UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Windows Server 2019 Security Technical Implementation Guide


Overview

Date Finding Count (304)
2020-06-15 CAT I (High): 33 CAT II (Med): 257 CAT III (Low): 14
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Available Profiles



Findings (MAC III - Administrative Public)

Finding ID Severity Title
V-92991 High Windows Server 2019 local volumes must use a format that supports NTFS attributes.
V-93301 High Windows Server 2019 LAN Manager authentication level must be configured to send NTLMv2 response only and to refuse LM and NTLM.
V-93539 High Windows Server 2019 must restrict anonymous access to Named Pipes and Shares.
V-93029 High Windows Server 2019 permissions on the Active Directory data files must only allow System and Administrators access.
V-93027 High Windows Server 2019 must only allow administrators responsible for the domain controller to have Administrator rights on the system.
V-93037 High Windows Server 2019 organization created Active Directory Organizational Unit (OU) objects must have proper access control permissions.
V-93485 High Windows Server 2019 PKI certificates associated with user accounts must be issued by a DoD PKI or an approved External Certificate Authority (ECA).
V-93483 High Windows Server 2019 domain Controller PKI certificates must be issued by the DoD PKI or an approved External Certificate Authority (ECA).
V-93369 High Windows Server 2019 users with Administrative privileges must have separate accounts for administrative duties and normal operational tasks.
V-93057 High Windows Server 2019 Create a token object user right must not be assigned to any groups or accounts.
V-93537 High Windows Server 2019 must not allow anonymous enumeration of shares.
V-93373 High Windows Server 2019 Autoplay must be turned off for non-volume devices.
V-93375 High Windows Server 2019 default AutoRun behavior must be configured to prevent AutoRun commands.
V-93377 High Windows Server 2019 AutoPlay must be disabled for all drives.
V-93291 High Windows Server 2019 must not allow anonymous enumeration of Security Account Manager (SAM) accounts.
V-93279 High Windows Server 2019 must prevent local accounts with blank passwords from being used from the network.
V-93271 High Windows Server 2019 directory data (outside the root DSE) of a non-public directory must be configured to prevent anonymous access.
V-93277 High Windows Server 2019 must be running Credential Guard on domain-joined member servers.
V-93065 High Windows Server 2019 Debug programs: user right must only be assigned to the Administrators group.
V-93215 High Windows Server 2019 must be maintained at a supported servicing level.
V-93465 High Windows Server 2019 reversible password encryption must be disabled.
V-93467 High Windows Server 2019 must be configured to prevent the storage of the LAN Manager hash of passwords.
V-93051 High Windows Server 2019 Act as part of the operating system user right must not be assigned to any groups or accounts.
V-93507 High Windows Server 2019 Windows Remote Management (WinRM) service must not use Basic authentication.
V-93503 High Windows Server 2019 Windows Remote Management (WinRM) client must not use Basic authentication.
V-93043 High Windows Server 2019 must only allow administrators responsible for the member server or standalone system to have Administrator rights on the system.
V-93201 High Windows Server 2019 must disable the Windows Installer Always install with elevated privileges option.
V-93205 High Windows Server 2019 administrative accounts must not be used with applications that access the Internet, such as web browsers, or with potential Internet sources, such as email.
V-93289 High Windows Server 2019 must not allow anonymous SID/Name translation.
V-93033 High Windows Server 2019 Active Directory Group Policy objects must have proper access control permissions.
V-93031 High Windows Server 2019 Active Directory SYSVOL directory must have the proper access control permissions.
V-93035 High Windows Server 2019 Active Directory Domain Controllers Organizational Unit (OU) object must have the proper access control permissions.
V-93217 High Windows Server 2019 must use an anti-virus program.
V-93451 Medium Windows Server 2019 computer clock synchronization tolerance must be limited to five minutes or less.
V-93333 Medium Windows Server 2019 Exploit Protection mitigations must be configured for GROOVE.EXE.
V-93119 Medium Windows Server 2019 must be configured to audit System - System Integrity failures.
V-93321 Medium Windows Server 2019 Exploit Protection mitigations must be configured for Acrobat.exe.
V-93199 Medium Windows Server 2019 must prevent users from changing installation options.
V-93223 Medium Windows Server 2019 FTP servers must be configured to prevent anonymous logons.
V-93221 Medium Windows Server 2019 must have software certificate installation files removed.
V-93227 Medium Windows Server 2019 must have orphaned security identifiers (SIDs) removed from user rights.
V-93225 Medium Windows Server 2019 FTP servers must be configured to prevent access to the system drive.
V-93161 Medium Windows Server 2019 must be configured to audit Logon/Logoff - Special Logon successes.
V-93535 Medium Windows Server 2019 data files owned by users must be on a different logical partition from the directory server data files.
V-93533 Medium Windows Server 2019 Remote Desktop Services must prevent drive redirection.
V-93531 Medium Windows Server 2019 non-system-created file shares must limit access to groups that require it.
V-93303 Medium Windows Server 2019 must be configured to at least negotiate signing for LDAP client signing.
V-93305 Medium Windows Server 2019 session security for NTLM SSP-based clients must be configured to require NTLMv2 session security and 128-bit encryption.
V-93307 Medium Windows Server 2019 session security for NTLM SSP-based servers must be configured to require NTLMv2 session security and 128-bit encryption.
V-93147 Medium Windows Server 2019 required legal notice must be configured to display before console logon.
V-93145 Medium Windows Server 2019 account lockout duration must be configured to 15 minutes or greater.
V-93131 Medium Windows Server 2019 Active Directory RID Manager$ object must be configured with proper audit settings.
V-93143 Medium Windows Server 2019 must have the period of time before the bad logon counter is reset configured to 15 minutes or greater.
V-93141 Medium Windows Server 2019 must have the number of allowed bad logon attempts configured to three or less.
V-93389 Medium Windows Server 2019 must not have the TFTP Client installed.
V-93021 Medium Windows Server 2019 permissions for program file directories must conform to minimum requirements.
V-93435 Medium Windows Server 2019 User Account Control must run all administrators in Admin Approval Mode, enabling UAC.
V-93023 Medium Windows Server 2019 permissions for the Windows installation directory must conform to minimum requirements.
V-93433 Medium Windows Server 2019 User Account Control must automatically deny standard user requests for elevation.
V-93025 Medium Windows Server 2019 default permissions for the HKEY_LOCAL_MACHINE registry hive must be maintained.
V-93491 Medium Windows Server 2019 must have the US DoD CCEB Interoperability Root CA cross-certificates in the Untrusted Certificates Store on unclassified systems.
V-93543 Medium Windows Server 2019 must implement protection methods such as TLS, encrypted VPNs, or IPsec if the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process.
V-93493 Medium Windows Server 2019 users must be required to enter a password to access private keys stored on the computer.
V-93495 Medium Windows Server 2019 Kerberos encryption types must be configured to prevent the use of DES and RC4 encryption suites.
V-93497 Medium Windows Server 2019 must have the built-in guest account disabled.
V-93425 Medium Windows Server 2019 must not save passwords in the Remote Desktop Client.
V-93499 Medium Windows Server 2019 Windows Remote Management (WinRM) client must not allow unencrypted traffic.
V-93123 Medium Windows Server 2019 Active Directory Domain object must be configured with proper audit settings.
V-93317 Medium Windows Server 2019 Exploit Protection system-level mitigation, Validate exception chains (SEHOP), must be on.
V-93315 Medium Windows Server 2019 Exploit Protection system-level mitigation, Control flow guard (CFG), must be on.
V-93099 Medium Windows Server 2019 must be configured to audit Policy Change - Authorization Policy Change successes.
V-93313 Medium Windows Server 2019 Exploit Protection system-level mitigation, Data Execution Prevention (DEP), must be on.
V-93311 Medium Windows Server 2019 must preserve zone information when saving attachments.
V-93095 Medium Windows Server 2019 must be configured to audit Policy Change - Audit Policy Change failures.
V-93547 Medium Windows Server 2019 setting Domain member: Digitally encrypt or sign secure channel data (always) must be configured to Enabled.
V-93097 Medium Windows Server 2019 must be configured to audit Policy Change - Authentication Policy Change successes.
V-93387 Medium Windows Server 2019 must not have Simple TCP/IP Services installed.
V-93091 Medium Windows Server 2019 must be configured to audit Detailed Tracking - Process Creation successes.
V-93093 Medium Windows Server 2019 must be configured to audit Policy Change - Audit Policy Change successes.
V-93319 Medium Windows Server 2019 Exploit Protection system-level mitigation, Validate heap integrity, must be on.
V-93015 Medium Windows Server 2019 Deny log on locally user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and from unauthenticated access on all systems.
V-93017 Medium Windows Server 2019 Allow log on locally user right must only be assigned to the Administrators group.
V-93517 Medium Windows Server 2019 administrator accounts must not be enumerated during elevation.
V-93011 Medium Windows Server 2019 Deny log on as a batch job user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and from unauthenticated access on all systems.
V-93013 Medium Windows Server 2019 Deny log on as a service user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts. No other groups or accounts must be assigned this right.
V-93257 Medium Windows Server 2019 Telemetry must be configured to Security or Basic.
V-93255 Medium Windows Server 2019 users must be prompted to authenticate when the system wakes from sleep (plugged in).
V-93019 Medium Windows Server 2019 permissions for the system drive root directory (usually C:\) must conform to minimum requirements.
V-93251 Medium Windows Server 2019 group policy objects must be reprocessed even if they have not changed.
V-93511 Medium Windows Server 2019 must be configured to use FIPS-compliant algorithms for encryption, hashing, and signing.
V-93155 Medium Windows Server 2019 must be configured to audit Account Logon - Credential Validation failures.
V-93157 Medium Windows Server 2019 must be configured to audit Detailed Tracking - Plug and Play Events successes.
V-92983 Medium Windows Server 2019 must be configured to audit Account Management - User Account Management failures.
V-93151 Medium Windows Server 2019 must force audit policy subcategory settings to override audit policy category settings.
V-93153 Medium Windows Server 2019 must be configured to audit Account Logon - Credential Validation successes.
V-93397 Medium Windows Server 2019 must not have Windows PowerShell 2.0 installed.
V-93395 Medium Windows Server 2019 must have the Server Message Block (SMB) v1 protocol disabled on the SMB client.
V-93159 Medium Windows Server 2019 must be configured to audit Logon/Logoff - Group Membership successes.
V-93391 Medium Windows Server 2019 must not the Server Message Block (SMB) v1 protocol installed.
V-93427 Medium Windows Server 2019 Remote Desktop Services must always prompt a client for passwords upon connection.
V-93489 Medium Windows Server 2019 must have the DoD Interoperability Root Certificate Authority (CA) cross-certificates installed in the Untrusted Certificates Store on unclassified systems.
V-93253 Medium Windows Server 2019 users must be prompted to authenticate when the system wakes from sleep (on battery).
V-93481 Medium Windows Server 2019 domain controllers must have a PKI server certificate.
V-93363 Medium Windows Server 2019 Exploit Protection mitigations must be configured for WINWORD.EXE.
V-93249 Medium Windows Server 2019 Early Launch Antimalware, Boot-Start Driver Initialization Policy must prevent boot drivers identified as bad.
V-93361 Medium Windows Server 2019 Exploit Protection mitigations must be configured for VPREVIEW.EXE.
V-93089 Medium Windows Server 2019 must be configured to audit Account Management - Other Account Management Events successes.
V-93367 Medium Windows Server 2019 Exploit Protection mitigations must be configured for wordpad.exe.
V-93365 Medium Windows Server 2019 Exploit Protection mitigations must be configured for wmplayer.exe.
V-93083 Medium Windows Server 2019 Profile single process user right must only be assigned to the Administrators group.
V-93081 Medium Windows Server 2019 Perform volume maintenance tasks user right must only be assigned to the Administrators group.
V-93087 Medium Windows Server 2019 Take ownership of files or other objects user right must only be assigned to the Administrators group.
V-93085 Medium Windows Server 2019 Restore files and directories user right must only be assigned to the Administrators group.
V-93003 Medium Windows Server 2019 Deny log on as a service user right must be configured to include no accounts or groups (blank) on domain controllers.
V-93001 Medium Windows Server 2019 Deny log on as a batch job user right on domain controllers must be configured to prevent unauthenticated access.
V-93007 Medium Windows Server 2019 Access this computer from the network user right must only be assigned to the Administrators and Authenticated Users groups on domain-joined member servers and standalone systems.
V-93005 Medium Windows Server 2019 Deny log on locally user right on domain controllers must be configured to prevent unauthenticated access.
V-93245 Medium Windows Server 2019 virtualization-based security must be enabled with the platform security level configured to Secure Boot or Secure Boot with DMA Protection.
V-93009 Medium Windows Server 2019 Deny access to this computer from the network user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and local accounts and from unauthenticated access on all systems.
V-93241 Medium Windows Server 2019 hardened Universal Naming Convention (UNC) paths must be defined to require mutual authentication and integrity for at least the \\*\SYSVOL and \\*\NETLOGON shares.
V-93243 Medium Windows Server 2019 must be configured to enable Remote host allows delegation of non-exportable credentials.
V-93419 Medium Windows Server 2019 local users on domain-joined member servers must not be enumerated.
V-93163 Medium Windows Server 2019 must be configured to audit Object Access - Other Object Access Events successes.
V-93165 Medium Windows Server 2019 must be configured to audit Object Access - Other Object Access Events failures.
V-93167 Medium Windows Server 2019 must be configured to audit Object Access - Removable Storage successes.
V-93169 Medium Windows Server 2019 must be configured to audit Object Access - Removable Storage failures.
V-93413 Medium Windows Server 2019 must disable Basic authentication for RSS feeds over HTTP.
V-93415 Medium Windows Server 2019 must prevent Indexing of encrypted files.
V-93417 Medium Windows Server 2019 domain controllers must run on a machine dedicated to that function.
V-93393 Medium Windows Server 2019 must have the Server Message Block (SMB) v1 protocol disabled on the SMB server.
V-93399 Medium Windows Server 2019 must prevent the display of slide shows on the lock screen.
V-93293 Medium Windows Server 2019 must be configured to prevent anonymous users from having the same permissions as the Everyone group.
V-93379 Medium Windows Server 2019 must employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs.
V-93407 Medium Windows Server 2019 network selection user interface (UI) must not be displayed on the logon screen.
V-93405 Medium Windows Server 2019 printing over HTTP must be turned off.
V-93403 Medium Windows Server 2019 downloading print driver packages over HTTP must be turned off.
V-93401 Medium Windows Server 2019 must have WDigest Authentication disabled.
V-93297 Medium Windows Server 2019 must prevent NTLM from falling back to a Null session.
V-93273 Medium Windows Server 2019 domain controllers must be configured to allow reset of machine account passwords.
V-93561 Medium Windows Server 2019 setting Microsoft network server: Digitally sign communications (if client agrees) must be configured to Enabled.
V-93421 Medium Windows Server 2019 must not have the Microsoft FTP service installed unless required by the organization.
V-93077 Medium Windows Server 2019 Lock pages in memory user right must not be assigned to any groups or accounts.
V-93075 Medium Windows Server 2019 Load and unload device drivers user right must only be assigned to the Administrators group.
V-92973 Medium Windows Server 2019 Remote Desktop Services must be configured with the client connection encryption set to High Level.
V-93073 Medium Windows Server 2019 Increase scheduling priority: user right must only be assigned to the Administrators group.
V-93295 Medium Windows Server 2019 services using Local System that use Negotiate when reverting to NTLM authentication must use the computer identity instead of authenticating anonymously.
V-93071 Medium Windows Server 2019 Impersonate a client after authentication user right must only be assigned to Administrators, Service, Local Service, and Network Service.
V-93179 Medium Windows Server 2019 Security event log size must be configured to 196608 KB or greater.
V-93177 Medium Windows Server 2019 Application event log size must be configured to 32768 KB or greater.
V-93175 Medium Windows Server 2019 PowerShell script block logging must be enabled.
V-93173 Medium Windows Server 2019 command line data must be included in process creation events.
V-93079 Medium Windows Server 2019 Modify firmware environment values user right must only be assigned to the Administrators group.
V-93171 Medium Windows Server 2019 must be configured to audit logoff successes.
V-93139 Medium Windows Server 2019 must be configured to audit DS Access - Directory Service Changes failures.
V-93129 Medium Windows Server 2019 Active Directory AdminSDHolder object must be configured with proper audit settings.
V-93211 Medium The password for the krbtgt account on a domain must be reset at least every 180 days.
V-93183 Medium Windows Server 2019 audit records must be backed up to a different system or media than the system being audited.
V-93267 Medium Windows Server 2019 users must be notified if a web-based program attempts to install software.
V-93181 Medium Windows Server 2019 System event log size must be configured to 32768 KB or greater.
V-93265 Medium Windows Server 2019 must prevent attachments from being downloaded from RSS feeds.
V-93349 Medium Windows Server 2019 Exploit Protection mitigations must be configured for OneDrive.exe.
V-93263 Medium Windows Server 2019 File Explorer shell protocol must run in protected mode.
V-93185 Medium Windows Server 2019 must, at a minimum, off-load audit records of interconnected systems in real time and off-load standalone systems weekly.
V-93345 Medium Windows Server 2019 Exploit Protection mitigations must be configured for MSPUB.EXE.
V-93189 Medium Windows Server 2019 permissions for the Application event log must prevent access by non-privileged accounts.
V-93341 Medium Windows Server 2019 Exploit Protection mitigations must be configured for lync.exe.
V-93343 Medium Windows Server 2019 Exploit Protection mitigations must be configured for MSACCESS.EXE.
V-93269 Medium Windows Server 2019 must disable automatically signing in the last interactive user after a system-initiated restart.
V-93473 Medium Windows Server 2019 passwords for the built-in Administrator account must be changed at least every 60 days.
V-93381 Medium Windows Server 2019 must have the roles and features required by the system documented.
V-93471 Medium Windows Server 2019 minimum password age must be configured to at least one day.
V-93477 Medium Windows Server 2019 maximum password age must be configured to 60 days or less.
V-93475 Medium Windows Server 2019 passwords must be configured to expire.
V-93567 Medium Windows Server 2019 must employ automated mechanisms to determine the state of system components with regard to flaw remediation using the following frequency: continuously, where Host Based Security System (HBSS) is used; 30 days, for any additional internal network scans not covered by HBSS; and annually, for external scans by Computer Network Defense Service Provider (CNDSP).
V-93479 Medium Windows Server 2019 password history must be configured to 24 passwords remembered.
V-93571 Medium Windows Server 2019 must have a host-based firewall installed and enabled.
V-93383 Medium Windows Server 2019 must not have the Fax Server role installed.
V-93047 Medium Windows Server 2019 Enable computer and user accounts to be trusted for delegation user right must not be assigned to any groups or accounts on domain-joined member servers and standalone systems.
V-93109 Medium Windows Server 2019 must be configured to audit System - Other System Events successes.
V-93067 Medium Windows Server 2019 Force shutdown from a remote system user right must only be assigned to the Administrators group.
V-92979 Medium Windows Server 2019 must be configured to audit Account Management - Security Group Management successes.
V-93061 Medium Windows Server 2019 Create permanent shared objects user right must not be assigned to any groups or accounts.
V-93063 Medium Windows Server 2019 Create symbolic links user right must only be assigned to the Administrators group.
V-92975 Medium Windows Server 2019 must automatically remove or disable temporary user accounts after 72 hours.
V-93385 Medium Windows Server 2019 must not have the Peer Name Resolution Protocol installed.
V-92977 Medium Windows Server 2019 must automatically remove or disable emergency accounts after the crisis is resolved or within 72 hours.
V-93113 Medium Windows Server 2019 must be configured to audit System - Security State Change successes.
V-92971 Medium Windows Server 2019 Remote Desktop Services must require secure Remote Procedure Call (RPC) communications.
V-93069 Medium Windows Server 2019 Generate security audits user right must only be assigned to Local Service and Network Service.
V-93105 Medium Windows Server 2019 must be configured to audit System - IPsec Driver successes.
V-102625 Medium The Windows Explorer Preview pane must be disabled for Windows Server 2019.
V-93339 Medium Windows Server 2019 Exploit Protection mitigations must be configured for java.exe, javaw.exe, and javaws.exe.
V-93439 Medium Windows Server 2019 accounts must require passwords.
V-93133 Medium Windows Server 2019 must be configured to audit DS Access - Directory Service Access successes.
V-92981 Medium Windows Server 2019 must be configured to audit Account Management - User Account Management successes.
V-93045 Medium Windows Server 2019 must restrict remote calls to the Security Account Manager (SAM) to Administrators on domain-joined member servers and standalone systems.
V-93103 Medium Windows Server 2019 must be configured to audit Privilege Use - Sensitive Privilege Use failures.
V-93213 Medium Windows Server 2019 domain-joined systems must have a Trusted Platform Module (TPM) enabled and ready for use.
V-93437 Medium Windows Server 2019 shared user accounts must not be permitted.
V-92995 Medium Windows Server 2019 Access this computer from the network user right must only be assigned to the Administrators, Authenticated Users, and Enterprise Domain Controllers groups on domain controllers.
V-93193 Medium Windows Server 2019 permissions for the System event log must prevent access by non-privileged accounts.
V-93195 Medium Windows Server 2019 Event Viewer must be protected from unauthorized modification and deletion.
V-93197 Medium Windows Server 2019 Manage auditing and security log user right must only be assigned to the Administrators group.
V-93353 Medium Windows Server 2019 Exploit Protection mitigations must be configured for plugin-container.exe.
V-93219 Medium Windows Server 2019 must have a host-based intrusion detection or prevention system.
V-93351 Medium Windows Server 2019 Exploit Protection mitigations must be configured for OUTLOOK.EXE.
V-93357 Medium Windows Server 2019 Exploit Protection mitigations must be configured for PPTVIEW.EXE.
V-92999 Medium Windows Server 2019 Deny access to this computer from the network user right on domain controllers must be configured to prevent unauthenticated access.
V-93355 Medium Windows Server 2019 Exploit Protection mitigations must be configured for POWERPNT.EXE.
V-93461 Medium Windows Server 2019 manually managed application account passwords must be at least 15 characters in length.
V-93463 Medium Windows Server 2019 minimum password length must be configured to 14 characters.
V-93107 Medium Windows Server 2019 must be configured to audit System - IPsec Driver failures.
V-93135 Medium Windows Server 2019 must be configured to audit DS Access - Directory Service Access failures.
V-93053 Medium Windows Server 2019 Back up files and directories user right must only be assigned to the Administrators group.
V-93565 Medium Windows Server 2019 Exploit Protection system-level mitigation, Randomize memory allocations (Bottom-Up ASLR), must be on.
V-93299 Medium Windows Server 2019 must prevent PKU2U authentication using online identities.
V-92969 Medium Windows Server 2019 must be configured to audit logon failures.
V-93055 Medium Windows Server 2019 Create a pagefile user right must only be assigned to the Administrators group.
V-93431 Medium Windows Server 2019 User Account Control approval mode for the built-in Administrator must be enabled.
V-93115 Medium Windows Server 2019 must be configured to audit System - Security System Extension successes.
V-92963 Medium Windows Server 2019 Deny log on through Remote Desktop Services user right on domain controllers must be configured to prevent unauthenticated access.
V-93505 Medium Windows Server 2019 Windows Remote Management (WinRM) client must not use Digest authentication.
V-92961 Medium Windows Server 2019 machine inactivity limit must be set to 15 minutes or less, locking the system with the screen saver.
V-92967 Medium Windows Server 2019 must be configured to audit logon successes.
V-93501 Medium Windows Server 2019 Windows Remote Management (WinRM) service must not allow unencrypted traffic.
V-92965 Medium Windows Server 2019 Deny log on through Remote Desktop Services user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and all local accounts and from unauthenticated access on all systems.
V-93337 Medium Windows Server 2019 Exploit Protection mitigations must be configured for INFOPATH.EXE.
V-93059 Medium Windows Server 2019 Create global objects user right must only be assigned to Administrators, Service, Local Service, and Network Service.
V-93513 Medium Windows Server 2019 must use separate, NSA-approved (Type 1) cryptography to protect the directory data in transit for directory service implementations at a classified confidentiality level when replication data traverses a network cleared to a lower level than the data.
V-93275 Medium Windows Server 2019 must limit the caching of logon credentials to four or less on domain-joined member servers.
V-93101 Medium Windows Server 2019 must be configured to audit Privilege Use - Sensitive Privilege Use successes.
V-93545 Medium Windows Server 2019 domain controllers must require LDAP access signing.
V-93331 Medium Windows Server 2019 Exploit Protection mitigations must be configured for FLTLDR.EXE.
V-93515 Medium Windows Server 2019 systems requiring data at rest protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest.
V-93203 Medium Windows Server 2019 system files must be monitored for unauthorized changes.
V-93411 Medium Windows Server 2019 Windows Defender SmartScreen must be enabled.
V-93207 Medium Windows Server 2019 members of the Backup Operators group must have separate accounts for backup duties and normal operational tasks.
V-93209 Medium Windows Server 2019 manually managed application account passwords must be changed at least annually or when a system administrator with knowledge of the password leaves the organization.
V-92989 Medium Windows Server 2019 must be configured to audit Logon/Logoff - Account Lockout failures.
V-93469 Medium Windows Server 2019 unencrypted passwords must not be sent to third-party Server Message Block (SMB) servers.
V-93125 Medium Windows Server 2019 Active Directory Infrastructure object must be configured with proper audit settings.
V-93563 Medium Windows Server 2019 Explorer Data Execution Prevention must be enabled.
V-93127 Medium Windows Server 2019 Active Directory Domain Controllers Organizational Unit (OU) object must be configured with proper audit settings.
V-93335 Medium Windows Server 2019 Exploit Protection mitigations must be configured for iexplore.exe.
V-93121 Medium Windows Server 2019 Active Directory Group Policy objects must be configured with proper audit settings.
V-93327 Medium Windows Server 2019 Exploit Protection mitigations must be configured for EXCEL.EXE.
V-93325 Medium Windows Server 2019 Exploit Protection mitigations must be configured for chrome.exe.
V-93323 Medium Windows Server 2019 Exploit Protection mitigations must be configured for AcroRd32.exe.
V-93453 Medium Windows Server 2019 must restrict unauthenticated Remote Procedure Call (RPC) clients from connecting to the RPC server on domain-joined member servers and standalone systems.
V-93557 Medium Windows Server 2019 setting Microsoft network client: Digitally sign communications (if server agrees) must be configured to Enabled.
V-93117 Medium Windows Server 2019 must be configured to audit System - System Integrity successes.
V-93519 Medium Windows Server 2019 local administrator accounts must have their privileged token filtered to prevent elevated privileges from being used over the network on domain-joined member servers.
V-93049 Medium Windows Server 2019 Access Credential Manager as a trusted caller user right must not be assigned to any groups or accounts.
V-93487 Medium Windows Server 2019 must have the DoD Root Certificate Authority (CA) certificates installed in the Trusted Root Store.
V-93281 Medium Windows Server 2019 built-in administrator account must be renamed.
V-93283 Medium Windows Server 2019 built-in guest account must be renamed.
V-93285 Medium Windows Server 2019 maximum age for machine account passwords must be configured to 30 days or less.
V-93287 Medium Windows Server 2019 Smart Card removal option must be configured to Force Logoff or Lock Workstation.
V-92985 Medium Windows Server 2019 must be configured to audit Account Management - Computer Account Management successes.
V-93111 Medium Windows Server 2019 must be configured to audit System - Other System Events failures.
V-93041 Medium Windows Server 2019 Enable computer and user accounts to be trusted for delegation user right must only be assigned to the Administrators group on domain controllers.
V-93549 Medium Windows Server 2019 setting Domain member: Digitally encrypt secure channel data (when possible) must be configured to enabled.
V-93551 Medium Windows Server 2019 setting Domain member: Digitally sign secure channel data (when possible) must be configured to Enabled.
V-93137 Medium Windows Server 2019 must be configured to audit DS Access - Directory Service Changes successes.
V-93525 Medium Windows Server 2019 User Account Control must be configured to detect application installations and prompt for elevation.
V-93429 Medium Windows Server 2019 Windows Remote Management (WinRM) service must not store RunAs credentials.
V-93553 Medium Windows Server 2019 must be configured to require a strong session key.
V-93239 Medium Windows Server 2019 insecure logons to an SMB server must be disabled.
V-93423 Medium Windows Server 2019 must not have the Telnet Client installed.
V-93459 Medium Windows Server 2019 must have the built-in Windows password complexity policy enabled.
V-93555 Medium Windows Server 2019 setting Microsoft network client: Digitally sign communications (always) must be configured to Enabled.
V-92997 Medium Windows Server 2019 Allow log on through Remote Desktop Services user right must only be assigned to the Administrators group on domain controllers.
V-93449 Medium Windows Server 2019 Kerberos policy user ticket renewal maximum lifetime must be limited to seven days or less.
V-93329 Medium Windows Server 2019 Exploit Protection mitigations must be configured for firefox.exe.
V-93191 Medium Windows Server 2019 permissions for the Security event log must prevent access by non-privileged accounts.
V-93443 Medium Windows Server 2019 Kerberos user logon restrictions must be enforced.
V-93347 Medium Windows Server 2019 Exploit Protection mitigations must be configured for OIS.EXE.
V-93441 Medium Windows Server 2019 Active Directory user accounts, including administrators, must be configured to require the use of a Common Access Card (CAC), Personal Identity Verification (PIV)-compliant hardware token, or Alternate Logon Token (ALT) for user authentication.
V-93447 Medium Windows Server 2019 Kerberos user ticket lifetime must be limited to 10 hours or less.
V-93445 Medium Windows Server 2019 Kerberos service ticket maximum lifetime must be limited to 600 minutes or less.
V-93529 Medium Windows Server 2019 User Account Control (UAC) must virtualize file and registry write failures to per-user locations.
V-93455 Medium Windows Server 2019 computer account password must not be prevented from being reset.
V-93039 Medium Windows Server 2019 Add workstations to domain user right must only be assigned to the Administrators group on domain controllers.
V-93359 Medium Windows Server 2019 Exploit Protection mitigations must be configured for VISIO.EXE.
V-93559 Medium Windows Server 2019 setting Microsoft network server: Digitally sign communications (always) must be configured to Enabled.
V-93521 Medium Windows Server 2019 UIAccess applications must not be allowed to prompt for elevation without using the secure desktop.
V-93523 Medium Windows Server 2019 User Account Control must, at a minimum, prompt administrators for consent on the secure desktop.
V-92987 Medium Windows Server 2019 must be configured to audit Logon/Logoff - Account Lockout successes.
V-93457 Medium Windows Server 2019 outdated or unused accounts must be removed or disabled.
V-93527 Medium Windows Server 2019 User Account Control (UAC) must only elevate UIAccess applications that are installed in secure locations.
V-93229 Low Windows Server 2019 systems must have Unified Extensible Firmware Interface (UEFI) firmware and be configured to run in UEFI mode, not Legacy BIOS.
V-93309 Low Windows Server 2019 default permissions of global system objects must be strengthened.
V-93149 Low Windows Server 2019 title for legal banner dialog box must be configured with the appropriate text.
V-93541 Low Windows Server 2019 must be configured to ignore NetBIOS name release requests except from WINS servers.
V-93259 Low Windows Server 2019 Windows Update must not obtain updates from other PCs on the Internet.
V-93235 Low Windows Server 2019 source routing must be configured to the highest protection level to prevent Internet Protocol (IP) source routing.
V-93261 Low Windows Server 2019 Turning off File Explorer heap termination on corruption must be disabled.
V-92993 Low Windows Server 2019 non-administrative accounts or groups must only have print permissions on printer shares.
V-93509 Low Windows Server 2019 directory service must be configured to terminate LDAP-based network connections to the directory server after five minutes of inactivity.
V-93409 Low Windows Server 2019 Application Compatibility Program Inventory must be prevented from collecting data and sending the information to Microsoft.
V-93187 Low The Windows Server 2019 time service must synchronize with an appropriate DoD time source.
V-93237 Low Windows Server 2019 must be configured to prevent Internet Control Message Protocol (ICMP) redirects from overriding Open Shortest Path First (OSPF)-generated routes.
V-93231 Low Windows Server 2019 must have Secure Boot enabled.
V-93233 Low Windows Server 2019 Internet Protocol version 6 (IPv6) source routing must be configured to the highest protection level to prevent IP source routing.