Skip to content
Open
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 3 additions & 3 deletions security/SecurityBaseline_WindowsServer_2025-2606.csv
Original file line number Diff line number Diff line change
Expand Up @@ -180,7 +180,7 @@
"FWPrivateLocalConnSecRules","CCE-36063-6","Windows Firewall: Private: Settings: Apply local connection security rules","HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile","AllowLocalIPsecPolicyMerge","REG_DWORD",,,,"1","1","1","Range(0, 1)","Equals(1)","Equals(1)","Equals(1)","Critical","Domain Controller, Member Server, Workgroup Member","Registry","Configures Windows Defender Firewall 'Windows Firewall: Private: Settings: Apply local connection security rules' to enforce network security boundaries.","9.3.5","4.5 (IG1, IG2, IG3)","NA","SC-7","Controls whether local IPsec/connection-security rules merge with Group Policy for the Private profile. The baseline keeps local merge enabled.","Low - Preserves local connection-security rules; minimal compatibility impact."
"FWPrivateLogSuccessConn","AZ-WIN-202232","Windows Firewall: Private: Logging: Log successful connections","HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging","LogSuccessfulConnections","REG_DWORD",,,,"1","1","1","Range(0, 1)","Equals(1)","Equals(1)","Equals(1)","Warning","Domain Controller, Member Server, Workgroup Member","Registry","Configures Windows Defender Firewall 'Windows Firewall: Private: Logging: Log successful connections' to enforce network security boundaries.","9.2.7","4.5 (IG1, IG2, IG3)","NA","SC-7","Enables firewall logging of successful connections for the Private profile, supporting later detection and incident investigation of network activity. Disabled, this forensic record is unavailable.","Low - Logging only; negligible performance or compatibility impact."
"FWPublicLocalConnSecRules","CCE-36268-1","Windows Firewall: Public: Settings: Apply local connection security rules","HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile","AllowLocalIPsecPolicyMerge","REG_DWORD",,,,"1","1","1","Range(0, 1)","Equals(1)","Equals(1)","Equals(1)","Critical","Domain Controller, Member Server, Workgroup Member","Registry","Configures Windows Defender Firewall 'Windows Firewall: Public: Settings: Apply local connection security rules' to enforce network security boundaries.","9.3.5","4.5 (IG1, IG2, IG3)","NA","SC-7","Controls whether local IPsec/connection-security rules merge with Group Policy for the Public profile. The baseline keeps local merge enabled.","Low - Preserves local connection-security rules; minimal compatibility impact."
"GroupPolicyDisableBackgroundPolicy","CCE-14437-8","Turn off background refresh of Group Policy","HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System","DisableBkGndGroupPolicy","REG_DWORD",,,,"0","0",,"Range(0, 1)","Equals(0)","Equals(0)",,"Warning","Domain Controller, Member Server","Registry","Configures 'Turn off background refresh of Group Policy' per security baseline requirements to enforce organizational security policy.","18.9.19.5","4.1 (IG1, IG2, IG3)","NA","CM-2, CM-6","Group Policy processing control 'Turn off background refresh of Group Policy'. Ensures security-relevant policy is reapplied reliably (including unchanged GPOs) so drift or local tampering is corrected at refresh.","Low - Standard GP processing behavior; minimal impact."
"GroupPolicyDisableBackgroundPolicy","CCE-14437-8","Turn off background refresh of Group Policy","HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System","DisableBkGndGroupPolicy","REG_DWORD",,,,,,,"OneOf(Equals('0'), Equals('1'), Equals(null))","OneOf(Equals(0), Equals(null))","OneOf(Equals(0), Equals(null))",,"Warning","Domain Controller, Member Server","Registry","Configures 'Turn off background refresh of Group Policy' per security baseline requirements to enforce organizational security policy.","18.9.19.5","4.1 (IG1, IG2, IG3)","NA","CM-2, CM-6","Group Policy processing control 'Turn off background refresh of Group Policy'. Ensures security-relevant policy is reapplied reliably (including unchanged GPOs) so drift or local tampering is corrected at refresh.","Low - Standard GP processing behavior; minimal impact."
"GroupPolicyEnableCDP","AZ-WIN-00170","Continue experiences on this device","HKLM:\SOFTWARE\Policies\Microsoft\Windows\System","EnableCdp","REG_DWORD",,,,"0","0","0","Range(0, 1)","Equals(0)","Equals(0)","Equals(0)","Warning","Domain Controller, Member Server, Workgroup Member","Registry","Configures 'Continue experiences on this device' per security baseline requirements to enforce organizational security policy.","18.9.19.4","4.8 (IG2, IG3)","NA","CM-6","Disables the Connected Devices Platform 'Continue experiences / Shared Experiences' feature (EnableCdp set to 0), so the device neither advertises nor accepts cross-device activity handoff and nearby sharing. This reduces device-discovery broadcasts and the cross-device app-handoff surface.","Low - Disables cross-device handoff and Nearby Sharing; affects only consumer continuity features, no server functional impact."
"GroupPolicyRegCSENoBackgroundPolicy","CCE-36169-1","Configure registry policy processing: Do not apply during periodic background processing","HKLM:\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}","NoBackgroundPolicy","REG_DWORD",,,,"0","0","0","Range(0, 1)","Equals(0)","Equals(0)","Equals(0)","Critical","Domain Controller, Member Server, Workgroup Member","Registry","Configures 'Configure registry policy processing: Do not apply during periodic background processing' per security baseline requirements to enforce organizational security policy.","9.1.3","4.5 (IG1, IG2, IG3)","NA","CM-6","Group Policy processing control 'Configure registry policy processing: Do not apply during periodic background processing'. Ensures security-relevant policy is reapplied reliably (including unchanged GPOs) so drift or local tampering is corrected at refresh.","Low - Standard GP processing behavior; minimal impact."
"GroupPolicyRegCSENoGPOListChanges","CCE-36169-1a","Configure registry policy processing: Process even if the Group Policy objects have not changed","HKLM:\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}","NoGPOListChanges","REG_DWORD",,,,"0","0","0","Range(0, 1)","Equals(0)","Equals(0)","Equals(0)","Critical","Domain Controller, Member Server, Workgroup Member","Registry","Configures 'Configure registry policy processing: Process even if the Group Policy objects have not changed' per security baseline requirements to enforce organizational security policy.","9.1.3","4.5 (IG1, IG2, IG3)","WN25-CC-000140","CM-6","Group Policy processing control 'Configure registry policy processing: Process even if the Group Policy objects have not changed'. Ensures security-relevant policy is reapplied reliably (including unchanged GPOs) so drift or local tampering is corrected at refresh.","Low - Standard GP processing behavior; minimal impact."
Expand Down Expand Up @@ -358,5 +358,5 @@
"WinRMDisallowRunAsCreds","CCE-36000-8","Remote management (WinRM) Disallow WinRM from storing RunAs credentials","HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service","DisableRunAs","REG_DWORD",,,,"1","1","1","Range(0, 1)","Equals(1)","Equals(1)","Equals(1)","Critical","Domain Controller, Member Server, Workgroup Member","Registry","Configures 'Remote management (WinRM) Disallow WinRM from storing RunAs credentials' per security baseline requirements to enforce organizational security policy.","18.10.90.2.4","Not Mapped","WN25-CC-000520","SC-11","Prevents WinRM from storing RunAs credentials, reducing exposure of cached secrets on the host.","Low - WinRM hardening; validate remote-management tooling still authenticates."
"WinRMIPv4Filter",,"Allow remote server management through WinRM-IPv4Filter","HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service","IPv4Filter","REG_SZ",,,,"*","*","*","OneOf(Equals('*'), AllOf(Pattern('^(\d{1,3}\.){3}\d{1,3}(\/\d{1,2})?(\s*,\s*(\d{1,3}\.){3}\d{1,3}(\/\d{1,2})?)*$')))","OneOf(Equals('*'), AllOf(Pattern('^(\d{1,3}\.){3}\d{1,3}(\/\d{1,2})?(\s*,\s*(\d{1,3}\.){3}\d{1,3}(\/\d{1,2})?)*$')))","OneOf(Equals('*'), AllOf(Pattern('^(\d{1,3}\.){3}\d{1,3}(\/\d{1,2})?(\s*,\s*(\d{1,3}\.){3}\d{1,3}(\/\d{1,2})?)*$')))","OneOf(Equals('*'), AllOf(Pattern('^(\d{1,3}\.){3}\d{1,3}(\/\d{1,2})?(\s*,\s*(\d{1,3}\.){3}\d{1,3}(\/\d{1,2})?)*$')))","Informational","Domain Controller, Member Server, Workgroup Member","Registry","Configures 'Allow remote server management through WinRM-IPv4Filter' per security baseline requirements to enforce organizational security policy.","18.10.90.2.2","4.8 (IG2, IG3)","NA","AC-17, AC-2, AC-6, CM-6","Defines the IP filter for WinRM remote management, scoping which hosts may connect.","Low - WinRM hardening; validate remote-management tooling still authenticates."
"WinRMIPv6Filter",,"Allow remote server management through WinRM-IPv6Filter","HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service","IPv6Filter","REG_SZ",,,,"*","*","*","OneOf(Equals('*'), AllOf(Pattern('^[\da-fA-F\:]([\da-fA-F\:\/])*(,\s*[\da-fA-F\:][\da-fA-F\:\/]*)*$')))","OneOf(Equals('*'), AllOf(Pattern('^[\da-fA-F\:]([\da-fA-F\:\/])*(,\s*[\da-fA-F\:][\da-fA-F\:\/]*)*$')))","OneOf(Equals('*'), AllOf(Pattern('^[\da-fA-F\:]([\da-fA-F\:\/])*(,\s*[\da-fA-F\:][\da-fA-F\:\/]*)*$')))","OneOf(Equals('*'), AllOf(Pattern('^[\da-fA-F\:]([\da-fA-F\:\/])*(,\s*[\da-fA-F\:][\da-fA-F\:\/]*)*$')))","Informational","Domain Controller, Member Server, Workgroup Member","Registry","Configures 'Allow remote server management through WinRM-IPv6Filter' per security baseline requirements to enforce organizational security policy.","18.10.90.2.2","4.8 (IG2, IG3)","NA","AC-17, AC-2, AC-6, CM-6","Defines the IP filter for WinRM remote management, scoping which hosts may connect.","Low - WinRM hardening; validate remote-management tooling still authenticates."
"WinVerifyTrustMitigation1","AZ-WIN-202401","WinVerifyTrust Signature Validation vulnerability Mitigation 1","HKLM:\SOFTWARE\Microsoft\Cryptography\Wintrust\Config","EnableCertPaddingCheck","REG_SZ",,,,"1","1","1","Range(0, 1)","Equals(1)","Equals(1)","Equals(1)","Important","Domain Controller, Member Server, Workgroup Member","Registry","Configures 'WinVerifyTrust Signature Validation vulnerability Mitigation 1' per security baseline requirements to enforce organizational security policy.","18.4.4","Not Mapped","NA","CM-6","Enables the WinVerifyTrust certificate-padding check (CVE-2013-3900 mitigation), so signed binaries with appended unsigned data are no longer treated as validly signed.","Low - Strengthens signature validation; rare impact on legitimately signed binaries."
"WinVerifyTrustMitigation2","AZ-WIN-202402","WinVerifyTrust Signature Validation vulnerability Mitigation 2","HKLM:\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Wintrust\Config","EnableCertPaddingCheck","REG_SZ",,,,"1","1","1","Range(0, 1)","Equals(1)","Equals(1)","Equals(1)","Important","Domain Controller, Member Server, Workgroup Member","Registry","Configures 'WinVerifyTrust Signature Validation vulnerability Mitigation 2' per security baseline requirements to enforce organizational security policy.","18.4.4","Not Mapped","NA","CM-6","Enables the WinVerifyTrust certificate-padding check (CVE-2013-3900 mitigation), so signed binaries with appended unsigned data are no longer treated as validly signed.","Low - Strengthens signature validation; rare impact on legitimately signed binaries."
"WinVerifyTrustMitigation1","AZ-WIN-202401","WinVerifyTrust Signature Validation vulnerability Mitigation 1","HKLM:\SOFTWARE\Microsoft\Cryptography\Wintrust\Config","EnableCertPaddingCheck","REG_DWORD",,,,"1","1","1","Range(0, 1)","Equals(1)","Equals(1)","Equals(1)","Important","Domain Controller, Member Server, Workgroup Member","Registry","Configures 'WinVerifyTrust Signature Validation vulnerability Mitigation 1' per security baseline requirements to enforce organizational security policy.","18.4.4","Not Mapped","NA","CM-6","Enables the WinVerifyTrust certificate-padding check (CVE-2013-3900 mitigation), so signed binaries with appended unsigned data are no longer treated as validly signed.","Low - Strengthens signature validation; rare impact on legitimately signed binaries."
"WinVerifyTrustMitigation2","AZ-WIN-202402","WinVerifyTrust Signature Validation vulnerability Mitigation 2","HKLM:\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Wintrust\Config","EnableCertPaddingCheck","REG_DWORD",,,,"1","1","1","Range(0, 1)","Equals(1)","Equals(1)","Equals(1)","Important","Domain Controller, Member Server, Workgroup Member","Registry","Configures 'WinVerifyTrust Signature Validation vulnerability Mitigation 2' per security baseline requirements to enforce organizational security policy.","18.4.4","Not Mapped","NA","CM-6","Enables the WinVerifyTrust certificate-padding check (CVE-2013-3900 mitigation), so signed binaries with appended unsigned data are no longer treated as validly signed.","Low - Strengthens signature validation; rare impact on legitimately signed binaries."