    Rule High Severity
  • User Account Control approval mode for the built-in Administrator must be enabled.

    User Account Control (UAC) is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. This setting configures the built-in Administrator...
    Rule Medium Severity
  • Windows 11 must use multifactor authentication for local and network access to privileged and nonprivileged accounts.

    Without the use of multifactor authentication, the ease of access to privileged and nonprivileged functions is greatly increased. All domain accounts must be enabled for multifactor authenticatio...
    Rule Medium Severity
  • User Account Control must only elevate UIAccess applications that are installed in secure locations.

    User Account Control (UAC) is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. This setting configures Windows to only allow appl...
    Rule Medium Severity
  • User Account Control must run all administrators in Admin Approval Mode, enabling UAC.

    User Account Control (UAC) is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. This setting enables UAC.
    Rule Medium Severity
  • User Account Control must virtualize file and registry write failures to per-user locations.

    User Account Control (UAC) is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. This setting configures non-UAC compliant applicat...
    Rule Medium Severity
  • Passwords for enabled local Administrator accounts must be changed at least every 60 days.

    The longer a password is in use, the greater the opportunity for someone to gain unauthorized knowledge of the password. A local Administrator account is not generally used and its password may not...
    Rule Medium Severity
  • The "Act as part of the operating system" user right must not be assigned to any groups or accounts.

    Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. Accounts with the "Act as part of the operating system" user right can assume the ident...
    Rule High Severity
  • The "Create global objects" user right must only be assigned to Administrators, Service, Local Service, and Network Service.

    Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. Accounts with the "Create global objects" user right can create objects that are availa...
    Rule Medium Severity
  • The "Debug programs" user right must only be assigned to the Administrators group.

    Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. Accounts with the "Debug Programs" user right can attach a debugger to any process or t...
    Rule High Severity
  • The "Deny log on as a service" user right on Windows 11 domain-joined workstations must be configured to prevent access from highly privileged domain accounts.

    Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. The "Deny log on as a service" right defines accounts that are denied log on as a servi...
    Rule Medium Severity
  • The "Deny log on locally" user right on workstations must be configured to prevent access from highly privileged domain accounts on domain systems and unauthenticated access on all systems.

    Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. The "Deny log on locally" right defines accounts that are prevented from logging on int...
    Rule Medium Severity
  • The "Enable computer and user accounts to be trusted for delegation" user right must not be assigned to any groups or accounts.

    Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. The "Enable computer and user accounts to be trusted for delegation" user right allows ...
    Rule Medium Severity
  • The "Impersonate a client after authentication" user right must only be assigned to Administrators, Service, Local Service, and Network Service.

    Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. The "Impersonate a client after authentication" user right allows a program to imperson...
    Rule Medium Severity
  • The "Restore files and directories" user right must only be assigned to the Administrators group.

    Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. Accounts with the "Restore files and directories" user right can circumvent file and di...
    Rule Medium Severity
  • The setting to allow Microsoft accounts to be optional for modern style apps must be enabled.

    Control of credentials and the system must be maintained within the enterprise. Enabling this setting allows enterprise credentials to be used with modern style apps that support this, instead of M...
    Rule Low Severity
  • SRG-OS-000095-GPOS-00049

    Group
  • SRG-OS-000480-GPOS-00227

    Group
  • NTLM must be prevented from falling back to a Null session.

    NTLM sessions that are allowed to fall back to Null (unauthenticated) sessions may gain unauthorized access.
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00227

    Group
  • SRG-OS-000373-GPOS-00157

    Group
  • SRG-OS-000373-GPOS-00157

    Group
  • A host-based firewall must be installed and enabled on the system.

    A firewall provides a line of defense against attack, allowing or blocking inbound and outbound connections based on a set of rules.
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00232

    Group
  • Bluetooth must be turned off when not in use.

    If not configured properly, Bluetooth may allow rogue devices to communicate with a system. If a rogue device is paired with a system, there is potential for sensitive information to be compromised.
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00227

    Group
  • The system must notify the user when a Bluetooth device attempts to connect.

    If not configured properly, Bluetooth may allow rogue devices to communicate with a system. If a rogue device is paired with a system, there is potential for sensitive information to be compromised.
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00227

    Group
  • SRG-OS-000077-GPOS-00045

    Group
  • The display of slide shows on the lock screen must be disabled.

    Slide shows that are displayed on the lock screen could display sensitive information to unauthorized personnel. Turning off this feature will limit access to the information to a logged on user.
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00227

    Group
  • IPv6 source routing must be configured to highest protection.

    Configuring the system to disable IPv6 source routing protects against spoofing.
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00227

    Group
  • The system must be configured to prevent IP source routing.

    Configuring the system to disable IP source routing protects against spoofing.
    Rule Medium Severity