UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Microsoft Windows Server 2019 Security Technical Implementation Guide


Overview

Date Finding Count (273)
2023-05-03 CAT I (High): 33 CAT II (Med): 226 CAT III (Low): 14
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Available Profiles



Findings (MAC III - Administrative Sensitive)

Finding ID Severity Title
V-205713 High Windows Server 2019 Windows Remote Management (WinRM) service must not use Basic authentication.
V-205738 High Windows Server 2019 must only allow administrators responsible for the domain controller to have Administrator rights on the system.
V-205806 High Windows Server 2019 AutoPlay must be disabled for all drives.
V-205804 High Windows Server 2019 Autoplay must be turned off for non-volume devices.
V-205805 High Windows Server 2019 default AutoRun behavior must be configured to prevent AutoRun commands.
V-205802 High Windows Server 2019 must disable the Windows Installer Always install with elevated privileges option.
V-205919 High Windows Server 2019 LAN Manager authentication level must be configured to send NTLMv2 response only and to refuse LM and NTLM.
V-205646 High Windows Server 2019 domain Controller PKI certificates must be issued by the DoD PKI or an approved External Certificate Authority (ECA).
V-205647 High Windows Server 2019 PKI certificates associated with user accounts must be issued by a DoD PKI or an approved External Certificate Authority (ECA).
V-205725 High Windows Server 2019 must restrict anonymous access to Named Pipes and Shares.
V-205724 High Windows Server 2019 must not allow anonymous enumeration of shares.
V-205654 High Windows Server 2019 must be configured to prevent the storage of the LAN Manager hash of passwords.
V-205653 High Windows Server 2019 reversible password encryption must be disabled.
V-205711 High Windows Server 2019 Windows Remote Management (WinRM) client must not use Basic authentication.
V-205739 High Windows Server 2019 permissions on the Active Directory data files must only allow System and Administrators access.
V-205663 High Windows Server 2019 local volumes must use a format that supports NTFS attributes.
V-205875 High Windows Server 2019 directory data (outside the root DSE) of a non-public directory must be configured to prevent anonymous access.
V-205844 High Windows Server 2019 users with Administrative privileges must have separate accounts for administrative duties and normal operational tasks.
V-205845 High Windows Server 2019 administrative accounts must not be used with applications that access the Internet, such as web browsers, or with potential Internet sources, such as email.
V-205849 High Windows Server 2019 must be maintained at a supported servicing level.
V-205757 High Windows Server 2019 Debug programs: user right must only be assigned to the Administrators group.
V-205742 High Windows Server 2019 Active Directory Domain Controllers Organizational Unit (OU) object must have the proper access control permissions.
V-205850 High Windows Server 2019 must use an anti-virus program.
V-205914 High Windows Server 2019 must not allow anonymous enumeration of Security Account Manager (SAM) accounts.
V-205913 High Windows Server 2019 must not allow anonymous SID/Name translation.
V-205753 High Windows Server 2019 Create a token object user right must not be assigned to any groups or accounts.
V-205750 High Windows Server 2019 Act as part of the operating system user right must not be assigned to any groups or accounts.
V-205908 High Windows Server 2019 must prevent local accounts with blank passwords from being used from the network.
V-205907 High Windows Server 2019 must be running Credential Guard on domain-joined member servers.
V-205746 High Windows Server 2019 must only allow Administrators responsible for the member server or standalone or nondomain-joined system to have Administrator rights on the system.
V-205741 High Windows Server 2019 Active Directory Group Policy objects must have proper access control permissions.
V-205740 High Windows Server 2019 Active Directory SYSVOL directory must have the proper access control permissions.
V-205743 High Windows Server 2019 organization created Active Directory Organizational Unit (OU) objects must have proper access control permissions.
V-205767 Medium Windows Server 2019 Restore files and directories user right must only be assigned to the Administrators group.
V-205715 Medium Windows Server 2019 local administrator accounts must have their privileged token filtered to prevent elevated privileges from being used over the network on domain-joined member servers.
V-205712 Medium Windows Server 2019 Windows Remote Management (WinRM) client must not use Digest authentication.
V-205659 Medium Windows Server 2019 maximum password age must be configured to 60 days or less.
V-205658 Medium Windows Server 2019 passwords must be configured to expire.
V-205631 Medium Windows Server 2019 required legal notice must be configured to display before console logon.
V-205630 Medium Windows Server 2019 must have the period of time before the bad logon counter is reset configured to 15 minutes or greater.
V-205633 Medium Windows Server 2019 machine inactivity limit must be set to 15 minutes or less, locking the system with the screen saver.
V-205635 Medium Windows Server 2019 must be configured to audit logon failures.
V-205634 Medium Windows Server 2019 must be configured to audit logon successes.
V-205636 Medium Windows Server 2019 Remote Desktop Services must require secure Remote Procedure Call (RPC) communications.
V-205639 Medium Windows Server 2019 PowerShell script block logging must be enabled.
V-205638 Medium Windows Server 2019 command line data must be included in process creation events.
V-205732 Medium Windows Server 2019 Deny log on through Remote Desktop Services user right on domain controllers must be configured to prevent unauthenticated access.
V-205733 Medium Windows Server 2019 "Deny log on through Remote Desktop Services" user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and all local accounts and from unauthenticated access on all systems.
V-205734 Medium Windows Server 2019 permissions for the system drive root directory (usually C:\) must conform to minimum requirements.
V-205735 Medium Windows Server 2019 permissions for program file directories must conform to minimum requirements.
V-205736 Medium Windows Server 2019 permissions for the Windows installation directory must conform to minimum requirements.
V-205737 Medium Windows Server 2019 default permissions for the HKEY_LOCAL_MACHINE registry hive must be maintained.
V-205807 Medium Windows Server 2019 must employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs.
V-205803 Medium Windows Server 2019 system files must be monitored for unauthorized changes.
V-205801 Medium Windows Server 2019 must prevent users from changing installation options.
V-205808 Medium Windows Server 2019 must not save passwords in the Remote Desktop Client.
V-205809 Medium Windows Server 2019 Remote Desktop Services must always prompt a client for passwords upon connection.
V-205832 Medium Windows Server 2019 must be configured to audit Account Logon - Credential Validation successes.
V-205772 Medium Windows Server 2019 must be configured to audit Policy Change - Audit Policy Change failures.
V-205818 Medium Windows Server 2019 must use separate, NSA-approved (Type 1) cryptography to protect the directory data in transit for directory service implementations at a classified confidentiality level when replication data traverses a network cleared to a lower level than the data.
V-205827 Medium Windows Server 2019 setting Microsoft network server: Digitally sign communications (always) must be configured to Enabled.
V-205765 Medium Windows Server 2019 Perform volume maintenance tasks user right must only be assigned to the Administrators group.
V-205828 Medium Windows Server 2019 setting Microsoft network server: Digitally sign communications (if client agrees) must be configured to Enabled.
V-205728 Medium Windows Server 2019 must employ automated mechanisms to determine the state of system components with regard to flaw remediation using the following frequency: continuously, where Endpoint Security Solution (ESS) is used; 30 days, for any additional internal network scans not covered by ESS; and annually, for external scans by Computer Network Defense Service Provider (CNDSP).
V-205918 Medium Windows Server 2019 must prevent PKU2U authentication using online identities.
V-205764 Medium Windows Server 2019 Modify firmware environment values user right must only be assigned to the Administrators group.
V-205644 Medium Windows Server 2019 must force audit policy subcategory settings to override audit policy category settings.
V-205645 Medium Windows Server 2019 domain controllers must have a PKI server certificate.
V-205640 Medium Windows Server 2019 permissions for the Application event log must prevent access by non-privileged accounts.
V-205641 Medium Windows Server 2019 permissions for the Security event log must prevent access by non-privileged accounts.
V-205642 Medium Windows Server 2019 permissions for the System event log must prevent access by non-privileged accounts.
V-205643 Medium Windows Server 2019 Manage auditing and security log user right must only be assigned to the Administrators group.
V-205723 Medium Windows Server 2019 data files owned by users must be on a different logical partition from the directory server data files.
V-205810 Medium Windows Server 2019 Windows Remote Management (WinRM) service must not store RunAs credentials.
V-205721 Medium Windows Server 2019 non-system-created file shares must limit access to groups that require it.
V-205720 Medium Windows Server 2019 User Account Control (UAC) must virtualize file and registry write failures to per-user locations.
V-205727 Medium Windows Server 2019 systems requiring data at rest protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest.
V-205816 Medium Windows Server 2019 Windows Remote Management (WinRM) client must not allow unencrypted traffic.
V-205811 Medium Windows Server 2019 User Account Control approval mode for the built-in Administrator must be enabled.
V-205722 Medium Windows Server 2019 Remote Desktop Services must prevent drive redirection.
V-205763 Medium Windows Server 2019 Lock pages in memory user right must not be assigned to any groups or accounts.
V-205813 Medium Windows Server 2019 User Account Control must run all administrators in Admin Approval Mode, enabling UAC.
V-205762 Medium Windows Server 2019 Load and unload device drivers user right must only be assigned to the Administrators group.
V-205812 Medium Windows Server 2019 User Account Control must automatically deny standard user requests for elevation.
V-205760 Medium Windows Server 2019 Impersonate a client after authentication user right must only be assigned to Administrators, Service, Local Service, and Network Service.
V-214936 Medium Windows Server 2019 must have a host-based firewall installed and enabled.
V-205648 Medium Windows Server 2019 must have the DoD Root Certificate Authority (CA) certificates installed in the Trusted Root Store.
V-205775 Medium Windows Server 2019 must be configured to audit Privilege Use - Sensitive Privilege Use successes.
V-205649 Medium Windows Server 2019 must have the DoD Interoperability Root Certificate Authority (CA) cross-certificates installed in the Untrusted Certificates Store on unclassified systems.
V-205796 Medium Windows Server 2019 Application event log size must be configured to 32768 KB or greater.
V-205797 Medium Windows Server 2019 Security event log size must be configured to 196608 KB or greater.
V-205795 Medium Windows Server 2019 account lockout duration must be configured to 15 minutes or greater.
V-205792 Medium Windows Server 2019 must be configured to audit DS Access - Directory Service Access failures.
V-205793 Medium Windows Server 2019 must be configured to audit DS Access - Directory Service Changes successes.
V-205790 Medium Windows Server 2019 Active Directory RID Manager$ object must be configured with proper audit settings.
V-205791 Medium Windows Server 2019 must be configured to audit DS Access - Directory Service Access successes.
V-205798 Medium Windows Server 2019 System event log size must be configured to 32768 KB or greater.
V-205799 Medium Windows Server 2019 audit records must be backed up to a different system or media than the system being audited.
V-205657 Medium Windows Server 2019 passwords for the built-in Administrator account must be changed at least every 60 days.
V-205656 Medium Windows Server 2019 minimum password age must be configured to at least one day.
V-205655 Medium Windows Server 2019 unencrypted passwords must not be sent to third-party Server Message Block (SMB) servers.
V-205869 Medium Windows Server 2019 Telemetry must be configured to Security or Basic.
V-205651 Medium Windows Server 2019 users must be required to enter a password to access private keys stored on the computer.
V-205719 Medium Windows Server 2019 User Account Control (UAC) must only elevate UIAccess applications that are installed in secure locations.
V-205716 Medium Windows Server 2019 UIAccess applications must not be allowed to prompt for elevation without using the secure desktop.
V-205865 Medium Windows Server 2019 Early Launch Antimalware, Boot-Start Driver Initialization Policy must prevent boot drivers identified as bad.
V-205714 Medium Windows Server 2019 administrator accounts must not be enumerated during elevation.
V-205867 Medium Windows Server 2019 users must be prompted to authenticate when the system wakes from sleep (on battery).
V-205861 Medium Windows Server 2019 insecure logons to an SMB server must be disabled.
V-205710 Medium Windows Server 2019 must automatically remove or disable emergency accounts after the crisis is resolved or within 72 hours.
V-205863 Medium Windows Server 2019 must be configured to enable Remote host allows delegation of non-exportable credentials.
V-205789 Medium Windows Server 2019 Active Directory AdminSDHolder object must be configured with proper audit settings.
V-205788 Medium Windows Server 2019 Active Directory Domain Controllers Organizational Unit (OU) object must be configured with proper audit settings.
V-205781 Medium Windows Server 2019 must be configured to audit System - Security State Change successes.
V-205780 Medium Windows Server 2019 must be configured to audit System - Other System Events failures.
V-205783 Medium Windows Server 2019 must be configured to audit System - System Integrity successes.
V-205782 Medium Windows Server 2019 must be configured to audit System - Security System Extension successes.
V-205785 Medium Windows Server 2019 Active Directory Group Policy objects must be configured with proper audit settings.
V-205784 Medium Windows Server 2019 must be configured to audit System - System Integrity failures.
V-205787 Medium Windows Server 2019 Active Directory Infrastructure object must be configured with proper audit settings.
V-205786 Medium Windows Server 2019 Active Directory Domain object must be configured with proper audit settings.
V-205815 Medium Windows Server 2019 computer account password must not be prevented from being reset.
V-205668 Medium Windows Server 2019 Deny log on as a batch job user right on domain controllers must be configured to prevent unauthenticated access.
V-205669 Medium Windows Server 2019 Deny log on as a service user right must be configured to include no accounts or groups (blank) on domain controllers.
V-205662 Medium Windows Server 2019 minimum password length must be configured to 14 characters.
V-205660 Medium Windows Server 2019 password history must be configured to 24 passwords remembered.
V-205661 Medium Windows Server 2019 manually managed application account passwords must be at least 15 characters in length.
V-205666 Medium Windows Server 2019 Allow log on through Remote Desktop Services user right must only be assigned to the Administrators group on domain controllers.
V-205667 Medium Windows Server 2019 Deny access to this computer from the network user right on domain controllers must be configured to prevent unauthenticated access.
V-205665 Medium Windows Server 2019 Access this computer from the network user right must only be assigned to the Administrators, Authenticated Users, and Enterprise Domain Controllers groups on domain controllers.
V-205701 Medium Windows Server 2019 Active Directory user accounts, including administrators, must be configured to require the use of a Common Access Card (CAC), Personal Identity Verification (PIV)-compliant hardware token, or Alternate Logon Token (ALT) for user authentication.
V-205700 Medium Windows Server 2019 accounts must require passwords.
V-205703 Medium Windows Server 2019 Kerberos service ticket maximum lifetime must be limited to 600 minutes or less.
V-205702 Medium Windows Server 2019 Kerberos user logon restrictions must be enforced.
V-205705 Medium Windows Server 2019 Kerberos policy user ticket renewal maximum lifetime must be limited to seven days or less.
V-205637 Medium Windows Server 2019 Remote Desktop Services must be configured with the client connection encryption set to High Level.
V-205707 Medium Windows Server 2019 outdated or unused accounts must be removed or disabled.
V-205925 Medium Windows Server 2019 must disable automatically signing in the last interactive user after a system-initiated restart.
V-205709 Medium Windows Server 2019 must have the built-in guest account disabled.
V-205708 Medium Windows Server 2019 Kerberos encryption types must be configured to prevent the use of DES and RC4 encryption suites.
V-205922 Medium Windows Server 2019 session security for NTLM SSP-based servers must be configured to require NTLMv2 session security and 128-bit encryption.
V-205873 Medium Windows Server 2019 must prevent attachments from being downloaded from RSS feeds.
V-205872 Medium Windows Server 2019 File Explorer shell protocol must run in protected mode.
V-205730 Medium Windows Server 2019 must be configured to audit Logon/Logoff - Account Lockout failures.
V-205731 Medium Windows Server 2019 Event Viewer must be protected from unauthorized modification and deletion.
V-205924 Medium Windows Server 2019 must preserve zone information when saving attachments.
V-205817 Medium Windows Server 2019 Windows Remote Management (WinRM) service must not allow unencrypted traffic.
V-205777 Medium Windows Server 2019 must be configured to audit System - IPsec Driver successes.
V-205679 Medium Windows Server 2019 must not have the Peer Name Resolution Protocol installed.
V-205678 Medium Windows Server 2019 must not have the Fax Server role installed.
V-205744 Medium Windows Server 2019 Add workstations to domain user right must only be assigned to the Administrators group on domain controllers.
V-205675 Medium Windows Server 2019 "Deny log on locally" user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and from unauthenticated access on all systems.
V-205674 Medium Windows Server 2019 "Deny log on as a service" user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts. No other groups or accounts must be assigned this right.
V-205677 Medium Windows Server 2019 must have the roles and features required by the system documented.
V-205676 Medium Windows Server 2019 Allow log on locally user right must only be assigned to the Administrators group.
V-205671 Medium Windows Server 2019 "Access this computer from the network" user right must only be assigned to the Administrators and Authenticated Users groups on domain-joined member servers and standalone or nondomain-joined systems.
V-205814 Medium Windows Server 2019 must restrict unauthenticated Remote Procedure Call (RPC) clients from connecting to the RPC server on domain-joined member servers and standalone or nondomain-joined systems.
V-205673 Medium Windows Server 2019 "Deny log on as a batch job" user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and from unauthenticated access on all systems.
V-205672 Medium Windows Server 2019 "Deny access to this computer from the network" user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and local accounts and from unauthenticated access on all systems.
V-205842 Medium Windows Server 2019 must be configured to use FIPS-compliant algorithms for encryption, hashing, and signing.
V-205843 Medium Windows Server 2019 must, at a minimum, offload audit records of interconnected systems in real time and offload standalone or nondomain-joined systems weekly.
V-205840 Medium Windows Server 2019 must be configured to audit Object Access - Removable Storage successes.
V-205841 Medium Windows Server 2019 must be configured to audit Object Access - Removable Storage failures.
V-205846 Medium Windows Server 2019 members of the Backup Operators group must have separate accounts for backup duties and normal operational tasks.
V-205847 Medium Windows Server 2019 manually managed application account passwords must be changed at least annually or when a system administrator with knowledge of the password leaves the organization.
V-205848 Medium Windows Server 2019 domain-joined systems must have a Trusted Platform Module (TPM) enabled and ready for use.
V-205778 Medium Windows Server 2019 must be configured to audit System - IPsec Driver failures.
V-205779 Medium Windows Server 2019 must be configured to audit System - Other System Events successes.
V-205773 Medium Windows Server 2019 must be configured to audit Policy Change - Authentication Policy Change successes.
V-205625 Medium Windows Server 2019 must be configured to audit Account Management - Security Group Management successes.
V-205921 Medium Windows Server 2019 session security for NTLM SSP-based clients must be configured to require NTLMv2 session security and 128-bit encryption.
V-205680 Medium Windows Server 2019 must not have Simple TCP/IP Services installed.
V-205681 Medium Windows Server 2019 must not have the TFTP Client installed.
V-205682 Medium Windows Server 2019 must not have the Server Message Block (SMB) v1 protocol installed.
V-205683 Medium Windows Server 2019 must have the Server Message Block (SMB) v1 protocol disabled on the SMB server.
V-205684 Medium Windows Server 2019 must have the Server Message Block (SMB) v1 protocol disabled on the SMB client.
V-205685 Medium Windows Server 2019 must not have Windows PowerShell 2.0 installed.
V-205686 Medium Windows Server 2019 must prevent the display of slide shows on the lock screen.
V-205687 Medium Windows Server 2019 must have WDigest Authentication disabled.
V-205688 Medium Windows Server 2019 downloading print driver packages over HTTP must be turned off.
V-205689 Medium Windows Server 2019 printing over HTTP must be turned off.
V-205862 Medium Windows Server 2019 hardened Universal Naming Convention (UNC) paths must be defined to require mutual authentication and integrity for at least the \\*\SYSVOL and \\*\NETLOGON shares.
V-205704 Medium Windows Server 2019 Kerberos user ticket lifetime must be limited to 10 hours or less.
V-205855 Medium Windows Server 2019 must have orphaned security identifiers (SIDs) removed from user rights.
V-205766 Medium Windows Server 2019 Profile single process user right must only be assigned to the Administrators group.
V-205851 Medium Windows Server 2019 must have a host-based intrusion detection or prevention system.
V-205761 Medium Windows Server 2019 Increase scheduling priority: user right must only be assigned to the Administrators group.
V-205852 Medium Windows Server 2019 must have software certificate installation files removed.
V-205915 Medium Windows Server 2019 must be configured to prevent anonymous users from having the same permissions as the Everyone group.
V-205774 Medium Windows Server 2019 must be configured to audit Policy Change - Authorization Policy Change successes.
V-205706 Medium Windows Server 2019 computer clock synchronization tolerance must be limited to five minutes or less.
V-205910 Medium Windows Server 2019 built-in guest account must be renamed.
V-205912 Medium Windows Server 2019 Smart Card removal option must be configured to Force Logoff or Lock Workstation.
V-205877 Medium The password for the krbtgt account on a domain must be reset at least every 180 days.
V-205690 Medium Windows Server 2019 network selection user interface (UI) must not be displayed on the logon screen.
V-205876 Medium Windows Server 2019 domain controllers must be configured to allow reset of machine account passwords.
V-205697 Medium Windows Server 2019 must not have the Microsoft FTP service installed unless required by the organization.
V-205917 Medium Windows Server 2019 must prevent NTLM from falling back to a Null session.
V-205920 Medium Windows Server 2019 must be configured to at least negotiate signing for LDAP client signing.
V-205874 Medium Windows Server 2019 users must be notified if a web-based program attempts to install software.
V-205693 Medium Windows Server 2019 must disable Basic authentication for RSS feeds over HTTP.
V-205692 Medium Windows Server 2019 Windows Defender SmartScreen must be enabled.
V-205758 Medium Windows Server 2019 Force shutdown from a remote system user right must only be assigned to the Administrators group.
V-205759 Medium Windows Server 2019 Generate security audits user right must only be assigned to Local Service and Network Service.
V-205670 Medium Windows Server 2019 Deny log on locally user right on domain controllers must be configured to prevent unauthenticated access.
V-205696 Medium Windows Server 2019 local users on domain-joined member servers must not be enumerated.
V-205695 Medium Windows Server 2019 domain controllers must run on a machine dedicated to that function.
V-205694 Medium Windows Server 2019 must prevent Indexing of encrypted files.
V-205752 Medium Windows Server 2019 Create a pagefile user right must only be assigned to the Administrators group.
V-205699 Medium Windows Server 2019 shared user accounts must not be permitted.
V-205698 Medium Windows Server 2019 must not have the Telnet Client installed.
V-205756 Medium Windows Server 2019 Create symbolic links user right must only be assigned to the Administrators group.
V-205754 Medium Windows Server 2019 Create global objects user right must only be assigned to Administrators, Service, Local Service, and Network Service.
V-205755 Medium Windows Server 2019 Create permanent shared objects user right must not be assigned to any groups or accounts.
V-205751 Medium Windows Server 2019 Back up files and directories user right must only be assigned to the Administrators group.
V-205769 Medium Windows Server 2019 must be configured to audit Account Management - Other Account Management Events successes.
V-205909 Medium Windows Server 2019 built-in administrator account must be renamed.
V-205906 Medium Windows Server 2019 must limit the caching of logon credentials to four or less on domain-joined member servers.
V-205853 Medium Windows Server 2019 FTP servers must be configured to prevent anonymous logons.
V-205771 Medium Windows Server 2019 must be configured to audit Policy Change - Audit Policy Change successes.
V-205820 Medium Windows Server 2019 domain controllers must require LDAP access signing.
V-205821 Medium Windows Server 2019 setting Domain member: Digitally encrypt or sign secure channel data (always) must be configured to Enabled.
V-205822 Medium Windows Server 2019 setting Domain member: Digitally encrypt secure channel data (when possible) must be configured to enabled.
V-205823 Medium Windows Server 2019 setting Domain member: Digitally sign secure channel data (when possible) must be configured to Enabled.
V-205824 Medium Windows Server 2019 must be configured to require a strong session key.
V-205825 Medium Windows Server 2019 setting Microsoft network client: Digitally sign communications (always) must be configured to Enabled.
V-205826 Medium Windows Server 2019 setting Microsoft network client: Digitally sign communications (if server agrees) must be configured to Enabled.
V-205911 Medium Windows Server 2019 maximum age for machine account passwords must be configured to 30 days or less.
V-205770 Medium Windows Server 2019 must be configured to audit Detailed Tracking - Process Creation successes.
V-205829 Medium Windows Server 2019 must implement protection methods such as TLS, encrypted VPNs, or IPsec if the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process.
V-205768 Medium Windows Server 2019 Take ownership of files or other objects user right must only be assigned to the Administrators group.
V-205916 Medium Windows Server 2019 services using Local System that use Negotiate when reverting to NTLM authentication must use the computer identity instead of authenticating anonymously.
V-205834 Medium Windows Server 2019 must be configured to audit Logon/Logoff - Group Membership successes.
V-205854 Medium Windows Server 2019 FTP servers must be configured to prevent access to the system drive.
V-205749 Medium Windows Server 2019 Access Credential Manager as a trusted caller user right must not be assigned to any groups or accounts.
V-205748 Medium Windows Server 2019 "Enable computer and user accounts to be trusted for delegation" user right must not be assigned to any groups or accounts on domain-joined member servers and standalone or nondomain-joined systems.
V-205745 Medium Windows Server 2019 Enable computer and user accounts to be trusted for delegation user right must only be assigned to the Administrators group on domain controllers.
V-205868 Medium Windows Server 2019 users must be prompted to authenticate when the system wakes from sleep (plugged in).
V-205747 Medium Windows Server 2019 must restrict remote calls to the Security Account Manager (SAM) to Administrators on domain-joined member servers and standalone or nondomain-joined systems.
V-205652 Medium Windows Server 2019 must have the built-in Windows password complexity policy enabled.
V-205718 Medium Windows Server 2019 User Account Control must be configured to detect application installations and prompt for elevation.
V-205628 Medium Windows Server 2019 must be configured to audit Account Management - Computer Account Management successes.
V-205629 Medium Windows Server 2019 must have the number of allowed bad logon attempts configured to three or less.
V-205626 Medium Windows Server 2019 must be configured to audit Account Management - User Account Management successes.
V-205627 Medium Windows Server 2019 must be configured to audit Account Management - User Account Management failures.
V-205624 Medium Windows Server 2019 must automatically remove or disable temporary user accounts after 72 hours.
V-205650 Medium Windows Server 2019 must have the US DoD CCEB Interoperability Root CA cross-certificates in the Untrusted Certificates Store on unclassified systems.
V-205776 Medium Windows Server 2019 must be configured to audit Privilege Use - Sensitive Privilege Use failures.
V-236001 Medium The Windows Explorer Preview pane must be disabled for Windows Server 2019.
V-205833 Medium Windows Server 2019 must be configured to audit Account Logon - Credential Validation failures.
V-205864 Medium Windows Server 2019 virtualization-based security must be enabled with the platform security level configured to Secure Boot or Secure Boot with DMA Protection.
V-205830 Medium Windows Server 2019 Explorer Data Execution Prevention must be enabled.
V-205837 Medium Windows Server 2019 must be configured to audit Object Access - Other Object Access Events failures.
V-205836 Medium Windows Server 2019 must be configured to audit Object Access - Other Object Access Events successes.
V-205835 Medium Windows Server 2019 must be configured to audit Logon/Logoff - Special Logon successes.
V-205717 Medium Windows Server 2019 User Account Control must, at a minimum, prompt administrators for consent on the secure desktop.
V-205839 Medium Windows Server 2019 must be configured to audit Detailed Tracking - Plug and Play Events successes.
V-205838 Medium Windows Server 2019 must be configured to audit logoff successes.
V-205866 Medium Windows Server 2019 group policy objects must be reprocessed even if they have not changed.
V-205691 Low Windows Server 2019 Application Compatibility Program Inventory must be prevented from collecting data and sending the information to Microsoft.
V-205632 Low Windows Server 2019 title for legal banner dialog box must be configured with the appropriate text.
V-205923 Low Windows Server 2019 default permissions of global system objects must be strengthened.
V-205800 Low The Windows Server 2019 time service must synchronize with an appropriate DoD time source.
V-205819 Low Windows Server 2019 must be configured to ignore NetBIOS name release requests except from WINS servers.
V-205726 Low Windows Server 2019 directory service must be configured to terminate LDAP-based network connections to the directory server after five minutes of inactivity.
V-205860 Low Windows Server 2019 must be configured to prevent Internet Control Message Protocol (ICMP) redirects from overriding Open Shortest Path First (OSPF)-generated routes.
V-205664 Low Windows Server 2019 non-administrative accounts or groups must only have print permissions on printer shares.
V-205871 Low Windows Server 2019 Turning off File Explorer heap termination on corruption must be disabled.
V-205870 Low Windows Server 2019 Windows Update must not obtain updates from other PCs on the Internet.
V-205859 Low Windows Server 2019 source routing must be configured to the highest protection level to prevent Internet Protocol (IP) source routing.
V-205857 Low Windows Server 2019 must have Secure Boot enabled.
V-205856 Low Windows Server 2019 systems must have Unified Extensible Firmware Interface (UEFI) firmware and be configured to run in UEFI mode, not Legacy BIOS.
V-205858 Low Windows Server 2019 Internet Protocol version 6 (IPv6) source routing must be configured to the highest protection level to prevent IP source routing.