| Vulnerability ID | Severity | Description |
|---|---|---|
| V-220706 | High | Windows 10 systems must be maintained at a supported servicing level |
| V-220832 | Medium | Windows 10 administrator accounts must not be enumerated during elevation |
| V-220743 | Medium | The maximum password age must be configured to 60 days or less. |
| V-220911 | Medium | The built-in administrator account must be renamed |
| V-220745 | Medium | Passwords must, at a minimum, be 14 characters |
| V-220744 | Medium | The minimum password age must be configured to at least 1 day |
| V-220826 | Low | The Application Compatibility Program Inventory must be prevented from collecting data and sendin... |
| V-220912 | Medium | The built-in guest account must be renamed |
| V-220971 | Medium | The Deny log on locally user right on workstations must be configured to prevent access from high... |
| V-220973 | Medium | The Enable computer and user accounts to be trusted for delegation user right must not be assigne... |
| V-220910 | Medium | Local accounts with blank passwords must be restricted to prevent access from the network |
| V-220799 | Medium | Local administrator accounts must have their privileged token filtered to prevent elevated privil... |
| V-220908 | Medium | The built-in administrator account must be disabled |
| V-220909 | Medium | The built-in guest account must be disabled |
| V-220708 | High | Local volumes must be formatted using NTFS |
| V-220855 | Medium | Indexing of encrypted files must be turned off |
| V-220960 | Medium | The Back up files and directories user right must only be assigned to the Administrators group |
| V-220766 | Medium | The system must be configured to audit Object Access - Removable Storage successes |
| V-220739 | Medium | Windows 10 account lockout duration must be configured to 15 minutes or greater |
| V-220810 | Medium | Windows 10 must be configured to enable Remote host allows delegation of non-exportable credentials |
| V-220859 | Medium | Automatically signing in the last interactive user after a system-initiated restart must be disabled |
| V-220746 | Medium | The built-in Microsoft password complexity filter must be enabled |
| V-220741 | Medium | The period of time before the bad logon counter is reset must be configured to 15 minutes |
| V-220747 | High | Reversible password encryption must be disabled |
| V-220917 | Low | The computer account password must not be prevented from being reset |
| V-220740 | Medium | The number of allowed bad logon attempts must be configured to 3 or less |
| V-220944 | Medium | User Account Control approval mode for the built-in Administrator must be enabled |
| V-220947 | Medium | User Account Control must automatically deny elevation requests for standard users |
| V-220950 | Medium | User Account Control must run all administrators in Admin Approval Mode, enabling UAC |
| V-220948 | Medium | User Account Control must be configured to detect application installations and prompt for elevation |
| V-220951 | Medium | User Account Control must virtualize file and registry write failures to per-user locations |
| V-220945 | Medium | User Account Control must, at minimum, prompt administrators for consent on the secure desktop |
| V-220949 | Medium | User Account Control must only elevate UIAccess applications that are installed in secure locations |
| V-220821 | Medium | Users must be prompted for a password on resume from sleep (on battery) |
| V-220822 | Medium | The user must be prompted for a password on resume from sleep (plugged in) |
| V-220809 | Medium | Command line data must be included in process creation events |
| V-220779 | Medium | The Application event log size must be configured to 32768 KB or greater |
| V-220780 | Medium | The Security event log size must be configured to 1024000 KB or greater |
| V-220781 | Medium | The System event log size must be configured to 32768 KB or greater |
| V-220913 | Medium | Audit policy using subcategories must be enabled |
| V-220783 | Medium | Windows 10 permissions for the Security event log must prevent access by non-privileged accounts |
| V-220784 | Medium | Windows 10 permissions for the System event log must prevent access by non-privileged accounts |
| V-220827 | High | Autoplay must be turned off for non-volume devices |
| V-220829 | High | Autoplay must be disabled for all drives |
| V-220828 | Medium | The default autorun behavior must be configured to prevent autorun commands |
| V-220800 | Medium | WDigest Authentication must be disabled |
| V-220967 | High | The Debug programs user right must only be assigned to the Administrators group |
| V-220812 | High | Credential Guard must be running on Windows 10 domain-joined systems |
| V-220923 | Low | Caching of logon credentials must be limited |
| V-220814 | Medium | Group Policy objects must be reprocessed even if they have not changed |
| V-250319 | Medium | Hardened UNC paths must be defined to require mutual authentication and integrity for at least th... |
| V-220820 | Medium | Local users on domain-joined computers must not be enumerated |
| V-220918 | Low | The maximum age for machine account passwords must be configured to 30 days or less |
| V-220939 | Medium | The system must be configured to the required LDAP client signing level |
| V-220727 | High | Structured Exception Handling Overwrite Protection (SEHOP) must be enabled |
| V-220839 | Medium | File Explorer shell protocol must run in protected mode |
| V-220707 | High | The Windows 10 system must use an anti-virus program |
| V-220815 | Medium | Downloading print driver packages over HTTP must be prevented |
| V-220813 | Medium | Early Launch Antimalware, Boot-Start Driver Initialization Policy must prevent boot drivers |
| V-220718 | High | Internet Information System (IIS) or its subcomponents must not be installed on a workstation |
| V-220920 | Medium | The machine inactivity limit must be set to 15 minutes, locking the system with the screensaver |
| V-220817 | Medium | Printing over HTTP must be prevented |
| V-220823 | High | Solicited Remote Assistance must not be allowed |
| V-220836 | Medium | The Windows Defender SmartScreen for Explorer must be enabled |
| V-220724 | Medium | A host-based firewall must be installed and enabled on the system |
| V-220854 | Medium | Basic authentication for RSS feeds over HTTP must not be used |
| V-220819 | Medium | The network selection user interface (UI) must not be displayed on the logon screen |
| V-220853 | Medium | Attachments must be prevented from being downloaded from RSS feeds |
| V-220921 | Medium | The required legal notice must be configured to display before console logon |
| V-220844 | Medium | The Windows Defender SmartScreen filter for Microsoft Edge must be enabled |
| V-220841 | Medium | Users must not be allowed to ignore Windows Defender SmartScreen filter warnings for unverified f... |
| V-220840 | Medium | Users must not be allowed to ignore Windows Defender SmartScreen filter warnings for malicious we... |
| V-220929 | High | Anonymous enumeration of SAM accounts must not be allowed |
| V-220930 | High | Anonymous enumeration of shares must be restricted |
| V-220802 | Medium | Insecure logons to an SMB server must be disabled |
| V-220936 | Medium | Kerberos encryption types must be configured to prevent the use of DES and RC4 encryption suites |
| V-220937 | High | The system must be configured to prevent the storage of the LAN Manager hash of passwords |
| V-220731 | Medium | The Server Message Block (SMB) v1 protocol must be disabled on the SMB client |
| V-220730 | Medium | The Server Message Block (SMB) v1 protocol must be disabled on the SMB server |
| V-220934 | Medium | NTLM must be prevented from falling back to a Null session |
| V-220932 | High | Anonymous access to Named Pipes and Shares must be restricted |
| V-220933 | Medium | Remote calls to the Security Account Manager (SAM) must be restricted to Administrators |
| V-220926 | Medium | Unencrypted passwords must not be sent to third-party SMB Servers |
| V-220795 | Medium | IPv6 source routing must be configured to highest protection |
| V-220720 | Medium | Simple TCP/IP Services must not be installed on the system |
| V-220742 | Medium | The password history must be configured to 24 passwords remembered |
| V-220716 | Medium | Accounts must be configured to require password expiration |
| V-220860 | Medium | PowerShell script block logging must be enabled on Windows 10 |
| V-220728 | Medium | The Windows PowerShell 2.0 feature must be disabled on the system |
| V-220834 | Medium | Windows Telemetry must not be configured to Full |
| V-220850 | Medium | Remote Desktop Services must always prompt a client for passwords upon connection |
| V-220852 | Medium | Remote Desktop Services must be configured with the client connection encryption set to the requi... |
| V-220848 | Medium | Passwords must not be saved in the Remote Desktop Client |
| V-220824 | Medium | Unauthenticated RPC clients must be restricted from connecting to the RPC server |
| V-220863 | Medium | The Windows Remote Management (WinRM) client must not allow unencrypted traffic |
| V-220862 | High | The Windows Remote Management (WinRM) client must not use Basic authentication |
| V-220868 | Medium | The Windows Remote Management (WinRM) client must not use Digest authentication |
| V-220865 | High | The Windows Remote Management (WinRM) service must not use Basic authentication |
| V-220902 | Medium | Windows 10 Kernel (Direct Memory Access) DMA Protection must be enabled |
| V-220811 | Medium | Virtualization Based Security must be enabled on Windows 10 with the platform security level conf... |
| V-220857 | High | The Windows Installer Always install with elevated privileges must be disabled |
| V-220856 | Medium | Users must be prevented from changing installation options |
| V-220858 | Medium | Users must be notified if a web-based program attempts to install software |
| V-220726 | High | Data Execution Prevention (DEP) must be configured to at least OptOut |
| V-220837 | Medium | Explorer Data Execution Prevention must be enabled |
| V-220903 | Medium | The DoD Root CA certificates must be installed in the Trusted Root Store |
| V-220721 | Medium | The Telnet Client must not be installed on the system |
| V-220722 | Medium | The TFTP Client must not be installed on the system |
| V-220700 | Low | Secure Boot must be enabled on Windows 10 systems |
| V-220835 | Low | Windows Update must not obtain updates from other PCs on the internet |
| V-220867 | Medium | The Windows Remote Management (WinRM) service must not store RunAs credentials |
| V-220952 | Medium | Passwords for enabled local Administrator accounts must be changed at least every 60 days |
| V-220737 | High | Administrative accounts must not be used with applications that access the Internet, such as web ... |
| V-220713 | Medium | Only accounts responsible for the backup operations must be members of the Backup Operators group |
| V-220705 | Medium | The operating system must employ a deny-all, permit-by-exception policy to allow the execution of... |
| V-220698 | Medium | Windows 10 domain-joined systems must have a Trusted Platform Module (TPM) enabled and ready for use |
| V-220699 | Medium | Windows 10 systems must have Unified Extensible Firmware Interface (UEFI) firmware and be configu... |
| V-220750 | Medium | The system must be configured to audit Account Management - Security Group Management successes |
| V-220752 | Medium | The system must be configured to audit Account Management - User Account Management successes |
| V-220751 | Medium | The system must be configured to audit Account Management - User Account Management failures |
| V-220756 | Medium | The system must be configured to audit Logon/Logoff - Group Membership successes |
| V-220757 | Medium | The system must be configured to audit Logon/Logoff - Logoff successes |
| V-220759 | Medium | The system must be configured to audit Logon/Logoff - Logon successes |
| V-220758 | Medium | The system must be configured to audit Logon/Logoff - Logon failures |
| V-220760 | Medium | The system must be configured to audit Logon/Logoff - Special Logon successes |
| V-220763 | Medium | Windows 10 must be configured to audit Object Access - Other Object Access Events successes |
| V-220764 | Medium | Windows 10 must be configured to audit Object Access - Other Object Access Events failures |
| V-220765 | Medium | The system must be configured to audit Object Access - Removable Storage failures |
| V-220767 | Medium | The system must be configured to audit Policy Change - Audit Policy Change successes |
| V-220768 | Medium | The system must be configured to audit Policy Change - Authentication Policy Change successes |
| V-220769 | Medium | The system must be configured to audit Policy Change - Authorization Policy Change successes |
| V-220771 | Medium | The system must be configured to audit Privilege Use - Sensitive Privilege Use successes |
| V-220770 | Medium | The system must be configured to audit Privilege Use - Sensitive Privilege Use failures |
| V-220773 | Medium | The system must be configured to audit System - Other System Events successes |
| V-220774 | Medium | The system must be configured to audit System - Other System Events failures |
| V-220775 | Medium | The system must be configured to audit System - Security State Change successes |
| V-220776 | Medium | The system must be configured to audit System - Security System Extension successes |
| V-220778 | Medium | The system must be configured to audit System - System Integrity successes |
| V-220777 | Medium | The system must be configured to audit System - System Integrity failures |
| V-220749 | Medium | The system must be configured to audit Account Logon - Credential Validation successes |
| V-220748 | Medium | The system must be configured to audit Account Logon - Credential Validation failures |
| V-220754 | Medium | The system must be configured to audit Detailed Tracking - Process Creation successes |
| V-220755 | Medium | The system must be configured to audit Logon/Logoff - Account Lockout failures |
| V-252896 | Medium | PowerShell Transcription must be enabled on Windows 10 |
| V-220919 | Medium | The system must be configured to require a strong session key |
| V-220924 | Medium | The Smart Card removal option must be configured to Force Logoff or Lock Workstation |
| V-220935 | Medium | PKU2U authentication using online identities must be prevented |
| V-220942 | Medium | The system must be configured to use FIPS-compliant algorithms for encryption, hashing, and signing |
| V-220955 | Medium | Zone information must be preserved when saving attachments |
| V-220797 | Low | The system must be configured to prevent Internet Control Message Protocol (ICMP) redirects from ... |
| V-220798 | Low | The system must be configured to ignore NetBIOS name release requests except from WINS servers |
| V-220943 | Low | The default permissions of global system objects must be increased |
| V-220922 | Low | The Windows dialog box title for the legal banner must be configured |
| V-220838 | Low | Turning off File Explorer heap termination on corruption must be disabled |
| V-220928 | High | Anonymous SID/Name translation must not be allowed |
| V-220958 | High | The Act as part of the operating system user right must not be assigned to any groups or accounts |
| V-220963 | High | The Create a token object user right must not be assigned to any groups or accounts |
| V-220733 | Medium | Orphaned security identifiers (SIDs) must be removed from user rights on Windows 10 |
| V-220957 | Medium | The Access this computer from the network user right must only be assigned to the Administrators ... |