CIS Microsoft Windows 10 Stand-alone v3.0.0 L2 NG

Audit Details

Name: CIS Microsoft Windows 10 Stand-alone v3.0.0 L2 NG

Updated: 6/17/2024

Authority: CIS

Plugin: Windows

Revision: 1.1

Estimated Item Count: 109

File Details

Filename: CIS_Microsoft_Windows_10_Stand-alone_v3.0.0_L2_NG.audit

Size: 238 kB

MD5: d2387328e7fab0bdba56fea3127ccfc8
SHA256: bf69c345f9f7c6ed28ec494ae07d68be0b64aafa67396eb71280cd454266e144

Audit Items

DescriptionCategories
2.2.28 (L2) Ensure 'Log on as a batch job' is set to 'Administrators'

ACCESS CONTROL, AUDIT AND ACCOUNTABILITY

2.2.29 (L2) Configure 'Log on as a service'

ACCESS CONTROL, AUDIT AND ACCOUNTABILITY

2.3.4.1 (L2) Ensure 'Devices: Prevent users from installing printer drivers' is set to 'Enabled'

ACCESS CONTROL, AUDIT AND ACCOUNTABILITY

2.3.14.1 (L2) Ensure 'System cryptography: Force strong key protection for user keys stored on the computer' is set to 'User is prompted when the key is first used' or higher

IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

5.1 (L2) Ensure 'Bluetooth Audio Gateway Service (BTAGService)' is set to 'Disabled'

CONFIGURATION MANAGEMENT

5.2 (L2) Ensure 'Bluetooth Support Service (bthserv)' is set to 'Disabled'

CONFIGURATION MANAGEMENT

5.4 (L2) Ensure 'Downloaded Maps Manager (MapsBroker)' is set to 'Disabled'

CONFIGURATION MANAGEMENT

5.5 (L2) Ensure 'Geolocation Service (lfsvc)' is set to 'Disabled'

CONFIGURATION MANAGEMENT

5.9 (L2) Ensure 'Link-Layer Topology Discovery Mapper (lltdsvc)' is set to 'Disabled'

CONFIGURATION MANAGEMENT

5.12 (L2) Ensure 'Microsoft iSCSI Initiator Service (MSiSCSI)' is set to 'Disabled'

CONFIGURATION MANAGEMENT

5.14 (L2) Ensure 'Peer Name Resolution Protocol (PNRPsvc)' is set to 'Disabled'

CONFIGURATION MANAGEMENT

5.15 (L2) Ensure 'Peer Networking Grouping (p2psvc)' is set to 'Disabled'

CONFIGURATION MANAGEMENT

5.16 (L2) Ensure 'Peer Networking Identity Manager (p2pimsvc)' is set to 'Disabled'

CONFIGURATION MANAGEMENT

5.17 (L2) Ensure 'PNRP Machine Name Publication Service (PNRPAutoReg)' is set to 'Disabled'

CONFIGURATION MANAGEMENT

5.18 (L2) Ensure 'Print Spooler (Spooler)' is set to 'Disabled'

CONFIGURATION MANAGEMENT

5.19 (L2) Ensure 'Problem Reports and Solutions Control Panel Support (wercplsupport)' is set to 'Disabled'

CONFIGURATION MANAGEMENT

5.20 (L2) Ensure 'Remote Access Auto Connection Manager (RasAuto)' is set to 'Disabled'

CONFIGURATION MANAGEMENT

5.21 (L2) Ensure 'Remote Desktop Configuration (SessionEnv)' is set to 'Disabled'

CONFIGURATION MANAGEMENT

5.22 (L2) Ensure 'Remote Desktop Services (TermService)' is set to 'Disabled'

CONFIGURATION MANAGEMENT

5.23 (L2) Ensure 'Remote Desktop Services UserMode Port Redirector (UmRdpService)' is set to 'Disabled'

CONFIGURATION MANAGEMENT

5.25 (L2) Ensure 'Remote Registry (RemoteRegistry)' is set to 'Disabled'

CONFIGURATION MANAGEMENT

5.27 (L2) Ensure 'Server (LanmanServer)' is set to 'Disabled'

CONFIGURATION MANAGEMENT

5.29 (L2) Ensure 'SNMP Service (SNMP)' is set to 'Disabled' or 'Not Installed'

CONFIGURATION MANAGEMENT

5.34 (L2) Ensure 'Windows Error Reporting Service (WerSvc)' is set to 'Disabled'

CONFIGURATION MANAGEMENT

5.35 (L2) Ensure 'Windows Event Collector (Wecsvc)' is set to 'Disabled'

CONFIGURATION MANAGEMENT

5.38 (L2) Ensure 'Windows Push Notifications System Service (WpnService)' is set to 'Disabled'

CONFIGURATION MANAGEMENT

5.39 (L2) Ensure 'Windows PushToInstall Service (PushToInstall)' is set to 'Disabled'

CONFIGURATION MANAGEMENT

5.40 (L2) Ensure 'Windows Remote Management (WS-Management) (WinRM)' is set to 'Disabled'

CONFIGURATION MANAGEMENT

18.1.3 (L2) Ensure 'Allow Online Tips' is set to 'Disabled'

SYSTEM AND INFORMATION INTEGRITY

18.5.4 (L2) Ensure 'MSS: (DisableSavePassword) Prevent the dial-up password from being saved' is set to 'Enabled'

CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION

18.5.6 (L2) Ensure 'MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds' is set to 'Enabled: 300,000 or 5 minutes'

SYSTEM AND COMMUNICATIONS PROTECTION

18.5.8 (L2) Ensure 'MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses' is set to 'Disabled'

CONFIGURATION MANAGEMENT

18.5.11 (L2) Ensure 'MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'

ACCESS CONTROL, CONFIGURATION MANAGEMENT

18.5.12 (L2) Ensure 'MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'

ACCESS CONTROL, CONFIGURATION MANAGEMENT

18.6.5.1 (L2) Ensure 'Enable Font Providers' is set to 'Disabled'

CONFIGURATION MANAGEMENT

18.6.9.1 (L2) Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled'

CONFIGURATION MANAGEMENT

18.6.9.2 (L2) Ensure 'Turn on Responder (RSPNDR) driver' is set to 'Disabled'

CONFIGURATION MANAGEMENT

18.6.10.2 (L2) Ensure 'Turn off Microsoft Peer-to-Peer Networking Services' is set to 'Enabled'

CONFIGURATION MANAGEMENT

18.6.19.2.1 (L2) Disable IPv6 (Ensure TCPIP6 Parameter 'DisabledComponents' is set to '0xff (255)')

CONFIGURATION MANAGEMENT

18.6.20.1 (L2) Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled'

CONFIGURATION MANAGEMENT

18.6.20.2 (L2) Ensure 'Prohibit access of the Windows Connect Now wizards' is set to 'Enabled'

CONFIGURATION MANAGEMENT

18.8.1.1 (L2) Ensure 'Turn off notifications network usage' is set to 'Enabled'

SYSTEM AND INFORMATION INTEGRITY

18.9.5.1 (NG) Ensure 'Turn On Virtualization Based Security' is set to 'Enabled'

SYSTEM AND INFORMATION INTEGRITY

18.9.5.2 (NG) Ensure 'Turn On Virtualization Based Security: Select Platform Security Level' is set to 'Secure Boot' or higher

SYSTEM AND INFORMATION INTEGRITY

18.9.5.3 (NG) Ensure 'Turn On Virtualization Based Security: Virtualization Based Protection of Code Integrity' is set to 'Enabled with UEFI lock'

SYSTEM AND INFORMATION INTEGRITY

18.9.5.4 (NG) Ensure 'Turn On Virtualization Based Security: Require UEFI Memory Attributes Table' is set to 'True (checked)'

SYSTEM AND INFORMATION INTEGRITY

18.9.5.5 (NG) Ensure 'Turn On Virtualization Based Security: Credential Guard Configuration' is set to 'Enabled with UEFI lock'

SYSTEM AND INFORMATION INTEGRITY

18.9.5.6 (NG) Ensure 'Turn On Virtualization Based Security: Secure Launch Configuration' is set to 'Enabled'

SYSTEM AND INFORMATION INTEGRITY

18.9.20.1.1 (L2) Ensure 'Turn off access to the Store' is set to 'Enabled'

CONFIGURATION MANAGEMENT

18.9.20.1.3 (L2) Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled'

CONFIGURATION MANAGEMENT