
Windows 10 Security Technical Implementation Guide


Overview

Date: 2016-01-07
Finding count: 202 (CAT I (High): 21, CAT II (Med): 168, CAT III (Low): 13)
STIG Description
The Windows 10 Security Technical Implementation Guide (STIG) is published as a tool to improve the security of Department of Defense (DoD) information systems. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil.


Findings (MAC II - Mission Support Sensitive)

Finding ID Severity Title
V-63797 High The system must be configured to prevent the storage of the LAN Manager hash of passwords.
V-63651 High Solicited Remote Assistance must not be allowed.
V-63869 High The Debug programs user right must only be assigned to the Administrators group.
V-63667 High Autoplay must be turned off for non-volume devices.
V-63673 High Autoplay must be disabled for all drives.
V-63671 High The default autorun behavior must be configured to prevent autorun commands.
V-63379 High The Enhanced Mitigation Experience Toolkit (EMET) v5.5 or later must be installed on the system.
V-63377 High Internet Information System (IIS) or its subcomponents must not be installed on a workstation.
V-63847 High The Act as part of the operating system user right must not be assigned to any groups or accounts.
V-63859 High The Create a token object user right must not be assigned to any groups or accounts.
V-63353 High Local volumes must be formatted using NTFS.
V-63759 High Anonymous access to Named Pipes and Shares must be restricted.
V-63325 High The Windows Installer Always install with elevated privileges must be disabled.
V-63745 High Anonymous enumeration of SAM accounts must not be allowed.
V-63749 High Anonymous enumeration of shares must be restricted.
V-63429 High Reversible password encryption must be disabled.
V-63809 High The Recovery Console option must be set to prevent automatic logon to the system.
V-63801 High The LanMan authentication level must be set to send NTLMv2 response only, and to refuse LM and NTLM.
V-63347 High The Windows Remote Management (WinRM) service must not use Basic authentication.
V-63349 High Systems must be maintained at a supported servicing level.
V-63335 High The Windows Remote Management (WinRM) client must not use Basic authentication.
V-63395 Medium The HBSS McAfee Agent must be installed.
V-63413 Medium The period of time before the bad logon counter is reset must be configured to 15 minutes.
V-63397 Medium The Enhanced Mitigation Experience Toolkit (EMET) Default Protections for Recommended Software must be enabled.
V-63411 Medium The Enhanced Mitigation Experience Toolkit (EMET) system-wide Structured Exception Handler Overwrite Protection (SEHOP) must be configured to Application Opt Out.
V-63391 Medium The Enhanced Mitigation Experience Toolkit (EMET) Default Protections for Popular Software must be enabled.
V-63417 Medium The Enhanced Mitigation Experience Toolkit (EMET) Default Actions and Mitigations Settings must enable Deep Hooks.
V-63415 Medium The password history must be configured to 24 passwords remembered.
V-63419 Medium The maximum password age must be configured to 60 days or less.
V-63795 Medium Kerberos encryption types must be configured to prevent the use of DES and RC4 encryption suites.
V-63711 Medium Unencrypted passwords must not be sent to third-party SMB Servers.
V-63713 Medium The SmartScreen filter for Microsoft Edge must be enabled.
V-63717 Medium The use of a hardware security device with Microsoft Passport for Work must be enabled.
V-63719 Medium The Windows SMB server must be configured to always perform SMB packet signing.
V-63655 Medium Client computers must be required to authenticate for RPC communication.
V-63657 Medium Unauthenticated RPC clients must be restricted from connecting to the RPC server.
V-63519 Medium The Application event log size must be configured to 32768 KB or greater.
V-63427 Medium The built-in Microsoft password complexity filter must be enabled.
V-63941 Medium The Take ownership of files or other objects user right must only be assigned to the Administrators group.
V-63527 Medium The System event log size must be configured to 32768 KB or greater.
V-63525 Medium The system must be configured to use SSL to forward error reports.
V-63489 Medium The system must be configured to save Error Reporting events and messages to the system event log.
V-63523 Medium The Security event log size must be configured to 196608 KB or greater.
V-63329 Medium Users must be notified if a web-based program attempts to install software.
V-63529 Medium The system must be configured to send error reports on TCP port 1232.
V-63665 Medium The system must be configured to require a strong session key.
V-63383 Medium Simple TCP/IP Services must not be installed on the system.
V-63381 Medium Simple Network Management Protocol (SNMP) must not be installed on the system.
V-63387 Medium The Enhanced Mitigation Experience Toolkit (EMET) Default Protections for Internet Explorer must be enabled.
V-63385 Medium The Telnet Client must not be installed on the system.
V-63389 Medium The TFTP Client must not be installed on the system.
V-63669 Medium The machine inactivity limit must be set to 15 minutes, locking the system with the screensaver.
V-63461 Medium The system must be configured to generate error reports.
V-63709 Medium The password manager function in the Edge browser must be disabled.
V-63707 Medium The Windows SMB client must be enabled to perform SMB packet signing when possible.
V-63705 Medium InPrivate browsing in Microsoft Edge must be disabled.
V-63703 Medium The Windows SMB client must be configured to always perform SMB packet signing.
V-63701 Medium Users must not be allowed to ignore SmartScreen filter warnings for unverified files in Microsoft Edge.
V-63423 Medium Passwords must, at a minimum, be 14 characters.
V-63863 Medium The Create permanent shared objects user right must not be assigned to any groups or accounts.
V-63861 Medium The Create global objects user right must only be assigned to Administrators, Service, Local Service, and Network Service.
V-63935 Medium The Profile single process user right must only be assigned to the Administrators group.
V-63551 Medium Automatic logons must be disabled.
V-63319 Medium Domain-joined systems must use Windows 10 Enterprise Edition.
V-63555 Medium IPv6 source routing must be configured to highest protection.
V-63493 Medium The system must be configured to allow a local or DOD-wide collector to request additional error reporting diagnostic data to be sent.
V-63559 Medium The system must be configured to prevent IP source routing.
V-63497 Medium The system must be configured to collect multiple error reports of the same event type.
V-63677 Medium Enhanced anti-spoofing when available must be enabled for facial recognition.
V-63675 Medium The required legal notice must be configured to display before console logon.
V-63375 Medium The Windows Remote Management (WinRM) service must not store RunAs credentials.
V-63679 Medium Administrator accounts must not be enumerated during elevation.
V-63371 Medium Accounts must be configured to require password expiration.
V-63849 Medium The Adjust memory quotas for a process user right must only be assigned to Administrators, Local Service, and Network Service.
V-63845 Medium The Access this computer from the network user right must only be assigned to the Administrators group.
V-63843 Medium The Access Credential Manager as a trusted caller user right must not be assigned to any groups or accounts.
V-63541 Medium Permissions for the System event log must prevent access by non-privileged accounts.
V-63543 Medium The maximum number of error reports to archive on a system must be configured to 100 or greater.
V-63547 Medium The system must be configured to queue error reports until a local or DOD-wide collector is available.
V-63549 Medium The display of slide shows on the lock screen must be disabled.
V-63369 Medium The Windows Remote Management (WinRM) service must not allow unencrypted traffic.
V-63689 Medium Explorer Data Execution Prevention must be enabled.
V-63365 Medium Users must not be allowed to run virtual machines in Hyper-V on the system.
V-63685 Medium The Windows SmartScreen must be configured to require approval from an administrator before running downloaded unknown software.
V-63683 Medium Windows Telemetry must be configured to the lowest level of data sent to Microsoft.
V-63607 Medium Early Launch Antimalware, Boot-Start Driver Initialization Policy must prevent boot drivers identified as bad.
V-63917 Medium The Load and unload device drivers user right must only be assigned to the Administrators group.
V-63853 Medium The Back up files and directories user right must only be assigned to the Administrators group.
V-63763 Medium Services using Local System that use Negotiate when reverting to NTLM authentication must use the computer identity vs. authenticating anonymously.
V-63765 Medium NTLM must be prevented from falling back to a Null session.
V-63609 Medium Group Policy objects must be reprocessed even if they have not changed.
V-63767 Medium PKU2U authentication using online identities must be prevented.
V-63725 Medium The use of OneDrive for storage must be disabled.
V-63557 Medium The system must be configured to add all error reports to the queue.
V-63579 Medium The DoD Root Certificate must be installed into the Trusted Root Store.
V-63575 Medium The system must be configured to permit the default consent levels of Windows Error Reporting to override any other consent policy setting.
V-63577 Medium Hardened UNC Paths must be defined to require mutual authentication and integrity for at least the \\*\SYSVOL and \\*\NETLOGON shares.
V-63571 Medium The system must be configured to automatically consent to send all data requested by a local or DOD-wide error collection site.
V-63573 Medium All Direct Access traffic must be routed through the internal network.
V-63721 Medium The minimum pin length for Microsoft Passport for Work must be 6 characters or greater.
V-63755 Medium The system must be configured to prevent anonymous users from having the same rights as the Everyone group.
V-63751 Medium Indexing of encrypted files must be turned off.
V-63699 Medium Users must not be allowed to ignore SmartScreen filter warnings for malicious websites in Microsoft Edge.
V-63753 Medium The system must be configured to prevent the storage of passwords and credentials.
V-63695 Medium File Explorer shell protocol must run in protected mode.
V-63697 Medium The Smart Card removal option must be configured to Force Logoff or Lock Workstation.
V-63597 Medium Local administrator accounts must have their privileged token filtered to prevent elevated privileges from being used over the network on domain systems.
V-63615 Medium Downloading print driver packages over HTTP must be prevented.
V-63617 Medium Local accounts with blank passwords must be restricted to prevent access from the network.
V-63425 Medium The Enhanced Mitigation Experience Toolkit (EMET) Default Actions and Mitigations Settings must enable Anti Detours.
V-63591 Medium Wi-Fi Sense must be disabled.
V-63761 Medium The system must be configured to use the Classic security model.
V-63613 Medium Group Policies must be refreshed in the background if the user is logged on.
V-63851 Medium The Allow log on locally user right must only be assigned to the Administrators and Users groups.
V-63829 Medium User Account Control must run all administrators in Admin Approval Mode, enabling UAC.
V-63321 Medium Users must be prevented from changing installation options.
V-63827 Medium User Account Control must only elevate UIAccess applications that are installed in secure locations.
V-63825 Medium User Account Control must be configured to detect application installations and prompt for elevation.
V-63821 Medium User Account Control must automatically deny elevation requests for standard users.
V-63857 Medium The Create a pagefile user right must only be assigned to the Administrators group.
V-63723 Medium The Windows SMB server must perform SMB packet signing when possible.
V-63569 Medium Insecure logons to an SMB server must be disabled.
V-63631 Medium Connected users on domain-joined computers must not be enumerated.
V-63561 Medium The maximum number of error reports to queue on a system must be configured to 50 or greater.
V-63855 Medium The Change the system time user right must only be assigned to Administrators and Local Service.
V-63743 Medium Attachments must be prevented from being downloaded from RSS feeds.
V-63741 Medium Remote Desktop Services must be configured with the client connection encryption set to the required level.
V-63747 Medium Basic authentication for RSS feeds over HTTP must not be used.
V-63505 Medium The system must be configured to prevent the display of error messages to the user.
V-63621 Medium Web publishing and online ordering wizards must be prevented from downloading a list of providers.
V-63585 Medium Connections to non-domain networks when connected to a domain authenticated network must be blocked.
V-63587 Medium The DoD Interoperability Root CA 1 to DoD Root CA 2 cross certificate must be installed into the Untrusted Certificates Store.
V-63939 Medium The Restore files and directories user right must only be assigned to the Administrators group.
V-63581 Medium Simultaneous connections to the Internet or a Windows domain must be limited.
V-63627 Medium Systems must at least attempt device authentication using certificates.
V-63583 Medium The External CA Root Certificate must be installed into the Trusted Root Store.
V-63629 Medium The network selection user interface (UI) must not be displayed on the logon screen.
V-63421 Medium The minimum password age must be configured to at least 1 day.
V-63931 Medium The Modify firmware environment values user right must only be assigned to the Administrators group.
V-63589 Medium The US DoD CCEB Interoperability Root CA 1 to DoD Root CA 2 cross-certificate must be installed into the Untrusted Certificates Store.
V-63933 Medium The Perform volume maintenance tasks user right must only be assigned to the Administrators group.
V-63831 Medium User Account Control must virtualize file and registry write failures to per-user locations.
V-63937 Medium The Replace a process level token user right must only be assigned to Local Service and Network Service.
V-63865 Medium The Create symbolic links user right must only be assigned to the Administrators group.
V-63565 Medium The system must be configured to attempt to forward queued error reports once a day.
V-63539 Medium The system must be configured to store all data in the error report archive.
V-63533 Medium Permissions for the Application event log must prevent access by non-privileged accounts.
V-63535 Medium The system must be configured to archive error reports.
V-63537 Medium Permissions for the Security event log must prevent access by non-privileged accounts.
V-63737 Medium The Remote Desktop Session Host must require secure RPC communications.
V-63735 Medium The service principal name (SPN) target name validation level must be configured to Accept if provided by client.
V-63929 Medium The Modify an object label user right must not be assigned to any groups or accounts.
V-63733 Medium Remote Desktop Services must always prompt a client for passwords upon connection.
V-63731 Medium Local drives must be prevented from sharing with Remote Desktop Session Hosts.
V-63639 Medium Outgoing secure channel traffic must be encrypted or signed.
V-63637 Medium Signing in using a PIN must be turned off.
V-63433 Medium The Enhanced Mitigation Experience Toolkit (EMET) Default Actions and Mitigations Settings must enable Banned Functions.
V-63633 Medium Local users on domain-joined computers must not be enumerated.
V-63925 Medium The Lock pages in memory user right must not be assigned to any groups or accounts.
V-63635 Medium Audit policy using subcategories must be enabled.
V-63803 Medium The system must be configured to the required LDAP client signing level.
V-63805 Medium The system must be configured to meet the minimum session security requirement for NTLM SSP based clients.
V-63807 Medium The system must be configured to meet the minimum session security requirement for NTLM SSP based servers.
V-63927 Medium The Manage auditing and security log user right must only be assigned to the Administrators group.
V-63881 Medium The Enable computer and user accounts to be trusted for delegation user right must not be assigned to any groups or accounts.
V-63883 Medium The Force shutdown from a remote system user right must only be assigned to the Administrators group.
V-63887 Medium The Generate security audits user right must only be assigned to Local Service and Network Service.
V-63341 Medium The Windows Remote Management (WinRM) client must not use Digest authentication.
V-63889 Medium The Impersonate a client after authentication user right must only be assigned to Administrators, Service, Local Service, and Network Service.
V-63437 Medium The Windows Error Reporting Service must be running and configured to start automatically.
V-63405 Medium The lockout duration must be configured to require an administrator to unlock an account.
V-63407 Medium The Enhanced Mitigation Experience Toolkit (EMET) system-wide Data Execution Prevention (DEP) must be enabled and configured to at least Application Opt Out.
V-63401 Medium The Enhanced Mitigation Experience Toolkit (EMET) system-wide Address Space Layout Randomization (ASLR) must be enabled and configured to Application Opt In.
V-63799 Medium The system must be configured to force users to log off when their allowed logon hours expire.
V-63409 Medium The number of allowed bad logon attempts must be configured to 3 or less.
V-63817 Medium User Account Control approval mode for the built-in Administrator must be enabled.
V-63649 Medium The user must be prompted for a password on resume from sleep (plugged in).
V-63813 Medium The system must be configured to require case insensitivity for non-Windows subsystems.
V-63811 Medium The system must be configured to use FIPS-compliant algorithms for encryption, hashing, and signing.
V-63643 Medium Outgoing secure channel traffic must be encrypted when possible.
V-63641 Medium The system must be configured to block untrusted fonts from loading.
V-63647 Medium Outgoing secure channel traffic must be signed when possible.
V-63729 Medium Passwords must not be saved in the Remote Desktop Client.
V-63645 Medium Users must be prompted for a password on resume from sleep (on battery).
V-63819 Medium User Account Control must, at minimum, prompt administrators for consent on the secure desktop.
V-63623 Medium Printing over HTTP must be prevented.
V-63333 Medium Automatically signing in the last interactive user after a system-initiated restart must be disabled.
V-63339 Medium The Windows Remote Management (WinRM) client must not allow unencrypted traffic.
V-63891 Medium The Increase scheduling priority user right must only be assigned to the Administrators group.
V-63659 Low The setting to allow Microsoft accounts to be optional for modern style apps must be enabled.
V-63715 Low The amount of idle time required before suspending a session must be configured to 15 minutes or less.
V-63653 Low The computer account password must not be prevented from being reset.
V-63661 Low The maximum age for machine account passwords must be configured to 30 days or less.
V-63663 Low The Application Compatibility Program Inventory must be prevented from collecting data and sending the information to Microsoft.
V-63687 Low Caching of logon credentials must be limited.
V-63681 Low The Windows dialog box title for the legal banner must be configured.
V-63727 Low Users must be forcibly disconnected when their logon hours expire.
V-63691 Low Turning off File Explorer heap termination on corruption must be disabled.
V-63693 Low Domain Controller authentication must not be required to unlock the workstation.
V-63563 Low The system must be configured to prevent Internet Control Message Protocol (ICMP) redirects from overriding Open Shortest Path First (OSPF) generated routes.
V-63567 Low The system must be configured to ignore NetBIOS name release requests except from WINS servers.
V-63815 Low The default permissions of global system objects must be increased.
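As an added check, not part of the STIG or of stigviewer.com: the PowerShell below audits twelve of the registry-backed CAT I findings listed above (V-63797, V-63801, V-63745, V-63749, V-63759, V-63325, V-63347, V-63335, V-63651, V-63671, V-63673, V-63667) and three of the user-right findings (V-63869, V-63847, V-63859) on a local Windows 10 system and reports each as an open or closed finding. The registry paths, value names, expected values, privilege constants and SIDs are supplied from my knowledge of the STIG check procedures, not from this listing page, and should be treated as assumptions to confirm against the STIG's own check text. It only reads; it changes nothing. Run it from an elevated session, since secedit /export requires one.

```powershell
# Added example, not part of the STIG or of stigviewer.com: read-only audit of
# twelve registry-backed CAT I findings plus three user-right findings.
# Registry locations, expected values, privilege constants and SIDs below are
# assumptions taken from the STIG check procedures as known to the author of
# this example; confirm each against the STIG check text before relying on it.
# Requires an elevated PowerShell session (secedit /export needs it).

$RegistryChecks = @(
    @{ Id='V-63797'; Path='HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                        Name='NoLMHash';               Expected=1   },
    @{ Id='V-63801'; Path='HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                        Name='LmCompatibilityLevel';   Expected=5   },
    @{ Id='V-63745'; Path='HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                        Name='RestrictAnonymousSAM';   Expected=1   },
    @{ Id='V-63749'; Path='HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                        Name='RestrictAnonymous';      Expected=1   },
    @{ Id='V-63759'; Path='HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters';   Name='RestrictNullSessAccess'; Expected=1   },
    @{ Id='V-63325'; Path='HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer';               Name='AlwaysInstallElevated';  Expected=0   },
    @{ Id='V-63347'; Path='HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service';           Name='AllowBasic';             Expected=0   },
    @{ Id='V-63335'; Path='HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client';            Name='AllowBasic';             Expected=0   },
    @{ Id='V-63651'; Path='HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services';    Name='fAllowToGetHelp';        Expected=0   },
    @{ Id='V-63671'; Path='HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name='NoAutorun';              Expected=1   },
    @{ Id='V-63673'; Path='HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name='NoDriveTypeAutoRun';     Expected=255 },
    @{ Id='V-63667'; Path='HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer';                Name='NoAutoplayfornonVolume'; Expected=1   }
)

# Privilege constant -> SIDs allowed to hold it. An empty list means "nobody".
$UserRightChecks = @(
    @{ Id='V-63869'; Privilege='SeDebugPrivilege';       Allowed=@('S-1-5-32-544') },  # BUILTIN\Administrators only
    @{ Id='V-63847'; Privilege='SeTcbPrivilege';         Allowed=@() },                # Act as part of the operating system
    @{ Id='V-63859'; Privilege='SeCreateTokenPrivilege'; Allowed=@() }                 # Create a token object
)

function Test-RegistryFinding {
    param([hashtable]$Check)
    # STIG check text treats a missing value like a wrong one ("does not exist or
    # is not configured as specified"), so absence is reported as a finding.
    $item   = Get-ItemProperty -Path $Check.Path -Name $Check.Name -ErrorAction SilentlyContinue
    $actual = if ($null -ne $item) { $item.($Check.Name) } else { $null }
    $shown  = if ($null -eq $actual) { '<absent>' } else { $actual }
    $open   = ($null -eq $actual) -or ("$actual" -ne "$($Check.Expected)")
    [pscustomobject]@{ Id=$Check.Id; Setting="$($Check.Path)\$($Check.Name)"; Expected=$Check.Expected; Actual=$shown; Finding=$open }
}

function Get-UserRightsAssignment {
    # secedit writes an INI-style file whose [Privilege Rights] section lists each
    # privilege with a comma-separated list of *-prefixed SIDs.
    $inf = Join-Path $env:TEMP ("ura-{0}.inf" -f [guid]::NewGuid())
    & secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
    $rights = @{}
    foreach ($line in Get-Content -Path $inf) {
        if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
            $rights[$Matches[1]] = @($Matches[2] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ })
        }
    }
    Remove-Item -Path $inf -Force -ErrorAction SilentlyContinue
    return $rights
}

function Test-UserRightFinding {
    param([hashtable]$Check, [hashtable]$Rights)
    # A privilege absent from the export is assigned to nobody.
    $assigned = if ($Rights.ContainsKey($Check.Privilege)) { $Rights[$Check.Privilege] } else { @() }
    $extra    = @($assigned | Where-Object { $Check.Allowed -notcontains $_ })
    $names    = foreach ($sid in $assigned) {
        try   { (New-Object System.Security.Principal.SecurityIdentifier($sid)).Translate([System.Security.Principal.NTAccount]).Value }
        catch { $sid }   # an unresolvable SID (deleted account) still holds the right
    }
    $expected = if ($Check.Allowed) { $Check.Allowed -join ',' } else { '<no one>' }
    $shown    = if ($names) { $names -join ',' } else { '<no one>' }
    [pscustomobject]@{ Id=$Check.Id; Setting=$Check.Privilege; Expected=$expected; Actual=$shown; Finding=($extra.Count -gt 0) }
}

$results  = @($RegistryChecks | ForEach-Object { Test-RegistryFinding -Check $_ })
$rights   = Get-UserRightsAssignment
$results += @($UserRightChecks | ForEach-Object { Test-UserRightFinding -Check $_ -Rights $rights })
$results | Format-Table -AutoSize
"{0} of {1} checks are open findings" -f @($results | Where-Object Finding).Count, $results.Count
```

On a domain-joined system most of these values are driven by Group Policy, so a registry value that looks wrong locally may be corrected at the next policy refresh; re-run after gpupdate before recording a finding. The script covers only settings that live in the registry or in the local user-rights assignment; CAT I items such as the EMET, IIS, NTFS and servicing-level findings need their own checks (installed features, volume format, build number) and are not covered here.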