CMMC Coverage Report

Summary

OS	Mapped	Total
Windows 2012 R2	178 (100%)	178
Windows 2016	320 (100%)	320
Windows 2019	209 (100%)	209
Windows 2022	207 (100%)	207

Detail

Mapped

The following controls are mapped:

Windows 2012 R2 (178/178 [100%])

oval:simp.cis.2.6.0.windows2012R2.2.3.5.5_L1_Ensure_Domain_controller_Refuse_machine_account_password_changes_is_set_to_Disabled_DC_only:def:1
- Title: (L1) Ensure ‘Domain controller: Refuse machine account password changes’ is set to ‘Disabled’ (DC only)
oval:simp.cis.2.6.0.windows2012R2.18.9.41.1.1_L2_Ensure_Turn_off_Windows_Location_Provider_is_set_to_Enabled:def:1
- Title: (L2) Ensure ‘Turn off Windows Location Provider’ is set to ‘Enabled’
oval:simp.cis.2.6.0.windows2012R2.19.7.47.2.1_L2_Ensure_Prevent_Codec_Download_is_set_to_Enabled:def:1
- Title: (L2) Ensure ‘Prevent Codec Download’ is set to ‘Enabled’
- NOTE: This is a per-user setting that SIMP cannot directly enforce at this time.
- NOTE: Group Policy templates enforcing this setting that can be imported to Active Directory are provided on the Domain Controllers.
oval:simp.cis.2.6.0.windows2012R2.2.2.48_L1_Ensure_Take_ownership_of_files_or_other_objects_is_set_to_Administrators:def:1
- Title: (L1) Ensure ‘Take ownership of files or other objects’ is set to ‘Administrators’
oval:simp.cis.2.6.0.windows2012R2.2.3.10.12_L1_Ensure_Network_access_Shares_that_can_be_accessed_anonymously_is_set_to_None:def:1
- Title: (L1) Ensure ‘Network access: Shares that can be accessed anonymously’ is set to ‘None’
oval:simp.cis.2.6.0.windows2012R2.17.6.1_L1_Ensure_Audit_Detailed_File_Share_is_set_to_include_Failure:def:1
- Title: (L1) Ensure ‘Audit Detailed File Share’ is set to include ‘Failure’
oval:simp.cis.2.6.0.windows2012R2.17.6.2_L1_Ensure_Audit_File_Share_is_set_to_Success_and_Failure:def:1
- Title: (L1) Ensure ‘Audit File Share’ is set to ‘Success and Failure’
oval:simp.cis.2.6.0.windows2012R2.19.7.28.1_L1_Ensure_Prevent_users_from_sharing_files_within_their_profile._is_set_to_Enabled:def:1
- Title: (L1) Ensure ‘Prevent users from sharing files within their profile.’ is set to ‘Enabled’
- NOTE: This is a per-user setting that SIMP cannot directly enforce at this time.
- NOTE: Group Policy templates enforcing this setting that can be imported to Active Directory are provided on the Domain Controllers.
oval:simp.cis.2.6.0.windows2012R2.2.3.1.1_L1_Ensure_Accounts_Administrator_account_status_is_set_to_Disabled_MS_only:def:1
- Title: (L1) Ensure ‘Accounts: Administrator account status’ is set to ‘Disabled’ (MS only)
oval:simp.cis.2.6.0.windows2012R2.2.3.1.3_L1_Ensure_Accounts_Guest_account_status_is_set_to_Disabled_MS_only:def:1
- Title: (L1) Ensure ‘Accounts: Guest account status’ is set to ‘Disabled’ (MS only)
oval:simp.cis.2.6.0.windows2012R2.1.2.1_L1_Ensure_Account_lockout_duration_is_set_to_15_or_more_minutes:def:1
- Title: (L1) Ensure ‘Account lockout duration’ is set to ‘15 or more minute(s)’
oval:simp.cis.2.6.0.windows2012R2.1.2.2_L1_Ensure_Account_lockout_threshold_is_set_to_5_or_fewer_invalid_logon_attempts_but_not_0:def:1
- Title: (L1) Ensure ‘Account lockout threshold’ is set to ‘5 or fewer invalid logon attempt(s), but not 0’
oval:simp.cis.2.6.0.windows2012R2.2.3.7.3_L1_Ensure_Interactive_logon_Machine_inactivity_limit_is_set_to_900_or_fewer_seconds_but_not_0:def:1
- Title: (L1) Ensure ‘Interactive logon: Machine inactivity limit’ is set to ‘900 or fewer second(s), but not 0’
oval:simp.cis.2.6.0.windows2012R2.2.3.7.8_L1_Ensure_Interactive_logon_Require_Domain_Controller_Authentication_to_unlock_workstation_is_set_to_Enabled_MS_only:def:1
- Title: (L1) Ensure ‘Interactive logon: Require Domain Controller Authentication to unlock workstation’ is set to ‘Enabled’ (MS only)
oval:simp.cis.2.6.0.windows2012R2.2.3.7.9_L1_Ensure_Interactive_logon_Smart_card_removal_behavior_is_set_to_Lock_Workstation_or_higher:def:1
- Title: (L1) Ensure ‘Interactive logon: Smart card removal behavior’ is set to ‘Lock Workstation’ or higher
oval:simp.cis.2.6.0.windows2012R2.2.3.9.1_L1_Ensure_Microsoft_network_server_Amount_of_idle_time_required_before_suspending_session_is_set_to_15_or_fewer_minutes:def:1
- Title: (L1) Ensure ‘Microsoft network server: Amount of idle time required before suspending session’ is set to ‘15 or fewer minute(s)’
oval:simp.cis.2.6.0.windows2012R2.18.4.9_L1_Ensure_MSS_ScreenSaverGracePeriod_The_time_in_seconds_before_the_screen_saver_grace_period_expires_0_recommended_is_set_to_Enabled_5_or_fewer_seconds:def:1
- Title: (L1) Ensure ‘MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)’ is set to ‘Enabled: 5 or fewer seconds’
oval:simp.cis.2.6.0.windows2012R2.18.8.34.6.1_L1_Ensure_Require_a_password_when_a_computer_wakes_on_battery_is_set_to_Enabled:def:1
- Title: (L1) Ensure ‘Require a password when a computer wakes (on battery)’ is set to ‘Enabled’
oval:simp.cis.2.6.0.windows2012R2.18.8.34.6.2_L1_Ensure_Require_a_password_when_a_computer_wakes_plugged_in_is_set_to_Enabled:def:1
- Title: (L1) Ensure ‘Require a password when a computer wakes (plugged in)’ is set to ‘Enabled’
oval:simp.cis.2.6.0.windows2012R2.18.9.65.2.2_L1_Ensure_Do_not_allow_passwords_to_be_saved_is_set_to_Enabled:def:1
- Title: (L1) Ensure ‘Do not allow passwords to be saved’ is set to ‘Enabled’
oval:simp.cis.2.6.0.windows2012R2.18.9.65.3.10.1_L2_Ensure_Set_time_limit_for_active_but_idle_Remote_Desktop_Services_sessions_is_set_to_Enabled_15_minutes_or_less_but_not_Never_0:def:1
- Title: (L2) Ensure ‘Set time limit for active but idle Remote Desktop Services sessions’ is set to ‘Enabled: 15 minutes or less, but not Never (0)’
oval:simp.cis.2.6.0.windows2012R2.18.9.65.3.10.2_L2_Ensure_Set_time_limit_for_disconnected_sessions_is_set_to_Enabled_1_minute:def:1
- Title: (L2) Ensure ‘Set time limit for disconnected sessions’ is set to ‘Enabled: 1 minute’
oval:simp.cis.2.6.0.windows2012R2.18.9.91.1_L1_Ensure_Sign-in_and_lock_last_interactive_user_automatically_after_a_restart_is_set_to_Disabled:def:1
- Title: (L1) Ensure ‘Sign-in and lock last interactive user automatically after a restart’ is set to ‘Disabled’
oval:simp.cis.2.6.0.windows2012R2.19.1.3.1_L1_Ensure_Enable_screen_saver_is_set_to_Enabled:def:1
- Title: (L1) Ensure ‘Enable screen saver’ is set to ‘Enabled’
- NOTE: This is a per-user setting that SIMP cannot directly enforce at this time.
- NOTE: Group Policy templates enforcing this setting that can be imported to Active Directory are provided on the Domain Controllers.
oval:simp.cis.2.6.0.windows2012R2.19.1.3.2_L1_Ensure_Password_protect_the_screen_saver_is_set_to_Enabled:def:1
- Title: (L1) Ensure ‘Password protect the screen saver’ is set to ‘Enabled’
- NOTE: This is a per-user setting that SIMP cannot directly enforce at this time.
- NOTE: Group Policy templates enforcing this setting that can be imported to Active Directory are provided on the Domain Controllers.
oval:simp.cis.2.6.0.windows2012R2.19.1.3.3_L1_Ensure_Screen_saver_timeout_is_set_to_Enabled_900_seconds_or_fewer_but_not_0:def:1
- Title: (L1) Ensure ‘Screen saver timeout’ is set to ‘Enabled: 900 seconds or fewer, but not 0’
- NOTE: This is a per-user setting that SIMP cannot directly enforce at this time.
- NOTE: Group Policy templates enforcing this setting that can be imported to Active Directory are provided on the Domain Controllers.
oval:simp.cis.2.6.0.windows2012R2.19.5.1.1_L1_Ensure_Turn_off_toast_notifications_on_the_lock_screen_is_set_to_Enabled:def:1
- Title: (L1) Ensure ‘Turn off toast notifications on the lock screen’ is set to ‘Enabled’
- NOTE: This is a per-user setting that SIMP cannot directly enforce at this time.
- NOTE: Group Policy templates enforcing this setting that can be imported to Active Directory are provided on the Domain Controllers.
oval:simp.cis.2.6.0.windows2012R2.18.9.8.1_L1_Ensure_Disallow_Autoplay_for_non-volume_devices_is_set_to_Enabled:def:1
- Title: (L1) Ensure ‘Disallow Autoplay for non-volume devices’ is set to ‘Enabled’
oval:simp.cis.2.6.0.windows2012R2.18.9.8.2_L1_Ensure_Set_the_default_behavior_for_AutoRun_is_set_to_Enabled_Do_not_execute_any_autorun_commands:def:1
- Title: (L1) Ensure ‘Set the default behavior for AutoRun’ is set to ‘Enabled: Do not execute any autorun commands’
oval:simp.cis.2.6.0.windows2012R2.18.9.8.3_L1_Ensure_Turn_off_Autoplay_is_set_to_Enabled_All_drives:def:1
- Title: (L1) Ensure ‘Turn off Autoplay’ is set to ‘Enabled: All drives’
oval:simp.cis.2.6.0.windows2012R2.18.5.21.2_L2_Ensure_Prohibit_connection_to_non-domain_networks_when_connected_to_domain_authenticated_network_is_set_to_Enabled_MS_only:def:1
- Title: (L2) Ensure ‘Prohibit connection to non-domain networks when connected to domain authenticated network’ is set to ‘Enabled’ (MS only)
oval:simp.cis.2.6.0.windows2012R2.2.2.5_L1_Ensure_Add_workstations_to_domain_is_set_to_Administrators_DC_only:def:1
- Title: (L1) Ensure ‘Add workstations to domain’ is set to ‘Administrators’ (DC only)
oval:simp.cis.2.6.0.windows2012R2.2.2.8_L1_Ensure_Allow_log_on_through_Remote_Desktop_Services_is_set_to_Administrators_DC_only:def:1
- Title: (L1) Ensure ‘Allow log on through Remote Desktop Services’ is set to ‘Administrators’ (DC only)
oval:simp.cis.2.6.0.windows2012R2.2.2.9_L1_Ensure_Allow_log_on_through_Remote_Desktop_Services_is_set_to_Administrators_Remote_Desktop_Users_MS_only:def:1
- Title: (L1) Ensure ‘Allow log on through Remote Desktop Services’ is set to ‘Administrators, Remote Desktop Users’ (MS only)
oval:simp.cis.2.6.0.windows2012R2.2.3.17.1_L1_Ensure_User_Account_Control_Admin_Approval_Mode_for_the_Built-in_Administrator_account_is_set_to_Enabled:def:1
- Title: (L1) Ensure ‘User Account Control: Admin Approval Mode for the Built-in Administrator account’ is set to ‘Enabled’
oval:simp.cis.2.6.0.windows2012R2.18.3.1_L1_Ensure_Apply_UAC_restrictions_to_local_accounts_on_network_logons_is_set_to_Enabled_MS_only:def:1
- Title: (L1) Ensure ‘Apply UAC restrictions to local accounts on network logons’ is set to ‘Enabled’ (MS only)
oval:simp.cis.2.6.0.windows2012R2.18.9.90.2_L1_Ensure_Always_install_with_elevated_privileges_is_set_to_Disabled:def:1
- Title: (L1) Ensure ‘Always install with elevated privileges’ is set to ‘Disabled’
oval:simp.cis.2.6.0.windows2012R2.19.7.43.1_L1_Ensure_Always_install_with_elevated_privileges_is_set_to_Disabled:def:1
- Title: (L1) Ensure ‘Always install with elevated privileges’ is set to ‘Disabled’
- NOTE: This is a per-user setting that SIMP cannot directly enforce at this time.
- NOTE: Group Policy templates enforcing this setting that can be imported to Active Directory are provided on the Domain Controllers.
oval:simp.cis.2.6.0.windows2012R2.18.4.8_L1_Ensure_MSS_SafeDllSearchMode_Enable_Safe_DLL_search_mode_recommended_is_set_to_Enabled:def:1
- Title: (L1) Ensure ‘MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)’ is set to ‘Enabled’
oval:simp.cis.2.6.0.windows2012R2.18.9.47.9.1_L1_Ensure_Scan_all_downloaded_files_and_attachments_is_set_to_Enabled:def:1
- Title: (L1) Ensure ‘Scan all downloaded files and attachments’ is set to ‘Enabled’
oval:simp.cis.2.6.0.windows2012R2.18.9.47.9.2_L1_Ensure_Turn_off_real-time_protection_is_set_to_Disabled:def:1
- Title: (L1) Ensure ‘Turn off real-time protection’ is set to ‘Disabled’
oval:simp.cis.2.6.0.windows2012R2.18.9.47.9.3_L1_Ensure_Turn_on_behavior_monitoring_is_set_to_Enabled:def:1
- Title: (L1) Ensure ‘Turn on behavior monitoring’ is set to ‘Enabled’
oval:simp.cis.2.6.0.windows2012R2.18.9.47.9.4_L1_Ensure_Turn_on_script_scanning_is_set_to_Enabled:def:1
- Title: (L1) Ensure ‘Turn on script scanning’ is set to ‘Enabled’
oval:simp.cis.2.6.0.windows2012R2.18.9.47.12.2_L1_Ensure_Turn_on_e-mail_scanning_is_set_to_Enabled:def:1
- Title: (L1) Ensure ‘Turn on e-mail scanning’ is set to ‘Enabled’
oval:simp.cis.2.6.0.windows2012R2.18.9.47.15_L1_Ensure_Turn_off_Microsoft_Defender_AntiVirus_is_set_to_Disabled:def:1
- Title: (L1) Ensure ‘Turn off Microsoft Defender AntiVirus’ is set to ‘Disabled’
oval:simp.cis.2.6.0.windows2012R2.19.7.4.2_L1_Ensure_Notify_antivirus_programs_when_opening_attachments_is_set_to_Enabled:def:1
- Title: (L1) Ensure ‘Notify antivirus programs when opening attachments’ is set to ‘Enabled’
- NOTE: This is a per-user setting that SIMP cannot directly enforce at this time.
- NOTE: Group Policy templates enforcing this setting that can be imported to Active Directory are provided on the Domain Controllers.
oval:simp.cis.2.6.0.windows2012R2.18.9.47.12.1_L1_Ensure_Scan_removable_drives_is_set_to_Enabled:def:1
- Title: (L1) Ensure ‘Scan removable drives’ is set to ‘Enabled’
oval:simp.cis.2.6.0.windows2012R2.2.3.4.1_L1_Ensure_Devices_Allowed_to_format_and_eject_removable_media_is_set_to_Administrators:def:1
- Title: (L1) Ensure ‘Devices: Allowed to format and eject removable media’ is set to ‘Administrators’
oval:simp.cis.2.6.0.windows2012R2.18.5.20.1_L2_Ensure_Configuration_of_wireless_settings_using_Windows_Connect_Now_is_set_to_Disabled:def:1
- Title: (L2) Ensure ‘Configuration of wireless settings using Windows Connect Now’ is set to ‘Disabled’
oval:simp.cis.2.6.0.windows2012R2.18.5.21.1_L1_Ensure_Minimize_the_number_of_simultaneous_connections_to_the_Internet_or_a_Windows_Domain_is_set_to_Enabled_1__Minimize_simultaneous_connections:def:1
- Title: (L1) Ensure ‘Minimize the number of simultaneous connections to the Internet or a Windows Domain’ is set to ‘Enabled: 1 = Minimize simultaneous connections’
oval:simp.cis.2.6.0.windows2012R2.18.8.22.1.6_L2_Ensure_Turn_off_printing_over_HTTP_is_set_to_Enabled:def:1
- Title: (L2) Ensure ‘Turn off printing over HTTP’ is set to ‘Enabled’
oval:simp.cis.2.6.0.windows2012R2.18.9.47.11.1_L2_Ensure_Configure_Watson_events_is_set_to_Disabled:def:1
- Title: (L2) Ensure ‘Configure Watson events’ is set to ‘Disabled’
oval:simp.cis.2.6.0.windows2012R2.2.2.30_L1_Ensure_Generate_security_audits_is_set_to_LOCAL_SERVICE_NETWORK_SERVICE:def:1
- Title: (L1) Ensure ‘Generate security audits’ is set to ‘LOCAL SERVICE, NETWORK SERVICE’
oval:simp.cis.2.6.0.windows2012R2.2.3.2.1_L1_Ensure_Audit_Force_audit_policy_subcategory_settings_Windows_Vista_or_later_to_override_audit_policy_category_settings_is_set_to_Enabled:def:1
- Title: (L1) Ensure ‘Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings’ is set to ‘Enabled’
oval:simp.cis.2.6.0.windows2012R2.18.8.53.1.1_L2_Ensure_Enable_Windows_NTP_Client_is_set_to_Enabled:def:1
- Title: (L2) Ensure ‘Enable Windows NTP Client’ is set to ‘Enabled’
oval:simp.cis.2.6.0.windows2012R2.18.8.53.1.2_L2_Ensure_Enable_Windows_NTP_Server_is_set_to_Disabled_MS_only:def:1
- Title: (L2) Ensure ‘Enable Windows NTP Server’ is set to ‘Disabled’ (MS only)
oval:simp.cis.2.6.0.windows2012R2.1.1.4_L1_Ensure_Minimum_password_length_is_set_to_14_or_more_characters:def:1
- Title: (L1) Ensure ‘Minimum password length’ is set to ‘14 or more character(s)’
oval:simp.cis.2.6.0.windows2012R2.1.1.5_L1_Ensure_Password_must_meet_complexity_requirements_is_set_to_Enabled:def:1
- Title: (L1) Ensure ‘Password must meet complexity requirements’ is set to ‘Enabled’
oval:simp.cis.2.6.0.windows2012R2.2.3.1.4_L1_Ensure_Accounts_Limit_local_account_use_of_blank_passwords_to_console_logon_only_is_set_to_Enabled:def:1
- Title: (L1) Ensure ‘Accounts: Limit local account use of blank passwords to console logon only’ is set to ‘Enabled’
oval:simp.cis.2.6.0.windows2012R2.18.2.1_L1_Ensure_LAPS_AdmPwd_GPO_Extension__CSE_is_installed_MS_only:def:1
- Title: (L1) Ensure LAPS AdmPwd GPO Extension / CSE is installed (MS only)
oval:simp.cis.2.6.0.windows2012R2.18.2.3_L1_Ensure_Enable_Local_Admin_Password_Management_is_set_to_Enabled_MS_only:def:1
- Title: (L1) Ensure ‘Enable Local Admin Password Management’ is set to ‘Enabled’ (MS only)
oval:simp.cis.2.6.0.windows2012R2.18.2.4_L1_Ensure_Password_Settings_Password_Complexity_is_set_to_Enabled_Large_letters__small_letters__numbers__special_characters_MS_only:def:1
- Title: (L1) Ensure ‘Password Settings: Password Complexity’ is set to ‘Enabled: Large letters + small letters + numbers + special characters’ (MS only)
oval:simp.cis.2.6.0.windows2012R2.18.2.5_L1_Ensure_Password_Settings_Password_Length_is_set_to_Enabled_15_or_more_MS_only:def:1
- Title: (L1) Ensure ‘Password Settings: Password Length’ is set to ‘Enabled: 15 or more’ (MS only)
oval:simp.cis.2.6.0.windows2012R2.1.1.6_L1_Ensure_Store_passwords_using_reversible_encryption_is_set_to_Disabled:def:1
- Title: (L1) Ensure ‘Store passwords using reversible encryption’ is set to ‘Disabled’
oval:simp.cis.2.6.0.windows2012R2.2.3.8.3_L1_Ensure_Microsoft_network_client_Send_unencrypted_password_to_third-party_SMB_servers_is_set_to_Disabled:def:1
- Title: (L1) Ensure ‘Microsoft network client: Send unencrypted password to third-party SMB servers’ is set to ‘Disabled’
oval:simp.cis.2.6.0.windows2012R2.2.3.11.5_L1_Ensure_Network_security_Do_not_store_LAN_Manager_hash_value_on_next_password_change_is_set_to_Enabled:def:1
- Title: (L1) Ensure ‘Network security: Do not store LAN Manager hash value on next password change’ is set to ‘Enabled’
oval:simp.cis.2.6.0.windows2012R2.18.3.7_L1_Ensure_WDigest_Authentication_is_set_to_Disabled:def:1
- Title: (L1) Ensure ‘WDigest Authentication’ is set to ‘Disabled’
oval:simp.cis.2.6.0.windows2012R2.18.4.1_L1_Ensure_MSS_AutoAdminLogon_Enable_Automatic_Logon_not_recommended_is_set_to_Disabled:def:1
- Title: (L1) Ensure ‘MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)’ is set to ‘Disabled’
oval:simp.cis.2.6.0.windows2012R2.1.2.3_L1_Ensure_Reset_account_lockout_counter_after_is_set_to_15_or_more_minutes:def:1
- Title: (L1) Ensure ‘Reset account lockout counter after’ is set to ‘15 or more minute(s)’
oval:simp.cis.2.6.0.windows2012R2.2.3.5.3_L1_Ensure_Domain_controller_LDAP_server_channel_binding_token_requirements_is_set_to_Always_DC_Only:def:1
- Title: (L1) Ensure ‘Domain controller: LDAP server channel binding token requirements’ is set to ‘Always’ (DC Only)
oval:simp.cis.2.6.0.windows2012R2.18.9.102.1.1_L1_Ensure_Allow_Basic_authentication_is_set_to_Disabled:def:1
- Title: (L1) Ensure ‘Allow Basic authentication’ is set to ‘Disabled’
oval:simp.cis.2.6.0.windows2012R2.18.9.102.1.3_L1_Ensure_Disallow_Digest_authentication_is_set_to_Enabled:def:1
- Title: (L1) Ensure ‘Disallow Digest authentication’ is set to ‘Enabled’
oval:simp.cis.2.6.0.windows2012R2.18.9.102.2.1_L1_Ensure_Allow_Basic_authentication_is_set_to_Disabled:def:1
- Title: (L1) Ensure ‘Allow Basic authentication’ is set to ‘Disabled’
oval:simp.cis.2.6.0.windows2012R2.18.8.3.1_L1_Ensure_Include_command_line_in_process_creation_events_is_set_to_Enabled:def:1
- Title: (L1) Ensure ‘Include command line in process creation events’ is set to ‘Enabled’
oval:simp.cis.2.6.0.windows2012R2.18.9.100.1_L1_Ensure_Turn_on_PowerShell_Script_Block_Logging_is_set_to_Enabled:def:1
- Title: (L1) Ensure ‘Turn on PowerShell Script Block Logging’ is set to ‘Enabled’
oval:simp.cis.2.6.0.windows2012R2.18.8.22.1.1_L1_Ensure_Turn_off_downloading_of_print_drivers_over_HTTP_is_set_to_Enabled:def:1
- Title: (L1) Ensure ‘Turn off downloading of print drivers over HTTP’ is set to ‘Enabled’
oval:simp.cis.2.6.0.windows2012R2.18.5.11.2_L1_Ensure_Prohibit_installation_and_configuration_of_Network_Bridge_on_your_DNS_domain_network_is_set_to_Enabled:def:1
- Title: (L1) Ensure ‘Prohibit installation and configuration of Network Bridge on your DNS domain network’ is set to ‘Enabled’
oval:simp.cis.2.6.0.windows2012R2.2.2.2_L1_Ensure_Access_this_computer_from_the_network_is_set_to_Administrators_Authenticated_Users_ENTERPRISE_DOMAIN_CONTROLLERS_DC_only:def:1
- Title: (L1) Ensure ‘Access this computer from the network’ is set to ‘Administrators, Authenticated Users, ENTERPRISE DOMAIN CONTROLLERS’ (DC only)
oval:simp.cis.2.6.0.windows2012R2.2.2.3_L1_Ensure_Access_this_computer_from_the_network__is_set_to_Administrators_Authenticated_Users_MS_only:def:1
- Title: (L1) Ensure ‘Access this computer from the network’ is set to ‘Administrators, Authenticated Users’ (MS only)
oval:simp.cis.2.6.0.windows2012R2.5.1_L1_Ensure_Print_Spooler_Spooler_is_set_to_Disabled_DC_only:def:1
- Title: (L1) Ensure ‘Print Spooler (Spooler)’ is set to ‘Disabled’ (DC only)
oval:simp.cis.2.6.0.windows2012R2.5.2_L2_Ensure_Print_Spooler_Spooler_is_set_to_Disabled_MS_only:def:1
- Title: (L2) Ensure ‘Print Spooler (Spooler)’ is set to ‘Disabled’ (MS only)
oval:simp.cis.2.6.0.windows2012R2.18.3.2_L1_Ensure_Configure_SMB_v1_client_driver_is_set_to_Enabled_Disable_driver_recommended:def:1
- Title: (L1) Ensure ‘Configure SMB v1 client driver’ is set to ‘Enabled: Disable driver (recommended)’
oval:simp.cis.2.6.0.windows2012R2.18.3.3_L1_Ensure_Configure_SMB_v1_server_is_set_to_Disabled:def:1
- Title: (L1) Ensure ‘Configure SMB v1 server’ is set to ‘Disabled’
oval:simp.cis.2.6.0.windows2012R2.18.3.6_L1_Ensure_NetBT_NodeType_configuration_is_set_to_Enabled_P-node_recommended:def:1
- Title: (L1) Ensure ‘NetBT NodeType configuration’ is set to ‘Enabled: P-node (recommended)’
oval:simp.cis.2.6.0.windows2012R2.18.4.2_L1_Ensure_MSS_DisableIPSourceRouting_IPv6_IP_source_routing_protection_level_protects_against_packet_spoofing_is_set_to_Enabled_Highest_protection_source_routing_is_completely_disabled:def:1
- Title: (L1) Ensure ‘MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)’ is set to ‘Enabled: Highest protection, source routing is completely disabled’
oval:simp.cis.2.6.0.windows2012R2.18.4.3_L1_Ensure_MSS_DisableIPSourceRouting_IP_source_routing_protection_level_protects_against_packet_spoofing_is_set_to_Enabled_Highest_protection_source_routing_is_completely_disabled:def:1
- Title: (L1) Ensure ‘MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)’ is set to ‘Enabled: Highest protection, source routing is completely disabled’
oval:simp.cis.2.6.0.windows2012R2.18.4.4_L1_Ensure_MSS_EnableICMPRedirect_Allow_ICMP_redirects_to_override_OSPF_generated_routes_is_set_to_Disabled:def:1
- Title: (L1) Ensure ‘MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes’ is set to ‘Disabled’
oval:simp.cis.2.6.0.windows2012R2.18.4.5_L2_Ensure_MSS_KeepAliveTime_How_often_keep-alive_packets_are_sent_in_milliseconds_is_set_to_Enabled_300000_or_5_minutes_recommended:def:1
- Title: (L2) Ensure ‘MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds’ is set to ‘Enabled: 300,000 or 5 minutes (recommended)’
oval:simp.cis.2.6.0.windows2012R2.18.4.6_L1_Ensure_MSS_NoNameReleaseOnDemand_Allow_the_computer_to_ignore_NetBIOS_name_release_requests_except_from_WINS_servers_is_set_to_Enabled:def:1
- Title: (L1) Ensure ‘MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers’ is set to ‘Enabled’
oval:simp.cis.2.6.0.windows2012R2.18.4.7_L2_Ensure_MSS_PerformRouterDiscovery_Allow_IRDP_to_detect_and_configure_Default_Gateway_addresses_could_lead_to_DoS_is_set_to_Disabled:def:1
- Title: (L2) Ensure ‘MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)’ is set to ‘Disabled’
oval:simp.cis.2.6.0.windows2012R2.18.4.10_L2_Ensure_MSS_TcpMaxDataRetransmissions_IPv6_How_many_times_unacknowledged_data_is_retransmitted_is_set_to_Enabled_3:def:1
- Title: (L2) Ensure ‘MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted’ is set to ‘Enabled: 3’
oval:simp.cis.2.6.0.windows2012R2.18.4.11_L2_Ensure_MSS_TcpMaxDataRetransmissions_How_many_times_unacknowledged_data_is_retransmitted_is_set_to_Enabled_3:def:1
- Title: (L2) Ensure ‘MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted’ is set to ‘Enabled: 3’
oval:simp.cis.2.6.0.windows2012R2.18.5.4.2_L1_Ensure_Turn_off_multicast_name_resolution_is_set_to_Enabled:def:1
- Title: (L1) Ensure ‘Turn off multicast name resolution’ is set to ‘Enabled’
oval:simp.cis.2.6.0.windows2012R2.18.5.9.1_L2_Ensure_Turn_on_Mapper_IO_LLTDIO_driver_is_set_to_Disabled:def:1
- Title: (L2) Ensure ‘Turn on Mapper I/O (LLTDIO) driver’ is set to ‘Disabled’
oval:simp.cis.2.6.0.windows2012R2.18.5.9.2_L2_Ensure_Turn_on_Responder_RSPNDR_driver_is_set_to_Disabled:def:1
- Title: (L2) Ensure ‘Turn on Responder (RSPNDR) driver’ is set to ‘Disabled’
oval:simp.cis.2.6.0.windows2012R2.18.5.10.2_L2_Ensure_Turn_off_Microsoft_Peer-to-Peer_Networking_Services_is_set_to_Enabled:def:1
- Title: (L2) Ensure ‘Turn off Microsoft Peer-to-Peer Networking Services’ is set to ‘Enabled’
oval:simp.cis.2.6.0.windows2012R2.18.5.19.2.1_L2_Disable_IPv6_Ensure_TCPIP6_Parameter_DisabledComponents_is_set_to_0xff_255:def:1
- Title: (L2) Disable IPv6 (Ensure TCPIP6 Parameter ‘DisabledComponents’ is set to ‘0xff (255)’)
oval:simp.cis.2.6.0.windows2012R2.18.5.20.2_L2_Ensure_Prohibit_access_of_the_Windows_Connect_Now_wizards_is_set_to_Enabled:def:1
- Title: (L2) Ensure ‘Prohibit access of the Windows Connect Now wizards’ is set to ‘Enabled’
oval:simp.cis.2.6.0.windows2012R2.18.7.1.1_L2_Ensure_Turn_off_notifications_network_usage_is_set_to_Enabled:def:1
- Title: (L2) Ensure ‘Turn off notifications network usage’ is set to ‘Enabled’
oval:simp.cis.2.6.0.windows2012R2.18.8.22.1.2_L2_Ensure_Turn_off_handwriting_personalization_data_sharing_is_set_to_Enabled:def:1
- Title: (L2) Ensure ‘Turn off handwriting personalization data sharing’ is set to ‘Enabled’
oval:simp.cis.2.6.0.windows2012R2.18.8.22.1.3_L2_Ensure_Turn_off_handwriting_recognition_error_reporting_is_set_to_Enabled:def:1
- Title: (L2) Ensure ‘Turn off handwriting recognition error reporting’ is set to ‘Enabled’
oval:simp.cis.2.6.0.windows2012R2.18.8.22.1.4_L2_Ensure_Turn_off_Internet_Connection_Wizard_if_URL_connection_is_referring_to_Microsoft.com_is_set_to_Enabled:def:1
- Title: (L2) Ensure ‘Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com’ is set to ‘Enabled’
oval:simp.cis.2.6.0.windows2012R2.18.8.22.1.5_L1_Ensure_Turn_off_Internet_download_for_Web_publishing_and_online_ordering_wizards_is_set_to_Enabled:def:1
- Title: (L1) Ensure ‘Turn off Internet download for Web publishing and online ordering wizards’ is set to ‘Enabled’
oval:simp.cis.2.6.0.windows2012R2.18.8.22.1.7_L2_Ensure_Turn_off_Registration_if_URL_connection_is_referring_to_Microsoft.com_is_set_to_Enabled:def:1
- Title: (L2) Ensure ‘Turn off Registration if URL connection is referring to Microsoft.com’ is set to ‘Enabled’
oval:simp.cis.2.6.0.windows2012R2.18.8.22.1.8_L2_Ensure_Turn_off_Search_Companion_content_file_updates_is_set_to_Enabled:def:1
- Title: (L2) Ensure ‘Turn off Search Companion content file updates’ is set to ‘Enabled’
oval:simp.cis.2.6.0.windows2012R2.18.8.22.1.9_L2_Ensure_Turn_off_the_Order_Prints_picture_task_is_set_to_Enabled:def:1
- Title: (L2) Ensure ‘Turn off the “Order Prints” picture task’ is set to ‘Enabled’
oval:simp.cis.2.6.0.windows2012R2.18.8.22.1.10_L2_Ensure_Turn_off_the_Publish_to_Web_task_for_files_and_folders_is_set_to_Enabled:def:1
- Title: (L2) Ensure ‘Turn off the “Publish to Web” task for files and folders’ is set to ‘Enabled’
oval:simp.cis.2.6.0.windows2012R2.18.8.22.1.11_L2_Ensure_Turn_off_the_Windows_Messenger_Customer_Experience_Improvement_Program_is_set_to_Enabled:def:1
- Title: (L2) Ensure ‘Turn off the Windows Messenger Customer Experience Improvement Program’ is set to ‘Enabled’
oval:simp.cis.2.6.0.windows2012R2.18.8.22.1.12_L2_Ensure_Turn_off_Windows_Customer_Experience_Improvement_Program_is_set_to_Enabled:def:1
- Title: (L2) Ensure ‘Turn off Windows Customer Experience Improvement Program’ is set to ‘Enabled’
oval:simp.cis.2.6.0.windows2012R2.18.8.22.1.13_L2_Ensure_Turn_off_Windows_Error_Reporting_is_set_to_Enabled:def:1
- Title: (L2) Ensure ‘Turn off Windows Error Reporting’ is set to ‘Enabled’
oval:simp.cis.2.6.0.windows2012R2.18.8.36.1_L1_Ensure_Configure_Offer_Remote_Assistance_is_set_to_Disabled:def:1
- Title: (L1) Ensure ‘Configure Offer Remote Assistance’ is set to ‘Disabled’
oval:simp.cis.2.6.0.windows2012R2.18.8.36.2_L1_Ensure_Configure_Solicited_Remote_Assistance_is_set_to_Disabled:def:1
- Title: (L1) Ensure ‘Configure Solicited Remote Assistance’ is set to ‘Disabled’
oval:simp.cis.2.6.0.windows2012R2.18.8.37.1_L1_Ensure_Enable_RPC_Endpoint_Mapper_Client_Authentication_is_set_to_Enabled_MS_only:def:1
- Title: (L1) Ensure ‘Enable RPC Endpoint Mapper Client Authentication’ is set to ‘Enabled’ (MS only)
oval:simp.cis.2.6.0.windows2012R2.18.8.37.2_L2_Ensure_Restrict_Unauthenticated_RPC_clients_is_set_to_Enabled_Authenticated_MS_only:def:1
- Title: (L2) Ensure ‘Restrict Unauthenticated RPC clients’ is set to ‘Enabled: Authenticated’ (MS only)
oval:simp.cis.2.6.0.windows2012R2.18.8.48.5.1_L2_Ensure_Microsoft_Support_Diagnostic_Tool_Turn_on_MSDT_interactive_communication_with_support_provider_is_set_to_Disabled:def:1
- Title: (L2) Ensure ‘Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider’ is set to ‘Disabled’
oval:simp.cis.2.6.0.windows2012R2.18.8.48.11.1_L2_Ensure_EnableDisable_PerfTrack_is_set_to_Disabled:def:1
- Title: (L2) Ensure ‘Enable/Disable PerfTrack’ is set to ‘Disabled’
oval:simp.cis.2.6.0.windows2012R2.18.8.50.1_L2_Ensure_Turn_off_the_advertising_ID_is_set_to_Enabled:def:1
- Title: (L2) Ensure ‘Turn off the advertising ID’ is set to ‘Enabled’
oval:simp.cis.2.6.0.windows2012R2.18.9.41.2_L2_Ensure_Turn_off_location_is_set_to_Enabled:def:1
- Title: (L2) Ensure ‘Turn off location’ is set to ‘Enabled’
oval:simp.cis.2.6.0.windows2012R2.18.9.47.4.1_L1_Ensure_Configure_local_setting_override_for_reporting_to_Microsoft_MAPS_is_set_to_Disabled:def:1
- Title: (L1) Ensure ‘Configure local setting override for reporting to Microsoft MAPS’ is set to ‘Disabled’
oval:simp.cis.2.6.0.windows2012R2.18.9.47.4.2_L2_Ensure_Join_Microsoft_MAPS_is_set_to_Disabled:def:1
- Title: (L2) Ensure ‘Join Microsoft MAPS’ is set to ‘Disabled’
oval:simp.cis.2.6.0.windows2012R2.18.9.65.3.2.1_L2_Ensure_Restrict_Remote_Desktop_Services_users_to_a_single_Remote_Desktop_Services_session_is_set_to_Enabled:def:1
- Title: (L2) Ensure ‘Restrict Remote Desktop Services users to a single Remote Desktop Services session’ is set to ‘Enabled’
oval:simp.cis.2.6.0.windows2012R2.18.9.65.3.3.1_L2_Ensure_Do_not_allow_COM_port_redirection_is_set_to_Enabled:def:1
- Title: (L2) Ensure ‘Do not allow COM port redirection’ is set to ‘Enabled’
oval:simp.cis.2.6.0.windows2012R2.18.9.65.3.3.2_L1_Ensure_Do_not_allow_drive_redirection_is_set_to_Enabled:def:1
- Title: (L1) Ensure ‘Do not allow drive redirection’ is set to ‘Enabled’
oval:simp.cis.2.6.0.windows2012R2.18.9.65.3.3.3_L2_Ensure_Do_not_allow_LPT_port_redirection_is_set_to_Enabled:def:1
- Title: (L2) Ensure ‘Do not allow LPT port redirection’ is set to ‘Enabled’
oval:simp.cis.2.6.0.windows2012R2.18.9.65.3.3.4_L2_Ensure_Do_not_allow_supported_Plug_and_Play_device_redirection_is_set_to_Enabled:def:1
- Title: (L2) Ensure ‘Do not allow supported Plug and Play device redirection’ is set to ‘Enabled’
oval:simp.cis.2.6.0.windows2012R2.18.9.86.2.1_L1_Ensure_Configure_Default_consent_is_set_to_Enabled_Always_ask_before_sending_data:def:1
- Title: (L1) Ensure ‘Configure Default consent’ is set to ‘Enabled: Always ask before sending data’
oval:simp.cis.2.6.0.windows2012R2.18.9.86.3_L1_Ensure_Automatically_send_memory_dumps_for_OS-generated_error_reports_is_set_to_Disabled:def:1
- Title: (L1) Ensure ‘Automatically send memory dumps for OS-generated error reports’ is set to ‘Disabled’
oval:simp.cis.2.6.0.windows2012R2.18.9.102.2.2_L2_Ensure_Allow_remote_server_management_through_WinRM_is_set_to_Disabled:def:1
- Title: (L2) Ensure ‘Allow remote server management through WinRM’ is set to ‘Disabled’
oval:simp.cis.2.6.0.windows2012R2.18.9.103.1_L2_Ensure_Allow_Remote_Shell_Access_is_set_to_Disabled:def:1
- Title: (L2) Ensure ‘Allow Remote Shell Access’ is set to ‘Disabled’
oval:simp.cis.2.6.0.windows2012R2.19.6.6.1.1_L2_Ensure_Turn_off_Help_Experience_Improvement_Program_is_set_to_Enabled:def:1
- Title: (L2) Ensure ‘Turn off Help Experience Improvement Program’ is set to ‘Enabled’
- NOTE: This is a per-user setting that SIMP cannot directly enforce at this time.
- NOTE: Group Policy templates enforcing this setting that can be imported to Active Directory are provided on the Domain Controllers.
oval:simp.cis.2.6.0.windows2012R2.9.1.1_L1_Ensure_Windows_Firewall_Domain_Firewall_state_is_set_to_On_recommended:def:1
- Title: (L1) Ensure ‘Windows Firewall: Domain: Firewall state’ is set to ‘On (recommended)’
oval:simp.cis.2.6.0.windows2012R2.9.1.2_L1_Ensure_Windows_Firewall_Domain_Inbound_connections_is_set_to_Block_default:def:1
- Title: (L1) Ensure ‘Windows Firewall: Domain: Inbound connections’ is set to ‘Block (default)’
oval:simp.cis.2.6.0.windows2012R2.9.1.3_L1_Ensure_Windows_Firewall_Domain_Outbound_connections_is_set_to_Allow_default:def:1
- Title: (L1) Ensure ‘Windows Firewall: Domain: Outbound connections’ is set to ‘Allow (default)’
oval:simp.cis.2.6.0.windows2012R2.9.1.4_L1_Ensure_Windows_Firewall_Domain_Settings_Display_a_notification_is_set_to_No:def:1
- Title: (L1) Ensure ‘Windows Firewall: Domain: Settings: Display a notification’ is set to ‘No’
oval:simp.cis.2.6.0.windows2012R2.9.1.5_L1_Ensure_Windows_Firewall_Domain_Logging_Name_is_set_to_SystemRootSystem32logfilesfirewalldomainfw.log:def:1
- Title: (L1) Ensure ‘Windows Firewall: Domain: Logging: Name’ is set to ‘%SystemRoot%\System32\logfiles\firewall\domainfw.log’
oval:simp.cis.2.6.0.windows2012R2.9.1.6_L1_Ensure_Windows_Firewall_Domain_Logging_Size_limit_KB_is_set_to_16384_KB_or_greater:def:1
- Title: (L1) Ensure ‘Windows Firewall: Domain: Logging: Size limit (KB)’ is set to ‘16,384 KB or greater’
oval:simp.cis.2.6.0.windows2012R2.9.1.7_L1_Ensure_Windows_Firewall_Domain_Logging_Log_dropped_packets_is_set_to_Yes:def:1
- Title: (L1) Ensure ‘Windows Firewall: Domain: Logging: Log dropped packets’ is set to ‘Yes’
oval:simp.cis.2.6.0.windows2012R2.9.1.8_L1_Ensure_Windows_Firewall_Domain_Logging_Log_successful_connections_is_set_to_Yes:def:1
- Title: (L1) Ensure ‘Windows Firewall: Domain: Logging: Log successful connections’ is set to ‘Yes’
oval:simp.cis.2.6.0.windows2012R2.9.2.1_L1_Ensure_Windows_Firewall_Private_Firewall_state_is_set_to_On_recommended:def:1
- Title: (L1) Ensure ‘Windows Firewall: Private: Firewall state’ is set to ‘On (recommended)’
oval:simp.cis.2.6.0.windows2012R2.9.2.2_L1_Ensure_Windows_Firewall_Private_Inbound_connections_is_set_to_Block_default:def:1
- Title: (L1) Ensure ‘Windows Firewall: Private: Inbound connections’ is set to ‘Block (default)’
oval:simp.cis.2.6.0.windows2012R2.9.2.3_L1_Ensure_Windows_Firewall_Private_Outbound_connections_is_set_to_Allow_default:def:1
- Title: (L1) Ensure ‘Windows Firewall: Private: Outbound connections’ is set to ‘Allow (default)’
oval:simp.cis.2.6.0.windows2012R2.9.2.4_L1_Ensure_Windows_Firewall_Private_Settings_Display_a_notification_is_set_to_No:def:1
- Title: (L1) Ensure ‘Windows Firewall: Private: Settings: Display a notification’ is set to ‘No’
oval:simp.cis.2.6.0.windows2012R2.9.2.5_L1_Ensure_Windows_Firewall_Private_Logging_Name_is_set_to_SystemRootSystem32logfilesfirewallprivatefw.log:def:1
- Title: (L1) Ensure ‘Windows Firewall: Private: Logging: Name’ is set to ‘%SystemRoot%\System32\logfiles\firewall\privatefw.log’
oval:simp.cis.2.6.0.windows2012R2.9.2.6_L1_Ensure_Windows_Firewall_Private_Logging_Size_limit_KB_is_set_to_16384_KB_or_greater:def:1
- Title: (L1) Ensure ‘Windows Firewall: Private: Logging: Size limit (KB)’ is set to ‘16,384 KB or greater’
oval:simp.cis.2.6.0.windows2012R2.9.2.7_L1_Ensure_Windows_Firewall_Private_Logging_Log_dropped_packets_is_set_to_Yes:def:1
- Title: (L1) Ensure ‘Windows Firewall: Private: Logging: Log dropped packets’ is set to ‘Yes’
oval:simp.cis.2.6.0.windows2012R2.9.2.8_L1_Ensure_Windows_Firewall_Private_Logging_Log_successful_connections_is_set_to_Yes:def:1
- Title: (L1) Ensure ‘Windows Firewall: Private: Logging: Log successful connections’ is set to ‘Yes’
oval:simp.cis.2.6.0.windows2012R2.9.3.1_L1_Ensure_Windows_Firewall_Public_Firewall_state_is_set_to_On_recommended:def:1
- Title: (L1) Ensure ‘Windows Firewall: Public: Firewall state’ is set to ‘On (recommended)’
oval:simp.cis.2.6.0.windows2012R2.9.3.2_L1_Ensure_Windows_Firewall_Public_Inbound_connections_is_set_to_Block_default:def:1
- Title: (L1) Ensure ‘Windows Firewall: Public: Inbound connections’ is set to ‘Block (default)’
oval:simp.cis.2.6.0.windows2012R2.9.3.3_L1_Ensure_Windows_Firewall_Public_Outbound_connections_is_set_to_Allow_default:def:1
- Title: (L1) Ensure ‘Windows Firewall: Public: Outbound connections’ is set to ‘Allow (default)’
oval:simp.cis.2.6.0.windows2012R2.9.3.4_L1_Ensure_Windows_Firewall_Public_Settings_Display_a_notification_is_set_to_No:def:1
- Title: (L1) Ensure ‘Windows Firewall: Public: Settings: Display a notification’ is set to ‘No’
oval:simp.cis.2.6.0.windows2012R2.9.3.5_L1_Ensure_Windows_Firewall_Public_Settings_Apply_local_firewall_rules_is_set_to_No:def:1
- Title: (L1) Ensure ‘Windows Firewall: Public: Settings: Apply local firewall rules’ is set to ‘No’
oval:simp.cis.2.6.0.windows2012R2.9.3.6_L1_Ensure_Windows_Firewall_Public_Settings_Apply_local_connection_security_rules_is_set_to_No:def:1
- Title: (L1) Ensure ‘Windows Firewall: Public: Settings: Apply local connection security rules’ is set to ‘No’
oval:simp.cis.2.6.0.windows2012R2.9.3.7_L1_Ensure_Windows_Firewall_Public_Logging_Name_is_set_to_SystemRootSystem32logfilesfirewallpublicfw.log:def:1
- Title: (L1) Ensure ‘Windows Firewall: Public: Logging: Name’ is set to ‘%SystemRoot%\System32\logfiles\firewall\publicfw.log’
oval:simp.cis.2.6.0.windows2012R2.9.3.8_L1_Ensure_Windows_Firewall_Public_Logging_Size_limit_KB_is_set_to_16384_KB_or_greater:def:1
- Title: (L1) Ensure ‘Windows Firewall: Public: Logging: Size limit (KB)’ is set to ‘16,384 KB or greater’
oval:simp.cis.2.6.0.windows2012R2.9.3.9_L1_Ensure_Windows_Firewall_Public_Logging_Log_dropped_packets_is_set_to_Yes:def:1
- Title: (L1) Ensure ‘Windows Firewall: Public: Logging: Log dropped packets’ is set to ‘Yes’
oval:simp.cis.2.6.0.windows2012R2.9.3.10_L1_Ensure_Windows_Firewall_Public_Logging_Log_successful_connections_is_set_to_Yes:def:1
- Title: (L1) Ensure ‘Windows Firewall: Public: Logging: Log successful connections’ is set to ‘Yes’
oval:simp.cis.2.6.0.windows2012R2.1.1.2_L1_Ensure_Maximum_password_age_is_set_to_365_or_fewer_days_but_not_0:def:1
- Title: (L1) Ensure ‘Maximum password age’ is set to ‘365 or fewer days, but not 0’
oval:simp.cis.2.6.0.windows2012R2.1.1.3_L1_Ensure_Minimum_password_age_is_set_to_1_or_more_days:def:1
- Title: (L1) Ensure ‘Minimum password age’ is set to ‘1 or more day(s)’
oval:simp.cis.2.6.0.windows2012R2.18.2.2_L1_Ensure_Do_not_allow_password_expiration_time_longer_than_required_by_policy_is_set_to_Enabled_MS_only:def:1
- Title: (L1) Ensure ‘Do not allow password expiration time longer than required by policy’ is set to ‘Enabled’ (MS only)
oval:simp.cis.2.6.0.windows2012R2.18.2.6_L1_Ensure_Password_Settings_Password_Age_Days_is_set_to_Enabled_30_or_fewer_MS_only:def:1
- Title: (L1) Ensure ‘Password Settings: Password Age (Days)’ is set to ‘Enabled: 30 or fewer’ (MS only)
oval:simp.cis.2.6.0.windows2012R2.17.1.1_L1_Ensure_Audit_Credential_Validation_is_set_to_Success_and_Failure:def:1
- Title: (L1) Ensure ‘Audit Credential Validation’ is set to ‘Success and Failure’
oval:simp.cis.2.6.0.windows2012R2.2.2.19_L1_Ensure_Debug_programs_is_set_to_Administrators:def:1
- Title: (L1) Ensure ‘Debug programs’ is set to ‘Administrators’
oval:simp.cis.2.6.0.windows2012R2.2.3.6.1_L1_Ensure_Domain_member_Digitally_encrypt_or_sign_secure_channel_data_always_is_set_to_Enabled:def:1
- Title: (L1) Ensure ‘Domain member: Digitally encrypt or sign secure channel data (always)’ is set to ‘Enabled’
oval:simp.cis.2.6.0.windows2012R2.2.3.6.2_L1_Ensure_Domain_member_Digitally_encrypt_secure_channel_data_when_possible_is_set_to_Enabled:def:1
- Title: (L1) Ensure ‘Domain member: Digitally encrypt secure channel data (when possible)’ is set to ‘Enabled’
oval:simp.cis.2.6.0.windows2012R2.2.3.11.4_L1_Ensure_Network_security_Configure_encryption_types_allowed_for_Kerberos_is_set_to_AES128_HMAC_SHA1_AES256_HMAC_SHA1_Future_encryption_types:def:1
- Title: (L1) Ensure ‘Network security: Configure encryption types allowed for Kerberos’ is set to ‘AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types’
oval:simp.cis.2.6.0.windows2012R2.18.5.4.1_L1_Ensure_Configure_DNS_over_HTTPS_DoH_name_resolution_is_set_to_Enabled_Allow_DoH_or_higher:def:1
- Title: (L1) Ensure ‘Configure DNS over HTTPS (DoH) name resolution’ is set to ‘Enabled: Allow DoH’ or higher
oval:simp.cis.2.6.0.windows2012R2.18.9.102.1.2_L1_Ensure_Allow_unencrypted_traffic_is_set_to_Disabled:def:1
- Title: (L1) Ensure ‘Allow unencrypted traffic’ is set to ‘Disabled’
oval:simp.cis.2.6.0.windows2012R2.18.9.102.2.3_L1_Ensure_Allow_unencrypted_traffic_is_set_to_Disabled:def:1
- Title: (L1) Ensure ‘Allow unencrypted traffic’ is set to ‘Disabled’
oval:simp.cis.2.6.0.windows2012R2.18.9.67.2_L1_Ensure_Allow_indexing_of_encrypted_files_is_set_to_Disabled:def:1
- Title: (L1) Ensure ‘Allow indexing of encrypted files’ is set to ‘Disabled’
oval:simp.cis.2.6.0.windows2012R2.18.8.21.2_L1_Ensure_Configure_registry_policy_processing_Do_not_apply_during_periodic_background_processing_is_set_to_Enabled_FALSE:def:1
- Title: (L1) Ensure ‘Configure registry policy processing: Do not apply during periodic background processing’ is set to ‘Enabled: FALSE’
oval:simp.cis.2.6.0.windows2012R2.18.8.21.3_L1_Ensure_Configure_registry_policy_processing_Process_even_if_the_Group_Policy_objects_have_not_changed_is_set_to_Enabled_TRUE:def:1
- Title: (L1) Ensure ‘Configure registry policy processing: Process even if the Group Policy objects have not changed’ is set to ‘Enabled: TRUE’
oval:simp.cis.2.6.0.windows2012R2.18.8.21.4_L1_Ensure_Turn_off_background_refresh_of_Group_Policy_is_set_to_Disabled:def:1
- Title: (L1) Ensure ‘Turn off background refresh of Group Policy’ is set to ‘Disabled’
oval:simp.cis.2.6.0.windows2012R2.2.3.9.4_L1_Ensure_Microsoft_network_server_Disconnect_clients_when_logon_hours_expire_is_set_to_Enabled:def:1
- Title: (L1) Ensure ‘Microsoft network server: Disconnect clients when logon hours expire’ is set to ‘Enabled’
oval:simp.cis.2.6.0.windows2012R2.2.3.11.6_L1_Ensure_Network_security_Force_logoff_when_logon_hours_expire_is_set_to_Enabled:def:1
- Title: (L1) Ensure ‘Network security: Force logoff when logon hours expire’ is set to ‘Enabled’
oval:simp.cis.2.6.0.windows2012R2.17.5.2_L1_Ensure_Audit_Logoff_is_set_to_include_Success:def:1
- Title: (L1) Ensure ‘Audit Logoff’ is set to include ‘Success’
oval:simp.cis.2.6.0.windows2012R2.17.5.3_L1_Ensure_Audit_Logon_is_set_to_Success_and_Failure:def:1
- Title: (L1) Ensure ‘Audit Logon’ is set to ‘Success and Failure’
oval:simp.cis.2.6.0.windows2012R2.17.5.4_L1_Ensure_Audit_Other_LogonLogoff_Events_is_set_to_Success_and_Failure:def:1
- Title: (L1) Ensure ‘Audit Other Logon/Logoff Events’ is set to ‘Success and Failure’
oval:simp.cis.2.6.0.windows2012R2.17.5.5_L1_Ensure_Audit_Special_Logon_is_set_to_include_Success:def:1
- Title: (L1) Ensure ‘Audit Special Logon’ is set to include ‘Success’
  Windows 2016 (320/320 [100%])
oval:simp.cis.1.3.0.windows2016.2.3.4.2_L1_Ensure_Devices_Prevent_users_from_installing_printer_drivers_is_set_to_Enabled:def:1
- Title: (L1) Ensure ‘Devices: Prevent users from installing printer drivers’ is set to ‘Enabled’
oval:simp.cis.1.3.0.windows2016.2.3.5.4_L1_Ensure_Domain_controller_LDAP_server_signing_requirements_is_set_to_Require_signing_DC_only:def:1
- Title: (L1) Ensure ‘Domain controller: LDAP server signing requirements’ is set to ‘Require signing’ (DC only)
oval:simp.cis.1.3.0.windows2016.2.3.5.5_L1_Ensure_Domain_controller_Refuse_machine_account_password_changes_is_set_to_Disabled_DC_only:def:1
- Title: (L1) Ensure ‘Domain controller: Refuse machine account password changes’ is set to ‘Disabled’ (DC only)
oval:simp.cis.1.3.0.windows2016.2.3.6.4_L1_Ensure_Domain_member_Disable_machine_account_password_changes_is_set_to_Disabled:def:1
- Title: (L1) Ensure ‘Domain member: Disable machine account password changes’ is set to ‘Disabled’
oval:simp.cis.1.3.0.windows2016.2.3.6.5_L1_Ensure_Domain_member_Maximum_machine_account_password_age_is_set_to_30_or_fewer_days_but_not_0:def:1
- Title: (L1) Ensure ‘Domain member: Maximum machine account password age’ is set to ‘30 or fewer days, but not 0’
oval:simp.cis.1.3.0.windows2016.2.3.6.6_L1_Ensure_Domain_member_Require_strong_Windows_2000_or_later_session_key_is_set_to_Enabled:def:1
- Title: (L1) Ensure ‘Domain member: Require strong (Windows 2000 or later) session key’ is set to ‘Enabled’
oval:simp.cis.1.3.0.windows2016.2.3.7.1_L1_Ensure_Interactive_logon_Do_not_display_last_user_name_is_set_to_Enabled:def:1
- Title: (L1) Ensure ‘Interactive logon: Do not display last user name’ is set to ‘Enabled’
oval:simp.cis.1.3.0.windows2016.2.3.7.2_L1_Ensure_Interactive_logon_Do_not_require_CTRLALTDEL_is_set_to_Disabled:def:1
- Title: (L1) Ensure ‘Interactive logon: Do not require CTRL+ALT+DEL’ is set to ‘Disabled’
oval:simp.cis.1.3.0.windows2016.2.3.7.4_L1_Configure_Interactive_logon_Message_text_for_users_attempting_to_log_on:def:1
- Title: (L1) Configure ‘Interactive logon: Message text for users attempting to log on’
oval:simp.cis.1.3.0.windows2016.2.3.7.5_L1_Configure_Interactive_logon_Message_title_for_users_attempting_to_log_on:def:1
- Title: (L1) Configure ‘Interactive logon: Message title for users attempting to log on’
oval:simp.cis.1.3.0.windows2016.2.3.7.6_L2_Ensure_Interactive_logon_Number_of_previous_logons_to_cache_in_case_domain_controller_is_not_available_is_set_to_4_or_fewer_logons_MS_only:def:1
- Title: (L2) Ensure ‘Interactive logon: Number of previous logons to cache (in case domain controller is not available)’ is set to ‘4 or fewer logon(s)’ (MS only)
oval:simp.cis.1.3.0.windows2016.2.3.7.7_L1_Ensure_Interactive_logon_Prompt_user_to_change_password_before_expiration_is_set_to_between_5_and_14_days:def:1
- Title: (L1) Ensure ‘Interactive logon: Prompt user to change password before expiration’ is set to ‘between 5 and 14 days’
oval:simp.cis.1.3.0.windows2016.2.3.8.1_L1_Ensure_Microsoft_network_client_Digitally_sign_communications_always_is_set_to_Enabled:def:1
- Title: (L1) Ensure ‘Microsoft network client: Digitally sign communications (always)’ is set to ‘Enabled’
oval:simp.cis.1.3.0.windows2016.2.3.8.2_L1_Ensure_Microsoft_network_client_Digitally_sign_communications_if_server_agrees_is_set_to_Enabled:def:1
- Title: (L1) Ensure ‘Microsoft network client: Digitally sign communications (if server agrees)’ is set to ‘Enabled’
oval:simp.cis.1.3.0.windows2016.2.3.8.3_L1_Ensure_Microsoft_network_client_Send_unencrypted_password_to_third-party_SMB_servers_is_set_to_Disabled:def:1
- Title: (L1) Ensure ‘Microsoft network client: Send unencrypted password to third-party SMB servers’ is set to ‘Disabled’
oval:simp.cis.1.3.0.windows2016.2.3.9.2_L1_Ensure_Microsoft_network_server_Digitally_sign_communications_always_is_set_to_Enabled:def:1
- Title: (L1) Ensure ‘Microsoft network server: Digitally sign communications (always)’ is set to ‘Enabled’
oval:simp.cis.1.3.0.windows2016.2.3.9.3_L1_Ensure_Microsoft_network_server_Digitally_sign_communications_if_client_agrees_is_set_to_Enabled:def:1
- Title: (L1) Ensure ‘Microsoft network server: Digitally sign communications (if client agrees)’ is set to ‘Enabled’
oval:simp.cis.1.3.0.windows2016.2.3.9.5_L1_Ensure_Microsoft_network_server_Server_SPN_target_name_validation_level_is_set_to_Accept_if_provided_by_client_or_higher_MS_only:def:1
- Title: (L1) Ensure ‘Microsoft network server: Server SPN target name validation level’ is set to ‘Accept if provided by client’ or higher (MS only)
oval:simp.cis.1.3.0.windows2016.2.3.10.1_L1_Ensure_Network_access_Allow_anonymous_SIDName_translation_is_set_to_Disabled:def:1
- Title: (L1) Ensure ‘Network access: Allow anonymous SID/Name translation’ is set to ‘Disabled’
oval:simp.cis.1.3.0.windows2016.2.3.10.2_L1_Ensure_Network_access_Do_not_allow_anonymous_enumeration_of_SAM_accounts_is_set_to_Enabled_MS_only:def:1
- Title: (L1) Ensure ‘Network access: Do not allow anonymous enumeration of SAM accounts’ is set to ‘Enabled’ (MS only)
oval:simp.cis.1.3.0.windows2016.2.3.10.3_L1_Ensure_Network_access_Do_not_allow_anonymous_enumeration_of_SAM_accounts_and_shares_is_set_to_Enabled_MS_only:def:1
- Title: (L1) Ensure ‘Network access: Do not allow anonymous enumeration of SAM accounts and shares’ is set to ‘Enabled’ (MS only)
oval:simp.cis.1.3.0.windows2016.2.3.10.5_L1_Ensure_Network_access_Let_Everyone_permissions_apply_to_anonymous_users_is_set_to_Disabled:def:1
- Title: (L1) Ensure ‘Network access: Let Everyone permissions apply to anonymous users’ is set to ‘Disabled’
oval:simp.cis.1.3.0.windows2016.2.3.10.13L1_Ensure_Network_access_Sharing_and_security_model_for_local_accounts_is_set_to_Classic-_local_users_authenticate_as_themselves:def:1
- Title: (L1) Ensure ‘Network access: Sharing and security model for local accounts’ is set to ‘Classic - local users authenticate as themselves’
oval:simp.cis.1.3.0.windows2016.2.3.11.1_L1_Ensure_Network_security_Allow_Local_System_to_use_computer_identity_for_NTLM_is_set_to_Enabled:def:1
- Title: (L1) Ensure ‘Network security: Allow Local System to use computer identity for NTLM’ is set to ‘Enabled’
oval:simp.cis.1.3.0.windows2016.2.3.11.8_L1_Ensure_Network_security_LDAP_client_signing_requirements_is_set_to_Negotiate_signing_or_higher:def:1
- Title: (L1) Ensure ‘Network security: LDAP client signing requirements’ is set to ‘Negotiate signing’ or higher
oval:simp.cis.1.3.0.windows2016.2.3.11.9_L1_Ensure_Network_security_Minimum_session_security_for_NTLM_SSP_based_including_secure_RPC_clients_is_set_to_Require_NTLMv2_session_security_Require_128-bit_encryption:def:1
- Title: (L1) Ensure ‘Network security: Minimum session security for NTLM SSP based (including secure RPC) clients’ is set to ‘Require NTLMv2 session security, Require 128-bit encryption’
oval:simp.cis.1.3.0.windows2016.2.3.11.10_L1_Ensure_Network_security_Minimum_session_security_for_NTLM_SSP_based_including_secure_RPC_servers_is_set_to_Require_NTLMv2_session_security_Require_128-bit_encryption:def:1
- Title: (L1) Ensure ‘Network security: Minimum session security for NTLM SSP based (including secure RPC) servers’ is set to ‘Require NTLMv2 session security, Require 128-bit encryption’
oval:simp.cis.1.3.0.windows2016.2.3.15.1_L1_Ensure_System_objects_Require_case_insensitivity_for_non-Windows_subsystems_is_set_to_Enabled:def:1
- Title: (L1) Ensure ‘System objects: Require case insensitivity for non-Windows subsystems’ is set to ‘Enabled’
oval:simp.cis.1.3.0.windows2016.2.3.17.3_L1_Ensure_User_Account_Control_Behavior_of_the_elevation_prompt_for_standard_users_is_set_to_Automatically_deny_elevation_requests:def:1
- Title: (L1) Ensure ‘User Account Control: Behavior of the elevation prompt for standard users’ is set to ‘Automatically deny elevation requests’
oval:simp.cis.1.3.0.windows2016.2.3.17.8_L1_Ensure_User_Account_Control_Virtualize_file_and_registry_write_failures_to_per-user_locations_is_set_to_Enabled:def:1
- Title: (L1) Ensure ‘User Account Control: Virtualize file and registry write failures to per-user locations’ is set to ‘Enabled’
oval:simp.cis.1.3.0.windows2016.18.1.1.1_L1_Ensure_Prevent_enabling_lock_screen_camera_is_set_to_Enabled:def:1
- Title: (L1) Ensure ‘Prevent enabling lock screen camera’ is set to ‘Enabled’
oval:simp.cis.1.3.0.windows2016.18.1.1.2_L1_Ensure_Prevent_enabling_lock_screen_slide_show_is_set_to_Enabled:def:1
- Title: (L1) Ensure ‘Prevent enabling lock screen slide show’ is set to ‘Enabled’
oval:simp.cis.1.3.0.windows2016.18.1.2.2_L1_Ensure_Allow_users_to_enable_online_speech_recognition_services_is_set_to_Disabled:def:1
- Title: (L1) Ensure ‘Allow users to enable online speech recognition services’ is set to ‘Disabled’
oval:simp.cis.1.3.0.windows2016.18.5.5.1_L2_Ensure_Enable_Font_Providers_is_set_to_Disabled:def:1
- Title: (L2) Ensure ‘Enable Font Providers’ is set to ‘Disabled’
oval:simp.cis.1.3.0.windows2016.18.8.22.1.8_L2_Ensure_Turn_off_Search_Companion_content_file_updates_is_set_to_Enabled:def:1
- Title: (L2) Ensure ‘Turn off Search Companion content file updates’ is set to ‘Enabled’
oval:simp.cis.1.3.0.windows2016.18.8.22.1.9_L2_Ensure_Turn_off_the_Order_Prints_picture_task_is_set_to_Enabled:def:1
- Title: (L2) Ensure ‘Turn off the “Order Prints” picture task’ is set to ‘Enabled’
oval:simp.cis.1.3.0.windows2016.18.8.22.1.10_L2_Ensure_Turn_off_the_Publish_to_Web_task_for_files_and_folders_is_set_to_Enabled:def:1
- Title: (L2) Ensure ‘Turn off the “Publish to Web” task for files and folders’ is set to ‘Enabled’
oval:simp.cis.1.3.0.windows2016.18.8.22.1.11_L2_Ensure_Turn_off_the_Windows_Messenger_Customer_Experience_Improvement_Program_is_set_to_Enabled:def:1
- Title: (L2) Ensure ‘Turn off the Windows Messenger Customer Experience Improvement Program’ is set to ‘Enabled’
oval:simp.cis.1.3.0.windows2016.18.8.22.1.12_L2_Ensure_Turn_off_Windows_Customer_Experience_Improvement_Program_is_set_to_Enabled:def:1
- Title: (L2) Ensure ‘Turn off Windows Customer Experience Improvement Program’ is set to ‘Enabled’
oval:simp.cis.1.3.0.windows2016.18.8.22.1.13_L2_Ensure_Turn_off_Windows_Error_Reporting_is_set_to_Enabled:def:1
- Title: (L2) Ensure ‘Turn off Windows Error Reporting’ is set to ‘Enabled’
oval:simp.cis.1.3.0.windows2016.18.8.36.2_L1_Ensure_Configure_Solicited_Remote_Assistance_is_set_to_Disabled:def:1
- Title: (L1) Ensure ‘Configure Solicited Remote Assistance’ is set to ‘Disabled’
oval:simp.cis.1.3.0.windows2016.18.9.12.1_L2_Ensure_Allow_Use_of_Camera_is_set_to_Disabled:def:1
- Title: (L2) Ensure ‘Allow Use of Camera’ is set to ‘Disabled’
oval:simp.cis.1.3.0.windows2016.18.9.15.1_L1_Ensure_Do_not_display_the_password_reveal_button_is_set_to_Enabled:def:1
- Title: (L1) Ensure ‘Do not display the password reveal button’ is set to ‘Enabled’
oval:simp.cis.1.3.0.windows2016.18.9.16.3_L1_Ensure_Do_not_show_feedback_notifications_is_set_to_Enabled:def:1
- Title: (L1) Ensure ‘Do not show feedback notifications’ is set to ‘Enabled’
oval:simp.cis.1.3.0.windows2016.18.9.39.1_L2_Ensure_Turn_off_location_is_set_to_Enabled:def:1
- Title: (L2) Ensure ‘Turn off location’ is set to ‘Enabled’
oval:simp.cis.1.3.0.windows2016.18.9.63.3.2.1_L2_Ensure_Restrict_Remote_Desktop_Services_users_to_a_single_Remote_Desktop_Services_session_is_set_to_Enabled:def:1
- Title: (L2) Ensure ‘Restrict Remote Desktop Services users to a single Remote Desktop Services session’ is set to ‘Enabled’
oval:simp.cis.1.3.0.windows2016.18.9.85.1_L2_Ensure_Allow_suggested_apps_in_Windows_Ink_Workspace_is_set_to_Disabled:def:1
- Title: (L2) Ensure ‘Allow suggested apps in Windows Ink Workspace’ is set to ‘Disabled’
oval:simp.cis.1.3.0.windows2016.18.9.96.1_L1_Ensure_Turn_on_PowerShell_Script_Block_Logging_is_set_to_Disabled:def:1
- Title: (L1) Ensure ‘Turn on PowerShell Script Block Logging’ is set to ‘Disabled’
oval:simp.cis.1.3.0.windows2016.18.9.96.2_L1_Ensure_Turn_on_PowerShell_Transcription_is_set_to_Disabled:def:1
- Title: (L1) Ensure ‘Turn on PowerShell Transcription’ is set to ‘Disabled’
oval:simp.cis.1.3.0.windows2016.18.9.103.1.2_L1_Ensure_Select_when_Preview_Builds_and_Feature_Updates_are_received_is_set_to_Enabled_Semi-Annual_Channel_180_or_more_days:def:1
- Title: (L1) Ensure ‘Select when Preview Builds and Feature Updates are received’ is set to ‘Enabled: Semi-Annual Channel, 180 or more days’
oval:simp.cis.1.3.0.windows2016.19.7.8.1_L1_Ensure_Configure_Windows_spotlight_on_lock_screen_is_set_to_Disabled:def:1
- Title: (L1) Ensure ‘Configure Windows spotlight on lock screen’ is set to Disabled’
- NOTE: This is a per-user setting that SIMP cannot directly enforce at this time.
- NOTE: Group Policy templates enforcing this setting that can be imported to Active Directory are provided on the Domain Controllers.
oval:simp.cis.1.3.0.windows2016.19.7.8.2_L1_Ensure_Do_not_suggest_third-party_content_in_Windows_spotlight_is_set_to_Enabled:def:1
- Title: (L1) Ensure ‘Do not suggest third-party content in Windows spotlight’ is set to ‘Enabled’
- NOTE: This is a per-user setting that SIMP cannot directly enforce at this time.
- NOTE: Group Policy templates enforcing this setting that can be imported to Active Directory are provided on the Domain Controllers.
oval:simp.cis.1.3.0.windows2016.2.3.10.9_L1_Configure_Network_access_Remotely_accessible_registry_paths_and_sub-paths_is_configured:def:1
- Title: (L1) Configure ‘Network access: Remotely accessible registry paths and sub-paths’ is configured
oval:simp.cis.1.3.0.windows2016.2.3.10.10_L1_Ensure_Network_access_Restrict_anonymous_access_to_Named_Pipes_and_Shares_is_set_to_Enabled:def:1
- Title: (L1) Ensure ‘Network access: Restrict anonymous access to Named Pipes and Shares’ is set to ‘Enabled’
oval:simp.cis.1.3.0.windows2016.2.3.10.12_L1_Ensure_Network_access_Shares_that_can_be_accessed_anonymously_is_set_to_None:def:1
- Title: (L1) Ensure ‘Network access: Shares that can be accessed anonymously’ is set to ‘None’
oval:simp.cis.1.3.0.windows2016.2.3.15.2_L1_Ensure_System_objects_Strengthen_default_permissions_of_internal_system_objects_e.g._Symbolic_Links_is_set_to_Enabled:def:1
- Title: (L1) Ensure ‘System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)’ is set to ‘Enabled’
oval:simp.cis.1.3.0.windows2016.17.4.1_L1_Ensure_Audit_Directory_Service_Access_is_set_to_include_Failure_DC_only:def:1
- Title: (L1) Ensure ‘Audit Directory Service Access’ is set to include ‘Failure’ (DC only)
oval:simp.cis.1.3.0.windows2016.17.4.2_L1_Ensure_Audit_Directory_Service_Changes_is_set_to_include_Success_DC_only:def:1
- Title: (L1) Ensure ‘Audit Directory Service Changes’ is set to include ‘Success’ (DC only)
oval:simp.cis.1.3.0.windows2016.17.6.1_L1_Ensure_Audit_Detailed_File_Share_is_set_to_include_Failure:def:1
- Title: (L1) Ensure ‘Audit Detailed File Share’ is set to include ‘Failure’
oval:simp.cis.1.3.0.windows2016.17.6.2_L1_Ensure_Audit_File_Share_is_set_to_Success_and_Failure:def:1
- Title: (L1) Ensure ‘Audit File Share’ is set to ‘Success and Failure’
oval:simp.cis.1.3.0.windows2016.18.9.4.1_L2_Ensure_Allow_a_Windows_app_to_share_application_data_between_users_is_set_to_Disabled:def:1
- Title: (L2) Ensure ‘Allow a Windows app to share application data between users’ is set to ‘Disabled’
oval:simp.cis.1.3.0.windows2016.18.9.63.3.3.2_L1_Ensure_Do_not_allow_drive_redirection_is_set_to_Enabled:def:1
- Title: (L1) Ensure ‘Do not allow drive redirection’ is set to ‘Enabled’
oval:simp.cis.1.3.0.windows2016.18.9.63.3.11.1_L1_Ensure_Do_not_delete_temp_folders_upon_exit_is_set_to_Disabled:def:1
- Title: (L1) Ensure ‘Do not delete temp folders upon exit’ is set to ‘Disabled’
oval:simp.cis.1.3.0.windows2016.18.9.63.3.11.2_L1_Ensure_Do_not_use_temporary_folders_per_session_is_set_to_Disabled:def:1
- Title: (L1) Ensure ‘Do not use temporary folders per session’ is set to ‘Disabled’
oval:simp.cis.1.3.0.windows2016.19.7.28.1_L1_Ensure_Prevent_users_from_sharing_files_within_their_profile._is_set_to_Enabled:def:1
- Title: (L1) Ensure ‘Prevent users from sharing files within their profile.’ is set to ‘Enabled’
- NOTE: This is a per-user setting that SIMP cannot directly enforce at this time.
- NOTE: Group Policy templates enforcing this setting that can be imported to Active Directory are provided on the Domain Controllers.
oval:simp.cis.1.3.0.windows2016.2.2.20_L1_Ensure_Deny_access_to_this_computer_from_the_network_to_include_Guests_DC_only:def:1
- Title: (L1) Ensure ‘Deny access to this computer from the network’ to include ‘Guests’ (DC only)
oval:simp.cis.1.3.0.windows2016.2.2.21_L1_Ensure_Deny_access_to_this_computer_from_the_network_to_include_Guests_Local_account_and_member_of_Administrators_group_MS_only:def:1
- Title: (L1) Ensure ‘Deny access to this computer from the network’ to include ‘Guests, Local account and member of Administrators group’ (MS only)
oval:simp.cis.1.3.0.windows2016.2.2.22_L1_Ensure_Deny_log_on_as_a_batch_job_to_include_Guests:def:1
- Title: (L1) Ensure ‘Deny log on as a batch job’ to include ‘Guests’
oval:simp.cis.1.3.0.windows2016.2.2.23_L1_Ensure_Deny_log_on_as_a_service_to_include_Guests:def:1
- Title: (L1) Ensure ‘Deny log on as a service’ to include ‘Guests’
oval:simp.cis.1.3.0.windows2016.2.2.24_L1_Ensure_Deny_log_on_locally_to_include_Guests:def:1
- Title: (L1) Ensure ‘Deny log on locally’ to include ‘Guests’
oval:simp.cis.1.3.0.windows2016.2.2.25_L1_Ensure_Deny_log_on_through_Remote_Desktop_Services_to_include_Guests_DC_only:def:1
- Title: (L1) Ensure ‘Deny log on through Remote Desktop Services’ to include ‘Guests’ (DC only)
oval:simp.cis.1.3.0.windows2016.2.2.26_L1_Ensure_Deny_log_on_through_Remote_Desktop_Services_is_set_to_Guests_Local_account_MS_only:def:1
- Title: (L1) Ensure ‘Deny log on through Remote Desktop Services’ is set to ‘Guests, Local account’ (MS only)
oval:simp.cis.1.3.0.windows2016.2.3.1.1_L1_Ensure_Accounts_Administrator_account_status_is_set_to_Disabled_MS_only:def:1
- Title: (L1) Ensure ‘Accounts: Administrator account status’ is set to ‘Disabled’ (MS only)
oval:simp.cis.1.3.0.windows2016.2.3.1.2_L1_Ensure_Accounts_Block_Microsoft_accounts_is_set_to_Users_cant_add_or_log_on_with_Microsoft_accounts:def:1
- Title: (L1) Ensure ‘Accounts: Block Microsoft accounts’ is set to ‘Users can’t add or log on with Microsoft accounts’
oval:simp.cis.1.3.0.windows2016.2.3.1.3_L1_Ensure_Accounts_Guest_account_status_is_set_to_Disabled_MS_only:def:1
- Title: (L1) Ensure ‘Accounts: Guest account status’ is set to ‘Disabled’ (MS only)
oval:simp.cis.1.3.0.windows2016.2.3.1.5_L1_Configure_Accounts_Rename_administrator_account:def:1
- Title: (L1) Configure ‘Accounts: Rename administrator account’
oval:simp.cis.1.3.0.windows2016.2.3.1.6_L1_Configure_Accounts_Rename_guest_account:def:1
- Title: (L1) Configure ‘Accounts: Rename guest account’
oval:simp.cis.1.3.0.windows2016.18.9.44.1_L1_Ensure_Block_all_consumer_Microsoft_account_user_authentication_is_set_to_Enabled:def:1
- Title: (L1) Ensure ‘Block all consumer Microsoft account user authentication’ is set to ‘Enabled’
oval:simp.cis.1.3.0.windows2016.17.1.1_L1_Ensure_Audit_Credential_Validation_is_set_to_Success_and_Failure:def:1
- Title: (L1) Ensure ‘Audit Credential Validation’ is set to ‘Success and Failure’
oval:simp.cis.1.3.0.windows2016.17.1.2_L1_Ensure_Audit_Kerberos_Authentication_Service_is_set_to_Success_and_Failure_DC_Only:def:1
- Title: (L1) Ensure ‘Audit Kerberos Authentication Service’ is set to ‘Success and Failure’ (DC Only)
oval:simp.cis.1.3.0.windows2016.17.1.3_L1_Ensure_Audit_Kerberos_Service_Ticket_Operations_is_set_to_Success_and_Failure_DC_Only:def:1
- Title: (L1) Ensure ‘Audit Kerberos Service Ticket Operations’ is set to ‘Success and Failure’ (DC Only)
oval:simp.cis.1.3.0.windows2016.17.2.1_L1_Ensure_Audit_Application_Group_Management_is_set_to_Success_and_Failure:def:1
- Title: (L1) Ensure ‘Audit Application Group Management’ is set to ‘Success and Failure’
oval:simp.cis.1.3.0.windows2016.1.2.1_L1_Ensure_Account_lockout_duration_is_set_to_15_or_more_minutes:def:1
- Title: (L1) Ensure ‘Account lockout duration’ is set to ‘15 or more minute(s)’
oval:simp.cis.1.3.0.windows2016.1.2.2_L1_Ensure_Account_lockout_threshold_is_set_to_5_or_fewer_invalid_logon_attempts_but_not_0:def:1
- Title: (L1) Ensure ‘Account lockout threshold’ is set to ‘5 or fewer invalid logon attempt(s), but not 0’
oval:simp.cis.1.3.0.windows2016.2.3.7.3_L1_Ensure_Interactive_logon_Machine_inactivity_limit_is_set_to_900_or_fewer_seconds_but_not_0:def:1
- Title: (L1) Ensure ‘Interactive logon: Machine inactivity limit’ is set to ‘900 or fewer second(s), but not 0’
oval:simp.cis.1.3.0.windows2016.2.3.7.9_L1_Ensure_Interactive_logon_Smart_card_removal_behavior_is_set_to_Lock_Workstation_or_higher:def:1
- Title: (L1) Ensure ‘Interactive logon: Smart card removal behavior’ is set to ‘Lock Workstation’ or higher
oval:simp.cis.1.3.0.windows2016.2.3.9.1_L1_Ensure_Microsoft_network_server_Amount_of_idle_time_required_before_suspending_session_is_set_to_15_or_fewer_minutes:def:1
- Title: (L1) Ensure ‘Microsoft network server: Amount of idle time required before suspending session’ is set to ‘15 or fewer minute(s)’
oval:simp.cis.1.3.0.windows2016.18.4.9_L1_Ensure_MSS_ScreenSaverGracePeriod_The_time_in_seconds_before_the_screen_saver_grace_period_expires_0_recommended_is_set_to_Enabled_5_or_fewer_seconds:def:1
- Title: (L1) Ensure ‘MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)’ is set to ‘Enabled: 5 or fewer seconds’
oval:simp.cis.1.3.0.windows2016.18.8.27.1_L2_Ensure_Disallow_copying_of_user_input_methods_to_the_system_account_for_sign-in_is_set_to_Enabled:def:1
- Title: (L2) Ensure ‘Disallow copying of user input methods to the system account for sign-in’ is set to ‘Enabled’
oval:simp.cis.1.3.0.windows2016.18.8.28.1_L1_Ensure_Block_user_from_showing_account_details_on_sign-in_is_set_to_Enabled:def:1
- Title: (L1) Ensure ‘Block user from showing account details on sign-in’ is set to ‘Enabled’
oval:simp.cis.1.3.0.windows2016.18.8.28.5_L1_Ensure_Turn_off_app_notifications_on_the_lock_screen_is_set_to_Enabled:def:1
- Title: (L1) Ensure ‘Turn off app notifications on the lock screen’ is set to ‘Enabled’
oval:simp.cis.1.3.0.windows2016.18.8.28.6_L1_Ensure_Turn_off_picture_password_sign-in_is_set_to_Enabled:def:1
- Title: (L1) Ensure ‘Turn off picture password sign-in’ is set to ‘Enabled’
oval:simp.cis.1.3.0.windows2016.18.8.28.7_L1_Ensure_Turn_on_convenience_PIN_sign-in_is_set_to_Disabled:def:1
- Title: (L1) Ensure ‘Turn on convenience PIN sign-in’ is set to ‘Disabled’
oval:simp.cis.1.3.0.windows2016.18.8.34.6.3_L1_Ensure_Require_a_password_when_a_computer_wakes_on_battery_is_set_to_Enabled:def:1
- Title: (L1) Ensure ‘Require a password when a computer wakes (on battery)’ is set to ‘Enabled’
oval:simp.cis.1.3.0.windows2016.18.8.34.6.4_L1_Ensure_Require_a_password_when_a_computer_wakes_plugged_in_is_set_to_Enabled:def:1
- Title: (L1) Ensure ‘Require a password when a computer wakes (plugged in)’ is set to ‘Enabled’
oval:simp.cis.1.3.0.windows2016.18.9.63.2.2_L1_Ensure_Do_not_allow_passwords_to_be_saved_is_set_to_Enabled:def:1
- Title: (L1) Ensure ‘Do not allow passwords to be saved’ is set to ‘Enabled’
oval:simp.cis.1.3.0.windows2016.18.9.63.3.10.1_L2_Ensure_Set_time_limit_for_active_but_idle_Remote_Desktop_Services_sessions_is_set_to_Enabled_15_minutes_or_less_but_not_Never_0:def:1
- Title: (L2) Ensure ‘Set time limit for active but idle Remote Desktop Services sessions’ is set to ‘Enabled: 15 minutes or less, but not Never (0)’
oval:simp.cis.1.3.0.windows2016.18.9.63.3.10.2_L2_Ensure_Set_time_limit_for_disconnected_sessions_is_set_to_Enabled_1_minute:def:1
- Title: (L2) Ensure ‘Set time limit for disconnected sessions’ is set to ‘Enabled: 1 minute’
oval:simp.cis.1.3.0.windows2016.18.9.85.2_L1_Ensure_Allow_Windows_Ink_Workspace_is_set_to_Enabled_On_but_disallow_access_above_lock_OR_Disabled_but_not_Enabled_On:def:1
- Title: (L1) Ensure ‘Allow Windows Ink Workspace’ is set to ‘Enabled: On, but disallow access above lock’ OR ‘Disabled’ but not ‘Enabled: On’
oval:simp.cis.1.3.0.windows2016.18.9.87.1_L1_Ensure_Sign-in_and_lock_last_interactive_user_automatically_after_a_restart_is_set_to_Disabled:def:1
- Title: (L1) Ensure ‘Sign-in and lock last interactive user automatically after a restart’ is set to ‘Disabled’
oval:simp.cis.1.3.0.windows2016.19.1.3.1_L1_Ensure_Enable_screen_saver_is_set_to_Enabled:def:1
- Title: (L1) Ensure ‘Enable screen saver’ is set to ‘Enabled’
- NOTE: This is a per-user setting that SIMP cannot directly enforce at this time.
- NOTE: Group Policy templates enforcing this setting that can be imported to Active Directory are provided on the Domain Controllers.
oval:simp.cis.1.3.0.windows2016.19.1.3.2_L1_Ensure_Password_protect_the_screen_saver_is_set_to_Enabled:def:1
- Title: (L1) Ensure ‘Password protect the screen saver’ is set to ‘Enabled’
- NOTE: This is a per-user setting that SIMP cannot directly enforce at this time.
- NOTE: Group Policy templates enforcing this setting that can be imported to Active Directory are provided on the Domain Controllers.
oval:simp.cis.1.3.0.windows2016.19.1.3.3_L1_Ensure_Screen_saver_timeout_is_set_to_Enabled_900_seconds_or_fewer_but_not_0:def:1
- Title: (L1) Ensure ‘Screen saver timeout’ is set to ‘Enabled: 900 seconds or fewer, but not 0’
- NOTE: This is a per-user setting that SIMP cannot directly enforce at this time.
- NOTE: Group Policy templates enforcing this setting that can be imported to Active Directory are provided on the Domain Controllers.
oval:simp.cis.1.3.0.windows2016.19.5.1.1_L1_Ensure_Turn_off_toast_notifications_on_the_lock_screen_is_set_to_Enabled:def:1
- Title: (L1) Ensure ‘Turn off toast notifications on the lock screen’ is set to ‘Enabled’
- NOTE: This is a per-user setting that SIMP cannot directly enforce at this time.
- NOTE: Group Policy templates enforcing this setting that can be imported to Active Directory are provided on the Domain Controllers.
oval:simp.cis.1.3.0.windows2016.17.3.1_L1_Ensure_Audit_PNP_Activity_is_set_to_include_Success:def:1
- Title: (L1) Ensure ‘Audit PNP Activity’ is set to include ‘Success’
oval:simp.cis.1.3.0.windows2016.17.6.4_L1_Ensure_Audit_Removable_Storage_is_set_to_Success_and_Failure:def:1
- Title: (L1) Ensure ‘Audit Removable Storage’ is set to ‘Success and Failure’
oval:simp.cis.1.3.0.windows2016.18.9.8.1_L1_Ensure_Disallow_Autoplay_for_non-volume_devices_is_set_to_Enabled:def:1
- Title: (L1) Ensure ‘Disallow Autoplay for non-volume devices’ is set to ‘Enabled’
oval:simp.cis.1.3.0.windows2016.18.9.8.2_L1_Ensure_Set_the_default_behavior_for_AutoRun_is_set_to_Enabled_Do_not_execute_any_autorun_commands:def:1
- Title: (L1) Ensure ‘Set the default behavior for AutoRun’ is set to ‘Enabled: Do not execute any autorun commands’
oval:simp.cis.1.3.0.windows2016.18.9.8.3_L1_Ensure_Turn_off_Autoplay_is_set_to_Enabled_All_drives:def:1
- Title: (L1) Ensure ‘Turn off Autoplay’ is set to ‘Enabled: All drives’
oval:simp.cis.1.3.0.windows2016.2.2.5_L1_Ensure_Add_workstations_to_domain_is_set_to_Administrators_DC_only:def:1
- Title: (L1) Ensure ‘Add workstations to domain’ is set to ‘Administrators’ (DC only)
oval:simp.cis.1.3.0.windows2016.2.2.6_L1_Ensure_Adjust_memory_quotas_for_a_process_is_set_to_Administrators_LOCAL_SERVICE_NETWORK_SERVICE:def:1
- Title: (L1) Ensure ‘Adjust memory quotas for a process’ is set to ‘Administrators, LOCAL SERVICE, NETWORK SERVICE’
oval:simp.cis.1.3.0.windows2016.2.2.7_L1_Ensure_Allow_log_on_locally_is_set_to_Administrators:def:1
- Title: (L1) Ensure ‘Allow log on locally’ is set to ‘Administrators’
oval:simp.cis.1.3.0.windows2016.2.2.8_L1_Ensure_Allow_log_on_through_Remote_Desktop_Services_is_set_to_Administrators_DC_only:def:1
- Title: (L1) Ensure ‘Allow log on through Remote Desktop Services’ is set to ‘Administrators’ (DC only)
oval:simp.cis.1.3.0.windows2016.2.2.9_L1_Ensure_Allow_log_on_through_Remote_Desktop_Services_is_set_to_Administrators_Remote_Desktop_Users_MS_only:def:1
- Title: (L1) Ensure ‘Allow log on through Remote Desktop Services’ is set to ‘Administrators, Remote Desktop Users’ (MS only)
oval:simp.cis.1.3.0.windows2016.2.2.36_L2_Ensure_Log_on_as_a_batch_job_is_set_to_Administrators_DC_Only:def:1
- Title: (L2) Ensure ‘Log on as a batch job’ is set to ‘Administrators’ (DC Only)
oval:simp.cis.1.3.0.windows2016.2.3.10.11_L1_Ensure_Network_access_Restrict_clients_allowed_to_make_remote_calls_to_SAM_is_set_to_Administrators_Remote_Access_Allow_MS_only:def:1
- Title: (L1) Ensure ‘Network access: Restrict clients allowed to make remote calls to SAM’ is set to ‘Administrators: Remote Access: Allow’ (MS only)
oval:simp.cis.1.3.0.windows2016.2.3.13.1_L1_Ensure_Shutdown_Allow_system_to_be_shut_down_without_having_to_log_on_is_set_to_Disabled:def:1
- Title: (L1) Ensure ‘Shutdown: Allow system to be shut down without having to log on’ is set to ‘Disabled’
oval:simp.cis.1.3.0.windows2016.2.3.17.2_L1_Ensure_User_Account_Control_Behavior_of_the_elevation_prompt_for_administrators_in_Admin_Approval_Mode_is_set_to_Prompt_for_consent_on_the_secure_desktop:def:1
- Title: (L1) Ensure ‘User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode’ is set to ‘Prompt for consent on the secure desktop’
oval:simp.cis.1.3.0.windows2016.2.3.17.6_L1_Ensure_User_Account_Control_Run_all_administrators_in_Admin_Approval_Mode_is_set_to_Enabled:def:1
- Title: (L1) Ensure ‘User Account Control: Run all administrators in Admin Approval Mode’ is set to ‘Enabled’
oval:simp.cis.1.3.0.windows2016.2.3.17.7_L1_Ensure_User_Account_Control_Switch_to_the_secure_desktop_when_prompting_for_elevation_is_set_to_Enabled:def:1
- Title: (L1) Ensure ‘User Account Control: Switch to the secure desktop when prompting for elevation’ is set to ‘Enabled’
oval:simp.cis.1.3.0.windows2016.17.8.1_L1_Ensure_Audit_Sensitive_Privilege_Use_is_set_to_Success_and_Failure:def:1
- Title: (L1) Ensure ‘Audit Sensitive Privilege Use’ is set to ‘Success and Failure’
oval:simp.cis.1.3.0.windows2016.18.3.1_L1_Ensure_Apply_UAC_restrictions_to_local_accounts_on_network_logons_is_set_to_Enabled_MS_only:def:1
- Title: (L1) Ensure ‘Apply UAC restrictions to local accounts on network logons’ is set to ‘Enabled’ (MS only)
oval:simp.cis.1.3.0.windows2016.18.4.1_L1_Ensure_MSS_AutoAdminLogon_Enable_Automatic_Logon_not_recommended_is_set_to_Disabled:def:1
- Title: (L1) Ensure ‘MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)’ is set to ‘Disabled’
oval:simp.cis.1.3.0.windows2016.18.5.11.2_L1_Ensure_Prohibit_installation_and_configuration_of_Network_Bridge_on_your_DNS_domain_network_is_set_to_Enabled:def:1
- Title: (L1) Ensure ‘Prohibit installation and configuration of Network Bridge on your DNS domain network’ is set to ‘Enabled’
oval:simp.cis.1.3.0.windows2016.18.5.11.4_L1_Ensure_Require_domain_users_to_elevate_when_setting_a_networks_location_is_set_to_Enabled:def:1
- Title: (L1) Ensure ‘Require domain users to elevate when setting a network’s location’ is set to ‘Enabled’
oval:simp.cis.1.3.0.windows2016.18.9.86.1_L1_Ensure_Allow_user_control_over_installs_is_set_to_Disabled:def:1
- Title: (L1) Ensure ‘Allow user control over installs’ is set to ‘Disabled’
oval:simp.cis.1.3.0.windows2016.18.9.86.2_L1_Ensure_Always_install_with_elevated_privileges_is_set_to_Disabled:def:1
- Title: (L1) Ensure ‘Always install with elevated privileges’ is set to ‘Disabled’
oval:simp.cis.1.3.0.windows2016.19.7.43.1_L1_Ensure_Always_install_with_elevated_privileges_is_set_to_Disabled:def:1
- Title: (L1) Ensure ‘Always install with elevated privileges’ is set to ‘Disabled’
- NOTE: This is a per-user setting that SIMP cannot directly enforce at this time.
- NOTE: Group Policy templates enforcing this setting that can be imported to Active Directory are provided on the Domain Controllers.
oval:simp.cis.1.3.0.windows2016.2.3.10.6_L1_Configure_Network_access_Named_Pipes_that_can_be_accessed_anonymously_DC_only:def:1
- Title: (L1) Configure ‘Network access: Named Pipes that can be accessed anonymously’ (DC only)
oval:simp.cis.1.3.0.windows2016.2.3.10.7_L1_Configure_Network_access_Named_Pipes_that_can_be_accessed_anonymously_MS_only:def:1
- Title: (L1) Configure ‘Network access: Named Pipes that can be accessed anonymously’ (MS only)
oval:simp.cis.1.3.0.windows2016.18.4.8_L1_Ensure_MSS_SafeDllSearchMode_Enable_Safe_DLL_search_mode_recommended_is_set_to_Enabled:def:1
- Title: (L1) Ensure ‘MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)’ is set to ‘Enabled’
oval:simp.cis.1.3.0.windows2016.18.8.14.1_L1_Ensure_Boot-Start_Driver_Initialization_Policy_is_set_to_Enabled_Good_unknown_and_bad_but_critical:def:1
- Title: (L1) Ensure ‘Boot-Start Driver Initialization Policy’ is set to ‘Enabled: Good, unknown and bad but critical’
oval:simp.cis.1.3.0.windows2016.18.9.45.3.1_L1_Ensure_Configure_local_setting_override_for_reporting_to_Microsoft_MAPS_is_set_to_Disabled:def:1
- Title: (L1) Ensure ‘Configure local setting override for reporting to Microsoft MAPS’ is set to ‘Disabled’
oval:simp.cis.1.3.0.windows2016.18.9.45.5.1_L2_Ensure_Enable_file_hash_computation_feature_is_set_to_Enabled:def:1
- Title: (L2) Ensure ‘Enable file hash computation feature’ is set to ‘Enabled’
oval:simp.cis.1.3.0.windows2016.18.9.45.8.1_L1_Ensure_Scan_all_downloaded_files_and_attachments_is_set_to_Enabled:def:1
- Title: (L1) Ensure ‘Scan all downloaded files and attachments’ is set to ‘Enabled’
oval:simp.cis.1.3.0.windows2016.18.9.45.8.2_L1_Ensure_Turn_off_real-time_protection_is_set_to_Disabled:def:1
- Title: (L1) Ensure ‘Turn off real-time protection’ is set to ‘Disabled’
oval:simp.cis.1.3.0.windows2016.18.9.45.8.3_L1_Ensure_Turn_on_behavior_monitoring_is_set_to_Enabled:def:1
- Title: (L1) Ensure ‘Turn on behavior monitoring’ is set to ‘Enabled’
oval:simp.cis.1.3.0.windows2016.18.9.45.11.2_L1_Ensure_Turn_on_e-mail_scanning_is_set_to_Enabled:def:1
- Title: (L1) Ensure ‘Turn on e-mail scanning’ is set to ‘Enabled’
oval:simp.cis.1.3.0.windows2016.18.9.45.14_L1_Ensure_Configure_detection_for_potentially_unwanted_applications_is_set_to_Enabled_Block:def:1
- Title: (L1) Ensure ‘Configure detection for potentially unwanted applications’ is set to ‘Enabled: Block’
oval:simp.cis.1.3.0.windows2016.18.9.45.15_L1_Ensure_Turn_off_Microsoft_Defender_AntiVirus_is_set_to_Disabled:def:1
- Title: (L1) Ensure ‘Turn off Microsoft Defender AntiVirus’ is set to ‘Disabled’
oval:simp.cis.1.3.0.windows2016.19.7.4.2_L1_Ensure_Notify_antivirus_programs_when_opening_attachments_is_set_to_Enabled:def:1
- Title: (L1) Ensure ‘Notify antivirus programs when opening attachments’ is set to ‘Enabled’
- NOTE: This is a per-user setting that SIMP cannot directly enforce at this time.
- NOTE: Group Policy templates enforcing this setting that can be imported to Active Directory are provided on the Domain Controllers.
oval:simp.cis.1.3.0.windows2016.2.3.4.1_L1_Ensure_Devices_Allowed_to_format_and_eject_removable_media_is_set_to_Administrators:def:1
- Title: (L1) Ensure ‘Devices: Allowed to format and eject removable media’ is set to ‘Administrators’
oval:simp.cis.1.3.0.windows2016.18.9.45.11.1_L1_Ensure_Scan_removable_drives_is_set_to_Enabled:def:1
- Title: (L1) Ensure ‘Scan removable drives’ is set to ‘Enabled’
oval:simp.cis.1.3.0.windows2016.2.2.10_L1_Ensure_Back_up_files_and_directories_is_set_to_Administrators:def:1
- Title: (L1) Ensure ‘Back up files and directories’ is set to ‘Administrators’
oval:simp.cis.1.3.0.windows2016.2.2.11_L1_Ensure_Change_the_system_time_is_set_to_Administrators_LOCAL_SERVICE:def:1
- Title: (L1) Ensure ‘Change the system time’ is set to ‘Administrators, LOCAL SERVICE’
oval:simp.cis.1.3.0.windows2016.2.2.12_L1_Ensure_Change_the_time_zone_is_set_to_Administrators_LOCAL_SERVICE:def:1
- Title: (L1) Ensure ‘Change the time zone’ is set to ‘Administrators, LOCAL SERVICE’
oval:simp.cis.1.3.0.windows2016.2.2.13_L1_Ensure_Create_a_pagefile_is_set_to_Administrators:def:1
- Title: (L1) Ensure ‘Create a pagefile’ is set to ‘Administrators’
oval:simp.cis.1.3.0.windows2016.2.2.15_L1_Ensure_Create_global_objects_is_set_to_Administrators_LOCAL_SERVICE_NETWORK_SERVICE_SERVICE:def:1
- Title: (L1) Ensure ‘Create global objects’ is set to ‘Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE’
oval:simp.cis.1.3.0.windows2016.2.2.17_L1_Ensure_Create_symbolic_links_is_set_to_Administrators_DC_only:def:1
- Title: (L1) Ensure ‘Create symbolic links’ is set to ‘Administrators’ (DC only)
oval:simp.cis.1.3.0.windows2016.2.2.18_L1_Ensure_Create_symbolic_links_is_set_to_Administrators_NT_VIRTUAL_MACHINEVirtual_Machines_MS_only:def:1
- Title: (L1) Ensure ‘Create symbolic links’ is set to ‘Administrators, NT VIRTUAL MACHINE\Virtual Machines’ (MS only)
oval:simp.cis.1.3.0.windows2016.2.2.19_L1_Ensure_Debug_programs_is_set_to_Administrators:def:1
- Title: (L1) Ensure ‘Debug programs’ is set to ‘Administrators’
oval:simp.cis.1.3.0.windows2016.2.2.27_L1_Ensure_Enable_computer_and_user_accounts_to_be_trusted_for_delegation_is_set_to_Administrators_DC_only:def:1
- Title: (L1) Ensure ‘Enable computer and user accounts to be trusted for delegation’ is set to ‘Administrators’ (DC only)
oval:simp.cis.1.3.0.windows2016.2.2.29_L1_Ensure_Force_shutdown_from_a_remote_system_is_set_to_Administrators:def:1
- Title: (L1) Ensure ‘Force shutdown from a remote system’ is set to ‘Administrators’
oval:simp.cis.1.3.0.windows2016.2.2.31_L1_Ensure_Impersonate_a_client_after_authentication_is_set_to_Administrators_LOCAL_SERVICE_NETWORK_SERVICE_SERVICE_DC_only:def:1
- Title: (L1) Ensure ‘Impersonate a client after authentication’ is set to ‘Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE’ (DC only)
oval:simp.cis.1.3.0.windows2016.2.2.32_L1_Ensure_Impersonate_a_client_after_authentication_is_set_to_Administrators_LOCAL_SERVICE_NETWORK_SERVICE_SERVICE_and_when_the_Web_Server_IIS_Role_with_Web_Services_Role_Service_is_installed_IIS_IUSRS_MS_only:def:1
- Title: (L1) Ensure ‘Impersonate a client after authentication’ is set to ‘Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE’ and (when the Web Server (IIS) Role with Web Services Role Service is installed) ‘IIS_IUSRS’ (MS only)
oval:simp.cis.1.3.0.windows2016.2.2.33_L1_Ensure_Increase_scheduling_priority_is_set_to_Administrators:def:1
- Title: (L1) Ensure ‘Increase scheduling priority’ is set to ‘Administrators’
oval:simp.cis.1.3.0.windows2016.2.2.34_L1_Ensure_Load_and_unload_device_drivers_is_set_to_Administrators:def:1
- Title: (L1) Ensure ‘Load and unload device drivers’ is set to ‘Administrators’
oval:simp.cis.1.3.0.windows2016.2.2.37_L1_Ensure_Manage_auditing_and_security_log_is_set_to_Administrators_and_when_Exchange_is_running_in_the_environment_Exchange_Servers_DC_only:def:1
- Title: (L1) Ensure ‘Manage auditing and security log’ is set to ‘Administrators’ and (when Exchange is running in the environment) ‘Exchange Servers’ (DC only)
oval:simp.cis.1.3.0.windows2016.2.2.38_L1_Ensure_Manage_auditing_and_security_log_is_set_to_Administrators_MS_only:def:1
- Title: (L1) Ensure ‘Manage auditing and security log’ is set to ‘Administrators’ (MS only)
oval:simp.cis.1.3.0.windows2016.2.2.40_L1_Ensure_Modify_firmware_environment_values_is_set_to_Administrators:def:1
- Title: (L1) Ensure ‘Modify firmware environment values’ is set to ‘Administrators’
oval:simp.cis.1.3.0.windows2016.2.2.41_L1_Ensure_Perform_volume_maintenance_tasks_is_set_to_Administrators:def:1
- Title: (L1) Ensure ‘Perform volume maintenance tasks’ is set to ‘Administrators’
oval:simp.cis.1.3.0.windows2016.2.2.42_L1_Ensure_Profile_single_process_is_set_to_Administrators:def:1
- Title: (L1) Ensure ‘Profile single process’ is set to ‘Administrators’
oval:simp.cis.1.3.0.windows2016.2.2.43_L1_Ensure_Profile_system_performance_is_set_to_Administrators_NT_SERVICEWdiServiceHost:def:1
- Title: (L1) Ensure ‘Profile system performance’ is set to ‘Administrators, NT SERVICE\WdiServiceHost’
oval:simp.cis.1.3.0.windows2016.2.2.45_L1_Ensure_Restore_files_and_directories_is_set_to_Administrators:def:1
- Title: (L1) Ensure ‘Restore files and directories’ is set to ‘Administrators’
oval:simp.cis.1.3.0.windows2016.2.2.46_L1_Ensure_Shut_down_the_system_is_set_to_Administrators:def:1
- Title: (L1) Ensure ‘Shut down the system’ is set to ‘Administrators’
oval:simp.cis.1.3.0.windows2016.2.2.48_L1_Ensure_Take_ownership_of_files_or_other_objects_is_set_to_Administrators:def:1
- Title: (L1) Ensure ‘Take ownership of files or other objects’ is set to ‘Administrators’
oval:simp.cis.1.3.0.windows2016.2.3.5.1_L1_Ensure_Domain_controller_Allow_server_operators_to_schedule_tasks_is_set_to_Disabled_DC_only:def:1
- Title: (L1) Ensure ‘Domain controller: Allow server operators to schedule tasks’ is set to ‘Disabled’ (DC only)
oval:simp.cis.1.3.0.windows2016.18.5.20.1_L2_Ensure_Configuration_of_wireless_settings_using_Windows_Connect_Now_is_set_to_Disabled:def:1
- Title: (L2) Ensure ‘Configuration of wireless settings using Windows Connect Now’ is set to ‘Disabled’
oval:simp.cis.1.3.0.windows2016.18.5.20.2_L2_Ensure_Prohibit_access_of_the_Windows_Connect_Now_wizards_is_set_to_Enabled:def:1
- Title: (L2) Ensure ‘Prohibit access of the Windows Connect Now wizards’ is set to ‘Enabled’
oval:simp.cis.1.3.0.windows2016.18.5.21.1_L1_Ensure_Minimize_the_number_of_simultaneous_connections_to_the_Internet_or_a_Windows_Domain_is_set_to_Enabled_1__Minimize_simultaneous_connections:def:1
- Title: (L1) Ensure ‘Minimize the number of simultaneous connections to the Internet or a Windows Domain’ is set to ‘Enabled: 1 = Minimize simultaneous connections’
oval:simp.cis.1.3.0.windows2016.18.5.21.2_L2_Ensure_Prohibit_connection_to_non-domain_networks_when_connected_to_domain_authenticated_network_is_set_to_Enabled_MS_only:def:1
- Title: (L2) Ensure ‘Prohibit connection to non-domain networks when connected to domain authenticated network’ is set to ‘Enabled’ (MS only)
oval:simp.cis.1.3.0.windows2016.2.3.6.1_L1_Ensure_Domain_member_Digitally_encrypt_or_sign_secure_channel_data_always_is_set_to_Enabled:def:1
- Title: (L1) Ensure ‘Domain member: Digitally encrypt or sign secure channel data (always)’ is set to ‘Enabled’
oval:simp.cis.1.3.0.windows2016.2.3.6.2_L1_Ensure_Domain_member_Digitally_encrypt_secure_channel_data_when_possible_is_set_to_Enabled:def:1
- Title: (L1) Ensure ‘Domain member: Digitally encrypt secure channel data (when possible)’ is set to ‘Enabled’
oval:simp.cis.1.3.0.windows2016.2.3.6.3_L1_Ensure_Domain_member_Digitally_sign_secure_channel_data_when_possible_is_set_to_Enabled:def:1
- Title: (L1) Ensure ‘Domain member: Digitally sign secure channel data (when possible)’ is set to ‘Enabled’
oval:simp.cis.1.3.0.windows2016.18.8.22.1.2_L2_Ensure_Turn_off_handwriting_personalization_data_sharing_is_set_to_Enabled:def:1
- Title: (L2) Ensure ‘Turn off handwriting personalization data sharing’ is set to ‘Enabled’
oval:simp.cis.1.3.0.windows2016.18.8.22.1.3_L2_Ensure_Turn_off_handwriting_recognition_error_reporting_is_set_to_Enabled:def:1
- Title: (L2) Ensure ‘Turn off handwriting recognition error reporting’ is set to ‘Enabled’
oval:simp.cis.1.3.0.windows2016.18.8.22.1.4_L2_Ensure_Turn_off_Internet_Connection_Wizard_if_URL_connection_is_referring_to_Microsoft.com_is_set_to_Enabled:def:1
- Title: (L2) Ensure ‘Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com’ is set to ‘Enabled’
oval:simp.cis.1.3.0.windows2016.18.8.22.1.6_L2_Ensure_Turn_off_printing_over_HTTP_is_set_to_Enabled:def:1
- Title: (L2) Ensure ‘Turn off printing over HTTP’ is set to ‘Enabled’
oval:simp.cis.1.3.0.windows2016.18.8.47.5.1_L2_Ensure_Microsoft_Support_Diagnostic_Tool_Turn_on_MSDT_interactive_communication_with_support_provider_is_set_to_Disabled:def:1
- Title: (L2) Ensure ‘Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider’ is set to ‘Disabled’
oval:simp.cis.1.3.0.windows2016.18.8.47.11.1_L2_Ensure_EnableDisable_PerfTrack_is_set_to_Disabled:def:1
- Title: (L2) Ensure ‘Enable/Disable PerfTrack’ is set to ‘Disabled’
oval:simp.cis.1.3.0.windows2016.18.8.49.1_L2_Ensure_Turn_off_the_advertising_ID_is_set_to_Enabled:def:1
- Title: (L2) Ensure ‘Turn off the advertising ID’ is set to ‘Enabled’
oval:simp.cis.1.3.0.windows2016.18.9.13.1_L1_Ensure_Turn_off_Microsoft_consumer_experiences_is_set_to_Enabled:def:1
- Title: (L1) Ensure ‘Turn off Microsoft consumer experiences’ is set to ‘Enabled’
oval:simp.cis.1.3.0.windows2016.18.9.16.1L1_Ensure_Allow_Telemetry_is_set_to_Enabled_0-Security_Enterprise_Only_or_Enabled_1-_Basic:def:1
- Title: (L1) Ensure ‘Allow Telemetry’ is set to ‘Enabled: 0 - Security [Enterprise Only]’ or ‘Enabled: 1 - Basic’
oval:simp.cis.1.3.0.windows2016.18.9.16.2_L2_Ensure_Configure_Authenticated_Proxy_usage_for_the_Connected_User_Experience_and_Telemetry_service_is_set_to_Enabled_Disable_Authenticated_Proxy_usage:def:1
- Title: (L2) Ensure ‘Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service’ is set to ‘Enabled: Disable Authenticated Proxy usage’
oval:simp.cis.1.3.0.windows2016.18.9.45.3.2_L2_Ensure_Join_Microsoft_MAPS_is_set_to_Disabled:def:1
- Title: (L2) Ensure ‘Join Microsoft MAPS’ is set to ‘Disabled’
oval:simp.cis.1.3.0.windows2016.18.9.45.10.1_L2_Ensure_Configure_Watson_events_is_set_to_Disabled:def:1
- Title: (L2) Ensure ‘Configure Watson events’ is set to ‘Disabled’
oval:simp.cis.1.3.0.windows2016.18.9.65.3_L1_Ensure_Allow_indexing_of_encrypted_files_is_set_to_Disabled:def:1
- Title: (L1) Ensure ‘Allow indexing of encrypted files’ is set to ‘Disabled’
oval:simp.cis.1.3.0.windows2016.18.9.70.1_L2_Ensure_Turn_off_KMS_Client_Online_AVS_Validation_is_set_to_Enabled:def:1
- Title: (L2) Ensure ‘Turn off KMS Client Online AVS Validation’ is set to ‘Enabled’
oval:simp.cis.1.3.0.windows2016.19.6.6.1.1_L2_Ensure_Turn_off_Help_Experience_Improvement_Program_is_set_to_Enabled:def:1
- Title: (L2) Ensure ‘Turn off Help Experience Improvement Program’ is set to ‘Enabled’
- NOTE: This is a per-user setting that SIMP cannot directly enforce at this time.
- NOTE: Group Policy templates enforcing this setting that can be imported to Active Directory are provided on the Domain Controllers.
oval:simp.cis.1.3.0.windows2016.19.7.8.3_L2_Ensure_Do_not_use_diagnostic_data_for_tailored_experiences_is_set_to_Enabled:def:1
- Title: (L2) Ensure ‘Do not use diagnostic data for tailored experiences’ is set to ‘Enabled’
- NOTE: This is a per-user setting that SIMP cannot directly enforce at this time.
- NOTE: Group Policy templates enforcing this setting that can be imported to Active Directory are provided on the Domain Controllers.
oval:simp.cis.1.3.0.windows2016.19.7.8.4_L2_Ensure_Turn_off_all_Windows_spotlight_features_is_set_to_Enabled:def:1
- Title: (L2) Ensure ‘Turn off all Windows spotlight features’ is set to ‘Enabled’
- NOTE: This is a per-user setting that SIMP cannot directly enforce at this time.
- NOTE: Group Policy templates enforcing this setting that can be imported to Active Directory are provided on the Domain Controllers.
oval:simp.cis.1.3.0.windows2016.2.3.2.1_L1_Ensure_Audit_Force_audit_policy_subcategory_settings_Windows_Vista_or_later_to_override_audit_policy_category_settings_is_set_to_Enabled:def:1
- Title: (L1) Ensure ‘Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings’ is set to ‘Enabled’
oval:simp.cis.1.3.0.windows2016.2.3.2.2_L1_Ensure_Audit_Shut_down_system_immediately_if_unable_to_log_security_audits_is_set_to_Disabled:def:1
- Title: (L1) Ensure ‘Audit: Shut down system immediately if unable to log security audits’ is set to ‘Disabled’
oval:simp.cis.1.3.0.windows2016.9.1.5_L1_Ensure_Windows_Firewall_Domain_Logging_Name_is_set_to_SystemRootSystem32logfilesfirewalldomainfw.log:def:1
- Title: (L1) Ensure ‘Windows Firewall: Domain: Logging: Name’ is set to ‘%SystemRoot%\System32\logfiles\firewall\domainfw.log’
oval:simp.cis.1.3.0.windows2016.9.1.7_L1_Ensure_Windows_Firewall_Domain_Logging_Log_dropped_packets_is_set_to_Yes:def:1
- Title: (L1) Ensure ‘Windows Firewall: Domain: Logging: Log dropped packets’ is set to ‘Yes’
oval:simp.cis.1.3.0.windows2016.9.1.8_L1_Ensure_Windows_Firewall_Domain_Logging_Log_successful_connections_is_set_to_Yes:def:1
- Title: (L1) Ensure ‘Windows Firewall: Domain: Logging: Log successful connections’ is set to ‘Yes’
oval:simp.cis.1.3.0.windows2016.9.2.5_L1_Ensure_Windows_Firewall_Private_Logging_Name_is_set_to_SystemRootSystem32logfilesfirewallprivatefw.log:def:1
- Title: (L1) Ensure ‘Windows Firewall: Private: Logging: Name’ is set to ‘%SystemRoot%\System32\logfiles\firewall\privatefw.log’
oval:simp.cis.1.3.0.windows2016.9.2.7_L1_Ensure_Windows_Firewall_Private_Logging_Log_dropped_packets_is_set_to_Yes:def:1
- Title: (L1) Ensure ‘Windows Firewall: Private: Logging: Log dropped packets’ is set to ‘Yes’
oval:simp.cis.1.3.0.windows2016.9.2.8_L1_Ensure_Windows_Firewall_Private_Logging_Log_successful_connections_is_set_to_Yes:def:1
- Title: (L1) Ensure ‘Windows Firewall: Private: Logging: Log successful connections’ is set to ‘Yes’
oval:simp.cis.1.3.0.windows2016.9.3.7_L1_Ensure_Windows_Firewall_Public_Logging_Name_is_set_to_SystemRootSystem32logfilesfirewallpublicfw.log:def:1
- Title: (L1) Ensure ‘Windows Firewall: Public: Logging: Name’ is set to ‘%SystemRoot%\System32\logfiles\firewall\publicfw.log’
oval:simp.cis.1.3.0.windows2016.9.3.9_L1_Ensure_Windows_Firewall_Public_Logging_Log_dropped_packets_is_set_to_Yes:def:1
- Title: (L1) Ensure ‘Windows Firewall: Public: Logging: Log dropped packets’ is set to ‘Yes’
oval:simp.cis.1.3.0.windows2016.9.3.10_L1_Ensure_Windows_Firewall_Public_Logging_Log_successful_connections_is_set_to_Yes:def:1
- Title: (L1) Ensure ‘Windows Firewall: Public: Logging: Log successful connections’ is set to ‘Yes’
oval:simp.cis.1.3.0.windows2016.18.8.52.1.1_L2_Ensure_Enable_Windows_NTP_Client_is_set_to_Enabled:def:1
- Title: (L2) Ensure ‘Enable Windows NTP Client’ is set to ‘Enabled’
oval:simp.cis.1.3.0.windows2016.2.3.17.4_L1_Ensure_User_Account_Control_Detect_application_installations_and_prompt_for_elevation_is_set_to_Enabled:def:1
- Title: (L1) Ensure ‘User Account Control: Detect application installations and prompt for elevation’ is set to ‘Enabled’
oval:simp.cis.1.3.0.windows2016.18.8.22.1.1_L1_Ensure_Turn_off_downloading_of_print_drivers_over_HTTP_is_set_to_Enabled:def:1
- Title: (L1) Ensure ‘Turn off downloading of print drivers over HTTP’ is set to ‘Enabled’
oval:simp.cis.1.3.0.windows2016.18.9.16.4_L1_Ensure_Toggle_user_control_over_Insider_builds_is_set_to_Disabled:def:1
- Title: (L1) Ensure ‘Toggle user control over Insider builds’ is set to ‘Disabled’
oval:simp.cis.1.3.0.windows2016.18.9.81.1.1_L1_Ensure_Configure_Windows_Defender_SmartScreen_is_set_to_Enabled_Warn_and_prevent_bypass:def:1
- Title: (L1) Ensure ‘Configure Windows Defender SmartScreen’ is set to ‘Enabled: Warn and prevent bypass’
oval:simp.cis.1.3.0.windows2016.18.9.103.1.1_L1_Ensure_Manage_preview_builds_is_set_to_Enabled_Disable_preview_builds:def:1
- Title: (L1) Ensure ‘Manage preview builds’ is set to ‘Enabled: Disable preview builds’
oval:simp.cis.1.3.0.windows2016.19.7.47.2.1_L2_Ensure_Prevent_Codec_Download_is_set_to_Enabled:def:1
- Title: (L2) Ensure ‘Prevent Codec Download’ is set to ‘Enabled’
oval:simp.cis.1.3.0.windows2016.1.1.5_L1_Ensure_Password_must_meet_complexity_requirements_is_set_to_Enabled:def:1
- Title: (L1) Ensure ‘Password must meet complexity requirements’ is set to ‘Enabled’
oval:simp.cis.1.3.0.windows2016.2.2.30_L1_Ensure_Generate_security_audits_is_set_to_LOCAL_SERVICE_NETWORK_SERVICE:def:1
- Title: (L1) Ensure ‘Generate security audits’ is set to ‘LOCAL SERVICE, NETWORK SERVICE’
oval:simp.cis.1.3.0.windows2016.2.2.44_L1_Ensure_Replace_a_process_level_token_is_set_to_LOCAL_SERVICE_NETWORK_SERVICE:def:1
- Title: (L1) Ensure ‘Replace a process level token’ is set to ‘LOCAL SERVICE, NETWORK SERVICE’
oval:simp.cis.1.3.0.windows2016.2.3.1.4_L1_Ensure_Accounts_Limit_local_account_use_of_blank_passwords_to_console_logon_only_is_set_to_Enabled:def:1
- Title: (L1) Ensure ‘Accounts: Limit local account use of blank passwords to console logon only’ is set to ‘Enabled’
oval:simp.cis.1.3.0.windows2016.2.3.17.1_L1_Ensure_User_Account_Control_Admin_Approval_Mode_for_the_Built-in_Administrator_account_is_set_to_Enabled:def:1
- Title: (L1) Ensure ‘User Account Control: Admin Approval Mode for the Built-in Administrator account’ is set to ‘Enabled’
oval:simp.cis.1.3.0.windows2016.18.2.1_L1_Ensure_LAPS_AdmPwd_GPO_Extension__CSE_is_installed_MS_only:def:1
- Title: (L1) Ensure LAPS AdmPwd GPO Extension / CSE is installed (MS only)
oval:simp.cis.1.3.0.windows2016.18.2.3_L1_Ensure_Enable_Local_Admin_Password_Management_is_set_to_Enabled_MS_only:def:1
- Title: (L1) Ensure ‘Enable Local Admin Password Management’ is set to ‘Enabled’ (MS only)
oval:simp.cis.1.3.0.windows2016.1.1.6_L1_Ensure_Store_passwords_using_reversible_encryption_is_set_to_Disabled:def:1
- Title: (L1) Ensure ‘Store passwords using reversible encryption’ is set to ‘Disabled’
oval:simp.cis.1.3.0.windows2016.2.3.10.4_L2_Ensure_Network_access_Do_not_allow_storage_of_passwords_and_credentials_for_network_authentication_is_set_to_Enabled:def:1
- Title: (L2) Ensure ‘Network access: Do not allow storage of passwords and credentials for network authentication’ is set to ‘Enabled’
oval:simp.cis.1.3.0.windows2016.2.3.11.4_L1_Ensure_Network_security_Configure_encryption_types_allowed_for_Kerberos_is_set_to_AES128_HMAC_SHA1_AES256_HMAC_SHA1_Future_encryption_types:def:1
- Title: (L1) Ensure ‘Network security: Configure encryption types allowed for Kerberos’ is set to ‘AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types’
oval:simp.cis.1.3.0.windows2016.2.3.11.5_L1_Ensure_Network_security_Do_not_store_LAN_Manager_hash_value_on_next_password_change_is_set_to_Enabled:def:1
- Title: (L1) Ensure ‘Network security: Do not store LAN Manager hash value on next password change’ is set to ‘Enabled’
oval:simp.cis.1.3.0.windows2016.18.3.6_L1_Ensure_WDigest_Authentication_is_set_to_Disabled:def:1
- Title: (L1) Ensure ‘WDigest Authentication’ is set to ‘Disabled’
oval:simp.cis.1.3.0.windows2016.18.8.3.1_L1_Ensure_Include_command_line_in_process_creation_events_is_set_to_Disabled:def:1
- Title: (L1) Ensure ‘Include command line in process creation events’ is set to ‘Disabled’
oval:simp.cis.1.3.0.windows2016.18.8.4.1_L1_Ensure_Encryption_Oracle_Remediation_is_set_to_Enabled_Force_Updated_Clients:def:1
- Title: (L1) Ensure ‘Encryption Oracle Remediation’ is set to ‘Enabled: Force Updated Clients’
oval:simp.cis.1.3.0.windows2016.18.8.4.2_L1_Ensure_Remote_host_allows_delegation_of_non-exportable_credentials_is_set_to_Enabled:def:1
- Title: (L1) Ensure ‘Remote host allows delegation of non-exportable credentials’ is set to ‘Enabled’
oval:simp.cis.1.3.0.windows2016.18.8.5.1_NG_Ensure_Turn_On_Virtualization_Based_Security_is_set_to_Enabled:def:1
- Title: (NG) Ensure ‘Turn On Virtualization Based Security’ is set to ‘Enabled’
oval:simp.cis.1.3.0.windows2016.18.8.5.2_NG_Ensure_Turn_On_Virtualization_Based_Security_Select_Platform_Security_Level_is_set_to_Secure_Boot_and_DMA_Protection:def:1
- Title: (NG) Ensure ‘Turn On Virtualization Based Security: Select Platform Security Level’ is set to ‘Secure Boot and DMA Protection’
oval:simp.cis.1.3.0.windows2016.18.8.5.3_NG_Ensure_Turn_On_Virtualization_Based_Security_Virtualization_Based_Protection_of_Code_Integrity_is_set_to_Enabled_with_UEFI_lock:def:1
- Title: (NG) Ensure ‘Turn On Virtualization Based Security: Virtualization Based Protection of Code Integrity’ is set to ‘Enabled with UEFI lock’
oval:simp.cis.1.3.0.windows2016.18.8.5.4_NG_Ensure_Turn_On_Virtualization_Based_Security_Require_UEFI_Memory_Attributes_Table_is_set_to_True_checked:def:1
- Title: (NG) Ensure ‘Turn On Virtualization Based Security: Require UEFI Memory Attributes Table’ is set to ‘True (checked)’
oval:simp.cis.1.3.0.windows2016.18.8.5.5_NG_Ensure_Turn_On_Virtualization_Based_Security_Credential_Guard_Configuration_is_set_to_Enabled_with_UEFI_lock_MS_Only:def:1
- Title: (NG) Ensure ‘Turn On Virtualization Based Security: Credential Guard Configuration’ is set to ‘Enabled with UEFI lock’ (MS Only)
oval:simp.cis.1.3.0.windows2016.18.8.5.6_NG_Ensure_Turn_On_Virtualization_Based_Security_Credential_Guard_Configuration_is_set_to_Disabled_DC_Only:def:1
- Title: (NG) Ensure ‘Turn On Virtualization Based Security: Credential Guard Configuration’ is set to ‘Disabled’ (DC Only)
oval:simp.cis.1.3.0.windows2016.18.8.5.7_NG_Ensure_Turn_On_Virtualization_Based_Security_Secure_Launch_Configuration_is_set_to_Enabled:def:1
- Title: (NG) Ensure ‘Turn On Virtualization Based Security: Secure Launch Configuration’ is set to ‘Enabled’
oval:simp.cis.1.3.0.windows2016.18.9.63.3.9.1_L1_Ensure_Always_prompt_for_password_upon_connection_is_set_to_Enabled:def:1
- Title: (L1) Ensure ‘Always prompt for password upon connection’ is set to ‘Enabled’
oval:simp.cis.1.3.0.windows2016.1.1.1_L1_Ensure_Enforce_password_history_is_set_to_24_or_more_passwords:def:1
- Title: (L1) Ensure ‘Enforce password history’ is set to ‘24 or more password(s)’
oval:simp.cis.1.3.0.windows2016.1.1.2_L1_Ensure_Maximum_password_age_is_set_to_365_or_fewer_days_but_not_0:def:1
- Title: (L1) Ensure ‘Maximum password age’ is set to ‘365 or fewer days, but not 0’
oval:simp.cis.1.3.0.windows2016.1.1.4_L1_Ensure_Minimum_password_length_is_set_to_14_or_more_characters:def:1
- Title: (L1) Ensure ‘Minimum password length’ is set to ‘14 or more character(s)’
oval:simp.cis.1.3.0.windows2016.1.2.3_L1_Ensure_Reset_account_lockout_counter_after_is_set_to_15_or_more_minutes:def:1
- Title: (L1) Ensure ‘Reset account lockout counter after’ is set to ‘15 or more minute(s)’
oval:simp.cis.1.3.0.windows2016.2.3.5.3_L1_Ensure_Domain_controller_LDAP_server_channel_binding_token_requirements_is_set_to_Always_DC_Only:def:1
- Title: (L1) Ensure ‘Domain controller: LDAP server channel binding token requirements’ is set to ‘Always’ (DC Only)
oval:simp.cis.1.3.0.windows2016.18.9.98.1.1_L1_Ensure_Allow_Basic_authentication_is_set_to_Disabled:def:1
- Title: (L1) Ensure ‘Allow Basic authentication’ is set to ‘Disabled’
oval:simp.cis.1.3.0.windows2016.18.9.98.1.2_L1_Ensure_Allow_unencrypted_traffic_is_set_to_Disabled:def:1
- Title: (L1) Ensure ‘Allow unencrypted traffic’ is set to ‘Disabled’
oval:simp.cis.1.3.0.windows2016.18.9.98.1.3_L1_Ensure_Disallow_Digest_authentication_is_set_to_Enabled:def:1
- Title: (L1) Ensure ‘Disallow Digest authentication’ is set to ‘Enabled’
oval:simp.cis.1.3.0.windows2016.18.9.98.2.1_L1_Ensure_Allow_Basic_authentication_is_set_to_Disabled:def:1
- Title: (L1) Ensure ‘Allow Basic authentication’ is set to ‘Disabled’
oval:simp.cis.1.3.0.windows2016.18.9.98.2.3_L1_Ensure_Allow_unencrypted_traffic_is_set_to_Disabled:def:1
- Title: (L1) Ensure ‘Allow unencrypted traffic’ is set to ‘Disabled’
oval:simp.cis.1.3.0.windows2016.18.5.14.1_L1_Ensure_Hardened_UNC_Paths_is_set_to_Enabled_with_Require_Mutual_Authentication_and_Require_Integrity_set_for_all_NETLOGON_and_SYSVOL_shares:def:1
- Title: (L1) Ensure ‘Hardened UNC Paths’ is set to ‘Enabled, with “Require Mutual Authentication” and “Require Integrity” set for all NETLOGON and SYSVOL shares’
oval:simp.cis.1.3.0.windows2016.9.1.6_L1_Ensure_Windows_Firewall_Domain_Logging_Size_limit_KB_is_set_to_16384_KB_or_greater:def:1
- Title: (L1) Ensure ‘Windows Firewall: Domain: Logging: Size limit (KB)’ is set to ‘16,384 KB or greater’
oval:simp.cis.1.3.0.windows2016.9.2.6_L1_Ensure_Windows_Firewall_Private_Logging_Size_limit_KB_is_set_to_16384_KB_or_greater:def:1
- Title: (L1) Ensure ‘Windows Firewall: Private: Logging: Size limit (KB)’ is set to ‘16,384 KB or greater’
oval:simp.cis.1.3.0.windows2016.9.3.8_L1_Ensure_Windows_Firewall_Public_Logging_Size_limit_KB_is_set_to_16384_KB_or_greater:def:1
- Title: (L1) Ensure ‘Windows Firewall: Public: Logging: Size limit (KB)’ is set to ‘16,384 KB or greater’
oval:simp.cis.1.3.0.windows2016.17.9.1_L1_Ensure_Audit_IPsec_Driver_is_set_to_Success_and_Failure:def:1
- Title: (L1) Ensure ‘Audit IPsec Driver’ is set to ‘Success and Failure’
oval:simp.cis.1.3.0.windows2016.17.9.2_L1_Ensure_Audit_Other_System_Events_is_set_to_Success_and_Failure:def:1
- Title: (L1) Ensure ‘Audit Other System Events’ is set to ‘Success and Failure’
oval:simp.cis.1.3.0.windows2016.17.9.3_L1_Ensure_Audit_Security_State_Change_is_set_to_include_Success:def:1
- Title: (L1) Ensure ‘Audit Security State Change’ is set to include ‘Success’
oval:simp.cis.1.3.0.windows2016.17.9.4_L1_Ensure_Audit_Security_System_Extension_is_set_to_include_Success:def:1
- Title: (L1) Ensure ‘Audit Security System Extension’ is set to include ‘Success’
oval:simp.cis.1.3.0.windows2016.17.9.5_L1_Ensure_Audit_System_Integrity_is_set_to_Success_and_Failure:def:1
- Title: (L1) Ensure ‘Audit System Integrity’ is set to ‘Success and Failure’
oval:simp.cis.1.3.0.windows2016.18.4.12_L1_Ensure_MSS_WarningLevel_Percentage_threshold_for_the_security_event_log_at_which_the_system_will_generate_a_warning_is_set_to_Enabled_90_or_less:def:1
- Title: (L1) Ensure ‘MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning’ is set to ‘Enabled: 90% or less’
oval:simp.cis.1.3.0.windows2016.9.1.1_L1_Ensure_Windows_Firewall_Domain_Firewall_state_is_set_to_On_recommended:def:1
- Title: (L1) Ensure ‘Windows Firewall: Domain: Firewall state’ is set to ‘On (recommended)’
oval:simp.cis.1.3.0.windows2016.9.1.2_L1_Ensure_Windows_Firewall_Domain_Inbound_connections_is_set_to_Block_default:def:1
- Title: (L1) Ensure ‘Windows Firewall: Domain: Inbound connections’ is set to ‘Block (default)’
oval:simp.cis.1.3.0.windows2016.9.1.3_L1_Ensure_Windows_Firewall_Domain_Outbound_connections_is_set_to_Allow_default:def:1
- Title: (L1) Ensure ‘Windows Firewall: Domain: Outbound connections’ is set to ‘Allow (default)’
oval:simp.cis.1.3.0.windows2016.9.1.4_L1_Ensure_Windows_Firewall_Domain_Settings_Display_a_notification_is_set_to_No:def:1
- Title: (L1) Ensure ‘Windows Firewall: Domain: Settings: Display a notification’ is set to ‘No’
oval:simp.cis.1.3.0.windows2016.9.2.1_L1_Ensure_Windows_Firewall_Private_Firewall_state_is_set_to_On_recommended:def:1
- Title: (L1) Ensure ‘Windows Firewall: Private: Firewall state’ is set to ‘On (recommended)’
oval:simp.cis.1.3.0.windows2016.9.2.2_L1_Ensure_Windows_Firewall_Private_Inbound_connections_is_set_to_Block_default:def:1
- Title: (L1) Ensure ‘Windows Firewall: Private: Inbound connections’ is set to ‘Block (default)’
oval:simp.cis.1.3.0.windows2016.9.2.3_L1_Ensure_Windows_Firewall_Private_Outbound_connections_is_set_to_Allow_default:def:1
- Title: (L1) Ensure ‘Windows Firewall: Private: Outbound connections’ is set to ‘Allow (default)’
oval:simp.cis.1.3.0.windows2016.9.2.4_L1_Ensure_Windows_Firewall_Private_Settings_Display_a_notification_is_set_to_No:def:1
- Title: (L1) Ensure ‘Windows Firewall: Private: Settings: Display a notification’ is set to ‘No’
oval:simp.cis.1.3.0.windows2016.9.3.1_L1_Ensure_Windows_Firewall_Public_Firewall_state_is_set_to_On_recommended:def:1
- Title: (L1) Ensure ‘Windows Firewall: Public: Firewall state’ is set to ‘On (recommended)’
oval:simp.cis.1.3.0.windows2016.9.3.2_L1_Ensure_Windows_Firewall_Public_Inbound_connections_is_set_to_Block_default:def:1
- Title: (L1) Ensure ‘Windows Firewall: Public: Inbound connections’ is set to ‘Block (default)’
oval:simp.cis.1.3.0.windows2016.9.3.3_L1_Ensure_Windows_Firewall_Public_Outbound_connections_is_set_to_Allow_default:def:1
- Title: (L1) Ensure ‘Windows Firewall: Public: Outbound connections’ is set to ‘Allow (default)’
oval:simp.cis.1.3.0.windows2016.9.3.4_L1_Ensure_Windows_Firewall_Public_Settings_Display_a_notification_is_set_to_No:def:1
- Title: (L1) Ensure ‘Windows Firewall: Public: Settings: Display a notification’ is set to ‘No’
oval:simp.cis.1.3.0.windows2016.9.3.5_L1_Ensure_Windows_Firewall_Public_Settings_Apply_local_firewall_rules_is_set_to_No:def:1
- Title: (L1) Ensure ‘Windows Firewall: Public: Settings: Apply local firewall rules’ is set to ‘No’
oval:simp.cis.1.3.0.windows2016.9.3.6_L1_Ensure_Windows_Firewall_Public_Settings_Apply_local_connection_security_rules_is_set_to_No:def:1
- Title: (L1) Ensure ‘Windows Firewall: Public: Settings: Apply local connection security rules’ is set to ‘No’
oval:simp.cis.1.3.0.windows2016.2.2.2_L1_Ensure_Access_this_computer_from_the_network_is_set_to_Administrators_Authenticated_Users_ENTERPRISE_DOMAIN_CONTROLLERS_DC_only:def:1
- Title: (L1) Ensure ‘Access this computer from the network’ is set to ‘Administrators, Authenticated Users, ENTERPRISE DOMAIN CONTROLLERS’ (DC only)
oval:simp.cis.1.3.0.windows2016.2.2.3_L1_Ensure_Access_this_computer_from_the_network__is_set_to_Administrators_Authenticated_Users_MS_only:def:1
- Title: (L1) Ensure ‘Access this computer from the network’ is set to ‘Administrators, Authenticated Users’ (MS only)
oval:simp.cis.1.3.0.windows2016.2.3.5.2_L1_Ensure_Domain_controller_Allow_vulnerable_Netlogon_secure_channel_connections_is_set_to_Not_Configured_DC_Only:def:1
- Title: (L1) Ensure ‘Domain controller: Allow vulnerable Netlogon secure channel connections’ is set to ‘Not Configured’ (DC Only)
oval:simp.cis.1.3.0.windows2016.18.1.3_L2_Ensure_Allow_Online_Tips_is_set_to_Disabled:def:1
- Title: (L2) Ensure ‘Allow Online Tips’ is set to ‘Disabled’
oval:simp.cis.1.3.0.windows2016.18.3.2_L1_Ensure_Configure_SMB_v1_client_driver_is_set_to_Enabled_Disable_driver_recommended:def:1
- Title: (L1) Ensure ‘Configure SMB v1 client driver’ is set to ‘Enabled: Disable driver (recommended)’
oval:simp.cis.1.3.0.windows2016.18.3.3_L1_Ensure_Configure_SMB_v1_server_is_set_to_Disabled:def:1
- Title: (L1) Ensure ‘Configure SMB v1 server’ is set to ‘Disabled’
oval:simp.cis.1.3.0.windows2016.18.3.5_L1_Ensure_NetBT_NodeType_configuration_is_set_to_Enabled_P-node_recommended:def:1
- Title: (L1) Ensure ‘NetBT NodeType configuration’ is set to ‘Enabled: P-node (recommended)’
oval:simp.cis.1.3.0.windows2016.18.4.2_L1_Ensure_MSS_DisableIPSourceRouting_IPv6_IP_source_routing_protection_level_protects_against_packet_spoofing_is_set_to_Enabled_Highest_protection_source_routing_is_completely_disabled:def:1
- Title: (L1) Ensure ‘MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)’ is set to ‘Enabled: Highest protection, source routing is completely disabled’
oval:simp.cis.1.3.0.windows2016.18.4.3_L1_Ensure_MSS_DisableIPSourceRouting_IP_source_routing_protection_level_protects_against_packet_spoofing_is_set_to_Enabled_Highest_protection_source_routing_is_completely_disabled:def:1
- Title: (L1) Ensure ‘MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)’ is set to ‘Enabled: Highest protection, source routing is completely disabled’
oval:simp.cis.1.3.0.windows2016.18.4.4_L1_Ensure_MSS_EnableICMPRedirect_Allow_ICMP_redirects_to_override_OSPF_generated_routes_is_set_to_Disabled:def:1
- Title: (L1) Ensure ‘MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes’ is set to ‘Disabled’
oval:simp.cis.1.3.0.windows2016.18.4.5_L2_Ensure_MSS_KeepAliveTime_How_often_keep-alive_packets_are_sent_in_milliseconds_is_set_to_Enabled_300000_or_5_minutes_recommended:def:1
- Title: (L2) Ensure ‘MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds’ is set to ‘Enabled: 300,000 or 5 minutes (recommended)’
oval:simp.cis.1.3.0.windows2016.18.4.6_L1_Ensure_MSS_NoNameReleaseOnDemand_Allow_the_computer_to_ignore_NetBIOS_name_release_requests_except_from_WINS_servers_is_set_to_Enabled:def:1
- Title: (L1) Ensure ‘MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers’ is set to ‘Enabled’
oval:simp.cis.1.3.0.windows2016.18.4.7_L2_Ensure_MSS_PerformRouterDiscovery_Allow_IRDP_to_detect_and_configure_Default_Gateway_addresses_could_lead_to_DoS_is_set_to_Disabled:def:1
- Title: (L2) Ensure ‘MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)’ is set to ‘Disabled’
oval:simp.cis.1.3.0.windows2016.18.4.10_L2_Ensure_MSS_TcpMaxDataRetransmissions_IPv6_How_many_times_unacknowledged_data_is_retransmitted_is_set_to_Enabled_3:def:1
- Title: (L2) Ensure ‘MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted’ is set to ‘Enabled: 3’
oval:simp.cis.1.3.0.windows2016.18.4.11_L2_Ensure_MSS_TcpMaxDataRetransmissions_How_many_times_unacknowledged_data_is_retransmitted_is_set_to_Enabled_3:def:1
- Title: (L2) Ensure ‘MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted’ is set to ‘Enabled: 3’
oval:simp.cis.1.3.0.windows2016.18.5.4.1_L1_Ensure_Turn_off_multicast_name_resolution_is_set_to_Enabled:def:1
- Title: (L1) Ensure ‘Turn off multicast name resolution’ is set to ‘Enabled’
oval:simp.cis.1.3.0.windows2016.18.5.8.1_L1_Ensure_Enable_insecure_guest_logons_is_set_to_Disabled:def:1
- Title: (L1) Ensure ‘Enable insecure guest logons’ is set to ‘Disabled’
oval:simp.cis.1.3.0.windows2016.18.5.9.1_L2_Ensure_Turn_on_Mapper_IO_LLTDIO_driver_is_set_to_Disabled:def:1
- Title: (L2) Ensure ‘Turn on Mapper I/O (LLTDIO) driver’ is set to ‘Disabled’
oval:simp.cis.1.3.0.windows2016.18.5.9.2_L2_Ensure_Turn_on_Responder_RSPNDR_driver_is_set_to_Disabled:def:1
- Title: (L2) Ensure ‘Turn on Responder (RSPNDR) driver’ is set to ‘Disabled’
oval:simp.cis.1.3.0.windows2016.18.5.10.2_L2_Ensure_Turn_off_Microsoft_Peer-to-Peer_Networking_Services_is_set_to_Enabled:def:1
- Title: (L2) Ensure ‘Turn off Microsoft Peer-to-Peer Networking Services’ is set to ‘Enabled’
oval:simp.cis.1.3.0.windows2016.18.5.11.3_L1_Ensure_Prohibit_use_of_Internet_Connection_Sharing_on_your_DNS_domain_network_is_set_to_Enabled:def:1
- Title: (L1) Ensure ‘Prohibit use of Internet Connection Sharing on your DNS domain network’ is set to ‘Enabled’
oval:simp.cis.1.3.0.windows2016.18.5.19.2.1_L2_Disable_IPv6_Ensure_TCPIP6_Parameter_DisabledComponents_is_set_to_0xff_255:def:1
- Title: (L2) Disable IPv6 (Ensure TCPIP6 Parameter ‘DisabledComponents’ is set to ‘0xff (255)’)
oval:simp.cis.1.3.0.windows2016.18.7.1.1_L2_Ensure_Turn_off_notifications_network_usage_is_set_to_Enabled:def:1
- Title: (L2) Ensure ‘Turn off notifications network usage’ is set to ‘Enabled’
oval:simp.cis.1.3.0.windows2016.18.8.21.4_L1_Ensure_Continue_experiences_on_this_device_is_set_to_Disabled:def:1
- Title: (L1) Ensure ‘Continue experiences on this device’ is set to ‘Disabled’
oval:simp.cis.1.3.0.windows2016.18.8.34.6.1_L2_Ensure_Allow_network_connectivity_during_connected-standby_on_battery_is_set_to_Disabled:def:1
- Title: (L2) Ensure ‘Allow network connectivity during connected-standby (on battery)’ is set to ‘Disabled’
oval:simp.cis.1.3.0.windows2016.18.8.34.6.2_L2_Ensure_Allow_network_connectivity_during_connected-standby_plugged_in_is_set_to_Disabled:def:1
- Title: (L2) Ensure ‘Allow network connectivity during connected-standby (plugged in)’ is set to ‘Disabled’
oval:simp.cis.1.3.0.windows2016.18.8.36.1_L1_Ensure_Configure_Offer_Remote_Assistance_is_set_to_Disabled:def:1
- Title: (L1) Ensure ‘Configure Offer Remote Assistance’ is set to ‘Disabled’
oval:simp.cis.1.3.0.windows2016.18.8.37.1_L1_Ensure_Enable_RPC_Endpoint_Mapper_Client_Authentication_is_set_to_Enabled_MS_only:def:1
- Title: (L1) Ensure ‘Enable RPC Endpoint Mapper Client Authentication’ is set to ‘Enabled’ (MS only)
oval:simp.cis.1.3.0.windows2016.18.8.37.2_L2_Ensure_Restrict_Unauthenticated_RPC_clients_is_set_to_Enabled_Authenticated_MS_only:def:1
- Title: (L2) Ensure ‘Restrict Unauthenticated RPC clients’ is set to ‘Enabled: Authenticated’ (MS only)
oval:simp.cis.1.3.0.windows2016.18.8.52.1.2_L2_Ensure_Enable_Windows_NTP_Server_is_set_to_Disabled_MS_only:def:1
- Title: (L2) Ensure ‘Enable Windows NTP Server’ is set to ‘Disabled’ (MS only)
oval:simp.cis.1.3.0.windows2016.18.9.43.1_L2_Ensure_Allow_Message_Service_Cloud_Sync_is_set_to_Disabled:def:1
- Title: (L2) Ensure ‘Allow Message Service Cloud Sync’ is set to ‘Disabled’
oval:simp.cis.1.3.0.windows2016.18.9.62.1_L2_Ensure_Turn_off_Push_To_Install_service_is_set_to_Enabled:def:1
- Title: (L2) Ensure ‘Turn off Push To Install service’ is set to ‘Enabled’
oval:simp.cis.1.3.0.windows2016.18.9.63.3.3.1_L2_Ensure_Do_not_allow_COM_port_redirection_is_set_to_Enabled:def:1
- Title: (L2) Ensure ‘Do not allow COM port redirection’ is set to ‘Enabled’
oval:simp.cis.1.3.0.windows2016.18.9.63.3.3.3_L2_Ensure_Do_not_allow_LPT_port_redirection_is_set_to_Enabled:def:1
- Title: (L2) Ensure ‘Do not allow LPT port redirection’ is set to ‘Enabled’
oval:simp.cis.1.3.0.windows2016.18.9.63.3.3.4_L2_Ensure_Do_not_allow_supported_Plug_and_Play_device_redirection_is_set_to_Enabled:def:1
- Title: (L2) Ensure ‘Do not allow supported Plug and Play device redirection’ is set to ‘Enabled’
oval:simp.cis.1.3.0.windows2016.18.9.98.2.2_L2_Ensure_Allow_remote_server_management_through_WinRM_is_set_to_Disabled:def:1
- Title: (L2) Ensure ‘Allow remote server management through WinRM’ is set to ‘Disabled’
oval:simp.cis.1.3.0.windows2016.18.9.99.1_L2_Ensure_Allow_Remote_Shell_Access_is_set_to_Disabled:def:1
- Title: (L2) Ensure ‘Allow Remote Shell Access’ is set to ‘Disabled’
oval:simp.cis.1.3.0.windows2016.18.9.15.2_L1_Ensure_Enumerate_administrator_accounts_on_elevation_is_set_to_Disabled:def:1
- Title: (L1) Ensure ‘Enumerate administrator accounts on elevation’ is set to ‘Disabled’
oval:simp.cis.1.3.0.windows2016.18.9.63.3.9.2_L1_Ensure_Require_secure_RPC_communication_is_set_to_Enabled:def:1
- Title: (L1) Ensure ‘Require secure RPC communication’ is set to ‘Enabled’
oval:simp.cis.1.3.0.windows2016.18.9.63.3.9.3_L1_Ensure_Require_use_of_specific_security_layer_for_remote_RDP_connections_is_set_to_Enabled_SSL:def:1
- Title: (L1) Ensure ‘Require use of specific security layer for remote (RDP) connections’ is set to ‘Enabled: SSL’
oval:simp.cis.1.3.0.windows2016.18.9.63.3.9.4_L1_Ensure_Require_user_authentication_for_remote_connections_by_using_Network_Level_Authentication_is_set_to_Enabled:def:1
- Title: (L1) Ensure ‘Require user authentication for remote connections by using Network Level Authentication’ is set to ‘Enabled’
oval:simp.cis.1.3.0.windows2016.18.9.63.3.9.5_L1_Ensure_Set_client_connection_encryption_level_is_set_to_Enabled_High_Level:def:1
- Title: (L1) Ensure ‘Set client connection encryption level’ is set to ‘Enabled: High Level’
oval:simp.cis.1.3.0.windows2016.18.2.2_L1_Ensure_Do_not_allow_password_expiration_time_longer_than_required_by_policy_is_set_to_Enabled_MS_only:def:1
- Title: (L1) Ensure ‘Do not allow password expiration time longer than required by policy’ is set to ‘Enabled’ (MS only)
oval:simp.cis.1.3.0.windows2016.18.8.21.2_L1_Ensure_Configure_registry_policy_processing_Do_not_apply_during_periodic_background_processing_is_set_to_Enabled_FALSE:def:1
- Title: (L1) Ensure ‘Configure registry policy processing: Do not apply during periodic background processing’ is set to ‘Enabled: FALSE’
oval:simp.cis.1.3.0.windows2016.18.8.21.3_L1_Ensure_Configure_registry_policy_processing_Process_even_if_the_Group_Policy_objects_have_not_changed_is_set_to_Enabled_TRUE:def:1
- Title: (L1) Ensure ‘Configure registry policy processing: Process even if the Group Policy objects have not changed’ is set to ‘Enabled: TRUE’
oval:simp.cis.1.3.0.windows2016.18.8.21.5_L1_Ensure_Turn_off_background_refresh_of_Group_Policy_is_set_to_Disabled:def:1
- Title: (L1) Ensure ‘Turn off background refresh of Group Policy’ is set to ‘Disabled’
oval:simp.cis.1.3.0.windows2016.18.9.45.4.3.1_L1_Ensure_Prevent_users_and_apps_from_accessing_dangerous_websites_is_set_to_Enabled_Block:def:1
- Title: (L1) Ensure ‘Prevent users and apps from accessing dangerous websites’ is set to ‘Enabled: Block’
oval:simp.cis.1.3.0.windows2016.18.8.22.1.5_L1_Ensure_Turn_off_Internet_download_for_Web_publishing_and_online_ordering_wizards_is_set_to_Enabled:def:1
- Title: (L1) Ensure ‘Turn off Internet download for Web publishing and online ordering wizards’ is set to ‘Enabled’
oval:simp.cis.1.3.0.windows2016.18.8.22.1.7_L2_Ensure_Turn_off_Registration_if_URL_connection_is_referring_to_Microsoft.com_is_set_to_Enabled:def:1
- Title: (L2) Ensure ‘Turn off Registration if URL connection is referring to Microsoft.com’ is set to ‘Enabled’
oval:simp.cis.1.3.0.windows2016.2.3.9.4_L1_Ensure_Microsoft_network_server_Disconnect_clients_when_logon_hours_expire_is_set_to_Enabled:def:1
- Title: (L1) Ensure ‘Microsoft network server: Disconnect clients when logon hours expire’ is set to ‘Enabled’
oval:simp.cis.1.3.0.windows2016.2.3.11.6_L1_Ensure_Network_security_Force_logoff_when_logon_hours_expire_is_set_to_Enabled:def:1
- Title: (L1) Ensure ‘Network security: Force logoff when logon hours expire’ is set to ‘Enabled’
oval:simp.cis.1.3.0.windows2016.17.5.3_L1_Ensure_Audit_Logoff_is_set_to_include_Success:def:1
- Title: (L1) Ensure ‘Audit Logoff’ is set to include ‘Success’
oval:simp.cis.1.3.0.windows2016.17.5.4_L1_Ensure_Audit_Logon_is_set_to_Success_and_Failure:def:1
- Title: (L1) Ensure ‘Audit Logon’ is set to ‘Success and Failure’
oval:simp.cis.1.3.0.windows2016.17.5.5_L1_Ensure_Audit_Other_LogonLogoff_Events_is_set_to_Success_and_Failure:def:1
- Title: (L1) Ensure ‘Audit Other Logon/Logoff Events’ is set to ‘Success and Failure’
  Windows 2019 (209/209 [100%])
oval:simp.cis.1.3.0.windows2019.18.8.26.1_L1_Ensure_Enumeration_policy_for_external_devices_incompatible_with_Kernel_DMA_Protection_is_set_to_Enabled_Block_All:def:1
- Title: (L1) Ensure ‘Enumeration policy for external devices incompatible with Kernel DMA Protection’ is set to ‘Enabled: Block All’
oval:simp.cis.1.3.0.windows2019.2.3.5.4_L1_Ensure_Domain_controller_LDAP_server_signing_requirements_is_set_to_Require_signing_DC_only:def:1
- Title: (L1) Ensure ‘Domain controller: LDAP server signing requirements’ is set to ‘Require signing’ (DC only)
oval:simp.cis.1.3.0.windows2019.2.3.5.5_L1_Ensure_Domain_controller_Refuse_machine_account_password_changes_is_set_to_Disabled_DC_only:def:1
- Title: (L1) Ensure ‘Domain controller: Refuse machine account password changes’ is set to ‘Disabled’ (DC only)
oval:simp.cis.1.3.0.windows2019.18.9.90.1_L1_Ensure_Allow_user_control_over_installs_is_set_to_Disabled:def:1
- Title: (L1) Ensure ‘Allow user control over installs’ is set to ‘Disabled’
oval:simp.cis.1.3.0.windows2019.19.7.47.2.1_L2_Ensure_Prevent_Codec_Download_is_set_to_Enabled:def:1
- Title: (L2) Ensure ‘Prevent Codec Download’ is set to ‘Enabled’
- NOTE: This is a per-user setting that SIMP cannot directly enforce at this time.
- NOTE: Group Policy templates enforcing this setting that can be imported to Active Directory are provided on the Domain Controllers.
oval:simp.cis.1.3.0.windows2019.2.2.48_L1_Ensure_Take_ownership_of_files_or_other_objects_is_set_to_Administrators:def:1
- Title: (L1) Ensure ‘Take ownership of files or other objects’ is set to ‘Administrators’
oval:simp.cis.1.3.0.windows2019.2.3.10.12_L1_Ensure_Network_access_Shares_that_can_be_accessed_anonymously_is_set_to_None:def:1
- Title: (L1) Ensure ‘Network access: Shares that can be accessed anonymously’ is set to ‘None’
oval:simp.cis.1.3.0.windows2019.17.6.1_L1_Ensure_Audit_Detailed_File_Share_is_set_to_include_Failure:def:1
- Title: (L1) Ensure ‘Audit Detailed File Share’ is set to include ‘Failure’
oval:simp.cis.1.3.0.windows2019.17.6.2_L1_Ensure_Audit_File_Share_is_set_to_Success_and_Failure:def:1
- Title: (L1) Ensure ‘Audit File Share’ is set to ‘Success and Failure’
oval:simp.cis.1.3.0.windows2019.18.9.4.1_L2_Ensure_Allow_a_Windows_app_to_share_application_data_between_users_is_set_to_Disabled:def:1
- Title: (L2) Ensure ‘Allow a Windows app to share application data between users’ is set to ‘Disabled’
oval:simp.cis.1.3.0.windows2019.19.7.28.1_L1_Ensure_Prevent_users_from_sharing_files_within_their_profile._is_set_to_Enabled:def:1
- Title: (L1) Ensure ‘Prevent users from sharing files within their profile.’ is set to ‘Enabled’
- NOTE: This is a per-user setting that SIMP cannot directly enforce at this time.
- NOTE: Group Policy templates enforcing this setting that can be imported to Active Directory are provided on the Domain Controllers.
oval:simp.cis.1.3.0.windows2019.2.3.1.1_L1_Ensure_Accounts_Administrator_account_status_is_set_to_Disabled_MS_only:def:1
- Title: (L1) Ensure ‘Accounts: Administrator account status’ is set to ‘Disabled’ (MS only)
oval:simp.cis.1.3.0.windows2019.2.3.1.3_L1_Ensure_Accounts_Guest_account_status_is_set_to_Disabled_MS_only:def:1
- Title: (L1) Ensure ‘Accounts: Guest account status’ is set to ‘Disabled’ (MS only)
oval:simp.cis.1.3.0.windows2019.18.9.46.1_L1_Ensure_Block_all_consumer_Microsoft_account_user_authentication_is_set_to_Enabled:def:1
- Title: (L1) Ensure ‘Block all consumer Microsoft account user authentication’ is set to ‘Enabled’
oval:simp.cis.1.3.0.windows2019.1.2.1_L1_Ensure_Account_lockout_duration_is_set_to_15_or_more_minutes:def:1
- Title: (L1) Ensure ‘Account lockout duration’ is set to ‘15 or more minute(s)’
oval:simp.cis.1.3.0.windows2019.1.2.2_L1_Ensure_Account_lockout_threshold_is_set_to_5_or_fewer_invalid_logon_attempts_but_not_0:def:1
- Title: (L1) Ensure ‘Account lockout threshold’ is set to ‘5 or fewer invalid logon attempt(s), but not 0’
oval:simp.cis.1.3.0.windows2019.2.3.7.3_L1_Ensure_Interactive_logon_Machine_inactivity_limit_is_set_to_900_or_fewer_seconds_but_not_0:def:1
- Title: (L1) Ensure ‘Interactive logon: Machine inactivity limit’ is set to ‘900 or fewer second(s), but not 0’
oval:simp.cis.1.3.0.windows2019.2.3.7.8_L1_Ensure_Interactive_logon_Require_Domain_Controller_Authentication_to_unlock_workstation_is_set_to_Enabled_MS_only:def:1
- Title: (L1) Ensure ‘Interactive logon: Require Domain Controller Authentication to unlock workstation’ is set to ‘Enabled’ (MS only)
oval:simp.cis.1.3.0.windows2019.2.3.7.9_L1_Ensure_Interactive_logon_Smart_card_removal_behavior_is_set_to_Lock_Workstation_or_higher:def:1
- Title: (L1) Ensure ‘Interactive logon: Smart card removal behavior’ is set to ‘Lock Workstation’ or higher
oval:simp.cis.1.3.0.windows2019.2.3.9.1_L1_Ensure_Microsoft_network_server_Amount_of_idle_time_required_before_suspending_session_is_set_to_15_or_fewer_minutes:def:1
- Title: (L1) Ensure ‘Microsoft network server: Amount of idle time required before suspending session’ is set to ‘15 or fewer minute(s)’
oval:simp.cis.1.3.0.windows2019.18.4.9_L1_Ensure_MSS_ScreenSaverGracePeriod_The_time_in_seconds_before_the_screen_saver_grace_period_expires_0_recommended_is_set_to_Enabled_5_or_fewer_seconds:def:1
- Title: (L1) Ensure ‘MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)’ is set to ‘Enabled: 5 or fewer seconds’
oval:simp.cis.1.3.0.windows2019.18.8.34.6.3_L1_Ensure_Require_a_password_when_a_computer_wakes_on_battery_is_set_to_Enabled:def:1
- Title: (L1) Ensure ‘Require a password when a computer wakes (on battery)’ is set to ‘Enabled’
oval:simp.cis.1.3.0.windows2019.18.8.34.6.4_L1_Ensure_Require_a_password_when_a_computer_wakes_plugged_in_is_set_to_Enabled:def:1
- Title: (L1) Ensure ‘Require a password when a computer wakes (plugged in)’ is set to ‘Enabled’
oval:simp.cis.1.3.0.windows2019.18.9.65.2.2_L1_Ensure_Do_not_allow_passwords_to_be_saved_is_set_to_Enabled:def:1
- Title: (L1) Ensure ‘Do not allow passwords to be saved’ is set to ‘Enabled’
oval:simp.cis.1.3.0.windows2019.18.9.65.3.10.1_L2_Ensure_Set_time_limit_for_active_but_idle_Remote_Desktop_Services_sessions_is_set_to_Enabled_15_minutes_or_less_but_not_Never_0:def:1
- Title: (L2) Ensure ‘Set time limit for active but idle Remote Desktop Services sessions’ is set to ‘Enabled: 15 minutes or less, but not Never (0)’
oval:simp.cis.1.3.0.windows2019.18.9.65.3.10.2_L2_Ensure_Set_time_limit_for_disconnected_sessions_is_set_to_Enabled_1_minute:def:1
- Title: (L2) Ensure ‘Set time limit for disconnected sessions’ is set to ‘Enabled: 1 minute’
oval:simp.cis.1.3.0.windows2019.18.9.91.1_L1_Ensure_Sign-in_and_lock_last_interactive_user_automatically_after_a_restart_is_set_to_Disabled:def:1
- Title: (L1) Ensure ‘Sign-in and lock last interactive user automatically after a restart’ is set to ‘Disabled’
oval:simp.cis.1.3.0.windows2019.19.1.3.1_L1_Ensure_Enable_screen_saver_is_set_to_Enabled:def:1
- Title: (L1) Ensure ‘Enable screen saver’ is set to ‘Enabled’
- NOTE: This is a per-user setting that SIMP cannot directly enforce at this time.
- NOTE: Group Policy templates enforcing this setting that can be imported to Active Directory are provided on the Domain Controllers.
oval:simp.cis.1.3.0.windows2019.19.1.3.2_L1_Ensure_Password_protect_the_screen_saver_is_set_to_Enabled:def:1
- Title: (L1) Ensure ‘Password protect the screen saver’ is set to ‘Enabled’
- NOTE: This is a per-user setting that SIMP cannot directly enforce at this time.
- NOTE: Group Policy templates enforcing this setting that can be imported to Active Directory are provided on the Domain Controllers.
oval:simp.cis.1.3.0.windows2019.19.1.3.3_L1_Ensure_Screen_saver_timeout_is_set_to_Enabled_900_seconds_or_fewer_but_not_0:def:1
- Title: (L1) Ensure ‘Screen saver timeout’ is set to ‘Enabled: 900 seconds or fewer, but not 0’
- NOTE: This is a per-user setting that SIMP cannot directly enforce at this time.
- NOTE: Group Policy templates enforcing this setting that can be imported to Active Directory are provided on the Domain Controllers.
oval:simp.cis.1.3.0.windows2019.19.5.1.1_L1_Ensure_Turn_off_toast_notifications_on_the_lock_screen_is_set_to_Enabled:def:1
- Title: (L1) Ensure ‘Turn off toast notifications on the lock screen’ is set to ‘Enabled’
- NOTE: This is a per-user setting that SIMP cannot directly enforce at this time.
- NOTE: Group Policy templates enforcing this setting that can be imported to Active Directory are provided on the Domain Controllers.
oval:simp.cis.1.3.0.windows2019.19.7.8.1_L1_Ensure_Configure_Windows_spotlight_on_lock_screen_is_set_to_Disabled:def:1
- Title: (L1) Ensure ‘Configure Windows spotlight on lock screen’ is set to Disabled’
- NOTE: This is a per-user setting that SIMP cannot directly enforce at this time.
- NOTE: Group Policy templates enforcing this setting that can be imported to Active Directory are provided on the Domain Controllers.
oval:simp.cis.1.3.0.windows2019.18.9.8.1_L1_Ensure_Disallow_Autoplay_for_non-volume_devices_is_set_to_Enabled:def:1
- Title: (L1) Ensure ‘Disallow Autoplay for non-volume devices’ is set to ‘Enabled’
oval:simp.cis.1.3.0.windows2019.18.9.8.2_L1_Ensure_Set_the_default_behavior_for_AutoRun_is_set_to_Enabled_Do_not_execute_any_autorun_commands:def:1
- Title: (L1) Ensure ‘Set the default behavior for AutoRun’ is set to ‘Enabled: Do not execute any autorun commands’
oval:simp.cis.1.3.0.windows2019.18.9.8.3_L1_Ensure_Turn_off_Autoplay_is_set_to_Enabled_All_drives:def:1
- Title: (L1) Ensure ‘Turn off Autoplay’ is set to ‘Enabled: All drives’
oval:simp.cis.1.3.0.windows2019.18.9.17.5_L1_Ensure_Enable_OneSettings_Auditing_is_set_to_Enabled:def:1
- Title: (L1) Ensure ‘Enable OneSettings Auditing’ is set to ‘Enabled’
oval:simp.cis.1.3.0.windows2019.18.5.21.2_L2_Ensure_Prohibit_connection_to_non-domain_networks_when_connected_to_domain_authenticated_network_is_set_to_Enabled_MS_only:def:1
- Title: (L2) Ensure ‘Prohibit connection to non-domain networks when connected to domain authenticated network’ is set to ‘Enabled’ (MS only)
oval:simp.cis.1.3.0.windows2019.2.2.5_L1_Ensure_Add_workstations_to_domain_is_set_to_Administrators_DC_only:def:1
- Title: (L1) Ensure ‘Add workstations to domain’ is set to ‘Administrators’ (DC only)
oval:simp.cis.1.3.0.windows2019.2.2.8_L1_Ensure_Allow_log_on_through_Remote_Desktop_Services_is_set_to_Administrators_DC_only:def:1
- Title: (L1) Ensure ‘Allow log on through Remote Desktop Services’ is set to ‘Administrators’ (DC only)
oval:simp.cis.1.3.0.windows2019.2.2.9_L1_Ensure_Allow_log_on_through_Remote_Desktop_Services_is_set_to_Administrators_Remote_Desktop_Users_MS_only:def:1
- Title: (L1) Ensure ‘Allow log on through Remote Desktop Services’ is set to ‘Administrators, Remote Desktop Users’ (MS only)
oval:simp.cis.1.3.0.windows2019.2.3.17.1_L1_Ensure_User_Account_Control_Admin_Approval_Mode_for_the_Built-in_Administrator_account_is_set_to_Enabled:def:1
- Title: (L1) Ensure ‘User Account Control: Admin Approval Mode for the Built-in Administrator account’ is set to ‘Enabled’
oval:simp.cis.1.3.0.windows2019.18.3.1_L1_Ensure_Apply_UAC_restrictions_to_local_accounts_on_network_logons_is_set_to_Enabled_MS_only:def:1
- Title: (L1) Ensure ‘Apply UAC restrictions to local accounts on network logons’ is set to ‘Enabled’ (MS only)
oval:simp.cis.1.3.0.windows2019.18.9.90.2_L1_Ensure_Always_install_with_elevated_privileges_is_set_to_Disabled:def:1
- Title: (L1) Ensure ‘Always install with elevated privileges’ is set to ‘Disabled’
oval:simp.cis.1.3.0.windows2019.19.7.43.1_L1_Ensure_Always_install_with_elevated_privileges_is_set_to_Disabled:def:1
- Title: (L1) Ensure ‘Always install with elevated privileges’ is set to ‘Disabled’
- NOTE: This is a per-user setting that SIMP cannot directly enforce at this time.
- NOTE: Group Policy templates enforcing this setting that can be imported to Active Directory are provided on the Domain Controllers.
oval:simp.cis.1.3.0.windows2019.18.4.8_L1_Ensure_MSS_SafeDllSearchMode_Enable_Safe_DLL_search_mode_recommended_is_set_to_Enabled:def:1
- Title: (L1) Ensure ‘MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)’ is set to ‘Enabled’
oval:simp.cis.1.3.0.windows2019.18.9.47.6.1_L2_Ensure_Enable_file_hash_computation_feature_is_set_to_Enabled:def:1
- Title: (L2) Ensure ‘Enable file hash computation feature’ is set to ‘Enabled’
oval:simp.cis.1.3.0.windows2019.18.9.47.9.1_L1_Ensure_Scan_all_downloaded_files_and_attachments_is_set_to_Enabled:def:1
- Title: (L1) Ensure ‘Scan all downloaded files and attachments’ is set to ‘Enabled’
oval:simp.cis.1.3.0.windows2019.18.9.47.9.2_L1_Ensure_Turn_off_real-time_protection_is_set_to_Disabled:def:1
- Title: (L1) Ensure ‘Turn off real-time protection’ is set to ‘Disabled’
oval:simp.cis.1.3.0.windows2019.18.9.47.9.3_L1_Ensure_Turn_on_behavior_monitoring_is_set_to_Enabled:def:1
- Title: (L1) Ensure ‘Turn on behavior monitoring’ is set to ‘Enabled’
oval:simp.cis.1.3.0.windows2019.18.9.47.9.4_L1_Ensure_Turn_on_script_scanning_is_set_to_Enabled:def:1
- Title: (L1) Ensure ‘Turn on script scanning’ is set to ‘Enabled’
oval:simp.cis.1.3.0.windows2019.18.9.47.12.2_L1_Ensure_Turn_on_e-mail_scanning_is_set_to_Enabled:def:1
- Title: (L1) Ensure ‘Turn on e-mail scanning’ is set to ‘Enabled’
oval:simp.cis.1.3.0.windows2019.18.9.47.15_L1_Ensure_Configure_detection_for_potentially_unwanted_applications_is_set_to_Enabled_Block:def:1
- Title: (L1) Ensure ‘Configure detection for potentially unwanted applications’ is set to ‘Enabled: Block’
oval:simp.cis.1.3.0.windows2019.18.9.47.16_L1_Ensure_Turn_off_Microsoft_Defender_AntiVirus_is_set_to_Disabled:def:1
- Title: (L1) Ensure ‘Turn off Microsoft Defender AntiVirus’ is set to ‘Disabled’
oval:simp.cis.1.3.0.windows2019.19.7.4.2_L1_Ensure_Notify_antivirus_programs_when_opening_attachments_is_set_to_Enabled:def:1
- Title: (L1) Ensure ‘Notify antivirus programs when opening attachments’ is set to ‘Enabled’
- NOTE: This is a per-user setting that SIMP cannot directly enforce at this time.
- NOTE: Group Policy templates enforcing this setting that can be imported to Active Directory are provided on the Domain Controllers.
oval:simp.cis.1.3.0.windows2019.18.9.47.12.1_L1_Ensure_Scan_removable_drives_is_set_to_Enabled:def:1
- Title: (L1) Ensure ‘Scan removable drives’ is set to ‘Enabled’
oval:simp.cis.1.3.0.windows2019.2.3.4.1_L1_Ensure_Devices_Allowed_to_format_and_eject_removable_media_is_set_to_Administrators:def:1
- Title: (L1) Ensure ‘Devices: Allowed to format and eject removable media’ is set to ‘Administrators’
oval:simp.cis.1.3.0.windows2019.18.5.20.1_L2_Ensure_Configuration_of_wireless_settings_using_Windows_Connect_Now_is_set_to_Disabled:def:1
- Title: (L2) Ensure ‘Configuration of wireless settings using Windows Connect Now’ is set to ‘Disabled’
oval:simp.cis.1.3.0.windows2019.18.5.21.1_L1_Ensure_Minimize_the_number_of_simultaneous_connections_to_the_Internet_or_a_Windows_Domain_is_set_to_Enabled_3__Prevent_Wi-Fi_when_on_Ethernet:def:1
- Title: (L1) Ensure ‘Minimize the number of simultaneous connections to the Internet or a Windows Domain’ is set to ‘Enabled: 3 = Prevent Wi-Fi when on Ethernet’
oval:simp.cis.1.3.0.windows2019.18.8.22.1.6_L2_Ensure_Turn_off_printing_over_HTTP_is_set_to_Enabled:def:1
- Title: (L2) Ensure ‘Turn off printing over HTTP’ is set to ‘Enabled’
oval:simp.cis.1.3.0.windows2019.18.9.47.11.1_L2_Ensure_Configure_Watson_events_is_set_to_Disabled:def:1
- Title: (L2) Ensure ‘Configure Watson events’ is set to ‘Disabled’
oval:simp.cis.1.3.0.windows2019.2.2.30_L1_Ensure_Generate_security_audits_is_set_to_LOCAL_SERVICE_NETWORK_SERVICE:def:1
- Title: (L1) Ensure ‘Generate security audits’ is set to ‘LOCAL SERVICE, NETWORK SERVICE’
oval:simp.cis.1.3.0.windows2019.2.3.2.1_L1_Ensure_Audit_Force_audit_policy_subcategory_settings_Windows_Vista_or_later_to_override_audit_policy_category_settings_is_set_to_Enabled:def:1
- Title: (L1) Ensure ‘Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings’ is set to ‘Enabled’
oval:simp.cis.1.3.0.windows2019.18.8.53.1.1_L2_Ensure_Enable_Windows_NTP_Client_is_set_to_Enabled:def:1
- Title: (L2) Ensure ‘Enable Windows NTP Client’ is set to ‘Enabled’
oval:simp.cis.1.3.0.windows2019.18.8.53.1.2_L2_Ensure_Enable_Windows_NTP_Server_is_set_to_Disabled_MS_only:def:1
- Title: (L2) Ensure ‘Enable Windows NTP Server’ is set to ‘Disabled’ (MS only)
oval:simp.cis.1.3.0.windows2019.18.9.108.4.2_L1_Ensure_Select_when_Preview_Builds_and_Feature_Updates_are_received_is_set_to_Enabled_180_or_more_days:def:1
- Title: (L1) Ensure ‘Select when Preview Builds and Feature Updates are received’ is set to ‘Enabled: 180 or more days’
oval:simp.cis.1.3.0.windows2019.18.9.17.8_L1_Ensure_Toggle_user_control_over_Insider_builds_is_set_to_Disabled:def:1
- Title: (L1) Ensure ‘Toggle user control over Insider builds’ is set to ‘Disabled’
oval:simp.cis.1.3.0.windows2019.18.9.108.4.1_L1_Ensure_Manage_preview_builds_is_set_to_Disabled:def:1
- Title: (L1) Ensure ‘Manage preview builds’ is set to ‘Disabled’
oval:simp.cis.1.3.0.windows2019.1.1.4_L1_Ensure_Minimum_password_length_is_set_to_14_or_more_characters:def:1
- Title: (L1) Ensure ‘Minimum password length’ is set to ‘14 or more character(s)’
oval:simp.cis.1.3.0.windows2019.1.1.5_L1_Ensure_Password_must_meet_complexity_requirements_is_set_to_Enabled:def:1
- Title: (L1) Ensure ‘Password must meet complexity requirements’ is set to ‘Enabled’
oval:simp.cis.1.3.0.windows2019.1.1.6_L1_Ensure_Relax_minimum_password_length_limits_is_set_to_Enabled:def:1
- Title: (L1) Ensure ‘Relax minimum password length limits’ is set to ‘Enabled’
oval:simp.cis.1.3.0.windows2019.2.3.1.4_L1_Ensure_Accounts_Limit_local_account_use_of_blank_passwords_to_console_logon_only_is_set_to_Enabled:def:1
- Title: (L1) Ensure ‘Accounts: Limit local account use of blank passwords to console logon only’ is set to ‘Enabled’
oval:simp.cis.1.3.0.windows2019.18.2.1_L1_Ensure_LAPS_AdmPwd_GPO_Extension__CSE_is_installed_MS_only:def:1
- Title: (L1) Ensure LAPS AdmPwd GPO Extension / CSE is installed (MS only)
oval:simp.cis.1.3.0.windows2019.18.2.3_L1_Ensure_Enable_Local_Admin_Password_Management_is_set_to_Enabled_MS_only:def:1
- Title: (L1) Ensure ‘Enable Local Admin Password Management’ is set to ‘Enabled’ (MS only)
oval:simp.cis.1.3.0.windows2019.18.2.4_L1_Ensure_Password_Settings_Password_Complexity_is_set_to_Enabled_Large_letters__small_letters__numbers__special_characters_MS_only:def:1
- Title: (L1) Ensure ‘Password Settings: Password Complexity’ is set to ‘Enabled: Large letters + small letters + numbers + special characters’ (MS only)
oval:simp.cis.1.3.0.windows2019.18.2.5_L1_Ensure_Password_Settings_Password_Length_is_set_to_Enabled_15_or_more_MS_only:def:1
- Title: (L1) Ensure ‘Password Settings: Password Length’ is set to ‘Enabled: 15 or more’ (MS only)
oval:simp.cis.1.3.0.windows2019.1.1.7_L1_Ensure_Store_passwords_using_reversible_encryption_is_set_to_Disabled:def:1
- Title: (L1) Ensure ‘Store passwords using reversible encryption’ is set to ‘Disabled’
oval:simp.cis.1.3.0.windows2019.2.3.8.3_L1_Ensure_Microsoft_network_client_Send_unencrypted_password_to_third-party_SMB_servers_is_set_to_Disabled:def:1
- Title: (L1) Ensure ‘Microsoft network client: Send unencrypted password to third-party SMB servers’ is set to ‘Disabled’
oval:simp.cis.1.3.0.windows2019.2.3.11.5_L1_Ensure_Network_security_Do_not_store_LAN_Manager_hash_value_on_next_password_change_is_set_to_Enabled:def:1
- Title: (L1) Ensure ‘Network security: Do not store LAN Manager hash value on next password change’ is set to ‘Enabled’
oval:simp.cis.1.3.0.windows2019.18.3.7_L1_Ensure_WDigest_Authentication_is_set_to_Disabled:def:1
- Title: (L1) Ensure ‘WDigest Authentication’ is set to ‘Disabled’
oval:simp.cis.1.3.0.windows2019.18.4.1_L1_Ensure_MSS_AutoAdminLogon_Enable_Automatic_Logon_not_recommended_is_set_to_Disabled:def:1
- Title: (L1) Ensure ‘MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)’ is set to ‘Disabled’
oval:simp.cis.1.3.0.windows2019.1.2.3_L1_Ensure_Reset_account_lockout_counter_after_is_set_to_15_or_more_minutes:def:1
- Title: (L1) Ensure ‘Reset account lockout counter after’ is set to ‘15 or more minute(s)’
oval:simp.cis.1.3.0.windows2019.2.3.5.3_L1_Ensure_Domain_controller_LDAP_server_channel_binding_token_requirements_is_set_to_Always_DC_Only:def:1
- Title: (L1) Ensure ‘Domain controller: LDAP server channel binding token requirements’ is set to ‘Always’ (DC Only)
oval:simp.cis.1.3.0.windows2019.18.8.4.2_L1_Ensure_Remote_host_allows_delegation_of_non-exportable_credentials_is_set_to_Enabled:def:1
- Title: (L1) Ensure ‘Remote host allows delegation of non-exportable credentials’ is set to ‘Enabled’
oval:simp.cis.1.3.0.windows2019.18.9.102.1.1_L1_Ensure_Allow_Basic_authentication_is_set_to_Disabled:def:1
- Title: (L1) Ensure ‘Allow Basic authentication’ is set to ‘Disabled’
oval:simp.cis.1.3.0.windows2019.18.9.102.1.3_L1_Ensure_Disallow_Digest_authentication_is_set_to_Enabled:def:1
- Title: (L1) Ensure ‘Disallow Digest authentication’ is set to ‘Enabled’
oval:simp.cis.1.3.0.windows2019.18.9.102.2.1_L1_Ensure_Allow_Basic_authentication_is_set_to_Disabled:def:1
- Title: (L1) Ensure ‘Allow Basic authentication’ is set to ‘Disabled’
oval:simp.cis.1.3.0.windows2019.18.8.3.1_L1_Ensure_Include_command_line_in_process_creation_events_is_set_to_Enabled:def:1
- Title: (L1) Ensure ‘Include command line in process creation events’ is set to ‘Enabled’
oval:simp.cis.1.3.0.windows2019.18.9.100.1_L1_Ensure_Turn_on_PowerShell_Script_Block_Logging_is_set_to_Enabled:def:1
- Title: (L1) Ensure ‘Turn on PowerShell Script Block Logging’ is set to ‘Enabled’
oval:simp.cis.1.3.0.windows2019.18.8.22.1.1_L1_Ensure_Turn_off_downloading_of_print_drivers_over_HTTP_is_set_to_Enabled:def:1
- Title: (L1) Ensure ‘Turn off downloading of print drivers over HTTP’ is set to ‘Enabled’
oval:simp.cis.1.3.0.windows2019.18.5.11.2_L1_Ensure_Prohibit_installation_and_configuration_of_Network_Bridge_on_your_DNS_domain_network_is_set_to_Enabled:def:1
- Title: (L1) Ensure ‘Prohibit installation and configuration of Network Bridge on your DNS domain network’ is set to ‘Enabled’
oval:simp.cis.1.3.0.windows2019.2.2.2_L1_Ensure_Access_this_computer_from_the_network_is_set_to_Administrators_Authenticated_Users_ENTERPRISE_DOMAIN_CONTROLLERS_DC_only:def:1
- Title: (L1) Ensure ‘Access this computer from the network’ is set to ‘Administrators, Authenticated Users, ENTERPRISE DOMAIN CONTROLLERS’ (DC only)
oval:simp.cis.1.3.0.windows2019.2.2.3_L1_Ensure_Access_this_computer_from_the_network__is_set_to_Administrators_Authenticated_Users_MS_only:def:1
- Title: (L1) Ensure ‘Access this computer from the network’ is set to ‘Administrators, Authenticated Users’ (MS only)
oval:simp.cis.1.3.0.windows2019.5.1_L1_Ensure_Print_Spooler_Spooler_is_set_to_Disabled_DC_only:def:1
- Title: (L1) Ensure ‘Print Spooler (Spooler)’ is set to ‘Disabled’ (DC only)
oval:simp.cis.1.3.0.windows2019.5.2_L2_Ensure_Print_Spooler_Spooler_is_set_to_Disabled_MS_only:def:1
- Title: (L2) Ensure ‘Print Spooler (Spooler)’ is set to ‘Disabled’ (MS only)
oval:simp.cis.1.3.0.windows2019.18.1.3_L2_Ensure_Allow_Online_Tips_is_set_to_Disabled:def:1
- Title: (L2) Ensure ‘Allow Online Tips’ is set to ‘Disabled’
oval:simp.cis.1.3.0.windows2019.18.3.2_L1_Ensure_Configure_SMB_v1_client_driver_is_set_to_Enabled_Disable_driver_recommended:def:1
- Title: (L1) Ensure ‘Configure SMB v1 client driver’ is set to ‘Enabled: Disable driver (recommended)’
oval:simp.cis.1.3.0.windows2019.18.3.3_L1_Ensure_Configure_SMB_v1_server_is_set_to_Disabled:def:1
- Title: (L1) Ensure ‘Configure SMB v1 server’ is set to ‘Disabled’
oval:simp.cis.1.3.0.windows2019.18.3.6_L1_Ensure_NetBT_NodeType_configuration_is_set_to_Enabled_P-node_recommended:def:1
- Title: (L1) Ensure ‘NetBT NodeType configuration’ is set to ‘Enabled: P-node (recommended)’
oval:simp.cis.1.3.0.windows2019.18.4.2_L1_Ensure_MSS_DisableIPSourceRouting_IPv6_IP_source_routing_protection_level_protects_against_packet_spoofing_is_set_to_Enabled_Highest_protection_source_routing_is_completely_disabled:def:1
- Title: (L1) Ensure ‘MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)’ is set to ‘Enabled: Highest protection, source routing is completely disabled’
oval:simp.cis.1.3.0.windows2019.18.4.3_L1_Ensure_MSS_DisableIPSourceRouting_IP_source_routing_protection_level_protects_against_packet_spoofing_is_set_to_Enabled_Highest_protection_source_routing_is_completely_disabled:def:1
- Title: (L1) Ensure ‘MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)’ is set to ‘Enabled: Highest protection, source routing is completely disabled’
oval:simp.cis.1.3.0.windows2019.18.4.4_L1_Ensure_MSS_EnableICMPRedirect_Allow_ICMP_redirects_to_override_OSPF_generated_routes_is_set_to_Disabled:def:1
- Title: (L1) Ensure ‘MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes’ is set to ‘Disabled’
oval:simp.cis.1.3.0.windows2019.18.4.5_L2_Ensure_MSS_KeepAliveTime_How_often_keep-alive_packets_are_sent_in_milliseconds_is_set_to_Enabled_300000_or_5_minutes_recommended:def:1
- Title: (L2) Ensure ‘MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds’ is set to ‘Enabled: 300,000 or 5 minutes (recommended)’
oval:simp.cis.1.3.0.windows2019.18.4.6_L1_Ensure_MSS_NoNameReleaseOnDemand_Allow_the_computer_to_ignore_NetBIOS_name_release_requests_except_from_WINS_servers_is_set_to_Enabled:def:1
- Title: (L1) Ensure ‘MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers’ is set to ‘Enabled’
oval:simp.cis.1.3.0.windows2019.18.4.7_L2_Ensure_MSS_PerformRouterDiscovery_Allow_IRDP_to_detect_and_configure_Default_Gateway_addresses_could_lead_to_DoS_is_set_to_Disabled:def:1
- Title: (L2) Ensure ‘MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)’ is set to ‘Disabled’
oval:simp.cis.1.3.0.windows2019.18.4.10_L2_Ensure_MSS_TcpMaxDataRetransmissions_IPv6_How_many_times_unacknowledged_data_is_retransmitted_is_set_to_Enabled_3:def:1
- Title: (L2) Ensure ‘MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted’ is set to ‘Enabled: 3’
oval:simp.cis.1.3.0.windows2019.18.4.11_L2_Ensure_MSS_TcpMaxDataRetransmissions_How_many_times_unacknowledged_data_is_retransmitted_is_set_to_Enabled_3:def:1
- Title: (L2) Ensure ‘MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted’ is set to ‘Enabled: 3’
oval:simp.cis.1.3.0.windows2019.18.5.4.2_L1_Ensure_Turn_off_multicast_name_resolution_is_set_to_Enabled:def:1
- Title: (L1) Ensure ‘Turn off multicast name resolution’ is set to ‘Enabled’
oval:simp.cis.1.3.0.windows2019.18.5.8.1_L1_Ensure_Enable_insecure_guest_logons_is_set_to_Disabled:def:1
- Title: (L1) Ensure ‘Enable insecure guest logons’ is set to ‘Disabled’
oval:simp.cis.1.3.0.windows2019.18.5.9.1_L2_Ensure_Turn_on_Mapper_IO_LLTDIO_driver_is_set_to_Disabled:def:1
- Title: (L2) Ensure ‘Turn on Mapper I/O (LLTDIO) driver’ is set to ‘Disabled’
oval:simp.cis.1.3.0.windows2019.18.5.9.2_L2_Ensure_Turn_on_Responder_RSPNDR_driver_is_set_to_Disabled:def:1
- Title: (L2) Ensure ‘Turn on Responder (RSPNDR) driver’ is set to ‘Disabled’
oval:simp.cis.1.3.0.windows2019.18.5.10.2_L2_Ensure_Turn_off_Microsoft_Peer-to-Peer_Networking_Services_is_set_to_Enabled:def:1
- Title: (L2) Ensure ‘Turn off Microsoft Peer-to-Peer Networking Services’ is set to ‘Enabled’
oval:simp.cis.1.3.0.windows2019.18.5.11.3_L1_Ensure_Prohibit_use_of_Internet_Connection_Sharing_on_your_DNS_domain_network_is_set_to_Enabled:def:1
- Title: (L1) Ensure ‘Prohibit use of Internet Connection Sharing on your DNS domain network’ is set to ‘Enabled’
oval:simp.cis.1.3.0.windows2019.18.5.19.2.1_L2_Disable_IPv6_Ensure_TCPIP6_Parameter_DisabledComponents_is_set_to_0xff_255:def:1
- Title: (L2) Disable IPv6 (Ensure TCPIP6 Parameter ‘DisabledComponents’ is set to ‘0xff (255)’)
oval:simp.cis.1.3.0.windows2019.18.5.20.2_L2_Ensure_Prohibit_access_of_the_Windows_Connect_Now_wizards_is_set_to_Enabled:def:1
- Title: (L2) Ensure ‘Prohibit access of the Windows Connect Now wizards’ is set to ‘Enabled’
oval:simp.cis.1.3.0.windows2019.18.7.1.1_L2_Ensure_Turn_off_notifications_network_usage_is_set_to_Enabled:def:1
- Title: (L2) Ensure ‘Turn off notifications network usage’ is set to ‘Enabled’
oval:simp.cis.1.3.0.windows2019.18.8.21.4_L1_Ensure_Continue_experiences_on_this_device_is_set_to_Disabled:def:1
- Title: (L1) Ensure ‘Continue experiences on this device’ is set to ‘Disabled’
oval:simp.cis.1.3.0.windows2019.18.8.22.1.2_L2_Ensure_Turn_off_handwriting_personalization_data_sharing_is_set_to_Enabled:def:1
- Title: (L2) Ensure ‘Turn off handwriting personalization data sharing’ is set to ‘Enabled’
oval:simp.cis.1.3.0.windows2019.18.8.22.1.3_L2_Ensure_Turn_off_handwriting_recognition_error_reporting_is_set_to_Enabled:def:1
- Title: (L2) Ensure ‘Turn off handwriting recognition error reporting’ is set to ‘Enabled’
oval:simp.cis.1.3.0.windows2019.18.8.22.1.4_L2_Ensure_Turn_off_Internet_Connection_Wizard_if_URL_connection_is_referring_to_Microsoft.com_is_set_to_Enabled:def:1
- Title: (L2) Ensure ‘Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com’ is set to ‘Enabled’
oval:simp.cis.1.3.0.windows2019.18.8.22.1.5_L1_Ensure_Turn_off_Internet_download_for_Web_publishing_and_online_ordering_wizards_is_set_to_Enabled:def:1
- Title: (L1) Ensure ‘Turn off Internet download for Web publishing and online ordering wizards’ is set to ‘Enabled’
oval:simp.cis.1.3.0.windows2019.18.8.22.1.7_L2_Ensure_Turn_off_Registration_if_URL_connection_is_referring_to_Microsoft.com_is_set_to_Enabled:def:1
- Title: (L2) Ensure ‘Turn off Registration if URL connection is referring to Microsoft.com’ is set to ‘Enabled’
oval:simp.cis.1.3.0.windows2019.18.8.22.1.8_L2_Ensure_Turn_off_Search_Companion_content_file_updates_is_set_to_Enabled:def:1
- Title: (L2) Ensure ‘Turn off Search Companion content file updates’ is set to ‘Enabled’
oval:simp.cis.1.3.0.windows2019.18.8.22.1.9_L2_Ensure_Turn_off_the_Order_Prints_picture_task_is_set_to_Enabled:def:1
- Title: (L2) Ensure ‘Turn off the “Order Prints” picture task’ is set to ‘Enabled’
oval:simp.cis.1.3.0.windows2019.18.8.22.1.10_L2_Ensure_Turn_off_the_Publish_to_Web_task_for_files_and_folders_is_set_to_Enabled:def:1
- Title: (L2) Ensure ‘Turn off the “Publish to Web” task for files and folders’ is set to ‘Enabled’
oval:simp.cis.1.3.0.windows2019.18.8.22.1.11_L2_Ensure_Turn_off_the_Windows_Messenger_Customer_Experience_Improvement_Program_is_set_to_Enabled:def:1
- Title: (L2) Ensure ‘Turn off the Windows Messenger Customer Experience Improvement Program’ is set to ‘Enabled’
oval:simp.cis.1.3.0.windows2019.18.8.22.1.12_L2_Ensure_Turn_off_Windows_Customer_Experience_Improvement_Program_is_set_to_Enabled:def:1
- Title: (L2) Ensure ‘Turn off Windows Customer Experience Improvement Program’ is set to ‘Enabled’
oval:simp.cis.1.3.0.windows2019.18.8.22.1.13_L2_Ensure_Turn_off_Windows_Error_Reporting_is_set_to_Enabled:def:1
- Title: (L2) Ensure ‘Turn off Windows Error Reporting’ is set to ‘Enabled’
oval:simp.cis.1.3.0.windows2019.18.8.31.2_L2_Ensure_Allow_upload_of_User_Activities_is_set_to_Disabled:def:1
- Title: (L2) Ensure ‘Allow upload of User Activities’ is set to ‘Disabled’
oval:simp.cis.1.3.0.windows2019.18.8.34.6.1_L2_Ensure_Allow_network_connectivity_during_connected-standby_on_battery_is_set_to_Disabled:def:1
- Title: (L2) Ensure ‘Allow network connectivity during connected-standby (on battery)’ is set to ‘Disabled’
oval:simp.cis.1.3.0.windows2019.18.8.34.6.2_L2_Ensure_Allow_network_connectivity_during_connected-standby_plugged_in_is_set_to_Disabled:def:1
- Title: (L2) Ensure ‘Allow network connectivity during connected-standby (plugged in)’ is set to ‘Disabled’
oval:simp.cis.1.3.0.windows2019.18.8.36.1_L1_Ensure_Configure_Offer_Remote_Assistance_is_set_to_Disabled:def:1
- Title: (L1) Ensure ‘Configure Offer Remote Assistance’ is set to ‘Disabled’
oval:simp.cis.1.3.0.windows2019.18.8.36.2_L1_Ensure_Configure_Solicited_Remote_Assistance_is_set_to_Disabled:def:1
- Title: (L1) Ensure ‘Configure Solicited Remote Assistance’ is set to ‘Disabled’
oval:simp.cis.1.3.0.windows2019.18.8.37.1_L1_Ensure_Enable_RPC_Endpoint_Mapper_Client_Authentication_is_set_to_Enabled_MS_only:def:1
- Title: (L1) Ensure ‘Enable RPC Endpoint Mapper Client Authentication’ is set to ‘Enabled’ (MS only)
oval:simp.cis.1.3.0.windows2019.18.8.37.2_L2_Ensure_Restrict_Unauthenticated_RPC_clients_is_set_to_Enabled_Authenticated_MS_only:def:1
- Title: (L2) Ensure ‘Restrict Unauthenticated RPC clients’ is set to ‘Enabled: Authenticated’ (MS only)
oval:simp.cis.1.3.0.windows2019.18.8.48.5.1_L2_Ensure_Microsoft_Support_Diagnostic_Tool_Turn_on_MSDT_interactive_communication_with_support_provider_is_set_to_Disabled:def:1
- Title: (L2) Ensure ‘Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider’ is set to ‘Disabled’
oval:simp.cis.1.3.0.windows2019.18.8.48.11.1_L2_Ensure_EnableDisable_PerfTrack_is_set_to_Disabled:def:1
- Title: (L2) Ensure ‘Enable/Disable PerfTrack’ is set to ‘Disabled’
oval:simp.cis.1.3.0.windows2019.18.8.50.1_L2_Ensure_Turn_off_the_advertising_ID_is_set_to_Enabled:def:1
- Title: (L2) Ensure ‘Turn off the advertising ID’ is set to ‘Enabled’
oval:simp.cis.1.3.0.windows2019.18.9.14.2_L1_Ensure_Turn_off_Microsoft_consumer_experiences_is_set_to_Enabled:def:1
- Title: (L1) Ensure ‘Turn off Microsoft consumer experiences’ is set to ‘Enabled’
oval:simp.cis.1.3.0.windows2019.18.9.17.1_L1_Ensure_Allow_Diagnostic_Data_is_set_to_Enabled_Diagnostic_data_off_not_recommended_or_Enabled_Send_required_diagnostic_data:def:1
- Title: (L1) Ensure ‘Allow Diagnostic Data’ is set to ‘Enabled: Diagnostic data off (not recommended)’ or ‘Enabled: Send required diagnostic data’
oval:simp.cis.1.3.0.windows2019.18.9.17.2_L2_Ensure_Configure_Authenticated_Proxy_usage_for_the_Connected_User_Experience_and_Telemetry_service_is_set_to_Enabled_Disable_Authenticated_Proxy_usage:def:1
- Title: (L2) Ensure ‘Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service’ is set to ‘Enabled: Disable Authenticated Proxy usage’
oval:simp.cis.1.3.0.windows2019.18.9.17.4_L1_Ensure_Do_not_show_feedback_notifications_is_set_to_Enabled:def:1
- Title: (L1) Ensure ‘Do not show feedback notifications’ is set to ‘Enabled’
oval:simp.cis.1.3.0.windows2019.18.9.41.1_L2_Ensure_Turn_off_location_is_set_to_Enabled:def:1
- Title: (L2) Ensure ‘Turn off location’ is set to ‘Enabled’
oval:simp.cis.1.3.0.windows2019.18.9.45.1_L2_Ensure_Allow_Message_Service_Cloud_Sync_is_set_to_Disabled:def:1
- Title: (L2) Ensure ‘Allow Message Service Cloud Sync’ is set to ‘Disabled’
oval:simp.cis.1.3.0.windows2019.18.9.47.4.1_L1_Ensure_Configure_local_setting_override_for_reporting_to_Microsoft_MAPS_is_set_to_Disabled:def:1
- Title: (L1) Ensure ‘Configure local setting override for reporting to Microsoft MAPS’ is set to ‘Disabled’
oval:simp.cis.1.3.0.windows2019.18.9.47.4.2_L2_Ensure_Join_Microsoft_MAPS_is_set_to_Disabled:def:1
- Title: (L2) Ensure ‘Join Microsoft MAPS’ is set to ‘Disabled’
oval:simp.cis.1.3.0.windows2019.18.9.64.1_L2_Ensure_Turn_off_Push_To_Install_service_is_set_to_Enabled:def:1
- Title: (L2) Ensure ‘Turn off Push To Install service’ is set to ‘Enabled’
oval:simp.cis.1.3.0.windows2019.18.9.65.3.2.1_L2_Ensure_Restrict_Remote_Desktop_Services_users_to_a_single_Remote_Desktop_Services_session_is_set_to_Enabled:def:1
- Title: (L2) Ensure ‘Restrict Remote Desktop Services users to a single Remote Desktop Services session’ is set to ‘Enabled’
oval:simp.cis.1.3.0.windows2019.18.9.65.3.3.1_L2_Ensure_Do_not_allow_COM_port_redirection_is_set_to_Enabled:def:1
- Title: (L2) Ensure ‘Do not allow COM port redirection’ is set to ‘Enabled’
oval:simp.cis.1.3.0.windows2019.18.9.65.3.3.2_L1_Ensure_Do_not_allow_drive_redirection_is_set_to_Enabled:def:1
- Title: (L1) Ensure ‘Do not allow drive redirection’ is set to ‘Enabled’
oval:simp.cis.1.3.0.windows2019.18.9.65.3.3.3_L2_Ensure_Do_not_allow_LPT_port_redirection_is_set_to_Enabled:def:1
- Title: (L2) Ensure ‘Do not allow LPT port redirection’ is set to ‘Enabled’
oval:simp.cis.1.3.0.windows2019.18.9.65.3.3.4_L2_Ensure_Do_not_allow_supported_Plug_and_Play_device_redirection_is_set_to_Enabled:def:1
- Title: (L2) Ensure ‘Do not allow supported Plug and Play device redirection’ is set to ‘Enabled’
oval:simp.cis.1.3.0.windows2019.18.9.67.2_L2_Ensure_Allow_Cloud_Search_is_set_to_Enabled_Disable_Cloud_Search:def:1
- Title: (L2) Ensure ‘Allow Cloud Search’ is set to ‘Enabled: Disable Cloud Search’
oval:simp.cis.1.3.0.windows2019.18.9.72.1_L2_Ensure_Turn_off_KMS_Client_Online_AVS_Validation_is_set_to_Enabled:def:1
- Title: (L2) Ensure ‘Turn off KMS Client Online AVS Validation’ is set to ‘Enabled’
oval:simp.cis.1.3.0.windows2019.18.9.89.1_L2_Ensure_Allow_suggested_apps_in_Windows_Ink_Workspace_is_set_to_Disabled:def:1
- Title: (L2) Ensure ‘Allow suggested apps in Windows Ink Workspace’ is set to ‘Disabled’
oval:simp.cis.1.3.0.windows2019.18.9.89.2_L1_Ensure_Allow_Windows_Ink_Workspace_is_set_to_Enabled_On_but_disallow_access_above_lock_OR_Disabled_but_not_Enabled_On:def:1
- Title: (L1) Ensure ‘Allow Windows Ink Workspace’ is set to ‘Enabled: On, but disallow access above lock’ OR ‘Disabled’ but not ‘Enabled: On’
oval:simp.cis.1.3.0.windows2019.18.9.102.2.2_L2_Ensure_Allow_remote_server_management_through_WinRM_is_set_to_Disabled:def:1
- Title: (L2) Ensure ‘Allow remote server management through WinRM’ is set to ‘Disabled’
oval:simp.cis.1.3.0.windows2019.18.9.103.1_L2_Ensure_Allow_Remote_Shell_Access_is_set_to_Disabled:def:1
- Title: (L2) Ensure ‘Allow Remote Shell Access’ is set to ‘Disabled’
oval:simp.cis.1.3.0.windows2019.19.6.6.1.1_L2_Ensure_Turn_off_Help_Experience_Improvement_Program_is_set_to_Enabled:def:1
- Title: (L2) Ensure ‘Turn off Help Experience Improvement Program’ is set to ‘Enabled’
- NOTE: This is a per-user setting that SIMP cannot directly enforce at this time.
- NOTE: Group Policy templates enforcing this setting that can be imported to Active Directory are provided on the Domain Controllers.
oval:simp.cis.1.3.0.windows2019.19.7.8.3_L2_Ensure_Do_not_use_diagnostic_data_for_tailored_experiences_is_set_to_Enabled:def:1
- Title: (L2) Ensure ‘Do not use diagnostic data for tailored experiences’ is set to ‘Enabled’
- NOTE: This is a per-user setting that SIMP cannot directly enforce at this time.
- NOTE: Group Policy templates enforcing this setting that can be imported to Active Directory are provided on the Domain Controllers.
oval:simp.cis.1.3.0.windows2019.19.7.8.4_L2_Ensure_Turn_off_all_Windows_spotlight_features_is_set_to_Enabled:def:1
- Title: (L2) Ensure ‘Turn off all Windows spotlight features’ is set to ‘Enabled’
- NOTE: This is a per-user setting that SIMP cannot directly enforce at this time.
- NOTE: Group Policy templates enforcing this setting that can be imported to Active Directory are provided on the Domain Controllers.
oval:simp.cis.1.3.0.windows2019.9.1.1_L1_Ensure_Windows_Firewall_Domain_Firewall_state_is_set_to_On_recommended:def:1
- Title: (L1) Ensure ‘Windows Firewall: Domain: Firewall state’ is set to ‘On (recommended)’
oval:simp.cis.1.3.0.windows2019.9.1.2_L1_Ensure_Windows_Firewall_Domain_Inbound_connections_is_set_to_Block_default:def:1
- Title: (L1) Ensure ‘Windows Firewall: Domain: Inbound connections’ is set to ‘Block (default)’
oval:simp.cis.1.3.0.windows2019.9.1.3_L1_Ensure_Windows_Firewall_Domain_Outbound_connections_is_set_to_Allow_default:def:1
- Title: (L1) Ensure ‘Windows Firewall: Domain: Outbound connections’ is set to ‘Allow (default)’
oval:simp.cis.1.3.0.windows2019.9.1.4_L1_Ensure_Windows_Firewall_Domain_Settings_Display_a_notification_is_set_to_No:def:1
- Title: (L1) Ensure ‘Windows Firewall: Domain: Settings: Display a notification’ is set to ‘No’
oval:simp.cis.1.3.0.windows2019.9.1.5_L1_Ensure_Windows_Firewall_Domain_Logging_Name_is_set_to_SystemRootSystem32logfilesfirewalldomainfw.log:def:1
- Title: (L1) Ensure ‘Windows Firewall: Domain: Logging: Name’ is set to ‘%SystemRoot%\System32\logfiles\firewall\domainfw.log’
oval:simp.cis.1.3.0.windows2019.9.1.6_L1_Ensure_Windows_Firewall_Domain_Logging_Size_limit_KB_is_set_to_16384_KB_or_greater:def:1
- Title: (L1) Ensure ‘Windows Firewall: Domain: Logging: Size limit (KB)’ is set to ‘16,384 KB or greater’
oval:simp.cis.1.3.0.windows2019.9.1.7_L1_Ensure_Windows_Firewall_Domain_Logging_Log_dropped_packets_is_set_to_Yes:def:1
- Title: (L1) Ensure ‘Windows Firewall: Domain: Logging: Log dropped packets’ is set to ‘Yes’
oval:simp.cis.1.3.0.windows2019.9.1.8_L1_Ensure_Windows_Firewall_Domain_Logging_Log_successful_connections_is_set_to_Yes:def:1
- Title: (L1) Ensure ‘Windows Firewall: Domain: Logging: Log successful connections’ is set to ‘Yes’
oval:simp.cis.1.3.0.windows2019.9.2.1_L1_Ensure_Windows_Firewall_Private_Firewall_state_is_set_to_On_recommended:def:1
- Title: (L1) Ensure ‘Windows Firewall: Private: Firewall state’ is set to ‘On (recommended)’
oval:simp.cis.1.3.0.windows2019.9.2.2_L1_Ensure_Windows_Firewall_Private_Inbound_connections_is_set_to_Block_default:def:1
- Title: (L1) Ensure ‘Windows Firewall: Private: Inbound connections’ is set to ‘Block (default)’
oval:simp.cis.1.3.0.windows2019.9.2.3_L1_Ensure_Windows_Firewall_Private_Outbound_connections_is_set_to_Allow_default:def:1
- Title: (L1) Ensure ‘Windows Firewall: Private: Outbound connections’ is set to ‘Allow (default)’
oval:simp.cis.1.3.0.windows2019.9.2.4_L1_Ensure_Windows_Firewall_Private_Settings_Display_a_notification_is_set_to_No:def:1
- Title: (L1) Ensure ‘Windows Firewall: Private: Settings: Display a notification’ is set to ‘No’
oval:simp.cis.1.3.0.windows2019.9.2.5_L1_Ensure_Windows_Firewall_Private_Logging_Name_is_set_to_SystemRootSystem32logfilesfirewallprivatefw.log:def:1
- Title: (L1) Ensure ‘Windows Firewall: Private: Logging: Name’ is set to ‘%SystemRoot%\System32\logfiles\firewall\privatefw.log’
oval:simp.cis.1.3.0.windows2019.9.2.6_L1_Ensure_Windows_Firewall_Private_Logging_Size_limit_KB_is_set_to_16384_KB_or_greater:def:1
- Title: (L1) Ensure ‘Windows Firewall: Private: Logging: Size limit (KB)’ is set to ‘16,384 KB or greater’
oval:simp.cis.1.3.0.windows2019.9.2.7_L1_Ensure_Windows_Firewall_Private_Logging_Log_dropped_packets_is_set_to_Yes:def:1
- Title: (L1) Ensure ‘Windows Firewall: Private: Logging: Log dropped packets’ is set to ‘Yes’
oval:simp.cis.1.3.0.windows2019.9.2.8_L1_Ensure_Windows_Firewall_Private_Logging_Log_successful_connections_is_set_to_Yes:def:1
- Title: (L1) Ensure ‘Windows Firewall: Private: Logging: Log successful connections’ is set to ‘Yes’
oval:simp.cis.1.3.0.windows2019.9.3.1_L1_Ensure_Windows_Firewall_Public_Firewall_state_is_set_to_On_recommended:def:1
- Title: (L1) Ensure ‘Windows Firewall: Public: Firewall state’ is set to ‘On (recommended)’
oval:simp.cis.1.3.0.windows2019.9.3.2_L1_Ensure_Windows_Firewall_Public_Inbound_connections_is_set_to_Block_default:def:1
- Title: (L1) Ensure ‘Windows Firewall: Public: Inbound connections’ is set to ‘Block (default)’
oval:simp.cis.1.3.0.windows2019.9.3.3_L1_Ensure_Windows_Firewall_Public_Outbound_connections_is_set_to_Allow_default:def:1
- Title: (L1) Ensure ‘Windows Firewall: Public: Outbound connections’ is set to ‘Allow (default)’
oval:simp.cis.1.3.0.windows2019.9.3.4_L1_Ensure_Windows_Firewall_Public_Settings_Display_a_notification_is_set_to_No:def:1
- Title: (L1) Ensure ‘Windows Firewall: Public: Settings: Display a notification’ is set to ‘No’
oval:simp.cis.1.3.0.windows2019.9.3.5_L1_Ensure_Windows_Firewall_Public_Settings_Apply_local_firewall_rules_is_set_to_No:def:1
- Title: (L1) Ensure ‘Windows Firewall: Public: Settings: Apply local firewall rules’ is set to ‘No’
oval:simp.cis.1.3.0.windows2019.9.3.6_L1_Ensure_Windows_Firewall_Public_Settings_Apply_local_connection_security_rules_is_set_to_No:def:1
- Title: (L1) Ensure ‘Windows Firewall: Public: Settings: Apply local connection security rules’ is set to ‘No’
oval:simp.cis.1.3.0.windows2019.9.3.7_L1_Ensure_Windows_Firewall_Public_Logging_Name_is_set_to_SystemRootSystem32logfilesfirewallpublicfw.log:def:1
- Title: (L1) Ensure ‘Windows Firewall: Public: Logging: Name’ is set to ‘%SystemRoot%\System32\logfiles\firewall\publicfw.log’
oval:simp.cis.1.3.0.windows2019.9.3.8_L1_Ensure_Windows_Firewall_Public_Logging_Size_limit_KB_is_set_to_16384_KB_or_greater:def:1
- Title: (L1) Ensure ‘Windows Firewall: Public: Logging: Size limit (KB)’ is set to ‘16,384 KB or greater’
oval:simp.cis.1.3.0.windows2019.9.3.9_L1_Ensure_Windows_Firewall_Public_Logging_Log_dropped_packets_is_set_to_Yes:def:1
- Title: (L1) Ensure ‘Windows Firewall: Public: Logging: Log dropped packets’ is set to ‘Yes’
oval:simp.cis.1.3.0.windows2019.9.3.10_L1_Ensure_Windows_Firewall_Public_Logging_Log_successful_connections_is_set_to_Yes:def:1
- Title: (L1) Ensure ‘Windows Firewall: Public: Logging: Log successful connections’ is set to ‘Yes’
oval:simp.cis.1.3.0.windows2019.1.1.2_L1_Ensure_Maximum_password_age_is_set_to_365_or_fewer_days_but_not_0:def:1
- Title: (L1) Ensure ‘Maximum password age’ is set to ‘365 or fewer days, but not 0’
oval:simp.cis.1.3.0.windows2019.1.1.3_L1_Ensure_Minimum_password_age_is_set_to_1_or_more_days:def:1
- Title: (L1) Ensure ‘Minimum password age’ is set to ‘1 or more day(s)’
oval:simp.cis.1.3.0.windows2019.18.2.2_L1_Ensure_Do_not_allow_password_expiration_time_longer_than_required_by_policy_is_set_to_Enabled_MS_only:def:1
- Title: (L1) Ensure ‘Do not allow password expiration time longer than required by policy’ is set to ‘Enabled’ (MS only)
oval:simp.cis.1.3.0.windows2019.18.2.6_L1_Ensure_Password_Settings_Password_Age_Days_is_set_to_Enabled_30_or_fewer_MS_only:def:1
- Title: (L1) Ensure ‘Password Settings: Password Age (Days)’ is set to ‘Enabled: 30 or fewer’ (MS only)
oval:simp.cis.1.3.0.windows2019.17.1.1_L1_Ensure_Audit_Credential_Validation_is_set_to_Success_and_Failure:def:1
- Title: (L1) Ensure ‘Audit Credential Validation’ is set to ‘Success and Failure’
oval:simp.cis.1.3.0.windows2019.2.2.19_L1_Ensure_Debug_programs_is_set_to_Administrators:def:1
- Title: (L1) Ensure ‘Debug programs’ is set to ‘Administrators’
oval:simp.cis.1.3.0.windows2019.2.3.6.1_L1_Ensure_Domain_member_Digitally_encrypt_or_sign_secure_channel_data_always_is_set_to_Enabled:def:1
- Title: (L1) Ensure ‘Domain member: Digitally encrypt or sign secure channel data (always)’ is set to ‘Enabled’
oval:simp.cis.1.3.0.windows2019.2.3.6.2_L1_Ensure_Domain_member_Digitally_encrypt_secure_channel_data_when_possible_is_set_to_Enabled:def:1
- Title: (L1) Ensure ‘Domain member: Digitally encrypt secure channel data (when possible)’ is set to ‘Enabled’
oval:simp.cis.1.3.0.windows2019.2.3.11.4_L1_Ensure_Network_security_Configure_encryption_types_allowed_for_Kerberos_is_set_to_AES128_HMAC_SHA1_AES256_HMAC_SHA1_Future_encryption_types:def:1
- Title: (L1) Ensure ‘Network security: Configure encryption types allowed for Kerberos’ is set to ‘AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types’
oval:simp.cis.1.3.0.windows2019.18.5.4.1_L1_Ensure_Configure_DNS_over_HTTPS_DoH_name_resolution_is_set_to_Enabled_Allow_DoH_or_higher:def:1
- Title: (L1) Ensure ‘Configure DNS over HTTPS (DoH) name resolution’ is set to ‘Enabled: Allow DoH’ or higher
oval:simp.cis.1.3.0.windows2019.18.9.102.1.2_L1_Ensure_Allow_unencrypted_traffic_is_set_to_Disabled:def:1
- Title: (L1) Ensure ‘Allow unencrypted traffic’ is set to ‘Disabled’
oval:simp.cis.1.3.0.windows2019.18.9.102.2.3_L1_Ensure_Allow_unencrypted_traffic_is_set_to_Disabled:def:1
- Title: (L1) Ensure ‘Allow unencrypted traffic’ is set to ‘Disabled’
oval:simp.cis.1.3.0.windows2019.18.9.67.3_L1_Ensure_Allow_indexing_of_encrypted_files_is_set_to_Disabled:def:1
- Title: (L1) Ensure ‘Allow indexing of encrypted files’ is set to ‘Disabled’
oval:simp.cis.1.3.0.windows2019.18.8.21.2_L1_Ensure_Configure_registry_policy_processing_Do_not_apply_during_periodic_background_processing_is_set_to_Enabled_FALSE:def:1
- Title: (L1) Ensure ‘Configure registry policy processing: Do not apply during periodic background processing’ is set to ‘Enabled: FALSE’
oval:simp.cis.1.3.0.windows2019.18.8.21.3_L1_Ensure_Configure_registry_policy_processing_Process_even_if_the_Group_Policy_objects_have_not_changed_is_set_to_Enabled_TRUE:def:1
- Title: (L1) Ensure ‘Configure registry policy processing: Process even if the Group Policy objects have not changed’ is set to ‘Enabled: TRUE’
oval:simp.cis.1.3.0.windows2019.18.8.21.5_L1_Ensure_Turn_off_background_refresh_of_Group_Policy_is_set_to_Disabled:def:1
- Title: (L1) Ensure ‘Turn off background refresh of Group Policy’ is set to ‘Disabled’
oval:simp.cis.1.3.0.windows2019.18.9.47.5.3.1_L1_Ensure_Prevent_users_and_apps_from_accessing_dangerous_websites_is_set_to_Enabled_Block:def:1
- Title: (L1) Ensure ‘Prevent users and apps from accessing dangerous websites’ is set to ‘Enabled: Block’
oval:simp.cis.1.3.0.windows2019.2.3.9.4_L1_Ensure_Microsoft_network_server_Disconnect_clients_when_logon_hours_expire_is_set_to_Enabled:def:1
- Title: (L1) Ensure ‘Microsoft network server: Disconnect clients when logon hours expire’ is set to ‘Enabled’
oval:simp.cis.1.3.0.windows2019.2.3.11.6_L1_Ensure_Network_security_Force_logoff_when_logon_hours_expire_is_set_to_Enabled:def:1
- Title: (L1) Ensure ‘Network security: Force logoff when logon hours expire’ is set to ‘Enabled’
oval:simp.cis.1.3.0.windows2019.17.5.3_L1_Ensure_Audit_Logoff_is_set_to_include_Success:def:1
- Title: (L1) Ensure ‘Audit Logoff’ is set to include ‘Success’
oval:simp.cis.1.3.0.windows2019.17.5.4_L1_Ensure_Audit_Logon_is_set_to_Success_and_Failure:def:1
- Title: (L1) Ensure ‘Audit Logon’ is set to ‘Success and Failure’
oval:simp.cis.1.3.0.windows2019.17.5.5_L1_Ensure_Audit_Other_LogonLogoff_Events_is_set_to_Success_and_Failure:def:1
- Title: (L1) Ensure ‘Audit Other Logon/Logoff Events’ is set to ‘Success and Failure’
oval:simp.cis.1.3.0.windows2019.17.5.6_L1_Ensure_Audit_Special_Logon_is_set_to_include_Success:def:1
- Title: (L1) Ensure ‘Audit Special Logon’ is set to include ‘Success’
  Windows 2022 (207/207 [100%])
oval:simp.cis.1.0.0.windows2022.18.8.26.1_L1_Ensure_Enumeration_policy_for_external_devices_incompatible_with_Kernel_DMA_Protection_is_set_to_Enabled_Block_All:def:1
- Title: (L1) Ensure ‘Enumeration policy for external devices incompatible with Kernel DMA Protection’ is set to ‘Enabled: Block All’
oval:simp.cis.1.0.0.windows2022.2.2.48_L1_Ensure_Take_ownership_of_files_or_other_objects_is_set_to_Administrators:def:1
- Title: (L1) Ensure ‘Take ownership of files or other objects’ is set to ‘Administrators’
oval:simp.cis.1.0.0.windows2022.2.3.10.12_L1_Ensure_Network_access_Shares_that_can_be_accessed_anonymously_is_set_to_None:def:1
- Title: (L1) Ensure ‘Network access: Shares that can be accessed anonymously’ is set to ‘None’
oval:simp.cis.1.0.0.windows2022.17.6.1_L1_Ensure_Audit_Detailed_File_Share_is_set_to_include_Failure:def:1
- Title: (L1) Ensure ‘Audit Detailed File Share’ is set to include ‘Failure’
oval:simp.cis.1.0.0.windows2022.17.6.2_L1_Ensure_Audit_File_Share_is_set_to_Success_and_Failure:def:1
- Title: (L1) Ensure ‘Audit File Share’ is set to ‘Success and Failure’
oval:simp.cis.1.0.0.windows2022.18.9.4.1_L2_Ensure_Allow_a_Windows_app_to_share_application_data_between_users_is_set_to_Disabled:def:1
- Title: (L2) Ensure ‘Allow a Windows app to share application data between users’ is set to ‘Disabled’
oval:simp.cis.1.0.0.windows2022.19.7.28.1_L1_Ensure_Prevent_users_from_sharing_files_within_their_profile._is_set_to_Enabled:def:1
- Title: (L1) Ensure ‘Prevent users from sharing files within their profile.’ is set to ‘Enabled’
- NOTE: This is a per-user setting that SIMP cannot directly enforce at this time.
- NOTE: Group Policy templates enforcing this setting that can be imported to Active Directory are provided on the Domain Controllers.
oval:simp.cis.1.0.0.windows2022.2.3.1.1_L1_Ensure_Accounts_Administrator_account_status_is_set_to_Disabled_MS_only:def:1
- Title: (L1) Ensure ‘Accounts: Administrator account status’ is set to ‘Disabled’ (MS only)
oval:simp.cis.1.0.0.windows2022.2.3.1.3_L1_Ensure_Accounts_Guest_account_status_is_set_to_Disabled_MS_only:def:1
- Title: (L1) Ensure ‘Accounts: Guest account status’ is set to ‘Disabled’ (MS only)
oval:simp.cis.1.0.0.windows2022.18.9.46.1_L1_Ensure_Block_all_consumer_Microsoft_account_user_authentication_is_set_to_Enabled:def:1
- Title: (L1) Ensure ‘Block all consumer Microsoft account user authentication’ is set to ‘Enabled’
oval:simp.cis.1.0.0.windows2022.1.2.1_L1_Ensure_Account_lockout_duration_is_set_to_15_or_more_minutes:def:1
- Title: (L1) Ensure ‘Account lockout duration’ is set to ‘15 or more minute(s)’
oval:simp.cis.1.0.0.windows2022.1.2.2_L1_Ensure_Account_lockout_threshold_is_set_to_5_or_fewer_invalid_logon_attempts_but_not_0:def:1
- Title: (L1) Ensure ‘Account lockout threshold’ is set to ‘5 or fewer invalid logon attempt(s), but not 0’
oval:simp.cis.1.0.0.windows2022.2.3.7.3_L1_Ensure_Interactive_logon_Machine_inactivity_limit_is_set_to_900_or_fewer_seconds_but_not_0:def:1
- Title: (L1) Ensure ‘Interactive logon: Machine inactivity limit’ is set to ‘900 or fewer second(s), but not 0’
oval:simp.cis.1.0.0.windows2022.2.3.7.8_L1_Ensure_Interactive_logon_Require_Domain_Controller_Authentication_to_unlock_workstation_is_set_to_Enabled_MS_only:def:1
- Title: (L1) Ensure ‘Interactive logon: Require Domain Controller Authentication to unlock workstation’ is set to ‘Enabled’ (MS only)
oval:simp.cis.1.0.0.windows2022.2.3.7.9_L1_Ensure_Interactive_logon_Smart_card_removal_behavior_is_set_to_Lock_Workstation_or_higher:def:1
- Title: (L1) Ensure ‘Interactive logon: Smart card removal behavior’ is set to ‘Lock Workstation’ or higher
oval:simp.cis.1.0.0.windows2022.2.3.9.1_L1_Ensure_Microsoft_network_server_Amount_of_idle_time_required_before_suspending_session_is_set_to_15_or_fewer_minutes:def:1
- Title: (L1) Ensure ‘Microsoft network server: Amount of idle time required before suspending session’ is set to ‘15 or fewer minute(s)’
oval:simp.cis.1.0.0.windows2022.18.4.9_L1_Ensure_MSS_ScreenSaverGracePeriod_The_time_in_seconds_before_the_screen_saver_grace_period_expires_0_recommended_is_set_to_Enabled_5_or_fewer_seconds:def:1
- Title: (L1) Ensure ‘MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)’ is set to ‘Enabled: 5 or fewer seconds’
oval:simp.cis.1.0.0.windows2022.18.8.34.6.3_L1_Ensure_Require_a_password_when_a_computer_wakes_on_battery_is_set_to_Enabled:def:1
- Title: (L1) Ensure ‘Require a password when a computer wakes (on battery)’ is set to ‘Enabled’
oval:simp.cis.1.0.0.windows2022.18.8.34.6.4_L1_Ensure_Require_a_password_when_a_computer_wakes_plugged_in_is_set_to_Enabled:def:1
- Title: (L1) Ensure ‘Require a password when a computer wakes (plugged in)’ is set to ‘Enabled’
oval:simp.cis.1.0.0.windows2022.18.9.65.2.2_L1_Ensure_Do_not_allow_passwords_to_be_saved_is_set_to_Enabled:def:1
- Title: (L1) Ensure ‘Do not allow passwords to be saved’ is set to ‘Enabled’
oval:simp.cis.1.0.0.windows2022.18.9.65.3.10.1_L2_Ensure_Set_time_limit_for_active_but_idle_Remote_Desktop_Services_sessions_is_set_to_Enabled_15_minutes_or_less_but_not_Never_0:def:1
- Title: (L2) Ensure ‘Set time limit for active but idle Remote Desktop Services sessions’ is set to ‘Enabled: 15 minutes or less, but not Never (0)’
oval:simp.cis.1.0.0.windows2022.18.9.65.3.10.2_L2_Ensure_Set_time_limit_for_disconnected_sessions_is_set_to_Enabled_1_minute:def:1
- Title: (L2) Ensure ‘Set time limit for disconnected sessions’ is set to ‘Enabled: 1 minute’
oval:simp.cis.1.0.0.windows2022.18.9.91.1_L1_Ensure_Sign-in_and_lock_last_interactive_user_automatically_after_a_restart_is_set_to_Disabled:def:1
- Title: (L1) Ensure ‘Sign-in and lock last interactive user automatically after a restart’ is set to ‘Disabled’
oval:simp.cis.1.0.0.windows2022.19.1.3.1_L1_Ensure_Enable_screen_saver_is_set_to_Enabled:def:1
- Title: (L1) Ensure ‘Enable screen saver’ is set to ‘Enabled’
- NOTE: This is a per-user setting that SIMP cannot directly enforce at this time.
- NOTE: Group Policy templates enforcing this setting that can be imported to Active Directory are provided on the Domain Controllers.
oval:simp.cis.1.0.0.windows2022.19.1.3.2_L1_Ensure_Password_protect_the_screen_saver_is_set_to_Enabled:def:1
- Title: (L1) Ensure ‘Password protect the screen saver’ is set to ‘Enabled’
- NOTE: This is a per-user setting that SIMP cannot directly enforce at this time.
- NOTE: Group Policy templates enforcing this setting that can be imported to Active Directory are provided on the Domain Controllers.
oval:simp.cis.1.0.0.windows2022.19.1.3.3_L1_Ensure_Screen_saver_timeout_is_set_to_Enabled_900_seconds_or_fewer_but_not_0:def:1
- Title: (L1) Ensure ‘Screen saver timeout’ is set to ‘Enabled: 900 seconds or fewer, but not 0’
- NOTE: This is a per-user setting that SIMP cannot directly enforce at this time.
- NOTE: Group Policy templates enforcing this setting that can be imported to Active Directory are provided on the Domain Controllers.
oval:simp.cis.1.0.0.windows2022.19.5.1.1_L1_Ensure_Turn_off_toast_notifications_on_the_lock_screen_is_set_to_Enabled:def:1
- Title: (L1) Ensure ‘Turn off toast notifications on the lock screen’ is set to ‘Enabled’
- NOTE: This is a per-user setting that SIMP cannot directly enforce at this time.
- NOTE: Group Policy templates enforcing this setting that can be imported to Active Directory are provided on the Domain Controllers.
oval:simp.cis.1.0.0.windows2022.19.7.8.1_L1_Ensure_Configure_Windows_spotlight_on_lock_screen_is_set_to_Disabled:def:1
- Title: (L1) Ensure ‘Configure Windows spotlight on lock screen’ is set to Disabled’
- NOTE: This is a per-user setting that SIMP cannot directly enforce at this time.
- NOTE: Group Policy templates enforcing this setting that can be imported to Active Directory are provided on the Domain Controllers.
oval:simp.cis.1.0.0.windows2022.18.9.8.1_L1_Ensure_Disallow_Autoplay_for_non-volume_devices_is_set_to_Enabled:def:1
- Title: (L1) Ensure ‘Disallow Autoplay for non-volume devices’ is set to ‘Enabled’
oval:simp.cis.1.0.0.windows2022.18.9.8.2_L1_Ensure_Set_the_default_behavior_for_AutoRun_is_set_to_Enabled_Do_not_execute_any_autorun_commands:def:1
- Title: (L1) Ensure ‘Set the default behavior for AutoRun’ is set to ‘Enabled: Do not execute any autorun commands’
oval:simp.cis.1.0.0.windows2022.18.9.8.3_L1_Ensure_Turn_off_Autoplay_is_set_to_Enabled_All_drives:def:1
- Title: (L1) Ensure ‘Turn off Autoplay’ is set to ‘Enabled: All drives’
oval:simp.cis.1.0.0.windows2022.18.9.17.5_L1_Ensure_Enable_OneSettings_Auditing_is_set_to_Enabled:def:1
- Title: (L1) Ensure ‘Enable OneSettings Auditing’ is set to ‘Enabled’
oval:simp.cis.1.0.0.windows2022.18.5.21.2_L2_Ensure_Prohibit_connection_to_non-domain_networks_when_connected_to_domain_authenticated_network_is_set_to_Enabled_MS_only:def:1
- Title: (L2) Ensure ‘Prohibit connection to non-domain networks when connected to domain authenticated network’ is set to ‘Enabled’ (MS only)
oval:simp.cis.1.0.0.windows2022.2.2.5_L1_Ensure_Add_workstations_to_domain_is_set_to_Administrators_DC_only:def:1
- Title: (L1) Ensure ‘Add workstations to domain’ is set to ‘Administrators’ (DC only)
oval:simp.cis.1.0.0.windows2022.2.2.8_L1_Ensure_Allow_log_on_through_Remote_Desktop_Services_is_set_to_Administrators_DC_only:def:1
- Title: (L1) Ensure ‘Allow log on through Remote Desktop Services’ is set to ‘Administrators’ (DC only)
oval:simp.cis.1.0.0.windows2022.2.2.9_L1_Ensure_Allow_log_on_through_Remote_Desktop_Services_is_set_to_Administrators_Remote_Desktop_Users_MS_only:def:1
- Title: (L1) Ensure ‘Allow log on through Remote Desktop Services’ is set to ‘Administrators, Remote Desktop Users’ (MS only)
oval:simp.cis.1.0.0.windows2022.2.3.17.1_L1_Ensure_User_Account_Control_Admin_Approval_Mode_for_the_Built-in_Administrator_account_is_set_to_Enabled:def:1
- Title: (L1) Ensure ‘User Account Control: Admin Approval Mode for the Built-in Administrator account’ is set to ‘Enabled’
oval:simp.cis.1.0.0.windows2022.18.3.1_L1_Ensure_Apply_UAC_restrictions_to_local_accounts_on_network_logons_is_set_to_Enabled_MS_only:def:1
- Title: (L1) Ensure ‘Apply UAC restrictions to local accounts on network logons’ is set to ‘Enabled’ (MS only)
oval:simp.cis.1.0.0.windows2022.18.9.90.2_L1_Ensure_Always_install_with_elevated_privileges_is_set_to_Disabled:def:1
- Title: (L1) Ensure ‘Always install with elevated privileges’ is set to ‘Disabled’
oval:simp.cis.1.0.0.windows2022.19.7.43.1_L1_Ensure_Always_install_with_elevated_privileges_is_set_to_Disabled:def:1
- Title: (L1) Ensure ‘Always install with elevated privileges’ is set to ‘Disabled’
- NOTE: This is a per-user setting that SIMP cannot directly enforce at this time.
- NOTE: Group Policy templates enforcing this setting that can be imported to Active Directory are provided on the Domain Controllers.
oval:simp.cis.1.0.0.windows2022.18.4.8_L1_Ensure_MSS_SafeDllSearchMode_Enable_Safe_DLL_search_mode_recommended_is_set_to_Enabled:def:1
- Title: (L1) Ensure ‘MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)’ is set to ‘Enabled’
oval:simp.cis.1.0.0.windows2022.18.9.47.6.1_L2_Ensure_Enable_file_hash_computation_feature_is_set_to_Enabled:def:1
- Title: (L2) Ensure ‘Enable file hash computation feature’ is set to ‘Enabled’
oval:simp.cis.1.0.0.windows2022.18.9.47.9.1_L1_Ensure_Scan_all_downloaded_files_and_attachments_is_set_to_Enabled:def:1
- Title: (L1) Ensure ‘Scan all downloaded files and attachments’ is set to ‘Enabled’
oval:simp.cis.1.0.0.windows2022.18.9.47.9.2_L1_Ensure_Turn_off_real-time_protection_is_set_to_Disabled:def:1
- Title: (L1) Ensure ‘Turn off real-time protection’ is set to ‘Disabled’
oval:simp.cis.1.0.0.windows2022.18.9.47.9.3_L1_Ensure_Turn_on_behavior_monitoring_is_set_to_Enabled:def:1
- Title: (L1) Ensure ‘Turn on behavior monitoring’ is set to ‘Enabled’
oval:simp.cis.1.0.0.windows2022.18.9.47.9.4_L1_Ensure_Turn_on_script_scanning_is_set_to_Enabled:def:1
- Title: (L1) Ensure ‘Turn on script scanning’ is set to ‘Enabled’
oval:simp.cis.1.0.0.windows2022.18.9.47.12.2_L1_Ensure_Turn_on_e-mail_scanning_is_set_to_Enabled:def:1
- Title: (L1) Ensure ‘Turn on e-mail scanning’ is set to ‘Enabled’
oval:simp.cis.1.0.0.windows2022.18.9.47.15_L1_Ensure_Configure_detection_for_potentially_unwanted_applications_is_set_to_Enabled_Block:def:1
- Title: (L1) Ensure ‘Configure detection for potentially unwanted applications’ is set to ‘Enabled: Block’
oval:simp.cis.1.0.0.windows2022.18.9.47.16_L1_Ensure_Turn_off_Microsoft_Defender_AntiVirus_is_set_to_Disabled:def:1
- Title: (L1) Ensure ‘Turn off Microsoft Defender AntiVirus’ is set to ‘Disabled’
oval:simp.cis.1.0.0.windows2022.19.7.4.2_L1_Ensure_Notify_antivirus_programs_when_opening_attachments_is_set_to_Enabled:def:1
- Title: (L1) Ensure ‘Notify antivirus programs when opening attachments’ is set to ‘Enabled’
- NOTE: This is a per-user setting that SIMP cannot directly enforce at this time.
- NOTE: Group Policy templates enforcing this setting that can be imported to Active Directory are provided on the Domain Controllers.
oval:simp.cis.1.0.0.windows2022.18.9.47.12.1_L1_Ensure_Scan_removable_drives_is_set_to_Enabled:def:1
- Title: (L1) Ensure ‘Scan removable drives’ is set to ‘Enabled’
oval:simp.cis.1.0.0.windows2022.2.3.4.1_L1_Ensure_Devices_Allowed_to_format_and_eject_removable_media_is_set_to_Administrators:def:1
- Title: (L1) Ensure ‘Devices: Allowed to format and eject removable media’ is set to ‘Administrators’
oval:simp.cis.1.0.0.windows2022.18.5.20.1_L2_Ensure_Configuration_of_wireless_settings_using_Windows_Connect_Now_is_set_to_Disabled:def:1
- Title: (L2) Ensure ‘Configuration of wireless settings using Windows Connect Now’ is set to ‘Disabled’
oval:simp.cis.1.0.0.windows2022.18.5.21.1_L1_Ensure_Minimize_the_number_of_simultaneous_connections_to_the_Internet_or_a_Windows_Domain_is_set_to_Enabled_3__Prevent_Wi-Fi_when_on_Ethernet:def:1
- Title: (L1) Ensure ‘Minimize the number of simultaneous connections to the Internet or a Windows Domain’ is set to ‘Enabled: 3 = Prevent Wi-Fi when on Ethernet’
oval:simp.cis.1.0.0.windows2022.18.8.22.1.6_L2_Ensure_Turn_off_printing_over_HTTP_is_set_to_Enabled:def:1
- Title: (L2) Ensure ‘Turn off printing over HTTP’ is set to ‘Enabled’
oval:simp.cis.1.0.0.windows2022.18.9.47.11.1_L2_Ensure_Configure_Watson_events_is_set_to_Disabled:def:1
- Title: (L2) Ensure ‘Configure Watson events’ is set to ‘Disabled’
oval:simp.cis.1.0.0.windows2022.2.2.30_L1_Ensure_Generate_security_audits_is_set_to_LOCAL_SERVICE_NETWORK_SERVICE:def:1
- Title: (L1) Ensure ‘Generate security audits’ is set to ‘LOCAL SERVICE, NETWORK SERVICE’
oval:simp.cis.1.0.0.windows2022.2.3.2.1_L1_Ensure_Audit_Force_audit_policy_subcategory_settings_Windows_Vista_or_later_to_override_audit_policy_category_settings_is_set_to_Enabled:def:1
- Title: (L1) Ensure ‘Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings’ is set to ‘Enabled’
oval:simp.cis.1.0.0.windows2022.18.8.53.1.1_L2_Ensure_Enable_Windows_NTP_Client_is_set_to_Enabled:def:1
- Title: (L2) Ensure ‘Enable Windows NTP Client’ is set to ‘Enabled’
oval:simp.cis.1.0.0.windows2022.18.8.53.1.2_L2_Ensure_Enable_Windows_NTP_Server_is_set_to_Disabled_MS_only:def:1
- Title: (L2) Ensure ‘Enable Windows NTP Server’ is set to ‘Disabled’ (MS only)
oval:simp.cis.1.0.0.windows2022.18.9.108.4.2_L1_Ensure_Select_when_Preview_Builds_and_Feature_Updates_are_received_is_set_to_Enabled_180_or_more_days:def:1
- Title: (L1) Ensure ‘Select when Preview Builds and Feature Updates are received’ is set to ‘Enabled: 180 or more days’
oval:simp.cis.1.0.0.windows2022.18.9.17.8_L1_Ensure_Toggle_user_control_over_Insider_builds_is_set_to_Disabled:def:1
- Title: (L1) Ensure ‘Toggle user control over Insider builds’ is set to ‘Disabled’
oval:simp.cis.1.0.0.windows2022.18.9.108.4.1_L1_Ensure_Manage_preview_builds_is_set_to_Disabled:def:1
- Title: (L1) Ensure ‘Manage preview builds’ is set to ‘Disabled’
oval:simp.cis.1.0.0.windows2022.1.1.4_L1_Ensure_Minimum_password_length_is_set_to_14_or_more_characters:def:1
- Title: (L1) Ensure ‘Minimum password length’ is set to ‘14 or more character(s)’
oval:simp.cis.1.0.0.windows2022.1.1.5_L1_Ensure_Password_must_meet_complexity_requirements_is_set_to_Enabled:def:1
- Title: (L1) Ensure ‘Password must meet complexity requirements’ is set to ‘Enabled’
oval:simp.cis.1.0.0.windows2022.1.1.6_L1_Ensure_Relax_minimum_password_length_limits_is_set_to_Enabled:def:1
- Title: (L1) Ensure ‘Relax minimum password length limits’ is set to ‘Enabled’
oval:simp.cis.1.0.0.windows2022.2.3.1.4_L1_Ensure_Accounts_Limit_local_account_use_of_blank_passwords_to_console_logon_only_is_set_to_Enabled:def:1
- Title: (L1) Ensure ‘Accounts: Limit local account use of blank passwords to console logon only’ is set to ‘Enabled’
oval:simp.cis.1.0.0.windows2022.18.2.1_L1_Ensure_LAPS_AdmPwd_GPO_Extension__CSE_is_installed_MS_only:def:1
- Title: (L1) Ensure LAPS AdmPwd GPO Extension / CSE is installed (MS only)
oval:simp.cis.1.0.0.windows2022.18.2.3_L1_Ensure_Enable_Local_Admin_Password_Management_is_set_to_Enabled_MS_only:def:1
- Title: (L1) Ensure ‘Enable Local Admin Password Management’ is set to ‘Enabled’ (MS only)
oval:simp.cis.1.0.0.windows2022.18.2.4_L1_Ensure_Password_Settings_Password_Complexity_is_set_to_Enabled_Large_letters__small_letters__numbers__special_characters_MS_only:def:1
- Title: (L1) Ensure ‘Password Settings: Password Complexity’ is set to ‘Enabled: Large letters + small letters + numbers + special characters’ (MS only)
oval:simp.cis.1.0.0.windows2022.18.2.5_L1_Ensure_Password_Settings_Password_Length_is_set_to_Enabled_15_or_more_MS_only:def:1
- Title: (L1) Ensure ‘Password Settings: Password Length’ is set to ‘Enabled: 15 or more’ (MS only)
oval:simp.cis.1.0.0.windows2022.1.1.7_L1_Ensure_Store_passwords_using_reversible_encryption_is_set_to_Disabled:def:1
- Title: (L1) Ensure ‘Store passwords using reversible encryption’ is set to ‘Disabled’
oval:simp.cis.1.0.0.windows2022.2.3.8.3_L1_Ensure_Microsoft_network_client_Send_unencrypted_password_to_third-party_SMB_servers_is_set_to_Disabled:def:1
- Title: (L1) Ensure ‘Microsoft network client: Send unencrypted password to third-party SMB servers’ is set to ‘Disabled’
oval:simp.cis.1.0.0.windows2022.2.3.11.5_L1_Ensure_Network_security_Do_not_store_LAN_Manager_hash_value_on_next_password_change_is_set_to_Enabled:def:1
- Title: (L1) Ensure ‘Network security: Do not store LAN Manager hash value on next password change’ is set to ‘Enabled’
oval:simp.cis.1.0.0.windows2022.18.3.7_L1_Ensure_WDigest_Authentication_is_set_to_Disabled:def:1
- Title: (L1) Ensure ‘WDigest Authentication’ is set to ‘Disabled’
oval:simp.cis.1.0.0.windows2022.18.4.1_L1_Ensure_MSS_AutoAdminLogon_Enable_Automatic_Logon_not_recommended_is_set_to_Disabled:def:1
- Title: (L1) Ensure ‘MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)’ is set to ‘Disabled’
oval:simp.cis.1.0.0.windows2022.1.2.3_L1_Ensure_Reset_account_lockout_counter_after_is_set_to_15_or_more_minutes:def:1
- Title: (L1) Ensure ‘Reset account lockout counter after’ is set to ‘15 or more minute(s)’
oval:simp.cis.1.0.0.windows2022.2.3.5.3_L1_Ensure_Domain_controller_LDAP_server_channel_binding_token_requirements_is_set_to_Always_DC_Only:def:1
- Title: (L1) Ensure ‘Domain controller: LDAP server channel binding token requirements’ is set to ‘Always’ (DC Only)
oval:simp.cis.1.0.0.windows2022.18.8.4.2_L1_Ensure_Remote_host_allows_delegation_of_non-exportable_credentials_is_set_to_Enabled:def:1
- Title: (L1) Ensure ‘Remote host allows delegation of non-exportable credentials’ is set to ‘Enabled’
oval:simp.cis.1.0.0.windows2022.18.9.102.1.1_L1_Ensure_Allow_Basic_authentication_is_set_to_Disabled:def:1
- Title: (L1) Ensure ‘Allow Basic authentication’ is set to ‘Disabled’
oval:simp.cis.1.0.0.windows2022.18.9.102.1.3_L1_Ensure_Disallow_Digest_authentication_is_set_to_Enabled:def:1
- Title: (L1) Ensure ‘Disallow Digest authentication’ is set to ‘Enabled’
oval:simp.cis.1.0.0.windows2022.18.9.102.2.1_L1_Ensure_Allow_Basic_authentication_is_set_to_Disabled:def:1
- Title: (L1) Ensure ‘Allow Basic authentication’ is set to ‘Disabled’
oval:simp.cis.1.0.0.windows2022.18.8.3.1_L1_Ensure_Include_command_line_in_process_creation_events_is_set_to_Enabled:def:1
- Title: (L1) Ensure ‘Include command line in process creation events’ is set to ‘Enabled’
oval:simp.cis.1.0.0.windows2022.18.9.100.1_L1_Ensure_Turn_on_PowerShell_Script_Block_Logging_is_set_to_Enabled:def:1
- Title: (L1) Ensure ‘Turn on PowerShell Script Block Logging’ is set to ‘Enabled’
oval:simp.cis.1.0.0.windows2022.18.8.22.1.1_L1_Ensure_Turn_off_downloading_of_print_drivers_over_HTTP_is_set_to_Enabled:def:1
- Title: (L1) Ensure ‘Turn off downloading of print drivers over HTTP’ is set to ‘Enabled’
oval:simp.cis.1.0.0.windows2022.18.9.90.1_L1_Ensure_Allow_user_control_over_installs_is_set_to_Disabled:def:1
- Title: (L1) Ensure ‘Allow user control over installs’ is set to ‘Disabled’
oval:simp.cis.1.0.0.windows2022.18.5.11.2_L1_Ensure_Prohibit_installation_and_configuration_of_Network_Bridge_on_your_DNS_domain_network_is_set_to_Enabled:def:1
- Title: (L1) Ensure ‘Prohibit installation and configuration of Network Bridge on your DNS domain network’ is set to ‘Enabled’
oval:simp.cis.1.0.0.windows2022.2.2.2_L1_Ensure_Access_this_computer_from_the_network_is_set_to_Administrators_Authenticated_Users_ENTERPRISE_DOMAIN_CONTROLLERS_DC_only:def:1
- Title: (L1) Ensure ‘Access this computer from the network’ is set to ‘Administrators, Authenticated Users, ENTERPRISE DOMAIN CONTROLLERS’ (DC only)
oval:simp.cis.1.0.0.windows2022.2.2.3_L1_Ensure_Access_this_computer_from_the_network__is_set_to_Administrators_Authenticated_Users_MS_only:def:1
- Title: (L1) Ensure ‘Access this computer from the network’ is set to ‘Administrators, Authenticated Users’ (MS only)
oval:simp.cis.1.0.0.windows2022.5.1_L1_Ensure_Print_Spooler_Spooler_is_set_to_Disabled_DC_only:def:1
- Title: (L1) Ensure ‘Print Spooler (Spooler)’ is set to ‘Disabled’ (DC only)
oval:simp.cis.1.0.0.windows2022.5.2_L2_Ensure_Print_Spooler_Spooler_is_set_to_Disabled_MS_only:def:1
- Title: (L2) Ensure ‘Print Spooler (Spooler)’ is set to ‘Disabled’ (MS only)
oval:simp.cis.1.0.0.windows2022.18.1.3_L2_Ensure_Allow_Online_Tips_is_set_to_Disabled:def:1
- Title: (L2) Ensure ‘Allow Online Tips’ is set to ‘Disabled’
oval:simp.cis.1.0.0.windows2022.18.3.2_L1_Ensure_Configure_SMB_v1_client_driver_is_set_to_Enabled_Disable_driver_recommended:def:1
- Title: (L1) Ensure ‘Configure SMB v1 client driver’ is set to ‘Enabled: Disable driver (recommended)’
oval:simp.cis.1.0.0.windows2022.18.3.3_L1_Ensure_Configure_SMB_v1_server_is_set_to_Disabled:def:1
- Title: (L1) Ensure ‘Configure SMB v1 server’ is set to ‘Disabled’
oval:simp.cis.1.0.0.windows2022.18.3.6_L1_Ensure_NetBT_NodeType_configuration_is_set_to_Enabled_P-node_recommended:def:1
- Title: (L1) Ensure ‘NetBT NodeType configuration’ is set to ‘Enabled: P-node (recommended)’
oval:simp.cis.1.0.0.windows2022.18.4.2_L1_Ensure_MSS_DisableIPSourceRouting_IPv6_IP_source_routing_protection_level_protects_against_packet_spoofing_is_set_to_Enabled_Highest_protection_source_routing_is_completely_disabled:def:1
- Title: (L1) Ensure ‘MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)’ is set to ‘Enabled: Highest protection, source routing is completely disabled’
oval:simp.cis.1.0.0.windows2022.18.4.3_L1_Ensure_MSS_DisableIPSourceRouting_IP_source_routing_protection_level_protects_against_packet_spoofing_is_set_to_Enabled_Highest_protection_source_routing_is_completely_disabled:def:1
- Title: (L1) Ensure ‘MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)’ is set to ‘Enabled: Highest protection, source routing is completely disabled’
oval:simp.cis.1.0.0.windows2022.18.4.4_L1_Ensure_MSS_EnableICMPRedirect_Allow_ICMP_redirects_to_override_OSPF_generated_routes_is_set_to_Disabled:def:1
- Title: (L1) Ensure ‘MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes’ is set to ‘Disabled’
oval:simp.cis.1.0.0.windows2022.18.4.5_L2_Ensure_MSS_KeepAliveTime_How_often_keep-alive_packets_are_sent_in_milliseconds_is_set_to_Enabled_300000_or_5_minutes_recommended:def:1
- Title: (L2) Ensure ‘MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds’ is set to ‘Enabled: 300,000 or 5 minutes (recommended)’
oval:simp.cis.1.0.0.windows2022.18.4.6_L1_Ensure_MSS_NoNameReleaseOnDemand_Allow_the_computer_to_ignore_NetBIOS_name_release_requests_except_from_WINS_servers_is_set_to_Enabled:def:1
- Title: (L1) Ensure ‘MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers’ is set to ‘Enabled’
oval:simp.cis.1.0.0.windows2022.18.4.7_L2_Ensure_MSS_PerformRouterDiscovery_Allow_IRDP_to_detect_and_configure_Default_Gateway_addresses_could_lead_to_DoS_is_set_to_Disabled:def:1
- Title: (L2) Ensure ‘MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)’ is set to ‘Disabled’
oval:simp.cis.1.0.0.windows2022.18.4.10_L2_Ensure_MSS_TcpMaxDataRetransmissions_IPv6_How_many_times_unacknowledged_data_is_retransmitted_is_set_to_Enabled_3:def:1
- Title: (L2) Ensure ‘MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted’ is set to ‘Enabled: 3’
oval:simp.cis.1.0.0.windows2022.18.4.11_L2_Ensure_MSS_TcpMaxDataRetransmissions_How_many_times_unacknowledged_data_is_retransmitted_is_set_to_Enabled_3:def:1
- Title: (L2) Ensure ‘MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted’ is set to ‘Enabled: 3’
oval:simp.cis.1.0.0.windows2022.18.5.4.2_L1_Ensure_Turn_off_multicast_name_resolution_is_set_to_Enabled:def:1
- Title: (L1) Ensure ‘Turn off multicast name resolution’ is set to ‘Enabled’
oval:simp.cis.1.0.0.windows2022.18.5.8.1_L1_Ensure_Enable_insecure_guest_logons_is_set_to_Disabled:def:1
- Title: (L1) Ensure ‘Enable insecure guest logons’ is set to ‘Disabled’
oval:simp.cis.1.0.0.windows2022.18.5.9.1_L2_Ensure_Turn_on_Mapper_IO_LLTDIO_driver_is_set_to_Disabled:def:1
- Title: (L2) Ensure ‘Turn on Mapper I/O (LLTDIO) driver’ is set to ‘Disabled’
oval:simp.cis.1.0.0.windows2022.18.5.9.2_L2_Ensure_Turn_on_Responder_RSPNDR_driver_is_set_to_Disabled:def:1
- Title: (L2) Ensure ‘Turn on Responder (RSPNDR) driver’ is set to ‘Disabled’
oval:simp.cis.1.0.0.windows2022.18.5.10.2_L2_Ensure_Turn_off_Microsoft_Peer-to-Peer_Networking_Services_is_set_to_Enabled:def:1
- Title: (L2) Ensure ‘Turn off Microsoft Peer-to-Peer Networking Services’ is set to ‘Enabled’
oval:simp.cis.1.0.0.windows2022.18.5.11.3_L1_Ensure_Prohibit_use_of_Internet_Connection_Sharing_on_your_DNS_domain_network_is_set_to_Enabled:def:1
- Title: (L1) Ensure ‘Prohibit use of Internet Connection Sharing on your DNS domain network’ is set to ‘Enabled’
oval:simp.cis.1.0.0.windows2022.18.5.19.2.1_L2_Disable_IPv6_Ensure_TCPIP6_Parameter_DisabledComponents_is_set_to_0xff_255:def:1
- Title: (L2) Disable IPv6 (Ensure TCPIP6 Parameter ‘DisabledComponents’ is set to ‘0xff (255)’)
oval:simp.cis.1.0.0.windows2022.18.5.20.2_L2_Ensure_Prohibit_access_of_the_Windows_Connect_Now_wizards_is_set_to_Enabled:def:1
- Title: (L2) Ensure ‘Prohibit access of the Windows Connect Now wizards’ is set to ‘Enabled’
oval:simp.cis.1.0.0.windows2022.18.7.1.1_L2_Ensure_Turn_off_notifications_network_usage_is_set_to_Enabled:def:1
- Title: (L2) Ensure ‘Turn off notifications network usage’ is set to ‘Enabled’
oval:simp.cis.1.0.0.windows2022.18.8.21.4_L1_Ensure_Continue_experiences_on_this_device_is_set_to_Disabled:def:1
- Title: (L1) Ensure ‘Continue experiences on this device’ is set to ‘Disabled’
oval:simp.cis.1.0.0.windows2022.18.8.22.1.2_L2_Ensure_Turn_off_handwriting_personalization_data_sharing_is_set_to_Enabled:def:1
- Title: (L2) Ensure ‘Turn off handwriting personalization data sharing’ is set to ‘Enabled’
oval:simp.cis.1.0.0.windows2022.18.8.22.1.3_L2_Ensure_Turn_off_handwriting_recognition_error_reporting_is_set_to_Enabled:def:1
- Title: (L2) Ensure ‘Turn off handwriting recognition error reporting’ is set to ‘Enabled’
oval:simp.cis.1.0.0.windows2022.18.8.22.1.4_L2_Ensure_Turn_off_Internet_Connection_Wizard_if_URL_connection_is_referring_to_Microsoft.com_is_set_to_Enabled:def:1
- Title: (L2) Ensure ‘Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com’ is set to ‘Enabled’
oval:simp.cis.1.0.0.windows2022.18.8.22.1.5_L1_Ensure_Turn_off_Internet_download_for_Web_publishing_and_online_ordering_wizards_is_set_to_Enabled:def:1
- Title: (L1) Ensure ‘Turn off Internet download for Web publishing and online ordering wizards’ is set to ‘Enabled’
oval:simp.cis.1.0.0.windows2022.18.8.22.1.7_L2_Ensure_Turn_off_Registration_if_URL_connection_is_referring_to_Microsoft.com_is_set_to_Enabled:def:1
- Title: (L2) Ensure ‘Turn off Registration if URL connection is referring to Microsoft.com’ is set to ‘Enabled’
oval:simp.cis.1.0.0.windows2022.18.8.22.1.8_L2_Ensure_Turn_off_Search_Companion_content_file_updates_is_set_to_Enabled:def:1
- Title: (L2) Ensure ‘Turn off Search Companion content file updates’ is set to ‘Enabled’
oval:simp.cis.1.0.0.windows2022.18.8.22.1.9_L2_Ensure_Turn_off_the_Order_Prints_picture_task_is_set_to_Enabled:def:1
- Title: (L2) Ensure ‘Turn off the “Order Prints” picture task’ is set to ‘Enabled’
oval:simp.cis.1.0.0.windows2022.18.8.22.1.10_L2_Ensure_Turn_off_the_Publish_to_Web_task_for_files_and_folders_is_set_to_Enabled:def:1
- Title: (L2) Ensure ‘Turn off the “Publish to Web” task for files and folders’ is set to ‘Enabled’
oval:simp.cis.1.0.0.windows2022.18.8.22.1.11_L2_Ensure_Turn_off_the_Windows_Messenger_Customer_Experience_Improvement_Program_is_set_to_Enabled:def:1
- Title: (L2) Ensure ‘Turn off the Windows Messenger Customer Experience Improvement Program’ is set to ‘Enabled’
oval:simp.cis.1.0.0.windows2022.18.8.22.1.12_L2_Ensure_Turn_off_Windows_Customer_Experience_Improvement_Program_is_set_to_Enabled:def:1
- Title: (L2) Ensure ‘Turn off Windows Customer Experience Improvement Program’ is set to ‘Enabled’
oval:simp.cis.1.0.0.windows2022.18.8.22.1.13_L2_Ensure_Turn_off_Windows_Error_Reporting_is_set_to_Enabled:def:1
- Title: (L2) Ensure ‘Turn off Windows Error Reporting’ is set to ‘Enabled’
oval:simp.cis.1.0.0.windows2022.18.8.31.2_L2_Ensure_Allow_upload_of_User_Activities_is_set_to_Disabled:def:1
- Title: (L2) Ensure ‘Allow upload of User Activities’ is set to ‘Disabled’
oval:simp.cis.1.0.0.windows2022.18.8.34.6.1_L2_Ensure_Allow_network_connectivity_during_connected-standby_on_battery_is_set_to_Disabled:def:1
- Title: (L2) Ensure ‘Allow network connectivity during connected-standby (on battery)’ is set to ‘Disabled’
oval:simp.cis.1.0.0.windows2022.18.8.34.6.2_L2_Ensure_Allow_network_connectivity_during_connected-standby_plugged_in_is_set_to_Disabled:def:1
- Title: (L2) Ensure ‘Allow network connectivity during connected-standby (plugged in)’ is set to ‘Disabled’
oval:simp.cis.1.0.0.windows2022.18.8.36.1_L1_Ensure_Configure_Offer_Remote_Assistance_is_set_to_Disabled:def:1
- Title: (L1) Ensure ‘Configure Offer Remote Assistance’ is set to ‘Disabled’
oval:simp.cis.1.0.0.windows2022.18.8.36.2_L1_Ensure_Configure_Solicited_Remote_Assistance_is_set_to_Disabled:def:1
- Title: (L1) Ensure ‘Configure Solicited Remote Assistance’ is set to ‘Disabled’
oval:simp.cis.1.0.0.windows2022.18.8.37.1_L1_Ensure_Enable_RPC_Endpoint_Mapper_Client_Authentication_is_set_to_Enabled_MS_only:def:1
- Title: (L1) Ensure ‘Enable RPC Endpoint Mapper Client Authentication’ is set to ‘Enabled’ (MS only)
oval:simp.cis.1.0.0.windows2022.18.8.37.2_L2_Ensure_Restrict_Unauthenticated_RPC_clients_is_set_to_Enabled_Authenticated_MS_only:def:1
- Title: (L2) Ensure ‘Restrict Unauthenticated RPC clients’ is set to ‘Enabled: Authenticated’ (MS only)
oval:simp.cis.1.0.0.windows2022.18.8.48.5.1_L2_Ensure_Microsoft_Support_Diagnostic_Tool_Turn_on_MSDT_interactive_communication_with_support_provider_is_set_to_Disabled:def:1
- Title: (L2) Ensure ‘Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider’ is set to ‘Disabled’
oval:simp.cis.1.0.0.windows2022.18.8.48.11.1_L2_Ensure_EnableDisable_PerfTrack_is_set_to_Disabled:def:1
- Title: (L2) Ensure ‘Enable/Disable PerfTrack’ is set to ‘Disabled’
oval:simp.cis.1.0.0.windows2022.18.8.50.1_L2_Ensure_Turn_off_the_advertising_ID_is_set_to_Enabled:def:1
- Title: (L2) Ensure ‘Turn off the advertising ID’ is set to ‘Enabled’
oval:simp.cis.1.0.0.windows2022.18.9.14.2_L1_Ensure_Turn_off_Microsoft_consumer_experiences_is_set_to_Enabled:def:1
- Title: (L1) Ensure ‘Turn off Microsoft consumer experiences’ is set to ‘Enabled’
oval:simp.cis.1.0.0.windows2022.18.9.17.1_L1_Ensure_Allow_Diagnostic_Data_is_set_to_Enabled_Diagnostic_data_off_not_recommended_or_Enabled_Send_required_diagnostic_data:def:1
- Title: (L1) Ensure ‘Allow Diagnostic Data’ is set to ‘Enabled: Diagnostic data off (not recommended)’ or ‘Enabled: Send required diagnostic data’
oval:simp.cis.1.0.0.windows2022.18.9.17.2_L2_Ensure_Configure_Authenticated_Proxy_usage_for_the_Connected_User_Experience_and_Telemetry_service_is_set_to_Enabled_Disable_Authenticated_Proxy_usage:def:1
- Title: (L2) Ensure ‘Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service’ is set to ‘Enabled: Disable Authenticated Proxy usage’
oval:simp.cis.1.0.0.windows2022.18.9.17.4_L1_Ensure_Do_not_show_feedback_notifications_is_set_to_Enabled:def:1
- Title: (L1) Ensure ‘Do not show feedback notifications’ is set to ‘Enabled’
oval:simp.cis.1.0.0.windows2022.18.9.41.1_L2_Ensure_Turn_off_location_is_set_to_Enabled:def:1
- Title: (L2) Ensure ‘Turn off location’ is set to ‘Enabled’
oval:simp.cis.1.0.0.windows2022.18.9.45.1_L2_Ensure_Allow_Message_Service_Cloud_Sync_is_set_to_Disabled:def:1
- Title: (L2) Ensure ‘Allow Message Service Cloud Sync’ is set to ‘Disabled’
oval:simp.cis.1.0.0.windows2022.18.9.47.4.1_L1_Ensure_Configure_local_setting_override_for_reporting_to_Microsoft_MAPS_is_set_to_Disabled:def:1
- Title: (L1) Ensure ‘Configure local setting override for reporting to Microsoft MAPS’ is set to ‘Disabled’
oval:simp.cis.1.0.0.windows2022.18.9.47.4.2_L2_Ensure_Join_Microsoft_MAPS_is_set_to_Disabled:def:1
- Title: (L2) Ensure ‘Join Microsoft MAPS’ is set to ‘Disabled’
oval:simp.cis.1.0.0.windows2022.18.9.64.1_L2_Ensure_Turn_off_Push_To_Install_service_is_set_to_Enabled:def:1
- Title: (L2) Ensure ‘Turn off Push To Install service’ is set to ‘Enabled’
oval:simp.cis.1.0.0.windows2022.18.9.65.3.2.1_L2_Ensure_Restrict_Remote_Desktop_Services_users_to_a_single_Remote_Desktop_Services_session_is_set_to_Enabled:def:1
- Title: (L2) Ensure ‘Restrict Remote Desktop Services users to a single Remote Desktop Services session’ is set to ‘Enabled’
oval:simp.cis.1.0.0.windows2022.18.9.65.3.3.2_L2_Ensure_Do_not_allow_COM_port_redirection_is_set_to_Enabled:def:1
- Title: (L2) Ensure ‘Do not allow COM port redirection’ is set to ‘Enabled’
oval:simp.cis.1.0.0.windows2022.18.9.65.3.3.3_L1_Ensure_Do_not_allow_drive_redirection_is_set_to_Enabled:def:1
- Title: (L1) Ensure ‘Do not allow drive redirection’ is set to ‘Enabled’
oval:simp.cis.1.0.0.windows2022.18.9.65.3.3.5_L2_Ensure_Do_not_allow_LPT_port_redirection_is_set_to_Enabled:def:1
- Title: (L2) Ensure ‘Do not allow LPT port redirection’ is set to ‘Enabled’
oval:simp.cis.1.0.0.windows2022.18.9.65.3.3.6_L2_Ensure_Do_not_allow_supported_Plug_and_Play_device_redirection_is_set_to_Enabled:def:1
- Title: (L2) Ensure ‘Do not allow supported Plug and Play device redirection’ is set to ‘Enabled’
oval:simp.cis.1.0.0.windows2022.18.9.67.2_L2_Ensure_Allow_Cloud_Search_is_set_to_Enabled_Disable_Cloud_Search:def:1
- Title: (L2) Ensure ‘Allow Cloud Search’ is set to ‘Enabled: Disable Cloud Search’
oval:simp.cis.1.0.0.windows2022.18.9.72.1_L2_Ensure_Turn_off_KMS_Client_Online_AVS_Validation_is_set_to_Enabled:def:1
- Title: (L2) Ensure ‘Turn off KMS Client Online AVS Validation’ is set to ‘Enabled’
oval:simp.cis.1.0.0.windows2022.18.9.89.1_L2_Ensure_Allow_suggested_apps_in_Windows_Ink_Workspace_is_set_to_Disabled:def:1
- Title: (L2) Ensure ‘Allow suggested apps in Windows Ink Workspace’ is set to ‘Disabled’
oval:simp.cis.1.0.0.windows2022.18.9.89.2_L1_Ensure_Allow_Windows_Ink_Workspace_is_set_to_Enabled_On_but_disallow_access_above_lock_OR_Disabled_but_not_Enabled_On:def:1
- Title: (L1) Ensure ‘Allow Windows Ink Workspace’ is set to ‘Enabled: On, but disallow access above lock’ OR ‘Disabled’ but not ‘Enabled: On’
oval:simp.cis.1.0.0.windows2022.18.9.102.2.2_L2_Ensure_Allow_remote_server_management_through_WinRM_is_set_to_Disabled:def:1
- Title: (L2) Ensure ‘Allow remote server management through WinRM’ is set to ‘Disabled’
oval:simp.cis.1.0.0.windows2022.18.9.103.1_L2_Ensure_Allow_Remote_Shell_Access_is_set_to_Disabled:def:1
- Title: (L2) Ensure ‘Allow Remote Shell Access’ is set to ‘Disabled’
oval:simp.cis.1.0.0.windows2022.19.6.6.1.1_L2_Ensure_Turn_off_Help_Experience_Improvement_Program_is_set_to_Enabled:def:1
- Title: (L2) Ensure ‘Turn off Help Experience Improvement Program’ is set to ‘Enabled’
- NOTE: This is a per-user setting that SIMP cannot directly enforce at this time.
- NOTE: Group Policy templates enforcing this setting that can be imported to Active Directory are provided on the Domain Controllers.
oval:simp.cis.1.0.0.windows2022.19.7.8.3_L2_Ensure_Do_not_use_diagnostic_data_for_tailored_experiences_is_set_to_Enabled:def:1
- Title: (L2) Ensure ‘Do not use diagnostic data for tailored experiences’ is set to ‘Enabled’
- NOTE: This is a per-user setting that SIMP cannot directly enforce at this time.
- NOTE: Group Policy templates enforcing this setting that can be imported to Active Directory are provided on the Domain Controllers.
oval:simp.cis.1.0.0.windows2022.19.7.8.4_L2_Ensure_Turn_off_all_Windows_spotlight_features_is_set_to_Enabled:def:1
- Title: (L2) Ensure ‘Turn off all Windows spotlight features’ is set to ‘Enabled’
- NOTE: This is a per-user setting that SIMP cannot directly enforce at this time.
- NOTE: Group Policy templates enforcing this setting that can be imported to Active Directory are provided on the Domain Controllers.
oval:simp.cis.1.0.0.windows2022.9.1.1_L1_Ensure_Windows_Firewall_Domain_Firewall_state_is_set_to_On_recommended:def:1
- Title: (L1) Ensure ‘Windows Firewall: Domain: Firewall state’ is set to ‘On (recommended)’
oval:simp.cis.1.0.0.windows2022.9.1.2_L1_Ensure_Windows_Firewall_Domain_Inbound_connections_is_set_to_Block_default:def:1
- Title: (L1) Ensure ‘Windows Firewall: Domain: Inbound connections’ is set to ‘Block (default)’
oval:simp.cis.1.0.0.windows2022.9.1.3_L1_Ensure_Windows_Firewall_Domain_Outbound_connections_is_set_to_Allow_default:def:1
- Title: (L1) Ensure ‘Windows Firewall: Domain: Outbound connections’ is set to ‘Allow (default)’
oval:simp.cis.1.0.0.windows2022.9.1.4_L1_Ensure_Windows_Firewall_Domain_Settings_Display_a_notification_is_set_to_No:def:1
- Title: (L1) Ensure ‘Windows Firewall: Domain: Settings: Display a notification’ is set to ‘No’
oval:simp.cis.1.0.0.windows2022.9.1.5_L1_Ensure_Windows_Firewall_Domain_Logging_Name_is_set_to_SystemRootSystem32logfilesfirewalldomainfw.log:def:1
- Title: (L1) Ensure ‘Windows Firewall: Domain: Logging: Name’ is set to ‘%SystemRoot%\System32\logfiles\firewall\domainfw.log’
oval:simp.cis.1.0.0.windows2022.9.1.6_L1_Ensure_Windows_Firewall_Domain_Logging_Size_limit_KB_is_set_to_16384_KB_or_greater:def:1
- Title: (L1) Ensure ‘Windows Firewall: Domain: Logging: Size limit (KB)’ is set to ‘16,384 KB or greater’
oval:simp.cis.1.0.0.windows2022.9.1.7_L1_Ensure_Windows_Firewall_Domain_Logging_Log_dropped_packets_is_set_to_Yes:def:1
- Title: (L1) Ensure ‘Windows Firewall: Domain: Logging: Log dropped packets’ is set to ‘Yes’
oval:simp.cis.1.0.0.windows2022.9.1.8_L1_Ensure_Windows_Firewall_Domain_Logging_Log_successful_connections_is_set_to_Yes:def:1
- Title: (L1) Ensure ‘Windows Firewall: Domain: Logging: Log successful connections’ is set to ‘Yes’
oval:simp.cis.1.0.0.windows2022.9.2.1_L1_Ensure_Windows_Firewall_Private_Firewall_state_is_set_to_On_recommended:def:1
- Title: (L1) Ensure ‘Windows Firewall: Private: Firewall state’ is set to ‘On (recommended)’
oval:simp.cis.1.0.0.windows2022.9.2.2_L1_Ensure_Windows_Firewall_Private_Inbound_connections_is_set_to_Block_default:def:1
- Title: (L1) Ensure ‘Windows Firewall: Private: Inbound connections’ is set to ‘Block (default)’
oval:simp.cis.1.0.0.windows2022.9.2.3_L1_Ensure_Windows_Firewall_Private_Outbound_connections_is_set_to_Allow_default:def:1
- Title: (L1) Ensure ‘Windows Firewall: Private: Outbound connections’ is set to ‘Allow (default)’
oval:simp.cis.1.0.0.windows2022.9.2.4_L1_Ensure_Windows_Firewall_Private_Settings_Display_a_notification_is_set_to_No:def:1
- Title: (L1) Ensure ‘Windows Firewall: Private: Settings: Display a notification’ is set to ‘No’
oval:simp.cis.1.0.0.windows2022.9.2.5_L1_Ensure_Windows_Firewall_Private_Logging_Name_is_set_to_SystemRootSystem32logfilesfirewallprivatefw.log:def:1
- Title: (L1) Ensure ‘Windows Firewall: Private: Logging: Name’ is set to ‘%SystemRoot%\System32\logfiles\firewall\privatefw.log’
oval:simp.cis.1.0.0.windows2022.9.2.6_L1_Ensure_Windows_Firewall_Private_Logging_Size_limit_KB_is_set_to_16384_KB_or_greater:def:1
- Title: (L1) Ensure ‘Windows Firewall: Private: Logging: Size limit (KB)’ is set to ‘16,384 KB or greater’
oval:simp.cis.1.0.0.windows2022.9.2.7_L1_Ensure_Windows_Firewall_Private_Logging_Log_dropped_packets_is_set_to_Yes:def:1
- Title: (L1) Ensure ‘Windows Firewall: Private: Logging: Log dropped packets’ is set to ‘Yes’
oval:simp.cis.1.0.0.windows2022.9.2.8_L1_Ensure_Windows_Firewall_Private_Logging_Log_successful_connections_is_set_to_Yes:def:1
- Title: (L1) Ensure ‘Windows Firewall: Private: Logging: Log successful connections’ is set to ‘Yes’
oval:simp.cis.1.0.0.windows2022.9.3.1_L1_Ensure_Windows_Firewall_Public_Firewall_state_is_set_to_On_recommended:def:1
- Title: (L1) Ensure ‘Windows Firewall: Public: Firewall state’ is set to ‘On (recommended)’
oval:simp.cis.1.0.0.windows2022.9.3.2_L1_Ensure_Windows_Firewall_Public_Inbound_connections_is_set_to_Block_default:def:1
- Title: (L1) Ensure ‘Windows Firewall: Public: Inbound connections’ is set to ‘Block (default)’
oval:simp.cis.1.0.0.windows2022.9.3.3_L1_Ensure_Windows_Firewall_Public_Outbound_connections_is_set_to_Allow_default:def:1
- Title: (L1) Ensure ‘Windows Firewall: Public: Outbound connections’ is set to ‘Allow (default)’
oval:simp.cis.1.0.0.windows2022.9.3.4_L1_Ensure_Windows_Firewall_Public_Settings_Display_a_notification_is_set_to_No:def:1
- Title: (L1) Ensure ‘Windows Firewall: Public: Settings: Display a notification’ is set to ‘No’
oval:simp.cis.1.0.0.windows2022.9.3.5_L1_Ensure_Windows_Firewall_Public_Settings_Apply_local_firewall_rules_is_set_to_No:def:1
- Title: (L1) Ensure ‘Windows Firewall: Public: Settings: Apply local firewall rules’ is set to ‘No’
oval:simp.cis.1.0.0.windows2022.9.3.6_L1_Ensure_Windows_Firewall_Public_Settings_Apply_local_connection_security_rules_is_set_to_No:def:1
- Title: (L1) Ensure ‘Windows Firewall: Public: Settings: Apply local connection security rules’ is set to ‘No’
oval:simp.cis.1.0.0.windows2022.9.3.7_L1_Ensure_Windows_Firewall_Public_Logging_Name_is_set_to_SystemRootSystem32logfilesfirewallpublicfw.log:def:1
- Title: (L1) Ensure ‘Windows Firewall: Public: Logging: Name’ is set to ‘%SystemRoot%\System32\logfiles\firewall\publicfw.log’
oval:simp.cis.1.0.0.windows2022.9.3.8_L1_Ensure_Windows_Firewall_Public_Logging_Size_limit_KB_is_set_to_16384_KB_or_greater:def:1
- Title: (L1) Ensure ‘Windows Firewall: Public: Logging: Size limit (KB)’ is set to ‘16,384 KB or greater’
oval:simp.cis.1.0.0.windows2022.9.3.9_L1_Ensure_Windows_Firewall_Public_Logging_Log_dropped_packets_is_set_to_Yes:def:1
- Title: (L1) Ensure ‘Windows Firewall: Public: Logging: Log dropped packets’ is set to ‘Yes’
oval:simp.cis.1.0.0.windows2022.9.3.10_L1_Ensure_Windows_Firewall_Public_Logging_Log_successful_connections_is_set_to_Yes:def:1
- Title: (L1) Ensure ‘Windows Firewall: Public: Logging: Log successful connections’ is set to ‘Yes’
oval:simp.cis.1.0.0.windows2022.1.1.2_L1_Ensure_Maximum_password_age_is_set_to_365_or_fewer_days_but_not_0:def:1
- Title: (L1) Ensure ‘Maximum password age’ is set to ‘365 or fewer days, but not 0’
oval:simp.cis.1.0.0.windows2022.1.1.3_L1_Ensure_Minimum_password_age_is_set_to_1_or_more_days:def:1
- Title: (L1) Ensure ‘Minimum password age’ is set to ‘1 or more day(s)’
oval:simp.cis.1.0.0.windows2022.18.2.2_L1_Ensure_Do_not_allow_password_expiration_time_longer_than_required_by_policy_is_set_to_Enabled_MS_only:def:1
- Title: (L1) Ensure ‘Do not allow password expiration time longer than required by policy’ is set to ‘Enabled’ (MS only)
oval:simp.cis.1.0.0.windows2022.18.2.6_L1_Ensure_Password_Settings_Password_Age_Days_is_set_to_Enabled_30_or_fewer_MS_only:def:1
- Title: (L1) Ensure ‘Password Settings: Password Age (Days)’ is set to ‘Enabled: 30 or fewer’ (MS only)
oval:simp.cis.1.0.0.windows2022.17.1.1_L1_Ensure_Audit_Credential_Validation_is_set_to_Success_and_Failure:def:1
- Title: (L1) Ensure ‘Audit Credential Validation’ is set to ‘Success and Failure’
oval:simp.cis.1.0.0.windows2022.2.2.19_L1_Ensure_Debug_programs_is_set_to_Administrators:def:1
- Title: (L1) Ensure ‘Debug programs’ is set to ‘Administrators’
oval:simp.cis.1.0.0.windows2022.2.3.5.4_L1_Ensure_Domain_controller_LDAP_server_signing_requirements_is_set_to_Require_signing_DC_only:def:1
- Title: (L1) Ensure ‘Domain controller: LDAP server signing requirements’ is set to ‘Require signing’ (DC only)
oval:simp.cis.1.0.0.windows2022.2.3.6.1_L1_Ensure_Domain_member_Digitally_encrypt_or_sign_secure_channel_data_always_is_set_to_Enabled:def:1
- Title: (L1) Ensure ‘Domain member: Digitally encrypt or sign secure channel data (always)’ is set to ‘Enabled’
oval:simp.cis.1.0.0.windows2022.2.3.6.2_L1_Ensure_Domain_member_Digitally_encrypt_secure_channel_data_when_possible_is_set_to_Enabled:def:1
- Title: (L1) Ensure ‘Domain member: Digitally encrypt secure channel data (when possible)’ is set to ‘Enabled’
oval:simp.cis.1.0.0.windows2022.2.3.11.4_L1_Ensure_Network_security_Configure_encryption_types_allowed_for_Kerberos_is_set_to_AES128_HMAC_SHA1_AES256_HMAC_SHA1_Future_encryption_types:def:1
- Title: (L1) Ensure ‘Network security: Configure encryption types allowed for Kerberos’ is set to ‘AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types’
oval:simp.cis.1.0.0.windows2022.18.5.4.1_L1_Ensure_Configure_DNS_over_HTTPS_DoH_name_resolution_is_set_to_Enabled_Allow_DoH_or_higher:def:1
- Title: (L1) Ensure ‘Configure DNS over HTTPS (DoH) name resolution’ is set to ‘Enabled: Allow DoH’ or higher
oval:simp.cis.1.0.0.windows2022.18.9.102.1.2_L1_Ensure_Allow_unencrypted_traffic_is_set_to_Disabled:def:1
- Title: (L1) Ensure ‘Allow unencrypted traffic’ is set to ‘Disabled’
oval:simp.cis.1.0.0.windows2022.18.9.102.2.3_L1_Ensure_Allow_unencrypted_traffic_is_set_to_Disabled:def:1
- Title: (L1) Ensure ‘Allow unencrypted traffic’ is set to ‘Disabled’
oval:simp.cis.1.0.0.windows2022.18.9.67.3_L1_Ensure_Allow_indexing_of_encrypted_files_is_set_to_Disabled:def:1
- Title: (L1) Ensure ‘Allow indexing of encrypted files’ is set to ‘Disabled’
oval:simp.cis.1.0.0.windows2022.18.8.21.2_L1_Ensure_Configure_registry_policy_processing_Do_not_apply_during_periodic_background_processing_is_set_to_Enabled_FALSE:def:1
- Title: (L1) Ensure ‘Configure registry policy processing: Do not apply during periodic background processing’ is set to ‘Enabled: FALSE’
oval:simp.cis.1.0.0.windows2022.18.8.21.3_L1_Ensure_Configure_registry_policy_processing_Process_even_if_the_Group_Policy_objects_have_not_changed_is_set_to_Enabled_TRUE:def:1
- Title: (L1) Ensure ‘Configure registry policy processing: Process even if the Group Policy objects have not changed’ is set to ‘Enabled: TRUE’
oval:simp.cis.1.0.0.windows2022.18.8.21.5_L1_Ensure_Turn_off_background_refresh_of_Group_Policy_is_set_to_Disabled:def:1
- Title: (L1) Ensure ‘Turn off background refresh of Group Policy’ is set to ‘Disabled’
oval:simp.cis.1.0.0.windows2022.18.9.47.5.3.1_L1_Ensure_Prevent_users_and_apps_from_accessing_dangerous_websites_is_set_to_Enabled_Block:def:1
- Title: (L1) Ensure ‘Prevent users and apps from accessing dangerous websites’ is set to ‘Enabled: Block’
oval:simp.cis.1.0.0.windows2022.2.3.9.4_L1_Ensure_Microsoft_network_server_Disconnect_clients_when_logon_hours_expire_is_set_to_Enabled:def:1
- Title: (L1) Ensure ‘Microsoft network server: Disconnect clients when logon hours expire’ is set to ‘Enabled’
oval:simp.cis.1.0.0.windows2022.2.3.11.6_L1_Ensure_Network_security_Force_logoff_when_logon_hours_expire_is_set_to_Enabled:def:1
- Title: (L1) Ensure ‘Network security: Force logoff when logon hours expire’ is set to ‘Enabled’
oval:simp.cis.1.0.0.windows2022.17.5.3_L1_Ensure_Audit_Logoff_is_set_to_include_Success:def:1
- Title: (L1) Ensure ‘Audit Logoff’ is set to include ‘Success’
oval:simp.cis.1.0.0.windows2022.17.5.4_L1_Ensure_Audit_Logon_is_set_to_Success_and_Failure:def:1
- Title: (L1) Ensure ‘Audit Logon’ is set to ‘Success and Failure’
oval:simp.cis.1.0.0.windows2022.17.5.5_L1_Ensure_Audit_Other_LogonLogoff_Events_is_set_to_Success_and_Failure:def:1
- Title: (L1) Ensure ‘Audit Other Logon/Logoff Events’ is set to ‘Success and Failure’
oval:simp.cis.1.0.0.windows2022.17.5.6_L1_Ensure_Audit_Special_Logon_is_set_to_include_Success:def:1
- Title: (L1) Ensure ‘Audit Special Logon’ is set to include ‘Success’

CMMC Coverage Report

Summary

Detail

Mapped

Windows 2012 R2 (178/178 [100%])

Windows 2016 (320/320 [100%])

Windows 2019 (209/209 [100%])

Windows 2022 (207/207 [100%])