UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Windows Server 2012 / 2012 R2 Domain Controller Security Technical Implementation Guide


Overview

Date Finding Count (419)
2015-09-02 CAT I (High): 46 CAT II (Med): 298 CAT III (Low): 75
STIG Description
The Windows Server 2012 / 2012 R2 Domain Controller Security Technical Implementation Guide (STIG) is published as a tool to improve the security of Department of Defense (DoD) information systems. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil.

Available Profiles



Findings (MAC II - Mission Support Sensitive)

Finding ID Severity Title
V-36718 High The Windows Remote Management (WinRM) service must not use Basic authentication.
V-36712 High The Windows Remote Management (WinRM) client must not use Basic authentication.
V-6834 High Anonymous access to Named Pipes and Shares must be restricted.
V-18010 High Unauthorized accounts must not have the Debug programs user right.
V-1093 High Anonymous enumeration of shares must be restricted.
V-26283 High Anonymous enumeration of SAM accounts must not be allowed.
V-57637 High The operating system must employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs.
V-1121 High FTP servers must be configured to prevent access to the system drive.
V-1127 High Only administrators responsible for the domain controller must have Administrator rights on the system.
V-12780 High The Synchronize directory service data user right must be configured to include no accounts or groups (blank).
V-39331 High The Active Directory SYSVOL directory must have the proper access control permissions.
V-39332 High The Active Directory Domain Controllers Organizational Unit (OU) object must have the proper access control permissions.
V-39333 High Domain created Active Directory Organizational Unit (OU) objects must have proper access control permissions.
V-26070 High Standard user accounts must only have Read permissions to the Winlogon registry key.
V-8316 High Active Directory data files must have proper access control permissions.
V-1159 High The Recovery Console option must be set to prevent automatic logon to the system.
V-1152 High Anonymous access to the registry must be restricted.
V-1153 High The LanMan authentication level must be set to send NTLMv2 response only, and to refuse LM and NTLM.
V-2372 High Reversible password encryption must be disabled.
V-2374 High Autoplay must be disabled for all drives.
V-22692 High The default Autorun behavior must be configured to prevent Autorun commands.
V-26683 High PKI certificates associated with user accounts must be issued by the DoD PKI or an approved External Certificate Authority (ECA).
V-40175 High The antivirus program signature files must be kept updated.
V-36451 High Policy must require that administrative accounts not be used with applications that access the Internet, such as web browsers, or with potential Internet sources, such as email.
V-3338 High Named pipes that can be accessed anonymously must be configured with limited values on domain controllers.
V-3339 High Unauthorized remotely accessible registry paths must not be configured.
V-3337 High Anonymous SID/Name translation must not be allowed.
V-14798 High Directory data (outside the root DSE) of a non-public directory must be configured to prevent anonymous access.
V-3343 High Solicited Remote Assistance must not be allowed.
V-3340 High Network shares that can be accessed anonymously must not be allowed.
V-3344 High Local accounts with blank passwords must be restricted to prevent access from the network.
V-1102 High Unauthorized accounts must not have the Act as part of the operating system user right.
V-1074 High An approved DoD antivirus program must be installed and used.
V-1073 High Systems must be maintained at a supported service pack level.
V-34974 High The Windows Installer Always install with elevated privileges option must be disabled.
V-26479 High Unauthorized accounts must not have the Create a token object user right.
V-36659 High Users with Administrative privileges must have separate accounts for administrative duties and normal operational tasks.
V-1081 High Local volumes must be formatted using NTFS.
V-32282 High Standard user accounts must only have Read permissions to the Active Setup\Installed Components registry key.
V-3379 High The system must be configured to prevent the storage of the LAN Manager hash of passwords.
V-33673 High Active Directory Group Policy objects must have proper access control permissions.
V-7002 High Accounts must require passwords.
V-21973 High Autoplay must be turned off for non-volume devices.
V-36664 High The system must not use removable media as the boot loader.
V-4443 High Unauthorized remotely accessible registry paths and sub-paths must not be configured.
V-14820 High Domain Controller PKI certificates must be issued by the DoD PKI or an approved External Certificate Authority (ECA).
V-36719 Medium The Windows Remote Management (WinRM) service must not allow unencrypted traffic.
V-36714 Medium The Windows Remote Management (WinRM) client must not use Digest authentication.
V-36713 Medium The Windows Remote Management (WinRM) client must not allow unencrypted traffic.
V-36711 Medium The Windows Store application must be turned off.
V-15991 Medium UIAccess applications must not be allowed to prompt for elevation without using the secure desktop.
V-16000 Medium The system must be configured to ensure smart card devices can be redirected to the Remote Desktop session. (Remote Desktop Services Role).
V-16008 Medium Windows must elevate all applications in User Account Control, not just signed ones.
V-26503 Medium Unauthorized accounts must not have the Replace a process level token user right.
V-26501 Medium Unauthorized accounts must not have the Profile system performance user right.
V-26500 Medium Unauthorized accounts must not have the Profile single process user right.
V-1168 Medium Members of the Backup Operators group must be documented.
V-26505 Medium Unauthorized accounts must not have the Shut down the system user right.
V-26504 Medium Unauthorized accounts must not have the Restore files and directories user right.
V-1164 Medium Outgoing secure channel traffic must be signed when possible.
V-1166 Medium The Windows SMB client must be enabled to perform SMB packet signing when possible.
V-1163 Medium Outgoing secure channel traffic must be encrypted when possible.
V-1162 Medium The Windows SMB server must perform SMB packet signing when possible.
V-26469 Medium Unauthorized accounts must not have the Access Credential Manager as a trusted caller user right.
V-6836 Medium Passwords must, at a minimum, be 14 characters.
V-6832 Medium The Windows SMB client must be configured to always perform SMB packet signing.
V-6833 Medium The Windows SMB server must be configured to always perform SMB packet signing.
V-6831 Medium Outgoing secure channel traffic must be encrypted or signed.
V-1099 Medium The lockout duration must be configured to require an administrator to unlock an account.
V-1098 Medium The period of time before the bad logon counter is reset must meet minimum requirements.
V-3449 Medium Remote Desktop Services must limit users to one remote session.
V-1097 Medium The number of allowed bad logon attempts must meet minimum requirements.
V-6840 Medium System mechanisms must be implemented to enforce automatic expiration of passwords.
V-14270 Medium The system must notify antivirus when file attachments are opened.
V-4407 Medium Domain controllers must require LDAP access signing.
V-14241 Medium User Account Control must switch to the secure desktop when prompting for elevation.
V-14240 Medium User Account Control must run all administrators in Admin Approval Mode, enabling UAC.
V-36698 Medium The use of biometrics must be disabled.
V-14242 Medium User Account Control must virtualize file and registry write failures to per-user locations.
V-14247 Medium Passwords must not be saved in the Remote Desktop Client.
V-14249 Medium Local drives must be prevented from sharing with Remote Desktop Session Hosts. (Remote Desktop Services Role).
V-33664 Medium The system must be configured to audit DS Access - Directory Service Access failures.
V-33665 Medium The system must be configured to audit DS Access - Directory Service Changes successes.
V-57633 Medium The system must be configured to audit Policy Change - Authorization Policy Change successes.
V-57635 Medium The system must be configured to audit Policy Change - Authorization Policy Change failures.
V-33663 Medium The system must be configured to audit DS Access - Directory Service Access successes.
V-57639 Medium Users must be required to enter a password to access private keys stored on the computer.
V-1120 Medium FTP servers must be configured to prevent anonymous logons.
V-15666 Medium Windows Peer-to-Peer networking services must be turned off.
V-15667 Medium Network Bridges must be prohibited in Windows.
V-57459 Medium The system must be configured to use SSL to forward error reports.
V-57455 Medium The system must be configured to prevent the display of error messages to the user.
V-57457 Medium The system must be configured to store error reports locally, on the system or in the enclave, and not send them to Microsoft.
V-57453 Medium The system must be configured to collect multiple error reports of the same event type.
V-40198 Medium Members of the Backup Operators group must have separate accounts for backup duties and normal operational tasks.
V-40195 Medium System BIOS or system controllers must not allow user-level access.
V-21980 Medium Explorer Data Execution Prevention must be enabled.
V-40193 Medium Virtual guest operating systems must be registered in a vulnerability and asset management system.
V-2380 Medium The computer clock synchronization tolerance must be limited to 5 minutes or less.
V-26495 Medium Unauthorized accounts must not have the Log on as a batch job user right.
V-26494 Medium Unauthorized accounts must not have the Lock pages in memory user right.
V-26497 Medium Unauthorized accounts must not have the Modify an object label user right.
V-26496 Medium Unauthorized accounts must not have the Manage auditing and security log user right.
V-26491 Medium Unauthorized accounts must not have the Increase a process working set user right.
V-26490 Medium Unauthorized accounts must not have the Impersonate a client after authentication user right.
V-26493 Medium Unauthorized accounts must not have the Load and unload device drivers user right.
V-26492 Medium Unauthorized accounts must not have the Increase scheduling priority user right.
V-26554 Medium The system must be configured to audit System - Security State Change failures.
V-26556 Medium The system must be configured to audit System - Security System Extension failures.
V-26557 Medium The system must be configured to audit System - System Integrity successes.
V-26499 Medium Unauthorized accounts must not have the Perform volume maintenance tasks user right.
V-26498 Medium Unauthorized accounts must not have the Modify firmware environment values user right.
V-26552 Medium The system must be configured to audit System - IPsec Driver failures.
V-26553 Medium The system must be configured to audit System - Security State Change successes.
V-15700 Medium Remote access to the Plug and Play interface must be disabled for device installation.
V-15706 Medium The user must be prompted to authenticate on resume from sleep (plugged in).
V-15705 Medium Users must be prompted to authenticate on resume from sleep (on battery).
V-36679 Medium Early Launch Antimalware, Boot-Start Driver Initialization Policy must be enabled and configured to only Good and Unknown.
V-26558 Medium The system must be configured to audit System - System Integrity failures.
V-26555 Medium The system must be configured to audit System - Security System Extension successes.
V-26506 Medium Unauthorized accounts must not have the Take ownership of files or other objects user right.
V-26550 Medium The system must be configured to audit Privilege Use - Sensitive Privilege Use failures.
V-26551 Medium The system must be configured to audit System - IPsec Driver successes.
V-3385 Medium The system must be configured to require case insensitivity for non-Windows subsystems.
V-3383 Medium The system must be configured to use FIPS-compliant algorithms for encryption, hashing, and signing.
V-3382 Medium The system must be configured to meet the minimum session security requirement for NTLM SSP-based clients.
V-3381 Medium The system must be configured to the required LDAP client signing level.
V-3380 Medium The system must be configured to force users to log off when their allowed logon hours expire.
V-39330 Medium The Active Directory RID Manager$ object must be configured with proper audit settings.
V-39334 Medium Domain controllers must have a PKI server certificate.
V-26600 Medium The Fax service must be disabled if installed.
V-26602 Medium The Microsoft FTP service must not be installed.
V-26604 Medium The Peer Networking Identity Manager service must be disabled if installed.
V-26605 Medium The Simple TCP/IP Services service must be disabled if installed.
V-26606 Medium The Telnet service must be disabled if installed.
V-36670 Medium Audit data must be reviewed on a regular basis.
V-36671 Medium Audit data must be retained for at least one year.
V-36672 Medium Audit records must be backed up onto a different system or media than the system being audited.
V-57719 Medium The operating system must, at a minimum, off-load audit records of interconnected systems in real time and off-load standalone systems weekly.
V-36708 Medium The location feature must be turned off.
V-36709 Medium Basic authentication for RSS feeds over HTTP must be turned off.
V-36700 Medium The password reveal button must not be displayed.
V-8317 Medium Data files owned by users must be on a different logical partition from the directory server data files.
V-26539 Medium The system must be configured to audit Detailed Tracking - Process Creation successes.
V-36773 Medium The machine inactivity limit must be set to 15 minutes, locking the system with the screensaver.
V-30016 Medium Unauthorized accounts must not have the Add workstations to domain user right.
V-15697 Medium The Responder network protocol driver must be disabled.
V-15696 Medium The Mapper I/O network protocol (LLTDIO) driver must be disabled.
V-15699 Medium The Windows Connect Now wizards must be disabled.
V-15698 Medium The configuration of wireless devices using Windows Connect Now must be disabled.
V-26533 Medium The system must be configured to audit Account Management - Other Account Management Events successes.
V-1154 Medium The Ctrl+Alt+Del security attention sequence for logons must be enabled.
V-1155 Medium The Deny access to this computer from the network user right on domain controllers must be configured to prevent unauthenticated access.
V-1157 Medium The Smart Card removal option must be configured to Force Logoff or Lock Workstation.
V-2377 Medium The Kerberos service ticket maximum lifetime must be limited to 600 minutes or less.
V-2376 Medium Kerberos user logon restrictions must be enforced.
V-2379 Medium The Kerberos policy user ticket renewal maximum lifetime must be limited to 7 days or less.
V-2378 Medium The Kerberos user ticket lifetime must be limited to 10 hours or less.
V-40166 Medium Audit data of systems containing sources and methods intelligence (SAMI) must be retained for at least five years.
V-15997 Medium Users must be prevented from mapping local COM ports and redirecting data from the Remote Desktop Session Host to local COM ports. (Remote Desktop Services Role).
V-15998 Medium Users must be prevented from mapping local LPT ports and redirecting data from the Remote Desktop Session Host to local LPT ports. (Remote Desktop Services Role).
V-15999 Medium Users must be prevented from redirecting Plug and Play devices to the Remote Desktop Session Host. (Remote Desktop Services Role).
V-3458 Medium Remote Desktop Services must be configured to disconnect an idle session after the specified time period.
V-3453 Medium Remote Desktop Services must always prompt a client for passwords upon connection.
V-3457 Medium Remote Desktop Services must be configured to set a time limit for disconnected sessions.
V-3456 Medium Remote Desktop Services must delete temporary folders when a session is terminated.
V-3455 Medium Remote Desktop Services must be configured to use session-specific temporary folders.
V-3454 Medium Remote Desktop Services must be configured with the client connection encryption set to the required level.
V-14259 Medium Printing over HTTP must be prevented.
V-1119 Medium The system must not boot into multiple operating systems (dual-boot).
V-1114 Medium The built-in guest account must be renamed.
V-1115 Medium The built-in administrator account must be renamed.
V-1113 Medium The built-in guest account must be disabled.
V-57721 Medium Event Viewer must be protected from unauthorized modification and deletion.
V-14268 Medium Zone information must be preserved when saving attachments.
V-16021 Medium The Windows Help Experience Improvement Program must be disabled.
V-16020 Medium The Windows Customer Experience Improvement Program must be disabled.
V-21951 Medium Services using Local System that use Negotiate when reverting to NTLM authentication must use the computer identity vs. authenticating anonymously.
V-21950 Medium The service principal name (SPN) target name validation level must be turned off.
V-21953 Medium PKU2U authentication using online identities must be prevented.
V-21952 Medium NTLM must be prevented from falling back to a Null session.
V-21954 Medium The use of DES encryption suites must not be allowed for Kerberos encryption.
V-26482 Medium Unauthorized accounts must not have the Create symbolic links user right.
V-26483 Medium The Deny log on as a batch job user right on domain controllers must be configured to prevent unauthenticated access.
V-26480 Medium Unauthorized accounts must not have the Create global objects user right.
V-26481 Medium Unauthorized accounts must not have the Create permanent shared objects user right.
V-26486 Medium The Deny log on through Remote Desktop Services user right on domain controllers must be configured to prevent unauthenticated access.
V-26487 Medium Unauthorized accounts must not have the Enable computer and user accounts to be trusted for delegation user right on domain controllers.
V-26484 Medium The Deny log on as a service user right must be configured to include no accounts or groups (blank) on domain controllers.
V-26485 Medium The Deny log on locally user right on domain controllers must be configured to prevent unauthenticated access.
V-15488 Medium The directory server must be configured to use the CAC, PIV-compliant hardware token, or Alternate Logon Token (ALT) for user authentication.
V-26488 Medium Unauthorized accounts must not have the Force shutdown from a remote system user right.
V-26489 Medium Unauthorized accounts must not have the Generate security audits user right.
V-15713 Medium Microsoft Active Protection Service membership must be disabled.
V-15714 Medium The system must be configured to save Error Reporting events and messages to the system event log.
V-15715 Medium The system must be configured to generate error reports.
V-15717 Medium The system must be configured to allow a local or DOD-wide collector to request additional error reporting diagnostic data to be sent.
V-15505 Medium The HBSS McAfee Agent must be installed.
V-42420 Medium A host-based firewall must be installed and enabled on the system.
V-3469 Medium Group Policies must be refreshed in the background if the user is logged on.
V-15823 Medium Software certificate installation files must be removed from a system.
V-8326 Medium The directory server supporting (directly or indirectly) system access or resource authorization must run on a machine dedicated to that function.
V-8327 Medium Windows services that are critical for directory server operation must be configured for automatic startup.
V-14261 Medium Windows must be prevented from using Windows Update to search for drivers.
V-14260 Medium Downloading print driver packages over HTTP must be prevented.
V-14269 Medium Mechanisms for removing zone information from file attachments must be hidden.
V-3289 Medium Servers must have a host-based Intrusion Detection System.
V-15684 Medium Users must be notified if a web-based program attempts to install software.
V-36735 Medium The system must support automated patch management tools to facilitate flaw remediation.
V-36734 Medium The operating system must employ automated mechanisms to determine the state of system components with regard to flaw remediation using the following frequency: continuously, where HBSS is used; 30 days, for any additional internal network scans not covered by HBSS; and annually, for external scans by Computer Network Defense Service Provider (CNDSP).
V-36736 Medium The system must query the certification authority to determine whether a public key certificate has been revoked before accepting the certificate for authentication purposes.
V-26579 Medium The Application event log must be configured to a minimum size requirement.
V-15682 Medium Attachments must be prevented from being downloaded from RSS feeds.
V-15683 Medium File Explorer shell protocol must run in protected mode.
V-1145 Medium Automatic logons must be disabled.
V-1141 Medium Unencrypted passwords must not be sent to third-party SMB Servers.
V-15685 Medium Users must be prevented from changing installation options.
V-57473 Medium The maximum number of error reports to queue on a system must be configured to 50 or greater.
V-57471 Medium The system must be configured to add all error reports to the queue.
V-57477 Medium The system must be configured to automatically consent to send all data requested by a local or DOD-wide error collection site.
V-57475 Medium The system must be configured to attempt to forward queued error reports once a day.
V-57479 Medium The system must be configured to permit the default consent levels of Windows Error Reporting to override any other consent policy setting.
V-40177 Medium Permissions for program file directories must conform to minimum requirements.
V-26529 Medium The system must be configured to audit Account Logon - Credential Validation successes.
V-40178 Medium Permissions for system drive root directory (usually C:\) must conform to minimum requirements.
V-40179 Medium Permissions for Windows installation directory must conform to minimum requirements.
V-2907 Medium System files must be monitored for unauthorized changes.
V-4447 Medium The Remote Desktop Session Host must require secure RPC communications.
V-3480 Medium Windows Media Player must be configured to prevent automatic checking for updates.
V-3481 Medium Media Player must be configured to prevent automatic Codec downloads.
V-4446 Medium Software certificate restriction policies must be enforced.
V-32274 Medium The DoD Interoperability Root CA 1 to DoD Root CA 2 cross-certificate must be installed into the Untrusted Certificates Store.
V-32272 Medium The DoD root certificate must be installed into the Trusted Root Store.
V-14229 Medium Auditing of Backup and Restore Privileges must be turned off.
V-14228 Medium Auditing the Access of Global System Objects must be turned off.
V-14225 Medium Passwords for the built-in Administrator account must be changed at least annually or when a member of the administrative team leaves the organization.
V-36772 Medium The machine account lockout threshold must be set to 10 on systems with BitLocker enabled.
V-57653 Medium The operating system must automatically remove or disable temporary user accounts after 72 hours.
V-57655 Medium The operating system must be configured such that emergency administrator accounts are never automatically removed or disabled.
V-40204 Medium Only the default client printer must be redirected to the Remote Desktop Session Host. (Remote Desktop Services Role).
V-40206 Medium The Smart Card Removal Policy service must be configured to automatic.
V-40200 Medium The system must be configured to audit Object Access - Central Access Policy Staging failures.
V-40202 Medium The system must be configured to audit Object Access - Central Access Policy Staging successes.
V-1107 Medium The password uniqueness must meet minimum requirements.
V-1105 Medium The minimum password age must meet requirements.
V-1104 Medium The maximum password age must meet requirements.
V-43238 Medium The display of slide shows on the lock screen must be disabled (Windows 2012 R2).
V-43239 Medium Command line data must be prevented from inclusion in process creation events (Windows 2012 R2).
V-1072 Medium Shared user accounts must not be permitted on the system.
V-1070 Medium Server systems must be located in a controlled access area, accessible only to authorized personnel.
V-26576 Medium The IP-HTTPS IPv6 transition technology must be disabled.
V-26577 Medium The ISATAP IPv6 transition technology must be disabled.
V-26575 Medium The 6to4 IPv6 transition technology must be disabled.
V-26578 Medium The Teredo IPv6 transition technology must be disabled.
V-1171 Medium Ejection of removable NTFS media must be restricted to Administrators.
V-26478 Medium Unauthorized accounts must not have the Create a pagefile user right.
V-26476 Medium Unauthorized accounts must not have the Change the system time user right.
V-26474 Medium Unauthorized accounts must not have the back up files and directories user right.
V-26473 Medium Unauthorized accounts must not have the Allow log on through Remote Desktop Services user right.
V-26472 Medium Unauthorized accounts must not have the Allow log on locally user right.
V-26471 Medium Unauthorized accounts must not have the Adjust memory quotas for a process user right.
V-26470 Medium Unauthorized accounts must not have the Access this computer from the network user right on domain controllers.
V-36658 Medium Users with administrative privilege must be documented.
V-36656 Medium A screen saver must be enabled on the system.
V-36657 Medium The screen saver must be password protected.
V-15727 Medium Users must be prevented from sharing files in their profiles.
V-15722 Medium Windows Media Digital Rights Management (DRM) must be prevented from accessing the Internet.
V-56511 Medium The Windows Error Reporting Service must be running and configured to start automatically.
V-1089 Medium The required legal notice must be configured to display before console logon.
V-3470 Medium The system must be configured to prevent unsolicited remote assistance offers.
V-1088 Medium Global object access auditing of the registry must be configured to record failures.
V-3479 Medium The system must be configured to use Safe DLL Search Mode.
V-1080 Medium Global object access auditing of the file system must be configured to record failures.
V-14243 Medium The system must require username and password to elevate a running application.
V-26582 Medium The System event log must be configured to a minimum size requirement.
V-26581 Medium The Setup event log must be configured to a minimum size requirement.
V-26580 Medium The Security event log must be configured to a minimum size requirement.
V-3376 Medium The system must be configured to prevent the storage of passwords and credentials.
V-3377 Medium The system must be configured to prevent anonymous users from having the same rights as the Everyone group.
V-3374 Medium The system must be configured to require a strong session key.
V-3378 Medium The system must be configured to use the Classic security model.
V-33666 Medium The system must be configured to audit DS Access - Directory Service Changes failures.
V-36724 Medium Permissions for the System event log must prevent access by nonprivileged accounts.
V-36722 Medium Permissions for the Application event log must prevent access by nonprivileged accounts.
V-36723 Medium Permissions for the Security event log must prevent access by nonprivileged accounts.
V-36720 Medium The Windows Remote Management (WinRM) service must not store RunAs credentials.
V-36684 Medium Local users on domain-joined computers must not be enumerated.
V-36687 Medium App notifications on the lock screen must be turned off.
V-36681 Medium Copying of user input methods to the system account for sign-in must be prevented.
V-36680 Medium Access to the Windows Store must be turned off.
V-1131 Medium Password complexity software that enforces DoD requirements must be implemented.
V-36669 Medium The system must be configured to audit Object Access - Handle Manipulation failures.
V-15674 Medium The Internet File Association service must be turned off.
V-57461 Medium The system must be configured to send error reports on TCP port 1232.
V-26538 Medium The system must be configured to audit Account Management - User Account Management failures.
V-57463 Medium The system must be configured to archive error reports.
V-57465 Medium The system must be configured to store all data in the error report archive.
V-57467 Medium The maximum number of error reports to archive on a system must be configured to 100 or greater.
V-26532 Medium The system must be configured to audit Account Management - Computer Account Management failures.
V-57469 Medium The system must be configured to queue error reports until a local or DOD-wide collector is available.
V-26530 Medium The system must be configured to audit Account Logon - Credential Validation failures.
V-26531 Medium The system must be configured to audit Account Management - Computer Account Management successes.
V-26536 Medium The system must be configured to audit Account Management - Security Group Management failures.
V-26537 Medium The system must be configured to audit Account Management - User Account Management successes.
V-26534 Medium The system must be configured to audit Account Management - Other Account Management Events failures.
V-26535 Medium The system must be configured to audit Account Management - Security Group Management successes.
V-43240 Medium The network selection user interface (UI) must not be displayed on the logon screen (Windows 2012 R2).
V-43245 Medium Automatically signing in the last interactive user after a system-initiated restart must be disabled (Windows 2012 R2).
V-26549 Medium The system must be configured to audit Privilege Use - Sensitive Privilege Use successes.
V-26548 Medium The system must be configured to audit Policy Change - Authentication Policy Change successes.
V-26547 Medium The system must be configured to audit Policy Change - Audit Policy Change failures.
V-26546 Medium The system must be configured to audit Policy Change - Audit Policy Change successes.
V-26545 Medium The system must be configured to audit Object Access - Registry failures.
V-26544 Medium The system must be configured to audit Object Access - File System failures.
V-26543 Medium The system must be configured to audit Logon/Logoff - Special Logon successes.
V-26542 Medium The system must be configured to audit Logon/Logoff - Logon failures.
V-26541 Medium The system must be configured to audit Logon/Logoff - Logon successes.
V-26540 Medium The system must be configured to audit Logon/Logoff - Logoff successes.
V-36667 Medium The system must be configured to audit Object Access - Removable Storage failures.
V-36666 Medium Policy must require that system administrators (SAs) be trained for the operating systems used by systems under their control.
V-36663 Medium System BIOS or system controllers must have administrator accounts/passwords configured.
V-36662 Medium Application account passwords must be changed at least annually or when a system administrator with knowledge of the password leaves the organization.
V-36661 Medium Policy must require application account passwords be at least 15 characters in length.
V-16048 Medium Windows Help Ratings feedback must be turned off.
V-8322 Medium Time synchronization must be enabled on the domain controller.
V-36668 Medium The system must be configured to audit Object Access - Removable Storage successes.
V-4448 Medium Group Policy objects must be reprocessed even if they have not changed.
V-3487 Medium Necessary services must be documented to maintain a baseline to determine if additional, unnecessary services have been added to a system.
V-3666 Medium The system must be configured to meet the minimum session security requirement for NTLM SSP-based servers.
V-14239 Medium User Account Control must only elevate UIAccess applications that are installed in secure locations.
V-14230 Medium Audit policy using subcategories must be enabled.
V-14234 Medium User Account Control approval mode for the built-in Administrator must be enabled.
V-14235 Medium User Account Control must, at minimum, prompt administrators for consent.
V-14236 Medium User Account Control must automatically deny standard user requests for elevation.
V-14237 Medium User Account Control must be configured to detect application installations and prompt for elevation.
V-39327 Medium The Active Directory Infrastructure object must be configured with proper audit settings.
V-39326 Medium The Active Directory Domain object must be configured with proper audit settings.
V-39325 Medium Active Directory Group Policy objects must be configured with proper audit settings.
V-57641 Medium Protection methods such as TLS, encrypted VPNs, or IPSEC must be implemented if the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process.
V-39329 Medium The Active Directory AdminSDHolder object must be configured with proper audit settings.
V-39328 Medium The Active Directory Domain Controllers Organizational Unit (OU) object must be configured with proper audit settings.
V-57645 Medium Systems requiring data at rest protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest.
V-3245 Medium File shares must limit access to data on a system.
V-40237 Medium The US DoD CCEB Interoperability Root CA 1 to DoD Root CA 2 cross-certificate must be installed into the Untrusted Certificates Store.
V-36710 Low Automatic download of updates from the Windows Store must be turned off.
V-16005 Low The system must be configured to remove the Disconnect option from the Shut Down dialog box on the Remote Desktop Client. (Remote Desktop Services Role).
V-1165 Low The computer account password must not be prevented from being reset.
V-1090 Low Caching of logon credentials must be limited.
V-4408 Low Domain controllers must be configured to allow reset of machine account passwords.
V-36690 Low The display must turn off after 20 minutes of inactivity when the system is running on battery.
V-36691 Low The display must turn off after 20 minutes of inactivity when the system is plugged in.
V-36696 Low The detection of compatibility issues for applications and drivers must be turned off.
V-36697 Low Trusted app installation must be enabled to allow for signed enterprise line of business apps.
V-1128 Low Security configuration tools or equivalent processes must be used to configure and maintain platforms for security compliance.
V-21964 Low Device metadata retrieval from the Internet must be prevented.
V-21965 Low Device driver searches using Windows Update must be prevented.
V-21967 Low Microsoft Support Diagnostic Tool (MSDT) interactive communication with Microsoft must be prevented.
V-21960 Low Domain users must be required to elevate when setting a networks location.
V-21961 Low All Direct Access traffic must be routed through the internal network.
V-21963 Low Windows Update must be prevented from searching for point and print drivers.
V-21969 Low Access to Windows Online Troubleshooting Service (WOTS) must be prevented.
V-28504 Low Windows must be prevented from sending an error report when a device driver requests additional software during installation.
V-15703 Low Users must not be prompted to search Windows Update for device drivers.
V-15702 Low An Error Report must not be sent when a generic device driver is installed.
V-15701 Low A system restore point must be created when a new device driver is installed.
V-15707 Low Remote Assistance log files must be generated.
V-36673 Low IP stateless autoconfiguration limits state must be enabled.
V-36678 Low Device driver updates must only search managed servers, not Windows Update.
V-14831 Low The directory service must be configured to terminate LDAP-based network connections to the directory server after five (5) minutes of inactivity.
V-36677 Low Optional component installation and component repair must be prevented from using Windows Update.
V-15704 Low Errors in handwriting recognition on tablet PCs must not be reported to Microsoft.
V-36707 Low The Windows SmartScreen must be turned off.
V-11806 Low The system must be configured to prevent the display of the last username on the logon screen.
V-1158 Low The Recovery Console SET command must be disabled.
V-1150 Low The built-in Microsoft password complexity filter must be enabled.
V-1151 Low The print driver installation privilege must be restricted to administrators.
V-4438 Low The system must limit how many times unacknowledged TCP data is retransmitted.
V-1112 Low Outdated or unused accounts must be removed from the system or disabled.
V-21955 Low IPv6 source routing must be configured to the highest protection level.
V-21956 Low IPv6 TCP data retransmissions must be configured to prevent resources from becoming exhausted.
V-15718 Low Turning off File Explorer heap termination on corruption must be disabled.
V-15719 Low Users must be notified if the logon server was inaccessible and cached credentials were used.
V-8324 Low The time synchronization tool must be configured to enable logging of time source switching.
V-36733 Low User-level information must be backed up in accordance with local recovery time and recovery point objectives.
V-15686 Low Nonadministrators must be prevented from applying vendor-signed updates.
V-15687 Low Users must not be presented with Privacy and Installation options on first use of Windows Media Player.
V-40172 Low Backups of system-level information must be protected.
V-40173 Low System-related documentation must be backed up in accordance with local recovery time and recovery point objectives.
V-4113 Low The system must be configured to limit how often keep-alive packets are sent.
V-4108 Low The system must generate an audit event when the audit log reaches a percentage of full threshold.
V-14797 Low Anonymous access to the root DSE of a non-public directory must be disabled.
V-36775 Low Changing the screen saver must be prevented.
V-36774 Low A screen saver must be defined.
V-36777 Low Toast notifications to the lock screen must be turned off.
V-36776 Low Notifications from Windows Push Network Service must be turned off.
V-1076 Low System-level information must be backed up in accordance with local recovery time and recovery point objectives.
V-1075 Low The shutdown option must not be available from the logon dialog box.
V-1174 Low The amount of idle time required before suspending a session must be properly set.
V-1172 Low Users must be warned in advance of their passwords expiring.
V-1173 Low The default permissions of global system objects must be increased.
V-26477 Low Unauthorized accounts must not have the Change the time zone user right.
V-26475 Low Unauthorized accounts must not have the Bypass traverse checking user right.
V-3472 Low If the time service is configured, it must use an authorized time server.
V-3373 Low The maximum age for machine account passwords must be set to requirements.
V-26359 Low The Windows dialog box title for the legal banner must be configured.
V-1136 Low Users must be forcibly disconnected when their logon hours expire.
V-1135 Low Nonadministrative user accounts or groups must only have print permissions on printer shares.
V-15672 Low Event Viewer Events.asp links must be turned off.
V-15671 Low Root Certificates must not be updated automatically from the Microsoft site.
V-43241 Low The setting to allow Microsoft accounts to be optional for modern style apps must be enabled (Windows 2012 R2).
V-21971 Low The Application Compatibility Program Inventory must be prevented from collecting data and sending the information to Microsoft.
V-21970 Low Responsiveness events must be prevented from being aggregated and sent to Microsoft.
V-4445 Low Optional Subsystems must not be permitted to operate on the system.
V-4112 Low The system must be configured to disable the Internet Router Discovery Protocol (IRDP).
V-4111 Low The system must be configured to prevent Internet Control Message Protocol (ICMP) redirects from overriding Open Shortest Path First (OSPF) generated routes.
V-4110 Low The system must be configured to prevent IP source routing.
V-4116 Low The system must be configured to ignore NetBIOS name release requests except from WINS servers.
V-4442 Low The system must be configured to have password protection take effect within a limited time frame when the screen saver becomes active.
V-14232 Low IPSec Exemptions must be limited.