User Rights Assignment Debug Programs Registry Cleaner

Here is a solution for this.

This failure is often caused by a system or domain policy removing the SeDebugPrivilege security privilege from the administrator account running setup. Verify that the account running setup has this privilege.

The AccessChk tool (http://technet.microsoft.com/en-us/sysinternals/bb664922.aspx) will print all privileges for an account by running: accesschk.exe -a \ *

Alternatively, we can check this through the Group Policy editor, as described below:

Open Group Policy: Start | Run | type gpedit.msc | OK, then navigate to Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Debug programs

The account through which we are trying to run the setup should be listed here (besides the local admin on that machine). I included it here, restarted the server (this is mandatory; gpupdate /force will not work) and ran the setup, and it was successful this time.

SQL Server 2008 setup needs this privilege to start the SQL Server process and listen for an event that signals back to setup that SQL Server started successfully.
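Whether an account holds the "Debug programs" user right can also be audited from a script rather than by clicking through gpedit.msc. The PowerShell below is an added example, not part of the original answer and not a Microsoft or DISA tool: it exports the effective local User Rights Assignment with secedit, parses the SeDebugPrivilege line, resolves the SIDs to account names, and flags any holder outside an authorized list. The authorized list (only BUILTIN\Administrators) is an assumption to adjust to what the local policy actually documents; the temp file name is arbitrary.

```powershell
# Added example (not from the original post): list every principal that holds
# the "Debug programs" user right (SeDebugPrivilege) on this machine and flag
# holders that are not in an authorized baseline. Run from an elevated prompt.

$cfg = Join-Path $env:TEMP 'userrights-export.inf'   # arbitrary temp file name

# secedit writes the User Rights Assignment area as an INI-style file with a
# [Privilege Rights] section, e.g.  SeDebugPrivilege = *S-1-5-32-544
secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
if (-not (Test-Path $cfg)) {
    throw 'secedit export failed; this must run from an elevated PowerShell session.'
}

$line = Get-Content $cfg | Where-Object { $_ -match '^SeDebugPrivilege\s*=' } |
        Select-Object -First 1
Remove-Item $cfg -Force

if (-not $line) {
    # No line at all means the right is assigned to nobody.
    Write-Output 'SeDebugPrivilege is assigned to no account on this system.'
    return
}

# Right-hand side is comma separated; SIDs carry a leading '*', names are literal.
$entries = (($line -split '=', 2)[1]).Trim() -split ','
$holders = foreach ($entry in $entries) {
    $entry = $entry.Trim()
    if ($entry.StartsWith('*')) {
        $sid = New-Object -TypeName System.Security.Principal.SecurityIdentifier `
                          -ArgumentList $entry.TrimStart('*')
        try   { $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $entry.TrimStart('*') }   # orphaned SID: keep the raw value for review
    } else {
        $entry
    }
}

# Baseline (assumption): only the local Administrators group should hold this right.
# Replace with the accounts your organisation's policy explicitly authorizes.
$authorized = @('BUILTIN\Administrators')

Write-Output 'Accounts holding the Debug programs user right (SeDebugPrivilege):'
$holders | ForEach-Object { Write-Output "  $_" }

$unexpected = $holders | Where-Object { $authorized -notcontains $_ }
if ($unexpected) {
    Write-Warning "Unexpected holders of SeDebugPrivilege: $($unexpected -join ', ')"
} else {
    Write-Output 'Only authorized principals hold SeDebugPrivilege.'
}
```

This reads the assignment as stored in policy, which is what the setup-failure diagnosis above needs. Note that `whoami /priv` shows only the privileges in the current logon token, and a token is built at logon, so after the assignment is changed a fresh logon (the answer above required a full restart) is needed before the account's processes actually carry the right. The same export-and-compare check covers the STIG finding V-18010 listed further down this page, which requires that unauthorized accounts not hold the Debug programs right.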

Windows Server 2012 / 2012 R2 Member Server Security Technical Implementation Guide

Overview

STIG Description
The Windows Server 2012 / 2012 R2 Member Server Security Technical Implementation Guide (STIG) is published as a tool to improve the security of Department of Defense (DoD) information systems. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil.

Findings (MAC III - Administrative Sensitive)

Finding ID | Severity | Title | Description
V-36718 | High | The Windows Remote Management (WinRM) service must not use Basic authentication. | Basic authentication uses plain text passwords that could be used to compromise a system.
V-36712 | High | The Windows Remote Management (WinRM) client must not use Basic authentication. | Basic authentication uses plain text passwords that could be used to compromise a system.
V-6834 | High | Anonymous access to Named Pipes and Shares must be restricted. | Allowing anonymous access to named pipes or shares provides the potential for unauthorized system access. This setting restricts access to those defined in "Network access: Named Pipes that can ...
V-18010 | High | Unauthorized accounts must not have the Debug programs user right. | Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. Accounts with the "Debug programs" user right can attach a debugger to any process or ...
V-1093 | High | Anonymous enumeration of shares must be restricted. | Allowing anonymous logon users (null session connections) to list all account names and enumerate all shared resources can provide a map of potential points to attack the system.
V-26283 | High | Anonymous enumeration of SAM accounts must not be allowed. | Anonymous enumeration of SAM accounts allows anonymous logon users (null session connections) to list all account names, thus providing a list of potential points to attack the system.
V-1121 | High | FTP servers must be configured to prevent access to the system drive. | The FTP service allows remote users to access shared files and directories which could provide access to system resources and compromise the system, especially if the user can gain access to the ...
V-1127 | High | Only administrators responsible for the member server must have Administrator rights on the system. | An account that does not have Administrator duties must not have Administrator rights. Such rights would allow the account to bypass or modify required security restrictions on that machine and ...
V-26070 | High | Standard user accounts must only have Read permissions to the Winlogon registry key. | Permissions on the Winlogon registry key must only allow privileged accounts to change registry values. If standard users have these permissions, there is a potential for programs to run with ...
V-1152 | High | Anonymous access to the registry must be restricted. | The registry is integral to the function, security, and stability of the Windows system. Some processes may require anonymous access to the registry. This must be limited to properly protect the ...
V-1153 | High | The LanMan authentication level must be set to send NTLMv2 response only, and to refuse LM and NTLM. | The Kerberos v5 authentication protocol is the default for authentication of users who are logging on to domain accounts. NTLM, which is less secure, is retained in later Windows versions for ...
V-2372 | High | Reversible password encryption must be disabled. | Storing passwords using reversible encryption is essentially the same as storing clear-text versions of the passwords. For this reason, this policy must never be enabled.
V-2374 | High | Autoplay must be disabled for all drives. | Allowing Autoplay to execute may introduce malicious code to a system. Autoplay begins reading from a drive as soon as media is inserted into the drive. As a result, the setup file of programs or ...
V-22692 | High | The default Autorun behavior must be configured to prevent Autorun commands. | Allowing Autorun commands to execute may introduce malicious code to a system. Configuring this setting prevents Autorun commands from executing.
V-40175 | High | The antivirus program signature files must be kept updated. | Virus scan programs are a primary line of defense against the introduction of viruses and malicious code that can destroy data and even render a computer inoperable. Utilizing the virus scan ...
V-36451 | High | Policy must require that administrative accounts not be used with applications that access the Internet, such as web browsers, or with potential Internet sources, such as email. | Using applications that access the Internet or have potential Internet sources using administrative privileges exposes a system to compromise. If a flaw in an application is exploited while ...
V-3338 | High | Named pipes that can be accessed anonymously must be configured to contain no values on member servers. | Named pipes that can be accessed anonymously provide the potential for gaining unauthorized system access. Pipes are internal system communications processes. They are identified internally by ...
V-3339 | High | Unauthorized remotely accessible registry paths must not be configured. | The registry is integral to the function, security, and stability of the Windows system. Some processes may require remote access to the registry. This setting controls which registry paths are ...
V-3337 | High | Anonymous SID/Name translation must not be allowed. | Allowing anonymous SID/Name translation can provide sensitive information for accessing a system. Only authorized users must be able to perform such translations.
V-3343 | High | Solicited Remote Assistance must not be allowed. | Remote assistance allows another user to view or take control of the local session of a user. Solicited assistance is help that is specifically requested by the local user. This may allow ...
V-3340 | High | Network shares that can be accessed anonymously must not be allowed. | Anonymous access to network shares provides the potential for gaining unauthorized system access by network users. This could lead to the exposure or corruption of sensitive data.
V-3344 | High | Local accounts with blank passwords must be restricted to prevent access from the network. | An account without a password can allow unauthorized access to a system as only the username would be required. Password policies should prevent accounts with blank passwords from existing on a ...
V-1102 | High | Unauthorized accounts must not have the Act as part of the operating system user right. | Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. Accounts with the "Act as part of the operating system" user right can assume the ...
V-1074 | High | An approved DoD antivirus program must be installed and used. | Virus scan programs are a primary line of defense against the introduction of viruses and malicious code that can destroy data and even render a computer inoperable. Utilizing a virus scan ...
V-1073 | High | Systems must be maintained at a supported service pack level. | Systems at unsupported service packs or releases will not receive security updates for new vulnerabilities, which leave them subject to exploitation. Systems must be maintained at a service pack ...
V-34974 | High | The Windows Installer Always install with elevated privileges option must be disabled. | Standard user accounts must not be granted elevated privileges. Enabling Windows Installer to elevate privileges when installing applications can allow malicious persons and applications to gain ...
V-26479 | High | Unauthorized accounts must not have the Create a token object user right. | Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. The "Create a token object" user right allows a process to create an access token. ...
V-36659 | High | Users with Administrative privileges must have separate accounts for administrative duties and normal operational tasks. | Using a privileged account to perform routine functions makes the computer vulnerable to malicious software inadvertently introduced during a session that has been granted full privileges.
V-1081 | High | Local volumes must be formatted using NTFS. | The ability to set access permissions and auditing is critical to maintaining the security and proper access controls of a system. To support this, volumes must be formatted using the NTFS file ...
V-32282 | High | Standard user accounts must only have Read permissions to the Active Setup\Installed Components registry key. | Permissions on the Active Setup\Installed Components registry key must only allow privileged accounts to add or change registry values. If standard user accounts have these permissions, there is ...
V-3379 | High | The system must be configured to prevent the storage of the LAN Manager hash of passwords. | The LAN Manager hash uses a weak encryption algorithm and there are several tools available that use this hash to retrieve account passwords. This setting controls whether or not a LAN Manager ...
V-7002 | High | Accounts must require passwords. | The lack of password protection enables anyone to gain access to the information system, which opens a backdoor opportunity for intruders to compromise the system as well as other resources. ...
V-21973 | High | Autoplay must be turned off for non-volume devices. | Allowing Autoplay to execute may introduce malicious code to a system. Autoplay begins reading from a drive as soon as media is inserted into the drive. As a result, the setup file of programs ...
V-4443 | High | Unauthorized remotely accessible registry paths and sub-paths must not be configured. | The registry is integral to the function, security, and stability of the Windows system. Some processes may require remote access to the registry. This setting controls which registry paths and ...
V-36719 | Medium | The Windows Remote Management (WinRM) service must not allow unencrypted traffic. | Unencrypted remote access to a system can allow sensitive information to be compromised. Windows remote management connections must be encrypted to prevent this.
V-36714 | Medium | The Windows Remote Management (WinRM) client must not use Digest authentication. | Digest authentication is not as strong as other options and may be subject to man-in-the-middle attacks.
V-36713 | Medium | The Windows Remote Management (WinRM) client must not allow unencrypted traffic. | Unencrypted remote access to a system can allow sensitive information to be compromised. Windows remote management connections must be encrypted to prevent this.
V-36711 | Medium | The Windows Store application must be turned off. | Uncontrolled installation of applications can introduce various issues, including system instability, and provide access to sensitive information. Installation of applications must be controlled ...
V-16000 | Medium | The system must be configured to ensure smart card devices can be redirected to the Remote Desktop session. (Remote Desktop Services Role). | Enabling the redirection of smart card devices allows their use within Remote Desktop sessions.
V-16008 | Medium | Windows must elevate all applications in User Account Control, not just signed ones. | User Account Control (UAC) is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. This setting configures whether Windows elevates ...
V-26503 | Medium | Unauthorized accounts must not have the Replace a process level token user right. | Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. The "Replace a process level token" user right allows one process or service to start ...
V-26501 | Medium | Unauthorized accounts must not have the Profile system performance user right. | Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. Accounts with the "Profile system performance" user right can monitor system processes ...
V-26500 | Medium | Unauthorized accounts must not have the Profile single process user right. | Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. Accounts with the "Profile single process" user right can monitor nonsystem processes ...
V-1168 | Medium | Members of the Backup Operators group must be documented. | Backup Operators are able to read and write to any file in the system, regardless of the rights assigned to it. Backup and restore rights permit users to circumvent the file access restrictions ...
V-26505 | Medium | Unauthorized accounts must not have the Shut down the system user right. | Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. Accounts with the "Shut down the system" user right can interactively shut down a ...
V-26504 | Medium | Unauthorized accounts must not have the Restore files and directories user right. | Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. Accounts with the "Restore files and directories" user right can circumvent file and ...
V-1164 | Medium | Outgoing secure channel traffic must be signed when possible. | Requests sent on the secure channel are authenticated, and sensitive information (such as passwords) is encrypted, but the channel is not integrity checked. If this policy is enabled, outgoing ...
V-1166 | Medium | The Windows SMB client must be enabled to perform SMB packet signing when possible. | The server message block (SMB) protocol provides the basis for many network operations. If this policy is enabled, the SMB client will request packet signing when communicating with an SMB ...
V-1163 | Medium | Outgoing secure channel traffic must be encrypted when possible. | Requests sent on the secure channel are authenticated, and sensitive information (such as passwords) is encrypted, but not all information is encrypted. If this policy is enabled, outgoing secure ...
V-1162 | Medium | The Windows SMB server must perform SMB packet signing when possible. | The server message block (SMB) protocol provides the basis for many network operations. Digitally signed SMB packets aid in preventing man-in-the-middle attacks. If this policy is enabled, the ...
V-26469 | Medium | Unauthorized accounts must not have the Access Credential Manager as a trusted caller user right. | Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. Accounts with the "Access Credential Manager as a trusted caller" user right may be ...
V-6836 | Medium | Passwords must, at a minimum, be 14 characters. | Information systems not protected with strong password schemes (including passwords of minimum length) provide the opportunity for anyone to crack the password, thus gaining access to the system ...
V-6832 | Medium | The Windows SMB client must be configured to always perform SMB packet signing. | The server message block (SMB) protocol provides the basis for many network operations. Digitally signed SMB packets aid in preventing man-in-the-middle attacks. If this policy is enabled, the ...
V-6833 | Medium | The Windows SMB server must be configured to always perform SMB packet signing. | The server message block (SMB) protocol provides the basis for many network operations. Digitally signed SMB packets aid in preventing man-in-the-middle attacks. If this policy is enabled, the ...
V-6831 | Medium | Outgoing secure channel traffic must be encrypted or signed. | Requests sent on the secure channel are authenticated, and sensitive information (such as passwords) is encrypted, but not all information is encrypted. If this policy is enabled, outgoing secure ...
V-1099 | Medium | The lockout duration must be configured to require an administrator to unlock an account. | The account lockout feature, when enabled, prevents brute-force password attacks on the system. This parameter specifies the period of time that an account will remain locked after the specified ...
V-1098 | Medium | The period of time before the bad logon counter is reset must meet minimum requirements. | The account lockout feature, when enabled, prevents brute-force password attacks on the system. This parameter specifies the period of time that must pass after failed logon attempts before the ...
V-3449 | Medium | Remote Desktop Services must limit users to one remote session. | Allowing multiple Remote Desktop Services sessions could consume resources. There is also potential to make a secondary connection to a system with compromised credentials.
V-1097 | Medium | The number of allowed bad logon attempts must meet minimum requirements. | The account lockout feature, when enabled, prevents brute-force password attacks on the system. The higher this value is, the less effective the account lockout feature will be in protecting the ...
V-36439 | Medium | Local administrator accounts must have their privileged token filtered to prevent elevated privileges from being used over the network on domain systems. | A compromised local administrator account can provide means for an attacker to move laterally between domain systems. With User Account Control enabled, filtering the privileged token for local ...
V-6840 | Medium | System mechanisms must be implemented to enforce automatic expiration of passwords. | Passwords that do not expire or are reused increase the exposure of a password with greater probability of being discovered or cracked.
V-14270 | Medium | The system must notify antivirus when file attachments are opened. | Attaching malicious files is a known avenue of attack. This setting configures the system to notify antivirus programs when a user opens a file attachment.
V-14241 | Medium | User Account Control must switch to the secure desktop when prompting for elevation. | User Account Control (UAC) is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. This setting ensures that the elevation prompt ...
V-14240 | Medium | User Account Control must run all administrators in Admin Approval Mode, enabling UAC. | User Account Control (UAC) is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. This setting enables UAC.
V-36698 | Medium | The use of biometrics must be disabled. | Allowing biometrics may bypass required authentication methods. Biometrics may only be used as an additional authentication factor where an enhanced strength of identity credential is necessary ...
V-14242 | Medium | User Account Control must virtualize file and registry write failures to per-user locations. | User Account Control (UAC) is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. This setting configures non-UAC-compliant ...
V-14247 | Medium | Passwords must not be saved in the Remote Desktop Client. | Saving passwords in the Remote Desktop Client could allow an unauthorized user to establish a remote desktop session to another system. The system must be configured to prevent users from saving ...
V-14249 | Medium | Local drives must be prevented from sharing with Remote Desktop Session Hosts. (Remote Desktop Services Role). | Preventing users from sharing the local drives on their client computers to Remote Session Hosts that they access helps reduce possible exposure of sensitive data.
V-57633 | Medium | The system must be configured to audit Policy Change - Authorization Policy Change successes. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. ...
V-57635 | Medium | The system must be configured to audit Policy Change - Authorization Policy Change failures. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. ...
V-57637 | Medium | The operating system must employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. | Utilizing a whitelist provides a configuration management method for allowing the execution of only authorized software. Using only authorized software decreases risk by limiting the number of ...
V-57639 | Medium | Users must be required to enter a password to access private keys stored on the computer. | If the private key is discovered, an attacker can use the key to authenticate as an authorized user and gain access to the network infrastructure. The cornerstone of the PKI is the private key ...
V-1120 | Medium | FTP servers must be configured to prevent anonymous logons. | The FTP (File Transfer Protocol) service allows remote users to access shared files and directories. Allowing anonymous FTP connections makes user auditing difficult. Using accounts that have ...
V-15666 | Medium | Windows Peer-to-Peer networking services must be turned off. | Peer-to-Peer applications can allow unauthorized access to a system and exposure of sensitive data. This setting will turn off the Microsoft Peer-to-Peer Networking Service.
V-15667 | Medium | Network Bridges must be prohibited in Windows. | A Network Bridge can connect two or more network segments, allowing unauthorized access or exposure of sensitive data. This setting prevents a Network Bridge from being installed and configured.
V-40198 | Medium | Members of the Backup Operators group must have separate accounts for backup duties and normal operational tasks. | Backup Operators are able to read and write to any file in the system, regardless of the rights assigned to it. Backup and restore rights permit users to circumvent the file access restrictions ...
V-21980 | Medium | Explorer Data Execution Prevention must be enabled. | Data Execution Prevention (DEP) provides additional protection by performing checks on memory to help prevent malicious code from running. This setting will prevent Data Execution Prevention ...
V-26494 | Medium | Unauthorized accounts must not have the Lock pages in memory user right. | Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. The "Lock pages in memory" user right allows physical memory to be assigned to ...
V-26497 | Medium | Unauthorized accounts must not have the Modify an object label user right. | Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. Accounts with the "Modify an object label" user right can change the integrity label ...
V-26496 | Medium | Unauthorized accounts must not have the Manage auditing and security log user right. | Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. Accounts with the "Manage auditing and security log" user right can manage the ...
V-26558 | Medium | The system must be configured to audit System - System Integrity failures. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. ...
V-26490 | Medium | Unauthorized accounts must not have the Impersonate a client after authentication user right. | Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. The "Impersonate a client after authentication" user right allows a program to ...
V-26493 | Medium | Unauthorized accounts must not have the Load and unload device drivers user right. | Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. The "Load and unload device drivers" user right allows device drivers to dynamically ...
V-26492 | Medium | Unauthorized accounts must not have the Increase scheduling priority user right. | Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. Accounts with the "Increase scheduling priority" user right can change a scheduling ...
V-26554 | Medium | The system must be configured to audit System - Security State Change failures. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. ...
V-26556 | Medium | The system must be configured to audit System - Security System Extension failures. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. ...
V-26557 | Medium | The system must be configured to audit System - System Integrity successes. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. ...
V-26499 | Medium | Unauthorized accounts must not have the Perform volume maintenance tasks user right. | Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. Accounts with the "Perform volume maintenance tasks" user right can manage volume and ...
V-26498 | Medium | Unauthorized accounts must not have the Modify firmware environment values user right. | Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. Accounts with the "Modify firmware environment values" user right can change hardware ...
V-26552 | Medium | The system must be configured to audit System - IPsec Driver failures. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. ...
V-26553 | Medium | The system must be configured to audit System - Security State Change successes. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. ...
V-15700 | Medium | Remote access to the Plug and Play interface must be disabled for device installation. | Remote access to the Plug and Play interface could potentially allow connections by unauthorized devices. This setting configures remote access to the Plug and Play interface and must be disabled.
V-15706 | Medium | The user must be prompted to authenticate on resume from sleep (plugged in). | Authentication must always be required when accessing a system. This setting ensures the user is prompted for a password on resume from sleep (plugged in).
V-15705 | Medium | Users must be prompted to authenticate on resume from sleep (on battery). | Authentication must always be required when accessing a system. This setting ensures the user is prompted for a password on resume from sleep (on battery).
V-16048 | Medium | Windows Help Ratings feedback must be turned off. | Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive ...
V-26555 | Medium | The system must be configured to audit System - Security System Extension successes. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. ...
V-26506 | Medium | Unauthorized accounts must not have the Take ownership of files or other objects user right. | Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. Accounts with the "Take ownership of files or other objects" user right can take ...
V-26550 | Medium | The system must be configured to audit Privilege Use - Sensitive Privilege Use failures. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. ...
V-26551 | Medium | The system must be configured to audit System - IPsec Driver successes. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. ...
V-3385 | Medium | The system must be configured to require case insensitivity for non-Windows subsystems. | This setting controls the behavior of non-Windows subsystems when dealing with the case of arguments or commands. Case sensitivity could lead to the access of files or commands that must be ...
V-3383 | Medium | The system must be configured to use FIPS-compliant algorithms for encryption, hashing, and signing. | This setting ensures that the system uses algorithms that are FIPS-compliant for encryption, hashing, and signing. FIPS-compliant algorithms meet specific standards established by the U.S. ...
V-3382 | Medium | The system must be configured to meet the minimum session security requirement for NTLM SSP-based clients. | Microsoft has implemented a variety of security support providers for use with RPC sessions. All of the options must be enabled to ensure the maximum security level.
V-3381 | Medium | The system must be configured to the required LDAP client signing level. | This setting controls the signing requirements for LDAP clients. This setting must be set to Negotiate signing or Require signing, depending on the environment and type of LDAP server in use.
V-3380 | Medium | The system must be configured to force users to log off when their allowed logon hours expire. | Limiting logon hours can help protect data by only allowing access during specified times. This setting controls whether or not users are forced to log off when their allowed logon hours expire. ...
V-26600 | Medium | The Fax service must be disabled if installed. | Unnecessary services increase the attack surface of a system. Some of these services may not support required levels of authentication or encryption.
V-26602 | Medium | The Microsoft FTP service must not be installed. | Unnecessary services increase the attack surface of a system. Some of these services may not support required levels of authentication or encryption.
V-26604 | Medium | The Peer Networking Identity Manager service must be disabled if installed. | Unnecessary services increase the attack surface of a system. Some of these services may not support required levels of authentication or encryption.
V-26605 | Medium | The Simple TCP/IP Services service must be disabled if installed. | Unnecessary services increase the attack surface of a system. Some of these services may not support required levels of authentication or encryption.
V-26606 | Medium | The Telnet service must be disabled if installed. | Unnecessary services increase the attack surface of a system. Some of these services may not support required levels of authentication or encryption.
V-36670 | Medium | Audit data must be reviewed on a regular basis. | To be of value, audit logs from critical systems must be reviewed on a regular basis. Critical systems should be reviewed on a daily basis to identify security breaches and potential weaknesses ...
V-36671 | Medium | Audit data must be retained for at least one year. | Audit records are essential for investigating system activity after the fact. Retention periods for audit data are determined based on the sensitivity of the data handled by the system.
V-36672 | Medium | Audit records must be backed up onto a different system or media than the system being audited. | Protection of log data includes assuring the log data is not accidentally lost or deleted. Audit information stored in one location is vulnerable to accidental or incidental deletion or alteration.
V-57719 | Medium | The operating system must, at a minimum, off-load audit records of interconnected systems in real time and off-load standalone systems weekly. | Protection of log data includes assuring the log data is not accidentally lost or deleted. Audit information stored in one location is vulnerable to accidental or incidental deletion or alteration.
V-36708 | Medium | The location feature must be turned off. | The location service on systems may allow sensitive data to be used by applications on the system. This should be turned off unless explicitly allowed for approved systems/applications.
V-36709 | Medium | Basic authentication for RSS feeds over HTTP must be turned off. | Basic authentication uses plain text passwords that could be used to compromise a system.
V-36700 | Medium | The password reveal button must not be displayed. | Visible passwords may be seen by nearby persons, compromising them. The password reveal button can be used to display an entered password and must not be allowed.
V-36679 | Medium | Early Launch Antimalware, Boot-Start Driver Initialization Policy must be enabled and configured to only Good and Unknown. | Compromised boot drivers can introduce malware prior to some protection mechanisms that load after initialization. The Early Launch Antimalware driver can limit allowed drivers based on ...
V-15697 | Medium | The Responder network protocol driver must be disabled. | The Responder network protocol driver allows a computer to be discovered and located on a network. Disabling this helps protect the system from potentially being discovered and connected to by ...
V-15696 | Medium | The Mapper I/O network protocol (LLTDIO) driver must be disabled. | The Mapper I/O network protocol (LLTDIO) driver allows the discovery of the connected network and allows various options to be enabled. Disabling this helps protect the system from potentially ...
V-15699MediumThe Windows Connect Now wizards must be disabled.Windows Connect Now provides wizards for tasks such as "Set up a wireless router or access point" and must not be available to users. Functions such as these may allow unauthorized connections to ...
V-15698MediumThe configuration of wireless devices using Windows Connect Now must be disabled.Windows Connect Now allows the discovery and configuration of devices over wireless. Wireless devices must be managed. If a rogue device is connected to a system, there is potential for ...
V-1150MediumThe built-in Windows password complexity policy must be enabled.The use of complex passwords increases their strength against attack. The built-in Windows password complexity policy requires passwords to contain at least 3 of the 4 types of characters ...
V-1154MediumThe Ctrl+Alt+Del security attention sequence for logons must be enabled.Disabling the Ctrl+Alt+Del security attention sequence can compromise system security. Because only Windows responds to the Ctrl+Alt+Del security sequence, a user can be assured that any ...
V-1155MediumThe Deny access to this computer from the network user right on member servers must be configured to prevent access from highly privileged domain accounts and local accounts on domain systems, and from unauthenticated access on all systems.Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. The "Deny access to this computer from the network" user right defines the accounts ...
V-1157MediumThe Smart Card removal option must be configured to Force Logoff or Lock Workstation.Unattended systems are susceptible to unauthorized use and must be locked. Configuring a system to lock when a smart card is removed will ensure the system is inaccessible when unattended.
V-15991MediumUIAccess applications must not be allowed to prompt for elevation without using the secure desktop.User Account Control (UAC) is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. This setting prevents User Interface ...
V-15997MediumUsers must be prevented from mapping local COM ports and redirecting data from the Remote Desktop Session Host to local COM ports. (Remote Desktop Services Role).Preventing the redirection of Remote Desktop session data to a client computer's COM ports helps reduce possible exposure of sensitive data.
V-14225MediumPasswords for the built-in Administrator account must be changed at least annually or when a member of the administrative team leaves the organization.The longer a password is in use, the greater the opportunity for someone to gain unauthorized knowledge of the password. Passwords for the built-in Administrator account must be changed at least ...
V-15998MediumUsers must be prevented from mapping local LPT ports and redirecting data from the Remote Desktop Session Host to local LPT ports. (Remote Desktop Services Role).Preventing the redirection of Remote Desktop session data to a client computer's LPT ports helps reduce possible exposure of sensitive data.
V-15999MediumUsers must be prevented from redirecting Plug and Play devices to the Remote Desktop Session Host. (Remote Desktop Services Role).Preventing the redirection of Plug and Play devices in Remote Desktop sessions helps reduce possible exposure of sensitive data.
V-3453MediumRemote Desktop Services must always prompt a client for passwords upon connection.This setting controls the ability of users to supply passwords automatically as part of their remote desktop connection. Disabling this setting would allow anyone to use the stored credentials in ...
V-3456MediumRemote Desktop Services must delete temporary folders when a session is terminated.Remote desktop session temporary folders must always be deleted after a session is over to prevent hard disk clutter and potential leakage of information. This setting controls the deletion of ...
V-3455MediumRemote Desktop Services must be configured to use session-specific temporary folders.
