
Windows Server 2008 R2 Domain Controller Security Technical Implementation Guide


Overview

Date: 2013-03-14
Finding Count (353): CAT I (High): 40, CAT II (Med): 243, CAT III (Low): 70
STIG Description
The Windows Server 2008 R2 Security Technical Implementation Guide (STIG) is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements were developed from DoD consensus, as well as the Windows Server 2008 R2 Security Guide and security templates published by Microsoft Corporation. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.letterkenny.FSO.mbx.stig-customer-support-mailbox@mail.mil.

Findings (MAC II - Mission Support Classified)

Finding ID Severity Title
V-27119 High Access control permissions on the GPT directory files must comply with the required guidance.
V-6834 High Anonymous access to Named Pipes and Shares will be restricted.
V-18010 High Unauthorized accounts will not have the "Debug programs" user right.
V-1093 High Anonymous enumeration of shares will be restricted.
V-29546 High The access control permissions for the OU objects must be configured to use the required access permissions.
V-26283 High Anonymous enumeration of SAM accounts will not be allowed.
V-1121 High Installed FTP server will not be configured to allow access to the system drive.
V-1127 High Only administrators responsible for the system must have Administrator rights on the system.
V-12780 High The Synchronize Directory Service Data user right must not be assigned to any account.
V-26070 High Standard user accounts will only have Read permissions to the Winlogon registry key.
V-8316 High Directory service data files must have proper access permissions.
V-1159 High The Recovery Console option will be set to prevent automatic logon to the system.
V-1152 High Anonymous access to the registry will be restricted.
V-1153 High The LanMan authentication level will be set to Send NTLMv2 response only\refuse LM & NTLM.
V-2374 High Autoplay will be disabled for all drives.
V-22692 High The default autorun behavior will be configured to prevent autorun commands.
V-26683 High PKI certificates (user certificates) must be issued by the DoD PKI or an approved External Certificate Authority (ECA).
V-1145 High Automatic logons will be disabled.
V-1140 High Users with Administrative privilege will be documented and have separate accounts for administrative duties and normal operational tasks.
V-2908 High Unencrypted remote access will not be permitted to system services.
V-36451 High Policy must require that administrative user accounts not be used with applications that access the internet, such as web browsers, or with potential internet sources, such as email.
V-3338 High Named pipes that can be accessed anonymously must be configured with limited values on domain controllers.
V-3339 High Unauthorized remotely accessible registry paths will not be configured.
V-3337 High Anonymous SID/Name translation will not be allowed.
V-4443 High Unauthorized remotely accessible registry paths and sub-paths will not be configured.
V-14798 High Directory data (outside the root DSE) of a non-public directory must be configured to prevent anonymous access.
V-3343 High Solicited Remote Assistance will not be allowed.
V-3340 High Network shares that can be accessed anonymously will not be allowed.
V-3344 High The use of local accounts with blank passwords will be restricted to console logons only.
V-1102 High Unauthorized accounts will not be granted the "Act as part of the operating system" user right.
V-1074 High An approved DoD virus scan program will be used and kept updated.
V-1073 High Systems must be at supported service pack (SP) or release levels.
V-34974 High The Windows Installer Always install with elevated privileges must be disabled.
V-26479 High Unauthorized accounts will not have the "Create a token object" user right.
V-1081 High Local volumes will be formatted using NTFS.
V-32282 High Standard user accounts must only have Read permissions to the Active Setup\Installed Components registry key.
V-3379 High The system will be configured to prevent the storage of the LAN Manager hash of passwords.
V-33673 High The access control permissions for Active Directory Group Policy Objects must be configured to use the required access permissions.
V-7002 High DoD information system access will require the use of a password.
V-14820 High PKI certificates (server and clients) must be issued by the DoD PKI or an approved External Certificate Authority (ECA).
V-16000 Medium The system will be configured to ensure smart card devices can be redirected to the Remote Desktop Session. (Remote Desktop Services Role)
V-16006 Medium Unnecessary features will not be installed.
V-16008 Medium Windows will elevate all applications in User Account Control, not just signed ones.
V-26503 Medium Unauthorized accounts will not have the "Replace a process level token" user right.
V-26501 Medium Unauthorized accounts will not have the "Profile system performance" user right.
V-26500 Medium Unauthorized accounts will not have the "Profile single process" user right.
V-1168 Medium Members of the Backup Operators group will have separate accounts for backup duties and normal operational tasks.
V-26505 Medium Unauthorized accounts will not have the "Shut down the system" user right.
V-26504 Medium Unauthorized accounts will not have the "Restore files and directories" user right.
V-1164 Medium Outgoing secure channel traffic will be signed when possible.
V-1166 Medium The Windows SMB client will be enabled to perform SMB packet signing when possible.
V-1163 Medium Outgoing secure channel traffic will be encrypted when possible.
V-1162 Medium The Windows SMB server will perform SMB packet signing when possible.
V-26469 Medium Unauthorized accounts will not have the "Access Credential Manager as a trusted caller" user right.
V-6836 Medium For systems utilizing a logon ID as the individual identifier, passwords will, at a minimum, be 14 characters.
V-6832 Medium The Windows SMB client will be enabled to always perform SMB packet signing.
V-6833 Medium The Windows SMB server will be enabled to always perform SMB packet signing.
V-6831 Medium Outgoing secure channel traffic will be encrypted or signed.
V-1099 Medium The lockout duration will meet minimum requirements.
V-1098 Medium The time before the bad-logon counter is reset will meet minimum requirements.
V-3449 Medium Remote Desktop Services will limit users to one remote session.
V-1097 Medium The number of allowed bad-logon attempts will meet minimum requirements.
V-36439 Medium Local administrator accounts must have their privileged token filtered to prevent elevated privileges from being used over the network on domain systems.
V-6840 Medium System mechanisms will be implemented to enforce automatic expiration of passwords.
V-4243 Medium Directory service data objects must be configured with proper audit settings.
V-4407 Medium LDAP access signing is not required.
V-14241 Medium User Account Control will switch to the secure desktop when prompting for elevation.
V-14240 Medium User Account Control will run all administrators in Admin Approval Mode, enabling UAC.
V-14243 Medium The system will require username and password to elevate a running application.
V-14242 Medium User Account Control will virtualize file and registry write failures to per-user locations.
V-14247 Medium Passwords will not be saved in the Remote Desktop Client.
V-14249 Medium Local drives will be prevented from sharing with Remote Desktop Session Hosts (Remote Desktop Services Role).
V-33664 Medium The system must be configured to audit DS Access - Directory Service Access failures.
V-33665 Medium The system must be configured to audit DS Access - Directory Service Changes successes.
V-33666 Medium The system must be configured to audit DS Access - Directory Service Changes failures.
V-33663 Medium The system must be configured to audit DS Access - Directory Service Access successes.
V-1120 Medium Installed FTP server will not be configured to allow prohibited logins.
V-1122 Medium The system will be configured with a password-protected screen saver.
V-15666 Medium Windows Peer-to-Peer networking services will be turned off.
V-15667 Medium Network Bridges will be prohibited in Windows.
V-3828 Medium Security-related Software Patches will be applied.
V-21980 Medium Explorer Data Execution Prevention will be enabled.
V-2380 Medium The computer clock synchronization tolerance must meet minimum standards.
V-26495 Medium Unauthorized accounts will not have the "Log on as a batch job" user right.
V-26494 Medium Unauthorized accounts will not have the "Lock pages in memory" user right.
V-26497 Medium Unauthorized accounts will not have the "Modify an object label" user right.
V-26496 Medium Unauthorized accounts will not have the "Manage auditing and security log" user right.
V-26491 Medium Unauthorized accounts will not have the "Increase a process working set" user right.
V-26490 Medium Unauthorized accounts will not have the "Impersonate a client after authentication" user right.
V-26493 Medium Unauthorized accounts will not have the "Load and unload device drivers" user right.
V-26492 Medium Unauthorized accounts will not have the "Increase scheduling priority" user right.
V-26554 Medium The system will be configured to audit "System -> Security State Change" failures.
V-26556 Medium The system will be configured to audit "System -> Security System Extension" failures.
V-26557 Medium The system will be configured to audit "System -> System Integrity" successes.
V-26499 Medium Unauthorized accounts will not have the "Perform volume maintenance tasks" user right.
V-26551 Medium The system will be configured to audit "System -> IPSec Driver" successes.
V-26552 Medium The system will be configured to audit "System -> IPSec Driver" failures.
V-26553 Medium The system will be configured to audit "System -> Security State Change" successes.
V-15700 Medium Remote access to the Plug and Play interface will be disabled for device installation.
V-15706 Medium The user will be prompted for a password on resume from sleep (Plugged In). (Applicable on Server 2008 R2 if the system is configured to sleep.)
V-15705 Medium Users will be prompted for a password on resume from sleep (on battery). (Applicable to Server 2008 R2 if the system is configured to sleep.)
V-16048 Medium Windows Help Ratings feedback will be turned off.
V-26558 Medium The system will be configured to audit "System -> System Integrity" failures.
V-26555 Medium The system will be configured to audit "System -> Security System Extension" successes.
V-26506 Medium Unauthorized accounts will not have the "Take ownership of files or other objects" user right.
V-26550 Medium The system will be configured to audit "Privilege Use -> Sensitive Privilege Use" failures.
V-26498 Medium Unauthorized accounts will not have the "Modify firmware environment values" user right.
V-3385 Medium The system will be configured to allow case insensitivity for non-Windows subsystems.
V-3383 Medium The system will be configured to use FIPS-compliant algorithms for encryption, hashing, and signing.
V-3382 Medium The system will be configured to meet the minimum session security requirement for NTLM SSP based clients.
V-3381 Medium The system will be configured to the required LDAP client signing level.
V-3380 Medium The system will be configured to force users to log off when their allowed logon hours expire.
V-26600 Medium The Fax service will be disabled.
V-26602 Medium The Microsoft FTP service will be disabled.
V-26604 Medium The Peer Networking Identity Manager service will be disabled.
V-26605 Medium The Simple TCP/IP Services service will be disabled.
V-26606 Medium The Telnet service will be disabled.
V-8317 Medium The directory server data files must be located on a different logical partition from the data files owned by users.
V-30016 Medium Unauthorized accounts will not have the "Add workstations to domain" user right.
V-15697 Medium The Responder network protocol driver will be disabled.
V-15696 Medium The Mapper I/O network protocol driver will be disabled.
V-27109 Medium Access Control permissions on the FRS Directory data files must have proper access permissions.
V-15699 Medium The Windows Connect Now wizards will be disabled.
V-15698 Medium The configuration of wireless devices using Windows Connect Now will be disabled.
V-1154 Medium The Ctrl+Alt+Del security attention sequence for logons will be enabled.
V-1155 Medium The Deny access to this computer from the network user right on domain controllers must be configured to prevent unauthenticated access.
V-1157 Medium The Smart Card removal option will be configured to Force Logoff or Lock Workstation.
V-2373 Medium The Server Operators group must have the ability to schedule jobs by means of the AT command disabled.
V-2372 Medium Reversible password encryption will be disabled.
V-2377 Medium The Kerberos service ticket maximum lifetime must meet minimum standards.
V-2376 Medium Kerberos user logon restrictions must be enforced.
V-2379 Medium The Kerberos policy user ticket renewal maximum lifetime must meet minimum standards.
V-2378 Medium The Kerberos user ticket lifetime must be limited to a maximum of 10 hours or less.
V-15991 Medium UIAccess applications will not be allowed to prompt for elevation without using the secure desktop.
V-15996 Medium The system will be configured to prevent users from sharing clipboard content on their client computers with Remote Desktop Session Host that they access. (Remote Desktop Services Role)
V-15997 Medium The system will be configured to prevent users from mapping local COM ports and redirecting data from the Remote Desktop Session Host to local COM ports. (Remote Desktop Services Role)
V-15998 Medium The system will be configured to prevent users from mapping local LPT ports and redirecting data from the Remote Desktop Session Host to local LPT ports. (Remote Desktop Services Role)
V-15999 Medium The system will be configured to prevent users from redirecting Plug and Play devices to the Remote Desktop Session Host. (Remote Desktop Services Role)
V-3458 Medium Remote Desktop Services will be configured to disconnect an idle session after the specified time period.
V-3453 Medium Remote Desktop Services will always prompt a client for passwords upon connection.
V-3457 Medium Remote Desktop Services will be configured to set a time limit for disconnected sessions.
V-3456 Medium Remote Desktop Services will delete temporary folders when a session is terminated.
V-3455 Medium Remote Desktop Services will be configured to use session-specific temporary folders.
V-3454 Medium Remote Desktop Services will be configured with the client connection encryption set to the required level.
V-14258 Medium Search Companion will be prevented from automatically downloading content updates.
V-14259 Medium Printing over HTTP will be prevented.
V-14256 Medium Web publishing and online ordering wizards will be prevented from downloading a list of providers.
V-14257 Medium Windows Messenger will be prevented from collecting anonymous information about how the service is used.
V-14254 Medium Client computers will be required to authenticate for RPC communication.
V-14255 Medium File and folder Publish to Web option will be unavailable in Windows folders.
V-14253 Medium Unauthenticated RPC clients will be restricted from connecting to the RPC server.
V-14250 Medium Automatic Updates will not be used (unless configured to point to a DoD server).
V-1119 Medium Booting into alternate non STIG compliant operating systems will not be permitted.
V-1114 Medium The built-in guest account will be renamed.
V-1115 Medium The built-in administrator account will be renamed.
V-1113 Medium The built-in guest account will be disabled.
V-14268 Medium Zone information will be preserved when saving attachments.
V-16021 Medium The Windows Help Experience Improvement Program will be disabled.
V-16020 Medium The Windows Customer Experience Improvement Program will be disabled.
V-21951 Medium Services using Local System that use negotiate when reverting to NTLM authentication will use the computer identity vs. authenticating anonymously.
V-21950 Medium The service principal name (SPN) target name validation level will be turned off.
V-21953 Medium PKU2U authentication using online identities will be prevented.
V-21952 Medium NTLM will be prevented from falling back to a Null session.
V-21954 Medium Kerberos encryption types will be configured to prevent the use of DES encryption suites.
V-26482 Medium Unauthorized accounts will not have the "Create symbolic links" user right.
V-26483 Medium The Deny log on as a batch job user right on domain controllers must be configured to prevent unauthenticated access.
V-26480 Medium Unauthorized accounts will not have the "Create global objects" user right.
V-26481 Medium Unauthorized accounts will not have the "Create permanent shared objects" user right.
V-26486 Medium The Deny log on through Remote Desktop Services user right on domain controllers must be configured to prevent unauthenticated access.
V-26487 Medium Unauthorized accounts will not have the "Enable computer and user accounts to be trusted for delegation" user right.
V-26484 Medium The Deny log on as a service user right must be configured to include no accounts or groups (blank).
V-26485 Medium The Deny log on locally user right on domain controllers must be configured to prevent unauthenticated access.
V-15488 Medium For unclassified systems, the directory server must be configured to use the CAC, PIV compliant hardware token, or Alternate Logon Token (ALT) for authentication.
V-26488 Medium Unauthorized accounts will not have the "Force shutdown from a remote system" user right.
V-26489 Medium Unauthorized accounts will not have the "Generate security audits" user right.
V-15713 Medium Windows Defender SpyNet membership will be disabled.
V-15715 Medium Windows Error Reporting to Microsoft will be disabled.
V-3469 Medium The system will be configured to enable the background refresh of Group Policy.
V-15823 Medium Software certificate installation files will be removed from a system.
V-8326 Medium The directory server supporting (directly or indirectly) system access or resource authorization, must run on a machine dedicated to that function.
V-8327 Medium OS services that are critical for directory server operation must be configured for automatic startup.
V-8320 Medium Directory server directories and files must be configured with required permissions.
V-14262 Medium IPv6 will be disabled until a deliberate transition strategy has been implemented.
V-14261 Medium Windows will be prevented from using Windows Update to search for drivers.
V-14260 Medium Downloading print driver packages over HTTP will be prevented.
V-14269 Medium Mechanisms for removing zone information from file attachments will be hidden.
V-3289 Medium Servers will have a host-based Intrusion Detection System.
V-15684 Medium Users will be notified if a web-based program attempts to install software.
V-26579 Medium The Application event log will be configured to a minimum size requirement.
V-15682 Medium Attachments will be prevented from being downloaded from RSS feeds.
V-15683 Medium Windows Explorer shell protocol will run in protected mode.
V-1141 Medium Unencrypted passwords will not be sent to third-party SMB Server.
V-15685 Medium Users will be prevented from changing installation options.
V-26529 Medium The system will be configured to audit "Account Logon -> Credential Validation" successes.
V-2907 Medium System files will be monitored for unauthorized changes.
V-4444 Medium Users will be required to enter a password to access private keys.
V-3480 Medium Media Player is configured to allow automatic checking for updates.
V-3481 Medium Media Player will be configured to prevent automatic Codec downloads.
V-32274 Medium The DoD Interoperability Root CA to DoD Root CA 2 cross certificate must be installed.
V-32272 Medium The DoD Root Certificate must be installed.
V-32273 Medium The External CA Root Certificate must be installed.
V-14229 Medium Audit of Backup and Restore Privileges will be turned off.
V-14228 Medium Audit Access to Global System Objects will be turned off.
V-14226 Medium Audit logs will be archived to prevent loss.
V-14225 Medium Administrator passwords will be changed as required.
V-14224 Medium The system will have a backup administrator account.
V-1107 Medium The password uniqueness will meet minimum requirements.
V-1105 Medium The minimum password age will meet requirements.
V-1104 Medium The maximum password age will meet DoD requirements.
V-1077 Medium ACLs for event logs will conform to minimum requirements.
V-1072 Medium Shared user accounts will not be permitted on the system.
V-1070 Medium The Automated Information System (AIS) will be physically secured in an access controlled area.
V-26576 Medium The IP-HTTPS IPv6 transition technology will be disabled.
V-26577 Medium The ISATAP IPv6 transition technology will be disabled.
V-26575 Medium The 6to4 IPv6 transition technology will be disabled.
V-26578 Medium The Teredo IPv6 transition technology will be disabled.
V-1171 Medium Ejection of removable NTFS media is not restricted to Administrators.
V-26478 Medium Unauthorized accounts will not have the "Create a pagefile" user right.
V-26476 Medium Unauthorized accounts will not have the "Change the system time" user right.
V-26474 Medium Unauthorized accounts will not have the "Back up files and directories" user right.
V-26473 Medium Unauthorized accounts will not have the "Allow log on through Remote Desktop Services" user right.
V-26472 Medium Unauthorized accounts will not have the "Allow log on locally" user right.
V-26471 Medium Unauthorized accounts will not have the "Adjust memory quotas for a process" user right.
V-26470 Medium Unauthorized accounts will not have the "Access this computer from the network" user right.
V-15727 Medium Users will be prevented from sharing files in their profiles.
V-15722 Medium Windows Media Digital Rights Management will be prevented from accessing the Internet.
V-1089 Medium The required legal notice will be configured to display before console logon.
V-3471 Medium The system will be configured to prevent automatic forwarding of error information.
V-3470 Medium The system will be configured to prevent unsolicited remote assistance offers.
V-1088 Medium Registry key auditing configuration will meet minimum requirements.
V-3479 Medium The system will be configured to use Safe DLL Search Mode.
V-1080 Medium File auditing configuration will meet minimum requirements.
V-26582 Medium The System event log will be configured to a minimum size requirement.
V-26581 Medium The Setup event log will be configured to a minimum size requirement.
V-26580 Medium The Security event log will be configured to a minimum size requirement.
V-3372 Medium A system must be logged on to before removing from a docking station.
V-3376 Medium The system will be configured to prevent the storage of passwords and credentials.
V-3377 Medium The system will be configured to prevent anonymous users from having the same rights as the Everyone group.
V-3374 Medium The system will be configured to require a strong session key.
V-3378 Medium The system will be configured to use the Classic security model.
V-14270 Medium The system will notify antivirus when file attachments are opened.
V-14271 Medium Application account passwords will meet DoD requirements for length, complexity and changes.
V-1130 Medium ACLs for system files and directories will conform to minimum requirements.
V-1131 Medium A password complexity filter that enforces DoD requirements will be installed.
V-1137 Medium An Auditors group will be created to restrict access to the Windows Event Logs.
V-15674 Medium The Internet File Association service will be turned off.
V-26538 Medium The system will be configured to audit "Account Management -> User Account Management" failures.
V-26539 Medium The system will be configured to audit "Detailed Tracking -> Process Creation" successes.
V-26532 Medium The system will be configured to audit "Account Management -> Computer Account Management" failures.
V-26533 Medium The system will be configured to audit "Account Management -> Other Account Management Events" successes.
V-26530 Medium The system will be configured to audit "Account Logon -> Credential Validation" failures.
V-26531 Medium The system will be configured to audit "Account Management -> Computer Account Management" successes.
V-26536 Medium The system will be configured to audit "Account Management -> Security Group Management" failures.
V-26537 Medium The system will be configured to audit "Account Management -> User Account Management" successes.
V-26534 Medium The system will be configured to audit "Account Management -> Other Account Management Events" failures.
V-26535 Medium The system will be configured to audit "Account Management -> Security Group Management" successes.
V-21975 Medium The system will be prevented from joining a homegroup.
V-21973 Medium Autoplay will be turned off for non-volume devices.
V-26549 Medium The system will be configured to audit "Privilege Use -> Sensitive Privilege Use" successes.
V-26548 Medium The system will be configured to audit "Policy Change -> Authentication Policy Change" successes.
V-26547 Medium The system will be configured to audit "Policy Change -> Audit Policy Change" failures.
V-26546 Medium The system will be configured to audit "Policy Change -> Audit Policy Change" successes.
V-26545 Medium The system will be configured to audit "Object Access -> Registry" failures.
V-26544 Medium The system will be configured to audit "Object Access -> File System" failures.
V-26543 Medium The system will be configured to audit "Logon/Logoff -> Special Logon" successes.
V-26542 Medium The system will be configured to audit "Logon/Logoff -> Logon" failures.
V-26541 Medium The system will be configured to audit "Logon/Logoff -> Logon" successes.
V-26540 Medium The system will be configured to audit "Logon/Logoff -> Logoff" successes.
V-8322 Medium Time synchronization must be installed and enabled on the directory service server.
V-4448 Medium Group Policy objects will be reprocessed even if they have not changed.
V-4447 Medium The Remote Desktop Session Host will require secure RPC communications.
V-4446 Medium Software certificate restriction policies will be enforced.
V-3491 Medium Audit logs will be reviewed on a daily basis.
V-14783 Medium Separate, NSA-approved (Type 1) cryptography must be used to protect the directory data-in-transit for directory service implementations at a classified confidentiality level when replication data traverses a network cleared to a lower level than the data.
V-3487 Medium Services will be documented and unnecessary services will not be installed or will be disabled.
V-3666 Medium The system will be configured to meet the minimum session security requirement for NTLM SSP based servers.
V-14239 Medium User Account Control will only elevate UIAccess applications that are installed in secure locations.
V-14230 Medium Audit policy using subcategories will be enabled.
V-14234 Medium User Account Control approval mode for the built-in Administrator will be enabled.
V-14235 Medium User Account Control will, at a minimum, prompt administrators for consent.
V-14236 Medium User Account Control will automatically deny standard user requests for elevation.
V-14237 Medium User Account Control will be configured to detect application installations and prompt for elevation.
V-3245 Medium File share ACLs will be reconfigured to remove the Everyone group.
V-16001 Low The system will be configured to allow only the default client printer to be redirected in the Remote Desktop session. (Remote Desktop Services Role)
V-16005 Low The system will be configured to remove the Disconnect option from the Shut Down Windows dialog box on the Remote Desktop Client. (Remote Desktop Services Role)
V-26502 Low Unauthorized accounts will not have the "Remove computer from docking station" user right.
V-1165 Low The computer account password will not be prevented from being reset.
V-1090 Low Caching of logon credentials will be limited.
V-4408 Low The domain controller must be configured to allow reset of machine account passwords.
V-1128 Low Security configuration tools or equivalent processes will be used to configure platforms for security compliance.
V-21964 Low Device metadata retrieval from the Internet will be prevented.
V-21965 Low Device driver searches using Windows Update will be prevented.
V-21967 Low Microsoft Support Diagnostic Tool (MSDT) interactive communication with Microsoft will be prevented.
V-21960 Low Domain users will be required to elevate when setting a network’s location.
V-21961 Low All Direct Access traffic will be routed through the internal network.
V-21963 Low Windows Update will be prevented from searching for point and print drivers.
V-21969 Low Access to Windows Online Troubleshooting Service (WOTS) will be prevented.
V-28504 Low Windows will be prevented from sending an error report when a device driver requests additional software during installation.
V-15703 Low Users will not be prompted to search Windows Update for device drivers.
V-15702 Low An Error Report will not be sent when a generic device driver is installed.
V-15701 Low A system restore point will be created when a new device driver is installed.
V-15707 Low Remote Assistance log files will be generated.
V-15704 Low Errors in handwriting recognition on Tablet PCs will not be reported to Microsoft.
V-15709 Low Game explorer information will not be downloaded from Windows Metadata Services.
V-14831 Low The directory service must be configured to terminate LDAP-based network connections to the directory server after five (5) minutes of inactivity.
V-11806 Low The system will be configured to prevent the display of the last user name on the logon screen.
V-1158 Low The Recovery Console SET command will be disabled.
V-1150 Low The built-in Microsoft password complexity filter will be enabled.
V-1151 Low The print driver installation privilege will be restricted to administrators.
V-4438 Low The system will limit how many times unacknowledged TCP data is retransmitted.
V-1112 Low Outdated or unused accounts will be removed from the system.
V-21955 Low IPv6 source routing will be configured to highest protection.
V-21956 Low IPv6 TCP data retransmissions will be configured to prevent resources from becoming exhausted.
V-15714 Low Error Reporting events will be logged in the system event log.
V-15717 Low Additional data requests in response to Error Reporting will be declined.
V-15718 Low Windows Explorer heap termination on corruption will be disabled.
V-15719 Low Users will be notified if the logon server was inaccessible and cached credentials were used.
V-8324 Low The time synchronization tool must be configured to enable logging of time source switching.
V-15680 Low The classic logon screen will be required for user logons.
V-15686 Low Non-administrators will be prevented from applying vendor signed updates.
V-15687 Low Users will not be presented with Privacy and Installation options on first use of Windows Media Player.
V-4445 Low Optional Subsystems will not be permitted to operate on the system.
V-4111 Low The system will be configured to prevent ICMP redirects from overriding OSPF generated routes.
V-4110 Low The system will be configured to prevent IP source routing.
V-4108 Low The system will generate an audit event when the audit log reaches a percent full threshold.
V-14797 Low Anonymous access to the root DSE of a non-public directory must be disabled.
V-1076 Low System information backups will be created, updated, and protected.
V-1075 Low The shutdown option will not be available from the logon dialog box.
V-1174 Low The amount of idle time required before suspending a session will be properly set.
V-1172 Low Users will be warned in advance that their passwords will expire.
V-1173 Low The default permissions of Global system objects will be increased.
V-26477 Low Unauthorized accounts will not have the "Change the time zone" user right.
V-26475 Low Unauthorized accounts will not have the "Bypass traverse checking" user right.
V-3472 Low If the time service is configured, it will use an authorized time server.
V-3373 Low The maximum age for machine account passwords will be set to requirements.
V-26359 Low The Windows dialog box title for the legal banner will be configured.
V-1136 Low Users will be forcibly disconnected when their logon hours expire.
V-1135 Low Non-administrative user accounts or groups will only have print permissions of Printer Shares.
V-15676 Low The Order Prints Online wizard will be turned off.
V-15675 Low Windows Registration Wizard will be turned off.
V-15673 Low The Internet Connection Wizard will not download a list of Internet Service Providers (ISPs) from Microsoft.
V-15672 Low Event Viewer Events.asp links will be turned off.
V-15671 Low Root Certificates will not be updated automatically from the Microsoft site.
V-21974 Low Downloading of game update information will be turned off.
V-21971 Low The Application Compatibility Program Inventory will be prevented from collecting data and sending the information to Microsoft.
V-21970 Low Responsiveness events will be prevented from being aggregated and sent to Microsoft.
V-21978 Low Windows Anytime Upgrade will be disabled.
V-4113 Low The system will be configured to limit how often keep-alive packets are sent.
V-4112 Low The system will be configured to disable the Internet Router Discover Protocol (IRDP).
V-4116 Low The system will be configured to ignore NetBIOS name release requests except from WINS servers.
V-4442 Low The system will be configured to have password protection take effect within a limited time frame when the screen saver becomes active.
V-14789 Low Locally written (non-vendor) code used in AD operations must comply with the requirements of the Application STIG.
V-14232 Low IPSec Exemptions will be limited.