Coverage - DISA, Windows
Current revisions
Operating System |
Source Benchmark version |
Windows 11 |
V2 R3 |
Windows 2016 |
V2 R6 |
Windows 2019 |
V3 R1 |
Windows 2022 |
V2 R1 |
Windows Coverage Report for DISA STIG
The following report details the status of each STIG Rule in the SIMP EE compliance data.
Mapped
controls have enforcement and reporting support.
Unmapped
controls are not supported at this time. A reason for the lack of support is provided for each unmapped control.
Paper policy
controls refer to organizational policy requirements and cannot be reasonably enforced by SIMP at this time.
Summary
Detail
Unmapped Controls
The following controls are not mapped:
Windows 11 (9/210 [4%])
- V-253254
- Title: Domain-joined systems must use Windows 11 Enterprise Edition 64-bit version.
- NOTE: The product cannot control which architecture is being used.
- V-253259
- Title: Windows 11 information systems must use BitLocker to encrypt all disks to protect the confidentiality and integrity of all information at rest.
- NOTE: The product cannot enable BitLocker without a compatible TPM or user-specified password.
- V-253263
- Title: Windows 11 systems must be maintained at a supported servicing level.
- NOTE: The product will not automatically update windows versions, this could have far-reaching consequences for customers.
- V-253265
- Title: Local volumes must be formatted using NTFS.
- NOTE: The product will not automatically format customer’s drives, this could cause massive data loss.
- V-253427
- Title: The DoD Root CA certificates must be installed in the Trusted Root Store.
- NOTE: Requires a module to manage the Windows certificate store.
- V-253428
- Title: The External Root CA certificates must be installed in the Trusted Root Store on unclassified systems.
- NOTE: Requires a module to manage the Windows certificate store.
- V-253429
- Title: The DoD Interoperability Root CA cross-certificates must be installed in the Untrusted Certificates Store on unclassified systems.
- NOTE: Requires a module to manage the Windows certificate store.
- V-253430
- Title: The US DoD CCEB Interoperability Root CA cross-certificates must be installed in the Untrusted Certificates Store on unclassified systems.
- NOTE: Requires a module to manage the Windows certificate store.
- V-253470
- Title: Windows 11 must use multifactor authentication for local and network access to privileged and nonprivileged accounts.
- NOTE: The way in which multifactor authentication will be set up will vary between different organizations, the product cannot infer how this will be done.
Windows 2016 (12/201 [5%])
- V-224828
- Title: Systems must be maintained at a supported servicing level.
- NOTE: The product will not automatically apply updates to existing systems to avoid potential issues from updating without testing.
- V-224831
- Title: Local volumes must use a format that supports NTFS attributes.
- NOTE: The product will not automatically reformat disks.
- V-224965
- Title: Kerberos user logon restrictions must be enforced.
- NOTE: Requires a module to manage Group Policy.
- V-224966
- Title: The Kerberos service ticket maximum lifetime must be limited to 600 minutes or less.
- NOTE: Requires a module to manage Group Policy.
- V-224967
- Title: The Kerberos user ticket lifetime must be limited to 10 hours or less.
- NOTE: Requires a module to manage Group Policy.
- V-224968
- Title: The Kerberos policy user ticket renewal maximum lifetime must be limited to seven days or less.
- NOTE: Requires a module to manage Group Policy.
- V-224969
- Title: The computer clock synchronization tolerance must be limited to 5 minutes or less.
- NOTE: Requires a module to manage Group Policy.
- V-224970
- Title: Permissions on the Active Directory data files must only allow System and Administrators access.
- NOTE: Discussing the best approach to enforcement.
- V-225021
- Title: The DoD Root CA certificates must be installed in the Trusted Root Store.
- NOTE: Requires a module to manage the Windows certificate store.
- V-225022
- Title: The DoD Interoperability Root CA cross-certificates must be installed in the Untrusted Certificates Store on unclassified systems.
- NOTE: Requires a module to manage the Windows certificate store.
- V-225023
- Title: The US DoD CCEB Interoperability Root CA cross-certificates must be installed in the Untrusted Certificates Store on unclassified systems.
- NOTE: Requires a module to manage the Windows certificate store.
- V-225059
- Title: Windows Server 2016 must be configured to use FIPS-compliant algorithms for encryption, hashing, and signing.
- NOTE: Lower priority: this is not a requirement for most customers.
Windows 2019 (12/203 [5%])
- V-205648
- Title: Windows Server 2019 must have the DoD Root Certificate Authority (CA) certificates installed in the Trusted Root Store.
- NOTE: Requires a module to manage the Windows certificate store.
- V-205649
- Title: Windows Server 2019 must have the DoD Interoperability Root Certificate Authority (CA) cross-certificates installed in the Untrusted Certificates Store on unclassified systems.
- NOTE: Requires a module to manage the Windows certificate store.
- V-205650
- Title: Windows Server 2019 must have the US DoD CCEB Interoperability Root CA cross-certificates in the Untrusted Certificates Store on unclassified systems.
- NOTE: Requires a module to manage the Windows certificate store.
- V-205663
- Title: Windows Server 2019 local volumes must use a format that supports NTFS attributes.
- NOTE: The product will not automatically reformat disks.
- V-205702
- Title: Windows Server 2019 Kerberos user logon restrictions must be enforced.
- NOTE: Requires a module to manage Group Policy.
- V-205703
- Title: Windows Server 2019 Kerberos service ticket maximum lifetime must be limited to 600 minutes or less.
- NOTE: Requires a module to manage Group Policy.
- V-205704
- Title: Windows Server 2019 Kerberos user ticket lifetime must be limited to 10 hours or less.
- NOTE: Requires a module to manage Group Policy.
- V-205705
- Title: Windows Server 2019 Kerberos policy user ticket renewal maximum lifetime must be limited to seven days or less.
- NOTE: Requires a module to manage Group Policy.
- V-205706
- Title: Windows Server 2019 computer clock synchronization tolerance must be limited to five minutes or less.
- NOTE: Requires a module to manage Group Policy.
- V-205739
- Title: Windows Server 2019 permissions on the Active Directory data files must only allow System and Administrators access.
- NOTE: Discussing the best approach to enforcement.
- V-205842
- Title: Windows Server 2019 must be configured to use FIPS-compliant algorithms for encryption, hashing, and signing.
- NOTE: Lower priority: this is not a requirement for most customers.
- V-205849
- Title: Windows Server 2019 must be maintained at a supported servicing level.
- NOTE: The product will not automatically apply updates to existing systems to avoid potential issues from updating without testing.
Windows 2022 (12/204 [5%])
- V-254247
- Title: Windows Server 2022 must be maintained at a supported servicing level.
- NOTE: The product will not automatically apply updates to existing systems to avoid potential issues from updating without testing.
- V-254250
- Title: Windows Server 2022 local volumes must use a format that supports NTFS attributes.
- NOTE: The product will not automatically reformat disks.
- V-254386
- Title: Windows Server 2022 Kerberos user logon restrictions must be enforced.
- NOTE: Requires a module to manage Group Policy.
- V-254387
- Title: Windows Server 2022 Kerberos service ticket maximum lifetime must be limited to 600 minutes or less.
- NOTE: Requires a module to manage Group Policy.
- V-254388
- Title: Windows Server 2022 Kerberos user ticket lifetime must be limited to 10 hours or less.
- NOTE: Requires a module to manage Group Policy.
- V-254389
- Title: Windows Server 2022 Kerberos policy user ticket renewal maximum lifetime must be limited to seven days or less.
- NOTE: Requires a module to manage Group Policy.
- V-254390
- Title: Windows Server 2022 computer clock synchronization tolerance must be limited to five minutes or less.
- NOTE: Requires a module to manage Group Policy.
- V-254391
- Title: Windows Server 2022 permissions on the Active Directory data files must only allow System and Administrators access.
- NOTE: Discussing the best approach to enforcement.
- V-254442
- Title: Windows Server 2022 must have the DoD Root Certificate Authority (CA) certificates installed in the Trusted Root Store.
- NOTE: Requires a module to manage the Windows certificate store.
- V-254443
- Title: Windows Server 2022 must have the DoD Interoperability Root Certificate Authority (CA) cross-certificates installed in the Untrusted Certificates Store on unclassified systems.
- NOTE: Requires a module to manage the Windows certificate store.
- V-254444
- Title: Windows Server 2022 must have the US DoD CCEB Interoperability Root CA cross-certificates in the Untrusted Certificates Store on unclassified systems.
- NOTE: Requires a module to manage the Windows certificate store.
- V-254480
- Title: Windows Server 2022 must be configured to use FIPS-compliant algorithms for encryption, hashing, and signing.
- NOTE: Lower priority: this is not a requirement for most customers.
Paper Policy
The following controls require administrative documentation:
Mapped
The following controls are mapped:
Windows 11 (201/210 [95%])
- V-253260
- Title: Windows 11 systems must use a BitLocker PIN for pre-boot authentication.
- V-253261
- Title: Windows 11 systems must use a BitLocker PIN with a minimum length of six digits for pre-boot authentication.
- V-253275
- Title: Internet Information System (IIS) or its subcomponents must not be installed on a workstation.
- V-253277
- Title: Simple TCP/IP Services must not be installed on the system.
- V-253278
- Title: The Telnet Client must not be installed on the system.
- V-253279
- Title: The TFTP Client must not be installed on the system.
- V-253283
- Title: Data Execution Prevention (DEP) must be configured to at least OptOut.
- NOTE: For the changes made from this rule to take effect, a reboot is required.
- V-253284
- Title: Structured Exception Handling Overwrite Protection (SEHOP) must be enabled.
- V-253285
- Title: The Windows PowerShell 2.0 feature must be disabled on the system.
- V-253286
- Title: The Server Message Block (SMB) v1 protocol must be disabled on the system.
- V-253287
- Title: The Server Message Block (SMB) v1 protocol must be disabled on the SMB server.
- V-253288
- Title: The Server Message Block (SMB) v1 protocol must be disabled on the SMB client.
- V-253289
- Title: The Secondary Logon service must be disabled on Windows 11.
- V-253297
- Title: Windows 11 account lockout duration must be configured to 15 minutes or greater.
- V-253298
- Title: The number of allowed bad logon attempts must be configured to three or less.
- V-253299
- Title: The period of time before the bad logon counter is reset must be configured to 15 minutes.
- V-253300
- Title: The password history must be configured to 24 passwords remembered.
- V-253301
- Title: The maximum password age must be configured to 60 days or less.
- V-253302
- Title: The minimum password age must be configured to at least 1 day.
- V-253303
- Title: Passwords must, at a minimum, be 14 characters.
- V-253304
- Title: The built-in Microsoft password complexity filter must be enabled.
- V-253305
- Title: Reversible password encryption must be disabled.
- V-253306
- Title: The system must be configured to audit Account Logon - Credential Validation failures.
- V-253307
- Title: The system must be configured to audit Account Logon - Credential Validation successes.
- V-253308
- Title: The system must be configured to audit Account Management - Security Group Management successes.
- V-253309
- Title: The system must be configured to audit Account Management - User Account Management failures.
- V-253310
- Title: The system must be configured to audit Account Management - User Account Management successes.
- V-253312
- Title: The system must be configured to audit Detailed Tracking - Process Creation successes.
- V-253313
- Title: The system must be configured to audit Logon/Logoff - Account Lockout failures.
- V-253315
- Title: The system must be configured to audit Logon/Logoff - Logoff successes.
- V-253316
- Title: The system must be configured to audit Logon/Logoff - Logon failures.
- V-253317
- Title: The system must be configured to audit Logon/Logoff - Logon successes.
- V-253318
- Title: The system must be configured to audit Logon/Logoff - Special Logon successes.
- V-253319
- Title: Windows 11 must be configured to audit Object Access - File Share failures.
- V-253320
- Title: Windows 11 must be configured to audit Object Access - File Share successes.
- V-253321
- Title: Windows 11 must be configured to audit Object Access - Other Object Access Events successes.
- V-253322
- Title: Windows 11 must be configured to audit Object Access - Other Object Access Events failures.
- V-253325
- Title: The system must be configured to audit Policy Change - Audit Policy Change successes.
- V-253326
- Title: The system must be configured to audit Policy Change - Authentication Policy Change successes.
- V-253327
- Title: The system must be configured to audit Policy Change - Authorization Policy Change successes.
- V-253328
- Title: The system must be configured to audit Privilege Use - Sensitive Privilege Use failures.
- V-253329
- Title: The system must be configured to audit Privilege Use - Sensitive Privilege Use successes.
- V-253330
- Title: The system must be configured to audit System - IPsec Driver failures.
- V-253331
- Title: The system must be configured to audit System - Other System Events successes.
- V-253332
- Title: The system must be configured to audit System - Other System Events failures.
- V-253333
- Title: The system must be configured to audit System - Security State Change successes.
- V-253334
- Title: The system must be configured to audit System - Security System Extension successes.
- V-253335
- Title: The system must be configured to audit System - System Integrity failures.
- V-253336
- Title: The system must be configured to audit System - System Integrity successes.
- V-253337
- Title: The Application event log size must be configured to 32768 KB or greater.
- V-253338
- Title: The Security event log size must be configured to 1024000 KB or greater.
- V-253339
- Title: The System event log size must be configured to 32768 KB or greater.
- V-253340
- Title: Windows 11 permissions for the Application event log must prevent access by non-privileged accounts.
- V-253341
- Title: Windows 11 permissions for the Security event log must prevent access by non-privileged accounts.
- V-253342
- Title: Windows 11 permissions for the System event log must prevent access by non-privileged accounts.
- V-253343
- Title: Windows 11 must be configured to audit Other Policy Change Events Successes.
- V-253344
- Title: Windows 11 must be configured to audit Other Policy Change Events Failures.
- V-253345
- Title: Windows 11 must be configured to audit other Logon/Logoff Events Successes.
- V-253346
- Title: Windows 11 must be configured to audit other Logon/Logoff Events Failures.
- V-253347
- Title: Windows 11 must be configured to audit Detailed File Share Failures.
- V-253348
- Title: Windows 11 must be configured to audit MPSSVC Rule-Level Policy Change Successes.
- V-253349
- Title: Windows 11 must be configured to audit MPSSVC Rule-Level Policy Change Failures.
- V-253352
- Title: The display of slide shows on the lock screen must be disabled.
- V-253353
- Title: IPv6 source routing must be configured to highest protection.
- V-253354
- Title: The system must be configured to prevent IP source routing.
- V-253355
- Title: The system must be configured to prevent Internet Control Message Protocol (ICMP) redirects from overriding Open Shortest Path First (OSPF) generated routes.
- V-253356
- Title: The system must be configured to ignore NetBIOS name release requests except from WINS servers.
- V-253357
- Title: Local administrator accounts must have their privileged token filtered to prevent elevated privileges from being used over the network on domain systems.
- V-253358
- Title: WDigest Authentication must be disabled.
- V-253359
- Title: Run as different user must be removed from context menus.
- V-253360
- Title: Insecure logons to an SMB server must be disabled.
- V-253361
- Title: Internet connection sharing must be disabled.
- V-253362
- Title: Hardened UNC Paths must be defined to require mutual authentication and integrity for at least the \\SYSVOL and \\NETLOGON shares.
- V-253364
- Title: Simultaneous connections to the internet or a Windows domain must be limited.
- V-253365
- Title: Connections to non-domain networks when connected to a domain authenticated network must be blocked.
- V-253366
- Title: Wi-Fi Sense must be disabled.
- V-253367
- Title: Command line data must be included in process creation events.
- V-253368
- Title: Windows 11 must be configured to enable Remote host allows delegation of non-exportable credentials.
- V-253372
- Title: Early Launch Antimalware, Boot-Start Driver Initialization Policy must prevent boot drivers.
- V-253373
- Title: Group Policy objects must be reprocessed even if they have not changed.
- V-253374
- Title: Downloading print driver packages over HTTP must be prevented.
- V-253375
- Title: Web publishing and online ordering wizards must be prevented from downloading a list of providers.
- V-253376
- Title: Printing over HTTP must be prevented.
- V-253377
- Title: Systems must at least attempt device authentication using certificates.
- V-253378
- Title: The network selection user interface (UI) must not be displayed on the logon screen.
- V-253379
- Title: Local users on domain-joined computers must not be enumerated.
- V-253380
- Title: Users must be prompted for a password on resume from sleep (on battery).
- V-253381
- Title: The user must be prompted for a password on resume from sleep (plugged in).
- V-253382
- Title: Solicited Remote Assistance must not be allowed.
- V-253383
- Title: Unauthenticated RPC clients must be restricted from connecting to the RPC server.
- V-253384
- Title: The setting to allow Microsoft accounts to be optional for modern style apps must be enabled.
- V-253385
- Title: The Application Compatibility Program Inventory must be prevented from collecting data and sending the information to Microsoft.
- V-253386
- Title: Autoplay must be turned off for non-volume devices.
- V-253387
- Title: The default autorun behavior must be configured to prevent autorun commands.
- V-253388
- Title: Autoplay must be disabled for all drives.
- V-253389
- Title: Enhanced anti-spoofing for facial recognition must be enabled on Windows 11.
- V-253390
- Title: Microsoft consumer experiences must be turned off.
- V-253391
- Title: Administrator accounts must not be enumerated during elevation.
- V-253393
- Title: Windows Telemetry must not be configured to Full.
- V-253394
- Title: Windows Update must not obtain updates from other PCs on the internet.
- V-253395
- Title: The Microsoft Defender SmartScreen for Explorer must be enabled.
- V-253396
- Title: Explorer Data Execution Prevention must be enabled.
- V-253397
- Title: File Explorer heap termination on corruption must be disabled.
- V-253398
- Title: File Explorer shell protocol must run in protected mode.
- V-253399
- Title: Windows 11 must be configured to disable Windows Game Recording and Broadcasting.
- V-253400
- Title: The use of a hardware security device with Windows Hello for Business must be enabled.
- V-253401
- Title: Windows 11 must be configured to require a minimum pin length of six characters or greater.
- V-253402
- Title: Passwords must not be saved in the Remote Desktop Client.
- V-253403
- Title: Local drives must be prevented from sharing with Remote Desktop Session Hosts.
- V-253404
- Title: Remote Desktop Services must always prompt a client for passwords upon connection.
- V-253405
- Title: The Remote Desktop Session Host must require secure RPC communications.
- V-253406
- Title: Remote Desktop Services must be configured with the client connection encryption set to the required level.
- V-253407
- Title: Attachments must be prevented from being downloaded from RSS feeds.
- V-253408
- Title: Basic authentication for RSS feeds over HTTP must not be used.
- V-253409
- Title: Indexing of encrypted files must be turned off.
- V-253410
- Title: Users must be prevented from changing installation options.
- V-253411
- Title: The Windows Installer feature “Always install with elevated privileges” must be disabled.
- V-253412
- Title: Users must be notified if a web-based program attempts to install software.
- V-253413
- Title: Automatically signing in the last interactive user after a system-initiated restart must be disabled.
- V-253414
- Title: PowerShell script block logging must be enabled on Windows 11.
- V-253415
- Title: PowerShell Transcription must be enabled on Windows 11.
- V-253416
- Title: The Windows Remote Management (WinRM) client must not use Basic authentication.
- V-253417
- Title: The Windows Remote Management (WinRM) client must not allow unencrypted traffic.
- V-253418
- Title: The Windows Remote Management (WinRM) service must not use Basic authentication.
- V-253419
- Title: The Windows Remote Management (WinRM) service must not allow unencrypted traffic.
- V-253420
- Title: The Windows Remote Management (WinRM) service must not store RunAs credentials.
- V-253421
- Title: The Windows Remote Management (WinRM) client must not use Digest authentication.
- V-253422
- Title: Windows 11 must be configured to prevent Windows apps from being activated by voice while the system is locked.
- V-253423
- Title: The convenience PIN for Windows 11 must be disabled.
- V-253424
- Title: Windows Ink Workspace must be configured to disallow access above the lock.
- V-253426
- Title: Windows 11 Kernel (Direct Memory Access) DMA Protection must be enabled.
- V-253432
- Title: The built-in administrator account must be disabled.
- V-253433
- Title: The built-in guest account must be disabled.
- V-253434
- Title: Local accounts with blank passwords must be restricted to prevent access from the network.
- V-253435
- Title: The built-in administrator account must be renamed.
- V-253436
- Title: The built-in guest account must be renamed.
- V-253437
- Title: Audit policy using subcategories must be enabled.
- V-253438
- Title: Outgoing secure channel traffic must be encrypted or signed.
- V-253439
- Title: Outgoing secure channel traffic must be encrypted.
- V-253440
- Title: Outgoing secure channel traffic must be signed.
- V-253441
- Title: The computer account password must not be prevented from being reset.
- V-253442
- Title: The maximum age for machine account passwords must be configured to 30 days or less.
- V-253443
- Title: The system must be configured to require a strong session key.
- V-253444
- Title: The machine inactivity limit must be set to 15 minutes, locking the system with the screensaver.
- V-253447
- Title: Caching of logon credentials must be limited.
- V-253448
- Title: The Smart Card removal option must be configured to Force Logoff or Lock Workstation.
- V-253449
- Title: The Windows SMB client must be configured to always perform SMB packet signing.
- V-253450
- Title: Unencrypted passwords must not be sent to third-party SMB Servers.
- V-253451
- Title: The Windows SMB server must be configured to always perform SMB packet signing.
- V-253453
- Title: Anonymous enumeration of SAM accounts must not be allowed.
- V-253454
- Title: Anonymous enumeration of shares must be restricted.
- V-253455
- Title: The system must be configured to prevent anonymous users from having the same rights as the Everyone group.
- V-253456
- Title: Anonymous access to Named Pipes and Shares must be restricted.
- V-253457
- Title: Remote calls to the Security Account Manager (SAM) must be restricted to Administrators.
- V-253458
- Title: NTLM must be prevented from falling back to a Null session.
- V-253459
- Title: PKU2U authentication using online identities must be prevented.
- V-253460
- Title: Kerberos encryption types must be configured to prevent the use of DES and RC4 encryption suites.
- V-253461
- Title: The system must be configured to prevent the storage of the LAN Manager hash of passwords.
- V-253462
- Title: The LanMan authentication level must be set to send NTLMv2 response only, and to refuse LM and NTLM.
- V-253463
- Title: The system must be configured to the required LDAP client signing level.
- V-253464
- Title: The system must be configured to meet the minimum session security requirement for NTLM SSP based clients.
- V-253465
- Title: The system must be configured to meet the minimum session security requirement for NTLM SSP based servers.
- V-253466
- Title: The system must be configured to use FIPS-compliant algorithms for encryption, hashing, and signing.
- V-253467
- Title: The default permissions of global system objects must be increased.
- V-253468
- Title: User Account Control approval mode for the built-in Administrator must be enabled.
- V-253469
- Title: User Account Control must prompt administrators for consent on the secure desktop.
- V-253471
- Title: User Account Control must automatically deny elevation requests for standard users.
- V-253472
- Title: User Account Control must be configured to detect application installations and prompt for elevation.
- V-253473
- Title: User Account Control must only elevate UIAccess applications that are installed in secure locations.
- V-253474
- Title: User Account Control must run all administrators in Admin Approval Mode, enabling UAC.
- V-253475
- Title: User Account Control must virtualize file and registry write failures to per-user locations.
- V-253479
- Title: The “Access Credential Manager as a trusted caller” user right must not be assigned to any groups or accounts.
- V-253480
- Title: The “Access this computer from the network” user right must only be assigned to the Administrators and Remote Desktop Users groups.
- V-253481
- Title: The “Act as part of the operating system” user right must not be assigned to any groups or accounts.
- V-253482
- Title: The “Allow log on locally” user right must only be assigned to the Administrators and Users groups.
- V-253483
- Title: The “Back up files and directories” user right must only be assigned to the Administrators group.
- V-253484
- Title: The “Change the system time” user right must only be assigned to Administrators and Local Service.
- V-253485
- Title: The “Create a pagefile” user right must only be assigned to the Administrators group.
- V-253486
- Title: The “Create a token object” user right must not be assigned to any groups or accounts.
- V-253487
- Title: The “Create global objects” user right must only be assigned to Administrators, Service, Local Service, and Network Service.
- V-253488
- Title: The “Create permanent shared objects” user right must not be assigned to any groups or accounts.
- V-253489
- Title: The “Create symbolic links” user right must only be assigned to the Administrators group.
- V-253490
- Title: The “Debug programs” user right must only be assigned to the Administrators group.
- V-253491
- Title: The “Deny access to this computer from the network” user right on workstations must be configured to prevent access from highly privileged domain accounts and local accounts on domain systems and unauthenticated access on all systems.
- V-253492
- Title: The “Deny log on as a batch job” user right on domain-joined workstations must be configured to prevent access from highly privileged domain accounts.
- V-253493
- Title: The “Deny log on as a service” user right on Windows 11 domain-joined workstations must be configured to prevent access from highly privileged domain accounts.
- V-253494
- Title: The “Deny log on locally” user right on workstations must be configured to prevent access from highly privileged domain accounts on domain systems and unauthenticated access on all systems.
- V-253495
- Title: The “Deny log on through Remote Desktop Services” user right on Windows 11 workstations must be configured to prevent access from highly privileged domain accounts and local accounts on domain systems and unauthenticated access on all systems.
- V-253496
- Title: The “Enable computer and user accounts to be trusted for delegation” user right must not be assigned to any groups or accounts.
- V-253497
- Title: The “Force shutdown from a remote system” user right must only be assigned to the Administrators group.
- V-253498
- Title: The “Impersonate a client after authentication” user right must only be assigned to Administrators, Service, Local Service, and Network Service.
- V-253499
- Title: The “Load and unload device drivers” user right must only be assigned to the Administrators group.
- V-253500
- Title: The “Lock pages in memory” user right must not be assigned to any groups or accounts.
- V-253501
- Title: The “Manage auditing and security log” user right must only be assigned to the Administrators group.
- V-253502
- Title: The “Modify firmware environment values” user right must only be assigned to the Administrators group.
- V-253503
- Title: The “Perform volume maintenance tasks” user right must only be assigned to the Administrators group.
- V-253504
- Title: The “Profile single process” user right must only be assigned to the Administrators group.
- V-253505
- Title: The “Restore files and directories” user right must only be assigned to the Administrators group.
- V-253506
- Title: The “Take ownership of files or other objects” user right must only be assigned to the Administrators group.
- V-256893
- Title: Internet Explorer must be disabled for Windows 11.
- V-257770
- Title: Windows 11 must have command line process auditing events enabled for failures.
Windows 2016 (189/201 [94%])
- V-224850
- Title: The Fax Server role must not be installed.
- V-224851
- Title: The Microsoft FTP service must not be installed unless required.
- V-224852
- Title: The Peer Name Resolution Protocol must not be installed.
- V-224853
- Title: Simple TCP/IP Services must not be installed.
- V-224854
- Title: The Telnet Client must not be installed.
- V-224855
- Title: The TFTP Client must not be installed.
- V-224856
- Title: The Server Message Block (SMB) v1 protocol must be uninstalled.
- V-224857
- Title: The Server Message Block (SMB) v1 protocol must be disabled on the SMB server.
- V-224858
- Title: The Server Message Block (SMB) v1 protocol must be disabled on the SMB client.
- V-224859
- Title: Windows PowerShell 2.0 must not be installed.
- V-224866
- Title: Windows 2016 account lockout duration must be configured to 15 minutes or greater.
- V-224867
- Title: Windows Server 2016 must have the number of allowed bad logon attempts configured to three or less.
- V-224868
- Title: Windows Server 2016 must have the period of time before the bad logon counter is reset configured to 15 minutes or greater.
- V-224869
- Title: Windows Server 2016 password history must be configured to 24 passwords remembered.
- V-224870
- Title: Windows Server 2016 maximum password age must be configured to 60 days or less.
- V-224871
- Title: Windows Server 2016 minimum password age must be configured to at least one day.
- V-224872
- Title: Windows Server 2016 minimum password length must be configured to 14 characters.
- V-224873
- Title: Windows Server 2016 must have the built-in Windows password complexity policy enabled.
- V-224874
- Title: Windows Server 2016 reversible password encryption must be disabled.
- V-224877
- Title: Permissions for the Application event log must prevent access by non-privileged accounts.
- V-224878
- Title: Permissions for the Security event log must prevent access by non-privileged accounts.
- V-224879
- Title: Permissions for the System event log must prevent access by non-privileged accounts.
- V-224880
- Title: Event Viewer must be protected from unauthorized modification and deletion.
- V-224881
- Title: Windows Server 2016 must be configured to audit Account Logon - Credential Validation successes.
- V-224882
- Title: Windows Server 2016 must be configured to audit Account Logon - Credential Validation failures.
- V-224883
- Title: Windows Server 2016 must be configured to audit Account Management - Other Account Management Events successes.
- V-224884
- Title: Windows Server 2016 must be configured to audit Account Management - Security Group Management successes.
- V-224885
- Title: Windows Server 2016 must be configured to audit Account Management - User Account Management successes.
- V-224886
- Title: Windows Server 2016 must be configured to audit Account Management - User Account Management failures.
- V-224888
- Title: Windows Server 2016 must be configured to audit Detailed Tracking - Process Creation successes.
- V-224890
- Title: Windows Server 2016 must be configured to audit Logon/Logoff - Account Lockout failures.
- V-224892
- Title: Windows Server 2016 must be configured to audit Logon/Logoff - Logoff successes.
- V-224893
- Title: Windows Server 2016 must be configured to audit Logon/Logoff - Logon successes.
- V-224894
- Title: Windows Server 2016 must be configured to audit Logon/Logoff - Logon failures.
- V-224895
- Title: Windows Server 2016 must be configured to audit Logon/Logoff - Special Logon successes.
- V-224896
- Title: Windows 2016 must be configured to audit Object Access - Other Object Access Events successes.
- V-224897
- Title: Windows 2016 must be configured to audit Object Access - Other Object Access Events failures.
- V-224900
- Title: Windows Server 2016 must be configured to audit Policy Change - Audit Policy Change successes.
- V-224901
- Title: Windows Server 2016 must be configured to audit Policy Change - Audit Policy Change failures.
- V-224902
- Title: Windows Server 2016 must be configured to audit Policy Change - Authentication Policy Change successes.
- V-224903
- Title: Windows Server 2016 must be configured to audit Policy Change - Authorization Policy Change successes.
- V-224904
- Title: Windows Server 2016 must be configured to audit Privilege Use - Sensitive Privilege Use successes.
- V-224905
- Title: Windows Server 2016 must be configured to audit Privilege Use - Sensitive Privilege Use failures.
- V-224906
- Title: Windows Server 2016 must be configured to audit System - IPsec Driver successes.
- V-224907
- Title: Windows Server 2016 must be configured to audit System - IPsec Driver failures.
- V-224908
- Title: Windows Server 2016 must be configured to audit System - Other System Events successes.
- V-224909
- Title: Windows Server 2016 must be configured to audit System - Other System Events failures.
- V-224910
- Title: Windows Server 2016 must be configured to audit System - Security State Change successes.
- V-224911
- Title: Windows Server 2016 must be configured to audit System - Security System Extension successes.
- V-224912
- Title: Windows Server 2016 must be configured to audit System - System Integrity successes.
- V-224913
- Title: Windows Server 2016 must be configured to audit System - System Integrity failures.
- V-224914
- Title: The display of slide shows on the lock screen must be disabled.
- V-224915
- Title: WDigest Authentication must be disabled on Windows Server 2016.
- V-224916
- Title: Internet Protocol version 6 (IPv6) source routing must be configured to the highest protection level to prevent IP source routing.
- V-224917
- Title: Source routing must be configured to the highest protection level to prevent Internet Protocol (IP) source routing.
- V-224918
- Title: Windows Server 2016 must be configured to prevent Internet Control Message Protocol (ICMP) redirects from overriding Open Shortest Path First (OSPF)-generated routes.
- V-224919
- Title: Windows Server 2016 must be configured to ignore NetBIOS name release requests except from WINS servers.
- V-224920
- Title: Insecure logons to an SMB server must be disabled.
- V-224921
- Title: Hardened UNC paths must be defined to require mutual authentication and integrity for at least the \\SYSVOL and \\NETLOGON shares.
- V-224922
- Title: Command line data must be included in process creation events.
- V-224924
- Title: Early Launch Antimalware, Boot-Start Driver Initialization Policy must prevent boot drivers identified as bad.
- V-224925
- Title: Group Policy objects must be reprocessed even if they have not changed.
- V-224926
- Title: Downloading print driver packages over HTTP must be prevented.
- V-224927
- Title: Printing over HTTP must be prevented.
- V-224928
- Title: The network selection user interface (UI) must not be displayed on the logon screen.
- V-224929
- Title: Users must be prompted to authenticate when the system wakes from sleep (on battery).
- V-224930
- Title: Users must be prompted to authenticate when the system wakes from sleep (plugged in).
- V-224931
- Title: The Application Compatibility Program Inventory must be prevented from collecting data and sending the information to Microsoft.
- V-224932
- Title: AutoPlay must be turned off for non-volume devices.
- V-224933
- Title: The default AutoRun behavior must be configured to prevent AutoRun commands.
- V-224934
- Title: AutoPlay must be disabled for all drives.
- V-224935
- Title: Administrator accounts must not be enumerated during elevation.
- V-224936
- Title: Windows Telemetry must be configured to Security or Basic.
- V-224937
- Title: The Application event log size must be configured to 32768 KB or greater.
- V-224938
- Title: The Security event log size must be configured to 196608 KB or greater.
- V-224939
- Title: The System event log size must be configured to 32768 KB or greater.
- V-224940
- Title: Windows Server 2016 Windows SmartScreen must be enabled.
- V-224941
- Title: Explorer Data Execution Prevention must be enabled.
- V-224942
- Title: Turning off File Explorer heap termination on corruption must be disabled.
- V-224943
- Title: File Explorer shell protocol must run in protected mode.
- V-224944
- Title: Passwords must not be saved in the Remote Desktop Client.
- V-224945
- Title: Local drives must be prevented from sharing with Remote Desktop Session Hosts.
- V-224946
- Title: Remote Desktop Services must always prompt a client for passwords upon connection.
- V-224947
- Title: The Remote Desktop Session Host must require secure Remote Procedure Call (RPC) communications.
- V-224948
- Title: Remote Desktop Services must be configured with the client connection encryption set to High Level.
- V-224949
- Title: Attachments must be prevented from being downloaded from RSS feeds.
- V-224951
- Title: Basic authentication for RSS feeds over HTTP must not be used.
- V-224952
- Title: Indexing of encrypted files must be turned off.
- V-224953
- Title: Users must be prevented from changing installation options.
- V-224954
- Title: The Windows Installer Always install with elevated privileges option must be disabled.
- V-224955
- Title: Users must be notified if a web-based program attempts to install software.
- V-224956
- Title: Automatically signing in the last interactive user after a system-initiated restart must be disabled.
- V-224957
- Title: PowerShell script block logging must be enabled.
- V-224958
- Title: The Windows Remote Management (WinRM) client must not use Basic authentication.
- V-224959
- Title: The Windows Remote Management (WinRM) client must not allow unencrypted traffic.
- V-224960
- Title: The Windows Remote Management (WinRM) client must not use Digest authentication.
- V-224961
- Title: The Windows Remote Management (WinRM) service must not use Basic authentication.
- V-224962
- Title: The Windows Remote Management (WinRM) service must not allow unencrypted traffic.
- V-224963
- Title: The Windows Remote Management (WinRM) service must not store RunAs credentials.
- V-224987
- Title: Windows Server 2016 must be configured to audit DS Access - Directory Service Access successes.
- V-224988
- Title: Windows Server 2016 must be configured to audit DS Access - Directory Service Access failures.
- V-224989
- Title: Windows Server 2016 must be configured to audit DS Access - Directory Service Changes successes.
- V-224995
- Title: Domain controllers must require LDAP access signing.
- V-224996
- Title: Domain controllers must be configured to allow reset of machine account passwords.
- V-224997
- Title: The Access this computer from the network user right must only be assigned to the Administrators, Authenticated Users, and
Enterprise Domain Controllers groups on domain controllers.
- V-224998
- Title: The Add workstations to domain user right must only be assigned to the Administrators group.
- V-224999
- Title: The Allow log on through Remote Desktop Services user right must only be assigned to the Administrators group.
- V-225000
- Title: The Deny access to this computer from the network user right on domain controllers must be configured to prevent unauthenticated access.
- V-225001
- Title: The Deny log on as a batch job user right on domain controllers must be configured to prevent unauthenticated access.
- V-225002
- Title: The Deny log on as a service user right must be configured to include no accounts or groups (blank) on domain controllers.
- V-225003
- Title: The Deny log on locally user right on domain controllers must be configured to prevent unauthenticated access.
- V-225004
- Title: The Deny log on through Remote Desktop Services user right on domain controllers must be configured to prevent unauthenticated access.
- V-225005
- Title: The Enable computer and user accounts to be trusted for delegation user right must only be assigned to the Administrators group on domain controllers.
- V-225008
- Title: Local administrator accounts must have their privileged token filtered to prevent elevated privileges from being used over the network on domain systems.
- V-225009
- Title: Local users on domain-joined computers must not be enumerated.
- V-225010
- Title: Unauthenticated Remote Procedure Call (RPC) clients must be restricted from connecting to the RPC server.
- V-225011
- Title: Caching of logon credentials must be limited.
- V-225013
- Title: Remote calls to the Security Account Manager (SAM) must be restricted to Administrators.
- V-225014
- Title: The “Access this computer from the network” user right must only be assigned to the Administrators and Authenticated Users groups on member servers.
- V-225015
- Title: The “Deny access to this computer from the network” user right on member servers must be configured to prevent access from highly privileged domain accounts and local accounts on domain systems and from unauthenticated access on all systems.
- V-225016
- Title: The “Deny log on as a batch job” user right on member servers must be configured to prevent access from highly privileged domain accounts on domain systems and from unauthenticated access on all systems.
- V-225017
- Title: The “Deny log on as a service” user right on member servers must be configured to prevent access from highly privileged domain accounts on domain systems. No other groups or accounts must be assigned this right.
- V-225018
- Title: The “Deny log on locally” user right on member servers must be configured to prevent access from highly privileged domain accounts on domain systems and from unauthenticated access on all systems.
- V-225019
- Title: The “Deny log on through Remote Desktop Services” user right on member servers must be configured to prevent access from highly privileged domain accounts and all local accounts on domain systems and from unauthenticated access on all systems.
- V-225020
- Title: The “Enable computer and user accounts to be trusted for delegation” user right must not be assigned to any groups or accounts on member servers.
- V-225024
- Title: Windows Server 2016 built-in guest account must be disabled.
- V-225025
- Title: Local accounts with blank passwords must be restricted to prevent access from the network.
- V-225026
- Title: Windows Server 2016 built-in administrator account must be renamed.
- V-225027
- Title: Windows Server 2016 built-in guest account must be renamed.
- V-225028
- Title: Audit policy using subcategories must be enabled.
- V-225029
- Title: The setting Domain member: Digitally encrypt or sign secure channel data (always) must be configured to Enabled.
- V-225030
- Title: The setting Domain member: Digitally encrypt secure channel data (when possible) must be configured to enabled.
- V-225031
- Title: The setting Domain member: Digitally sign secure channel data (when possible) must be configured to Enabled.
- V-225032
- Title: The computer account password must not be prevented from being reset.
- V-225033
- Title: The maximum age for machine account passwords must be configured to 30 days or less.
- V-225034
- Title: Windows Server 2016 must be configured to require a strong session key.
- V-225035
- Title: The machine inactivity limit must be set to 15 minutes, locking the system with the screen saver.
- V-225038
- Title: The Smart Card removal option must be configured to Force Logoff or Lock Workstation.
- V-225039
- Title: The setting Microsoft network client: Digitally sign communications (always) must be configured to Enabled.
- V-225040
- Title: The setting Microsoft network client: Digitally sign communications (if server agrees) must be configured to Enabled.
- V-225041
- Title: Unencrypted passwords must not be sent to third-party Server Message Block (SMB) servers.
- V-225042
- Title: The setting Microsoft network server: Digitally sign communications (always) must be configured to Enabled.
- V-225043
- Title: The setting Microsoft network server: Digitally sign communications (if client agrees) must be configured to Enabled.
- V-225045
- Title: Anonymous enumeration of Security Account Manager (SAM) accounts must not be allowed.
- V-225046
- Title: Anonymous enumeration of shares must not be allowed.
- V-225047
- Title: Windows Server 2016 must be configured to prevent anonymous users from having the same permissions as the Everyone group.
- V-225048
- Title: Anonymous access to Named Pipes and Shares must be restricted.
- V-225049
- Title: Services using Local System that use Negotiate when reverting to NTLM authentication must use the computer identity instead of authenticating anonymously.
- V-225050
- Title: NTLM must be prevented from falling back to a Null session.
- V-225051
- Title: PKU2U authentication using online identities must be prevented.
- V-225052
- Title: Kerberos encryption types must be configured to prevent the use of DES and RC4 encryption suites.
- V-225053
- Title: Windows Server 2016 must be configured to prevent the storage of the LAN Manager hash of passwords.
- V-225054
- Title: The LAN Manager authentication level must be set to send NTLMv2 response only and to refuse LM and NTLM.
- V-225055
- Title: Windows Server 2016 must be configured to at least negotiate signing for LDAP client signing.
- V-225056
- Title: Session security for NTLM SSP-based clients must be configured to require NTLMv2 session security and 128-bit encryption.
- V-225057
- Title: Session security for NTLM SSP-based servers must be configured to require NTLMv2 session security and 128-bit encryption.
- V-225058
- Title: Users must be required to enter a password to access private keys stored on the computer.
- V-225060
- Title: The default permissions of global system objects must be strengthened.
- V-225061
- Title: User Account Control approval mode for the built-in Administrator must be enabled.
- V-225062
- Title: UIAccess applications must not be allowed to prompt for elevation without using the secure desktop.
- V-225063
- Title: User Account Control must, at a minimum, prompt administrators for consent on the secure desktop.
- V-225064
- Title: User Account Control must automatically deny standard user requests for elevation.
- V-225065
- Title: User Account Control must be configured to detect application installations and prompt for elevation.
- V-225066
- Title: User Account Control must only elevate UIAccess applications that are installed in secure locations.
- V-225067
- Title: User Account Control must run all administrators in Admin Approval Mode, enabling UAC.
- V-225068
- Title: User Account Control must virtualize file and registry write failures to per-user locations.
- V-225070
- Title: The Access Credential Manager as a trusted caller user right must not be assigned to any groups or accounts.
- V-225071
- Title: The Act as part of the operating system user right must not be assigned to any groups or accounts.
- V-225072
- Title: The Allow log on locally user right must only be assigned to the Administrators group.
- V-225073
- Title: The Back up files and directories user right must only be assigned to the Administrators group.
- V-225074
- Title: The Create a pagefile user right must only be assigned to the Administrators group.
- V-225076
- Title: The Create global objects user right must only be assigned to Administrators, Service, Local Service, and Network Service.
- V-225077
- Title: The Create permanent shared objects user right must not be assigned to any groups or accounts.
- V-225078
- Title: The Create symbolic links user right must only be assigned to the Administrators group.
- V-225079
- Title: The Debug programs user right must only be assigned to the Administrators group.
- V-225080
- Title: The Force shutdown from a remote system user right must only be assigned to the Administrators group.
- V-225081
- Title: The Generate security audits user right must only be assigned to Local Service and Network Service.
- V-225082
- Title: The Impersonate a client after authentication user right must only be assigned to Administrators, Service, Local Service, and Network Service.
- V-225083
- Title: The Increase scheduling priority user right must only be assigned to the Administrators group.
- V-225084
- Title: The Load and unload device drivers user right must only be assigned to the Administrators group.
- V-225085
- Title: The Lock pages in memory user right must not be assigned to any groups or accounts.
- V-225086
- Title: The Manage auditing and security log user right must only be assigned to the Administrators group.
- V-225087
- Title: The Modify firmware environment values user right must only be assigned to the Administrators group.
- V-225088
- Title: The Perform volume maintenance tasks user right must only be assigned to the Administrators group.
- V-225089
- Title: The Profile single process user right must only be assigned to the Administrators group.
- V-225091
- Title: The Create a token object user right must not be assigned to any groups or accounts.
- V-225092
- Title: The Restore files and directories user right must only be assigned to the Administrators group.
- V-225093
- Title: The Take ownership of files or other objects user right must only be assigned to the Administrators group.
- V-257502
- Title: Windows Server 2016 must have PowerShell Transcription enabled.
Windows 2019 (191/203 [94%])
- V-205625
- Title: Windows Server 2019 must be configured to audit Account Management - Security Group Management successes.
- V-205626
- Title: Windows Server 2019 must be configured to audit Account Management - User Account Management successes.
- V-205627
- Title: Windows Server 2019 must be configured to audit Account Management - User Account Management failures.
- V-205629
- Title: Windows Server 2019 must have the number of allowed bad logon attempts configured to three or less.
- V-205630
- Title: Windows Server 2019 must have the period of time before the bad logon counter is reset configured to 15 minutes or greater.
- V-205633
- Title: Windows Server 2019 machine inactivity limit must be set to 15 minutes or less, locking the system with the screen saver.
- V-205634
- Title: Windows Server 2019 must be configured to audit logon successes.
- V-205635
- Title: Windows Server 2019 must be configured to audit logon failures.
- V-205636
- Title: Windows Server 2019 Remote Desktop Services must require secure Remote Procedure Call (RPC) communications.
- V-205637
- Title: Windows Server 2019 Remote Desktop Services must be configured with the client connection encryption set to High Level.
- V-205638
- Title: Windows Server 2019 command line data must be included in process creation events.
- V-205639
- Title: Windows Server 2019 PowerShell script block logging must be enabled.
- V-205640
- Title: Windows Server 2019 permissions for the Application event log must prevent access by non-privileged accounts.
- V-205641
- Title: Windows Server 2019 permissions for the Security event log must prevent access by non-privileged accounts.
- V-205642
- Title: Windows Server 2019 permissions for the System event log must prevent access by non-privileged accounts.
- V-205643
- Title: Windows Server 2019 Manage auditing and security log user right must only be assigned to the Administrators group.
- V-205644
- Title: Windows Server 2019 must force audit policy subcategory settings to override audit policy category settings.
- V-205651
- Title: Windows Server 2019 users must be required to enter a password to access private keys stored on the computer.
- V-205652
- Title: Windows Server 2019 must have the built-in Windows password complexity policy enabled.
- V-205653
- Title: Windows Server 2019 reversible password encryption must be disabled.
- V-205654
- Title: Windows Server 2019 must be configured to prevent the storage of the LAN Manager hash of passwords.
- V-205655
- Title: Windows Server 2019 unencrypted passwords must not be sent to third-party Server Message Block (SMB) servers.
- V-205656
- Title: Windows Server 2019 minimum password age must be configured to at least one day.
- V-205659
- Title: Windows Server 2019 maximum password age must be configured to 60 days or less.
- V-205660
- Title: Windows Server 2019 password history must be configured to 24 passwords remembered.
- V-205662
- Title: Windows Server 2019 minimum password length must be configured to 14 characters.
- V-205665
- Title: Windows Server 2019 Access this computer from the network user right must only be assigned to the Administrators, Authenticated Users, and
Enterprise Domain Controllers groups on domain controllers.
- V-205666
- Title: Windows Server 2019 Allow log on through Remote Desktop Services user right must only be assigned to the Administrators group on domain controllers.
- V-205667
- Title: Windows Server 2019 Deny access to this computer from the network user right on domain controllers must be configured to prevent unauthenticated access.
- V-205668
- Title: Windows Server 2019 Deny log on as a batch job user right on domain controllers must be configured to prevent unauthenticated access.
- V-205669
- Title: Windows Server 2019 Deny log on as a service user right must be configured to include no accounts or groups (blank) on domain controllers.
- V-205670
- Title: Windows Server 2019 Deny log on locally user right on domain controllers must be configured to prevent unauthenticated access.
- V-205671
- Title: Windows Server 2019 “Access this computer from the network” user right must only be assigned to the Administrators and Authenticated Users groups on domain-joined member servers and standalone or nondomain-joined systems.
- V-205672
- Title: Windows Server 2019 “Deny access to this computer from the network” user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and local accounts and from unauthenticated access on all systems.
- V-205673
- Title: Windows Server 2019 “Deny log on as a batch job” user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and from unauthenticated access on all systems.
- V-205674
- Title: Windows Server 2019 “Deny log on as a service” user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts. No other groups or accounts must be assigned this right.
- V-205675
- Title: Windows Server 2019 “Deny log on locally” user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and from unauthenticated access on all systems.
- V-205676
- Title: Windows Server 2019 Allow log on locally user right must only be assigned to the Administrators group.
- V-205678
- Title: Windows Server 2019 must not have the Fax Server role installed.
- V-205679
- Title: Windows Server 2019 must not have the Peer Name Resolution Protocol installed.
- V-205680
- Title: Windows Server 2019 must not have Simple TCP/IP Services installed.
- V-205681
- Title: Windows Server 2019 must not have the TFTP Client installed.
- V-205682
- Title: Windows Server 2019 must not have the Server Message Block (SMB) v1 protocol installed.
- V-205683
- Title: Windows Server 2019 must have the Server Message Block (SMB) v1 protocol disabled on the SMB server.
- V-205684
- Title: Windows Server 2019 must have the Server Message Block (SMB) v1 protocol disabled on the SMB client.
- V-205685
- Title: Windows Server 2019 must not have Windows PowerShell 2.0 installed.
- V-205686
- Title: Windows Server 2019 must prevent the display of slide shows on the lock screen.
- V-205687
- Title: Windows Server 2019 must have WDigest Authentication disabled.
- V-205688
- Title: Windows Server 2019 downloading print driver packages over HTTP must be turned off.
- V-205689
- Title: Windows Server 2019 printing over HTTP must be turned off.
- V-205690
- Title: Windows Server 2019 network selection user interface (UI) must not be displayed on the logon screen.
- V-205691
- Title: Windows Server 2019 Application Compatibility Program Inventory must be prevented from collecting data and sending the information to Microsoft.
- V-205692
- Title: Windows Server 2019 Windows Defender SmartScreen must be enabled.
- V-205693
- Title: Windows Server 2019 must disable Basic authentication for RSS feeds over HTTP.
- V-205694
- Title: Windows Server 2019 must prevent Indexing of encrypted files.
- V-205696
- Title: Windows Server 2019 local users on domain-joined member servers must not be enumerated.
- V-205697
- Title: Windows Server 2019 must not have the Microsoft FTP service installed unless required by the organization.
- V-205698
- Title: Windows Server 2019 must not have the Telnet Client installed.
- V-205708
- Title: Windows Server 2019 Kerberos encryption types must be configured to prevent the use of DES and RC4 encryption suites.
- V-205709
- Title: Windows Server 2019 must have the built-in guest account disabled.
- V-205711
- Title: Windows Server 2019 Windows Remote Management (WinRM) client must not use Basic authentication.
- V-205712
- Title: Windows Server 2019 Windows Remote Management (WinRM) client must not use Digest authentication.
- V-205713
- Title: Windows Server 2019 Windows Remote Management (WinRM) service must not use Basic authentication.
- V-205714
- Title: Windows Server 2019 administrator accounts must not be enumerated during elevation.
- V-205715
- Title: Windows Server 2019 local administrator accounts must have their privileged token filtered to prevent elevated privileges from being used over the network on domain-joined member servers.
- V-205716
- Title: Windows Server 2019 UIAccess applications must not be allowed to prompt for elevation without using the secure desktop.
- V-205717
- Title: Windows Server 2019 User Account Control must, at a minimum, prompt administrators for consent on the secure desktop.
- V-205718
- Title: Windows Server 2019 User Account Control must be configured to detect application installations and prompt for elevation.
- V-205719
- Title: Windows Server 2019 User Account Control (UAC) must only elevate UIAccess applications that are installed in secure locations.
- V-205720
- Title: Windows Server 2019 User Account Control (UAC) must virtualize file and registry write failures to per-user locations.
- V-205722
- Title: Windows Server 2019 Remote Desktop Services must prevent drive redirection.
- V-205724
- Title: Windows Server 2019 must not allow anonymous enumeration of shares.
- V-205725
- Title: Windows Server 2019 must restrict anonymous access to Named Pipes and Shares.
- V-205730
- Title: Windows Server 2019 must be configured to audit Logon/Logoff - Account Lockout failures.
- V-205731
- Title: Windows Server 2019 Event Viewer must be protected from unauthorized modification and deletion.
- V-205732
- Title: Windows Server 2019 Deny log on through Remote Desktop Services user right on domain controllers must be configured to prevent unauthenticated access.
- V-205733
- Title: Windows Server 2019 “Deny log on through Remote Desktop Services” user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and all local accounts and from unauthenticated access on all systems.
- V-205744
- Title: Windows Server 2019 Add workstations to domain user right must only be assigned to the Administrators group on domain controllers.
- V-205745
- Title: Windows Server 2019 Enable computer and user accounts to be trusted for delegation user right must only be assigned to the Administrators group on domain controllers.
- V-205747
- Title: Windows Server 2019 must restrict remote calls to the Security Account Manager (SAM) to Administrators on domain-joined member servers and standalone or nondomain-joined systems.
- V-205748
- Title: Windows Server 2019 “Enable computer and user accounts to be trusted for delegation” user right must not be assigned to any groups or accounts on domain-joined member servers and standalone or nondomain-joined systems.
- V-205749
- Title: Windows Server 2019 Access Credential Manager as a trusted caller user right must not be assigned to any groups or accounts.
- V-205750
- Title: Windows Server 2019 Act as part of the operating system user right must not be assigned to any groups or accounts.
- V-205751
- Title: Windows Server 2019 Back up files and directories user right must only be assigned to the Administrators group.
- V-205752
- Title: Windows Server 2019 Create a pagefile user right must only be assigned to the Administrators group.
- V-205753
- Title: Windows Server 2019 Create a token object user right must not be assigned to any groups or accounts.
- V-205754
- Title: Windows Server 2019 Create global objects user right must only be assigned to Administrators, Service, Local Service, and Network Service.
- V-205755
- Title: Windows Server 2019 Create permanent shared objects user right must not be assigned to any groups or accounts.
- V-205756
- Title: Windows Server 2019 Create symbolic links user right must only be assigned to the Administrators group.
- V-205757
- Title: Windows Server 2019 Debug programs: user right must only be assigned to the Administrators group.
- V-205758
- Title: Windows Server 2019 Force shutdown from a remote system user right must only be assigned to the Administrators group.
- V-205759
- Title: Windows Server 2019 Generate security audits user right must only be assigned to Local Service and Network Service.
- V-205760
- Title: Windows Server 2019 Impersonate a client after authentication user right must only be assigned to Administrators, Service, Local Service, and Network Service.
- V-205761
- Title: Windows Server 2019 Increase scheduling priority: user right must only be assigned to the Administrators group.
- V-205762
- Title: Windows Server 2019 Load and unload device drivers user right must only be assigned to the Administrators group.
- V-205763
- Title: Windows Server 2019 Lock pages in memory user right must not be assigned to any groups or accounts.
- V-205764
- Title: Windows Server 2019 Modify firmware environment values user right must only be assigned to the Administrators group.
- V-205765
- Title: Windows Server 2019 Perform volume maintenance tasks user right must only be assigned to the Administrators group.
- V-205766
- Title: Windows Server 2019 Profile single process user right must only be assigned to the Administrators group.
- V-205767
- Title: Windows Server 2019 Restore files and directories user right must only be assigned to the Administrators group.
- V-205768
- Title: Windows Server 2019 Take ownership of files or other objects user right must only be assigned to the Administrators group.
- V-205769
- Title: Windows Server 2019 must be configured to audit Account Management - Other Account Management Events successes.
- V-205770
- Title: Windows Server 2019 must be configured to audit Detailed Tracking - Process Creation successes.
- V-205771
- Title: Windows Server 2019 must be configured to audit Policy Change - Audit Policy Change successes.
- V-205772
- Title: Windows Server 2019 must be configured to audit Policy Change - Audit Policy Change failures.
- V-205773
- Title: Windows Server 2019 must be configured to audit Policy Change - Authentication Policy Change successes.
- V-205774
- Title: Windows Server 2019 must be configured to audit Policy Change - Authorization Policy Change successes.
- V-205775
- Title: Windows Server 2019 must be configured to audit Privilege Use - Sensitive Privilege Use successes.
- V-205776
- Title: Windows Server 2019 must be configured to audit Privilege Use - Sensitive Privilege Use failures.
- V-205777
- Title: Windows Server 2019 must be configured to audit System - IPsec Driver successes.
- V-205778
- Title: Windows Server 2019 must be configured to audit System - IPsec Driver failures.
- V-205779
- Title: Windows Server 2019 must be configured to audit System - Other System Events successes.
- V-205780
- Title: Windows Server 2019 must be configured to audit System - Other System Events failures.
- V-205781
- Title: Windows Server 2019 must be configured to audit System - Security State Change successes.
- V-205782
- Title: Windows Server 2019 must be configured to audit System - Security System Extension successes.
- V-205783
- Title: Windows Server 2019 must be configured to audit System - System Integrity successes.
- V-205784
- Title: Windows Server 2019 must be configured to audit System - System Integrity failures.
- V-205791
- Title: Windows Server 2019 must be configured to audit DS Access - Directory Service Access successes.
- V-205792
- Title: Windows Server 2019 must be configured to audit DS Access - Directory Service Access failures.
- V-205793
- Title: Windows Server 2019 must be configured to audit DS Access - Directory Service Changes successes.
- V-205795
- Title: Windows Server 2019 account lockout duration must be configured to 15 minutes or greater.
- V-205796
- Title: Windows Server 2019 Application event log size must be configured to 32768 KB or greater.
- V-205797
- Title: Windows Server 2019 Security event log size must be configured to 196608 KB or greater.
- V-205798
- Title: Windows Server 2019 System event log size must be configured to 32768 KB or greater.
- V-205801
- Title: Windows Server 2019 must prevent users from changing installation options.
- V-205802
- Title: Windows Server 2019 must disable the Windows Installer Always install with elevated privileges option.
- V-205804
- Title: Windows Server 2019 Autoplay must be turned off for non-volume devices.
- V-205805
- Title: Windows Server 2019 default AutoRun behavior must be configured to prevent AutoRun commands.
- V-205806
- Title: Windows Server 2019 AutoPlay must be disabled for all drives.
- V-205808
- Title: Windows Server 2019 must not save passwords in the Remote Desktop Client.
- V-205809
- Title: Windows Server 2019 Remote Desktop Services must always prompt a client for passwords upon connection.
- V-205810
- Title: Windows Server 2019 Windows Remote Management (WinRM) service must not store RunAs credentials.
- V-205811
- Title: Windows Server 2019 User Account Control approval mode for the built-in Administrator must be enabled.
- V-205812
- Title: Windows Server 2019 User Account Control must automatically deny standard user requests for elevation.
- V-205813
- Title: Windows Server 2019 User Account Control must run all administrators in Admin Approval Mode, enabling UAC.
- V-205814
- Title: Windows Server 2019 must restrict unauthenticated Remote Procedure Call (RPC) clients from connecting to the RPC server on domain-joined member servers and standalone or nondomain-joined systems.
- V-205815
- Title: Windows Server 2019 computer account password must not be prevented from being reset.
- V-205816
- Title: Windows Server 2019 Windows Remote Management (WinRM) client must not allow unencrypted traffic.
- V-205817
- Title: Windows Server 2019 Windows Remote Management (WinRM) service must not allow unencrypted traffic.
- V-205819
- Title: Windows Server 2019 must be configured to ignore NetBIOS name release requests except from WINS servers.
- V-205820
- Title: Windows Server 2019 domain controllers must require LDAP access signing.
- V-205821
- Title: Windows Server 2019 setting Domain member: Digitally encrypt or sign secure channel data (always) must be configured to Enabled.
- V-205822
- Title: Windows Server 2019 setting Domain member: Digitally encrypt secure channel data (when possible) must be configured to enabled.
- V-205823
- Title: Windows Server 2019 setting Domain member: Digitally sign secure channel data (when possible) must be configured to Enabled.
- V-205824
- Title: Windows Server 2019 must be configured to require a strong session key.
- V-205825
- Title: Windows Server 2019 setting Microsoft network client: Digitally sign communications (always) must be configured to Enabled.
- V-205826
- Title: Windows Server 2019 setting Microsoft network client: Digitally sign communications (if server agrees) must be configured to Enabled.
- V-205827
- Title: Windows Server 2019 setting Microsoft network server: Digitally sign communications (always) must be configured to Enabled.
- V-205828
- Title: Windows Server 2019 setting Microsoft network server: Digitally sign communications (if client agrees) must be configured to Enabled.
- V-205830
- Title: Windows Server 2019 Explorer Data Execution Prevention must be enabled.
- V-205832
- Title: Windows Server 2019 must be configured to audit Account Logon - Credential Validation successes.
- V-205833
- Title: Windows Server 2019 must be configured to audit Account Logon - Credential Validation failures.
- V-205835
- Title: Windows Server 2019 must be configured to audit Logon/Logoff - Special Logon successes.
- V-205836
- Title: Windows Server 2019 must be configured to audit Object Access - Other Object Access Events successes.
- V-205837
- Title: Windows Server 2019 must be configured to audit Object Access - Other Object Access Events failures.
- V-205838
- Title: Windows Server 2019 must be configured to audit logoff successes.
- V-205858
- Title: Windows Server 2019 Internet Protocol version 6 (IPv6) source routing must be configured to the highest protection level to prevent IP source routing.
- V-205859
- Title: Windows Server 2019 source routing must be configured to the highest protection level to prevent Internet Protocol (IP) source routing.
- V-205860
- Title: Windows Server 2019 must be configured to prevent Internet Control Message Protocol (ICMP) redirects from overriding Open Shortest Path First (OSPF)-generated routes.
- V-205861
- Title: Windows Server 2019 insecure logons to an SMB server must be disabled.
- V-205862
- Title: Windows Server 2019 hardened Universal Naming Convention (UNC) paths must be defined to require mutual authentication and integrity for at least the \\SYSVOL and \\NETLOGON shares.
- NOTE: Scan results may show failure after remediation, this is a false-negative due to pattern matching errors in the scanner.
- V-205863
- Title: Windows Server 2019 must be configured to enable Remote host allows delegation of non-exportable credentials.
- V-205865
- Title: Windows Server 2019 Early Launch Antimalware, Boot-Start Driver Initialization Policy must prevent boot drivers identified as bad.
- V-205866
- Title: Windows Server 2019 group policy objects must be reprocessed even if they have not changed.
- V-205867
- Title: Windows Server 2019 users must be prompted to authenticate when the system wakes from sleep (on battery).
- V-205868
- Title: Windows Server 2019 users must be prompted to authenticate when the system wakes from sleep (plugged in).
- V-205869
- Title: Windows Server 2019 Telemetry must be configured to Security or Basic.
- V-205870
- Title: Windows Server 2019 Windows Update must not obtain updates from other PCs on the Internet.
- V-205871
- Title: Windows Server 2019 Turning off File Explorer heap termination on corruption must be disabled.
- V-205872
- Title: Windows Server 2019 File Explorer shell protocol must run in protected mode.
- V-205873
- Title: Windows Server 2019 must prevent attachments from being downloaded from RSS feeds.
- V-205874
- Title: Windows Server 2019 users must be notified if a web-based program attempts to install software.
- V-205876
- Title: Windows Server 2019 domain controllers must be configured to allow reset of machine account passwords.
- V-205906
- Title: Windows Server 2019 must limit the caching of logon credentials to four or less on domain-joined member servers.
- V-205908
- Title: Windows Server 2019 must prevent local accounts with blank passwords from being used from the network.
- V-205909
- Title: Windows Server 2019 built-in administrator account must be renamed.
- V-205910
- Title: Windows Server 2019 built-in guest account must be renamed.
- V-205911
- Title: Windows Server 2019 maximum age for machine account passwords must be configured to 30 days or less.
- V-205912
- Title: Windows Server 2019 Smart Card removal option must be configured to Force Logoff or Lock Workstation.
- V-205914
- Title: Windows Server 2019 must not allow anonymous enumeration of Security Account Manager (SAM) accounts.
- V-205915
- Title: Windows Server 2019 must be configured to prevent anonymous users from having the same permissions as the Everyone group.
- V-205916
- Title: Windows Server 2019 services using Local System that use Negotiate when reverting to NTLM authentication must use the computer identity instead of authenticating anonymously.
- V-205917
- Title: Windows Server 2019 must prevent NTLM from falling back to a Null session.
- V-205918
- Title: Windows Server 2019 must prevent PKU2U authentication using online identities.
- V-205919
- Title: Windows Server 2019 LAN Manager authentication level must be configured to send NTLMv2 response only and to refuse LM and NTLM.
- V-205920
- Title: Windows Server 2019 must be configured to at least negotiate signing for LDAP client signing.
- V-205921
- Title: Windows Server 2019 session security for NTLM SSP-based clients must be configured to require NTLMv2 session security and 128-bit encryption.
- V-205922
- Title: Windows Server 2019 session security for NTLM SSP-based servers must be configured to require NTLMv2 session security and 128-bit encryption.
- V-205923
- Title: Windows Server 2019 default permissions of global system objects must be strengthened.
- V-205925
- Title: Windows Server 2019 must disable automatically signing in the last interactive user after a system-initiated restart.
- V-257503
- Title: Windows Server 2019 must have PowerShell Transcription enabled.
Windows 2022 (192/204 [94%])
- V-254269
- Title: Windows Server 2022 must not have the Fax Server role installed.
- V-254270
- Title: Windows Server 2022 must not have the Microsoft FTP service installed unless required by the organization.
- V-254271
- Title: Windows Server 2022 must not have the Peer Name Resolution Protocol installed.
- V-254272
- Title: Windows Server 2022 must not have Simple TCP/IP Services installed.
- V-254273
- Title: Windows Server 2022 must not have the Telnet Client installed.
- V-254274
- Title: Windows Server 2022 must not have the TFTP Client installed.
- V-254275
- Title: Windows Server 2022 must not the Server Message Block (SMB) v1 protocol installed.
- V-254276
- Title: Windows Server 2022 must have the Server Message Block (SMB) v1 protocol disabled on the SMB server.
- V-254277
- Title: Windows Server 2022 must have the Server Message Block (SMB) v1 protocol disabled on the SMB client.
- V-254278
- Title: Windows Server 2022 must not have Windows PowerShell 2.0 installed.
- V-254285
- Title: Windows Server 2022 account lockout duration must be configured to 15 minutes or greater.
- V-254286
- Title: Windows Server 2022 must have the number of allowed bad logon attempts configured to three or less.
- V-254287
- Title: Windows Server 2022 must have the period of time before the bad logon counter is reset configured to 15 minutes or greater.
- V-254288
- Title: Windows Server 2022 password history must be configured to 24 passwords remembered.
- V-254289
- Title: Windows Server 2022 maximum password age must be configured to 60 days or less.
- V-254290
- Title: Windows Server 2022 minimum password age must be configured to at least one day.
- V-254291
- Title: Windows Server 2022 minimum password length must be configured to 14 characters.
- V-254292
- Title: Windows Server 2022 must have the built-in Windows password complexity policy enabled.
- V-254293
- Title: Windows Server 2022 reversible password encryption must be disabled.
- V-254296
- Title: Windows Server 2022 permissions for the Application event log must prevent access by nonprivileged accounts.
- V-254297
- Title: Windows Server 2022 permissions for the Security event log must prevent access by nonprivileged accounts.
- V-254298
- Title: Windows Server 2022 permissions for the System event log must prevent access by nonprivileged accounts.
- V-254299
- Title: Windows Server 2022 Event Viewer must be protected from unauthorized modification and deletion.
- V-254300
- Title: Windows Server 2022 must be configured to audit Account Logon - Credential Validation successes.
- V-254301
- Title: Windows Server 2022 must be configured to audit Account Logon - Credential Validation failures.
- V-254302
- Title: Windows Server 2022 must be configured to audit Account Management - Other Account Management Events successes.
- V-254303
- Title: Windows Server 2022 must be configured to audit Account Management - Security Group Management successes.
- V-254304
- Title: Windows Server 2022 must be configured to audit Account Management - User Account Management successes.
- V-254305
- Title: Windows Server 2022 must be configured to audit Account Management - User Account Management failures.
- V-254307
- Title: Windows Server 2022 must be configured to audit Detailed Tracking - Process Creation successes.
- V-254309
- Title: Windows Server 2022 must be configured to audit Logon/Logoff - Account Lockout failures.
- V-254311
- Title: Windows Server 2022 must be configured to audit logoff successes.
- V-254312
- Title: Windows Server 2022 must be configured to audit logon successes.
- V-254313
- Title: Windows Server 2022 must be configured to audit logon failures.
- V-254314
- Title: Windows Server 2022 must be configured to audit Logon/Logoff - Special Logon successes.
- V-254315
- Title: Windows Server 2022 must be configured to audit Object Access - Other Object Access Events successes.
- V-254316
- Title: Windows Server 2022 must be configured to audit Object Access - Other Object Access Events failures.
- V-254319
- Title: Windows Server 2022 must be configured to audit Policy Change - Audit Policy Change successes.
- V-254320
- Title: Windows Server 2022 must be configured to audit Policy Change - Audit Policy Change failures.
- V-254321
- Title: Windows Server 2022 must be configured to audit Policy Change - Authentication Policy Change successes.
- V-254322
- Title: Windows Server 2022 must be configured to audit Policy Change - Authorization Policy Change successes.
- V-254323
- Title: Windows Server 2022 must be configured to audit Privilege Use - Sensitive Privilege Use successes.
- V-254324
- Title: Windows Server 2022 must be configured to audit Privilege Use - Sensitive Privilege Use failures.
- V-254325
- Title: Windows Server 2022 must be configured to audit System - IPsec Driver successes.
- V-254326
- Title: Windows Server 2022 must be configured to audit System - IPsec Driver failures.
- V-254327
- Title: Windows Server 2022 must be configured to audit System - Other System Events successes.
- V-254328
- Title: Windows Server 2022 must be configured to audit System - Other System Events failures.
- V-254329
- Title: Windows Server 2022 must be configured to audit System - Security State Change successes.
- V-254330
- Title: Windows Server 2022 must be configured to audit System - Security System Extension successes.
- V-254331
- Title: Windows Server 2022 must be configured to audit System - System Integrity successes.
- V-254332
- Title: Windows Server 2022 must be configured to audit System - System Integrity failures.
- V-254333
- Title: Windows Server 2022 must prevent the display of slide shows on the lock screen.
- V-254334
- Title: Windows Server 2022 must have WDigest Authentication disabled.
- V-254335
- Title: Windows Server 2022 Internet Protocol version 6 (IPv6) source routing must be configured to the highest protection level to prevent IP source routing.
- V-254336
- Title: Windows Server 2022 source routing must be configured to the highest protection level to prevent Internet Protocol (IP) source routing.
- V-254337
- Title: Windows Server 2022 must be configured to prevent Internet Control Message Protocol (ICMP) redirects from overriding Open Shortest Path First (OSPF)-generated routes.
- V-254338
- Title: Windows Server 2022 must be configured to ignore NetBIOS name release requests except from WINS servers.
- V-254339
- Title: Windows Server 2022 insecure logons to an SMB server must be disabled.
- V-254340
- Title: Windows Server 2022 hardened Universal Naming Convention (UNC) paths must be defined to require mutual authentication and integrity for at least the \\SYSVOL and \\NETLOGON shares.
- NOTE: Scan results may show failure after remediation, this is a false-negative due to pattern matching errors in the scanner.
- V-254341
- Title: Windows Server 2022 command line data must be included in process creation events.
- V-254342
- Title: Windows Server 2022 must be configured to enable Remote host allows delegation of nonexportable credentials.
- V-254344
- Title: Windows Server 2022 Early Launch Antimalware, Boot-Start Driver Initialization Policy must prevent boot drivers identified as bad.
- V-254345
- Title: Windows Server 2022 group policy objects must be reprocessed even if they have not changed.
- V-254346
- Title: Windows Server 2022 downloading print driver packages over HTTP must be turned off.
- V-254347
- Title: Windows Server 2022 printing over HTTP must be turned off.
- V-254348
- Title: Windows Server 2022 network selection user interface (UI) must not be displayed on the logon screen.
- V-254349
- Title: Windows Server 2022 users must be prompted to authenticate when the system wakes from sleep (on battery).
- V-254350
- Title: Windows Server 2022 users must be prompted to authenticate when the system wakes from sleep (plugged in).
- V-254351
- Title: Windows Server 2022 Application Compatibility Program Inventory must be prevented from collecting data and sending the information to Microsoft.
- V-254352
- Title: Windows Server 2022 Autoplay must be turned off for nonvolume devices.
- V-254353
- Title: Windows Server 2022 default AutoRun behavior must be configured to prevent AutoRun commands.
- V-254354
- Title: Windows Server 2022 AutoPlay must be disabled for all drives.
- V-254355
- Title: Windows Server 2022 administrator accounts must not be enumerated during elevation.
- V-254356
- Title: Windows Server 2022 Diagnostic Data must be configured to send “required diagnostic data” or “optional diagnostic data”.
- V-254357
- Title: Windows Server 2022 Windows Update must not obtain updates from other PCs on the internet.
- V-254358
- Title: Windows Server 2022 Application event log size must be configured to 32768 KB or greater.
- V-254359
- Title: Windows Server 2022 Security event log size must be configured to 196608 KB or greater.
- V-254360
- Title: Windows Server 2022 System event log size must be configured to 32768 KB or greater.
- V-254361
- Title: Windows Server 2022 Microsoft Defender antivirus SmartScreen must be enabled.
- V-254362
- Title: Windows Server 2022 Explorer Data Execution Prevention must be enabled.
- V-254363
- Title: Windows Server 2022 Turning off File Explorer heap termination on corruption must be disabled.
- V-254364
- Title: Windows Server 2022 File Explorer shell protocol must run in protected mode.
- V-254365
- Title: Windows Server 2022 must not save passwords in the Remote Desktop Client.
- V-254366
- Title: Windows Server 2022 Remote Desktop Services must prevent drive redirection.
- V-254367
- Title: Windows Server 2022 Remote Desktop Services must always prompt a client for passwords upon connection.
- V-254368
- Title: Windows Server 2022 Remote Desktop Services must require secure Remote Procedure Call (RPC) communications.
- V-254369
- Title: Windows Server 2022 Remote Desktop Services must be configured with the client connection encryption set to High Level.
- V-254370
- Title: Windows Server 2022 must prevent attachments from being downloaded from RSS feeds.
- V-254371
- Title: Windows Server 2022 must disable Basic authentication for RSS feeds over HTTP.
- V-254372
- Title: Windows Server 2022 must prevent Indexing of encrypted files.
- V-254373
- Title: Windows Server 2022 must prevent users from changing installation options.
- V-254374
- Title: Windows Server 2022 must disable the Windows Installer Always install with elevated privileges option.
- V-254375
- Title: Windows Server 2022 users must be notified if a web-based program attempts to install software.
- V-254376
- Title: Windows Server 2022 must disable automatically signing in the last interactive user after a system-initiated restart.
- V-254377
- Title: Windows Server 2022 PowerShell script block logging must be enabled.
- V-254378
- Title: Windows Server 2022 Windows Remote Management (WinRM) client must not use Basic authentication.
- V-254379
- Title: Windows Server 2022 Windows Remote Management (WinRM) client must not allow unencrypted traffic.
- V-254380
- Title: Windows Server 2022 Windows Remote Management (WinRM) client must not use Digest authentication.
- V-254381
- Title: Windows Server 2022 Windows Remote Management (WinRM) service must not use Basic authentication.
- V-254382
- Title: Windows Server 2022 Windows Remote Management (WinRM) service must not allow unencrypted traffic.
- V-254383
- Title: Windows Server 2022 Windows Remote Management (WinRM) service must not store RunAs credentials.
- V-254384
- Title: Windows Server 2022 must have PowerShell Transcription enabled.
- V-254407
- Title: Windows Server 2022 must be configured to audit Account Management - Computer Account Management successes.
- V-254408
- Title: Windows Server 2022 must be configured to audit DS Access - Directory Service Access successes.
- V-254409
- Title: Windows Server 2022 must be configured to audit DS Access - Directory Service Access failures.
- V-254410
- Title: Windows Server 2022 must be configured to audit DS Access - Directory Service Changes successes.
- V-254416
- Title: Windows Server 2022 domain controllers must require LDAP access signing.
- V-254417
- Title: Windows Server 2022 domain controllers must be configured to allow reset of machine account passwords.
- V-254418
- Title: Windows Server 2022 Access this computer from the network user right must only be assigned to the Administrators, Authenticated Users, and
Enterprise Domain Controllers groups on domain controllers.
- V-254419
- Title: Windows Server 2022 Add workstations to domain user right must only be assigned to the Administrators group on domain controllers.
- V-254420
- Title: Windows Server 2022 Allow log on through Remote Desktop Services user right must only be assigned to the Administrators group on domain controllers.
- V-254421
- Title: Windows Server 2022 Deny access to this computer from the network user right on domain controllers must be configured to prevent unauthenticated access.
- V-254422
- Title: Windows Server 2022 Deny log on as a batch job user right on domain controllers must be configured to prevent unauthenticated access.
- V-254423
- Title: Windows Server 2022 Deny log on as a service user right must be configured to include no accounts or groups (blank) on domain controllers.
- V-254424
- Title: Windows Server 2022 Deny log on locally user right on domain controllers must be configured to prevent unauthenticated access.
- V-254425
- Title: Windows Server 2022 Deny log on through Remote Desktop Services user right on domain controllers must be configured to prevent unauthenticated access.
- V-254426
- Title: Windows Server 2022 Enable computer and user accounts to be trusted for delegation user right must only be assigned to the Administrators group on domain controllers.
- V-254429
- Title: Windows Server 2022 local administrator accounts must have their privileged token filtered to prevent elevated privileges from being used over the network on domain-joined member servers.
- V-254430
- Title: Windows Server 2022 local users on domain-joined member servers must not be enumerated.
- V-254431
- Title: Windows Server 2022 must restrict unauthenticated Remote Procedure Call (RPC) clients from connecting to the RPC server on domain-joined member servers and standalone or nondomain-joined systems.
- V-254432
- Title: Windows Server 2022 must limit the caching of logon credentials to four or less on domain-joined member servers.
- V-254433
- Title: Windows Server 2022 must restrict remote calls to the Security Account Manager (SAM) to Administrators on domain-joined member servers and standalone or nondomain-joined systems.
- V-254434
- Title: Windows Server 2022 Access this computer from the network user right must only be assigned to the Administrators and Authenticated Users groups on domain-joined member servers and standalone or nondomain-joined systems.
- V-254435
- Title: Windows Server 2022 Deny access to this computer from the network user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and local accounts and from unauthenticated access on all systems.
- V-254436
- Title: Windows Server 2022 Deny log on as a batch job user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and from unauthenticated access on all systems.
- V-254437
- Title: Windows Server 2022 Deny log on as a service user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts. No other groups or accounts must be assigned this right.
- V-254438
- Title: Windows Server 2022 Deny log on locally user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and from unauthenticated access on all systems.
- V-254439
- Title: Windows Server 2022 Deny log on through Remote Desktop Services user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and all local accounts and from unauthenticated access on all systems.
- V-254440
- Title: Windows Server 2022 Enable computer and user accounts to be trusted for delegation user right must not be assigned to any groups or accounts on domain-joined member servers and standalone or nondomain-joined systems.
- V-254445
- Title: Windows Server 2022 must have the built-in guest account disabled.
- V-254446
- Title: Windows Server 2022 must prevent local accounts with blank passwords from being used from the network.
- V-254447
- Title: Windows Server 2022 built-in administrator account must be renamed.
- V-254448
- Title: Windows Server 2022 built-in guest account must be renamed.
- V-254449
- Title: Windows Server 2022 must force audit policy subcategory settings to override audit policy category settings.
- V-254450
- Title: Windows Server 2022 setting Domain member: Digitally encrypt or sign secure channel data (always) must be configured to Enabled.
- V-254451
- Title: Windows Server 2022 setting Domain member: Digitally encrypt secure channel data (when possible) must be configured to Enabled.
- V-254452
- Title: Windows Server 2022 setting Domain member: Digitally sign secure channel data (when possible) must be configured to Enabled.
- V-254453
- Title: Windows Server 2022 computer account password must not be prevented from being reset.
- V-254454
- Title: Windows Server 2022 maximum age for machine account passwords must be configured to 30 days or less.
- V-254455
- Title: Windows Server 2022 must be configured to require a strong session key.
- V-254456
- Title: Windows Server 2022 machine inactivity limit must be set to 15 minutes or less, locking the system with the screen saver.
- V-254459
- Title: Windows Server 2022 Smart Card removal option must be configured to Force Logoff or Lock Workstation.
- V-254460
- Title: Windows Server 2022 setting Microsoft network client: Digitally sign communications (always) must be configured to Enabled.
- V-254461
- Title: Windows Server 2022 setting Microsoft network client: Digitally sign communications (if server agrees) must be configured to Enabled.
- V-254462
- Title: Windows Server 2022 unencrypted passwords must not be sent to third-party Server Message Block (SMB) servers.
- V-254463
- Title: Windows Server 2022 setting Microsoft network server: Digitally sign communications (always) must be configured to Enabled.
- V-254464
- Title: Windows Server 2022 setting Microsoft network server: Digitally sign communications (if client agrees) must be configured to Enabled.
- V-254466
- Title: Windows Server 2022 must not allow anonymous enumeration of Security Account Manager (SAM) accounts.
- V-254467
- Title: Windows Server 2022 must not allow anonymous enumeration of shares.
- V-254468
- Title: Windows Server 2022 must be configured to prevent anonymous users from having the same permissions as the Everyone group.
- V-254469
- Title: Windows Server 2022 must restrict anonymous access to Named Pipes and Shares.
- V-254470
- Title: Windows Server 2022 services using Local System that use Negotiate when reverting to NTLM authentication must use the computer identity instead of authenticating anonymously.
- V-254471
- Title: Windows Server 2022 must prevent NTLM from falling back to a Null session.
- V-254472
- Title: Windows Server 2022 must prevent PKU2U authentication using online identities.
- V-254473
- Title: Windows Server 2022 Kerberos encryption types must be configured to prevent the use of DES and RC4 encryption suites.
- V-254474
- Title: Windows Server 2022 must be configured to prevent the storage of the LAN Manager hash of passwords.
- V-254475
- Title: Windows Server 2022 LAN Manager authentication level must be configured to send NTLMv2 response only and to refuse LM and NTLM.
- V-254476
- Title: Windows Server 2022 must be configured to at least negotiate signing for LDAP client signing.
- V-254477
- Title: Windows Server 2022 session security for NTLM SSP-based clients must be configured to require NTLMv2 session security and 128-bit encryption.
- V-254478
- Title: Windows Server 2022 session security for NTLM SSP-based servers must be configured to require NTLMv2 session security and 128-bit encryption.
- V-254479
- Title: Windows Server 2022 users must be required to enter a password to access private keys stored on the computer.
- V-254481
- Title: Windows Server 2022 default permissions of global system objects must be strengthened.
- V-254482
- Title: Windows Server 2022 User Account Control (UAC) approval mode for the built-in Administrator must be enabled.
- V-254483
- Title: Windows Server 2022 UIAccess applications must not be allowed to prompt for elevation without using the secure desktop.
- V-254484
- Title: Windows Server 2022 User Account Control (UAC) must, at a minimum, prompt administrators for consent on the secure desktop.
- V-254485
- Title: Windows Server 2022 User Account Control (UAC) must automatically deny standard user requests for elevation.
- V-254486
- Title: Windows Server 2022 User Account Control (UAC) must be configured to detect application installations and prompt for elevation.
- V-254487
- Title: Windows Server 2022 User Account Control (UAC) must only elevate UIAccess applications that are installed in secure locations.
- V-254488
- Title: Windows Server 2022 User Account Control (UAC) must run all administrators in Admin Approval Mode, enabling UAC.
- V-254489
- Title: Windows Server 2022 User Account Control (UAC) must virtualize file and registry write failures to per-user locations.
- V-254491
- Title: Windows Server 2022 Access Credential Manager as a trusted caller user right must not be assigned to any groups or accounts.
- V-254492
- Title: Windows Server 2022 Act as part of the operating system user right must not be assigned to any groups or accounts.
- V-254493
- Title: Windows Server 2022 Allow log on locally user right must only be assigned to the Administrators group.
- V-254494
- Title: Windows Server 2022 back up files and directories user right must only be assigned to the Administrators group.
- V-254495
- Title: Windows Server 2022 create a pagefile user right must only be assigned to the Administrators group.
- V-254496
- Title: Windows Server 2022 create a token object user right must not be assigned to any groups or accounts.
- V-254497
- Title: Windows Server 2022 create global objects user right must only be assigned to Administrators, Service, Local Service, and Network Service.
- V-254498
- Title: Windows Server 2022 create permanent shared objects user right must not be assigned to any groups or accounts.
- V-254499
- Title: Windows Server 2022 create symbolic links user right must only be assigned to the Administrators group.
- V-254500
- Title: Windows Server 2022 debug programs user right must only be assigned to the Administrators group.
- V-254501
- Title: Windows Server 2022 force shutdown from a remote system user right must only be assigned to the Administrators group.
- V-254502
- Title: Windows Server 2022 generate security audits user right must only be assigned to Local Service and Network Service.
- V-254503
- Title: Windows Server 2022 impersonate a client after authentication user right must only be assigned to Administrators, Service, Local Service, and Network Service.
- V-254504
- Title: Windows Server 2022 increase scheduling priority: user right must only be assigned to the Administrators group.
- V-254505
- Title: Windows Server 2022 load and unload device drivers user right must only be assigned to the Administrators group.
- V-254506
- Title: Windows Server 2022 lock pages in memory user right must not be assigned to any groups or accounts.
- V-254507
- Title: Windows Server 2022 manage auditing and security log user right must only be assigned to the Administrators group.
- V-254508
- Title: Windows Server 2022 modify firmware environment values user right must only be assigned to the Administrators group.
- V-254509
- Title: Windows Server 2022 perform volume maintenance tasks user right must only be assigned to the Administrators group.
- V-254510
- Title: Windows Server 2022 profile single process user right must only be assigned to the Administrators group.
- V-254511
- Title: Windows Server 2022 restore files and directories user right must only be assigned to the Administrators group.
- V-254512
- Title: Windows Server 2022 take ownership of files or other objects user right must only be assigned to the Administrators group.