Check name
|
Description
|
Formula
|
Remediation
|
19.1.3.1 Ensure 'Enable screen saver' is set to 'Enabled'
|
This check passes if registry value data "HKU\<SID>\Software\Policies\Microsoft\Windows\Control Panel\Desktop\ScreenSaveActive" is set to 1
|
[Value as String Equal To '1' Where Key/Value Name Matches Pattern '/HKU\\.*\\Software\\Policies\\Microsoft\\Windows\\Control Panel\\Desktop\\ScreenSaveActive/' with Missing Data Outcome being 'Manual Review' and Multiple Data Operator being 'AND' ]
|
1. Click Start -> Run.
2. At the command prompt, execute gpedit.msc.
3. Click User Configuration; Administrative Templates; Control Panel; Personalization.
4. Open the Enable screen saver policy.
5. In the Properties dialog box, on the Setting tab, click Enabled.
6. Click Ok.
Alternatively, do the following:
1. Click Start -> Run.
2. In the Run dialog box, type regedit and click Ok.
3. In the Registry Editor, navigate to HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop
4. If the ScreenSaveActive does not exist, do the following:
* Right-click the Desktop key and click New -> String.
* Name as ScreenSaveActive.
5. Right-click ScreenSaveActive and click Modify.
6. In the Value data box, type 1 and click Ok.
7. Close the Registry Editor.
Warning: The system may be damaged severely if the registry is edited incorrectly. Back up any valued data before editing the registry.
|
19.1.3.2 Ensure 'Force specific screen saver: Screen saver executable name' is set to 'Enabled: scrnsave.scr'
|
This check passes if registry value data "HKU\<SID>\Software\Policies\Microsoft\Windows\Control Panel\Desktop\SCRNSAVE.EXE" is set to scrnsave.scr
|
[Value as String Matches Pattern '/scrnsave.scr/' Where Key/Value Name Matches Pattern '/HKU\\.*\\Software\\Policies\\Microsoft\\Windows\\Control Panel\\Desktop\\SCRNSAVE.EXE/i' with Missing Data Outcome being 'Manual Review' and Multiple Data Operator being 'AND' ]
|
1. Click Start -> Run.
2. At the command prompt, execute gpedit.msc.
3. Click User Configuration; Administrative Templates; Control Panel; Personalization.
4. Open the Force specific screen saver policy.
5. In the Properties dialog box, on the Setting tab, click Enabled.
6. In the Screen saver executable name field, type scrnsave.scr.
7. Click Ok.
Alternatively, do the following:
1. Click Start -> Run.
2. In the Run dialog box, type regedit and click Ok.
3. In the Registry Editor, navigate to HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop
4. If the scrnsave.exe does not exist, do the following:
* Right-click the Desktop key and click New -> String.
* Name as scrnsave.exe.
5. Right-click scrnsave.exe and click Modify.
6. In the Value data box, type scrnsave.scr and click Ok.
7. Close the Registry Editor.
Warning: The system may be damaged severely if the registry is edited incorrectly. Back up any valued data before editing the registry.
|
19.1.3.3 Ensure 'Password protect the screen saver' is set to 'Enabled'
|
This check passes if registry value data "HKU\<SID>\Software\Policies\Microsoft\Windows\Control Panel\Desktop\ScreenSaverIsSecure" is set to 1
|
[Value as String Equal To '1' Where Key/Value Name Matches Pattern '/HKU\\.*\\Software\\Policies\\Microsoft\\Windows\\Control Panel\\Desktop\\ScreenSaverIsSecure/' with Missing Data Outcome being 'Manual Review' and Multiple Data Operator being 'AND' ]
|
1. Click Start -> Run.
2. At the command prompt, execute gpedit.msc.
3. Click User Configuration; Administrative Templates; Control Panel; Personalization.
4. Open the Password protect screen saver policy.
5. In the Properties dialog box, on the Setting tab, click Enabled.
6. Click Ok.
Alternatively, do the following:
1. Click Start -> Run.
2. In the Run dialog box, type regedit and click Ok.
3. In the Registry Editor, navigate to HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop
4. If the ScreenSaverIsSecure does not exist, do the following:
* Right-click the Desktop key and click New -> String.
* Name as ScreenSaverIsSecure.
5. Right-click ScreenSaverIsSecure and click Modify.
6. In the Value data box, type 1 and click Ok.
7. Close the Registry Editor.
Warning: The system may be damaged severely if the registry is edited incorrectly. Back up any valued data before editing the registry.
|
19.1.3.4 Ensure 'Screen saver timeout' is set to 'Enabled: 900 seconds or fewer, but not 0'
|
This check passes if registry value data "HKU\<SID>\Software\Policies\Microsoft\Windows\Control Panel\Desktop\ScreenSaveTimeOut" is set to 900 or less, but not 0 (zero)
|
[Value as String Matches Pattern '/^([1-9]|[1-9][0-9]|[1-8][0-9][0-9]|900)$/' Where Key/Value Name Matches Pattern '/HKU\\.*\\Software\\Policies\\Microsoft\\Windows\\Control Panel\\Desktop\\ScreenSaveTimeOut/' with Missing Data Outcome being 'Manual Review' and Multiple Data Operator being 'AND' ]
|
1. Click Start -> Run.
2. At the command prompt, execute gpedit.msc.
3. Click User Configuration; Administrative Templates; Control Panel; Personalization.
4. Open the Screen saver timeout policy.
5. In the Properties dialog box, on the Setting tab, click Enabled.
6. In the Seconds field, ensure value is 900 or less, but not 0 (zero)
7. Click Ok.
Alternatively, do the following:
1. Click Start -> Run.
2. In the Run dialog box, type regedit and click Ok.
3. In the Registry Editor, navigate to HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop
4. If the ScreenSaveTimeOut does not exist, do the following:
* Right-click the Desktop key and click New -> String.
* Name as ScreenSaveTimeOut
5. Right-click ScreenSaveTimeOut and click Modify.
6. In the Value data box, type 900 or less, but not 0 (zero), and click Ok.
7. Close the Registry Editor.
Warning: The system may be damaged severely if the registry is edited incorrectly. Back up any valued data before editing the registry.
|
19.7.4.1 Ensure 'Do not preserve zone information in file attachments' is set to 'Disabled'
|
This check passes if registry value data "HKU\<SID>\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments\SaveZoneInformation" is not configured or set to 2
|
[Value as DWORD Equal To '2' Where Key/Value Name Matches Pattern '/HKU\\.*\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Attachments\\SaveZoneInformation/' with Missing Data Outcome being 'Manual Review' and Multiple Data Operator being 'AND' ]
|
1. Click Start -> Run.
2. At the command prompt, execute gpedit.msc.
3. Click User Configuration; Administrative Templates; Windows Components; Attachment Manager.
4. Open the Do not preserve zone information in file attachments policy.
5. In the Properties dialog box, on the Setting tab, click Disabled or Not Configured.
6. Click Ok.
Alternatively, do the following:
1. Click Start -> Run.
2. In the Run dialog box, type regedit and click Ok.
3. In the Registry Editor, navigate to HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments
4. If the SaveZoneInformation does exist, do the following:
5. Right-click SaveZoneInformation and click Modify.
6. In the Value data box, type 2 and click Ok.
7. Close the Registry Editor.
Warning: The system may be damaged severely if the registry is edited incorrectly. Back up any valued data before editing the registry.
|
19.7.4.2 Ensure 'Notify antivirus programs when opening attachments' is set to 'Enabled'
|
This check passes if registry value data "HKU\<SID>\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments\ScanWithAntiVirus" is set to 3
|
[Value as DWORD Equal To '3' Where Key/Value Name Matches Pattern '/HKU\\.*\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Attachments\\ScanWithAntiVirus/' with Missing Data Outcome being 'Manual Review' and Multiple Data Operator being 'AND' ]
|
1. Click Start -> Run.
2. At the command prompt, execute gpedit.msc.
3. Click User Configuration; Administrative Templates; Windows Components; Attachment Manager.
4. Open the Notify antivirus programs when opening attachments policy.
5. In the Properties dialog box, on the Setting tab, click Enabled.
6. Click Ok.
Alternatively, do the following:
1. Click Start -> Run.
2. In the Run dialog box, type regedit and click Ok.
3. In the Registry Editor, navigate to HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments
4. If the ScanWithAntiVirus does not exist, do the following:
* Right-click the Attachments key and click New -> DWORD (32-bit) Value.
* Name as ScanWithAntiVirus
5. Right-click ScanWithAntiVirus and click Modify.
6. In the Value data box, type 3 and click Ok.
7. Close the Registry Editor.
Warning: The system may be damaged severely if the registry is edited incorrectly. Back up any valued data before editing the registry.
|
19.7.37.1 Ensure 'Always install with elevated privileges' is set to 'Disabled'
|
This check passes if registry value data "HKLM\Software\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated" is either not configured or set to 0 and if registry key value data "HKU\<SID>\Software\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated" is either not configured or set to 0.
|
[Windows Installer: Always install with elevated privileges Not Equal To '[Enabled]' with Missing Data Outcome being 'Pass' and Multiple Data Operator being 'AND' ] AND [Value as DWORD Equal To '0' Where Key/Value Name Matches Pattern '/HKU\\.*\\Software\\Policies\\Microsoft\\Windows\\Installer\\AlwaysInstallElevated/' with Missing Data Outcome being 'Manual Review' and Multiple Data Operator being 'AND' ]
|
1. Click Start -> Run.
2. At the command prompt, execute gpedit.msc.
3. Click User Configuration; Administrative Templates; Windows Components; Windows Installer.
4. Open the Always install with elevated privileges policy.
5. In the Properties dialog box, on the Setting tab, click Disabled or Not Configured.
6. Click Ok.
7. Click Computer Configuration; Administrative Templates; Windows Components; Windows Installer.
8. Open the Always install with elevated privileges policy.
9. In the Properties dialog box, on the Setting tab, click Disabled or Not Configured.
10. Click Ok.
Alternatively, do the following:
1. Click Start -> Run.
2. In the Run dialog box, type regedit and click Ok.
3. In the Registry Editor, navigate to HKCU\Software\Policies\Microsoft\Windows\Installer
4. If the AlwaysInstallElevated does exist, do the following:
5. Right-click AlwaysInstallElevated and click Modify.
6. In the Value data box, type 0 and click Ok.
7. Navigate to HKLM\Software\Policies\Microsoft\Windows\Installer
8. If the AlwaysInstallElevated does exist, do the following:
9. Right-click AlwaysInstallElevated and click Modify.
10. In the Value data box, type 0 and click Ok.
11. Close the Registry Editor.
Warning: The system may be damaged severely if the registry is edited incorrectly. Back up any valued data before editing the registry.
|
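The checks above read HKU\<SID>, while the regedit steps write HKCU, which covers only the signed-in user. The following PowerShell audit is an added example, not part of the original table or of any scanner's own code: it applies each Formula pattern to every loaded user hive. The S-1-5-21 SID filter and the way 'Manual Review' and 'AND' are combined are assumptions made for this sketch.

```powershell
$desktop = 'Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$attach  = 'Software\Microsoft\Windows\CurrentVersion\Policies\Attachments'
$msi     = 'Software\Policies\Microsoft\Windows\Installer'

# Check id, key, value name and expected-data regex, taken from the Formula column.
$checks = @(
    @{ Id = '19.1.3.1';  Key = $desktop; Name = 'ScreenSaveActive';      Pattern = '^1$' }
    @{ Id = '19.1.3.2';  Key = $desktop; Name = 'SCRNSAVE.EXE';          Pattern = 'scrnsave.scr' }
    @{ Id = '19.1.3.3';  Key = $desktop; Name = 'ScreenSaverIsSecure';   Pattern = '^1$' }
    @{ Id = '19.1.3.4';  Key = $desktop; Name = 'ScreenSaveTimeOut';     Pattern = '^([1-9]|[1-9][0-9]|[1-8][0-9][0-9]|900)$' }
    @{ Id = '19.7.4.1';  Key = $attach;  Name = 'SaveZoneInformation';   Pattern = '^2$' }
    @{ Id = '19.7.4.2';  Key = $attach;  Name = 'ScanWithAntiVirus';     Pattern = '^3$' }
    @{ Id = '19.7.37.1'; Key = $msi;     Name = 'AlwaysInstallElevated'; Pattern = '^0$' }
)

function Get-RegData([string]$Path, [string]$Name) {
    # Returns the value data as a string, or $null when the key or value is absent.
    $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [string]$item.$Name
}

# Only hives that are currently loaded appear under HKEY_USERS.
# Assumption: audit local and domain user accounts only (S-1-5-21-...).
$sids = Get-ChildItem -LiteralPath 'Registry::HKEY_USERS' |
    Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' } |
    ForEach-Object PSChildName

$results = foreach ($c in $checks) {
    $perUser = foreach ($sid in $sids) {
        $data = Get-RegData "Registry::HKEY_USERS\$sid\$($c.Key)" $c.Name
        if ($null -eq $data) { 'Manual Review' }            # Missing Data Outcome
        elseif ($data -cmatch $c.Pattern) { 'Pass' }
        else { 'Fail' }
    }
    # Multiple Data Operator 'AND': a single failing hive fails the whole check.
    $outcome = if ($perUser -contains 'Fail') { 'Fail' } elseif (
        $perUser -contains 'Manual Review' -or -not $perUser) { 'Manual Review' } else { 'Pass' }
    [pscustomobject]@{ Check = $c.Id; Value = $c.Name; Outcome = $outcome }
}

# 19.7.37.1 also needs the machine-wide value to be absent or 0 (missing data passes).
$hklm = Get-RegData "Registry::HKEY_LOCAL_MACHINE\$msi" 'AlwaysInstallElevated'
if ($hklm -eq '1') { ($results | Where-Object Check -eq '19.7.37.1').Outcome = 'Fail' }

$results | Format-Table -AutoSize
```

Run it from an elevated session so that other users' loaded hives are readable; profiles that are not signed in are not covered.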