Accounts: Administrator accounts must not be enumerated during elevation
f3afb7e7-d38a-42f2-8290-56da3b445913
Accounts: Automatic logons must be disabled
5db60bfa-0318-430e-ab7e-c2ff3e749ae9
Accounts: Block Microsoft accounts
6e815a39-7aa8-42e4-88d3-1778dfe85333
Accounts: Built-in Administrator account must be renamed
b1981ae3-ba91-4758-a98c-a5937a0498f7
Accounts: Built-in Guest account must be renamed
20dbd0a4-0373-4913-9f75-4ab7f6fcbdb0
Accounts: Deny log on locally user right must be configured to prevent access from highly privileged domain accounts
fd44a45e-ef9e-4c54-bebf-22bba68a185c
Accounts: Enable computer and user accounts delegation user right not be assigned to any groups or accounts
64f28abd-921c-4d04-b2c0-f047d20d673e
Accounts: Enable computer and user accounts to be trusted user right must only be assigned to the Admins group on DCs
42587e5b-a61b-49e2-b25b-5413d52ebd05
Accounts: Local Admin accounts must have their privileged token filtered to prevent elevated privileges used over the network
e4710a99-9bc1-4e34-80ad-5d2f84f57732
Accounts: Local Administrator account should be disabled
822e9bf2-405a-42cb-9566-8532df68939f
Accounts: Local Guest account should be disabled
538d811a-0a0a-4336-8294-63bc2c092ebb
Accounts: Local accounts with blank passwords must be restricted to prevent access from the network
3ef29cdc-8018-48a9-b210-13e18cf14d07
Accounts: Lockout duration must be configured to 15 minutes or greater
d9b675fb-1bb2-4ff3-88ea-0e74ab40e2a7
Accounts: Must be configured to enable Remote host allows delegation of non-exportable credentials
64e32afe-9577-4372-8f00-81829fd38ebf
Accounts: Must disable automatically signing in the last interactive user after a system-initiated restart
30d230a9-ff8e-44a2-ac87-f35b77bff14a
Accounts: Must have the built-in Windows password complexity policy enabled
be6a2756-21d7-452c-b0a1-e6032f14f422
Accounts: Must have the period of time before the bad logon counter is reset configured to 15 minutes or greater
56655e04-3824-4810-9be4-aaa6e1c1c2ac
Accounts: Must require passwords
00279417-0255-4ff4-8b5c-dbb7866085e2
Accounts: Passwords for the built-in Administrator account must be changed at least every 60 days
e228712c-a432-4f66-898d-f0698df9e862
Accounts: Reversible password encryption must be disabled
71ebd815-0ca9-44c9-b7b8-c96e155e7afb
Accounts: The computer account password must not be prevented from being reset
e0059e71-73e6-4c05-9f59-b224041025ea
Accounts: The number of allowed bad logon attempts must be configured to three or less
409871a1-6b58-45ab-9dfd-8b40e948ecd2
Accounts: UIAccess applications must not be allowed to prompt for elevation without using the secure desktop
80e6af5a-3633-408e-b890-8b7581adda66
Accounts: User Account Control (UAC) must automatically deny standard user requests for elevation
2a28f305-e508-40e1-80e4-e7702143703b
Accounts: User Account Control (UAC) must be configured to detect application installations and prompt for elevation
ed5ca948-5cbf-431d-a5da-39d02bd64c48
Accounts: User Account Control (UAC) must run all administrators in Admin Approval Mode, enabling UAC
417239de-2859-45e4-9a8f-43c47f4daedb
Accounts: User Account Control (UAC) must virtualize file and registry write failures to per-user locations
938c99da-1577-427d-908d-8c5e31bd9546
Accounts: User Account Control (UAC) must, at a minimum, prompt administrators for consent on the secure desktop
0b28a1d9-618b-45ce-8938-f73cc84fce81
Accounts: User Account Control must only elevate UIAccess applications that are installed in secure locations
b6f678d0-7ffc-48e8-b89c-ca6d301de838
Accounts: Users must be prompted to authenticate when the system wakes from sleep (on battery)
ef3c9259-d0d3-434a-8e7c-ab945deaa3f0
Accounts: Users must be prompted to authenticate when the system wakes from sleep (plugged in)
bf4a43bc-9605-4596-a562-5e4073fe21d5
Accounts: Users must be required to enter a password to access private keys stored on the computer
c9946229-3c27-4eb5-ae8f-6f777a9ad637
Auditing: Command line data must be included in process creation events
c787dcd2-355b-4ff5-8265-3eb860f11670
Auditing: Event Log / Viewer must be protected from unauthorized modification and deletion
09651036-eca5-4f3a-83fb-0ff12719b201
Auditing: Event Log size for Application log must be at least 32768 KB
b38cea25-93f2-42d7-ac5f-f2c1e93f974a
Auditing: Event Log size for Security log must be at least 196608 KB
f9befa07-2636-4c53-a43f-db2035b9cdff
Auditing: Event Log size for System log must be at least 32768 KB
4decda12-e17d-45d8-bb5e-53f26706acbf
Auditing: Must force audit policy subcategory settings to override audit policy category settings
9929dbd2-a4fb-40ea-9a2d-8a1db39a5729
Auditing: Permissions for the Security event log must prevent access by non-privileged accounts
f67457c3-6d39-425d-9831-b5e44eaf7d6f
Auditing: Permissions for the System event log must prevent access by non-privileged accounts
31096f12-75ea-425b-b416-f0c0b87dc6ff
Auditing: System must be configured to audit Account Logon - Credential Validation failures
20d10fd0-520a-4b7e-b915-5e2e6649cf99
Auditing: System must be configured to audit Account Logon - Credential Validation successes
82478e12-7206-4b9c-8a68-2ccb6e3fe144
Auditing: System must be configured to audit Account Management - Computer Account Management successes
980236d7-5ee7-436d-83ce-5504b366d913
Auditing: System must be configured to audit Account Management - Other Account Management Events successes
b0fb3bb1-4400-4a94-bea1-8d64d4b170b3
Auditing: System must be configured to audit Account Management - Security Group Management successes
43fd3c2b-daf3-4408-8a5b-d04a79bd3bd4
Auditing: System must be configured to audit Account Management - User Account Management failures
d3e3b256-80cd-4f3a-bd46-487cda3513f2
Auditing: System must be configured to audit Account Management - User Account Management successes
b7a6152d-607d-424f-a0d1-78000be3512a
Auditing: System must be configured to audit DS Access - Directory Service Access failures
2b1b0887-d05b-4ac8-9a4d-622cf9938026
Auditing: System must be configured to audit DS Access - Directory Service Access successes
f9e3c6de-5fe8-4139-9f82-a92cf3ef8b33
Auditing: System must be configured to audit DS Access - Directory Service Changes successes
36178a14-eb8f-4e76-b554-c694324ae9de
Auditing: System must be configured to audit Detailed Tracking - Plug and Play Events successes
f5278646-f9f7-41df-b807-b1fd1c57cdfa
Auditing: System must be configured to audit Detailed Tracking - Process Creation successes
952d2e45-3b08-4224-bc01-6e35aeb38557
Auditing: System must be configured to audit Logon/Logoff - Group Membership successes
52b16e39-5909-4145-a76d-8fa0fc554dab
Auditing: System must be configured to audit Logon/Logoff - Special Logon successes
0a6702c1-b417-4100-b6af-8ee48a5d2f23
Auditing: System must be configured to audit Object Access - Other Object Access Events failures
8110968d-1cd4-430b-909e-52a487b78106
Auditing: System must be configured to audit Object Access - Other Object Access Events successes
81abf498-85f9-4536-a8c4-f6d26fe5f26f
Auditing: System must be configured to audit Object Access - Removable Storage failures
352b582c-c55c-4d71-9a19-4c9448d1c96d
Auditing: System must be configured to audit Object Access - Removable Storage successes
af074caf-14a4-41f5-9ebd-e2214dc48240
Auditing: System must be configured to audit Policy Change - Audit Policy Change failures
d7a89b74-da6a-4b5b-a3f7-1ead34cbc837
Auditing: System must be configured to audit Policy Change - Audit Policy Change successes
23e1491c-ff4e-45b1-be08-fe8c2a6209da
Auditing: System must be configured to audit Policy Change - Authentication Policy Change successes
48e1aa69-0cc4-44e2-8f00-8db93be2cdc1
Auditing: System must be configured to audit Policy Change - Authorization Policy Change successes
7338cb96-3198-4665-8c6e-755e05005b58
Auditing: System must be configured to audit Privilege Use - Sensitive Privilege Use failures
9345b515-8295-47a6-a353-fcdc72ff45ea
Auditing: System must be configured to audit Privilege Use - Sensitive Privilege Use successes
cc84129b-345b-4e6d-91d4-39bc1e8ee328
Auditing: System must be configured to audit System - Other System Events failures
501bae98-8af9-4dd4-b71e-30fc202958d5
Auditing: System must be configured to audit System - Other System Events successes
ffcd14a5-06ae-44e3-846b-c0661de732a6
Auditing: System must be configured to audit System - Security State Change successes
38e08d5e-0bc4-41e9-aec3-d30e8b243af6
Auditing: System must be configured to audit System - Security System Extension successes
cac02598-d29e-489c-afe0-8349bd676bf6
Auditing: System must be configured to audit System - System Integrity failures
0634f6e9-e443-4576-b0a2-e7013116b350
Auditing: System must be configured to audit System - System Integrity successes
14903b11-6904-4913-a981-5f3422dafaa4
Auditing: System must be configured to audit logoff successes
282bb2eb-115f-483f-85fb-637124552335
Auditing: System must be configured to audit logon failures
b052b9fc-5f3e-45e6-94f6-e0823790f14c
Auditing: System must be configured to audit logon successes
d46bf70a-28b8-489a-bb63-b549d576fc4f
Auditing: Windows must be configured to audit Logon/Logoff - Account Lockout Failures
bdab6cee-183b-4d5c-a916-853606d1a192
Auditing: Windows must be configured to audit System - IPsec Driver failures
2189409b-e597-47c5-a781-728c637258ae
Auditing: Windows must be configured to audit System - IPsec Driver successes
b67f6feb-ff6f-4e4c-a9d4-1d6cc8fd3fbd
Autoplay: Should be disabled for all drives
2cb75d59-8ef3-4fa3-90e1-8bec9e51c703
Autorun: behavior must be configured to prevent Autorun commands
746184bf-3f96-4365-8bb4-c7abf8a772ac
Compliance: BitLocker should use AES 256 encryption
77de846e-473b-4c4d-8d70-85d27342fc45
Compliance: System must be configured to use FIPS-compliant algorithms for encryption, hashing, and signing
330f6517-5c88-4086-b456-d3026307c001
Credentials: WDigest Authentication must be disabled
13cb0c87-4b9a-4923-9768-87bafab6ef87
Debug Programs: User right must only be assigned to the Administrators group
76794e3a-d350-45a6-adf9-a4a9708271f9
Domain Controller: Add workstations to domain user right must only be assigned to the Administrators group on domain controllers
e88ec1dd-3e44-424f-930e-fde45ff8192b
Domain Controller: Allow log on through RD Services user right must only be assigned to the Adminis group
2d18c798-214a-4d1a-bbcc-282823e624a9
Domain Controller: Computer clock synchronization tolerance must be limited to five minutes or less
7b0ab870-00dd-4b1a-ac97-c297ae40215e
Domain Controller: Deny access to this computer from the network user right on DC must be configured to prevent unauth access
80a51e10-6e8d-4c26-9493-d3a41e531df0
Domain Controller: Kerberos policy user ticket renewal maximum lifetime must be limited to seven days or less
dd26607b-dc40-4958-9506-1bda6ee1de47
Domain Controller: Kerberos service ticket maximum lifetime must be limited to 600 minutes or less
62124d83-b9c6-4b9b-a580-eafd2c103cef
Domain Controller: Kerberos user logon restrictions must be enforced
4ba38a42-507b-4cf9-842d-d8ea09801e59
Domain Controller: Kerberos user ticket lifetime must be limited to 10 hours or less
b3bcdbc8-dfe2-4660-92f6-390d677ffb38
Domain Controller: Must be configured to allow reset of machine account passwords
4d599278-5660-4513-abe4-715f546475bb
Domain Controller: Must require LDAP access signing
9e1e28ee-d597-49db-b33d-cfee0ba15c69
Domain Controller: Network access must be limited to Admins, Authenticated Users, and Enterprise Domain Controllers
8963a7ff-817a-456e-9e65-fc6ecc10147e
Domain Controller: Permissions on the Active Directory data files must only allow System and Administrators access
1bb127e7-c293-41f4-a937-c9c76d35cb8a
Domain Controller: SYSVOL directory must have proper access control permissions
15074903-9e8a-4d2f-b6d4-4e5ab30e64d7
Domain Controller: System must be configured for certificate-based authentication for domain controllers
7b08353a-c241-4eb7-b1fd-872b7cf5528e
Domain Controller: The password for the krbtgt account on a domain must be reset at least every 180 days
18ef977d-1c89-4ea7-ac53-0438873cb1db
Domain Controllers: Deny log on locally user right on domain controllers must be configured to prevent unauthenticated access
8d9748ad-695f-489e-bf31-4d1e8e397a7b
Domain Member: Must be running Credential Guard on domain-joined members
52b8eaca-e97b-4b7b-bda8-2f67dd947dbc
Domain Member: Caching of logon credentials must be limited - Desktop
a256ebbf-e5b2-4b73-a375-6587c8d1b0ba
Domain Member: Digitally encrypt or sign secure channel data (always) must be set to Enabled
8d6589f4-20fe-4018-bc26-7891353eac40
Domain Member: Digitally encrypt secure channel data (when possible) must be set to Enabled
9a6ea78e-a170-4015-9193-666f003f74f4
Domain Member: Digitally sign secure channel data (when possible) must be set to Enabled
5ef4fc08-d231-41c5-95c2-1bb8abc26209
Domain Member: Domain-joined systems must have a Trusted Platform Module (TPM) enabled and ready for use
b7074672-cbee-4409-a64a-9b03894fcf2f
Domain Member: Group policy objects must be reprocessed even if they have not changed
0652c1f1-ca23-46d0-a60f-7f62281b866e
Domain Member: Local users on domain-joined member servers must not be enumerated
a115da09-58b1-40dd-85ca-6f6e4cac977d
Domain Member: Maximum age for machine account passwords must be configured to 30 days or less
ad52728e-be9b-4ab7-b329-5b11001e42de
Domain Member: must be configured to at least negotiate signing for LDAP client signing
5c9b1fb7-3d92-4d13-be5f-13d7894e50d0
Domain Member: must limit the caching of logon credentials to four or less - Server
95498795-fa0a-428a-8fd8-bbcc31cb79e8
Exchange Server: Build Version Check (Exchange Updated)
7772c56a-ec1f-43d5-b8ce-548359123060
Exploit Protection: Structured Exception Handling Overwrite Protection (SEHOP) must be enabled
d50f88d1-0103-4194-9add-21f3846dc0d2
Exploit Protection: system-level mitigation, Validate exception chains (SEHOP) must be on
3f0d630e-d744-450e-8e8a-6478118649fb
FIPS 140: Security Requirements for Cryptographic Modules
b6109218-a32b-479a-8465-055340a1759c
File System: Local volumes must be formatted with NTFS
b6493fb9-ad83-494c-93e3-3dbfaeb9b303
File System: Turning off File Explorer heap termination on corruption must be disabled
c7d4943e-c832-42d8-9b4b-423fb7c7dd37
File System: Windows must prevent Indexing of encrypted files
138956a4-8987-4f7f-b830-bf58e4ca7778
General: AntiVirus/Antimalware Status
6d48a68a-3e44-4a00-8d42-670e41c9942c
General: Downloading print driver packages over HTTP must be turned off
925b056c-6bae-4e27-aa19-f8d383455774
General: Early Launch Antimalware, Boot-Start Driver Initialization Policy must prevent boot drivers identified as bad
a9b5b413-0fc5-49c2-ab77-6761b329950c
General: Internet Information System (IIS) or its subcomponents must not be installed on a workstation
06778df5-6411-408f-9ea9-6637a3f5aab2
General: Machine inactivity limit must be set to 15 minutes or less, locking the system with the screen saver
bf06c136-7223-41ac-8288-e0940126a884
General: Printing over HTTP must be turned off
21735bdc-fd91-44a8-beca-9a48b6c5e166
General: Solicited Remote Assistance must not be allowed
ac242343-8a24-414b-8615-7de95dffd90d
General: The Microsoft Defender SmartScreen for Explorer must be enabled (Desktop)
4d189e65-af8b-463f-95d1-3880b7c459ec
General: Windows Defender SmartScreen must be enabled (Server)
4595ee72-d404-4b45-aae4-102fefd1a165
General: Windows firewall status
1f229f09-4c15-4bfe-b9f7-ed63d03cd70e
General: Windows must prevent the display of slide shows on the lock screen
f63c8b4d-8b8d-4327-8c5a-5bc64bf7245c
Internet Browser: Attachments must be prevented from being downloaded from RSS feeds
5ba4fbad-193e-4b62-8326-4bd0705112bd
Internet Browser: Basic authentication for RSS feeds over HTTP must not be used
a140d78e-249b-4c39-9d82-f54aeef02be0
Logon: Enable Display Last Logon Info
a108b75a-f851-4e02-b377-1bc6a2698949
Logon: Network selection UI must not be displayed
3476077b-5d03-4819-9ef0-213402f37eed
Logon: Require CTRL+ALT+DEL for interactive logons
d2d523f6-4e7a-46e3-b553-ab395a7563e4
Logon: Required legal notice must be configured to display before console logon
80422550-1cbd-4710-adcc-957dec2da87d
Logon: Smart Card removal option must be configured to Force Logoff or Lock Workstation
1cf17a56-a4f1-419e-9a3a-295b06486df5
Logon: Title for legal banner dialog box must be configured with the appropriate text
dbb83450-8da5-4977-9e2c-d87307f92015
Microsoft Edge: The Windows Defender SmartScreen filter for Microsoft Edge must be enabled (Windows 10)
7a337b09-3a6f-4270-8611-005b2a71cba4
Microsoft Edge: Users must not be allowed to ignore SmartScreen filter warnings for unverified files (Windows 10)
cc4e8e33-1af6-4c11-b010-2d102e48a767
Microsoft Edge: Users must not be allowed to ignore Windows Defender SmartScreen filter warnings (Windows 10)
857ef3ca-acd6-4d9e-900c-211b7ea5a04d
Microsoft Edge: Windows 10 must be configured to prevent certificate error overrides in Microsoft Edge (Windows 10)
0d7e861b-915f-42c7-ade4-1bef056aac90
Network Access: Do not allow anonymous enumeration of Security Account Manager (SAM) accounts
752e0588-decf-451b-9fef-cc3235765d54
Network Access: Do not allow anonymous enumeration of shares
0d97c353-2198-4a09-a41b-9df3498067dc
Network Access: Insecure logons to an SMB server must be disabled
5b92eab1-8909-4598-8e4c-61eeb308c9f9
Network Access: Kerberos encryption types must be configured to prevent the use of DES and RC4 encryption suites
582c56ca-6381-4b12-aca9-13cdfc465e73
Network Access: LAN Manager authentication level must be configured to send NTLMv2 response only and refuse LM and NTLM
2718ea3f-5f25-4e6d-a693-3c426f14357f
Network Access: Microsoft network Client: Digitally sign communications (always) must be configured to Enabled
af452788-473f-4255-bb87-72b7390e187f
Network Access: Microsoft network Client: Digitally sign communications (if server agrees) must be configured to Enabled
a35d34f6-b9b1-4c82-8cac-31a7c4fdbc14
Network Access: Microsoft network Server: Digitally sign communications (always) must be configured to Enabled
707d1ae2-c6f2-46af-966d-d3559db69094
Network Access: Microsoft network Server: Digitally sign communications (if client agrees) must be configured to Enabled
189e99fb-1c5c-43ed-b044-4dcbccf3820f
Network Access: Must Have the Server Message Block (SMB) v1 protocol disabled on the SMB client
78c4c60a-a039-4a47-b614-3138d7bcfe4f
Network Access: Must be configured to prevent anonymous users from having the same permissions as the Everyone group
35f2c214-8c49-47cf-b324-9f7620f8dd16
Network Access: Must have the Server Message Block (SMB) v1 protocol disabled on the SMB server
9a3ba1fc-6a60-4752-9827-152b821e5c0a
Network Access: Must prevent NTLM from falling back to a Null session
793452ad-d37f-461b-a270-cc4e0ea1c2a5
Network Access: Restrict anonymous access to Named Pipes and Shares
e7aa340c-ec27-4603-b780-851d94a0ecbf
Network Access: Restrict remote calls to the Security Account Manager [SAM] to Administrators
6f17b478-ef66-4c12-8e61-0ffaae9cd6b4
Network Access: Services using Local System when reverting to NTLM authentication must use computer identity
0b49395c-beb5-480b-a1b8-1096622607a1
Network Access: Setting Microsoft network server: Digitally sign communications (if client agrees) must be Enabled
c32fbe11-2738-4670-929b-b799d4a8a042
Network Access: System must be configured to require a strong session key
4332cad0-613a-47fb-ba71-a0ad576651b5
Network Access: System must not allow anonymous SID/Name translation
d31fa8ca-fc90-4361-9438-6a070d064974
Network Access: System must prevent PKU2U authentication using online identities
62385837-ef10-43ae-b1db-590f32a082c8
Network Access: Unencrypted passwords must not be sent to third-party Server Message Block (SMB) servers
9cce3400-f772-4b0c-8f12-11157e102f87
Network Access: Windows must not have the Server Message Block (SMB) v1 protocol installed
934a1499-9d7e-407b-86ab-9a58e10f4ed1
Network: Internet Protocol version 6 (IPv6) source routing must use highest protection level to prevent IP source routing
d5030382-fcd1-4d7c-88e3-f1defebc7cf0
Network: Simple TCP/IP Services must not be installed on the system
d0f0e951-4cca-4ca9-9b9e-e9e13e39ca99
Network: Source routing must be configured to the highest protection level to prevent Internet Protocol (IP) source routing
655d213f-bed4-43aa-9bbf-f4bf77a2defd
Network: System be configured to prevent ICMP redirects from overriding Open Shortest Path First (OSPF)-generated
20d9022d-7c47-4bd5-9748-c910f27509d0
Network: System must be configured to ignore NetBIOS name release requests except from WINS servers
26cbf73b-1296-4dfa-bad1-8d0d4c9a2954
Passwords: Maximum Password Age
794aed82-0f0a-46e0-8135-204c50b12462
Passwords: Minimum Password Age
c3b194cc-701a-43f4-bd84-86caada64337
Passwords: Windows must be configured to prevent the storage of the LAN Manager hash of passwords
8fbc83d9-7409-41aa-bf3c-a2360a8d9749
Passwords: history must be configured to 24 passwords remembered
d0163b5f-23ab-4377-bc49-709e891a6b2b
Passwords: must be configured to expire
89d6a5d0-bc9a-4c29-9a58-3764c36677ab
Passwords: must, at a minimum, be 14 characters
e352dda0-c735-4b4e-ba26-097f5dbab32c
PowerShell: Script block logging must be enabled
ab3e18c8-5f9b-4a08-8474-ff10619965bd
PowerShell: v2 should not be installed / enabled
f69ae077-386f-4543-9036-30e5b3377f62
Printing: Prevent users from installing printer drivers
889cec97-07a1-4c83-b5cb-c4d92203aa17
Privacy: Windows Telemetry must not be set to Full
0001b667-c79a-4486-802c-32d860cae99e
Remote Desktop: Access this computer from the network user right must only be assigned to the Admins and RD Users groups
81b2dce5-a703-4bc0-a9e8-a8f59959c1e1
Remote Desktop: Idle session time limit
a06670b6-460f-45ae-93ef-02d41f52d45e
Remote Desktop: Must always prompt a client for passwords upon connection
8cbb9955-eb5c-4bcf-9352-3bbc31f7ed71
Remote Desktop: Must be configured with the client connection encryption set to High Level
0cf4a80a-705e-4831-9e1d-bc91c93e4625
Remote Desktop: Must not save passwords in the Remote Desktop Client
bfb98113-cc94-400b-a385-af36657755f6
Remote Desktop: Must require secure Remote Procedure Call (RPC) communications
20a8c861-e142-4e51-bf82-b0ef8bd1343c
Remote Management: Unauthenticated RPC clients must be restricted from connecting to the RPC server
56db7e62-0a85-4531-9e71-97528bd04e43
Remote Management: Windows Remote Management (WinRM) client must not allow unencrypted traffic
0ccb829b-b4e0-45eb-9ba8-82a643949d74
Remote Management: Windows Remote Management (WinRM) client must not use Basic authentication
e4dd3ff4-f585-4e08-b91e-8bb3e02737c5
Remote Management: Windows Remote Management (WinRM) client must not use Digest authentication
1a0eb6a5-9009-4dc3-b12f-bed65052c49d
Remote Management: Windows Remote Management (WinRM) service must not allow unencrypted traffic
39413247-a65e-4c0f-ad88-481cc82b1610
Remote Management: Windows Remote Management (WinRM) service must not store RunAs credentials
84308839-5335-424f-bd4b-79b1c463e4d6
Remote Management: Windows Remote Management (WinRM) service must not use Basic authentication
4edbaac6-37f7-4a8f-a4d1-d5dd241d1c6d
Security: Access this computer from the network must be limited to Admins and Authenticated Users
961bf729-aa12-43fa-ab18-cd299df655b7
Security: Act as part of the operating system user right must not be assigned to any groups or accounts
5d1e7771-206b-47d5-b12c-287ccd360164
Security: Create a token object user right must not be assigned to any groups or accounts
95b6abcc-8651-42e0-83e8-1397a9df5442
Security: Kernel (Direct Memory Access) DMA Protection must be enabled
7464d97c-90d5-49f3-8f02-e3c5e854744d
Security: System default permissions of global system objects must be strengthened
5e582017-d8f1-44dd-8d33-24a7d8ef496e
Security: System must have orphaned security identifiers (SIDs) removed from user rights
2b73adc9-8ed0-41c7-8ffe-30e59930865f
Security: System must preserve zone information when saving attachments
3e0b99c8-17de-4faa-8330-9b82090603ff
Security: Systems must have UEFI firmware and be configured to run in UEFI mode, not Legacy BIOS
e0fcf99c-99e4-44e1-ba65-7799bb95df91
Security: TLS/SSL Insecure Ciphers (SCHANNEL)
78fcd8a8-18af-49f4-8a64-bccb901e5557
Threat Intel: Attack Vector: Vulnerable Fan Driver (WinRing0x64 sys)
8d1e0d7a-165c-4ba4-bc06-59a8fc8ea705
Windows Installer: Disable -Always install with elevated privileges- option
a6d113ff-fd83-4631-84b3-f58e266b4976
Windows Installer: Must prevent users from changing installation options
938832a1-8ded-48d6-99b6-2b783cd2d3ae
Windows OS: Build Version Check (End Of Life)
07b6c273-cdb3-4a4d-889d-d1d54dc0eb5f
Windows OS: Build Version Check (OS Updated)
c7b058ab-6360-4b5d-9cd2-45eafef8c489
Windows OS: Data Execution Prevention (DEP) must be configured to at least OptOut
df8e6841-1dd4-42ce-b374-28f997e12b6d
Windows OS: Explorer Data Execution Prevention must be enabled
c4e3c7a1-5b63-407a-8eb9-c6a4b52b9f93
Windows OS: Must not have the Fax Server role installed
f5e7d547-a431-4a6e-b4bd-b95e6e8cac99
Windows OS: Must not have the Microsoft FTP service installed
b9695d6b-88c2-41e6-9fd9-611790f33f59
Windows OS: Must not have the Peer Name Resolution Protocol installed
58ca06da-2c01-47dc-8d37-ff0afe984eed
Windows OS: Must not have the TFTP Client Installed
a5eca000-8a44-410e-ab8d-9f7eeae34216
Windows OS: Must not have the Telnet Client Installed
8fbc28fc-2d54-4b3c-af3f-9ec8d62e959b