This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: email@example.com.
Anonymous access to the registry must be restricted.
The registry is integral to the function, security, and stability of the Windows system. Some processes may require anonymous access to the registry. This must be limited to properly protect the system.
File Transfer Protocol (FTP) servers must be configured to prevent access to the system drive.
The FTP service allows remote users to access shared files and directories. Access outside of the specific directories of shared data could provide access to system resources and compromise the system.
File Explorer shell protocol must run in protected mode.
The shell protocol will limit the set of folders applications can open when run in protected mode. Restricting files an application can open to a limited set of folders increases the security of Windows.
Active directory user accounts, including administrators, must be configured to require the use of a Common Access Card (CAC), PIV-compliant hardware token, or Alternate Logon Token (ALT) for user authentication.
Smart cards such as the Common Access Card (CAC) support a two-factor authentication technique. This provides a higher level of trust in the asserted identity than use of the username and...
Protection methods such as TLS, encrypted VPNs, or IPSEC must be implemented if the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process.
Information can be either unintentionally or maliciously disclosed or modified during preparation for transmission, for example, during aggregation, at protocol transformation points, and during...
Windows Server 2012 / 2012 R2 must employ automated mechanisms to determine the state of system components with regard to flaw remediation using the following frequency: continuously, where ESS is used; 30 days, for any additional internal network scans n
Without the use of automated mechanisms to scan for security flaws on a continuous and/or periodic basis, the operating system or other system components may remain vulnerable to the exploits...
Separate, NSA-approved (Type 1) cryptography must be used to protect the directory data-in-transit for directory service implementations at a classified confidentiality level when replication data traverses a network cleared to a lower level than the data
Commercial-grade encryption does not provide adequate protection when the classification level of directory data in transit is higher than the level of the network.
App notifications on the lock screen must be turned off.
App notifications that are displayed on the lock screen could display sensitive information to unauthorized personnel. Turning off this feature will limit access to the information to a logged on user.
Toast notifications to the lock screen must be turned off.
Toast notifications that are displayed on the lock screen could display sensitive information to unauthorized personnel. Turning off this feature will limit access to the information to a logged on user.