1. Introduction
2. Licensing
3. Installing Sicura Enterprise
4. Server install from RPM
5. Server install from ISO
6. Upgrade Sicura Enterprise
7. Server Installation via Control Repo
8. Enable SIMP Compliance Engine
9. Configure SIMP Compliance Engine
10. Included Compliance Profiles
11. Console install via Puppet
12. Agent Install via Puppet
13. Coverage - CIS, Windows
14. Coverage - CIS, Linux
15. Coverage - CMMC, Windows
16. Coverage - CMMC, Linux
17. Coverage - DISA, Windows
18. Coverage - DISA, Linux
19. Coverage - NIST 800-171 r2, Windows
20. Linux DISA Module Usage
21. Windows CIS module usage
22. Linux CIS Module Usage
23. Linux SSG Module Usage

NIST Coverage Report

Summary

Detail

Unmapped Controls

The following controls are not mapped:

Windows 2012 R2 (6/179 [3%])

• oval:simp.disa.003.004.windows2012R2.V-226070:def:1
  • Title: Active Directory data files must have proper access control permissions.
  • NOTE: Discussing the best approach to enforcement.
• oval:simp.disa.003.004.windows2012R2.V-226268:def:1
  • Title: Standard user accounts must only have Read permissions to the Winlogon registry key.
  • NOTE: Discussing the best approach to enforcement.
• oval:simp.disa.003.004.windows2012.V-225444:def:1
  • Title: Standard user accounts must only have Read permissions to the Winlogon registry key.
  • NOTE: Discussing the best approach to enforcement.
• oval:simp.disa.003.004.windows2012R2.V-226069:def:1
  • Title: The computer clock synchronization tolerance must be limited to 5 minutes or less.
  • NOTE: Requires a module to manage Group Policy.
• oval:simp.disa.003.004.windows2012R2.V-226335:def:1
  • Title: The system must be configured to use FIPS-compliant algorithms for encryption, hashing, and signing.
  • NOTE: Lower priority: this is not a requirement for most customers.
• oval:simp.disa.003.004.windows2012.V-225512:def:1
  • Title: The system must be configured to use FIPS-compliant algorithms for encryption, hashing, and signing.
  • NOTE: Lower priority: this is not a requirement for most customers.

    Windows 2016 (8/94 [8%])

• oval:simp.disa.002.003.windows2016.V-224970:def:1
  • Title: Permissions on the Active Directory data files must only allow System and Administrators access.
  • NOTE: Discussing the best approach to enforcement.
• oval:simp.disa.002.003.windows2016.V-225059:def:1
  • Title: Windows Server 2016 must be configured to use FIPS-compliant algorithms for encryption, hashing, and signing.
  • NOTE: Lower priority: this is not a requirement for most customers.
• oval:simp.disa.002.003.windows2016.V-224965:def:1
  • Title: Kerberos user logon restrictions must be enforced.
  • NOTE: Requires a module to manage Group Policy.
• oval:simp.disa.002.003.windows2016.V-224966:def:1
  • Title: The Kerberos service ticket maximum lifetime must be limited to 600 minutes or less.
  • NOTE: Requires a module to manage Group Policy.
• oval:simp.disa.002.003.windows2016.V-224967:def:1
  • Title: The Kerberos user ticket lifetime must be limited to 10 hours or less.
  • NOTE: Requires a module to manage Group Policy.
• oval:simp.disa.002.003.windows2016.V-224968:def:1
  • Title: The Kerberos policy user ticket renewal maximum lifetime must be limited to seven days or less.
  • NOTE: Requires a module to manage Group Policy.
• oval:simp.disa.002.003.windows2016.V-224969:def:1
  • Title: The computer clock synchronization tolerance must be limited to 5 minutes or less.
  • NOTE: Requires a module to manage Group Policy.
• oval:simp.disa.002.003.windows2016.V-225022:def:1
  • Title: The DoD Interoperability Root CA cross-certificates must be installed in the Untrusted Certificates Store on unclassified systems.
  • NOTE: Requires a module to manage the Windows certificate store.

    Windows 2019 (7/93 [7%])

• oval:simp.disa.002.003.windows2019.V-205739:def:1
  • Title: Windows Server 2019 permissions on the Active Directory data files must only allow System and Administrators access.
  • NOTE: Discussing the best approach to enforcement.
• oval:simp.disa.002.003.windows2019.V-205702:def:1
  • Title: Windows Server 2019 Kerberos user logon restrictions must be enforced.
  • NOTE: Requires a module to manage Group Policy.
• oval:simp.disa.002.003.windows2019.V-205703:def:1
  • Title: Windows Server 2019 Kerberos service ticket maximum lifetime must be limited to 600 minutes or less.
  • NOTE: Requires a module to manage Group Policy.
• oval:simp.disa.002.003.windows2019.V-205704:def:1
  • Title: Windows Server 2019 Kerberos user ticket lifetime must be limited to 10 hours or less.
  • NOTE: Requires a module to manage Group Policy.
• oval:simp.disa.002.003.windows2019.V-205705:def:1
  • Title: Windows Server 2019 Kerberos policy user ticket renewal maximum lifetime must be limited to seven days or less.
  • NOTE: Requires a module to manage Group Policy.
• oval:simp.disa.002.003.windows2019.V-205706:def:1
  • Title: Windows Server 2019 computer clock synchronization tolerance must be limited to five minutes or less.
  • NOTE: Requires a module to manage Group Policy.
• oval:simp.disa.002.003.windows2019.V-205842:def:1
  • Title: Windows Server 2019 must be configured to use FIPS-compliant algorithms for encryption, hashing, and signing.
  • NOTE: Lower priority: this is not a requirement for most customers.

    Windows 2022 (7/94 [7%])

• oval:simp.disa.001.001.windows2022.V-254391:def:1
  • Title: Windows Server 2022 permissions on the Active Directory data files must only allow System and Administrators access.
  • NOTE: Discussing the best approach to enforcement.
• oval:simp.disa.001.001.windows2022.V-254386:def:1
  • Title: Windows Server 2022 Kerberos user logon restrictions must be enforced.
  • NOTE: Requires a module to manage Group Policy.
• oval:simp.disa.001.001.windows2022.V-254387:def:1
  • Title: Windows Server 2022 Kerberos service ticket maximum lifetime must be limited to 600 minutes or less.
  • NOTE: Requires a module to manage Group Policy.
• oval:simp.disa.001.001.windows2022.V-254388:def:1
  • Title: Windows Server 2022 Kerberos user ticket lifetime must be limited to 10 hours or less.
  • NOTE: Requires a module to manage Group Policy.
• oval:simp.disa.001.001.windows2022.V-254389:def:1
  • Title: Windows Server 2022 Kerberos policy user ticket renewal maximum lifetime must be limited to seven days or less.
  • NOTE: Requires a module to manage Group Policy.
• oval:simp.disa.001.001.windows2022.V-254390:def:1
  • Title: Windows Server 2022 computer clock synchronization tolerance must be limited to five minutes or less.
  • NOTE: Requires a module to manage Group Policy.
• oval:simp.disa.001.001.windows2022.V-254480:def:1
  • Title: Windows Server 2022 must be configured to use FIPS-compliant algorithms for encryption, hashing, and signing.
  • NOTE: Lower priority: this is not a requirement for most customers.

Paper Policy

The following controls require administrative documentation:

Windows 2016 (1/94 [1%])

• oval:simp.disa.002.003.windows2016.V-224831:def:1
  • Title: Local volumes must use a format that supports NTFS attributes.

    Windows 2019 (1/93 [1%])

• oval:simp.disa.002.003.windows2019.V-205663:def:1
  • Title: Windows Server 2019 local volumes must use a format that supports NTFS attributes.

    Windows 2022 (1/94 [1%])

• oval:simp.disa.001.001.windows2022.V-254250:def:1
  • Title: Windows Server 2022 local volumes must use a format that supports NTFS attributes.

Mapped

The following controls are mapped:

Windows 2012 R2 (173/179 [96%])

• oval:simp.disa.003.004.windows2012R2.V-226371:def:1
  • Title: Unauthorized accounts must not have the Access this computer from the network user right on domain controllers.
• oval:simp.disa.003.004.windows2012R2.V-226373:def:1
  • Title: The Allow log on locally user right must only be assigned to the Administrators group.
• oval:simp.disa.003.004.windows2012R2.V-226381:def:1
  • Title: The Deny access to this computer from the network user right on domain controllers must be configured to prevent unauthenticated access.
• oval:simp.disa.003.004.windows2012R2.V-226382:def:1
  • Title: The Deny log on as a batch job user right on domain controllers must be configured to prevent unauthenticated access.
• oval:simp.disa.003.004.windows2012R2.V-226383:def:1
  • Title: The Deny log on as a service user right must be configured to include no accounts or groups (blank) on domain controllers.
• oval:simp.disa.003.004.windows2012R2.V-226384:def:1
  • Title: The Deny log on locally user right on domain controllers must be configured to prevent unauthenticated access.
• oval:simp.disa.003.004.windows2012R2.V-226385:def:1
  • Title: The Deny log on through Remote Desktop Services user right on domain controllers must be configured to prevent unauthenticated access.
• oval:simp.disa.003.004.windows2012R2.V-226400:def:1
  • Title: The Allow log on through Remote Desktop Services user right must only be assigned to the Administrators group.
• oval:simp.disa.003.004.windows2012.V-225546:def:1
  • Title: The Access this computer from the network user right must only be assigned to the Administrators and Authenticated Users groups on member servers.
• oval:simp.disa.003.004.windows2012.V-225548:def:1
  • Title: The Allow log on locally user right must only be assigned to the Administrators group.
• oval:simp.disa.003.004.windows2012.V-225549:def:1
  • Title: The Allow log on through Remote Desktop Services user right must only be assigned to the Administrators group and other approved groups.
• oval:simp.disa.003.004.windows2012.V-225557:def:1
  • Title: The Deny access to this computer from the network user right on member servers must be configured to prevent access from highly privileged domain accounts and local accounts on domain systems, and from unauthenticated access on all systems.
• oval:simp.disa.003.004.windows2012.V-225558:def:1
  • Title: The Deny log on as a batch job user right on member servers must be configured to prevent access from highly privileged domain accounts on domain systems, and from unauthenticated access on all systems.
• oval:simp.disa.003.004.windows2012.V-225559:def:1
  • Title: The Deny log on as a service user right on member servers must be configured to prevent access from highly privileged domain accounts on domain systems. No other groups or accounts must be assigned this right.
• oval:simp.disa.003.004.windows2012.V-225560:def:1
  • Title: The Deny log on locally user right on member servers must be configured to prevent access from highly privileged domain accounts on domain systems, and from unauthenticated access on all systems.
• oval:simp.disa.003.004.windows2012.V-225561:def:1
  • Title: The Deny log on through Remote Desktop Services user right on member servers must be configured to prevent access from highly privileged domain accounts and all local accounts on domain systems, and from unauthenticated access on all systems.
• oval:simp.disa.003.004.windows2012R2.V-226087:def:1
  • Title: Windows Server 2012/2012 R2 domain controllers must be configured to audit Account Management - Computer Account Management successes.
• oval:simp.disa.003.004.windows2012R2.V-226088:def:1
  • Title: The system must be configured to audit Account Management - Other Account Management Events successes.
• oval:simp.disa.003.004.windows2012R2.V-226089:def:1
  • Title: The system must be configured to audit Account Management - Security Group Management successes.
• oval:simp.disa.003.004.windows2012R2.V-226090:def:1
  • Title: The system must be configured to audit Account Management - User Account Management successes.
• oval:simp.disa.003.004.windows2012R2.V-226091:def:1
  • Title: The system must be configured to audit Account Management - User Account Management failures.
• oval:simp.disa.003.004.windows2012R2.V-226095:def:1
  • Title: The system must be configured to audit DS Access - Directory Service Access successes.
• oval:simp.disa.003.004.windows2012R2.V-226096:def:1
  • Title: The system must be configured to audit DS Access - Directory Service Access failures.
• oval:simp.disa.003.004.windows2012R2.V-226097:def:1
  • Title: The system must be configured to audit DS Access - Directory Service Changes successes.
• oval:simp.disa.003.004.windows2012R2.V-226098:def:1
  • Title: The system must be configured to audit DS Access - Directory Service Changes failures.
• oval:simp.disa.003.004.windows2012R2.V-226108:def:1
  • Title: The system must be configured to audit Policy Change - Audit Policy Change failures.
• oval:simp.disa.003.004.windows2012R2.V-226109:def:1
  • Title: The system must be configured to audit Policy Change - Authentication Policy Change successes.
• oval:simp.disa.003.004.windows2012R2.V-226111:def:1
  • Title: The system must be configured to audit Privilege Use - Sensitive Privilege Use successes.
• oval:simp.disa.003.004.windows2012R2.V-226112:def:1
  • Title: The system must be configured to audit Privilege Use - Sensitive Privilege Use failures.
• oval:simp.disa.003.004.windows2012R2.V-226115:def:1
  • Title: Windows Server 2012/2012 R2 must be configured to audit System - Other System Events successes.
• oval:simp.disa.003.004.windows2012R2.V-226116:def:1
  • Title: Windows Server 2012/2012 R2 must be configured to audit System - Other System Events failures.
• oval:simp.disa.003.004.windows2012R2.V-226117:def:1
  • Title: The system must be configured to audit System - Security State Change successes.
• oval:simp.disa.003.004.windows2012R2.V-226118:def:1
  • Title: The system must be configured to audit System - Security System Extension successes.
• oval:simp.disa.003.004.windows2012R2.V-226119:def:1
  • Title: The system must be configured to audit System - System Integrity successes.
• oval:simp.disa.003.004.windows2012R2.V-226120:def:1
  • Title: The system must be configured to audit System - System Integrity failures.
• oval:simp.disa.003.004.windows2012.V-225277:def:1
  • Title: The system must be configured to audit Account Management - Other Account Management Events successes.
• oval:simp.disa.003.004.windows2012.V-225278:def:1
  • Title: The system must be configured to audit Account Management - Security Group Management successes.
• oval:simp.disa.003.004.windows2012.V-225279:def:1
  • Title: The system must be configured to audit Account Management - User Account Management successes.
• oval:simp.disa.003.004.windows2012.V-225280:def:1
  • Title: The system must be configured to audit Account Management - User Account Management failures.
• oval:simp.disa.003.004.windows2012.V-225293:def:1
  • Title: The system must be configured to audit Policy Change - Audit Policy Change failures.
• oval:simp.disa.003.004.windows2012.V-225294:def:1
  • Title: The system must be configured to audit Policy Change - Authentication Policy Change successes.
• oval:simp.disa.003.004.windows2012.V-225296:def:1
  • Title: The system must be configured to audit Privilege Use - Sensitive Privilege Use successes.
• oval:simp.disa.003.004.windows2012.V-225297:def:1
  • Title: The system must be configured to audit Privilege Use - Sensitive Privilege Use failures.
• oval:simp.disa.003.004.windows2012.V-225300:def:1
  • Title: Windows Server 2012/2012 R2 must be configured to audit System - Other System Events successes.
• oval:simp.disa.003.004.windows2012.V-225301:def:1
  • Title: Windows Server 2012/2012 R2 must be configured to audit System - Other System Events failures.
• oval:simp.disa.003.004.windows2012.V-225302:def:1
  • Title: The system must be configured to audit System - Security State Change successes.
• oval:simp.disa.003.004.windows2012.V-225303:def:1
  • Title: The system must be configured to audit System - Security System Extension successes.
• oval:simp.disa.003.004.windows2012.V-225304:def:1
  • Title: The system must be configured to audit System - System Integrity successes.
• oval:simp.disa.003.004.windows2012.V-225305:def:1
  • Title: The system must be configured to audit System - System Integrity failures.
• oval:simp.disa.003.004.windows2012R2.V-226269:def:1
  • Title: Standard user accounts must only have Read permissions to the Active Setup\Installed Components registry key.
  • NOTE: Discussing the best approach to enforcement.
• oval:simp.disa.003.004.windows2012R2.V-226270:def:1
  • Title: Anonymous access to the registry must be restricted.
• oval:simp.disa.003.004.windows2012R2.V-226370:def:1
  • Title: The Access Credential Manager as a trusted caller user right must not be assigned to any groups or accounts.
• oval:simp.disa.003.004.windows2012R2.V-226372:def:1
  • Title: The Act as part of the operating system user right must not be assigned to any groups or accounts.
• oval:simp.disa.003.004.windows2012R2.V-226374:def:1
  • Title: The Back up files and directories user right must only be assigned to the Administrators group.
• oval:simp.disa.003.004.windows2012R2.V-226375:def:1
  • Title: The Create a pagefile user right must only be assigned to the Administrators group.
• oval:simp.disa.003.004.windows2012R2.V-226376:def:1
  • Title: The Create a token object user right must not be assigned to any groups or accounts.
• oval:simp.disa.003.004.windows2012R2.V-226377:def:1
  • Title: The Create global objects user right must only be assigned to Administrators, Service, Local Service, and Network Service.
• oval:simp.disa.003.004.windows2012R2.V-226378:def:1
  • Title: The Create permanent shared objects user right must not be assigned to any groups or accounts.
• oval:simp.disa.003.004.windows2012R2.V-226379:def:1
  • Title: The Create symbolic links user right must only be assigned to the Administrators group.
• oval:simp.disa.003.004.windows2012R2.V-226380:def:1
  • Title: The Debug programs user right must only be assigned to the Administrators group.
• oval:simp.disa.003.004.windows2012R2.V-226386:def:1
  • Title: Unauthorized accounts must not have the Enable computer and user accounts to be trusted for delegation user right on domain controllers.
• oval:simp.disa.003.004.windows2012R2.V-226387:def:1
  • Title: The Force shutdown from a remote system user right must only be assigned to the Administrators group.
• oval:simp.disa.003.004.windows2012R2.V-226388:def:1
  • Title: The Generate security audits user right must only be assigned to Local Service and Network Service.
• oval:simp.disa.003.004.windows2012R2.V-226389:def:1
  • Title: The Impersonate a client after authentication user right must only be assigned to Administrators, Service, Local Service, and Network Service.
• oval:simp.disa.003.004.windows2012R2.V-226390:def:1
  • Title: The Increase scheduling priority user right must only be assigned to the Administrators group.
• oval:simp.disa.003.004.windows2012R2.V-226391:def:1
  • Title: The Load and unload device drivers user right must only be assigned to the Administrators group.
• oval:simp.disa.003.004.windows2012R2.V-226392:def:1
  • Title: The Lock pages in memory user right must not be assigned to any groups or accounts.
• oval:simp.disa.003.004.windows2012R2.V-226394:def:1
  • Title: The Modify firmware environment values user right must only be assigned to the Administrators group.
• oval:simp.disa.003.004.windows2012R2.V-226395:def:1
  • Title: The Perform volume maintenance tasks user right must only be assigned to the Administrators group.
• oval:simp.disa.003.004.windows2012R2.V-226396:def:1
  • Title: The Profile single process user right must only be assigned to the Administrators group.
• oval:simp.disa.003.004.windows2012R2.V-226397:def:1
  • Title: The Restore files and directories user right must only be assigned to the Administrators group.
• oval:simp.disa.003.004.windows2012R2.V-226398:def:1
  • Title: The Take ownership of files or other objects user right must only be assigned to the Administrators group.
• oval:simp.disa.003.004.windows2012R2.V-226399:def:1
  • Title: Unauthorized accounts must not have the Add workstations to domain user right.
• oval:simp.disa.003.004.windows2012.V-225445:def:1
  • Title: Standard user accounts must only have Read permissions to the Active Setup\Installed Components registry key.
  • NOTE: Discussing the best approach to enforcement.
• oval:simp.disa.003.004.windows2012.V-225447:def:1
  • Title: Anonymous access to the registry must be restricted.
• oval:simp.disa.003.004.windows2012.V-225545:def:1
  • Title: The Access Credential Manager as a trusted caller user right must not be assigned to any groups or accounts.
• oval:simp.disa.003.004.windows2012.V-225547:def:1
  • Title: The Act as part of the operating system user right must not be assigned to any groups or accounts.
• oval:simp.disa.003.004.windows2012.V-225550:def:1
  • Title: The Back up files and directories user right must only be assigned to the Administrators group.
• oval:simp.disa.003.004.windows2012.V-225551:def:1
  • Title: The Create a pagefile user right must only be assigned to the Administrators group.
• oval:simp.disa.003.004.windows2012.V-225552:def:1
  • Title: The Create a token object user right must not be assigned to any groups or accounts.
• oval:simp.disa.003.004.windows2012.V-225553:def:1
  • Title: The Create global objects user right must only be assigned to Administrators, Service, Local Service, and Network Service.
• oval:simp.disa.003.004.windows2012.V-225554:def:1
  • Title: The Create permanent shared objects user right must not be assigned to any groups or accounts.
• oval:simp.disa.003.004.windows2012.V-225555:def:1
  • Title: The Create symbolic links user right must only be assigned to the Administrators group.
• oval:simp.disa.003.004.windows2012.V-225556:def:1
  • Title: The Debug programs user right must only be assigned to the Administrators group.
• oval:simp.disa.003.004.windows2012.V-225562:def:1
  • Title: Unauthorized accounts must not have the Enable computer and user accounts to be trusted for delegation user right on member servers.
• oval:simp.disa.003.004.windows2012.V-225563:def:1
  • Title: The Force shutdown from a remote system user right must only be assigned to the Administrators group.
• oval:simp.disa.003.004.windows2012.V-225564:def:1
  • Title: The Generate security audits user right must only be assigned to Local Service and Network Service.
• oval:simp.disa.003.004.windows2012.V-225565:def:1
  • Title: The Impersonate a client after authentication user right must only be assigned to Administrators, Service, Local Service, and Network Service.
• oval:simp.disa.003.004.windows2012.V-225566:def:1
  • Title: The Increase scheduling priority user right must only be assigned to the Administrators group.
• oval:simp.disa.003.004.windows2012.V-225567:def:1
  • Title: The Load and unload device drivers user right must only be assigned to the Administrators group.
• oval:simp.disa.003.004.windows2012.V-225568:def:1
  • Title: The Lock pages in memory user right must not be assigned to any groups or accounts.
• oval:simp.disa.003.004.windows2012.V-225570:def:1
  • Title: The Modify firmware environment values user right must only be assigned to the Administrators group.
• oval:simp.disa.003.004.windows2012.V-225571:def:1
  • Title: The Perform volume maintenance tasks user right must only be assigned to the Administrators group.
• oval:simp.disa.003.004.windows2012.V-225572:def:1
  • Title: The Profile single process user right must only be assigned to the Administrators group.
• oval:simp.disa.003.004.windows2012.V-225573:def:1
  • Title: The Restore files and directories user right must only be assigned to the Administrators group.
• oval:simp.disa.003.004.windows2012.V-225574:def:1
  • Title: The Take ownership of files or other objects user right must only be assigned to the Administrators group.
• oval:simp.disa.003.004.windows2012R2.V-226296:def:1
  • Title: The amount of idle time required before suspending a session must be properly set.
• oval:simp.disa.003.004.windows2012.V-225473:def:1
  • Title: The amount of idle time required before suspending a session must be properly set.
• oval:simp.disa.003.004.windows2012R2.V-226099:def:1
  • Title: The system must be configured to audit Logon/Logoff - Logoff successes.
• oval:simp.disa.003.004.windows2012R2.V-226100:def:1
  • Title: The system must be configured to audit Logon/Logoff - Logon successes.
• oval:simp.disa.003.004.windows2012R2.V-226101:def:1
  • Title: The system must be configured to audit Logon/Logoff - Logon failures.
• oval:simp.disa.003.004.windows2012R2.V-226224:def:1
  • Title: Users must be prevented from mapping local COM ports and redirecting data from the Remote Desktop Session Host to local COM ports. (Remote Desktop Services Role).
• oval:simp.disa.003.004.windows2012R2.V-226225:def:1
  • Title: Users must be prevented from mapping local LPT ports and redirecting data from the Remote Desktop Session Host to local LPT ports. (Remote Desktop Services Role).
• oval:simp.disa.003.004.windows2012R2.V-226226:def:1
  • Title: The system must be configured to ensure smart card devices can be redirected to the Remote Desktop session. (Remote Desktop Services Role).
• oval:simp.disa.003.004.windows2012R2.V-226227:def:1
  • Title: Users must be prevented from redirecting Plug and Play devices to the Remote Desktop Session Host. (Remote Desktop Services Role).
• oval:simp.disa.003.004.windows2012.V-225284:def:1
  • Title: The system must be configured to audit Logon/Logoff - Logoff successes.
• oval:simp.disa.003.004.windows2012.V-225285:def:1
  • Title: The system must be configured to audit Logon/Logoff - Logon successes.
• oval:simp.disa.003.004.windows2012.V-225286:def:1
  • Title: The system must be configured to audit Logon/Logoff - Logon failures.
• oval:simp.disa.003.004.windows2012.V-225404:def:1
  • Title: Users must be prevented from mapping local COM ports and redirecting data from the Remote Desktop Session Host to local COM ports. (Remote Desktop Services Role).
• oval:simp.disa.003.004.windows2012.V-225405:def:1
  • Title: Users must be prevented from mapping local LPT ports and redirecting data from the Remote Desktop Session Host to local LPT ports. (Remote Desktop Services Role).
• oval:simp.disa.003.004.windows2012.V-225406:def:1
  • Title: The system must be configured to ensure smart card devices can be redirected to the Remote Desktop session. (Remote Desktop Services Role).
• oval:simp.disa.003.004.windows2012.V-225407:def:1
  • Title: Users must be prevented from redirecting Plug and Play devices to the Remote Desktop Session Host. (Remote Desktop Services Role).
• oval:simp.disa.003.004.windows2012R2.V-226202:def:1
  • Title: Remote Desktop Services must be configured with the client connection encryption set to the required level.
• oval:simp.disa.003.004.windows2012R2.V-226222:def:1
  • Title: The Remote Desktop Session Host must require secure RPC communications.
• oval:simp.disa.003.004.windows2012.V-225382:def:1
  • Title: Remote Desktop Services must be configured with the client connection encryption set to the required level.
• oval:simp.disa.003.004.windows2012.V-225402:def:1
  • Title: The Remote Desktop Session Host must require secure RPC communications.
• oval:simp.disa.003.004.windows2012R2.V-226230:def:1
  • Title: Windows 2012 R2 must include command line data in process creation events.
• oval:simp.disa.003.004.windows2012.V-225410:def:1
  • Title: Windows 2012 R2 must include command line data in process creation events.
• oval:simp.disa.003.004.windows2012R2.V-226134:def:1
  • Title: Event Viewer must be protected from unauthorized modification and deletion.
• oval:simp.disa.003.004.windows2012R2.V-226393:def:1
  • Title: The Manage auditing and security log user right must only be assigned to the Administrators group.
• oval:simp.disa.003.004.windows2012.V-225313:def:1
  • Title: Event Viewer must be protected from unauthorized modification and deletion.
• oval:simp.disa.003.004.windows2012.V-225569:def:1
  • Title: The Manage auditing and security log user right must only be assigned to the Administrators group.
• oval:simp.disa.003.004.windows2012R2.V-226184:def:1
  • Title: Autoplay must be turned off for non-volume devices.
• oval:simp.disa.003.004.windows2012R2.V-226185:def:1
  • Title: The default Autorun behavior must be configured to prevent Autorun commands.
• oval:simp.disa.003.004.windows2012R2.V-226186:def:1
  • Title: Autoplay must be disabled for all drives.
• oval:simp.disa.003.004.windows2012.V-225364:def:1
  • Title: Autoplay must be turned off for non-volume devices.
• oval:simp.disa.003.004.windows2012.V-225365:def:1
  • Title: The default Autorun behavior must be configured to prevent Autorun commands.
• oval:simp.disa.003.004.windows2012.V-225366:def:1
  • Title: Autoplay must be disabled for all drives.
• oval:simp.disa.003.004.windows2012R2.V-226324:def:1
  • Title: Services using Local System that use Negotiate when reverting to NTLM authentication must use the computer identity vs. authenticating anonymously.
• oval:simp.disa.003.004.windows2012.V-225501:def:1
  • Title: Services using Local System that use Negotiate when reverting to NTLM authentication must use the computer identity vs. authenticating anonymously.
• oval:simp.disa.003.004.windows2012R2.V-226188:def:1
  • Title: The password reveal button must not be displayed.
• oval:simp.disa.003.004.windows2012.V-225368:def:1
  • Title: The password reveal button must not be displayed.
• oval:simp.disa.003.004.windows2012R2.V-226279:def:1
  • Title: Outgoing secure channel traffic must be encrypted or signed.
• oval:simp.disa.003.004.windows2012R2.V-226280:def:1
  • Title: Outgoing secure channel traffic must be encrypted when possible.
• oval:simp.disa.003.004.windows2012R2.V-226281:def:1
  • Title: Outgoing secure channel traffic must be signed when possible.
• oval:simp.disa.003.004.windows2012R2.V-226284:def:1
  • Title: The system must be configured to require a strong session key.
• oval:simp.disa.003.004.windows2012R2.V-226293:def:1
  • Title: The Windows SMB client must be configured to always perform SMB packet signing.
• oval:simp.disa.003.004.windows2012R2.V-226294:def:1
  • Title: The Windows SMB client must be enabled to perform SMB packet signing when possible.
• oval:simp.disa.003.004.windows2012R2.V-226297:def:1
  • Title: The Windows SMB server must be configured to always perform SMB packet signing.
• oval:simp.disa.003.004.windows2012R2.V-226298:def:1
  • Title: The Windows SMB server must perform SMB packet signing when possible.
• oval:simp.disa.003.004.windows2012R2.V-226350:def:1
  • Title: Domain controllers must require LDAP access signing.
• oval:simp.disa.003.004.windows2012.V-225456:def:1
  • Title: Outgoing secure channel traffic must be encrypted or signed.
• oval:simp.disa.003.004.windows2012.V-225457:def:1
  • Title: Outgoing secure channel traffic must be encrypted when possible.
• oval:simp.disa.003.004.windows2012.V-225458:def:1
  • Title: Outgoing secure channel traffic must be signed when possible.
• oval:simp.disa.003.004.windows2012.V-225461:def:1
  • Title: The system must be configured to require a strong session key.
• oval:simp.disa.003.004.windows2012.V-225470:def:1
  • Title: The Windows SMB client must be configured to always perform SMB packet signing.
• oval:simp.disa.003.004.windows2012.V-225471:def:1
  • Title: The Windows SMB client must be enabled to perform SMB packet signing when possible.
• oval:simp.disa.003.004.windows2012.V-225474:def:1
  • Title: The Windows SMB server must be configured to always perform SMB packet signing.
• oval:simp.disa.003.004.windows2012.V-225475:def:1
  • Title: The Windows SMB server must perform SMB packet signing when possible.
• oval:simp.disa.003.004.windows2012R2.V-226174:def:1
  • Title: The system must be configured to prevent unsolicited remote assistance offers.
• oval:simp.disa.003.004.windows2012R2.V-226175:def:1
  • Title: Solicited Remote Assistance must not be allowed.
• oval:simp.disa.003.004.windows2012R2.V-226200:def:1
  • Title: Local drives must be prevented from sharing with Remote Desktop Session Hosts. (Remote Desktop Services Role).
• oval:simp.disa.003.004.windows2012R2.V-226316:def:1
  • Title: Anonymous enumeration of shares must be restricted.
• oval:simp.disa.003.004.windows2012R2.V-226318:def:1
  • Title: Named pipes that can be accessed anonymously must be configured with limited values on domain controllers.
• oval:simp.disa.003.004.windows2012R2.V-226319:def:1
  • Title: Unauthorized remotely accessible registry paths must not be configured.
• oval:simp.disa.003.004.windows2012R2.V-226320:def:1
  • Title: Unauthorized remotely accessible registry paths and sub-paths must not be configured.
• oval:simp.disa.003.004.windows2012R2.V-226321:def:1
  • Title: Anonymous access to Named Pipes and Shares must be restricted.
• oval:simp.disa.003.004.windows2012R2.V-226322:def:1
  • Title: Network shares that can be accessed anonymously must not be allowed.
• oval:simp.disa.003.004.windows2012R2.V-226323:def:1
  • Title: The system must be configured to use the Classic security model.
• oval:simp.disa.003.004.windows2012.V-225353:def:1
  • Title: The system must be configured to prevent unsolicited remote assistance offers.
• oval:simp.disa.003.004.windows2012.V-225354:def:1
  • Title: Solicited Remote Assistance must not be allowed.
• oval:simp.disa.003.004.windows2012.V-225380:def:1
  • Title: Local drives must be prevented from sharing with Remote Desktop Session Hosts. (Remote Desktop Services Role).
• oval:simp.disa.003.004.windows2012.V-225493:def:1
  • Title: Anonymous enumeration of shares must be restricted.
• oval:simp.disa.003.004.windows2012.V-225495:def:1
  • Title: Named pipes that can be accessed anonymously must be configured to contain no values on member servers.
• oval:simp.disa.003.004.windows2012.V-225496:def:1
  • Title: Unauthorized remotely accessible registry paths must not be configured.
• oval:simp.disa.003.004.windows2012.V-225497:def:1
  • Title: Unauthorized remotely accessible registry paths and sub-paths must not be configured.
• oval:simp.disa.003.004.windows2012.V-225498:def:1
  • Title: Anonymous access to Named Pipes and Shares must be restricted.
• oval:simp.disa.003.004.windows2012.V-225499:def:1
  • Title: Network shares that can be accessed anonymously must not be allowed.
• oval:simp.disa.003.004.windows2012.V-225500:def:1
  • Title: The system must be configured to use the Classic security model.
• oval:simp.disa.003.004.windows2012R2.V-226299:def:1
  • Title: Users must be forcibly disconnected when their logon hours expire.
• oval:simp.disa.003.004.windows2012R2.V-226329:def:1
  • Title: The system must be configured to force users to log off when their allowed logon hours expire.
• oval:simp.disa.003.004.windows2012.V-225476:def:1
  • Title: Users must be forcibly disconnected when their logon hours expire.
• oval:simp.disa.003.004.windows2012.V-225506:def:1
  • Title: The system must be configured to force users to log off when their allowed logon hours expire.

    Windows 2016 (85/94 [90%])

• oval:simp.disa.002.003.windows2016.V-224997:def:1
  • Title: The Access this computer from the network user right must only be assigned to the Administrators, Authenticated Users, and Enterprise Domain Controllers groups on domain controllers.
• oval:simp.disa.002.003.windows2016.V-224999:def:1
  • Title: The Allow log on through Remote Desktop Services user right must only be assigned to the Administrators group.
• oval:simp.disa.002.003.windows2016.V-225000:def:1
  • Title: The Deny access to this computer from the network user right on domain controllers must be configured to prevent unauthenticated access.
• oval:simp.disa.002.003.windows2016.V-225001:def:1
  • Title: The Deny log on as a batch job user right on domain controllers must be configured to prevent unauthenticated access.
• oval:simp.disa.002.003.windows2016.V-225002:def:1
  • Title: The Deny log on as a service user right must be configured to include no accounts or groups (blank) on domain controllers.
• oval:simp.disa.002.003.windows2016.V-225003:def:1
  • Title: The Deny log on locally user right on domain controllers must be configured to prevent unauthenticated access.
• oval:simp.disa.002.003.windows2016.V-225014:def:1
  • Title: The “Access this computer from the network” user right must only be assigned to the Administrators and Authenticated Users groups on member servers.
• oval:simp.disa.002.003.windows2016.V-225015:def:1
  • Title: The “Deny access to this computer from the network” user right on member servers must be configured to prevent access from highly privileged domain accounts and local accounts on domain systems and from unauthenticated access on all systems.
• oval:simp.disa.002.003.windows2016.V-225016:def:1
  • Title: The “Deny log on as a batch job” user right on member servers must be configured to prevent access from highly privileged domain accounts on domain systems and from unauthenticated access on all systems.
• oval:simp.disa.002.003.windows2016.V-225017:def:1
  • Title: The “Deny log on as a service” user right on member servers must be configured to prevent access from highly privileged domain accounts on domain systems. No other groups or accounts must be assigned this right.
• oval:simp.disa.002.003.windows2016.V-225018:def:1
  • Title: The “Deny log on locally” user right on member servers must be configured to prevent access from highly privileged domain accounts on domain systems and from unauthenticated access on all systems.
• oval:simp.disa.002.003.windows2016.V-225072:def:1
  • Title: The Allow log on locally user right must only be assigned to the Administrators group.
• oval:simp.disa.002.003.windows2016.V-224883:def:1
  • Title: Windows Server 2016 must be configured to audit Account Management - Other Account Management Events successes.
• oval:simp.disa.002.003.windows2016.V-224888:def:1
  • Title: Windows Server 2016 must be configured to audit Detailed Tracking - Process Creation successes.
• oval:simp.disa.002.003.windows2016.V-224900:def:1
  • Title: Windows Server 2016 must be configured to audit Policy Change - Audit Policy Change successes.
• oval:simp.disa.002.003.windows2016.V-224901:def:1
  • Title: Windows Server 2016 must be configured to audit Policy Change - Audit Policy Change failures.
• oval:simp.disa.002.003.windows2016.V-224902:def:1
  • Title: Windows Server 2016 must be configured to audit Policy Change - Authentication Policy Change successes.
• oval:simp.disa.002.003.windows2016.V-224903:def:1
  • Title: Windows Server 2016 must be configured to audit Policy Change - Authorization Policy Change successes.
• oval:simp.disa.002.003.windows2016.V-224904:def:1
  • Title: Windows Server 2016 must be configured to audit Privilege Use - Sensitive Privilege Use successes.
• oval:simp.disa.002.003.windows2016.V-224905:def:1
  • Title: Windows Server 2016 must be configured to audit Privilege Use - Sensitive Privilege Use failures.
• oval:simp.disa.002.003.windows2016.V-224906:def:1
  • Title: Windows Server 2016 must be configured to audit System - IPsec Driver successes.
• oval:simp.disa.002.003.windows2016.V-224907:def:1
  • Title: Windows Server 2016 must be configured to audit System - IPsec Driver failures.
• oval:simp.disa.002.003.windows2016.V-224908:def:1
  • Title: Windows Server 2016 must be configured to audit System - Other System Events successes.
• oval:simp.disa.002.003.windows2016.V-224909:def:1
  • Title: Windows Server 2016 must be configured to audit System - Other System Events failures.
• oval:simp.disa.002.003.windows2016.V-224910:def:1
  • Title: Windows Server 2016 must be configured to audit System - Security State Change successes.
• oval:simp.disa.002.003.windows2016.V-224911:def:1
  • Title: Windows Server 2016 must be configured to audit System - Security System Extension successes.
• oval:simp.disa.002.003.windows2016.V-224912:def:1
  • Title: Windows Server 2016 must be configured to audit System - System Integrity successes.
• oval:simp.disa.002.003.windows2016.V-224913:def:1
  • Title: Windows Server 2016 must be configured to audit System - System Integrity failures.
• oval:simp.disa.002.003.windows2016.V-224987:def:1
  • Title: Windows Server 2016 must be configured to audit DS Access - Directory Service Access successes.
• oval:simp.disa.002.003.windows2016.V-224988:def:1
  • Title: Windows Server 2016 must be configured to audit DS Access - Directory Service Access failures.
• oval:simp.disa.002.003.windows2016.V-224989:def:1
  • Title: Windows Server 2016 must be configured to audit DS Access - Directory Service Changes successes.
• oval:simp.disa.002.003.windows2016.V-224990:def:1
  • Title: Windows Server 2016 must be configured to audit DS Access - Directory Service Changes failures.
• oval:simp.disa.002.003.windows2016.V-224998:def:1
  • Title: The Add workstations to domain user right must only be assigned to the Administrators group.
• oval:simp.disa.002.003.windows2016.V-225005:def:1
  • Title: The Enable computer and user accounts to be trusted for delegation user right must only be assigned to the Administrators group on domain controllers.
• oval:simp.disa.002.003.windows2016.V-225013:def:1
  • Title: Remote calls to the Security Account Manager (SAM) must be restricted to Administrators.
• oval:simp.disa.002.003.windows2016.V-225020:def:1
  • Title: The “Enable computer and user accounts to be trusted for delegation” user right must not be assigned to any groups or accounts on member servers.
• oval:simp.disa.002.003.windows2016.V-225070:def:1
  • Title: The Access Credential Manager as a trusted caller user right must not be assigned to any groups or accounts.
• oval:simp.disa.002.003.windows2016.V-225071:def:1
  • Title: The Act as part of the operating system user right must not be assigned to any groups or accounts.
• oval:simp.disa.002.003.windows2016.V-225073:def:1
  • Title: The Back up files and directories user right must only be assigned to the Administrators group.
• oval:simp.disa.002.003.windows2016.V-225074:def:1
  • Title: The Create a pagefile user right must only be assigned to the Administrators group.
• oval:simp.disa.002.003.windows2016.V-225076:def:1
  • Title: The Create global objects user right must only be assigned to Administrators, Service, Local Service, and Network Service.
• oval:simp.disa.002.003.windows2016.V-225077:def:1
  • Title: The Create permanent shared objects user right must not be assigned to any groups or accounts.
• oval:simp.disa.002.003.windows2016.V-225078:def:1
  • Title: The Create symbolic links user right must only be assigned to the Administrators group.
• oval:simp.disa.002.003.windows2016.V-225079:def:1
  • Title: The Debug programs user right must only be assigned to the Administrators group.
• oval:simp.disa.002.003.windows2016.V-225080:def:1
  • Title: The Force shutdown from a remote system user right must only be assigned to the Administrators group.
• oval:simp.disa.002.003.windows2016.V-225081:def:1
  • Title: The Generate security audits user right must only be assigned to Local Service and Network Service.
• oval:simp.disa.002.003.windows2016.V-225082:def:1
  • Title: The Impersonate a client after authentication user right must only be assigned to Administrators, Service, Local Service, and Network Service.
• oval:simp.disa.002.003.windows2016.V-225083:def:1
  • Title: The Increase scheduling priority user right must only be assigned to the Administrators group.
• oval:simp.disa.002.003.windows2016.V-225084:def:1
  • Title: The Load and unload device drivers user right must only be assigned to the Administrators group.
• oval:simp.disa.002.003.windows2016.V-225085:def:1
  • Title: The Lock pages in memory user right must not be assigned to any groups or accounts.
• oval:simp.disa.002.003.windows2016.V-225087:def:1
  • Title: The Modify firmware environment values user right must only be assigned to the Administrators group.
• oval:simp.disa.002.003.windows2016.V-225088:def:1
  • Title: The Perform volume maintenance tasks user right must only be assigned to the Administrators group.
• oval:simp.disa.002.003.windows2016.V-225089:def:1
  • Title: The Profile single process user right must only be assigned to the Administrators group.
• oval:simp.disa.002.003.windows2016.V-225091:def:1
  • Title: The Create a token object user right must not be assigned to any groups or accounts.
• oval:simp.disa.002.003.windows2016.V-225092:def:1
  • Title: The Restore files and directories user right must only be assigned to the Administrators group.
• oval:simp.disa.002.003.windows2016.V-225093:def:1
  • Title: The Take ownership of files or other objects user right must only be assigned to the Administrators group.
• oval:simp.disa.002.003.windows2016.V-224892:def:1
  • Title: Windows Server 2016 must be configured to audit Logon/Logoff - Logoff successes.
• oval:simp.disa.002.003.windows2016.V-224893:def:1
  • Title: Windows Server 2016 must be configured to audit Logon/Logoff - Logon successes.
• oval:simp.disa.002.003.windows2016.V-224894:def:1
  • Title: Windows Server 2016 must be configured to audit Logon/Logoff - Logon failures.
• oval:simp.disa.002.003.windows2016.V-225004:def:1
  • Title: The Deny log on through Remote Desktop Services user right on domain controllers must be configured to prevent unauthenticated access.
• oval:simp.disa.002.003.windows2016.V-225019:def:1
  • Title: The “Deny log on through Remote Desktop Services” user right on member servers must be configured to prevent access from highly privileged domain accounts and all local accounts on domain systems and from unauthenticated access on all systems.
• oval:simp.disa.002.003.windows2016.V-224947:def:1
  • Title: The Remote Desktop Session Host must require secure Remote Procedure Call (RPC) communications.
• oval:simp.disa.002.003.windows2016.V-224948:def:1
  • Title: Remote Desktop Services must be configured with the client connection encryption set to High Level.
• oval:simp.disa.002.003.windows2016.V-224922:def:1
  • Title: Command line data must be included in process creation events.
• oval:simp.disa.002.003.windows2016.V-224957:def:1
  • Title: PowerShell script block logging must be enabled.
• oval:simp.disa.002.003.windows2016.V-224877:def:1
  • Title: Permissions for the Application event log must prevent access by non-privileged accounts.
• oval:simp.disa.002.003.windows2016.V-224878:def:1
  • Title: Permissions for the Security event log must prevent access by non-privileged accounts.
• oval:simp.disa.002.003.windows2016.V-224879:def:1
  • Title: Permissions for the System event log must prevent access by non-privileged accounts.
• oval:simp.disa.002.003.windows2016.V-224880:def:1
  • Title: Event Viewer must be protected from unauthorized modification and deletion.
• oval:simp.disa.002.003.windows2016.V-225086:def:1
  • Title: The Manage auditing and security log user right must only be assigned to the Administrators group.
• oval:simp.disa.002.003.windows2016.V-224932:def:1
  • Title: AutoPlay must be turned off for non-volume devices.
• oval:simp.disa.002.003.windows2016.V-224933:def:1
  • Title: The default AutoRun behavior must be configured to prevent AutoRun commands.
• oval:simp.disa.002.003.windows2016.V-224934:def:1
  • Title: AutoPlay must be disabled for all drives.
• oval:simp.disa.002.003.windows2016.V-224995:def:1
  • Title: Domain controllers must require LDAP access signing.
• oval:simp.disa.002.003.windows2016.V-225029:def:1
  • Title: The setting Domain member: Digitally encrypt or sign secure channel data (always) must be configured to Enabled.
• oval:simp.disa.002.003.windows2016.V-225030:def:1
  • Title: The setting Domain member: Digitally encrypt secure channel data (when possible) must be configured to enabled.
• oval:simp.disa.002.003.windows2016.V-225031:def:1
  • Title: The setting Domain member: Digitally sign secure channel data (when possible) must be configured to Enabled.
• oval:simp.disa.002.003.windows2016.V-225034:def:1
  • Title: Windows Server 2016 must be configured to require a strong session key.
• oval:simp.disa.002.003.windows2016.V-225039:def:1
  • Title: The setting Microsoft network client: Digitally sign communications (always) must be configured to Enabled.
• oval:simp.disa.002.003.windows2016.V-225040:def:1
  • Title: The setting Microsoft network client: Digitally sign communications (if server agrees) must be configured to Enabled.
• oval:simp.disa.002.003.windows2016.V-225042:def:1
  • Title: The setting Microsoft network server: Digitally sign communications (always) must be configured to Enabled.
• oval:simp.disa.002.003.windows2016.V-225043:def:1
  • Title: The setting Microsoft network server: Digitally sign communications (if client agrees) must be configured to Enabled.
• oval:simp.disa.002.003.windows2016.V-224945:def:1
  • Title: Local drives must be prevented from sharing with Remote Desktop Session Hosts.
• oval:simp.disa.002.003.windows2016.V-225046:def:1
  • Title: Anonymous enumeration of shares must not be allowed.
• oval:simp.disa.002.003.windows2016.V-225048:def:1
  • Title: Anonymous access to Named Pipes and Shares must be restricted.

    Windows 2019 (85/93 [91%])

• oval:simp.disa.002.003.windows2019.V-205665:def:1
  • Title: Windows Server 2019 Access this computer from the network user right must only be assigned to the Administrators, Authenticated Users, and Enterprise Domain Controllers groups on domain controllers.
• oval:simp.disa.002.003.windows2019.V-205666:def:1
  • Title: Windows Server 2019 Allow log on through Remote Desktop Services user right must only be assigned to the Administrators group on domain controllers.
• oval:simp.disa.002.003.windows2019.V-205667:def:1
  • Title: Windows Server 2019 Deny access to this computer from the network user right on domain controllers must be configured to prevent unauthenticated access.
• oval:simp.disa.002.003.windows2019.V-205668:def:1
  • Title: Windows Server 2019 Deny log on as a batch job user right on domain controllers must be configured to prevent unauthenticated access.
• oval:simp.disa.002.003.windows2019.V-205669:def:1
  • Title: Windows Server 2019 Deny log on as a service user right must be configured to include no accounts or groups (blank) on domain controllers.
• oval:simp.disa.002.003.windows2019.V-205670:def:1
  • Title: Windows Server 2019 Deny log on locally user right on domain controllers must be configured to prevent unauthenticated access.
• oval:simp.disa.002.003.windows2019.V-205671:def:1
  • Title: Windows Server 2019 “Access this computer from the network” user right must only be assigned to the Administrators and Authenticated Users groups on domain-joined member servers and standalone or nondomain-joined systems.
• oval:simp.disa.002.003.windows2019.V-205672:def:1
  • Title: Windows Server 2019 “Deny access to this computer from the network” user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and local accounts and from unauthenticated access on all systems.
• oval:simp.disa.002.003.windows2019.V-205673:def:1
  • Title: Windows Server 2019 “Deny log on as a batch job” user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and from unauthenticated access on all systems.
• oval:simp.disa.002.003.windows2019.V-205674:def:1
  • Title: Windows Server 2019 “Deny log on as a service” user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts. No other groups or accounts must be assigned this right.
• oval:simp.disa.002.003.windows2019.V-205675:def:1
  • Title: Windows Server 2019 “Deny log on locally” user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and from unauthenticated access on all systems.
• oval:simp.disa.002.003.windows2019.V-205676:def:1
  • Title: Windows Server 2019 Allow log on locally user right must only be assigned to the Administrators group.
• oval:simp.disa.002.003.windows2019.V-205769:def:1
  • Title: Windows Server 2019 must be configured to audit Account Management - Other Account Management Events successes.
• oval:simp.disa.002.003.windows2019.V-205770:def:1
  • Title: Windows Server 2019 must be configured to audit Detailed Tracking - Process Creation successes.
• oval:simp.disa.002.003.windows2019.V-205771:def:1
  • Title: Windows Server 2019 must be configured to audit Policy Change - Audit Policy Change successes.
• oval:simp.disa.002.003.windows2019.V-205772:def:1
  • Title: Windows Server 2019 must be configured to audit Policy Change - Audit Policy Change failures.
• oval:simp.disa.002.003.windows2019.V-205773:def:1
  • Title: Windows Server 2019 must be configured to audit Policy Change - Authentication Policy Change successes.
• oval:simp.disa.002.003.windows2019.V-205774:def:1
  • Title: Windows Server 2019 must be configured to audit Policy Change - Authorization Policy Change successes.
• oval:simp.disa.002.003.windows2019.V-205775:def:1
  • Title: Windows Server 2019 must be configured to audit Privilege Use - Sensitive Privilege Use successes.
• oval:simp.disa.002.003.windows2019.V-205776:def:1
  • Title: Windows Server 2019 must be configured to audit Privilege Use - Sensitive Privilege Use failures.
• oval:simp.disa.002.003.windows2019.V-205777:def:1
  • Title: Windows Server 2019 must be configured to audit System - IPsec Driver successes.
• oval:simp.disa.002.003.windows2019.V-205778:def:1
  • Title: Windows Server 2019 must be configured to audit System - IPsec Driver failures.
• oval:simp.disa.002.003.windows2019.V-205779:def:1
  • Title: Windows Server 2019 must be configured to audit System - Other System Events successes.
• oval:simp.disa.002.003.windows2019.V-205780:def:1
  • Title: Windows Server 2019 must be configured to audit System - Other System Events failures.
• oval:simp.disa.002.003.windows2019.V-205781:def:1
  • Title: Windows Server 2019 must be configured to audit System - Security State Change successes.
• oval:simp.disa.002.003.windows2019.V-205782:def:1
  • Title: Windows Server 2019 must be configured to audit System - Security System Extension successes.
• oval:simp.disa.002.003.windows2019.V-205783:def:1
  • Title: Windows Server 2019 must be configured to audit System - System Integrity successes.
• oval:simp.disa.002.003.windows2019.V-205784:def:1
  • Title: Windows Server 2019 must be configured to audit System - System Integrity failures.
• oval:simp.disa.002.003.windows2019.V-205791:def:1
  • Title: Windows Server 2019 must be configured to audit DS Access - Directory Service Access successes.
• oval:simp.disa.002.003.windows2019.V-205792:def:1
  • Title: Windows Server 2019 must be configured to audit DS Access - Directory Service Access failures.
• oval:simp.disa.002.003.windows2019.V-205793:def:1
  • Title: Windows Server 2019 must be configured to audit DS Access - Directory Service Changes successes.
• oval:simp.disa.002.003.windows2019.V-205794:def:1
  • Title: Windows Server 2019 must be configured to audit DS Access - Directory Service Changes failures.
• oval:simp.disa.002.003.windows2019.V-205744:def:1
  • Title: Windows Server 2019 Add workstations to domain user right must only be assigned to the Administrators group on domain controllers.
• oval:simp.disa.002.003.windows2019.V-205745:def:1
  • Title: Windows Server 2019 Enable computer and user accounts to be trusted for delegation user right must only be assigned to the Administrators group on domain controllers.
• oval:simp.disa.002.003.windows2019.V-205747:def:1
  • Title: Windows Server 2019 must restrict remote calls to the Security Account Manager (SAM) to Administrators on domain-joined member servers and standalone or nondomain-joined systems.
• oval:simp.disa.002.003.windows2019.V-205748:def:1
  • Title: Windows Server 2019 “Enable computer and user accounts to be trusted for delegation” user right must not be assigned to any groups or accounts on domain-joined member servers and standalone or nondomain-joined systems.
• oval:simp.disa.002.003.windows2019.V-205749:def:1
  • Title: Windows Server 2019 Access Credential Manager as a trusted caller user right must not be assigned to any groups or accounts.
• oval:simp.disa.002.003.windows2019.V-205750:def:1
  • Title: Windows Server 2019 Act as part of the operating system user right must not be assigned to any groups or accounts.
• oval:simp.disa.002.003.windows2019.V-205751:def:1
  • Title: Windows Server 2019 Back up files and directories user right must only be assigned to the Administrators group.
• oval:simp.disa.002.003.windows2019.V-205752:def:1
  • Title: Windows Server 2019 Create a pagefile user right must only be assigned to the Administrators group.
• oval:simp.disa.002.003.windows2019.V-205753:def:1
  • Title: Windows Server 2019 Create a token object user right must not be assigned to any groups or accounts.
• oval:simp.disa.002.003.windows2019.V-205754:def:1
  • Title: Windows Server 2019 Create global objects user right must only be assigned to Administrators, Service, Local Service, and Network Service.
• oval:simp.disa.002.003.windows2019.V-205755:def:1
  • Title: Windows Server 2019 Create permanent shared objects user right must not be assigned to any groups or accounts.
• oval:simp.disa.002.003.windows2019.V-205756:def:1
  • Title: Windows Server 2019 Create symbolic links user right must only be assigned to the Administrators group.
• oval:simp.disa.002.003.windows2019.V-205757:def:1
  • Title: Windows Server 2019 Debug programs: user right must only be assigned to the Administrators group.
• oval:simp.disa.002.003.windows2019.V-205758:def:1
  • Title: Windows Server 2019 Force shutdown from a remote system user right must only be assigned to the Administrators group.
• oval:simp.disa.002.003.windows2019.V-205759:def:1
  • Title: Windows Server 2019 Generate security audits user right must only be assigned to Local Service and Network Service.
• oval:simp.disa.002.003.windows2019.V-205760:def:1
  • Title: Windows Server 2019 Impersonate a client after authentication user right must only be assigned to Administrators, Service, Local Service, and Network Service.
• oval:simp.disa.002.003.windows2019.V-205761:def:1
  • Title: Windows Server 2019 Increase scheduling priority: user right must only be assigned to the Administrators group.
• oval:simp.disa.002.003.windows2019.V-205762:def:1
  • Title: Windows Server 2019 Load and unload device drivers user right must only be assigned to the Administrators group.
• oval:simp.disa.002.003.windows2019.V-205763:def:1
  • Title: Windows Server 2019 Lock pages in memory user right must not be assigned to any groups or accounts.
• oval:simp.disa.002.003.windows2019.V-205764:def:1
  • Title: Windows Server 2019 Modify firmware environment values user right must only be assigned to the Administrators group.
• oval:simp.disa.002.003.windows2019.V-205765:def:1
  • Title: Windows Server 2019 Perform volume maintenance tasks user right must only be assigned to the Administrators group.
• oval:simp.disa.002.003.windows2019.V-205766:def:1
  • Title: Windows Server 2019 Profile single process user right must only be assigned to the Administrators group.
• oval:simp.disa.002.003.windows2019.V-205767:def:1
  • Title: Windows Server 2019 Restore files and directories user right must only be assigned to the Administrators group.
• oval:simp.disa.002.003.windows2019.V-205768:def:1
  • Title: Windows Server 2019 Take ownership of files or other objects user right must only be assigned to the Administrators group.
• oval:simp.disa.002.003.windows2019.V-205633:def:1
  • Title: Windows Server 2019 machine inactivity limit must be set to 15 minutes or less, locking the system with the screen saver.
• oval:simp.disa.002.003.windows2019.V-205634:def:1
  • Title: Windows Server 2019 must be configured to audit logon successes.
• oval:simp.disa.002.003.windows2019.V-205635:def:1
  • Title: Windows Server 2019 must be configured to audit logon failures.
• oval:simp.disa.002.003.windows2019.V-205732:def:1
  • Title: Windows Server 2019 Deny log on through Remote Desktop Services user right on domain controllers must be configured to prevent unauthenticated access.
• oval:simp.disa.002.003.windows2019.V-205733:def:1
  • Title: Windows Server 2019 “Deny log on through Remote Desktop Services” user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and all local accounts and from unauthenticated access on all systems.
• oval:simp.disa.002.003.windows2019.V-205636:def:1
  • Title: Windows Server 2019 Remote Desktop Services must require secure Remote Procedure Call (RPC) communications.
• oval:simp.disa.002.003.windows2019.V-205637:def:1
  • Title: Windows Server 2019 Remote Desktop Services must be configured with the client connection encryption set to High Level.
• oval:simp.disa.002.003.windows2019.V-205638:def:1
  • Title: Windows Server 2019 command line data must be included in process creation events.
• oval:simp.disa.002.003.windows2019.V-205639:def:1
  • Title: Windows Server 2019 PowerShell script block logging must be enabled.
• oval:simp.disa.002.003.windows2019.V-205640:def:1
  • Title: Windows Server 2019 permissions for the Application event log must prevent access by non-privileged accounts.
• oval:simp.disa.002.003.windows2019.V-205641:def:1
  • Title: Windows Server 2019 permissions for the Security event log must prevent access by non-privileged accounts.
• oval:simp.disa.002.003.windows2019.V-205642:def:1
  • Title: Windows Server 2019 permissions for the System event log must prevent access by non-privileged accounts.
• oval:simp.disa.002.003.windows2019.V-205643:def:1
  • Title: Windows Server 2019 Manage auditing and security log user right must only be assigned to the Administrators group.
• oval:simp.disa.002.003.windows2019.V-205731:def:1
  • Title: Windows Server 2019 Event Viewer must be protected from unauthorized modification and deletion.
• oval:simp.disa.002.003.windows2019.V-205804:def:1
  • Title: Windows Server 2019 Autoplay must be turned off for non-volume devices.
• oval:simp.disa.002.003.windows2019.V-205805:def:1
  • Title: Windows Server 2019 default AutoRun behavior must be configured to prevent AutoRun commands.
• oval:simp.disa.002.003.windows2019.V-205806:def:1
  • Title: Windows Server 2019 AutoPlay must be disabled for all drives.
• oval:simp.disa.002.003.windows2019.V-205820:def:1
  • Title: Windows Server 2019 domain controllers must require LDAP access signing.
• oval:simp.disa.002.003.windows2019.V-205821:def:1
  • Title: Windows Server 2019 setting Domain member: Digitally encrypt or sign secure channel data (always) must be configured to Enabled.
• oval:simp.disa.002.003.windows2019.V-205822:def:1
  • Title: Windows Server 2019 setting Domain member: Digitally encrypt secure channel data (when possible) must be configured to enabled.
• oval:simp.disa.002.003.windows2019.V-205823:def:1
  • Title: Windows Server 2019 setting Domain member: Digitally sign secure channel data (when possible) must be configured to Enabled.
• oval:simp.disa.002.003.windows2019.V-205824:def:1
  • Title: Windows Server 2019 must be configured to require a strong session key.
• oval:simp.disa.002.003.windows2019.V-205825:def:1
  • Title: Windows Server 2019 setting Microsoft network client: Digitally sign communications (always) must be configured to Enabled.
• oval:simp.disa.002.003.windows2019.V-205826:def:1
  • Title: Windows Server 2019 setting Microsoft network client: Digitally sign communications (if server agrees) must be configured to Enabled.
• oval:simp.disa.002.003.windows2019.V-205827:def:1
  • Title: Windows Server 2019 setting Microsoft network server: Digitally sign communications (always) must be configured to Enabled.
• oval:simp.disa.002.003.windows2019.V-205828:def:1
  • Title: Windows Server 2019 setting Microsoft network server: Digitally sign communications (if client agrees) must be configured to Enabled.
• oval:simp.disa.002.003.windows2019.V-205722:def:1
  • Title: Windows Server 2019 Remote Desktop Services must prevent drive redirection.
• oval:simp.disa.002.003.windows2019.V-205724:def:1
  • Title: Windows Server 2019 must not allow anonymous enumeration of shares.
• oval:simp.disa.002.003.windows2019.V-205725:def:1
  • Title: Windows Server 2019 must restrict anonymous access to Named Pipes and Shares.

    Windows 2022 (86/94 [91%])

• oval:simp.disa.001.001.windows2022.V-254418:def:1
  • Title: Windows Server 2022 Access this computer from the network user right must only be assigned to the Administrators, Authenticated Users, and Enterprise Domain Controllers groups on domain controllers.
• oval:simp.disa.001.001.windows2022.V-254420:def:1
  • Title: Windows Server 2022 Allow log on through Remote Desktop Services user right must only be assigned to the Administrators group on domain controllers.
• oval:simp.disa.001.001.windows2022.V-254421:def:1
  • Title: Windows Server 2022 Deny access to this computer from the network user right on domain controllers must be configured to prevent unauthenticated access.
• oval:simp.disa.001.001.windows2022.V-254422:def:1
  • Title: Windows Server 2022 Deny log on as a batch job user right on domain controllers must be configured to prevent unauthenticated access.
• oval:simp.disa.001.001.windows2022.V-254423:def:1
  • Title: Windows Server 2022 Deny log on as a service user right must be configured to include no accounts or groups (blank) on domain controllers.
• oval:simp.disa.001.001.windows2022.V-254424:def:1
  • Title: Windows Server 2022 Deny log on locally user right on domain controllers must be configured to prevent unauthenticated access.
• oval:simp.disa.001.001.windows2022.V-254434:def:1
  • Title: Windows Server 2022 Access this computer from the network user right must only be assigned to the Administrators and Authenticated Users groups on domain-joined member servers and standalone or nondomain-joined systems.
• oval:simp.disa.001.001.windows2022.V-254435:def:1
  • Title: Windows Server 2022 Deny access to this computer from the network user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and local accounts and from unauthenticated access on all systems.
• oval:simp.disa.001.001.windows2022.V-254436:def:1
  • Title: Windows Server 2022 Deny log on as a batch job user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and from unauthenticated access on all systems.
• oval:simp.disa.001.001.windows2022.V-254437:def:1
  • Title: Windows Server 2022 Deny log on as a service user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts. No other groups or accounts must be assigned this right.
• oval:simp.disa.001.001.windows2022.V-254438:def:1
  • Title: Windows Server 2022 Deny log on locally user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and from unauthenticated access on all systems.
• oval:simp.disa.001.001.windows2022.V-254493:def:1
  • Title: Windows Server 2022 Allow log on locally user right must only be assigned to the Administrators group.
• oval:simp.disa.001.001.windows2022.V-254302:def:1
  • Title: Windows Server 2022 must be configured to audit Account Management - Other Account Management Events successes.
• oval:simp.disa.001.001.windows2022.V-254307:def:1
  • Title: Windows Server 2022 must be configured to audit Detailed Tracking - Process Creation successes.
• oval:simp.disa.001.001.windows2022.V-254319:def:1
  • Title: Windows Server 2022 must be configured to audit Policy Change - Audit Policy Change successes.
• oval:simp.disa.001.001.windows2022.V-254320:def:1
  • Title: Windows Server 2022 must be configured to audit Policy Change - Audit Policy Change failures.
• oval:simp.disa.001.001.windows2022.V-254321:def:1
  • Title: Windows Server 2022 must be configured to audit Policy Change - Authentication Policy Change successes.
• oval:simp.disa.001.001.windows2022.V-254322:def:1
  • Title: Windows Server 2022 must be configured to audit Policy Change - Authorization Policy Change successes.
• oval:simp.disa.001.001.windows2022.V-254323:def:1
  • Title: Windows Server 2022 must be configured to audit Privilege Use - Sensitive Privilege Use successes.
• oval:simp.disa.001.001.windows2022.V-254324:def:1
  • Title: Windows Server 2022 must be configured to audit Privilege Use - Sensitive Privilege Use failures.
• oval:simp.disa.001.001.windows2022.V-254325:def:1
  • Title: Windows Server 2022 must be configured to audit System - IPsec Driver successes.
• oval:simp.disa.001.001.windows2022.V-254326:def:1
  • Title: Windows Server 2022 must be configured to audit System - IPsec Driver failures.
• oval:simp.disa.001.001.windows2022.V-254327:def:1
  • Title: Windows Server 2022 must be configured to audit System - Other System Events successes.
• oval:simp.disa.001.001.windows2022.V-254328:def:1
  • Title: Windows Server 2022 must be configured to audit System - Other System Events failures.
• oval:simp.disa.001.001.windows2022.V-254329:def:1
  • Title: Windows Server 2022 must be configured to audit System - Security State Change successes.
• oval:simp.disa.001.001.windows2022.V-254330:def:1
  • Title: Windows Server 2022 must be configured to audit System - Security System Extension successes.
• oval:simp.disa.001.001.windows2022.V-254331:def:1
  • Title: Windows Server 2022 must be configured to audit System - System Integrity successes.
• oval:simp.disa.001.001.windows2022.V-254332:def:1
  • Title: Windows Server 2022 must be configured to audit System - System Integrity failures.
• oval:simp.disa.001.001.windows2022.V-254408:def:1
  • Title: Windows Server 2022 must be configured to audit DS Access - Directory Service Access successes.
• oval:simp.disa.001.001.windows2022.V-254409:def:1
  • Title: Windows Server 2022 must be configured to audit DS Access - Directory Service Access failures.
• oval:simp.disa.001.001.windows2022.V-254410:def:1
  • Title: Windows Server 2022 must be configured to audit DS Access - Directory Service Changes successes.
• oval:simp.disa.001.001.windows2022.V-254411:def:1
  • Title: Windows Server 2022 must be configured to audit DS Access - Directory Service Changes failures.
• oval:simp.disa.001.001.windows2022.V-254419:def:1
  • Title: Windows Server 2022 Add workstations to domain user right must only be assigned to the Administrators group on domain controllers.
• oval:simp.disa.001.001.windows2022.V-254426:def:1
  • Title: Windows Server 2022 Enable computer and user accounts to be trusted for delegation user right must only be assigned to the Administrators group on domain controllers.
• oval:simp.disa.001.001.windows2022.V-254433:def:1
  • Title: Windows Server 2022 must restrict remote calls to the Security Account Manager (SAM) to Administrators on domain-joined member servers and standalone or nondomain-joined systems.
• oval:simp.disa.001.001.windows2022.V-254440:def:1
  • Title: Windows Server 2022 Enable computer and user accounts to be trusted for delegation user right must not be assigned to any groups or accounts on domain-joined member servers and standalone or nondomain-joined systems.
• oval:simp.disa.001.001.windows2022.V-254491:def:1
  • Title: Windows Server 2022 Access Credential Manager as a trusted caller user right must not be assigned to any groups or accounts.
• oval:simp.disa.001.001.windows2022.V-254492:def:1
  • Title: Windows Server 2022 Act as part of the operating system user right must not be assigned to any groups or accounts.
• oval:simp.disa.001.001.windows2022.V-254494:def:1
  • Title: Windows Server 2022 back up files and directories user right must only be assigned to the Administrators group.
• oval:simp.disa.001.001.windows2022.V-254495:def:1
  • Title: Windows Server 2022 create a pagefile user right must only be assigned to the Administrators group.
• oval:simp.disa.001.001.windows2022.V-254496:def:1
  • Title: Windows Server 2022 create a token object user right must not be assigned to any groups or accounts.
• oval:simp.disa.001.001.windows2022.V-254497:def:1
  • Title: Windows Server 2022 create global objects user right must only be assigned to Administrators, Service, Local Service, and Network Service.
• oval:simp.disa.001.001.windows2022.V-254498:def:1
  • Title: Windows Server 2022 create permanent shared objects user right must not be assigned to any groups or accounts.
• oval:simp.disa.001.001.windows2022.V-254499:def:1
  • Title: Windows Server 2022 create symbolic links user right must only be assigned to the Administrators group.
• oval:simp.disa.001.001.windows2022.V-254500:def:1
  • Title: Windows Server 2022 debug programs user right must only be assigned to the Administrators group.
• oval:simp.disa.001.001.windows2022.V-254501:def:1
  • Title: Windows Server 2022 force shutdown from a remote system user right must only be assigned to the Administrators group.
• oval:simp.disa.001.001.windows2022.V-254502:def:1
  • Title: Windows Server 2022 generate security audits user right must only be assigned to Local Service and Network Service.
• oval:simp.disa.001.001.windows2022.V-254503:def:1
  • Title: Windows Server 2022 impersonate a client after authentication user right must only be assigned to Administrators, Service, Local Service, and Network Service.
• oval:simp.disa.001.001.windows2022.V-254504:def:1
  • Title: Windows Server 2022 increase scheduling priority: user right must only be assigned to the Administrators group.
• oval:simp.disa.001.001.windows2022.V-254505:def:1
  • Title: Windows Server 2022 load and unload device drivers user right must only be assigned to the Administrators group.
• oval:simp.disa.001.001.windows2022.V-254506:def:1
  • Title: Windows Server 2022 lock pages in memory user right must not be assigned to any groups or accounts.
• oval:simp.disa.001.001.windows2022.V-254508:def:1
  • Title: Windows Server 2022 modify firmware environment values user right must only be assigned to the Administrators group.
• oval:simp.disa.001.001.windows2022.V-254509:def:1
  • Title: Windows Server 2022 perform volume maintenance tasks user right must only be assigned to the Administrators group.
• oval:simp.disa.001.001.windows2022.V-254510:def:1
  • Title: Windows Server 2022 profile single process user right must only be assigned to the Administrators group.
• oval:simp.disa.001.001.windows2022.V-254511:def:1
  • Title: Windows Server 2022 restore files and directories user right must only be assigned to the Administrators group.
• oval:simp.disa.001.001.windows2022.V-254512:def:1
  • Title: Windows Server 2022 take ownership of files or other objects user right must only be assigned to the Administrators group.
• oval:simp.disa.001.001.windows2022.V-254456:def:1
  • Title: Windows Server 2022 machine inactivity limit must be set to 15 minutes or less, locking the system with the screen saver.
• oval:simp.disa.001.001.windows2022.V-254312:def:1
  • Title: Windows Server 2022 must be configured to audit logon successes.
• oval:simp.disa.001.001.windows2022.V-254313:def:1
  • Title: Windows Server 2022 must be configured to audit logon failures.
• oval:simp.disa.001.001.windows2022.V-254425:def:1
  • Title: Windows Server 2022 Deny log on through Remote Desktop Services user right on domain controllers must be configured to prevent unauthenticated access.
• oval:simp.disa.001.001.windows2022.V-254439:def:1
  • Title: Windows Server 2022 Deny log on through Remote Desktop Services user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and all local accounts and from unauthenticated access on all systems.
• oval:simp.disa.001.001.windows2022.V-254368:def:1
  • Title: Windows Server 2022 Remote Desktop Services must require secure Remote Procedure Call (RPC) communications.
• oval:simp.disa.001.001.windows2022.V-254369:def:1
  • Title: Windows Server 2022 Remote Desktop Services must be configured with the client connection encryption set to High Level.
• oval:simp.disa.001.001.windows2022.V-254384:def:1
  • Title: Windows Server 2022 must have PowerShell Transcription enabled.
• oval:simp.disa.001.001.windows2022.V-254341:def:1
  • Title: Windows Server 2022 command line data must be included in process creation events.
• oval:simp.disa.001.001.windows2022.V-254377:def:1
  • Title: Windows Server 2022 PowerShell script block logging must be enabled.
• oval:simp.disa.001.001.windows2022.V-254296:def:1
  • Title: Windows Server 2022 permissions for the Application event log must prevent access by nonprivileged accounts.
• oval:simp.disa.001.001.windows2022.V-254297:def:1
  • Title: Windows Server 2022 permissions for the Security event log must prevent access by nonprivileged accounts.
• oval:simp.disa.001.001.windows2022.V-254298:def:1
  • Title: Windows Server 2022 permissions for the System event log must prevent access by nonprivileged accounts.
• oval:simp.disa.001.001.windows2022.V-254299:def:1
  • Title: Windows Server 2022 Event Viewer must be protected from unauthorized modification and deletion.
• oval:simp.disa.001.001.windows2022.V-254507:def:1
  • Title: Windows Server 2022 manage auditing and security log user right must only be assigned to the Administrators group.
• oval:simp.disa.001.001.windows2022.V-254352:def:1
  • Title: Windows Server 2022 Autoplay must be turned off for nonvolume devices.
• oval:simp.disa.001.001.windows2022.V-254353:def:1
  • Title: Windows Server 2022 default AutoRun behavior must be configured to prevent AutoRun commands.
• oval:simp.disa.001.001.windows2022.V-254354:def:1
  • Title: Windows Server 2022 AutoPlay must be disabled for all drives.
• oval:simp.disa.001.001.windows2022.V-254416:def:1
  • Title: Windows Server 2022 domain controllers must require LDAP access signing.
• oval:simp.disa.001.001.windows2022.V-254450:def:1
  • Title: Windows Server 2022 setting Domain member: Digitally encrypt or sign secure channel data (always) must be configured to Enabled.
• oval:simp.disa.001.001.windows2022.V-254451:def:1
  • Title: Windows Server 2022 setting Domain member: Digitally encrypt secure channel data (when possible) must be configured to Enabled.
• oval:simp.disa.001.001.windows2022.V-254452:def:1
  • Title: Windows Server 2022 setting Domain member: Digitally sign secure channel data (when possible) must be configured to Enabled.
• oval:simp.disa.001.001.windows2022.V-254455:def:1
  • Title: Windows Server 2022 must be configured to require a strong session key.
• oval:simp.disa.001.001.windows2022.V-254460:def:1
  • Title: Windows Server 2022 setting Microsoft network client: Digitally sign communications (always) must be configured to Enabled.
• oval:simp.disa.001.001.windows2022.V-254461:def:1
  • Title: Windows Server 2022 setting Microsoft network client: Digitally sign communications (if server agrees) must be configured to Enabled.
• oval:simp.disa.001.001.windows2022.V-254463:def:1
  • Title: Windows Server 2022 setting Microsoft network server: Digitally sign communications (always) must be configured to Enabled.
• oval:simp.disa.001.001.windows2022.V-254464:def:1
  • Title: Windows Server 2022 setting Microsoft network server: Digitally sign communications (if client agrees) must be configured to Enabled.
• oval:simp.disa.001.001.windows2022.V-254366:def:1
  • Title: Windows Server 2022 Remote Desktop Services must prevent drive redirection.
• oval:simp.disa.001.001.windows2022.V-254467:def:1
  • Title: Windows Server 2022 must not allow anonymous enumeration of shares.
• oval:simp.disa.001.001.windows2022.V-254469:def:1
  • Title: Windows Server 2022 must restrict anonymous access to Named Pipes and Shares.