
Windows Server 2016 Security Technical Implementation Guide


Overview

Date: 2020-06-16
Finding Count (273): CAT I (High): 33, CAT II (Med): 227, CAT III (Low): 13
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.


Findings (MAC I - Mission Critical Public)

Finding ID Severity Title
V-73669 High Anonymous enumeration of shares must not be allowed.
V-73545 High AutoPlay must be turned off for non-volume devices.
V-73547 High The default AutoRun behavior must be configured to prevent AutoRun commands.
V-73385 High Directory data (outside the root DSE) of a non-public directory must be configured to prevent anonymous access.
V-73667 High Anonymous enumeration of Security Account Manager (SAM) accounts must not be allowed.
V-73377 High Domain-created Active Directory Organizational Unit (OU) objects must have proper access control permissions.
V-73375 High The Active Directory Domain Controllers Organizational Unit (OU) object must have the proper access control permissions.
V-73373 High Active Directory Group Policy objects must have proper access control permissions.
V-73371 High The Active Directory SYSVOL directory must have the proper access control permissions.
V-73549 High AutoPlay must be disabled for all drives.
V-73369 High Permissions on the Active Directory data files must only allow System and Administrators access.
V-73735 High The Act as part of the operating system user right must not be assigned to any groups or accounts.
V-73247 High Local volumes must use a format that supports NTFS attributes.
V-73241 High The Windows Server 2016 system must use an anti-virus program.
V-73325 High Windows Server 2016 reversible password encryption must be disabled.
V-73621 High Local accounts with blank passwords must be restricted to prevent access from the network.
V-73747 High The Create a token object user right must not be assigned to any groups or accounts.
V-73239 High Systems must be maintained at a supported servicing level.
V-73613 High Domain Controller PKI certificates must be issued by the DoD PKI or an approved External Certificate Authority (ECA).
V-73615 High PKI certificates associated with user accounts must be issued by the DoD PKI or an approved External Certificate Authority (ECA).
V-73755 High The Debug programs user right must only be assigned to the Administrators group.
V-73221 High Only administrators responsible for the member server or standalone system must have Administrator rights on the system.
V-73225 High Administrative accounts must not be used with applications that access the Internet, such as web browsers, or with potential Internet sources, such as email.
V-73585 High The Windows Installer Always install with elevated privileges option must be disabled.
V-73515 High Windows Server 2016 must be running Credential Guard on domain-joined member servers.
V-73599 High The Windows Remote Management (WinRM) service must not use Basic authentication.
V-73219 High Only administrators responsible for the domain controller must have Administrator rights on the system.
V-73593 High The Windows Remote Management (WinRM) client must not use Basic authentication.
V-73217 High Users with Administrative privileges must have separate accounts for administrative duties and normal operational tasks.
V-73665 High Anonymous SID/Name translation must not be allowed.
V-73691 High The LAN Manager authentication level must be set to send NTLMv2 response only and to refuse LM and NTLM.
V-73675 High Anonymous access to Named Pipes and Shares must be restricted.
V-73687 High Windows Server 2016 must be configured to prevent the storage of the LAN Manager hash of passwords.
V-73541 Medium Unauthenticated Remote Procedure Call (RPC) clients must be restricted from connecting to the RPC server.
V-73389 Medium Active Directory Group Policy objects must be configured with proper audit settings.
V-73383 Medium Separate, NSA-approved (Type 1) cryptography must be used to protect the directory data in transit for directory service implementations at a classified confidentiality level when replication data traverses a network cleared to a lower level than the data.
V-73661 Medium The setting Microsoft network server: Digitally sign communications (always) must be configured to Enabled.
V-73381 Medium Domain controllers must run on a machine dedicated to that function.
V-73663 Medium The setting Microsoft network server: Digitally sign communications (if client agrees) must be configured to Enabled.
V-73479 Medium Windows Server 2016 must be configured to audit System - Other System Events failures.
V-73475 Medium Windows Server 2016 must be configured to audit System - IPsec Driver failures.
V-73477 Medium Windows Server 2016 must be configured to audit System - Other System Events successes.
V-73471 Medium Windows Server 2016 must be configured to audit Privilege Use - Sensitive Privilege Use failures.
V-73365 Medium The Kerberos policy user ticket renewal maximum lifetime must be limited to seven days or less.
V-73473 Medium Windows Server 2016 must be configured to audit System - IPsec Driver successes.
V-73379 Medium Data files owned by users must be on a different logical partition from the directory server data files.
V-73771 Medium The Deny log on locally user right on member servers must be configured to prevent access from highly privileged domain accounts on domain systems and from unauthenticated access on all systems.
V-73777 Medium The Enable computer and user accounts to be trusted for delegation user right must only be assigned to the Administrators group on domain controllers.
V-73279 Medium A host-based firewall must be installed and enabled on the system.
V-73775 Medium The Deny log on through Remote Desktop Services user right on member servers must be configured to prevent access from highly privileged domain accounts and all local accounts on domain systems and from unauthenticated access on all systems.
V-73277 Medium The roles and features required by the system must be documented.
V-73275 Medium Protection methods such as TLS, encrypted VPNs, or IPsec must be implemented if the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process.
V-73779 Medium The Enable computer and user accounts to be trusted for delegation user right must not be assigned to any groups or accounts on member servers.
V-73273 Medium Systems requiring data at rest protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest.
V-73271 Medium Software certificate installation files must be removed from Windows Server 2016.
V-73799 Medium The Profile single process user right must only be assigned to the Administrators group.
V-73497 Medium WDigest Authentication must be disabled on Windows Server 2016.
V-73399 Medium The Active Directory RID Manager$ object must be configured with proper audit settings.
V-73495 Medium Local administrator accounts must have their privileged token filtered to prevent elevated privileges from being used over the network on domain systems.
V-73717 Medium User Account Control must only elevate UIAccess applications that are installed in secure locations.
V-73493 Medium The display of slide shows on the lock screen must be disabled.
V-73419 Medium Windows Server 2016 must be configured to audit Account Management - Other Account Management Events successes.
V-73491 Medium Windows Server 2016 must be configured to audit System - System Integrity failures.
V-73427 Medium Windows Server 2016 must be configured to audit Account Management - User Account Management successes.
V-73391 Medium The Active Directory Domain object must be configured with proper audit settings.
V-73393 Medium The Active Directory Infrastructure object must be configured with proper audit settings.
V-73395 Medium The Active Directory Domain Controllers Organizational Unit (OU) object must be configured with proper audit settings.
V-73397 Medium The Active Directory AdminSDHolder object must be configured with proper audit settings.
V-73417 Medium Windows Server 2016 must be configured to audit Account Management - Computer Account Management successes.
V-73223 Medium Passwords for the built-in Administrator account must be changed at least every 60 days.
V-73709 Medium UIAccess applications must not be allowed to prompt for elevation without using the secure desktop.
V-73415 Medium Windows Server 2016 must be configured to audit Account Logon - Credential Validation failures.
V-73423 Medium Windows Server 2016 must be configured to audit Account Management - Security Group Management successes.
V-73303 Medium FTP servers must be configured to prevent anonymous logons.
V-73301 Medium Windows PowerShell 2.0 must not be installed.
V-73469 Medium Windows Server 2016 must be configured to audit Privilege Use - Sensitive Privilege Use successes.
V-73305 Medium FTP servers must be configured to prevent access to the system drive.
V-73463 Medium Windows Server 2016 must be configured to audit Policy Change - Audit Policy Change failures.
V-73309 Medium Windows 2016 account lockout duration must be configured to 15 minutes or greater.
V-73461 Medium Windows Server 2016 must be configured to audit Policy Change - Audit Policy Change successes.
V-73467 Medium Windows Server 2016 must be configured to audit Policy Change - Authorization Policy Change successes.
V-73465 Medium Windows Server 2016 must be configured to audit Policy Change - Authentication Policy Change successes.
V-73411 Medium Event Viewer must be protected from unauthorized modification and deletion.
V-73789 Medium The Load and unload device drivers user right must only be assigned to the Administrators group.
V-73787 Medium The Increase scheduling priority user right must only be assigned to the Administrators group.
V-73265 Medium System files must be monitored for unauthorized changes.
V-73785 Medium The Impersonate a client after authentication user right must only be assigned to Administrators, Service, Local Service, and Network Service.
V-73267 Medium Non-system-created file shares on a system must limit access to groups that require it.
V-73783 Medium The Generate security audits user right must only be assigned to Local Service and Network Service.
V-73261 Medium Windows Server 2016 accounts must require passwords.
V-73781 Medium The Force shutdown from a remote system user right must only be assigned to the Administrators group.
V-73263 Medium Passwords must be configured to expire.
V-73721 Medium User Account Control must virtualize file and registry write failures to per-user locations.
V-73529 Medium Printing over HTTP must be prevented.
V-73487 Medium Administrator accounts must not be enumerated during elevation.
V-73481 Medium Windows Server 2016 must be configured to audit System - Security State Change successes.
V-73727 Medium Zone information must be preserved when saving attachments.
V-73483 Medium Windows Server 2016 must be configured to audit System - Security System Extension successes.
V-73729 Medium The Access Credential Manager as a trusted caller user right must not be assigned to any groups or accounts.
V-73521 Medium Early Launch Antimalware, Boot-Start Driver Initialization Policy must prevent boot drivers identified as bad.
V-91779 Medium The password for the krbtgt account on a domain must be reset at least every 180 days.
V-73527 Medium Downloading print driver packages over HTTP must be prevented.
V-73489 Medium Windows Server 2016 must be configured to audit System - System Integrity successes.
V-73525 Medium Group Policy objects must be reprocessed even if they have not changed.
V-73803 Medium The Take ownership of files or other objects user right must only be assigned to the Administrators group.
V-73311 Medium Windows Server 2016 must have the number of allowed bad logon attempts configured to three or less.
V-73313 Medium Windows Server 2016 must have the period of time before the bad logon counter is reset configured to 15 minutes or greater.
V-73315 Medium Windows Server 2016 password history must be configured to 24 passwords remembered.
V-73317 Medium Windows Server 2016 maximum password age must be configured to 60 days or less.
V-73319 Medium Windows Server 2016 minimum password age must be configured to at least one day.
V-73573 Medium The Remote Desktop Session Host must require secure Remote Procedure Call (RPC) communications.
V-73443 Medium Windows Server 2016 must be configured to audit Logon/Logoff - Account Lockout successes.
V-73259 Medium Outdated or unused accounts must be removed from the system or disabled.
V-78127 Medium Orphaned security identifiers (SIDs) must be removed from user rights on Windows 2016.
V-73657 Medium Unencrypted passwords must not be sent to third-party Server Message Block (SMB) servers.
V-78125 Medium The Server Message Block (SMB) v1 protocol must be disabled on the SMB client.
V-73651 Medium Caching of logon credentials must be limited.
V-78123 Medium The Server Message Block (SMB) v1 protocol must be disabled on the SMB server.
V-73653 Medium The setting Microsoft network client: Digitally sign communications (always) must be configured to Enabled.
V-73531 Medium The network selection user interface (UI) must not be displayed on the logon screen.
V-73251 Medium Permissions for program file directories must conform to minimum requirements.
V-73795 Medium The Modify firmware environment values user right must only be assigned to the Administrators group.
V-73253 Medium Permissions for the Windows installation directory must conform to minimum requirements.
V-73797 Medium The Perform volume maintenance tasks user right must only be assigned to the Administrators group.
V-73413 Medium Windows Server 2016 must be configured to audit Account Logon - Credential Validation successes.
V-73791 Medium The Lock pages in memory user right must not be assigned to any groups or accounts.
V-73793 Medium The Manage auditing and security log user right must only be assigned to the Administrators group.
V-73637 Medium The setting Domain member: Digitally sign secure channel data (when possible) must be configured to Enabled.
V-73539 Medium Users must be prompted to authenticate when the system wakes from sleep (plugged in).
V-73635 Medium The setting Domain member: Digitally encrypt secure channel data (when possible) must be configured to enabled.
V-73533 Medium Local users on domain-joined computers must not be enumerated.
V-73633 Medium The setting Domain member: Digitally encrypt or sign secure channel data (always) must be configured to Enabled.
V-73631 Medium Domain controllers must be configured to allow reset of machine account passwords.
V-73739 Medium The Allow log on locally user right must only be assigned to the Administrators group.
V-73737 Medium The Add workstations to domain user right must only be assigned to the Administrators group.
V-73553 Medium The Application event log size must be configured to 32768 KB or greater.
V-73733 Medium The Access this computer from the network user right must only be assigned to the Administrators and Authenticated Users groups on member servers.
V-73639 Medium The computer account password must not be prevented from being reset.
V-73731 Medium The Access this computer from the network user right must only be assigned to the Administrators, Authenticated Users, and Enterprise Domain Controllers groups on domain controllers.
V-73537 Medium Users must be prompted to authenticate when the system wakes from sleep (on battery).
V-73245 Medium Servers must have a host-based intrusion detection or prevention system.
V-73321 Medium Windows Server 2016 minimum password length must be configured to 14 characters.
V-73323 Medium Windows Server 2016 must have the built-in Windows password complexity policy enabled.
V-73249 Medium Permissions for the system drive root directory (usually C:\) must conform to minimum requirements.
V-73643 Medium Windows Server 2016 must be configured to require a strong session key.
V-73641 Medium The maximum age for machine account passwords must be configured to 30 days or less.
V-73409 Medium Permissions for the System event log must prevent access by non-privileged accounts.
V-73645 Medium The machine inactivity limit must be set to 15 minutes, locking the system with the screen saver.
V-73405 Medium Permissions for the Application event log must prevent access by non-privileged accounts.
V-73407 Medium Permissions for the Security event log must prevent access by non-privileged accounts.
V-73401 Medium Audit records must be backed up to a different system or media than the system being audited.
V-73403 Medium Windows Server 2016 must, at a minimum, off-load audit records of interconnected systems in real time and off-load standalone systems weekly.
V-73625 Medium Windows Server 2016 built-in guest account must be renamed.
V-73749 Medium The Create global objects user right must only be assigned to Administrators, Service, Local Service, and Network Service.
V-73627 Medium Audit policy using subcategories must be enabled.
V-73623 Medium Windows Server 2016 built-in administrator account must be renamed.
V-73743 Medium The Back up files and directories user right must only be assigned to the Administrators group.
V-73741 Medium The Allow log on through Remote Desktop Services user right must only be assigned to the Administrators group.
V-73629 Medium Domain controllers must require LDAP access signing.
V-73745 Medium The Create a pagefile user right must only be assigned to the Administrators group.
V-73707 Medium User Account Control approval mode for the built-in Administrator must be enabled.
V-73655 Medium The setting Microsoft network client: Digitally sign communications (if server agrees) must be configured to Enabled.
V-73299 Medium The Server Message Block (SMB) v1 protocol must be uninstalled.
V-73233 Medium Shared user accounts must not be permitted on the system.
V-73555 Medium The Security event log size must be configured to 196608 KB or greater.
V-73231 Medium Manually managed application account passwords must be changed at least annually or when a system administrator with knowledge of the password leaves the organization.
V-73237 Medium Windows Server 2016 domain-joined systems must have a Trusted Platform Module (TPM) enabled and ready for use.
V-73235 Medium Windows Server 2016 must employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs.
V-73773 Medium The Deny log on through Remote Desktop Services user right on domain controllers must be configured to prevent unauthenticated access.
V-73609 Medium The US DoD CCEB Interoperability Root CA cross-certificates must be installed in the Untrusted Certificates Store on unclassified systems.
V-73439 Medium Windows Server 2016 must be configured to audit DS Access - Directory Service Changes successes.
V-73575 Medium Remote Desktop Services must be configured with the client connection encryption set to High Level.
V-73431 Medium Windows Server 2016 must be configured to audit Detailed Tracking - Plug and Play Events successes.
V-73433 Medium Windows Server 2016 must be configured to audit Detailed Tracking - Process Creation successes.
V-73435 Medium Windows Server 2016 must be configured to audit DS Access - Directory Service Access successes.
V-73437 Medium Windows Server 2016 must be configured to audit DS Access - Directory Service Access failures.
V-73611 Medium Domain controllers must have a PKI server certificate.
V-73759 Medium The Deny access to this computer from the network user right on member servers must be configured to prevent access from highly privileged domain accounts and local accounts on domain systems, and from unauthenticated access on all systems.
V-73617 Medium Active Directory user accounts, including administrators, must be configured to require the use of a Common Access Card (CAC), Personal Identity Verification (PIV)-compliant hardware token, or Alternate Logon Token (ALT) for user authentication.
V-73441 Medium Windows Server 2016 must be configured to audit DS Access - Directory Service Changes failures.
V-73559 Medium Windows Server 2016 Windows SmartScreen must be enabled.
V-73751 Medium The Create permanent shared objects user right must not be assigned to any groups or accounts.
V-73753 Medium The Create symbolic links user right must only be assigned to the Administrators group.
V-73757 Medium The Deny access to this computer from the network user right on domain controllers must be configured to prevent unauthenticated access.
V-73685 Medium Kerberos encryption types must be configured to prevent the use of DES and RC4 encryption suites.
V-73569 Medium Local drives must be prevented from sharing with Remote Desktop Session Hosts.
V-73445 Medium Windows Server 2016 must be configured to audit Logon/Logoff - Account Lockout failures.
V-73255 Medium Default permissions for the HKEY_LOCAL_MACHINE registry hive must be maintained.
V-73589 Medium Automatically signing in the last interactive user after a system-initiated restart must be disabled.
V-73227 Medium Members of the Backup Operators group must have separate accounts for backup duties and normal operational tasks.
V-73229 Medium Manually managed application account passwords must be at least 15 characters in length.
V-73587 Medium Users must be notified if a web-based program attempts to install software.
V-73447 Medium Windows Server 2016 must be configured to audit Logon/Logoff - Group Membership successes.
V-73581 Medium Indexing of encrypted files must be turned off.
V-73583 Medium Users must be prevented from changing installation options.
V-73429 Medium Windows Server 2016 must be configured to audit Account Management - User Account Management failures.
V-73507 Medium Insecure logons to an SMB server must be disabled.
V-73713 Medium User Account Control must automatically deny standard user requests for elevation.
V-73509 Medium Hardened UNC paths must be defined to require mutual authentication and integrity for at least the \\*\SYSVOL and \\*\NETLOGON shares.
V-73561 Medium Explorer Data Execution Prevention must be enabled.
V-73715 Medium User Account Control must be configured to detect application installations and prompt for elevation.
V-73607 Medium The DoD Interoperability Root CA cross-certificates must be installed in the Untrusted Certificates Store on unclassified systems.
V-73605 Medium The DoD Root CA certificates must be installed in the Trusted Root Store.
V-73567 Medium Passwords must not be saved in the Remote Desktop Client.
V-73603 Medium The Windows Remote Management (WinRM) service must not store RunAs credentials.
V-90359 Medium Windows 2016 must be configured to audit Object Access - Other Object Access Events successes.
V-73601 Medium The Windows Remote Management (WinRM) service must not allow unencrypted traffic.
V-73711 Medium User Account Control must, at a minimum, prompt administrators for consent on the secure desktop.
V-73453 Medium Windows Server 2016 must be configured to audit Logon/Logoff - Logon failures.
V-73451 Medium Windows Server 2016 must be configured to audit Logon/Logoff - Logon successes.
V-73455 Medium Windows Server 2016 must be configured to audit Logon/Logoff - Special Logon successes.
V-73591 Medium PowerShell script block logging must be enabled.
V-73597 Medium The Windows Remote Management (WinRM) client must not use Digest authentication.
V-73595 Medium The Windows Remote Management (WinRM) client must not allow unencrypted traffic.
V-73699 Medium Users must be required to enter a password to access private keys stored on the computer.
V-73513 Medium Windows Server 2016 virtualization-based security must be enabled with the platform security level configured to Secure Boot or Secure Boot with DMA Protection.
V-73297 Medium The TFTP Client must not be installed.
V-73295 Medium The Telnet Client must not be installed.
V-73291 Medium The Peer Name Resolution Protocol must not be installed.
V-73359 Medium Kerberos user logon restrictions must be enforced.
V-73293 Medium Simple TCP/IP Services must not be installed.
V-73557 Medium The System event log size must be configured to 32768 KB or greater.
V-102623 Medium The Windows Explorer Preview pane must be disabled for Windows Server 2016.
V-73693 Medium Windows Server 2016 must be configured to at least negotiate signing for LDAP client signing.
V-73695 Medium Session security for NTLM SSP-based clients must be configured to require NTLMv2 session security and 128-bit encryption.
V-73565 Medium File Explorer shell protocol must run in protected mode.
V-73647 Medium The required legal notice must be configured to display before console logon.
V-73801 Medium The Restore files and directories user right must only be assigned to the Administrators group.
V-73679 Medium Services using Local System that use Negotiate when reverting to NTLM authentication must use the computer identity instead of authenticating anonymously.
V-73577 Medium Attachments must be prevented from being downloaded from RSS feeds.
V-73571 Medium Remote Desktop Services must always prompt a client for passwords upon connection.
V-73807 Medium The Smart Card removal option must be configured to Force Logoff or Lock Workstation.
V-73673 Medium Windows Server 2016 must be configured to prevent anonymous users from having the same permissions as the Everyone group.
V-73809 Medium Windows Server 2016 built-in guest account must be disabled.
V-73701 Medium Windows Server 2016 must be configured to use FIPS-compliant algorithms for encryption, hashing, and signing.
V-73285 Medium Windows Server 2016 must automatically remove or disable emergency accounts after the crisis is resolved or within 72 hours.
V-73677 Medium Remote calls to the Security Account Manager (SAM) must be restricted to Administrators.
V-73579 Medium Basic authentication for RSS feeds over HTTP must not be used.
V-73719 Medium User Account Control must run all administrators in Admin Approval Mode, enabling UAC.
V-73457 Medium Windows Server 2016 must be configured to audit Object Access - Removable Storage successes.
V-90361 Medium Windows 2016 must be configured to audit Object Access - Other Object Access Events failures.
V-73363 Medium The Kerberos user ticket lifetime must be limited to 10 hours or less.
V-73683 Medium PKU2U authentication using online identities must be prevented.
V-73681 Medium NTLM must be prevented from falling back to a Null session.
V-73449 Medium Windows Server 2016 must be configured to audit Logon/Logoff - Logoff successes.
V-73765 Medium The Deny log on as a service user right must be configured to include no accounts or groups (blank) on domain controllers.
V-73283 Medium Windows Server 2016 must automatically remove or disable temporary user accounts after 72 hours.
V-73767 Medium The Deny log on as a service user right on member servers must be configured to prevent access from highly privileged domain accounts on domain systems. No other groups or accounts must be assigned this right.
V-73281 Medium Windows Server 2016 must employ automated mechanisms to determine the state of system components with regard to flaw remediation using the following frequency: continuously, where Host Based Security System (HBSS) is used; 30 days, for any additional internal network scans not covered by HBSS; and annually, for external scans by Computer Network Defense Service Provider (CNDSP).
V-73761 Medium The Deny log on as a batch job user right on domain controllers must be configured to prevent unauthenticated access.
V-73287 Medium The Fax Server role must not be installed.
V-73763 Medium The Deny log on as a batch job user right on member servers must be configured to prevent access from highly privileged domain accounts on domain systems and from unauthenticated access on all systems.
V-73697 Medium Session security for NTLM SSP-based servers must be configured to require NTLMv2 session security and 128-bit encryption.
V-73361 Medium The Kerberos service ticket maximum lifetime must be limited to 600 minutes or less.
V-73551 Medium Windows Telemetry must be configured to Security or Basic.
V-73289 Medium The Microsoft FTP service must not be installed unless required.
V-73769 Medium The Deny log on locally user right on domain controllers must be configured to prevent unauthenticated access.
V-73511 Medium Command line data must be included in process creation events.
V-73367 Medium The computer clock synchronization tolerance must be limited to 5 minutes or less.
V-73459 Medium Windows Server 2016 must be configured to audit Object Access - Removable Storage failures.
V-73387 Low The directory service must be configured to terminate LDAP-based network connections to the directory server after 5 minutes of inactivity.
V-73543 Low The Application Compatibility Program Inventory must be prevented from collecting data and sending the information to Microsoft.
V-73499 Low Internet Protocol version 6 (IPv6) source routing must be configured to the highest protection level to prevent IP source routing.
V-73307 Low The time service must synchronize with an appropriate DoD time source.
V-73257 Low Non-administrative accounts or groups must only have print permissions on printer shares.
V-73705 Low The default permissions of global system objects must be strengthened.
V-73505 Low Windows Server 2016 must be configured to ignore NetBIOS name release requests except from WINS servers.
V-73501 Low Source routing must be configured to the highest protection level to prevent Internet Protocol (IP) source routing.
V-73503 Low Windows Server 2016 must be configured to prevent Internet Control Message Protocol (ICMP) redirects from overriding Open Shortest Path First (OSPF)-generated routes.
V-90357 Low Windows 2016 systems must have Unified Extensible Firmware Interface (UEFI) firmware and be configured to run in UEFI mode, not Legacy BIOS.
V-90355 Low Secure Boot must be enabled on Windows Server 2016 systems.
V-73563 Low Turning off File Explorer heap termination on corruption must be disabled.
V-73649 Low The Windows dialog box title for the legal banner must be configured with the appropriate text.