Skip to content

Microsoft Windows 11 Security Technical Implementation Guide

Rules, Groups, and Values defined within the XCCDF Benchmark

  • IPv6 source routing must be configured to highest protection.

    <VulnDiscussion>Configuring the system to disable IPv6 source routing protects against spoofing.</VulnDiscussion><FalsePositives>...
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00227

    <GroupDescription></GroupDescription>
    Group
  • The system must be configured to prevent IP source routing.

    &lt;VulnDiscussion&gt;Configuring the system to disable IP source routing protects against spoofing.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&l...
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00227

    <GroupDescription></GroupDescription>
    Group
  • SRG-OS-000120-GPOS-00061

    <GroupDescription></GroupDescription>
    Group
  • SRG-OS-000480-GPOS-00227

    <GroupDescription></GroupDescription>
    Group
  • The built-in administrator account must be renamed.

    &lt;VulnDiscussion&gt;The built-in administrator account is a well-known account subject to attack. Renaming this account to an unidentified name i...
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00227

    <GroupDescription></GroupDescription>
    Group
  • SRG-OS-000423-GPOS-00187

    <GroupDescription></GroupDescription>
    Group
  • The system must be configured to require a strong session key.

    &lt;VulnDiscussion&gt;A computer connecting to a domain controller will establish a secure channel. Requiring strong session keys enforces 128-bit ...
    Rule Medium Severity
  • SRG-OS-000279-GPOS-00109

    <GroupDescription></GroupDescription>
    Group
  • File Explorer shell protocol must run in protected mode.

    &lt;VulnDiscussion&gt;The shell protocol will limit the set of folders applications can open when run in protected mode. Restricting files an appli...
    Rule Medium Severity
  • SRG-OS-000095-GPOS-00049

    <GroupDescription></GroupDescription>
    Group
  • SRG-OS-000033-GPOS-00014

    <GroupDescription></GroupDescription>
    Group
  • The Windows Remote Management (WinRM) service must not allow unencrypted traffic.

    &lt;VulnDiscussion&gt;Unencrypted remote access to a system can allow sensitive information to be compromised. Windows remote management connection...
    Rule Medium Severity
  • SRG-OS-000373-GPOS-00156

    <GroupDescription></GroupDescription>
    Group
  • Internet Information System (IIS) or its subcomponents must not be installed on a workstation.

    &lt;VulnDiscussion&gt;IIS is not installed by default. Installation of Internet Information System (IIS) may allow unauthorized internet services t...
    Rule High Severity
  • SRG-OS-000096-GPOS-00050

    <GroupDescription></GroupDescription>
    Group
  • Simple Network Management Protocol (SNMP) must not be installed on the system.

    &lt;VulnDiscussion&gt;"SNMP" is not installed by default. Some protocols and services do not support required security features, such as encrypting...
    Rule Medium Severity
  • SRG-OS-000095-GPOS-00049

    <GroupDescription></GroupDescription>
    Group

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules