UCF STIG Viewer Logo

Microsoft Windows Server 2012/2012 R2 Domain Controller Security Technical Implementation Guide


Overview

Date Finding Count (366)
2022-03-01 CAT I (High): 41 CAT II (Med): 262 CAT III (Low): 63
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Available Profiles



Findings (MAC III - Administrative Sensitive)

Finding ID Severity Title
V-226330 High The LanMan authentication level must be set to send NTLMv2 response only, and to refuse LM and NTLM.
V-226246 High Windows 2012/2012 R2 accounts must be configured to require passwords.
V-226064 High Reversible password encryption must be disabled.
V-226184 High Autoplay must be turned off for non-volume devices.
V-226185 High The default Autorun behavior must be configured to prevent Autorun commands.
V-226186 High Autoplay must be disabled for all drives.
V-226237 High Systems must be maintained at a supported service pack level.
V-226238 High Only administrators responsible for the domain controller must have Administrator rights on the system.
V-226239 High Local volumes must use a format that supports NTFS attributes.
V-226272 High Local accounts with blank passwords must be restricted to prevent access from the network.
V-226270 High Anonymous access to the registry must be restricted.
V-226328 High The system must be configured to prevent the storage of the LAN Manager hash of passwords.
V-226380 High The Debug programs user right must only be assigned to the Administrators group.
V-226315 High Anonymous enumeration of SAM accounts must not be allowed.
V-226314 High Anonymous SID/Name translation must not be allowed.
V-226316 High Anonymous enumeration of shares must be restricted.
V-226265 High Domain Controller PKI certificates must be issued by the DoD PKI or an approved External Certificate Authority (ECA).
V-226266 High PKI certificates associated with user accounts must be issued by the DoD PKI or an approved External Certificate Authority (ECA).
V-226269 High Standard user accounts must only have Read permissions to the Active Setup\Installed Components registry key.
V-226268 High Standard user accounts must only have Read permissions to the Winlogon registry key.
V-226320 High Unauthorized remotely accessible registry paths and sub-paths must not be configured.
V-226321 High Anonymous access to Named Pipes and Shares must be restricted.
V-226322 High Network shares that can be accessed anonymously must not be allowed.
V-226210 High The Windows Installer Always install with elevated privileges option must be disabled.
V-226216 High The Windows Remote Management (WinRM) client must not use Basic authentication.
V-226219 High The Windows Remote Management (WinRM) service must not use Basic authentication.
V-226031 High Users with Administrative privileges must have separate accounts for administrative duties and normal operational tasks.
V-226034 High Administrative accounts must not be used with applications that access the Internet, such as web browsers, or with potential Internet sources, such as email.
V-226048 High The Windows 2012 / 2012 R2 system must use an anti-virus program.
V-226258 High File Transfer Protocol (FTP) servers must be configured to prevent access to the system drive.
V-226319 High Unauthorized remotely accessible registry paths must not be configured.
V-226318 High Named pipes that can be accessed anonymously must be configured with limited values on domain controllers.
V-226074 High Domain created Active Directory Organizational Unit (OU) objects must have proper access control permissions.
V-226070 High Active Directory data files must have proper access control permissions.
V-226071 High The Active Directory SYSVOL directory must have the proper access control permissions.
V-226072 High Active Directory Group Policy objects must have proper access control permissions.
V-226073 High The Active Directory Domain Controllers Organizational Unit (OU) object must have the proper access control permissions.
V-226372 High The Act as part of the operating system user right must not be assigned to any groups or accounts.
V-226376 High The Create a token object user right must not be assigned to any groups or accounts.
V-226082 High Directory data (outside the root DSE) of a non-public directory must be configured to prevent anonymous access.
V-226175 High Solicited Remote Assistance must not be allowed.
V-226336 Medium The system must be configured to require case insensitivity for non-Windows subsystems.
V-226335 Medium The system must be configured to use FIPS-compliant algorithms for encryption, hashing, and signing.
V-226333 Medium The system must be configured to meet the minimum session security requirement for NTLM SSP-based servers.
V-226332 Medium The system must be configured to meet the minimum session security requirement for NTLM SSP-based clients.
V-226331 Medium The system must be configured to the required LDAP client signing level.
V-226339 Medium User Account Control must, at minimum, prompt administrators for consent.
V-226338 Medium User Account Control approval mode for the built-in Administrator must be enabled.
V-226203 Medium Remote Desktop Services must delete temporary folders when a session is terminated.
V-226202 Medium Remote Desktop Services must be configured with the client connection encryption set to the required level.
V-226201 Medium Remote Desktop Services must always prompt a client for passwords upon connection.
V-226200 Medium Local drives must be prevented from sharing with Remote Desktop Session Hosts. (Remote Desktop Services Role).
V-226206 Medium Basic authentication for RSS feeds over HTTP must be turned off.
V-226205 Medium Attachments must be prevented from being downloaded from RSS feeds.
V-226204 Medium Remote Desktop Services must be configured to use session-specific temporary folders.
V-226209 Medium Users must be prevented from changing installation options.
V-226208 Medium The Windows Store application must be turned off.
V-226029 Medium Server systems must be located in a controlled access area, accessible only to authorized personnel.
V-226147 Medium The Windows Connect Now wizards must be disabled.
V-226061 Medium The minimum password age must meet requirements.
V-226060 Medium The maximum password age must meet requirements.
V-226058 Medium The reset period for the account lockout counter must be configured to 15 minutes or greater on Windows 2012.
V-226059 Medium The password history must be configured to 24 passwords remembered.
V-226069 Medium The computer clock synchronization tolerance must be limited to 5 minutes or less.
V-226341 Medium User Account Control must be configured to detect application installations and prompt for elevation.
V-226050 Medium The Server Message Block (SMB) v1 protocol must be disabled on the SMB server.
V-226051 Medium The Server Message Block (SMB) v1 protocol must be disabled on the SMB client.
V-226249 Medium Non system-created file shares on a system must limit access to groups that require it.
V-226248 Medium System files must be monitored for unauthorized changes.
V-226247 Medium Windows 2012/2012 R2 passwords must be configured to expire.
V-226243 Medium The system must not boot into multiple operating systems (dual-boot).
V-226242 Medium Permissions for Windows installation directory must conform to minimum requirements.
V-226241 Medium Permissions for program file directories must conform to minimum requirements.
V-226240 Medium Permissions for system drive root directory (usually C:\) must conform to minimum requirements.
V-226067 Medium The Kerberos user ticket lifetime must be limited to 10 hours or less.
V-226066 Medium The Kerberos service ticket maximum lifetime must be limited to 600 minutes or less.
V-226065 Medium Kerberos user logon restrictions must be enforced.
V-226063 Medium The built-in Windows password complexity policy must be enabled.
V-226062 Medium Passwords must, at a minimum, be 14 characters.
V-226346 Medium User Account Control must virtualize file and registry write failures to per-user locations.
V-226347 Medium UIAccess applications must not be allowed to prompt for elevation without using the secure desktop.
V-226344 Medium User Account Control must run all administrators in Admin Approval Mode, enabling UAC.
V-226345 Medium User Account Control must switch to the secure desktop when prompting for elevation.
V-226342 Medium Windows must elevate all applications in User Account Control, not just signed ones.
V-226343 Medium User Account Control must only elevate UIAccess applications that are installed in secure locations.
V-226340 Medium User Account Control must automatically deny standard user requests for elevation.
V-226068 Medium The Kerberos policy user ticket renewal maximum lifetime must be limited to 7 days or less.
V-226119 Medium The system must be configured to audit System - System Integrity successes.
V-226118 Medium The system must be configured to audit System - Security System Extension successes.
V-226113 Medium The system must be configured to audit System - IPsec Driver successes.
V-226112 Medium The system must be configured to audit Privilege Use - Sensitive Privilege Use failures.
V-226111 Medium The system must be configured to audit Privilege Use - Sensitive Privilege Use successes.
V-226110 Medium The system must be configured to audit Policy Change - Authorization Policy Change successes.
V-226117 Medium The system must be configured to audit System - Security State Change successes.
V-226116 Medium Windows Server 2012/2012 R2 must be configured to audit System - Other System Events failures.
V-226115 Medium Windows Server 2012/2012 R2 must be configured to audit System - Other System Events successes.
V-226114 Medium The system must be configured to audit System - IPsec Driver failures.
V-226187 Medium The use of biometrics must be disabled.
V-226188 Medium The password reveal button must not be displayed.
V-226189 Medium Administrator accounts must not be enumerated during elevation.
V-226079 Medium Windows services that are critical for directory server operation must be configured for automatic startup.
V-226236 Medium A host-based firewall must be installed and enabled on the system.
V-226234 Medium Automatically signing in the last interactive user after a system-initiated restart must be disabled (Windows 2012 R2).
V-226235 Medium WDigest Authentication must be disabled.
V-226233 Medium The Windows Explorer Preview pane must be disabled for Windows 2012.
V-226230 Medium Windows 2012 R2 must include command line data in process creation events.
V-226231 Medium The network selection user interface (UI) must not be displayed on the logon screen (Windows 2012 R2).
V-226150 Medium Remote access to the Plug and Play interface must be disabled for device installation.
V-226159 Medium Group Policy objects must be reprocessed even if they have not changed.
V-226158 Medium Early Launch Antimalware, Boot-Start Driver Initialization Policy must be enabled and configured to only Good and Unknown.
V-226391 Medium The Load and unload device drivers user right must only be assigned to the Administrators group.
V-226390 Medium The Increase scheduling priority user right must only be assigned to the Administrators group.
V-226309 Medium The system must be configured to use Safe DLL Search Mode.
V-226300 Medium The service principal name (SPN) target name validation level must be turned off.
V-226301 Medium Automatic logons must be disabled.
V-226146 Medium The configuration of wireless devices using Windows Connect Now must be disabled.
V-226251 Medium Software certificate installation files must be removed from Windows 2012/2012 R2.
V-226400 Medium The Allow log on through Remote Desktop Services user right must only be assigned to the Administrators group.
V-226076 Medium Time synchronization must be enabled on the domain controller.
V-226378 Medium The Create permanent shared objects user right must not be assigned to any groups or accounts.
V-226273 Medium The built-in administrator account must be renamed.
V-226271 Medium The built-in guest account must be disabled.
V-226276 Medium Auditing of Backup and Restore Privileges must be turned off.
V-226277 Medium Audit policy using subcategories must be enabled.
V-226274 Medium The built-in guest account must be renamed.
V-226275 Medium Auditing the Access of Global System Objects must be turned off.
V-226278 Medium Ejection of removable NTFS media must be restricted to Administrators.
V-226279 Medium Outgoing secure channel traffic must be encrypted or signed.
V-226298 Medium The Windows SMB server must perform SMB packet signing when possible.
V-226353 Medium The Fax service must be disabled if installed.
V-226352 Medium Users must be required to enter a password to access private keys stored on the computer.
V-226355 Medium The Peer Networking Identity Manager service must be disabled if installed.
V-226354 Medium The Microsoft FTP service must not be installed unless required.
V-226357 Medium The Telnet service must be disabled if installed.
V-226356 Medium The Simple TCP/IP Services service must be disabled if installed.
V-226359 Medium A screen saver must be enabled on the system.
V-226292 Medium The Smart Card removal option must be configured to Force Logoff or Lock Workstation.
V-226293 Medium The Windows SMB client must be configured to always perform SMB packet signing.
V-226294 Medium The Windows SMB client must be enabled to perform SMB packet signing when possible.
V-226295 Medium Unencrypted passwords must not be sent to third-party SMB Servers.
V-226297 Medium The Windows SMB server must be configured to always perform SMB packet signing.
V-226128 Medium Active Directory Group Policy objects must be configured with proper audit settings.
V-226129 Medium The Active Directory Domain object must be configured with proper audit settings.
V-226126 Medium Permissions for the Security event log must prevent access by nonprivileged accounts.
V-226127 Medium Permissions for the System event log must prevent access by nonprivileged accounts.
V-226124 Medium The operating system must, at a minimum, off-load audit records of interconnected systems in real time and off-load standalone systems weekly.
V-226125 Medium Permissions for the Application event log must prevent access by nonprivileged accounts.
V-226122 Medium Audit data must be retained for at least one year.
V-226123 Medium Audit records must be backed up onto a different system or media than the system being audited.
V-226120 Medium The system must be configured to audit System - System Integrity failures.
V-226121 Medium Audit data must be reviewed on a regular basis.
V-226288 Medium The required legal notice must be configured to display before console logon.
V-226193 Medium The System event log size must be configured to 32768 KB or greater.
V-226192 Medium The Setup event log size must be configured to 32768 KB or greater.
V-226191 Medium The Security event log size must be configured to 196608 KB or greater.
V-226190 Medium The Application event log size must be configured to 32768 KB or greater.
V-226197 Medium File Explorer shell protocol must run in protected mode.
V-226195 Medium Explorer Data Execution Prevention must be enabled.
V-226194 Medium Windows SmartScreen must be enabled on Windows 2012/2012 R2.
V-226052 Medium Orphaned security identifiers (SIDs) must be removed from user rights on Windows 2012 / 2012 R2.
V-226053 Medium Windows PowerShell must be updated to a version that supports script block logging on Windows 2012/2012 R2.
V-226199 Medium Passwords must not be saved in the Remote Desktop Client.
V-226198 Medium The location feature must be turned off.
V-226056 Medium Windows 2012 account lockout duration must be configured to 15 minutes or greater.
V-226057 Medium The number of allowed bad logon attempts must meet minimum requirements.
V-226054 Medium PowerShell script block logging must be enabled on Windows 2012/2012 R2.
V-226055 Medium Windows PowerShell 2.0 must not be installed on Windows 2012/2012 R2.
V-226286 Medium The Ctrl+Alt+Del security attention sequence for logons must be enabled.
V-226229 Medium The display of slide shows on the lock screen must be disabled (Windows 2012 R2).
V-226228 Medium Only the default client printer must be redirected to the Remote Desktop Session Host. (Remote Desktop Services Role).
V-226381 Medium The Deny access to this computer from the network user right on domain controllers must be configured to prevent unauthenticated access.
V-226386 Medium Unauthorized accounts must not have the Enable computer and user accounts to be trusted for delegation user right on domain controllers.
V-226387 Medium The Force shutdown from a remote system user right must only be assigned to the Administrators group.
V-226384 Medium The Deny log on locally user right on domain controllers must be configured to prevent unauthenticated access.
V-226385 Medium The Deny log on through Remote Desktop Services user right on domain controllers must be configured to prevent unauthenticated access.
V-226221 Medium The Windows Remote Management (WinRM) service must not store RunAs credentials.
V-226220 Medium The Windows Remote Management (WinRM) service must not allow unencrypted traffic.
V-226388 Medium The Generate security audits user right must only be assigned to Local Service and Network Service.
V-226389 Medium The Impersonate a client after authentication user right must only be assigned to Administrators, Service, Local Service, and Network Service.
V-226225 Medium Users must be prevented from mapping local LPT ports and redirecting data from the Remote Desktop Session Host to local LPT ports. (Remote Desktop Services Role).
V-226224 Medium Users must be prevented from mapping local COM ports and redirecting data from the Remote Desktop Session Host to local COM ports. (Remote Desktop Services Role).
V-226227 Medium Users must be prevented from redirecting Plug and Play devices to the Remote Desktop Session Host. (Remote Desktop Services Role).
V-226226 Medium The system must be configured to ensure smart card devices can be redirected to the Remote Desktop session. (Remote Desktop Services Role).
V-226368 Medium Users must be prevented from sharing files in their profiles.
V-226369 Medium Media Player must be configured to prevent automatic Codec downloads.
V-226360 Medium The screen saver must be password protected.
V-226363 Medium The Windows Help Experience Improvement Program must be disabled.
V-226364 Medium Windows Help Ratings feedback must be turned off.
V-226365 Medium Zone information must be preserved when saving attachments.
V-226366 Medium Mechanisms for removing zone information from file attachments must be hidden.
V-226367 Medium The system must notify antivirus when file attachments are opened.
V-226096 Medium The system must be configured to audit DS Access - Directory Service Access failures.
V-226097 Medium The system must be configured to audit DS Access - Directory Service Changes successes.
V-226094 Medium Windows Server 2012/2012 R2 must be configured to audit Logon/Logoff - Account Lockout failures.
V-226095 Medium The system must be configured to audit DS Access - Directory Service Access successes.
V-226092 Medium The system must be configured to audit Detailed Tracking - Process Creation successes.
V-226093 Medium Windows Server 2012/2012 R2 must be configured to audit Logon/Logoff - Account Lockout successes.
V-226090 Medium The system must be configured to audit Account Management - User Account Management successes.
V-226091 Medium The system must be configured to audit Account Management - User Account Management failures.
V-226317 Medium The system must be configured to prevent anonymous users from having the same rights as the Everyone group.
V-226098 Medium The system must be configured to audit DS Access - Directory Service Changes failures.
V-226382 Medium The Deny log on as a batch job user right on domain controllers must be configured to prevent unauthenticated access.
V-226383 Medium The Deny log on as a service user right must be configured to include no accounts or groups (blank) on domain controllers.
V-226168 Medium Windows must be prevented from using Windows Update to search for drivers.
V-226169 Medium Copying of user input methods to the system account for sign-in must be prevented.
V-226162 Medium Downloading print driver packages over HTTP must be prevented.
V-226160 Medium Group Policies must be refreshed in the background if the user is logged on.
V-226161 Medium Access to the Windows Store must be turned off.
V-226166 Medium Printing over HTTP must be prevented.
V-226167 Medium The Windows Customer Experience Improvement Program must be disabled.
V-226165 Medium The Internet File Association service must be turned off.
V-226038 Medium Windows 2012/2012 R2 manually managed application account passwords must be changed at least annually or when a system administrator with knowledge of the password leaves the organization.
V-226222 Medium The Remote Desktop Session Host must require secure RPC communications.
V-226039 Medium Shared user accounts must not be permitted on the system.
V-226030 Medium Users with administrative privilege must be documented.
V-226138 Medium Network Bridges must be prohibited in Windows.
V-226264 Medium Domain controllers must have a PKI server certificate.
V-226267 Medium Active directory user accounts, including administrators, must be configured to require the use of a Common Access Card (CAC), PIV-compliant hardware token, or Alternate Logon Token (ALT) for user authentication.
V-226261 Medium The DoD Root CA certificates must be installed in the Trusted Root Store.
V-226260 Medium Windows 2012 / 2012 R2 must automatically remove or disable emergency accounts after the crisis is resolved or within 72 hours.
V-226263 Medium The US DoD CCEB Interoperability Root CA cross-certificates must be installed into the Untrusted Certificates Store on unclassified systems.
V-226262 Medium The DoD Interoperability Root CA cross-certificates must be installed into the Untrusted Certificates Store on unclassified systems.
V-226324 Medium Services using Local System that use Negotiate when reverting to NTLM authentication must use the computer identity vs. authenticating anonymously.
V-226325 Medium NTLM must be prevented from falling back to a Null session.
V-226327 Medium Kerberos encryption types must be configured to prevent the use of DES and RC4 encryption suites.
V-226323 Medium The system must be configured to use the Classic security model.
V-226281 Medium Outgoing secure channel traffic must be signed when possible.
V-226280 Medium Outgoing secure channel traffic must be encrypted when possible.
V-226287 Medium The machine inactivity limit must be set to 15 minutes, locking the system with the screensaver.
V-226329 Medium The system must be configured to force users to log off when their allowed logon hours expire.
V-226284 Medium The system must be configured to require a strong session key.
V-226211 Medium Users must be notified if a web-based program attempts to install software.
V-226213 Medium Windows Media Digital Rights Management (DRM) must be prevented from accessing the Internet.
V-226215 Medium Windows Media Player must be configured to prevent automatic checking for updates.
V-226217 Medium The Windows Remote Management (WinRM) client must not allow unencrypted traffic.
V-226218 Medium The Windows Remote Management (WinRM) client must not use Digest authentication.
V-226131 Medium The Active Directory Domain Controllers Organizational Unit (OU) object must be configured with proper audit settings.
V-226130 Medium The Active Directory Infrastructure object must be configured with proper audit settings.
V-226133 Medium The Active Directory RID Manager$ object must be configured with proper audit settings.
V-226132 Medium The Active Directory AdminSDHolder object must be configured with proper audit settings.
V-226135 Medium The Mapper I/O network protocol (LLTDIO) driver must be disabled.
V-226134 Medium Event Viewer must be protected from unauthorized modification and deletion.
V-226137 Medium Windows Peer-to-Peer networking services must be turned off.
V-226136 Medium The Responder network protocol driver must be disabled.
V-226032 Medium Policy must require that system administrators (SAs) be trained for the operating systems used by systems under their control.
V-226033 Medium Windows 2012/2012 R2 password for the built-in Administrator account must be changed at least annually or when a member of the administrative team leaves the organization.
V-226035 Medium Members of the Backup Operators group must be documented.
V-226036 Medium Members of the Backup Operators group must have separate accounts for backup duties and normal operational tasks.
V-226037 Medium Policy must require application account passwords be at least 15 characters in length.
V-226049 Medium The Server Message Block (SMB) v1 protocol must be disabled on Windows 2012 R2.
V-226045 Medium The operating system must employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs.
V-226047 Medium Systems requiring data at rest protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest.
V-226046 Medium Protection methods such as TLS, encrypted VPNs, or IPSEC must be implemented if the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process.
V-226350 Medium Domain controllers must require LDAP access signing.
V-226358 Medium The Smart Card Removal Policy service must be configured to automatic.
V-226395 Medium The Perform volume maintenance tasks user right must only be assigned to the Administrators group.
V-226394 Medium The Modify firmware environment values user right must only be assigned to the Administrators group.
V-226397 Medium The Restore files and directories user right must only be assigned to the Administrators group.
V-226396 Medium The Profile single process user right must only be assigned to the Administrators group.
V-226259 Medium Windows 2012 / 2012 R2 must automatically remove or disable temporary user accounts after 72 hours.
V-226393 Medium The Manage auditing and security log user right must only be assigned to the Administrators group.
V-226392 Medium The Lock pages in memory user right must not be assigned to any groups or accounts.
V-226254 Medium Windows Server 2012 / 2012 R2 must employ automated mechanisms to determine the state of system components with regard to flaw remediation using the following frequency: continuously, where ESS is used; 30 days, for any additional internal network scans n
V-226255 Medium The system must support automated patch management tools to facilitate flaw remediation.
V-226256 Medium The system must query the certification authority to determine whether a public key certificate has been revoked before accepting the certificate for authentication purposes.
V-226257 Medium File Transfer Protocol (FTP) servers must be configured to prevent anonymous logons.
V-226399 Medium Unauthorized accounts must not have the Add workstations to domain user right.
V-226398 Medium The Take ownership of files or other objects user right must only be assigned to the Administrators group.
V-226252 Medium Necessary services must be documented to maintain a baseline to determine if additional, unnecessary services have been added to a system.
V-226253 Medium Servers must have a host-based Intrusion Detection System.
V-226326 Medium PKU2U authentication using online identities must be prevented.
V-226075 Medium Data files owned by users must be on a different logical partition from the directory server data files.
V-226379 Medium The Create symbolic links user right must only be assigned to the Administrators group.
V-226373 Medium The Allow log on locally user right must only be assigned to the Administrators group.
V-226371 Medium Unauthorized accounts must not have the Access this computer from the network user right on domain controllers.
V-226370 Medium The Access Credential Manager as a trusted caller user right must not be assigned to any groups or accounts.
V-226078 Medium The directory server supporting (directly or indirectly) system access or resource authorization must run on a machine dedicated to that function.
V-226375 Medium The Create a pagefile user right must only be assigned to the Administrators group.
V-226374 Medium The Back up files and directories user right must only be assigned to the Administrators group.
V-226089 Medium The system must be configured to audit Account Management - Security Group Management successes.
V-226088 Medium The system must be configured to audit Account Management - Other Account Management Events successes.
V-226080 Medium Separate, NSA-approved (Type 1) cryptography must be used to protect the directory data-in-transit for directory service implementations at a classified confidentiality level when replication data traverses a network cleared to a lower level than the data
V-226085 Medium The system must be configured to audit Account Logon - Credential Validation successes.
V-226084 Medium The password for the krbtgt account on a domain must be reset at least every 180 days.
V-226087 Medium Windows Server 2012/2012 R2 domain controllers must be configured to audit Account Management - Computer Account Management successes.
V-226086 Medium The system must be configured to audit Account Logon - Credential Validation failures.
V-226099 Medium The system must be configured to audit Logon/Logoff - Logoff successes.
V-226108 Medium The system must be configured to audit Policy Change - Audit Policy Change failures.
V-226109 Medium The system must be configured to audit Policy Change - Authentication Policy Change successes.
V-226100 Medium The system must be configured to audit Logon/Logoff - Logon successes.
V-226101 Medium The system must be configured to audit Logon/Logoff - Logon failures.
V-226102 Medium The system must be configured to audit Logon/Logoff - Special Logon successes.
V-226103 Medium The system must be configured to audit Object Access - Central Access Policy Staging successes.
V-226104 Medium The system must be configured to audit Object Access - Central Access Policy Staging failures.
V-226105 Medium The system must be configured to audit Object Access - Removable Storage successes.
V-226106 Medium The system must be configured to audit Object Access - Removable Storage failures.
V-226107 Medium The system must be configured to audit Policy Change - Audit Policy Change successes.
V-226377 Medium The Create global objects user right must only be assigned to Administrators, Service, Local Service, and Network Service.
V-226174 Medium The system must be configured to prevent unsolicited remote assistance offers.
V-226171 Medium App notifications on the lock screen must be turned off.
V-226170 Medium Local users on domain-joined computers must not be enumerated.
V-226173 Medium The user must be prompted to authenticate on resume from sleep (plugged in).
V-226172 Medium Users must be prompted to authenticate on resume from sleep (on battery).
V-226337 Low The default permissions of global system objects must be increased.
V-226334 Low The shutdown option must not be available from the logon dialog box.
V-226207 Low Automatic download of updates from the Windows Store must be turned off.
V-226145 Low IP stateless autoconfiguration limits state must be enabled.
V-226140 Low All Direct Access traffic must be routed through the internal network.
V-226148 Low Windows Update must be prevented from searching for point and print drivers.
V-226149 Low Optional component installation and component repair must be prevented from using Windows Update.
V-226245 Low Outdated or unused accounts must be removed from the system or disabled.
V-226244 Low Nonadministrative user accounts or groups must only have print permissions on printer shares.
V-226348 Low Optional Subsystems must not be permitted to operate on the system.
V-226349 Low The print driver installation privilege must be restricted to administrators.
V-226180 Low Responsiveness events must be prevented from being aggregated and sent to Microsoft.
V-226181 Low The time service must synchronize with an appropriate DoD time source.
V-226182 Low Trusted app installation must be enabled to allow for signed enterprise line of business apps.
V-226183 Low The Application Compatibility Program Inventory must be prevented from collecting data and sending the information to Microsoft.
V-226232 Low The setting to allow Microsoft accounts to be optional for modern style apps must be enabled (Windows 2012 R2).
V-226157 Low Users must not be prompted to search Windows Update for device drivers.
V-226156 Low Device driver updates must only search managed servers, not Windows Update.
V-226155 Low Device driver searches using Windows Update must be prevented.
V-226154 Low Windows must be prevented from sending an error report when a device driver requests additional software during installation.
V-226153 Low Device metadata retrieval from the Internet must be prevented.
V-226152 Low A system restore point must be created when a new device driver is installed.
V-226151 Low An Error Report must not be sent when a generic device driver is installed.
V-226308 Low The system must be configured to disable the Internet Router Discovery Protocol (IRDP).
V-226302 Low IPv6 source routing must be configured to the highest protection level.
V-226303 Low The system must be configured to prevent IP source routing.
V-226306 Low IPSec Exemptions must be limited.
V-226307 Low The system must be configured to ignore NetBIOS name release requests except from WINS servers.
V-226304 Low The system must be configured to prevent Internet Control Message Protocol (ICMP) redirects from overriding Open Shortest Path First (OSPF) generated routes.
V-226305 Low The system must be configured to limit how often keep-alive packets are sent.
V-226299 Low Users must be forcibly disconnected when their logon hours expire.
V-226291 Low Users must be warned in advance of their passwords expiring.
V-226296 Low The amount of idle time required before suspending a session must be properly set.
V-226196 Low Turning off File Explorer heap termination on corruption must be disabled.
V-226361 Low Notifications from Windows Push Network Service must be turned off.
V-226362 Low Toast notifications to the lock screen must be turned off.
V-226311 Low IPv6 TCP data retransmissions must be configured to prevent resources from becoming exhausted.
V-226310 Low The system must be configured to have password protection take effect within a limited time frame when the screen saver becomes active.
V-226312 Low The system must limit how many times unacknowledged TCP data is retransmitted.
V-226163 Low Event Viewer Events.asp links must be turned off.
V-226164 Low Errors in handwriting recognition on tablet PCs must not be reported to Microsoft.
V-226289 Low The Windows dialog box title for the legal banner must be configured.
V-226283 Low The maximum age for machine account passwords must be set to requirements.
V-226282 Low The computer account password must not be prevented from being reset.
V-226285 Low The system must be configured to prevent the display of the last username on the logon screen.
V-226212 Low Nonadministrators must be prevented from applying vendor-signed updates.
V-226214 Low Users must not be presented with Privacy and Installation options on first use of Windows Media Player.
V-226139 Low Domain users must be required to elevate when setting a networks location.
V-226044 Low System-related documentation must be backed up in accordance with local recovery time and recovery point objectives.
V-226041 Low System-level information must be backed up in accordance with local recovery time and recovery point objectives.
V-226040 Low Security configuration tools or equivalent processes must be used to configure and maintain platforms for security compliance.
V-226043 Low Backups of system-level information must be protected.
V-226042 Low User-level information must be backed up in accordance with local recovery time and recovery point objectives.
V-226351 Low Domain controllers must be configured to allow reset of machine account passwords.
V-226290 Low Caching of logon credentials must be limited.
V-226077 Low The time synchronization tool must be configured to enable logging of time source switching.
V-226081 Low Anonymous access to the root DSE of a non-public directory must be disabled.
V-226083 Low The directory service must be configured to terminate LDAP-based network connections to the directory server after five (5) minutes of inactivity.
V-226313 Low The system must generate an audit event when the audit log reaches a percentage of full threshold.
V-226179 Low Access to Windows Online Troubleshooting Service (WOTS) must be prevented.
V-226178 Low Microsoft Support Diagnostic Tool (MSDT) interactive communication with Microsoft must be prevented.
V-226177 Low The detection of compatibility issues for applications and drivers must be turned off.
V-226176 Low Remote Assistance log files must be generated.