UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Windows Server 2012 / 2012 R2 Domain Controller Security Technical Implementation Guide


Overview

Date Finding Count (296)
2015-01-06 CAT I (High): 25 CAT II (Med): 212 CAT III (Low): 59
STIG Description
The Windows Server 2012 / 2012 R2 Domain Controller Security Technical Implementation Guide (STIG) is published as a tool to improve the security of Department of Defense (DoD) information systems. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.letterkenny.FSO.mbx.stig-customer-support-mailbox@mail.mil.

Available Profiles



Findings (MAC II - Mission Support Sensitive)

Finding ID Severity Title
V-1073 High Systems must be maintained at a supported service pack level.
V-34974 High The Windows Installer Always install with elevated privileges option must be disabled.
V-26479 High Unauthorized accounts must not have the Create a token object user right.
V-36712 High The Windows Remote Management (WinRM) client must not use Basic authentication.
V-1081 High Local volumes must be formatted using NTFS.
V-6834 High Anonymous access to Named Pipes and Shares must be restricted.
V-1159 High The Recovery Console option must be set to prevent automatic logon to the system.
V-1153 High The LanMan authentication level must be set to send NTLMv2 response only, and to refuse LM and NTLM.
V-2372 High Reversible password encryption must be disabled.
V-2374 High Autoplay must be disabled for all drives.
V-1093 High Anonymous enumeration of shares must be restricted.
V-36718 High The Windows Remote Management (WinRM) service must not use Basic authentication.
V-26283 High Anonymous enumeration of SAM accounts must not be allowed.
V-3338 High Named pipes that can be accessed anonymously must be configured with limited values on domain controllers.
V-3339 High Unauthorized remotely accessible registry paths must not be configured.
V-22692 High The default autorun behavior must be configured to prevent autorun commands.
V-21973 High Autoplay must be turned off for non-volume devices.
V-18010 High Unauthorized accounts must not have the Debug programs user right.
V-12780 High The Synchronize directory service data user right must be configured to include no accounts or groups (blank).
V-3343 High Solicited Remote Assistance must not be allowed.
V-3379 High The system must be configured to prevent the storage of the LAN Manager hash of passwords.
V-3340 High Network shares that can be accessed anonymously must not be allowed.
V-3344 High Local accounts with blank passwords must be restricted to prevent access from the network.
V-4443 High Unauthorized remotely accessible registry paths and sub-paths must not be configured.
V-1102 High Unauthorized accounts must not have the Act as part of the operating system user right.
V-26499 Medium Unauthorized accounts must not have the Perform volume maintenance tasks user right.
V-14259 Medium Printing over HTTP must be prevented.
V-26498 Medium Unauthorized accounts must not have the Modify firmware environment values user right.
V-26576 Medium The IP-HTTPS IPv6 transition technology must be disabled.
V-26577 Medium The ISATAP IPv6 transition technology must be disabled.
V-26575 Medium The 6to4 IPv6 transition technology must be disabled.
V-26553 Medium The system must be configured to audit System - Security State Change successes.
V-3383 Medium The system must be configured to use FIPS-compliant algorithms for encryption, hashing, and signing.
V-3381 Medium The system must be configured to the required LDAP client signing level.
V-3380 Medium The system must be configured to force users to log off when their allowed logon hours expire.
V-39137 Medium The Enhanced Mitigation Experience Toolkit (EMET) V4.1 Update 1 or later must be installed on the system.
V-26478 Medium Unauthorized accounts must not have the Create a pagefile user right.
V-26476 Medium Unauthorized accounts must not have the Change the system time user right.
V-26602 Medium The Microsoft FTP service must not be installed.
V-3469 Medium Group Policies must be refreshed in the background if the user is logged on.
V-26473 Medium Unauthorized accounts must not have the Allow log on through Remote Desktop Services user right.
V-26471 Medium Unauthorized accounts must not have the Adjust memory quotas for a process user right.
V-26470 Medium Unauthorized accounts must not have the Access this computer from the network user right on domain controllers.
V-26547 Medium The system must be configured to audit Policy Change - Audit Policy Change failures.
V-15700 Medium Remote access to the Plug and Play interface must be disabled for device installation.
V-15823 Medium Software certificate installation files must be removed from a system.
V-15722 Medium Windows Media Digital Rights Management (DRM) must be prevented from accessing the Internet.
V-16000 Medium The system must be configured to ensure smart card devices can be redirected to the Remote Desktop session. (Remote Desktop Services Role).
V-16008 Medium Windows must elevate all applications in User Account Control, not just signed ones.
V-26503 Medium Unauthorized accounts must not have the Replace a process level token user right.
V-26501 Medium Unauthorized accounts must not have the Profile system performance user right.
V-26500 Medium Unauthorized accounts must not have the Profile single process user right.
V-26483 Medium The Deny log on as a batch job user right on domain controllers must be configured to prevent unauthenticated access.
V-26506 Medium Unauthorized accounts must not have the Take ownership of files or other objects user right.
V-26505 Medium Unauthorized accounts must not have the Shut down the system user right.
V-26504 Medium Unauthorized accounts must not have the Restore files and directories user right.
V-1164 Medium Outgoing secure channel traffic must be signed when possible.
V-1166 Medium The Windows SMB client must be enabled to perform SMB packet signing when possible.
V-3378 Medium The system must be configured to use the Classic security model.
V-1163 Medium Outgoing secure channel traffic must be encrypted when possible.
V-1162 Medium The Windows SMB server must perform SMB packet signing when possible.
V-3470 Medium The system must be configured to prevent unsolicited remote assistance offers.
V-3385 Medium The system must be configured to require case insensitivity for non-Windows subsystems.
V-1089 Medium The required legal notice must be configured to display before console logon.
V-36708 Medium The location feature must be turned off.
V-26469 Medium Unauthorized accounts must not have the Access Credential Manager as a trusted caller user right.
V-3479 Medium The system must be configured to use Safe DLL Search Mode.
V-36705 Medium The Enhanced Mitigation Experience Toolkit (EMET) system-wide Data Execution Prevention (DEP) must be enabled and configured to at least Application Opt Out.
V-36706 Medium The Enhanced Mitigation Experience Toolkit (EMET) system-wide Structured Exception Handler Overwrite Protection (SEHOP) must be configured to Application Opt Out.
V-36700 Medium The password reveal button must not be displayed.
V-36701 Medium The Enhanced Mitigation Experience Toolkit (EMET) system-wide Address Space Layout Randomization (ASLR) must be enabled and configured to Application Opt In.
V-36702 Medium The Enhanced Mitigation Experience Toolkit (EMET) Default Protections for Internet Explorer must be enabled.
V-36703 Medium The Enhanced Mitigation Experience Toolkit (EMET) Default Protections for Recommended Software must be enabled.
V-36704 Medium The Enhanced Mitigation Experience Toolkit (EMET) Default Protections for Popular Software must be enabled.
V-14242 Medium User Account Control must virtualize file and registry write failures to per-user locations.
V-26578 Medium The Teredo IPv6 transition technology must be disabled.
V-26582 Medium The System event log must be configured to a minimum size requirement.
V-26581 Medium The Setup event log must be configured to a minimum size requirement.
V-26580 Medium The Security event log must be configured to a minimum size requirement.
V-30016 Medium Unauthorized accounts must not have the Add workstations to domain user right.
V-15697 Medium The Responder network protocol driver must be disabled.
V-3449 Medium Remote Desktop Services must limit users to one remote session.
V-6836 Medium Passwords must, at a minimum, be 14 characters.
V-6832 Medium The Windows SMB client must be configured to always perform SMB packet signing.
V-6833 Medium The Windows SMB server must be configured to always perform SMB packet signing.
V-6831 Medium Outgoing secure channel traffic must be encrypted or signed.
V-26541 Medium The system must be configured to audit Logon/Logoff - Logon successes.
V-14261 Medium Windows must be prevented from using Windows Update to search for drivers.
V-14260 Medium Downloading print driver packages over HTTP must be prevented.
V-1154 Medium The Ctrl+Alt+Del security attention sequence for logons must be enabled.
V-1157 Medium The Smart Card removal option must be configured to Force Logoff or Lock Workstation.
V-1099 Medium The lockout duration must be configured to require an administrator to unlock an account.
V-1098 Medium The period of time before the bad logon counter is reset must meet minimum requirements.
V-2377 Medium The Kerberos service ticket maximum lifetime must be limited to 600 minutes or less.
V-2376 Medium Kerberos user logon restrictions must be enforced.
V-2379 Medium The Kerberos policy user ticket renewal maximum lifetime must be limited to 7 days or less.
V-1097 Medium The number of allowed bad logon attempts must meet minimum requirements.
V-3382 Medium The system must be configured to meet the minimum session security requirement for NTLM SSP-based clients.
V-15991 Medium UIAccess applications must not be allowed to prompt for elevation without using the secure desktop.
V-3376 Medium The system must be configured to prevent the storage of passwords and credentials.
V-15997 Medium Users must be prevented from mapping local COM ports and redirecting data from the Remote Desktop Session Host to local COM ports. (Remote Desktop Services Role).
V-3374 Medium The system must be configured to require a strong session key.
V-15998 Medium Users must be prevented from mapping local LPT ports and redirecting data from the Remote Desktop Session Host to local LPT ports. (Remote Desktop Services Role).
V-15999 Medium Users must be prevented from redirecting Plug and Play devices to the Remote Desktop Session Host. (Remote Desktop Services Role).
V-15682 Medium Attachments must be prevented from being downloaded from RSS feeds.
V-15683 Medium File Explorer shell protocol must run in protected mode.
V-1145 Medium Automatic logons must be disabled.
V-1141 Medium Unencrypted passwords must not be sent to a third-party SMB Server.
V-15685 Medium Users must be prevented from changing installation options.
V-1171 Medium Ejection of removable NTFS media must be restricted to Administrators.
V-26529 Medium The system must be configured to audit Account Logon - Credential Validation successes.
V-36720 Medium The Windows Remote Management (WinRM) service must not store RunAs credentials.
V-36684 Medium Local users on domain-joined computers must not be enumerated.
V-36687 Medium App notifications on the lock screen must be turned off.
V-36681 Medium Copying of user input methods to the system account for sign-in must be prevented.
V-36680 Medium Access to the Windows Store must be turned off.
V-3458 Medium Remote Desktop Services must be configured to disconnect an idle session after the specified time period.
V-36719 Medium The Windows Remote Management (WinRM) service must not allow unencrypted traffic.
V-14239 Medium User Account Control must only elevate UIAccess applications that are installed in secure locations.
V-3453 Medium Remote Desktop Services must always prompt a client for passwords upon connection.
V-3457 Medium Remote Desktop Services must be configured to set a time limit for disconnected sessions.
V-3456 Medium Remote Desktop Services must delete temporary folders when a session is terminated.
V-3455 Medium Remote Desktop Services must be configured to use session-specific temporary folders.
V-3454 Medium Remote Desktop Services must be configured with the client connection encryption set to the required level.
V-26600 Medium The Fax service must be disabled if installed.
V-4407 Medium Domain controllers must require LDAP access signing.
V-26474 Medium Unauthorized accounts must not have the Back up files and directories user right.
V-26604 Medium The Peer Networking Identity Manager service must be disabled if installed.
V-15674 Medium The Internet File Association service must be turned off.
V-26472 Medium Unauthorized accounts must not have the Allow log on locally user right.
V-14241 Medium User Account Control must switch to the secure desktop when prompting for elevation.
V-14240 Medium User Account Control must run all administrators in Admin Approval Mode, enabling UAC.
V-26538 Medium The system must be configured to audit Account Management - User Account Management failures.
V-26539 Medium The system must be configured to audit Detailed Tracking - Process Creation successes.
V-26606 Medium The Telnet service must be disabled if installed.
V-14247 Medium Passwords must not be saved in the Remote Desktop Client.
V-14249 Medium Local drives must be prevented from sharing with Remote Desktop Session Hosts. (Remote Desktop Services Role).
V-26533 Medium The system must be configured to audit Account Management - Other Account Management Events successes.
V-26530 Medium The system must be configured to audit Account Logon - Credential Validation failures.
V-26536 Medium The system must be configured to audit Account Management - Security Group Management failures.
V-26537 Medium The system must be configured to audit Account Management - User Account Management successes.
V-26534 Medium The system must be configured to audit Account Management - Other Account Management Events failures.
V-26535 Medium The system must be configured to audit Account Management - Security Group Management successes.
V-33664 Medium The system must be configured to audit DS Access - Directory Service Access failures.
V-33665 Medium The system must be configured to audit DS Access - Directory Service Changes successes.
V-33666 Medium The system must be configured to audit DS Access - Directory Service Changes failures.
V-33663 Medium The system must be configured to audit DS Access - Directory Service Access successes.
V-26540 Medium The system must be configured to audit Logon/Logoff - Logoff successes.
V-3377 Medium The system must be configured to prevent anonymous users from having the same rights as the Everyone group.
V-1115 Medium The built-in administrator account must be renamed.
V-3480 Medium Windows Media Player must be configured to prevent automatic checking for updates.
V-26482 Medium Unauthorized accounts must not have the Create symbolic links user right.
V-36714 Medium The Windows Remote Management (WinRM) client must not use Digest authentication.
V-14243 Medium The system must require username and password to elevate a running application.
V-15699 Medium The Windows Connect Now wizards must be disabled.
V-15666 Medium Windows Peer-to-Peer networking services must be turned off.
V-15667 Medium Network Bridges must be prohibited in Windows.
V-26532 Medium The system must be configured to audit Account Management - Computer Account Management failures.
V-1114 Medium The built-in guest account must be renamed.
V-14254 Medium Client computers must be required to authenticate for RPC communication.
V-1113 Medium The built-in guest account must be disabled.
V-15684 Medium Users must be notified if a web-based program attempts to install software.
V-14230 Medium Audit policy using subcategories must be enabled.
V-26549 Medium The system must be configured to audit Privilege Use - Sensitive Privilege Use successes.
V-26548 Medium The system must be configured to audit Policy Change - Authentication Policy Change successes.
V-32274 Medium The DoD Interoperability Root CA 1 to DoD Root CA 2 cross-certificate must be installed into the Untrusted Certificates Store.
V-26546 Medium The system must be configured to audit Policy Change - Audit Policy Change successes.
V-26545 Medium The system must be configured to audit Object Access - Registry failures.
V-26544 Medium The system must be configured to audit Object Access - File System failures.
V-26543 Medium The system must be configured to audit Logon/Logoff - Special Logon successes.
V-26542 Medium The system must be configured to audit Logon/Logoff - Logon failures.
V-32272 Medium The DoD root certificate must be installed into the Trusted Root Store.
V-36709 Medium Basic authentication for RSS feeds over HTTP must be turned off.
V-14228 Medium Auditing the Access of Global System Objects must be turned off.
V-15696 Medium The Mapper I/O network protocol (LLTDIO) driver must be disabled.
V-21980 Medium Explorer Data Execution Prevention must be enabled.
V-36713 Medium The Windows Remote Management (WinRM) client must not allow unencrypted traffic.
V-36698 Medium The use of biometrics must be disabled.
V-36669 Medium The system must be configured to audit Object Access - Handle Manipulation failures.
V-2380 Medium The computer clock synchronization tolerance must be limited to 5 minutes or less.
V-4448 Medium Group Policy objects must be reprocessed even if they have not changed.
V-4447 Medium The Remote Desktop Session Host must require secure RPC communications.
V-4446 Medium Software certificate restriction policies must be enforced.
V-14229 Medium Auditing of Backup and Restore Privileges must be turned off.
V-36773 Medium The machine inactivity limit must be set to 15 minutes, locking the system with the screensaver.
V-26495 Medium Unauthorized accounts must not have the Log on as a batch job user right.
V-26494 Medium Unauthorized accounts must not have the Lock pages in memory user right.
V-26497 Medium Unauthorized accounts must not have the Modify an object label user right.
V-26496 Medium Unauthorized accounts must not have the Manage auditing and security log user right.
V-26491 Medium Unauthorized accounts must not have the Increase a process working set user right.
V-26490 Medium Unauthorized accounts must not have the Impersonate a client after authentication user right.
V-26493 Medium Unauthorized accounts must not have the Load and unload device drivers user right.
V-26492 Medium Unauthorized accounts must not have the Increase scheduling priority user right.
V-26531 Medium The system must be configured to audit Account Management - Computer Account Management successes.
V-26556 Medium The system must be configured to audit System - Security System Extension failures.
V-26557 Medium The system must be configured to audit System - System Integrity successes.
V-26550 Medium The system must be configured to audit Privilege Use - Sensitive Privilege Use failures.
V-26551 Medium The system must be configured to audit System - IPsec Driver successes.
V-26552 Medium The system must be configured to audit System - IPsec Driver failures.
V-1155 Medium The Deny access to this computer from the network user right on domain controllers must be configured to prevent unauthenticated access.
V-15706 Medium The user must be prompted to authenticate on resume from sleep (plugged in).
V-15705 Medium Users must be prompted to authenticate on resume from sleep (on battery).
V-40206 Medium The Smart Card Removal Policy service must be configured to automatic.
V-36679 Medium Early Launch Antimalware, Boot-Start Driver Initialization Policy must be enabled and configured to only Good and Unknown.
V-3666 Medium The system must be configured to meet the minimum session security requirement for NTLM SSP-based servers.
V-16020 Medium The Windows Customer Experience Improvement Program must be disabled.
V-15717 Medium The system must be configured to allow a local or DOD-wide collector to request additional error reporting diagnostic data to be sent.
V-1107 Medium The password uniqueness must meet minimum requirements.
V-1105 Medium The minimum password age must meet requirements.
V-1104 Medium The maximum password age must meet requirements.
V-21951 Medium Services using Local System that use Negotiate when reverting to NTLM authentication must use the computer identity vs. authenticating anonymously.
V-21950 Medium The service principal name (SPN) target name validation level must be turned off.
V-21953 Medium PKU2U authentication using online identities must be prevented.
V-21952 Medium NTLM must be prevented from falling back to a Null session.
V-21954 Medium Kerberos encryption types must be configured to prevent the use of DES encryption suites.
V-26579 Medium The Application event log must be configured to a minimum size requirement.
V-26558 Medium The system must be configured to audit System - System Integrity failures.
V-14234 Medium User Account Control approval mode for the built-in Administrator must be enabled.
V-14235 Medium User Account Control must, at minimum, prompt administrators for consent.
V-14236 Medium User Account Control must automatically deny standard user requests for elevation.
V-14237 Medium User Account Control must be configured to detect application installations and prompt for elevation.
V-26605 Medium The Simple TCP/IP Services service must be disabled if installed.
V-15698 Medium The configuration of wireless devices using Windows Connect Now must be disabled.
V-26480 Medium Unauthorized accounts must not have the Create global objects user right.
V-26481 Medium Unauthorized accounts must not have the Create permanent shared objects user right.
V-26486 Medium The Deny log on through Remote Desktop Services user right on domain controllers must be configured to prevent unauthenticated access.
V-26487 Medium Unauthorized accounts must not have the Enable computer and user accounts to be trusted for delegation user right on domain controllers.
V-26484 Medium The Deny log on as a service user right must be configured to include no accounts or groups (blank) on domain controllers.
V-26485 Medium The Deny log on locally user right on domain controllers must be configured to prevent unauthenticated access.
V-2378 Medium The Kerberos user ticket lifetime must be limited to 10 hours or less.
V-26488 Medium Unauthorized accounts must not have the Force shutdown from a remote system user right.
V-26489 Medium Unauthorized accounts must not have the Generate security audits user right.
V-26554 Medium The system must be configured to audit System - Security State Change failures.
V-15713 Medium Microsoft Active Protection Service membership must be disabled.
V-15714 Medium The system must be configured to save Error Reporting events and messages to the system event log.
V-26555 Medium The system must be configured to audit System - Security System Extension successes.
V-40237 Medium The US DoD CCEB Interoperability Root CA 1 to DoD Root CA 2 cross-certificate must be installed into the Untrusted Certificates Store.
V-1075 Low The shutdown option must not be available from the logon dialog box.
V-4110 Low The system must be configured to prevent IP source routing.
V-1174 Low The amount of idle time required before suspending a session must be properly set.
V-1173 Low The default permissions of global system objects must be increased.
V-26477 Low Unauthorized accounts must not have the Change the time zone user right.
V-16005 Low The system must be configured to remove the Disconnect option from the Shut Down dialog box on the Remote Desktop Client. (Remote Desktop Services Role).
V-15704 Low Errors in handwriting recognition on tablet PCs must not be reported to Microsoft.
V-1165 Low The computer account password must not be prevented from being reset.
V-36707 Low The Windows SmartScreen must be turned off.
V-11806 Low The system must be configured to prevent the display of the last username on the logon screen.
V-1158 Low The Recovery Console SET command must be disabled.
V-1150 Low The built-in Microsoft password complexity filter must be enabled.
V-1151 Low The print driver installation privilege must be restricted to administrators.
V-36690 Low The display must turn off after 20 minutes of inactivity when the system is running on battery.
V-1090 Low Caching of logon credentials must be limited.
V-3373 Low The maximum age for machine account passwords must be set to requirements.
V-26359 Low The Windows dialog box title for the legal banner must be configured.
V-15686 Low Nonadministrators must be prevented from applying vendor-signed updates.
V-15687 Low Users must not be presented with Privacy and Installation options on first use of Windows Media Player.
V-4408 Low Domain controllers must be configured to allow reset of machine account passwords.
V-26475 Low Unauthorized accounts must not have the Bypass traverse checking user right.
V-1136 Low Users must be forcibly disconnected when their logon hours expire.
V-1172 Low Users must be warned in advance of their passwords expiring.
V-15672 Low Event Viewer Events.asp links must be turned off.
V-15671 Low Root Certificates must not be updated automatically from the Microsoft site.
V-15680 Low The classic logon screen must be required for user logons.
V-36691 Low The display must turn off after 20 minutes of inactivity when the system is plugged in.
V-4438 Low The system must limit how many times unacknowledged TCP data is retransmitted.
V-4111 Low The system must be configured to prevent Internet Control Message Protocol (ICMP) redirects from overriding Open Shortest Path First (OSPF) generated routes.
V-4113 Low The system must be configured to limit how often keep-alive packets are sent.
V-4108 Low The system must generate an audit event when the audit log reaches a percentage of full threshold.
V-21971 Low The Application Compatibility Program Inventory must be prevented from collecting data and sending the information to Microsoft.
V-21970 Low Responsiveness events must be prevented from being aggregated and sent to Microsoft.
V-36696 Low The detection of compatibility issues for applications and drivers must be turned off.
V-4445 Low Optional Subsystems must not be permitted to operate on the system.
V-4112 Low The system must be configured to disable the Internet Router Discovery Protocol (IRDP).
V-4116 Low The system must be configured to ignore NetBIOS name release requests except from WINS servers.
V-4442 Low The system must be configured to have password protection take effect within a limited time frame when the screen saver becomes active.
V-21964 Low Device metadata retrieval from the Internet must be prevented.
V-21965 Low Device driver searches using Windows Update must be prevented.
V-21967 Low Microsoft Support Diagnostic Tool (MSDT) interactive communication with Microsoft must be prevented.
V-21960 Low Domain users must be required to elevate when setting a networks location.
V-21961 Low All Direct Access traffic must be routed through the internal network.
V-21963 Low Windows Update must be prevented from searching for point and print drivers.
V-21969 Low Access to Windows Online Troubleshooting Service (WOTS) must be prevented.
V-28504 Low Windows must be prevented from sending an error report when a device driver requests additional software during installation.
V-15703 Low Users must not be prompted to search Windows Update for device drivers.
V-15702 Low An Error Report must not be sent when a generic device driver is installed.
V-15701 Low A system restore point must be created when a new device driver is installed.
V-36677 Low Optional component installation and component repair must be prevented from using Windows Update.
V-15707 Low Remote Assistance log files must be generated.
V-36673 Low IP stateless autoconfiguration limits state must be enabled.
V-36678 Low Device driver updates must only search managed servers, not Windows Update.
V-21955 Low IPv6 source routing must be configured to the highest protection level.
V-21956 Low IPv6 TCP data retransmissions must be configured to prevent resources from becoming exhausted.
V-14232 Low IPSec Exemptions must be limited.
V-36697 Low Trusted app installation must be enabled to allow for signed enterprise line of business apps.
V-15718 Low Turning off File Explorer heap termination on corruption must be disabled.
V-15719 Low Users must be notified if the logon server was inaccessible and cached credentials were used.