Microsoft Windows Server 2012/2012 R2 Member Server Security Technical Implementation Guide


Overview

Date: 2022-03-01
Finding Count (330): CAT I (High): 33, CAT II (Med): 238, CAT III (Low): 59

STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Findings (MAC I - Mission Critical Sensitive)

Finding ID Severity Title
V-225447 High Anonymous access to the registry must be restricted.
V-225244 High Administrative accounts must not be used with applications that access the Internet, such as web browsers, or with potential Internet sources, such as email.
V-225258 High The Windows 2012 / 2012 R2 system must use an anti-virus program.
V-225547 High The Act as part of the operating system user right must not be assigned to any groups or accounts.
V-225438 High File Transfer Protocol (FTP) servers must be configured to prevent access to the system drive.
V-225449 High Local accounts with blank passwords must be restricted to prevent access from the network.
V-225444 High Standard user accounts must only have Read permissions to the Winlogon registry key.
V-225445 High Standard user accounts must only have Read permissions to the Active Setup\Installed Components registry key.
V-225354 High Solicited Remote Assistance must not be allowed.
V-225241 High Users with Administrative privileges must have separate accounts for administrative duties and normal operational tasks.
V-225426 High Windows 2012/2012 R2 accounts must be configured to require passwords.
V-225498 High Anonymous access to Named Pipes and Shares must be restricted.
V-225505 High The system must be configured to prevent the storage of the LAN Manager hash of passwords.
V-225507 High The LanMan authentication level must be set to send NTLMv2 response only, and to refuse LM and NTLM.
V-225274 High Reversible password encryption must be disabled.
V-225365 High The default Autorun behavior must be configured to prevent Autorun commands.
V-225364 High Autoplay must be turned off for non-volume devices.
V-225366 High Autoplay must be disabled for all drives.
V-225419 High Local volumes must use a format that supports NTFS attributes.
V-225499 High Network shares that can be accessed anonymously must not be allowed.
V-225497 High Unauthorized remotely accessible registry paths and sub-paths must not be configured.
V-225496 High Unauthorized remotely accessible registry paths must not be configured.
V-225495 High Named pipes that can be accessed anonymously must be configured to contain no values on member servers.
V-225493 High Anonymous enumeration of shares must be restricted.
V-225492 High Anonymous enumeration of SAM accounts must not be allowed.
V-225491 High Anonymous SID/Name translation must not be allowed.
V-225390 High The Windows Installer Always install with elevated privileges option must be disabled.
V-225396 High The Windows Remote Management (WinRM) client must not use Basic authentication.
V-225418 High Only administrators responsible for the member server must have Administrator rights on the system.
V-225399 High The Windows Remote Management (WinRM) service must not use Basic authentication.
V-225417 High Systems must be maintained at a supported service pack level.
V-225556 High The Debug programs user right must only be assigned to the Administrators group.
V-225552 High The Create a token object user right must not be assigned to any groups or accounts.
V-225268 Medium The reset period for the account lockout counter must be configured to 15 minutes or greater on Windows 2012.
V-225410 Medium Windows 2012 R2 must include command line data in process creation events.
V-225310 Medium Permissions for the Application event log must prevent access by nonprivileged accounts.
V-225454 Medium Audit policy using subcategories must be enabled.
V-225478 Medium Automatic logons must be disabled.
V-225311 Medium Permissions for the Security event log must prevent access by nonprivileged accounts.
V-225409 Medium The display of slide shows on the lock screen must be disabled (Windows 2012 R2).
V-225513 Medium The system must be configured to require case insensitivity for non-Windows subsystems.
V-225259 Medium The Server Message Block (SMB) v1 protocol must be disabled on Windows 2012 R2.
V-225381 Medium Remote Desktop Services must always prompt a client for passwords upon connection.
V-225380 Medium Local drives must be prevented from sharing with Remote Desktop Session Hosts. (Remote Desktop Services Role).
V-225386 Medium Basic authentication for RSS feeds over HTTP must be turned off.
V-225385 Medium Attachments must be prevented from being downloaded from RSS feeds.
V-225384 Medium Remote Desktop Services must be configured to use session-specific temporary folders.
V-225420 Medium Permissions for system drive root directory (usually C:\) must conform to minimum requirements.
V-225255 Medium The operating system must employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs.
V-225257 Medium Systems requiring data at rest protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest.
V-225256 Medium Protection methods such as TLS, encrypted VPNs, or IPSEC must be implemented if the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process.
V-225541 Medium Mechanisms for removing zone information from file attachments must be hidden.
V-225540 Medium Zone information must be preserved when saving attachments.
V-225543 Medium Users must be prevented from sharing files in their profiles.
V-225308 Medium Audit records must be backed up onto a different system or media than the system being audited.
V-225545 Medium The Access Credential Manager as a trusted caller user right must not be assigned to any groups or accounts.
V-225544 Medium Media Player must be configured to prevent automatic Codec downloads.
V-225546 Medium The Access this computer from the network user right must only be assigned to the Administrators and Authenticated Users groups on member servers.
V-225303 Medium The system must be configured to audit System - Security System Extension successes.
V-225302 Medium The system must be configured to audit System - Security State Change successes.
V-225301 Medium Windows Server 2012/2012 R2 must be configured to audit System - Other System Events failures.
V-225300 Medium Windows Server 2012/2012 R2 must be configured to audit System - Other System Events successes.
V-225307 Medium Audit data must be retained for at least one year.
V-225306 Medium Audit data must be reviewed on a regular basis.
V-225305 Medium The system must be configured to audit System - System Integrity failures.
V-225304 Medium The system must be configured to audit System - System Integrity successes.
V-225500 Medium The system must be configured to use the Classic security model.
V-225312 Medium Permissions for the System event log must prevent access by nonprivileged accounts.
V-225317 Medium Network Bridges must be prohibited in Windows.
V-225289 Medium The system must be configured to audit Object Access - Central Access Policy Staging failures.
V-225448 Medium The built-in guest account must be disabled.
V-225263 Medium Windows PowerShell must be updated to a version that supports script block logging on Windows 2012/2012 R2.
V-225329 Medium Remote access to the Plug and Play interface must be disabled for device installation.
V-225379 Medium Passwords must not be saved in the Remote Desktop Client.
V-225314 Medium The Mapper I/O network protocol (LLTDIO) driver must be disabled.
V-225279 Medium The system must be configured to audit Account Management - User Account Management successes.
V-225278 Medium The system must be configured to audit Account Management - Security Group Management successes.
V-225439 Medium Windows 2012 / 2012 R2 must automatically remove or disable temporary user accounts after 72 hours.
V-225315 Medium The Responder network protocol driver must be disabled.
V-225435 Medium The system must support automated patch management tools to facilitate flaw remediation.
V-225434 Medium Windows Server 2012 / 2012 R2 must employ automated mechanisms to determine the state of system components with regard to flaw remediation using the following frequency: continuously, where ESS is used; 30 days, for any additional internal network scans not covered by ESS; and annually, for external scans by Computer Network Defense Service Provider (CNDSP).
V-225437 Medium File Transfer Protocol (FTP) servers must be configured to prevent anonymous logons.
V-225436 Medium The system must query the certification authority to determine whether a public key certificate has been revoked before accepting the certificate for authentication purposes.
V-225431 Medium Software certificate installation files must be removed from Windows 2012/2012 R2.
V-225433 Medium Servers must have a host-based Intrusion Detection System.
V-225432 Medium Necessary services must be documented to maintain a baseline to determine if additional, unnecessary services have been added to a system.
V-225534 Medium A screen saver must be enabled on the system.
V-225535 Medium The screen saver must be password protected.
V-225530 Medium The Peer Networking Identity Manager service must be disabled if installed.
V-225531 Medium The Simple TCP/IP Services service must be disabled if installed.
V-225338 Medium Group Policy objects must be reprocessed even if they have not changed.
V-225339 Medium Group Policies must be refreshed in the background if the user is logged on.
V-225337 Medium Early Launch Antimalware, Boot-Start Driver Initialization Policy must be enabled and configured to only Good and Unknown.
V-225265 Medium Windows PowerShell 2.0 must not be installed on Windows 2012/2012 R2.
V-225348 Medium Copying of user input methods to the system account for sign-in must be prevented.
V-225452 Medium Auditing the Access of Global System Objects must be turned off.
V-225313 Medium Event Viewer must be protected from unauthorized modification and deletion.
V-225245 Medium Members of the Backup Operators group must be documented.
V-225276 Medium The system must be configured to audit Account Logon - Credential Validation failures.
V-225375 Medium Explorer Data Execution Prevention must be enabled.
V-225326 Medium The Windows Connect Now wizards must be disabled.
V-225260 Medium The Server Message Block (SMB) v1 protocol must be disabled on the SMB server.
V-225273 Medium The built-in Windows password complexity policy must be enabled.
V-225239 Medium Server systems must be located in a controlled access area, accessible only to authorized personnel.
V-225261 Medium The Server Message Block (SMB) v1 protocol must be disabled on the SMB client.
V-225262 Medium Orphaned security identifiers (SIDs) must be removed from user rights on Windows 2012 / 2012 R2.
V-225527 Medium Users must be required to enter a password to access private keys stored on the computer.
V-225524 Medium UIAccess applications must not be allowed to prompt for elevation without using the secure desktop.
V-225325 Medium The configuration of wireless devices using Windows Connect Now must be disabled.
V-225522 Medium User Account Control must switch to the secure desktop when prompting for elevation.
V-225521 Medium User Account Control must run all administrators in Admin Approval Mode, enabling UAC.
V-225520 Medium User Account Control must only elevate UIAccess applications that are installed in secure locations.
V-225440 Medium Windows 2012 / 2012 R2 must automatically remove or disable emergency accounts after the crisis is resolved or within 72 hours.
V-225441 Medium The DoD Root CA certificates must be installed in the Trusted Root Store.
V-225442 Medium The DoD Interoperability Root CA cross-certificates must be installed into the Untrusted Certificates Store on unclassified systems.
V-225443 Medium The US DoD CCEB Interoperability Root CA cross-certificates must be installed into the Untrusted Certificates Store on unclassified systems.
V-225529 Medium The Microsoft FTP service must not be installed unless required.
V-225528 Medium The Fax service must be disabled if installed.
V-225383 Medium Remote Desktop Services must delete temporary folders when a session is terminated.
V-225275 Medium The system must be configured to audit Account Logon - Credential Validation successes.
V-225532 Medium The Telnet service must be disabled if installed.
V-225382 Medium Remote Desktop Services must be configured with the client connection encryption set to the required level.
V-225533 Medium The Smart Card Removal Policy service must be configured to automatic.
V-225428 Medium System files must be monitored for unauthorized changes.
V-225429 Medium Non system-created file shares on a system must limit access to groups that require it.
V-225269 Medium The password history must be configured to 24 passwords remembered.
V-225411 Medium The network selection user interface (UI) must not be displayed on the logon screen (Windows 2012 R2).
V-225271 Medium The minimum password age must meet requirements.
V-225518 Medium User Account Control must be configured to detect application installations and prompt for elevation.
V-225519 Medium Windows must elevate all applications in User Account Control, not just signed ones.
V-225243 Medium Windows 2012/2012 R2 password for the built-in Administrator account must be changed at least annually or when a member of the administrative team leaves the organization.
V-225512 Medium The system must be configured to use FIPS-compliant algorithms for encryption, hashing, and signing.
V-225538 Medium The Windows Help Experience Improvement Program must be disabled.
V-225510 Medium The system must be configured to meet the minimum session security requirement for NTLM SSP-based servers.
V-225516 Medium User Account Control must, at minimum, prompt administrators for consent.
V-225407 Medium Users must be prevented from redirecting Plug and Play devices to the Remote Desktop Session Host. (Remote Desktop Services Role).
V-225515 Medium User Account Control approval mode for the built-in Administrator must be enabled.
V-225422 Medium Permissions for Windows installation directory must conform to minimum requirements.
V-225458 Medium Outgoing secure channel traffic must be signed when possible.
V-225350 Medium App notifications on the lock screen must be turned off.
V-225351 Medium Users must be prompted to authenticate on resume from sleep (on battery).
V-225352 Medium The user must be prompted to authenticate on resume from sleep (plugged in).
V-225423 Medium The system must not boot into multiple operating systems (dual-boot).
V-225282 Medium Windows Server 2012/2012 R2 must be configured to audit Logon/Logoff - Account Lockout successes.
V-225283 Medium Windows Server 2012/2012 R2 must be configured to audit Logon/Logoff - Account Lockout failures.
V-225280 Medium The system must be configured to audit Account Management - User Account Management failures.
V-225281 Medium The system must be configured to audit Detailed Tracking - Process Creation successes.
V-225286 Medium The system must be configured to audit Logon/Logoff - Logon failures.
V-225389 Medium Users must be prevented from changing installation options.
V-225284 Medium The system must be configured to audit Logon/Logoff - Logoff successes.
V-225285 Medium The system must be configured to audit Logon/Logoff - Logon successes.
V-225270 Medium The maximum password age must meet requirements.
V-225388 Medium The Windows Store application must be turned off.
V-225316 Medium Windows Peer-to-Peer networking services must be turned off.
V-225427 Medium Windows 2012/2012 R2 passwords must be configured to expire.
V-225248 Medium Windows 2012/2012 R2 manually managed application account passwords must be changed at least annually or when a system administrator with knowledge of the password leaves the organization.
V-225421 Medium Permissions for program file directories must conform to minimum requirements.
V-225293 Medium The system must be configured to audit Policy Change - Audit Policy Change failures.
V-225509 Medium The system must be configured to meet the minimum session security requirement for NTLM SSP-based clients.
V-225508 Medium The system must be configured to the required LDAP client signing level.
V-225504 Medium Kerberos encryption types must be configured to prevent the use of DES and RC4 encryption suites.
V-225506 Medium The system must be configured to force users to log off when their allowed logon hours expire.
V-225501 Medium Services using Local System that use Negotiate when reverting to NTLM authentication must use the computer identity vs. authenticating anonymously.
V-225309 Medium The operating system must, at a minimum, off-load audit records of interconnected systems in real time and off-load standalone systems weekly.
V-225503 Medium PKU2U authentication using online identities must be prevented.
V-225502 Medium NTLM must be prevented from falling back to a Null session.
V-225347 Medium Windows must be prevented from using Windows Update to search for drivers.
V-225346 Medium The Windows Customer Experience Improvement Program must be disabled.
V-225345 Medium Printing over HTTP must be prevented.
V-225542 Medium The system must notify antivirus when file attachments are opened.
V-225299 Medium The system must be configured to audit System - IPsec Driver failures.
V-225298 Medium The system must be configured to audit System - IPsec Driver successes.
V-225340 Medium Access to the Windows Store must be turned off.
V-225295 Medium The system must be configured to audit Policy Change - Authorization Policy Change successes.
V-225294 Medium The system must be configured to audit Policy Change - Authentication Policy Change successes.
V-225297 Medium The system must be configured to audit Privilege Use - Sensitive Privilege Use failures.
V-225296 Medium The system must be configured to audit Privilege Use - Sensitive Privilege Use successes.
V-225463 Medium The Ctrl+Alt+Del security attention sequence for logons must be enabled.
V-225349 Medium Local users on domain-joined computers must not be enumerated.
V-225461 Medium The system must be configured to require a strong session key.
V-225292 Medium The system must be configured to audit Policy Change - Audit Policy Change successes.
V-225242 Medium Policy must require that system administrators (SAs) be trained for the operating systems used by systems under their control.
V-225341 Medium Downloading print driver packages over HTTP must be prevented.
V-225408 Medium Only the default client printer must be redirected to the Remote Desktop Session Host. (Remote Desktop Services Role).
V-225344 Medium The Internet File Association service must be turned off.
V-225469 Medium The Smart Card removal option must be configured to Force Logoff or Lock Workstation.
V-225539 Medium Windows Help Ratings feedback must be turned off.
V-225549 Medium The Allow log on through Remote Desktop Services user right must only be assigned to the Administrators group and other approved groups.
V-225393 Medium Windows Media Digital Rights Management (DRM) must be prevented from accessing the Internet.
V-225548 Medium The Allow log on locally user right must only be assigned to the Administrators group.
V-225472 Medium Unencrypted passwords must not be sent to third-party SMB Servers.
V-225465 Medium The required legal notice must be configured to display before console logon.
V-225464 Medium The machine inactivity limit must be set to 15 minutes, locking the system with the screensaver.
V-225395 Medium Windows Media Player must be configured to prevent automatic checking for updates.
V-225378 Medium The location feature must be turned off.
V-225456 Medium Outgoing secure channel traffic must be encrypted or signed.
V-225267 Medium The number of allowed bad logon attempts must meet minimum requirements.
V-225372 Medium The Setup event log size must be configured to 32768 KB or greater.
V-225291 Medium The system must be configured to audit Object Access - Removable Storage failures.
V-225370 Medium The Application event log size must be configured to 32768 KB or greater.
V-225371 Medium The Security event log size must be configured to 196608 KB or greater.
V-225288 Medium The system must be configured to audit Object Access - Central Access Policy Staging successes.
V-225377 Medium File Explorer shell protocol must run in protected mode.
V-225374 Medium Windows SmartScreen must be enabled on Windows 2012/2012 R2.
V-225290 Medium The system must be configured to audit Object Access - Removable Storage successes.
V-225471 Medium The Windows SMB client must be enabled to perform SMB packet signing when possible.
V-225470 Medium The Windows SMB client must be configured to always perform SMB packet signing.
V-225287 Medium The system must be configured to audit Logon/Logoff - Special Logon successes.
V-225475 Medium The Windows SMB server must perform SMB packet signing when possible.
V-225477 Medium The service principal name (SPN) target name validation level must be turned off.
V-225570 Medium The Modify firmware environment values user right must only be assigned to the Administrators group.
V-225571 Medium The Perform volume maintenance tasks user right must only be assigned to the Administrators group.
V-225572 Medium The Profile single process user right must only be assigned to the Administrators group.
V-225573 Medium The Restore files and directories user right must only be assigned to the Administrators group.
V-225574 Medium The Take ownership of files or other objects user right must only be assigned to the Administrators group.
V-225247 Medium Policy must require application account passwords be at least 15 characters in length.
V-225277 Medium The system must be configured to audit Account Management - Other Account Management Events successes.
V-225451 Medium The built-in guest account must be renamed.
V-225264 Medium PowerShell script block logging must be enabled on Windows 2012/2012 R2.
V-225397 Medium The Windows Remote Management (WinRM) client must not allow unencrypted traffic.
V-225240 Medium Users with administrative privilege must be documented.
V-225517 Medium User Account Control must automatically deny standard user requests for elevation.
V-225569 Medium The Manage auditing and security log user right must only be assigned to the Administrators group.
V-225474 Medium The Windows SMB server must be configured to always perform SMB packet signing.
V-225486 Medium The system must be configured to use Safe DLL Search Mode.
V-225246 Medium Members of the Backup Operators group must have separate accounts for backup duties and normal operational tasks.
V-225369 Medium Administrator accounts must not be enumerated during elevation.
V-225368 Medium The password reveal button must not be displayed.
V-225367 Medium The use of biometrics must be disabled.
V-225373 Medium The System event log size must be configured to 32768 KB or greater.
V-225404 Medium Users must be prevented from mapping local COM ports and redirecting data from the Remote Desktop Session Host to local COM ports. (Remote Desktop Services Role).
V-225405 Medium Users must be prevented from mapping local LPT ports and redirecting data from the Remote Desktop Session Host to local LPT ports. (Remote Desktop Services Role).
V-225406 Medium The system must be configured to ensure smart card devices can be redirected to the Remote Desktop session. (Remote Desktop Services Role).
V-225568 Medium The Lock pages in memory user right must not be assigned to any groups or accounts.
V-225400 Medium The Windows Remote Management (WinRM) service must not allow unencrypted traffic.
V-225401 Medium The Windows Remote Management (WinRM) service must not store RunAs credentials.
V-225402 Medium The Remote Desktop Session Host must require secure RPC communications.
V-225563 Medium The Force shutdown from a remote system user right must only be assigned to the Administrators group.
V-225562 Medium Unauthorized accounts must not have the Enable computer and user accounts to be trusted for delegation user right on member servers.
V-225561 Medium The Deny log on through Remote Desktop Services user right on member servers must be configured to prevent access from highly privileged domain accounts and all local accounts on domain systems, and from unauthenticated access on all systems.
V-225560 Medium The Deny log on locally user right on member servers must be configured to prevent access from highly privileged domain accounts on domain systems, and from unauthenticated access on all systems.
V-225567 Medium The Load and unload device drivers user right must only be assigned to the Administrators group.
V-225566 Medium The Increase scheduling priority user right must only be assigned to the Administrators group.
V-225565 Medium The Impersonate a client after authentication user right must only be assigned to Administrators, Service, Local Service, and Network Service.
V-225564 Medium The Generate security audits user right must only be assigned to Local Service and Network Service.
V-225266 Medium Windows 2012 account lockout duration must be configured to 15 minutes or greater.
V-225559 Medium The Deny log on as a service user right on member servers must be configured to prevent access from highly privileged domain accounts on domain systems. No other groups or accounts must be assigned this right.
V-225353 Medium The system must be configured to prevent unsolicited remote assistance offers.
V-225457 Medium Outgoing secure channel traffic must be encrypted when possible.
V-225453 Medium Auditing of Backup and Restore Privileges must be turned off.
V-225523 Medium User Account Control must virtualize file and registry write failures to per-user locations.
V-225272 Medium Passwords must, at a minimum, be 14 characters.
V-225557 Medium The Deny access to this computer from the network user right on member servers must be configured to prevent access from highly privileged domain accounts and local accounts on domain systems, and from unauthenticated access on all systems.
V-225494 Medium The system must be configured to prevent anonymous users from having the same rights as the Everyone group.
V-225391 Medium Users must be notified if a web-based program attempts to install software.
V-225450 Medium The built-in administrator account must be renamed.
V-225398 Medium The Windows Remote Management (WinRM) client must not use Digest authentication.
V-225446 Medium Local administrator accounts must have their privileged token filtered to prevent elevated privileges from being used over the network on domain systems.
V-225416 Medium A host-based firewall must be installed and enabled on the system.
V-225415 Medium WDigest Authentication must be disabled.
V-225414 Medium Automatically signing in the last interactive user after a system-initiated restart must be disabled (Windows 2012 R2).
V-225413 Medium The Windows Explorer Preview pane must be disabled for Windows 2012.
V-225455 Medium Ejection of removable NTFS media must be restricted to Administrators.
V-225558 Medium The Deny log on as a batch job user right on member servers must be configured to prevent access from highly privileged domain accounts on domain systems, and from unauthenticated access on all systems.
V-225249 Medium Shared user accounts must not be permitted on the system.
V-225356 Medium Unauthenticated RPC clients must be restricted from connecting to the RPC server.
V-225554 Medium The Create permanent shared objects user right must not be assigned to any groups or accounts.
V-225555 Medium The Create symbolic links user right must only be assigned to the Administrators group.
V-225553 Medium The Create global objects user right must only be assigned to Administrators, Service, Local Service, and Network Service.
V-225550 Medium The Back up files and directories user right must only be assigned to the Administrators group.
V-225551 Medium The Create a pagefile user right must only be assigned to the Administrators group.
V-225387 Low Automatic download of updates from the Windows Store must be turned off.
V-225251 Low System-level information must be backed up in accordance with local recovery time and recovery point objectives.
V-225250 Low Security configuration tools or equivalent processes must be used to configure and maintain platforms for security compliance.
V-225252 Low User-level information must be backed up in accordance with local recovery time and recovery point objectives.
V-225254 Low System-related documentation must be backed up in accordance with local recovery time and recovery point objectives.
V-225327 Low Windows Update must be prevented from searching for point and print drivers.
V-225328 Low Optional component installation and component repair must be prevented from using Windows Update.
V-225466 Low The Windows dialog box title for the legal banner must be configured.
V-225324 Low IP stateless autoconfiguration limits state must be enabled.
V-225536 Low Notifications from Windows Push Network Service must be turned off.
V-225537 Low Toast notifications to the lock screen must be turned off.
V-225336 Low Users must not be prompted to search Windows Update for device drivers.
V-225334 Low Device driver searches using Windows Update must be prevented.
V-225335 Low Device driver updates must only search managed servers, not Windows Update.
V-225332 Low Device metadata retrieval from the Internet must be prevented.
V-225333 Low Windows must be prevented from sending an error report when a device driver requests additional software during installation.
V-225330 Low An Error Report must not be sent when a generic device driver is installed.
V-225331 Low A system restore point must be created when a new device driver is installed.
V-225376 Low Turning off File Explorer heap termination on corruption must be disabled.
V-225525 Low Optional Subsystems must not be permitted to operate on the system.
V-225479 Low IPv6 source routing must be configured to the highest protection level.
V-225358 Low Microsoft Support Diagnostic Tool (MSDT) interactive communication with Microsoft must be prevented.
V-225511 Low The shutdown option must not be available from the logon dialog box.
V-225514 Low The default permissions of global system objects must be increased.
V-225459 Low The computer account password must not be prevented from being reset.
V-225467 Low Caching of logon credentials must be limited.
V-225253 Low Backups of system-level information must be protected.
V-225424 Low Nonadministrative user accounts or groups must only have print permissions on printer shares.
V-225359 Low Access to Windows Online Troubleshooting Service (WOTS) must be prevented.
V-225425 Low Outdated or unused accounts must be removed from the system or disabled.
V-225318 Low Domain users must be required to elevate when setting a networks location.
V-225468 Low Users must be warned in advance of their passwords expiring.
V-225462 Low The system must be configured to prevent the display of the last username on the logon screen.
V-225526 Low The print driver installation privilege must be restricted to administrators.
V-225343 Low Errors in handwriting recognition on tablet PCs must not be reported to Microsoft.
V-225473 Low The amount of idle time required before suspending a session must be properly set.
V-225460 Low The maximum age for machine account passwords must be set to requirements.
V-225476 Low Users must be forcibly disconnected when their logon hours expire.
V-225342 Low Event Viewer Events.asp links must be turned off.
V-225412 Low The setting to allow Microsoft accounts to be optional for modern style apps must be enabled (Windows 2012 R2).
V-225488 Low IPv6 TCP data retransmissions must be configured to prevent resources from becoming exhausted.
V-225489 Low The system must limit how many times unacknowledged TCP data is retransmitted.
V-225484 Low The system must be configured to ignore NetBIOS name release requests except from WINS servers.
V-225485 Low The system must be configured to disable the Internet Router Discovery Protocol (IRDP).
V-225487 Low The system must be configured to have password protection take effect within a limited time frame when the screen saver becomes active.
V-225480 Low The system must be configured to prevent IP source routing.
V-225481 Low The system must be configured to prevent Internet Control Message Protocol (ICMP) redirects from overriding Open Shortest Path First (OSPF) generated routes.
V-225482 Low The system must be configured to limit how often keep-alive packets are sent.
V-225483 Low IPSec Exemptions must be limited.
V-225355 Low Remote Assistance log files must be generated.
V-225361 Low The time service must synchronize with an appropriate DoD time source.
V-225360 Low Responsiveness events must be prevented from being aggregated and sent to Microsoft.
V-225363 Low The Application Compatibility Program Inventory must be prevented from collecting data and sending the information to Microsoft.
V-225357 Low The detection of compatibility issues for applications and drivers must be turned off.
V-225319 Low All Direct Access traffic must be routed through the internal network.
V-225490 Low The system must generate an audit event when the audit log reaches a percentage of full threshold.
V-225392 Low Nonadministrators must be prevented from applying vendor-signed updates.
V-225394 Low Users must not be presented with Privacy and Installation options on first use of Windows Media Player.
V-225362 Low Trusted app installation must be enabled to allow for signed enterprise line of business apps.