Back

Configure Least Functionality and Least Privilege settings to organizational standards.


CONTROL ID
07599
CONTROL TYPE
Configuration
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS



This Control directly supports the implied Control(s):
  • Establish, implement, and maintain system hardening procedures., CC ID: 12001

This Control has the following implementation support Control(s):
  • Prohibit directories from having read/write capability, as appropriate., CC ID: 16313
  • Configure "Block public access (bucket settings)" to organizational standards., CC ID: 15444
  • Configure S3 Bucket Policies to organizational standards., CC ID: 15431
  • Configure "Allow suggested apps in Windows Ink Workspace" to organizational standards., CC ID: 15417
  • Configure "Allow Cloud Search" to organizational standards., CC ID: 15416
  • Configure "Configure Watson events" to organizational standards., CC ID: 15414
  • Configure "Allow Clipboard synchronization across devices" to organizational standards., CC ID: 15412
  • Configure "Prevent users from modifying settings" to organizational standards., CC ID: 15411
  • Configure "Prevent users from sharing files within their profile" to organizational standards., CC ID: 15408
  • Configure "Manage preview builds" to organizational standards., CC ID: 15405
  • Configure "Turn off Help Experience Improvement Program" to organizational standards., CC ID: 15403
  • Configure "Sign-in and lock last interactive user automatically after a restart" to organizational standards., CC ID: 15402
  • Configure "Hardened UNC Paths" to organizational standards., CC ID: 15400
  • Configure "Turn off all Windows spotlight features" to organizational standards., CC ID: 15397
  • Configure "Allow Message Service Cloud Sync" to organizational standards., CC ID: 15396
  • Configure "Configure local setting override for reporting to Microsoft MAPS" to organizational standards., CC ID: 15394
  • Configure "Configure Windows spotlight on lock screen" to organizational standards., CC ID: 15391
  • Configure "Do not suggest third-party content in Windows spotlight" to organizational standards., CC ID: 15389
  • Configure "Enable Font Providers" to organizational standards., CC ID: 15388
  • Configure "Disallow copying of user input methods to the system account for sign-in" to organizational standards., CC ID: 15386
  • Configure "Do not display network selection UI" to organizational standards., CC ID: 15381
  • Configure "Turn off KMS Client Online AVS Validation" to organizational standards., CC ID: 15380
  • Configure "Allow Telemetry" to organizational standards., CC ID: 15378
  • Configure "Allow users to enable online speech recognition services" to organizational standards., CC ID: 15377
  • Configure "Prevent enabling lock screen camera" to organizational standards., CC ID: 15373
  • Configure "Continue experiences on this device" to organizational standards., CC ID: 15372
  • Configure "Prevent the usage of OneDrive for file storage" to organizational standards., CC ID: 15369
  • Configure "Do not use diagnostic data for tailored experiences" to organizational standards., CC ID: 15367
  • Configure "Network access: Restrict clients allowed to make remote calls to SAM" to organizational standards., CC ID: 15365
  • Configure "Turn off Microsoft consumer experiences" to organizational standards., CC ID: 15363
  • Configure "Allow Use of Camera" to organizational standards., CC ID: 15362
  • Configure "Allow Online Tips" to organizational standards., CC ID: 15360
  • Configure "Turn off cloud optimized content" to organizational standards., CC ID: 15357
  • Configure "Apply UAC restrictions to local accounts on network logons" to organizational standards., CC ID: 15356
  • Configure "Toggle user control over Insider builds" to organizational standards., CC ID: 15354
  • Configure "Allow network connectivity during connected-standby (plugged in)" to organizational standards., CC ID: 15353
  • Configure "Do not show feedback notifications" to organizational standards., CC ID: 15350
  • Configure "Prevent enabling lock screen slide show" to organizational standards., CC ID: 15349
  • Configure "Turn off the advertising ID" to organizational standards., CC ID: 15348
  • Configure "Allow Windows Ink Workspace" to organizational standards., CC ID: 15346
  • Configure "Allow a Windows app to share application data between users" to organizational standards., CC ID: 15345
  • Configure "Turn off handwriting personalization data sharing" to organizational standards., CC ID: 15339
  • Configure the "Devices: Prevent users from installing printer drivers" to organizational standards., CC ID: 07600
  • Configure the "Log on as a service" to organizational standards., CC ID: 07609
  • Configure "Restore files and directories" to organizational standards., CC ID: 07610
  • Configure the "Back up files and directories" to organizational standards., CC ID: 07629
  • Configure the "Change the system time" to organizational standards., CC ID: 07633
  • Configure the "Network access: Do not allow anonymous enumeration of SAM accounts" to organizational standards., CC ID: 07635
  • Configure the "Perform volume maintenance tasks" to organizational standards., CC ID: 07653
  • Configure the "Create global objects" to organizational standards., CC ID: 07659
  • Configure the "System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies" to organizational standards., CC ID: 07660
  • Configure the "DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax" to organizational standards., CC ID: 07671
  • Configure the "Network access: Named Pipes that can be accessed anonymously" to organizational standards., CC ID: 07676
  • Configure the "Change the time zone" to organizational standards., CC ID: 07677
  • Configure the "Adjust memory quotas for a process" to organizational standards., CC ID: 07685
  • Configure the "Add workstations to domain" to organizational standards., CC ID: 07689
  • Configure the "Take ownership of files or other objects" to organizational standards., CC ID: 07691
  • Configure the "Access this computer from the network" to organizational standards., CC ID: 07706
  • Configure the "MSS: (AutoReboot) Allow Windows to automatically restart after a system crash (recommended except for highly secure environments)" to organizational standards., CC ID: 07710
  • Configure the "Shutdown: Allow system to be shut down without having to log on" to organizational standards., CC ID: 07717
  • Configure the "System objects: Require case insensitivity for non-Windows subsystems" to organizational standards., CC ID: 07718
  • Configure the "Domain controller: Allow server operators to schedule tasks" to organizational standards., CC ID: 07722
  • Configure the "Debug programs" to organizational standards., CC ID: 07729
  • Configure the "Increase scheduling priority" to organizational standards., CC ID: 07739
  • Configure the "Load and unload device drivers" to organizational standards., CC ID: 07745
  • Configure the "Modify an object label" to organizational standards., CC ID: 07755
  • Configure the "Deny log on as a service" to organizational standards., CC ID: 07762
  • Configure the "Recovery console: Allow automatic administrative logon" to organizational standards., CC ID: 07770
  • Configure the "Create a token object" to organizational standards., CC ID: 07774
  • Configure the "Create symbolic links" to organizational standards., CC ID: 07778
  • Configure the "Deny access to this computer from the network" to organizational standards., CC ID: 07779
  • Configure the "Deny log on locally" to organizational standards., CC ID: 07781
  • Configure the "Manage auditing and security log" to organizational standards., CC ID: 07783
  • Configure the "Lock pages in memory" to organizational standards., CC ID: 07784
  • Configure the "Shutdown: Clear virtual memory pagefile" to organizational standards., CC ID: 07787
  • Configure the "Increase a process working set" to organizational standards., CC ID: 07788
  • Configure the "Generate security audits" to organizational standards., CC ID: 07796
  • Configure the "Remove computer from docking station" to organizational standards., CC ID: 07802
  • Configure the "System settings: Optional subsystems" to organizational standards., CC ID: 07804
  • Configure the "Shut down the system" to organizational standards., CC ID: 07808
  • Configure the "Bypass traverse checking" to organizational standards., CC ID: 07809
  • Configure the "Always install with elevated privileges" to organizational standards., CC ID: 07811
  • Configure the "Allow log on through Remote Desktop Services" to organizational standards., CC ID: 07813
  • Configure the "MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)" to organizational standards., CC ID: 07814
  • Configure the "Create permanent shared objects" to organizational standards., CC ID: 07818
  • Configure the "Devices: Allow undock without having to log on" to organizational standards., CC ID: 07821
  • Configure the "Devices: Restrict floppy access to locally logged-on user only" to organizational standards., CC ID: 07823
  • Configure the "Log on as a batch job" to organizational standards., CC ID: 07838
  • Configure the "MSS: (AutoShareServer) Enable Administrative Shares (recommended except for highly secure environments)" to organizational standards., CC ID: 07841
  • Configure the "DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax" to organizational standards., CC ID: 07842
  • Configure the "Replace a process level token" to organizational standards., CC ID: 07845
  • Configure the "Modify firmware environment values" to organizational standards., CC ID: 07847
  • Configure the "Deny log on through Remote Desktop Services" to organizational standards., CC ID: 07854
  • Configure the "Devices: Allowed to format and eject removable media" to organizational standards., CC ID: 07862
  • Configure the "Profile single process" to organizational standards., CC ID: 07866
  • Configure the "Turn off Autoplay" to organizational standards., CC ID: 07867
  • Configure the "Devices: Restrict CD-ROM access to locally logged-on user only" to organizational standards., CC ID: 07871
  • Configure the "Deny log on as a batch job" to organizational standards., CC ID: 07876
  • Configure the "Create a pagefile" to organizational standards., CC ID: 07878
  • Configure the "Profile system performance" to organizational standards., CC ID: 07879
  • Configure the "Impersonate a client after authentication" to organizational standards., CC ID: 07882
  • Configure the "MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)" to organizational standards., CC ID: 07886
  • Configure the "Force shutdown from a remote system" to organizational standards., CC ID: 07889
  • Configure the "Act as part of the operating system" to organizational standards., CC ID: 07891
  • Configure the "Allow log on locally" to organizational standards., CC ID: 07894
  • Configure the "Synchronize directory service data" to organizational standards., CC ID: 07897
  • Configure the "Access Credential Manager as a trusted caller" to organizational standards., CC ID: 07898
  • Configure the "Enable computer and user accounts to be trusted for delegation" to organizational standards., CC ID: 07900
  • Configure the "Recovery console: Allow floppy copy and access to all drives and all folders" to organizational standards., CC ID: 07901
  • Configure the "Software channel permissions" to organizational standards., CC ID: 07910
  • Configure the "Allow drag and drop or copy and paste files" to organizational standards., CC ID: 07915
  • Configure the "Disable Per-User Installation of ActiveX Controls" to organizational standards., CC ID: 07918
  • Configure the "Download signed ActiveX controls" to organizational standards., CC ID: 07921
  • Configure the "Disable "Configuring History"" to organizational standards., CC ID: 07922
  • Configure the "Turn off ActiveX opt-in prompt" to organizational standards., CC ID: 07928
  • Configure the "Allow installation of desktop items" to organizational standards., CC ID: 07931
  • Configure the "Only allow approved domains to use ActiveX controls without prompt" to organizational standards., CC ID: 07936
  • Configure the "Initialize and script ActiveX controls not marked as safe" to organizational standards., CC ID: 07945
  • Configure the "Allow file downloads" to organizational standards., CC ID: 07960
  • Configure the "Turn off the Security Settings Check feature" to organizational standards., CC ID: 07979
  • Configure the "Disable the Advanced page" to organizational standards., CC ID: 07981
  • Configure the "Intranet Sites: Include all network paths (UNCs)" to organizational standards., CC ID: 07986
  • Configure the "Disable changing Automatic Configuration settings" to organizational standards., CC ID: 07992
  • Configure the "Turn off "Delete Browsing History" functionality" to organizational standards., CC ID: 07993
  • Configure the "Allow META REFRESH" to organizational standards., CC ID: 07998
  • Configure the "Prevent Deleting Temporary Internet Files" to organizational standards., CC ID: 08000
  • Configure the "Security Zones: Do not allow users to change policies" to organizational standards., CC ID: 08001
  • Configure the "Only use the ActiveX Installer Service for installation of ActiveX Controls" to organizational standards., CC ID: 08003
  • Configure the "Prevent "Fix settings" functionality" to organizational standards., CC ID: 08010
  • Configure the "XAML browser applications" to organizational standards., CC ID: 08011
  • Configure the "Run .NET Framework-reliant components signed with Authenticode" to organizational standards, CC ID: 08014
  • Configure the "Access data sources across domains" to organizational standards., CC ID: 08018
  • Configure the "Allow script-initiated windows without size or position constraints" to organizational standards., CC ID: 08020
  • Configure the "Disable Save this program to disk option" to organizational standards., CC ID: 08021
  • Configure the "Security Zones: Do not allow users to add/delete sites" to organizational standards., CC ID: 08061
  • Configure the "Script ActiveX controls marked safe for scripting" to organizational standards., CC ID: 08067
  • Configure the "Prevent Deleting Cookies" to organizational standards., CC ID: 08069
  • Configure the "Allow binary and script behaviors" to organizational standards., CC ID: 08070
  • Configure the "Launching applications and files in an IFRAME" to organizational standards., CC ID: 08078
  • Configure the "Allow status bar updates via script" to organizational standards., CC ID: 08081
  • Configure the "Turn off Crash Detection" to organizational standards., CC ID: 08085
  • Configure the "Security Zones: Use only machine settings" to organizational standards., CC ID: 08088
  • Configure the "Web sites in less privileged Web content zones can navigate into this zone" to organizational standards., CC ID: 08089
  • Configure the "Disable the Security page" to organizational standards., CC ID: 08090
  • Configure the "Automatically check for Internet Explorer updates" to organizational standards., CC ID: 08094
  • Configure the "Navigate windows and frames across different domains" to organizational standards., CC ID: 08107
  • Configure the "Allow active scripting" setting to organizational standards., CC ID: 08115
  • Configure the "Allow font downloads" to organizational standards., CC ID: 08116
  • Configure the "Disable changing proxy settings" to organizational standards., CC ID: 08126
  • Configure the "Disable changing connection settings" to organizational standards., CC ID: 08129
  • Configure the "Run .NET Framework-reliant components not signed with Authenticode" to organizational standards, CC ID: 08130
  • Configure the "Turn off printing over HTTP" to organizational standards., CC ID: 08162
  • Configure the "Registry policy processing" to organizational standards., CC ID: 08169
  • Configure the "Disable remote Desktop Sharing" to organizational standards., CC ID: 08186
  • Configure the "Report operating system errors" to organizational standards., CC ID: 08187
  • Configure the "Enumerate administrator accounts on elevation" to organizational standards., CC ID: 08190
  • Configure the "Turn off Windows Update device driver searching" to organizational standards., CC ID: 08193
  • Configure the "Do not allow drive redirection" to organizational standards., CC ID: 08199
  • Configure the "Turn off the Windows Messenger Customer Experience Improvement Program" to organizational standards., CC ID: 08204
  • Configure the "Turn off downloading of print drivers over HTTP" to organizational standards., CC ID: 08218
  • Configure the "Do not process the run once list" to organizational standards., CC ID: 08219
  • Configure the "Deny log on through Terminal Services" to organizational standards., CC ID: 08220
  • Configure the "Offer Remote Assistance" to organizational standards., CC ID: 08222
  • Configure the "Do not adjust default option to 'Install Updates and Shut Down' in Shut Down Windows dialog box" to organizational standards., CC ID: 08228
  • Configure the "Allow users to connect remotely using Remote Desktop Services" to organizational standards., CC ID: 08234
  • Configure the "MSS: (AutoShareWks) Enable Administrative Shares (recommended except for highly secure environments)" to organizational standards., CC ID: 08247
  • Configure the "MSS: (NtfsDisable8dot3NameCreation) Enable the computer to stop generating 8.3 style filenames" to organizational standards., CC ID: 08253
  • Configure the "Solicited Remote Assistance" to organizational standards., CC ID: 08265
  • Configure "Turn off the "Publish to Web" task for files and folders" to organizational standards., CC ID: 08285
  • Configure the "Do not allow Windows Messenger to be run" to organizational standards., CC ID: 08288
  • Configure the "Allow log on through Terminal Services" to organizational standards., CC ID: 08291
  • Configure the "Require trusted path for credential entry." to organizational standards, CC ID: 08293
  • Configure the "Turn off Search Companion content file updates" to organizational standards., CC ID: 08302
  • Configure the "Prevent access to registry editing tools" to organizational standards., CC ID: 08331
  • Configure the "Prevent bypassing SmartScreen Filter warnings about files that are not commonly downloaded from the Internet" to organizational standards., CC ID: 08347
  • Configure the "Turn on SmartScreen Filter scan" to organizational standards., CC ID: 08357
  • Configure the "Disallow WinRM from storing RunAs credentials" to organizational standards., CC ID: 08362
  • Configure the "Turn off URL Suggestions" to organizational standards., CC ID: 08372
  • Configure the "Prevent users from bypassing SmartScreen Filter's application reputation warnings about files that are not commonly downloaded from the Internet" to organizational standards., CC ID: 08385
  • Configure the "Prevent access to Delete Browsing History" to organizational standards., CC ID: 08387
  • Configure the "Turn off InPrivate Browsing" to organizational standards., CC ID: 08421
  • Configure the "Turn off Windows Location Provider" to organizational standards., CC ID: 08427
  • Configure the "Turn on Suggested Sites" to organizational standards., CC ID: 08434
  • Configure the "Turn off access to the Store" to organizational standards., CC ID: 08436
  • Configure the "Point and Print Restrictions" to organizational standards., CC ID: 08441
  • Configure the "Prevent changing proxy settings" to organizational standards., CC ID: 08447
  • Configure the "Allow deleting browsing history on exit" to organizational standards., CC ID: 08456
  • Configure the "Allow scripting of Internet Explorer WebBrowser controls" to organizational standards., CC ID: 08464
  • Configure the "Turn off Managing SmartScreen Filter for Internet Explorer 9" to organizational standards., CC ID: 08472
  • Configure the "Check Administrator Group Membership" to organizational standards., CC ID: 08473
  • Configure the "Check if AppLocker is Enabled" to organizational standards., CC ID: 08475
  • Configure the "Prevent the computer from joining a homegroup" to organizational standards., CC ID: 08486
  • Configure the "Disable Browser Geolocation" to organizational standards., CC ID: 08491
  • Configure the "Allow Remote Shell Access" to organizational standards., CC ID: 08496
  • Configure the "Turn Off the Display (Plugged In)" to organizational standards., CC ID: 08502
  • Configure the "Do not enumerate connected users on domain-joined computers" to organizational standards., CC ID: 08507
  • Configure the "Enable dragging of content from different domains across windows" to organizational standards., CC ID: 08517
  • Configure the "Turn off first-run prompt" to organizational standards., CC ID: 08521
  • Configure the "Allow Scriptlets" to organizational standards., CC ID: 08523
  • Configure the "Turn on ActiveX Filtering" to organizational standards., CC ID: 08524
  • Configure the "Userdata persistence" to organizational standards., CC ID: 08533
  • Configure the "Enable dragging of content from different domains within a window" to organizational standards., CC ID: 08535
  • Configure the "Turn off app notifications on the lock screen" to organizational standards., CC ID: 08536
  • Configure the "Allow updates to status bar via script" to organizational standards., CC ID: 08540
  • Configure the "Enumerate local users on domain-joined computers" to organizational standards., CC ID: 08546
  • Configure the "Prevent deleting websites that the user has visited" to organizational standards., CC ID: 08547
  • Configure the "Install new versions of Internet Explorer automatically" to organizational standards., CC ID: 08551
  • Configure the "Make proxy settings per-machine (rather than per-user)" to organizational standards., CC ID: 08553
  • Configure the "Disable external branding of Internet Explorer" to organizational standards., CC ID: 08555
  • Configure the "Include local path when user is uploading files to a server" to organizational standards., CC ID: 08557
  • Configure the "Configure Solicited Remote Assistance" to organizational standards., CC ID: 08561
  • Configure the "Allow loading of XAML files" to organizational standards., CC ID: 08562
  • Configure the "Do not display the password reveal button" to organizational standards., CC ID: 08567
  • Configure the "Prevent running First Run wizard" to organizational standards., CC ID: 08572
  • Configure the "Turn off location" to organizational standards., CC ID: 08575
  • Configure the "Turn on Enhanced Protected Mode" to organizational standards., CC ID: 08577
  • Configure the "Turn off browser geolocation" to organizational standards., CC ID: 08580
  • Configure the "Do not display the reveal password button" to organizational standards., CC ID: 08583
  • Configure the "Include updated website lists from Microsoft" to organizational standards., CC ID: 08593
  • Configure the "Turn off Event Viewer "Events.asp" links" to organizational standards., CC ID: 08604
  • Configure the "Configure Offer Remote Assistance" to organizational standards., CC ID: 08605
  • Configure the "Prevent specifying the update check interval (in days)" to organizational standards., CC ID: 08608
  • Configure the "Turn Off the Display (On Battery)" to organizational standards., CC ID: 08609
  • Configure the "Prevent participation in the Customer Experience Improvement Program" to organizational standards., CC ID: 08611
  • Configure the "Add a specific list of search providers to the user's search provider list" setting to organizational standards., CC ID: 10420
  • Configure the "Admin-approved behaviors" setting to organizational standards., CC ID: 10421
  • Configure the "Allow the display of image download placeholders" setting to organizational standards., CC ID: 10422
  • Configure the "Allow the printing of background colors and images" setting to organizational standards., CC ID: 10423
  • Configure the "Audio/Video Player" setting to organizational standards., CC ID: 10424
  • Configure the "Auto-hide the Toolbars" setting to organizational standards., CC ID: 10425
  • Configure the "Binary Behavior Security Restriction: All Processes" setting to organizational standards., CC ID: 10426
  • Configure the "Binary Behavior Security Restriction: Internet Explorer Processes" setting to organizational standards., CC ID: 10427
  • Configure the "Binary Behavior Security Restriction: Process List" setting to organizational standards., CC ID: 10428
  • Configure the "Carpoint" setting to organizational standards., CC ID: 10429
  • Configure the "Configure new tab page default behavior" setting to organizational standards., CC ID: 10430
  • Configure the "Customize Command Labels" setting to organizational standards., CC ID: 10431
  • Configure the "Customize User Agent String" setting to organizational standards., CC ID: 10432
  • Configure the "Deploy default Accelerators" setting to organizational standards., CC ID: 10433
  • Configure the "Deploy non-default Accelerators" setting to organizational standards., CC ID: 10434
  • Configure the "DHTML Edit Control" setting to organizational standards., CC ID: 10435
  • Configure the "Disable caching of Auto-Proxy scripts" setting to organizational standards., CC ID: 10436
  • Configure the "Disable changing accessibility settings" setting to organizational standards., CC ID: 10437
  • Configure the "Disable changing Calendar and Contact settings" setting to organizational standards., CC ID: 10438
  • Configure the "Disable changing color settings" setting to organizational standards., CC ID: 10439
  • Configure the "Disable changing default browser check" setting to organizational standards., CC ID: 10440
  • Configure the "Disable changing font settings" setting to organizational standards., CC ID: 10441
  • Configure the "Disable changing home page settings" setting to organizational standards., CC ID: 10442
  • Configure the "Disable changing language settings" setting to organizational standards., CC ID: 10443
  • Configure the "Disable changing link color settings" setting to organizational standards., CC ID: 10444
  • Configure the "Disable changing Messaging settings" setting to organizational standards., CC ID: 10445
  • Configure the "Disable changing ratings settings" setting to organizational standards., CC ID: 10446
  • Configure the "Disable changing secondary home page settings" setting to organizational standards., CC ID: 10447
  • Configure the "Disable changing Temporary Internet files settings" setting to organizational standards., CC ID: 10448
  • Configure the "Disable Context menu" setting to organizational standards., CC ID: 10449
  • Configure the "Disable customizing browser toolbar buttons" setting to organizational standards., CC ID: 10450
  • Configure the "Disable customizing browser toolbars" setting to organizational standards., CC ID: 10451
  • Configure the "Disable Import/Export Settings wizard" setting to organizational standards., CC ID: 10452
  • Configure the "Disable Open in New Window menu option" setting to organizational standards., CC ID: 10453
  • Configure the "Disable the Connections page" setting to organizational standards., CC ID: 10454
  • Configure the "Disable the Content page" setting to organizational standards., CC ID: 10455
  • Configure the "Disable the General page" setting to organizational standards., CC ID: 10456
  • Configure the "Disable the Programs page" setting to organizational standards., CC ID: 10457
  • Configure the "Disable toolbars and extensions when InPrivate Browsing starts" setting to organizational standards., CC ID: 10458
  • Configure the "Display error message on proxy script download failure" setting to organizational standards., CC ID: 10459
  • Configure the "Do not collect InPrivate Filtering data" setting to organizational standards., CC ID: 10460
  • Configure the "Do not save encrypted pages to disk" setting to organizational standards., CC ID: 10461
  • Configure the "Empty Temporary Internet Files folder when browser is closed" setting to organizational standards., CC ID: 10462
  • Configure the "Enforce Full Screen Mode" setting to organizational standards., CC ID: 10463
  • Configure the "File menu: Disable closing the browser and Explorer windows" setting to organizational standards., CC ID: 10464
  • Configure the "File menu: Disable New menu option" setting to organizational standards., CC ID: 10465
  • Configure the "File menu: Disable Open menu option" setting to organizational standards., CC ID: 10466
  • Configure the "File menu: Disable Save As Web Page Complete" setting to organizational standards., CC ID: 10467
  • Configure the "File menu: Disable Save As.. menu option" setting to organizational standards., CC ID: 10468
  • Configure the "File size limits for Internet zone" setting to organizational standards., CC ID: 10469
  • Configure the "File size limits for Intranet zone" setting to organizational standards., CC ID: 10470
  • Configure the "File size limits for Local Machine zone" setting to organizational standards., CC ID: 10471
  • Configure the "File size limits for Restricted Sites zone" setting to organizational standards., CC ID: 10472
  • Configure the "File size limits for Trusted Sites zone" setting to organizational standards., CC ID: 10473
  • Configure the "Help menu: Remove 'Send Feedback' menu option" setting to organizational standards., CC ID: 10474
  • Configure the "Help menu: Remove 'Tour' menu option" setting to organizational standards., CC ID: 10475
  • Configure the "Hide Favorites menu" setting to organizational standards., CC ID: 10476
  • Configure the "Hide the Command Bar" setting to organizational standards., CC ID: 10477
  • Configure the "Hide the Status Bar" setting to organizational standards., CC ID: 10478
  • Configure the "InPrivate Filtering Threshold" setting to organizational standards., CC ID: 10479
  • Configure the "Internet Zone Restricted Protocols" setting to organizational standards., CC ID: 10480
  • Configure the "Internet Zone Template" setting to organizational standards., CC ID: 10481
  • Configure the "Intranet Sites: Include all local (intranet) sites not listed in other zones" setting to organizational standards., CC ID: 10482
  • Configure the "Intranet Sites: Include all sites that bypass the proxy server" setting to organizational standards., CC ID: 10483
  • Configure the "Intranet Zone Restricted Protocols" setting to organizational standards., CC ID: 10484
  • Configure the "Intranet Zone Template" setting to organizational standards., CC ID: 10485
  • Configure the "Investor" setting to organizational standards., CC ID: 10486
  • Configure the "Local Machine Zone Restricted Protocols" setting to organizational standards., CC ID: 10487
  • Configure the "Local Machine Zone Template" setting to organizational standards., CC ID: 10488
  • Configure the "Lock all Toolbars" setting to organizational standards., CC ID: 10489
  • Configure the "Locked-Down Internet Zone Template" setting to organizational standards., CC ID: 10490
  • Configure the "Locked-Down Intranet Zone Template" setting to organizational standards., CC ID: 10491
  • Configure the "Locked-Down Local Machine Zone Template" setting to organizational standards., CC ID: 10492
  • Configure the "Locked-Down Restricted Sites Zone Template" setting to organizational standards., CC ID: 10493
  • Configure the "Locked-Down Trusted Sites Zone Template" setting to organizational standards., CC ID: 10494
  • Configure the "Maximum number of connections per server (HTTP 1.0)" setting to organizational standards., CC ID: 10495
  • Configure the "Maximum number of connections per server (HTTP 1.1)" setting to organizational standards., CC ID: 10496
  • Configure the "Menu Controls" setting to organizational standards., CC ID: 10497
  • Configure the "Microsoft Agent" setting to organizational standards., CC ID: 10498
  • Configure the "Microsoft Chat" setting to organizational standards., CC ID: 10499
  • Configure the "Microsoft Scriptlet Component" setting to organizational standards., CC ID: 10500
  • Configure the "Microsoft Survey Control" setting to organizational standards., CC ID: 10501
  • Configure the "Moving the menu bar above the navigation bar" setting to organizational standards., CC ID: 10502
  • Configure the "MSNBC" setting to organizational standards., CC ID: 10503
  • Configure the "NetShow File Transfer Control" setting to organizational standards., CC ID: 10504
  • Configure the "Network Protocol Lockdown: All Processes" setting to organizational standards., CC ID: 10505
  • Configure the "Network Protocol Lockdown: Internet Explorer Processes" setting to organizational standards., CC ID: 10506
  • Configure the "Network Protocol Lockdown: Process List" setting to organizational standards., CC ID: 10507
  • Configure the "Play animations in web pages" setting to organizational standards., CC ID: 10508
  • Configure the "Play sounds in web pages" setting to organizational standards., CC ID: 10509
  • Configure the "Pop-up allow list" setting to organizational standards., CC ID: 10510
  • Configure the "Prevent configuration of search from the Address bar" setting to organizational standards., CC ID: 10511
  • Configure the "Prevent Deleting Favorites Site Data" setting to organizational standards., CC ID: 10512
  • Configure the "Prevent Deleting Form Data" setting to organizational standards., CC ID: 10513
  • Configure the "Prevent Deleting InPrivate Filtering data" setting to organizational standards., CC ID: 10514
  • Configure the "Prevent Deleting Passwords" setting to organizational standards., CC ID: 10515
  • Configure the "Prevent Internet Explorer Search box from displaying" setting to organizational standards., CC ID: 10516
  • Configure the "Prevent setting of the code download path for each machine" setting to organizational standards., CC ID: 10517
  • Configure the "Prevent the configuration of cipher strength update information URLs" setting to organizational standards., CC ID: 10518
  • Configure the "Prevent the use of Windows colors" setting to organizational standards., CC ID: 10519
  • Configure the "Prevent users from choosing default text size" setting to organizational standards., CC ID: 10520
  • Configure the "Prevent users from configuring background color" setting to organizational standards., CC ID: 10521
  • Configure the "Prevent users from configuring text color" setting to organizational standards., CC ID: 10522
  • Configure the "Prevent users from configuring the color of links that have already been clicked" setting to organizational standards., CC ID: 10523
  • Configure the "Prevent users from configuring the color of links that have not yet been clicked" setting to organizational standards., CC ID: 10524
  • Configure the "Prevent users from configuring the hover color" setting to organizational standards., CC ID: 10525
  • Configure the "Restrict changing the default search provider" setting to organizational standards., CC ID: 10526
  • Configure the "Restrict search providers to a specific list of providers" setting to organizational standards., CC ID: 10527
  • Configure the "Restricted Sites Zone Restricted Protocols" setting to organizational standards., CC ID: 10528
  • Configure the "Restricted Sites Zone Template" setting to organizational standards., CC ID: 10529
  • Configure the "Send internationalized domain names" setting to organizational standards., CC ID: 10530
  • Configure the "Set location of Stop and Refresh buttons" setting to organizational standards., CC ID: 10531
  • Configure the "Set tab process growth" setting to organizational standards., CC ID: 10532
  • Configure the "Flash" setting to organizational standards., CC ID: 10533
  • Configure the "Tools menu: Disable Internet Options.. menu option" setting to organizational standards., CC ID: 10534
  • Configure the "Trusted Sites Zone Restricted Protocols" setting to organizational standards., CC ID: 10535
  • Configure the "Trusted Sites Zone Template" setting to organizational standards., CC ID: 10536
  • Configure the "Turn off Accelerators" setting to organizational standards., CC ID: 10537
  • Configure the "Turn off Automatic Crash Recovery Prompt" setting to organizational standards., CC ID: 10538
  • Configure the "Turn off automatic image resizing" setting to organizational standards., CC ID: 10539
  • Configure the "Turn off ClearType" setting to organizational standards., CC ID: 10540
  • Configure the "Turn off Compatibility View button" setting to organizational standards., CC ID: 10541
  • Configure the "Turn off Compatibility View" setting to organizational standards., CC ID: 10542
  • Configure the "Turn off configuration of default behavior of new tab creation" setting to organizational standards., CC ID: 10543
  • Configure the "Turn off configuration of tabbed browsing pop-up behavior" setting to organizational standards., CC ID: 10544
  • Configure the "Turn off configuration of window reuse" setting to organizational standards., CC ID: 10545
  • Configure the "Turn off configuring underline links" setting to organizational standards., CC ID: 10546
  • Configure the "Turn off Cross Document Messaging" setting to organizational standards., CC ID: 10547
  • Configure the "Turn off Data URI Support" setting to organizational standards., CC ID: 10548
  • Configure the "Turn off Developer Tools" setting to organizational standards., CC ID: 10549
  • Configure the "Turn off displaying the Internet Explorer Help Menu" setting to organizational standards., CC ID: 10550
  • Configure the "Turn off Favorites bar" setting to organizational standards., CC ID: 10551
  • Configure the "Turn off friendly http error messages" setting to organizational standards., CC ID: 10552
  • Configure the "Turn off InPrivate Filtering" setting to organizational standards., CC ID: 10553
  • Configure the "Turn off Managing Pop-up Allow list" setting to organizational standards., CC ID: 10554
  • Configure the "Turn off managing Pop-up filter level" setting to organizational standards., CC ID: 10555
  • Configure the "Turn off page zooming functionality" setting to organizational standards., CC ID: 10556
  • Configure the "Turn off picture display" setting to organizational standards., CC ID: 10557
  • Configure the "Turn off pop-up management" setting to organizational standards., CC ID: 10558
  • Configure the "Turn off Print Menu" setting to organizational standards., CC ID: 10559
  • Configure the "Turn off Quick Tabs functionality" setting to organizational standards., CC ID: 10560
  • Configure the "Turn off Reopen Last Browsing Session" setting to organizational standards., CC ID: 10561
  • Configure the "Turn off sending URLs as UTF-8 (requires restart)" setting to organizational standards., CC ID: 10562
  • Configure the "Turn off smart image dithering" setting to organizational standards., CC ID: 10563
  • Configure the "Turn off smooth scrolling" setting to organizational standards., CC ID: 10564
  • Configure the "Turn off suggestions for all user-installed providers" setting to organizational standards., CC ID: 10565
  • Configure the "Turn off Tab Grouping" setting to organizational standards., CC ID: 10566
  • Configure the "Turn off tabbed browsing" setting to organizational standards., CC ID: 10567
  • Configure the "Turn off the activation of the quick pick menu" setting to organizational standards., CC ID: 10568
  • Configure the "Turn off the auto-complete feature for web addresses" setting to organizational standards., CC ID: 10569
  • Configure the "Turn off the XDomainRequest Object" setting to organizational standards., CC ID: 10570
  • Configure the "Turn off toolbar upgrade tool" setting to organizational standards., CC ID: 10571
  • Configure the "Turn off Windows Search AutoComplete" setting to organizational standards., CC ID: 10572
  • Configure the "Turn on automatic detection of the intranet" setting to organizational standards., CC ID: 10573
  • Configure the "Turn on Automatic Signup" setting to organizational standards., CC ID: 10574
  • Configure the "Turn on Caret Browsing support" setting to organizational standards., CC ID: 10575
  • Configure the "Turn on Compatibility Logging" setting to organizational standards., CC ID: 10576
  • Configure the "Turn on Information bar notification for intranet content" setting to organizational standards., CC ID: 10577
  • Configure the "Turn on inline AutoComplete for Web addresses" setting to organizational standards., CC ID: 10578
  • Configure the "Turn on Internet Explorer 7 Standards Mode" setting to organizational standards., CC ID: 10579
  • Configure the "Turn on Internet Explorer Standards Mode for Local Intranet" setting to organizational standards., CC ID: 10580
  • Configure the "Turn on menu bar by default" setting to organizational standards., CC ID: 10581
  • Configure the "Turn on the display of a notification about every script error" setting to organizational standards., CC ID: 10582
  • Configure the "Turn on the hover color option" setting to organizational standards., CC ID: 10583
  • Configure the "Use Automatic Detection for dial-up connections" setting to organizational standards., CC ID: 10584
  • Configure the "Use HTTP 1.1 through proxy connections" setting to organizational standards., CC ID: 10585
  • Configure the "Use HTTP 1.1" setting to organizational standards., CC ID: 10586
  • Configure the "Use large Icons for Command Buttons" setting to organizational standards., CC ID: 10587
  • Configure the "Use Policy Accelerators" setting to organizational standards., CC ID: 10588
  • Configure the "Use Policy List of Internet Explorer 7 sites" setting to organizational standards., CC ID: 10589
  • Configure the "Use UTF-8 for mailto links" setting to organizational standards., CC ID: 10590
  • Configure the "View menu: Disable Full Screen menu option" setting to organizational standards., CC ID: 10591
  • Configure the "View menu: Disable Source menu option" setting to organizational standards., CC ID: 10592
  • Configure the "MSS: (NoDriveTypeAutoRun) Disable Autorun for all drives (recommended)" setting to organizational standards., CC ID: 10607
  • Configure the "AutoRun" setting to organizational standards., CC ID: 10608
  • Implement hardware-based write-protect for system firmware components., CC ID: 10659
  • Configure the "Disable binding directly to IPropertySetStorage without intermediate layers." setting to organizational standards., CC ID: 10861
  • Configure the "Disable delete notifications on all volumes" setting to organizational standards., CC ID: 10862
  • Configure the "Disable IE security prompt for Windows Installer scripts" setting to organizational standards., CC ID: 10863
  • Configure the "Disable or enable software Secure Attention Sequence" setting to organizational standards., CC ID: 10865
  • Configure the "Disable text prediction" setting to organizational standards., CC ID: 10867
  • Configure the "Disable Windows Error Reporting" machine setting should be configured correctly. to organizational standards., CC ID: 10868
  • Configure the "Disable Windows Installer" setting to organizational standards., CC ID: 10869
  • Configure the "Display a custom message when installation is prevented by a policy setting" setting to organizational standards., CC ID: 10886
  • Configure the "Enable/Disable PerfTrack" setting to organizational standards., CC ID: 10953
  • Configure the "Enforce disk quota limit" setting to organizational standards., CC ID: 10956
  • Configure the "Limit audio playback quality" setting to organizational standards., CC ID: 11006
  • Configure the "Limit disk space used by offline files" setting to organizational standards., CC ID: 11007
  • Configure the "Limit maximum color depth" setting to organizational standards., CC ID: 11008
  • Configure the "Limit maximum display resolution" setting to organizational standards., CC ID: 11009
  • Configure the "Limit maximum number of monitors" setting to organizational standards., CC ID: 11010
  • Configure the "Limit outstanding packets" setting to organizational standards., CC ID: 11012
  • Configure the "Limit reservable bandwidth" setting to organizational standards., CC ID: 11013
  • Configure the "Limit the age of files in the BITS Peercache" setting to organizational standards., CC ID: 11014
  • Configure the "Limit the BITS Peercache size" setting to organizational standards., CC ID: 11015
  • Configure the "Limit the maximum BITS job download time" setting to organizational standards., CC ID: 11016
  • Configure the "Limit the maximum number of BITS jobs for each user" setting to organizational standards., CC ID: 11018
  • Configure the "Limit the maximum number of BITS jobs for this computer" setting to organizational standards., CC ID: 11019
  • Configure the "Limit the maximum number of ranges that can be added to the file in a BITS job" setting to organizational standards., CC ID: 11021
  • Configure the "Limit the size of the entire roaming user profile cache" setting to organizational standards., CC ID: 11022
  • Configure the "Microsoft Support Diagnostic Tool: Restrict tool download" setting to organizational standards., CC ID: 11044
  • Configure the "Prevent access to 16-bit applications" setting to organizational standards., CC ID: 11066
  • Configure the "Prevent Automatic Updates" setting to organizational standards., CC ID: 11067
  • Configure the "Prevent Back-ESC mapping" setting to organizational standards., CC ID: 11068
  • Configure the "Prevent backing up to local disks" setting to organizational standards., CC ID: 11069
  • Configure the "Prevent backing up to optical media (CD/DVD)" setting to organizational standards., CC ID: 11071
  • Configure the "Prevent display of the user interface for critical errors" setting to organizational standards., CC ID: 11074
  • Configure the "Prevent flicks" setting to organizational standards., CC ID: 11075
  • Configure the "Prevent Flicks Learning Mode" setting to organizational standards., CC ID: 11076
  • Configure the "Prevent Input Panel tab from appearing" setting to organizational standards., CC ID: 11077
  • Configure the "Prevent launch an application" setting to organizational standards., CC ID: 11081
  • Configure the "Prevent license upgrade" setting to organizational standards., CC ID: 11082
  • Configure the "Prevent Media Sharing" setting to organizational standards., CC ID: 11083
  • Configure the "Prevent plaintext PINs from being returned by Credential Manager" setting to organizational standards., CC ID: 11084
  • Configure the "Prevent press and hold" setting to organizational standards., CC ID: 11085
  • Configure the "Prevent Quick Launch Toolbar Shortcut Creation" setting to organizational standards., CC ID: 11086
  • Configure the "Prevent restoring local previous versions" setting to organizational standards., CC ID: 11087
  • Configure the "Prevent restoring previous versions from backups" setting to organizational standards., CC ID: 11088
  • Configure the "Prevent Roaming Profile changes from propagating to the server" setting to organizational standards., CC ID: 11090
  • Configure the "Prevent Video Smoothing" setting to organizational standards., CC ID: 11091
  • Configure the "Prevent Windows Anytime Upgrade from running." setting to organizational standards., CC ID: 11092
  • Configure the "Prohibit Access of the Windows Connect Now wizards" setting to organizational standards., CC ID: 11100
  • Configure the "Prohibit Flyweight Patching" setting to organizational standards., CC ID: 11101
  • Configure the "Prohibit installing or uninstalling color profiles" setting to organizational standards., CC ID: 11103
  • Configure the "Prohibit patching" setting to organizational standards., CC ID: 11104
  • Configure the "Prohibit removal of updates" setting to organizational standards., CC ID: 11105
  • Configure the "Prohibit rollback" setting to organizational standards., CC ID: 11106
  • Configure the "Prohibit Use of Restart Manager" setting to organizational standards., CC ID: 11107
  • Configure the "Restrict Internet communication" setting to organizational standards., CC ID: 11140
  • Configure the "Restrict potentially unsafe HTML Help functions to specified folders" setting to organizational standards., CC ID: 11141
  • Configure the "Restrict system locales" setting to organizational standards., CC ID: 11143
  • Configure the "Restrict these programs from being launched from Help" setting to organizational standards., CC ID: 11144
  • Configure the "Restrict unpacking and installation of gadgets that are not digitally signed." setting to organizational standards., CC ID: 11145
  • Configure the "Restrict user locales" setting to organizational standards., CC ID: 11146
  • Configure the "Terminate session when time limits are reached" setting to organizational standards., CC ID: 11241
  • Configure the "Turn off access to all Windows Update features" setting to organizational standards., CC ID: 11254
  • Configure the "Turn off access to the OEM and Microsoft branding section" setting to organizational standards., CC ID: 11255
  • Configure the "Turn off access to the performance center core section" setting to organizational standards., CC ID: 11256
  • Configure the "Turn off access to the solutions to performance problems section" setting to organizational standards., CC ID: 11257
  • Configure the "Turn off Active Help" setting to organizational standards., CC ID: 11258
  • Configure the "Turn off Application Compatibility Engine" setting to organizational standards., CC ID: 11261
  • Configure the "Turn off Application Telemetry" setting to organizational standards., CC ID: 11262
  • Configure the "Turn off AutoComplete integration with Input Panel" setting to organizational standards., CC ID: 11263
  • Configure the "Turn off automatic learning" setting to organizational standards., CC ID: 11264
  • Configure the "Turn off Automatic Root Certificates Update" setting to organizational standards., CC ID: 11265
  • Configure the "Turn off automatic termination of applications that block or cancel shutdown" setting to organizational standards., CC ID: 11266
  • Configure the "Turn off automatic wake" setting to organizational standards., CC ID: 11267
  • Configure the "Turn Off Boot and Resume Optimizations" setting to organizational standards., CC ID: 11269
  • Configure the "Turn off Configuration" setting to organizational standards., CC ID: 11271
  • Configure the "Turn off creation of System Restore Checkpoints" setting to organizational standards., CC ID: 11273
  • Configure the "Turn off Data Execution Prevention for HTML Help Executible" setting to organizational standards., CC ID: 11274
  • Configure the "Turn off downloading of game information" setting to organizational standards., CC ID: 11276
  • Configure the "Turn off Fair Share CPU Scheduling" setting to organizational standards., CC ID: 11277
  • Configure the "Turn off game updates" setting to organizational standards., CC ID: 11279
  • Configure the "Turn off hardware buttons" setting to organizational standards., CC ID: 11280
  • Configure the "Turn off location scripting" setting to organizational standards., CC ID: 11287
  • Configure the "Turn off Multicast Bootstrap" setting for "IPv6 Global" to organizational standards., CC ID: 11290
  • Configure the "Turn off Multicast Bootstrap" setting for "IPv6 Site Local" to organizational standards., CC ID: 11292
  • Configure the "Turn off Multicast Name Resolution" setting to organizational standards., CC ID: 11293
  • Configure the "Turn Off Non Volatile Cache Feature" setting to organizational standards., CC ID: 11294
  • Configure the "Turn off numerical sorting in Windows Explorer" setting to organizational standards., CC ID: 11295
  • Configure the "Turn off pen feedback" setting to organizational standards., CC ID: 11297
  • Configure the "Turn off PNRP cloud creation" setting for "IPv6 Global" to organizational standards., CC ID: 11298
  • Configure the "Turn off PNRP cloud creation" setting for "IPv6 Site Local" to organizational standards., CC ID: 11300
  • Configure the "Turn off Problem Steps Recorder" setting to organizational standards., CC ID: 11301
  • Configure the "Turn off Program Compatibility Assistant" setting to organizational standards., CC ID: 11302
  • Configure the "Turn off Program Inventory" setting to organizational standards., CC ID: 11303
  • Configure the "Turn off Real-Time Monitoring" setting to organizational standards., CC ID: 11304
  • Configure the "Turn off restore functionality" setting to organizational standards., CC ID: 11306
  • Configure the "Turn off Routinely Taking Action" setting to organizational standards., CC ID: 11308
  • Configure the "Turn off sensors" setting to organizational standards., CC ID: 11309
  • Configure the "Turn Off Solid State Mode" setting to organizational standards., CC ID: 11310
  • Configure the "Turn off SwitchBack Compatibility Engine" setting to organizational standards., CC ID: 11311
  • Configure the "Turn off System Restore" setting to organizational standards., CC ID: 11312
  • Configure the "Turn off Tablet PC touch input" setting to organizational standards., CC ID: 11313
  • Configure the "Turn off the ability to back up data files" setting to organizational standards., CC ID: 11315
  • Configure the "Turn off the ability to create a system image" setting to organizational standards., CC ID: 11316
  • Configure the "Turn off the communities features" setting to organizational standards., CC ID: 11317
  • Configure the "Turn off Touch Panning" setting to organizational standards., CC ID: 11320
  • Configure the "Turn off tracking of last play time of games in the Games folder" setting to organizational standards., CC ID: 11321
  • Configure the "Turn off Windows Customer Experience Improvement Program" setting to organizational standards., CC ID: 11323
  • Configure the "Turn off Windows Defender" setting to organizational standards., CC ID: 11324
  • Configure the "Turn off Windows HotStart" setting to organizational standards., CC ID: 11325
  • Configure the "Turn off Windows Installer RDS Compatibility" setting to organizational standards., CC ID: 11326
  • Configure the "Turn off Windows Mobility Center" setting to organizational standards., CC ID: 11327
  • Configure the "Turn off Windows presentation settings" setting to organizational standards., CC ID: 11329
  • Configure the "Turn off Windows SideShow" setting to organizational standards., CC ID: 11330
  • Configure the "Turn off Windows Startup Sound" setting to organizational standards., CC ID: 11331


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH



  • For files critical to the operation or business operation of computer systems, it is necessary to identify the access authority holders as well as to limit them to the minimum extent necessary in order to prevent unauthorized use and tampering. (P25.1. ¶ 1, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • Windows Script Host (cscript.exe and wscript.exe) (Control: ISM-1491; Revision: 3; Bullet 1, Australian Government Information Security Manual, June 2023)
  • Command Prompt (cmd.exe) (Control: ISM-1491; Revision: 3; Bullet 3, Australian Government Information Security Manual, June 2023)
  • Windows Management Instrumentation (wmic.exe) (Control: ISM-1491; Revision: 3; Bullet 4, Australian Government Information Security Manual, June 2023)
  • User accounts with unconstrained delegation are reviewed at least annually, and those without an associated Kerberos SPN or demonstrated business requirement are removed. (Control: ISM-1843; Revision: 0, Australian Government Information Security Manual, June 2023)
  • PowerShell (powershell.exe, powershell_ise.exe and pwsh.exe) (Control: ISM-1491; Revision: 3; Bullet 2, Australian Government Information Security Manual, June 2023)
  • Unprivileged users are prevented from running script execution engines, including: (Control: ISM-1491; Revision: 3, Australian Government Information Security Manual, June 2023)
  • Microsoft Hypertext Markup Language (HTML) Application Host (mshta.exe). (Control: ISM-1491; Revision: 3; Bullet 5, Australian Government Information Security Manual, June 2023)
  • Server applications are configured to run as a separate account with the minimum privileges needed to perform their functions. (Control: ISM-1249; Revision: 3, Australian Government Information Security Manual, June 2023)
  • Windows Script Host (cscript.exe and wscript.exe) (Control: ISM-1491; Revision: 3; Bullet 1, Australian Government Information Security Manual, September 2023)
  • Command Prompt (cmd.exe) (Control: ISM-1491; Revision: 3; Bullet 3, Australian Government Information Security Manual, September 2023)
  • Windows Management Instrumentation (wmic.exe) (Control: ISM-1491; Revision: 3; Bullet 4, Australian Government Information Security Manual, September 2023)
  • User accounts with unconstrained delegation are reviewed at least annually, and those without an associated Kerberos SPN or demonstrated business requirement are removed. (Control: ISM-1843; Revision: 0, Australian Government Information Security Manual, September 2023)
  • PowerShell (powershell.exe, powershell_ise.exe and pwsh.exe) (Control: ISM-1491; Revision: 3; Bullet 2, Australian Government Information Security Manual, September 2023)
  • Unprivileged users are prevented from running script execution engines, including: (Control: ISM-1491; Revision: 3, Australian Government Information Security Manual, September 2023)
  • Microsoft Hypertext Markup Language (HTML) Application Host (mshta.exe). (Control: ISM-1491; Revision: 3; Bullet 5, Australian Government Information Security Manual, September 2023)
  • Server applications are configured to run as a separate account with the minimum privileges needed to perform their functions. (Control: ISM-1249; Revision: 3, Australian Government Information Security Manual, September 2023)
  • How does the organisation prevent administrator accounts from being used to carry out everyday tasks like browsing the web or accessing email? (A7.7., Cyber Essentials Scheme (CES) Questionnaire, Version 13)
  • The processes and tools used to track/control/prevent/correct the use, assignment, and configuration of administrative privileges on computers, networks, and applications. (CIS Control 4: Controlled Use of Administrative Privileges, CIS Controls, 7.1)
  • The processes and tools used to track/control/prevent/correct the use, assignment, and configuration of administrative privileges on computers, networks, and applications. (CIS Control 4: Controlled Use of Administrative Privileges, CIS Controls, V7)
  • The organization's systems are configured to provide only essential capabilities to implement the principle of least functionality. (PR.PT-3.1, CRI Profile, v1.2)
  • The principle of least functionality is incorporated by configuring systems to provide only essential capabilities. (PR.PT-3, CRI Profile, v1.2)
  • The organization's systems are configured to provide only essential capabilities to implement the principle of least functionality. (PR.PT-3.1, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • When required and appropriate, one or more system components (software applications,embedded devices, host devices and network devices) shall provide the capability for the system to enforce the concept of least privilege. Individual system components shall provide the granularity of permissions and… (4.4 ¶ 1, Security for Industrial Automation and Control Systems, Part 4-2: Technical Security Requirements for IACS components)
  • Components shall provide the capability to identify and authenticate all human users according to ISA‑62443‑3‑3[11]SR 1.1on all interfaces capable of human user access. This capability shall enforce such identification and authentication on all interfaces that provide human user access to the … (5.3.1 ¶ 1, Security for Industrial Automation and Control Systems, Part 4-2: Technical Security Requirements for IACS components)
  • The agency shall configure the application, service, or information system to provide only essential capabilities and shall specifically prohibit and/or restrict the use of specified functions, ports, protocols, and/or services. (§ 5.7.1.1 ¶ 1, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.9.1, Version 5.9.1)
  • The principle of least functionality is incorporated by configuring systems to provide only essential capabilities (PR.PT-3, Framework for Improving Critical Infrastructure Cybersecurity, v1.1)
  • The principle of least functionality is incorporated by configuring systems to provide only essential capabilities (PR.PT-3, Framework for Improving Critical Infrastructure Cybersecurity, v1.1 (Draft))
  • The principle of least functionality is incorporated by configuring systems to provide only essential capabilities. (PR.PT-P2, NIST Privacy Framework: A Tool For Improving Privacy Through Enterprise Risk Management, Version 1.0)
  • The organization employs [Assignment: organization-defined information system components] with minimal functionality and information storage. (SC-25 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Employ minimal functionality and information storage on the following system components: [Assignment: organization-defined system components]. (SC-25 Control, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Employ minimal functionality and information storage on the following system components: [Assignment: organization-defined system components]. (SC-25 Control, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)