UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Microsoft Windows Server 2022 Security Technical Implementation Guide


Overview

Date Finding Count (273)
2024-06-14 CAT I (High): 31 CAT II (Med): 230 CAT III (Low): 12
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Available Profiles



Findings (MAC III - Administrative Sensitive)

Finding ID Severity Title
V-254492 High Windows Server 2022 Act as part of the operating system user right must not be assigned to any groups or accounts.
V-254413 High Windows Server 2022 domain Controller PKI certificates must be issued by the DoD PKI or an approved External Certificate Authority (ECA).
V-254414 High Windows Server 2022 PKI certificates associated with user accounts must be issued by a DoD PKI or an approved External Certificate Authority (ECA).
V-254399 High Windows Server 2022 directory data (outside the root DSE) of a nonpublic directory must be configured to prevent anonymous access.
V-254394 High Windows Server 2022 Active Directory Domain Controllers Organizational Unit (OU) object must have the proper access control permissions.
V-254395 High Windows Server 2022 organization created Active Directory Organizational Unit (OU) objects must have proper access control permissions.
V-254391 High Windows Server 2022 permissions on the Active Directory data files must only allow System and Administrators access.
V-254392 High Windows Server 2022 Active Directory SYSVOL directory must have the proper access control permissions.
V-254393 High Windows Server 2022 Active Directory Group Policy objects must have proper access control permissions.
V-254250 High Windows Server 2022 local volumes must use a format that supports NTFS attributes.
V-254428 High Windows Server 2022 must only allow administrators responsible for the member server or standalone or nondomain-joined system to have Administrator rights on the system.
V-254385 High Windows Server 2022 must only allow administrators responsible for the domain controller to have Administrator rights on the system.
V-254381 High Windows Server 2022 Windows Remote Management (WinRM) service must not use Basic authentication.
V-254496 High Windows Server 2022 create a token object user right must not be assigned to any groups or accounts.
V-254466 High Windows Server 2022 must not allow anonymous enumeration of Security Account Manager (SAM) accounts.
V-254352 High Windows Server 2022 Autoplay must be turned off for nonvolume devices.
V-254353 High Windows Server 2022 default AutoRun behavior must be configured to prevent AutoRun commands.
V-254354 High Windows Server 2022 AutoPlay must be disabled for all drives.
V-254446 High Windows Server 2022 must prevent local accounts with blank passwords from being used from the network.
V-254441 High Windows Server 2022 must be running Credential Guard on domain-joined member servers.
V-254262 High Windows Server 2022 systems requiring data at rest protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest.
V-254293 High Windows Server 2022 reversible password encryption must be disabled.
V-254374 High Windows Server 2022 must disable the Windows Installer Always install with elevated privileges option.
V-254465 High Windows Server 2022 must not allow anonymous SID/Name translation.
V-254500 High Windows Server 2022 debug programs user right must only be assigned to the Administrators group.
V-254475 High Windows Server 2022 LAN Manager authentication level must be configured to send NTLMv2 response only and to refuse LM and NTLM.
V-254474 High Windows Server 2022 must be configured to prevent the storage of the LAN Manager hash of passwords.
V-254469 High Windows Server 2022 must restrict anonymous access to Named Pipes and Shares.
V-254378 High Windows Server 2022 Windows Remote Management (WinRM) client must not use Basic authentication.
V-254467 High Windows Server 2022 must not allow anonymous enumeration of shares.
V-254240 High Windows Server 2022 administrative accounts must not be used with applications that access the internet, such as web browsers, or with potential internet sources, such as email.
V-254307 Medium Windows Server 2022 must be configured to audit Detailed Tracking - Process Creation successes.
V-254306 Medium Windows Server 2022 must be configured to audit Detailed Tracking - Plug and Play Events successes.
V-254305 Medium Windows Server 2022 must be configured to audit Account Management - User Account Management failures.
V-254304 Medium Windows Server 2022 must be configured to audit Account Management - User Account Management successes.
V-254303 Medium Windows Server 2022 must be configured to audit Account Management - Security Group Management successes.
V-254302 Medium Windows Server 2022 must be configured to audit Account Management - Other Account Management Events successes.
V-254301 Medium Windows Server 2022 must be configured to audit Account Logon - Credential Validation failures.
V-254300 Medium Windows Server 2022 must be configured to audit Account Logon - Credential Validation successes.
V-254499 Medium Windows Server 2022 create symbolic links user right must only be assigned to the Administrators group.
V-254498 Medium Windows Server 2022 create permanent shared objects user right must not be assigned to any groups or accounts.
V-254491 Medium Windows Server 2022 Access Credential Manager as a trusted caller user right must not be assigned to any groups or accounts.
V-254309 Medium Windows Server 2022 must be configured to audit Logon/Logoff - Account Lockout failures.
V-254419 Medium Windows Server 2022 Add workstations to domain user right must only be assigned to the Administrators group on domain controllers.
V-254490 Medium Windows Server 2022 must preserve zone information when saving attachments.
V-254412 Medium Windows Server 2022 domain controllers must have a PKI server certificate.
V-254375 Medium Windows Server 2022 users must be notified if a web-based program attempts to install software.
V-254410 Medium Windows Server 2022 must be configured to audit DS Access - Directory Service Changes successes.
V-254417 Medium Windows Server 2022 domain controllers must be configured to allow reset of machine account passwords.
V-254416 Medium Windows Server 2022 domain controllers must require LDAP access signing.
V-254415 Medium Windows Server 2022 Active Directory user accounts, including administrators, must be configured to require the use of a Common Access Card (CAC), Personal Identity Verification (PIV)-compliant hardware token, or Alternate Logon Token (ALT) for user authentication.
V-254266 Medium Windows Server 2022 must employ automated mechanisms to determine the state of system components with regard to flaw remediation using the following frequency: continuously, where Endpoint Security Solution (ESS) is used; 30 days, for any additional internal network scans not covered by ESS; and annually, for external scans by Computer Network Defense Service Provider (CNDSP).
V-254398 Medium Windows Server 2022 must use separate, NSA-approved (Type 1) cryptography to protect the directory data in transit for directory service implementations at a classified confidentiality level when replication data traverses a network cleared to a lower level than the data.
V-254396 Medium Windows Server 2022 data files owned by users must be on a different logical partition from the directory server data files.
V-254397 Medium Windows Server 2022 domain controllers must run on a machine dedicated to that function.
V-254390 Medium Windows Server 2022 computer clock synchronization tolerance must be limited to five minutes or less.
V-254259 Medium Windows Server 2022 system files must be monitored for unauthorized changes.
V-254258 Medium Windows Server 2022 passwords must be configured to expire.
V-254254 Medium Windows Server 2022 default permissions for the HKEY_LOCAL_MACHINE registry hive must be maintained.
V-254257 Medium Windows Server 2022 accounts must require passwords.
V-254256 Medium Windows Server 2022 outdated or unused accounts must be removed or disabled.
V-254251 Medium Windows Server 2022 permissions for the system drive root directory (usually C:\) must conform to minimum requirements.
V-254253 Medium Windows Server 2022 permissions for the Windows installation directory must conform to minimum requirements.
V-254252 Medium Windows Server 2022 permissions for program file directories must conform to minimum requirements.
V-254239 Medium Windows Server 2022 passwords for the built-in Administrator account must be changed at least every 60 days.
V-254238 Medium Windows Server 2022 users with Administrative privileges must have separate accounts for administrative duties and normal operational tasks.
V-254268 Medium Windows Server 2022 must automatically remove or disable emergency accounts after the crisis is resolved or within 72 hours.
V-254317 Medium Windows Server 2022 must be configured to audit Object Access - Removable Storage successes.
V-254269 Medium Windows Server 2022 must not have the Fax Server role installed.
V-254429 Medium Windows Server 2022 local administrator accounts must have their privileged token filtered to prevent elevated privileges from being used over the network on domain-joined member servers.
V-254426 Medium Windows Server 2022 Enable computer and user accounts to be trusted for delegation user right must only be assigned to the Administrators group on domain controllers.
V-254427 Medium The password for the krbtgt account on a domain must be reset at least every 180 days.
V-254424 Medium Windows Server 2022 Deny log on locally user right on domain controllers must be configured to prevent unauthenticated access.
V-254425 Medium Windows Server 2022 Deny log on through Remote Desktop Services user right on domain controllers must be configured to prevent unauthenticated access.
V-254422 Medium Windows Server 2022 Deny log on as a batch job user right on domain controllers must be configured to prevent unauthenticated access.
V-254423 Medium Windows Server 2022 Deny log on as a service user right must be configured to include no accounts or groups (blank) on domain controllers.
V-254420 Medium Windows Server 2022 Allow log on through Remote Desktop Services user right must only be assigned to the Administrators group on domain controllers.
V-254421 Medium Windows Server 2022 Deny access to this computer from the network user right on domain controllers must be configured to prevent unauthenticated access.
V-254389 Medium Windows Server 2022 Kerberos policy user ticket renewal maximum lifetime must be limited to seven days or less.
V-254388 Medium Windows Server 2022 Kerberos user ticket lifetime must be limited to 10 hours or less.
V-254387 Medium Windows Server 2022 Kerberos service ticket maximum lifetime must be limited to 600 minutes or less.
V-254386 Medium Windows Server 2022 Kerberos user logon restrictions must be enforced.
V-254384 Medium Windows Server 2022 must have PowerShell Transcription enabled.
V-254383 Medium Windows Server 2022 Windows Remote Management (WinRM) service must not store RunAs credentials.
V-254382 Medium Windows Server 2022 Windows Remote Management (WinRM) service must not allow unencrypted traffic.
V-254380 Medium Windows Server 2022 Windows Remote Management (WinRM) client must not use Digest authentication.
V-254418 Medium Windows Server 2022 Access this computer from the network user right must only be assigned to the Administrators, Authenticated Users, and Enterprise Domain Controllers groups on domain controllers.
V-254370 Medium Windows Server 2022 must prevent attachments from being downloaded from RSS feeds.
V-254360 Medium Windows Server 2022 System event log size must be configured to 32768 KB or greater.
V-254314 Medium Windows Server 2022 must be configured to audit Logon/Logoff - Special Logon successes.
V-254315 Medium Windows Server 2022 must be configured to audit Object Access - Other Object Access Events successes.
V-254316 Medium Windows Server 2022 must be configured to audit Object Access - Other Object Access Events failures.
V-254431 Medium Windows Server 2022 must restrict unauthenticated Remote Procedure Call (RPC) clients from connecting to the RPC server on domain-joined member servers and standalone or nondomain-joined systems.
V-254430 Medium Windows Server 2022 local users on domain-joined member servers must not be enumerated.
V-254433 Medium Windows Server 2022 must restrict remote calls to the Security Account Manager (SAM) to Administrators on domain-joined member servers and standalone or nondomain-joined systems.
V-254432 Medium Windows Server 2022 must limit the caching of logon credentials to four or less on domain-joined member servers.
V-254435 Medium Windows Server 2022 Deny access to this computer from the network user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and local accounts and from unauthenticated access on all systems.
V-254434 Medium Windows Server 2022 Access this computer from the network user right must only be assigned to the Administrators and Authenticated Users groups on domain-joined member servers and standalone or nondomain-joined systems.
V-254437 Medium Windows Server 2022 Deny log on as a service user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts. No other groups or accounts must be assigned this right.
V-254436 Medium Windows Server 2022 Deny log on as a batch job user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and from unauthenticated access on all systems.
V-254439 Medium Windows Server 2022 Deny log on through Remote Desktop Services user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and all local accounts and from unauthenticated access on all systems.
V-254438 Medium Windows Server 2022 Deny log on locally user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and from unauthenticated access on all systems.
V-254311 Medium Windows Server 2022 must be configured to audit logoff successes.
V-254371 Medium Windows Server 2022 must disable Basic authentication for RSS feeds over HTTP.
V-254312 Medium Windows Server 2022 must be configured to audit logon successes.
V-254495 Medium Windows Server 2022 create a pagefile user right must only be assigned to the Administrators group.
V-254313 Medium Windows Server 2022 must be configured to audit logon failures.
V-254339 Medium Windows Server 2022 insecure logons to an SMB server must be disabled.
V-254459 Medium Windows Server 2022 Smart Card removal option must be configured to Force Logoff or Lock Workstation.
V-254332 Medium Windows Server 2022 must be configured to audit System - System Integrity failures.
V-254333 Medium Windows Server 2022 must prevent the display of slide shows on the lock screen.
V-254330 Medium Windows Server 2022 must be configured to audit System - Security System Extension successes.
V-254331 Medium Windows Server 2022 must be configured to audit System - System Integrity successes.
V-254334 Medium Windows Server 2022 must have WDigest Authentication disabled.
V-254358 Medium Windows Server 2022 Application event log size must be configured to 32768 KB or greater.
V-254359 Medium Windows Server 2022 Security event log size must be configured to 196608 KB or greater.
V-254350 Medium Windows Server 2022 users must be prompted to authenticate when the system wakes from sleep (plugged in).
V-254355 Medium Windows Server 2022 administrator accounts must not be enumerated during elevation.
V-254356 Medium Windows Server 2022 Diagnostic Data must be configured to send "required diagnostic data" or "optional diagnostic data".
V-254444 Medium Windows Server 2022 must have the US DoD CCEB Interoperability Root CA cross-certificates in the Untrusted Certificates Store on unclassified systems.
V-254445 Medium Windows Server 2022 must have the built-in guest account disabled.
V-254447 Medium Windows Server 2022 built-in administrator account must be renamed.
V-254440 Medium Windows Server 2022 Enable computer and user accounts to be trusted for delegation user right must not be assigned to any groups or accounts on domain-joined member servers and standalone or nondomain-joined systems.
V-254442 Medium Windows Server 2022 must have the DoD Root Certificate Authority (CA) certificates installed in the Trusted Root Store.
V-254443 Medium Windows Server 2022 must have the DoD Interoperability Root Certificate Authority (CA) cross-certificates installed in the Untrusted Certificates Store on unclassified systems.
V-254448 Medium Windows Server 2022 built-in guest account must be renamed.
V-254449 Medium Windows Server 2022 must force audit policy subcategory settings to override audit policy category settings.
V-254286 Medium Windows Server 2022 must have the number of allowed bad logon attempts configured to three or less.
V-254287 Medium Windows Server 2022 must have the period of time before the bad logon counter is reset configured to 15 minutes or greater.
V-254284 Medium Windows Server 2022 must have Secure Boot enabled.
V-254285 Medium Windows Server 2022 account lockout duration must be configured to 15 minutes or greater.
V-254282 Medium Windows Server 2022 must have orphaned security identifiers (SIDs) removed from user rights.
V-254283 Medium Windows Server 2022 systems must have Unified Extensible Firmware Interface (UEFI) firmware and be configured to run in UEFI mode, not Legacy BIOS.
V-254280 Medium Windows Server 2022 FTP servers must be configured to prevent access to the system drive.
V-254325 Medium Windows Server 2022 must be configured to audit System - IPsec Driver successes.
V-254324 Medium Windows Server 2022 must be configured to audit Privilege Use - Sensitive Privilege Use failures.
V-254327 Medium Windows Server 2022 must be configured to audit System - Other System Events successes.
V-254326 Medium Windows Server 2022 must be configured to audit System - IPsec Driver failures.
V-254321 Medium Windows Server 2022 must be configured to audit Policy Change - Authentication Policy Change successes.
V-254320 Medium Windows Server 2022 must be configured to audit Policy Change - Audit Policy Change failures.
V-254323 Medium Windows Server 2022 must be configured to audit Privilege Use - Sensitive Privilege Use successes.
V-254289 Medium Windows Server 2022 maximum password age must be configured to 60 days or less.
V-254264 Medium Windows Server 2022 must have the roles and features required by the system documented.
V-254265 Medium Windows Server 2022 must have a host-based firewall installed and enabled.
V-254349 Medium Windows Server 2022 users must be prompted to authenticate when the system wakes from sleep (on battery).
V-254348 Medium Windows Server 2022 network selection user interface (UI) must not be displayed on the logon screen.
V-254260 Medium Windows Server 2022 nonsystem-created file shares must limit access to groups that require it.
V-254261 Medium Windows Server 2022 must have software certificate installation files removed.
V-254263 Medium Windows Server 2022 must implement protection methods such as TLS, encrypted VPNs, or IPsec if the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process.
V-254343 Medium Windows Server 2022 virtualization-based security must be enabled with the platform security level configured to Secure Boot or Secure Boot with DMA Protection.
V-254342 Medium Windows Server 2022 must be configured to enable Remote host allows delegation of nonexportable credentials.
V-254341 Medium Windows Server 2022 command line data must be included in process creation events.
V-254340 Medium Windows Server 2022 hardened Universal Naming Convention (UNC) paths must be defined to require mutual authentication and integrity for at least the \\*\SYSVOL and \\*\NETLOGON shares.
V-254347 Medium Windows Server 2022 printing over HTTP must be turned off.
V-254346 Medium Windows Server 2022 downloading print driver packages over HTTP must be turned off.
V-254345 Medium Windows Server 2022 group policy objects must be reprocessed even if they have not changed.
V-254344 Medium Windows Server 2022 Early Launch Antimalware, Boot-Start Driver Initialization Policy must prevent boot drivers identified as bad.
V-254457 Medium Windows Server 2022 required legal notice must be configured to display before console logon.
V-254456 Medium Windows Server 2022 machine inactivity limit must be set to 15 minutes or less, locking the system with the screen saver.
V-254455 Medium Windows Server 2022 must be configured to require a strong session key.
V-254454 Medium Windows Server 2022 maximum age for machine account passwords must be configured to 30 days or less.
V-254453 Medium Windows Server 2022 computer account password must not be prevented from being reset.
V-254452 Medium Windows Server 2022 setting Domain member: Digitally sign secure channel data (when possible) must be configured to Enabled.
V-254451 Medium Windows Server 2022 setting Domain member: Digitally encrypt secure channel data (when possible) must be configured to Enabled.
V-254450 Medium Windows Server 2022 setting Domain member: Digitally encrypt or sign secure channel data (always) must be configured to Enabled.
V-254267 Medium Windows Server 2022 must automatically remove or disable temporary user accounts after 72 hours.
V-254365 Medium Windows Server 2022 must not save passwords in the Remote Desktop Client.
V-254512 Medium Windows Server 2022 take ownership of files or other objects user right must only be assigned to the Administrators group.
V-254510 Medium Windows Server 2022 profile single process user right must only be assigned to the Administrators group.
V-254511 Medium Windows Server 2022 restore files and directories user right must only be assigned to the Administrators group.
V-254299 Medium Windows Server 2022 Event Viewer must be protected from unauthorized modification and deletion.
V-254298 Medium Windows Server 2022 permissions for the System event log must prevent access by nonprivileged accounts.
V-254494 Medium Windows Server 2022 back up files and directories user right must only be assigned to the Administrators group.
V-254291 Medium Windows Server 2022 minimum password length must be configured to 14 characters.
V-254290 Medium Windows Server 2022 minimum password age must be configured to at least one day.
V-254292 Medium Windows Server 2022 must have the built-in Windows password complexity policy enabled.
V-254295 Medium Windows Server 2022 must, at a minimum, offload audit records of interconnected systems in real time and offload standalone or nondomain-joined systems weekly.
V-254294 Medium Windows Server 2022 audit records must be backed up to a different system or media than the system being audited.
V-254297 Medium Windows Server 2022 permissions for the Security event log must prevent access by nonprivileged accounts.
V-254296 Medium Windows Server 2022 permissions for the Application event log must prevent access by nonprivileged accounts.
V-254369 Medium Windows Server 2022 Remote Desktop Services must be configured with the client connection encryption set to High Level.
V-254368 Medium Windows Server 2022 Remote Desktop Services must require secure Remote Procedure Call (RPC) communications.
V-254277 Medium Windows Server 2022 must have the Server Message Block (SMB) v1 protocol disabled on the SMB client.
V-254276 Medium Windows Server 2022 must have the Server Message Block (SMB) v1 protocol disabled on the SMB server.
V-254275 Medium Windows Server 2022 must not the Server Message Block (SMB) v1 protocol installed.
V-254274 Medium Windows Server 2022 must not have the TFTP Client installed.
V-254273 Medium Windows Server 2022 must not have the Telnet Client installed.
V-254272 Medium Windows Server 2022 must not have Simple TCP/IP Services installed.
V-254271 Medium Windows Server 2022 must not have the Peer Name Resolution Protocol installed.
V-254270 Medium Windows Server 2022 must not have the Microsoft FTP service installed unless required by the organization.
V-254376 Medium Windows Server 2022 must disable automatically signing in the last interactive user after a system-initiated restart.
V-254377 Medium Windows Server 2022 PowerShell script block logging must be enabled.
V-254461 Medium Windows Server 2022 setting Microsoft network client: Digitally sign communications (if server agrees) must be configured to Enabled.
V-254372 Medium Windows Server 2022 must prevent Indexing of encrypted files.
V-254373 Medium Windows Server 2022 must prevent users from changing installation options.
V-254464 Medium Windows Server 2022 setting Microsoft network server: Digitally sign communications (if client agrees) must be configured to Enabled.
V-254503 Medium Windows Server 2022 impersonate a client after authentication user right must only be assigned to Administrators, Service, Local Service, and Network Service.
V-254502 Medium Windows Server 2022 generate security audits user right must only be assigned to Local Service and Network Service.
V-254505 Medium Windows Server 2022 load and unload device drivers user right must only be assigned to the Administrators group.
V-254504 Medium Windows Server 2022 increase scheduling priority: user right must only be assigned to the Administrators group.
V-254507 Medium Windows Server 2022 manage auditing and security log user right must only be assigned to the Administrators group.
V-254506 Medium Windows Server 2022 lock pages in memory user right must not be assigned to any groups or accounts.
V-254509 Medium Windows Server 2022 perform volume maintenance tasks user right must only be assigned to the Administrators group.
V-254508 Medium Windows Server 2022 modify firmware environment values user right must only be assigned to the Administrators group.
V-254322 Medium Windows Server 2022 must be configured to audit Policy Change - Authorization Policy Change successes.
V-254468 Medium Windows Server 2022 must be configured to prevent anonymous users from having the same permissions as the Everyone group.
V-254361 Medium Windows Server 2022 Microsoft Defender antivirus SmartScreen must be enabled.
V-254278 Medium Windows Server 2022 must not have Windows PowerShell 2.0 installed.
V-254362 Medium Windows Server 2022 Explorer Data Execution Prevention must be enabled.
V-254479 Medium Windows Server 2022 users must be required to enter a password to access private keys stored on the computer.
V-254478 Medium Windows Server 2022 session security for NTLM SSP-based servers must be configured to require NTLMv2 session security and 128-bit encryption.
V-254367 Medium Windows Server 2022 Remote Desktop Services must always prompt a client for passwords upon connection.
V-254366 Medium Windows Server 2022 Remote Desktop Services must prevent drive redirection.
V-254477 Medium Windows Server 2022 session security for NTLM SSP-based clients must be configured to require NTLMv2 session security and 128-bit encryption.
V-254476 Medium Windows Server 2022 must be configured to at least negotiate signing for LDAP client signing.
V-254471 Medium Windows Server 2022 must prevent NTLM from falling back to a Null session.
V-254470 Medium Windows Server 2022 services using Local System that use Negotiate when reverting to NTLM authentication must use the computer identity instead of authenticating anonymously.
V-254473 Medium Windows Server 2022 Kerberos encryption types must be configured to prevent the use of DES and RC4 encryption suites.
V-254472 Medium Windows Server 2022 must prevent PKU2U authentication using online identities.
V-254497 Medium Windows Server 2022 create global objects user right must only be assigned to Administrators, Service, Local Service, and Network Service.
V-254379 Medium Windows Server 2022 Windows Remote Management (WinRM) client must not allow unencrypted traffic.
V-254462 Medium Windows Server 2022 unencrypted passwords must not be sent to third-party Server Message Block (SMB) servers.
V-254463 Medium Windows Server 2022 setting Microsoft network server: Digitally sign communications (always) must be configured to Enabled.
V-254329 Medium Windows Server 2022 must be configured to audit System - Security State Change successes.
V-254460 Medium Windows Server 2022 setting Microsoft network client: Digitally sign communications (always) must be configured to Enabled.
V-254328 Medium Windows Server 2022 must be configured to audit System - Other System Events failures.
V-254480 Medium Windows Server 2022 must be configured to use FIPS-compliant algorithms for encryption, hashing, and signing.
V-254482 Medium Windows Server 2022 User Account Control (UAC) approval mode for the built-in Administrator must be enabled.
V-254483 Medium Windows Server 2022 UIAccess applications must not be allowed to prompt for elevation without using the secure desktop.
V-254310 Medium Windows Server 2022 must be configured to audit Logon/Logoff - Group Membership successes.
V-254485 Medium Windows Server 2022 User Account Control (UAC) must automatically deny standard user requests for elevation.
V-254486 Medium Windows Server 2022 User Account Control (UAC) must be configured to detect application installations and prompt for elevation.
V-254487 Medium Windows Server 2022 User Account Control (UAC) must only elevate UIAccess applications that are installed in secure locations.
V-254488 Medium Windows Server 2022 User Account Control (UAC) must run all administrators in Admin Approval Mode, enabling UAC.
V-254489 Medium Windows Server 2022 User Account Control (UAC) must virtualize file and registry write failures to per-user locations.
V-254318 Medium Windows Server 2022 must be configured to audit Object Access - Removable Storage failures.
V-254319 Medium Windows Server 2022 must be configured to audit Policy Change - Audit Policy Change successes.
V-254408 Medium Windows Server 2022 must be configured to audit DS Access - Directory Service Access successes.
V-254409 Medium Windows Server 2022 must be configured to audit DS Access - Directory Service Access failures.
V-254279 Medium Windows Server 2022 FTP servers must be configured to prevent anonymous logons.
V-254401 Medium Windows Server 2022 Active Directory Group Policy objects must be configured with proper audit settings.
V-254402 Medium Windows Server 2022 Active Directory Domain object must be configured with proper audit settings.
V-254403 Medium Windows Server 2022 Active Directory Infrastructure object must be configured with proper audit settings.
V-254404 Medium Windows Server 2022 Active Directory Domain Controllers Organizational Unit (OU) object must be configured with proper audit settings.
V-254405 Medium Windows Server 2022 Active Directory AdminSDHolder object must be configured with proper audit settings.
V-254406 Medium Windows Server 2022 Active Directory RID Manager$ object must be configured with proper audit settings.
V-254407 Medium Windows Server 2022 must be configured to audit Account Management - Computer Account Management successes.
V-254501 Medium Windows Server 2022 force shutdown from a remote system user right must only be assigned to the Administrators group.
V-254484 Medium Windows Server 2022 User Account Control (UAC) must, at a minimum, prompt administrators for consent on the secure desktop.
V-254364 Medium Windows Server 2022 File Explorer shell protocol must run in protected mode.
V-254248 Medium Windows Server 2022 must use an antivirus program.
V-254249 Medium Windows Server 2022 must have a host-based intrusion detection or prevention system.
V-254288 Medium Windows Server 2022 password history must be configured to 24 passwords remembered.
V-254493 Medium Windows Server 2022 Allow log on locally user right must only be assigned to the Administrators group.
V-254242 Medium Windows Server 2022 manually managed application account passwords must be at least 14 characters in length.
V-254243 Medium Windows Server 2022 manually managed application account passwords must be changed at least annually or when a system administrator with knowledge of the password leaves the organization.
V-254241 Medium Windows Server 2022 members of the Backup Operators group must have separate accounts for backup duties and normal operational tasks.
V-254246 Medium Windows Server 2022 domain-joined systems must have a Trusted Platform Module (TPM) enabled and ready for use.
V-254247 Medium Windows Server 2022 must be maintained at a supported servicing level.
V-254244 Medium Windows Server 2022 shared user accounts must not be permitted.
V-254245 Medium Windows Server 2022 must employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs.
V-254255 Low Windows Server 2022 nonadministrative accounts or groups must only have print permissions on printer shares.
V-254338 Low Windows Server 2022 must be configured to ignore NetBIOS name release requests except from WINS servers.
V-254336 Low Windows Server 2022 source routing must be configured to the highest protection level to prevent Internet Protocol (IP) source routing.
V-254337 Low Windows Server 2022 must be configured to prevent Internet Control Message Protocol (ICMP) redirects from overriding Open Shortest Path First (OSPF)-generated routes.
V-254335 Low Windows Server 2022 Internet Protocol version 6 (IPv6) source routing must be configured to the highest protection level to prevent IP source routing.
V-254351 Low Windows Server 2022 Application Compatibility Program Inventory must be prevented from collecting data and sending the information to Microsoft.
V-254357 Low Windows Server 2022 Windows Update must not obtain updates from other PCs on the internet.
V-254281 Low The Windows Server 2022 time service must synchronize with an appropriate DOD time source.
V-254458 Low Windows Server 2022 title for legal banner dialog box must be configured with the appropriate text.
V-254363 Low Windows Server 2022 Turning off File Explorer heap termination on corruption must be disabled.
V-254481 Low Windows Server 2022 default permissions of global system objects must be strengthened.
V-254400 Low Windows Server 2022 directory service must be configured to terminate LDAP-based network connections to the directory server after five minutes of inactivity.