Feb 12, 2024 Miscellaneous- Audit deprecated.
- Metadata updated.
- References updated.
|
Jan 9, 2024 Functional Update- 18.3.2 Ensure 'Configure SMB v1 client driver' is set to 'Enabled: Disable driver (recommended)'
- 18.4.2 Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled' - Enabled: Highest protection, source routing is completely disabled
- 18.4.3 Ensure 'MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled' - Enabled: Highest protection, source routing is completely disabled
- 18.5.14.1 Ensure 'Hardened UNC Paths' is set to 'Enabled, with 'Require Mutual Authentication' and 'Require Integrity' set for all NETLOGON and SYSVOL shares' - set for all NETLOGON and SYSVOL shares
- 18.8.14.1 Ensure 'Boot-Start Driver Initialization Policy' is set to 'Enabled: Good, unknown and bad but critical'
- 18.8.37.2 Ensure 'Restrict Unauthenticated RPC clients' is set to 'Enabled: Authenticated'
- 18.9.27.1.2 Ensure 'Application: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater' - Enabled: 32,768 or greater
- 18.9.27.2.2 Ensure 'Security: Specify the maximum log file size (KB)' is set to 'Enabled: 196,608 or greater' - Enabled: 196,608 or greater
- 18.9.27.4.2 Ensure 'System: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater' - Enabled: 32,768 or greater
- 18.9.8.2 Ensure 'Set the default behavior for AutoRun' is set to 'Enabled: Do not execute any autorun commands'
- 18.9.8.3 Ensure 'Turn off Autoplay' is set to 'Enabled: All drives'
|
Dec 8, 2023 Functional Update- 18.1.1.1 Ensure 'Prevent enabling lock screen camera' is set to 'Enabled'
- 18.1.1.2 Ensure 'Prevent enabling lock screen slide show' is set to 'Enabled'
- 18.2.2 Ensure 'Do not allow password expiration time longer than required by policy' is set to 'Enabled'
- 18.2.3 Ensure 'Enable Local Admin Password Management' is set to 'Enabled'
- 18.3.1 Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled'
- 18.3.3 Ensure 'Configure SMB v1 server' is set to 'Disabled'
- 18.3.4 Ensure 'Enable Structured Exception Handling Overwrite Protection (SEHOP)' is set to 'Enabled'
- 18.3.5 Ensure 'WDigest Authentication' is set to 'Disabled'
- 18.4.5 Ensure 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' is set to 'Disabled'
- 18.4.7 Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' is set to 'Enabled'
- 18.5.11.2 Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enabled'
- 18.5.21.1 Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled'
- 18.8.22.1.2 Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled'
- 18.8.22.1.4 Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'
- 18.8.28.2 Ensure 'Do not display network selection UI' is set to 'Enabled'
- 18.8.28.4 Ensure 'Enumerate local users on domain-joined computers' is set to 'Disabled'
- 18.8.28.5 Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled'
- 18.8.28.6 Ensure 'Turn off picture password sign-in' is set to 'Enabled'
- 18.8.28.7 Ensure 'Turn on convenience PIN sign-in' is set to 'Disabled'
- 18.8.34.6.5 Ensure 'Require a password when a computer wakes (on battery)' is set to 'Enabled'
- 18.8.34.6.6 Ensure 'Require a password when a computer wakes (plugged in)' is set to 'Enabled'
- 18.8.36.1 Ensure 'Configure Offer Remote Assistance' is set to 'Disabled'
- 18.8.36.2 Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled'
- 18.8.37.1 Ensure 'Enable RPC Endpoint Mapper Client Authentication' is set to 'Enabled'
- 18.8.4.1 Ensure 'Remote host allows delegation of non-exportable credentials' is set to 'Enabled'
- 18.9.102.1.1 Ensure 'Allow Basic authentication' is set to 'Disabled'
- 18.9.102.1.2 Ensure 'Allow unencrypted traffic' is set to 'Disabled'
- 18.9.102.1.3 Ensure 'Disallow Digest authentication' is set to 'Enabled'
- 18.9.102.2.1 Ensure 'Allow Basic authentication' is set to 'Disabled'
- 18.9.102.2.3 Ensure 'Allow unencrypted traffic' is set to 'Disabled'
- 18.9.102.2.4 Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled'
- 18.9.16.1 Ensure 'Do not display the password reveal button' is set to 'Enabled'
- 18.9.16.2 Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled'
- 18.9.31.2 Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled'
- 18.9.31.3 Ensure 'Turn off heap termination on corruption' is set to 'Disabled'
- 18.9.6.1 Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled'
- 18.9.65.2.2 Ensure 'Do not allow passwords to be saved' is set to 'Enabled'
- 18.9.66.1 Ensure 'Prevent downloading of enclosures' is set to 'Enabled'
- 18.9.8.1 Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled'
- 18.9.91.1 Ensure 'Sign-in and lock last interactive user automatically after a restart' is set to 'Disabled'
- 19.7.4.2 Ensure 'Notify antivirus programs when opening attachments' is set to 'Enabled'
|
Nov 3, 2023 Functional Update- 18.1.1.1 Ensure 'Prevent enabling lock screen camera' is set to 'Enabled'
- 18.1.1.2 Ensure 'Prevent enabling lock screen slide show' is set to 'Enabled'
- 18.2.2 Ensure 'Do not allow password expiration time longer than required by policy' is set to 'Enabled'
- 18.2.3 Ensure 'Enable Local Admin Password Management' is set to 'Enabled'
- 18.3.1 Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled'
- 18.3.3 Ensure 'Configure SMB v1 server' is set to 'Disabled'
- 18.3.4 Ensure 'Enable Structured Exception Handling Overwrite Protection (SEHOP)' is set to 'Enabled'
- 18.3.5 Ensure 'WDigest Authentication' is set to 'Disabled'
- 18.4.5 Ensure 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' is set to 'Disabled'
- 18.4.7 Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' is set to 'Enabled'
- 18.5.11.2 Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enabled'
- 18.5.21.1 Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled'
- 18.8.22.1.2 Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled'
- 18.8.22.1.4 Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'
- 18.8.28.2 Ensure 'Do not display network selection UI' is set to 'Enabled'
- 18.8.28.4 Ensure 'Enumerate local users on domain-joined computers' is set to 'Disabled'
- 18.8.28.5 Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled'
- 18.8.28.6 Ensure 'Turn off picture password sign-in' is set to 'Enabled'
- 18.8.28.7 Ensure 'Turn on convenience PIN sign-in' is set to 'Disabled'
- 18.8.34.6.5 Ensure 'Require a password when a computer wakes (on battery)' is set to 'Enabled'
- 18.8.34.6.6 Ensure 'Require a password when a computer wakes (plugged in)' is set to 'Enabled'
- 18.8.36.1 Ensure 'Configure Offer Remote Assistance' is set to 'Disabled'
- 18.8.36.2 Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled'
- 18.8.37.1 Ensure 'Enable RPC Endpoint Mapper Client Authentication' is set to 'Enabled'
- 18.8.4.1 Ensure 'Remote host allows delegation of non-exportable credentials' is set to 'Enabled'
- 18.9.102.1.1 Ensure 'Allow Basic authentication' is set to 'Disabled'
- 18.9.102.1.2 Ensure 'Allow unencrypted traffic' is set to 'Disabled'
- 18.9.102.1.3 Ensure 'Disallow Digest authentication' is set to 'Enabled'
- 18.9.102.2.1 Ensure 'Allow Basic authentication' is set to 'Disabled'
- 18.9.102.2.3 Ensure 'Allow unencrypted traffic' is set to 'Disabled'
- 18.9.102.2.4 Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled'
- 18.9.16.1 Ensure 'Do not display the password reveal button' is set to 'Enabled'
- 18.9.16.2 Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled'
- 18.9.31.2 Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled'
- 18.9.31.3 Ensure 'Turn off heap termination on corruption' is set to 'Disabled'
- 18.9.65.2.2 Ensure 'Do not allow passwords to be saved' is set to 'Enabled'
- 18.9.66.1 Ensure 'Prevent downloading of enclosures' is set to 'Enabled'
- 18.9.8.1 Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled'
- 18.9.91.1 Ensure 'Sign-in and lock last interactive user automatically after a restart' is set to 'Disabled'
- 19.7.4.2 Ensure 'Notify antivirus programs when opening attachments' is set to 'Enabled'
- 2.2.17 Ensure 'Force shutdown from a remote system' is set to 'Administrators'
|
Aug 24, 2023 Added- 18.9.108.2.2 Ensure 'Configure Automatic Updates: Scheduled install day' is set to '0 - Every day'
Removed- 18.9.108.2.2 Ensure 'Configure Automatic Updates: Scheduled install day' is set to '0 - Every day' - Every day'
|
Aug 15, 2023 Functional Update- 18.9.47.4.1.1 Ensure 'Configure Attack Surface Reduction rules' is set to 'Enabled'
|
Jun 13, 2023 Functional Update- 18.5.14.1 Ensure 'Hardened UNC Paths' is set to 'Enabled, with 'Require Mutual Authentication' and 'Require Integrity' set for all NETLOGON and SYSVOL shares' - set for all NETLOGON and SYSVOL shares
- 18.9.6.1 Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled'
|
May 16, 2023 |
May 15, 2023 Functional Update- 18.8.34.6.5 Ensure 'Require a password when a computer wakes (on battery)' is set to 'Enabled'
|
Apr 12, 2023 |