Please note: the following settings are CeRTNA's recommendations. If your organizational policy uses slightly different values, the security auditor will accept your settings as long as they are deemed to be reasonable and secure.
Path (Windows 10): Control Panel\Administrative Tools\Local Security Policy\Account Policies\Password Policy
Path (Windows 11): Control Panel\Windows Tools\Local Security Policy\Account Policies\Password Policy
Setting | Value |
---|---|
Enforce password history | 5 passwords remembered |
Maximum password age | 30 days |
Minimum password age | 1 day |
Minimum password length | 8 characters |
Password must meet complexity requirements | Enabled |
Store passwords using reversible encryption | Disabled |
Path (Windows 10): Control Panel\Administrative Tools\Local Security Policy\Account Policies\Account Lockout Policy
Path (Windows 11): Control Panel\Windows Tools\Local Security Policy\Account Policies\Account Lockout Policy
Setting | Value |
---|---|
Account lockout duration | 60 mins |
Account lockout threshold | 3 invalid logon attempts |
Reset account lockout counter after | 60 mins |
Path (Windows 10): Control Panel\Administrative Tools\Local Security Policy\Local Policies\Audit Policy
Path (Windows 11): Control Panel\Windows Tools\Local Security Policy\Local Policies\Audit Policy
- Select every item and enable auditing of both Success and Failure for each.
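The audit-policy requirement above is easiest to verify from the command line rather than by clicking through the snap-in. The following PowerShell, an added example that is not part of the CeRTNA page or its tooling, reads the effective per-subcategory settings with `auditpol` and lists any subcategory that is not auditing both success and failure. It assumes an elevated Windows PowerShell prompt on the workstation being audited.

```powershell
# Added example, not part of the CeRTNA page or its tooling: confirm that
# every audit subcategory is auditing both success and failure, which is the
# effective result of selecting every item under Local Policies\Audit Policy.
# Run from an elevated prompt. "auditpol /get /r" returns CSV rows whose
# columns include "Subcategory" and "Inclusion Setting"; the latter is one of
# "Success and Failure", "Success", "Failure" or "No Auditing".
$rows = @(auditpol /get /category:* /r | ConvertFrom-Csv)
if ($rows.Count -eq 0) { throw 'auditpol returned nothing; run this from an elevated prompt.' }

# Anything other than "Success and Failure" is a gap against the recommendation.
$gaps = @($rows | Where-Object { $_.'Inclusion Setting' -ne 'Success and Failure' })

"{0} of {1} audit subcategories record both success and failure." -f ($rows.Count - $gaps.Count), $rows.Count
if ($gaps.Count -gt 0) {
    # Show the auditor exactly which subcategories fall short and what they are set to.
    $gaps | Select-Object Subcategory, 'Inclusion Setting' | Format-Table -AutoSize
}
```

`auditpol` reports the effective setting, so this works whether the organization configured the nine legacy categories in Local Security Policy or the advanced audit subcategories; an empty gap list is what you want to be able to show the auditor.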
Path (Windows 10): Control Panel\Administrative Tools\Local Security Policy\Local Policies\Security Options
Path (Windows 11): Control Panel\Windows Tools\Local Security Policy\Local Policies\Security Options
Setting | Value |
---|---|
Accounts: Guest account status | Disabled |
Accounts: Rename administrator account | {New Name} |
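The Password Policy, Account Lockout Policy and Accounts settings above all live in the local security database, so one script can compare the effective values with the recommendations instead of opening three snap-in nodes. The following PowerShell is an added example, not part of the CeRTNA page or its tooling. It assumes an elevated Windows PowerShell 5.1 prompt on the workstation being audited, uses the standard `[System Access]` key names of a `secedit` export, and takes its expected values from the tables on this page; adjust them if your organizational policy differs.

```powershell
# Added example, not part of the CeRTNA page or its tooling. Compares the
# effective local Account Policies and the two Accounts options above against
# the recommended values. Run in an elevated Windows PowerShell 5.1 prompt on
# the workstation being audited (secedit and Get-LocalUser need admin rights).

# 1. Export the effective policy and parse its [System Access] section.
$exportPath = Join-Path $env:TEMP 'secpol-audit.inf'
$null = secedit /export /cfg $exportPath /quiet
if (-not (Test-Path $exportPath)) { throw 'secedit export failed; run this from an elevated prompt.' }

$systemAccess = @{}
$inSection = $false
foreach ($line in Get-Content -Path $exportPath) {   # file is UTF-16 with BOM; Get-Content detects it
    if ($line -match '^\[(?<name>[^\]]+)\]\s*$') { $inSection = ($Matches.name -eq 'System Access'); continue }
    if ($inSection -and $line -match '^\s*(?<key>\w+)\s*=\s*(?<val>.*?)\s*$') { $systemAccess[$Matches.key] = $Matches.val }
}
Remove-Item -Path $exportPath -Force -ErrorAction SilentlyContinue

# 2. One check per recommendation. Each Pass block receives the exported integer.
#    Edge cases that must FAIL: MaximumPasswordAge = -1 ("never expires") and
#    LockoutBadCount = 0 ("no lockout"; LockoutDuration and ResetLockoutCount are
#    then absent from the export). LockoutDuration = -1 means "until an
#    administrator unlocks", which is stricter than 60 minutes and is accepted.
$checks = @(
    @{ Setting='Enforce password history';                    Key='PasswordHistorySize';   Want='>= 5';       Pass={ param($v) $v -ge 5 } }
    @{ Setting='Maximum password age (days)';                 Key='MaximumPasswordAge';    Want='1..30';      Pass={ param($v) $v -ge 1 -and $v -le 30 } }
    @{ Setting='Minimum password age (days)';                 Key='MinimumPasswordAge';    Want='>= 1';       Pass={ param($v) $v -ge 1 } }
    @{ Setting='Minimum password length';                     Key='MinimumPasswordLength'; Want='>= 8';       Pass={ param($v) $v -ge 8 } }
    @{ Setting='Password must meet complexity requirements';  Key='PasswordComplexity';    Want='1';          Pass={ param($v) $v -eq 1 } }
    @{ Setting='Store passwords using reversible encryption'; Key='ClearTextPassword';     Want='0';          Pass={ param($v) $v -eq 0 } }
    @{ Setting='Account lockout duration (minutes)';          Key='LockoutDuration';       Want='>= 60 or -1';Pass={ param($v) $v -eq -1 -or $v -ge 60 } }
    @{ Setting='Account lockout threshold (attempts)';        Key='LockoutBadCount';       Want='1..3';       Pass={ param($v) $v -ge 1 -and $v -le 3 } }
    @{ Setting='Reset account lockout counter after (min)';   Key='ResetLockoutCount';     Want='>= 60';      Pass={ param($v) $v -ge 60 } }
    @{ Setting='Accounts: Guest account status';              Key='EnableGuestAccount';    Want='0';          Pass={ param($v) $v -eq 0 } }
)

$results = @(foreach ($c in $checks) {
    $raw   = $systemAccess[$c.Key]
    $value = if ($raw -match '^-?\d+$') { [int]$raw } else { $null }   # missing key -> $null -> FAIL
    $ok    = ($null -ne $value) -and (& $c.Pass $value)
    [pscustomobject]@{
        Setting  = $c.Setting
        Current  = if ($null -ne $value) { $value } else { '(not set)' }
        Expected = $c.Want
        Result   = if ($ok) { 'PASS' } else { 'FAIL' }
    }
})

# 3. Built-in Administrator renamed? Find it by its well-known RID (500) rather
#    than by name, because the rename is exactly what is being verified.
$builtinAdmin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
$results += [pscustomobject]@{
    Setting  = 'Accounts: Rename administrator account'
    Current  = $builtinAdmin.Name
    Expected = 'anything but "Administrator"'
    Result   = if ($builtinAdmin.Name -ne 'Administrator') { 'PASS' } else { 'FAIL' }
}

$results | Format-Table -AutoSize
```

The export reflects the effective policy, so a domain-joined machine will show the values pushed by Group Policy; saving the table output gives the auditor the evidence in one place.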
Path (Windows 10): Control Panel\System and Security\Windows Defender Firewall\Customize Settings (see note)
Path (Windows 11): Control Panel\System\Privacy & security\Windows Security
Setting | Value |
---|---|
Private network settings | Turn on Windows Defender Firewall |
Public network settings | Turn on Windows Defender Firewall |
Note: CeRTNA does not require any custom firewall rules. The only requirement is that a host-based firewall is enabled on the workstation with its default settings. Organizations running a product such as Symantec Endpoint Protection will use its firewall instead, which disables the Windows Firewall. Whichever local firewall is used, you will need to show the auditor that it is enabled for both private and public networks.
Path (Windows 10): Control Panel\System\Windows Update
Path (Windows 11): Control Panel\System\Windows Update
Windows 10/11 updates are enabled by default. Verify in the Windows Update history that updates are actually being installed, not just downloaded.
Path: Control Panel\All Control Panel Items\Power Options\System Settings
Setting | Value |
---|---|
Require a password on wakeup | Selected |
Path (Windows 10): Control Panel\Settings\Lock Screen\Screen saver settings
Path (Windows 11): Control Panel\System\Personalization\Lock Screen
Setting | Value |
---|---|
On resume, display logon screen | Enabled |
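The firewall, Windows Update, wake-password and screen-saver items above are each verified in a different part of the UI, which makes them tedious to evidence by hand. The following PowerShell is an added example, not part of the CeRTNA page or its tooling, that checks all four and prints one PASS/FAIL row per item. It assumes Windows PowerShell 5.1 on Windows 10/11 run elevated, that "Require a password on wakeup" corresponds to the `CONSOLELOCK` power setting, and that a third-party firewall registers itself with Security Center (`root/SecurityCenter2`); the 30-day update window is a threshold chosen for this example, not a CeRTNA number.

```powershell
# Added example, not part of the CeRTNA page or its tooling. Checks the four
# remaining items on this page (firewall profiles, Windows Update history,
# password on wakeup, screen-saver lock) and prints one PASS/FAIL row each.
# Assumptions: Windows PowerShell 5.1 on Windows 10/11, run elevated; the
# screen-saver values live under HKCU, so run it as the user being audited.
# The 30-day update window is a threshold chosen for this example, not a
# CeRTNA requirement; adjust it to your patch cycle.
$maxUpdateAgeDays = 30
$rows = New-Object System.Collections.Generic.List[object]
function Add-Row([string]$Setting, $Current, [bool]$Ok) {
    $result = if ($Ok) { 'PASS' } else { 'FAIL' }
    $rows.Add([pscustomobject]@{ Setting = $Setting; Current = $Current; Result = $result })
}

# 1. Firewall: Windows Defender Firewall per profile. A third-party firewall
#    registered with Security Center disables the Windows one, so report it;
#    this is presence only, the auditor still needs to see it enabled in its console.
$thirdParty = @(Get-CimInstance -Namespace root/SecurityCenter2 -ClassName FirewallProduct -ErrorAction SilentlyContinue)
foreach ($p in Get-NetFirewallProfile -Name Private, Public) {
    $enabled = ("$($p.Enabled)" -eq 'True')
    $current = if ($enabled) { 'Windows Defender Firewall on' }
               elseif ($thirdParty.Count -gt 0) { 'third-party: ' + ($thirdParty.displayName -join ', ') }
               else { 'OFF' }
    Add-Row "$($p.Name) network firewall" $current ($enabled -or $thirdParty.Count -gt 0)
}

# 2. Windows Update history through the Windows Update Agent COM API.
#    Operation 1 = installation, ResultCode 2 = succeeded.
$searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
$total = $searcher.GetTotalHistoryCount()
$lastInstall = $null
if ($total -gt 0) {
    $lastInstall = $searcher.QueryHistory(0, [Math]::Min($total, 500)) |
        Where-Object { $_.Operation -eq 1 -and $_.ResultCode -eq 2 } |
        Sort-Object Date -Descending | Select-Object -First 1
}
$ageDays = if ($lastInstall) { [int]((Get-Date) - $lastInstall.Date).TotalDays } else { $null }
$summary = if ($lastInstall) { "$($lastInstall.Date.ToShortDateString()) ($ageDays days ago): $($lastInstall.Title)" } else { 'no successful install found' }
Add-Row 'Last successful update install' $summary ($null -ne $ageDays -and $ageDays -le $maxUpdateAgeDays)

# 3. "Require a password on wakeup" is the CONSOLELOCK power setting
#    (alias for 0e796bdb-100d-47d6-a2d5-f7d2daa51f51); index 1 = password required.
$pc = powercfg /query SCHEME_CURRENT SUB_NONE CONSOLELOCK | Out-String
$ac = if ($pc -match 'Current AC Power Setting Index:\s*0x([0-9a-fA-F]+)') { [Convert]::ToInt32($Matches[1], 16) } else { $null }
$dc = if ($pc -match 'Current DC Power Setting Index:\s*0x([0-9a-fA-F]+)') { [Convert]::ToInt32($Matches[1], 16) } else { $null }
Add-Row 'Require a password on wakeup (AC/DC index)' "$ac/$dc" ($ac -eq 1 -and ($null -eq $dc -or $dc -eq 1))

# 4. Screen-saver lock. Values pushed by Group Policy (Software\Policies) win
#    over the user's own Control Panel\Desktop values, so read the policy key first.
function Get-DesktopValue([string]$Name) {
    foreach ($key in 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop', 'HKCU:\Control Panel\Desktop') {
        $v = (Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue).$Name
        if ($null -ne $v) { return $v }
    }
}
$active  = Get-DesktopValue 'ScreenSaveActive'
$secure  = Get-DesktopValue 'ScreenSaverIsSecure'   # "1" = "On resume, display logon screen"
$timeout = Get-DesktopValue 'ScreenSaveTimeOut'     # seconds of idle time before the saver starts
Add-Row 'On resume, display logon screen' "active=$active secure=$secure timeout=${timeout}s" ($active -eq '1' -and $secure -eq '1')

$rows | Format-Table -AutoSize
```

Two caveats when reading the output: the update row accepts any successful installation, including daily Defender definition updates, so look at the Title it prints rather than trusting the date alone; and the screen-saver row is per user, so a machine can pass for the administrator who runs the script and fail for the account that normally uses it.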