Unsupported content

This version of the documentation is no longer supported. However, the documentation is available for your convenience.

Properties in the custom CIS property class

The following CIS properties are included in the custom CIS property class. Tailor these property values to the unique needs of your local system.

Property: ACCESS_THIS_COMPUTER_FROM_NETWORK
Description: Additional users on the network that are allowed to connect to this computer. Separate multiple account names with commas.
Default value:
  For Member Server: BUILTIN\Administrators, NT AUTHORITY\Authenticated Users
  For Domain Controller: BUILTIN\Administrators, NT AUTHORITY\Authenticated Users, NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS

Property: ACCOUNT_LOCKOUT_THRESHOLD
Description: The number of failed logon attempts allowed before a user is locked out of an account.
Default value:
  For Enterprise Client (EC) security: 15
  For SSLF: 10

Property: ADD_WORKSTATION_TO_DOMAIN
Description: Users that are allowed to add computer workstations to a specific domain.
Default value:
  For Domain Controller: BUILTIN\Administrators
  No default value for Member Server

Property: ANONYMOUS_ENUMERATION_OF_SAM_ACCOUNTS_AND_SHARES
Description: Anonymous enumeration of SAM accounts and shares.
Default value: 1

Property: ANONYMOUS_NAMED_PIPES
Description: The communication sessions, or pipes, whose attributes and permissions allow anonymous access.
Default value:
  For Domain Controller with SSLF: netlogon,lsarpc,samr,browser
  For Member Server with SSLF: browser
  No default value for EC security

Property: BYPASS-SERVER-CHECKING
Description: Users without the Traverse Folder access permission who are allowed to pass through folders as they browse NTFS or the registry.
Default value:
  None for Domain Controller with EC
  For Member Server with EC: NT AUTHORITY\LOCAL SERVICE, NT AUTHORITY\NETWORK SERVICE, BUILTIN\Administrators, NT AUTHORITY\Authenticated Users, BUILTIN\Backup Operators
  For Domain Controller with SSLF: NT AUTHORITY\LOCAL SERVICE, NT AUTHORITY\NETWORK SERVICE, NT AUTHORITY\Authenticated Users
  For Member Server with SSLF: NT AUTHORITY\LOCAL SERVICE, NT AUTHORITY\NETWORK SERVICE, BUILTIN\Administrators, NT AUTHORITY\Authenticated Users

Property: CIS_LEGAL_NOTICE_TEXT
Description: The text message that is displayed when a user logs on.
Default value: No default value; replace with the legal text title of your organization.

Property: CIS_LEGAL_TITLE_TEXT
Description: The text that appears in the title bar of the windows displayed when a user logs on to the system.
Default value: No default value; replace with the legal text title of your organization.

Property: DEBUG_PROGRAMS
Description: User accounts that are allowed to attach a debugger to any process or to the kernel. A debugger allows a user to view and manipulate the memory and execution context of any process.
Default value:
  On Member Server with EC: BUILTIN\Administrators
  Otherwise, no default value

Property: DO_NOT_ALLOW_ANONYMOUS_ENUM_OF_SAM_ACCOUNTS_AND_SHARES
Description: Do not allow anonymous enumeration of SAM accounts and shares.
Default value: 1

Property: FORCE_SHUTDOWN_FROM_REMOTE_SYSTEM
Description: Do not allow anonymous enumeration of SAM accounts and shares.
Default value: (none listed)

Property: FORCE_STRONG_KEY_PROTECT
Description: Force strong key for protection.
Default value: (none listed)

Property: GENERATE_SECURITY_AUDITS
Description: Users that are allowed to produce audit records in the Security log.
Default value:
  NT AUTHORITY\LOCAL SERVICE, NT AUTHORITY\NETWORK SERVICE
  No default value on Domain Controller with EC security

Property: IS_REM_SSLF
Description: Used in the remediation of auditpol rules.
Default value: (none listed)

Property: LAN_MANAGER_AUTHENTICATION_LEVEL
Description: LAN Manager authentication.
Default value: (none listed)

Property: MANAGE_AUDITING_AND_SECURITY_LOG
Description: Name of the group that manages the auditing and security log.
Default value: Administrators

Property: MAX_USER_TICKET_LIFETIME
Description: Maximum lifetime for user ticket renewal.
Default value: Set as per the Windows DC or MS computer

Property: MIN_PASSWORD_LENGTH
Description: The minimum number of characters that a user password must contain.
Default value:
  For Enterprise Client (EC) security: 8
  For SSLF: 12

Property: MIN_SESSION_SECURITY_FOR_NTLM_SSP_BASED_SERVERS
Description: Minimum time of security session for NTLM SSP.
Default value: 8

Property: MODIFY_FIRMWARE_ENVIRONMENT_VALUES
Description: Modify firmware environment values.
Default value: (none listed)

Property: NETWORK_ACCESS_DO_NOT_ALLOW_ANONYMOUS_SAM_ACCOUNTS
Description: Do not allow anonymous enumeration of SAM accounts for network access.
Default value: 1

Property: NETWORK_LAN_MANAGER_AUTHENTICATION_LEVEL
Description: LAN Manager authentication for network.
Default value: (none listed)

Property: NW_ACCESS_ALLOW_ANONYMOUS_SIDNAME_TRANSLATION
Description: Allow anonymous SID/Name translation for network access.
Default value: 0

Property: PERFORM_VOLUME_MAINTENANCE_TASKS
Description: Users that are allowed to manage the system's volume or disk configuration.
Default value:
  No default for EC
  For SSLF: BUILTIN\Administrators

Property: REMOTELY_ACCESSIBLE_REGISTRY_PATHS
Description: The registry paths that can be accessed remotely.
Default value:
  No default for EC
  For SSLF: System\CurrentControlSet\Control\ProductOptions, System\CurrentControlSet\Control\Server Applications, Software\Microsoft\Windows NT\CurrentVersion

Property: REMOVE_COMPUTER_FROM_DOCKING_STATION
Description: Remove computer from the docking station.
Default value: Administrators

Property: RESTORE_FILES_DIRS
Description: Users that are allowed to bypass file, directory, registry, and other persistent object permissions when restoring backed-up data.
Default value:
  No default for SSLF
  For EC security: BUILTIN\Backup Operators

Property: STRONG_PROTECTION_USER_KEY
Description: Force strong key protection for user keys stored on the computer.
Default value: Set as per the Windows DC or MS computer

Property: SHUTDOWN_IF_UNABLE_TO_LOG_SECURITY_ALERTS
Description: Security Options Audit: Shut down the system immediately if unable to log security alerts.
Default value: 1

Property: Unix System Accounts
Description: Unix System Accounts.
Default value: root,rdsmon,rdsroot,bin,daemon,adm,lp,sync,shutdown,halt,mail,news,uucp,operator,games,gopher,nobody,rpm,dbu

Note

The CIS Properties custom property class is provided with the following out-of-the-box instances, which store default property values
for different server configurations:

  • ENTERPRISE_MEMBER_SERVER, for a Member Server with Enterprise Client (EC) security
  • ENTERPRISE_DOMAIN_CONTROLLER, for a Domain Controller with Enterprise Client (EC) security 
  • SSLF_MEMBER_SERVER, for a Member Server with Specialized Security — Limited Functionality (SSLF)
  • SSLF_DOMAIN_CONTROLLER, for a Domain Controller with SSLF
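Because the page asks you to tailor these values locally, a useful check is whether a tailored property set is weaker than the out-of-the-box instance it started from. The following script is an added example and is not part of the product or this documentation; it copies a subset of the table's defaults for ENTERPRISE_MEMBER_SERVER and SSLF_MEMBER_SERVER, parses account lists using the table's own comma-separated convention, and reports tailorings that widen a rights grant, relax a numeric threshold, or leave a property unset. The property kinds, the sample tailoring and the function names are assumptions of the example.

```python
"""Compare a locally tailored CIS property set with an out-of-the-box instance.

Hypothetical helper (not part of the product). The baseline values below are
copied from the property table on this page for a subset of properties; the
tailored set at the bottom is a constructed sample.
"""

# Out-of-the-box defaults for two of the instances named in the Note,
# restricted to properties whose default the table gives directly.
# An empty string stands for "no default value".
BASELINE = {
    "ENTERPRISE_MEMBER_SERVER": {
        "ACCOUNT_LOCKOUT_THRESHOLD": 15,
        "MIN_PASSWORD_LENGTH": 8,
        "DEBUG_PROGRAMS": "BUILTIN\\Administrators",
        "PERFORM_VOLUME_MAINTENANCE_TASKS": "",
        "RESTORE_FILES_DIRS": "BUILTIN\\Backup Operators",
        "NW_ACCESS_ALLOW_ANONYMOUS_SIDNAME_TRANSLATION": 0,
    },
    "SSLF_MEMBER_SERVER": {
        "ACCOUNT_LOCKOUT_THRESHOLD": 10,
        "MIN_PASSWORD_LENGTH": 12,
        "DEBUG_PROGRAMS": "",
        "PERFORM_VOLUME_MAINTENANCE_TASKS": "BUILTIN\\Administrators",
        "RESTORE_FILES_DIRS": "",
        "NW_ACCESS_ALLOW_ANONYMOUS_SIDNAME_TRANSLATION": 0,
    },
}

# Direction in which a tailored value weakens the control (assumed kinds):
#   "max"      -> a larger number is weaker (more failed logons tolerated)
#   "min"      -> a smaller number is weaker (shorter passwords accepted)
#   "accounts" -> any account not in the baseline list widens the grant
#   "flag"     -> the value must match the baseline exactly
KIND = {
    "ACCOUNT_LOCKOUT_THRESHOLD": "max",
    "MIN_PASSWORD_LENGTH": "min",
    "DEBUG_PROGRAMS": "accounts",
    "PERFORM_VOLUME_MAINTENANCE_TASKS": "accounts",
    "RESTORE_FILES_DIRS": "accounts",
    "NW_ACCESS_ALLOW_ANONYMOUS_SIDNAME_TRANSLATION": "flag",
}


def parse_accounts(value):
    """Split a comma-separated account list into a case-insensitive set.
    An empty string ("no default value") yields an empty set."""
    return {name.strip().lower() for name in value.split(",") if name.strip()}


def check_tailoring(instance, tailored):
    """Return findings: tailored values weaker than the baseline of `instance`,
    plus properties the tailoring leaves unset. Empty list means no drift."""
    findings = []
    baseline = BASELINE[instance]
    for prop, default in baseline.items():
        if prop not in tailored:
            findings.append(f"{prop}: not set (baseline {default!r})")
            continue
        value = tailored[prop]
        kind = KIND[prop]
        if kind == "max" and int(value) > default:
            findings.append(f"{prop}: {value} exceeds baseline {default}")
        elif kind == "min" and int(value) < default:
            findings.append(f"{prop}: {value} is below baseline {default}")
        elif kind == "accounts":
            extra = parse_accounts(value) - parse_accounts(default)
            if extra:
                findings.append(f"{prop}: grants extra accounts {sorted(extra)}")
        elif kind == "flag" and int(value) != default:
            findings.append(f"{prop}: {value} differs from baseline {default}")
    return findings


# Constructed sample tailoring of an SSLF member server (values are strings,
# as they would arrive from a property file or export).
SAMPLE_TAILORING = {
    "ACCOUNT_LOCKOUT_THRESHOLD": "10",
    "MIN_PASSWORD_LENGTH": "10",                    # below the SSLF default of 12
    "DEBUG_PROGRAMS": "BUILTIN\\Administrators",    # SSLF grants this to no one
    "PERFORM_VOLUME_MAINTENANCE_TASKS": "builtin\\administrators",  # case only
    "RESTORE_FILES_DIRS": "",
    # NW_ACCESS_ALLOW_ANONYMOUS_SIDNAME_TRANSLATION deliberately left unset
}

if __name__ == "__main__":
    for finding in check_tailoring("SSLF_MEMBER_SERVER", SAMPLE_TAILORING):
        print(finding)
```

Run against the sample, the check reports the shortened password length, the extra debugger right, and the unset anonymous SID/Name translation flag, while accepting the case-only difference in the volume maintenance list. Extending the BASELINE and KIND tables to the remaining properties on the page, and to the two Domain Controller instances, follows the same pattern.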