Configure the system account settings and the permission settings in accordance with the organizational standards.


CONTROL ID
01538
CONTROL TYPE
Configuration
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain system hardening procedures., CC ID: 12001

This Control has the following implementation support Control(s):
  • Configure Windows User Account Control in accordance with organizational standards., CC ID: 16437
  • Configure the at.allow file with the users who are permitted to use the at facility, as appropriate., CC ID: 06005
  • Configure the /etc/xinetd.conf file group permissions, as appropriate., CC ID: 05994
  • Create the default adduser.conf file., CC ID: 01581
  • Remove unnecessary accounts., CC ID: 16476
  • Configure user accounts., CC ID: 07036
  • Configure User Rights., CC ID: 07034
  • Configure file permissions and directory permissions to organizational standards., CC ID: 07035
  • Restrict at/cron to authorized users., CC ID: 01572
  • Configure the system to need authentication for single user mode., CC ID: 01577
  • Configure the system to block certain system accounts., CC ID: 01578
  • Verify that there are no accounts with empty password fields., CC ID: 01579
  • Use standards-based encryption for encryption, hashing, and signing., CC ID: 01583
  • Configure symbolic permissions for the passwd file, shadow file, and group files to organizational standards., CC ID: 01584
  • Configure the "DCOM: Machine access restrictions in Security Descriptor Definition Language (SDDL)" setting., CC ID: 01726
  • Configure the "DCOM: Machine launch restrictions in Security Descriptor Definition Language (SDDL)" setting to organizational standards., CC ID: 01727
  • Configure the root $PATH to not have any "." directories, group directories or world writable directories., CC ID: 01587
  • Configure user home directories to be mode 750 or more restrictive., CC ID: 01588
  • Configure user dot-files to not be group or world-writable., CC ID: 01589
  • Remove .netrc files., CC ID: 01590
  • Configure default UMASK for users., CC ID: 01591
  • Configure the default UMASK for FTP users., CC ID: 01592
  • Configure the "mesg n" as default for all users., CC ID: 01593
  • Configure the system to restrict access to the root user from the su command., CC ID: 01595
  • Establish, implement, and maintain an account lockout policy., CC ID: 01709
  • Configure Restricted groups., CC ID: 01928
  • Configure the run control scripts permissions., CC ID: 02160
  • Configure root to be the Traceroute command owner., CC ID: 02165
  • Coordinate the User ID access restrictions with the site-unique configuration file, the UOSS control file, and the Tape File Configuration Transfer file., CC ID: 02192
  • Refrain from displaying user information when the system is locked., CC ID: 04302
  • Configure systems to prevent dial-up passwords from being saved., CC ID: 04303
  • Configure the "Always prompt client for password upon connection" setting., CC ID: 04317
  • Configure the "Do not allow passwords to be saved" setting., CC ID: 04320
  • Configure the "User Account Control: Admin Approval Mode for the Built-in Administrator account" setting., CC ID: 04388
  • Configure the "User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode" setting., CC ID: 04389
  • Configure the "User Account Control: Behavior of the elevation prompt for standard users" setting., CC ID: 04390
  • Configure the "User Account Control: Detect application installations and prompt for elevation" setting., CC ID: 04391
  • Configure the "User Account Control: Only elevate executables that are signed and validated" setting., CC ID: 04392
  • Configure the "User Account Control: Only elevate UIAccess applications that are installed in secure locations" setting., CC ID: 04393
  • Configure the "User Account Control: Run all administrators in Admin Approval Mode" setting., CC ID: 04394
  • Configure the "User Account Control: Switch to the secure desktop when prompting for elevation" setting., CC ID: 04395
  • Configure the "User Account Control: Virtualize file and registry write failures to per-user locations" setting., CC ID: 04396
  • Configure the "Enumerate administrator accounts on elevation" setting., CC ID: 04403
  • Configure the "Required trusted path for credential entry" setting., CC ID: 04404
  • Require proper authentication prior to accessing NetWare's eGuide., CC ID: 04450
  • Disable the SAdmin account and SDebug account in NetWare., CC ID: 04458
  • Configure the system to prevent helper applications from changing client rights., CC ID: 04464
  • Delete authenticator hint field contents or authenticator hint field files., CC ID: 04477
  • Configure the "Limit number of simultaneous connections" setting to organizational standards., CC ID: 04511
  • Configure the "Do not allow local administrators to customize permissions" setting to organizational standards., CC ID: 04512
  • Configure the default Distributed Component Object Model authorization level to 'connect' or higher., CC ID: 04528
  • Configure the "Network access: Shares that can be accessed anonymously" setting., CC ID: 04533
  • Configure domain-connected workstations to not have any local user accounts., CC ID: 04535
  • Configure printers to only accept print jobs from known print spoolers., CC ID: 04812
  • Configure print spoolers to accept jobs from authorized users only., CC ID: 04813
  • Prevent Multi-Function Devices from connecting to networks routing restricted data, unless authorized., CC ID: 04815
  • Restrict access to remote file shares., CC ID: 04817
  • Configure Multi-Function Devices to prevent non-printer administrators from altering the global configuration file., CC ID: 04818
  • Configure the user's .forward file to mode 600., CC ID: 04848
  • Configure the GID of accounts other than root and locked system accounts properly., CC ID: 05448
  • Set the smbpasswd executable permissions properly., CC ID: 05459
  • Grant or reject sudo privileges to the wheel group, as appropriate., CC ID: 05539
  • Set the /var/log/pamlog log permissions properly., CC ID: 05562
  • Restrict the audit log permissions., CC ID: 05566
  • Use the pkgchk utility to force default settings and to verify the ownership, group ownership, and access permissions for installed packages., CC ID: 05567
  • Configure role-based access control (RBAC) caching elements to organizational standards., CC ID: 05568
  • Verify all device files are located in an appropriate directory., CC ID: 05571
  • Configure the read-only option for all NFS exports., CC ID: 05572
  • Configure access controls through /etc/login.access and access.conf for non-superusers., CC ID: 05573
  • Enable or disable root login via Secure Shell, as appropriate., CC ID: 05574
  • Verify the ftpusers file restricts access to certain accounts., CC ID: 05575
  • Enable or disable SSH host-based authentication, as appropriate., CC ID: 05576
  • Configure the environmental variable path properly., CC ID: 05577
  • Configure local initialization files and global initialization files to allow or deny write access to the terminal, as appropriate., CC ID: 05578
  • Verify user .shosts files exist or not, as appropriate., CC ID: 05579
  • Set the default umask for the bash shell properly for all users., CC ID: 05580
  • Set the default umask for the csh shell properly for all users., CC ID: 05581
  • Configure the system umask properly., CC ID: 05582
  • Verify console device ownership is restricted to root-only, as appropriate., CC ID: 05583
  • Configure the "Access credential Manager as a trusted caller" User Right properly., CC ID: 05584
  • Restrict the right of modifying an Object label., CC ID: 05585
  • Configure the "User Account Control: Allow UIAccess applications to prompt for elevation" setting., CC ID: 05586
  • Configure the "Do Not Allow New Client Connections" policy for Terminal Services properly., CC ID: 05587
  • Configure the "Remote Control Settings" policy for Terminal Services properly., CC ID: 05588
  • Configure the Cron directory permissions to organizational standards., CC ID: 05997
  • Configure the cron.allow file with the user group permitted to use the cron facility, as appropriate., CC ID: 06002
  • Configure the cron.deny file with the user set permitted to use the cron facility, as appropriate., CC ID: 06003
  • Configure the Cron directories to be owned by an appropriate user and group., CC ID: 06004
  • Configure the at.deny file with the user set permitted to use the at facility, as appropriate., CC ID: 06006
  • Configure the /etc/cron.monthly file to be owned by an appropriate user or group., CC ID: 06007
  • Configure /etc/cron.hourly to be owned by an appropriate user or group., CC ID: 06011
  • Configure /etc/cron.daily to be owned by an appropriate user or group., CC ID: 06012
  • Configure the home directory for the root user, as appropriate., CC ID: 06017
  • Configure the home directory for each user account, as appropriate., CC ID: 06018
  • Configure the home directory permissions for the Superuser account, as appropriate., CC ID: 06020
  • Configure each user home directory to be owned by an appropriate user or group., CC ID: 06021
  • Configure the world-write permissions for all files, as appropriate., CC ID: 06026
  • Configure and assign the correct service permissions for the SNMP Service., CC ID: 06041
  • Configure the service permissions for NetMeeting, as appropriate., CC ID: 06045
  • Configure the "Allow log on through Remote Desktop Services" User Right properly., CC ID: 06062
  • Configure the "Deny log on through Remote Desktop Services" User Right properly., CC ID: 06063
  • Remove all members found in the Windows OS Power Users Group., CC ID: 06573
  • Configure the "sudo" to organizational standards., CC ID: 15325
  • Require users to use the 'sudo' command when accessing the root account., CC ID: 06736
  • Configure the "log all su (switch user) activity" setting to organizational standards., CC ID: 08965
  • Configure the "status" of the "apache" account to organizational standards., CC ID: 09018
  • Configure the "apache" account group membership to organizational standards., CC ID: 09033
  • Configure the "CustomLog" files permissions to organizational standards., CC ID: 09051
  • Configure the "ErrorLog" files permissions to organizational standards., CC ID: 09052
  • Configure the "default webpage" for "all readable apache web document directories" to organizational standards., CC ID: 09071
  • Configure the "ScriptAlias" directories permissions to organizational standards., CC ID: 09078
  • Configure the "ScriptAliasMatch" directories permissions to organizational standards., CC ID: 09081
  • Configure the "DocumentRoot" directories permissions to organizational standards., CC ID: 09084
  • Configure the "Alias" directories permissions to organizational standards., CC ID: 09087
  • Configure the "ServerRoot" directories permissions to organizational standards., CC ID: 09090
  • Configure the "Enable Logging" setting for the "master home directory" to organizational standards., CC ID: 09156
  • Configure the "Read" permission for the "master home directory" to organizational standards., CC ID: 09157
  • Configure the "Write" permission for the "master home directory" to organizational standards., CC ID: 09158
  • Configure the "Script Source Access" permission for the "master home directory" to organizational standards., CC ID: 09159
  • Configure the "Directory Browsing" permission for the "master home directory" to organizational standards., CC ID: 09160
  • Configure the "Log Visits" permission for the "master home directory" to organizational standards., CC ID: 09161
  • Configure the "Index this resource" permission for the "master home directory" to organizational standards., CC ID: 09162
  • Configure the "Execute Permissions" permission for the "master home directory" to organizational standards., CC ID: 09163
  • Configure the "Anonymous Access" permission for the "master home directory" to organizational standards., CC ID: 09164
  • Configure the "Basic Authentication" setting for the "master home directory" to organizational standards., CC ID: 09165
  • Configure the "Integrated Windows Authentication" setting for the "master home directory" to organizational standards., CC ID: 09166
  • Configure the "Read" permission for the "website home directory" to organizational standards., CC ID: 09168
  • Configure the "Write" privilege for the "website home directory" to organizational standards., CC ID: 09169
  • Configure the "Script Source Access" permission for the "website home directory" to organizational standards., CC ID: 09170
  • Configure the "Directory Browsing" permission for the "website home directory" to organizational standards., CC ID: 09171
  • Configure the "Log Visits" permission for the "website home directory" to organizational standards., CC ID: 09172
  • Configure the "Index this resource" permission for the "website home directory" to organizational standards., CC ID: 09173
  • Configure the "Execute Permissions" permission to organizational standards., CC ID: 09174
  • Configure the "Anonymous Access" permission for the "website home directory" to organizational standards., CC ID: 09175
  • Configure the "file auditing" setting for the "%SystemRoot%\System32\Inetsrv" directory to organizational standards., CC ID: 09198
  • Configure the "membership" of the "IUSR" account to organizational standards., CC ID: 09213
  • Configure the "IUSR" account to organizational standards., CC ID: 09214
  • Configure the "file auditing" setting for the "Inetpub" directory to organizational standards., CC ID: 09225
  • Configure the "file auditing" setting for the "Web Root" directory to organizational standards., CC ID: 09226
  • Configure the "file auditing" setting for the "Metaback" directory to organizational standards., CC ID: 09227
  • Configure the "IWAM" account to organizational standards., CC ID: 09228
  • Configure the "Application object owner" accounts to organizational standards., CC ID: 09257
  • Configure the "system tables" permissions to organizational standards., CC ID: 09260
  • Configure the "DDL" permissions to organizational standards., CC ID: 09261
  • Configure the "WITH GRANT OPTION" permissions to organizational standards., CC ID: 09262
  • Configure the "Object" permissions for the "PUBLIC or GUEST" account to organizational standards., CC ID: 09263
  • Configure the "restore database data or other DBMS configurations, features or objects" permissions to organizational standards., CC ID: 09267
  • Configure the "SQL Server Database Service" account to organizational standards., CC ID: 09273
  • Configure the "SQL Server Agent" account to organizational standards., CC ID: 09274
  • Configure the "SQL Server registry keys and sub-keys" permissions to organizational standards., CC ID: 09276
  • Configure the "built-in sa" account to organizational standards., CC ID: 09298
  • Configure the "audit access" setting for the "ErrorDumpDir" directory to organizational standards., CC ID: 09299
  • Configure the "audit access" setting for the "DefaultLog" file to organizational standards., CC ID: 09300
  • Configure the "audit access" setting for the "ErrorLog" file to organizational standards., CC ID: 09301
  • Configure the "audit access" setting for the "SQLPath" directory to organizational standards., CC ID: 09302
  • Configure the "audit access" setting for the "BackupDirectory" directory to organizational standards., CC ID: 09303
  • Configure the "audit access" setting for the "FullTextDefaultPath" directory to organizational standards., CC ID: 09304
  • Configure the "audit access" setting for the "WorkingDirectory" directory to organizational standards., CC ID: 09305
  • Configure the "audit access" setting for the "SQLBinRoot" directory to organizational standards., CC ID: 09306
  • Configure the "audit access" setting for the "SQLDataRoot" directory to organizational standards., CC ID: 09307
  • Configure the "audit access" setting for the "SQLProgramDir" directory to organizational standards., CC ID: 09308
  • Configure the "audit access" setting for the "DataDir" directory to organizational standards., CC ID: 09309
  • Configure the "Analysis Services" account to organizational standards., CC ID: 09318
  • Configure the "Integration Services" account to organizational standards., CC ID: 09319
  • Configure the "Reporting Services" account to organizational standards., CC ID: 09320
  • Configure the "Notification Services" account to organizational standards., CC ID: 09321
  • Configure the "Full Text Search" account to organizational standards., CC ID: 09322
  • Configure the "SQL Server Browser" account to organizational standards., CC ID: 09323
  • Configure the "SQL Server Active Directory Helper" account to organizational standards., CC ID: 09324
  • Configure the "SQL Writer" account to organizational standards., CC ID: 09325
  • Configure the "SQL Server MSSearch" registry key permissions to organizational standards., CC ID: 09327
  • Configure the "SQL Server Agent" registry key permissions to organizational standards., CC ID: 09328
  • Configure the "SQL Server RS" registry key permissions to organizational standards., CC ID: 09330
  • Configure the "Reporting Services Windows Integrated Security" accounts to organizational standards., CC ID: 09347
  • Configure the "permissions" of the "SQL Server Agent proxy" accounts to organizational standards., CC ID: 09352
  • Configure the "default webpage" for "all readable Tomcat Apache web document" directories to organizational standards., CC ID: 09729
  • Configure the "account" setting for "Tomcat" to organizational standards., CC ID: 09792
  • Configure the "specified codebase" permissions to organizational standards., CC ID: 09796
  • Configure the "property read permission" for the "Tomcat web application JVM" to organizational standards., CC ID: 09813
  • Configure the "property write permission" for the "Tomcat web application JVM" to organizational standards., CC ID: 09814
  • Configure the "status" of the "Tomcat" account to organizational standards., CC ID: 09815
  • Configure the "user account" for "Oracle WebLogic Server" to organizational standards., CC ID: 09823
  • Configure the "Keystores" permission in "directories" to organizational standards., CC ID: 09901
  • Implement a reference monitor to implement the Access Control policies., CC ID: 10096
  • Configure the "Add Printer wizard - Network scan page (Managed network)" setting to organizational standards., CC ID: 10692
  • Configure the "Add Printer wizard - Network scan page (Unmanaged network)" setting to organizational standards., CC ID: 10693
  • Configure the "All Removable Storage classes: Deny all access" setting to organizational standards., CC ID: 10696
  • Configure the "All Removable Storage: Allow direct access in remote sessions" setting to organizational standards., CC ID: 10697
  • Configure the "Allow .rdp files from unknown publishers" setting to organizational standards., CC ID: 10698
  • Configure the "Allow .rdp files from valid publishers and user's default .rdp settings" setting to organizational standards., CC ID: 10699
  • Configure the "Allow admin to install from Remote Desktop Services session" setting to organizational standards., CC ID: 10700
  • Configure the "Allow administrators to override Device Installation Restriction policies" setting to organizational standards., CC ID: 10701
  • Configure the "Allow Applications to Prevent Automatic Sleep (On Battery)" setting to organizational standards., CC ID: 10702
  • Configure the "Allow asynchronous user Group Policy processing when logging on through Remote Desktop Services" setting to organizational standards., CC ID: 10704
  • Configure the "Allow audio and video playback redirection" setting to organizational standards., CC ID: 10705
  • Configure the "Allow audio recording redirection" setting to organizational standards., CC ID: 10706
  • Configure the "Allow automatic configuration of listeners" setting to organizational standards., CC ID: 10707
  • Configure the "Allow Automatic Sleep with Open Network Files (On Battery)" setting to organizational standards., CC ID: 10708
  • Configure the "Allow Automatic Updates immediate installation" setting to organizational standards., CC ID: 10710
  • Configure the "Allow BITS Peercaching" setting to organizational standards., CC ID: 10711
  • Configure the "Allow certificates with no extended key usage certificate attribute" setting to organizational standards., CC ID: 10712
  • Configure the "Allow Corporate redirection of Customer Experience Improvement uploads" setting to organizational standards., CC ID: 10713
  • Configure the "Allow CredSSP authentication" setting for the "WinRM client" to organizational standards., CC ID: 10714
  • Configure the "Allow Cross-Forest User Policy and Roaming User Profiles" setting to organizational standards., CC ID: 10716
  • Configure the "Allow cryptography algorithms compatible with Windows NT 4.0" setting to organizational standards., CC ID: 10717
  • Configure the "Allow Delegating Default Credentials" setting to organizational standards., CC ID: 10718
  • Configure the "Allow Delegating Default Credentials with NTLM-only Server Authentication" setting to organizational standards., CC ID: 10719
  • Configure the "Allow Delegating Fresh Credentials" setting to organizational standards., CC ID: 10720
  • Configure the "Allow Delegating Fresh Credentials with NTLM-only Server Authentication" setting to organizational standards., CC ID: 10721
  • Configure the "Allow Delegating Saved Credentials" setting to organizational standards., CC ID: 10722
  • Configure the "Allow Delegating Saved Credentials with NTLM-only Server Authentication" setting to organizational standards., CC ID: 10723
  • Configure the "Allow desktop composition for remote desktop sessions" setting to organizational standards., CC ID: 10724
  • Configure the "Allow DNS Suffix Appending to Unqualified Multi-Label Name Queries" setting to organizational standards., CC ID: 10725
  • Configure the "Allow domain users to log on using biometrics" setting to organizational standards., CC ID: 10726
  • Configure the "Allow ECC certificates to be used for logon and authentication" setting to organizational standards., CC ID: 10727
  • Configure the "Allow Enhanced Storage certificate provisioning" setting to organizational standards., CC ID: 10728
  • Configure the "Allow installation of devices that match any of these device IDs" setting to organizational standards., CC ID: 10729
  • Configure the "Allow installation of devices using drivers that match these device setup classes" setting to organizational standards., CC ID: 10730
  • Configure the "Allow Integrated Unblock screen to be displayed at the time of logon" setting to organizational standards., CC ID: 10731
  • Configure the "Allow local activation security check exemptions" setting to organizational standards., CC ID: 10732
  • Configure the "Allow logon scripts when NetBIOS or WINS is disabled" setting to organizational standards., CC ID: 10733
  • Configure the "Allow non-administrators to install drivers for these device setup classes" setting to organizational standards., CC ID: 10734
  • Configure the "Allow non-administrators to receive update notifications" setting to organizational standards., CC ID: 10735
  • Configure the "Allow only system backup" setting to organizational standards., CC ID: 10736
  • Configure the "Allow only USB root hub connected Enhanced Storage devices" setting to organizational standards., CC ID: 10737
  • Configure the "Allow or Disallow use of the Offline Files feature" setting to organizational standards., CC ID: 10738
  • Configure the "Allow Print Spooler to accept client connections" setting to organizational standards., CC ID: 10739
  • Configure the "Allow printers to be published" setting to organizational standards., CC ID: 10740
  • Configure the "Allow pruning of published printers" setting to organizational standards., CC ID: 10741
  • Configure the "Allow remote start of unlisted programs" setting to organizational standards., CC ID: 10743
  • Configure the "Allow restore of system to default state" setting to organizational standards., CC ID: 10744
  • Configure the "Allow signature keys valid for Logon" setting to organizational standards., CC ID: 10745
  • Configure the "Allow signed updates from an intranet Microsoft update service location" setting to organizational standards., CC ID: 10746
  • Configure the "Allow the Network Access Protection client to support the 802.1x Enforcement Client component" setting to organizational standards., CC ID: 10747
  • Configure the "Allow time invalid certificates" setting to organizational standards., CC ID: 10748
  • Configure the "Allow time zone redirection" setting to organizational standards., CC ID: 10749
  • Configure the "Allow user name hint" setting to organizational standards., CC ID: 10750
  • Configure the "Allow users to log on using biometrics" setting to organizational standards., CC ID: 10751
  • Configure the "Always render print jobs on the server" setting to organizational standards., CC ID: 10752
  • Configure the "Always use classic logon" setting to organizational standards., CC ID: 10754
  • Configure the "Always use custom logon background" setting to organizational standards., CC ID: 10755
  • Configure the "Apply the default user logon picture to all users" setting to organizational standards., CC ID: 10757
  • Configure the "Assign a default domain for logon" setting to organizational standards., CC ID: 10758
  • Configure the "CD and DVD: Deny execute access" setting to organizational standards., CC ID: 10767
  • Configure the "CD and DVD: Deny read access" setting to organizational standards., CC ID: 10768
  • Configure the "CD and DVD: Deny write access" setting to organizational standards., CC ID: 10769
  • Configure the "Printers preference logging and tracing" setting to organizational standards., CC ID: 10799
  • Configure the "Contact PDC on logon failure" setting to organizational standards., CC ID: 10825
  • Configure the "Custom Classes: Deny read access" setting to organizational standards., CC ID: 10835
  • Configure the "Custom Classes: Deny write access" setting to organizational standards., CC ID: 10836
  • Configure the "Deny Delegating Default Credentials" setting to organizational standards., CC ID: 10848
  • Configure the "Deny Delegating Fresh Credentials" setting to organizational standards., CC ID: 10849
  • Configure the "Deny Delegating Saved Credentials" setting to organizational standards., CC ID: 10850
  • Configure the "Disallow changing of geographic location" setting to organizational standards., CC ID: 10870
  • Configure the "Disallow Interactive Users from generating Resultant Set of Policy data" setting to organizational standards., CC ID: 10871
  • Configure the "Disallow Kerberos authentication" setting for the "WinRM client" to organizational standards., CC ID: 10872
  • Configure the "Disallow locally attached storage as backup target" setting to organizational standards., CC ID: 10874
  • Configure the "Disallow Negotiate authentication" setting for the "WinRM client" to organizational standards., CC ID: 10875
  • Configure the "Disallow network as backup target" setting to organizational standards., CC ID: 10877
  • Configure the "Disallow optical media as backup target" setting to organizational standards., CC ID: 10878
  • Configure the "Disallow run-once backups" setting to organizational standards., CC ID: 10879
  • Configure the "Disallow selection of Custom Locales" setting to organizational standards., CC ID: 10880
  • Configure the "Disallow user override of locale settings" setting to organizational standards., CC ID: 10881
  • Configure the "Display information about previous logons during user logon" setting to organizational standards., CC ID: 10887
  • Configure the "Do not allow adding new targets via manual configuration" setting to organizational standards., CC ID: 10891
  • Configure the "Do not allow additional session logins" setting to organizational standards., CC ID: 10892
  • Configure the "Do not allow changes to initiator CHAP secret" setting to organizational standards., CC ID: 10893
  • Configure the "Do not allow changes to initiator iqn name" setting to organizational standards., CC ID: 10894
  • Configure the "Do not allow client printer redirection" setting to organizational standards., CC ID: 10895
  • Configure the "Do not allow clipboard redirection" setting to organizational standards., CC ID: 10896
  • Configure the "Do not allow color changes" setting to organizational standards., CC ID: 10897
  • Configure the "Do not allow COM port redirection" setting to organizational standards., CC ID: 10898
  • Configure the "Do not allow compression on all NTFS volumes" setting to organizational standards., CC ID: 10899
  • Configure the "Do not allow connections without IPSec" setting to organizational standards., CC ID: 10900
  • Configure the "Do not allow desktop composition" setting to organizational standards., CC ID: 10901
  • Configure the "Do not allow encryption on all NTFS volumes" setting to organizational standards., CC ID: 10902
  • Configure the "Do not allow Flip3D invocation" setting to organizational standards., CC ID: 10903
  • Configure the "Do not allow font smoothing" setting to organizational standards., CC ID: 10904
  • Configure the "Do not allow LPT port redirection" setting to organizational standards., CC ID: 10905
  • Configure the "Do not allow manual configuration of discovered targets" setting to organizational standards., CC ID: 10906
  • Configure the "Do not allow manual configuration of iSNS servers" setting to organizational standards., CC ID: 10907
  • Configure the "Do not allow manual configuration of target portals" setting to organizational standards., CC ID: 10908
  • Configure the "Do not allow non-Enhanced Storage removable devices" setting to organizational standards., CC ID: 10909
  • Configure the "Do not allow password authentication of Enhanced Storage devices" setting to organizational standards., CC ID: 10910
  • Configure the "Do not allow sessions without mutual CHAP" setting to organizational standards., CC ID: 10912
  • Configure the "Do not allow sessions without one way CHAP" setting to organizational standards., CC ID: 10913
  • Configure the "Do not allow smart card device redirection" setting to organizational standards., CC ID: 10914
  • Configure the "Do not allow Snipping Tool to run" setting to organizational standards., CC ID: 10915
  • Configure the "Do not allow Sound Recorder to run" setting to organizational standards., CC ID: 10916
  • Configure the "Do not allow the BITS client to use Windows Branch Cache" setting to organizational standards., CC ID: 10918
  • Configure the "Do not allow the computer to act as a BITS Peercaching client" setting to organizational standards., CC ID: 10919
  • Configure the "Do not allow the computer to act as a BITS Peercaching server" setting to organizational standards., CC ID: 10920
  • Configure the "Do not allow window animations" setting to organizational standards., CC ID: 10921
  • Configure the "Do not allow Windows Media Center to run" setting to organizational standards., CC ID: 10923
  • Configure the "Do not display Initial Configuration Tasks window automatically at logon" setting to organizational standards., CC ID: 10927
  • Configure the "Do not display Manage Your Server page at logon" setting to organizational standards., CC ID: 10928
  • Configure the "Do not display Server Manager automatically at logon" setting to organizational standards., CC ID: 10929
  • Configure the "Do not set default client printer to be default printer in a session" setting to organizational standards., CC ID: 10935
  • Configure the "Execute print drivers in isolated processes" setting to organizational standards., CC ID: 10964
  • Configure the "Expected dial-up delay on logon" setting to organizational standards., CC ID: 10965
  • Configure the "Extend Point and Print connection to search Windows Update" setting to organizational standards., CC ID: 10966
  • Configure the "Filter duplicate logon certificates" setting to organizational standards., CC ID: 10967
  • Configure the "Floppy Drives: Deny execute access" setting to organizational standards., CC ID: 10969
  • Configure the "Floppy Drives: Deny read access" setting to organizational standards., CC ID: 10970
  • Configure the "Floppy Drives: Deny write access" setting to organizational standards., CC ID: 10971
  • Configure the "Limit the maximum number of files allowed in a BITS job" setting to organizational standards., CC ID: 11020
  • Configure the "Netlogon share compatibility" setting to organizational standards., CC ID: 11048
  • Configure the "Only allow local user profiles" setting to organizational standards., CC ID: 11056
  • Configure the "Only use Package Point and print" setting to organizational standards., CC ID: 11057
  • Configure the "Override print driver execution compatibility setting reported by print driver" setting to organizational standards., CC ID: 11059
  • Configure the "Package Point and print - Approved servers" setting to organizational standards., CC ID: 11061
  • Configure the "Pre-populate printer search location text" setting to organizational standards., CC ID: 11065
  • Configure the "Printer browsing" setting to organizational standards., CC ID: 11097
  • Configure the "Provide information about previous logons to client computers" setting to organizational standards., CC ID: 11111
  • Configure the "Prune printers that are not automatically republished" setting to organizational standards., CC ID: 11112
  • Configure the "Redirect only the default client printer" setting to organizational standards., CC ID: 11116
  • Configure the "Removable Disks: Deny execute access" setting to organizational standards., CC ID: 11123
  • Configure the "Removable Disks: Deny read access" setting to organizational standards., CC ID: 11124
  • Configure the "Removable Disks: Deny write access" setting to organizational standards., CC ID: 11125
  • Configure the "Run logon scripts synchronously" setting to organizational standards., CC ID: 11151
  • Configure the "Run these programs at user logon" setting to organizational standards., CC ID: 11155
  • Configure the "Selectively allow the evaluation of a symbolic link" setting to organizational standards., CC ID: 11169
  • Configure the "Specify SHA1 thumbprints of certificates representing trusted .rdp publishers" setting to organizational standards., CC ID: 11215
  • Configure the "Tape Drives: Deny execute access" setting to organizational standards., CC ID: 11233
  • Configure the "Tape Drives: Deny read access" setting to organizational standards., CC ID: 11234
  • Configure the "Tape Drives: Deny write access" setting to organizational standards., CC ID: 11235
  • Configure the "Timeout for hung logon sessions during shutdown" setting to organizational standards., CC ID: 11245
  • Configure the "Troubleshooting: Allow users to access and run Troubleshooting Wizards" setting to organizational standards., CC ID: 11247
  • Configure the "Troubleshooting: Allow users to access online troubleshooting content on Microsoft servers from the Troubleshooting Control Panel (via the Windows Online Troubleshooting Service - WOTS)" setting to organizational standards., CC ID: 11248
  • Configure the "Turn off the "Order Prints" picture task" setting to organizational standards., CC ID: 11314
  • Configure the "Use Remote Desktop Easy Print printer driver first" setting to organizational standards., CC ID: 11365


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • Only service accounts and computer accounts are configured with Service Principal Names (SPNs). (Control: ISM-1832; Revision: 0, Australian Government Information Security Manual, June 2023)
  • Only service accounts and computer accounts are configured with Service Principal Names (SPNs). (Control: ISM-1832; Revision: 0, Australian Government Information Security Manual, September 2023)
  • The organization must prevent unauthorized media from connecting to the system by physical means, data loss prevention software, or device access control software. (Control: 0342, Australian Government Information Security Manual: Controls)
  • The organization should implement controls to contain the exploitation of known vulnerabilities that cannot be patched, or for which a security patch is not available, by applying Mandatory Access Control to prevent the exploitable code from being executed; applying firewall rules that limit outbound traffic; or set… (Control: 0941 Bullet 3, Australian Government Information Security Manual: Controls)
  • The organization should harden the registry permissions. (Mitigation Strategy Effectiveness Ranking 25, Strategies to Mitigate Targeted Cyber Intrusions)
  • After installing new software or software updates, file permissions can become incorrectly set, possibly creating security vulnerabilities. Disk Utility should be run to verify and/or repair disk permissions. It will read the Bill of Materials file from the initial Mac OS X installation and compare … (Pg 30, Pg 97, Pg 101, Mac OS X Security Configuration for version 10.4 or later, second edition, Second Edition)
  • Enable Account Policy settings. It also states that if the workstation is not a member of a domain, these policies can be applied locally and will be consistently applied to all local accounts. If the workstation belongs to a domain, any settings applied here will not impact domain accounts. In fact… (§ 2.2.2, The Center for Internet Security Windows XP Professional SP1/SP2 Benchmark, 2.01)
  • Verify that each merchant or service provider has read, write, or execute permissions only on the directories and files it owns or for the necessary system files while on a shared hosting provider. (App A Testing Procedures § A.1.2.b, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Appendix A: Additional PCI DSS Requirements for Shared Hosting Providers, 3)
  • Do not use vendor-supplied defaults for system passwords and other security parameters (§ 2, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
  • Do not use vendor-supplied defaults for system passwords and other security parameters (PCI DSS Requirements § 2, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.0)
  • The access control system(s) is configured to enforce permissions assigned to individuals, applications, and systems based on job classification and function. (7.3.2, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Examine vendor documentation and system settings to verify that the access control system(s) is configured to enforce permissions assigned to individuals, applications, and systems based on job classification and function. (7.3.2, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • The access control system(s) is configured to enforce permissions assigned to individuals, applications, and systems based on job classification and function. (7.3.2, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • The access control system(s) is configured to enforce permissions assigned to individuals, applications, and systems based on job classification and function. (7.3.2, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Information used by browser-based applications (e.g., configuration files) should be protected against corruption or unauthorized disclosure by restricting file permissions. (CF.04.02.02b, The Standard of Good Practice for Information Security)
  • Servers should be configured to disable or restrict execute permissions on sensitive commands or scripts (e.g., rlogin, rcp, rsh, remsh, tstp, and trtp). (CF.07.02.03d, The Standard of Good Practice for Information Security)
  • Servers should be configured to disable or restrict powerful utilities (e.g., windows 'registry editor') or 'control panels'. (CF.07.02.03e, The Standard of Good Practice for Information Security)
  • Information used by browser-based applications (e.g., configuration files) should be protected against corruption or unauthorized disclosure by restricting file permissions. (CF.04.02.02b, The Standard of Good Practice for Information Security, 2013)
  • Servers should be configured to disable or restrict execute permissions on sensitive commands or scripts (e.g., rlogin, rcp, rsh, remsh, tstp, and trtp). (CF.07.02.05d, The Standard of Good Practice for Information Security, 2013)
  • Servers should be configured to disable or restrict powerful utilities (e.g., windows 'registry editor') or 'control panels'. (CF.07.02.05e, The Standard of Good Practice for Information Security, 2013)
  • ¶ 9.2 Table Row "Access Control Policy" in safeguard Logical Access Control and Audit should be implemented under normal circumstances for Servers or Workstations with Shared Resources Connected to a Network. (¶ 9.2 Table Row "Access Control Policy", ISO 13335-4 Information technology - Guidelines for the management of IT Security - Part 4: Selection of safeguards, 2000)
  • The system should be able to restrict who can change the default value of the security attribute, modify, delete, or query the security attribute, or define another operation on the security attribute. (§ 13.2, § H.2, ISO 15408-2 Common Criteria for Information Technology Security Evaluation Part 2, 2008)
  • Restrict the ability to modify certain hives or keys in the Windows Registry. (M1024 Restrict Registry Permissions, MITRE ATT&CK®, Enterprise Mitigations, Version 13.1)
  • Table F-1: For Windows 2000 Server, the organization must configure the system per the NIST SP 800-53 access policy control requirements. Table F-1: For Windows 2000 Server, the organization must configure the system per the NIST SP 800-53 access enforcement control requirements for files/folders. … (Table F-1, Table F-2, Table F-3, Table F-4, Table F-5, Table F-6, Table F-7, Table F-9, Table F-10, CMS Business Partners Systems Security Manual, Rev. 10)
  • The Site Management Complex (SIMAN) provides an interface to the Unisys security system. The System Administrator should ensure the Master userid and the SIMAN Administrator userid are the only users allowed to modify the SIMAN environment. The following settings should be configured: Accounting and… (§ 2.3.3.3.2, § 2.3.3.4, § 3.1.8.3 thru § 3.1.8.5, § 6.3, § 7.2.2, § 7.2.3, § 8.9.3, Defense Information Systems Agency UNISYS Security Technical Implementation Guide Version 7 Release 2, 28 August 2006)
  • Each user of the system requires a unique identifier and should be granted access only to the resources needed to accomplish their tasks. User identification numbers (uids) and group identification numbers (gids) are used to assign certain functions to the users. The system administrator should ensu… (§ 3.1.1, § 3.7, § 3.8.1, § 3.8.2, § 3.10, § 3.11, Defense Information Systems Agency UNIX Security Technical Implementation Guide Version 5 Release 1, Version 5, Release 1)
  • The security administrator must ensure that User IDs only have access to the files that are required to run the biometric application software. (§ 4.3.3 ¶ BIO4020, DISA Access Control STIG, Version 2, Release 3)
  • Locally attached printers that have been configured to be shared should have the following share permissions set: Users - Print; Administrators - Print, Manage Printers, Manage Documents; SYSTEM - Print, Manage Printers, Manage Documents; and CREATOR OWNER - Print, Manage Printers, Manage Documents. (§ 5.1.4, DISA Windows Server 2003 Security Checklist, Version 6 Release 1.11)
  • The Access Control Lists (ACLs) for disabled services should be set to Administrators: Full Control; System: Full Control; and Authenticated Users: Read. (§ 5.3.10, DISA Windows XP Security Checklist, Version 6 Release 1.11)
  • § 5.9 Configure role based access control. Role Based Access Control (RBAC) assigns user privileges based on least privilege and separation of duty. RBAC allows a system administrator to assign individuals to roles based on their job function. § 8.2 Assign noshell for system accounts. The script w… (§ 5.9, § 8.2, NSA Guide to the Secure Configuration of Solaris 9, Version 1.0)
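As an added illustration of two of the UNIX checks cited above (the DISA UNIX STIG requirement that every user carry a unique uid, and the NSA Solaris guide's "assign noshell for system accounts"), the following shell script is example code written for this page; it is not a script from either authority document. It assumes a system-account uid threshold of 1000, a fixed set of non-login shells, and runs against a constructed sample passwd file rather than a real host.

```shell
#!/bin/sh
# Audit helpers for two account-hardening checks:
#   1. system (non-interactive) accounts must not keep a login shell
#   2. every account must have a unique UID
# Assumptions (adjust to the organization's standard): system accounts are
# UID < 1000 other than root; the recognised non-login shells are
# /usr/sbin/nologin, /sbin/nologin, /bin/false and /sbin/noshell.

# Constructed sample /etc/passwd for demonstration only, not from a real host.
SAMPLE_PASSWD=$(mktemp)
trap 'rm -f "$SAMPLE_PASSWD"' EXIT
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/bin/sh
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/zsh
svc-deploy:x:1000:1000:deploy:/opt/deploy:/bin/sh
EOF

# Print "name:uid:shell" for system accounts (UID < 1000, not root)
# whose shell still permits an interactive login.
system_accounts_with_login_shell() {
    awk -F: '
        $3 != 0 && $3 < 1000 {
            shell = $7
            if (shell != "/usr/sbin/nologin" && shell != "/sbin/nologin" &&
                shell != "/bin/false" && shell != "/sbin/noshell")
                print $1 ":" $3 ":" shell
        }' "$1"
}

# Print "uid:name1,name2,..." for every UID shared by more than one account.
duplicate_uids() {
    awk -F: '
        { count[$3]++; names[$3] = (names[$3] == "" ? $1 : names[$3] "," $1) }
        END { for (u in count) if (count[u] > 1) print u ":" names[u] }' "$1" | sort -n
}

echo "System accounts with a login shell:"
system_accounts_with_login_shell "$SAMPLE_PASSWD"
echo "Duplicate UIDs:"
duplicate_uids "$SAMPLE_PASSWD"
```

Run the two functions against a real /etc/passwd (or a copy pulled during an audit) in place of the sample file; any line printed by the first function is a candidate for `usermod -s /usr/sbin/nologin`, and any line printed by the second needs a decision about which account keeps the uid, since shared uids defeat per-user accountability and file ownership checks.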