
Windows 10 Security Technical Implementation Guide


Overview

Date: 2016-06-24
Finding Count: 278 (CAT I (High): 28, CAT II (Med): 229, CAT III (Low): 21)
STIG Description
The Windows 10 Security Technical Implementation Guide (STIG) is published as a tool to improve the security of Department of Defense (DoD) information systems. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil.

Findings (MAC III - Administrative Sensitive)

Finding ID Severity Title
V-63797 High The system must be configured to prevent the storage of the LAN Manager hash of passwords.
V-63651 High Solicited Remote Assistance must not be allowed.
V-63869 High The Debug programs user right must only be assigned to the Administrators group.
V-63325 High The Windows Installer Always install with elevated privileges must be disabled.
V-63353 High Local volumes must be formatted using NTFS.
V-63667 High Autoplay must be turned off for non-volume devices.
V-63759 High Anonymous access to Named Pipes and Shares must be restricted.
V-63673 High Autoplay must be disabled for all drives.
V-63671 High The default autorun behavior must be configured to prevent autorun commands.
V-63379 High The Enhanced Mitigation Experience Toolkit (EMET) v5.5 or later must be installed on the system.
V-63377 High Internet Information System (IIS) or its subcomponents must not be installed on a workstation.
V-63847 High The Act as part of the operating system user right must not be assigned to any groups or accounts.
V-63361 High Only accounts responsible for the administration of a system must have Administrator rights on the system.
V-63859 High The Create a token object user right must not be assigned to any groups or accounts.
V-63351 High An approved, up-to-date, DoD antivirus program must be installed and used.
V-63745 High Anonymous enumeration of SAM accounts must not be allowed.
V-63429 High Reversible password encryption must be disabled.
V-68849 High Structured Exception Handling Overwrite Protection (SEHOP) must be turned on.
V-63739 High Anonymous SID/Name translation must not be allowed.
V-63809 High The Recovery Console option must be set to prevent automatic logon to the system.
V-68845 High Data Execution Prevention (DEP) must be configured to at least OptOut.
V-63801 High The LanMan authentication level must be set to send NTLMv2 response only, and to refuse LM and NTLM.
V-63347 High The Windows Remote Management (WinRM) service must not use Basic authentication.
V-63349 High Systems must be maintained at a supported servicing level.
V-63749 High Anonymous enumeration of shares must be restricted.
V-63331 High The system must not use removable media as the boot loader.
V-63337 High Mobile systems must encrypt all disks to protect the confidentiality and integrity of all information at rest.
V-63335 High The Windows Remote Management (WinRM) client must not use Basic authentication.
V-63395 Medium The HBSS McAfee Agent must be installed.
V-63413 Medium The period of time before the bad logon counter is reset must be configured to 15 minutes.
V-63397 Medium The Enhanced Mitigation Experience Toolkit (EMET) Default Protections for Recommended Software must be enabled.
V-63411 Medium The Enhanced Mitigation Experience Toolkit (EMET) system-wide Structured Exception Handler Overwrite Protection (SEHOP) must be configured to Application Opt Out.
V-63391 Medium The Enhanced Mitigation Experience Toolkit (EMET) Default Protections for Popular Software must be enabled.
V-63417 Medium The Enhanced Mitigation Experience Toolkit (EMET) Default Actions and Mitigations Settings must enable Deep Hooks.
V-63393 Medium Software certificate installation files must be removed from a system.
V-63415 Medium The password history must be configured to 24 passwords remembered.
V-63419 Medium The maximum password age must be configured to 60 days or less.
V-63399 Medium A host-based firewall must be installed and enabled on the system.
V-63711 Medium Unencrypted passwords must not be sent to third-party SMB Servers.
V-63713 Medium The SmartScreen filter for Microsoft Edge must be enabled.
V-63717 Medium The use of a hardware security device with Microsoft Passport for Work must be enabled.
V-63879 Medium The Deny log on through Remote Desktop Services user right on workstations must at a minimum be configured to prevent access from highly privileged domain accounts and local accounts on domain systems and unauthenticated access on all systems.
V-63719 Medium The Windows SMB server must be configured to always perform SMB packet signing.
V-63655 Medium Client computers must be required to authenticate for RPC communication.
V-63657 Medium Unauthenticated RPC clients must be restricted from connecting to the RPC server.
V-63519 Medium The Application event log size must be configured to 32768 KB or greater.
V-63427 Medium The built-in Microsoft password complexity filter must be enabled.
V-63941 Medium The Take ownership of files or other objects user right must only be assigned to the Administrators group.
V-63321 Medium Users must be prevented from changing installation options.
V-63489 Medium The system must be configured to save Error Reporting events and messages to the system event log.
V-68819 Medium PowerShell script block logging must be enabled.
V-63327 Medium System firmware or system controllers must have administrator accounts/passwords configured.
V-63865 Medium The Create symbolic links user right must only be assigned to the Administrators group.
V-63329 Medium Users must be notified if a web-based program attempts to install software.
V-63487 Medium The system must be configured to audit Privilege Use - Sensitive Privilege Use successes.
V-63481 Medium The system must be configured to audit Policy Change - Authentication Policy Change successes.
V-63483 Medium The system must be configured to audit Privilege Use - Sensitive Privilege Use failures.
V-63529 Medium The system must be configured to send error reports on TCP port 1232.
V-63665 Medium The system must be configured to require a strong session key.
V-63383 Medium Simple TCP/IP Services must not be installed on the system.
V-63381 Medium Simple Network Management Protocol (SNMP) must not be installed on the system.
V-63387 Medium The Enhanced Mitigation Experience Toolkit (EMET) Default Protections for Internet Explorer must be enabled.
V-63385 Medium The Telnet Client must not be installed on the system.
V-63389 Medium The TFTP Client must not be installed on the system.
V-63669 Medium The machine inactivity limit must be set to 15 minutes, locking the system with the screensaver.
V-63467 Medium The system must be configured to audit Logon/Logoff - Logon successes.
V-63871 Medium The Deny access to this computer from the network user right on workstations must be configured to prevent access from highly privileged domain accounts and local accounts on domain systems and unauthenticated access on all systems.
V-63873 Medium The Deny log on as a batch job user right on domain-joined workstations must be configured to prevent access from highly privileged domain accounts.
V-63463 Medium The system must be configured to audit Logon/Logoff - Logon failures.
V-63357 Medium Non system-created file shares on a system must limit access to groups that require it.
V-63461 Medium The system must be configured to generate error reports.
V-63877 Medium The Deny log on locally user right on workstations must be configured to prevent access from highly privileged domain accounts on domain systems and unauthenticated access on all systems.
V-63707 Medium The Windows SMB client must be enabled to perform SMB packet signing when possible.
V-63705 Medium InPrivate browsing in Microsoft Edge must be disabled.
V-63703 Medium The Windows SMB client must be configured to always perform SMB packet signing.
V-63469 Medium The system must be configured to audit Logon/Logoff - Special Logon successes.
V-63701 Medium Users must not be allowed to ignore SmartScreen filter warnings for unverified files in Microsoft Edge.
V-63423 Medium Passwords must, at a minimum, be 14 characters.
V-63863 Medium The Create permanent shared objects user right must not be assigned to any groups or accounts.
V-63861 Medium The Create global objects user right must only be assigned to Administrators, Service, Local Service, and Network Service.
V-63551 Medium Automatic logons must be disabled.
V-63499 Medium The system must be configured to audit System - Other System Events successes.
V-63319 Medium Domain-joined systems must use Windows 10 Enterprise Edition.
V-63555 Medium IPv6 source routing must be configured to highest protection.
V-63835 Medium A screen saver must be enabled on the system.
V-63493 Medium The system must be configured to allow a local or DOD-wide collector to request additional error reporting diagnostic data to be sent.
V-63559 Medium The system must be configured to prevent IP source routing.
V-63491 Medium The system must be configured to audit System - IPSec Driver failures.
V-63497 Medium The system must be configured to collect multiple error reports of the same event type.
V-63495 Medium The system must be configured to audit System - IPSec Driver successes.
V-63677 Medium Enhanced anti-spoofing when available must be enabled for facial recognition.
V-63675 Medium The required legal notice must be configured to display before console logon.
V-63375 Medium The Windows Remote Management (WinRM) service must not store RunAs credentials.
V-63459 Medium The system must be configured to audit Logon/Logoff - Logoff successes.
V-63373 Medium Permissions for system files and directories must conform to minimum requirements.
V-63371 Medium Accounts must be configured to require password expiration.
V-63475 Medium The system must be configured to audit Policy Change - Audit Policy Change failures.
V-63849 Medium The Adjust memory quotas for a process user right must only be assigned to Administrators, Local Service, and Network Service.
V-63471 Medium The system must be configured to audit Object Access - Removable Storage failures.
V-63473 Medium The system must be configured to audit Object Access - Removable Storage successes.
V-63845 Medium The Access this computer from the network user right must only be assigned to the Administrators group.
V-63841 Medium Zone information must be preserved when saving attachments.
V-63479 Medium The system must be configured to audit Policy Change - Audit Policy Change successes.
V-63843 Medium The Access Credential Manager as a trusted caller user right must not be assigned to any groups or accounts.
V-63453 Medium The system must be configured to audit Detailed Tracking - Process Creation successes.
V-63541 Medium Permissions for the System event log must prevent access by non-privileged accounts.
V-63543 Medium The maximum number of error reports to archive on a system must be configured to 100 or greater.
V-63545 Medium Camera access from the lock screen must be disabled.
V-63547 Medium The system must be configured to queue error reports until a local or DOD-wide collector is available.
V-63549 Medium The display of slide shows on the lock screen must be disabled.
V-63933 Medium The Perform volume maintenance tasks user right must only be assigned to the Administrators group.
V-63369 Medium The Windows Remote Management (WinRM) service must not allow unencrypted traffic.
V-63689 Medium Explorer Data Execution Prevention must be enabled.
V-63365 Medium Users must not be allowed to run virtual machines in Hyper-V on the system.
V-63685 Medium The Windows SmartScreen must be configured to require approval from an administrator before running downloaded unknown software.
V-63683 Medium Windows Telemetry must be configured to the lowest level of data sent to Microsoft.
V-63363 Medium Only accounts responsible for the backup operations must be members of the Backup Operators group.
V-63441 Medium The system must be configured to audit Account Management - Other Account Management Events successes.
V-63443 Medium The system must be configured to audit Account Management - Security Group Management failures.
V-63445 Medium The system must be configured to audit Account Management - Security Group Management successes.
V-63447 Medium The system must be configured to audit Account Management - User Account Management failures.
V-63449 Medium The system must be configured to audit Account Management - User Account Management successes.
V-63853 Medium The Back up files and directories user right must only be assigned to the Administrators group.
V-63761 Medium The system must be configured to use the Classic security model.
V-63763 Medium Services using Local System that use Negotiate when reverting to NTLM authentication must use the computer identity vs. authenticating anonymously.
V-63765 Medium NTLM must be prevented from falling back to a Null session.
V-63609 Medium Group Policy objects must be reprocessed even if they have not changed.
V-63767 Medium PKU2U authentication using online identities must be prevented.
V-63607 Medium Early Launch Antimalware, Boot-Start Driver Initialization Policy must prevent boot drivers identified as bad.
V-63355 Medium Alternate operating systems must not be permitted on the same system.
V-68821 Medium PowerShell script block invocation logging must be enabled.
V-63875 Medium The Deny log on as a service user right on domain-joined workstations must be configured to prevent access from highly privileged domain accounts.
V-63557 Medium The system must be configured to add all error reports to the queue.
V-63579 Medium The DoD Root Certificate must be installed into the Trusted Root Store.
V-63575 Medium The system must be configured to permit the default consent levels of Windows Error Reporting to override any other consent policy setting.
V-63577 Medium Hardened UNC Paths must be defined to require mutual authentication and integrity for at least the \\*\SYSVOL and \\*\NETLOGON shares.
V-63571 Medium The system must be configured to automatically consent to send all data requested by a local or DOD-wide error collection site.
V-63573 Medium All Direct Access traffic must be routed through the internal network.
V-63721 Medium The minimum pin length for Microsoft Passport for Work must be 6 characters or greater.
V-63751 Medium Indexing of encrypted files must be turned off.
V-63601 Medium The built-in administrator account must be disabled.
V-63753 Medium The system must be configured to prevent the storage of passwords and credentials.
V-63695 Medium File Explorer shell protocol must run in protected mode.
V-63515 Medium The system must be configured to audit System - System Integrity failures.
V-63697 Medium The Smart Card removal option must be configured to Force Logoff or Lock Workstation.
V-63513 Medium The system must be configured to audit System - Security System Extension successes.
V-63511 Medium The system must be configured to audit System - Security System Extension failures.
V-63597 Medium Local administrator accounts must have their privileged token filtered to prevent elevated privileges from being used over the network on domain systems.
V-63615 Medium Downloading print driver packages over HTTP must be prevented.
V-63617 Medium Local accounts with blank passwords must be restricted to prevent access from the network.
V-63593 Medium Default permissions for the HKEY_LOCAL_MACHINE registry hive must be maintained.
V-63611 Medium The built-in guest account must be disabled.
V-63591 Medium Wi-Fi Sense must be disabled.
V-63613 Medium Group Policies must be refreshed in the background if the user is logged on.
V-63457 Medium The system must be configured to audit Logon/Logoff - Group Membership successes.
V-63455 Medium The system must be configured to audit Logon/Logoff - Account Lockout successes.
V-63619 Medium The built-in administrator account must be renamed.
V-63451 Medium The system must be configured to audit Detailed Tracking - PNP Activity successes.
V-63851 Medium The Allow log on locally user right must only be assigned to the Administrators and Users groups.
V-63425 Medium The Enhanced Mitigation Experience Toolkit (EMET) Default Actions and Mitigations Settings must enable Anti Detours.
V-63829 Medium User Account Control must run all administrators in Admin Approval Mode, enabling UAC.
V-63527 Medium The System event log size must be configured to 32768 KB or greater.
V-63827 Medium User Account Control must only elevate UIAccess applications that are installed in secure locations.
V-63825 Medium User Account Control must be configured to detect application installations and prompt for elevation.
V-63795 Medium Kerberos encryption types must be configured to prevent the use of DES and RC4 encryption suites.
V-63857 Medium The Create a pagefile user right must only be assigned to the Administrators group.
V-63723 Medium The Windows SMB server must perform SMB packet signing when possible.
V-63525 Medium The system must be configured to use SSL to forward error reports.
V-63631 Medium Connected users on domain-joined computers must not be enumerated.
V-63561 Medium The maximum number of error reports to queue on a system must be configured to 50 or greater.
V-63855 Medium The Change the system time user right must only be assigned to Administrators and Local Service.
V-63523 Medium The Security event log size must be configured to 196608 KB or greater.
V-63743 Medium Attachments must be prevented from being downloaded from RSS feeds.
V-63679 Medium Administrator accounts must not be enumerated during elevation.
V-63799 Medium The system must be configured to force users to log off when their allowed logon hours expire.
V-63747 Medium Basic authentication for RSS feeds over HTTP must not be used.
V-63505 Medium The system must be configured to prevent the display of error messages to the user.
V-63507 Medium The system must be configured to audit System - Security State Change successes.
V-63699 Medium Users must not be allowed to ignore SmartScreen filter warnings for malicious websites in Microsoft Edge.
V-63503 Medium The system must be configured to audit System - Other System Events failures.
V-63621 Medium Web publishing and online ordering wizards must be prevented from downloading a list of providers.
V-63585 Medium Connections to non-domain networks when connected to a domain authenticated network must be blocked.
V-63587 Medium The DoD Interoperability Root CA 1 to DoD Root CA 2 cross certificate must be installed into the Untrusted Certificates Store.
V-63625 Medium The built-in guest account must be renamed.
V-63581 Medium Simultaneous connections to the Internet or a Windows domain must be limited.
V-63627 Medium Systems must at least attempt device authentication using certificates.
V-63583 Medium The External CA Root Certificate must be installed into the Trusted Root Store.
V-63629 Medium The network selection user interface (UI) must not be displayed on the logon screen.
V-63421 Medium The minimum password age must be configured to at least 1 day.
V-63931 Medium The Modify firmware environment values user right must only be assigned to the Administrators group.
V-63589 Medium The US DoD CCEB Interoperability Root CA 1 to DoD Root CA 2 cross-certificate must be installed into the Untrusted Certificates Store.
V-63935 Medium The Profile single process user right must only be assigned to the Administrators group.
V-63741 Medium Remote Desktop Services must be configured with the client connection encryption set to the required level.
V-63837 Medium The screen saver must be password protected.
V-63831 Medium User Account Control must virtualize file and registry write failures to per-user locations.
V-63937 Medium The Replace a process level token user right must only be assigned to Local Service and Network Service.
V-63709 Medium The password manager function in the Edge browser must be disabled.
V-63565 Medium The system must be configured to attempt to forward queued error reports once a day.
V-63755 Medium The system must be configured to prevent anonymous users from having the same rights as the Everyone group.
V-63539 Medium The system must be configured to store all data in the error report archive.
V-63821 Medium User Account Control must automatically deny elevation requests for standard users.
V-63569 Medium Insecure logons to an SMB server must be disabled.
V-63533 Medium Permissions for the Application event log must prevent access by non-privileged accounts.
V-63535 Medium The system must be configured to archive error reports.
V-63537 Medium Permissions for the Security event log must prevent access by non-privileged accounts.
V-63737 Medium The Remote Desktop Session Host must require secure RPC communications.
V-63439 Medium The system must be configured to audit Account Management - Other Account Management Events failures.
V-63735 Medium The service principal name (SPN) target name validation level must be configured to Accept if provided by client.
V-63929 Medium The Modify an object label user right must not be assigned to any groups or accounts.
V-63733 Medium Remote Desktop Services must always prompt a client for passwords upon connection.
V-63731 Medium Local drives must be prevented from sharing with Remote Desktop Session Hosts.
V-63639 Medium Outgoing secure channel traffic must be encrypted or signed.
V-63637 Medium Signing in using a PIN must be turned off.
V-63633 Medium Local users on domain-joined computers must not be enumerated.
V-63433 Medium The Enhanced Mitigation Experience Toolkit (EMET) Default Actions and Mitigations Settings must enable Banned Functions.
V-63927 Medium The Manage auditing and security log user right must only be assigned to the Administrators group.
V-63925 Medium The Lock pages in memory user right must not be assigned to any groups or accounts.
V-63725 Medium The use of OneDrive for storage must be disabled.
V-63635 Medium Audit policy using subcategories must be enabled.
V-63803 Medium The system must be configured to the required LDAP client signing level.
V-63805 Medium The system must be configured to meet the minimum session security requirement for NTLM SSP based clients.
V-63807 Medium The system must be configured to meet the minimum session security requirement for NTLM SSP based servers.
V-63435 Medium The system must be configured to audit Account Logon - Credential Validation successes.
V-63881 Medium The Enable computer and user accounts to be trusted for delegation user right must not be assigned to any groups or accounts.
V-63883 Medium The Force shutdown from a remote system user right must only be assigned to the Administrators group.
V-63345 Medium The operating system must employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs.
V-63343 Medium The operating system must employ automated mechanisms to determine the state of system components with regard to flaw remediation using the following frequency: continuously, where HBSS is used; 30 days, for any additional internal network scans not covered by HBSS; and annually, for external scans by Computer Network Defense Service Provider (CNDSP).
V-63887 Medium The Generate security audits user right must only be assigned to Local Service and Network Service.
V-63341 Medium The Windows Remote Management (WinRM) client must not use Digest authentication.
V-63889 Medium The Impersonate a client after authentication user right must only be assigned to Administrators, Service, Local Service, and Network Service.
V-63521 Medium The system must be configured to store error reports locally, on the system or in the enclave, and not send them to Microsoft.
V-63437 Medium The Windows Error Reporting Service must be running and configured to start automatically.
V-63405 Medium The lockout duration must be configured to require an administrator to unlock an account.
V-63407 Medium The Enhanced Mitigation Experience Toolkit (EMET) system-wide Data Execution Prevention (DEP) must be enabled and configured to at least Application Opt Out.
V-63401 Medium The Enhanced Mitigation Experience Toolkit (EMET) system-wide Address Space Layout Randomization (ASLR) must be enabled and configured to Application Opt In.
V-63403 Medium Inbound exceptions to the firewall on domain workstations must only allow authorized remote management hosts.
V-63409 Medium The number of allowed bad logon attempts must be configured to 3 or less.
V-68817 Medium Command line data must be included in process creation events.
V-63817 Medium User Account Control approval mode for the built-in Administrator must be enabled.
V-63649 Medium The user must be prompted for a password on resume from sleep (plugged in).
V-63813 Medium The system must be configured to require case insensitivity for non-Windows subsystems.
V-63811 Medium The system must be configured to use FIPS-compliant algorithms for encryption, hashing, and signing.
V-63643 Medium Outgoing secure channel traffic must be encrypted when possible.
V-63641 Medium The system must be configured to block untrusted fonts from loading.
V-63647 Medium Outgoing secure channel traffic must be signed when possible.
V-63729 Medium Passwords must not be saved in the Remote Desktop Client.
V-63645 Medium Users must be prompted for a password on resume from sleep (on battery).
V-63819 Medium User Account Control must, at minimum, prompt administrators for consent on the secure desktop.
V-63431 Medium The system must be configured to audit Account Logon - Credential Validation failures.
V-63957 Medium The machine account lockout threshold must be set to 10 on systems with BitLocker enabled.
V-63623 Medium Printing over HTTP must be prevented.
V-63333 Medium Automatically signing in the last interactive user after a system-initiated restart must be disabled.
V-63917 Medium The Load and unload device drivers user right must only be assigned to the Administrators group.
V-63939 Medium The Restore files and directories user right must only be assigned to the Administrators group.
V-63339 Medium The Windows Remote Management (WinRM) client must not allow unencrypted traffic.
V-63517 Medium The system must be configured to audit System - System Integrity successes.
V-63891 Medium The Increase scheduling priority user right must only be assigned to the Administrators group.
V-63659 Low The setting to allow Microsoft accounts to be optional for modern style apps must be enabled.
V-63715 Low The amount of idle time required before suspending a session must be configured to 15 minutes or less.
V-63653 Low The computer account password must not be prevented from being reset.
V-63323 Low Domain-joined systems must have a Trusted Platform Module (TPM) enabled and ready for use.
V-63661 Low The maximum age for machine account passwords must be configured to 30 days or less.
V-63663 Low The Application Compatibility Program Inventory must be prevented from collecting data and sending the information to Microsoft.
V-63687 Low Caching of logon credentials must be limited.
V-63367 Low Standard local user accounts must not exist on a system in a domain.
V-63681 Low The Windows dialog box title for the legal banner must be configured.
V-63727 Low Users must be forcibly disconnected when their logon hours expire.
V-63603 Low Virtualization-based protection of code integrity must be enabled on domain-joined systems.
V-63359 Low Unused accounts must be disabled or removed from the system after 35 days of inactivity.
V-63691 Low Turning off File Explorer heap termination on corruption must be disabled.
V-63693 Low Domain Controller authentication must not be required to unlock the workstation.
V-63595 Low Virtualization Based Security must be enabled with the platform security level configured to Secure Boot or Secure Boot with DMA Protection.
V-63599 Low Credential Guard must be running on domain-joined systems.
V-63563 Low The system must be configured to prevent Internet Control Message Protocol (ICMP) redirects from overriding Open Shortest Path First (OSPF) generated routes.
V-63567 Low The system must be configured to ignore NetBIOS name release requests except from WINS servers.
V-63839 Low Toast notifications to the lock screen must be turned off.
V-65681 Low Windows Update must not obtain updates from other PCs on the Internet.
V-63815 Low The default permissions of global system objects must be increased.