STIGQter: STIG Summary: Windows 10 Security Technical Implementation Guide

Version: 1

Release: 19

Benchmark Date: 25 Oct 2019

Name | Title
SV-77809r3_rule | Domain-joined systems must use Windows 10 Enterprise Edition 64-bit version.
SV-77811r1_rule | Users must be prevented from changing installation options.
SV-77813r5_rule | Windows 10 domain-joined systems must have a Trusted Platform Module (TPM) enabled and ready for use.
SV-77815r1_rule | The Windows Installer Always install with elevated privileges must be disabled.
SV-77819r1_rule | Users must be notified if a web-based program attempts to install software.
SV-77823r1_rule | Automatically signing in the last interactive user after a system-initiated restart must be disabled.
SV-77825r1_rule | The Windows Remote Management (WinRM) client must not use Basic authentication.
SV-77827r4_rule | Windows 10 information systems must use BitLocker to encrypt all disks to protect the confidentiality and integrity of all information at rest.
SV-77829r1_rule | The Windows Remote Management (WinRM) client must not allow unencrypted traffic.
SV-77831r2_rule | The Windows Remote Management (WinRM) client must not use Digest authentication.
SV-77833r2_rule | Windows 10 must employ automated mechanisms to determine the state of system components with regard to flaw remediation using the following frequency: continuously, where HBSS is used; 30 days, for any additional internal network scans not covered by HBSS; and annually, for external scans by Computer Network Defense Service Provider (CNDSP).
SV-77835r3_rule | The operating system must employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs.
SV-77837r1_rule | The Windows Remote Management (WinRM) service must not use Basic authentication.
SV-77839r9_rule | Windows 10 systems must be maintained at a supported servicing level.
SV-77841r4_rule | The Windows 10 system must use an anti-virus program.
SV-77843r2_rule | Local volumes must be formatted using NTFS.
SV-77845r1_rule | Alternate operating systems must not be permitted on the same system.
SV-77847r1_rule | Non system-created file shares on a system must limit access to groups that require it.
SV-77849r1_rule | Unused accounts must be disabled or removed from the system after 35 days of inactivity.
SV-77851r2_rule | Only accounts responsible for the administration of a system must have Administrator rights on the system.
SV-77853r1_rule | Only accounts responsible for the backup operations must be members of the Backup Operators group.
SV-77855r3_rule | Only authorized user accounts must be allowed to create or run virtual machines on Windows 10 systems.
SV-77857r2_rule | Standard local user accounts must not exist on a system in a domain.
SV-77859r1_rule | The Windows Remote Management (WinRM) service must not allow unencrypted traffic.
SV-77861r1_rule | Accounts must be configured to require password expiration.
SV-77863r2_rule | Permissions for system files and directories must conform to minimum requirements.
SV-77865r1_rule | The Windows Remote Management (WinRM) service must not store RunAs credentials.
SV-77867r1_rule | Internet Information System (IIS) or its subcomponents must not be installed on a workstation.
SV-77871r1_rule | Simple Network Management Protocol (SNMP) must not be installed on the system.
SV-77873r1_rule | Simple TCP/IP Services must not be installed on the system.
SV-77875r1_rule | The Telnet Client must not be installed on the system.
SV-77879r1_rule | The TFTP Client must not be installed on the system.
SV-77883r2_rule | Software certificate installation files must be removed from Windows 10.
SV-77889r1_rule | A host-based firewall must be installed and enabled on the system.
SV-77893r2_rule | Inbound exceptions to the firewall on Windows 10 domain workstations must only allow authorized remote management hosts.
SV-77895r2_rule | Windows 10 account lockout duration must be configured to 15 minutes or greater.
SV-77899r1_rule | The number of allowed bad logon attempts must be configured to 3 or less.
SV-77903r1_rule | The period of time before the bad logon counter is reset must be configured to 15 minutes.
SV-77905r2_rule | The password history must be configured to 24 passwords remembered.
SV-77909r1_rule | The maximum password age must be configured to 60 days or less.
SV-77911r1_rule | The minimum password age must be configured to at least 1 day.
SV-77913r1_rule | Passwords must, at a minimum, be 14 characters.
SV-77917r1_rule | The built-in Microsoft password complexity filter must be enabled.
SV-77919r1_rule | Reversible password encryption must be disabled.
SV-77921r1_rule | The system must be configured to audit Account Logon - Credential Validation failures.
SV-77925r1_rule | The system must be configured to audit Account Logon - Credential Validation successes.
SV-77931r1_rule | The system must be configured to audit Account Management - Other Account Management Events successes.
SV-77935r1_rule | The system must be configured to audit Account Management - Security Group Management successes.
SV-77937r1_rule | The system must be configured to audit Account Management - User Account Management failures.
SV-77939r1_rule | The system must be configured to audit Account Management - User Account Management successes.
SV-77941r1_rule | The system must be configured to audit Detailed Tracking - PNP Activity successes.
SV-77943r1_rule | The system must be configured to audit Detailed Tracking - Process Creation successes.
SV-77945r3_rule | The system must be configured to audit Logon/Logoff - Account Lockout successes.
SV-77947r2_rule | The system must be configured to audit Logon/Logoff - Group Membership successes.
SV-77951r1_rule | The system must be configured to audit Logon/Logoff - Logoff successes.
SV-77953r1_rule | The system must be configured to audit Logon/Logoff - Logon failures.
SV-77957r1_rule | The system must be configured to audit Logon/Logoff - Logon successes.
SV-77959r1_rule | The system must be configured to audit Logon/Logoff - Special Logon successes.
SV-77961r2_rule | The system must be configured to audit Object Access - Removable Storage failures.
SV-77963r2_rule | The system must be configured to audit Object Access - Removable Storage successes.
SV-77965r2_rule | The system must be configured to audit Policy Change - Audit Policy Change failures.
SV-77969r2_rule | The system must be configured to audit Policy Change - Audit Policy Change successes.
SV-77971r1_rule | The system must be configured to audit Policy Change - Authentication Policy Change successes.
SV-77973r1_rule | The system must be configured to audit Privilege Use - Sensitive Privilege Use failures.
SV-77977r1_rule | The system must be configured to audit Privilege Use - Sensitive Privilege Use successes.
SV-77981r1_rule | The system must be configured to audit System - IPSec Driver failures.
SV-77985r1_rule | The system must be configured to audit System - IPSec Driver successes.
SV-77989r2_rule | The system must be configured to audit System - Other System Events successes.
SV-77993r2_rule | The system must be configured to audit System - Other System Events failures.
SV-77997r1_rule | The system must be configured to audit System - Security State Change successes.
SV-78003r1_rule | The system must be configured to audit System - Security System Extension successes.
SV-78005r1_rule | The system must be configured to audit System - System Integrity failures.
SV-78007r1_rule | The system must be configured to audit System - System Integrity successes.
SV-78009r1_rule | The Application event log size must be configured to 32768 KB or greater.
SV-78013r2_rule | The Security event log size must be configured to 1024000 KB or greater.
SV-78017r1_rule | The System event log size must be configured to 32768 KB or greater.
SV-78023r2_rule | Windows 10 permissions for the Application event log must prevent access by non-privileged accounts.
SV-78027r2_rule | Windows 10 permissions for the Security event log must prevent access by non-privileged accounts.
SV-78031r2_rule | Windows 10 permissions for the System event log must prevent access by non-privileged accounts.
SV-78035r1_rule | Camera access from the lock screen must be disabled.
SV-78039r1_rule | The display of slide shows on the lock screen must be disabled.
SV-78045r1_rule | IPv6 source routing must be configured to highest protection.
SV-78049r1_rule | The system must be configured to prevent IP source routing.
SV-78053r1_rule | The system must be configured to prevent Internet Control Message Protocol (ICMP) redirects from overriding Open Shortest Path First (OSPF) generated routes.
SV-78057r1_rule | The system must be configured to ignore NetBIOS name release requests except from WINS servers.
SV-78059r2_rule | Insecure logons to an SMB server must be disabled.
SV-78067r1_rule | Hardened UNC Paths must be defined to require mutual authentication and integrity for at least the \\*\SYSVOL and \\*\NETLOGON shares.
SV-78069r4_rule | The DoD Root CA certificates must be installed in the Trusted Root Store.
SV-78071r2_rule | Simultaneous connections to the Internet or a Windows domain must be limited.
SV-78073r3_rule | The External Root CA certificates must be installed in the Trusted Root Store on unclassified systems.
SV-78075r1_rule | Connections to non-domain networks when connected to a domain authenticated network must be blocked.
SV-78077r5_rule | The DoD Interoperability Root CA cross-certificates must be installed in the Untrusted Certificates Store on unclassified systems.
SV-78079r4_rule | The US DoD CCEB Interoperability Root CA cross-certificates must be installed in the Untrusted Certificates Store on unclassified systems.
SV-78081r2_rule | Wi-Fi Sense must be disabled.
SV-78083r2_rule | Default permissions for the HKEY_LOCAL_MACHINE registry hive must be maintained.
SV-78085r6_rule | Virtualization Based Security must be enabled on Windows 10 with the platform security level configured to Secure Boot or Secure Boot with DMA Protection.
SV-78087r2_rule | Local administrator accounts must have their privileged token filtered to prevent elevated privileges from being used over the network on domain systems.
SV-78089r8_rule | Credential Guard must be running on Windows 10 domain-joined systems.
SV-78091r1_rule | The built-in administrator account must be disabled.
SV-78097r1_rule | Early Launch Antimalware, Boot-Start Driver Initialization Policy must prevent boot drivers identified as bad.
SV-78099r1_rule | Group Policy objects must be reprocessed even if they have not changed.
SV-78101r1_rule | The built-in guest account must be disabled.
SV-78105r1_rule | Downloading print driver packages over HTTP must be prevented.
SV-78107r1_rule | Local accounts with blank passwords must be restricted to prevent access from the network.
SV-78109r1_rule | The built-in administrator account must be renamed.
SV-78111r1_rule | Web publishing and online ordering wizards must be prevented from downloading a list of providers.
SV-78113r1_rule | Printing over HTTP must be prevented.
SV-78115r1_rule | The built-in guest account must be renamed.
SV-78117r1_rule | Systems must at least attempt device authentication using certificates.
SV-78119r1_rule | The network selection user interface (UI) must not be displayed on the logon screen.
SV-78123r1_rule | Local users on domain-joined computers must not be enumerated.
SV-78125r1_rule | Audit policy using subcategories must be enabled.
SV-78129r1_rule | Outgoing secure channel traffic must be encrypted or signed.
SV-78133r1_rule | Outgoing secure channel traffic must be encrypted when possible.
SV-78135r1_rule | Users must be prompted for a password on resume from sleep (on battery).
SV-78137r1_rule | Outgoing secure channel traffic must be signed when possible.
SV-78139r1_rule | The user must be prompted for a password on resume from sleep (plugged in).
SV-78141r1_rule | Solicited Remote Assistance must not be allowed.
SV-78143r1_rule | The computer account password must not be prevented from being reset.
SV-78147r1_rule | Unauthenticated RPC clients must be restricted from connecting to the RPC server.
SV-78149r2_rule | The setting to allow Microsoft accounts to be optional for modern style apps must be enabled.
SV-78151r1_rule | The maximum age for machine account passwords must be configured to 30 days or less.
SV-78153r1_rule | The Application Compatibility Program Inventory must be prevented from collecting data and sending the information to Microsoft.
SV-78155r1_rule | The system must be configured to require a strong session key.
SV-78157r1_rule | Autoplay must be turned off for non-volume devices.
SV-78159r2_rule | The machine inactivity limit must be set to 15 minutes, locking the system with the screensaver.
SV-78161r1_rule | The default autorun behavior must be configured to prevent autorun commands.
SV-78163r1_rule | Autoplay must be disabled for all drives.
SV-78165r2_rule | The required legal notice must be configured to display before console logon.
SV-78167r3_rule | Enhanced anti-spoofing for facial recognition must be enabled on Windows 10.
SV-78169r1_rule | Administrator accounts must not be enumerated during elevation.
SV-78171r1_rule | The Windows dialog box title for the legal banner must be configured.
SV-78173r3_rule | Windows Telemetry must not be configured to Full.
SV-78175r6_rule | The Windows Defender SmartScreen for Explorer must be enabled.
SV-78177r1_rule | Caching of logon credentials must be limited.
SV-78179r1_rule | Explorer Data Execution Prevention must be enabled.
SV-78181r3_rule | Turning off File Explorer heap termination on corruption must be disabled.
SV-78185r1_rule | File Explorer shell protocol must run in protected mode.
SV-78187r1_rule | The Smart Card removal option must be configured to Force Logoff or Lock Workstation.
SV-78189r6_rule | Users must not be allowed to ignore Windows Defender SmartScreen filter warnings for malicious websites in Microsoft Edge.
SV-78191r6_rule | Users must not be allowed to ignore Windows Defender SmartScreen filter warnings for unverified files in Microsoft Edge.
SV-78193r1_rule | The Windows SMB client must be configured to always perform SMB packet signing.
SV-78195r4_rule | InPrivate browsing in Microsoft Edge must be disabled.
SV-78197r1_rule | The Windows SMB client must be enabled to perform SMB packet signing when possible.
SV-78199r4_rule | The password manager function in the Edge browser must be disabled.
SV-78201r1_rule | Unencrypted passwords must not be sent to third-party SMB Servers.
SV-78203r6_rule | The Windows Defender SmartScreen filter for Microsoft Edge must be enabled.
SV-78207r5_rule | The use of a hardware security device with Windows Hello for Business must be enabled.
SV-78209r1_rule | The Windows SMB server must be configured to always perform SMB packet signing.
SV-78211r6_rule | Windows 10 must be configured to require a minimum pin length of six characters or greater.
SV-78213r1_rule | The Windows SMB server must perform SMB packet signing when possible.
SV-78219r1_rule | Passwords must not be saved in the Remote Desktop Client.
SV-78221r1_rule | Local drives must be prevented from sharing with Remote Desktop Session Hosts.
SV-78223r1_rule | Remote Desktop Services must always prompt a client for passwords upon connection.
SV-78227r1_rule | The Remote Desktop Session Host must require secure RPC communications.
SV-78229r1_rule | Anonymous SID/Name translation must not be allowed.
SV-78231r1_rule | Remote Desktop Services must be configured with the client connection encryption set to the required level.
SV-78233r1_rule | Attachments must be prevented from being downloaded from RSS feeds.
SV-78235r1_rule | Anonymous enumeration of SAM accounts must not be allowed.
SV-78237r1_rule | Basic authentication for RSS feeds over HTTP must not be used.
SV-78239r1_rule | Anonymous enumeration of shares must be restricted.
SV-78241r1_rule | Indexing of encrypted files must be turned off.
SV-78245r1_rule | The system must be configured to prevent anonymous users from having the same rights as the Everyone group.
SV-78249r1_rule | Anonymous access to Named Pipes and Shares must be restricted.
SV-78253r1_rule | Services using Local System that use Negotiate when reverting to NTLM authentication must use the computer identity vs. authenticating anonymously.
SV-78255r1_rule | NTLM must be prevented from falling back to a Null session.
SV-78257r1_rule | PKU2U authentication using online identities must be prevented.
SV-78285r1_rule | Kerberos encryption types must be configured to prevent the use of DES and RC4 encryption suites.
SV-78287r1_rule | The system must be configured to prevent the storage of the LAN Manager hash of passwords.
SV-78291r1_rule | The LanMan authentication level must be set to send NTLMv2 response only, and to refuse LM and NTLM.
SV-78293r1_rule | The system must be configured to the required LDAP client signing level.
SV-78295r1_rule | The system must be configured to meet the minimum session security requirement for NTLM SSP based clients.
SV-78297r1_rule | The system must be configured to meet the minimum session security requirement for NTLM SSP based servers.
SV-78301r1_rule | The system must be configured to use FIPS-compliant algorithms for encryption, hashing, and signing.
SV-78305r1_rule | The default permissions of global system objects must be increased.
SV-78307r1_rule | User Account Control approval mode for the built-in Administrator must be enabled.
SV-78309r1_rule | User Account Control must, at minimum, prompt administrators for consent on the secure desktop.
SV-78311r1_rule | User Account Control must automatically deny elevation requests for standard users.
SV-78315r1_rule | User Account Control must be configured to detect application installations and prompt for elevation.
SV-78317r1_rule | User Account Control must only elevate UIAccess applications that are installed in secure locations.
SV-78319r1_rule | User Account Control must run all administrators in Admin Approval Mode, enabling UAC.
SV-78321r1_rule | User Account Control must virtualize file and registry write failures to per-user locations.
SV-78329r1_rule | Toast notifications to the lock screen must be turned off.
SV-78331r2_rule | Zone information must be preserved when saving attachments.
SV-78333r1_rule | The Access Credential Manager as a trusted caller user right must not be assigned to any groups or accounts.
SV-78335r3_rule | The Access this computer from the network user right must only be assigned to the Administrators and Remote Desktop Users groups.
SV-78337r1_rule | The Act as part of the operating system user right must not be assigned to any groups or accounts.
SV-78341r2_rule | The Allow log on locally user right must only be assigned to the Administrators and Users groups.
SV-78343r1_rule | The Back up files and directories user right must only be assigned to the Administrators group.
SV-78345r1_rule | The Change the system time user right must only be assigned to Administrators and Local Service.
SV-78347r1_rule | The Create a pagefile user right must only be assigned to the Administrators group.
SV-78349r1_rule | The Create a token object user right must not be assigned to any groups or accounts.
SV-78351r1_rule | The Create global objects user right must only be assigned to Administrators, Service, Local Service, and Network Service.
SV-78353r1_rule | The Create permanent shared objects user right must not be assigned to any groups or accounts.
SV-78355r2_rule | The Create symbolic links user right must only be assigned to the Administrators group.
SV-78359r1_rule | The Debug programs user right must only be assigned to the Administrators group.
SV-78361r3_rule | The Deny access to this computer from the network user right on workstations must be configured to prevent access from highly privileged domain accounts and local accounts on domain systems and unauthenticated access on all systems.
SV-78363r1_rule | The Deny log on as a batch job user right on domain-joined workstations must be configured to prevent access from highly privileged domain accounts.
SV-78365r2_rule | The Deny log on as a service user right on Windows 10 domain-joined workstations must be configured to prevent access from highly privileged domain accounts.
SV-78367r2_rule | The Deny log on locally user right on workstations must be configured to prevent access from highly privileged domain accounts on domain systems and unauthenticated access on all systems.
SV-78369r4_rule | The Deny log on through Remote Desktop Services user right on Windows 10 workstations must at a minimum be configured to prevent access from highly privileged domain accounts and local accounts on domain systems and unauthenticated access on all systems.
SV-78371r1_rule | The Enable computer and user accounts to be trusted for delegation user right must not be assigned to any groups or accounts.
SV-78373r1_rule | The Force shutdown from a remote system user right must only be assigned to the Administrators group.
SV-78377r1_rule | The Generate security audits user right must only be assigned to Local Service and Network Service.
SV-78379r1_rule | The Impersonate a client after authentication user right must only be assigned to Administrators, Service, Local Service, and Network Service.
SV-78381r2_rule | The Increase scheduling priority user right on Windows 10 must only be assigned to Administrators and Window Manager\Window Manager Group.
SV-78407r1_rule | The Load and unload device drivers user right must only be assigned to the Administrators group.
SV-78415r1_rule | The Lock pages in memory user right must not be assigned to any groups or accounts.
SV-78417r1_rule | The Manage auditing and security log user right must only be assigned to the Administrators group.
SV-78421r1_rule | The Modify firmware environment values user right must only be assigned to the Administrators group.
SV-78423r1_rule | The Perform volume maintenance tasks user right must only be assigned to the Administrators group.
SV-78425r1_rule | The Profile single process user right must only be assigned to the Administrators group.
SV-78429r1_rule | The Restore files and directories user right must only be assigned to the Administrators group.
SV-78431r1_rule | The Take ownership of files or other objects user right must only be assigned to the Administrators group.
SV-80171r3_rule | Windows Update must not obtain updates from other PCs on the Internet.
SV-83409r1_rule | Command line data must be included in process creation events.
SV-83411r2_rule | PowerShell script block logging must be enabled on Windows 10.
SV-83439r2_rule | Data Execution Prevention (DEP) must be configured to at least OptOut.
SV-83445r4_rule | Structured Exception Handling Overwrite Protection (SEHOP) must be enabled.
SV-85259r2_rule | The Windows PowerShell 2.0 feature must be disabled on the system.
SV-85261r2_rule | The Server Message Block (SMB) v1 protocol must be disabled on the system.
SV-86383r2_rule | The system must be configured to audit Logon/Logoff - Account Lockout failures.
SV-86385r1_rule | The system must be configured to audit Policy Change - Authorization Policy Change successes.
SV-86387r1_rule | WDigest Authentication must be disabled.
SV-86389r1_rule | Internet connection sharing must be disabled.
SV-86393r3_rule | Remote calls to the Security Account Manager (SAM) must be restricted to Administrators.
SV-86395r2_rule | Microsoft consumer experiences must be turned off.
SV-86953r1_rule | Run as different user must be removed from context menus.
SV-87403r1_rule | Bluetooth must be turned off unless approved by the organization.
SV-87405r1_rule | Bluetooth must be turned off when not in use.
SV-87407r1_rule | The system must notify the user when a Bluetooth device attempts to connect.
SV-89083r1_rule | Windows 10 must be configured to audit Object Access - Other Object Access Events failures.
SV-89085r1_rule | Windows 10 must be configured to audit Object Access - Other Object Access Events successes.
SV-89087r2_rule | Windows 10 must be configured to prioritize ECC Curves with longer key lengths first.
SV-89089r4_rule | Windows 10 must be configured to prevent Microsoft Edge browser data from being cleared on exit.
SV-89091r2_rule | Windows 10 must be configured to disable Windows Game Recording and Broadcasting.
SV-89373r2_rule | Windows 10 must be configured to enable Remote host allows delegation of non-exportable credentials.
SV-89393r2_rule | The Secondary Logon service must be disabled on Windows 10.
SV-89395r1_rule | Windows 10 must be configured to audit Object Access - File Share successes.
SV-89397r1_rule | The Server Message Block (SMB) v1 protocol must be disabled on the SMB server.
SV-89399r1_rule | The Server Message Block (SMB) v1 protocol must be disabled on the SMB client.
SV-89701r1_rule | Windows 10 must be configured to audit Object Access - File Share failures.
SV-91201r1_rule | Orphaned security identifiers (SIDs) must be removed from user rights on Windows 10.
SV-91779r3_rule | Windows 10 systems must have Unified Extensible Firmware Interface (UEFI) firmware and be configured to run in UEFI mode, not Legacy BIOS.
SV-91781r2_rule | Secure Boot must be enabled on Windows 10 systems.
SV-91787r3_rule | Windows 10 Exploit Protection system-level mitigation, Data Execution Prevention (DEP), must be on.
SV-91791r4_rule | Windows 10 Exploit Protection system-level mitigation, Randomize memory allocations (Bottom-Up ASLR), must be on.
SV-91793r3_rule | Windows 10 Exploit Protection system-level mitigation, Control flow guard (CFG), must be on.
SV-91797r3_rule | Windows 10 Exploit Protection system-level mitigation, Validate exception chains (SEHOP), must be on.
SV-91799r3_rule | Windows 10 Exploit Protection system-level mitigation, Validate heap integrity, must be on.
SV-91885r3_rule | Exploit Protection mitigations in Windows 10 must be configured for Acrobat.exe.
SV-91887r3_rule | Exploit Protection mitigations in Windows 10 must be configured for AcroRd32.exe.
SV-91891r3_rule | Exploit Protection mitigations in Windows 10 must be configured for chrome.exe.
SV-91897r3_rule | Exploit Protection mitigations in Windows 10 must be configured for EXCEL.EXE.
SV-91901r3_rule | Exploit Protection mitigations in Windows 10 must be configured for firefox.exe.
SV-91905r3_rule | Exploit Protection mitigations in Windows 10 must be configured for FLTLDR.EXE.
SV-91909r3_rule | Exploit Protection mitigations in Windows 10 must be configured for GROOVE.EXE.
SV-91913r3_rule | Exploit Protection mitigations in Windows 10 must be configured for iexplore.exe.
SV-91917r3_rule | Exploit Protection mitigations in Windows 10 must be configured for INFOPATH.EXE.
SV-91919r3_rule | Exploit Protection mitigations in Windows 10 must be configured for java.exe, javaw.exe, and javaws.exe.
SV-91923r3_rule | Exploit Protection mitigations in Windows 10 must be configured for lync.exe.
SV-91927r3_rule | Exploit Protection mitigations in Windows 10 must be configured for MSACCESS.EXE.
SV-91929r3_rule | Exploit Protection mitigations in Windows 10 must be configured for MSPUB.EXE.
SV-91931r3_rule | Exploit Protection mitigations in Windows 10 must be configured for OneDrive.exe.
SV-91935r3_rule | Exploit Protection mitigations in Windows 10 must be configured for OIS.EXE.
SV-91939r3_rule | Exploit Protection mitigations in Windows 10 must be configured for OUTLOOK.EXE.
SV-91941r3_rule | Exploit Protection mitigations in Windows 10 must be configured for plugin-container.exe.
SV-91943r3_rule | Exploit Protection mitigations in Windows 10 must be configured for POWERPNT.EXE.
SV-91945r3_rule | Exploit Protection mitigations in Windows 10 must be configured for PPTVIEW.EXE.
SV-91951r3_rule | Exploit Protection mitigations in Windows 10 must be configured for VISIO.EXE.
SV-91955r3_rule | Exploit Protection mitigations in Windows 10 must be configured for VPREVIEW.EXE.
SV-91959r3_rule | Exploit Protection mitigations in Windows 10 must be configured for WINWORD.EXE.
SV-91963r3_rule | Exploit Protection mitigations in Windows 10 must be configured for wmplayer.exe.
SV-91965r3_rule | Exploit Protection mitigations in Windows 10 must be configured for wordpad.exe.
SV-92835r1_rule | Administrative accounts must not be used with applications that access the Internet, such as web browsers, or with potential Internet sources, such as email.
SV-96851r1_rule | The use of personal accounts for OneDrive synchronization must be disabled.
SV-96853r1_rule | Windows 10 must be configured to prevent certificate error overrides in Microsoft Edge.
SV-96859r1_rule | If Enhanced diagnostic data is enabled, it must be limited to the minimum required to support Windows Analytics.
SV-98853r2_rule | OneDrive must only allow synchronizing of accounts for DoD organization instances.
SV-104549r1_rule | Windows 10 must be configured to prevent Windows apps from being activated by voice while the system is locked.
SV-104689r1_rule | Windows 10 systems must use a BitLocker PIN for pre-boot authentication.
SV-104691r1_rule | Windows 10 systems must use a BitLocker PIN with a minimum length of 6 digits for pre-boot authentication.