Nessus Report

Report generated by Nessus™

Windows CIS - By compliance status, detailed findings

Mon, 11 Dec 2017 13:12:03 Eastern Standard Time

TABLE OF CONTENTS
Vulnerabilities by Plugin
34220 (22) - Netstat Portscanner (WMI)
Synopsis
Remote open ports can be enumerated via WMI.
Description
Using the WMI interface, Nessus was able to run 'netstat' on the remote host to enumerate the open ports.
See Also
Solution
n/a
Risk Factor
None
Plugin Information:
Published: 2008/09/16, Modified: 2017/12/04
Plugin Output

192.168.1.114 (tcp/0)

Nessus was able to find 22 open ports.

192.168.1.114 (udp/123)

Port 123/udp was found to be open

192.168.1.114 (tcp/135)

Port 135/tcp was found to be open

192.168.1.114 (udp/137)

Port 137/udp was found to be open

192.168.1.114 (udp/138)

Port 138/udp was found to be open

192.168.1.114 (tcp/139)

Port 139/tcp was found to be open

192.168.1.114 (tcp/445)

Port 445/tcp was found to be open

192.168.1.114 (udp/500)

Port 500/udp was found to be open

192.168.1.114 (udp/1900)

Port 1900/udp was found to be open

192.168.1.114 (tcp/3389)

Port 3389/tcp was found to be open

192.168.1.114 (udp/3702)

Port 3702/udp was found to be open

192.168.1.114 (udp/4500)

Port 4500/udp was found to be open

192.168.1.114 (udp/5355)

Port 5355/udp was found to be open

192.168.1.114 (tcp/5357)

Port 5357/tcp was found to be open

192.168.1.114 (tcp/49152)

Port 49152/tcp was found to be open

192.168.1.114 (tcp/49153)

Port 49153/tcp was found to be open

192.168.1.114 (tcp/49154)

Port 49154/tcp was found to be open

192.168.1.114 (tcp/49155)

Port 49155/tcp was found to be open

192.168.1.114 (tcp/49188)

Port 49188/tcp was found to be open

192.168.1.114 (tcp/49189)

Port 49189/tcp was found to be open

192.168.1.114 (udp/51642)

Port 51642/udp was found to be open

192.168.1.114 (udp/51843)

Port 51843/udp was found to be open
Compliance 'FAILED'
2.2.28 Ensure 'Log on as a batch job' is set to 'admins'
Info
This policy setting allows accounts to log on using the Task Scheduler service. Because the Task Scheduler is often used for administrative purposes, it may be needed in enterprise environments. However, its use should be restricted in high security environments to prevent misuse of system resources or to prevent attackers from using the right to launch malicious code after gaining user-level access to a computer. When configuring a user right in the SCM, enter a comma-delimited list of accounts. Accounts can be either local or located in Active Directory; they can be groups, users, or computers. The recommended state for this setting is: admins. The Log on as a batch job user right presents a low-risk vulnerability. For most organizations, the default settings are sufficient.
Solution
To implement the recommended configuration state, set the following Group Policy setting to admins:
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Log on as a batch job
Impact: If you configure the Log on as a batch job setting through domain-based Group Policies, the computer will not be able to assign the user right to accounts that are used for scheduled jobs in the Task Scheduler. If you install optional components such as ASP.NET or IIS, you might need to assign this user right to additional accounts that are required by those components. For example, IIS requires assignment of this user right to the IIS_WPG group and the IUSR_<ComputerName>, ASPNET, and IWAM_<ComputerName> accounts. If this user right is not assigned to this group and these accounts, IIS will be unable to run some COM objects that are necessary for proper functionality.
See Also
https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_7_Workstation_Benchmark_v3.0.1.pdf
References
800-53 AC-6
CSF PR.AC-4
ISO/IEC-27001 A.9.2.5
CSCV6 5.1
LEVEL 2S
Audit File
CIS_MS_Windows_7_L2_v3.0.1.audit
Policy Value
'admins'
Hosts

192.168.1.114

'performance log users' && 'backup operators' && 'admins'
2.2.29 Ensure 'Log on as a service' is set to 'No One'
Info
This policy setting allows accounts to launch network services or to register a process as a service running on the system. This user right should be restricted on any computer in a high security environment, but because many applications may require this privilege, it should be carefully evaluated and tested before configuring it in an enterprise environment. On Windows Vista-based computers, no users or groups have this privilege by default. When configuring a user right in the SCM, enter a comma-delimited list of accounts. Accounts can be either local or located in Active Directory; they can be groups, users, or computers. The recommended state for this setting is: No One. Log on as a service is a powerful user right because it allows accounts to launch network services or services that run continuously on a computer, even when no one is logged on to the console. The risk is reduced by the fact that only users with administrative privileges can install and configure services. An attacker who has already attained that level of access could configure the service to run with the Local System account.
Solution
To implement the recommended configuration state, set the following Group Policy setting to No One:
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Log on as a service
Impact: On most computers, this is the default configuration and there will be no negative impact. However, if you have installed optional components such as ASP.NET or IIS, you may need to assign the Log on as a service user right to additional accounts that are required by those components. IIS requires that this user right be explicitly granted to the ASPNET user account.
See Also
https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_7_Workstation_Benchmark_v3.0.1.pdf
References
800-53 AC-6
CSF PR.AC-4
ISO/IEC-27001 A.9.2.5
CSCV6 5.1
LEVEL 2S
Audit File
CIS_MS_Windows_7_L2_v3.0.1.audit
Policy Value
''
Hosts

192.168.1.114

'all services'
2.3.4.2 Ensure 'Devices: Prevent users from installing printer drivers' is set to 'Enabled'
Info
For a computer to print to a shared printer, the driver for that shared printer must be installed on the local computer. This security setting determines who is allowed to install a printer driver as part of connecting to a shared printer. If this setting is enabled, only admins can install a printer driver as part of connecting to a shared printer. If this setting is disabled, any user can install a printer driver as part of connecting to a shared printer. The recommended state for this setting is: Enabled. Note: This setting does not affect the ability to add a local printer. This setting does not affect admins. It may be appropriate in some organizations to allow users to install printer drivers on their own workstations. However, in a high security environment, you should allow only admins, not users, to do this, because printer driver installation may unintentionally cause the computer to become less stable. A malicious user could install inappropriate printer drivers in a deliberate attempt to damage the computer, or a user might accidentally install malicious software that masquerades as a printer driver. It is feasible for an attacker to disguise a Trojan horse program as a printer driver. The program may appear to users as if they must use it to print, but such a program could unleash malicious code on your computer network.
Solution
To establish the recommended configuration via GP, set the following UI path to Enabled:
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Devices: Prevent users from installing printer drivers
Impact: Only admins will be able to install a printer driver as part of connecting to a shared printer. The ability to add a local printer will not be affected.
See Also
https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_7_Workstation_Benchmark_v3.0.1.pdf
References
800-53 AC-6
800-171 3.1.7
CSF PR.AC-4
CSCV6 5.1
LEVEL 2S
Audit File
CIS_MS_Windows_7_L2_v3.0.1.audit
Policy Value
1
Hosts

192.168.1.114

0
2.3.7.5 Ensure 'Interactive logon: Number of previous logons to cache (domain controller is not available)' is set to '4 or fewer logon(s)'
Info
This policy setting determines whether a user can log on to a Windows domain using cached account information. Logon information for domain accounts can be cached locally to allow users to log on even if a domain controller cannot be contacted. This policy setting determines the number of unique users for whom logon information is cached locally. If this value is set to 0, the logon cache feature is disabled. An attacker who is able to access the file system of the server could locate this cached information and use a brute force attack to determine user passwords. The recommended state for this setting is: 4 or fewer logon(s). The number that is assigned to this policy setting indicates the number of users whose logon information the servers will cache locally. If the number is set to 10, then the server caches logon information for 10 users. When an eleventh user logs on to the computer, the server overwrites the oldest cached logon session. Users who access the server console will have their logon credentials cached on that server. An attacker who is able to access the file system of the server could locate this cached information and use a brute force attack to attempt to determine user passwords. To mitigate this type of attack, Windows encrypts the information and obscures its physical location.
Solution
To establish the recommended configuration via GP, set the following UI path to 4 or fewer logon(s):
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Number of previous logons to cache (in case domain controller is not available)
Impact: Users will be unable to log on to any computers if there is no domain controller available to authenticate them. Organizations may want to configure this value to 2 for end-user computers, especially for mobile users. A configuration value of 2 means that the user's logon information will still be in the cache, even if a member of the IT department has recently logged on to their computer to perform system maintenance. This method allows users to log on to their computers when they are not connected to the organization's network.
See Also
https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_7_Workstation_Benchmark_v3.0.1.pdf
References
800-53 IA-5
CSF PR.AC-1
CSCV6 16
LEVEL 2S
Audit File
CIS_MS_Windows_7_L2_v3.0.1.audit
Policy Value
[0..4]
Hosts

192.168.1.114

10
18.3.4 Ensure 'MSS: (DisableSavePassword) Prevent the dial-up password from being saved' is set to 'Enabled'
Info
When you dial a phonebook or VPN entry in Dial-Up Networking, you can use the 'Save Password' option so that your Dial-Up Networking password is cached and you will not need to enter it on successive dial attempts. For security, admins may want to prevent users from caching passwords. The recommended state for this setting is: Enabled. An attacker who steals a mobile user's computer could automatically connect to the organization's network if the Save This Password check box is selected for the dial-up networking entry used to connect to your organization's network.
Solution
To establish the recommended configuration via GP, set the following UI path to Enabled:
Computer Configuration\Policies\Administrative Templates\MSS (Legacy)\MSS: (DisableSavePassword) Prevent the dial-up password from being saved
Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required; it is included with Microsoft Security Compliance Manager (SCM).
Impact: Users will not be able to automatically store their logon credentials for dial-up and VPN connections.
See Also
https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_7_Workstation_Benchmark_v3.0.1.pdf
References
800-53 IA-5
800-171 3.5.2
CSF PR.AC-1
ITSG-33 IA-5
CSCV6 9
LEVEL 2S
Audit File
CIS_MS_Windows_7_L2_v3.0.1.audit
Policy Value
1
Hosts

192.168.1.114

NULL
18.4.10.2 Ensure 'Turn off Microsoft Peer-to-Peer Networking Services' is set to 'Enabled'
Info
The Peer Name Resolution Protocol (PNRP) allows for distributed resolution of a name to an IPv6 address and port number. The protocol operates in the context of clouds. A cloud is a set of peer computers that can communicate with each other by using the same IPv6 scope. Peer-to-peer protocols allow for applications in the areas of RTC, collaboration, content distribution and distributed processing. The recommended state for this setting is: Enabled. This setting enhances the security of the environment and reduces the overall risk exposure related to peer-to-peer networking.
Solution
To establish the recommended configuration via GP, set the following UI path to Enabled:
Computer Configuration\Policies\Administrative Templates\Network\Microsoft Peer-to-Peer Networking Services\Turn off Microsoft Peer-to-Peer Networking Services
Impact: If you enable this setting, peer-to-peer protocols will be turned off. If you disable this setting or do not configure it, the peer-to-peer protocols will be turned on. This setting turns off Microsoft Peer-to-Peer Networking Services in its entirety, and will cause all dependent applications to stop working.
See Also
https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_7_Workstation_Benchmark_v3.0.1.pdf
References
800-53 CM-7
CIP 007-6-R1
PCI-DSSV3.1 2.2.2
PCI-DSSV3.1 2.2.3
PCI-DSSV3.2 2.2.2
PCI-DSSV3.2 2.2.3
800-171 3.4.6
800-171 3.4.7
CN-L3 7.1.3.5(c)
CN-L3 7.1.3.7(d)
CSF PR.IP-1
CSF PR.PT-3
ITSG-33 CM-7
CSCV6 9.1
LEVEL 2S
Audit File
CIS_MS_Windows_7_L2_v3.0.1.audit
Policy Value
1
Hosts

192.168.1.114

0
18.8.39.11.1 Ensure 'Enable/Disable PerfTrack' is set to 'Disabled'
Info
This policy setting specifies whether to enable or disable tracking of responsiveness events. The recommended state for this setting is: Disabled. When enabled, the aggregated data of a given event will be transmitted to Microsoft. The option exists to restrict this feature for a specific user, set the consent level, and designate specific programs for which error reports could be sent. However, centrally restricting the ability to execute PerfTrack, to limit the potential for unauthorized or undesired usage, data leakage, or unintentional communications, is highly recommended.
Solution
To establish the recommended configuration via GP, set the following UI path to Disabled:
Computer Configuration\Policies\Administrative Templates\System\Troubleshooting and Diagnostics\Windows Performance PerfTrack\Enable/Disable PerfTrack
Impact: If you disable this policy setting, responsiveness events are not processed.
See Also
https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_7_Workstation_Benchmark_v3.0.1.pdf
References
800-53 AC-6
800-171 3.1.7
CSF PR.AC-4
CSCV6 13
LEVEL 2S
Audit File
CIS_MS_Windows_7_L2_v3.0.1.audit
Policy Value
0
Hosts

192.168.1.114

NULL
18.9.52.3.2.1 Ensure 'Allow users to connect remotely by using Remote Desktop Services' is set to 'Disabled'
Info
This policy setting allows you to configure remote access to computers by using Remote Desktop Services. If you enable this policy setting, users who are members of the Remote Desktop Users group on the target computer can connect remotely to the target computer by using Remote Desktop Services. If you disable this policy setting, users cannot connect remotely to the target computer by using Remote Desktop Services. The target computer will maintain any current connections, but will not accept any new incoming connections. If you do not configure this policy setting, Remote Desktop Services uses the Remote Desktop setting on the target computer to determine whether the remote connection is allowed. This setting is found on the Remote tab in the System properties sheet. By default, remote connections are not allowed. Note: You can limit which clients are able to connect remotely by using Remote Desktop Services by configuring the policy setting at Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security\Require user authentication for remote connections by using Network Level Authentication. You can limit the number of users who can connect simultaneously by configuring the policy setting at Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections\Limit number of connections, or by configuring the policy setting Maximum Connections by using the Remote Desktop Session Host WMI Provider. The recommended state for this setting is: Disabled. Any account with the Allow log on through Remote Desktop Services user right can log on to the remote console of the computer. If you do not restrict access to legitimate users who need to log on to the console of the computer, unauthorized users could download and execute malicious code to elevate their privileges.
Solution
To establish the recommended configuration via GP, set the following UI path to Disabled:
Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections\Allow users to connect remotely by using Remote Desktop Services
Impact: If this setting is enabled, legitimate users will be unable to use Terminal Services or Remote Desktop, which could make it more difficult for help desk technicians to troubleshoot and resolve problems remotely. It would also make it impossible to use Remote Desktop Services for hosting shared applications.
See Also
https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_7_Workstation_Benchmark_v3.0.1.pdf
References
800-53 CM-7
CIP 007-6-R1
PCI-DSSV3.1 2.2.2
PCI-DSSV3.1 2.2.3
PCI-DSSV3.2 2.2.2
PCI-DSSV3.2 2.2.3
800-171 3.4.6
800-171 3.4.7
CN-L3 7.1.3.5(c)
CN-L3 7.1.3.7(d)
CSF PR.IP-1
CSF PR.PT-3
ITSG-33 CM-7
CSCV6 9.1
LEVEL 2S
Audit File
CIS_MS_Windows_7_L2_v3.0.1.audit
Policy Value
1
Hosts

192.168.1.114

0
18.9.82.1 Ensure 'Allow Remote Shell Access' is set to 'Disabled'
Info
This policy setting allows you to manage configuration of remote access to all supported shells to execute scripts and commands. The recommended state for this setting is: Disabled. Any feature is a potential avenue of attack; those that enable inbound network connections are particularly risky. Only enable the use of the Windows Remote Shell on trusted networks and, when feasible, employ additional controls such as IPsec.
Solution
To implement the recommended configuration state, set the following Group Policy setting to Disabled:
Computer Configuration\Administrative Templates\Windows Components\Windows Remote Shell\Allow Remote Shell Access
Impact: If you disable or do not configure this policy setting, remote access is not allowed to all supported shells to execute scripts and commands.
See Also
https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_7_Workstation_Benchmark_v3.0.1.pdf
References
800-53 AC-6
CSF PR.AC-4
ITSG-33 AC-6
LEVEL 2S
Audit File
CIS_MS_Windows_7_L2_v3.0.1.audit
Policy Value
0
Hosts

192.168.1.114

NULL
18.9.86.2.2 Ensure 'Allow remote server management through WinRM' is set to 'Disabled'
Info
This policy setting allows you to manage whether the Windows Remote Management (WinRM) service automatically listens on the network for requests on the HTTP transport over the default HTTP port.
Solution
To implement the recommended configuration state, set the following Group Policy setting to Disabled:
Computer Configuration\Administrative Templates\Windows Components\Windows Remote Management (WinRM)\WinRM Service\Allow remote server management through WinRM
See Also
https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_7_Workstation_Benchmark_v3.0.1.pdf
References
800-53 AC-17
800-171 3.1.15
800-171 3.1.2
CSF PR.AC-3
CSF PR.PT-4
ITSG-33 AC-17
LEVEL 2S
Audit File
CIS_MS_Windows_7_L2_v3.0.1.audit
Policy Value
0
Hosts

192.168.1.114

NULL
19.6.5.1.1 Ensure 'Turn off Help Experience Improvement Program' is set to 'Enabled'
Info
This policy setting specifies whether users can participate in the Help Experience Improvement program. The Help Experience Improvement program collects information about how customers use Windows Help so that Microsoft can improve it. The recommended state for this setting is: Enabled. Large enterprise environments may not want to have information collected from managed client computers.
Solution
To establish the recommended configuration via GP, set the following UI path to Enabled:
User Configuration\Policies\Administrative Templates\System\Internet Communication Management\Internet Communication Settings\Turn off Help Experience Improvement Program
Impact: If you enable this policy setting, users cannot participate in the Help Experience Improvement program.
See Also
https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_7_Workstation_Benchmark_v3.0.1.pdf
References
800-53 AC-6
800-171 3.1.7
CSF PR.AC-4
CSCV6 13
LEVEL 2S
Audit File
CIS_MS_Windows_7_L2_v3.0.1.audit
Policy Value
1
Hosts

192.168.1.114

Non-compliant items:
HKU\S-1-5-21-536066148-3557968269-4150644726-500\Software\Policies\Microsoft\Assistance\Client\1.0 - 2
19.7.41.2.1 Ensure 'Prevent Codec Download' is set to 'Enabled'
Info
This setting controls whether Windows Media Player is allowed to download additional codecs for decoding media files it does not already understand. The recommended state for this setting is: Enabled. This has some potential for risk if a malicious data file is opened in Media Player that requires an additional codec to be installed. If a special codec is required for a necessary job function, then that codec should be tested and supplied by the IT department in the organization.
Solution
To establish the recommended configuration via GP, set the following UI path to Enabled:
User Configuration\Policies\Administrative Templates\Windows Components\Windows Media Player\Playback\Prevent Codec Download
Impact: If you enable this policy setting, the Player is prevented from automatically downloading codecs to your computer. In addition, the Download codecs automatically check box on the Player tab in the Player is not available.
See Also
https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_7_Workstation_Benchmark_v3.0.1.pdf
References
800-53 SC-18
800-171 3.13.13
CSF DE.CM-5
ITSG-33 SC-18
CSCV6 2
LEVEL 2S
Audit File
CIS_MS_Windows_7_L2_v3.0.1.audit
Policy Value
1
Hosts

192.168.1.114

Non-compliant items:
HKU\S-1-5-21-536066148-3557968269-4150644726-500\Software\Policies\Microsoft\Windowsmediaplayer - 2
Compliance 'SKIPPED'
Compliance 'PASSED'
18.9.69.3.1 Ensure 'Join Microsoft MAPS' is set to 'Disabled'
Info
This policy setting allows you to join Microsoft MAPS. Microsoft MAPS is the online community that helps you choose how to respond to potential threats. The community also helps stop the spread of new malicious software infections. You can choose to send basic or additional information about detected software. Additional information helps Microsoft create new definitions and help it to protect your computer. Possible options are:
(0x0) Disabled (default)
(0x1) Basic membership
(0x2) Advanced membership
Basic membership will send basic information to Microsoft about software that has been detected, including where the software came from, the actions that you apply or that are applied automatically, and whether the actions were successful. Advanced membership, in addition to basic information, will send more information to Microsoft about malicious software, spyware and potentially unwanted software, including the location of the software, file names, how the software operates and how it has impacted your computer. The recommended state for this setting is: Disabled. This information can include things like location of detected items on your computer if harmful software was removed. The information will be automatically collected and sent. In some instances personal information might unintentionally be sent to Microsoft. However, Microsoft will not use this information to identify you or contact you.
See Also
https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_7_Workstation_Benchmark_v3.0.1.pdf
References
800-53 AC-6
800-171 3.1.7
CSF PR.AC-4
LEVEL 2S
Audit File
CIS_MS_Windows_7_L2_v3.0.1.audit
Policy Value
0
Hosts

192.168.1.114

NULL
Compliance 'INFO', 'WARNING', 'ERROR'
2.3.14.1 Ensure 'System crypto: Force strong key protection for user keys stored on the computer' is set to 'User is prompted' or higher
Info
This policy setting determines whether users' private keys (such as their S/MIME keys) require a password to be used. If you configure this policy setting so that users must provide a password, distinct from their domain password, every time that they use a key, then it will be more difficult for an attacker to access locally stored keys, even an attacker who discovers logon passwords. The recommended state for this setting is: User is prompted when the key is first used. Configuring this setting to User must enter a password each time they use a key also conforms with the benchmark. If a user's account is compromised or their computer is inadvertently left unsecured, the malicious user can use the keys stored for the user to access protected resources. You can configure this policy setting so that users must provide a password that is distinct from their domain password every time they use a key. This configuration makes it more difficult for an attacker to access locally stored user keys, even if the attacker takes control of the user's computer and determines their logon password.
Solution
To establish the recommended configuration via GP, set the following UI path to User is prompted when the key is first used (configuring to User must enter a password each time they use a key also conforms with the benchmark):
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\System cryptography: Force strong key protection for user keys stored on the computer
Impact: Users will have to enter their password every time they access a key that is stored on their computer. For example, if users use an S/MIME certificate to digitally sign their e-mail, they will be forced to enter the password for that certificate every time they send a signed e-mail message. For some organizations the overhead that is involved using this configuration may be too high. For end user computers that are used to access sensitive data this setting could be set to 'User is prompted when the key is first used,' but Microsoft does not recommend enforcing this setting on servers due to the significant impact on manageability. For example, if this setting is configured to 'User is prompted when the key is first used' you may not be able to configure Remote Desktop Services to use SSL certificates. More information is available in the Windows PKI TechNet Blog post: What is a strong key protection in Windows?
See Also
https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_7_Workstation_Benchmark_v3.0.1.pdf
References
800-53 IA-5
CSF PR.AC-1
ITSG-33 IA-5
CSCV6 16.14
LEVEL 2S
Audit File
CIS_MS_Windows_7_L2_v3.0.1.audit
Hosts

192.168.1.114

REG_ERROR_QUERY_VALUE: an error happened while querying the value

Windows error code: ERROR_FILE_NOT_FOUND
reg_key: HKLM\Software\Policies\Microsoft\Cryptography
reg_item: ForceKeyProtection
18.3.6 Ensure 'MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds' is set to 'Enabled: 300,000 or 5 minutes'
Info
This value controls how often TCP attempts to verify that an idle connection is still intact by sending a keep-alive packet. If the remote computer is still reachable, it acknowledges the keep-alive packet. The recommended state for this setting is: Enabled: 300,000 or 5 minutes (recommended). An attacker who is able to connect to network applications could establish numerous connections to cause a DoS condition.
Solution
To establish the recommended configuration via GP, set the following UI path to Enabled: 300,000 or 5 minutes (recommended):
Computer Configuration\Policies\Administrative Templates\MSS (Legacy)\MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds
Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required; it is included with Microsoft Security Compliance Manager (SCM).
Impact: Keep-alive packets are not sent by default by Windows. However, some applications may configure the TCP stack flag that requests keep-alive packets. For such configurations, you can lower this value from the default setting of two hours to five minutes to disconnect inactive sessions more quickly.
See Also
https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_7_Workstation_Benchmark_v3.0.1.pdf
References
800-53 SC-7
800-171 3.13.1
ITSG-33 SC-7
CSCV6 9
CSCV6 9.2
LEVEL 2S
Audit File
CIS_MS_Windows_7_L2_v3.0.1.audit
Hosts

192.168.1.114

REG_ERROR_QUERY_VALUE: an error happened while querying the value

Windows error code: ERROR_FILE_NOT_FOUND
reg_key: HKLM\System\Currentcontrolset\Services\Tcpip\Parameters
reg_item: KeepAliveTime
18.3.8 Ensure 'MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses' is set to 'Disabled'
Info
This setting is used to enable or disable the Internet Router Discovery Protocol (IRDP), which allows the system to detect and configure default gateway addresses automatically as described in RFC 1256 on a per-interface basis. The recommended state for this setting is: Disabled. An attacker who has gained control of a computer on the same network segment could configure a computer on the network to impersonate a router. Other computers with IRDP enabled would then attempt to route their traffic through the already compromised computer.
Solution
To establish the recommended configuration via GP, set the following UI path to Disabled:
Computer Configuration\Policies\Administrative Templates\MSS (Legacy)\MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)
Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required; it is included with Microsoft Security Compliance Manager (SCM).
Impact: If you disable this entry, Windows Server 2003 (which supports the IRDP) cannot automatically detect and configure default gateway addresses on the computer.
See Also
https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_7_Workstation_Benchmark_v3.0.1.pdf
References
800-53 SC-7
800-171 3.13.1
ITSG-33 SC-7
CSCV6 9
CSCV6 9.2
LEVEL 2S
Audit File
CIS_MS_Windows_7_L2_v3.0.1.audit
Hosts

192.168.1.114

REG_ERROR_QUERY_VALUE: an error happened while querying the value

Windows error code: ERROR_FILE_NOT_FOUND
reg_key: HKLM\System\Currentcontrolset\Services\Tcpip\Parameters
reg_item: PerformRouterDiscovery
18.3.11 Ensure 'MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'
Info
This setting controls the number of times that TCP retransmits an individual data segment (non-connect segment) before the connection is aborted. The retransmission time-out is doubled with each successive retransmission on a connection. It is reset when responses resume. The base time-out value is dynamically determined by the measured round-trip time on the connection. The recommended state for this setting is: Enabled: 3. A malicious user could exhaust a target computer's resources if it never sent any acknowledgment messages for data that was transmitted by the target computer.
Solution
To establish the recommended configuration via GP, set the following UI path to Enabled: 3: Computer Configuration\Policies\Administrative Templates\MSS (Legacy)\MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required; it is included with Microsoft Security Compliance Manager (SCM). Impact: TCP starts a retransmission timer when each outbound segment is passed to IP. If no acknowledgment is received for the data in a given segment before the timer expires, the segment is retransmitted up to three times.
See Also
https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_7_Workstation_Benchmark_v3.0.1.pdf
References
800-53 SC-7
800-171 3.13.1
ITSG-33 SC-7
CSCV6 9
CSCV6 9.2
LEVEL 2S
Audit File
CIS_MS_Windows_7_L2_v3.0.1.audit
Hosts

192.168.1.114

REG_ERROR_QUERY_VALUE: an error happened while querying the value

Windows error code: ERROR_FILE_NOT_FOUND
reg_key: HKLM\System\Currentcontrolset\Services\Tcpip6\Parameters
reg_item: tcpmaxdataretransmissions
18.3.12 Ensure 'MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'
Info
This setting controls the number of times that TCP retransmits an individual data segment (non-connect segment) before the connection is aborted. The retransmission time-out is doubled with each successive retransmission on a connection. It is reset when responses resume. The base time-out value is dynamically determined by the measured round-trip time on the connection. The recommended state for this setting is: Enabled: 3. A malicious user could exhaust a target computer's resources if it never sent any acknowledgment messages for data that was transmitted by the target computer.
Solution
To establish the recommended configuration via GP, set the following UI path to Enabled: 3: Computer Configuration\Policies\Administrative Templates\MSS (Legacy)\MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required; it is included with Microsoft Security Compliance Manager (SCM). Impact: TCP starts a retransmission timer when each outbound segment is passed to IP. If no acknowledgment is received for the data in a given segment before the timer expires, the segment is retransmitted up to three times.
See Also
https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_7_Workstation_Benchmark_v3.0.1.pdf
References
800-53 SC-7
800-171 3.13.1
ITSG-33 SC-7
CSCV6 9
CSCV6 9.2
LEVEL 2S
Audit File
CIS_MS_Windows_7_L2_v3.0.1.audit
Hosts

192.168.1.114

REG_ERROR_QUERY_VALUE: an error happened while querying the value

Windows error code: ERROR_FILE_NOT_FOUND
reg_key: HKLM\System\Currentcontrolset\Services\Tcpip\Parameters
reg_item: tcpmaxdataretransmissions
18.4.9.1 Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled' - AllowLLTDIOOnPublicNet
Info
This policy setting changes the operational behavior of the Mapper I/O network protocol driver. LLTDIO allows a computer to discover the topology of the network it is connected to. It also allows a computer to initiate Quality-of-Service requests such as bandwidth estimation and network health analysis. The recommended state for this setting is: Disabled. To reduce the chance of discovering and connecting to unauthorized devices, this setting should be disabled so the computer does not take part in network topology discovery traffic.
Solution
To implement the recommended configuration state, set the following Group Policy setting to Disabled: Computer Configuration\Policies\Administrative Templates\Network\Link-Layer Topology Discovery\Turn on Mapper I/O (LLTDIO) driver Impact: If you disable or do not configure this policy setting, the default behavior of LLTDIO will apply.
See Also
https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_7_Workstation_Benchmark_v3.0.1.pdf
References
800-53 CM-7
CIP 007-6-R1
PCI-DSSV3.1 2.2.2
PCI-DSSV3.1 2.2.3
PCI-DSSV3.2 2.2.2
PCI-DSSV3.2 2.2.3
800-171 3.4.6
800-171 3.4.7
CN-L3 7.1.3.5(c)
CN-L3 7.1.3.7(d)
CSF PR.IP-1
CSF PR.PT-3
ITSG-33 CM-7
CSCV6 9
CSCV6 9.1
LEVEL 2S
Audit File
CIS_MS_Windows_7_L2_v3.0.1.audit
Hosts

192.168.1.114

REG_ERROR_OPEN_KEY: an error happened while opening the key

Windows error code: ERROR_FILE_NOT_FOUND
reg_key: HKLM\Software\Policies\Microsoft\Windows\Lltd
reg_item: AllowLLTDIOOnPublicNet
18.4.9.1 Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled' - AllowLLTDIOOndomain
Info
This policy setting changes the operational behavior of the Mapper I/O network protocol driver. LLTDIO allows a computer to discover the topology of the network it is connected to. It also allows a computer to initiate Quality-of-Service requests such as bandwidth estimation and network health analysis. The recommended state for this setting is: Disabled. To reduce the chance of discovering and connecting to unauthorized devices, this setting should be disabled so the computer does not take part in network topology discovery traffic.
Solution
To implement the recommended configuration state, set the following Group Policy setting to Disabled: Computer Configuration\Policies\Administrative Templates\Network\Link-Layer Topology Discovery\Turn on Mapper I/O (LLTDIO) driver Impact: If you disable or do not configure this policy setting, the default behavior of LLTDIO will apply.
See Also
https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_7_Workstation_Benchmark_v3.0.1.pdf
References
800-53 CM-7
CIP 007-6-R1
PCI-DSSV3.1 2.2.2
PCI-DSSV3.1 2.2.3
PCI-DSSV3.2 2.2.2
PCI-DSSV3.2 2.2.3
800-171 3.4.6
800-171 3.4.7
CN-L3 7.1.3.5(c)
CN-L3 7.1.3.7(d)
CSF PR.IP-1
CSF PR.PT-3
ITSG-33 CM-7
CSCV6 9
CSCV6 9.1
LEVEL 2S
Audit File
CIS_MS_Windows_7_L2_v3.0.1.audit
Hosts

192.168.1.114

REG_ERROR_OPEN_KEY: an error happened while opening the key

Windows error code: ERROR_FILE_NOT_FOUND
reg_key: HKLM\Software\Policies\Microsoft\Windows\Lltd
reg_item: AllowLLTDIOOndomain
18.4.9.1 Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled' - EnableLLTDIO
Info
This policy setting changes the operational behavior of the Mapper I/O network protocol driver. LLTDIO allows a computer to discover the topology of the network it is connected to. It also allows a computer to initiate Quality-of-Service requests such as bandwidth estimation and network health analysis. The recommended state for this setting is: Disabled. To reduce the chance of discovering and connecting to unauthorized devices, this setting should be disabled so the computer does not take part in network topology discovery traffic.
Solution
To implement the recommended configuration state, set the following Group Policy setting to Disabled: Computer Configuration\Policies\Administrative Templates\Network\Link-Layer Topology Discovery\Turn on Mapper I/O (LLTDIO) driver Impact: If you disable or do not configure this policy setting, the default behavior of LLTDIO will apply.
See Also
https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_7_Workstation_Benchmark_v3.0.1.pdf
References
800-53 CM-7
CIP 007-6-R1
PCI-DSSV3.1 2.2.2
PCI-DSSV3.1 2.2.3
PCI-DSSV3.2 2.2.2
PCI-DSSV3.2 2.2.3
800-171 3.4.6
800-171 3.4.7
CN-L3 7.1.3.5(c)
CN-L3 7.1.3.7(d)
CSF PR.IP-1
CSF PR.PT-3
ITSG-33 CM-7
CSCV6 9
CSCV6 9.1
LEVEL 2S
Audit File
CIS_MS_Windows_7_L2_v3.0.1.audit
Hosts

192.168.1.114

REG_ERROR_OPEN_KEY: an error happened while opening the key

Windows error code: ERROR_FILE_NOT_FOUND
reg_key: HKLM\Software\Policies\Microsoft\Windows\Lltd
reg_item: EnableLLTDIO
18.4.9.1 Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled' - ProhibitLLTDIOOnPrivateNet
Info
This policy setting changes the operational behavior of the Mapper I/O network protocol driver. LLTDIO allows a computer to discover the topology of the network it is connected to. It also allows a computer to initiate Quality-of-Service requests such as bandwidth estimation and network health analysis. The recommended state for this setting is: Disabled. To reduce the chance of discovering and connecting to unauthorized devices, this setting should be disabled so the computer does not take part in network topology discovery traffic.
Solution
To implement the recommended configuration state, set the following Group Policy setting to Disabled: Computer Configuration\Policies\Administrative Templates\Network\Link-Layer Topology Discovery\Turn on Mapper I/O (LLTDIO) driver Impact: If you disable or do not configure this policy setting, the default behavior of LLTDIO will apply.
See Also
https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_7_Workstation_Benchmark_v3.0.1.pdf
References
800-53 CM-7
CIP 007-6-R1
PCI-DSSV3.1 2.2.2
PCI-DSSV3.1 2.2.3
PCI-DSSV3.2 2.2.2
PCI-DSSV3.2 2.2.3
800-171 3.4.6
800-171 3.4.7
CN-L3 7.1.3.5(c)
CN-L3 7.1.3.7(d)
CSF PR.IP-1
CSF PR.PT-3
ITSG-33 CM-7
CSCV6 9
CSCV6 9.1
LEVEL 2S
Audit File
CIS_MS_Windows_7_L2_v3.0.1.audit
Hosts

192.168.1.114

REG_ERROR_OPEN_KEY: an error happened while opening the key

Windows error code: ERROR_FILE_NOT_FOUND
reg_key: HKLM\Software\Policies\Microsoft\Windows\Lltd
reg_item: ProhibitLLTDIOOnPrivateNet
18.4.9.2 Ensure 'Turn on Responder (RSPNDR) driver' is set to 'Disabled' - AllowRspndrOnPublicNet
Info
This policy setting changes the operational behavior of the Responder network protocol driver. The Responder allows a computer to participate in Link Layer Topology Discovery requests so that it can be discovered and located on the network. It also allows a computer to participate in Quality-of-Service activities such as bandwidth estimation and network health analysis. The recommended state for this setting is: Disabled. To reduce the chance of discovering and connecting to unauthorized devices, this setting should be disabled so the computer does not respond to network topology discovery traffic.
Solution
To implement the recommended configuration state, set the following Group Policy setting to Disabled: Computer Configuration\Policies\Administrative Templates\Network\Link-Layer Topology Discovery\Turn on Responder (RSPNDR) driver Impact: If you disable or do not configure this policy setting, the default behavior of RSPNDR will apply.
See Also
https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_7_Workstation_Benchmark_v3.0.1.pdf
References
800-53 CM-7
CIP 007-6-R1
PCI-DSSV3.1 2.2.2
PCI-DSSV3.1 2.2.3
PCI-DSSV3.2 2.2.2
PCI-DSSV3.2 2.2.3
800-171 3.4.6
800-171 3.4.7
CN-L3 7.1.3.5(c)
CN-L3 7.1.3.7(d)
CSF PR.IP-1
CSF PR.PT-3
ITSG-33 CM-7
CSCV6 9
CSCV6 9.1
LEVEL 2S
Audit File
CIS_MS_Windows_7_L2_v3.0.1.audit
Hosts

192.168.1.114

REG_ERROR_OPEN_KEY: an error happened while opening the key

Windows error code: ERROR_FILE_NOT_FOUND
reg_key: HKLM\Software\Policies\Microsoft\Windows\Lltd
reg_item: AllowRspndrOnPublicNet
18.4.9.2 Ensure 'Turn on Responder (RSPNDR) driver' is set to 'Disabled' - AllowRspndrOndomain
Info
This policy setting changes the operational behavior of the Responder network protocol driver. The Responder allows a computer to participate in Link Layer Topology Discovery requests so that it can be discovered and located on the network. It also allows a computer to participate in Quality-of-Service activities such as bandwidth estimation and network health analysis. The recommended state for this setting is: Disabled. To reduce the chance of discovering and connecting to unauthorized devices, this setting should be disabled so the computer does not respond to network topology discovery traffic.
Solution
To implement the recommended configuration state, set the following Group Policy setting to Disabled: Computer Configuration\Policies\Administrative Templates\Network\Link-Layer Topology Discovery\Turn on Responder (RSPNDR) driver Impact: If you disable or do not configure this policy setting, the default behavior of RSPNDR will apply.
See Also
https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_7_Workstation_Benchmark_v3.0.1.pdf
References
800-53 CM-7
CIP 007-6-R1
PCI-DSSV3.1 2.2.2
PCI-DSSV3.1 2.2.3
PCI-DSSV3.2 2.2.2
PCI-DSSV3.2 2.2.3
800-171 3.4.6
800-171 3.4.7
CN-L3 7.1.3.5(c)
CN-L3 7.1.3.7(d)
CSF PR.IP-1
CSF PR.PT-3
ITSG-33 CM-7
CSCV6 9
CSCV6 9.1
LEVEL 2S
Audit File
CIS_MS_Windows_7_L2_v3.0.1.audit
Hosts

192.168.1.114

REG_ERROR_OPEN_KEY: an error happened while opening the key

Windows error code: ERROR_FILE_NOT_FOUND
reg_key: HKLM\Software\Policies\Microsoft\Windows\Lltd
reg_item: AllowRspndrOndomain
18.4.9.2 Ensure 'Turn on Responder (RSPNDR) driver' is set to 'Disabled' - EnableRspndr
Info
This policy setting changes the operational behavior of the Responder network protocol driver. The Responder allows a computer to participate in Link Layer Topology Discovery requests so that it can be discovered and located on the network. It also allows a computer to participate in Quality-of-Service activities such as bandwidth estimation and network health analysis. The recommended state for this setting is: Disabled. To reduce the chance of discovering and connecting to unauthorized devices, this setting should be disabled so the computer does not respond to network topology discovery traffic.
Solution
To implement the recommended configuration state, set the following Group Policy setting to Disabled: Computer Configuration\Policies\Administrative Templates\Network\Link-Layer Topology Discovery\Turn on Responder (RSPNDR) driver Impact: If you disable or do not configure this policy setting, the default behavior of RSPNDR will apply.
See Also
https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_7_Workstation_Benchmark_v3.0.1.pdf
References
800-53 CM-7
CIP 007-6-R1
PCI-DSSV3.1 2.2.2
PCI-DSSV3.1 2.2.3
PCI-DSSV3.2 2.2.2
PCI-DSSV3.2 2.2.3
800-171 3.4.6
800-171 3.4.7
CN-L3 7.1.3.5(c)
CN-L3 7.1.3.7(d)
CSF PR.IP-1
CSF PR.PT-3
ITSG-33 CM-7
CSCV6 9
CSCV6 9.1
LEVEL 2S
Audit File
CIS_MS_Windows_7_L2_v3.0.1.audit
Hosts

192.168.1.114

REG_ERROR_OPEN_KEY: an error happened while opening the key

Windows error code: ERROR_FILE_NOT_FOUND
reg_key: HKLM\Software\Policies\Microsoft\Windows\Lltd
reg_item: EnableRspndr
18.4.9.2 Ensure 'Turn on Responder (RSPNDR) driver' is set to 'Disabled' - ProhibitRspndrOnPrivateNet
Info
This policy setting changes the operational behavior of the Responder network protocol driver. The Responder allows a computer to participate in Link Layer Topology Discovery requests so that it can be discovered and located on the network. It also allows a computer to participate in Quality-of-Service activities such as bandwidth estimation and network health analysis. The recommended state for this setting is: Disabled. To reduce the chance of discovering and connecting to unauthorized devices, this setting should be disabled so the computer does not respond to network topology discovery traffic.
Solution
To implement the recommended configuration state, set the following Group Policy setting to Disabled: Computer Configuration\Policies\Administrative Templates\Network\Link-Layer Topology Discovery\Turn on Responder (RSPNDR) driver Impact: If you disable or do not configure this policy setting, the default behavior of RSPNDR will apply.
See Also
https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_7_Workstation_Benchmark_v3.0.1.pdf
References
800-53 CM-7
CIP 007-6-R1
PCI-DSSV3.1 2.2.2
PCI-DSSV3.1 2.2.3
PCI-DSSV3.2 2.2.2
PCI-DSSV3.2 2.2.3
800-171 3.4.6
800-171 3.4.7
CN-L3 7.1.3.5(c)
CN-L3 7.1.3.7(d)
CSF PR.IP-1
CSF PR.PT-3
ITSG-33 CM-7
CSCV6 9
CSCV6 9.1
LEVEL 2S
Audit File
CIS_MS_Windows_7_L2_v3.0.1.audit
Hosts

192.168.1.114

REG_ERROR_OPEN_KEY: an error happened while opening the key

Windows error code: ERROR_FILE_NOT_FOUND
reg_key: HKLM\Software\Policies\Microsoft\Windows\Lltd
reg_item: ProhibitRspndrOnPrivateNet
18.4.19.2.1 Disable IPv6 (Ensure TCPIP6 Parameter 'DisabledComponents' is set to '0xff (255)')
Info
Internet Protocol version 6 (IPv6) is a set of protocols that computers use to exchange information over the Internet and over home and business networks. IPv6 allows for many more IP addresses to be assigned than IPv4 did. Older networking equipment, hosts and operating systems may not support IPv6 natively. The recommended state for this setting is: DisabledComponents = 0xff (255). Since the vast majority of private corporate networks have no need to utilize IPv6 (because they have access to private IPv4 addressing), disabling IPv6 components reduces a possible attack surface whose traffic is also harder to monitor. As a result, we recommend configuring IPv6 to a Disabled state when it is not needed.
Solution
To establish the recommended configuration, set the following Registry value to 0xff (255) (DWORD): HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters:DisabledComponents Note: Although Microsoft does not provide an ADMX template to configure this registry value, a custom .ADM template (Disable-IPv6-Components-KB929852.adm) is provided in the CIS Benchmark Remediation Kit to facilitate its configuration. Be aware though that simply turning off the group policy setting in the .ADM template will not 'undo' the change once applied. Instead, the opposite setting must be applied to change the registry value to the opposite state. Impact: Connectivity to other systems using IPv6 will no longer operate, and software that depends on IPv6 will cease to function. Examples of Microsoft applications that may use IPv6 include: Remote Assistance, HomeGroup, DirectAccess, Windows Mail. This registry change is documented in Microsoft Knowledge Base article 929852: How to disable IPv6 or its components in Windows. Note: This registry change does not take effect until the next reboot.
See Also
https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_7_Workstation_Benchmark_v3.0.1.pdf
References
800-53 SC-7
800-171 3.13.1
ITSG-33 SC-7
CSCV6 9
CSCV6 9.2
LEVEL 2S
Audit File
CIS_MS_Windows_7_L2_v3.0.1.audit
Hosts

192.168.1.114

REG_ERROR_QUERY_VALUE: an error happened while querying the value

Windows error code: ERROR_FILE_NOT_FOUND
reg_key: HKLM\System\Currentcontrolset\Services\Tcpip6\Parameters
reg_item: DisabledComponents
18.4.20.1 Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled' - DisableFlashConfigRegistrar
Info
This policy setting allows the configuration of wireless settings using Windows Connect Now (WCN). The WCN Registrar enables the discovery and configuration of devices over Ethernet (UPnP) over In-band 802.11 Wi-Fi through the Windows Portable Device API (WPD) and via USB Flash drives. Additional options are available to allow discovery and configuration over a specific medium. The recommended state for this setting is: Disabled. This setting enhances the security of the environment and reduces the overall risk exposure related to user configuration of wireless settings.
Solution
To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\Policies\Administrative Templates\Network\Windows Connect Now\Configuration of wireless settings using Windows Connect Now Impact: If you enable this policy setting, additional choices are available to turn off the operations over a specific medium. If you disable this policy setting, operations are disabled over all media. If you do not configure this policy setting, operations are enabled over all media.
See Also
https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_7_Workstation_Benchmark_v3.0.1.pdf
References
800-53 CM-7
CIP 007-6-R1
PCI-DSSV3.1 2.2.2
PCI-DSSV3.1 2.2.3
PCI-DSSV3.2 2.2.2
PCI-DSSV3.2 2.2.3
800-171 3.4.6
800-171 3.4.7
CN-L3 7.1.3.5(c)
CN-L3 7.1.3.7(d)
CSF PR.IP-1
CSF PR.PT-3
ITSG-33 CM-7
CSCV6 15.4
CSCV6 9.1
LEVEL 2S
Audit File
CIS_MS_Windows_7_L2_v3.0.1.audit
Hosts

192.168.1.114

REG_ERROR_OPEN_KEY: an error happened while opening the key

Windows error code: ERROR_FILE_NOT_FOUND
reg_key: HKLM\Software\Policies\Microsoft\Windows\Wcn\Registrars
reg_item: DisableFlashConfigRegistrar
18.4.20.1 Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled' - DisableInBand802DOT11Registrar
Info
This policy setting allows the configuration of wireless settings using Windows Connect Now (WCN). The WCN Registrar enables the discovery and configuration of devices over Ethernet (UPnP) over In-band 802.11 Wi-Fi through the Windows Portable Device API (WPD) and via USB Flash drives. Additional options are available to allow discovery and configuration over a specific medium. The recommended state for this setting is: Disabled. This setting enhances the security of the environment and reduces the overall risk exposure related to user configuration of wireless settings.
Solution
To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\Policies\Administrative Templates\Network\Windows Connect Now\Configuration of wireless settings using Windows Connect Now Impact: If you enable this policy setting, additional choices are available to turn off the operations over a specific medium. If you disable this policy setting, operations are disabled over all media. If you do not configure this policy setting, operations are enabled over all media.
See Also
https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_7_Workstation_Benchmark_v3.0.1.pdf
References
800-53 CM-7
CIP 007-6-R1
PCI-DSSV3.1 2.2.2
PCI-DSSV3.1 2.2.3
PCI-DSSV3.2 2.2.2
PCI-DSSV3.2 2.2.3
800-171 3.4.6
800-171 3.4.7
CN-L3 7.1.3.5(c)
CN-L3 7.1.3.7(d)
CSF PR.IP-1
CSF PR.PT-3
ITSG-33 CM-7
CSCV6 15.4
CSCV6 9.1
LEVEL 2S
Audit File
CIS_MS_Windows_7_L2_v3.0.1.audit
Hosts

192.168.1.114

REG_ERROR_OPEN_KEY: an error happened while opening the key

Windows error code: ERROR_FILE_NOT_FOUND
reg_key: HKLM\Software\Policies\Microsoft\Windows\Wcn\Registrars
reg_item: DisableInBand802DOT11Registrar
18.4.20.1 Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled' - DisableUPnPRegistrar
Info
This policy setting allows the configuration of wireless settings using Windows Connect Now (WCN). The WCN Registrar enables the discovery and configuration of devices over Ethernet (UPnP) over In-band 802.11 Wi-Fi through the Windows Portable Device API (WPD) and via USB Flash drives. Additional options are available to allow discovery and configuration over a specific medium. The recommended state for this setting is: Disabled. This setting enhances the security of the environment and reduces the overall risk exposure related to user configuration of wireless settings.
Solution
To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\Policies\Administrative Templates\Network\Windows Connect Now\Configuration of wireless settings using Windows Connect Now Impact: If you enable this policy setting, additional choices are available to turn off the operations over a specific medium. If you disable this policy setting, operations are disabled over all media. If you do not configure this policy setting, operations are enabled over all media.
See Also
https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_7_Workstation_Benchmark_v3.0.1.pdf
References
800-53 CM-7
CIP 007-6-R1
PCI-DSSV3.1 2.2.2
PCI-DSSV3.1 2.2.3
PCI-DSSV3.2 2.2.2
PCI-DSSV3.2 2.2.3
800-171 3.4.6
800-171 3.4.7
CN-L3 7.1.3.5(c)
CN-L3 7.1.3.7(d)
CSF PR.IP-1
CSF PR.PT-3
ITSG-33 CM-7
CSCV6 15.4
CSCV6 9.1
LEVEL 2S
Audit File
CIS_MS_Windows_7_L2_v3.0.1.audit
Hosts

192.168.1.114

REG_ERROR_OPEN_KEY: an error happened while opening the key

Windows error code: ERROR_FILE_NOT_FOUND
reg_key: HKLM\Software\Policies\Microsoft\Windows\Wcn\Registrars
reg_item: DisableUPnPRegistrar
18.4.20.1 Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled' - DisableWPDRegistrar
Info
This policy setting allows the configuration of wireless settings using Windows Connect Now (WCN). The WCN Registrar enables the discovery and configuration of devices over Ethernet (UPnP) over In-band 802.11 Wi-Fi through the Windows Portable Device API (WPD) and via USB Flash drives. Additional options are available to allow discovery and configuration over a specific medium. The recommended state for this setting is: Disabled. This setting enhances the security of the environment and reduces the overall risk exposure related to user configuration of wireless settings.
Solution
To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\Policies\Administrative Templates\Network\Windows Connect Now\Configuration of wireless settings using Windows Connect Now Impact: If you enable this policy setting, additional choices are available to turn off the operations over a specific medium. If you disable this policy setting, operations are disabled over all media. If you do not configure this policy setting, operations are enabled over all media.
See Also
https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_7_Workstation_Benchmark_v3.0.1.pdf
References
800-53 CM-7
CIP 007-6-R1
PCI-DSSV3.1 2.2.2
PCI-DSSV3.1 2.2.3
PCI-DSSV3.2 2.2.2
PCI-DSSV3.2 2.2.3
800-171 3.4.6
800-171 3.4.7
CN-L3 7.1.3.5(c)
CN-L3 7.1.3.7(d)
CSF PR.IP-1
CSF PR.PT-3
ITSG-33 CM-7
CSCV6 15.4
CSCV6 9.1
LEVEL 2S
Audit File
CIS_MS_Windows_7_L2_v3.0.1.audit
Hosts

192.168.1.114

REG_ERROR_OPEN_KEY: an error happened while opening the key

Windows error code: ERROR_FILE_NOT_FOUND
reg_key: HKLM\Software\Policies\Microsoft\Windows\Wcn\Registrars
reg_item: DisableWPDRegistrar
18.4.20.1 Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled' - EnableRegistrars
Info
This policy setting allows the configuration of wireless settings using Windows Connect Now (WCN). The WCN Registrar enables the discovery and configuration of devices over Ethernet (UPnP) over In-band 802.11 Wi-Fi through the Windows Portable Device API (WPD) and via USB Flash drives. Additional options are available to allow discovery and configuration over a specific medium. The recommended state for this setting is: Disabled. This setting enhances the security of the environment and reduces the overall risk exposure related to user configuration of wireless settings.
Solution
To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\Policies\Administrative Templates\Network\Windows Connect Now\Configuration of wireless settings using Windows Connect Now Impact: If you enable this policy setting, additional choices are available to turn off the operations over a specific medium. If you disable this policy setting, operations are disabled over all media. If you do not configure this policy setting, operations are enabled over all media.
See Also
https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_7_Workstation_Benchmark_v3.0.1.pdf
References
800-53 CM-7
CIP 007-6-R1
PCI-DSSV3.1 2.2.2
PCI-DSSV3.1 2.2.3
PCI-DSSV3.2 2.2.2
PCI-DSSV3.2 2.2.3
800-171 3.4.6
800-171 3.4.7
CN-L3 7.1.3.5(c)
CN-L3 7.1.3.7(d)
CSF PR.IP-1
CSF PR.PT-3
ITSG-33 CM-7
CSCV6 15.4
CSCV6 9.1
LEVEL 2S
Audit File
CIS_MS_Windows_7_L2_v3.0.1.audit
Hosts

192.168.1.114

REG_ERROR_OPEN_KEY: an error happened while opening the key

Windows error code: ERROR_FILE_NOT_FOUND
reg_key: HKLM\Software\Policies\Microsoft\Windows\Wcn\Registrars
reg_item: EnableRegistrars
18.4.20.2 Ensure 'Prohibit access of the Windows Connect Now wizards' is set to 'Enabled'
Info
This policy setting prohibits access to Windows Connect Now (WCN) wizards. The recommended state for this setting is: Enabled. Allowing standard users to access the Windows Connect Now wizard increases the risk and attack surface.
Solution
To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\Policies\Administrative Templates\Network\Windows Connect Now\Prohibit access of the Windows Connect Now wizards Impact: If you enable this policy setting, the wizards are turned off and users have no access to any of the wizard tasks. All the configuration-related tasks, including 'Set up a wireless router or access point' and 'Add a wireless device', are disabled. If you disable or do not configure this policy setting, users can access the wizard tasks, including 'Set up a wireless router or access point' and 'Add a wireless device'.
See Also
https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_7_Workstation_Benchmark_v3.0.1.pdf
References
800-53 CM-6
PCI-DSSV3.1 2.2.4
PCI-DSSV3.2 2.2.4
800-171 3.4.2
CSF PR.IP-1
ITSG-33 CM-6
CSCV6 15.4
CSCV6 3.1
LEVEL 2S
Audit File
CIS_MS_Windows_7_L2_v3.0.1.audit
Hosts

192.168.1.114

REG_ERROR_OPEN_KEY: an error happened while opening the key

Windows error code: ERROR_FILE_NOT_FOUND
reg_key: HKLM\Software\Policies\Microsoft\Windows\Wcn\Ui
reg_item: DisableWcnUi
18.8.20.1.1 Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled'
Info
This policy setting controls whether the computer can download print driver packages over HTTP. To set up HTTP printing, printer drivers that are not available in the standard operating system installation might need to be downloaded over HTTP. The recommended state for this setting is: Enabled. Users might download drivers that include malicious code.
Solution
To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\Policies\Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off downloading of print drivers over HTTP Impact: This policy setting does not prevent the client computer from printing to printers on the intranet or the Internet over HTTP. It only prohibits the downloading of drivers that are not already installed locally.
See Also
https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_7_Workstation_Benchmark_v3.0.1.pdf
References
800-53 SC-7
800-171 3.13.1
CSF PR.DS-5
CSF PR.PT-4
ITSG-33 SC-7
CSCV6 2
LEVEL 2S
Audit File
CIS_MS_Windows_7_L2_v3.0.1.audit
Hosts

192.168.1.114

REG_ERROR_OPEN_KEY: an error happened while opening the key

Windows error code: ERROR_FILE_NOT_FOUND
reg_key: HKLM\Software\Policies\Microsoft\Windows Nt\Printers
reg_item: DisableWebPnPDownload
18.8.20.1.2 Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled'
Info
This setting turns off data sharing from the handwriting recognition personalization tool. The handwriting recognition personalization tool enables Tablet PC users to adapt handwriting recognition to their own writing style by providing writing samples. The tool can optionally share user writing samples with Microsoft to improve handwriting recognition in future versions of Windows. The tool generates reports and transmits them to Microsoft over a secure connection. The recommended state for this setting is: Enabled. A person's handwriting is Personally Identifiable Information (PII), especially when it comes to your signature. As such, it is unacceptable in many environments to automatically upload PII to a website without explicit approval by the user.
Solution
To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\Policies\Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off handwriting personalization data sharing Note: This Group Policy setting is provided by the Group Policy template 'ShapeCollector.admx/adml' that is included with the Microsoft Windows 7/2008R2, 8/2012, 8.1/2012R2 and Windows 10 Administrative Templates. Impact: If you enable this policy, Tablet PC users cannot choose to share writing samples from the handwriting recognition personalization tool with Microsoft.
See Also
https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_7_Workstation_Benchmark_v3.0.1.pdf
References
800-53 AC-6
800-171 3.1.7
CSF PR.AC-4
CSCV6 13
LEVEL 2S
Audit File
CIS_MS_Windows_7_L2_v3.0.1.audit
Hosts

192.168.1.114

REG_ERROR_OPEN_KEY: an error happened while opening the key

Windows error code: ERROR_FILE_NOT_FOUND
reg_key: HKLM\Software\Policies\Microsoft\Windows\Tabletpc
reg_item: PreventHandwritingDataSharing
18.8.20.1.3 Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'
Info
Turns off the handwriting recognition error reporting tool. The handwriting recognition error reporting tool enables users to report errors encountered in Tablet PC Input Panel. The tool generates error reports and transmits them to Microsoft over a secure connection. Microsoft uses these error reports to improve handwriting recognition in future versions of Windows. The recommended state for this setting is: Enabled. A person's handwriting is Personally Identifiable Information (PII), especially when it comes to your signature. As such, it is unacceptable in many environments to automatically upload PII to a website without explicit approval by the user.
Solution
To establish the recommended configuration via GP, set the following UI path to Enabled- Computer Configuration\Policies\Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off handwriting recognition error reporting Impact- If you enable this policy, users cannot start the handwriting recognition error reporting tool or send error reports to Microsoft.
See Also
https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_7_Workstation_Benchmark_v3.0.1.pdf
References
800-53 SI-11
ITSG-33 SI-11
CSCV6 13
LEVEL 2S
Audit File
CIS_MS_Windows_7_L2_v3.0.1.audit
Hosts

192.168.1.114

REG_ERROR_OPEN_KEY: an error happened while opening the key

Windows error code: ERROR_FILE_NOT_FOUND
reg_key: HKLM\Software\Policies\Microsoft\Windows\Handwritingerrorreports
reg_item: PreventHandwritingErrorReports
18.8.20.1.4 Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'
Info
This policy setting specifies whether the Internet Connection Wizard can connect to Microsoft to download a list of Internet Service Providers (ISPs). The recommended state for this setting is: Enabled. In an Enterprise environment we want to lower the risk of a user unknowingly exposing sensitive data.
Solution
To establish the recommended configuration via GP, set the following UI path to Enabled- Computer Configuration\Policies\Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com Impact- If you enable this policy setting, the 'Choose a list of Internet Service Providers' path in the Internet Connection Wizard causes the wizard to exit. This prevents users from retrieving the list of ISPs, which resides on Microsoft servers.
See Also
https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_7_Workstation_Benchmark_v3.0.1.pdf
References
800-53 AC-6
800-171 3.1.7
CSF PR.AC-4
CSCV6 13
LEVEL 2S
Audit File
CIS_MS_Windows_7_L2_v3.0.1.audit
Hosts

192.168.1.114

REG_ERROR_OPEN_KEY: an error happened while opening the key

Windows error code: ERROR_FILE_NOT_FOUND
reg_key: HKLM\Software\Policies\Microsoft\Windows\Internet Connection Wizard
reg_item: ExitOnMSICW
18.8.20.1.5 Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'
Info
This policy setting controls whether Windows will download a list of providers for the Web publishing and online ordering wizards. The recommended state for this setting is: Enabled. Although the risk is minimal, enabling this setting will reduce the possibility of a user unknowingly downloading malicious content through this feature.
Solution
To establish the recommended configuration via GP, set the following UI path to Enabled- Computer Configuration\Policies\Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off Internet download for Web publishing and online ordering wizards Impact- If this policy setting is enabled, Windows is prevented from downloading providers; only the service providers cached in the local registry will display.
See Also
https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_7_Workstation_Benchmark_v3.0.1.pdf
References
800-53 CM-6
PCI-DSSV3.1 2.2.4
PCI-DSSV3.2 2.2.4
800-171 3.4.2
CSF PR.IP-1
ITSG-33 CM-6
CSCV6 3.1
CSCV6 7
LEVEL 2S
Audit File
CIS_MS_Windows_7_L2_v3.0.1.audit
Hosts

192.168.1.114

REG_ERROR_QUERY_VALUE: an error happened while querying the value

Windows error code: ERROR_FILE_NOT_FOUND
reg_key: HKLM\Software\Microsoft\Windows\Currentversion\Policies\Explorer
reg_item: NoWebServices
18.8.20.1.6 Ensure 'Turn off Internet File Association service' is set to 'Enabled'
Info
This policy setting specifies whether to use the Microsoft Web service for finding an application to open a file with an unhandled file association. When a user opens a file that has an extension that is not associated with any applications on the computer, the user is given the choice to select a local application or use the Web service to find an application. The recommended state for this setting is: Enabled. This service's purpose is to help find an appropriate application for a file whose type is unrecognized by the computer. That could pose a security risk if the unrecognized file is malicious code, even if the application to be discovered is itself innocent. Corporate environments tend to be very managed, where the IT staff decide which applications should and should not be installed.
Solution
To establish the recommended configuration via GP, set the following UI path to Enabled- Computer Configuration\Policies\Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off Internet File Association service Impact- If you enable this policy setting, the link and the dialog for using the Web service to open an unhandled file association are removed.
See Also
https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_7_Workstation_Benchmark_v3.0.1.pdf
References
800-53 CM-6
PCI-DSSV3.1 2.2.4
PCI-DSSV3.2 2.2.4
800-171 3.4.2
CSF PR.IP-1
ITSG-33 CM-6
CSCV6 3.1
CSCV6 7
LEVEL 2S
Audit File
CIS_MS_Windows_7_L2_v3.0.1.audit
Hosts

192.168.1.114

REG_ERROR_QUERY_VALUE: an error happened while querying the value

Windows error code: ERROR_FILE_NOT_FOUND
reg_key: HKLM\Software\Microsoft\Windows\Currentversion\Policies\Explorer
reg_item: NoInternetOpenWith
18.8.20.1.7 Ensure 'Turn off printing over HTTP' is set to 'Enabled'
Info
This policy setting allows you to disable the client computer's ability to print over HTTP, which allows the computer to print to printers on the intranet as well as the Internet. The recommended state for this setting is: Enabled. Information that is transmitted over HTTP through this capability is not protected and can be intercepted by malicious users. For this reason, it is not often used in enterprise environments.
Solution
To establish the recommended configuration via GP, set the following UI path to Enabled- Computer Configuration\Policies\Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off printing over HTTP Impact- If you enable this policy setting, the client computer will not be able to print to Internet printers over HTTP. This policy setting affects the client side of Internet printing only. Regardless of how it is configured, a computer could act as an Internet Printing server and make its shared printers available through HTTP.
See Also
https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_7_Workstation_Benchmark_v3.0.1.pdf
References
800-53 CM-7
PCI-DSSV3.1 12.3.7
PCI-DSSV3.2 12.3.7
800-171 3.4.8
CSF PR.IP-1
CSF PR.PT-3
ISO/IEC-27001 A.12.5.1
ISO/IEC-27001 A.12.6.2
CSCV6 13.1
CSCV6 2.2
LEVEL 2S
Audit File
CIS_MS_Windows_7_L2_v3.0.1.audit
Hosts

192.168.1.114

REG_ERROR_OPEN_KEY: an error happened while opening the key

Windows error code: ERROR_FILE_NOT_FOUND
reg_key: HKLM\Software\Policies\Microsoft\Windows Nt\Printers
reg_item: DisableHTTPPrinting
18.8.20.1.8 Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'
Info
This policy setting specifies whether the Windows Registration Wizard connects to Microsoft.com for online registration. The recommended state for this setting is: Enabled. Users in a corporate environment should not be registering their own copies of Windows, providing their own PII in the process.
Solution
To establish the recommended configuration via GP, set the following UI path to Enabled- Computer Configuration\Policies\Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off Registration if URL connection is referring to Microsoft.com Impact- If you enable this policy setting, it blocks users from connecting to Microsoft.com for online registration and users cannot register their copy of Windows online.
See Also
https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_7_Workstation_Benchmark_v3.0.1.pdf
References
800-53 AC-6
800-171 3.1.7
CSF PR.AC-4
LEVEL 2S
Audit File
CIS_MS_Windows_7_L2_v3.0.1.audit
Hosts

192.168.1.114

REG_ERROR_OPEN_KEY: an error happened while opening the key

Windows error code: ERROR_FILE_NOT_FOUND
reg_key: HKLM\Software\Policies\Microsoft\Windows\Registration Wizard Control
reg_item: NoRegistration
18.8.20.1.9 Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'
Info
This policy setting specifies whether Search Companion should automatically download content updates during local and Internet searches. The recommended state for this setting is: Enabled. There is a small risk that users will unknowingly reveal sensitive information because of the topics they are searching for. This risk is very low because even if this setting is enabled users still must submit search queries to the desired search engine in order to perform searches.
Solution
To establish the recommended configuration via GP, set the following UI path to Enabled- Computer Configuration\Policies\Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off Search Companion content file updates Impact- Internet searches will still send the search text and information about the search to Microsoft and the chosen search provider. If you select Classic Search, the Search Companion feature will be unavailable. You can select Classic Search by clicking Start, Search, Change Preferences, and then Change Internet Search Behavior.
See Also
https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_7_Workstation_Benchmark_v3.0.1.pdf
References
800-53 CM-7
PCI-DSSV3.1 12.3.7
PCI-DSSV3.2 12.3.7
800-171 3.4.8
CSF PR.IP-1
CSF PR.PT-3
ISO/IEC-27001 A.12.5.1
ISO/IEC-27001 A.12.6.2
CSCV6 13
CSCV6 2.2
LEVEL 2S
Audit File
CIS_MS_Windows_7_L2_v3.0.1.audit
Hosts

192.168.1.114

REG_ERROR_OPEN_KEY: an error happened while opening the key

Windows error code: ERROR_FILE_NOT_FOUND
reg_key: HKLM\Software\Policies\Microsoft\Searchcompanion
reg_item: DisableContentFileUpdates
18.8.20.1.10 Ensure 'Turn off the 'Order Prints' picture task' is set to 'Enabled'
Info
This policy setting specifies whether the 'Order Prints Online' task is available from Picture Tasks in Windows folders. The Order Prints Online Wizard is used to download a list of providers and allow users to order prints online. The recommended state for this setting is: Enabled. In an Enterprise environment we want to lower the risk of a user unknowingly exposing sensitive data.
Solution
To establish the recommended configuration via GP, set the following UI path to Enabled- Computer Configuration\Policies\Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off the 'Order Prints' picture task Impact- If you enable this policy setting, the task 'Order Prints Online' is removed from Picture Tasks in File Explorer folders.
See Also
https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_7_Workstation_Benchmark_v3.0.1.pdf
References
800-53 CM-6
PCI-DSSV3.1 2.2.4
PCI-DSSV3.2 2.2.4
800-171 3.4.2
CSF PR.IP-1
ITSG-33 CM-6
CSCV6 13
CSCV6 3.1
LEVEL 2S
Audit File
CIS_MS_Windows_7_L2_v3.0.1.audit
Hosts

192.168.1.114

REG_ERROR_QUERY_VALUE: an error happened while querying the value

Windows error code: ERROR_FILE_NOT_FOUND
reg_key: HKLM\Software\Microsoft\Windows\Currentversion\Policies\Explorer
reg_item: NoOnlinePrintsWizard
18.8.20.1.11 Ensure 'Turn off the 'Publish to Web' task for files and folders' is set to 'Enabled'
Info
This policy setting specifies whether the tasks Publish this file to the Web, Publish this folder to the Web, and Publish the selected items to the Web are available from File and Folder Tasks in Windows folders. The recommended state for this setting is: Enabled. Users may publish confidential or sensitive information to a public service outside of the control of the organization.
Solution
To establish the recommended configuration via GP, set the following UI path to Enabled- Computer Configuration\Policies\Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off the 'Publish to Web' task for files and folders Impact- The Web Publishing wizard is used to download a list of providers and allow users to publish content to the Web.
See Also
https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_7_Workstation_Benchmark_v3.0.1.pdf
References
800-53 CM-6
PCI-DSSV3.1 2.2.4
PCI-DSSV3.2 2.2.4
800-171 3.4.2
CSF PR.IP-1
ITSG-33 CM-6
CSCV6 13
CSCV6 3.1
LEVEL 2S
Audit File
CIS_MS_Windows_7_L2_v3.0.1.audit
Hosts

192.168.1.114

REG_ERROR_QUERY_VALUE: an error happened while querying the value

Windows error code: ERROR_FILE_NOT_FOUND
reg_key: HKLM\Software\Microsoft\Windows\Currentversion\Policies\Explorer
reg_item: NoPublishingWizard
18.8.20.1.12 Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'
Info
This policy setting specifies whether Windows Messenger can collect anonymous information about how the Windows Messenger software and service is used. The recommended state for this setting is: Enabled. Large enterprise environments may not want to have information collected from managed client computers.
Solution
To establish the recommended configuration via GP, set the following UI path to Enabled- Computer Configuration\Policies\Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off the Windows Messenger Customer Experience Improvement Program Impact- Microsoft uses information collected through the Customer Experience Improvement Program to detect software flaws so that they can be corrected more quickly; enabling this setting will reduce the amount of data Microsoft is able to gather for this purpose.
See Also
https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_7_Workstation_Benchmark_v3.0.1.pdf
References
800-53 CM-7
PCI-DSSV3.1 12.3.7
PCI-DSSV3.2 12.3.7
800-171 3.4.8
CSF PR.IP-1
CSF PR.PT-3
ISO/IEC-27001 A.12.5.1
ISO/IEC-27001 A.12.6.2
CSCV6 13
CSCV6 2.2
LEVEL 2S
Audit File
CIS_MS_Windows_7_L2_v3.0.1.audit
Hosts

192.168.1.114

REG_ERROR_OPEN_KEY: an error happened while opening the key

Windows error code: ERROR_FILE_NOT_FOUND
reg_key: HKLM\Software\Policies\Microsoft\Messenger\Client
reg_item: CEIP
18.8.20.1.13 Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'
Info
This policy setting specifies whether Windows Messenger can collect anonymous information about how the Windows Messenger software and service is used. The recommended state for this setting is: Enabled. Large enterprise environments may not want to have information collected from managed client computers.
Solution
To establish the recommended configuration via GP, set the following UI path to Enabled- Computer Configuration\Policies\Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off Windows Customer Experience Improvement Program Impact- Microsoft uses information collected through the Customer Experience Improvement Program to detect software flaws so that they can be corrected more quickly; enabling this setting will reduce the amount of data Microsoft is able to gather for this purpose.
See Also
https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_7_Workstation_Benchmark_v3.0.1.pdf
References
800-53 AC-6
800-171 3.1.7
CSF PR.AC-4
CSCV6 13
LEVEL 2S
Audit File
CIS_MS_Windows_7_L2_v3.0.1.audit
Hosts

192.168.1.114

REG_ERROR_OPEN_KEY: an error happened while opening the key

Windows error code: ERROR_FILE_NOT_FOUND
reg_key: HKLM\Software\Policies\Microsoft\Sqmclient\Windows
reg_item: CEIPEnable
18.8.20.1.14 Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'
Info
This policy setting controls whether or not errors are reported to Microsoft. Error Reporting is used to report information about a system or application that has failed or has stopped responding and is used to improve the quality of the product. The recommended state for this setting is: Enabled. If a Windows Error occurs in a secure, managed corporate environment, the error should be reported directly to IT staff for troubleshooting and remediation. There is no benefit to the corporation to report these errors directly to Microsoft, and there is some risk of unknowingly exposing sensitive data as part of the error.
Solution
To establish the recommended configuration via GP, set the following UI path to Enabled- Computer Configuration\Policies\Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off Windows Error Reporting Impact- If you enable this policy setting, users are not given the option to report errors.
See Also
https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_7_Workstation_Benchmark_v3.0.1.pdf
References
800-53 SI-11
ITSG-33 SI-11
CSCV6 13
LEVEL 2S
Audit File
CIS_MS_Windows_7_L2_v3.0.1.audit
Hosts

192.168.1.114

REG_ERROR_OPEN_KEY: an error happened while opening the key

Windows error code: ERROR_FILE_NOT_FOUND
reg_key: HKLM\Software\Policies\Microsoft\Windows\Windows Error Reporting
reg_item: Disabled
18.8.39.5.1 Ensure 'Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider' is set to 'Disabled'
Info
This policy setting configures Microsoft Support Diagnostic Tool (MSDT) interactive communication with the support provider. MSDT gathers diagnostic data for analysis by support professionals. The recommended state for this setting is: Disabled. Due to privacy concerns, data should never be sent to any 3rd party since this data could contain sensitive information.
Solution
To establish the recommended configuration via GP, set the following UI path to Disabled- Computer Configuration\Policies\Administrative Templates\System\Troubleshooting and Diagnostics\Microsoft Support Diagnostic Tool\Microsoft Support Diagnostic Tool- Turn on MSDT interactive communication with support provider Impact- If you disable this policy setting, MSDT cannot run in support mode, and no data can be collected or sent to the support provider.
See Also
https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_7_Workstation_Benchmark_v3.0.1.pdf
References
800-53 SI-11
ITSG-33 SI-11
CSCV6 13
LEVEL 2S
Audit File
CIS_MS_Windows_7_L2_v3.0.1.audit
Hosts

192.168.1.114

REG_ERROR_OPEN_KEY: an error happened while opening the key

Windows error code: ERROR_FILE_NOT_FOUND
reg_key: HKLM\Software\Policies\Microsoft\Windows\Scripteddiagnosticsprovider\Policy
reg_item: DisableQueryRemoteServer
18.8.44.1.1 Ensure 'Enable Windows NTP Client' is set to 'Enabled'
Info
This policy setting specifies whether the Windows NTP Client is enabled. Enabling the Windows NTP Client allows your computer to synchronize its computer clock with other NTP servers. You might want to disable this service if you decide to use a third-party time provider. The recommended state for this setting is: Enabled. A reliable and accurate account of time is important for a number of services and security requirements, including but not limited to distributed applications, authentication services, multi-user databases and logging services. The use of an NTP client (with secure operation) establishes functional accuracy and is a focal point when reviewing security relevant events.
Solution
To establish the recommended configuration via GP, set the following UI path to Enabled- Computer Configuration\Policies\Administrative Templates\System\Windows Time Service\Time Providers\Enable Windows NTP Client Impact- If you enable this policy setting, you can set the local computer clock to synchronize time with NTP servers.
See Also
https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_7_Workstation_Benchmark_v3.0.1.pdf
References
800-53 CM-6
PCI-DSSV3.1 2.2.4
PCI-DSSV3.2 2.2.4
800-171 3.4.2
CSF PR.IP-1
ITSG-33 CM-6
CSCV6 3.1
CSCV6 6.1
LEVEL 2S
Audit File
CIS_MS_Windows_7_L2_v3.0.1.audit
Hosts

192.168.1.114

REG_ERROR_OPEN_KEY: an error happened while opening the key

Windows error code: ERROR_FILE_NOT_FOUND
reg_key: HKLM\Software\Policies\Microsoft\W32Time\Timeproviders\Ntpclient
reg_item: Enabled
18.8.44.1.2 Ensure 'Enable Windows NTP Server' is set to 'Disabled'
Info
This policy setting allows you to specify whether the Windows NTP Server is enabled. The recommended state for this setting is: Disabled. The configuration of proper time synchronization is critically important in a corporate environment both due to the sensitivity of Kerberos authentication timestamps and also to ensure accurate security logging.
Solution
To establish the recommended configuration via GP, set the following UI path to Disabled- Computer Configuration\Policies\Administrative Templates\System\Windows Time Service\Time Providers\Enable Windows NTP Server Impact- If you disable or do not configure this policy setting, your computer cannot service NTP requests from other computers.
See Also
https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_7_Workstation_Benchmark_v3.0.1.pdf
References
800-53 CM-6
PCI-DSSV3.1 2.2.4
PCI-DSSV3.2 2.2.4
800-171 3.4.2
CSF PR.IP-1
ITSG-33 CM-6
CSCV6 3.1
CSCV6 9.1
LEVEL 2S
Audit File
CIS_MS_Windows_7_L2_v3.0.1.audit
Hosts

192.168.1.114

REG_ERROR_OPEN_KEY: an error happened while opening the key

Windows error code: ERROR_FILE_NOT_FOUND
reg_key: HKLM\Software\Policies\Microsoft\W32Time\Timeproviders\Ntpserver
reg_item: Enabled
18.9.37.1 Ensure 'Turn off location' is set to 'Enabled'
Info
This policy setting turns off the location feature for this computer. The recommended state for this setting is: Enabled. This setting affects the location feature (e.g. GPS or other location tracking). From a security perspective, it's not a good idea to reveal your location to software in most cases, but there are legitimate uses, such as mapping software.
Solution
To establish the recommended configuration via GP, set the following UI path to Enabled- Computer Configuration\Policies\Administrative Templates\Windows Components\Location and Sensors\Turn off location Impact- If you enable this policy setting, the location feature is turned off, and all programs on this computer are prevented from using location information from the location feature.
See Also
https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_7_Workstation_Benchmark_v3.0.1.pdf
References
800-53 AC-6
800-171 3.1.7
CSF PR.AC-4
LEVEL 2S
Audit File
CIS_MS_Windows_7_L2_v3.0.1.audit
Hosts

192.168.1.114

REG_ERROR_OPEN_KEY: an error happened while opening the key

Windows error code: ERROR_FILE_NOT_FOUND
reg_key: HKLM\Software\Policies\Microsoft\Windows\Locationandsensors
reg_item: DisableLocation
18.9.52.3.3.1 Ensure 'Do not allow COM port redirection' is set to 'Enabled'
Info
This policy setting specifies whether to prevent the redirection of data to client COM ports from the remote computer in a Remote Desktop Services session. The recommended state for this setting is: Enabled. In a more security-sensitive environment, it is desirable to reduce the possible attack surface. The need for COM port redirection within a Remote Desktop session is very rare, so it makes sense to reduce the number of unexpected avenues for data exfiltration and/or malicious code transfer.
Solution
To establish the recommended configuration via GP, set the following UI path to Enabled- Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection\Do not allow COM port redirection Impact- If you enable this policy setting, users cannot redirect server data to the local COM port.
See Also
https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_7_Workstation_Benchmark_v3.0.1.pdf
References
800-53 CM-7
CIP 007-6-R1
PCI-DSSV3.1 2.2.2
PCI-DSSV3.1 2.2.3
PCI-DSSV3.2 2.2.2
PCI-DSSV3.2 2.2.3
800-171 3.4.6
800-171 3.4.7
CN-L3 7.1.3.5(c)
CN-L3 7.1.3.7(d)
CSF PR.IP-1
CSF PR.PT-3
ITSG-33 CM-7
CSCV6 9.1
LEVEL 2S
Audit File
CIS_MS_Windows_7_L2_v3.0.1.audit
Hosts

192.168.1.114

REG_ERROR_QUERY_VALUE: an error happened while querying the value

Windows error code: ERROR_FILE_NOT_FOUND
reg_key: HKLM\Software\Policies\Microsoft\Windows Nt\Terminal Services
reg_item: fDisableCcm
18.9.52.3.3.3 Ensure 'Do not allow LPT port redirection' is set to 'Enabled'
Info
This policy setting specifies whether to prevent the redirection of data to client LPT ports during a Remote Desktop Services session. The recommended state for this setting is: Enabled. In a more security-sensitive environment, it is desirable to reduce the possible attack surface. The need for LPT port redirection within a Remote Desktop session is very rare, so it makes sense to reduce the number of unexpected avenues for data exfiltration and/or malicious code transfer.
Solution
To establish the recommended configuration via GP, set the following UI path to Enabled- Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection\Do not allow LPT port redirection Impact- If you enable this policy setting, users in a Remote Desktop Services session cannot redirect server data to the local LPT port.
See Also
https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_7_Workstation_Benchmark_v3.0.1.pdf
References
800-53 CM-7
CIP 007-6-R1
PCI-DSSV3.1 2.2.2
PCI-DSSV3.1 2.2.3
PCI-DSSV3.2 2.2.2
PCI-DSSV3.2 2.2.3
800-171 3.4.6
800-171 3.4.7
CN-L3 7.1.3.5(c)
CN-L3 7.1.3.7(d)
CSF PR.IP-1
CSF PR.PT-3
ITSG-33 CM-7
CSCV6 9.1
LEVEL 2S
Audit File
CIS_MS_Windows_7_L2_v3.0.1.audit
Hosts

192.168.1.114

REG_ERROR_QUERY_VALUE: an error happened while querying the value

Windows error code: ERROR_FILE_NOT_FOUND
reg_key: HKLM\Software\Policies\Microsoft\Windows Nt\Terminal Services
reg_item: fDisableLPT
18.9.52.3.3.4 Ensure 'Do not allow supported Plug and Play device redirection' is set to 'Enabled'
Info
This policy setting allows you to control the redirection of supported Plug and Play devices, such as Windows Portable Devices, to the remote computer in a Remote Desktop Services session. The recommended state for this setting is: Enabled. In a more security-sensitive environment, it is desirable to reduce the possible attack surface. The need for Plug and Play device redirection within a Remote Desktop session is very rare, so it makes sense to reduce the number of unexpected avenues for data exfiltration and/or malicious code transfer.
Solution
To establish the recommended configuration via GP, set the following UI path to Enabled- Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection\Do not allow supported Plug and Play device redirection Impact- If you enable this policy setting, users cannot redirect their supported Plug and Play devices to the remote computer.
See Also
https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_7_Workstation_Benchmark_v3.0.1.pdf
References
800-53 CM-7
CIP 007-6-R1
PCI-DSSV3.1 2.2.2
PCI-DSSV3.1 2.2.3
PCI-DSSV3.2 2.2.2
PCI-DSSV3.2 2.2.3
800-171 3.4.6
800-171 3.4.7
CN-L3 7.1.3.5(c)
CN-L3 7.1.3.7(d)
CSF PR.IP-1
CSF PR.PT-3
ITSG-33 CM-7
CSCV6 9.1
LEVEL 2S
Audit File
CIS_MS_Windows_7_L2_v3.0.1.audit
Hosts

192.168.1.114

REG_ERROR_QUERY_VALUE: an error happened while querying the value

Windows error code: ERROR_FILE_NOT_FOUND
reg_key: HKLM\Software\Policies\Microsoft\Windows Nt\Terminal Services
reg_item: fDisablePNPRedir
18.9.52.3.10.1 Ensure 'Set time limit for active but idle Remote Desktop Services sessions' is set to 'Enabled: 15 minutes or less'
Info
This policy setting allows you to specify the maximum amount of time that an active Remote Desktop Services session can be idle (without user input) before it is automatically disconnected. The recommended state for this setting is: Enabled: 15 minutes or less. This setting helps to prevent active Remote Desktop sessions from tying up the computer for long periods of time while not in use, preventing computing resources from being consumed by large numbers of inactive sessions. In addition, old, forgotten Remote Desktop sessions that are still active can cause password lockouts if the user's password has changed but the old session is still running. For systems that limit the number of connected users (e.g. servers in the default Administrative mode - 2 sessions only), other users' old but still active sessions can prevent another user from connecting, resulting in an effective denial of service.
Solution
To establish the recommended configuration via GP, set the following UI path to Enabled- 15 minutes or less- Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Session Time Limits\Set time limit for active but idle Remote Desktop Services sessions Impact- If you enable this policy setting, you must select the desired time limit in the Idle session limit list. Remote Desktop Services will automatically disconnect active but idle sessions after the specified amount of time. The user receives a warning two minutes before the session disconnects, which allows the user to press a key or move the mouse to keep the session active. If you have a console session, idle session time limits do not apply.
See Also
https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_7_Workstation_Benchmark_v3.0.1.pdf
References
800-53 AC-12
HIPAA 164.312(a)(2)(iii)
PCI-DSSV3.1 12.3.8
PCI-DSSV3.1 8.1.8
PCI-DSSV3.2 12.3.8
PCI-DSSV3.2 8.1.8
800-171 3.1.11
CN-L3 7.1.2.2(d)
CN-L3 7.1.3.7(b)
ITSG-33 AC-12
CSCV6 16.4
CSCV6 16.5
LEVEL 2S
Audit File
CIS_MS_Windows_7_L2_v3.0.1.audit
Hosts

192.168.1.114

REG_ERROR_QUERY_VALUE: an error happened while querying the value

Windows error code: ERROR_FILE_NOT_FOUND
reg_key: HKLM\Software\Policies\Microsoft\Windows Nt\Terminal Services
reg_item: MaxIdleTime
18.9.52.3.10.2 Ensure 'Set time limit for disconnected sessions' is set to 'Enabled: 1 minute'
Info
This policy setting allows you to configure a time limit for disconnected Remote Desktop Services sessions. The recommended state for this setting is: Enabled: 1 minute. This setting helps to prevent active Remote Desktop sessions from tying up the computer for long periods of time while not in use, preventing computing resources from being consumed by large numbers of disconnected but still active sessions. In addition, old, forgotten Remote Desktop sessions that are still active can cause password lockouts if the user's password has changed but the old session is still running. For systems that limit the number of connected users (e.g. servers in the default Administrative mode - 2 sessions only), other users' old but still active sessions can prevent another user from connecting, resulting in an effective denial of service. This setting is important to ensure a disconnected session is properly terminated.
Solution
To establish the recommended configuration via GP, set the following UI path to Enabled: 1 minute: Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Session Time Limits\Set time limit for disconnected sessions
Impact: If you enable this policy setting, disconnected sessions are deleted from the server after the specified amount of time. To enforce the default behavior that disconnected sessions are maintained for an unlimited time, select Never. If you have a console session, disconnected session time limits do not apply.
See Also
https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_7_Workstation_Benchmark_v3.0.1.pdf
References
800-53 AC-12
HIPAA 164.312(a)(2)(iii)
PCI-DSSV3.1 12.3.8
PCI-DSSV3.1 8.1.8
PCI-DSSV3.2 12.3.8
PCI-DSSV3.2 8.1.8
800-171 3.1.11
CN-L3 7.1.2.2(d)
CN-L3 7.1.3.7(b)
ITSG-33 AC-12
CSCV6 16.4
CSCV6 16.5
LEVEL 2S
Audit File
CIS_MS_Windows_7_L2_v3.0.1.audit
Hosts

192.168.1.114

REG_ERROR_QUERY_VALUE: an error happened while querying the value

Windows error code: ERROR_FILE_NOT_FOUND
reg_key: HKLM\Software\Policies\Microsoft\Windows Nt\Terminal Services
reg_item: MaxDisconnectionTime
18.9.74.3 Ensure 'Prevent Internet Explorer security prompt for Windows Installer scripts' is set to 'Disabled'
Info
This policy setting allows Web-based programs to install software on the computer without notifying the user. The recommended state for this setting is: Disabled. Suppressing the system warning can pose a security risk and increase the attack surface on the system.
Solution
To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Installer\Prevent Internet Explorer security prompt for Windows Installer scripts
Impact: If you disable or do not configure this policy setting, then by default, when a script hosted by an Internet browser tries to install a program on the system, the system warns users and allows them to accept or refuse the installation. If you enable this policy setting, the warning is suppressed and the installation proceeds silently. This policy setting is designed for enterprises that use Web-based tools to distribute programs to their employees. However, because this policy setting can pose a security risk, it should be applied cautiously. Note that the audit requires the value to be explicitly Disabled: a Not Configured policy leaves the registry value absent, which is why the host above reports ERROR_FILE_NOT_FOUND and fails the check even though the default behavior still prompts the user.
See Also
https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_7_Workstation_Benchmark_v3.0.1.pdf
References
800-53 CM-11
CSF DE.CM-3
CSCV6 7
LEVEL 2S
Audit File
CIS_MS_Windows_7_L2_v3.0.1.audit
Hosts

192.168.1.114

REG_ERROR_OPEN_KEY: an error happened while opening the key

Windows error code: ERROR_FILE_NOT_FOUND
reg_key: HKLM\Software\Policies\Microsoft\Windows\Installer
reg_item: SafeForScripting
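The three failed items above (idle session limit, disconnected session limit, and the Windows Installer script prompt) all fail for the same reason: the policy registry value is absent (ERROR_FILE_NOT_FOUND), so the audit treats the setting as Not Configured. The following PowerShell is an added example, not part of the Nessus report or of the CIS .audit file, that re-checks exactly the keys and value names the report printed and can write the benchmark values locally. The expected values are assumptions derived from the benchmark text: the Terminal Services limits are stored in milliseconds (15 minutes = 900000, 1 minute = 60000; 0 means never), and SafeForScripting = 0 corresponds to the policy being Disabled. Run it in an elevated PowerShell session on the audited host.

```powershell
# Added example: re-check the registry values behind the three FAILED items above,
# and optionally set them. Paths and value names are taken from the report output;
# the expected values are assumptions from the benchmark text (see lead-in).

$checks = @(
    @{ Name     = 'Set time limit for active but idle RDS sessions (Enabled: 15 minutes or less)'
       Key      = 'HKLM:\Software\Policies\Microsoft\Windows NT\Terminal Services'
       Item     = 'MaxIdleTime'
       Expected = 900000          # 15 min in ms; compliant when 0 < value <= 900000
       Compare  = 'RangeMax' },
    @{ Name     = 'Set time limit for disconnected sessions (Enabled: 1 minute)'
       Key      = 'HKLM:\Software\Policies\Microsoft\Windows NT\Terminal Services'
       Item     = 'MaxDisconnectionTime'
       Expected = 60000           # 1 min in ms
       Compare  = 'Equals' },
    @{ Name     = 'Prevent IE security prompt for Windows Installer scripts (Disabled)'
       Key      = 'HKLM:\Software\Policies\Microsoft\Windows\Installer'
       Item     = 'SafeForScripting'
       Expected = 0               # 0 = policy Disabled, 1 = Enabled (prompt suppressed)
       Compare  = 'Equals' }
)

function Test-PolicyValue {
    param([hashtable]$Check)
    # Get-ItemProperty returns $null when the key or the value does not exist;
    # that is the ERROR_FILE_NOT_FOUND case in the report and counts as FAILED.
    $value = (Get-ItemProperty -Path $Check.Key -Name $Check.Item -ErrorAction SilentlyContinue).($Check.Item)
    if ($null -eq $value) {
        return [pscustomobject]@{ Name = $Check.Name; Actual = '<missing>'; Status = 'FAILED' }
    }
    $ok = switch ($Check.Compare) {
        'Equals'   { $value -eq $Check.Expected }
        'RangeMax' { ($value -gt 0) -and ($value -le $Check.Expected) }   # 0 would mean "never"
    }
    return [pscustomobject]@{
        Name   = $Check.Name
        Actual = $value
        Status = $(if ($ok) { 'PASSED' } else { 'FAILED' })
    }
}

function Set-PolicyValue {
    param([hashtable]$Check)
    # Create the Policies key if it does not exist, then write a REG_DWORD.
    if (-not (Test-Path -Path $Check.Key)) {
        New-Item -Path $Check.Key -Force | Out-Null
    }
    New-ItemProperty -Path $Check.Key -Name $Check.Item -PropertyType DWord `
        -Value $Check.Expected -Force | Out-Null
}

# Audit: one row per setting, mirroring the report's PASSED/FAILED status.
$checks | ForEach-Object { Test-PolicyValue -Check $_ } | Format-Table -AutoSize

# Remediation (uncomment to apply locally, then re-run the audit lines above):
# $checks | ForEach-Object { Set-PolicyValue -Check $_ }
```

In a domain, the durable fix is the Group Policy path given in each Solution above; a local write to the Policies hive is correct for a standalone host, but a GPO that sets the same value will overwrite it on the next policy refresh, and a GPO that leaves it Not Configured will not remove it, so the audit result depends on which one applies last. The idle-session check is deliberately a range rather than an equality test because the benchmark says "15 minutes or less", while the disconnected-session and Installer checks require the exact benchmark value.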
© 2017 Tenable™, Inc. All rights reserved.