.N Windows OS Hardening #Policy Name
.L 2 #Policy structure
.D This policy, when configured, detects changes to user-configured registry keys on Windows NT and Windows 2000. #Policy Description
.V 1003128290 #Policy revision number
.Z 77 #Policy ID
.R EnableICMPRedirect Filter #Rule Definition
..D This rule detects changes to the "\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnableICMPRedirect" registry key. #Rule Description
..Z 48 #Rule ID
..T #Indirect Rule
..V 0 #Rule Value
..S #Select Clause(s)
...Q Select NT Registry Key #NT Registry
....T * #Regular text
....T \HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnableICMPRedirect #Regular text
....T 3145788 #Regular text
....C 0 #Case sensitivity
....Z 47 #ID of the clause
.R TcpMaxHalfOpen-Changed #Rule Definition
..D This rule detects changes to the "\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxHalfOpen" registry key. #Rule Description
..Z 71 #Rule ID
..V 50 #Rule Value
..S #Select Clause(s)
...G System Message #System Message
....T *HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxHalfOpen* #Regular text
....C 1 #Case sensitivity
....Z 69 #ID of the clause
..A #Action Clause(s)
...E Record to Event Viewer #Record Event
....Z 70 #ID of the clause
.R TcpMaxHalfOpen Filter #Rule Definition
..D This rule detects changes to the "\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxHalfOpen" registry key. #Rule Description
..Z 68 #Rule ID
..T #Indirect Rule
..V 0 #Rule Value
..S #Select Clause(s)
...Q Select NT Registry Key #NT Registry
....T * #Regular text
....T \HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxHalfOpen #Regular text
....T 3145788 #Regular text
....C 0 #Case sensitivity
....Z 67 #ID of the clause
.R SynAttackProtect-Changed #Rule Definition
..D This rule detects changes to the "\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\SynAttackProtect" registry key. #Rule Description
..Z 66 #Rule ID
..V 50 #Rule Value
..S #Select Clause(s)
...G System Message #System Message
....T *HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\SynAttackProtect* #Regular text
....C 1 #Case sensitivity
....Z 64 #ID of the clause
..A #Action Clause(s)
...E Record to Event Viewer #Record Event
....Z 65 #ID of the clause
.R TcpMaxHalfOpenRetried Filter #Rule Definition
..D This rule detects changes to the "\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxHalfOpenRetried" registry key. #Rule Description
..Z 73 #Rule ID
..T #Indirect Rule
..V 0 #Rule Value
..S #Select Clause(s)
...Q Select NT Registry Key #NT Registry
....T * #Regular text
....T \HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxHalfOpenRetried #Regular text
....T 3145788 #Regular text
....C 0 #Case sensitivity
....Z 72 #ID of the clause
.R TcpMaxHalfOpenRetried-Changed #Rule Definition
..D This rule detects changes to the "\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxHalfOpenRetried" registry key. #Rule Description
..Z 76 #Rule ID
..V 50 #Rule Value
..S #Select Clause(s)
...G System Message #System Message
....T *HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxHalfOpenRetried* #Regular text
....C 1 #Case sensitivity
....Z 74 #ID of the clause
..A #Action Clause(s)
...E Record to Event Viewer #Record Event
....Z 75 #ID of the clause
.R PerformRouterDiscovery Filter #Rule Definition
..D This rule detects changes to the "\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\PerformRouterDiscovery" registry key. #Rule Description
..Z 58 #Rule ID
..T #Indirect Rule
..V 0 #Rule Value
..S #Select Clause(s)
...Q Select NT Registry Key #NT Registry
....T * #Regular text
....T \HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\*\PerformRouterDiscovery #Regular text
....T 3145788 #Regular text
....C 0 #Case sensitivity
....Z 57 #ID of the clause
.R PerformRouterDiscovery-Changed #Rule Definition
..D This rule detects changes to the "\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\PerformRouterDiscovery" registry key. #Rule Description
..Z 61 #Rule ID
..V 50 #Rule Value
..S #Select Clause(s)
...G System Message #System Message
....T *HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\*\PerformRouterDiscovery* #Regular text
....C 1 #Case sensitivity
....Z 59 #ID of the clause
..A #Action Clause(s)
...E Record to Event Viewer #Record Event
....Z 60 #ID of the clause
.R SynAttackProtect Filter #Rule Definition
..D This rule detects changes to the "\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\SynAttackProtect" registry key. #Rule Description
..Z 63 #Rule ID
..T #Indirect Rule
..V 0 #Rule Value
..S #Select Clause(s)
...Q Select NT Registry Key #NT Registry
....T * #Regular text
....T \HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\SynAttackProtect #Regular text
....T 3145788 #Regular text
....C 0 #Case sensitivity
....Z 62 #ID of the clause
.R EnableICMPRedirect-Changed #Rule Definition
..D This rule detects changes to the "\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnableICMPRedirect" registry key. #Rule Description
..Z 51 #Rule ID
..V 50 #Rule Value
..S #Select Clause(s)
...G System Message #System Message
....T *HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnableICMPRedirect* #Regular text
....C 1 #Case sensitivity
....Z 49 #ID of the clause
..A #Action Clause(s)
...E Record to Event Viewer #Record Event
....Z 50 #ID of the clause
.R KeepAliveTime Filter #Rule Definition
..D This rule detects changes to the "\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\KeepAliveTime" registry key. #Rule Description
..Z 53 #Rule ID
..T #Indirect Rule
..V 0 #Rule Value
..S #Select Clause(s)
...Q Select NT Registry Key #NT Registry
....T * #Regular text
....T \HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\KeepAliveTime #Regular text
....T 3145788 #Regular text
....C 0 #Case sensitivity
....Z 52 #ID of the clause
.R KeepAliveTime-Changed #Rule Definition
..D This rule detects changes to the "\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\KeepAliveTime" registry key. #Rule Description
..Z 56 #Rule ID
..V 50 #Rule Value
..S #Select Clause(s)
...G System Message #System Message
....T *HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\KeepAliveTime* #Regular text
....C 1 #Case sensitivity
....Z 54 #ID of the clause
..A #Action Clause(s)
...E Record to Event Viewer #Record Event
....Z 55 #ID of the clause
.R User Desktop Logon Check #Rule Definition
..D Detects a successful user logon to a system's desktop and sets a flag. #Rule Description
..Z 79 #Rule ID
..V 20 #Rule Value
..S #Select Clause(s)
...G System Message #System Message
....T *ID: 528*:*:*:*:*:*:* 2*:*User32*:*:* #Regular text
....C 1 #Case sensitivity
....Z 80 #ID of the clause
..A #Action Clause(s)
...B Raise Flag User Logon #Raise Flag
....L 45 #Lifetime of flag
....Z 81 #ID of the clause