Windows XP security checklist: rationale and cross-references for each check. Each entry gives the check's rationale, prefixed with its CCE identifier where the source assigns one, followed in brackets by the references the source lists for it: NIST SP 800-68 section and appendix table row, DISA STIG section, DISA Gold Disk ID, NSA guide chapter and table row, the NIST SP 800-53 control (CM-6 throughout), and the OVAL definition ID where one exists. "na" means the source lists no reference in that column.

The POSIX subsystem file components should not be present.
[800-68 na; DISA STIG Section 5.2.2; DISA Gold Disk ID 1079; NSA na; CM-6; oval:gov.nist.1:def:229]

This check verifies that the registry keys associated with the POSIX subsystem have been deleted.
[800-68 na; DISA STIG na; DISA Gold Disk na; NSA Chapter 15; CM-6]

Keep systems up to current patch levels to eliminate known vulnerabilities and weaknesses.
[800-68 Section 4.3; DISA STIG Section 5.2.1; DISA Gold Disk ID 1073; NSA Chapter 1; CM-6]

Inadequate physical protection can undermine all other security precautions utilized to protect the system. This can jeopardize the confidentiality, availability, and integrity of the system. Physical security of the AIS is the first line of protection of any system.
[800-68 na; DISA STIG Section 3.1; DISA Gold Disk ID 1070; NSA na; CM-6]

Using a privileged account to perform routine functions makes the computer vulnerable to attack by any virus or Trojan horse inadvertently introduced during a session that has been granted full privileges. The rule of least privilege should always be enforced.
[800-68 na; DISA STIG Section 3.2; DISA Gold Disk ID 1140; NSA na; CM-6]

Backup Operators are able to read and write to any file in the system, regardless of the rights assigned to it. Backup and restore rights permit users to circumvent the file access restrictions present on NTFS disk drives for the purpose of backup and restore. Members of the Backup Operators group should have special logon accounts for performing their backup duties.
[800-68 na; DISA STIG Section 3.3; DISA Gold Disk ID 1168; NSA na; CM-6]

This check verifies that all shared accounts on the system are documented and justified. Any shared account must be documented with the IAO, as shared accounts do not provide individual accountability for system access and resource usage. Documentation should include the reason for the account, who has access to this account, and how the risk of using a shared account, which provides no individual identification and accountability, is mitigated.
[800-68 na; DISA STIG Section 3.4; DISA Gold Disk ID 1072; NSA na; CM-6]

The Security Event Log contains information on security exceptions that occur on the system. This data is critical for identifying security vulnerabilities and intrusions. The Application and System logs can also contain information that is critical in assessing security events. Therefore, these logs must be protected from unauthorized access and modification. Only individuals who have auditing responsibilities (IAO, IAM, auditors, etc.) should be members of this group. The individual System Administrators responsible for maintaining this system can also be members of this group.
[800-68 na; DISA STIG Section 3.5; DISA Gold Disk ID 1137; NSA na; CM-6]

To be of value, audit logs will be reviewed on a regular basis to identify security breaches and potential weaknesses in the security structure.
[800-68 na; DISA STIG Section 3.6; DISA Gold Disk ID 3491; NSA na; CM-6]

Recovery of a damaged or compromised system will be difficult without an up-to-date Emergency Repair Disk (ERD). An ERD also allows recovery of a damaged or corrupted system that cannot be rebooted. The ERD, when used in the recovery process, can restore the local system's user database to the version that existed when the ERD was previously made. In particular, if the ERD contained an administrator account without a password, then that exposed account may be attacked. As a valuable system resource, the ERD should be protected and stored in a physically secure location.
[800-68 na; DISA STIG Section 3.7; DISA Gold Disk ID 1076; NSA na; CM-6]

Mobile USB disk devices are designed to plug into the USB port on a Windows 2000/2003/XP machine. If the Plug and Play service is running, and the USB ports are not disabled, then the device is recognized and installed without intervention, and will appear as another removable drive in Windows Explorer. These devices are small and portable, and can be easily stolen. Physical protection of the device is essential. These devices are also easily concealable. Generally, Windows will immediately recognize that the USB device has been connected, and will activate it. An unauthorized individual could quickly attach the device, copy sensitive files, and disconnect it in a short period of time.
[800-68 na; DISA STIG Section 3.8; DISA Gold Disk ID 3693; NSA na; CM-6]

The Microsoft Security Configuration Toolset that is integrated in Windows XP should be used to configure platforms for security compliance. The SCM allows system administrators to consolidate all security-related system settings into a single configuration file. These settings can then be applied consistently to any number of Windows machines. The SCM can use the same configuration file to check platforms for compliance with security policy. If an alternate method is used to configure a system (e.g., manually) that achieves the same configured result, then this is acceptable.
[800-68 na; DISA STIG Section 3.9; DISA Gold Disk ID 1128; NSA na; CM-6]

This check applies to machines whose services are accessed remotely (e.g., FTP, Telnet). When unencrypted access to system services is permitted, an intruder can intercept user identification and passwords that are being transmitted in clear text. This could give an intruder unlimited access to the network.
[800-68 na; DISA STIG Section 3.10; DISA Gold Disk ID 2908; NSA na; CM-6]

CCE-871: This forces users to change their passwords regularly. The lower this value is set, the more likely users will be to choose poor passwords that are easier for them to remember (e.g., Mypasswd1, Mypasswd2, Mypasswd3). The higher this value is set, the more likely the password will be compromised and used by unauthorized parties.
[800-68 Section 6.1, Table A-1.2; DISA STIG Section 5.4.1.1; DISA Gold Disk ID 1104; NSA Chapter 4, Table 1 Row 2; CM-6; oval:gov.nist.1:def:17]

CCE-324: This setting requires users to wait for a certain number of days before changing their password again. The setting prevents a user from changing a password when it reaches the maximum age and then immediately changing it back to the previous password. Unfortunately, this setting also prevents users who inadvertently reveal a new password to others from changing it immediately without administrator intervention.
[800-68 Section 6.1, Table A-1.3; DISA STIG Section 5.4.1.2; DISA Gold Disk ID 1105; NSA Chapter 4, Table 1 Row 3; CM-6; oval:gov.nist.1:def:18]

CCE-100: This setting specifies the minimum length of a password in characters. The rationale behind this setting is that longer passwords are more difficult to guess and crack than shorter passwords. The downside is that longer passwords are often more difficult for users to remember. Organizations that want to set a relatively large minimum password length should encourage their users to use passphrases, which may be easier to remember than conventional passwords.
[800-68 Section 6.1, Table A-1.4; DISA STIG Section 5.4.1.3; DISA Gold Disk ID 7082; NSA Chapter 4, Table 1 Row 4; CM-6; oval:gov.nist.1:def:19]

CCE-633: Like the Minimum Password Length setting, this setting makes it more difficult to guess or crack passwords. Enabling this setting implements complexity requirements, including not having the user account name in the password and using a mixture of character types: upper case and lower case letters, digits, and special characters such as punctuation marks.
[800-68 Section 6.1, Table A-1.5; DISA STIG Section 5.4.1.5; DISA Gold Disk ID 1150; NSA Chapter 4, Table 1 Row 5; CM-6; oval:gov.nist.1:def:21]

CCE-60: This setting determines how many old passwords the system will remember for each account. Users will be prevented from reusing any of the old passwords. For example, if this is set to 24, then the system will not allow users to reuse any of their last 24 passwords. Old passwords may have been compromised, or an attacker may have taken a long time to crack encrypted passwords. Reusing an old password could inadvertently give attackers access to the system.
[800-68 Section 6.1, Table A-1.1; DISA STIG Section 5.4.1.4; DISA Gold Disk ID 1107; NSA Chapter 4, Table 1 Row 1; CM-6; oval:gov.nist.1:def:16]

CCE-479: If this setting is enabled, passwords will be stored in a decryptable format, putting them at higher risk of compromise. This setting should be disabled unless it is needed to support a legacy authentication protocol, such as Challenge Handshake Authentication Protocol (CHAP).
[800-68 Section 6.1, Table A-1.6; DISA STIG Section 5.4.1.6; DISA Gold Disk ID 2372; NSA Chapter 4, Table 1 Row 6; CM-6; oval:gov.nist.1:def:22]

This check determines whether the site has implemented a password filter that enforces the DOD requirements.
[800-68 na; DISA STIG Section 5.2.3; DISA Gold Disk ID 1131; NSA na; CM-6; oval:gov.nist.1:def:230]

CCE-658: The threshold value specifies the maximum number of failed attempts that can occur before the account is locked out.
[800-68 Section 6.1, Table A-2.2; DISA STIG Section 5.4.2.1; DISA Gold Disk ID 1097; NSA Chapter 4, Table 2 Row 2; CM-6; oval:gov.nist.1:def:24]

CCE-980: This value specifies how long the user account should be locked out. This is often set to a low but substantial value (e.g., 15 minutes), for two reasons. First, a legitimate user that is accidentally locked out only has to wait 15 minutes to regain access, instead of asking an administrator to unlock the account. Second, an attacker who is guessing passwords using brute force methods will only be able to try a small number of passwords at a time, then wait 15 minutes before trying any more. This greatly reduces the chances that the brute force attack will be successful.
[800-68 Section 6.1, Table A-2.1; DISA STIG Section 5.4.2.3; DISA Gold Disk ID 1099; NSA Chapter 4, Table 2 Row 1; CM-6; oval:gov.nist.1:def:23]

CCE-733: This specifies the time period to be used with the lockout threshold value. For example, if the threshold is set to 10 attempts and the duration is set to 15 minutes, then if more than 10 failed login attempts occur with a single user account within a 15-minute period, the account will be disabled.
[800-68 Section 6.1, Table A-2.3; DISA STIG Section 5.4.2.2; DISA Gold Disk ID 1098; NSA Chapter 4, Table 2 Row 3; CM-6; oval:gov.nist.1:def:26]

CCE-315: Audits when a user logs on or off a remote computer from this workstation.
[800-68 Section 6.2.1, Table A-3.1; DISA STIG Section 5.4.3.1; DISA Gold Disk ID 7100; NSA Chapter 5, Table 4 Row 1; CM-6; oval:gov.nist.1:def:27]

CCE-596: Audits when a user account or group is created, changed, or deleted; a user account is renamed, disabled, or enabled; or a password is set or changed.
[800-68 Section 6.2.1, Table A-3.2; DISA STIG Section 5.4.3.1; DISA Gold Disk ID 7100; NSA Chapter 5, Table 4 Row 2; CM-6; oval:gov.nist.1:def:29]

CCE-10: Audits the event of a user accessing an Active Directory object that has its own System Access Control List (SACL) specified. This setting is not applicable to Windows XP systems.
[800-68 Section 6.2.1, Table A-3.3; DISA STIG Section 5.4.3.1; DISA Gold Disk ID 7100; NSA Chapter 5, Table 4 Row 3; CM-6; oval:gov.nist.1:def:30]

CCE-429: Audits users logging on, logging off, or making a network connection to the local computer.
[800-68 Section 6.2.1, Table A-3.3; DISA STIG Section 5.4.3.1; DISA Gold Disk ID 7100; NSA Chapter 5, Table 4 Row 4; CM-6; oval:gov.nist.1:def:32]

CCE-812: Audits a user accessing an object (for example, a file, folder, registry key, or printer) that has its own SACL specified. Auditing of success or failure of system-wide object access will create numerous log entries. Certain object access failures may be normal as a result of applications requesting all access types to objects, even though the application does not require all access types to function properly. Use object access auditing with caution.
[800-68 Section 6.2.1, Table A-3.4; DISA STIG Section 5.4.3.1; DISA Gold Disk ID 7100; NSA Chapter 5, Table 4 Row 5; CM-6; oval:gov.nist.1:def:34]

CCE-966: Audits every change to user rights assignment policies, audit policies, and trust policies.
[800-68 Section 6.2.1, Table A-3.6; DISA STIG Section 5.4.3.1; DISA Gold Disk ID 7100; NSA Chapter 5, Table 4 Row 6; CM-6; oval:gov.nist.1:def:35]

CCE-874: Audits each instance of a user exercising a user right. This is likely to generate a very large number of events.
[800-68 Section 6.2.1, Table A-3.7; DISA STIG Section 5.4.3.1; DISA Gold Disk ID 7100; NSA Chapter 5, Table 4 Row 7; CM-6; oval:gov.nist.1:def:36]

CCE-8: Audits detailed tracking information for events such as program activation, process exit, handle duplication, and indirect object access. Enabling this setting will generate many events, so it should only be used when absolutely necessary.
[800-68 Section 6.2.1, Table A-3.8; DISA STIG Section 5.4.3.1; DISA Gold Disk ID 7100; NSA Chapter 5, Table 4 Row 8; CM-6; oval:gov.nist.1:def:40]

CCE-149: Audits when a user restarts or shuts down the computer, or when an event occurs that affects either the system security or the security log.
[800-68 Section 6.2.1, Table A-3.9; DISA STIG Section 5.4.3.1; DISA Gold Disk ID 7100; NSA Chapter 5, Table 4 Row 9; CM-6; oval:gov.nist.1:def:37]

CCE-532: Verify that the user right 'Access This Computer From The Network' has been granted appropriately.
[800-68 Section 6.2.2, Table A-4.1; DISA STIG Section 5.4.4.1; DISA Gold Disk ID 1103; NSA Chapter 5, Table 5 Row 1; CM-6; oval:gov.nist.1:def:161]

CCE-162: Verify that the user right 'Act As Part Of The Operating System' has been granted appropriately.
[800-68 Section 6.2.2, Table A-4.2; DISA STIG Section 5.4.4.1; DISA Gold Disk ID 1103; NSA Chapter 5, Table 5 Row 2; CM-6; oval:gov.nist.1:def:162]

CCE-183: Verify that the user right 'Add Workstations To Domain' has been granted appropriately.
[800-68 Section 6.2.2, Table A-4.3; DISA STIG Section 5.4.4.1; DISA Gold Disk ID 1103; NSA Chapter 5, Table 5 Row 3; CM-6; oval:gov.nist.1:def:163]

CCE-807: Verify that the user right 'Adjust Memory Quotas For A Process' has been granted appropriately.
[800-68 Section 6.2.2, Table A-4.4; DISA STIG Section 5.4.4.1; DISA Gold Disk ID 1103; NSA Chapter 5, Table 5 Row 4; CM-6; oval:gov.nist.1:def:164]

CCE-965: Verify that the user right 'Allow Log On Locally' has been granted appropriately.
[800-68 Section 6.2.2, Table A-4.5; DISA STIG Section 5.4.4.1; DISA Gold Disk ID 1103; NSA Chapter 5, Table 5 Row 26; CM-6; oval:gov.nist.1:def:165]

CCE-883: Verify that the user right 'Allow Log On Through Terminal Services' has been granted appropriately.
[800-68 Section 6.2.2, Table A-4.6; DISA STIG Section 5.4.4.1; DISA Gold Disk ID 1103; NSA Chapter 5, Table 5 Row 5; CM-6; oval:gov.nist.1:def:166]

CCE-931: Verify that the user right 'Back Up Files and Directories' has been granted appropriately.
[800-68 Section 6.2.2, Table A-4.7; DISA STIG Section 5.4.4.1; DISA Gold Disk ID 1103; NSA Chapter 5, Table 5 Row 6; CM-6; oval:gov.nist.1:def:167]

CCE-376: Verify that the user right 'Bypass Traverse Checking' has been granted appropriately.
[800-68 Section 6.2.2, Table A-4.8; DISA STIG Section 5.4.4.1; DISA Gold Disk ID 1103; NSA Chapter 5, Table 5 Row 7; CM-6; oval:gov.nist.1:def:168]

CCE-799: Verify that the user right 'Change the System Time' has been granted appropriately.
[800-68 Section 6.2.2, Table A-4.9; DISA STIG Section 5.4.4.1; DISA Gold Disk ID 1103; NSA Chapter 5, Table 5 Row 8; CM-6; oval:gov.nist.1:def:169]

CCE-895: Verify that the user right 'Create A Pagefile' has been granted appropriately.
[800-68 Section 6.2.2, Table A-4.10; DISA STIG Section 5.4.4.1; DISA Gold Disk ID 1103; NSA Chapter 5, Table 5 Row 9; CM-6; oval:gov.nist.1:def:170]

CCE-926: Verify that the user right 'Create A Token Object' has been granted appropriately.
[800-68 Section 6.2.2, Table A-4.11; DISA STIG Section 5.4.4.1; DISA Gold Disk ID 1103; NSA Chapter 5, Table 5 Row 10; CM-6; oval:gov.nist.1:def:171]

CCE-383: Verify that the user right 'Create Global Objects' has been granted appropriately.
[800-68 Section 6.2.2, Table A-4.12; DISA STIG na; DISA Gold Disk na; NSA na; CM-6]

CCE-335: Verify that the user right 'Create Permanent Shared Objects' has been granted appropriately.
[800-68 Section 6.2.2, Table A-4.13; DISA STIG Section 5.4.4.1; DISA Gold Disk ID 1103; NSA Chapter 5, Table 5 Row 11; CM-6; oval:gov.nist.1:def:172]

CCE-842: Verify that the user right 'Debug Programs' has been granted appropriately.
[800-68 Section 6.2.2, Table A-4.14; DISA STIG Section 5.4.4.1; DISA Gold Disk ID 1103; NSA Chapter 5, Table 5 Row 12; CM-6; oval:gov.nist.1:def:173]

CCE-898: Verify that the user right 'Deny Access To This Computer From The Network' has been granted appropriately.
[800-68 Section 6.2.2, Table A-4.15; DISA STIG Section 5.4.4.1; DISA Gold Disk ID 1103; NSA Chapter 5, Table 5 Row 13; CM-6; oval:gov.nist.1:def:175]

CCE-165: Verify that the user right 'Deny Logon As A Batch Job' has been granted appropriately.
[800-68 Section 6.2.2, Table A-4.16; DISA STIG Section 5.4.4.1; DISA Gold Disk ID 1103; NSA Chapter 5, Table 5 Row 14; CM-6; oval:gov.nist.1:def:176]

CCE-597: Verify that the user right 'Deny Logon As A Service' has been granted appropriately.
[800-68 Section 6.2.2, Table A-4.17; DISA STIG Section 5.4.4.1; DISA Gold Disk ID 1103; NSA Chapter 5, Table 5 Row 15; CM-6; oval:gov.nist.1:def:677]

CCE-64: Verify that the user right 'Deny Logon Locally' has been granted appropriately.
[800-68 Section 6.2.2, Table A-4.18; DISA STIG Section 5.4.4.1; DISA Gold Disk ID 1103; NSA Chapter 5, Table 5 Row 16; CM-6; oval:gov.nist.1:def:177]

CCE-108: Verify that the user right 'Deny Logon Through Terminal Services' has been granted appropriately.
[800-68 Section 6.2.2, Table A-4.19; DISA STIG Section 5.4.4.1; DISA Gold Disk ID 1103; NSA Chapter 5, Table 5 Row 17; CM-6; oval:gov.nist.1:def:178]

CCE-15: Verify that the user right 'Enable Computer and User Accounts To Be Trusted For Delegation' has been granted appropriately.
[800-68 Section 6.2.2, Table A-4.20; DISA STIG Section 5.4.4.1; DISA Gold Disk ID 1103; NSA Chapter 5, Table 5 Row 18; CM-6; oval:gov.nist.1:def:179]

CCE-754: Verify that the user right 'Force Shutdown From A Remote System' has been granted appropriately.
[800-68 Section 6.2.2, Table A-4.21; DISA STIG Section 5.4.4.1; DISA Gold Disk ID 1103; NSA Chapter 5, Table 5 Row 19; CM-6; oval:gov.nist.1:def:180]

CCE-939: Verify that the user right 'Generate Security Audits' has been granted appropriately.
[800-68 Section 6.2.2, Table A-4.22; DISA STIG Section 5.4.4.1; DISA Gold Disk ID 1103; NSA Chapter 5, Table 5 Row 20; CM-6; oval:gov.nist.1:def:181]

CCE-304: Verify that the user right 'Impersonate a Client After Authentication' has been granted appropriately.
[800-68 Section 6.2.2, Table A-4.17; DISA STIG Section 5.4.4.1; DISA Gold Disk ID 1103; NSA na; CM-6]

CCE-349: Verify that the user right 'Increase Scheduling Priority' has been granted appropriately.
[800-68 Section 6.2.2, Table A-4.24; DISA STIG Section 5.4.4.1; DISA Gold Disk ID 1103; NSA Chapter 5, Table 5 Row 21; CM-6; oval:gov.nist.1:def:182]

CCE-860: Verify that the user right 'Load And Unload Device Drivers' has been granted appropriately.
[800-68 Section 6.2.2, Table A-4.25; DISA STIG Section 5.4.4.1; DISA Gold Disk ID 1103; NSA Chapter 5, Table 5 Row 22; CM-6; oval:gov.nist.1:def:183]

CCE-749: Verify that the user right 'Lock Pages In Memory' has been granted appropriately.
[800-68 Section 6.2.2, Table A-4.26; DISA STIG Section 5.4.4.1; DISA Gold Disk ID 1103; NSA Chapter 5, Table 5 Row 23; CM-6; oval:gov.nist.1:def:184]

CCE-177: Verify that the user right 'Log On As A Batch Job' has been granted appropriately.
[800-68 Section 6.2.2, Table A-4.27; DISA STIG Section 5.4.4.1; DISA Gold Disk ID 1103; NSA Chapter 5, Table 5 Row 24; CM-6; oval:gov.nist.1:def:185]

CCE-216: Verify that the user right 'Log On As A Service' has been granted appropriately.
[800-68 Section 6.2.2, Table A-4.28; DISA STIG Section 5.4.4.1; DISA Gold Disk ID 1103; NSA Chapter 5, Table 5 Row 25; CM-6; oval:gov.nist.1:def:186]

CCE-850: Verify that the user right 'Manage Auditing And Security Log' has been granted appropriately.
[800-68 Section 6.2.2, Table A-4.29; DISA STIG Section 5.4.4.1; DISA Gold Disk ID 1103; NSA Chapter 5, Table 5 Row 27; CM-6; oval:gov.nist.1:def:187]

CCE-17: Verify that the user right 'Modify Firmware Environment Values' has been granted appropriately.
[800-68 Section 6.2.2, Table A-4.30; DISA STIG Section 5.4.4.1; DISA Gold Disk ID 1103; NSA Chapter 5, Table 5 Row 28; CM-6; oval:gov.nist.1:def:188]

CCE-314: Verify that the user right 'Perform Volume Maintenance Tasks' has been granted appropriately.
[800-68 Section 6.2.2, Table A-4.31; DISA STIG Section 5.4.4.1; DISA Gold Disk ID 1103; NSA Chapter 5, Table 5 Row 29; CM-6; oval:gov.nist.1:def:189]

CCE-260: Verify that the user right 'Profile Single Process' has been granted appropriately.
[800-68 Section 6.2.2, Table A-4.32; DISA STIG Section 5.4.4.1; DISA Gold Disk ID 1103; NSA Chapter 5, Table 5 Row 30; CM-6; oval:gov.nist.1:def:190]

CCE-599: Verify that the user right 'Profile System Performance' has been granted appropriately.
[800-68 Section 6.2.2, Table A-4.33; DISA STIG Section 5.4.4.1; DISA Gold Disk ID 1103; NSA Chapter 5, Table 5 Row 31; CM-6; oval:gov.nist.1:def:191]

CCE-656: Verify that the user right 'Remove Computer From Docking Station' has been granted appropriately.
[800-68 Section 6.2.2, Table A-4.34; DISA STIG Section 5.4.4.1; DISA Gold Disk ID 1103; NSA Chapter 5, Table 5 Row 32; CM-6; oval:gov.nist.1:def:192]

CCE-667: Verify that the user right 'Replace A Process Level Token' has been granted appropriately.
[800-68 Section 6.2.2, Table A-4.35; DISA STIG Section 5.4.4.1; DISA Gold Disk ID 1103; NSA Chapter 5, Table 5 Row 33; CM-6; oval:gov.nist.1:def:193]

CCE-553: Verify that the user right 'Restore Files And Directories' has been granted appropriately.
[800-68 Section 6.2.2, Table A-4.36; DISA STIG Section 5.4.4.1; DISA Gold Disk ID 1103; NSA Chapter 5, Table 5 Row 34; CM-6; oval:gov.nist.1:def:194]

CCE-839: Verify that the user right 'Shut Down The System' has been granted appropriately.
[800-68 Section 6.2.2, Table A-4.37; DISA STIG Section 5.4.4.1; DISA Gold Disk ID 1103; NSA Chapter 5, Table 5 Row 35; CM-6; oval:gov.nist.1:def:195]

CCE-381: Verify that the user right 'Synchronize Directory Service Data' has been granted appropriately.
[800-68 Section 6.2.2, Table A-4.38; DISA STIG Section 5.4.4.1; DISA Gold Disk ID 1103; NSA Chapter 5, Table 5 Row 36; CM-6; oval:gov.nist.1:def:238]

CCE-492: Verify that the user right 'Take Ownership Of Files Or Other Objects' has been granted appropriately.
[800-68 Section 6.2.2, Table A-4.39; DISA STIG Section 5.4.4.1; DISA Gold Disk ID 1103; NSA Chapter 5, Table 5 Row 37; CM-6; oval:gov.nist.1:def:196]

CCE-499: The Administrator account status is enabled to allow the administrator to perform configuration control of the system.
[800-68 Section 6.2.3, Table A-5.1; DISA STIG na; DISA Gold Disk na; NSA Chapter 5, Table 6 Row 1; CM-6; oval:gov.nist.1:def:242]

CCE-332: A system faces an increased vulnerability threat if the built-in Guest account is not disabled. This account is a known account that exists on all Windows systems and cannot be deleted. This account is initialized during the installation of the operating system with no password assigned. This account is a member of the Everyone user group and has all the rights and permissions associated with that group, which could subsequently provide access to system resources to anonymous users. Ensure the built-in Guest account is disabled.
[800-68 Section 6.2.3, Table A-5.2; DISA STIG Section 5.4.5.1; DISA Gold Disk ID 1113; NSA Chapter 5, Table 6 Row 2; CM-6; oval:gov.nist.1:def:243]

CCE-533: In Windows XP Professional, accounts with null or blank passwords can only be used to log on at the physical system's logon screen. This means that accounts with blank or null passwords cannot be used over networks or with the secondary logon service (RunAs). This feature prevents attackers and malware from gaining remote access through blank passwords. Section 6 contains information on other recommended password settings.
[800-68 Section 6.2.3, Table A-5.3; DISA STIG Section 5.4.5.2; DISA Gold Disk ID 3344; NSA Chapter 5, Table 6 Row 3; CM-6; oval:gov.nist.1:def:42]

CCE-438: The Administrator account is created by default when installing Windows XP. Associating the Administrator SID with a different name may thwart a potential hacker who is targeting the built-in Administrator account.
[800-68 Section 6.2.3, Table A-5.4; DISA STIG Section 5.4.5.3; DISA Gold Disk ID 1115; NSA Chapter 5, Table 6 Row 4; CM-6]

CCE-834: The Guest account is created by default when installing Windows XP, but is disabled. Associating the Guest SID with a different name may thwart a potential hacker who is targeting the built-in Guest account.
[800-68 Section 6.2.3, Table A-5.5; DISA STIG Section 5.4.5.4; DISA Gold Disk ID 1114; NSA Chapter 5, Table 6 Row 5; CM-6]

CCE-2: Controls the ability to audit access of global system objects. When this setting is enabled, system objects such as mutexes, events, semaphores, and DOS devices are created with a default system access control list (SACL).
[800-68 Section 6.2.3, Table A-5.6; DISA STIG na; DISA Gold Disk na; NSA Chapter 5, Table 6 Row 6; CM-6; oval:gov.nist.1:def:45]

CCE-905: Controls the ability to audit the use of all user privileges, including Backup and Restore. If this policy is disabled, certain user rights will not be audited even if the "Audit privilege use" audit policy is enabled.
[800-68 Section 6.2.3, Table A-5.7; DISA STIG na; DISA Gold Disk na; NSA Chapter 5, Table 6 Row 7; CM-6; oval:gov.nist.1:def:52]

CCE-92: If events cannot be written to the security log, the system is halted immediately. If the system halts as a result of a full log, an administrator must log on to the system and clear the log.
[800-68 Section 6.2.3, Table A-5.8; DISA STIG Section 5.4.5.5; DISA Gold Disk ID 1091; NSA Chapter 5, Table 6 Row 8; CM-6]

CCE-458: This check verifies that Windows Server 2003/XP is configured to restrict DCOM access permissions.
[800-68 Section 6.2.3, Table A-5.9; DISA STIG Section 5.4.5.67; DISA Gold Disk ID 8336; NSA na; CM-6]

CCE-740: This check verifies that Windows Server 2003/XP is configured to restrict DCOM launch permissions.
[800-68 Section 6.2.3, Table A-5.10; DISA STIG Section 5.4.5.68; DISA Gold Disk ID 8337; NSA na; CM-6]

CCE-186: Since the removal of a computer should be controlled, users should have to log on before undocking the computer to ensure that they have the appropriate rights to undock the system.
[800-68 Section 6.2.3, Table A-5.11; DISA STIG Section 5.4.5.7; DISA Gold Disk ID 3372; NSA Chapter 5, Table 6 Row 9; CM-6; oval:gov.nist.1:def:53]

CCE-919: Verifies that only the correct users are allowed to format and eject removable media.
[800-68 Section 6.2.3, Table A-5.12; DISA STIG Section 5.4.5.8; DISA Gold Disk ID 1117; NSA Chapter 5, Table 6 Row 10; CM-6; oval:gov.nist.1:def:43]

CCE-402: This setting determines who is allowed to install a printer driver as part of adding a network printer.
[800-68 Section 6.2.3, Table A-5.13; DISA STIG Section 5.4.5.9; DISA Gold Disk ID 1151; NSA Chapter 5, Table 6 Row 11; CM-6; oval:gov.nist.1:def:56]

CCE-565: Removable media devices (CD-ROM) are readable by others on the network if they are not properly configured. A process can remain running in the background after a user logs off, thereby permitting access to the media while another user is logged on to the system.
[800-68 Section 6.2.3, Table A-5.14; DISA STIG na; DISA Gold Disk na; NSA Chapter 5, Table 6 Row 12; CM-6; oval:gov.nist.1:def:58]

CCE-463: Removable media devices (floppy disks) are readable by others on the network if they are not properly configured. A process can remain running in the background after a user logs off, thereby permitting access to the media while another user is logged on to the system.
[800-68 Section 6.2.3, Table A-5.15; DISA STIG Section 5.4.5.10; DISA Gold Disk ID 1085; NSA Chapter 5, Table 6 Row 13; CM-6; oval:gov.nist.1:def:59]

CCE-413: When an attempt is made to install a device driver (by means of the Windows XP device installer) that has not been certified by the Windows Hardware Quality Lab (WHQL), a warning should be issued, but the installation allowed to continue.
[800-68 Section 6.2.3, Table A-5.16; DISA STIG Section 5.4.5.11; DISA Gold Disk ID 1160; NSA Chapter 5, Table 6 Row 14; CM-6; oval:gov.nist.1:def:60]

CCE-257: This setting determines if Server Operators are allowed to submit jobs using the AT schedule utility.
[800-68 Section 6.2.3, Table A-5.17; DISA STIG na; DISA Gold Disk na; NSA Chapter 5, Table 6 Row 15; CM-6]

CCE-710: Requires signing to be negotiated before Lightweight Directory Access Protocol (LDAP) clients can bind with an Active Directory LDAP server.
[800-68 Section 6.2.3, Table A-5.18; DISA STIG na; DISA Gold Disk na; NSA Chapter 5, Table 6 Row 16; CM-6]

CCE-490: Determines whether a domain controller will accept password requests for computer accounts.
[800-68 Section 6.2.3, Table A-5.19; DISA STIG na; DISA Gold Disk na; NSA Chapter 5, Table 6 Row 17; CM-6]

CCE-549: Domain member: Digitally encrypt or sign secure channel data (always). Requests sent on the secure channel are authenticated, and sensitive information (such as passwords) is encrypted or signed. If this policy is enabled, outgoing secure channel traffic should be encrypted.
[800-68 Section 6.2.3, Table A-5.20; DISA STIG Section 5.4.5.12; DISA Gold Disk ID 1160; NSA Chapter 5, Table 6 Row 18; CM-6; oval:gov.nist.1:def:61]

CCE-161: Requests sent on the secure channel are authenticated, and sensitive information (such as passwords) is encrypted, but not all information is encrypted. If this policy is enabled, outgoing secure channel traffic should be encrypted.
[800-68 Section 6.2.3, Table A-5.21; DISA STIG Section 5.4.5.13; DISA Gold Disk ID 1163; NSA Chapter 5, Table 6 Row 19; CM-6; oval:gov.nist.1:def:62]

CCE-918: Requests sent on the secure channel are authenticated, and sensitive information (such as passwords) is encrypted, but the channel is not integrity checked. If this policy is enabled, all outgoing secure channel traffic should be signed.
[800-68 Section 6.2.3, Table A-5.22; DISA STIG Section 5.4.5.14; DISA Gold Disk ID 1164; NSA Chapter 5, Table 6 Row 20; CM-6; oval:gov.nist.1:def:63]

CCE-831: Computer account passwords are changed automatically every seven days. Enabling this policy to disable automatic password changes can make the system more vulnerable to malicious access. Frequent password changes can be a significant safeguard for your system. If this policy is disabled, a new password for the computer account will be generated every week.
[800-68 Section 6.2.3, Table A-5.23; DISA STIG Section 5.4.5.15; DISA Gold Disk ID 1165; NSA Chapter 5, Table 6 Row 21; CM-6; oval:gov.nist.1:def:64]

CCE-194: This setting controls the maximum password age that a machine account may have. This setting should be set to no more than 7 days, ensuring that the machine changes its password monthly.
[800-68 Section 6.2.3, Table A-5.24; DISA STIG Section 5.4.5.16; DISA Gold Disk ID 3373; NSA Chapter 5, Table 6 Row 22; CM-6; oval:gov.nist.1:def:65]

CCE-417: This setting controls the required strength of a session key. Session keys in Windows XP are stronger than those in NT and should be used whenever possible.
[800-68 Section 6.2.3, Table A-5.25; DISA STIG Section 5.4.5.17; DISA Gold Disk ID 3374; NSA Chapter 5, Table 6 Row 23; CM-6; oval:gov.nist.1:def:66]

CCE-22: This setting determines whether user information should be displayed when the session is locked.
[800-68 Section 6.2.3, Table A-5.26; DISA STIG na; DISA Gold Disk na; NSA na; CM-6]

CCE-65: This setting determines whether the name of the last user to log on to the computer will be displayed in the Windows logon dialog box.
[800-68 Section 6.2.3, Table A-5.27; DISA STIG na; DISA Gold Disk na; NSA Chapter 5, Table 6 Row 24; CM-6; oval:gov.nist.1:def:68]

CCE-133: Disabling the Ctrl+Alt+Del security attention sequence can compromise system security. Because only Windows responds to the Ctrl+Alt+Del security sequence, you can be assured that any passwords you enter following that sequence are sent only to Windows. If you eliminate the sequence requirement, malicious programs can request and receive your Windows password. Disabling this sequence also suppresses a custom logon banner.
[800-68 Section 6.2.3, Table A-5.28; DISA STIG Section 5.4.5.18; DISA Gold Disk ID 1154; NSA Chapter 5, Table 6 Row 26; CM-6; oval:gov.nist.1:def:69]

CCE-829: Failure to display the logon banner prior to a logon attempt will negate legal proceedings resulting from unauthorized access to system resources.
[800-68 Section 6.2.3, Table A-5.29; DISA STIG Section 5.4.5.19; DISA Gold Disk ID 1089; NSA Chapter 5, Table 6 Row 27; CM-6; oval:gov.nist.1:def:70]

CCE-23: The logon banner should be titled with a warning label containing the name of the owning organization.
[800-68 Section 6.2.3, Table A-5.30; DISA STIG Section 5.4.5.19; DISA Gold Disk ID 1089; NSA Chapter 5, Table 6 Row 28; CM-6; oval:gov.nist.1:def:71]

CCE-773: The default Windows XP configuration caches the last logon credentials for users who log on interactively to a system. This feature is provided for system availability reasons, such as when the user's machine is disconnected from the network or domain controllers are not available. Even though the credential cache is well protected, storing encrypted copies of users' passwords on workstations does not always have the same physical protection required for domain controllers. If a workstation is attacked, the unauthorized individual may isolate the password to a domain user account using a password-cracking program, and gain access to the domain.
[800-68 Section 6.2.3, Table A-5.31; DISA STIG Section 5.4.5.20; DISA Gold Disk ID 1090; NSA Chapter 5, Table 6 Row 29; CM-6; oval:gov.nist.1:def:72]

CCE-814: This setting configures the system to display a warning to users telling them how many days are left before their password expires. By giving the user advance warning, the user has time to construct a sufficiently strong password.
[800-68 Section 6.2.3, Table A-5.32; DISA STIG Section 5.4.5.21; DISA Gold Disk ID 1172; NSA Chapter 5, Table 6 Row 30; CM-6; oval:gov.nist.1:def:74]

CCE-374: This setting controls the behavior of the system when you attempt to unlock the workstation. If this setting is enabled, the system will pass the credentials to the domain controller (if in a domain) for authentication before allowing the system to be unlocked.
[800-68 Section 6.2.3, Table A-5.33; DISA STIG Section 5.4.5.22; DISA Gold Disk ID 3375; NSA Chapter 5, Table 6 Row 31; CM-6; oval:gov.nist.1:def:75]

CCE-828: This setting determines whether smart cards are required.
[800-68 Section 6.2.3, Table A-5.34; DISA STIG na; DISA Gold Disk na; NSA na; CM-6]

CCE-443: When the smart card for a logged-on user is removed from the smart card reader, the workstation should be locked.
[800-68 Section 6.2.3, Table A-5.35; DISA STIG Section 5.4.5.23; DISA Gold Disk ID 1157; NSA Chapter 5, Table 6 Row 32; CM-6; oval:gov.nist.1:def:78]

CCE-576: This check verifies that the client policy is set to always sign packets.
[800-68 Section 6.2.3, Table A-5.36; DISA STIG Section 5.4.5.24; DISA Gold Disk ID 6832; NSA Chapter 5, Table 6 Row 33; CM-6; oval:gov.nist.1:def:79]

CCE-519: This check verifies that the client policy is set to sign packets if the server agrees.
[800-68 Section 6.2.3, Table A-5.37; DISA STIG Section 5.4.5.25; DISA Gold Disk ID 1166; NSA Chapter 5, Table 6 Row 34; CM-6; oval:gov.nist.1:def:81]

CCE-228: Some non-Microsoft SMB servers only support unencrypted (plain text) password authentication. Sending plain text passwords across the network when authenticating to an SMB server reduces the overall security of the environment. Check with the vendor of the SMB server to see if there is a way to support encrypted password authentication.
[800-68 Section 6.2.3, Table A-5.38; DISA STIG Section 5.4.5.26; DISA Gold Disk ID 1141; NSA Chapter 5, Table 6 Row 35; CM-6; oval:gov.nist.1:def:82]

CCE-222: Administrators should use this setting to control when a computer disconnects an inactive SMB session. If client activity resumes, the session is automatically reestablished.
800-68 Section 6.2.3 - Table A-5.39 DISA STIG Section 5.4.5.27 DISA Gold Disk ID 1174 NSA Chapter 5 - Table 6 Row 36 CM-6 oval:gov.nist.1:def:83 CCE-171 This check verifies that the server policy is set to always sign packets. 800-68 Section 6.2.3 - Table A-5.40 DISA STIG Section 5.4.5.28 DISA Gold Disk ID 6833 NSA Chapter 5 - Table 6 Row 37 CM-6 oval:gov.nist.1:def:84 CCE-104 Microsoft network server: Digitally sign communications (if client agrees). This check verifies that the server policy is set to sign packets if the client agrees. 800-68 Section 6.2.3 - Table A-5.41 DISA STIG Section 5.4.5.29 DISA Gold Disk ID 1162 NSA Chapter 5 - Table 6 Row 38 CM-6 oval:gov.nist.1:def:85 CCE-278 Users should not be permitted to remain logged on to the network after they have exceeded their permitted logon hours. In many cases, this indicates that a user forgot to log off before leaving for the day. However, it may also indicate that a user is attempting unauthorized access at a time when the system may be less closely monitored. 800-68 Section 6.2.3 - Table A-5.42 DISA STIG Section 5.4.5.30 DISA Gold Disk ID 1136 NSA Chapter 539 CM-6 oval:gov.nist.1:def:86 CCE-953 Determines if an anonymous user can request security identifier (SID) attributes for another user or use a SID to get the corresponding username. 800-68 Section 6.2.3 - Table A-5.43 DISA STIG Section 5.4.5.45 DISA Gold Disk ID 3337 NSA Chapter 5 - Table 6 Row 40 CM-6 oval:gov.nist.1:def:77 CCE-318 If this setting is disabled, it allows anonymous logon users (null session connections) to list all account names, thus providing a map of potential points to attack the system. 
800-68 Section 6.2.3 - Table A-5.44 DISA STIG Section 5.4.5.46 DISA Gold Disk ID 1093 NSA Chapter 5 - Table 6 Row 41 CM-6 oval:gov.nist.1:def:87 CCE-195 If this setting is disabled, it allows anonymous logon users (null session connections) to list all account names and enumerate all shared resources, thus providing a map of potential points to attack the system. 800-68 Section 6.2.3 - Table A-5.45 DISA STIG Section 5.4.5.46 DISA Gold Disk ID 1093 NSA Chapter 5 - Table 6 Row 42 CM-6 oval:gov.nist.1:def:88 CCE-542 This setting controls the storage of authentication credentials or .NET passports on the local system. Such credentials should never be stored on the local machine as that may lead to account compromise. 800-68 Section 6.2.3 - Table A-5.46 DISA STIG Section 5.4.5.47 DISA Gold Disk ID 3376 NSA Chapter 5 - Table 6 Row 43 CM-6 oval:gov.nist.1:def:89 CCE-18 This setting helps define the permissions that anonymous users have. If this setting is enabled then anonymous users have the same rights and permissions as the built-in Everyone group. Anonymous users should not have these permissions or rights. 800-68 Section 6.2.3 - Table A-5.47 DISA STIG Section 5.4.5.48 DISA Gold Disk ID 3377 NSA Chapter 5 - Table 6 Row 44 CM-6 oval:gov.nist.1:def:90 CCE-136 Network access: Named Pipes that can be accessed anonymously. Pipes are internal system communications processes. They are identified internally by ID numbers that vary between systems. To make access to these processes easier, these pipes are given names that do not vary between systems. This setting controls which of these pipes anonymous users may access. 800-68 Section 6.2.3 - Table A-5.48 DISA STIG Section 5.4.5.49 DISA Gold Disk ID 3338 NSA Chapter 5 - Table 6 Row 45 CM-6 oval:gov.nist.1:def:91 CCE-189 Network access: Remotely accessible registry paths. This setting controls which registry paths are accessible from a remote computer. 
800-68 Section 6.2.3 - Table A-5.49 DISA STIG Section 5.4.5.50 DISA Gold Disk ID 3339 NSA Chapter 5 - Table 6 Row 46 CM-6 oval:gov.nist.1:def:92 CCE-638 This check determines whether anonymous access is restricted to named pipes and shares. 800-68 Section 6.2.3 - Table A-5.50 DISA STIG na DISA Gold Disk na NSA na CM-6 CCE-942 This setting controls which network shares may be accessed by an anonymous user. The default setting includes the shares, DFS$, and COMCFG. It is recommended that they be left as the default setting. 800-68 Section 6.2.3 - Table A-5.51 DISA STIG Section 5.4.5.51 DISA Gold Disk ID 3340 NSA Chapter 5 - Table 6 Row 47 CM-6 oval:gov.nist.1:def:93 CCE-343 Windows XP includes two network-sharing security models Classic and Guest only. It is recommended that the Classic mode be used. 800-68 Section 6.2.3 - Table A-5.52 DISA STIG Section 5.4.5.52 DISA Gold Disk ID 3378 NSA Chapter 5 - Table 6 Row 48 CM-6 oval:gov.nist.1:def:94 CCE-233 This setting controls whether or not a LAN Manager hash of the password is stored in the SAM the next time the password is changed. The LAN Manager hash is a weak encryption algorithm and there are several tools available that use this hash to retrieve account passwords. 800-68 Section 6.2.3 - Table A-5.53 DISA STIG Section 5.4.5.53 DISA Gold Disk ID 3379 NSA Chapter 5 - Table 6 Row 49 CM-6 oval:gov.nist.1:def:95 CCE-775 This setting controls whether or not users are forced to log off when their allowed logon hours expire. If logon hours are set for users, then this should be enforced. 800-68 Section 6.2.3 - Table A-5.54 DISA STIG Section 5.4.5.54 DISA Gold Disk ID 3380 NSA Chapter 5 - Table 6 Row 50 CM-6 oval:gov.nist.1:def:244 CCE-719 The Kerberos v5 authentication protocol is the default for authentication of users who are logging on to domain accounts from computers that are running Windows. The Kerberos protocol is the protocol of choice in Windows systems, when there is a choice. 
The Windows NTLM protocol was the default for authentication in Microsoft Windows NT version 4.0. It is retained in Windows 2000 for compatibility with clients and servers that are running Windows NT version 4.0 and earlier. It is also used to authenticate logons to stand-alone computers that are running Windows 2000. 800-68 Section 6.2.3 - Table A-5.55 DISA STIG Section 5.4.5.55 DISA Gold Disk ID 1153 NSA Chapter 5 - Table 6 Row 51 CM-6 oval:gov.nist.1:def:96 CCE-719 The Kerberos v5 authentication protocol is the default for authentication of users who are logging on to domain accounts from computers that are running Windows. The Kerberos protocol is the protocol of choice in Windows systems, when there is a choice. The Windows NTLM protocol was the default for authentication in Microsoft Windows NT version 4.0. It is retained in Windows 2000 for compatibility with clients and servers that are running Windows NT version 4.0 and earlier. It is also used to authenticate logons to stand-alone computers that are running Windows 2000. 800-68 Section 6.2.3 - Table A-5.55 DISA STIG Section 5.4.5.55 DISA Gold Disk ID 1153 NSA Chapter 5 - Table 6 Row 51 CM-6 oval:gov.nist.1:def:97 CCE-732 This setting controls the signing requirements for LDAP clients. This setting should be set to Negotiate signing or Require signing depending on the environment and type of LDAP server in use. 800-68 Section 6.2.3 - Table A-5.56 DISA STIG Section 5.4.5.56 DISA Gold Disk ID 3381 NSA Chapter 5 - Table 6 Row 52 CM-6 oval:gov.nist.1:def:98 CCE-674 Starting with Windows 2000 Microsoft has implemented a variety of security support providers for use with RPC sessions. In a homogenous Windows XP environment, all of the options should be enabled and testing should be performed in a heterogeneous environment to determine the maximum-security level that provides reliable functionality. 
800-68 Section 6.2.3 - Table A-5.57 DISA STIG Section 5.4.5.57 DISA Gold Disk ID 3382 NSA Chapter 5 - Table 6 Row 53 CM-6 oval:gov.nist.1:def:99 CCE-766 Starting with Windows 2000 Microsoft has implemented a variety of security support providers for use with RPC sessions. In a homogenous Windows XP environment, all of the options should be enabled and testing should be performed in a heterogeneous environment to determine the maximum-security level that provides reliable functionality. 800-68 Section 6.2.3 - Table A-5.58 DISA STIG Section 5.4.5.58 DISA Gold Disk ID 3666 NSA Chapter 5 - Table 6 Row 54 CM-6 oval:gov.nist.1:def:100 CCE-410 If this option is enabled, the Recovery Console does not require you to provide a password and will automatically log on to the system, giving Administrator access to system files. By default, the Recovery Console requires you to provide the password for the Administrator account before accessing the system. 800-68 Section 6.2.3 - Table A-5.59 DISA STIG Section 5.4.5.59 DISA Gold Disk ID 1159 NSA Chapter 5 - Table 6 Row 55 CM-6 oval:gov.nist.1:def:101 CCE-76 Enabling this option enables the Recovery Console SET command, which allows you to set Recovery Console environment variables. This permits floppy copy and access to all drives and folders. It should be disabled. 800-68 Section 6.2.3 - Table A-5.60 DISA STIG Section 5.4.5.60 DISA Gold Disk ID 1158 NSA Chapter 5 - Table 6 Row 56 CM-6 oval:gov.nist.1:def:102 CCE-224 Displaying the shutdown button may allow individuals to shut down a system anonymously. Only authenticated users should be allowed to shut down the system. Preventing display of this button in the logon dialog box, ensures that individuals who shut down the system are authorized and tracked in the systems Security event log. 
800-68 Section 6.2.3 - Table A-5.61 DISA STIG Section 5.4.5.61 DISA Gold Disk ID 1075 NSA Chapter 5 - Table 6 Row 57 CM-6 oval:gov.nist.1:def:103 CCE-422 Virtual memory support of Windows XP uses a system page file to swap blocks of memory not actively being used to disk. While Windows XP is running, this file is opened exclusively by the operating system, thus ensuring it is reasonably protected. However, the system page file should be wiped clean of all user data when the system shuts down. This ensures that sensitive information that may be in the page file is not available for retrieval by an anonymous user. 800-68 Section 6.2.3 - Table A-5.62 DISA STIG Section 5.4.5.62 DISA Gold Disk ID 1084 NSA Chapter 5 - Table 6 Row 58 CM-6 oval:gov.nist.1:def:104 CCE-647 This setting determines whether the system forces strong key protection for user keys stored on the system. 800-68 Section 6.2.3 - Table A-5.63 DISA STIG na DISA Gold Disk na NSA na CM-6 oval:gov.nist.1:def:73 CCE-55 This setting ensures that the system uses algorithms that are FIPS compliant for encryption, hashing, and signing. FIPS compliant algorithms meet specific standards established by the U.S. Government and should be the algorithms used for all OS encryption functions. 800-68 Section 6.2.3 - Table A-5.64 DISA STIG Section 5.4.5.63 DISA Gold Disk ID 3383 NSA Chapter 5 - Table 6 Row 59 CM-6 oval:gov.nist.1:def:105 CCE-575 Either the object creator or the Administrators group owns objects created by members of the Administrators group. In order to ensure accurate auditing and proper accountability, the default owner should be the object creator. 800-68 Section 6.2.3 - Table A-5.65 DISA STIG Section 5.4.5.64 DISA Gold Disk ID 3384 NSA Chapter 5 - Table 6 Row 60 CM-6 oval:gov.nist.1:def:106 CCE-300 This setting controls the behavior of non-Windows subsystems when dealing with the case of arguments or commands. Case sensitivity could lead to the access of files or commands that should be restricted. 
To prevent this from happening, case insensitivity should be required. 800-68 Section 6.2.3 - Table A-5.66 DISA STIG Section 5.4.5.65 DISA Gold Disk ID 3385 NSA Chapter 5 - Table 6 Row 61 CM-6 oval:gov.nist.1:def:107 CCE-508 System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links). Windows systems maintains an internal list of shared system resources such as DOS device names, mutexes, and semaphores. Each type of object is created with a default DACL that specifies who can access the objects with what permissions. If this policy is enabled, the default DACL is stronger, allowing non-admin users to read shared objects, but not modify shared objects that they did not create. 800-68 Section 6.2.3 - Table A-5.67 DISA STIG Section 5.4.5.66 DISA Gold Disk ID 1173 NSA Chapter 5 - Table 6 Row 63 CM-6 oval:gov.nist.1:def:109 CCE-48 This check determines whether optional subsystems are allowed. 800-68 Section 6.2.3 - Table A-5.68 DISA STIG na DISA Gold Disk na NSA na CM-6 CCE-572 This check determines whether certificate rules are used on Windows executables for software restriction policies. 800-68 Section 6.2.3 - Table A-5.69 DISA STIG na DISA Gold Disk na NSA na CM-6 CCE-283 If enabled, this setting will allow a user to directly log on to the system with administrator privileges when the machine is rebooted. This would give full access to any unauthorized individual who reboots the computer. By default this setting is not enabled. If this setting exists, it should be disabled. If this capability exists, the default password will also be present in the registry, and must be removed. 800-68 Section 6.2.3 - Table A-5.70 DISA STIG Section 5.4.5.31 DISA Gold Disk ID 1145 NSA Chapter 5 - Table 6 Row 25 CM-6 oval:gov.nist.1:def:110 CCE-137 This check determines whether Windows is allowed to automatically restart after a system crash. 
800-68 Section 6.2.3 - Table A-5.71 DISA STIG na DISA Gold Disk na NSA na CM-6 CCE-512 This check determines whether administrative shares are enabled. 800-68 Section 6.2.3 - Table A-5.72 DISA STIG na DISA Gold Disk na NSA na CM-6 CCE-564 This setting protects against packet spoofing. Set to 2 to completely disable source routing. 800-68 Section 6.2.3 - Table A-5.73 DISA STIG Section 5.4.5.32 DISA Gold Disk ID 4110 NSA na CM-6 oval:gov.nist.1:def:111 CCE-156 This check determines whether the dial-up password is prevented from being saved. 800-68 Section 6.2.3 - Table A-5.74 DISA STIG Section 5.4.5.6 DISA Gold Disk ID 1139 NSA na CM-6 CCE-897 If this setting is enabled, it could lead to a denial of service. 800-68 Section 6.2.3 - Table A-5.75 DISA STIG Section 5.4.5.33 DISA Gold Disk ID 4109 NSA na CM-6 oval:gov.nist.1:def:112 CCE-150 This check determines whether ICMP redirects are allowed to override OSPF generated routes. 800-68 Section 6.2.3 - Table A-5.76 DISA STIG Section 5.4.5.16 DISA Gold Disk ID 4111 NSA na CM-6 oval:gov.nist.1:def:113 CCE-139 This setting is not recommended to be enabled, except for highly secure environments. 800-68 Section 6.2.3 - Table A-5.77 DISA STIG na DISA Gold Disk na NSA na CM-6 oval:gov.nist.1:def:114 CCE-188 This check verifies that the system is configured to control how often TCP attempts to verify that an idle connection is still intact by sending a keep-alive packet. 800-68 Section 6.2.3 - Table A-5.78 DISA STIG na DISA Gold Disk na NSA na CM-6 oval:gov.nist.1:def:115 CCE-501 Setting this to 1 removes exemptions for Kerberos and RSVP traffic, and keeps exemptions for multicast, broadcast, and ISAKMP. 
800-68 Section 6.2.3 - Table A-5.79 DISA STIG na DISA Gold Disk na NSA na CM-6 oval:gov.nist.1:def:116 CCE-44 This check verifies that the system is configured to turn off the Autorun feature on all drives 800-68 Section 6.2.3 - Table A-5.80 DISA STIG na DISA Gold Disk na NSA na CM-6 oval:gov.nist.1:def:117 CCE-817 This check verifies that the system is configured to prevent release of its NetBIOS name when a name-release request is received. 800-68 Section 6.2.3 - Table A-5.81 DISA STIG Section 5.4.5.35 DISA Gold Disk ID 4116 NSA na CM-6 oval:gov.nist.1:def:118 CCE-511 This check determines whether the system is allowed to generate 8.3 style filenames. 800-68 Section 6.2.3 - Table A-5.82 DISA STIG na DISA Gold Disk na NSA na CM-6 oval:gov.nist.1:def:119 CCE-952 This check verifies that the system is configured to disable the Internet Router Discovery Protocol (IDRP), which could lead to a denial of service. 800-68 Section 6.2.3 - Table A-5.83 DISA STIG Section 5.4.5.36 DISA Gold Disk ID 4112 NSA na CM-6 oval:gov.nist.1:def:121 CCE-271 The default search behavior, when an application calls a function in a Dynamic Link Library (DLL), is to search the current directory followed by the directories contained in the systems path environment variable. An unauthorized DLL inserted into an applications working directory could allow malicious code to be run on the system. Creating the SafeDllSearchMode registry key and setting the appropriate value forces the system to search the %Systemroot% for the DLL before searching the current directory or the rest of the path. 800-68 Section 6.2.3 - Table A-5.84 DISA STIG na DISA Gold Disk na NSA Chapter 5 - Table 6 Row 62 CM-6 oval:gov.nist.1:def:122 CCE-830 This check verifies that the system is configured to have password protection take effect immediately when the screen saver becomes active. 
800-68 Section 6.2.3 - Table A-5.85 DISA STIG na DISA Gold Disk na NSA na CM-6 oval:gov.nist.1:def:123 CCE-284 This check verifies that the system is configured to protect against Syn attacks. The setting should be set to "Connections time out sooner if a SYN attack is detected." 800-68 Section 6.2.3 - Table A-5.86 DISA STIG Section 5.4.5.37 DISA Gold Disk ID 4117 NSA na CM-6 oval:gov.nist.1:def:124 CCE-577 This check verifies that the system is configured to control the maximum number of times that TCP retransmits a SYN before aborting the attempt. 800-68 Section 6.2.3 - Table A-5.87 DISA STIG Section 5.4.5.38 DISA Gold Disk ID 4437 NSA na CM-6 oval:gov.nist.1:def:125 CCE-872 This check verifies that the system is configured to control the maximum number of times that TCP retransmits unacknowledged data segments before aborting the attempt. 800-68 Section 6.2.3 - Table A-5.88 DISA STIG Section 5.4.5.39 DISA Gold Disk ID 4438 NSA na CM-6 oval:gov.nist.1:def:126 CCE-125 This check verifies that the system is configured to generate a warning when the Security Event Log has reached a defined threshold. If the system is configured to write to an audit server, or is configured to automatically archive full logs, then this check does not apply. 800-68 Section 6.2.3 - Table A-5.89 DISA STIG Section 5.4.5.43 DISA Gold Disk ID 4108 NSA na CM-6 oval:gov.nist.1:def:127 CCE-185 Inadequate log size will cause the log to fill up quickly and require frequent clearing by administrative personnel. An exception is for NT workstations that do not share resources. The smaller size should allow sufficient audit information for supporting the investigation of suspicious events, but since it is overwritten, does not require administrator interaction for clearing the file. Microsoft recommends that the combined size of all the event logs (including DNS logs, Directory Services logs, and Replication logs on Servers or Domain Controllers) should not exceed 300 megabytes. 
Exceeding the recommended value can impact performance. 800-68 Section 6.3 - Table A-6.1 DISA STIG Section 5.4.6.1 DISA Gold Disk ID 1118 NSA Chapter 6 - Table 7 Row 1 CM-6 oval:gov.nist.1:def:197 CCE-757 Inadequate log size will cause the log to fill up quickly and require frequent clearing by administrative personnel. An exception is for NT workstations that do not share resources. The smaller size should allow sufficient audit information for supporting the investigation of suspicious events, but since it is overwritten, does not require administrator interaction for clearing the file. Microsoft recommends that the combined size of all the event logs (including DNS logs, Directory Services logs, and Replication logs on Servers or Domain Controllers) should not exceed 300 megabytes. Exceeding the recommended value can impact performance. 800-68 Section 6.3 - Table A-6.2 DISA STIG Section 5.4.6.1 DISA Gold Disk ID 1118 NSA Chapter 6 - Table 7 Row 1 CM-6 oval:gov.nist.1:def:198 CCE-735 Inadequate log size will cause the log to fill up quickly and require frequent clearing by administrative personnel. An exception is for NT workstations that do not share resources. The smaller size should allow sufficient audit information for supporting the investigation of suspicious events, but since it is overwritten, does not require administrator interaction for clearing the file. Microsoft recommends that the combined size of all the event logs (including DNS logs, Directory Services logs, and Replication logs on Servers or Domain Controllers) should not exceed 300 megabytes. Exceeding the recommended value can impact performance. 800-68 Section 6.3 - Table A-6.3 DISA STIG Section 5.4.6.1 DISA Gold Disk ID 1118 NSA Chapter 6 - Table 7 Row 1 CM-6 oval:gov.nist.1:def:199 CCE-299 By default, the Windows XP event logs may be viewed over the network by an anonymous user. 
This method of access over the network is communicating through the Server service which has SYSTEM access to the actual log files. 800-68 Section 6.3 - Table A-6.4 DISA STIG Section 5.4.6.2 DISA Gold Disk ID 1095 NSA Chapter 6 - Table 7 Row 2 CM-6 oval:gov.nist.1:def:200 CCE-462 By default, the Windows XP event logs may be viewed over the network by an anonymous user. This method of access over the network is communicating through the Server service which has SYSTEM access to the actual log files. 800-68 Section 6.3 - Table A-6.5 DISA STIG Section 5.4.6.2 DISA Gold Disk ID 1095 NSA Chapter 6 - Table 7 Row 2 CM-6 oval:gov.nist.1:def:201 CCE-726 By default, the Windows XP event logs may be viewed over the network by an anonymous user. This method of access over the network is communicating through the Server service which has SYSTEM access to the actual log files. 800-68 Section 6.3 - Table A-6.6 DISA STIG Section 5.4.6.2 DISA Gold Disk ID 1095 NSA Chapter 6 - Table 7 Row 2 CM-6 oval:gov.nist.1:def:202 CCE-285 The application log should be configured to correctly handle itself when it reaches the maximum size. The log can be overwritten after a certain number of days, overwritten when it becomes full, or have to be cleared manually. 800-68 Section 6.3 - Table A-6.10 DISA STIG Section 5.4.6.3 DISA Gold Disk ID 1117 NSA Chapter 6 - Table 7 Row 3 CM-6 oval:gov.nist.1:def:203 CCE-523 The security log should be configured to correctly handle itself when it reaches the maximum size. The log can be overwritten after a certain number of days, overwritten when it becomes full, or have to be cleared manually. 800-68 Section 6.3 - Table A-6.11 DISA STIG Section 5.4.6.3 DISA Gold Disk ID 1117 NSA Chapter 6 - Table 7 Row 3 CM-6 oval:gov.nist.1:def:204 CCE-664 The system log should be configured to correctly handle itself when it reaches the maximum size. The log can be overwritten after a certain number of days, overwritten when it becomes full, or have to be cleared manually. 
800-68 Section 6.3 - Table A-6.12 DISA STIG Section 5.4.6.3 DISA Gold Disk ID 1117 NSA Chapter 6 - Table 7 Row 3 CM-6 oval:gov.nist.1:def:205 CCE-506 The Restricted Groups option allows the administrator to manage membership of sensitive groups. The Backup Operators group is one such group. This group has been given significant privileges under Windows XP. 800-68 Section 6.4 - Table A-7.1 DISA STIG na DISA Gold Disk na NSA na CM-6 oval:gov.nist.1:def:206 CCE-990 The Restricted Groups option allows the administrator to manage membership of sensitive groups. The Power Users group is one such group. This group has been given significant privileges under Windows XP. 800-68 Section 6.4 - Table A-7.2 DISA STIG Section 5.4.7.1 DISA Gold Disk ID 2375 NSA Chapter 7 CM-6 oval:gov.nist.1:def:207 CCE-250 The Restricted Groups option allows the administrator to manage membership of sensitive groups. The Remote Desktop Users group is one such group. This group has been given significant privileges under Windows XP. 800-68 Section 6.4 - Table A-7.3 DISA STIG na DISA Gold Disk na NSA na CM-6 oval:gov.nist.1:def:208 CCE-487 Unnecessary services should not be running on the system. Services typically run under the local System Account, which generally have more permissions than are required by the service. Compromising a service could allow an intruder to obtain System permissions and open the system to a variety of attacks. 800-68 Section 6.5 - Table A-8.1 DISA STIG Section 5.3.2.1 DISA Gold Disk ID 3487 NSA na CM-6 oval:gov.nist.1:def:209 CCE-954 Unnecessary services should not be running on the system. Services typically run under the local System Account, which generally have more permissions than are required by the service. Compromising a service could allow an intruder to obtain System permissions and open the system to a variety of attacks. 
| Requirement | 800-68 | DISA STIG | DISA Gold Disk | NSA | 800-53 control | OVAL | CCE |
|---|---|---|---|---|---|---|---|
| (continued from preceding entry) | Section 6.5 - Table A-8.6 | Section 5.3.2.1 | ID 3487 | n/a | CM-6 | oval:gov.nist.1:def:210 | CCE-294 |

Unnecessary services should not be running on the system. Services typically run under the local System Account, which generally has more permissions than the service requires. Compromising a service could allow an intruder to obtain System permissions and open the system to a variety of attacks. Each of the following entries maps this requirement for one service:

| 800-68 | DISA STIG | DISA Gold Disk | NSA | 800-53 control | OVAL | CCE |
|---|---|---|---|---|---|---|
| Section 6.5 - Table A-8.9 | Section 5.3.2.1 | ID 3487 | n/a | CM-6 | oval:gov.nist.1:def:211 | CCE-78 |
| Section 6.5 - Table A-8.18 | Section 5.3.2.1 | ID 3487 | n/a | CM-6 | oval:gov.nist.1:def:212 | CCE-712 |
| Section 6.5 - Table A-8.19 | Section 5.3.2.1 | ID 3487 | n/a | CM-6 | oval:gov.nist.1:def:213 | CCE-311 |
| Section 6.5 - Table A-8.22 | Section 5.3.2.1 | ID 3487 | n/a | CM-6 | oval:gov.nist.1:def:214 | CCE-738 |
| Section 6.5 - Table A-8.24 | Section 5.3.2.1 | ID 3487 | n/a | CM-6 | oval:gov.nist.1:def:215 | CCE-729 |
| Section 6.5 - Table A-8.30 | Section 5.3.2.1 | ID 3487 | n/a | CM-6 | oval:gov.nist.1:def:216 | CCE-232 |
| Section 6.5 - Table A-8.33 | Section 5.3.2.1 | ID 3487 | n/a | CM-6 | oval:gov.nist.1:def:217 | CCE-217 |
| Section 6.5 - Table A-8.35 | Section 5.3.2.1 | ID 3487 | n/a | CM-6 | oval:gov.nist.1:def:245 | CCE-768 |
| Section 6.5 - Table A-8.36 | Section 5.3.2.1 | ID 3487 | n/a | CM-6 | oval:gov.nist.1:def:246 | CCE-750 |
| Section 6.5 - Table A-8.46 | Section 5.3.2.1 | ID 3487 | n/a | CM-6 | oval:gov.nist.1:def:247 | CCE-663 |
| Section 6.5 - Table A-8.47 | Section 5.3.2.1 | ID 3487 | n/a | CM-6 | oval:gov.nist.1:def:218 | CCE-223 |
| Section 6.5 - Table A-8.52 | Section 5.3.2.1 | ID 3487 | n/a | CM-6 | oval:gov.nist.1:def:219 | CCE-870 |
| Section 6.5 - Table A-8.59 | n/a | n/a | n/a | CM-6 | oval:gov.nist.1:def:220 | CCE-975 |
| Section 6.5 - Table A-8.60 | Section 5.3.2.1 | ID 3487 | n/a | CM-6 | oval:gov.nist.1:def:221 | CCE-892 |
| Section 6.5 - Table A-8.61 | Section 5.3.2.1 | ID 3487 | n/a | CM-6 | oval:gov.nist.1:def:222 | CCE-940 |
| Section 6.5 - Table A-8.62 | Section 5.3.2.1 | ID 3487 | n/a | CM-6 | oval:gov.nist.1:def:223 | CCE-40 |
| Section 6.5 - Table A-8.65 | Section 5.3.2.1 | ID 3487 | n/a | CM-6 | oval:gov.nist.1:def:224 | CCE-75 |
| Section 6.5 - Table A-8.68 | Section 5.3.2.1 | ID 3487 | n/a | CM-6 | oval:gov.nist.1:def:225 | CCE-974 |
| Section 6.5 - Table A-8.69 | Section 5.3.2.1 | ID 3487 | n/a | CM-6 | oval:gov.nist.1:def:226 | CCE-608 |
| Section 6.5 - Table A-8.73 | Section 5.3.2.1 | ID 3487 | n/a | CM-6 | oval:gov.nist.1:def:227 | CCE-758 |
| Section 6.5 - Table A-8.85 | Section 5.3.2.1 | ID 3487 | n/a | CM-6 | oval:gov.nist.1:def:228 | CCE-600 |

Failure to properly configure ACL file and directory permissions allows unauthorized and anonymous modification of the operating system and installed applications. Each of the following entries maps this requirement for one file or directory:

| 800-68 | DISA STIG | DISA Gold Disk | NSA | 800-53 control | OVAL | CCE |
|---|---|---|---|---|---|---|
| Section 6.6 - Table A-9.1 | Section 5.4.10.1 - Table A.1 Row 3 | ID 1130 | Chapter 10 - Table 14 Row 42 | CM-6 | oval:gov.nist.1:def:128 | CCE-393 |
| Section 6.6 - Table A-9.2 | Section 5.4.10.1 - Table A.1 Row 4 | ID 1130 | Chapter 10 - Table 14 Row 43 | CM-6 | oval:gov.nist.1:def:129 | CCE-166 |
| Section 6.6 - Table A-9.3 | Section 5.4.10.1 - Table A.1 Row 5 | ID 1130 | n/a | CM-6 | oval:gov.nist.1:def:130 | CCE-977 |
| Section 6.6 - Table A-9.4 | Section 5.4.10.1 - Table A.1 Row 6 | ID 1130 | n/a | CM-6 | oval:gov.nist.1:def:131 | CCE-201 |
| Section 6.6 - Table A-9.5 | Section 5.4.10.1 - Table A.1 Row 7 | ID 1130 | n/a | CM-6 | oval:gov.nist.1:def:132 | CCE-20 |
| Section 6.6 - Table A-9.6 | Section 5.4.10.1 - Table A.1 Row 8 | ID 1130 | n/a | CM-6 | oval:gov.nist.1:def:133 | CCE-489 |
| Section 6.6 - Table A-9.7 | Section 5.4.10.1 - Table A.1 Row 9 | ID 1130 | n/a | CM-6 | oval:gov.nist.1:def:134 | CCE-917 |
| Section 6.6 - Table A-9.8 | Section 5.4.10.1 - Table A.1 Row 10 | ID 1130 | n/a | CM-6 | oval:gov.nist.1:def:135 | CCE-264 |
| Section 6.6 - Table A-9.9 | Section 5.4.10.1 - Table A.1 Row 11 | ID 1130 | n/a | CM-6 | oval:gov.nist.1:def:136 | CCE-550 |
| Section 6.6 | Section 5.4.10.1 - Table A.1 Row 12 | ID 1130 | Chapter 10 - Table 14 Row 59 | CM-6 | oval:gov.nist.1:def:137 | CCE-731 |
| Section 6.6 - Table A-9.11 | Section 5.4.10.1 - Table A.1 Row 13 | ID 1130 | n/a | CM-6 | oval:gov.nist.1:def:138 | CCE-607 |
| Section 6.6 - Table A-9.12 | Section 5.4.10.1 - Table A.1 Row 14 | ID 1130 | n/a | CM-6 | oval:gov.nist.1:def:139 | CCE-158 |
| Section 6.6 - Table A-9.13 | Section 5.4.10.1 - Table A.1 Row 15 | ID 1130 | Chapter 10 - Table 14 Row 60 | CM-6 | oval:gov.nist.1:def:140 | CCE-220 |
| Section 6.6 - Table A-9.14 | Section 5.4.10.1 - Table A.1 Row 16 | ID 1130 | Chapter 10 - Table 14 Row 61 | CM-6 | oval:gov.nist.1:def:141 | CCE-242 |
| Section 6.6 - Table A-9.15 | Section 5.4.10.1 - Table A.1 Row 17 | ID 1130 | Chapter 10 - Table 14 Row 62 | CM-6 | oval:gov.nist.1:def:142 | CCE-821 |
| Section 6.6 - Table A-9.16 | Section 5.4.10.1 - Table A.1 Row 18 | ID 1130 | Chapter 10 - Table 14 Row 63 | CM-6 | oval:gov.nist.1:def:143 | CCE-997 |
| Section 6.6 - Table A-9.17 | Section 5.4.10.1 - Table A.1 Row 19 | ID 1130 | Chapter 10 - Table 14 Row 68 | CM-6 | oval:gov.nist.1:def:144 | CCE-547 |
| Section 6.6 - Table A-9.18 | Section 5.4.10.1 - Table A.1 Row 20 | ID 1130 | Chapter 10 - Table 14 Row 69 | CM-6 | oval:gov.nist.1:def:145 | CCE-795 |
| Section 6.6 - Table A-9.19 | Section 5.4.10.1 - Table A.1 Row 2 | ID 1130 | Chapter 10 - Table 14 Row 36 | CM-6 | oval:gov.nist.1:def:146 | CCE-865 |
| Section 6.6 - Table A-9.20 | Section 5.4.10.1 - Table A.1 Row 21 | ID 1130 | Chapter 10 - Table 14 Row 70 | CM-6 | oval:gov.nist.1:def:147 | CCE-543 |
| Section 6.6 - Table A-9.21 | Section 5.4.10.1 - Table A.1 Row 22 | ID 1130 | Chapter 10 - Table 14 Row 71 | CM-6 | oval:gov.nist.1:def:148 | CCE-657 |
| Section 6.6 - Table A-9.22 | Section 5.4.10.1 - Table A.1 Row 23 | ID 1130 | n/a | CM-6 | oval:gov.nist.1:def:149 | CCE-274 |
| Section 6.6 - Table A-9.23 | Section 5.4.10.1 - Table A.1 Row 24 | ID 1130 | Chapter 10 - Table 14 Row 72 | CM-6 | oval:gov.nist.1:def:150 | CCE-168 |
| Section 6.6 - Table A-9.24 | Section 5.4.10.1 - Table A.1 Row 25 | ID 1130 | Chapter 10 - Table 14 Row 73 | CM-6 | oval:gov.nist.1:def:151 | CCE-353 |
| Section 6.6 - Table A-9.25 | Section 5.4.10.1 - Table A.1 Row 26 | ID 1130 | Chapter 10 - Table 14 Row 74 | CM-6 | oval:gov.nist.1:def:152 | CCE-516 |
| Section 6.6 - Table A-9.26 | Section 5.4.10.1 - Table A.1 Row 27 | ID 1130 | n/a | CM-6 | oval:gov.nist.1:def:153 | CCE-922 |
| Section 6.6 - Table A-9.27 | Section 5.4.10.1 - Table A.1 Row 28 | ID 1130 | Chapter 10 - Table 14 Row 76 | CM-6 | oval:gov.nist.1:def:154 | CCE-921 |
| Section 6.6 - Table A-9.28 | Section 5.4.10.1 - Table A.1 Row 29 | ID 1130 | n/a | CM-6 | oval:gov.nist.1:def:155 | CCE-225 |
| Section 6.6 - Table A-9.29 | Section 5.4.10.1 - Table A.1 Row 30 | ID 1130 | Chapter 10 - Table 14 Row 81 | CM-6 | oval:gov.nist.1:def:156 | CCE-159 |
| Section 6.6 - Table A-9.30 | Section 5.4.10.1 - Table A.1 Row 31 | ID 1130 | n/a | CM-6 | oval:gov.nist.1:def:157 | CCE-348 |
| Section 6.6 - Table A-9.31 | Section 5.4.10.1 - Table A.1 Row 32 | ID 1130 | Chapter 10 - Table 14 Row 82 | CM-6 | oval:gov.nist.1:def:158 | CCE-718 |
| Section 6.6 - Table A-9.32 | Section 5.4.10.1 - Table A.1 Row 33 | ID 1130 | n/a | CM-6 | oval:gov.nist.1:def:159 | CCE-272 |
| n/a | n/a | n/a | Chapter 10 - Table 14 Row 44 | CM-6 | oval:gov.nist.1:def:260 | CCE-170 |
| n/a | n/a | n/a | Chapter 10 - Table 14 Row 46 | CM-6 | oval:gov.nist.1:def:261 | CCE-386 |
| n/a | n/a | n/a | Chapter 10 - Table 14 Row 48 | CM-6 | oval:gov.nist.1:def:262 | CCE-941 |
| n/a | n/a | n/a | Chapter 10 - Table 14 Row 49 | CM-6 | oval:gov.nist.1:def:263 | CCE-363 |

The remaining entries each carry their own requirement text:

| Requirement | 800-68 | DISA STIG | DISA Gold Disk | NSA | 800-53 control | OVAL | CCE |
|---|---|---|---|---|---|---|---|
| The required permissions for the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SeCEdit should be assigned. | n/a | n/a | n/a | Chapter 9.4 - Table 10 Row 10 | CM-6 | oval:gov.nist.1:def:300 | CCE-536 |
| Setting this value to 0 disables the creation of a memory dump file by the Dr. Watson program debugger. Memory dumps can contain sensitive information such as passwords. See Section 7.9 for additional information on suppressing memory dump file creation. This setting should be enabled to troubleshoot a recurring problem. | Section 6.8.4 - Table 6-2.1 | n/a | n/a | n/a | CM-6 | oval:gov.nist.1:def:400 | CCE-243 |
| Setting this value to 0 disables Dr. Watson. | Section 6.8.4 - Table 6-2.2 | n/a | n/a | n/a | CM-6 | oval:gov.nist.1:def:401 | CCE-344 |
| Setting this value to 0 disables the autorun feature for CDs. | Section 6.8.4 - Table 6-2.3 | n/a | n/a | n/a | CM-6 | oval:gov.nist.1:def:402 | CCE-282 |
| Setting this parameter to 1 causes the system to ignore ResetBrowser frames. Such frames can be used to shut down NetBIOS and master browsers and to declare a computer as being the new master browser. Earlier versions of Windows could be attacked through ResetBrowser frames. | Section 6.8.4 - Table 6-2.4 | n/a | n/a | n/a | CM-6 | | CCE-998 |
| When this parameter is set to 1, TCP attempts to discover the Maximum Transmission Unit (MTU), the size of the largest packet that can be kept intact over the path to a remote host. Setting this parameter to 0 disables the feature and causes an MTU of 576 bytes to be used for all connections that are not made to hosts on the local subnet. | Section 6.8.4 - Table 6-2.5 | n/a | n/a | n/a | CM-6 | | CCE-333 |
| This setting specifies the number of connections permitted in the SYN-RCVD state before SynAttackProtect measures are implemented. | Section 6.8.4 - Table 6-2.7 | n/a | n/a | n/a | CM-6 | oval:gov.nist.1:def:404 | CCE-751 |
| This setting specifies the number of connections permitted in the SYN-RCVD state for which at least one retransmission of the SYN has been sent, before SynAttackProtect measures are implemented. | Section 6.8.4 - Table 6-2.8 | n/a | n/a | n/a | CM-6 | oval:gov.nist.1:def:405 | CCE-418 |
| This setting specifies how many connection requests can be refused before SynAttackProtect measures are implemented. | Section 6.8.4 - Table 6-2.9 | n/a | n/a | n/a | CM-6 | oval:gov.nist.1:def:406 | |
| Use NTFS for each hard drive partition unless there is a particular need to use another type of filesystem. | Section 4.1.1 | Section 5.3.1 | ID 1081 | Chapter 10 | CM-6 | | |
| This check verifies that shared printers have properly configured share permissions. | n/a | Section 5.2.4 | ID 1135 | n/a | CM-6 | | |
| Disable all network clients, services, and protocols that are not required. | Section 4.1.2.1 | Section 5.3.2.1 | ID 3487 | n/a | CM-6 | | |