diff --git a/core/mondoo-windows-security.mql.yaml b/core/mondoo-windows-security.mql.yaml index c0f61cce..e4a523cb 100644 --- a/core/mondoo-windows-security.mql.yaml +++ b/core/mondoo-windows-security.mql.yaml @@ -166,7 +166,7 @@ queries: user accounts on the computers that receive the GPO. However, custom exceptions to the default password policy and account lockout policy rules for specific domain users and/or groups can be defined using Password Settings Objects (PSOs), which are completely separate from Group Policy and most easily configured using Active Directory Administrative Center. **Note #2:** - As of the publication of this benchmark, Microsoft currently has a maximum limit of 24 saved passwords. For more information, please visit [Enforce password history (Windows 10) - Windows security \| Microsoft Docs](https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/enforce-password-history#:~:text=The%20Enforce%20password%20history%20policy,a%20long%20period%20of%20time.) + As of the publication of this benchmark, Microsoft currently has a maximum limit of 24 saved passwords. For more information, please visit [Enforce password history (Windows 10) - Windows security \| Microsoft Docs](https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/enforce-password-history#:~:text=The%20Enforce%20password%20history%20policy,a%20long%20period%20of%20time.) remediation: |- To establish the recommended configuration via GP, set the following UI path to `24 or more password(s)`: 
@@ -604,7 +604,7 @@ queries: A Windows 10 R1607, Server 2016 or newer OS is required to access and set this value in Group Policy. **Note #2:** - If your organization is using Azure Advanced Threat Protection (APT), the service account, “AATP Service” will need to be added to the recommendation configuration. For more information on adding the “AATP Service” account please see [Configure SAM-R to enable lateral movement path detection in Microsoft Defender for Identity \| Microsoft Docs](https://docs.microsoft.com/en-us/defender-for-identity/install-step8-samr). + If your organization is using Azure Advanced Threat Protection (APT), the service account, “AATP Service” will need to be added to the recommendation configuration. For more information on adding the “AATP Service” account please see [Configure SAM-R to enable lateral movement path detection in Microsoft Defender for Identity \| Microsoft Docs](https://learn.microsoft.com/en-us/defender-for-identity/install-step8-samr). remediation: |- To establish the recommended configuration via GP, set the following UI path to `Administrators: Remote Access: Allow`: 
@@ -770,7 +770,7 @@ queries: **Note #4:** If your organization uses Azure Files, please note that Microsoft did not introduce AES 256 Kerberos encryption support for it until AD DS authentication module v0.2.2. Please see this link for more information: - [Azure Files on-premises AD DS Authentication support for AES 256 Kerberos encryption \| Microsoft Docs](https://docs.microsoftcom/en-us/azure/storage/files/storage-troubleshoot-windows-file-connection-problems#azure-files-on-premises-ad-ds-authentication-support-for-aes-256-kerberos-encryption) + [Azure Files on-premises AD DS Authentication support for AES 256 Kerberos encryption \| Microsoft Docs](https://learn.microsoftcom/en-us/azure/storage/files/storage-troubleshoot-windows-file-connection-problems#azure-files-on-premises-ad-ds-authentication-support-for-aes-256-kerberos-encryption) query: | registrykey.property(path: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters', name: 'SupportedEncryptionTypes') { value == 2147483640
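Review bot: the link rewritten in the `@@ -166,7 +166,7 @@` hunk keeps the `#:~:text=The%20Enforce%20password%20history%20policy,...` text fragment from the old URL. That fragment only matches while the target page keeps that exact wording, and it adds nothing to a YAML doc string, so since the URL is being rewritten anyway I would trim it to end at `/enforce-password-history`.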
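Review bot: the line touched in the `@@ -604,7 +604,7 @@` hunk still abbreviates Azure Advanced Threat Protection as "(APT)", which does not match the name it expands or the "AATP Service" account named in the same sentence. Since this line is already being changed, correct the abbreviation (for example "(ATP)"), and check whether "recommendation configuration" should read "recommended configuration" as in the `remediation:` text just below it.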
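Review bot: the replacement URL in the `@@ -770,7 +770,7 @@` hunk has the host `learn.microsoftcom`, with no dot before `com`, so the link is as broken after the change as the `docs.microsoftcom` link it replaces. The other two hunks use `learn.microsoft.com`; this one should too. A search-and-replace on the `docs.` prefix alone will not catch this, so it is worth grepping the file for `microsoftcom` before merging.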