
Windows 2003 Domain Controller Security Technical Implementation Guide


Overview

Date: 2015-06-03
Finding Count (224): CAT I (High): 46, CAT II (Med): 139, CAT III (Low): 39
STIG Description
The Windows 2003 Security Technical Implementation Guide (STIG) is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements were developed from Federal and DoD consensus, as well as the Windows 2003 Security Guide and security templates published by Microsoft Corporation. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil.


Findings (MAC III - Administrative Public)

Finding ID Severity Title
V-1074 High An approved, up-to-date, DOD antivirus program must be installed and used.
V-1073 High Systems must be at supported service packs (SP) or releases levels.
V-26683 High PKI certificates associated with user accounts must be issued by the DoD PKI or an approved External Certificate Authority (ECA).
V-34974 High The Windows Installer Always install with elevated privileges must be disabled.
V-39137 High The Enhanced Mitigation Experience Toolkit (EMET) V4.1 Update 1 or later must be installed on the system.
V-39333 High Domain created Active Directory Organizational Unit (OU) objects must have proper access control permissions.
V-26070 High Standard user accounts will only have Read permissions to the Winlogon registry key.
V-27119 High Access control permissions on the GPT directory files must comply with the required guidance.
V-1081 High Local volumes are not formatted using NTFS.
V-8316 High Access control permissions on the AD database, log, and work files must conform to the required guidance.
V-6834 High Named Pipes and Shares can be accessed anonymously.
V-18010 High Unapproved Users have access to Debug programs.
V-1159 High The Recovery Console option is set to permit automatic logon to the system.
V-1152 High Anonymous access to the Registry is not restricted.
V-1153 High The Send download LanMan compatible password option is not set to Send NTLMv2 response only\refuse LM.
V-1155 High The Deny access to this computer from the network user right on domain controllers must be configured to prevent unauthenticated access.
V-2374 High The system is configured to autoplay removable media.
V-1093 High Anonymous shares are not restricted.
V-1145 High Automatic logons must be disabled.
V-1140 High Users with Administrative privilege are not documented or do not have separate accounts for administrative duties and normal operational tasks.
V-39332 High The Active Directory Domain Controllers Organizational Unit (OU) object must have the proper access control permissions.
V-29540 High The access control permissions for the Domain and OU group policy must be configured to use the required access permissions.
V-2908 High Unencrypted remote access is permitted to system services.
V-30037 High The Task Scheduler service must be disabled.
V-36451 High Policy must require that administrative user accounts not be used with applications that access the internet, such as web browsers, or with potential internet sources, such as email.
V-1121 High Installed FTP server is configured to allow access to the system drive.
V-1127 High Only administrators responsible for the system must have Administrator rights on the system.
V-3339 High Unauthorized registry paths are remotely accessible.
V-7002 High DoD information system access will require the use of a password.
V-4107 High Windows operating systems that are no longer supported by the vendor for security updates must not be installed on a system.
V-32282 High Standard user accounts must only have Read permissions to the Active Setup\Installed Components registry key.
V-14798 High Directory data (outside the root DSE) of a non-public directory must be configured to prevent anonymous access.
V-12780 High The Synchronize directory service data user right must be configured to include no accounts or groups (blank).
V-36664 High The system must not use removable media as the boot loader.
V-3343 High Solicited Remote Assistance is allowed.
V-3341 High Remote control of a Terminal Service session is allowed.
V-3340 High Unauthorized shares can be accessed anonymously.
V-3344 High The use of local accounts with blank passwords is not restricted to console logons only.
V-4443 High Unauthorized registry paths and sub-paths are remotely accessible.
V-3338 High Unauthorized named pipes are accessible with anonymous credentials.
V-3337 High Anonymous SID/Name translation is allowed.
V-14820 High Domain Controller PKI certificates must be issued by the DoD PKI or an approved External Certificate Authority (ECA).
V-2370 High The access control permissions for the directory service site group policy must be configured to use the required access permissions.
V-1102 High Unauthorized users are granted right to Act as part of the operating system.
V-3379 High The system is configured to store the LAN Manager hash of the password in the SAM.
V-17900 High Disallow AutoPlay/Autorun from Autorun.inf
V-1077 Medium Access permissions for event logs must conform to minimum requirements.
V-1072 Medium Shared user accounts are permitted on the system.
V-1070 Medium Physical security of the Automated Information System (AIS) does not meet DISA requirements.
V-4446 Medium Software certificate restriction policies are not enforced.
V-56569 Medium The system must be configured to collect unplanned Windows server shutdown events.
V-3384 Medium The system is not configured to make the object creator the owner of objects created by administrators.
V-3381 Medium The system is not configured to recommended LDAP client signing requirements.
V-3380 Medium The system is not configured to force users to log off when their allowed logon hours expire.
V-39330 Medium The Active Directory RID Manager$ object must be configured with proper audit settings.
V-3460 Medium Terminal Services is not configured to disconnect clients when time limits are exceeded.
V-3469 Medium The system is configured to prevent background refresh of Group Policy.
V-15823 Medium Remove Software Certificate Installation Files
V-56511 Medium The Error Reporting Service must be running and configured to start automatically.
V-56567 Medium The system must be configured to collect operating system kernel errors.
V-56515 Medium The system must be configured to store error reports locally, on the system or in the enclave, not send them to Microsoft.
V-3375 Medium Domain Controller authentication is not required to unlock the workstation.
V-1168 Medium Members of the Backup Operators group must have separate accounts for backup duties and normal operational tasks.
V-1164 Medium Outgoing secure channel traffic is not signed when possible.
V-1166 Medium The Windows SMB client is not enabled to perform SMB packet signing when possible.
V-1163 Medium Outgoing secure channel traffic is not encrypted when possible.
V-1162 Medium The Windows SMB server is not enabled to perform SMB packet signing when possible.
V-3471 Medium The system must be configured to collect error information.
V-3470 Medium The system is configured to allow unsolicited remote assistance offers.
V-1088 Medium Registry key auditing configuration does not meet minimum requirements.
V-1089 Medium The required legal notice must be configured to display before console logon.
V-3479 Medium The system is not configured to use Safe DLL Search Mode.
V-3478 Medium The system is configured to allow installation of printers using kernel-mode drivers.
V-1080 Medium File-auditing configuration does not meet minimum requirements.
V-36704 Medium The Enhanced Mitigation Experience Toolkit (EMET) Protection Profile for Popular Software must be implemented.
V-36705 Medium The Enhanced Mitigation Experience Toolkit (EMET) system-wide Data Execution Prevention (DEP) must be enabled and configured to at least Application Opt Out.
V-6850 Medium Auditing must be configured as required.
V-56565 Medium The system must be configured to collect all Windows application errors.
V-6836 Medium For systems utilizing a logon ID as the individual identifier, passwords must be a minimum of 14 characters in length.
V-27109 Medium File Replication Service (FRS) directory data files must have proper access control permissions.
V-6832 Medium The Windows Server SMB client is not enabled to always perform SMB packet signing.
V-6833 Medium The Windows Server SMB server is not enabled to always perform SMB packet signing.
V-6830 Medium DCOM calls are not executed under the security context of the calling user.
V-6831 Medium Outgoing secure channel traffic is not encrypted or signed.
V-8326 Medium The directory server supporting (directly or indirectly) system access or resource authorization must run on a machine dedicated to that function.
V-8327 Medium Windows services that are critical for directory server operation must be configured for automatic startup.
V-8320 Medium Directory server directories and files must be configured with required permissions.
V-14262 Medium IPv6 must be disabled until a deliberate transition strategy has been implemented.
V-8322 Medium Time synchronization must be enabled on the domain controller.
V-1154 Medium Ctrl+Alt+Del security attention sequence is Disabled.
V-3289 Medium A Server does not have a host-based Intrusion Detection System.
V-1099 Medium Lockout duration does not meet minimum requirements.
V-1098 Medium Time before bad-logon counter is reset does not meet minimum requirements.
V-2373 Medium The Server Operators group must have the ability to schedule jobs by means of the AT command disabled.
V-2372 Medium Reversible password encryption is not disabled.
V-2377 Medium The Kerberos service ticket maximum lifetime must meet minimum standards.
V-2376 Medium The Kerberos policy option must be configured to enforce user logon restrictions.
V-3383 Medium The system is not configured to use FIPS compliant Algorithms for Encryption, Hashing, and Signing.
V-1095 Medium Anonymous access to the event logs is not restricted.
V-3349 Medium Windows Messenger (MSN Messenger, .NET messenger) is run at system startup.
V-1097 Medium Number of allowed bad-logon attempts does not meet minimum requirements.
V-3382 Medium The system is not configured to meet the minimum requirement for session security for NTLM SSP based Clients.
V-3372 Medium The system can be removed from the docking station without logging on first.
V-3348 Medium The user is allowed to launch Windows Messenger (MSN Messenger, .NET Messenger).
V-3376 Medium The system is configured to permit storage of credentials or .NET Passports.
V-3377 Medium The system is configured to give anonymous users Everyone rights.
V-3374 Medium The system is not configured to require a strong session key.
V-3378 Medium The system is not configured to use the Classic security model.
V-1171 Medium Ejection of removable NTFS media is not restricted to Administrators.
V-1141 Medium Unencrypted password is sent to 3rd party SMB Server.
V-6825 Medium A Windows system has an incorrect default DCOM authorization level.
V-6826 Medium A Windows system has a writable DCOM configuration.
V-14271 Medium Application account passwords length and change requirement
V-3342 Medium The computer does not wait for the network at computer startup.
V-3459 Medium Terminal Services is not configured to allow only the original client to reconnect.
V-3458 Medium Terminal Services idle session time limit does not meet the requirement.
V-3450 Medium Terminal Services is not configured to limit the number of connections.
V-3457 Medium Terminal Services is not configured to set a time limit for disconnected sessions.
V-3456 Medium Terminal Services is not configured to delete temporary folders.
V-3455 Medium Terminal Services is configured to use a common temporary folder for all sessions.
V-3454 Medium Terminal Services is not configured with the client connection encryption set to the required level.
V-4407 Medium Domain Controllers must require LDAP signing.
V-3369 Medium Restricted accounts are not disabled.
V-1130 Medium ACLs for system files and directories do not conform to minimum requirements.
V-1131 Medium A password filter that enforces DoD requirements is not installed.
V-2907 Medium System files are not checked for unauthorized changes.
V-1139 Medium The option to prevent the password in dial-up networking from being saved is not enabled.
V-14247 Medium Terminal Services / Remote Desktop Service - Prevent password saving in the Remote Desktop Client
V-1119 Medium Booting into alternate operating systems is permitted.
V-1114 Medium The built-in guest account has not been renamed.
V-6840 Medium To the extent system capabilities permit, system mechanisms will be implemented to enforce automatic expiration of passwords and to prevent reuse.
V-1115 Medium The built-in administrator account has not been renamed.
V-3426 Medium The system is configured to allow remote desktop sharing through NetMeeting.
V-1120 Medium Installed FTP server is configured to allow prohibited logins.
V-1122 Medium The system configuration is not set with a password-protected screen saver.
V-3491 Medium There is no local policy for reviewing audit logs.
V-56559 Medium The system must be configured to collect all application error reports.
V-56557 Medium The system must be configured to prevent the display of error messages to the user.
V-26486 Medium The Deny log on through Terminal Services user right on domain controllers must prevent all access if TS is not used by the organization. If TS is used, it must be configured to prevent unauthenticated access.
V-1113 Medium The built-in guest account is not disabled.
V-56551 Medium The system must be configured to queue error reports.
V-3828 Medium Security-related Software Patches are not applied.
V-26484 Medium The Deny log on as a service user right will be configured to include no one (blank).
V-32274 Medium The DoD Interoperability Root CA 1 to DoD Root CA 2 cross certificate must be installed.
V-1117 Medium Security events are not properly preserved.
V-32272 Medium The DoD Root Certificate must be installed.
V-36663 Medium System BIOS or system controllers must have administrator accounts/passwords configured.
V-40195 Medium System BIOS or system controllers must not allow user-level access.
V-2380 Medium The Kerberos policy option Maximum tolerance for computer clock synchronization must be set to a maximum of 5 minutes or less.
V-3480 Medium Media Player must be configured to prevent automatic checking for updates.
V-1118 Medium Event log sizes do not meet minimum requirements.
V-4448 Medium Group Policy objects are not reprocessed if they have not changed.
V-3481 Medium Media Player is configured to allow automatic CODEC downloads.
V-4447 Medium The Terminal Server does not require secure RPC communication.
V-1137 Medium An Auditors group has not been created to restrict access to the Windows Event Logs.
V-3385 Medium The system is configured to allow case insensitivity.
V-56545 Medium The system must be configured to collect additional files and include in error reports.
V-56547 Medium The system must be configured to collect additional information about the system when error reports are generated.
V-14226 Medium Audit logs are archived to prevent loss.
V-14225 Medium Administrator Passwords are changed when necessary.
V-14224 Medium The system does not have a backup administrator account
V-56561 Medium The system must be configured to collect Microsoft application errors.
V-3487 Medium Unnecessary services must be disabled.
V-1157 Medium The Smart Card removal option is set to take no action.
V-2371 Medium ACLs for disabled services do not conform to minimum standards.
V-1103 Medium User rights assignments must meet minimum requirements.
V-3245 Medium File share ACLs have not been reconfigured to remove the Everyone group.
V-1107 Medium Password uniqueness does not meet minimum requirements.
V-1105 Medium Minimum password age does not meet minimum requirements.
V-1104 Medium Maximum password age does not meet minimum requirements.
V-4444 Medium Users must enter a password to access private keys.
V-15505 Medium The HBSS McAfee Agent is not installed.
V-3449 Medium Terminal Services is not configured to limit users to one remote session.
V-26483 Medium The Deny log on as a batch job user right on domain controllers must be configured to prevent unauthenticated access.
V-39327 Medium The Active Directory Infrastructure object must be configured with proper audit settings.
V-39326 Medium The Active Directory Domain object must be configured with proper audit settings.
V-39325 Medium Active Directory Group Policy objects must be configured with proper audit settings.
V-26485 Medium The Deny log on locally user right on domain controllers must be configured to prevent unauthenticated access.
V-15488 Medium For unclassified systems, the directory server must be configured to use the CAC, PIV compliant hardware token, or Alternate Logon Token (ALT) for authentication.
V-2378 Medium The Kerberos policy option maximum lifetime for user ticket must be set to a maximum of 10 hours or less.
V-39329 Medium The Active Directory AdminSDHolder object must be configured with proper audit settings.
V-39328 Medium The Active Directory Domain Controllers Organizational Unit (OU) object must be configured with proper audit settings.
V-3666 Medium The system is not configured to meet the minimum requirement for session security for NTLM SSP based Servers.
V-2379 Medium The Kerberos policy option Maximum lifetime for user ticket renewal must be configured for a maximum of 7 days or less.
V-40237 Medium The US DoD CCEB Interoperability Root CA 1 to DoD Root CA 2 cross-certificate must be installed into the Untrusted Certificates Store.
V-1076 Low System information backups are not created, updated, and protected according to DISA requirements.
V-1075 Low The system allows shutdown from the logon dialog box.
V-1174 Low Amount of idle time required before suspending a session is improperly set.
V-1172 Low Users are not warned in advance that their passwords will expire.
V-1173 Low The default permissions of Global system objects are not increased.
V-3472 Low The system is configured to use an unauthorized time server.
V-1165 Low The computer account password is prevented from being reset.
V-1160 Low The unsigned driver installation behavior is improperly set.
V-1150 Low The built-in Microsoft password filter is not enabled.
V-1151 Low Print driver installation privilege is not restricted to administrators.
V-1091 Low System does not halt once an event log has reached its maximum size.
V-3373 Low The maximum age for machine account passwords is not set to requirements.
V-26359 Low The Windows dialog box title for the legal banner must be configured.
V-8324 Low The time synchronization tool must be configured to enable logging of time source switching.
V-14831 Low The directory service must be configured to terminate LDAP-based network connections to the directory server after five (5) minutes of inactivity.
V-4408 Low The domain controller must be configured to allow reset of machine account passwords.
V-1136 Low Users must be forcibly disconnected when their logon hours expire.
V-1135 Low Printer share permissions are not configured as recommended.
V-1126 Low The Recycle Bin on a Server is not configured to delete files.
V-4438 Low TCP data retransmissions are not controlled.
V-4437 Low TCP connection response retransmissions are not controlled.
V-4111 Low The system is configured to redirect ICMP.
V-4108 Low The system does not generate an audit event when the audit log reaches a percent full threshold.
V-4109 Low The system must be configured to disable dead gateway detection.
V-1128 Low Security configuration tools or equivalent processes must be used to configure and maintain platforms for security compliance.
V-56555 Low The system must be configured to replace occurrences of the word, Microsoft, with a specified string in all error report dialogs.
V-1158 Low The Recovery Console SET command is enabled.
V-14797 Low Anonymous access to the root DSE of a non-public directory must be disabled.
V-11806 Low The system is configured to allow the display of the last user name on the logon screen.
V-4113 Low The system is configured for a greater keep-alive time than recommended.
V-4112 Low The system is configured to detect and configure default gateway addresses.
V-4110 Low The system is configured to allow IP source routing.
V-4117 Low The system is configured to allow SYN attacks.
V-4116 Low The system is configured to allow name-release attacks.
V-4442 Low This check verifies that Windows is configured to have password protection take effect within a limited time frame when the screen saver becomes active.
V-4445 Low Optional Subsystems are permitted to operate on the system.
V-56549 Low The system must be configured to prevent the display of any error dialog links to any website.
V-1112 Low User account is dormant.
V-1090 Low Caching of logon credentials is not limited.