CIS Microsoft Windows 10 Enterprise Release 1909 Benchmark
Impact:
None - this is also the default configuration for Windows 8.1 and newer.
Default Value:
On Windows 8.0 and older: Enabled. (Lsass.exe retains a copy of the user's plaintext password in memory, where it is at risk of theft.) On Windows 8.1 and newer: Disabled. (Lsass.exe does not retain a copy of the user's plaintext password in memory.)
References:
1. CCE-35815-0
CIS Controls:
Version 6
16.14 Encrypt/Hash All Authentication Files And Monitor Their Access
Verify that all authentication files are encrypted or hashed and that these files cannot be accessed without root or administrator privileges. Audit all access to password files in the system.
Version 7
16.4 Encrypt or Hash all Authentication Credentials
Encrypt or hash with a salt all authentication credentials when stored.