Accounts: Administrator accounts must not be enumerated during elevation
f3afb7e7-d38a-42f2-8290-56da3b445913
Accounts: Deny log on locally user right must be configured to prevent access from highly privileged domain accounts
fd44a45e-ef9e-4c54-bebf-22bba68a185c
Accounts: Local Guest account should be disabled
538d811a-0a0a-4336-8294-63bc2c092ebb
Accounts: Lockout duration must be configured to 15 minutes or greater
d9b675fb-1bb2-4ff3-88ea-0e74ab40e2a7
Accounts: Must have the built-in Windows password complexity policy enabled
be6a2756-21d7-452c-b0a1-e6032f14f422
Accounts: Must have the period of time before the bad logon counter is reset configured to 15 minutes or greater
56655e04-3824-4810-9be4-aaa6e1c1c2ac
Accounts: Must require passwords
00279417-0255-4ff4-8b5c-dbb7866085e2
Accounts: Reversible password encryption must be disabled
71ebd815-0ca9-44c9-b7b8-c96e155e7afb
Accounts: The number of allowed bad logon attempts must be configured to three or less
409871a1-6b58-45ab-9dfd-8b40e948ecd2
Accounts: Users must be prompted to authenticate when the system wakes from sleep (on battery)
ef3c9259-d0d3-434a-8e7c-ab945deaa3f0
Accounts: Users must be prompted to authenticate when the system wakes from sleep (plugged in)
bf4a43bc-9605-4596-a562-5e4073fe21d5
Accounts: Users must be required to enter a password to access private keys stored on the computer
c9946229-3c27-4eb5-ae8f-6f777a9ad637
Accounts: must disable automatically signing in the last interactive user after a system-initiated restart
30d230a9-ff8e-44a2-ac87-f35b77bff14a
Auditing: Command line data must be included in process creation events
c787dcd2-355b-4ff5-8265-3eb860f11670
Auditing: Event Log / Viewer must be protected from unauthorized modification and deletion
09651036-eca5-4f3a-83fb-0ff12719b201
Auditing: Event Log size for Application log must be at least 32768 KB
b38cea25-93f2-42d7-ac5f-f2c1e93f974a
Auditing: Event Log size for Security log must be at least 196608 KB
f9befa07-2636-4c53-a43f-db2035b9cdff
Auditing: Event Log size for System log must be at least 32768 KB
4decda12-e17d-45d8-bb5e-53f26706acbf
Auditing: Must force audit policy subcategory settings to override audit policy category settings
9929dbd2-a4fb-40ea-9a2d-8a1db39a5729
Auditing: Removable Storage
af074caf-14a4-41f5-9ebd-e2214dc48240
Autoplay: Should be disabled for all drives
2cb75d59-8ef3-4fa3-90e1-8bec9e51c703
Autorun: behavior must be configured to prevent Autorun commands
746184bf-3f96-4365-8bb4-c7abf8a772ac
Compliance: BitLocker should be configured in FIPS mode
330f6517-5c88-4086-b456-d3026307c001
Compliance: BitLocker should use AES 256 encryption
77de846e-473b-4c4d-8d70-85d27342fc45
Debug Programs: User right must only be assigned to the Administrators group
76794e3a-d350-45a6-adf9-a4a9708271f9
Domain Controller: Must be configured to allow reset of machine account passwords
4d599278-5660-4513-abe4-715f546475bb
Domain Controller: Must require LDAP access signing
9e1e28ee-d597-49db-b33d-cfee0ba15c69
Domain Controller: Permissions on the Active Directory data files must only allow System and Administrators access
1bb127e7-c293-41f4-a937-c9c76d35cb8a
Domain Controller: SYSVOL directory must have proper access control permissions
15074903-9e8a-4d2f-b6d4-4e5ab30e64d7
Domain Controller: The password for the krbtgt account on a domain must be reset at least every 180 days
18ef977d-1c89-4ea7-ac53-0438873cb1db
Domain Controllers: Accounts: Deny log on locally user right must be configured to prevent access from highly privileged domain accounts
8d9748ad-695f-489e-bf31-4d1e8e397a7b
Domain Member: Must be running Credential Guard on domain-joined members
52b8eaca-e97b-4b7b-bda8-2f67dd947dbc
Domain Member: Digitally sign secure channel data (when possible) must be configured to Enabled
5ef4fc08-d231-41c5-95c2-1bb8abc26209
Domain Member: Group policy objects must be reprocessed even if they have not changed
0652c1f1-ca23-46d0-a60f-7f62281b866e
Domain Member: LDAP client signing requirements
5c9b1fb7-3d92-4d13-be5f-13d7894e50d0
Domain Member: Local users on domain-joined member servers must not be enumerated
a115da09-58b1-40dd-85ca-6f6e4cac977d
Exchange Server: Build Version Check (Exchange Updated)
7772c56a-ec1f-43d5-b8ce-548359123060
FIPS 140: Security Requirements for Cryptographic Modules
b6109218-a32b-479a-8465-055340a1759c
File System: Local volumes must be formatted with NTFS
b6493fb9-ad83-494c-93e3-3dbfaeb9b303
General: AntiVirus/Antimalware Status
6d48a68a-3e44-4a00-8d42-670e41c9942c
General: Machine inactivity limit must be set to 15 minutes or less, locking the system with the screen saver
bf06c136-7223-41ac-8288-e0940126a884
General: Windows Defender SmartScreen must be enabled (Server)
4595ee72-d404-4b45-aae4-102fefd1a165
Logon: Network selection UI must not be displayed
3476077b-5d03-4819-9ef0-213402f37eed
Network Access: Do not allow anonymous enumeration of SAM accounts and shares
752e0588-decf-451b-9fef-cc3235765d54
Network Access: Microsoft network Client: Digitally sign communications (always) must be configured to Enabled
af452788-473f-4255-bb87-72b7390e187f
Network Access: Microsoft network Client: Digitally sign communications (if server agrees) must be configured to Enabled
a35d34f6-b9b1-4c82-8cac-31a7c4fdbc14
Network Access: Microsoft network Server: Digitally sign communications (always) must be configured to Enabled
707d1ae2-c6f2-46af-966d-d3559db69094
Network Access: Microsoft network Server: Digitally sign communications (if client agrees) must be configured to Enabled
189e99fb-1c5c-43ed-b044-4dcbccf3820f
Network Access: Must be configured to prevent anonymous users from having the same permissions as the Everyone group
35f2c214-8c49-47cf-b324-9f7620f8dd16
Network Access: Must have the Server Message Block (SMB) v1 protocol disabled on the SMB server
9a3ba1fc-6a60-4752-9827-152b821e5c0a
Network Access: Must prevent NTLM from falling back to a Null session
793452ad-d37f-461b-a270-cc4e0ea1c2a5
Network Access: Restrict anonymous access to Named Pipes and Shares
e7aa340c-ec27-4603-b780-851d94a0ecbf
Network Access: Services using Local System when reverting to NTLM authentication must use computer identity
0b49395c-beb5-480b-a1b8-1096622607a1
Network Access: The Server Message Block (SMB) v1 protocol must be disabled on the SMB client
78c4c60a-a039-4a47-b614-3138d7bcfe4f
Network Access: Unencrypted passwords must not be sent to third-party Server Message Block (SMB) servers
9cce3400-f772-4b0c-8f12-11157e102f87
Network: Internet Protocol version 6 (IPv6) source routing must use highest protection level to prevent IP source routing
d5030382-fcd1-4d7c-88e3-f1defebc7cf0
Network: Source routing must be configured to the highest protection level to prevent Internet Protocol (IP) source routing
655d213f-bed4-43aa-9bbf-f4bf77a2defd
Passwords: Enforce history
d0163b5f-23ab-4377-bc49-709e891a6b2b
Passwords: Maximum Age
794aed82-0f0a-46e0-8135-204c50b12462
Passwords: Minimum Password Age
c3b194cc-701a-43f4-bd84-86caada64337
Passwords: Minimum length
e352dda0-c735-4b4e-ba26-097f5dbab32c
Remote Desktop Services: Idle session time limit
a06670b6-460f-45ae-93ef-02d41f52d45e
Remote Management: Windows Remote Management (WinRM) client must not use Digest authentication
1a0eb6a5-9009-4dc3-b12f-bed65052c49d
TLS/SSL Insecure Ciphers (SCHANNEL)
78fcd8a8-18af-49f4-8a64-bccb901e5557
Windows OS: Build Version Check (End Of Life)
07b6c273-cdb3-4a4d-889d-d1d54dc0eb5f