Properties in the custom CIS property class
The following CIS properties are included in the custom CIS property class. Tailor these property values to the unique needs of your local system.
Property | Description | Default value |
---|---|---|
ACCESS_THIS_COMPUTER_ | Additional users on the network that are allowed to connect to this computer. | For Member Server: BUILTIN\Administrators, |
ACCOUNT_LOCKOUT_THRESHOLD | The number of failed logon attempts allowed before a user is locked out of an account | For Enterprise Client (EC) security: 15 |
ADD_WORKSTATION_TO_DOMAIN | Users that are allowed to add computer workstations to a specific domain | For Domain Controller: BUILTIN\Administrators |
ANONYMOUS_ENUMERATION_ | Anonymous enumeration of SAM accounts and shares | 1 |
ANONYMOUS_NAMED_PIPES | The communication sessions, or pipes, that will have attributes and permissions that allow anonymous access | For Domain Controller with SSLF: |
BYPASS-SERVER-CHECKING | Users with no Traverse Folder access permission that are allowed to pass through folders as they browse NTFS or the registry | None for Domain Controller with EC |
CIS_LEGAL_NOTICE_TEXT | The text message that displays when a user logs on | No default value; replace with the legal text title |
CIS_LEGAL_TITLE_TEXT | The text that appears in the title bar of the windows that are displayed when a user logs on to the system | No default value; replace with the legal text title |
DEBUG_PROGRAMS | User accounts that are allowed to attach a debugger to any process or the kernel. | On Member Server with EC: BUILTIN\Administrators |
DO_NOT_ALLOW_ANONYMOUS_ENUM_ | Do not allow anonymous enumeration of SAM accounts and shares | 1 |
FORCE_SHUTDOWN_FROM_ | Do not allow anonymous enumeration of SAM accounts and shares | |
FORCE_STRONG_KEY_PROTECT | Force strong key for protection | |
GENERATE_SECURITY_AUDITS | Users that are allowed to produce audit records in the Security log | NT AUTHORITY\LOCAL SERVICE, NT AUTHORITY\ |
IS_REM_SSLF | Used in the remediation of auditpol rules. | |
LAN_MANAGER_AUTHENTICATION_LEVEL | LAN Manager authentication | |
MANAGE_AUDITING_AND_SECURITY_LOG | Name of group that manages the auditing and security log | Administrators |
MAX_USER_TICKET_LIFETIME | Maximum lifetime for user ticket renewal | Set as per the Windows DC or MS computer |
MIN_PASSWORD_LENGTH | The minimum number of characters that a user password must contain | For Enterprise Client (EC) security: 8 |
MIN_SESSION_SECURITY_FOR_ | Minimum time of security session for NTLM SSP | 8 |
MODIFY_FIRMWARE_ENVIRONMENT | Modify firmware environment values | |
NETWORK_ACCESS_DO_NOT_ | Do not allow anonymous enumeration of SAM accounts for network access | 1 |
NETWORK_LAN_MANAGER_ | LAN Manager authentication for network | |
NW_ACCESS_ALLOW_ANONYMOUS_ | Allow Anonymous SID/Name Translation for network access | 0 |
PERFORM_VOLUME_ | Users that are allowed to manage the system's volume or disk configuration | No default for EC |
REMOTELY_ACCESSIBLE_ | The registry paths that can be accessed remotely | No default for EC |
REMOVE_COMPUTER_FROM_ | Remove computer from the docking station | Administrators |
RESTORE_FILES_DIRS | Users that are allowed to bypass file, directory, registry, and other persistent object permissions when restoring backed-up data | No default for SSLF |
STRONG_PROTECTION_USER_KEY | Force strong key protection for user keys stored on the computer | Set as per the Windows DC or MS computer |
SHUTDOWN_IF_UNABLE_ | Security Options Audit: Shutdown system immediately if unable to log security alerts. | 1 |
Unix System Accounts | Unix System Accounts | root,rdsmon,rdsroot,bin,daemon,adm, |
Note
The CIS Properties custom property class is provided with the following out-of-the-box instances, which store default property values for different server configurations:
- ENTERPRISE_MEMBER_SERVER, for a Member Server with Enterprise Client (EC) security
- ENTERPRISE_DOMAIN_CONTROLLER, for a Domain Controller with Enterprise Client (EC) security
- SSLF_MEMBER_SERVER, for a Member Server with Specialized Security — Limited Functionality (SSLF)
- SSLF_DOMAIN_CONTROLLER, for a Domain Controller with SSLF