Skip to content

STEP 7: Configure OS baseline and vulnerability scanning

This step is optional.

Enabling Auto Provisioning of Azure Security Center monitoring agent and connect VMs to OMS workspace allows Cloudneeti application to collect data of OS baselines security policies as available in CIS listed here.

Deploy partner vulnerability scanning in Azure Security Center and installing the solution on multiple VMs allows to provide visibility into threat protection.

Steps Prerequisite for VM Baseline Policies Prerequisite for vulnerability assessment
7.1 Connect VMs to OMS workspace Yes Yes
7.2 Install vulnerability solution on VMs NA Yes
7.3 Verify instance status NA Yes
7.4 Verify data on Cloudneeti Yes Yes

7.1 Connect VMs to OMS workspace

Installing the Log Analytics VM extension for Windows and Linux allows Azure Monitor to collect data from your Azure VMs.

  1. Navigate to Log Analytics Workspaces

  2. Create or use existing log analytics workspace

    Azure vulnerability

  3. Select Windows VMs for connecting the Log Analytics workspace

    Azure vulnerability

  4. Click Connect to add log analytics workspace

    Azure vulnerability

  5. Enable Auto Provisioning of Azure Security Center monitoring agent.

    Azure vulnerability

    Azure vulnerability

  6. Verify extension is added

    Azure vulnerability

  7. Check Recommendation, it may take some time.

    Azure vulnerability

7.2 Install vulnerability solution on VMs

Deploy a partner vulnerability scanning solution on VMs

  1. Navigate to Compute & apps in Security Center

  2. Choose recommendation

    Azure vulnerability

  3. Install solution on selected VMs

    Azure vulnerability

  4. Add details for installing Qualys agent

    Azure vulnerability

  5. Verify the extension status Qualys agent should be Provisioning succeeded

    Azure vulnerability

7.3 Verify instance status is healthy

  1. Navigate to Compute & apps(2) in Security Center(1)

  2. Select VMs and Servers (3)

  3. Select VM to be verified (4)

    Azure vulnerability

  4. Select recommendation Vulnerability assessment solution should be installed on your virtual machines

    Azure vulnerability

7.4 Verify data on Cloudneeti (to be done post step 8)

After successful scan, Azure Windows VM vulnerability assessment will appear on Vulnerability tab on Asset Security dashboard

Azure vulnerability

Azure OS baseline policies

Windows 12 R2

Category Policy Title
Win OS-12R2 - Audit Policy Windows 2012R2 - Audit Policy: Account Logon: Credential Validation
Win OS-12R2 - Audit Policy Windows 2012R2 - Ensure 'Audit Application Group Management' is set
Win OS-12R2 - Audit Policy Windows 2012R2 - Audit Policy: Account Management: Other Account Management Events
Win OS-12R2 - Audit Policy Windows 2012R2 - Audit Policy: Account Management: Security Group Management
Win OS-12R2 - Audit Policy Windows 2012R2 - Audit Policy: Account Management: User Account Management
Win OS-12R2 - Audit Policy Windows 2012R2 - Audit Policy: Detailed Tracking: Process Creation
Win OS-12R2 - Audit Policy Windows 2012R2 - Audit Policy: Logon-Logoff: Account Lockout
Win OS-12R2 - Audit Policy Windows 2012R2 - Audit Policy: Logon-Logoff: Logoff
Win OS-12R2 - Audit Policy Windows 2012R2 - Audit Policy: Logon-Logoff: Logon
Win OS-12R2 - Audit Policy Windows 2012R2 - Ensure 'Audit Other Logon/Logoff Events' is set to 'Success and Failure'
Win OS-12R2 - Audit Policy Windows 2012R2 - Audit Policy: Logon-Logoff: Special Logon
Win OS-12R2 - Audit Policy Windows 2012R2 - Ensure 'Audit Removable Storage' is set to 'Success and Failure'
Win OS-12R2 - Audit Policy Windows 2012R2 - Audit Policy: Policy Change: Audit Policy Change'
Win OS-12R2 - Audit Policy Windows 2012R2 - Audit Policy: Policy Change: Authentication Policy Change
Win OS-12R2 - Audit Policy Windows 2012R2 - Ensure 'Audit Authorization Policy Change' is set to 'Success'
Win OS-12R2 - Audit Policy Windows 2012R2 - Audit Policy: Privilege Use: Sensitive Privilege Use
Win OS-12R2 - Audit Policy Windows 2012R2 - Audit Policy: System: IPsec Driver
Win OS-12R2 - Audit Policy Windows 2012R2 - Audit Policy: System: Other System Events
Win OS-12R2 - Audit Policy Windows 2012R2 - Audit Policy: System: Security State Change
Win OS-12R2 - Audit Policy Windows 2012R2 - Audit Policy: System: Security System Extension
Win OS-12R2 - Audit Policy Windows 2012R2 - Audit Policy: System: System Integrity
Win OS-12R2 - Audit Policy Windows 2012R2 - Audit Central Access Policy Staging
Win OS-12R2 - Audit Policy Windows 2012R2 - Audit Handle Manipulation
Win OS-12R2 - Audit Policy Windows 2012R2 - Audit Kernel Object
Win OS-12R2 - Audit Policy Windows 2012R2 - Audit File System
Win OS-12R2 - Audit Policy Windows 2012R2 - Audit Detailed File Share
Win OS-12R2 - Audit Policy Windows 2012R2 - Audit Filtering Platform Packet Drop
Win OS-12R2 - Audit Policy Windows 2012R2 - Audit Non Sensitive Privilege Use
Win OS-12R2 - Audit Policy Windows 2012R2 - Audit MPSSVC Rule-Level Policy Change
Win OS-12R2 - Audit Policy Windows 2012R2 - Audit Network Policy Server
Win OS-12R2 - Audit Policy Windows 2012R2 - Audit File Share
Win OS-12R2 - Audit Policy Windows 2012R2 - Audit IPsec Main Mode
Win OS-12R2 - Audit Policy Windows 2012R2 - Audit IPsec Quick Mode
Win OS-12R2 - Audit Policy Windows 2012R2 - Audit Filtering Platform Policy Change
Win OS-12R2 - Audit Policy Windows 2012R2 - Audit Filtering Platform Connection
Win OS-12R2 - Audit Policy Windows 2012R2 - Audit Application Generated
Win OS-12R2 - Audit Policy Windows 2012R2 - Audit IPsec Extended Mode
Win OS-12R2 - Audit Policy Windows 2012R2 - Audit DPAPI Activity
Win OS-12R2 - Audit Policy Windows 2012R2 - Audit Other Privilege Use Events
Win OS-12R2 - Audit Policy Windows 2012R2 - Audit Other Object Access Events
Win OS-12R2 - Audit Policy Windows 2012R2 - Audit Other Account Logon Events
Win OS-12R2 - Audit Policy Windows 2012R2 - Audit Policy: Detailed Tracking: Process Termination
Win OS-12R2 - Audit Policy Windows 2012R2 - Audit RPC Events
Win OS-12R2 - Audit Policy Windows 2012R2 - Audit Registry
Win OS-12R2 - Audit Policy Windows 2012R2 - Audit User/Device Claims
Win OS-12R2 - Audit Policy Windows 2012R2 - Audit Policy: Logon-Logoff: IPsec Main Mode
Win OS-12R2 - Audit Policy Windows 2012R2 - Audit Other Policy Change Events
Win OS-12R2 - Audit Policy Windows 2012R2 - Audit Process Termination
Win OS-12R2 - Audit Policy Windows 2012R2 - Audit SAM
Win OS-12R2 - Registry Policy Windows 2012R2 - Ensure 'Allow Basic authentication' is set to 'Disabled'
Win OS-12R2 - Registry Policy Windows 2012R2 - Ensure 'Do not allow passwords to be saved' is set to 'Enabled'
Win OS-12R2 - Registry Policy Windows 2012R2 - Network access: Do not allow anonymous enumeration of SAM accounts
Win OS-12R2 - Registry Policy Windows 2012R2 - Network access: Do not allow anonymous enumeration of SAM accounts and shares
Win OS-12R2 - Registry Policy Windows 2012R2 - Ensure 'Enable RPC Endpoint Mapper Client Authentication' is set to 'Enabled' (MS only)
Win OS-12R2 - Registry Policy Windows 2012R2 - Ensure 'System: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'
Win OS-12R2 - Registry Policy Windows 2012R2 - Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled'
Win OS-12R2 - Registry Policy Windows 2012R2 - Ensure 'Accounts: Limit local account use of blank passwords to console logon only' is set to 'Enabled'
Win OS-12R2 - Registry Policy Windows 2012R2 - Ensure 'Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings' is set to 'Enabled'
Win OS-12R2 - Registry Policy Windows 2012R2 - Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled'
Win OS-12R2 - Registry Policy Windows 2012R2 - Ensure 'Devices: Allowed to format and eject removable media' is set to 'Administrators'
Win OS-12R2 - Registry Policy Windows 2012R2 - Ensure 'Devices: Prevent users from installing printer drivers' is set to 'Enabled'
Win OS-12R2 - Registry Policy Windows 2012R2 - Ensure 'Interactive logon: Do not display last user name' is set to 'Enabled'
Win OS-12R2 - Registry Policy Windows 2012R2 - Ensure 'Interactive logon: Do not require CTRL+ALT+DEL' is set to 'Disabled'
Win OS-12R2 - Registry Policy Windows 2012R2 - Ensure 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled'
Win OS-12R2 - Registry Policy Windows 2012R2 - Ensure 'Microsoft network client: Send unencrypted password to third-party SMB servers' is set to 'Disabled'
Win OS-12R2 - Registry Policy Windows 2012R2 - Ensure 'Microsoft network server: Idle time required before suspending session' is set to '15 or fewer minute(s), but not 0'
Win OS-12R2 - Registry Policy Windows 2012R2 - Ensure 'Microsoft network server: Digitally sign communications (always)' is set to 'Enabled'
Win OS-12R2 - Registry Policy Windows 2012R2 - Ensure 'Microsoft network server: Digitally sign communications (if client agrees)' is set to 'Enabled'
Win OS-12R2 - Registry Policy Windows 2012R2 - Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled'
Win OS-12R2 - Registry Policy Windows 2012R2 - Ensure 'Microsoft network client: Digitally sign communications (if server agrees)' is set to 'Enabled'
Win OS-12R2 - Registry Policy Windows 2012R2 - Ensure 'Prevent enabling lock screen camera' is set to 'Enabled'
Win OS-12R2 - Registry Policy Windows 2012R2 - Ensure 'Prevent enabling lock screen slide show' is set to 'Enabled'
Win OS-12R2 - Registry Policy Windows 2012R2 - Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enabled'
Win OS-12R2 - Registry Policy Windows 2012R2 - Ensure 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' is set to 'Enabled'
Win OS-12R2 - Registry Policy Windows 2012R2 - Ensure 'Boot-Start Driver Initialization Policy' is set to 'Enabled: Good, unknown and bad but critical'
Win OS-12R2 - Registry Policy Windows 2012R2 - Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled'
Win OS-12R2 - Registry Policy Windows 2012R2 - Ensure 'Do not display network selection UI' is set to 'Enabled'
Win OS-12R2 - Registry Policy Windows 2012R2 - Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled'
Win OS-12R2 - Registry Policy Windows 2012R2 - Configure 'Network access: Remotely accessible registry paths'
Win OS-12R2 - Registry Policy Windows 2012R2 - Ensure 'Always install with elevated privileges' is set to 'Disabled'
Win OS-12R2 - Registry Policy Windows 2012R2 - Ensure 'Allow unencrypted traffic' is set to 'Disabled'
Win OS-12R2 - Registry Policy Windows 2012R2 - Ensure 'Allow user control over installs' is set to 'Disabled'
Win OS-12R2 - Registry Policy Windows 2012R2 - Ensure 'Always prompt for password upon connection' is set to 'Enabled'
Win OS-12R2 - Registry Policy Windows 2012R2 - Configure 'Network access: Remotely accessible registry paths and sub-paths'
Win OS-12R2 - Registry Policy Windows 2012R2 - Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled'
Win OS-12R2 - Registry Policy Windows 2012R2 - Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No'
Win OS-12R2 - Registry Policy Windows 2012R2 - Ensure 'Disallow Digest authentication' is set to 'Enabled'
Win OS-12R2 - Registry Policy Windows 2012R2 - Ensure 'Security: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'
Win OS-12R2 - Registry Policy Windows 2012R2 - Ensure 'Windows Firewall: Private: Settings: Apply local firewall rules' is set to 'Yes (default)'
Win OS-12R2 - Registry Policy Windows 2012R2 - Ensure 'Turn off heap termination on corruption' is set to 'Disabled'
Win OS-12R2 - Registry Policy Windows 2012R2 - Ensure 'Turn off Autoplay' is set to 'Enabled: All drives'
Win OS-12R2 - Registry Policy Windows 2012R2 - Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled'
Win OS-12R2 - Registry Policy Windows 2012R2 - Ensure 'Turn off shell protocol protected mode' is set to 'Disabled'
Win OS-12R2 - Registry Policy Windows 2012R2 - Ensure 'Network access: Shares that can be accessed anonymously' is set to 'None'
Win OS-12R2 - Registry Policy Windows 2012R2 - Ensure 'Do not display the password reveal button' is set to 'Enabled'
Win OS-12R2 - Registry Policy Windows 2012R2 - Ensure 'Network security: Allow Local System to use computer identity for NTLM' is set to 'Enabled'
Win OS-12R2 - Registry Policy Windows 2012R2 - Ensure 'Automatically send memory dumps for OS-generated error reports' is set to 'Disabled'
Win OS-12R2 - Registry Policy Windows 2012R2 - Ensure 'Windows Firewall: Private: Firewall state' is set to 'On (recommended)'
Win OS-12R2 - Registry Policy Windows 2012R2 - Ensure 'Configure Default consent' is set to 'Enabled: Send all data'
Win OS-12R2 - Registry Policy Windows 2012R2 - Ensure 'System: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'
Win OS-12R2 - Registry Policy Windows 2012R2 - Ensure 'Include command line in process creation events' is set to 'Disabled'
Win OS-12R2 - Registry Policy Windows 2012R2 - Ensure 'Network Security: Configure encryption types allowed for Kerberos' is set to 'RC4_HMAC_MD5, AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types'
Win OS-12R2 - Registry Policy Windows 2012R2 - Ensure 'Sign-in last interactive user automatically after a system-initiated restart' is set to 'Disabled'
Win OS-12R2 - Registry Policy Windows 2012R2 - Ensure 'Prevent downloading of enclosures' is set to 'Enabled'
Win OS-12R2 - Registry Policy Windows 2012R2 - Ensure 'Set the default behavior for AutoRun' is set to 'Enabled: Do not execute any autorun commands'
Win OS-12R2 - Registry Policy Windows 2012R2 - Ensure 'Security: Specify the maximum log file size (KB)' is set to 'Enabled: 196,608 or greater'
Win OS-12R2 - Registry Policy Windows 2012R2 - Ensure 'Turn on convenience PIN sign-in' is set to 'Disabled'
Win OS-12R2 - Registry Policy Windows 2012R2 - Ensure 'Setup: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'
Win OS-12R2 - Registry Policy Windows 2012R2 - Ensure 'Set client connection encryption level' is set to 'Enabled: High Level'
Win OS-12R2 - Registry Policy Windows 2012R2 - Ensure 'Setup: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'
Win OS-12R2 - Registry Policy Windows 2012R2 - Ensure 'Application: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'
Win OS-12R2 - Registry Policy Windows 2012R2 - Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled'
Win OS-12R2 - Registry Policy Windows 2012R2 - Ensure 'Application: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'
Win OS-12R2 - Registry Policy Windows 2012R2 - Ensure 'Windows Firewall: Domain: Firewall state' is set to 'On (recommended)'
Win OS-12R2 - Registry Policy Windows 2012R2 - Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 response only. Refuse LM & NTLM'
Win OS-12R2 - Registry Policy Windows 2012R2 - Ensure 'Require secure RPC communication' is set to 'Enabled'
Win OS-12R2 - Registry Policy Windows 2012R2 - Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled'
Win OS-12R2 - Registry Policy Windows 2012R2 - Ensure 'Do not delete temp folders upon exit' is set to 'Disabled'
Win OS-12R2 - Registry Policy Windows 2012R2 - Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled'
Win OS-12R2 - Registry Policy Windows 2012R2 - Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No'
Win OS-12R2 - Registry Policy Windows 2012R2 - Ensure 'Configure Offer Remote Assistance' is set to 'Disabled'
Win OS-12R2 - Registry Policy Windows 2012R2 - Ensure 'Windows Firewall: Public: Firewall state' is set to 'On (recommended)'
Win OS-12R2 - Registry Policy Windows 2012R2 - Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled'
Win OS-12R2 - Registry Policy Windows 2012R2 - Ensure 'Do not use temporary folders per session' is set to 'Disabled'
Win OS-12R2 - Registry Policy Windows 2012R2 - Network access: Sharing and security model for local accounts
Win OS-12R2 - Registry Policy Windows 2012R2 - Network security: Minimum session security for NTLM SSP based (including secure RPC) clients
Win OS-12R2 - Registry Policy Windows 2012R2 - System objects: Require case insensitivity for non-Windows subsystems
Win OS-12R2 - Registry Policy Windows 2012R2 - Network access: Let Everyone permissions apply to anonymous users
Win OS-12R2 - Registry Policy Windows 2012R2 - Network security: LDAP client signing requirements
Win OS-12R2 - Registry Policy Windows 2012R2 - Network access: Restrict anonymous access to Named Pipes and Shares
Win OS-12R2 - Registry Policy Windows 2012R2 - User Account Control: Admin Approval Mode for the Built-in Administrator account
Win OS-12R2 - Registry Policy Windows 2012R2 - 'Shutdown: Allow system to be shut down without having to log on' is set to 'Disabled'
Win OS-12R2 - Registry Policy Windows 2012R2 - Network security: Minimum session security for NTLM SSP based (including secure RPC) servers
Win OS-12R2 - Registry Policy Windows 2012R2 - Network security: Do not store LAN Manager hash value on next password change
Win OS-12R2 - Registry Policy Windows 2012R2 - System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)
Win OS-12R2 - Registry Policy Windows 2012R2 - Network security: Allow LocalSystem NULL session fallback
Win OS-12R2 - Registry Policy Windows 2012R2 - Windows Firewall: Public: Display a notification
Win OS-12R2 - Registry Policy Windows 2012R2 - Windows Firewall: Public: Outbound connections
Win OS-12R2 - Registry Policy Windows 2012R2 - User Account Control: Run all administrators in Admin Approval Mode
Win OS-12R2 - Registry Policy Windows 2012R2 - Windows Firewall: Domain: Display a notification
Win OS-12R2 - Registry Policy Windows 2012R2 - User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode
Win OS-12R2 - Registry Policy Windows 2012R2 - Windows Firewall: Private: Display a notification
Win OS-12R2 - Registry Policy Windows 2012R2 - User Account Control: Behavior of the elevation prompt for standard users
Win OS-12R2 - Registry Policy Windows 2012R2 - User Account Control: Only elevate UIAccess applications that are installed in secure locations
Win OS-12R2 - Registry Policy Windows 2012R2 - User Account Control: Detect application installations and prompt for elevation
Win OS-12R2 - Registry Policy Windows 2012R2 - User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop
Win OS-12R2 - Registry Policy Windows 2012R2 - User Account Control: Virtualize file and registry write failures to per-user locations
Win OS-12R2 - Registry Policy Windows 2012R2 - User Account Control: Switch to the secure desktop when prompting for elevation
Win OS-12R2 - Registry Policy Windows 2012R2 - Windows Firewall: Domain: Outbound connections
Win OS-12R2 - Registry Policy Windows 2012R2 - Windows Firewall: Private: Outbound connections
Win OS-12R2 - Registry Policy Windows 2012R2 - Devices: Allow undock without having to log on
Win OS-12R2 - Registry Policy Windows 2012R2 - Ensure 'Enable Windows NTP Client' is set to 'Enabled'
Win OS-12R2 - Registry Policy Windows 2012R2 - Disable SMB v1 server
Win OS-12R2 - Registry Policy Windows 2012R2 - Ensure 'Always use classic logon' is set to 'Enabled'
Win OS-12R2 - Registry Policy Windows 2012R2 - Detect change from default RDP port
Win OS-12R2 - Registry Policy Windows 2012R2 - Disable Windows Search Service
Win OS-12R2 - Registry Policy Windows 2012R2 - Require user authentication for remote connections by using Network Level Authentication
Win OS-12R2 - Registry Policy Windows 2012R2 - Ensure 'Windows Firewall: Private: Settings: Apply local connection security rules' is set to 'Yes (default)'
Win OS-12R2 - Registry Policy Windows 2012R2 - Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'
Win OS-12R2 - Registry Policy Windows 2012R2 - Ensure 'Windows Firewall: Domain: Settings: Apply local firewall rules' is set to 'Yes (default)'
Win OS-12R2 - Registry Policy Windows 2012R2 - Ensure 'Windows Firewall: Domain: Settings: Apply local connection security rules' is set to 'Yes (default)'
Win OS-12R2 - Registry Policy Windows 2012R2 - System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies
Win OS-12R2 - Registry Policy Windows 2012R2 - Recovery console: Allow floppy copy and access to all drives and all folders
Win OS-12R2 - Registry Policy Windows 2012R2 - Specify the interval to check for definition updates
Win OS-12R2 - Registry Policy Windows 2012R2 - Windows Firewall: Private: Allow unicast response
Win OS-12R2 - Registry Policy Windows 2012R2 - Windows Firewall: Domain: Allow unicast response
Win OS-12R2 - Registry Policy Windows 2012R2 - Ensure 'Prohibit use of Internet Connection Sharing on your DNS domain network' is set to 'Enabled'
Win OS-12R2 - Registry Policy Windows 2012R2 - Shutdown: Clear virtual memory pagefile
Win OS-12R2 - Registry Policy Windows 2012R2 - Windows Firewall: Public: Allow unicast response
Win OS-12R2 - Security Policy Windows 2012R2 - Ensure 'Enforce password history' is set to '24 or more password(s)'
Win OS-12R2 - Security Policy Windows 2012R2 - Ensure 'Maximum password age' is set to '70 or fewer days, but not 0'
Win OS-12R2 - Security Policy Windows 2012R2 - Ensure 'Minimum password age' is set to '1 or more day(s)'
Win OS-12R2 - Security Policy Windows 2012R2 - Ensure 'Minimum password length' is set to '14 or more character(s)'
Win OS-12R2 - Security Policy Windows 2012R2 - Ensure 'Password must meet complexity requirements' is set to 'Enabled'
Win OS-12R2 - Security Policy Windows 2012R2 - Ensure 'Store passwords using reversible encryption' is set to 'Disabled'
Win OS-12R2 - Security Policy Windows 2012R2 - Ensure 'Access Credential Manager as a trusted caller' is set to 'No One'
Win OS-12R2 - Security Policy Windows 2012R2 - Configure 'Access this computer from the network'
Win OS-12R2 - Security Policy Windows 2012R2 - Ensure 'Act as part of the operating system' is set to 'No One'
Win OS-12R2 - Security Policy Windows 2012R2 - Ensure 'Allow log on locally' is set to 'Administrators'
Win OS-12R2 - Security Policy Windows 2012R2 - Configure 'Allow log on through Remote Desktop Services'
Win OS-12R2 - Security Policy Windows 2012R2 - Ensure 'Back up files and directories' is set to 'Administrators'
Win OS-12R2 - Security Policy Windows 2012R2 - Ensure 'Change the system time' is set to 'Administrators, LOCAL SERVICE'
Win OS-12R2 - Security Policy Windows 2012R2 - Ensure 'Change the time zone' is set to 'Administrators, LOCAL SERVICE'
Win OS-12R2 - Security Policy Windows 2012R2 - Ensure 'Create a pagefile' is set to 'Administrators'
Win OS-12R2 - Security Policy Windows 2012R2 - Ensure 'Create a token object' is set to 'No One'
Win OS-12R2 - Security Policy Windows 2012R2 - Ensure 'Create global objects' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE'
Win OS-12R2 - Security Policy Windows 2012R2 - Ensure 'Create permanent shared objects' is set to 'No One'
Win OS-12R2 - Security Policy Windows 2012R2 - Configure 'Create symbolic links'
Win OS-12R2 - Security Policy Windows 2012R2 - Configure 'Deny access to this computer from the network'
Win OS-12R2 - Security Policy Windows 2012R2 - Ensure 'Deny log on as a batch job' to include 'Guests'
Win OS-12R2 - Security Policy Windows 2012R2 - Ensure 'Deny log on as a service' to include 'Guests'
Win OS-12R2 - Security Policy Windows 2012R2 - Ensure 'Deny log on locally' to include 'Guests'
Win OS-12R2 - Security Policy Windows 2012R2 - Configure 'Deny log on through Remote Desktop Services'
Win OS-12R2 - Security Policy Windows 2012R2 - Configure 'Enable computer and user accounts to be trusted for delegation'
Win OS-12R2 - Security Policy Windows 2012R2 - Ensure 'Force shutdown from a remote system' is set to 'Administrators'
Win OS-12R2 - Security Policy Windows 2012R2 - Ensure 'Generate security audits' is set to 'LOCAL SERVICE, NETWORK SERVICE'
Win OS-12R2 - Security Policy Windows 2012R2 - Ensure 'Increase scheduling priority' is set to 'Administrators'
Win OS-12R2 - Security Policy Windows 2012R2 - Ensure 'Load and unload device drivers' is set to 'Administrators'
Win OS-12R2 - Security Policy Windows 2012R2 - Ensure 'Lock pages in memory' is set to 'No One'
Win OS-12R2 - Security Policy Windows 2012R2 - Configure 'Manage auditing and security log'
Win OS-12R2 - Security Policy Windows 2012R2 - Ensure 'Modify an object label' is set to 'No One'
Win OS-12R2 - Security Policy Windows 2012R2 - Ensure 'Modify firmware environment values' is set to 'Administrators'
Win OS-12R2 - Security Policy Windows 2012R2 - Ensure 'Perform volume maintenance tasks' is set to 'Administrators'
Win OS-12R2 - Security Policy Windows 2012R2 - Ensure 'Profile single process' is set to 'Administrators'
Win OS-12R2 - Security Policy Windows 2012R2 - Ensure 'Replace a process level token' is set to 'LOCAL SERVICE, NETWORK SERVICE'
Win OS-12R2 - Security Policy Windows 2012R2 - Ensure 'Restore files and directories' is set to 'Administrators'
Win OS-12R2 - Security Policy Windows 2012R2 - Ensure 'Shut down the system' is set to 'Administrators'
Win OS-12R2 - Security Policy Windows 2012R2 - Ensure 'Take ownership of files or other objects' is set to 'Administrators'
Win OS-12R2 - Security Policy Windows 2012R2 - Ensure 'Accounts: Guest account status' is set to 'Disabled' (MS only)
Win OS-12R2 - Security Policy Windows 2012R2 - Ensure 'Profile system performance' is set to 'Administrators, NT SERVICE-WdiServiceHost'
Win OS-12R2 - Security Policy Windows 2012R2 - Increase a process working set
Win OS-12R2 - Security Policy Windows 2012R2 - Bypass traverse checking

Windows 16

Category Policy Title
Win OS-16 - Audit Policy Windows 2016 - Ensure 'Audit Application Group Management' is set
Win OS-16 - Audit Policy Windows 2016 - Ensure 'Audit Authentication Policy Change' is set to 'Success'
Win OS-16 - Audit Policy Windows 2016 - Ensure 'Audit Logoff' is set to 'Success'
Win OS-16 - Audit Policy Windows 2016 - Ensure 'Audit Security State Change' is set to 'Success'
Win OS-16 - Audit Policy Windows 2016 - Ensure 'Audit Logon' is set to 'Success and Failure'
Win OS-16 - Audit Policy Windows 2016 - Ensure 'Audit Security Group Management' is set to 'Success'
Win OS-16 - Audit Policy Windows 2016 - Ensure 'Audit Policy Change' is set to 'Success'
Win OS-16 - Audit Policy Windows 2016 - Ensure 'Audit User Account Management' is set to 'Success and Failure'
Win OS-16 - Audit Policy Windows 2016 - Ensure 'Audit IPsec Driver' is set to 'Success and Failure'
Win OS-16 - Audit Policy Windows 2016 - Ensure 'Audit Other System Events' is set to 'Success and Failure'
Win OS-16 - Audit Policy Windows 2016 - Ensure 'Audit Other Logon/Logoff Events' is set to 'Success and Failure'
Win OS-16 - Audit Policy Windows 2016 - Ensure 'Audit Removable Storage' is set to 'Success and Failure'
Win OS-16 - Audit Policy Windows 2016 - Ensure 'Audit Credential Validation' is set to 'Success and Failure'
Win OS-16 - Audit Policy Windows 2016 - Ensure 'Audit Security System Extension' is set to 'Success'
Win OS-16 - Audit Policy Windows 2016 - Ensure 'Audit Account Lockout' is set to 'Success and Failure'
Win OS-16 - Audit Policy Windows 2016 - Ensure 'Audit Authorization Policy Change' is set to 'Success'
Win OS-16 - Audit Policy Windows 2016 - Ensure 'Audit System Integrity' is set to 'Success'
Win OS-16 - Audit Policy Windows 2016 - Ensure 'Audit Special Logon' is set to 'Success'
Win OS-16 - Audit Policy Windows 2016 - Ensure 'Audit Sensitive Privilege Use' is set to 'Success and Failure'
Win OS-16 - Audit Policy Windows 2016 - Ensure 'Audit Process Creation' is set to 'Success and Failure'
Win OS-16 - Audit Policy Windows 2016 - Audit IPsec Extended Mode
Win OS-16 - Audit Policy Windows 2016 - Audit Detailed File Share
Win OS-16 - Audit Policy Windows 2016 - Audit Filtering Platform Packet Drop
Win OS-16 - Audit Policy Windows 2016 - Audit MPSSVC Rule-Level Policy Change
Win OS-16 - Audit Policy Windows 2016 - Audit Kernel Object
Win OS-16 - Audit Policy Windows 2016 - Audit IPsec Main Mode
Win OS-16 - Audit Policy Windows 2016 - Audit File Share
Win OS-16 - Audit Policy Windows 2016 - Audit Other Object Access Events
Win OS-16 - Audit Policy Windows 2016 - Audit IPsec Quick Mode
Win OS-16 - Audit Policy Windows 2016 - Audit Filtering Platform Policy Change
Win OS-16 - Audit Policy Windows 2016 - Audit Handle Manipulation
Win OS-16 - Audit Policy Windows 2016 - Audit Network Policy Server
Win OS-16 - Audit Policy Windows 2016 - Audit Central Access Policy Staging
Win OS-16 - Audit Policy Windows 2016 - Audit Other Account Logon Events
Win OS-16 - Audit Policy Windows 2016 - Audit Non Sensitive Privilege Use
Win OS-16 - Audit Policy Windows 2016 - Audit Filtering Platform Connection
Win OS-16 - Audit Policy Windows 2016 - Audit Application Generated
Win OS-16 - Audit Policy Windows 2016 - Audit DPAPI Activity
Win OS-16 - Audit Policy Windows 2016 - Audit File System
Win OS-16 - Audit Policy Windows 2016 - Audit User/Device Claims
Win OS-16 - Audit Policy Windows 2016 - Audit Policy: Detailed Tracking: Process Termination
Win OS-16 - Audit Policy Windows 2016 - Audit Policy: Logon-Logoff: IPsec Main Mode
Win OS-16 - Audit Policy Windows 2016 - Audit Process Termination
Win OS-16 - Audit Policy Windows 2016 - Ensure 'Audit PNP Activity' is set to 'Success'
Win OS-16 - Audit Policy Windows 2016 - Audit SAM
Win OS-16 - Audit Policy Windows 2016 - Audit Registry
Win OS-16 - Audit Policy Windows 2016 - Ensure 'Audit Group Membership' is set to 'Success'
Win OS-16 - Audit Policy Windows 2016 - Audit Other Policy Change Events
Win OS-16 - Audit Policy Windows 2016 - Audit Other Privilege Use Events
Win OS-16 - Audit Policy Windows 2016 - Audit RPC Events
Win OS-16 - Registry Policy Windows 2016 - Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled'
Win OS-16 - Registry Policy Windows 2016 - Ensure 'Do not display network selection UI' is set to 'Enabled'
Win OS-16 - Registry Policy Windows 2016 - Ensure 'Prevent enabling lock screen slide show' is set to 'Enabled'
Win OS-16 - Registry Policy Windows 2016 - Ensure 'Network security: Allow Local System to use computer identity for NTLM' is set to 'Enabled'
Win OS-16 - Registry Policy Windows 2016 - Ensure 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' is set to 'Enabled'
Win OS-16 - Registry Policy Windows 2016 - Ensure 'Windows Firewall: Private: Outbound connections' is set to 'Allow (default)'
Win OS-16 - Registry Policy Windows 2016 - Ensure 'Prevent enabling lock screen camera' is set to 'Enabled'
Win OS-16 - Registry Policy Windows 2016 - Ensure 'Shut down the system' is set to 'Administrators'
Win OS-16 - Registry Policy Windows 2016 - Ensure 'Disallow Digest authentication' is set to 'Enabled'
Win OS-16 - Registry Policy Windows 2016 - Ensure 'Allow indexing of encrypted files' is set to 'Disabled'
Win OS-16 - Registry Policy Windows 2016 - Ensure 'Setup: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'
Win OS-16 - Registry Policy Windows 2016 - Ensure 'Windows Firewall: Private: Firewall state' is set to 'On (recommended)'
Win OS-16 - Registry Policy Windows 2016 - Ensure 'Allow unencrypted traffic' is set to 'Disabled'
Win OS-16 - Registry Policy Windows 2016 - Ensure 'Set the default behavior for AutoRun' is set to 'Enabled: Do not execute any autorun commands'
Win OS-16 - Registry Policy Windows 2016 - Ensure 'Do not use temporary folders per session' is set to 'Disabled'
Win OS-16 - Registry Policy Windows 2016 - Ensure 'Network access: Shares that can be accessed anonymously' is set to 'None'
Win OS-16 - Registry Policy Windows 2016 - Ensure 'Microsoft network server: Idle time required before suspending session' is set to '15 or fewer minute(s), but not 0'
Win OS-16 - Registry Policy Windows 2016 - Ensure 'Windows Firewall: Public: Settings: Display a notification' is set to 'Yes'
Win OS-16 - Registry Policy Windows 2016 - Ensure 'Windows Firewall: Domain: Settings: Display a notification' is set to 'No'
Win OS-16 - Registry Policy Windows 2016 - Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enabled'
Win OS-16 - Registry Policy Windows 2016 - Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled'
Win OS-16 - Registry Policy Windows 2016 - Ensure 'Do not delete temp folders upon exit' is set to 'Disabled'
Win OS-16 - Registry Policy Windows 2016 - Ensure 'Devices: Prevent users from installing printer drivers'is set to 'Enabled'
Win OS-16 - Registry Policy Windows 2016 - Ensure 'Always prompt for password upon connection' is set to 'Enabled'
Win OS-16 - Registry Policy Windows 2016 - Ensure 'Boot-Start Driver Initialization Policy' is set to 'Enabled: Good, unknown and bad but critical'
Win OS-16 - Registry Policy Windows 2016 - Ensure 'System objects: Require case insensitivity for non-Windows subsystems' is set to 'Enabled'
Win OS-16 - Registry Policy Windows 2016 - Ensure 'Microsoft network server: Digitally sign communications (always)' is set to 'Enabled'
Win OS-16 - Registry Policy Windows 2016 - Ensure 'Microsoft network client: Send unencrypted password to third-party SMB servers
Win OS-16 - Registry Policy Windows 2016 - Ensure 'Windows Firewall: Public: Firewall state' is set to 'On (recommended)'
Win OS-16 - Registry Policy Windows 2016 - Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No'
Win OS-16 - Registry Policy Windows 2016 - Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled'
Win OS-16 - Registry Policy Windows 2016 - Ensure 'Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings' is set to 'Enabled'
Win OS-16 - Registry Policy Windows 2016 - Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled'
Win OS-16 - Registry Policy Windows 2016 - Ensure 'Network Security: Configure encryption types allowed for Kerberos' is set to 'RC4_HMAC_MD5, AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types'
Win OS-16 - Registry Policy Windows 2016 - Ensure 'Network security: Allow LocalSystem NULL session fallback' is set to 'Disabled'
Win OS-16 - Registry Policy Windows 2016 - Ensure 'Application: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'
Win OS-16 - Registry Policy Windows 2016 - Ensure 'Network security: LDAP client signing requirements' is set to 'Negotiate signing' or higher
Win OS-16 - Registry Policy Windows 2016 - Ensure 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled'
Win OS-16 - Registry Policy Windows 2016 - Ensure 'Interactive logon: Do not display last user name' is set to 'Enabled'
Win OS-16 - Registry Policy Windows 2016 - Ensure 'Include command line in process creation events' is set to 'Disabled'
Win OS-16 - Registry Policy Windows 2016 - Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled'
Win OS-16 - Registry Policy Windows 2016 - Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled'
Win OS-16 - Registry Policy Windows 2016 - Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled'
Win OS-16 - Registry Policy Windows 2016 - Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' is set to 'Require NTLMv2 session security, Require 128-bit encryption'
Win OS-16 - Registry Policy Windows 2016 - Ensure 'Interactive logon: Do not require CTRL+ALT+DEL' is set to 'Disabled'
Win OS-16 - Registry Policy Windows 2016 - Ensure 'Accounts: Limit local account use of blank passwords to console logon only' is set to 'Enabled'
Win OS-16 - Registry Policy Windows 2016 - Ensure 'Network access: Sharing and security model for local accounts' is set to 'Classic - local users authenticate as themselves'
Win OS-16 - Registry Policy Windows 2016 - Ensure 'Microsoft network client: Digitally sign communications (if server agrees)' is set to 'Enabled'
Win OS-16 - Registry Policy Windows 2016 - Configure 'Network access: Remotely accessible registry paths'
Win OS-16 - Registry Policy Windows 2016 - Ensure 'Configure Windows SmartScreen' is set to 'Enabled'
Win OS-16 - Registry Policy Windows 2016 - Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' is set to 'Require NTLMv2 session security, Require 128-bit encryption'
Win OS-16 - Registry Policy Windows 2016 - Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled'
Win OS-16 - Registry Policy Windows 2016 - Ensure 'Allow Basic authentication' is set to 'Disabled'
Win OS-16 - Registry Policy Windows 2016 - Ensure 'Prevent downloading of enclosures' is set to 'Enabled'
Win OS-16 - Registry Policy Windows 2016 - Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 response only. Refuse LM & NTLM'
Win OS-16 - Registry Policy Windows 2016 - Ensure 'Allow user control over installs' is set to 'Disabled'
Win OS-16 - Registry Policy Windows 2016 - Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled'
Win OS-16 - Registry Policy Windows 2016 - Ensure 'Do not display the password reveal button' is set to 'Enabled'
Win OS-16 - Registry Policy Windows 2016 - Ensure 'Configure Offer Remote Assistance' is set to 'Disabled'
Win OS-16 - Registry Policy Windows 2016 - Ensure 'Devices: Allowed to format and eject removable media' is set to 'Administrators'
Win OS-16 - Registry Policy Windows 2016 - Configure 'Network access: Remotely accessible registry paths and sub-paths'
Win OS-16 - Registry Policy Windows 2016 - Ensure 'Do not allow passwords to be saved' is set to 'Enabled'
Win OS-16 - Registry Policy Windows 2016 - Ensure 'Always install with elevated privileges' is set to 'Disabled'
Win OS-16 - Registry Policy Windows 2016 - Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled'
Win OS-16 - Registry Policy Windows 2016 - Ensure 'Microsoft network server: Digitally sign communications (if client agrees)' is set to 'Enabled'
Win OS-16 - Registry Policy Windows 2016 - Ensure 'Require secure RPC communication' is set to 'Enabled'
Win OS-16 - Registry Policy Windows 2016 - Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled'
Win OS-16 - Registry Policy Windows 2016 - Ensure 'System: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'
Win OS-16 - Registry Policy Windows 2016 - Ensure 'User Account Control: Virtualize file and registry write failures to per-user locations' is set to 'Enabled'
Win OS-16 - Registry Policy Windows 2016 - Ensure 'Set client connection encryption level' is set to 'Enabled: High Level'
Win OS-16 - Registry Policy Windows 2016 - Ensure 'Windows Firewall: Domain: Firewall state' is set to 'On (recommended)'
Win OS-16 - Registry Policy Windows 2016 - Ensure 'Security: Specify the maximum log file size (KB)' is set to 'Enabled: 196,608 or greater'
Win OS-16 - Registry Policy Windows 2016 - Ensure 'Windows Firewall: Private: Settings: Display a notification' is set to 'No'
Win OS-16 - Registry Policy Windows 2016 - Ensure 'Sign-in last interactive user automatically after a system-initiated restart' is set to 'Disabled'
Win OS-16 - Registry Policy Windows 2016 - Ensure 'Turn off heap termination on corruption' is set to 'Disabled'
Win OS-16 - Registry Policy Windows 2016 - Ensure 'System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)' is set to 'Enabled'
Win OS-16 - Registry Policy Windows 2016 - Ensure 'System: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'
Win OS-16 - Registry Policy Windows 2016 - Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled'
Win OS-16 - Registry Policy Windows 2016 - Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled'
Win OS-16 - Registry Policy Windows 2016 - Ensure 'Setup: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'
Win OS-16 - Registry Policy Windows 2016 - Ensure 'Windows Firewall: Domain: Outbound connections' is set to 'Allow (default)'
Win OS-16 - Registry Policy Windows 2016 - Ensure 'UAC: Elevation prompt for administrators in Admin Approval Mode' is set to 'Prompt for consent on the secure desktop'
Win OS-16 - Registry Policy Windows 2016 - Ensure 'Security: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'
Win OS-16 - Registry Policy Windows 2016 - Ensure 'UAC: Allow UIAccess applications to prompt for elevation without using the secure desktop' is set to 'Disabled'
Win OS-16 - Registry Policy Windows 2016 - Ensure 'UAC: Behavior of the elevation prompt for standard users' is set to 'Automatically deny elevation requests'
Win OS-16 - Registry Policy Windows 2016 - Ensure 'User Account Control: Run all administrators in Admin Approval Mode' is set to 'Enabled'
Win OS-16 - Registry Policy Windows 2016 - Ensure 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is set to 'Enabled'
Win OS-16 - Registry Policy Windows 2016 - Ensure 'Turn on convenience PIN sign-in' is set to 'Disabled'
Win OS-16 - Registry Policy Windows 2016 - Ensure 'User Account Control: Detect application installations and prompt for elevation' is set to 'Enabled'
Win OS-16 - Registry Policy Windows 2016 - Ensure 'Shutdown: Allow system to be shut down without having to log on' is set to 'Disabled'
Win OS-16 - Registry Policy Windows 2016 - Ensure 'User Account Control: Switch to the secure desktop when prompting for elevation' is set to 'Enabled'
Win OS-16 - Registry Policy Windows 2016 - Ensure 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is set to 'Enabled'
Win OS-16 - Registry Policy Windows 2016 - Ensure 'Turn off Autoplay' is set to 'Enabled: All drives'
Win OS-16 - Registry Policy Windows 2016 - Ensure 'Turn off shell protocol protected mode' is set to 'Disabled'
Win OS-16 - Registry Policy Windows 2016 - Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No'
Win OS-16 - Registry Policy Windows 2016 - Ensure 'Windows Firewall: Public: Outbound connections' is set to 'Allow (default)'
Win OS-16 - Registry Policy Windows 2016 - Ensure 'Application: Specify the maximum log file size(KB)' is set to 'Enabled: 32,768 or greater'
Win OS-16 - Registry Policy Windows 2016 - Ensure 'Enable RPC Endpoint Mapper Client Authentication' is set to 'Enabled' (MS only)
Win OS-16 - Registry Policy Windows 2016 - Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts' is set to 'Enabled' (MS only)
Win OS-16 - Registry Policy Windows 2016 - Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' is set to 'Enabled' (MS only)
Win OS-16 - Registry Policy Windows 2016 - Ensure 'Allow search and Cortana to use location' is set to 'Disabled
Win OS-16 - Registry Policy Windows 2016 - Disable 'Configure local setting override for reporting to Microsoft MAPS'
Win OS-16 - Registry Policy Windows 2016 - Disable SMB v1 server
Win OS-16 - Registry Policy Windows 2016 - Ensure 'Allow Cortana above lock screen' is set to 'Disabled'
Win OS-16 - Registry Policy Windows 2016 - Ensure 'Network access: Restrict clients allowed to make remote calls to SAM' is set to 'Administrators: Remote Access: Allow'
Win OS-16 - Registry Policy Windows 2016 - Ensure 'Allow Cortana' is set to 'Disabled'
Win OS-16 - Registry Policy Windows 2016 - Ensure 'Allow Input Personalization' is set to 'Disabled'
Win OS-16 - Registry Policy Windows 2016 - Ensure 'Do not show feedback notifications' is set to 'Enabled'
Win OS-16 - Registry Policy Windows 2016 - Ensure 'Prohibit use of Internet Connection Sharing on your DNS domain network' is set to 'Enabled'
Win OS-16 - Registry Policy Windows 2016 - Ensure 'Enable Windows NTP Client' is set to 'Enabled'
Win OS-16 - Registry Policy Windows 2016 - Ensure 'Allow Telemetry' is set to 'Enabled: 0 - Security [Enterprise Only]'
Win OS-16 - Registry Policy Windows 2016 - Ensure 'Enable insecure guest logons' is set to 'Disabled'
Win OS-16 - Registry Policy Windows 2016 - Enable 'Scan removable drives' by setting DisableRemovableDriveScanning (REG_DWORD) to 0
Win OS-16 - Registry Policy Windows 2016 - Ensure 'Continue experiences on this device' is set to 'Disabled'
Win OS-16 - Registry Policy Windows 2016 - Enable 'Send file samples when further analysis is required' for 'Send Safe Samples'
Win OS-16 - Registry Policy Windows 2016 - Enable 'Turn on behavior monitoring'
Win OS-16 - Registry Policy Windows 2016 - Disable Windows Search Service
Win OS-16 - Registry Policy Windows 2016 - Ensure 'Block user from showing account details on sign-in' is set to 'Enabled'
Win OS-16 - Registry Policy Windows 2016 - Devices: Allow undock without having to log on
Win OS-16 - Registry Policy Windows 2016 - Detect change from default RDP port
Win OS-16 - Registry Policy Windows 2016 - Windows Firewall: Domain: Allow unicast response
Win OS-16 - Registry Policy Windows 2016 - Shutdown: Clear virtual memory pagefile
Win OS-16 - Registry Policy Windows 2016 - Ensure 'Windows Firewall: Domain: Settings: Apply local firewall rules' is set to 'Yes (default)'
Win OS-16 - Registry Policy Windows 2016 - Ensure 'Windows Firewall: Private: Settings: Apply local firewall rules' is set to 'Yes (default)'
Win OS-16 - Registry Policy Windows 2016 - Windows Firewall: Public: Allow unicast response
Win OS-16 - Registry Policy Windows 2016 - Ensure 'Turn off multicast name resolution' is set to 'Enabled' (MS Only)
Win OS-16 - Registry Policy Windows 2016 - Ensure 'Turn off Microsoft consumer experiences' is set to 'Enabled'
Win OS-16 - Registry Policy Windows 2016 - Ensure 'Windows Firewall: Private: Settings: Apply local connection security rules' is set to 'Yes (default)'
Win OS-16 - Registry Policy Windows 2016 - Recovery console: Allow floppy copy and access to all drives and all folders
Win OS-16 - Registry Policy Windows 2016 - Windows Firewall: Private: Allow unicast response
Win OS-16 - Registry Policy Windows 2016 - Ensure 'Windows Firewall: Domain: Settings: Apply local connection security rules' is set to 'Yes (default)'
Win OS-16 - Registry Policy Windows 2016 - Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'
Win OS-16 - Registry Policy Windows 2016 - Require user authentication for remote connections by using Network Level Authentication
Win OS-16 - Registry Policy Windows 2016 - System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies
Win OS-16 - Security Policy Windows 2016 - Ensure 'Increase scheduling priority' is set to 'Administrators'
Win OS-16 - Security Policy Windows 2016 - Ensure 'Take ownership of files or other objects' is set to 'Administrators'
Win OS-16 - Security Policy Windows 2016 - Ensure 'Modify firmware environment values' is set to 'Administrators'
Win OS-16 - Security Policy Windows 2016 - Configure 'Deny access to this computer from the network'
Win OS-16 - Security Policy Windows 2016 - Ensure 'Force shutdown from a remote system' is set to 'Administrators'
Win OS-16 - Security Policy Windows 2016 - Configure 'Allow log on locally'
Win OS-16 - Security Policy Windows 2016 - Ensure 'Deny log on locally' is configured
Win OS-16 - Security Policy Windows 2016 - Ensure 'Change the time zone' is set to 'Administrators, LOCAL SERVICE'
Win OS-16 - Security Policy Windows 2016 - Configure 'Enable computer and user accounts to be trusted for delegation'
Win OS-16 - Security Policy Windows 2016 - Ensure 'Load and unload device drivers' is configured
Win OS-16 - Security Policy Windows 2016 - Ensure 'Create global objects' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE'
Win OS-16 - Security Policy Windows 2016 - Ensure 'Deny log on as a service' is configured
Win OS-16 - Security Policy Windows 2016 - Configure 'Access this computer from the network'
Win OS-16 - Security Policy Windows 2016 - Ensure 'Minimum password length' is set to '14 or more character(s)'
Win OS-16 - Security Policy Windows 2016 - Configure 'Create symbolic links'
Win OS-16 - Security Policy Windows 2016 - Ensure 'Deny log on through Remote Desktop Services' is configured
Win OS-16 - Security Policy Windows 2016 - Ensure 'Lock pages in memory' is set to 'No One'
Win OS-16 - Security Policy Windows 2016 - Ensure 'Restore files and directories' is set to 'Administrators, Backup Operators'
Win OS-16 - Security Policy Windows 2016 - Ensure 'Create a token object' is set to 'No One'
Win OS-16 - Security Policy Windows 2016 - Ensure 'Create a pagefile' is set to 'Administrators'
Win OS-16 - Security Policy Windows 2016 - Ensure 'Store passwords using reversible encryption' is set to 'Disabled'
Win OS-16 - Security Policy Windows 2016 - Ensure 'Generate security audits' is set to 'LOCAL SERVICE, NETWORK SERVICE'
Win OS-16 - Security Policy Windows 2016 - Ensure 'Password must meet complexity requirements' is set to 'Enabled'
Win OS-16 - Security Policy Windows 2016 - Ensure 'Change the system time' is configured
Win OS-16 - Security Policy Windows 2016 - Ensure 'Perform volume maintenance tasks' is set to 'Administrators'
Win OS-16 - Security Policy Windows 2016 - Ensure 'Deny log on as a batch job' is configured
Win OS-16 - Security Policy Windows 2016 - Ensure 'Back up files and directories' is configured
Win OS-16 - Security Policy Windows 2016 - Configure 'Allow log on through Remote Desktop Services'
Win OS-16 - Security Policy Windows 2016 - Ensure 'Minimum password age' is set to '1 or more day(s)'
Win OS-16 - Security Policy Windows 2016 - Ensure 'Profile single process' is set to 'Administrators'
Win OS-16 - Security Policy Windows 2016 - Ensure 'Maximum password age' is set to '70 or fewer days, but not 0'
Win OS-16 - Security Policy Windows 2016 - Ensure 'Create permanent shared objects' is set to 'No One'
Win OS-16 - Security Policy Windows 2016 - Ensure 'Profile system performance' is set to 'Administrators, NT SERVICE\WdiServiceHost'
Win OS-16 - Security Policy Windows 2016 - Ensure 'Replace a process level token' is set to 'LOCAL SERVICE, NETWORK SERVICE'
Win OS-16 - Security Policy Windows 2016 - Ensure 'Act as part of the operating system' is set to 'No One'
Win OS-16 - Security Policy Windows 2016 - Ensure 'Access Credential Manager as a trusted caller' is set to 'No One'
Win OS-16 - Security Policy Windows 2016 - Configure 'Manage auditing and security log'
Win OS-16 - Security Policy Windows 2016 - Ensure 'Enforce password history' is set to '24 or more password(s)'
Win OS-16 - Security Policy Windows 2016 - Ensure 'Modify an object label' is set to 'No One'
Win OS-16 - Security Policy Windows 2016 - Ensure 'Accounts: Guest account status' is set to 'Disabled'
Win OS-16 - Security Policy Windows 2016 - Specify the interval to check for definition updates
Win OS-16 - Security Policy Windows 2016 - Bypass traverse checking
Win OS-16 - Security Policy Windows 2016 - Increase a process working set

Ubuntu 18.04

Category Policy Title
Ubuntu 18.04 - Initial Setup Ubuntu 18.04 - Ensure nodev option set on removable media partitions
Ubuntu 18.04 - Initial Setup Ubuntu 18.04 - Ensure nosuid option set on removable media partitions
Ubuntu 18.04 - Initial Setup Ubuntu 18.04 - Ensure noexec option set on removable media partitions
Ubuntu 18.04 - Initial Setup Ubuntu 18.04 - Ensure XD/NX support is enabled
Ubuntu 18.04 - Initial Setup Ubuntu 18.04 - Ensure address space layout randomization (ASLR) is enabled
Ubuntu 18.04 - Services Ubuntu 18.04 - Ensure xinetd is not enabled
Ubuntu 18.04 - Services Ubuntu 18.04 - Ensure rsh server is not enabled
Ubuntu 18.04 - Services Ubuntu 18.04 - Ensure telnet server is not enabled
Ubuntu 18.04 - Services Ubuntu 18.04 - Ensure tftp server is not enabled
Ubuntu 18.04 - Services Ubuntu 18.04 - Ensure IMAP and POP3 server is not enabled
Ubuntu 18.04 - Services Ubuntu 18.04 - Ensure Avahi Server is not enabled
Ubuntu 18.04 - Services Ubuntu 18.04 - Ensure CUPS is not enabled
Ubuntu 18.04 - Services Ubuntu 18.04 - Ensure DHCP Server is not enabled
Ubuntu 18.04 - Services Ubuntu 18.04 - Ensure LDAP server is not enabled
Ubuntu 18.04 - Services Ubuntu 18.04 - Ensure DNS Server is not enabled
Ubuntu 18.04 - Services Ubuntu 18.04 - Ensure NIS Client is not installed
Ubuntu 18.04 - Services Ubuntu 18.04 - Ensure rsh client is not installed
Ubuntu 18.04 - Services Ubuntu 18.04 - Ensure telnet client is not installed
Ubuntu 18.04 - Network Configuration Ubuntu 18.04 - Ensure IP forwarding is disabled
Ubuntu 18.04 - Network Configuration Ubuntu 18.04 - Ensure source routed packets are not accepted
Ubuntu 18.04 - Network Configuration Ubuntu 18.04 - Ensure broadcast ICMP requests are ignored
Ubuntu 18.04 - Network Configuration Ubuntu 18.04 - Ensure bogus ICMP responses are ignored
Ubuntu 18.04 - Network Configuration Ubuntu 18.04 - Ensure Reverse Path Filtering is enabled
Ubuntu 18.04 - Network Configuration Ubuntu 18.04 - Ensure TCP SYN Cookies is enabled
Ubuntu 18.04 - Network Configuration Ubuntu 18.04 - Ensure RDS is disabled
Ubuntu 18.04 - Network Configuration Ubuntu 18.04 - Ensure wireless interfaces are disabled
Ubuntu 18.04 - Logging and Auditing Ubuntu 18.04 - Ensure rsyslog Service is enabled
Ubuntu 18.04 - Logging and Auditing Ubuntu 18.04 - Ensure rsyslog default file permissions configured
Ubuntu 18.04 - Logging and Auditing Ubuntu 18.04 - Ensure remote rsyslog messages are only accepted on designated log hosts
Ubuntu 18.04 - Logging and Auditing Ubuntu 18.04 - Ensure rsyslog or syslog-ng is installed
Ubuntu 18.04 - Logging and Auditing Ubuntu 18.04 - Ensure logrotate is configured
Ubuntu 18.04 - Access, Authentication and Authorization Ubuntu 18.04 - Ensure cron daemon is enabled
Ubuntu 18.04 - Access, Authentication and Authorization Ubuntu 18.04 - Ensure SSH PermitUserEnvironment is disabled
Ubuntu 18.04 - Access, Authentication and Authorization Ubuntu 18.04 - Ensure SSH Protocol is set to 2
Ubuntu 18.04 - Access, Authentication and Authorization Ubuntu 18.04 - Ensure SSH IgnoreRhosts is enabled
Ubuntu 18.04 - Access, Authentication and Authorization Ubuntu 18.04 - Ensure SSH HostbasedAuthentication is disabled
Ubuntu 18.04 - Access, Authentication and Authorization Ubuntu 18.04 - Ensure SSH PermitEmptyPasswords is disabled
Ubuntu 18.04 - System Maintenance Ubuntu 18.04 - Ensure permissions on /etc/passwd are configured
Ubuntu 18.04 - System Maintenance Ubuntu 18.04 - Ensure permissions on /etc/group are configured
Ubuntu 18.04 - System Maintenance Ubuntu 18.04 - Ensure root is the only UID 0 account

CentOS

Category Policy Title
CentOS 7 - Network Configuration CentOS 7 - Ensure wireless interfaces are disabled
CentOS 7 - Network Configuration CentOS 7 - Ensure IP forwarding is disabled
CentOS 7 - Network Configuration CentOS 7 - Ensure source routed packets are not accepted
CentOS 7 - Network Configuration CentOS 7 - Ensure broadcast ICMP requests are ignored
CentOS 7 - Network Configuration CentOS 7 - Ensure bogus ICMP responses are ignored
CentOS 7 - Network Configuration CentOS 7 - Ensure Reverse Path Filtering is enabled
CentOS 7 - Network Configuration CentOS 7 - Ensure TCP SYN Cookies is enabled
CentOS 7 - Network Configuration CentOS 7 - Ensure RDS is disabled
CentOS 7 - Logging and Auditing CentOS 7 - Ensure logrotate is configured
CentOS 7 - Logging and Auditing CentOS 7 - Ensure rsyslog Service is enabled
CentOS 7 - Logging and Auditing CentOS 7 - Ensure rsyslog default file permissions configured
CentOS 7 - Logging and Auditing CentOS 7 - Ensure remote rsyslog messages are only accepted on designated log hosts.
CentOS 7 - Logging and Auditing CentOS 7 - Ensure rsyslog or syslog-ng is installed
CentOS 7 - Initial Setup CentOS 7 - Ensure nodev option set on removable media partitions
CentOS 7 - Initial Setup CentOS 7 - Ensure nosuid option set on removable media partitions
CentOS 7 - Initial Setup CentOS 7 - Ensure noexec option set on removable media partitions
CentOS 7 - Initial Setup CentOS 7 - Ensure XD/NX support is enabled
CentOS 7 - Initial Setup CentOS 7 - Ensure address space layout randomization (ASLR) is enabled
CentOS 7 - Services CentOS 7 - Ensure rsh server is not enabled
CentOS 7 - Services CentOS 7 - Ensure telnet server is not enabled
CentOS 7 - Services CentOS 7 - Ensure Avahi Server is not enabled
CentOS 7 - Services CentOS 7 - Ensure CUPS is not enabled
CentOS 7 - Services CentOS 7 - Ensure DHCP Server is not enabled
CentOS 7 - Services CentOS 7 - Ensure rsh client is not installed
CentOS 7 - Services CentOS 7 - Ensure telnet client is not installed
CentOS 7 - Access, Authentication and Authorization CentOS 7 - Ensure cron daemon is enabled
CentOS 7 - Access, Authentication and Authorization CentOS 7 - Ensure SSH PermitUserEnvironment is disabled
CentOS 7 - Access, Authentication and Authorization CentOS 7 - Ensure SSH Protocol is set to 2
CentOS 7 - Access, Authentication and Authorization CentOS 7 - Ensure SSH IgnoreRhosts is enabled
CentOS 7 - Access, Authentication and Authorization CentOS 7 - Ensure SSH HostbasedAuthentication is disabled
CentOS 7 - Access, Authentication and Authorization CentOS 7 - Ensure SSH PermitEmptyPasswords is disabled
CentOS 7 - System Maintenance CentOS 7 - Ensure permissions on /etc/passwd are configured
CentOS 7 - System Maintenance CentOS 7 - Ensure permissions on /etc/group are configured
CentOS 7 - System Maintenance CentOS 7 - Ensure root is the only UID 0 account