
Windows 2008 Domain Controller Security Technical Implementation Guide


Overview

Date: 2019-06-18
Finding Count (242): CAT I (High): 37, CAT II (Med): 163, CAT III (Low): 42
STIG Description
The Windows 2008 Security Technical Implementation Guide (STIG) is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements were developed from DoD consensus, as well as the Windows 2008 Security Guide and security templates published by Microsoft Corporation. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil.

Findings (MAC III - Administrative Public)

Finding ID Severity Title
V-1074 High The Windows 2008 system must use an anti-virus program.
V-1073 High Systems must be at supported service packs (SP) or releases levels.
V-26683 High PKI certificates associated with user accounts must be issued by the DoD PKI or an approved External Certificate Authority (ECA).
V-34974 High The Windows Installer Always install with elevated privileges must be disabled.
V-39332 High The Active Directory Domain Controllers Organizational Unit (OU) object must have the proper access control permissions.
V-39333 High Domain created Active Directory Organizational Unit (OU) objects must have proper access control permissions.
V-26070 High Standard user accounts must only have Read permissions to the Winlogon registry key.
V-27119 High The Active Directory SYSVOL directory must have the proper access control permissions.
V-2908 High Unencrypted remote access is permitted to system services.
V-1081 High Local volumes are not formatted using NTFS.
V-8316 High Active Directory data files must have proper access control permissions.
V-6834 High Named Pipes and Shares can be accessed anonymously.
V-1152 High Anonymous access to the registry must be restricted.
V-1153 High The Send download LanMan compatible password option is not set to Send NTLMv2 response only\refuse LM.
V-1093 High Anonymous shares are not restricted.
V-1140 High Users with Administrative privilege are not documented or do not have separate accounts for administrative duties and normal operational tasks.
V-33673 High Active Directory Group Policy objects must have proper access control permissions.
V-36451 High Administrative accounts must not be used with applications that access the Internet, such as web browsers, or with potential Internet sources, such as email.
V-1121 High File Transfer Protocol (FTP) servers must be configured to prevent access to the system drive.
V-1127 High Only administrators responsible for the system must have Administrator rights on the system.
V-3339 High Unauthorized registry paths are remotely accessible.
V-7002 High Windows 2008 accounts must be configured to require passwords.
V-32282 High Standard user accounts must only have Read permissions to the Active Setup\Installed Components registry key.
V-18010 High Unapproved Users have access to Debug programs.
V-14798 High Directory data (outside the root DSE) of a non-public directory must be configured to prevent anonymous access.
V-2374 High The system is configured to autoplay removable media.
V-12780 High The Synchronize directory service data user right must be configured to include no accounts or groups (blank).
V-3343 High Solicited Remote Assistance is allowed.
V-3340 High Unauthorized shares can be accessed anonymously.
V-3344 High The use of local accounts with blank passwords is not restricted to console logons only.
V-4443 High Unauthorized registry paths and sub-paths are remotely accessible.
V-3338 High Unauthorized named pipes are accessible with anonymous credentials.
V-3337 High Anonymous SID/Name translation must not be allowed.
V-14820 High Domain Controller PKI certificates must be issued by the DoD PKI or an approved External Certificate Authority (ECA).
V-1102 High Unauthorized users are granted right to Act as part of the operating system.
V-17900 High Disallow AutoPlay/Autorun from Autorun.inf
V-3379 High The system is configured to store the LAN Manager hash of the password in the SAM.
V-1077 Medium Permissions for event logs must conform to minimum requirements.
V-1072 Medium Shared user accounts must not be permitted on the system.
V-1070 Medium Physical security of the Automated Information System (AIS) does not meet DISA requirements.
V-3383 Medium The system is not configured to use FIPS compliant Algorithms for Encryption, Hashing, and Signing.
V-3381 Medium The system is not configured to recommended LDAP client signing requirements.
V-1171 Medium Ejection of removable NTFS media is not restricted to Administrators.
V-39330 Medium The Active Directory RID Manager$ object must be configured with proper audit settings.
V-26600 Medium The Fax service must be disabled if installed.
V-26602 Medium The Microsoft FTP service must not be installed unless required.
V-3469 Medium The system is configured to prevent background refresh of Group Policy.
V-26604 Medium The Peer Networking Identity Manager service must be disabled if installed.
V-26605 Medium The Simple TCP/IP Services service must be disabled if installed.
V-26606 Medium The Telnet service must be disabled if installed.
V-15727 Medium User Network Sharing
V-15721 Medium Windows Mail – Disable Application
V-15823 Medium Software certificate installation files must be removed from Windows 2008.
V-15722 Medium Media DRM – Internet Access
V-16000 Medium Terminal Services – Smart Card Device Redirection Enabled (Terminal Server Role).
V-14236 Medium User Account Control - Behavior of elevation prompt for standard users.
V-16008 Medium UAC - Application Elevations
V-1168 Medium Members of the Backup Operators group must have separate accounts for backup duties and normal operational tasks.
V-1164 Medium Outgoing secure channel traffic is not signed when possible.
V-1166 Medium The Windows SMB client is not enabled to perform SMB packet signing when possible.
V-3378 Medium The system is not configured to use the Classic security model.
V-1163 Medium Outgoing secure channel traffic is not encrypted when possible.
V-1162 Medium The Windows SMB server is not enabled to perform SMB packet signing when possible.
V-3470 Medium The system is configured to allow unsolicited remote assistance offers.
V-3385 Medium The system must be configured to require case insensitivity for non-Windows subsystems.
V-1089 Medium The required legal notice must be configured to display before console logon.
V-3479 Medium The system is not configured to use Safe DLL Search Mode.
V-6850 Medium Auditing records must be configured as required.
V-15697 Medium Network – Responder Driver
V-15696 Medium Network – Mapper I/O Driver
V-91777 Medium The password for the krbtgt account on a domain must be reset at least every 180 days.
V-6836 Medium For systems utilizing a logon ID as the individual identifier, passwords must be a minimum of 14 characters in length.
V-27109 Medium File Replication Service (FRS) directory data files must have proper access control permissions.
V-6832 Medium The Windows Server SMB client is not enabled to always perform SMB packet signing.
V-6833 Medium The Windows Server SMB server is not enabled to always perform SMB packet signing.
V-6831 Medium Outgoing secure channel traffic is not encrypted or signed.
V-8326 Medium The directory server supporting (directly or indirectly) system access or resource authorization must run on a machine dedicated to that function.
V-8327 Medium Windows services that are critical for directory server operation must be configured for automatic startup.
V-8322 Medium Time synchronization must be enabled on the domain controller.
V-14260 Medium Computer prevented from downloading print driver packages over HTTP.
V-1150 Medium The built-in Windows password complexity policy must be enabled.
V-1154 Medium Ctrl+Alt+Del security attention sequence is Disabled.
V-1155 Medium The Deny access to this computer from the network user right on domain controllers must be configured to prevent unauthenticated access.
V-14269 Medium Hide mechanism for removing Zone information from file attachments.
V-3289 Medium A Server does not have a host-based Intrusion Detection System.
V-1099 Medium Windows 2008 account lockout duration must be configured to 15 minutes or greater.
V-1098 Medium The reset period for the account lockout counter must be configured to 15 minutes or greater on Windows 2008.
V-2373 Medium The Server Operators group must have the ability to schedule jobs by means of the AT command disabled.
V-2372 Medium Reversible password encryption is not disabled.
V-3449 Medium Terminal Services is not configured to limit users to one remote session (Terminal Server Role)
V-2377 Medium The Kerberos service ticket maximum lifetime must be limited to 600 minutes or less.
V-2376 Medium Kerberos user logon restrictions must be enforced.
V-2379 Medium The Kerberos user ticket renewal maximum lifetime must be limited to 7 days or less.
V-3349 Medium Windows Messenger (MSN Messenger, .NET messenger) is run at system startup.
V-1097 Medium Number of allowed bad-logon attempts does not meet minimum requirements.
V-3382 Medium The system is not configured to meet the minimum requirement for session security for NTLM SSP based Clients.
V-3372 Medium The system can be removed from the docking station without logging on first.
V-15991 Medium UAC - Allow UIAccess applications to prompt for elevation without using the secure desktop
V-3376 Medium The system is configured to permit storage of credentials or .NET Passports.
V-15997 Medium Terminal Services – Prevent COM Port Redirection (Terminal Server Role).
V-3374 Medium The system is not configured to require a strong session key.
V-15998 Medium Terminal Services – Prevent LPT Port Redirection (Terminal Server Role).
V-15999 Medium Terminal Services – Prevent Plug and Play Device Redirection (Terminal Server Role).
V-4444 Medium Users must be required to enter a password to access private keys stored on the computer.
V-15682 Medium Attachments must be prevented from being downloaded from RSS feeds.
V-15683 Medium Windows Explorer – Shell Protocol Protected Mode
V-1145 Medium Automatic logons must be disabled.
V-1141 Medium Unencrypted passwords must not be sent to third-party SMB Servers.
V-15685 Medium Windows Installer – User Control
V-14270 Medium Notify antivirus when file attachments are opened.
V-14271 Medium Application account passwords must meet DoD requirements for length, complexity and changes.
V-3456 Medium Terminal Services is not configured to delete temporary folders (Terminal Server Role).
V-3455 Medium Terminal Services is configured to use a common temporary folder for all sessions (Terminal Server Role).
V-3454 Medium Terminal Services is not configured with the client connection encryption set to the required level.
V-4407 Medium Domain Controllers must require LDAP signing.
V-15666 Medium Windows Peer to Peer Networking
V-1130 Medium ACLs for system files and directories do not conform to minimum requirements.
V-26483 Medium The Deny log on as a batch job user right on domain controllers must be configured to prevent unauthenticated access.
V-2907 Medium System files are not checked for unauthorized changes.
V-15679 Medium Windows Movie Maker Online Hosting
V-15678 Medium Windows Movie Maker Web Links
V-15677 Medium Windows Movie Maker Codec Downloads
V-15674 Medium Disable Internet File Association Service
V-14241 Medium User Account Control - Switch to secure desktop
V-14240 Medium User Account Control - Run all admins in Admin Approval Mode
V-14243 Medium Administrator accounts must not be enumerated during elevation.
V-14242 Medium User Account Control - Non UAC Compliant Application Virtualization
V-14247 Medium Terminal Services / Remote Desktop Service - Prevent password saving in the Remote Desktop Client
V-14249 Medium Terminal Services / Remote Desktop Services - Local drives prevented from sharing with Terminal Servers (Terminal Server Role).
V-1119 Medium Booting into alternate operating systems is permitted.
V-1115 Medium The built-in administrator account has not been renamed.
V-3377 Medium The system is configured to give anonymous users Everyone rights.
V-6840 Medium Windows 2008 passwords must be configured to expire.
V-1120 Medium File Transfer Protocol (FTP) servers must be configured to prevent anonymous logons.
V-1122 Medium The system configuration is not set with a password-protected screen saver.
V-15667 Medium Prohibit Network Bridge in Windows
V-15698 Medium Network – Windows Connect Now Wireless Configuration
V-1114 Medium The built-in guest account has not been renamed.
V-3491 Medium There is no local policy for reviewing audit logs.
V-14258 Medium Search Companion prevented from automatically downloading content updates.
V-14259 Medium Prevent printing over HTTP.
V-14256 Medium Web Publishing and online ordering wizards prevented from downloading list of providers.
V-14257 Medium Windows Messenger prevented from collecting anonymous information.
V-14255 Medium File and Folder Publish to Web option unavailable.
V-26486 Medium The Deny log on through Terminal Services user right on domain controllers must be configured to prevent unauthenticated access.
V-39326 Medium The Active Directory Domain object must be configured with proper audit settings.
V-15684 Medium Windows Installer – IE Security Prompt
V-3828 Medium Security-related Software Patches are not applied.
V-26484 Medium The Deny log on as a service user right must be configured to include no accounts or groups (blank).
V-32274 Medium The DoD Interoperability Root CA cross-certificates must be installed in the Untrusted Certificates Store on unclassified systems.
V-1113 Medium The built-in guest account is not disabled.
V-32272 Medium The DoD Root CA certificates must be installed in the Trusted Root Store.
V-3348 Medium The user is allowed to launch Windows Messenger (MSN Messenger, .NET Messenger).
V-1157 Medium The Smart Card removal option is set to take no action.
V-14261 Medium Windows is prevented from using Windows Update to search for drivers.
V-2380 Medium The computer clock synchronization tolerance must be limited to 5 minutes or less.
V-3480 Medium Media Player must be configured to prevent automatic checking for updates.
V-1118 Medium Windows event log sizes must meet minimum requirements.
V-4448 Medium Group Policy objects are not reprocessed if they have not changed.
V-3481 Medium Media Player is configured to allow automatic CODEC downloads.
V-73523 Medium The Server Message Block (SMB) v1 protocol must be disabled on the SMB client.
V-4447 Medium The Terminal Server does not require secure RPC communication (Terminal Server Role).
V-4446 Medium Software certificate restriction policies are not enforced.
V-14229 Medium Audit of Backup and Restore Privileges is not turned off.
V-14228 Medium Auditing Access of Global System Objects must be turned off.
V-14226 Medium Audit data must be retained for at least one year.
V-14225 Medium The Windows 2008 password for the built-in Administrator account must be changed at least annually or when a member of the administrative team leaves the organization.
V-3487 Medium Unnecessary services are not disabled.
V-15706 Medium Power Mgmt – Password Wake When Plugged In (Only applicable to 2008 if installed on a laptop.)
V-15705 Medium Power Mgmt – Password Wake on Battery (Only applicable to 2008 if installed on a laptop.)
V-14268 Medium Preserve Zone information when saving attachments.
V-16048 Medium Disable Help Ratings feedback.
V-16021 Medium Help Experience Improvement Program is disabled.
V-16020 Medium Windows Customer Experience Improvement Program is disabled.
V-1103 Medium User rights assignments must meet minimum requirements.
V-3245 Medium File share permissions must be configured to remove the Everyone group.
V-1107 Medium The password history must be configured to 24 passwords remembered.
V-1105 Medium Minimum password age does not meet minimum requirements.
V-1104 Medium Maximum password age does not meet minimum requirements.
V-14239 Medium User Account Control - Elevate UIAccess applications that are in secure locations
V-14230 Medium Audit policy using subcategories is enabled.
V-14234 Medium User Account Control - Built In Admin Approval Mode
V-14235 Medium User Account Control must, at minimum, prompt administrators for consent.
V-15505 Medium The HBSS McAfee Agent must be installed.
V-14237 Medium User Account Control - Detect Application Installations
V-39327 Medium The Active Directory Infrastructure object must be configured with proper audit settings.
V-39325 Medium Active Directory Group Policy objects must be configured with proper audit settings.
V-26485 Medium The Deny log on locally user right on domain controllers must be configured to prevent unauthenticated access.
V-15488 Medium Active directory user accounts, including administrators, must be configured to require the use of a Common Access Card (CAC), PIV-compliant hardware token, or Alternate Logon Token (ALT) for user authentication.
V-75915 Medium Orphaned security identifiers (SIDs) must be removed from user rights on Windows 2008.
V-39329 Medium The Active Directory AdminSDHolder object must be configured with proper audit settings.
V-39328 Medium The Active Directory Domain Controllers Organizational Unit (OU) object must be configured with proper audit settings.
V-3666 Medium The system is not configured to meet the minimum requirement for session security for NTLM SSP based Servers.
V-15699 Medium Network – Windows Connect Now Wizards
V-15710 Medium Online Assistance – Untrusted Content
V-15711 Medium Search – Encrypted Files Indexing
V-15713 Medium Defender – SpyNet Reporting
V-2378 Medium The Kerberos user ticket lifetime must be limited to 10 hours or less.
V-73519 Medium The Server Message Block (SMB) v1 protocol must be disabled on the SMB server.
V-40237 Medium The US DoD CCEB Interoperability Root CA cross-certificates must be installed in the Untrusted Certificates Store on unclassified systems.
V-1076 Low System information backups are not created, updated, and protected according to DISA requirements.
V-1075 Low The system allows shutdown from the logon dialog box.
V-4110 Low The system is configured to allow IP source routing.
V-1174 Low The amount of idle time required before suspending a session must be properly set.
V-1173 Low The default permissions of Global system objects are not increased.
V-16001 Low Terminal Services – Default Only Client Printer Redirection (Terminal Server Role).
V-3472 Low The time service must synchronize with an appropriate DoD time source.
V-1165 Low The computer account password is prevented from being reset.
V-11806 Low The system is configured to allow the display of the last user name on the logon screen.
V-8324 Low The time synchronization tool must be configured to enable logging of time source switching.
V-1151 Low Print driver installation privilege is not restricted to administrators.
V-1090 Low Caching of logon credentials must be limited.
V-3373 Low The maximum age for machine account passwords is not set to requirements.
V-26359 Low The Windows dialog box title for the legal banner must be configured.
V-15686 Low Windows Installer – Vendor Signed Updates
V-15687 Low Media Player – First Use Dialog Boxes
V-1112 Low Outdated or unused accounts must be removed from the system or disabled.
V-14831 Low The directory service must be configured to terminate LDAP-based network connections to the directory server after five (5) minutes of inactivity.
V-4408 Low The domain controller must be configured to allow reset of machine account passwords.
V-1136 Low Users must be forcibly disconnected when their logon hours expire.
V-15676 Low Order Prints Online
V-15675 Low Windows Registration Wizard
V-15673 Low Internet Connection Wizard ISP Downloads
V-15672 Low Event Viewer Events.asp links must be turned off.
V-1172 Low Users are not warned in advance that their passwords will expire.
V-4438 Low The system must limit how many times unacknowledged TCP data is retransmitted.
V-4112 Low The system is configured to detect and configure default gateway addresses.
V-4111 Low The system is configured to redirect ICMP.
V-4108 Low The system must generate an audit event when the audit log reaches a percentage of full threshold.
V-1128 Low Security configuration tools or equivalent processes must be used to configure and maintain platforms for security compliance.
V-14797 Low Anonymous access to the root DSE of a non-public directory must be disabled.
V-15720 Low Windows Mail – Communities
V-4113 Low The system is configured for a greater keep-alive time than recommended.
V-4116 Low The system must be configured to ignore NetBIOS name release requests except from WINS servers.
V-4442 Low This check verifies that Windows is configured to have password protection take effect within a limited time frame when the screen saver becomes active.
V-15703 Low Driver Install – Device Driver Search Prompt
V-4445 Low Optional Subsystems are permitted to operate on the system.
V-15707 Low Remote Assistance – Session Logging
V-1135 Low Printer share permissions are not configured as recommended.
V-14232 Low IPSec Exemptions are limited.
V-1126 Low The Recycle Bin on a server must be configured to immediately delete files.
V-15718 Low Windows Explorer – Heap Termination