Product:
BigFix Compliance
Title:
Updated Universal Checklist for Windows Workstation to support more recent versions of CIS and DISA benchmarks.
Published Sites:
Universal Checklist for Windows Workstation, site version 2
(The site version is provided for air-gap customers.)
Details: Universal Checklist for Windows Workstation
● Total Fixlets: 656
● Total New Fixlets: 31
● Total Updated Fixlets: 32
● Total Deleted Fixlets: 2
● Fixlets with Remediation: 632
● Parameterized Fixlets: 532
● Benchmark Sources: CIS and DISA STIGs
● Applies To: Windows Workstation 10 & 11
ADDED
● Ensure 'Require IPPS for IPP printers' is set to 'Enabled'
● Ensure 'Enable / disable CLFS logfile authentication' is set to 'Enabled'
● Ensure 'Allow Recall to be enabled' is set to 'Disabled'
● Ensure 'Set TLS/SSL security policy for IPP printers: Disallow invalid certificate authority' is set to 'Enabled: Checked'
● Ensure 'Set TLS/SSL security policy for IPP printers: Disallow non-server certificates' is set to 'Enabled: Checked'
● Ensure 'Set TLS/SSL security policy for IPP printers: Disallow invalid certificate common name' is set to 'Enabled: Checked'
● Ensure 'Set TLS/SSL security policy for IPP printers: Disallow invalid certificate date' is set to 'Enabled: Checked'
● Ensure 'Disable HTTP proxy features: Disable WPAD' is set to 'Enabled: Checked'
● Ensure 'Disable HTTP proxy features: Disable proxy authentication' is set to 'Enabled: Disable authentication over loopback interfaces'
● Windows Workstation must be configured to audit file system failures.
● Windows Workstation must be configured to audit file system successes.
● Windows Workstation must be configured to audit handle manipulation failures.
● Windows Workstation must be configured to audit handle manipulation successes.
● Windows Workstation must be configured to audit registry failures.
● Windows Workstation must be configured to audit registry successes.
● The Secondary Logon service must be disabled on Windows 10.
● Windows Telemetry must not be configured to Full.
● Ensure 'Generate security audits' is set to 'LOCAL SERVICE, NETWORK SERVICE, RESTRICTED SERVICES\PrintSpoolerService'
● Ensure 'Impersonate a client after authentication' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE, RESTRICTED SERVICES\PrintSpoolerService'
● Ensure 'Windows Firewall: Domain: Logging: Name' is configured
● Ensure 'Windows Firewall: Private: Logging: Name' is configured
● Ensure 'Windows Firewall: Public: Logging: Name' is configured
● Ensure 'Prevent automatic download of applications associated with device metadata' is set to 'Enabled'
● Ensure 'Password Settings: Password Complexity' is set to 'Enabled: Large letters + small letters + numbers + special characters' or 'Passphrase'
● Ensure 'Post-authentication actions: Actions' is set to 'Enabled: Reset the password and logoff the managed account' or higher (B)
● Ensure 'Let Windows apps activate with voice while the system is locked' is set to 'Enabled: Force Deny'
● Ensure 'Configure local setting override for reporting to Microsoft MAPS' is set to 'Disabled'
● Ensure 'Peer Name Resolution Protocol (PNRPsvc)' is set to 'Disabled' or 'Not Installed'
● Ensure 'Peer Networking Grouping (p2psvc)' is set to 'Disabled' or 'Not Installed'
● Ensure 'Peer Networking Identity Manager (p2pimsvc)' is set to 'Disabled' or 'Not Installed'
● Ensure 'PNRP Machine Name Publication Service (PNRPAutoReg)' is set to 'Disabled' or 'Not Installed'
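The following PowerShell script is an added example for readers who want to spot-check a handful of the newly added items on a single workstation before or after deploying the checklist. It is not the checklist's own logic: the Fixlets evaluate and remediate these settings with BigFix relevance and action script, and this script only reads the same settings (advanced audit policy via auditpol, service start types, the AllowTelemetry policy value, and the per-profile firewall log file name). Run it from an elevated PowerShell session on Windows 10 or 11; the auditpol subcategory names assume an English locale.

```powershell
# Added example (not BigFix Fixlet content): read-only spot check of a few
# items from the ADDED list above. Run elevated; auditpol needs admin rights.

$results = @()

function Add-Result {
    param([string]$Check, [string]$Expected, [string]$Actual, [bool]$Pass)
    $script:results += [pscustomobject]@{
        Check    = $Check
        Expected = $Expected
        Actual   = $Actual
        Pass     = $Pass
    }
}

# 1. Advanced audit policy: the three subcategories now required for both
#    successes and failures. "auditpol /get ... /r" returns CSV whose
#    "Inclusion Setting" column reads "Success and Failure" when both are on.
foreach ($sub in 'File System', 'Handle Manipulation', 'Registry') {
    $row = auditpol /get /subcategory:"$sub" /r | ConvertFrom-Csv
    $setting = $row.'Inclusion Setting'
    Add-Result "Audit $sub" 'Success and Failure' $setting ($setting -eq 'Success and Failure')
}

# 2. Services that must be Disabled (or absent): Secondary Logon (seclogon)
#    and the Peer Networking / PNRP family named in the checks above.
foreach ($svc in 'seclogon', 'PNRPsvc', 'p2psvc', 'p2pimsvc', 'PNRPAutoReg') {
    $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
    $state = if ($null -eq $s) { 'Not Installed' } else { $s.StartType.ToString() }
    Add-Result "Service $svc" 'Disabled or Not Installed' $state ($state -in 'Disabled', 'Not Installed')
}

# 3. Telemetry must not be Full. The policy value lives under
#    HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection\AllowTelemetry
#    (0 = Security, 1 = Basic/Required, 2 = Enhanced, 3 = Full). A missing
#    value means the policy is not enforced, so it is reported as a failure.
$dc = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection'
$telemetry = (Get-ItemProperty -Path $dc -Name AllowTelemetry -ErrorAction SilentlyContinue).AllowTelemetry
$actual = if ($null -eq $telemetry) { 'Not configured' } else { "$telemetry" }
Add-Result 'AllowTelemetry not Full' '0, 1 or 2' $actual ($null -ne $telemetry -and $telemetry -lt 3)

# 4. Firewall logging: each profile (Domain, Private, Public) must have a
#    log file name configured. The benchmark expects a distinct file per
#    profile, so the value is shown for review rather than only pass/fail.
foreach ($p in Get-NetFirewallProfile) {
    $name = $p.LogFileName
    Add-Result "Firewall $($p.Name) log file name" 'Configured' $name (-not [string]::IsNullOrWhiteSpace($name))
}

$results | Format-Table -AutoSize
```

The output is a table with one row per check; a `Pass` of `False` on a machine that reports compliant in BigFix usually means a Group Policy refresh has not yet applied the remediated setting, so compare against `gpresult /h` before treating it as a content problem.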
REMOVED
● Data Execution Prevention (DEP) must be configured to at least OptOut.
● The built-in administrator account must be disabled.
UPDATED
● Ensure 'Account lockout duration' is set to '15 or more minute(s)'
● Ensure 'Adjust memory quotas for a process' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE'
● Ensure 'Replace a process level token' is set to 'LOCAL SERVICE, NETWORK SERVICE'
● Configure 'Accounts: Rename administrator account'
● Configure 'Accounts: Rename guest account'
● Ensure 'Interactive logon: Do not require CTRL+ALT+DEL' is set to 'Disabled'
● Ensure 'Enable Certificate Padding' is set to 'Enabled'
● Ensure 'Limit Diagnostic Log Collection' is set to 'Enabled'
● Ensure 'Limit Dump Collection' is set to 'Enabled'
● Ensure 'Prevent the usage of OneDrive for file storage' is set to 'Enabled'
● Ensure 'Allow widgets' is set to 'Disabled'
● Credential Guard must be running on Windows Workstation domain-joined systems.
● Windows Workstation must be configured to prevent certificate error overrides in Microsoft Edge.
● Windows Workstation must be configured to audit Other Policy Change Events Successes.
● Ensure 'Disable new DMA devices when this computer is locked' is set to 'Enabled'
● Ensure 'Microsoft network client: Digitally sign communications (if server agrees)' is set to 'Enabled'
● Ensure 'Microsoft network server: Digitally sign communications (if client agrees)' is set to 'Enabled'
● Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled'
● Ensure 'Select when Preview Builds and Feature Updates are received' is set to 'Enabled: 180 or more days'
● Ensure 'Disable OneSettings Downloads' is set to 'Enabled'
● Ensure 'Always install with elevated privileges' is set to 'Disabled' (User section)
● Ensure 'Change the time zone' is set to 'Administrators, LOCAL SERVICE, Users'
● Ensure 'Turn off Windows Copilot' is set to 'Enabled'
● Ensure 'Configure registry policy processing: Do not apply during periodic background processing' is set to 'Enabled: FALSE'
● Ensure 'Configure registry policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled: TRUE'
● Ensure 'Interactive logon: Machine account lockout threshold' is set to '10 or fewer invalid logon attempts, but not 0'
● Ensure 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires' is set to 'Enabled: 5 or fewer seconds'
● Ensure 'WinHTTP Web Proxy Auto-Discovery Service (WinHttpAutoProxySvc)' is set to 'Disabled'
● Ensure 'Configure use of passwords for operating system drives' is set to 'Disabled'
● Ensure 'Require additional authentication at startup: Allow BitLocker without a compatible TPM' is set to 'Enabled: False'
● Ensure 'Require additional authentication at startup' is set to 'Enabled'
● Ensure 'Turn on Basic feed authentication over HTTP' is set to 'Disabled'
Actions to take:
● To subscribe to the above site, use the License Overview Dashboard to enable and gather the site. Note that you must be entitled to the BigFix Compliance product and must be running BigFix version 10 or later.
● If you use custom sites, update them to use the latest content. You can synchronize your content by using the Synchronize Custom Checks wizard. For more information, see Using the Synchronize Custom Checks wizard:
Use the SCM Synchronize Custom Checks wizard to update any custom checks in your deployment whose external sources have since been updated by HCL. You can use any additional functionality or bug fixes ...
More information:
To know more about the BigFix Compliance SCM checklists, please see the following resources:
BigFix Forum:
https://forum.bigfix.com/c/release-announcements/compliance
BigFix Compliance SCM Checklists:
https://forum.bigfix.com/t/universal-compliance-checklist/54703
We hope you find this latest release of SCM content useful and effective. Thank you!
– The BigFix Compliance team