security benchmark score details...the information on this page was created locally on your computer...

7/7/2014 Belarc Advisor Security Benchmark Summary

file:///C:/Program%20Files/Belarc/BelarcAdvisor/System/tmp/BenchmarkSummary((acer-PC)).html 1/16

The license associated with the Belarc Advisor product allows for free personal use only. Use oncomputers in a corporate, educational, military or government installation is prohibited. See thelicense agreement for details. The information on this page was created locally on your computerby the Belarc Advisor. Your computer profile was not sent to a web server.

About Belarc

SystemManagementProducts

Back toProfileSummary

Click anybenchmarksetting at rightfordocumentation.

Security Benchmark Score DetailsComputer Name: acer-PC (in WORKGROUP)

Profile Date: 07 July 2014 14:11:38Advisor Version: 8.4Windows Logon: acer

Click here for Belarc's security products,

for large and small companies.

Score: 0.63 of 10 (more on this score...) = Pass = FailBenchmark: USGCB - Windows 7, Version 1.0.1.0

Account Lockout Policy Settings Section Score: 0.63 of 0.63

1. Account Lockout Duration (CCE-9308)

2. Account Lockout Threshold (CCE-9136)

3. Reset Account Lockout Counter After (CCE-9400)

Password Policy Settings Section Score: 0.00 of 0.63

1. Enforce Password History (CCE-8912)

2. Maximum Password Age (CCE-9193)

3. Minimum Password Age (CCE-9330)

4. Minimum Password Length (CCE-9357)

5. Password Complexity (CCE-9370)

6. Reversible Password Encryption (CCE-9260)

User Rights Assignments Section Score: 0.00 of 0.63

1. Access This Computer From The Network (CCE-9253)

2. Act As Part Of The Operating System (CCE-9407)

3. Adjust Memory Quotas For A Process (CCE-9068)

4. Log On Locally (CCE-9345)

5. Log On Through Terminal Services (CCE-9107)

6. Back Up Files and Directories (CCE-9389)

7. Bypass Traverse Checking (CCE-8414)

8. Change the System Time (CCE-8612)

9. Change the time zone (CCE-8423)

10. Create A Pagefile (CCE-9185)

11. Create A Token Object (CCE-9215)

12. Create Global Objects (CCE-8431)

13. Create Permanent Shared Objects (CCE-9254)

Why are securitybenchmarks importantfor IT security? Manycurrent threats are notstopped by perimetersecurity systems suchas firewall and anti-virus systems. Settingand monitoringconfigurations based onconsensus benchmarksis a critical stepbecause this is a pro-active way to avoidmany successfulattacks. The U.S.National SecurityAgency has found thatconfiguring computerswith proper securitysettings blocks 90% ofthe existing threats("Security Benchmarks:A Gold Standard."IA Newsletter,vol. 5 no. 3 Click hereto view) To request acopy of our white paper,"Securing theEnterprise", click here.

What is the USGCBBenchmark? TheUnited StatesGovernmentConfiguration Baseline(USGCB) is a USGovernment OMB-mandated securityconfiguration forWindows 7 and InternetExplorer 8. Developedby DoD, with NISTassistance, thebenchmark is theproduct of DoDconsensus. Click herefor details.

What are FDCCBenchmarks? TheFederal Desktop CoreConfiguration (FDCC) isa US Government OMB-mandated securityconfiguration forWindows Vista and XP. The Windows VistaFDCC is based on DoDcustomization of theMicrosoft SecurityGuides for bothWindows Vista andInternet Explorer 7.0. Microsoft's Vista

http://www.belarc.com/ba5.html?B

http://www.belarc.com/ba5.html?B

http://www.belarc.com/ctadvisor.html?B

http://www.belarc.com/ctsecurity.html?B

http://www.belarc.com/Advisor2/CISWebDocs/Win7-USGCB-V1.0.1.0.htm

http://www.belarc.com/Advisor2/CISWebDocs/Win7-USGCB-V1.0.1.0.htm#S0

http://www.belarc.com/Advisor2/CISWebDocs/Win7-USGCB-V1.0.1.0.htm#S_CCE-9308-8

http://www.belarc.com/cgi-bin/ccerefer?9308













































https://www.thecsiac.com/journal/security-benchmarks-gold-standard

http://www.belarc.com/whitepapers.html

http://usgcb.nist.gov/



14. Create symbolic links (CCE-8460)

15. Debug Programs (CCE-8583)

16. Deny Access To This Computer From The Network (CCE-9244)

17. Deny Logon As A Batch Job (CCE-9212)

18. Deny Logon As A Service (CCE-9098)

19. Deny Logon Locally (CCE-9239)

20. Deny Logon Through Remote Desktop Services (CCE-9274)

21. Force Shutdown From A Remote System (CCE-9336)

22. Generate Security Audits (CCE-9226)

23. Impersonate a Client After Authentication (CCE-8467)

24. Increase a Process Working Set (CCE-9048)

25. Increase Scheduling Priority (CCE-8999)

26. Load And Unload Device Drivers (CCE-9135)

27. Lock Pages In Memory (CCE-9289)

28. Log On As A Batch Job (CCE-9320)

29. Log On As A Service (CCE-9461)

30. Manage Auditing And Security Log (CCE-9223)

31. Modify an object label (CCE-9149)

32. Modify Firmware Environment Values (CCE-9417)

33. Perform Volume Maintenance Tasks (CCE-8475)

34. Profile Single Process (CCE-9388)

35. Profile System Performance (CCE-9419)

36. Remove Computer From Docking Station (CCE-9326)

37. Replace A Process Level Token (CCE-8732)

38. Restore Files And Directories (CCE-9124)

39. Shut Down The System (CCE-9014)

40. Take Ownership Of Files Or Other Objects" (CCE-9309)

Security Options Settings Section Score: 0.00 of 0.63

1. Accounts: Administrator account status (CCE-9199)

2. Accounts: Guest account status (CCE-8714)

3.Accounts: Limit local account use to blank passwords to

console logon only (CCE-9418)

4. Accounts: Rename administrator account (CCE-8484)

5. Accounts: Rename guest account (CCE-9229)

6. Audit: Audit the access of global system objects (CCE-9150)

7.Audit: Audit the use of Backup and Restore privilege (CCE-

8789)

8.Audit: Force audit policy subcategory settings (Windows Vista

or later) to override audit policy category settings (CCE-9432)

9. Devices: Prevent users from installing printer drivers (CCE-9026)

10.Devices: Restrict CD-ROM access to locally logged-on user

only" (CCE-9304)

11.Devices: Restrict floppy access to locally logged-on user

only (CCE-9440)Domain member: Digitally encrypt or sign secure channel data

Security Guide wasproduced through acollaborative effort withDISA, NSA, and NIST,reflecting theconsensusrecommended settingsfrom DISA, NSA, andNIST. The Windows XPFDCC is based on USAir Force customizationof the SpecializedSecurity-LimitedFunctionality (SSLF)recommendations inNIST SP 800-68 andDoD customization ofthe recommendationsin Microsoft's SecurityGuide for InternetExplorer 7.0. Click herefor details.

What is the SecurityBenchmark Score? The Belarc Advisor hasaudited the security ofyour computer using abenchmark appropriateto your operatingsystem. The result is anumber between zeroand ten that gives ameasure of thevulnerability of yoursystem to potentialthreats. The higher thenumber the lessvulnerable your system.

How can you reduceyour securityvulnerability? Thelocal group policy editor(accessed by runningthe gpedit.msccommand) can be usedto configure securitysettings for yourcomputer. Windowshome editions don'tinclude that editor, butmost security settingscan also be made withregistry entriesinstead. Warning:Applying these securitysettings may cause someapplications to stopworking correctly. Backup your system prior toapplying these securitytemplates or apply thetemplates on a testsystem first. For domainmember computers,the benchmarkconfigurations areavailable from thebenchmark creator'sweb site as MicrosoftGroup Policy Object filesthat can be used withActive Directory. Followthe links above to theweb site of yourBenchmark's creator.















































































http://fdcc.nist.gov/



12. (always) (CCE-8974)

13.Domain member: Digitally encrypt secure channel data (when

possible) (CCE-9251)

14.Domain member: Digitally sign secure channel data (when

possible) (CCE-9375)

15.Domain member: Disable machine account password

changes (CCE-9295)

16.Domain member: Maximum machine account password

age (CCE-9123)

17.Domain member: Require strong (Windows 2000 or later) session

key (CCE-9387)

18. Interactive logon: Do not display last user name (CCE-9449)

19. Interactive logon: Do not require CTRL+ALT+DEL (CCE-9317)

20.Interactive logon: Message text for users attempting to log

on (CCE-8973)

21.Interactive logon: Message title for users attempting to log

on (CCE-8740)

22.Interactive logon: Number of previous logons to cache (in case

domain controller is not available) (CCE-8487)

23.Interactive logon: Prompt user to change password before

expiration (CCE-9307)

24.Interactive logon: Require Domain Controller authentication to

unlock workstation (CCE-8818)

25. Interactive logon: Smart card removal behavior (CCE-9067)

26.Microsoft network client: Digitally sign communications

(always) (CCE-9327)

27.Microsoft network client: Digitally sign communications (if

server agrees) (CCE-9344)

28.Microsoft network client: Send unencrypted password to third-

party SMB servers (CCE-9265)

29.Microsoft network server: Amount of idle time required before

suspending session (CCE-9406)

30.Microsoft network server: Digitally sign communications

(always) (CCE-9040)

31.Microsoft network server: Digitally sign communications (if

client agrees) (CCE-8825)

32.Microsoft network server: Disconnect clients when logon hours

expire (CCE-9358)

33.Microsoft network server: SPN Target name validation (CCE-

8503)

34.Network access: Allow anonymous SID-Name translation (CCE-

9531)

35.Network access: Do not allow anonymous enumeration of SAM

accounts (CCE-9249)

36.Network access: Do not allow anonymous enumeration of SAM

accounts and shares (CCE-9156)

37.Network access: Do not allow storage of passwords and

credentials for network authentication (CCE-8654)

38.Network access: Let Everyone permissions apply to anonymous
























































users (CCE-8936)

39.Network access: Named Pipes that can be accessed

anonymously - netlogon, lsarpc, samr, browser (CCE-9218)

40. Network access: Remotely accessible registry paths (CCE-9121)

41.Network access: Remotely accessible registry paths and sub

paths (CCE-9386)

42.Network access: Restrict anonymous access to Named Pipes and

Shares (CCE-9540)

43.Network access: Shares that can be accessed

anonymously (CCE-9196)

44.Network access: Sharing and security model for local

accounts (CCE-9503)

45.Network security: Allow Local System to use computer identity

for NTLM (CCE-9096)

46.Network security: Allow LocalSystem NULL session

fallback (CCE-8804)

47.Network Security: Allow PKU2U authentication requests to this

computer to use online identities (CCE-9770)

48.Network Security: Configure encryption types allowed for

Kerberos (CCE-9532)

49.Network security: Do not store LAN Manager hash value on

next password changes (CCE-8937)

50.Network security: Force logoff when logon hours expire (CCE-

9704)

51.Network security: LAN Manager Authentication Level (CCE-

8806)

52. Network security: LDAP client signing requirements (CCE-9768)

53.Network security: Minimum session security for NTLM SSP

based (including secure RPC) clients (CCE-9534)

54.Network security: Minimum session security for NTLM SSP

based (including secure RPC) servers (CCE-9736)

55.Recovery Console: Allow Automatic Administrative

Logon (CCE-8807)

56.Recovery Console: Allow Floppy Copy and Access to All Drives

and All Folders (CCE-8945)

57.Shutdown: Allow System to be Shut Down Without Having to

Log On (CCE-9707)

58. Shutdown: Clear Virtual Memory Pagefile (CCE-9222)

59.System Cryptography: Use FIPS compliant algorithms for

encryption, hashing, and signing (CCE-9266)

60.System objects: Require case insensitivity for non-Windows

subsystems (CCE-9319)

61.System objects: Strengthen default permissions of internal

system objects (CCE-9191)

62.User Account Control: Admin Approval Mode for the Built-in

Administrator account (CCE-8811)

63.User Account Control: Allow UIAccess application to prompt

for elevation without using the secure desktop (CCE-9301)

64.User Account Control: Behavior of the elevation prompt for

administrators in Admin Approval Mode (CCE-8958)

























































65.User Account Control: Behavior of the elevation prompt for

standard users (CCE-8813)

66.User Account Control: Detect application installations and

prompt for elevation (CCE-9616)

67.User Account Control: Only elevate executables that are signed

and validated (CCE-9021)

68.User Account Control: Only elevate UIAccess applications that

are installed in secure locations (CCE-9801)

69.User Account Control: Run all administrators in Admin Approval

Mode (CCE-9189)

70.User Account Control: Switch to the secure desktop when

prompting for elevation (CCE-9395)

71.User Account Control: Virtualize file and registry write failures to

per-user locations (CCE-8817)

72.MSS: (AutoAdminLogon) Enable Automatic Logon (Not

Recommended) (CCE-9342)

73.MSS: (DisableIPSourceRouting) IP source routing protection

level (protects against packet spoofing) (CCE-9496)

74.MSS: (DisableIPSourceRouting IPv6) IP source routing

protection level (protects against packet spoofing) (CCE-8655)

75.MSS: (EnableICMPRedirect) Allow ICMP redirects to override

OSPF generated routes (CCE-8513)

76.

MSS: (Hidden) Hide computer from the browse list (Not

Recommended except for highly secure environments) (CCE-

8560)

77.MSS: (KeepAliveTime)How often keep-alive packets are sent in

milliseconds (CCE-9426)

78.MSS: (NoDefaultExempt) Enable NoDefaultExempt for IPSec

Filtering (recommended) (CCE-9439)

79.

MSS: (NoNameReleaseOnDemand) Allow the computer to ignore

NetBIOS name release requests except from WINS servers (CCE-

8562)

80.

MSS: (PerformRouterDiscovery) Allow IRDP to detect and

configure DefaultGateway addresses (could lead to DoS) (CCE-

9458)

81.MSS: (SafeDllSearchMode) Enable Safe DLL search mode

(recommended) (CCE-9348)

82.MSS: (ScreenSaverGracePeriod) The time in seconds before the

screen saver grace period expires (0 recommended) (CCE-8591)

83.

MSS: (TCPMaxDataRetransmissions) How many timesunacknowledged data is retransmitted (3 recommended, 5 is

default) (CCE-9456)

84.

MSS: (TcpMaxDataRetransmissions IPv6) How many timesunacknowledged data is retransmitted (3 recommended, 5 is

default) (CCE-9487)

85.

MSS: (WarningLevel) Percentage threshold for the security

event log at which the system will generate a warning (CCE-

9501)

System Services Settings Section Score: 0.00 of 0.63














































1. Bluetooth Support Service (CCE-10661)

2.Fax Service (CCE-10150)

3. HomeGroup Listener (CCE-10543)

4. Homegroup Provider (CCE-9910)

5. Media Center Extender (CCE-10699)

6. Parental Controls Service (CCE-10311)

Audit Policy Settings Section Score: 0.00 of 0.63

1. Application Group Management (CCE-8822)

2. Computer Account Management (CCE-9498)

3. Distribution Group Management (CCE-9644)

4. Other Account Management Events (CCE-9657)

5. Security Group Management (CCE-9692)

6. User Account Management (CCE-9542)

7. DPAPI Activity (CCE-9735)

8. Process Creation (CCE-9562)

9. Process Termination (CCE-9227)

10. RPC Events (CCE-9492)

11. Detailed Directory Service Replication (CCE-9628)

12. Directory Service Access (CCE-9765)

13. Directory Service Changes (CCE-9734)

14. Directory Service Replication (CCE-9637)

15. Account Lockout (CCE-8853)

16. IPsec Extended Mode (CCE-9661)

17. IPsec Main Mode (CCE-10939)

18. IPsec Quick Mode (CCE-9632)

19. Logoff (CCE-8856)

20. Logon (CCE-9683)

21. Other Logon/Logoff Events (CCE-9622)

22. Special Logon (CCE-9763)

23. Application Generated (CCE-9816)

24. Certification Services (CCE-9460)

25. File Share (CCE-9376)

26. File System (CCE-9217)

27. Filtering Platform Connection (CCE-9728)

28. Filtering Platform Packet Drop (CCE-9133)

29. Handle Manipulation (CCE-9789)

30. Kernel Object (CCE-9803)

31. Other Object Access Events (CCE-9455)

32. Registry (CCE-9737)

33. SAM (CCE-9856)

34. Audit Policy Change (CCE-10021)

35. Authentication Policy Change (CCE-9976)






















































































36. Authorization Policy Change (CCE-9633)

37. Filtering Platform Policy Change (CCE-9902)

38. MPSSVC Rule-Level Policy Change (CCE-9153)

39. Other Policy Change Events (CCE-9596)

40. Non Sensitive Privilege Use (CCE-9190)

41. Other Privilege Use Events (CCE-9988)

42. Sensitive Privilege Use (CCE-9878)

43. IPsec Driver (CCE-9925)

44. Other System Events (CCE-9586)

45. Security State Change (CCE-9850)

46. Security System Extension (CCE-9863)

47. System Integrity (CCE-9520)

Computer Configuration -Administrative Templates - NetworkConnections

Section Score: 0.00 of 0.63

1. Turn on Mapper I/O (LLTDIO) driver (CCE-9783)

2. Turn on Responder (RSPNDR) driver (CCE-10059)

3.Turn Off Microsoft Peer-to-Peer Networking Services (CCE-

10438)

4.Prohibit installation and configuration of Network Bridge on

your DNS domain network (CCE-9953)

5.Require Domain users to elevate when setting a networks

location (CCE-10359)

6. Route all traffic through the internal network (CCE-10509)

7. _6to4 State (CCE-10266)

8. ISATAP State (CCE-10130)

9. Teredo State (CCE-10011)

10. IP HTTPS (CCE-10764)

11.Configuration of Wireless Settings Using Windows Connect

Now (CCE-9879)

12.Prohibit Access of the Windows Connect Now Wizards (CCE-

10778)

13.Extend point and print connection to search Windows update

and use alternate connection if needed (CCE-10782)

Computer Configuration -Administrative Templates - SystemSettings


1. Allow remote access to the PnP interface (CCE-10769)

2.Do not send a Windows Error Report when a generic driver is

installed on a device (CCE-9901)

3.

Prevent creation of a system restore point during device activity

that would normally promp creation of a restore point. (CCE-

10553)

4. Prevent device metadata retrieval from the internet (CCE-10165)

5.Specify search order for device driver source locations (CCE-

9919)

































































6. Registry Policy (CCE-9361)

7. Turn off downloading of print drivers over HTTP (CCE-9195)

8. Turn off event views (Events.asp) links (CCE-9819)

9. Turn off handwriting personalization data sharing (CCE-10645)

10. Turn off handwriting recognition error reporting (CCE-10645)

11.Turn off Internet connection wizard if URL connection is

referring to Microsoft.com (CCE-10649)

12.Turn off Internet download for Web publishing and online

ordering wizards (CCE-9674)

13. Turn off Internet file association service (CCE-10795)

14. Turn off printing over HTTP (CCE-10061)

15.Turn off registration if URL connection is referring to

Microsoft.com (CCE-10160)

16. Turn off Search Companion content file updates (CCE-10140)

17. Turn off the Order Prints picture task (CCE-9823)

18. Turn off the Publish to Web task for files and folders (CCE-9643)

19.Turn off the Windows Messenger Customer Experience

Improvement Program (CCE-9559)

20. Turn Off Windows Error Reporting (CCE-10441)

21. Always Use Classic Logon (CCE-10591)

22. Do not process the run once list (CCE-10154)

23.Require a Password when a Computer Wakes (On Battery) (CCE-

9829)

24.Require a Password when a Computer Wakes (Plugged) (CCE-

9670)

25. Offer Remote Assistance (CCE-9960)

26. Solicited Remote Assistance (CCE-9506)

27. Turn on session logging (CCE-10344)

27. Restrictions for Unauthenticated RPC clients (CCE-9396)

29. RPC Endpoint Mapper Client Authentication (CCE-10181)

Computer Configuration -Administrative Templates - System -Troubleshooting and Diagnostics


1.Microsoft support diagnostic tool: turn on msdt interactive

communication with support provider (CCE-9842)

2.

Troubleshooting: allow user to access online troubleshootingcontent on Microsoft server from the troubleshooting control

panel (CCE-10606)

3. Enable or disable perftrack (CCE-10219)

Computer Configuration -Administrative Templates - WindowsComponents


1. Confidure Windows NTP client (CCE-10500)

2. Turn off program inventory (CCE-10787)

3. Default behavior for autorun (CCE-10527)

































































4. Turn off Autoplay (CCE-9528)

5. Turn off autoplay for non volume devices (CCE-10655)

6. Enumerate administrator accounts on elevation (CCE-9938)

7. Do not allow digital locker to run (CCE-10759)

8. Override the More Gadgets Lnk (CCE-9857)

9.Disable unpacking and installation of gadgets that are not

digitally signed (CCE-10811)

10. Turn Off User Installed Windows Sidebar Gidgets (CCE-10586)

11. Maximum Application Log Size (CCE-9603)

12. Maximum Security Log Size (CCE-9967)

13. Maximum Setup Log Size (CCE-10714)

14. Maximum Setup Log Size (CCE-10156)

15. Turn Off Downloading of Game Information (CCE-10828)

16. Turn off game updates (CCE-10850)

17. Prevent the computer from joining a Homegroup (CCE-10183)

18. Disable remote desktop sharing (CCE-10763)

19. Do not allow passwords to be saved (CCE-10090)

20.Allow users to connect remotely using Remote Desktop

Services (CCE-9985)

21.Always prompt client for password upon connection (CCE-

10103)

22. Set client connection encryption level (CCE-9764)

23.Set a time limit for active but idle Terminal Services

sessions (CCE-10608)

24. Set a time limit for disconnected sessions (CCE-9858)

25. Do not delete temp folders upon exit (CCE-10856)

26. Do not use temporary folders per session (CCE-9864)

27. Turn off downloading of enclosures (CCE-10730)

28. Allow indexing of encrypted files (CCE-10496)

29. Enable indexing uncached Exchange folders (CCE-9866)

30. Prevent Windows anytime upgrade from running (CCE-10137)

31. Configure Microsoft SpyNet Reporting (CCE-9868)

32. Disable Logging (CCE-10157)

33. Disable Windows Error Reporting (CCE-9914)

34. Display Error Notification (CCE-10709)

35. Do Not Send Additional Data (CCE-10824)

36. Turn off data execution prevention for explorer (CCE-9918)

37. Turn off Heap termination on corruption (CCE-9874)

38. Turn off shell protocol protected mode (CCE-10623)

39.Disable IE security prompt for Windows Installer scripts (CCE-

9875)

40. Enable user control over installs (CCE-9876)

41.Prohibit non-administrators from applying vendor signed

updates (CCE-9888)















































































42. Report Logon Server Not Available During User logon (CCE-

9907)

43. Turn off the communities features (CCE-11252)

44.windows_mail_application_manual_launch_permitted_var (CCE-

10882)

45. Prevent Windows Media DRM Internet Access (CCE-9908)

46. Do Not Show First Use Dialog Boxes (CCE-10692)

47. Prevent Automatic Updates (CCE-10602)

48. Configure automatic updates (CCE-9403)

49.

Reschedule automatic updates scheduled installation (CCE-

10205)

50.No auto restart with logged on users for scheduled automatic

updates installations (CCE-9672)

51.Do not display 'Install updates and shut down option' in shut

down windows dialog box (CCE-9464)52. Games are not installed

53. Internet Information Services

54. Simple TCPIP Services

55. Telnet Client

56. Telnet Server

57. TFTP Client

58. Windows Media Center

Security Patches Section Score: 0.00 of 0.63

1. Security Patches Up-To-Date

Windows Firewall Inbound Rules Section Score: 0.00 of 0.63

1.Core Networking - Dynamic Host Configuration Protocol (DHCP-

In) (CCE-14986)

2.Core Networking - Dynamic Host Configuration Protocol

(DHCPV6-In) (CCE-14854)

Windows Firewall with AdvancedSecurity - Domain Profile


1. Log Dropped Packets (CCE-10502)

2. Logged Successful Connections (CCE-10268)

3. Name (CCE-10022)

4. Size Limit (CCE-9747)

5. Display a Notification (CCE-9774)

6. Apply Local Connection Security Rules (CCE-9329)

7. Apply Local Firewall Rules (CCE-9686)

8. Allow Unicast Response (CCE-9069)

9. Firewall state (CCE-9465)

10. Inbound Connections (CCE-9620)

11. Outbound Connections (CCE-9509)

Windows Firewall with AdvancedSecurity - Private Profile























http://www.belarc.com/Advisor2/CISWebDocs/Win7-USGCB-V1.0.1.0.htm#S_









http://www.belarc.com/Advisor2/CISWebDocs/Win7-USGCB-Firewall-V1.0.1.0.htm#S0

http://www.belarc.com/Advisor2/CISWebDocs/Win7-USGCB-Firewall-V1.0.1.0.htm#S_CCE-14986-4

































3. Name (CCE-10386)









Windows Firewall with AdvancedSecurity - Public Profile




3. Name (CCE-9926)









Internet Explorer 8 - Local ComputerPolicy


1. Disable Configuring History - Local Computer (CCE-10387)

2.Disable Changing Automatic Configuration Settings - Local

Computer (CCE-10638)

3.Do Not Allow Users to enable or Disable Add-Ons - Local


4.Make proxy settings per-machine (rather than per-user) - Local

Computer (CCE-9870)

5.Prevent participation in the Customer Experience Improvement

Programs - Local Computer (CCE-10522)

6.Prevent performance of First Run Customize settings - Local


7.Security Zones: Do Not Allow Users to Add/Delete Sites - Local


8.Security Zones: Do Not Allow Users to Change Policies - Local


9.Security Zones: Use Only Machine Settings - Local


10. Turn Off Crash Detection - Local Computer (CCE-10594)

11.Turn Off Managing SmartScreen Filter - Local Computer (CCE-

9973)Turn Off the Security Settings Check Feature - Local












































http://www.belarc.com/Advisor2/CISWebDocs/IE8-USGCB-V1.0.1.0.htm#S0

http://www.belarc.com/Advisor2/CISWebDocs/IE8-USGCB-V1.0.1.0.htm#S_CCE-10387-9

























12. Computer (CCE-10607)

13.Include updated Web site lists from Microsoft - Local


14.Configure Delete Browsing History on exit - Local


15.Prevent Deleting Web sites that the User has Visited - Local


16. Turn off InPrivate Browsing - Local Computer (CCE-9885)

17.Allow Active Content from CDs to Run on User Machine - Local


18.Allow Software to Run or Install Even if the Signature is Invalid -

Local Computer (CCE-10052)

19.

Allow Third-Party Browser Extensions - Local Computer (CCE-

9905)

20.Automatically Check for Internet Explorer Updates - Local


21.Check for Server Certificate Revocation - Local Computer (CCE-

10074)

22.Check for signatures on downloaded programs - Local Computer

- variable (CCE-10055)

23.Intranet Sites: Include all network paths (UNCs) - Local

Computer (CCE-9660)

24.Access Data Sources Across Domains - Internet Zone - Local


25.Allow cut, copy or paste operations from the clipboard via script

- Internet Zone - Local Computer (CCE-10002)

26.Allow drag and drop or copy and paste files - Internet Zone -


27.Allow Font Downloads - Internet Zone - Local Computer (CCE-

10403)

28.Allow installation of desktop items - Internet Zone - Local

Computer (CCE-9790)

29.Allow scripting of Internet Explorer web browser control -

Internet Zone - Local Computer (CCE-9779)

30.Allow script-initiated windows without size or position

constraints - Internet Zone - Local Computer (CCE-9882)

31. Allow Scriptlets - Internet Zone - Local Computer (CCE-10685)

32.Allow status bar updates via script - Internet Zone - Local

Computer (CCE-9750)

33.Automatic prompting for file downloads - Internet Zone - Local


34.Download signed ActiveX controls - Internet Zone - Local

Computer (CCE-9917)

35.Download unsigned ActiveX controls - Internet Zone - Local


36.Include local directory path when uploading files to a server -


37.Initialize and script ActiveX controls not marked as safe -























































38. Java permissions - Internet Zone - Local Computer (CCE-10182)

39.Launching applications and files in an IFRAME - Internet Zone -


40.Launching programs and unsafe files - Internet Zone - Local


41. Logon Options - Internet Zone - Local Computer (CCE-10472)

42.Loose XAML files - Internet Zone - Local Computer (CCE-

10672)

43.Navigate windows and frames across different domains - Internet

Zone - Local Computer (CCE-9865)

44.Only allow approved domains to use ActiveX controls without

prompt - Internet Zone - Local Computer (CCE-9793)

45.Open files based on content, not file extension - Internet Zone -


46.Run .NET Framework-reliant components not signed with

Authenticode - Internet Zone - Local Computer (CCE-10515)

47.Run .NET Framework-reliant components signed with

Authenticode - Internet Zone - Local Computer (CCE-10625)

48.Software channel permissions - Internet Zone - Local


49.Turn Off First-Run Opt-In - Internet Zone - Local


50.Turn on Cross-Site Scripting (XSS) Filter - Internet Zone - Local


51.Turn On Protected Mode - Internet Zone - Local


52.Use Pop-up Blocker - Internet Zone - Local Computer (CCE-

10486)

53.Userdata Persistence - Internet Zone - Local Computer (CCE-

10200)

54.Web sites in less privileged Web content zones can navigate

into this zone - Internet Zone - Local Computer (CCE-10622)

55. Java permissions - Intranet Zone - Local Computer (CCE-10566)

56.Java permissions - Local Machine Zone - Local Computer (CCE-

10319)

57.Download Signed ActiveX Controls - Locked Down Internet


58.Java permissions - Locked Down Internet Zone - Local


59.Java permissions - Locked Down Intranet Zone - Local


60.Java permissions - Locked Down Local Machine - Local


61.Java permissions - Locked Down Restricted Sites Zone - Local


62.Java permissions - Locked Down Trusted Sites Zone - Local
























































63. Access Data Sources Across Domains - Restricted Sites Zone -


64.Allow Active Scripting - Restricted Sites Zone - Local


65.Allow Binary and Script Behaviors - Restricted Sites Zone -


66.Allow cut, copy or paste operations from the clipboard via script

- Restricted SitesZone - Local Computer (CCE-10539)

67.

Allow drag and drop or copy and paste files - Restricted Sites


68.Allow File Downloads - Restricted Sites Zone - Local


69.Allow Font Downloads - Restricted Sites Zone - Local

Computer (CCE-9982)

70.Allow installation of desktop items - Restricted Sites Zone -


71.Allow scripting of Internet Explorer web browser control -

Restricted Sites Zone - Local Computer (CCE-10725)

72.Allow META REFRESH - Restricted Sites Zone - Local


73.Allow script-initiated windows without size or position

constraints - Restricted Sites Zone - Local Computer (CCE-9814)

74.Allow Scriptlets - Restricted Sites Zone - Local Computer (CCE-

10630)

75.Allow status bar updates via script - Restricted Sites Zone -


76.Automatic prompting for file downloads - Restricted Sites Zone -


77.Download signed ActiveX controls - Restricted Sites Zone -


78.Download unsigned ActiveX controls - Restricted Sites Zone -


79.Include local directory path when uploading files to a server -


80.Initialize and script ActiveX controls not marked as safe -


81.Java permissions - Restricted Sites Zone - Local Computer (CCE-

10620)

82.Launching applications and files in an IFRAME - Restricted Sites


83.Launching programs and unsafe files - Restricted Sites Zone -


84.Logon Options - Restricted Sites Zone - Local Computer (CCE-

10651)

85.Loose XAML files - Restricted Sites Zone - Local


86.Navigate sub-frames across different domains - Restricted Sites

Zone - Local Computer (CCE-10642)Only allow approved domains to use ActiveX controls without




















































87. prompt - Restricted Sites Zone - Local Computer (CCE-9832)

88.Open files based on content, not file extension - Restricted Sites


89.

Run .NET Framework-reliant components not signed with

Authenticode - Restricted Sites Zone - Local Computer (CCE-

9898)

90.

Run .NET Framework-reliant components signed with

Authenticode - Restricted Sites Zone - Local Computer (CCE-

9673)

91.Run ActiveX controls and plugins - Restricted Sites Zone - Local

Computer (CCE-9792)

92.Script ActiveX controls marked safe for scripting - Restricted

Sites Zone - Local Computer (CCE-10554)

93.Scripting of Java Applets - Restricted Sites Zone - Local


94.Software channel permissions - Restricted Sites Zone - Local

Computer (CCE-9669)

95.Turn Off First-Run Opt-In - Restricted Sites Zone - Local


96.Turn on Cross-Site Scripting (XSS) Filter - Restricted Sites Zone

- Local Computer (CCE-10105)

97.Turn On Protected Mode - Restricted Sites Zone - Local

Computer (CCE-9945)

98.Use Pop-up Blocker - Restricted Sites Zone - Local


99.Userdata Persistence - Restricted Sites Zone - Local

Computer (CCE-9760)

100.

Web sites in less privileged Web content zones can navigate

into this zone - Restricted Sites Zone - Local Computer (CCE-

10609)

101.Java permissions - Trusted Sites Zone - Local Computer (CCE-

10696)

102.

Turn Off changing the URL to be displayed for checking updates

to Internet Explorer and Internet Tools - Local Computer (CCE-

10595)

103.Turn Off Configuring the Update Check Interval (In Days) -


104.Internet Explorer Processes - Consistent Mime Handling - Local


105.Internet Explorer Processes - Mime Sniffing Safety Feature -


106.Internet Explorer Processes - MK Protocol Security Restriction -


107.Internet Explorer Processes - Protection From Zone Elevation -


108.Internet Explorer Processes - Restrict ActiveX Install - Local


109.Internet Explorer Processes - Restrict File Download - Local


















































110. Internet Explorer Processes - Scripted Window Security

Restrictions - Local Computer (CCE-10604)

Copyright 2000-13, Belarc, Inc. All rights reserved. Legal notice. U.S. Patents 5665951, 6085229 and Patents pending.



http://www.belarc.com/Advisor2/legal_notice.html

security benchmark score details...the information on this page was created locally on your computer...

Documents