UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Microsoft Windows Server 2016 Security Technical Implementation Guide


Overview

Date Finding Count (273)
2021-03-05 CAT I (High): 33 CAT II (Med): 227 CAT III (Low): 13
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Available Profiles



Findings (MAC I - Mission Critical Sensitive)

Finding ID Severity Title
V-224874 High Windows Server 2016 reversible password encryption must be disabled.
V-224819 High Users with Administrative privileges must have separate accounts for administrative duties and normal operational tasks.
V-225012 High Windows Server 2016 must be running Credential Guard on domain-joined member servers.
V-224954 High The Windows Installer Always install with elevated privileges option must be disabled.
V-225025 High Local accounts with blank passwords must be restricted to prevent access from the network.
V-224829 High The Windows Server 2016 system must use an anti-virus program.
V-224828 High Systems must be maintained at a supported servicing level.
V-224831 High Local volumes must use a format that supports NTFS attributes.
V-224934 High AutoPlay must be disabled for all drives.
V-224933 High The default AutoRun behavior must be configured to prevent AutoRun commands.
V-224932 High AutoPlay must be turned off for non-volume devices.
V-225048 High Anonymous access to Named Pipes and Shares must be restricted.
V-225044 High Anonymous SID/Name translation must not be allowed.
V-225045 High Anonymous enumeration of Security Account Manager (SAM) accounts must not be allowed.
V-225046 High Anonymous enumeration of shares must not be allowed.
V-224958 High The Windows Remote Management (WinRM) client must not use Basic authentication.
V-225054 High The LAN Manager authentication level must be set to send NTLMv2 response only and to refuse LM and NTLM.
V-225053 High Windows Server 2016 must be configured to prevent the storage of the LAN Manager hash of passwords.
V-224821 High Administrative accounts must not be used with applications that access the Internet, such as web browsers, or with potential Internet sources, such as email.
V-224961 High The Windows Remote Management (WinRM) service must not use Basic authentication.
V-224964 High Only administrators responsible for the domain controller must have Administrator rights on the system.
V-225071 High The Act as part of the operating system user right must not be assigned to any groups or accounts.
V-225079 High The Debug programs user right must only be assigned to the Administrators group.
V-224993 High PKI certificates associated with user accounts must be issued by the DoD PKI or an approved External Certificate Authority (ECA).
V-224992 High Domain Controller PKI certificates must be issued by the DoD PKI or an approved External Certificate Authority (ECA).
V-225091 High The Create a token object user right must not be assigned to any groups or accounts.
V-224978 High Directory data (outside the root DSE) of a non-public directory must be configured to prevent anonymous access.
V-224973 High The Active Directory Domain Controllers Organizational Unit (OU) object must have the proper access control permissions.
V-224972 High Active Directory Group Policy objects must have proper access control permissions.
V-224971 High The Active Directory SYSVOL directory must have the proper access control permissions.
V-224970 High Permissions on the Active Directory data files must only allow System and Administrators access.
V-224974 High Domain-created Active Directory Organizational Unit (OU) objects must have proper access control permissions.
V-225007 High Only administrators responsible for the member server or standalone system must have Administrator rights on the system.
V-224959 Medium The Windows Remote Management (WinRM) client must not allow unencrypted traffic.
V-224948 Medium Remote Desktop Services must be configured with the client connection encryption set to High Level.
V-224949 Medium Attachments must be prevented from being downloaded from RSS feeds.
V-224946 Medium Remote Desktop Services must always prompt a client for passwords upon connection.
V-224947 Medium The Remote Desktop Session Host must require secure Remote Procedure Call (RPC) communications.
V-224944 Medium Passwords must not be saved in the Remote Desktop Client.
V-224945 Medium Local drives must be prevented from sharing with Remote Desktop Session Hosts.
V-224943 Medium File Explorer shell protocol must run in protected mode.
V-224940 Medium Windows Server 2016 Windows SmartScreen must be enabled.
V-224941 Medium Explorer Data Execution Prevention must be enabled.
V-224872 Medium Windows Server 2016 minimum password length must be configured to 14 characters.
V-224873 Medium Windows Server 2016 must have the built-in Windows password complexity policy enabled.
V-224870 Medium Windows Server 2016 maximum password age must be configured to 60 days or less.
V-224871 Medium Windows Server 2016 minimum password age must be configured to at least one day.
V-224876 Medium Windows Server 2016 must, at a minimum, off-load audit records of interconnected systems in real time and off-load standalone systems weekly.
V-224877 Medium Permissions for the Application event log must prevent access by non-privileged accounts.
V-224875 Medium Audit records must be backed up to a different system or media than the system being audited.
V-224858 Medium The Server Message Block (SMB) v1 protocol must be disabled on the SMB client.
V-224878 Medium Permissions for the Security event log must prevent access by non-privileged accounts.
V-224879 Medium Permissions for the System event log must prevent access by non-privileged accounts.
V-224859 Medium Windows PowerShell 2.0 must not be installed.
V-224898 Medium Windows Server 2016 must be configured to audit Object Access - Removable Storage successes.
V-224899 Medium Windows Server 2016 must be configured to audit Object Access - Removable Storage failures.
V-224953 Medium Users must be prevented from changing installation options.
V-224952 Medium Indexing of encrypted files must be turned off.
V-224955 Medium Users must be notified if a web-based program attempts to install software.
V-224957 Medium PowerShell script block logging must be enabled.
V-224956 Medium Automatically signing in the last interactive user after a system-initiated restart must be disabled.
V-224890 Medium Windows Server 2016 must be configured to audit Logon/Logoff - Account Lockout failures.
V-224891 Medium Windows Server 2016 must be configured to audit Logon/Logoff - Group Membership successes.
V-224892 Medium Windows Server 2016 must be configured to audit Logon/Logoff - Logoff successes.
V-224893 Medium Windows Server 2016 must be configured to audit Logon/Logoff - Logon successes.
V-224894 Medium Windows Server 2016 must be configured to audit Logon/Logoff - Logon failures.
V-224895 Medium Windows Server 2016 must be configured to audit Logon/Logoff - Special Logon successes.
V-224896 Medium Windows 2016 must be configured to audit Object Access - Other Object Access Events successes.
V-224897 Medium Windows 2016 must be configured to audit Object Access - Other Object Access Events failures.
V-224857 Medium The Server Message Block (SMB) v1 protocol must be disabled on the SMB server.
V-224850 Medium The Fax Server role must not be installed.
V-224851 Medium The Microsoft FTP service must not be installed unless required.
V-225024 Medium Windows Server 2016 built-in guest account must be disabled.
V-224861 Medium FTP servers must be configured to prevent access to the system drive.
V-224860 Medium FTP servers must be configured to prevent anonymous logons.
V-224863 Medium Orphaned security identifiers (SIDs) must be removed from user rights on Windows 2016.
V-224869 Medium Windows Server 2016 password history must be configured to 24 passwords remembered.
V-224868 Medium Windows Server 2016 must have the period of time before the bad logon counter is reset configured to 15 minutes or greater.
V-225028 Medium Audit policy using subcategories must be enabled.
V-225029 Medium The setting Domain member: Digitally encrypt or sign secure channel data (always) must be configured to Enabled.
V-224924 Medium Early Launch Antimalware, Boot-Start Driver Initialization Policy must prevent boot drivers identified as bad.
V-224925 Medium Group Policy objects must be reprocessed even if they have not changed.
V-224889 Medium Windows Server 2016 must be configured to audit Logon/Logoff - Account Lockout successes.
V-224888 Medium Windows Server 2016 must be configured to audit Detailed Tracking - Process Creation successes.
V-224920 Medium Insecure logons to an SMB server must be disabled.
V-224921 Medium Hardened UNC paths must be defined to require mutual authentication and integrity for at least the \\*\SYSVOL and \\*\NETLOGON shares.
V-224922 Medium Command line data must be included in process creation events.
V-224923 Medium Windows Server 2016 virtualization-based security must be enabled with the platform security level configured to Secure Boot or Secure Boot with DMA Protection.
V-224883 Medium Windows Server 2016 must be configured to audit Account Management - Other Account Management Events successes.
V-224882 Medium Windows Server 2016 must be configured to audit Account Logon - Credential Validation failures.
V-224881 Medium Windows Server 2016 must be configured to audit Account Logon - Credential Validation successes.
V-224880 Medium Event Viewer must be protected from unauthorized modification and deletion.
V-224887 Medium Windows Server 2016 must be configured to audit Detailed Tracking - Plug and Play Events successes.
V-224886 Medium Windows Server 2016 must be configured to audit Account Management - User Account Management failures.
V-224885 Medium Windows Server 2016 must be configured to audit Account Management - User Account Management successes.
V-224884 Medium Windows Server 2016 must be configured to audit Account Management - Security Group Management successes.
V-225039 Medium The setting Microsoft network client: Digitally sign communications (always) must be configured to Enabled.
V-225031 Medium The setting Domain member: Digitally sign secure channel data (when possible) must be configured to Enabled.
V-225030 Medium The setting Domain member: Digitally encrypt secure channel data (when possible) must be configured to enabled.
V-225033 Medium The maximum age for machine account passwords must be configured to 30 days or less.
V-225032 Medium The computer account password must not be prevented from being reset.
V-225035 Medium The machine inactivity limit must be set to 15 minutes, locking the system with the screen saver.
V-225034 Medium Windows Server 2016 must be configured to require a strong session key.
V-225036 Medium The required legal notice must be configured to display before console logon.
V-224866 Medium Windows 2016 account lockout duration must be configured to 15 minutes or greater.
V-225022 Medium The DoD Interoperability Root CA cross-certificates must be installed in the Untrusted Certificates Store on unclassified systems.
V-225011 Medium Caching of logon credentials must be limited.
V-225023 Medium The US DoD CCEB Interoperability Root CA cross-certificates must be installed in the Untrusted Certificates Store on unclassified systems.
V-224837 Medium Outdated or unused accounts must be removed from the system or disabled.
V-224834 Medium Permissions for the Windows installation directory must conform to minimum requirements.
V-224835 Medium Default permissions for the HKEY_LOCAL_MACHINE registry hive must be maintained.
V-224832 Medium Permissions for the system drive root directory (usually C:\) must conform to minimum requirements.
V-224833 Medium Permissions for program file directories must conform to minimum requirements.
V-224830 Medium Servers must have a host-based intrusion detection or prevention system.
V-225021 Medium The DoD Root CA certificates must be installed in the Trusted Root Store.
V-224838 Medium Windows Server 2016 accounts must require passwords.
V-224839 Medium Passwords must be configured to expire.
V-224937 Medium The Application event log size must be configured to 32768 KB or greater.
V-224936 Medium Windows Telemetry must be configured to Security or Basic.
V-224935 Medium Administrator accounts must not be enumerated during elevation.
V-224930 Medium Users must be prompted to authenticate when the system wakes from sleep (plugged in).
V-224823 Medium Manually managed application account passwords must be at least 15 characters in length.
V-224939 Medium The System event log size must be configured to 32768 KB or greater.
V-224938 Medium The Security event log size must be configured to 196608 KB or greater.
V-224822 Medium Members of the Backup Operators group must have separate accounts for backup duties and normal operational tasks.
V-225049 Medium Services using Local System that use Negotiate when reverting to NTLM authentication must use the computer identity instead of authenticating anonymously.
V-225020 Medium The Enable computer and user accounts to be trusted for delegation user right must not be assigned to any groups or accounts on member servers.
V-225047 Medium Windows Server 2016 must be configured to prevent anonymous users from having the same permissions as the Everyone group.
V-225040 Medium The setting Microsoft network client: Digitally sign communications (if server agrees) must be configured to Enabled.
V-225041 Medium Unencrypted passwords must not be sent to third-party Server Message Block (SMB) servers.
V-225042 Medium The setting Microsoft network server: Digitally sign communications (always) must be configured to Enabled.
V-225043 Medium The setting Microsoft network server: Digitally sign communications (if client agrees) must be configured to Enabled.
V-224908 Medium Windows Server 2016 must be configured to audit System - Other System Events successes.
V-224909 Medium Windows Server 2016 must be configured to audit System - Other System Events failures.
V-225089 Medium The Profile single process user right must only be assigned to the Administrators group.
V-224902 Medium Windows Server 2016 must be configured to audit Policy Change - Authentication Policy Change successes.
V-224903 Medium Windows Server 2016 must be configured to audit Policy Change - Authorization Policy Change successes.
V-224900 Medium Windows Server 2016 must be configured to audit Policy Change - Audit Policy Change successes.
V-224901 Medium Windows Server 2016 must be configured to audit Policy Change - Audit Policy Change failures.
V-224906 Medium Windows Server 2016 must be configured to audit System - IPsec Driver successes.
V-224907 Medium Windows Server 2016 must be configured to audit System - IPsec Driver failures.
V-224904 Medium Windows Server 2016 must be configured to audit Privilege Use - Sensitive Privilege Use successes.
V-224905 Medium Windows Server 2016 must be configured to audit Privilege Use - Sensitive Privilege Use failures.
V-225004 Medium The Deny log on through Remote Desktop Services user right on domain controllers must be configured to prevent unauthenticated access.
V-225013 Medium Remote calls to the Security Account Manager (SAM) must be restricted to Administrators.
V-225059 Medium Windows Server 2016 must be configured to use FIPS-compliant algorithms for encryption, hashing, and signing.
V-225058 Medium Users must be required to enter a password to access private keys stored on the computer.
V-225057 Medium Session security for NTLM SSP-based servers must be configured to require NTLMv2 session security and 128-bit encryption.
V-225056 Medium Session security for NTLM SSP-based clients must be configured to require NTLMv2 session security and 128-bit encryption.
V-225055 Medium Windows Server 2016 must be configured to at least negotiate signing for LDAP client signing.
V-225052 Medium Kerberos encryption types must be configured to prevent the use of DES and RC4 encryption suites.
V-225051 Medium PKU2U authentication using online identities must be prevented.
V-225050 Medium NTLM must be prevented from falling back to a Null session.
V-225010 Medium Unauthenticated Remote Procedure Call (RPC) clients must be restricted from connecting to the RPC server.
V-225017 Medium The Deny log on as a service user right on member servers must be configured to prevent access from highly privileged domain accounts on domain systems. No other groups or accounts must be assigned this right.
V-225016 Medium The Deny log on as a batch job user right on member servers must be configured to prevent access from highly privileged domain accounts on domain systems and from unauthenticated access on all systems.
V-225015 Medium The Deny access to this computer from the network user right on member servers must be configured to prevent access from highly privileged domain accounts and local accounts on domain systems, and from unauthenticated access on all systems.
V-224915 Medium WDigest Authentication must be disabled on Windows Server 2016.
V-224914 Medium The display of slide shows on the lock screen must be disabled.
V-224911 Medium Windows Server 2016 must be configured to audit System - Security System Extension successes.
V-224910 Medium Windows Server 2016 must be configured to audit System - Security State Change successes.
V-224913 Medium Windows Server 2016 must be configured to audit System - System Integrity failures.
V-224912 Medium Windows Server 2016 must be configured to audit System - System Integrity successes.
V-225026 Medium Windows Server 2016 built-in administrator account must be renamed.
V-225019 Medium The Deny log on through Remote Desktop Services user right on member servers must be configured to prevent access from highly privileged domain accounts and all local accounts on domain systems and from unauthenticated access on all systems.
V-225062 Medium UIAccess applications must not be allowed to prompt for elevation without using the secure desktop.
V-225063 Medium User Account Control must, at a minimum, prompt administrators for consent on the secure desktop.
V-225061 Medium User Account Control approval mode for the built-in Administrator must be enabled.
V-225066 Medium User Account Control must only elevate UIAccess applications that are installed in secure locations.
V-225067 Medium User Account Control must run all administrators in Admin Approval Mode, enabling UAC.
V-225064 Medium User Account Control must automatically deny standard user requests for elevation.
V-225065 Medium User Account Control must be configured to detect application installations and prompt for elevation.
V-225068 Medium User Account Control must virtualize file and registry write failures to per-user locations.
V-225069 Medium Zone information must be preserved when saving attachments.
V-236000 Medium The Windows Explorer Preview pane must be disabled for Windows Server 2016.
V-224926 Medium Downloading print driver packages over HTTP must be prevented.
V-224982 Medium The Active Directory Infrastructure object must be configured with proper audit settings.
V-224983 Medium The Active Directory Domain Controllers Organizational Unit (OU) object must be configured with proper audit settings.
V-224980 Medium Active Directory Group Policy objects must be configured with proper audit settings.
V-224981 Medium The Active Directory Domain object must be configured with proper audit settings.
V-224986 Medium Windows Server 2016 must be configured to audit Account Management - Computer Account Management successes.
V-224987 Medium Windows Server 2016 must be configured to audit DS Access - Directory Service Access successes.
V-224984 Medium The Active Directory AdminSDHolder object must be configured with proper audit settings.
V-224985 Medium The Active Directory RID Manager$ object must be configured with proper audit settings.
V-224820 Medium Passwords for the built-in Administrator account must be changed at least every 60 days.
V-224988 Medium Windows Server 2016 must be configured to audit DS Access - Directory Service Access failures.
V-224989 Medium Windows Server 2016 must be configured to audit DS Access - Directory Service Changes successes.
V-224825 Medium Shared user accounts must not be permitted on the system.
V-224824 Medium Manually managed application account passwords must be changed at least annually or when a system administrator with knowledge of the password leaves the organization.
V-224827 Medium Windows Server 2016 domain-joined systems must have a Trusted Platform Module (TPM) enabled and ready for use.
V-224826 Medium Windows Server 2016 must employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs.
V-225088 Medium The Perform volume maintenance tasks user right must only be assigned to the Administrators group.
V-225018 Medium The Deny log on locally user right on member servers must be configured to prevent access from highly privileged domain accounts on domain systems and from unauthenticated access on all systems.
V-225080 Medium The Force shutdown from a remote system user right must only be assigned to the Administrators group.
V-225081 Medium The Generate security audits user right must only be assigned to Local Service and Network Service.
V-225082 Medium The Impersonate a client after authentication user right must only be assigned to Administrators, Service, Local Service, and Network Service.
V-225083 Medium The Increase scheduling priority user right must only be assigned to the Administrators group.
V-225084 Medium The Load and unload device drivers user right must only be assigned to the Administrators group.
V-225085 Medium The Lock pages in memory user right must not be assigned to any groups or accounts.
V-225086 Medium The Manage auditing and security log user right must only be assigned to the Administrators group.
V-225087 Medium The Modify firmware environment values user right must only be assigned to the Administrators group.
V-224968 Medium The Kerberos policy user ticket renewal maximum lifetime must be limited to seven days or less.
V-224969 Medium The computer clock synchronization tolerance must be limited to 5 minutes or less.
V-224867 Medium Windows Server 2016 must have the number of allowed bad logon attempts configured to three or less.
V-224960 Medium The Windows Remote Management (WinRM) client must not use Digest authentication.
V-224962 Medium The Windows Remote Management (WinRM) service must not allow unencrypted traffic.
V-224963 Medium The Windows Remote Management (WinRM) service must not store RunAs credentials.
V-224965 Medium Kerberos user logon restrictions must be enforced.
V-224966 Medium The Kerberos service ticket maximum lifetime must be limited to 600 minutes or less.
V-225074 Medium The Create a pagefile user right must only be assigned to the Administrators group.
V-225077 Medium The Create permanent shared objects user right must not be assigned to any groups or accounts.
V-225076 Medium The Create global objects user right must only be assigned to Administrators, Service, Local Service, and Network Service.
V-225070 Medium The Access Credential Manager as a trusted caller user right must not be assigned to any groups or accounts.
V-225073 Medium The Back up files and directories user right must only be assigned to the Administrators group.
V-225072 Medium The Allow log on locally user right must only be assigned to the Administrators group.
V-224928 Medium The network selection user interface (UI) must not be displayed on the logon screen.
V-225078 Medium The Create symbolic links user right must only be assigned to the Administrators group.
V-224929 Medium Users must be prompted to authenticate when the system wakes from sleep (on battery).
V-224995 Medium Domain controllers must require LDAP access signing.
V-224994 Medium Active Directory user accounts, including administrators, must be configured to require the use of a Common Access Card (CAC), Personal Identity Verification (PIV)-compliant hardware token, or Alternate Logon Token (ALT) for user authentication.
V-224997 Medium The Access this computer from the network user right must only be assigned to the Administrators, Authenticated Users, and Enterprise Domain Controllers groups on domain controllers.
V-224996 Medium Domain controllers must be configured to allow reset of machine account passwords.
V-224991 Medium Domain controllers must have a PKI server certificate.
V-224990 Medium Windows Server 2016 must be configured to audit DS Access - Directory Service Changes failures.
V-224854 Medium The Telnet Client must not be installed.
V-224855 Medium The TFTP Client must not be installed.
V-224856 Medium The Server Message Block (SMB) v1 protocol must be uninstalled.
V-224967 Medium The Kerberos user ticket lifetime must be limited to 10 hours or less.
V-224999 Medium The Allow log on through Remote Desktop Services user right must only be assigned to the Administrators group.
V-224998 Medium The Add workstations to domain user right must only be assigned to the Administrators group.
V-224852 Medium The Peer Name Resolution Protocol must not be installed.
V-224853 Medium Simple TCP/IP Services must not be installed.
V-224849 Medium Windows Server 2016 must automatically remove or disable emergency accounts after the crisis is resolved or within 72 hours.
V-225038 Medium The Smart Card removal option must be configured to Force Logoff or Lock Workstation.
V-225093 Medium The Take ownership of files or other objects user right must only be assigned to the Administrators group.
V-225092 Medium The Restore files and directories user right must only be assigned to the Administrators group.
V-224848 Medium Windows Server 2016 must automatically remove or disable temporary user accounts after 72 hours.
V-224847 Medium Windows Server 2016 must employ automated mechanisms to determine the state of system components with regard to flaw remediation using the following frequency: continuously, where Host Based Security System (HBSS) is used; 30 days, for any additional internal network scans not covered by HBSS; and annually, for external scans by Computer Network Defense Service Provider (CNDSP).
V-225014 Medium The Access this computer from the network user right must only be assigned to the Administrators and Authenticated Users groups on member servers.
V-224846 Medium A host-based firewall must be installed and enabled on the system.
V-224977 Medium Separate, NSA-approved (Type 1) cryptography must be used to protect the directory data in transit for directory service implementations at a classified confidentiality level when replication data traverses a network cleared to a lower level than the data.
V-224976 Medium Domain controllers must run on a machine dedicated to that function.
V-224975 Medium Data files owned by users must be on a different logical partition from the directory server data files.
V-224951 Medium Basic authentication for RSS feeds over HTTP must not be used.
V-225027 Medium Windows Server 2016 built-in guest account must be renamed.
V-225000 Medium The Deny access to this computer from the network user right on domain controllers must be configured to prevent unauthenticated access.
V-225001 Medium The Deny log on as a batch job user right on domain controllers must be configured to prevent unauthenticated access.
V-225002 Medium The Deny log on as a service user right must be configured to include no accounts or groups (blank) on domain controllers.
V-225003 Medium The Deny log on locally user right on domain controllers must be configured to prevent unauthenticated access.
V-224927 Medium Printing over HTTP must be prevented.
V-225005 Medium The Enable computer and user accounts to be trusted for delegation user right must only be assigned to the Administrators group on domain controllers.
V-225006 Medium The password for the krbtgt account on a domain must be reset at least every 180 days.
V-225008 Medium Local administrator accounts must have their privileged token filtered to prevent elevated privileges from being used over the network on domain systems.
V-225009 Medium Local users on domain-joined computers must not be enumerated.
V-224845 Medium The roles and features required by the system must be documented.
V-224844 Medium Protection methods such as TLS, encrypted VPNs, or IPsec must be implemented if the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process.
V-224843 Medium Systems requiring data at rest protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest.
V-224842 Medium Software certificate installation files must be removed from Windows Server 2016.
V-224841 Medium Non-system-created file shares on a system must limit access to groups that require it.
V-224840 Medium System files must be monitored for unauthorized changes.
V-224942 Low Turning off File Explorer heap termination on corruption must be disabled.
V-224865 Low Windows 2016 systems must have Unified Extensible Firmware Interface (UEFI) firmware and be configured to run in UEFI mode, not Legacy BIOS.
V-224864 Low Secure Boot must be enabled on Windows Server 2016 systems.
V-224862 Low The time service must synchronize with an appropriate DoD time source.
V-225037 Low The Windows dialog box title for the legal banner must be configured with the appropriate text.
V-224836 Low Non-administrative accounts or groups must only have print permissions on printer shares.
V-224931 Low The Application Compatibility Program Inventory must be prevented from collecting data and sending the information to Microsoft.
V-224979 Low The directory service must be configured to terminate LDAP-based network connections to the directory server after 5 minutes of inactivity.
V-224919 Low Windows Server 2016 must be configured to ignore NetBIOS name release requests except from WINS servers.
V-224917 Low Source routing must be configured to the highest protection level to prevent Internet Protocol (IP) source routing.
V-224916 Low Internet Protocol version 6 (IPv6) source routing must be configured to the highest protection level to prevent IP source routing.
V-225060 Low The default permissions of global system objects must be strengthened.
V-224918 Low Windows Server 2016 must be configured to prevent Internet Control Message Protocol (ICMP) redirects from overriding Open Shortest Path First (OSPF)-generated routes.