SIMP EE Coverage for Windows DISA STIG

JsCat scan results

The following scans were performed on a default installation of Windows with the SIMP Enterprise profile enforced.

Operating System	Role	Pass	Fail	N/A
Windows 2012 R2	Standalone	245	11 (6 false positives)	0
Windows 2012 R2	Domain Controller	258	10 (5 false positives)	0
Windows 2012 R2	Domain Member	245	11 (6 false positives)	0
Windows 2016	Standalone	173	5	25
Windows 2016	Domain Controller	187	8	12
Windows 2016	Domain Member	171	11	21
Windows 2019	Standalone	174	6	25
Windows 2019	Domain Controller	185	8	12
Windows 2019	Domain Member	172	12	21

Windows Coverage Report for DISA STIG

The following report details the status of each STIG Rule in the SIMP EE compliance data.

Mapped controls have enforcement and reporting support.
Unmapped controls are not supported at this time. A reason for the lack of support is provided for each unmapped control.
Paper policy controls refer to organizational policy requirements and cannot be reasonably enforced by SIMP at this time.

Summary

Operating System	Unmapped Controls	Paper Policy	Mapped	Total
Windows 2012 R2	60 (16%)	30 (8%)	284 (75%)	374
Windows 2016	11 (5%)	2 (0%)	190 (93%)	203
Windows 2019	11 (5%)	2 (0%)	192 (93%)	205

Detail

Unmapped Controls

The following controls are not currently enforced:

Windows 2012 R2 (60/374 [16%])

V-1119
- The system must not boot into multiple operating systems (dual-boot).
- Discussing the best approach to enforcement.
V-1120
- File Transfer Protocol (FTP) servers must be configured to prevent anonymous logons.
- Discussing the best approach to enforcement.
V-1121
- File Transfer Protocol (FTP) servers must be configured to prevent access to the system drive.
- Discussing the best approach to enforcement.
V-1128
- Security configuration tools or equivalent processes must be used to configure and maintain platforms for security compliance.
- Discussing the best approach to enforcement.
V-1135
- Nonadministrative user accounts or groups must only have print permissions on printer shares.
- Discussing the best approach to enforcement.
V-2376
- Kerberos user logon restrictions must be enforced.
- Requires a module to manage Group Policy.
V-2377
- The Kerberos service ticket maximum lifetime must be limited to 600 minutes or less.
- Requires a module to manage Group Policy.
V-2378
- The Kerberos user ticket lifetime must be limited to 10 hours or less.
- Requires a module to manage Group Policy.
V-2379
- The Kerberos policy user ticket renewal maximum lifetime must be limited to 7 days or less.
- Requires a module to manage Group Policy.
V-2380
- The computer clock synchronization tolerance must be limited to 5 minutes or less.
- Requires a module to manage Group Policy.
V-2907
- System files must be monitored for unauthorized changes.
- Discussing the best approach to enforcement.
V-3383
- The system must be configured to use FIPS-compliant algorithms for encryption, hashing, and signing.
- Lower priority: this is not a requirement for most customers.
V-3472
- The time service must synchronize with an appropriate DoD time source.
- Discussing the best approach to enforcement.
V-3481
- Media Player must be configured to prevent automatic Codec downloads.
- Requires a module to manage Group Policy, or other method to manage user settings.
V-8316
- Active Directory data files must have proper access control permissions.
- Discussing the best approach to enforcement.
V-8322
- Time synchronization must be enabled on the domain controller.
- Discussing the best approach to enforcement.
V-8326
- The directory server supporting (directly or indirectly) system access or resource authorization must run on a machine dedicated to that function.
- Discussing the best approach to enforcement.
V-8327
- Windows services that are critical for directory server operation must be configured for automatic startup.
- Discussing the best approach to enforcement.
V-14268
- Zone information must be preserved when saving attachments.
- Requires a module to manage Group Policy, or other method to manage user settings.
V-14269
- Mechanisms for removing zone information from file attachments must be hidden.
- Requires a module to manage Group Policy, or other method to manage user settings.
V-14270
- The system must notify antivirus when file attachments are opened.
- Requires a module to manage Group Policy, or other method to manage user settings.
V-14783
- Separate, NSA-approved (Type 1) cryptography must be used to protect the directory data-in-transit for directory service implementations at a classified confidentiality level when replication data traverses a network cleared to a lower level than the data.
- Discussing the best approach to enforcement.
V-14797
- Anonymous access to the root DSE of a non-public directory must be disabled.
- Requires a module to manage Active Directory permissions.
V-14798
- Directory data (outside the root DSE) of a non-public directory must be configured to prevent anonymous access.
- Requires a module to manage Active Directory permissions.
V-14820
- Domain Controller PKI certificates must be issued by the DoD PKI or an approved External Certificate Authority (ECA).
- Discussing the best approach to enforcement.
V-14831
- The directory service must be configured to terminate LDAP-based network connections to the directory server after five (5) minutes of inactivity.
- Requires a module to manage NTDSUTIL settings.
V-15488
- Active directory user accounts, including administrators, must be configured to require the use of a Common Access Card (CAC), PIV-compliant hardware token, or Alternate Logon Token (ALT) for user authentication.
- Requires a module to manage Active Directory accounts.
V-15505
- The HBSS McAfee Agent must be installed.
- Discussing the best approach to enforcement.
V-15727
- Users must be prevented from sharing files in their profiles.
- Requires a module to manage Group Policy, or other method to manage user settings.
V-15823
- Software certificate installation files must be removed from Windows 2012/2012 R2.
- Discussing the best approach to enforcement.
V-16021
- The Windows Help Experience Improvement Program must be disabled.
- Requires a module to manage Group Policy, or other method to manage user settings.
V-16048
- Windows Help Ratings feedback must be turned off.
- Requires a module to manage Group Policy, or other method to manage user settings.
V-26070
- Standard user accounts must only have Read permissions to the Winlogon registry key.
- Discussing the best approach to enforcement.
V-26683
- PKI certificates associated with user accounts must be issued by the DoD PKI or an approved External Certificate Authority (ECA).
- Requires a module to manage the Windows certificate store.
V-32272
- The DoD Root CA certificates must be installed in the Trusted Root Store.
- Requires a module to manage the Windows certificate store.
V-32274
- The DoD Interoperability Root CA cross-certificates must be installed into the Untrusted Certificates Store on unclassified systems.
- Requires a module to manage the Windows certificate store.
V-33673
- Active Directory Group Policy objects must have proper access control permissions.
- Requires a module to manage Group Policy permissions.
V-36451
- Administrative accounts must not be used with applications that access the Internet, such as web browsers, or with potential Internet sources, such as email.
- Discussing the best approach to enforcement.
V-36656
- A screen saver must be enabled on the system.
- Requires a module to manage Group Policy, or other method to manage user settings.
V-36657
- The screen saver must be password protected.
- Requires a module to manage Group Policy, or other method to manage user settings.
V-36735
- The system must support automated patch management tools to facilitate flaw remediation.
- Discussing the best approach to enforcement.
V-36736
- The system must query the certification authority to determine whether a public key certificate has been revoked before accepting the certificate for authentication purposes.
- Discussing the best approach to enforcement.
V-36776
- Notifications from Windows Push Network Service must be turned off.
- Requires a module to manage Group Policy, or other method to manage user settings.
V-36777
- Toast notifications to the lock screen must be turned off.
- Requires a module to manage Group Policy, or other method to manage user settings.
V-39325
- Active Directory Group Policy objects must be configured with proper audit settings.
- Requires a module to manage Group Policy permissions.
V-39326
- The Active Directory Domain object must be configured with proper audit settings.
- Requires a module to manage Group Policy permissions.
V-39327
- The Active Directory Infrastructure object must be configured with proper audit settings.
- Requires a module to manage Active Directory permissions.
V-39328
- The Active Directory Domain Controllers Organizational Unit (OU) object must be configured with proper audit settings.
- Requires a module to manage Active Directory permissions.
V-39329
- The Active Directory AdminSDHolder object must be configured with proper audit settings.
- Requires a module to manage Active Directory permissions.
V-39330
- The Active Directory RID Manager$ object must be configured with proper audit settings.
- Requires a module to manage Active Directory permissions.
V-39332
- The Active Directory Domain Controllers Organizational Unit (OU) object must have the proper access control permissions.
- Requires a module to manage Active Directory permissions.
V-39334
- Domain controllers must have a PKI server certificate.
- Requires a module to manage the Windows certificate store.
V-40237
- The US DoD CCEB Interoperability Root CA cross-certificates must be installed into the Untrusted Certificates Store on unclassified systems.
- Requires a module to manage the Windows certificate store.
V-42420
- A host-based firewall must be installed and enabled on the system.
- Discussing the best approach to enforcement.
V-57637
- The operating system must employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs.
- Discussing the best approach to enforcement.
V-57641
- Protection methods such as TLS, encrypted VPNs, or IPSEC must be implemented if the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process.
- Discussing the best approach to enforcement.
V-57645
- Systems requiring data at rest protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest.
- Discussing the best approach to enforcement.
V-75915
- Orphaned security identifiers (SIDs) must be removed from user rights on Windows 2012 / 2012 R2.
- Discussing the best approach to enforcement.
V-80473
- Windows PowerShell must be updated to a version that supports script block logging on Windows 2012/2012 R2.
- Discussing the best approach to enforcement.
V-102619
- The Windows Explorer Preview pane must be disabled for Windows 2012.
- Requires a module to manage Group Policy, or other method to manage user settings.

Windows 2016 (11/203 [5%])

V-73271
- Software certificate installation files must be removed from Windows Server 2016.
- Discussing the best approach to enforcement.
V-73359
- Kerberos user logon restrictions must be enforced.
- Requires a module to manage Group Policy.
V-73361
- The Kerberos service ticket maximum lifetime must be limited to 600 minutes or less.
- Requires a module to manage Group Policy.
V-73363
- The Kerberos user ticket lifetime must be limited to 10 hours or less.
- Requires a module to manage Group Policy.
V-73365
- The Kerberos policy user ticket renewal maximum lifetime must be limited to seven days or less.
- Requires a module to manage Group Policy.
V-73367
- The computer clock synchronization tolerance must be limited to 5 minutes or less.
- Requires a module to manage Group Policy.
V-73369
- Permissions on the Active Directory data files must only allow System and Administrators access.
- Discussing the best approach to enforcement.
V-73605
- The DoD Root CA certificates must be installed in the Trusted Root Store.
- Requires a module to manage the Windows certificate store.
V-73607
- The DoD Interoperability Root CA cross-certificates must be installed in the Untrusted Certificates Store on unclassified systems.
- Requires a module to manage the Windows certificate store.
V-73609
- The US DoD CCEB Interoperability Root CA cross-certificates must be installed in the Untrusted Certificates Store on unclassified systems.
- Requires a module to manage the Windows certificate store.
V-73701
- Windows Server 2016 must be configured to use FIPS-compliant algorithms for encryption, hashing, and signing.
- Lower priority: this is not a requirement for most customers.
  Windows 2019 (11/205 [5%])
V-93029
- Windows Server 2019 permissions on the Active Directory data files must only allow System and Administrators access.
- Discussing the best approach to enforcement.
V-93221
- Windows Server 2019 must have software certificate installation files removed.
- Discussing the best approach to enforcement.
V-93443
- Windows Server 2019 Kerberos user logon restrictions must be enforced.
- Requires a module to manage Group Policy.
V-93445
- Windows Server 2019 Kerberos service ticket maximum lifetime must be limited to 600 minutes or less.
- Requires a module to manage Group Policy.
V-93447
- Windows Server 2019 Kerberos user ticket lifetime must be limited to 10 hours or less.
- Requires a module to manage Group Policy.
V-93449
- Windows Server 2019 Kerberos policy user ticket renewal maximum lifetime must be limited to seven days or less.
- Requires a module to manage Group Policy.
V-93451
- Windows Server 2019 computer clock synchronization tolerance must be limited to five minutes or less.
- Requires a module to manage Group Policy.
V-93487
- Windows Server 2019 must have the DoD Root Certificate Authority (CA) certificates installed in the Trusted Root Store.
- Requires a module to manage the Windows certificate store.
V-93489
- Windows Server 2019 must have the DoD Interoperability Root Certificate Authority (CA) cross-certificates installed in the Untrusted Certificates Store on unclassified systems.
- Requires a module to manage the Windows certificate store.
V-93491
- Windows Server 2019 must have the US DoD CCEB Interoperability Root CA cross-certificates in the Untrusted Certificates Store on unclassified systems.
- Requires a module to manage the Windows certificate store.
V-93511
- Windows Server 2019 must be configured to use FIPS-compliant algorithms for encryption, hashing, and signing.
- Lower priority: this is not a requirement for most customers.

Paper Policy

The following controls require policy or other administrative documentation that cannot be enforced:

Windows 2012 R2 (30/374 [8%])

V-1070
- Server systems must be located in a controlled access area, accessible only to authorized personnel.
V-1072
- Shared user accounts must not be permitted on the system.
V-1073
- Systems must be maintained at a supported service pack level.
V-1074
- The Windows 2012 / 2012 R2 system must use an anti-virus program.
V-1076
- System-level information must be backed up in accordance with local recovery time and recovery point objectives.
V-1081
- Local volumes must use a format that supports NTFS attributes.
V-1127
- Only administrators responsible for the domain controller must have Administrator rights on the system.
V-1168
- Members of the Backup Operators group must be documented.
V-3245
- Non system-created file shares on a system must limit access to groups that require it.
V-3289
- Servers must have a host-based Intrusion Detection System.
V-3487
- Necessary services must be documented to maintain a baseline to determine if additional, unnecessary services have been added to a system.
V-7002
- Windows 2012/2012 R2 accounts must be configured to require passwords.
V-8317
- Data files owned by users must be on a different logical partition from the directory server data files.
V-36658
- Users with administrative privilege must be documented.
V-36659
- Users with Administrative privileges must have separate accounts for administrative duties and normal operational tasks.
V-36661
- Policy must require application account passwords be at least 15 characters in length.
V-36662
- Windows 2012/2012 R2 manually managed application account passwords must be changed at least annually or when a system administrator with knowledge of the password leaves the organization.
V-36666
- Policy must require that system administrators (SAs) be trained for the operating systems used by systems under their control.
V-36670
- Audit data must be reviewed on a regular basis.
V-36671
- Audit data must be retained for at least one year.
V-36672
- Audit records must be backed up onto a different system or media than the system being audited.
V-36733
- User-level information must be backed up in accordance with local recovery time and recovery point objectives.
V-36734
- Windows Server 2012 / 2012 R2 must employ automated mechanisms to determine the state of system components with regard to flaw remediation using the following frequency: continuously, where HBSS is used; 30 days, for any additional internal network scans not covered by HBSS; and annually, for external scans by Computer Network Defense Service Provider (CNDSP).
V-39333
- Domain created Active Directory Organizational Unit (OU) objects must have proper access control permissions.
V-40172
- Backups of system-level information must be protected.
V-40173
- System-related documentation must be backed up in accordance with local recovery time and recovery point objectives.
V-40198
- Members of the Backup Operators group must have separate accounts for backup duties and normal operational tasks.
V-57653
- Windows 2012 / 2012 R2 must automatically remove or disable temporary user accounts after 72 hours.
V-57655
- Windows 2012 / 2012 R2 must automatically remove or disable emergency accounts after the crisis is resolved or within 72 hours.
V-57719
- The operating system must, at a minimum, off-load audit records of interconnected systems in real time and off-load standalone systems weekly.

Windows 2016 (2/203 [0%])

V-73239
- Systems must be maintained at a supported servicing level.
V-73247
- Local volumes must use a format that supports NTFS attributes.

Windows 2019 (2/205 [0%])

V-92991
- Windows Server 2019 local volumes must use a format that supports NTFS attributes.
V-93215
- Windows Server 2019 must be maintained at a supported servicing level.

Mapped

The following controls are mapped:

Windows 2012 R2 (284/374 [75%])

V-1075
- The shutdown option must not be available from the logon dialog box.
V-1089
- The required legal notice must be configured to display before console logon.
V-1090
- Caching of logon credentials must be limited.
V-1093
- Anonymous enumeration of shares must be restricted.
V-1097
- The number of allowed bad logon attempts must meet minimum requirements.
V-1098
- The reset period for the account lockout counter must be configured to 15 minutes or greater on Windows 2012.
V-1099
- Windows 2012 account lockout duration must be configured to 15 minutes or greater.
V-1102
- The Act as part of the operating system user right must not be assigned to any groups or accounts.
V-1104
- The maximum password age must meet requirements.
V-1105
- The minimum password age must meet requirements.
V-1107
- The password history must be configured to 24 passwords remembered.
V-1112
- Outdated or unused accounts must be removed from the system or disabled.
V-1113
- The built-in guest account must be disabled.
V-1114
- The built-in guest account must be renamed.
V-1115
- The built-in administrator account must be renamed.
V-1136
- Users must be forcibly disconnected when their logon hours expire.
V-1141
- Unencrypted passwords must not be sent to third-party SMB Servers.
V-1145
- Automatic logons must be disabled.
V-1150
- The built-in Windows password complexity policy must be enabled.
V-1151
- The print driver installation privilege must be restricted to administrators.
V-1152
- Anonymous access to the registry must be restricted.
V-1153
- The LanMan authentication level must be set to send NTLMv2 response only, and to refuse LM and NTLM.
V-1154
- The Ctrl+Alt+Del security attention sequence for logons must be enabled.
V-1155
- The Deny access to this computer from the network user right on domain controllers must be configured to prevent unauthenticated access.
V-1157
- The Smart Card removal option must be configured to Force Logoff or Lock Workstation.
V-1162
- The Windows SMB server must perform SMB packet signing when possible.
V-1163
- Outgoing secure channel traffic must be encrypted when possible.
V-1164
- Outgoing secure channel traffic must be signed when possible.
V-1165
- The computer account password must not be prevented from being reset.
V-1166
- The Windows SMB client must be enabled to perform SMB packet signing when possible.
V-1171
- Ejection of removable NTFS media must be restricted to Administrators.
V-1172
- Users must be warned in advance of their passwords expiring.
V-1173
- The default permissions of global system objects must be increased.
V-1174
- The amount of idle time required before suspending a session must be properly set.
V-2372
- Reversible password encryption must be disabled.
V-2374
- Autoplay must be disabled for all drives.
V-3337
- Anonymous SID/Name translation must not be allowed.
V-3338
- Named pipes that can be accessed anonymously must be configured with limited values on domain controllers.
V-3339
- Unauthorized remotely accessible registry paths must not be configured.
V-3340
- Network shares that can be accessed anonymously must not be allowed.
V-3343
- Solicited Remote Assistance must not be allowed.
V-3344
- Local accounts with blank passwords must be restricted to prevent access from the network.
V-3373
- The maximum age for machine account passwords must be set to requirements.
V-3374
- The system must be configured to require a strong session key.
V-3377
- The system must be configured to prevent anonymous users from having the same rights as the Everyone group.
V-3378
- The system must be configured to use the Classic security model.
V-3379
- The system must be configured to prevent the storage of the LAN Manager hash of passwords.
V-3380
- The system must be configured to force users to log off when their allowed logon hours expire.
V-3381
- The system must be configured to the required LDAP client signing level.
V-3382
- The system must be configured to meet the minimum session security requirement for NTLM SSP-based clients.
V-3385
- The system must be configured to require case insensitivity for non-Windows subsystems.
V-3449
- Remote Desktop Services must limit users to one remote session.
V-3453
- Remote Desktop Services must always prompt a client for passwords upon connection.
V-3454
- Remote Desktop Services must be configured with the client connection encryption set to the required level.
V-3455
- Remote Desktop Services must be configured to use session-specific temporary folders.
V-3456
- Remote Desktop Services must delete temporary folders when a session is terminated.
V-3469
- Group Policies must be refreshed in the background if the user is logged on.
V-3470
- The system must be configured to prevent unsolicited remote assistance offers.
V-3479
- The system must be configured to use Safe DLL Search Mode.
V-3480
- Windows Media Player must be configured to prevent automatic checking for updates.
V-3666
- The system must be configured to meet the minimum session security requirement for NTLM SSP-based servers.
V-4108
- The system must generate an audit event when the audit log reaches a percentage of full threshold.
V-4110
- The system must be configured to prevent IP source routing.
V-4111
- The system must be configured to prevent Internet Control Message Protocol (ICMP) redirects from overriding Open Shortest Path First (OSPF) generated routes.
V-4112
- The system must be configured to disable the Internet Router Discovery Protocol (IRDP).
V-4113
- The system must be configured to limit how often keep-alive packets are sent.
V-4116
- The system must be configured to ignore NetBIOS name release requests except from WINS servers.
V-4407
- Domain controllers must require LDAP access signing.
V-4408
- Domain controllers must be configured to allow reset of machine account passwords.
V-4438
- The system must limit how many times unacknowledged TCP data is retransmitted.
V-4442
- The system must be configured to have password protection take effect within a limited time frame when the screen saver becomes active.
V-4443
- Unauthorized remotely accessible registry paths and sub-paths must not be configured.
V-4445
- Optional Subsystems must not be permitted to operate on the system.
V-4447
- The Remote Desktop Session Host must require secure RPC communications.
V-4448
- Group Policy objects must be reprocessed even if they have not changed.
V-6831
- Outgoing secure channel traffic must be encrypted or signed.
V-6832
- The Windows SMB client must be configured to always perform SMB packet signing.
V-6833
- The Windows SMB server must be configured to always perform SMB packet signing.
V-6834
- Anonymous access to Named Pipes and Shares must be restricted.
V-6836
- Passwords must, at a minimum, be 14 characters.
V-6840
- Windows 2012/2012 R2 passwords must be configured to expire.
V-8324
- The time synchronization tool must be configured to enable logging of time source switching.
V-11806
- The system must be configured to prevent the display of the last username on the logon screen.
V-14225
- Windows 2012/2012 R2 password for the built-in Administrator account must be changed at least annually or when a member of the administrative team leaves the organization.
V-14228
- Auditing the Access of Global System Objects must be turned off.
V-14229
- Auditing of Backup and Restore Privileges must be turned off.
V-14230
- Audit policy using subcategories must be enabled.
V-14232
- IPSec Exemptions must be limited.
V-14234
- User Account Control approval mode for the built-in Administrator must be enabled.
V-14235
- User Account Control must, at minimum, prompt administrators for consent.
V-14236
- User Account Control must automatically deny standard user requests for elevation.
V-14237
- User Account Control must be configured to detect application installations and prompt for elevation.
V-14239
- User Account Control must only elevate UIAccess applications that are installed in secure locations.
V-14240
- User Account Control must run all administrators in Admin Approval Mode, enabling UAC.
V-14241
- User Account Control must switch to the secure desktop when prompting for elevation.
V-14242
- User Account Control must virtualize file and registry write failures to per-user locations.
V-14243
- Administrator accounts must not be enumerated during elevation.
V-14247
- Passwords must not be saved in the Remote Desktop Client.
V-14249
- Local drives must be prevented from sharing with Remote Desktop Session Hosts. (Remote Desktop Services Role).
V-14253
- Unauthenticated RPC clients must be restricted from connecting to the RPC server.
V-14259
- Printing over HTTP must be prevented.
V-14260
- Downloading print driver packages over HTTP must be prevented.
V-14261
- Windows must be prevented from using Windows Update to search for drivers.
V-15666
- Windows Peer-to-Peer networking services must be turned off.
V-15667
- Network Bridges must be prohibited in Windows.
V-15672
- Event Viewer Events.asp links must be turned off.
V-15674
- The Internet File Association service must be turned off.
V-15682
- Attachments must be prevented from being downloaded from RSS feeds.
V-15683
- File Explorer shell protocol must run in protected mode.
V-15684
- Users must be notified if a web-based program attempts to install software.
V-15685
- Users must be prevented from changing installation options.
V-15686
- Nonadministrators must be prevented from applying vendor-signed updates.
V-15687
- Users must not be presented with Privacy and Installation options on first use of Windows Media Player.
V-15696
- The Mapper I/O network protocol (LLTDIO) driver must be disabled.
V-15697
- The Responder network protocol driver must be disabled.
V-15698
- The configuration of wireless devices using Windows Connect Now must be disabled.
V-15699
- The Windows Connect Now wizards must be disabled.
V-15700
- Remote access to the Plug and Play interface must be disabled for device installation.
V-15701
- A system restore point must be created when a new device driver is installed.
V-15702
- An Error Report must not be sent when a generic device driver is installed.
V-15703
- Users must not be prompted to search Windows Update for device drivers.
V-15704
- Errors in handwriting recognition on tablet PCs must not be reported to Microsoft.
V-15705
- Users must be prompted to authenticate on resume from sleep (on battery).
V-15706
- The user must be prompted to authenticate on resume from sleep (plugged in).
V-15707
- Remote Assistance log files must be generated.
V-15718
- Turning off File Explorer heap termination on corruption must be disabled.
V-15722
- Windows Media Digital Rights Management (DRM) must be prevented from accessing the Internet.
V-15991
- UIAccess applications must not be allowed to prompt for elevation without using the secure desktop.
V-15997
- Users must be prevented from mapping local COM ports and redirecting data from the Remote Desktop Session Host to local COM ports. (Remote Desktop Services Role).
V-15998
- Users must be prevented from mapping local LPT ports and redirecting data from the Remote Desktop Session Host to local LPT ports. (Remote Desktop Services Role).
V-15999
- Users must be prevented from redirecting Plug and Play devices to the Remote Desktop Session Host. (Remote Desktop Services Role).
V-16000
- The system must be configured to ensure smart card devices can be redirected to the Remote Desktop session. (Remote Desktop Services Role).
V-16008
- Windows must elevate all applications in User Account Control, not just signed ones.
V-16020
- The Windows Customer Experience Improvement Program must be disabled.
V-18010
- The Debug programs user right must only be assigned to the Administrators group.
V-21950
- The service principal name (SPN) target name validation level must be turned off.
V-21951
- Services using Local System that use Negotiate when reverting to NTLM authentication must use the computer identity vs. authenticating anonymously.
V-21952
- NTLM must be prevented from falling back to a Null session.
V-21953
- PKU2U authentication using online identities must be prevented.
V-21954
- Kerberos encryption types must be configured to prevent the use of DES and RC4 encryption suites.
V-21955
- IPv6 source routing must be configured to the highest protection level.
V-21956
- IPv6 TCP data retransmissions must be configured to prevent resources from becoming exhausted.
V-21960
- Domain users must be required to elevate when setting a networks location.
V-21961
- All Direct Access traffic must be routed through the internal network.
V-21963
- Windows Update must be prevented from searching for point and print drivers.
V-21964
- Device metadata retrieval from the Internet must be prevented.
V-21965
- Device driver searches using Windows Update must be prevented.
V-21967
- Microsoft Support Diagnostic Tool (MSDT) interactive communication with Microsoft must be prevented.
V-21969
- Access to Windows Online Troubleshooting Service (WOTS) must be prevented.
V-21970
- Responsiveness events must be prevented from being aggregated and sent to Microsoft.
V-21971
- The Application Compatibility Program Inventory must be prevented from collecting data and sending the information to Microsoft.
V-21973
- Autoplay must be turned off for non-volume devices.
V-21980
- Explorer Data Execution Prevention must be enabled.
V-22692
- The default Autorun behavior must be configured to prevent Autorun commands.
V-26283
- Anonymous enumeration of SAM accounts must not be allowed.
V-26359
- The Windows dialog box title for the legal banner must be configured.
V-26469
- The Access Credential Manager as a trusted caller user right must not be assigned to any groups or accounts.
V-26470
- Unauthorized accounts must not have the Access this computer from the network user right on domain controllers.
V-26472
- The Allow log on locally user right must only be assigned to the Administrators group.
V-26473
- The Allow log on through Remote Desktop Services user right must only be assigned to the Administrators group.
V-26474
- The Back up files and directories user right must only be assigned to the Administrators group.
V-26478
- The Create a pagefile user right must only be assigned to the Administrators group.
V-26479
- The Create a token object user right must not be assigned to any groups or accounts.
V-26480
- The Create global objects user right must only be assigned to Administrators, Service, Local Service, and Network Service.
V-26481
- The Create permanent shared objects user right must not be assigned to any groups or accounts.
V-26482
- The Create symbolic links user right must only be assigned to the Administrators group.
V-26483
- The Deny log on as a batch job user right on domain controllers must be configured to prevent unauthenticated access.
V-26484
- The Deny log on as a service user right must be configured to include no accounts or groups (blank) on domain controllers.
V-26485
- The Deny log on locally user right on domain controllers must be configured to prevent unauthenticated access.
V-26486
- The Deny log on through Remote Desktop Services user right on domain controllers must be configured to prevent unauthenticated access.
V-26487
- Unauthorized accounts must not have the Enable computer and user accounts to be trusted for delegation user right on domain controllers.
V-26488
- The Force shutdown from a remote system user right must only be assigned to the Administrators group.
V-26489
- The Generate security audits user right must only be assigned to Local Service and Network Service.
V-26490
- The Impersonate a client after authentication user right must only be assigned to Administrators, Service, Local Service, and Network Service.
V-26492
- The Increase scheduling priority user right must only be assigned to the Administrators group.
V-26493
- The Load and unload device drivers user right must only be assigned to the Administrators group.
V-26494
- The Lock pages in memory user right must not be assigned to any groups or accounts.
V-26496
- The Manage auditing and security log user right must only be assigned to the Administrators group.
V-26498
- The Modify firmware environment values user right must only be assigned to the Administrators group.
V-26499
- The Perform volume maintenance tasks user right must only be assigned to the Administrators group.
V-26500
- The Profile single process user right must only be assigned to the Administrators group.
V-26504
- The Restore files and directories user right must only be assigned to the Administrators group.
V-26506
- The Take ownership of files or other objects user right must only be assigned to the Administrators group.
V-26529
- The system must be configured to audit Account Logon - Credential Validation successes.
V-26530
- The system must be configured to audit Account Logon - Credential Validation failures.
V-26531
- Windows Server 2012/2012 R2 domain controllers must be configured to audit Account Management - Computer Account Management successes.
V-26533
- The system must be configured to audit Account Management - Other Account Management Events successes.
V-26535
- The system must be configured to audit Account Management - Security Group Management successes.
V-26537
- The system must be configured to audit Account Management - User Account Management successes.
V-26538
- The system must be configured to audit Account Management - User Account Management failures.
V-26539
- The system must be configured to audit Detailed Tracking - Process Creation successes.
V-26540
- The system must be configured to audit Logon/Logoff - Logoff successes.
V-26541
- The system must be configured to audit Logon/Logoff - Logon successes.
V-26542
- The system must be configured to audit Logon/Logoff - Logon failures.
V-26543
- The system must be configured to audit Logon/Logoff - Special Logon successes.
V-26546
- The system must be configured to audit Policy Change - Audit Policy Change successes.
V-26547
- The system must be configured to audit Policy Change - Audit Policy Change failures.
V-26548
- The system must be configured to audit Policy Change - Authentication Policy Change successes.
V-26549
- The system must be configured to audit Privilege Use - Sensitive Privilege Use successes.
V-26550
- The system must be configured to audit Privilege Use - Sensitive Privilege Use failures.
V-26551
- The system must be configured to audit System - IPsec Driver successes.
V-26552
- The system must be configured to audit System - IPsec Driver failures.
V-26553
- The system must be configured to audit System - Security State Change successes.
V-26555
- The system must be configured to audit System - Security System Extension successes.
V-26557
- The system must be configured to audit System - System Integrity successes.
V-26558
- The system must be configured to audit System - System Integrity failures.
V-26575
- The 6to4 IPv6 transition technology must be disabled.
V-26576
- The IP-HTTPS IPv6 transition technology must be disabled.
V-26577
- The ISATAP IPv6 transition technology must be disabled.
V-26578
- The Teredo IPv6 transition technology must be disabled.
V-26579
- The Application event log size must be configured to 32768 KB or greater.
V-26580
- The Security event log size must be configured to 196608 KB or greater.
V-26581
- The Setup event log size must be configured to 32768 KB or greater.
V-26582
- The System event log size must be configured to 32768 KB or greater.
V-26600
- The Fax service must be disabled if installed.
V-26602
- The Microsoft FTP service must not be installed unless required.
V-26604
- The Peer Networking Identity Manager service must be disabled if installed.
V-26605
- The Simple TCP/IP Services service must be disabled if installed.
V-26606
- The Telnet service must be disabled if installed.
V-28504
- Windows must be prevented from sending an error report when a device driver requests additional software during installation.
V-30016
- Unauthorized accounts must not have the Add workstations to domain user right.
V-32282
- Standard user accounts must only have Read permissions to the Active Setup\Installed Components registry key.
- Discussing the best approach to enforcement.
V-33663
- The system must be configured to audit DS Access - Directory Service Access successes.
V-33664
- The system must be configured to audit DS Access - Directory Service Access failures.
V-33665
- The system must be configured to audit DS Access - Directory Service Changes successes.
V-33666
- The system must be configured to audit DS Access - Directory Service Changes failures.
V-34974
- The Windows Installer Always install with elevated privileges option must be disabled.
V-36439
- Local administrator accounts must have their privileged token filtered to prevent elevated privileges from being used over the network on domain systems.
V-36667
- The system must be configured to audit Object Access - Removable Storage failures.
V-36668
- The system must be configured to audit Object Access - Removable Storage successes.
V-36673
- IP stateless autoconfiguration limits state must be enabled.
V-36677
- Optional component installation and component repair must be prevented from using Windows Update.
V-36678
- Device driver updates must only search managed servers, not Windows Update.
V-36679
- Early Launch Antimalware, Boot-Start Driver Initialization Policy must be enabled and configured to only Good and Unknown.
V-36680
- Access to the Windows Store must be turned off.
V-36681
- Copying of user input methods to the system account for sign-in must be prevented.
V-36684
- Local users on domain-joined computers must not be enumerated.
V-36687
- App notifications on the lock screen must be turned off.
V-36696
- The detection of compatibility issues for applications and drivers must be turned off.
V-36697
- Trusted app installation must be enabled to allow for signed enterprise line of business apps.
V-36698
- The use of biometrics must be disabled.
V-36700
- The password reveal button must not be displayed.
V-36707
- Windows SmartScreen must be enabled on Windows 2012/2012 R2.
V-36708
- The location feature must be turned off.
V-36709
- Basic authentication for RSS feeds over HTTP must be turned off.
V-36710
- Automatic download of updates from the Windows Store must be turned off.
V-36711
- The Windows Store application must be turned off.
V-36712
- The Windows Remote Management (WinRM) client must not use Basic authentication.
V-36713
- The Windows Remote Management (WinRM) client must not allow unencrypted traffic.
V-36714
- The Windows Remote Management (WinRM) client must not use Digest authentication.
V-36718
- The Windows Remote Management (WinRM) service must not use Basic authentication.
V-36719
- The Windows Remote Management (WinRM) service must not allow unencrypted traffic.
V-36720
- The Windows Remote Management (WinRM) service must not store RunAs credentials.
V-36722
- Permissions for the Application event log must prevent access by nonprivileged accounts.
V-36723
- Permissions for the Security event log must prevent access by nonprivileged accounts.
V-36724
- Permissions for the System event log must prevent access by nonprivileged accounts.
V-36773
- The machine inactivity limit must be set to 15 minutes, locking the system with the screensaver.
V-39331
- The Active Directory SYSVOL directory must have the proper access control permissions.
V-40177
- Permissions for program file directories must conform to minimum requirements.
V-40178
- Permissions for system drive root directory (usually C:) must conform to minimum requirements.
V-40179
- Permissions for Windows installation directory must conform to minimum requirements.
V-40200
- The system must be configured to audit Object Access - Central Access Policy Staging failures.
V-40202
- The system must be configured to audit Object Access - Central Access Policy Staging successes.
V-40204
- Only the default client printer must be redirected to the Remote Desktop Session Host. (Remote Desktop Services Role).
V-40206
- The Smart Card Removal Policy service must be configured to automatic.
V-43238
- The display of slide shows on the lock screen must be disabled (Windows 2012 R2).
V-43239
- Windows 2012 R2 must include command line data in process creation events.
V-43240
- The network selection user interface (UI) must not be displayed on the logon screen (Windows 2012 R2).
V-43241
- The setting to allow Microsoft accounts to be optional for modern style apps must be enabled (Windows 2012 R2).
V-43245
- Automatically signing in the last interactive user after a system-initiated restart must be disabled (Windows 2012 R2).
V-57633
- The system must be configured to audit Policy Change - Authorization Policy Change successes.
V-57639
- Users must be required to enter a password to access private keys stored on the computer.
V-57721
- Event Viewer must be protected from unauthorized modification and deletion.
V-72753
- WDigest Authentication must be disabled.
V-73519
- The Server Message Block (SMB) v1 protocol must be disabled on the SMB server.
V-73523
- The Server Message Block (SMB) v1 protocol must be disabled on the SMB client.
V-73805
- The Server Message Block (SMB) v1 protocol must be disabled on Windows 2012 R2.
V-78057
- Windows Server 2012/2012 R2 must be configured to audit Logon/Logoff - Account Lockout successes.
V-78059
- Windows Server 2012/2012 R2 must be configured to audit Logon/Logoff - Account Lockout failures.
V-78061
- Windows Server 2012/2012 R2 must be configured to audit System - Other System Events successes.
V-78063
- Windows Server 2012/2012 R2 must be configured to audit System - Other System Events failures.
V-80475
- PowerShell script block logging must be enabled on Windows 2012/2012 R2.
V-80477
- Windows PowerShell 2.0 must not be installed on Windows 2012/2012 R2.
V-91777
- The password for the krbtgt account on a domain must be reset at least every 180 days.

Windows 2016 (190/203 [93%])

V-73287
- The Fax Server role must not be installed.
V-73289
- The Microsoft FTP service must not be installed unless required.
V-73291
- The Peer Name Resolution Protocol must not be installed.
V-73293
- Simple TCP/IP Services must not be installed.
V-73295
- The Telnet Client must not be installed.
V-73297
- The TFTP Client must not be installed.
V-73299
- The Server Message Block (SMB) v1 protocol must be uninstalled.
V-73301
- Windows PowerShell 2.0 must not be installed.
V-73309
- Windows 2016 account lockout duration must be configured to 15 minutes or greater.
V-73311
- Windows Server 2016 must have the number of allowed bad logon attempts configured to three or less.
V-73313
- Windows Server 2016 must have the period of time before the bad logon counter is reset configured to 15 minutes or greater.
V-73315
- Windows Server 2016 password history must be configured to 24 passwords remembered.
V-73317
- Windows Server 2016 maximum password age must be configured to 60 days or less.
V-73319
- Windows Server 2016 minimum password age must be configured to at least one day.
V-73321
- Windows Server 2016 minimum password length must be configured to 14 characters.
V-73323
- Windows Server 2016 must have the built-in Windows password complexity policy enabled.
V-73325
- Windows Server 2016 reversible password encryption must be disabled.
V-73405
- Permissions for the Application event log must prevent access by non-privileged accounts.
V-73407
- Permissions for the Security event log must prevent access by non-privileged accounts.
V-73409
- Permissions for the System event log must prevent access by non-privileged accounts.
V-73411
- Event Viewer must be protected from unauthorized modification and deletion.
V-73413
- Windows Server 2016 must be configured to audit Account Logon - Credential Validation successes.
V-73415
- Windows Server 2016 must be configured to audit Account Logon - Credential Validation failures.
V-73419
- Windows Server 2016 must be configured to audit Account Management - Other Account Management Events successes.
V-73423
- Windows Server 2016 must be configured to audit Account Management - Security Group Management successes.
V-73427
- Windows Server 2016 must be configured to audit Account Management - User Account Management successes.
V-73429
- Windows Server 2016 must be configured to audit Account Management - User Account Management failures.
V-73433
- Windows Server 2016 must be configured to audit Detailed Tracking - Process Creation successes.
V-73435
- Windows Server 2016 must be configured to audit DS Access - Directory Service Access successes.
V-73437
- Windows Server 2016 must be configured to audit DS Access - Directory Service Access failures.
V-73439
- Windows Server 2016 must be configured to audit DS Access - Directory Service Changes successes.
V-73441
- Windows Server 2016 must be configured to audit DS Access - Directory Service Changes failures.
V-73443
- Windows Server 2016 must be configured to audit Logon/Logoff - Account Lockout successes.
V-73445
- Windows Server 2016 must be configured to audit Logon/Logoff - Account Lockout failures.
V-73449
- Windows Server 2016 must be configured to audit Logon/Logoff - Logoff successes.
V-73451
- Windows Server 2016 must be configured to audit Logon/Logoff - Logon successes.
V-73453
- Windows Server 2016 must be configured to audit Logon/Logoff - Logon failures.
V-73455
- Windows Server 2016 must be configured to audit Logon/Logoff - Special Logon successes.
V-73461
- Windows Server 2016 must be configured to audit Policy Change - Audit Policy Change successes.
V-73463
- Windows Server 2016 must be configured to audit Policy Change - Audit Policy Change failures.
V-73465
- Windows Server 2016 must be configured to audit Policy Change - Authentication Policy Change successes.
V-73467
- Windows Server 2016 must be configured to audit Policy Change - Authorization Policy Change successes.
V-73469
- Windows Server 2016 must be configured to audit Privilege Use - Sensitive Privilege Use successes.
V-73471
- Windows Server 2016 must be configured to audit Privilege Use - Sensitive Privilege Use failures.
V-73473
- Windows Server 2016 must be configured to audit System - IPsec Driver successes.
V-73475
- Windows Server 2016 must be configured to audit System - IPsec Driver failures.
V-73477
- Windows Server 2016 must be configured to audit System - Other System Events successes.
V-73479
- Windows Server 2016 must be configured to audit System - Other System Events failures.
V-73481
- Windows Server 2016 must be configured to audit System - Security State Change successes.
V-73483
- Windows Server 2016 must be configured to audit System - Security System Extension successes.
V-73487
- Administrator accounts must not be enumerated during elevation.
V-73489
- Windows Server 2016 must be configured to audit System - System Integrity successes.
V-73491
- Windows Server 2016 must be configured to audit System - System Integrity failures.
V-73493
- The display of slide shows on the lock screen must be disabled.
V-73495
- Local administrator accounts must have their privileged token filtered to prevent elevated privileges from being used over the network on domain systems.
V-73497
- WDigest Authentication must be disabled on Windows Server 2016.
V-73499
- Internet Protocol version 6 (IPv6) source routing must be configured to the highest protection level to prevent IP source routing.
V-73501
- Source routing must be configured to the highest protection level to prevent Internet Protocol (IP) source routing.
V-73503
- Windows Server 2016 must be configured to prevent Internet Control Message Protocol (ICMP) redirects from overriding Open Shortest Path First (OSPF)-generated routes.
V-73505
- Windows Server 2016 must be configured to ignore NetBIOS name release requests except from WINS servers.
V-73507
- Insecure logons to an SMB server must be disabled.
V-73509
- Hardened UNC paths must be defined to require mutual authentication and integrity for at least the \\SYSVOL and \\NETLOGON shares.
V-73511
- Command line data must be included in process creation events.
V-73521
- Early Launch Antimalware, Boot-Start Driver Initialization Policy must prevent boot drivers identified as bad.
V-73525
- Group Policy objects must be reprocessed even if they have not changed.
V-73527
- Downloading print driver packages over HTTP must be prevented.
V-73529
- Printing over HTTP must be prevented.
V-73531
- The network selection user interface (UI) must not be displayed on the logon screen.
V-73533
- Local users on domain-joined computers must not be enumerated.
V-73537
- Users must be prompted to authenticate when the system wakes from sleep (on battery).
V-73539
- Users must be prompted to authenticate when the system wakes from sleep (plugged in).
V-73541
- Unauthenticated Remote Procedure Call (RPC) clients must be restricted from connecting to the RPC server.
V-73543
- The Application Compatibility Program Inventory must be prevented from collecting data and sending the information to Microsoft.
V-73545
- AutoPlay must be turned off for non-volume devices.
V-73547
- The default AutoRun behavior must be configured to prevent AutoRun commands.
V-73549
- AutoPlay must be disabled for all drives.
V-73551
- Windows Telemetry must be configured to Security or Basic.
V-73553
- The Application event log size must be configured to 32768 KB or greater.
V-73555
- The Security event log size must be configured to 196608 KB or greater.
V-73557
- The System event log size must be configured to 32768 KB or greater.
V-73559
- Windows Server 2016 Windows SmartScreen must be enabled.
V-73561
- Explorer Data Execution Prevention must be enabled.
V-73563
- Turning off File Explorer heap termination on corruption must be disabled.
V-73565
- File Explorer shell protocol must run in protected mode.
V-73567
- Passwords must not be saved in the Remote Desktop Client.
V-73569
- Local drives must be prevented from sharing with Remote Desktop Session Hosts.
V-73571
- Remote Desktop Services must always prompt a client for passwords upon connection.
V-73573
- The Remote Desktop Session Host must require secure Remote Procedure Call (RPC) communications.
V-73575
- Remote Desktop Services must be configured with the client connection encryption set to High Level.
V-73577
- Attachments must be prevented from being downloaded from RSS feeds.
V-73579
- Basic authentication for RSS feeds over HTTP must not be used.
V-73581
- Indexing of encrypted files must be turned off.
V-73583
- Users must be prevented from changing installation options.
V-73585
- The Windows Installer Always install with elevated privileges option must be disabled.
V-73587
- Users must be notified if a web-based program attempts to install software.
V-73589
- Automatically signing in the last interactive user after a system-initiated restart must be disabled.
V-73591
- PowerShell script block logging must be enabled.
V-73593
- The Windows Remote Management (WinRM) client must not use Basic authentication.
V-73595
- The Windows Remote Management (WinRM) client must not allow unencrypted traffic.
V-73597
- The Windows Remote Management (WinRM) client must not use Digest authentication.
V-73599
- The Windows Remote Management (WinRM) service must not use Basic authentication.
V-73601
- The Windows Remote Management (WinRM) service must not allow unencrypted traffic.
V-73603
- The Windows Remote Management (WinRM) service must not store RunAs credentials.
V-73621
- Local accounts with blank passwords must be restricted to prevent access from the network.
V-73623
- Windows Server 2016 built-in administrator account must be renamed.
V-73625
- Windows Server 2016 built-in guest account must be renamed.
V-73627
- Audit policy using subcategories must be enabled.
V-73629
- Domain controllers must require LDAP access signing.
V-73631
- Domain controllers must be configured to allow reset of machine account passwords.
V-73633
- The setting Domain member: Digitally encrypt or sign secure channel data (always) must be configured to Enabled.
V-73635
- The setting Domain member: Digitally encrypt secure channel data (when possible) must be configured to enabled.
V-73637
- The setting Domain member: Digitally sign secure channel data (when possible) must be configured to Enabled.
V-73639
- The computer account password must not be prevented from being reset.
V-73641
- The maximum age for machine account passwords must be configured to 30 days or less.
V-73643
- Windows Server 2016 must be configured to require a strong session key.
V-73645
- The machine inactivity limit must be set to 15 minutes, locking the system with the screen saver.
V-73651
- Caching of logon credentials must be limited.
V-73653
- The setting Microsoft network client: Digitally sign communications (always) must be configured to Enabled.
V-73655
- The setting Microsoft network client: Digitally sign communications (if server agrees) must be configured to Enabled.
V-73657
- Unencrypted passwords must not be sent to third-party Server Message Block (SMB) servers.
V-73661
- The setting Microsoft network server: Digitally sign communications (always) must be configured to Enabled.
V-73663
- The setting Microsoft network server: Digitally sign communications (if client agrees) must be configured to Enabled.
V-73667
- Anonymous enumeration of Security Account Manager (SAM) accounts must not be allowed.
V-73669
- Anonymous enumeration of shares must not be allowed.
V-73673
- Windows Server 2016 must be configured to prevent anonymous users from having the same permissions as the Everyone group.
V-73675
- Anonymous access to Named Pipes and Shares must be restricted.
V-73677
- Remote calls to the Security Account Manager (SAM) must be restricted to Administrators.
V-73679
- Services using Local System that use Negotiate when reverting to NTLM authentication must use the computer identity instead of authenticating anonymously.
V-73681
- NTLM must be prevented from falling back to a Null session.
V-73683
- PKU2U authentication using online identities must be prevented.
V-73685
- Kerberos encryption types must be configured to prevent the use of DES and RC4 encryption suites.
V-73687
- Windows Server 2016 must be configured to prevent the storage of the LAN Manager hash of passwords.
V-73691
- The LAN Manager authentication level must be set to send NTLMv2 response only and to refuse LM and NTLM.
V-73693
- Windows Server 2016 must be configured to at least negotiate signing for LDAP client signing.
V-73695
- Session security for NTLM SSP-based clients must be configured to require NTLMv2 session security and 128-bit encryption.
V-73697
- Session security for NTLM SSP-based servers must be configured to require NTLMv2 session security and 128-bit encryption.
V-73699
- Users must be required to enter a password to access private keys stored on the computer.
V-73705
- The default permissions of global system objects must be strengthened.
V-73707
- User Account Control approval mode for the built-in Administrator must be enabled.
V-73709
- UIAccess applications must not be allowed to prompt for elevation without using the secure desktop.
V-73711
- User Account Control must, at a minimum, prompt administrators for consent on the secure desktop.
V-73713
- User Account Control must automatically deny standard user requests for elevation.
V-73715
- User Account Control must be configured to detect application installations and prompt for elevation.
V-73717
- User Account Control must only elevate UIAccess applications that are installed in secure locations.
V-73719
- User Account Control must run all administrators in Admin Approval Mode, enabling UAC.
V-73721
- User Account Control must virtualize file and registry write failures to per-user locations.
V-73729
- The Access Credential Manager as a trusted caller user right must not be assigned to any groups or accounts.
V-73731
- The Access this computer from the network user right must only be assigned to the Administrators, Authenticated Users, and Enterprise Domain Controllers groups on domain controllers.
V-73733
- The Access this computer from the network user right must only be assigned to the Administrators and Authenticated Users groups on member servers.
V-73735
- The Act as part of the operating system user right must not be assigned to any groups or accounts.
V-73737
- The Add workstations to domain user right must only be assigned to the Administrators group.
V-73739
- The Allow log on locally user right must only be assigned to the Administrators group.
V-73741
- The Allow log on through Remote Desktop Services user right must only be assigned to the Administrators group.
V-73743
- The Back up files and directories user right must only be assigned to the Administrators group.
V-73745
- The Create a pagefile user right must only be assigned to the Administrators group.
V-73747
- The Create a token object user right must not be assigned to any groups or accounts.
V-73749
- The Create global objects user right must only be assigned to Administrators, Service, Local Service, and Network Service.
V-73751
- The Create permanent shared objects user right must not be assigned to any groups or accounts.
V-73753
- The Create symbolic links user right must only be assigned to the Administrators group.
V-73755
- The Debug programs user right must only be assigned to the Administrators group.
V-73757
- The Deny access to this computer from the network user right on domain controllers must be configured to prevent unauthenticated access.
V-73759
- The Deny access to this computer from the network user right on member servers must be configured to prevent access from highly privileged domain accounts and local accounts on domain systems, and from unauthenticated access on all systems.
- Requires enhancement to upstream module managing Local Security Policies.
V-73761
- The Deny log on as a batch job user right on domain controllers must be configured to prevent unauthenticated access.
V-73763
- The Deny log on as a batch job user right on member servers must be configured to prevent access from highly privileged domain accounts on domain systems and from unauthenticated access on all systems.
- Requires enhancement to upstream module managing Local Security Policies.
V-73765
- The Deny log on as a service user right must be configured to include no accounts or groups (blank) on domain controllers.
V-73767
- The Deny log on as a service user right on member servers must be configured to prevent access from highly privileged domain accounts on domain systems. No other groups or accounts must be assigned this right.
- Requires enhancement to upstream module managing Local Security Policies.
V-73769
- The Deny log on locally user right on domain controllers must be configured to prevent unauthenticated access.
V-73771
- The Deny log on locally user right on member servers must be configured to prevent access from highly privileged domain accounts on domain systems and from unauthenticated access on all systems.
- Requires enhancement to upstream module managing Local Security Policies.
V-73773
- The Deny log on through Remote Desktop Services user right on domain controllers must be configured to prevent unauthenticated access.
V-73775
- The Deny log on through Remote Desktop Services user right on member servers must be configured to prevent access from highly privileged domain accounts and all local accounts on domain systems and from unauthenticated access on all systems.
- Requires enhancement to upstream module managing Local Security Policies.
V-73777
- The Enable computer and user accounts to be trusted for delegation user right must only be assigned to the Administrators group on domain controllers.
V-73779
- The Enable computer and user accounts to be trusted for delegation user right must not be assigned to any groups or accounts on member servers.
V-73781
- The Force shutdown from a remote system user right must only be assigned to the Administrators group.
V-73783
- The Generate security audits user right must only be assigned to Local Service and Network Service.
V-73785
- The Impersonate a client after authentication user right must only be assigned to Administrators, Service, Local Service, and Network Service.
V-73787
- The Increase scheduling priority user right must only be assigned to the Administrators group.
V-73789
- The Load and unload device drivers user right must only be assigned to the Administrators group.
V-73791
- The Lock pages in memory user right must not be assigned to any groups or accounts.
V-73793
- The Manage auditing and security log user right must only be assigned to the Administrators group.
V-73795
- The Modify firmware environment values user right must only be assigned to the Administrators group.
V-73797
- The Perform volume maintenance tasks user right must only be assigned to the Administrators group.
V-73799
- The Profile single process user right must only be assigned to the Administrators group.
V-73801
- The Restore files and directories user right must only be assigned to the Administrators group.
V-73803
- The Take ownership of files or other objects user right must only be assigned to the Administrators group.
V-73807
- The Smart Card removal option must be configured to Force Logoff or Lock Workstation.
V-73809
- Windows Server 2016 built-in guest account must be disabled.
V-78123
- The Server Message Block (SMB) v1 protocol must be disabled on the SMB server.
V-78125
- The Server Message Block (SMB) v1 protocol must be disabled on the SMB client.
V-90359
- Windows 2016 must be configured to audit Object Access - Other Object Access Events successes.
V-90361
- Windows 2016 must be configured to audit Object Access - Other Object Access Events failures.

Windows 2019 (192/205 [93%])

V-92961
- Windows Server 2019 machine inactivity limit must be set to 15 minutes or less, locking the system with the screen saver.
V-92963
- Windows Server 2019 Deny log on through Remote Desktop Services user right on domain controllers must be configured to prevent unauthenticated access.
V-92965
- Windows Server 2019 Deny log on through Remote Desktop Services user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and all local accounts and from unauthenticated access on all systems.
V-92967
- Windows Server 2019 must be configured to audit logon successes.
V-92969
- Windows Server 2019 must be configured to audit logon failures.
V-92971
- Windows Server 2019 Remote Desktop Services must require secure Remote Procedure Call (RPC) communications.
V-92973
- Windows Server 2019 Remote Desktop Services must be configured with the client connection encryption set to High Level.
V-92979
- Windows Server 2019 must be configured to audit Account Management - Security Group Management successes.
V-92981
- Windows Server 2019 must be configured to audit Account Management - User Account Management successes.
V-92983
- Windows Server 2019 must be configured to audit Account Management - User Account Management failures.
V-92987
- Windows Server 2019 must be configured to audit Logon/Logoff - Account Lockout successes.
V-92989
- Windows Server 2019 must be configured to audit Logon/Logoff - Account Lockout failures.
V-92995
- Windows Server 2019 Access this computer from the network user right must only be assigned to the Administrators, Authenticated Users, and Enterprise Domain Controllers groups on domain controllers.
V-92997
- Windows Server 2019 Allow log on through Remote Desktop Services user right must only be assigned to the Administrators group on domain controllers.
V-92999
- Windows Server 2019 Deny access to this computer from the network user right on domain controllers must be configured to prevent unauthenticated access.
V-93001
- Windows Server 2019 Deny log on as a batch job user right on domain controllers must be configured to prevent unauthenticated access.
V-93003
- Windows Server 2019 Deny log on as a service user right must be configured to include no accounts or groups (blank) on domain controllers.
V-93005
- Windows Server 2019 Deny log on locally user right on domain controllers must be configured to prevent unauthenticated access.
V-93007
- Windows Server 2019 Access this computer from the network user right must only be assigned to the Administrators and Authenticated Users groups on domain-joined member servers and standalone systems.
V-93009
- Windows Server 2019 Deny access to this computer from the network user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and local accounts and from unauthenticated access on all systems.
V-93011
- Windows Server 2019 Deny log on as a batch job user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and from unauthenticated access on all systems.
- Requires enhancement to upstream module managing Local Security Policies.
V-93013
- Windows Server 2019 Deny log on as a service user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts. No other groups or accounts must be assigned this right.
- Requires enhancement to upstream module managing Local Security Policies.
V-93015
- Windows Server 2019 Deny log on locally user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and from unauthenticated access on all systems.
V-93017
- Windows Server 2019 Allow log on locally user right must only be assigned to the Administrators group.
V-93039
- Windows Server 2019 Add workstations to domain user right must only be assigned to the Administrators group on domain controllers.
V-93041
- Windows Server 2019 Enable computer and user accounts to be trusted for delegation user right must only be assigned to the Administrators group on domain controllers.
V-93045
- Windows Server 2019 must restrict remote calls to the Security Account Manager (SAM) to Administrators on domain-joined member servers and standalone systems.
V-93047
- Windows Server 2019 Enable computer and user accounts to be trusted for delegation user right must not be assigned to any groups or accounts on domain-joined member servers and standalone systems.
V-93049
- Windows Server 2019 Access Credential Manager as a trusted caller user right must not be assigned to any groups or accounts.
V-93051
- Windows Server 2019 Act as part of the operating system user right must not be assigned to any groups or accounts.
V-93053
- Windows Server 2019 Back up files and directories user right must only be assigned to the Administrators group.
V-93055
- Windows Server 2019 Create a pagefile user right must only be assigned to the Administrators group.
V-93057
- Windows Server 2019 Create a token object user right must not be assigned to any groups or accounts.
V-93059
- Windows Server 2019 Create global objects user right must only be assigned to Administrators, Service, Local Service, and Network Service.
V-93061
- Windows Server 2019 Create permanent shared objects user right must not be assigned to any groups or accounts.
V-93063
- Windows Server 2019 Create symbolic links user right must only be assigned to the Administrators group.
V-93065
- Windows Server 2019 Debug programs: user right must only be assigned to the Administrators group.
V-93067
- Windows Server 2019 Force shutdown from a remote system user right must only be assigned to the Administrators group.
V-93069
- Windows Server 2019 Generate security audits user right must only be assigned to Local Service and Network Service.
V-93071
- Windows Server 2019 Impersonate a client after authentication user right must only be assigned to Administrators, Service, Local Service, and Network Service.
V-93073
- Windows Server 2019 Increase scheduling priority: user right must only be assigned to the Administrators group.
V-93075
- Windows Server 2019 Load and unload device drivers user right must only be assigned to the Administrators group.
V-93077
- Windows Server 2019 Lock pages in memory user right must not be assigned to any groups or accounts.
V-93079
- Windows Server 2019 Modify firmware environment values user right must only be assigned to the Administrators group.
V-93081
- Windows Server 2019 Perform volume maintenance tasks user right must only be assigned to the Administrators group.
V-93083
- Windows Server 2019 Profile single process user right must only be assigned to the Administrators group.
V-93085
- Windows Server 2019 Restore files and directories user right must only be assigned to the Administrators group.
V-93087
- Windows Server 2019 Take ownership of files or other objects user right must only be assigned to the Administrators group.
V-93089
- Windows Server 2019 must be configured to audit Account Management - Other Account Management Events successes.
V-93091
- Windows Server 2019 must be configured to audit Detailed Tracking - Process Creation successes.
V-93093
- Windows Server 2019 must be configured to audit Policy Change - Audit Policy Change successes.
V-93095
- Windows Server 2019 must be configured to audit Policy Change - Audit Policy Change failures.
V-93097
- Windows Server 2019 must be configured to audit Policy Change - Authentication Policy Change successes.
V-93099
- Windows Server 2019 must be configured to audit Policy Change - Authorization Policy Change successes.
V-93101
- Windows Server 2019 must be configured to audit Privilege Use - Sensitive Privilege Use successes.
V-93103
- Windows Server 2019 must be configured to audit Privilege Use - Sensitive Privilege Use failures.
V-93105
- Windows Server 2019 must be configured to audit System - IPsec Driver successes.
V-93107
- Windows Server 2019 must be configured to audit System - IPsec Driver failures.
V-93109
- Windows Server 2019 must be configured to audit System - Other System Events successes.
V-93111
- Windows Server 2019 must be configured to audit System - Other System Events failures.
V-93113
- Windows Server 2019 must be configured to audit System - Security State Change successes.
V-93115
- Windows Server 2019 must be configured to audit System - Security System Extension successes.
V-93117
- Windows Server 2019 must be configured to audit System - System Integrity successes.
V-93119
- Windows Server 2019 must be configured to audit System - System Integrity failures.
V-93133
- Windows Server 2019 must be configured to audit DS Access - Directory Service Access successes.
V-93135
- Windows Server 2019 must be configured to audit DS Access - Directory Service Access failures.
V-93137
- Windows Server 2019 must be configured to audit DS Access - Directory Service Changes successes.
V-93139
- Windows Server 2019 must be configured to audit DS Access - Directory Service Changes failures.
V-93141
- Windows Server 2019 must have the number of allowed bad logon attempts configured to three or less.
V-93143
- Windows Server 2019 must have the period of time before the bad logon counter is reset configured to 15 minutes or greater.
V-93145
- Windows Server 2019 account lockout duration must be configured to 15 minutes or greater.
V-93151
- Windows Server 2019 must force audit policy subcategory settings to override audit policy category settings.
V-93153
- Windows Server 2019 must be configured to audit Account Logon - Credential Validation successes.
V-93155
- Windows Server 2019 must be configured to audit Account Logon - Credential Validation failures.
V-93161
- Windows Server 2019 must be configured to audit Logon/Logoff - Special Logon successes.
V-93163
- Windows Server 2019 must be configured to audit Object Access - Other Object Access Events successes.
V-93165
- Windows Server 2019 must be configured to audit Object Access - Other Object Access Events failures.
V-93171
- Windows Server 2019 must be configured to audit logoff successes.
V-93173
- Windows Server 2019 command line data must be included in process creation events.
V-93175
- Windows Server 2019 PowerShell script block logging must be enabled.
V-93177
- Windows Server 2019 Application event log size must be configured to 32768 KB or greater.
V-93179
- Windows Server 2019 Security event log size must be configured to 196608 KB or greater.
V-93181
- Windows Server 2019 System event log size must be configured to 32768 KB or greater.
V-93189
- Windows Server 2019 permissions for the Application event log must prevent access by non-privileged accounts.
V-93191
- Windows Server 2019 permissions for the Security event log must prevent access by non-privileged accounts.
V-93193
- Windows Server 2019 permissions for the System event log must prevent access by non-privileged accounts.
V-93195
- Windows Server 2019 Event Viewer must be protected from unauthorized modification and deletion.
V-93197
- Windows Server 2019 Manage auditing and security log user right must only be assigned to the Administrators group.
V-93199
- Windows Server 2019 must prevent users from changing installation options.
V-93201
- Windows Server 2019 must disable the Windows Installer Always install with elevated privileges option.
V-93233
- Windows Server 2019 Internet Protocol version 6 (IPv6) source routing must be configured to the highest protection level to prevent IP source routing.
V-93235
- Windows Server 2019 source routing must be configured to the highest protection level to prevent Internet Protocol (IP) source routing.
V-93237
- Windows Server 2019 must be configured to prevent Internet Control Message Protocol (ICMP) redirects from overriding Open Shortest Path First (OSPF)-generated routes.
V-93239
- Windows Server 2019 insecure logons to an SMB server must be disabled.
V-93241
- Windows Server 2019 hardened Universal Naming Convention (UNC) paths must be defined to require mutual authentication and integrity for at least the \\SYSVOL and \\NETLOGON shares.
V-93243
- Windows Server 2019 must be configured to enable Remote host allows delegation of non-exportable credentials.
V-93249
- Windows Server 2019 Early Launch Antimalware, Boot-Start Driver Initialization Policy must prevent boot drivers identified as bad.
V-93251
- Windows Server 2019 group policy objects must be reprocessed even if they have not changed.
V-93253
- Windows Server 2019 users must be prompted to authenticate when the system wakes from sleep (on battery).
V-93255
- Windows Server 2019 users must be prompted to authenticate when the system wakes from sleep (plugged in).
V-93257
- Windows Server 2019 Telemetry must be configured to Security or Basic.
V-93259
- Windows Server 2019 Windows Update must not obtain updates from other PCs on the Internet.
V-93261
- Windows Server 2019 Turning off File Explorer heap termination on corruption must be disabled.
V-93263
- Windows Server 2019 File Explorer shell protocol must run in protected mode.
V-93265
- Windows Server 2019 must prevent attachments from being downloaded from RSS feeds.
V-93267
- Windows Server 2019 users must be notified if a web-based program attempts to install software.
V-93269
- Windows Server 2019 must disable automatically signing in the last interactive user after a system-initiated restart.
V-93273
- Windows Server 2019 domain controllers must be configured to allow reset of machine account passwords.
V-93275
- Windows Server 2019 must limit the caching of logon credentials to four or less on domain-joined member servers.
V-93279
- Windows Server 2019 must prevent local accounts with blank passwords from being used from the network.
V-93281
- Windows Server 2019 built-in administrator account must be renamed.
V-93283
- Windows Server 2019 built-in guest account must be renamed.
V-93285
- Windows Server 2019 maximum age for machine account passwords must be configured to 30 days or less.
V-93287
- Windows Server 2019 Smart Card removal option must be configured to Force Logoff or Lock Workstation.
V-93291
- Windows Server 2019 must not allow anonymous enumeration of Security Account Manager (SAM) accounts.
V-93293
- Windows Server 2019 must be configured to prevent anonymous users from having the same permissions as the Everyone group.
V-93295
- Windows Server 2019 services using Local System that use Negotiate when reverting to NTLM authentication must use the computer identity instead of authenticating anonymously.
V-93297
- Windows Server 2019 must prevent NTLM from falling back to a Null session.
V-93299
- Windows Server 2019 must prevent PKU2U authentication using online identities.
V-93301
- Windows Server 2019 LAN Manager authentication level must be configured to send NTLMv2 response only and to refuse LM and NTLM.
V-93303
- Windows Server 2019 must be configured to at least negotiate signing for LDAP client signing.
V-93305
- Windows Server 2019 session security for NTLM SSP-based clients must be configured to require NTLMv2 session security and 128-bit encryption.
V-93307
- Windows Server 2019 session security for NTLM SSP-based servers must be configured to require NTLMv2 session security and 128-bit encryption.
V-93309
- Windows Server 2019 default permissions of global system objects must be strengthened.
V-93373
- Windows Server 2019 Autoplay must be turned off for non-volume devices.
V-93375
- Windows Server 2019 default AutoRun behavior must be configured to prevent AutoRun commands.
V-93377
- Windows Server 2019 AutoPlay must be disabled for all drives.
V-93383
- Windows Server 2019 must not have the Fax Server role installed.
V-93385
- Windows Server 2019 must not have the Peer Name Resolution Protocol installed.
V-93387
- Windows Server 2019 must not have Simple TCP/IP Services installed.
V-93389
- Windows Server 2019 must not have the TFTP Client installed.
V-93391
- Windows Server 2019 must not the Server Message Block (SMB) v1 protocol installed.
V-93393
- Windows Server 2019 must have the Server Message Block (SMB) v1 protocol disabled on the SMB server.
V-93395
- Windows Server 2019 must have the Server Message Block (SMB) v1 protocol disabled on the SMB client.
V-93397
- Windows Server 2019 must not have Windows PowerShell 2.0 installed.
V-93399
- Windows Server 2019 must prevent the display of slide shows on the lock screen.
V-93401
- Windows Server 2019 must have WDigest Authentication disabled.
V-93403
- Windows Server 2019 downloading print driver packages over HTTP must be turned off.
V-93405
- Windows Server 2019 printing over HTTP must be turned off.
V-93407
- Windows Server 2019 network selection user interface (UI) must not be displayed on the logon screen.
V-93409
- Windows Server 2019 Application Compatibility Program Inventory must be prevented from collecting data and sending the information to Microsoft.
V-93411
- Windows Server 2019 Windows Defender SmartScreen must be enabled.
V-93413
- Windows Server 2019 must disable Basic authentication for RSS feeds over HTTP.
V-93415
- Windows Server 2019 must prevent Indexing of encrypted files.
V-93419
- Windows Server 2019 local users on domain-joined member servers must not be enumerated.
V-93421
- Windows Server 2019 must not have the Microsoft FTP service installed unless required by the organization.
V-93423
- Windows Server 2019 must not have the Telnet Client installed.
V-93425
- Windows Server 2019 must not save passwords in the Remote Desktop Client.
V-93427
- Windows Server 2019 Remote Desktop Services must always prompt a client for passwords upon connection.
V-93429
- Windows Server 2019 Windows Remote Management (WinRM) service must not store RunAs credentials.
V-93431
- Windows Server 2019 User Account Control approval mode for the built-in Administrator must be enabled.
V-93433
- Windows Server 2019 User Account Control must automatically deny standard user requests for elevation.
V-93435
- Windows Server 2019 User Account Control must run all administrators in Admin Approval Mode, enabling UAC.
V-93453
- Windows Server 2019 must restrict unauthenticated Remote Procedure Call (RPC) clients from connecting to the RPC server on domain-joined member servers and standalone systems.
V-93455
- Windows Server 2019 computer account password must not be prevented from being reset.
V-93459
- Windows Server 2019 must have the built-in Windows password complexity policy enabled.
V-93463
- Windows Server 2019 minimum password length must be configured to 14 characters.
V-93465
- Windows Server 2019 reversible password encryption must be disabled.
V-93467
- Windows Server 2019 must be configured to prevent the storage of the LAN Manager hash of passwords.
V-93469
- Windows Server 2019 unencrypted passwords must not be sent to third-party Server Message Block (SMB) servers.
V-93471
- Windows Server 2019 minimum password age must be configured to at least one day.
V-93477
- Windows Server 2019 maximum password age must be configured to 60 days or less.
V-93479
- Windows Server 2019 password history must be configured to 24 passwords remembered.
V-93493
- Windows Server 2019 users must be required to enter a password to access private keys stored on the computer.
V-93495
- Windows Server 2019 Kerberos encryption types must be configured to prevent the use of DES and RC4 encryption suites.
V-93497
- Windows Server 2019 must have the built-in guest account disabled.
V-93499
- Windows Server 2019 Windows Remote Management (WinRM) client must not allow unencrypted traffic.
V-93501
- Windows Server 2019 Windows Remote Management (WinRM) service must not allow unencrypted traffic.
V-93503
- Windows Server 2019 Windows Remote Management (WinRM) client must not use Basic authentication.
V-93505
- Windows Server 2019 Windows Remote Management (WinRM) client must not use Digest authentication.
V-93507
- Windows Server 2019 Windows Remote Management (WinRM) service must not use Basic authentication.
V-93517
- Windows Server 2019 administrator accounts must not be enumerated during elevation.
V-93519
- Windows Server 2019 local administrator accounts must have their privileged token filtered to prevent elevated privileges from being used over the network on domain-joined member servers.
V-93521
- Windows Server 2019 UIAccess applications must not be allowed to prompt for elevation without using the secure desktop.
V-93523
- Windows Server 2019 User Account Control must, at a minimum, prompt administrators for consent on the secure desktop.
V-93525
- Windows Server 2019 User Account Control must be configured to detect application installations and prompt for elevation.
V-93527
- Windows Server 2019 User Account Control (UAC) must only elevate UIAccess applications that are installed in secure locations.
V-93529
- Windows Server 2019 User Account Control (UAC) must virtualize file and registry write failures to per-user locations.
V-93533
- Windows Server 2019 Remote Desktop Services must prevent drive redirection.
V-93537
- Windows Server 2019 must not allow anonymous enumeration of shares.
V-93539
- Windows Server 2019 must restrict anonymous access to Named Pipes and Shares.
V-93541
- Windows Server 2019 must be configured to ignore NetBIOS name release requests except from WINS servers.
V-93545
- Windows Server 2019 domain controllers must require LDAP access signing.
V-93547
- Windows Server 2019 setting Domain member: Digitally encrypt or sign secure channel data (always) must be configured to Enabled.
V-93549
- Windows Server 2019 setting Domain member: Digitally encrypt secure channel data (when possible) must be configured to enabled.
V-93551
- Windows Server 2019 setting Domain member: Digitally sign secure channel data (when possible) must be configured to Enabled.
V-93553
- Windows Server 2019 must be configured to require a strong session key.
V-93555
- Windows Server 2019 setting Microsoft network client: Digitally sign communications (always) must be configured to Enabled.
V-93557
- Windows Server 2019 setting Microsoft network client: Digitally sign communications (if server agrees) must be configured to Enabled.
V-93559
- Windows Server 2019 setting Microsoft network server: Digitally sign communications (always) must be configured to Enabled.
V-93561
- Windows Server 2019 setting Microsoft network server: Digitally sign communications (if client agrees) must be configured to Enabled.
V-93563
- Windows Server 2019 Explorer Data Execution Prevention must be enabled.