Hi, i just bother with this term and try to learn how to harden my Windows XP system (Win 7 64bit soon) with that policy. I guess that "default deny" should start with the UAC on highest setting for Windows. In my case, i'm using CIS with highest security settings too. Is there anything more i can do ? Does Windows as OS provide mor possibilities ? Thanks for your thoughts!