UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Microsoft Windows 11 Security Technical Implementation Guide


Overview

Date Finding Count (256)
2024-02-27 CAT I (High): 28 CAT II (Med): 211 CAT III (Low): 17
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Available Profiles



Findings (MAC I - Mission Critical Sensitive)

Finding ID Severity Title
V-253283 High Data Execution Prevention (DEP) must be configured to at least OptOut.
V-253284 High Structured Exception Handling Overwrite Protection (SEHOP) must be enabled.
V-253305 High Reversible password encryption must be disabled.
V-253382 High Solicited Remote Assistance must not be allowed.
V-253386 High Autoplay must be turned off for non-volume devices.
V-253387 High The default autorun behavior must be configured to prevent autorun commands.
V-253388 High Autoplay must be disabled for all drives.
V-253486 High The "Create a token object" user right must not be assigned to any groups or accounts.
V-253481 High The "Act as part of the operating system" user right must not be assigned to any groups or accounts.
V-253411 High The Windows Installer feature "Always install with elevated privileges" must be disabled.
V-253416 High The Windows Remote Management (WinRM) client must not use Basic authentication.
V-253418 High The Windows Remote Management (WinRM) service must not use Basic authentication.
V-253259 High Windows 11 information systems must use BitLocker to encrypt all disks to protect the confidentiality and integrity of all information at rest.
V-253490 High The "Debug programs" user right must only be assigned to the Administrators group.
V-253370 High Credential Guard must be running on Windows 11 domain-joined systems.
V-253462 High The LanMan authentication level must be set to send NTLMv2 response only, and to refuse LM and NTLM.
V-253461 High The system must be configured to prevent the storage of the LAN Manager hash of passwords.
V-253275 High Internet Information System (IIS) or its subcomponents must not be installed on a workstation.
V-253263 High Windows 11 systems must be maintained at a supported servicing level.
V-253456 High Anonymous access to Named Pipes and Shares must be restricted.
V-253454 High Anonymous enumeration of shares must be restricted.
V-253452 High Anonymous SID/Name translation must not be allowed.
V-253453 High Anonymous enumeration of SAM accounts must not be allowed.
V-253294 High Administrative accounts must not be used with applications that access the internet, such as web browsers, or with potential internet sources, such as email.
V-253269 High Only accounts responsible for the administration of a system must have Administrator rights on the system.
V-253265 High Local volumes must be formatted using NTFS.
V-253264 High The Windows 11 system must use an antivirus program.
V-253260 High Windows 11 systems must use a BitLocker PIN for pre-boot authentication.
V-253324 Medium The system must be configured to audit Object Access - Removable Storage successes.
V-253325 Medium The system must be configured to audit Policy Change - Audit Policy Change successes.
V-253289 Medium The Secondary Logon service must be disabled on Windows 11.
V-253288 Medium The Server Message Block (SMB) v1 protocol must be disabled on the SMB client.
V-253320 Medium Windows 11 must be configured to audit Object Access - File Share successes.
V-253321 Medium Windows 11 must be configured to audit Object Access - Other Object Access Events successes.
V-253322 Medium Windows 11 must be configured to audit Object Access - Other Object Access Events failures.
V-253323 Medium The system must be configured to audit Object Access - Removable Storage failures.
V-253282 Medium Inbound exceptions to the firewall on Windows 11 domain workstations must only allow authorized remote management hosts.
V-253281 Medium A host-based firewall must be installed and enabled on the system.
V-253280 Medium Software certificate installation files must be removed from Windows 11.
V-253287 Medium The Server Message Block (SMB) v1 protocol must be disabled on the SMB server.
V-253286 Medium The Server Message Block (SMB) v1 protocol must be disabled on the system.
V-253285 Medium The Windows PowerShell 2.0 feature must be disabled on the system.
V-253396 Medium Explorer Data Execution Prevention must be enabled.
V-253270 Medium Only accounts responsible for the backup operations must be members of the Backup Operators group.
V-253376 Medium Printing over HTTP must be prevented.
V-253337 Medium The Application event log size must be configured to 32768 KB or greater.
V-253336 Medium The system must be configured to audit System - System Integrity successes.
V-253335 Medium The system must be configured to audit System - System Integrity failures.
V-253334 Medium The system must be configured to audit System - Security System Extension successes.
V-253333 Medium The system must be configured to audit System - Security State Change successes.
V-253332 Medium The system must be configured to audit System - Other System Events failures.
V-253331 Medium The system must be configured to audit System - Other System Events successes.
V-253330 Medium The system must be configured to audit System - IPsec Driver failures.
V-253339 Medium The System event log size must be configured to 32768 KB or greater.
V-253338 Medium The Security event log size must be configured to 1024000 KB or greater.
V-253326 Medium The system must be configured to audit Policy Change - Authentication Policy Change successes.
V-253449 Medium The Windows SMB client must be configured to always perform SMB packet signing.
V-253448 Medium The Smart Card removal option must be configured to Force Logoff or Lock Workstation.
V-257770 Medium Windows 11 must have command line process auditing events enabled for failures.
V-253440 Medium Outgoing secure channel traffic must be signed.
V-253443 Medium The system must be configured to require a strong session key.
V-253445 Medium The required legal notice must be configured to display before console logon.
V-253444 Medium The machine inactivity limit must be set to 15 minutes, locking the system with the screensaver.
V-253308 Medium The system must be configured to audit Account Management - Security Group Management successes.
V-253309 Medium The system must be configured to audit Account Management - User Account Management failures.
V-253302 Medium The minimum password age must be configured to at least 1 day.
V-253303 Medium Passwords must, at a minimum, be 14 characters.
V-253300 Medium The password history must be configured to 24 passwords remembered.
V-253301 Medium The maximum password age must be configured to 60 days or less.
V-253306 Medium The system must be configured to audit Account Logon - Credential Validation failures.
V-253307 Medium The system must be configured to audit Account Logon - Credential Validation successes.
V-253304 Medium The built-in Microsoft password complexity filter must be enabled.
V-253415 Medium PowerShell Transcription must be enabled on Windows 11.
V-253429 Medium The DoD Interoperability Root CA cross-certificates must be installed in the Untrusted Certificates Store on unclassified systems.
V-253328 Medium The system must be configured to audit Privilege Use - Sensitive Privilege Use failures.
V-253329 Medium The system must be configured to audit Privilege Use - Sensitive Privilege Use successes.
V-253492 Medium The "Deny log on as a batch job" user right on domain-joined workstations must be configured to prevent access from highly privileged domain accounts.
V-253438 Medium Outgoing secure channel traffic must be encrypted or signed.
V-253439 Medium Outgoing secure channel traffic must be encrypted.
V-253493 Medium The "Deny log on as a service" user right on Windows 11 domain-joined workstations must be configured to prevent access from highly privileged domain accounts.
V-253434 Medium Local accounts with blank passwords must be restricted to prevent access from the network.
V-253435 Medium The built-in administrator account must be renamed.
V-253436 Medium The built-in guest account must be renamed.
V-253437 Medium Audit policy using subcategories must be enabled.
V-253430 Medium The US DoD CCEB Interoperability Root CA cross-certificates must be installed in the Untrusted Certificates Store on unclassified systems.
V-253431 Medium Default permissions for the HKEY_LOCAL_MACHINE registry hive must be maintained.
V-253432 Medium The built-in administrator account must be disabled.
V-253433 Medium The built-in guest account must be disabled.
V-253498 Medium The "Impersonate a client after authentication" user right must only be assigned to Administrators, Service, Local Service, and Network Service.
V-253499 Medium The "Load and unload device drivers" user right must only be assigned to the Administrators group.
V-253319 Medium Windows 11 must be configured to audit Object Access - File Share failures.
V-253318 Medium The system must be configured to audit Logon/Logoff - Special Logon successes.
V-253258 Medium Windows 11 must employ automated mechanisms to determine the state of system components with regard to flaw remediation using the following frequency: continuously, where ESS is used; 30 days, for any additional internal network scans not covered by ESS; and annually, for external scans by Computer Network Defense Service Provider (CNDSP).
V-253315 Medium The system must be configured to audit Logon/Logoff - Logoff successes.
V-253314 Medium The system must be configured to audit Logon/Logoff - Group Membership successes.
V-253317 Medium The system must be configured to audit Logon/Logoff - Logon successes.
V-253491 Medium The "Deny access to this computer from the network" user right on workstations must be configured to prevent access from highly privileged domain accounts and local accounts on domain systems and unauthenticated access on all systems.
V-253311 Medium The system must be configured to audit Detailed Tracking - PNP Activity successes.
V-253310 Medium The system must be configured to audit Account Management - User Account Management successes.
V-253313 Medium The system must be configured to audit Logon/Logoff - Account Lockout failures.
V-253312 Medium The system must be configured to audit Detailed Tracking - Process Creation successes.
V-253494 Medium The "Deny log on locally" user right on workstations must be configured to prevent access from highly privileged domain accounts on domain systems and unauthenticated access on all systems.
V-253495 Medium The "Deny log on through Remote Desktop Services" user right on Windows 11 workstations must be configured to prevent access from highly privileged domain accounts and local accounts on domain systems and unauthenticated access on all systems.
V-253298 Medium The number of allowed bad logon attempts must be configured to three or less.
V-253299 Medium The period of time before the bad logon counter is reset must be configured to 15 minutes.
V-253383 Medium Unauthenticated RPC clients must be restricted from connecting to the RPC server.
V-253380 Medium Users must be prompted for a password on resume from sleep (on battery).
V-253381 Medium The user must be prompted for a password on resume from sleep (plugged in).
V-253427 Medium The DoD Root CA certificates must be installed in the Trusted Root Store.
V-253426 Medium Windows 11 Kernel (Direct Memory Access) DMA Protection must be enabled.
V-253389 Medium Enhanced anti-spoofing for facial recognition must be enabled on Windows 11.
V-253423 Medium The convenience PIN for Windows 11 must be disabled.
V-253422 Medium Windows 11 must be configured to prevent Windows apps from being activated by voice while the system is locked.
V-253421 Medium The Windows Remote Management (WinRM) client must not use Digest authentication.
V-253420 Medium The Windows Remote Management (WinRM) service must not store RunAs credentials.
V-253463 Medium The system must be configured to the required LDAP client signing level.
V-253489 Medium The "Create symbolic links" user right must only be assigned to the Administrators group.
V-253488 Medium The "Create permanent shared objects" user right must not be assigned to any groups or accounts.
V-253485 Medium The "Create a pagefile" user right must only be assigned to the Administrators group.
V-253484 Medium The "Change the system time" user right must only be assigned to Administrators and Local Service.
V-253487 Medium The "Create global objects" user right must only be assigned to Administrators, Service, Local Service, and Network Service.
V-253480 Medium The "Access this computer from the network" user right must only be assigned to the Administrators and Remote Desktop Users groups.
V-253483 Medium The "Back up files and directories" user right must only be assigned to the Administrators group.
V-253482 Medium The "Allow log on locally" user right must only be assigned to the Administrators and Users groups.
V-253368 Medium Windows 11 must be configured to enable Remote host allows delegation of non-exportable credentials.
V-253369 Medium Virtualization-based Security must be enabled on Windows 11 with the platform security level configured to Secure Boot or Secure Boot with DMA Protection.
V-253291 Medium Bluetooth must be turned off unless approved by the organization.
V-253360 Medium Insecure logons to an SMB server must be disabled.
V-253361 Medium Internet connection sharing must be disabled.
V-253362 Medium Hardened UNC Paths must be defined to require mutual authentication and integrity for at least the \\*\SYSVOL and \\*\NETLOGON shares.
V-253363 Medium Windows 11 must be configured to prioritize ECC Curves with longer key lengths first.
V-253364 Medium Simultaneous connections to the internet or a Windows domain must be limited.
V-253365 Medium Connections to non-domain networks when connected to a domain authenticated network must be blocked.
V-253366 Medium Wi-Fi Sense must be disabled.
V-253367 Medium Command line data must be included in process creation events.
V-253395 Medium The Microsoft Defender SmartScreen for Explorer must be enabled.
V-253290 Medium Orphaned security identifiers (SIDs) must be removed from user rights on Windows 11.
V-253295 Medium Windows 11 nonpersistent VM sessions must not exceed 24 hours.
V-253412 Medium Users must be notified if a web-based program attempts to install software.
V-253413 Medium Automatically signing in the last interactive user after a system-initiated restart must be disabled.
V-253410 Medium Users must be prevented from changing installation options.
V-253391 Medium Administrator accounts must not be enumerated during elevation.
V-253417 Medium The Windows Remote Management (WinRM) client must not allow unencrypted traffic.
V-253393 Medium Windows Telemetry must not be configured to Full.
V-257592 Medium Windows 11 must not have portproxy enabled or in use.
V-253254 Medium Domain-joined systems must use Windows 11 Enterprise Edition 64-bit version.
V-253257 Medium Secure Boot must be enabled on Windows 11 systems.
V-253399 Medium Windows 11 must be configured to disable Windows Game Recording and Broadcasting.
V-253398 Medium File Explorer shell protocol must run in protected mode.
V-253470 Medium Windows 11 must use multifactor authentication for local and network access to privileged and nonprivileged accounts.
V-253471 Medium User Account Control must automatically deny elevation requests for standard users.
V-253472 Medium User Account Control must be configured to detect application installations and prompt for elevation.
V-253473 Medium User Account Control must only elevate UIAccess applications that are installed in secure locations.
V-253474 Medium User Account Control must run all administrators in Admin Approval Mode, enabling UAC.
V-253414 Medium PowerShell script block logging must be enabled on Windows 11.
V-253476 Medium Passwords for enabled local Administrator accounts must be changed at least every 60 days.
V-253478 Medium Zone information must be preserved when saving attachments.
V-253479 Medium The "Access Credential Manager as a trusted caller" user right must not be assigned to any groups or accounts.
V-253392 Medium Enhanced diagnostic data must be limited to the minimum required to support Windows Analytics.
V-253379 Medium Local users on domain-joined computers must not be enumerated.
V-253378 Medium The network selection user interface (UI) must not be displayed on the logon screen.
V-253255 Medium Windows 11 domain-joined systems must have a Trusted Platform Module (TPM) enabled.
V-253372 Medium Early Launch Antimalware, Boot-Start Driver Initialization Policy must prevent boot drivers.
V-253371 Medium Virtualization-based protection of code integrity must be enabled.
V-253377 Medium Systems must at least attempt device authentication using certificates.
V-253256 Medium Windows 11 systems must have Unified Extensible Firmware Interface (UEFI) firmware and be configured to run in UEFI mode, not Legacy BIOS.
V-253375 Medium Web publishing and online ordering wizards must be prevented from downloading a list of providers.
V-253374 Medium Downloading print driver packages over HTTP must be prevented.
V-253419 Medium The Windows Remote Management (WinRM) service must not allow unencrypted traffic.
V-253316 Medium The system must be configured to audit Logon/Logoff - Logon failures.
V-253405 Medium The Remote Desktop Session Host must require secure RPC communications.
V-253404 Medium Remote Desktop Services must always prompt a client for passwords upon connection.
V-253407 Medium Attachments must be prevented from being downloaded from RSS feeds.
V-253406 Medium Remote Desktop Services must be configured with the client connection encryption set to the required level.
V-253401 Medium Windows 11 must be configured to require a minimum pin length of six characters or greater.
V-253400 Medium The use of a hardware security device with Windows Hello for Business must be enabled.
V-253403 Medium Local drives must be prevented from sharing with Remote Desktop Session Hosts.
V-253402 Medium Passwords must not be saved in the Remote Desktop Client.
V-253409 Medium Indexing of encrypted files must be turned off.
V-253408 Medium Basic authentication for RSS feeds over HTTP must not be used.
V-253373 Medium Group Policy objects must be reprocessed even if they have not changed.
V-253460 Medium Kerberos encryption types must be configured to prevent the use of DES and RC4 encryption suites.
V-253466 Medium The system must be configured to use FIPS-compliant algorithms for encryption, hashing, and signing.
V-253465 Medium The system must be configured to meet the minimum session security requirement for NTLM SSP based servers.
V-253464 Medium The system must be configured to meet the minimum session security requirement for NTLM SSP based clients.
V-253469 Medium User Account Control must prompt administrators for consent on the secure desktop.
V-253468 Medium User Account Control approval mode for the built-in Administrator must be enabled.
V-253496 Medium The "Enable computer and user accounts to be trusted for delegation" user right must not be assigned to any groups or accounts.
V-253348 Medium Windows 11 must be configured to audit MPSSVC Rule-Level Policy Change Successes.
V-253349 Medium Windows 11 must be configured to audit MPSSVC Rule-Level Policy Change Failures.
V-253346 Medium Windows 11 must be configured to audit other Logon/Logoff Events Failures.
V-253347 Medium Windows 11 must be configured to audit Detailed File Share Failures.
V-253344 Medium Windows 11 must be configured to audit Other Policy Change Events Failures.
V-253345 Medium Windows 11 must be configured to audit other Logon/Logoff Events Successes.
V-253342 Medium Windows 11 permissions for the System event log must prevent access by non-privileged accounts.
V-253343 Medium Windows 11 must be configured to audit Other Policy Change Events Successes.
V-253340 Medium Windows 11 permissions for the Application event log must prevent access by non-privileged accounts.
V-253341 Medium Windows 11 permissions for the Security event log must prevent access by non-privileged accounts.
V-253327 Medium The system must be configured to audit Policy Change - Authorization Policy Change successes.
V-253273 Medium Accounts must be configured to require password expiration.
V-253497 Medium The "Force shutdown from a remote system" user right must only be assigned to the Administrators group.
V-253271 Medium Only authorized user accounts must be allowed to create or run virtual machines on Windows 11 systems.
V-253276 Medium Simple Network Management Protocol (SNMP) must not be installed on the system.
V-253277 Medium Simple TCP/IP Services must not be installed on the system.
V-253274 Medium Permissions for system files and directories must conform to minimum requirements.
V-253278 Medium The Telnet Client must not be installed on the system.
V-253279 Medium The TFTP Client must not be installed on the system.
V-253457 Medium Remote calls to the Security Account Manager (SAM) must be restricted to Administrators.
V-253455 Medium The system must be configured to prevent anonymous users from having the same rights as the Everyone group.
V-253450 Medium Unencrypted passwords must not be sent to third-party SMB Servers.
V-253451 Medium The Windows SMB server must be configured to always perform SMB packet signing.
V-253428 Medium The External Root CA certificates must be installed in the Trusted Root Store on unclassified systems.
V-253458 Medium NTLM must be prevented from falling back to a Null session.
V-253459 Medium PKU2U authentication using online identities must be prevented.
V-253351 Medium Windows 11 must cover or disable the built-in or attached camera when not in use.
V-253350 Medium Camera access from the lock screen must be disabled.
V-253353 Medium IPv6 source routing must be configured to highest protection.
V-253352 Medium The display of slide shows on the lock screen must be disabled.
V-253354 Medium The system must be configured to prevent IP source routing.
V-253357 Medium Local administrator accounts must have their privileged token filtered to prevent elevated privileges from being used over the network on domain systems.
V-253359 Medium Run as different user must be removed from context menus.
V-253358 Medium WDigest Authentication must be disabled.
V-253292 Medium Bluetooth must be turned off when not in use.
V-253293 Medium The system must notify the user when a Bluetooth device attempts to connect.
V-253297 Medium Windows 11 account lockout duration must be configured to 15 minutes or greater.
V-253424 Medium Windows Ink Workspace must be configured to disallow access above the lock.
V-253475 Medium User Account Control must virtualize file and registry write failures to per-user locations.
V-253267 Medium Non-system-created file shares on a system must limit access to groups that require it.
V-253266 Medium Alternate operating systems must not be permitted on the same system.
V-253261 Medium Windows 11 systems must use a BitLocker PIN with a minimum length of six digits for pre-boot authentication.
V-256893 Medium Internet Explorer must be disabled for Windows 11.
V-253262 Medium The operating system must employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs.
V-253504 Medium The "Profile single process" user right must only be assigned to the Administrators group.
V-253505 Medium The "Restore files and directories" user right must only be assigned to the Administrators group.
V-253506 Medium The "Take ownership of files or other objects" user right must only be assigned to the Administrators group.
V-253500 Medium The "Lock pages in memory" user right must not be assigned to any groups or accounts.
V-253501 Medium The "Manage auditing and security log" user right must only be assigned to the Administrators group.
V-253502 Medium The "Modify firmware environment values" user right must only be assigned to the Administrators group.
V-253503 Medium The "Perform volume maintenance tasks" user right must only be assigned to the Administrators group.
V-253390 Low Microsoft consumer experiences must be turned off.
V-253441 Low The computer account password must not be prevented from being reset.
V-253442 Low The maximum age for machine account passwords must be configured to 30 days or less.
V-253447 Low Caching of logon credentials must be limited.
V-253446 Low The Windows message title for the legal notice must be configured.
V-253384 Low The setting to allow Microsoft accounts to be optional for modern style apps must be enabled.
V-253385 Low The Application Compatibility Program Inventory must be prevented from collecting data and sending the information to Microsoft.
V-253394 Low Windows Update must not obtain updates from other PCs on the internet.
V-253397 Low File Explorer heap termination on corruption must be disabled.
V-253477 Low Toast notifications to the lock screen must be turned off.
V-253467 Low The default permissions of global system objects must be increased.
V-253272 Low Standard local user accounts must not exist on a system in a domain.
V-253355 Low The system must be configured to prevent Internet Control Message Protocol (ICMP) redirects from overriding Open Shortest Path First (OSPF) generated routes.
V-253356 Low The system must be configured to ignore NetBIOS name release requests except from WINS servers.
V-253425 Low Windows 11 must be configured to prevent users from receiving suggestions for third-party or additional applications.
V-253296 Low The Windows 11 time service must synchronize with an appropriate DOD time source.
V-253268 Low Unused accounts must be disabled or removed from the system after 35 days of inactivity.