UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Microsoft Windows Server 2012 Domain Controller Security Technical Implementation Guide


Overview

Date Finding Count (437)
2013-07-25 CAT I (High): 49 CAT II (Med): 292 CAT III (Low): 96
STIG Description
Microsoft Windows Server 2012 Security Technical Implementation Guide (STIG) is published as a tool to improve the security of Department of Defense (DoD) information systems. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.letterkenny.FSO.mbx.stig-customer-support-mailbox@mail.mil.

Available Profiles



Findings (MAC II - Mission Support Sensitive)

Finding ID Severity Title
WN12-GE-000004-DC High Only administrators responsible for the system must have Administrator rights on the system.
WN12-SO-000004 High Local accounts with blank passwords must be restricted to prevent access from the network.
WN12-UR-000012 High Unauthorized accounts must not have the Create a token object user right.
WN12-UR-000016 High Unauthorized accounts must not have the Debug programs user right.
WN12-SO-000055-DC High Named pipes that can be accessed anonymously must be configured with limited values on domain controllers.
WN12-AD-000004-DC High The Active Directory Domain Controllers Organizational Unit (OU) object must have the proper access control permissions.
WN12-PK-000005-DC High Domain Controller PKI certificates must be issued by the DoD PKI or an approved External Certificate Authority (ECA).
WN12-AD-000005-DC High Domain created Active Directory Organizational Unit (OU) objects must have proper access control permissions.
WN12-GE-000027 High FTP servers must be configured to prevent access to the system drive.
WN12-00-000018 High Unencrypted remote access to system services must not be permitted.
WN12-UR-000043-DC High The Synchronize directory service data user right must be configured to include no accounts or groups (blank).
WN12-AC-000009 High Reversible password encryption must be disabled.
WN12-AD-000013-DC High Directory data (outside the root DSE) of a non-public directory must be configured to prevent anonymous access.
WN12-UR-000003 High Unauthorized accounts must not have the Act as part of the operating system user right.
WN12-CC-000059 High Solicited Remote Assistance must not be allowed.
WN12-SO-000059 High Network shares that can be accessed anonymously must not be allowed.
WN12-SO-000058 High Anonymous access to Named Pipes and Shares must be restricted.
WN12-SO-000052 High Anonymous enumeration of shares must be restricted.
WN12-SO-000051 High Anonymous enumeration of SAM accounts must not be allowed.
WN12-SO-000050 High Anonymous SID/Name translation must not be allowed.
WN12-SO-000057 High Unauthorized remotely accessible registry paths and sub-paths must not be configured.
WN12-SO-000056 High Unauthorized remotely accessible registry paths must not be configured.
WN12-AD-000002-DC High The Active Directory SYSVOL directory must have the proper access control permissions.
WN12-CC-000126 High The Windows Remote Management (WinRM) service must not use Basic authentication.
WN12-CC-000123 High The Windows Remote Management (WinRM) client must not use Basic authentication.
WN12-FW-000002 High The Windows Firewall must block unsolicited inbound connections for the Domain Profile.
WN12-SO-000067 High The LanMan authentication level must be set to send NTLMv2 response only, and to refuse LM and NTLM.
WN12-SO-000065 High The system must be configured to prevent the storage of the LAN Manager hash of passwords.
WN12-CC-000116 High The Windows Installer Always install with elevated privileges option must be disabled.
WN12-GE-000005 High Local volumes must be formatted using NTFS.
WN12-GE-000002 High An approved DoD antivirus program must be installed and used.
WN12-GE-000003 High The antivirus program signature files must be kept updated.
WN12-GE-000001 High Systems must be maintained at a supported service pack level.
WN12-AD-000003-DC High Active Directory Group Policy objects must have proper access control permissions.
WN12-AD-000001-DC High Active Directory data files must have proper access control permissions.
WN12-CC-000074 High Autoplay must be disabled for all drives.
WN12-CC-000073 High The default autorun behavior must be configured to prevent autorun commands.
WN12-CC-000072 High Autoplay must be turned off for non-volume devices.
WN12-FW-000020 High The Windows Firewall must block unsolicited inbound connections for the Public Profile.
WN12-FW-000011 High The Windows Firewall must block unsolicited inbound connections for the Private Profile.
WN12-SO-000071 High The Recovery Console option must be set to prevent automatic logon to the system.
WN12-PK-000006-DC High PKI certificates associated with user accounts must be issued by the DoD PKI or an approved External Certificate Authority (ECA).
WN12-RG-000001 High Standard user accounts must only have Read permissions to the Winlogon registry key.
WN12-RG-000002 High Standard user accounts must only have Read permissions to the Active Setup\Installed Components registry key.
WN12-RG-000004 High Anonymous access to the registry must be restricted.
WN12-GE-000015 High Accounts must require passwords.
WN12-00-000008 High Policy must require that administrative user accounts not be used with applications that access the Internet, such as web browsers, or with potential Internet sources, such as email.
WN12-00-000003 High The system must not use removable media as the boot loader.
WN12-00-000005 High Users with Administrative privileges must have separate accounts for administrative duties and normal operational tasks.
WN12-AD-000010-DC Medium Windows services that are critical for directory server operation must be configured for automatic startup.
WN12-AU-000068 Medium The system must be configured to audit Object Access - File System failures.
WN12-AU-000060 Medium The system must be configured to audit Object Access - Central Access Policy Staging failures.
WN12-AU-000036-DC Medium The system must be configured to audit DS Access - Directory Service Changes failures.
WN12-SO-000009 Medium Audit policy using subcategories must be enabled.
WN12-UR-000021-DC Medium The Deny log on through Remote Desktop Services user right on domain controllers must be configured to prevent unauthenticated access.
WN12-SO-000003 Medium The built-in guest account must be disabled.
WN12-SO-000005 Medium The built-in administrator account must be renamed.
WN12-SO-000006 Medium The built-in guest account must be renamed.
WN12-SO-000007 Medium Auditing the Access to Global System Objects must be turned off.
WN12-UR-000020-DC Medium The Deny log on locally user right on domain controllers must be configured to prevent unauthenticated access.
WN12-UR-000013 Medium Unauthorized accounts must not have the Create global objects user right.
WN12-UR-000011 Medium Unauthorized accounts must not have the Create a pagefile user right.
WN12-UR-000014 Medium Unauthorized accounts must not have the Create permanent shared objects user right.
WN12-UR-000015 Medium Unauthorized accounts must not have the Create symbolic links user right.
WN12-AU-000031-DC Medium The system must be configured to audit DS Access - Directory Service Access successes.
WN12-CC-000048 Medium Copying of user input methods to the system account for sign-in must be prevented.
WN12-CC-000041 Medium Search Companion must be prevented from automatically downloading content updates.
WN12-CC-000043 Medium The file and folder Publish to Web option must be unavailable in Windows folders.
WN12-CC-000044 Medium Windows Messenger must be prevented from collecting anonymous information about how the service is used.
WN12-CC-000045 Medium The Windows Customer Experience Improvement Program must be disabled.
WN12-CC-000046 Medium The system must be configured to prevent automatic forwarding of error information.
WN12-CC-000047 Medium Windows must be prevented from using Windows Update to search for drivers.
WN12-PK-000003 Medium The DoD Interoperability Root CA to DoD Root CA 2 cross-certificate must be installed into the Untrusted Certificates Store.
WN12-PK-000002 Medium The External CA root certificate must be installed into the Trusted Root Store.
WN12-PK-000001 Medium The DoD root certificate must be installed into the Trusted Root Store.
WN12-CC-000128 Medium The Windows Remote Management (WinRM) service must not store RunAs credentials.
WN12-AU-000116 Medium Global object access auditing of the registry must be configured to record failures.
WN12-AU-000114 Medium Global object access auditing of the file system must be configured to record failures.
WN12-AU-000112 Medium The system must be configured to audit System - System Integrity failures.
WN12-AU-000110 Medium The system must be configured to audit System - Security System Extension failures.
WN12-AU-000111 Medium The system must be configured to audit System - System Integrity successes.
WN12-SO-000090-DC Medium Domain controllers must require LDAP access signing.
WN12-AU-000023 Medium The system must be configured to audit Detailed Tracking - Process Creation successes.
WN12-AU-000020 Medium The system must be configured to audit Account Management - User Account Management failures.
WN12-SO-000008 Medium Auditing of Backup and Restore Privileges must be turned off.
WN12-AD-000011-DC Medium Separate, NSA-approved (Type 1) cryptography must be used to protect the directory data-in-transit for directory service implementations at a classified confidentiality level when replication data traverses a network cleared to a lower level than the data.
WN12-SO-000045 Medium The system must be configured to use Safe DLL Search Mode.
WN12-SV-000103 Medium The Peer Networking Identity Manager service must be disabled if installed.
WN12-SV-000100 Medium The Fax service must be disabled if installed.
WN12-SV-000101 Medium The Microsoft FTP service must not be installed.
WN12-SV-000106 Medium The Smart Card Removal Policy service must be configured to automatic.
WN12-PK-000007-DC Medium The directory server must be configured to use the CAC, PIV-compliant hardware token, or Alternate Logon Token (ALT) for user authentication.
WN12-SV-000104 Medium The Simple TCP/IP Services service must be disabled if installed.
WN12-SV-000105 Medium The Telnet service must be disabled if installed.
WN12-CC-000130 Medium The Remote Desktop Session Host must require secure RPC communications.
WN12-CC-000131 Medium Remote Desktop Services must limit users to one remote session.
WN12-CC-000132 Medium Users must be prevented from mapping local COM ports and redirecting data from the Remote Desktop Session Host to local COM ports. (Remote Desktop Services Role).
WN12-CC-000133 Medium Users must be prevented from mapping local LPT ports and redirecting data from the Remote Desktop Session Host to local LPT ports. (Remote Desktop Services Role).
WN12-CC-000134 Medium The system must be configured to ensure smart card devices can be redirected to the Remote Desktop session. (Remote Desktop Services Role).
WN12-CC-000135 Medium Users must be prevented from redirecting Plug and Play devices to the Remote Desktop Session Host. (Remote Desktop Services Role).
WN12-CC-000136 Medium Only the default client printer must be redirected to the Remote Desktop Session Host. (Remote Desktop Services Role).
WN12-AU-000018 Medium The system must be configured to audit Account Management - Security Group Management failures.
WN12-CC-000008 Medium The IP-HTTPS IPv6 transition technology must be disabled.
WN12-CC-000009 Medium The ISATAP IPv6 transition technology must be disabled.
WN12-CC-000004 Medium Network Bridges must be prohibited in Windows.
WN12-CC-000007 Medium The 6to4 IPv6 transition technology must be disabled.
WN12-CC-000001 Medium The Mapper I/O network protocol (LLTDIO) driver must be disabled.
WN12-CC-000002 Medium The Responder network protocol driver must be disabled.
WN12-CC-000003 Medium Windows Peer-to-Peer Networking Services must be turned off.
WN12-UR-000041 Medium Unauthorized accounts must not have the Shut down the system user right.
WN12-UR-000040 Medium Unauthorized accounts must not have the Restore files and directories user right.
WN12-UR-000042 Medium Unauthorized accounts must not have the Take ownership of files or other objects user right.
WN12-SO-000077 Medium User Account Control approval mode for the built-in Administrator must be enabled.
WN12-GE-000020 Medium Software certificate installation files must be removed from a system.
WN12-GE-000021 Medium Necessary services must be documented to maintain a baseline to determine if additional, unnecessary services have been added to a system.
WN12-GE-000022 Medium Servers must have a host-based Intrusion Detection System.
WN12-GE-000023 Medium The system must employ automated mechanisms or must have an application installed that, on an organization defined frequency, determines the state of information system components with regard to flaw remediation.
WN12-GE-000024 Medium The system must support automated patch management tools to facilitate flaw remediation to organization defined information system components.
WN12-GE-000025 Medium The system must query the certification authority to determine whether a public key certificate has been revoked before accepting the certificate for authentication purposes.
WN12-GE-000026 Medium FTP servers must be configured to prevent anonymous logons.
WN12-FW-000005 Medium The Windows Firewall must block unicast responses to multicast or broadcast messages for the Domain Profile.
WN12-UC-000011 Medium The system must notify antivirus when file attachments are opened.
WN12-UC-000010 Medium Mechanisms for removing zone information from file attachments must be hidden.
WN12-UC-000013 Medium Media Player must be configured to prevent automatic Codec downloads.
WN12-UC-000012 Medium Users must be prevented from sharing files in their profiles.
WN12-00-000011 Medium Application account passwords must be changed at least annually or when a system administrator with knowledge of the password leaves the organization.
WN12-00-000010 Medium Application account passwords must be at least 15 characters in length.
WN12-00-000012 Medium Shared user accounts must not be permitted on the system.
WN12-SO-000080 Medium User Account Control must be configured to detect application installations and prompt for elevation.
WN12-SO-000081 Medium Windows must elevate all applications in User Account Control, not just signed ones.
WN12-SO-000082 Medium User Account Control must only elevate UIAccess applications that are installed in secure locations.
WN12-SO-000083 Medium User Account Control must run all administrators in Admin Approval Mode, enabling UAC.
WN12-SO-000084 Medium User Account Control must switch to the secure desktop when prompting for elevation.
WN12-SO-000085 Medium User Account Control must virtualize file and registry write failures to per-user locations.
WN12-SO-000086 Medium UIAccess applications must not be allowed to prompt for elevation without using the secure desktop.
WN12-SO-000087 Medium Software certificate restriction policies must be enforced.
WN12-AU-000211-DC Medium The Active Directory AdminSDHolder object must be configured with proper audit settings.
WN12-AU-000074 Medium The system must be configured to audit Object Access - Handle Manipulation failures.
WN12-AC-000002 Medium The number of allowed bad logon attempts must meet minimum requirements.
WN12-AC-000003 Medium The period of time before the bad logon counter is reset must meet minimum requirements.
WN12-AC-000001 Medium The lockout duration must be configured to require an administrator to unlock an account.
WN12-AC-000006 Medium The minimum password age must meet requirements.
WN12-AC-000007 Medium Passwords must, at a minimum, be 14 characters.
WN12-AC-000004 Medium The password uniqueness must meet minimum requirements.
WN12-AC-000005 Medium The maximum password age must meet requirements.
WN12-SO-000017 Medium The system must be configured to require a strong session key.
WN12-SO-000014 Medium Outgoing secure channel traffic must be signed when possible.
WN12-SO-000013 Medium Outgoing secure channel traffic must be encrypted when possible.
WN12-SO-000012 Medium Outgoing secure channel traffic must be encrypted or signed.
WN12-SO-000011 Medium Ejection of removable NTFS media must be restricted to Administrators.
WN12-SO-000019 Medium The Ctrl+Alt+Del security attention sequence for logons must be enabled.
WN12-AU-000206 Medium Permissions for the System event log must prevent access by nonprivileged accounts.
WN12-AU-000204 Medium Permissions for the Application event log must prevent access by nonprivileged accounts.
WN12-AU-000205 Medium Permissions for the Security event log must prevent access by nonprivileged accounts.
WN12-AU-000202 Medium Audit data of systems containing sources and methods intelligence (SAMI) must be retained for at least five years.
WN12-AU-000203 Medium Audit records must be backed up on an organization defined frequency onto a different system or media than the system being audited.
WN12-AU-000200 Medium Audit data must be reviewed on a regular basis.
WN12-AU-000201 Medium Audit data must be retained for at least one year.
WN12-UR-000001 Medium Unauthorized accounts must not have the Access Credential Manager as a trusted caller user right.
WN12-UR-000005 Medium Unauthorized accounts must not have the Allow log on locally user right.
WN12-UR-000004 Medium Unauthorized accounts must not have the Adjust memory quotas for a process user right.
WN12-UR-000007 Medium Unauthorized accounts must not have the Back up files and directories user right.
WN12-UR-000006 Medium Unauthorized accounts must not have the Allow log on through Remote Desktop Services user right.
WN12-UR-000009 Medium Unauthorized accounts must not have the Change the system time user right.
WN12-GE-000100 Medium The Enhanced Mitigation Experience Toolkit (EMET) must be installed on the system.
WN12-CC-000055 Medium The user must be prompted for a password on resume from sleep (plugged in).
WN12-CC-000054 Medium Users must be prompted for a password on resume from sleep (on battery).
WN12-CC-000052 Medium App notifications on the lock screen must be turned off.
WN12-CC-000051 Medium Local users on domain-joined computers must not be enumerated.
WN12-CC-000058 Medium The system must be configured to prevent unsolicited remote assistance offers.
WN12-AU-000209-DC Medium The Active Directory Infrastructure object must be configured with proper audit settings.
WN12-AU-000104 Medium The system must be configured to audit System - IPSec Driver failures.
WN12-AU-000107 Medium The system must be configured to audit System - Security State Change successes.
WN12-AU-000101 Medium The system must be configured to audit Privilege Use - Sensitive Privilege Use successes.
WN12-AU-000103 Medium The system must be configured to audit System - IPSec Driver successes.
WN12-AU-000102 Medium The system must be configured to audit Privilege Use - Sensitive Privilege Use failures.
WN12-AU-000109 Medium The system must be configured to audit System - Security System Extension successes.
WN12-AU-000108 Medium The system must be configured to audit System - Security State Change failures.
WN12-SO-000053 Medium The system must be configured to prevent the storage of passwords and credentials.
WN12-SO-000054 Medium The system must be configured to prevent anonymous users from having the same rights as the Everyone group.
WN12-CC-000084 Medium The Application event log must be configured to a minimum size requirement.
WN12-CC-000085 Medium The Security event log must be configured to a minimum size requirement.
WN12-CC-000087 Medium The System event log must be configured to a minimum size requirement.
WN12-CC-000080 Medium The Enhanced Mitigation Experience Toolkit (EMET) Default Protections for Recommended Software must be enabled.
WN12-CC-000081 Medium The Enhanced Mitigation Experience Toolkit (EMET) Default Protections for Popular Software must be enabled.
WN12-CC-000129 Medium Automatic Updates must not be used (unless configured to point to a DoD server).
WN12-CC-000083 Medium The Enhanced Mitigation Experience Toolkit (EMET) system-wide Structured Exception Handler Overwrite Protection (SEHOP) must be configured to Application Opt Out.
WN12-CC-000127 Medium The Windows Remote Management (WinRM) service must not allow unencrypted traffic.
WN12-CC-000125 Medium The Windows Remote Management (WinRM) client must not use Digest authentication.
WN12-CC-000124 Medium The Windows Remote Management (WinRM) client must not allow unencrypted traffic.
WN12-CC-000122 Medium Windows Media Player must be configured to prevent automatic checking for updates.
WN12-CC-000120 Medium Windows Media Digital Rights Management (DRM) must be prevented from accessing the Internet.
WN12-AC-000012-DC Medium The Kerberos user ticket lifetime must be limited to 10 hours or less.
WN12-SO-000028 Medium The Windows SMB client must be configured to always perform SMB packet signing.
WN12-SO-000029 Medium The Windows SMB client must be enabled to perform SMB packet signing when possible.
WN12-SO-000027 Medium The Smart Card removal option must be configured to Force Logoff or Lock Workstation.
WN12-SO-000022 Medium The required legal notice must be configured to display before console logon.
WN12-SO-000020 Medium The machine account lockout threshold must be set to 10 on systems with BitLocker enabled.
WN12-SO-000021 Medium The machine inactivity limit must be set to 15 minutes, locking the system with the screensaver.
WN12-CC-000019 Medium Remote access to the Plug and Play interface must be disabled for device installation.
WN12-CC-000013 Medium The Windows Connect Now wizards must be disabled.
WN12-CC-000012 Medium The configuration of wireless devices using Windows Connect Now must be disabled.
WN12-CC-000010 Medium The Teredo IPv6 transition technology must be disabled.
WN12-FW-000001 Medium The Windows Firewall must be enabled for the Domain Profile.
WN12-FW-000003 Medium The Windows Firewall must allow outbound connections, unless a rule explicitly blocks the connection for the Domain Profile.
WN12-SO-000063 Medium PKU2U authentication using online identities must be prevented.
WN12-CC-000064 Medium Unauthenticated RPC clients must be restricted from connecting to the RPC server.
WN12-AU-000032-DC Medium The system must be configured to audit DS Access - Directory Service Access failures.
WN12-CC-000063 Medium Client computers must be required to authenticate for RPC communication.
WN12-AD-000006-DC Medium Data files owned by users must be on a different logical partition from the directory server data files.
WN12-AC-000013-DC Medium The Kerberos policy user ticket renewal maximum lifetime must be limited to 7 days or less.
WN12-AU-000035-DC Medium The system must be configured to audit DS Access - Directory Service Changes successes.
WN12-AU-000048 Medium The system must be configured to audit Logon/Logoff - Logon failures.
WN12-AU-000045 Medium The system must be configured to audit Logon/Logoff - Logoff successes.
WN12-AU-000047 Medium The system must be configured to audit Logon/Logoff - Logon successes.
WN12-SO-000062 Medium NTLM must be prevented from falling back to a Null session.
WN12-AD-000007-DC Medium Time synchronization must be enabled on the domain controller.
WN12-SO-000060 Medium The system must be configured to use the Classic security model.
WN12-SO-000061 Medium Services using Local System that use Negotiate when reverting to NTLM authentication must use the computer identity vs. authenticating anonymously.
WN12-SO-000066 Medium The system must be configured to force users to log off when their allowed logon hours expire.
WN12-SO-000064 Medium Kerberos encryption types must be configured to prevent the use of DES encryption suites.
WN12-SO-000068 Medium The system must be configured to the required LDAP client signing level.
WN12-SO-000069 Medium The system must be configured to meet the minimum session security requirement for NTLM SSP-based clients.
WN12-CC-000117 Medium Users must be notified if a web-based program attempts to install software.
WN12-CC-000115 Medium Users must be prevented from changing installation options.
WN12-UR-000039 Medium Unauthorized accounts must not have the Replace a process level token user right.
WN12-CC-000110 Medium The Windows Store application must be turned off.
WN12-CC-000111 Medium Microsoft Active Protection Service membership must be disabled.
WN12-UR-000034 Medium Unauthorized accounts must not have the Modify firmware environment values user right.
WN12-UR-000035 Medium Unauthorized accounts must not have the Perform volume maintenance tasks user right.
WN12-UR-000036 Medium Unauthorized accounts must not have the Profile single process user right.
WN12-UR-000037 Medium Unauthorized accounts must not have the Profile system performance user right.
WN12-UR-000030 Medium Unauthorized accounts must not have the Log on as a batch job user right.
WN12-UR-000032 Medium Unauthorized accounts must not have the Manage auditing and security log user right.
WN12-CC-000086 Medium The Setup event log must be configured to a minimum size requirement.
WN12-UR-000017-DC Medium The Deny access to this computer from the network user right on domain controllers must be configured to prevent unauthenticated access.
WN12-FW-000012 Medium The Windows Firewall must allow outbound connections, unless a rule explicitly blocks the connection for the Private Profile.
WN12-CC-000027 Medium Early Launch Antimalware, Boot-Start Driver Initialization Policy must be enabled and configured to only Good and Unknown.
WN12-CC-000028 Medium Group Policy objects must be reprocessed even if they have not changed.
WN12-CC-000029 Medium Group Policies must be refreshed in the background if the user is logged on.
WN12-UR-000028 Medium Unauthorized accounts must not have the Load and unload device drivers user right.
WN12-UR-000033 Medium Unauthorized accounts must not have the Modify an object label user right.
WN12-CC-000089 Medium Explorer Data Execution Prevention must be enabled.
WN12-GE-000006 Medium Permissions for system drive root directory (usually C:) must conform to minimum requirements.
WN12-GE-000007 Medium Permissions for program file directories must conform to minimum requirements.
WN12-AU-000207-DC Medium Active Directory Group Policy objects must be configured with proper audit settings.
WN12-GE-000008 Medium Permissions for Windows installation directory must conform to minimum requirements.
WN12-GE-000009 Medium Password complexity software that enforces DoD requirements must be implemented.
WN12-AU-000001 Medium The system must be configured to audit Account Logon - Credential Validation successes.
WN12-AU-000002 Medium The system must be configured to audit Account Logon - Credential Validation failures.
WN12-PK-000004-DC Medium Domain controllers must have a PKI server certificate.
WN12-CC-000082 Medium The Enhanced Mitigation Experience Toolkit (EMET) system-wide Data Execution Prevention (DEP) must be enabled and configured to at least Application Opt Out.
WN12-CC-000091 Medium File Explorer shell protocol must run in protected mode.
WN12-CC-000096 Medium Passwords must not be saved in the Remote Desktop Client.
WN12-CC-000095 Medium The location feature must be turned off.
WN12-CC-000099 Medium Remote Desktop Services must always prompt a client for passwords upon connection.
WN12-CC-000098 Medium Local drives must be prevented from sharing with Remote Desktop Session Hosts. (Remote Desktop Services Role).
WN12-UR-000044-DC Medium Unauthorized accounts must not have the Add workstations to domain user right.
WN12-SO-000035 Medium The service principal name (SPN) target name validation level must be turned off.
WN12-SO-000036 Medium Automatic logons must be disabled.
WN12-SO-000030 Medium Unencrypted passwords must not be sent to a third-party SMB server.
WN12-SO-000033 Medium The Windows SMB server must perform SMB packet signing when possible.
WN12-SO-000032 Medium The Windows SMB server must be configured to always perform SMB packet signing.
WN12-AC-000014-DC Medium The computer clock synchronization tolerance must be limited to 5 minutes or less.
WN12-UR-000027 Medium Unauthorized accounts must not have the Increase scheduling priority user right.
WN12-FW-000019 Medium The Windows Firewall must be enabled for the Public Profile.
WN12-FW-000014 Medium The Windows Firewall must block unicast responses to multicast or broadcast messages for the Private Profile.
WN12-CC-000079 Medium The Enhanced Mitigation Experience Toolkit (EMET) Default Protections for Internet Explorer must be enabled.
WN12-CC-000078 Medium The Enhanced Mitigation Experience Toolkit (EMET) system-wide Address Space Layout Randomization (ASLR) must be enabled and configured to Application Opt In.
WN12-CC-000075 Medium The use of biometrics must be disabled.
WN12-CC-000077 Medium The system must require username and password to elevate a running application.
WN12-CC-000076 Medium The password reveal button must not be displayed.
WN12-FW-000025 Medium The Windows Firewall local firewall rules must not be merged with Group Policy settings for the Public Profile.
WN12-FW-000024 Medium The Windows Firewall local connection rules must not be merged with Group Policy settings for the Public Profile.
WN12-FW-000023 Medium The Windows Firewall must block unicast responses to multicast or broadcast messages for the Public Profile.
WN12-FW-000021 Medium The Windows Firewall must allow outbound connections, unless a rule explicitly blocks the connection for the Public Profile.
WN12-AU-000212-DC Medium The Active Directory RID Manager$ object must be configured with proper audit settings.
WN12-AU-000019 Medium The system must be configured to audit Account Management - User Account Management successes.
WN12-AU-000208-DC Medium The Active Directory Domain object must be configured with proper audit settings.
WN12-AU-000012 Medium The system must be configured to audit Account Logon - Computer Account Management failures.
WN12-AU-000017 Medium The system must be configured to audit Account Management - Security Group Management successes.
WN12-AU-000016 Medium The system must be configured to audit Account Management - Other Account Management Events failures.
WN12-AU-000053 Medium The system must be configured to audit Logon/Logoff - Special Logon successes.
WN12-00-000004 Medium Users with administrative privilege must be documented.
WN12-AU-000059 Medium The system must be configured to audit Object Access - Central Access Policy Staging successes.
WN12-UR-000022-DC Medium Unauthorized accounts must not have the Enable computer and user accounts to be trusted for delegation user right.
WN12-SO-000070 Medium The system must be configured to meet the minimum session security requirement for NTLM SSP-based servers.
WN12-SO-000075 Medium The system must be configured to require case insensitivity for non-Windows subsystems.
WN12-SO-000074 Medium The system must be configured to use FIPS-compliant algorithms for encryption, hashing, and signing.
WN12-AC-000010-DC Medium Kerberos user logon restrictions must be enforced.
WN12-SO-000079 Medium User Account Control must automatically deny standard user requests for elevation.
WN12-SO-000078 Medium User Account Control must, at minimum, prompt administrators for consent.
WN12-CC-000105 Medium Attachments must be prevented from being downloaded from RSS feeds.
WN12-CC-000104 Medium Remote Desktop Services must be configured to use session-specific temporary folders.
WN12-UR-000029 Medium Unauthorized accounts must not have the Lock pages in memory user right.
WN12-CC-000106 Medium Basic authentication for RSS feeds over HTTP must be turned off.
WN12-CC-000101 Medium Remote Desktop Services must be configured to disconnect an idle session after the specified time period.
WN12-CC-000100 Medium Remote Desktop Services must be configured with the client connection encryption set to the required level.
WN12-CC-000103 Medium Remote Desktop Services must delete temporary folders when a session is terminated.
WN12-CC-000102 Medium Remote Desktop Services must be configured to set a time limit for disconnected sessions.
WN12-UR-000023 Medium Unauthorized accounts must not have the Force shutdown from a remote system user right.
WN12-UR-000026 Medium Unauthorized accounts must not have the Increase a process working set user right.
WN12-UR-000025 Medium Unauthorized accounts must not have the Impersonate a client after authentication user right.
WN12-UR-000024 Medium Unauthorized accounts must not have the Generate security audits user right.
WN12-AU-000210-DC Medium The Active Directory Domain Controllers Organizational Unit (OU) object must be configured with proper audit settings.
WN12-UR-000002-DC Medium Unauthorized accounts must not have the Access this computer from the network user right.
WN12-RG-000003 Medium Local administrator accounts must have their privileged token filtered to prevent elevated privileges from being used over the network on domain systems.
WN12-AC-000011-DC Medium The Kerberos service ticket maximum lifetime must be limited to 600 minutes or less.
WN12-CC-000030 Medium Access to the Windows Store must be turned off.
WN12-CC-000032 Medium Downloading print driver packages over HTTP must be prevented.
WN12-CC-000037 Medium Web publishing and online ordering wizards must be prevented from downloading a list of providers.
WN12-CC-000039 Medium Printing over HTTP must be prevented.
WN12-CC-000038 Medium The Internet File Association service must be turned off.
WN12-AD-000009-DC Medium The directory server supporting (directly or indirectly) system access or resource authorization must run on a machine dedicated to that function.
WN12-UR-000018-DC Medium The Deny log on as a batch job user right on domain controllers must be configured to prevent unauthenticated access.
WN12-GE-000017 Medium System files must be monitored for unauthorized changes.
WN12-GE-000016 Medium System mechanisms must be implemented to enforce automatic expiration of passwords.
WN12-GE-000011 Medium Virtual guest operating systems must be registered in a vulnerability and asset management system.
WN12-GE-000010 Medium The system must not boot into multiple operating systems (dual-boot).
WN12-GE-000019 Medium The HBSS McAfee Agent must be installed.
WN12-GE-000018 Medium File shares must limit access to data on a system.
WN12-UC-000008 Medium Windows Help Ratings feedback must be turned off.
WN12-UC-000009 Medium Zone information must be preserved when saving attachments.
WN12-UC-000007 Medium The Windows Help Experience Improvement Program must be disabled.
WN12-UC-000003 Medium The screen saver must be password protected.
WN12-FW-000010 Medium The Windows Firewall must be enabled for the Private Profile.
WN12-UC-000001 Medium A screen saver must be enabled on the system.
WN12-00-000009 Medium Members of the Backup Operators group must have separate accounts for backup duties and normal operational tasks.
WN12-00-000002 Medium System BIOS or system controllers supporting password protection must have administrator accounts/passwords only configured, and no others.
WN12-AU-000011 Medium The system must be configured to audit Account Logon - Computer Account Management successes.
WN12-00-000001 Medium Server systems must be located in a controlled access area.
WN12-00-000006 Medium Policy must require that system administrators (SAs) be trained for the operating systems used by systems under their control.
WN12-00-000007 Medium Passwords for the built-in Administrator account must be changed regularly.
WN12-AU-000015 Medium The system must be configured to audit Account Management - Other Account Management Events successes.
WN12-UR-000019-DC Medium The Deny log on as a service user right must be configured to include no accounts or groups (blank).
WN12-AU-000085 Medium The system must be configured to audit Policy Change - Audit Policy Change successes.
WN12-AU-000086 Medium The system must be configured to audit Policy Change - Audit Policy Change failures.
WN12-AU-000087 Medium The system must be configured to audit Policy Change - Authentication Policy Change successes.
WN12-AU-000080 Medium The system must be configured to audit Object Access - Registry failures.
WN12-AU-000081 Medium The system must be configured to audit Object Access - Removable Storage successes.
WN12-AU-000082 Medium The system must be configured to audit Object Access - Removable Storage failures.
WN12-AD-000014-DC Low The directory service must be configured to terminate LDAP-based network connections to the directory server after five (5) minutes of inactivity.
WN12-UR-000010 Low Unauthorized accounts must not have the Change the time zone user right.
WN12-CC-000049 Low The classic logon screen must be required for user logons.
WN12-CC-000040 Low Windows Registration Wizard must be turned off.
WN12-CC-000042 Low The Order Prints Online wizard must be turned off.
WN12-CC-000069 Low If the time service is configured, it must use an authorized time server.
WN12-CC-000062 Low Remote Assistance log files must be generated.
WN12-SO-000048 Low The system must limit how many times unacknowledged TCP data is retransmitted.
WN12-SO-000049 Low The system must generate an audit event when the audit log reaches a percentage of full threshold.
WN12-SO-000044 Low The system must be configured to disable the Internet Router Discovery Protocol (IRDP).
WN12-SO-000046 Low The system must be configured to have password protection take effect within a limited time frame when the screen saver becomes active.
WN12-SO-000047 Low IPv6 TCP data retransmissions must be configured to prevent resources from becoming exhausted.
WN12-SO-000041 Low The system must be configured to limit how often keep-alive packets are sent.
WN12-SO-000042 Low IPSec exemptions must be limited.
WN12-SO-000043 Low The system must be configured to ignore NetBIOS name release requests except from WINS servers.
WN12-CC-000137 Low The system must be configured to remove the Disconnect option from the Shut Down dialog box on the Remote Desktop Client. (Remote Desktop Services Role).
WN12-CC-000005 Low Domain users must be required to elevate when setting a network's location.
WN12-CC-000006 Low All Direct Access traffic must be routed through the internal network.
WN12-FW-000009 Low The Windows Firewall must log successful connections for the Domain Profile.
WN12-FW-000008 Low The Windows Firewall must log dropped packets for the Domain Profile.
WN12-FW-000004 Low The Windows Firewall must display notifications when a program is blocked from receiving an inbound connection for the Domain Profile.
WN12-FW-000007 Low The Windows Firewall log size must be configured for the Domain Profile.
WN12-FW-000006 Low The Windows Firewall log file name and location must be configured for the Domain Profile.
WN12-00-000013 Low Security configuration tools or equivalent processes must be used to configure and maintain platforms for security compliance.
WN12-00-000015 Low User-level information must be backed up per organization defined frequency consistent with recovery time and recovery point objectives.
WN12-00-000014 Low System-level information must be backed up per organization defined frequency consistent with recovery time and recovery point objectives.
WN12-00-000017 Low System-related documentation must be backed up per organization defined frequency consistent with recovery time and recovery point objectives.
WN12-00-000016 Low Backups of system-level information must be protected.
WN12-SO-000088 Low Optional Subsystems must not be permitted to operate on the system.
WN12-SO-000089 Low The print driver installation privilege must be restricted to administrators.
WN12-AC-000008 Low The built-in Microsoft password complexity filter must be enabled.
WN12-SO-000016 Low The maximum age for machine account passwords must be set to requirements.
WN12-SO-000015 Low The computer account password must not be prevented from being reset.
WN12-SO-000018 Low The system must be configured to prevent the display of the last username on the logon screen.
WN12-UR-000008 Low Unauthorized accounts must not have the Bypass traverse checking user right.
WN12-CC-000057 Low The display must turn off after 20 minutes of inactivity when the system is plugged in.
WN12-CC-000056 Low The display must turn off after 20 minutes of inactivity when the system is running on battery.
WN12-AD-000008-DC Low The time synchronization tool must be configured to enable logging of time source switching.
WN12-AD-000012-DC Low Anonymous access to the root DSE of a non-public directory must be disabled.
WN12-CC-000121 Low Users must not be presented with Privacy and Installation options on first use of Windows Media Player.
WN12-FW-000013 Low The Windows Firewall must display notifications when a program is blocked from receiving an inbound connection for the Private Profile.
WN12-SO-000024 Low Caching of logon credentials must be limited.
WN12-SO-000025 Low Users must be warned in advance of their passwords expiring.
WN12-SO-000023 Low The Windows dialog box title for the legal banner must be configured.
WN12-CC-000018 Low Optional component installation and component repair must be prevented from using Windows Update.
WN12-CC-000011 Low IP stateless autoconfiguration limits state must be enabled.
WN12-CC-000016 Low Windows Update must be prevented from searching for point and print drivers.
WN12-CC-000068 Low Responsiveness events must be prevented from being aggregated and sent to Microsoft.
WN12-CC-000066 Low Microsoft Support Diagnostic Tool (MSDT) interactive communication with Microsoft must be prevented.
WN12-CC-000067 Low Access to Windows Online Troubleshooting Service (WOTS) must be prevented.
WN12-CC-000065 Low The detection of compatibility issues for applications and drivers must be turned off.
WN12-CC-000114 Low Additional data requests in response to Error Reporting must be declined.
WN12-CC-000112 Low Error Reporting events must be logged in the system event log.
WN12-CC-000119 Low Users must be notified if the logon server was inaccessible and cached credentials were used.
WN12-CC-000022 Low Device metadata retrieval from the Internet must be prevented.
WN12-CC-000023 Low Windows must be prevented from sending an error report when a device driver requests additional software during installation.
WN12-CC-000020 Low An error report must not be sent when a generic device driver is installed.
WN12-CC-000021 Low A system restore point must be created when a new device driver is installed.
WN12-CC-000026 Low Users must not be prompted to search Windows Update for device drivers.
WN12-CC-000024 Low Device driver searches using Windows Update must be prevented.
WN12-CC-000025 Low Device driver updates must only search managed servers, not Windows Update.
WN12-CC-000118 Low Nonadministrators must be prevented from applying vendor-signed updates.
WN12-CC-000088 Low The Windows SmartScreen must be turned off.
WN12-CC-000090 Low Turning off File Explorer heap termination on corruption must be disabled.
WN12-SO-000039 Low The system must be configured to prevent Internet Control Message Protocol (ICMP) redirects from overriding Open Shortest Path First (OSPF) generated routes.
WN12-SO-000038 Low The system must be configured to prevent IP source routing.
WN12-SO-000034 Low Users must be forcibly disconnected when their logon hours expire.
WN12-SO-000037 Low IPv6 source routing must be configured to the highest protection level.
WN12-SO-000031 Low The amount of idle time required before suspending a session must be properly set.
WN12-FW-000018 Low The Windows Firewall must log successful connections for the Private Profile.
WN12-FW-000016 Low The Windows Firewall log size must be configured for the Private Profile.
WN12-FW-000017 Low The Windows Firewall must log dropped packets for the Private Profile.
WN12-FW-000015 Low The Windows Firewall log file name and location must be configured for the Private Profile.
WN12-CC-000071 Low The Application Compatibility Program Inventory must be prevented from collecting data and sending the information to Microsoft.
WN12-CC-000070 Low Trusted app installation must be enabled to allow for signed enterprise line of business apps.
WN12-FW-000027 Low The Windows Firewall log size must be configured for the Public Profile.
WN12-FW-000026 Low The Windows Firewall log file name and location must be configured for the Public Profile.
WN12-FW-000022 Low The Windows Firewall must display notifications when a program is blocked from receiving an inbound connection for the Public Profile.
WN12-FW-000029 Low The Windows Firewall must log successful connections for the Public Profile.
WN12-FW-000028 Low The Windows Firewall must log dropped packets for the Public Profile.
WN12-SO-000073 Low The shutdown option must not be available from the logon dialog box.
WN12-SO-000072 Low The Recovery Console SET command must be disabled.
WN12-SO-000076 Low The default permissions of global system objects must be increased.
WN12-SO-000091-DC Low Domain controllers must be configured to allow reset of machine account passwords.
WN12-CC-000109 Low Automatic download of updates from the Windows Store must be turned off.
WN12-CC-000031 Low Root Certificates must not be updated automatically from the Microsoft site.
WN12-CC-000033 Low Event Viewer Events.asp links must be turned off.
WN12-CC-000035 Low Errors in handwriting recognition on tablet PCs must not be reported to Microsoft.
WN12-CC-000036 Low The Internet Connection Wizard must not download a list of Internet Service Providers (ISPs) from Microsoft.
WN12-GE-000014 Low Outdated or unused accounts must be removed from the system.
WN12-GE-000013 Low Local users must not exist on a system in a domain.
WN12-GE-000012 Low Nonadministrative user accounts or groups must only have print permissions on printer shares.
WN12-UC-000006 Low Toast notifications to the lock screen must be turned off.
WN12-UC-000004 Low Changing the screen saver must be prevented.
WN12-UC-000005 Low Notifications from Windows Push Network Service must be turned off.
WN12-UC-000002 Low A screen saver must be defined.