Skip to content
Log In

II - Mission Support Public

Rules and Groups employed by this XCCDF Profile

  • SRG-OS-000480-GPOS-00227

    Group
    Show

  • Insecure logons to an SMB server must be disabled.

    Insecure guest logons allow unauthenticated access to shared folders. Shared resources on a system must require authentication to establish proper access.
    Rule Medium Severity
    Show

  • SRG-OS-000480-GPOS-00227

    Group
    Show

  • Hardened UNC paths must be defined to require mutual authentication and integrity for at least the \\*\SYSVOL and \\*\NETLOGON shares.

    Additional security requirements are applied to Universal Naming Convention (UNC) paths specified in hardened UNC paths before allowing access to them. This aids in preventing tampering with or spo...
    Rule Medium Severity
    Show

  • SRG-OS-000042-GPOS-00020

    Group
    Show

  • Command line data must be included in process creation events.

    Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. A...
    Rule Medium Severity
    Show

  • SRG-OS-000480-GPOS-00227

    Group
    Show

  • Windows Server 2016 virtualization-based security must be enabled with the platform security level configured to Secure Boot or Secure Boot with DMA Protection.

    Virtualization-based security (VBS) provides the platform for the additional security features Credential Guard and virtualization-based protection of code integrity. Secure Boot is the minimum sec...
    Rule Medium Severity
    Show

  • SRG-OS-000480-GPOS-00227

    Group
    Show

  • Early Launch Antimalware, Boot-Start Driver Initialization Policy must prevent boot drivers identified as bad.

    Compromised boot drivers can introduce malware prior to protection mechanisms that load after initialization. The Early Launch Antimalware driver can limit allowed drivers based on classifications ...
    Rule Medium Severity
    Show

  • SRG-OS-000480-GPOS-00227

    Group
    Show

  • Group Policy objects must be reprocessed even if they have not changed.

    Registry entries for group policy settings can potentially be changed from the required configuration. This could occur as part of troubleshooting or by a malicious process on a compromised system....
    Rule Medium Severity
    Show

  • SRG-OS-000095-GPOS-00049

    Group
    Show

  • Downloading print driver packages over HTTP must be prevented.

    Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive informati...
    Rule Medium Severity
    Show

  • SRG-OS-000095-GPOS-00049

    Group
    Show

  • Printing over HTTP must be prevented.

    Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive informati...
    Rule Medium Severity
    Show

  • SRG-OS-000095-GPOS-00049

    Group
    Show

  • The network selection user interface (UI) must not be displayed on the logon screen.

    Enabling interaction with the network selection UI allows users to change connections to available networks without signing in to Windows.
    Rule Medium Severity
    Show

  • SRG-OS-000480-GPOS-00227

    Group
    Show

  • Users must be prompted to authenticate when the system wakes from sleep (on battery).

    A system that does not require authentication when resuming from sleep may provide access to unauthorized users. Authentication must always be required when accessing a system. This setting ensures...
    Rule Medium Severity
    Show

  • SRG-OS-000480-GPOS-00227

    Group
    Show

  • Users must be prompted to authenticate when the system wakes from sleep (plugged in).

    A system that does not require authentication when resuming from sleep may provide access to unauthorized users. Authentication must always be required when accessing a system. This setting ensures...
    Rule Medium Severity
    Show

  • SRG-OS-000095-GPOS-00049

    Group
    Show

  • The Application Compatibility Program Inventory must be prevented from collecting data and sending the information to Microsoft.

    Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive informati...
    Rule Low Severity
    Show

  • SRG-OS-000368-GPOS-00154

    Group
    Show

  • AutoPlay must be turned off for non-volume devices.

    Allowing AutoPlay to execute may introduce malicious code to a system. AutoPlay begins reading from a drive as soon as media is inserted into the drive. As a result, the setup file of programs or m...
    Rule High Severity
    Show

  • SRG-OS-000368-GPOS-00154

    Group
    Show

  • The default AutoRun behavior must be configured to prevent AutoRun commands.

    Allowing AutoRun commands to execute may introduce malicious code to a system. Configuring this setting prevents AutoRun commands from executing.
    Rule High Severity
    Show

  • SRG-OS-000368-GPOS-00154

    Group
    Show

  • AutoPlay must be disabled for all drives.

    Allowing AutoPlay to execute may introduce malicious code to a system. AutoPlay begins reading from a drive as soon media is inserted into the drive. As a result, the setup file of programs or musi...
    Rule High Severity
    Show

  • SRG-OS-000134-GPOS-00068

    Group
    Show

  • Administrator accounts must not be enumerated during elevation.

    Enumeration of administrator accounts when elevating can provide part of the logon information to an unauthorized user. This setting configures the system to always require users to type in a usern...
    Rule Medium Severity
    Show

  • SRG-OS-000480-GPOS-00227

    Group
    Show

  • Windows Telemetry must be configured to Security or Basic.

    Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Limiting this capability will prevent potentially sensitive information ...
    Rule Medium Severity
    Show

  • SRG-OS-000341-GPOS-00132

    Group
    Show

  • The Application event log size must be configured to 32768 KB or greater.

    Inadequate log size will cause the log to fill up quickly. This may prevent audit events from being recorded properly and require frequent attention by administrative personnel.
    Rule Medium Severity
    Show

  • SRG-OS-000341-GPOS-00132

    Group
    Show

  • The Security event log size must be configured to 196608 KB or greater.

    Inadequate log size will cause the log to fill up quickly. This may prevent audit events from being recorded properly and require frequent attention by administrative personnel.
    Rule Medium Severity
    Show

  • SRG-OS-000341-GPOS-00132

    Group
    Show

  • The System event log size must be configured to 32768 KB or greater.

    Inadequate log size will cause the log to fill up quickly. This may prevent audit events from being recorded properly and require frequent attention by administrative personnel.
    Rule Medium Severity
    Show

  • SRG-OS-000095-GPOS-00049

    Group
    Show

  • Windows Server 2016 Windows SmartScreen must be enabled.

    Windows SmartScreen helps protect systems from programs downloaded from the internet that may be malicious. Enabling SmartScreen will warn users of potentially malicious programs.
    Rule Medium Severity
    Show

  • SRG-OS-000433-GPOS-00192

    Group
    Show

  • Explorer Data Execution Prevention must be enabled.

    Data Execution Prevention provides additional protection by performing checks on memory to help prevent malicious code from running. This setting will prevent Data Execution Prevention from being t...
    Rule Medium Severity
    Show

  • SRG-OS-000480-GPOS-00227

    Group
    Show

  • Turning off File Explorer heap termination on corruption must be disabled.

    Legacy plug-in applications may continue to function when a File Explorer session has become corrupt. Disabling this feature will prevent this.
    Rule Low Severity
    Show

  • SRG-OS-000480-GPOS-00227

    Group
    Show

  • File Explorer shell protocol must run in protected mode.

    The shell protocol will limit the set of folders that applications can open when run in protected mode. Restricting files an application can open to a limited set of folders increases the security ...
    Rule Medium Severity
    Show

  • SRG-OS-000373-GPOS-00157

    Group
    Show

  • Passwords must not be saved in the Remote Desktop Client.

    Saving passwords in the Remote Desktop Client could allow an unauthorized user to establish a remote desktop session to another system. The system must be configured to prevent users from saving pa...
    Rule Medium Severity
    Show

Node 2

siemur/test-space

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules