Finding ID |
Severity |
Title |
Description |
V-254354
|
High |
Windows Server 2022 AutoPlay must be disabled for all drives. |
Allowing AutoPlay to execute may introduce malicious code to a system. AutoPlay begins reading from a drive as soon media is inserted into the drive. As a result, the setup file of programs or music on audio media may start. By default, AutoPlay is disabled on removable drives, such as... |
V-254353
|
High |
Windows Server 2022 default AutoRun behavior must be configured to prevent AutoRun commands. |
Allowing AutoRun commands to execute may introduce malicious code to a system. Configuring this setting prevents AutoRun commands from executing. |
V-254352
|
High |
Windows Server 2022 Autoplay must be turned off for nonvolume devices. |
Allowing AutoPlay to execute may introduce malicious code to a system. AutoPlay begins reading from a drive as soon as media is inserted into the drive. As a result, the setup file of programs or music on audio media may start. This setting will disable AutoPlay for nonvolume devices, such... |
V-254293
|
High |
Windows Server 2022 reversible password encryption must be disabled. |
Storing passwords using reversible encryption is essentially the same as storing clear-text versions of the passwords, which are easily compromised. For this reason, this policy must never be enabled. |
V-254262
|
High |
Windows Server 2022 systems requiring data at rest protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest. |
This requirement addresses protection of user-generated data as well as operating system-specific configuration data. Organizations may choose to employ different mechanisms to achieve confidentiality and integrity protections, as appropriate, in accordance with the security category and/or classification of the information.
Selection of a cryptographic mechanism is based on the need... |
V-254250
|
High |
Windows Server 2022 local volumes must use a format that supports NTFS attributes. |
The ability to set access permissions and auditing is critical to maintaining the security and proper access controls of a system. To support this, volumes must be formatted using a file system that supports NTFS attributes. |
V-254240
|
High |
Windows Server 2022 administrative accounts must not be used with applications that access the internet, such as web browsers, or with potential internet sources, such as email. |
Using applications that access the internet or have potential internet sources using administrative privileges exposes a system to compromise. If a flaw in an application is exploited while running as a privileged user, the entire system could be compromised. Web browsers and email are common attack vectors for introducing malicious... |
V-254361
|
Medium |
Windows Server 2022 Microsoft Defender antivirus SmartScreen must be enabled. |
Microsoft Defender antivirus SmartScreen helps protect systems from programs downloaded from the internet that may be malicious. Enabling SmartScreen can block potentially malicious programs or warn users. |
V-254360
|
Medium |
Windows Server 2022 System event log size must be configured to 32768 KB or greater. |
Inadequate log size will cause the log to fill up quickly. This may prevent audit events from being recorded properly and require frequent attention by administrative personnel. |
V-254359
|
Medium |
Windows Server 2022 Security event log size must be configured to 196608 KB or greater. |
Inadequate log size will cause the log to fill up quickly. This may prevent audit events from being recorded properly and require frequent attention by administrative personnel. |
V-254358
|
Medium |
Windows Server 2022 Application event log size must be configured to 32768 KB or greater. |
Inadequate log size will cause the log to fill up quickly. This may prevent audit events from being recorded properly and require frequent attention by administrative personnel. |
V-254356
|
Medium |
Windows Server 2022 Diagnostic Data must be configured to send "required diagnostic data" or "optional diagnostic data". |
Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Limiting this capability will prevent potentially sensitive information from being sent outside the enterprise. The "send required diagnostic data" option for Allow Diagnostic Data configures the lowest amount of data, effectively none... |
V-254355
|
Medium |
Windows Server 2022 administrator accounts must not be enumerated during elevation. |
Enumeration of administrator accounts when elevating can provide part of the logon information to an unauthorized user. This setting configures the system to always require users to type in a username and password to elevate a running application. |
V-254350
|
Medium |
Windows Server 2022 users must be prompted to authenticate when the system wakes from sleep (plugged in). |
A system that does not require authentication when resuming from sleep may provide access to unauthorized users. Authentication must always be required when accessing a system. This setting ensures users are prompted for a password when the system wakes from sleep (plugged in). |
V-254349
|
Medium |
Windows Server 2022 users must be prompted to authenticate when the system wakes from sleep (on battery). |
A system that does not require authentication when resuming from sleep may provide access to unauthorized users. Authentication must always be required when accessing a system. This setting ensures users are prompted for a password when the system wakes from sleep (on battery). |
V-254348
|
Medium |
Windows Server 2022 network selection user interface (UI) must not be displayed on the logon screen. |
Enabling interaction with the network selection UI allows users to change connections to available networks without signing in to Windows. |
V-254347
|
Medium |
Windows Server 2022 printing over HTTP must be turned off. |
Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and will prevent uncontrolled updates to the system.
This setting prevents the client computer from printing over... |
V-254346
|
Medium |
Windows Server 2022 downloading print driver packages over HTTP must be turned off. |
Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and will prevent uncontrolled updates to the system.
This setting prevents the computer from downloading print driver... |
V-254345
|
Medium |
Windows Server 2022 group policy objects must be reprocessed even if they have not changed. |
Registry entries for group policy settings can potentially be changed from the required configuration. This could occur as part of troubleshooting or by a malicious process on a compromised system. Enabling this setting and then selecting the "Process even if the Group Policy objects have not changed" option ensures the... |
V-254344
|
Medium |
Windows Server 2022 Early Launch Antimalware, Boot-Start Driver Initialization Policy must prevent boot drivers identified as bad. |
Compromised boot drivers can introduce malware prior to protection mechanisms that load after initialization. The Early Launch Antimalware driver can limit allowed drivers based on classifications determined by the malware protection application. At a minimum, drivers determined to be bad must not be allowed. |
V-254343
|
Medium |
Windows Server 2022 virtualization-based security must be enabled with the platform security level configured to Secure Boot or Secure Boot with DMA Protection. |
Virtualization Based Security (VBS) provides the platform for the additional security features Credential Guard and virtualization-based protection of code integrity. Secure Boot is the minimum security level, with DMA protection providing additional memory protection. DMA Protection requires a CPU that supports input/output memory management unit (IOMMU). |
V-254342
|
Medium |
Windows Server 2022 must be configured to enable Remote host allows delegation of nonexportable credentials. |
An exportable version of credentials is provided to remote hosts when using credential delegation which exposes them to theft on the remote host. Restricted Admin mode or Remote Credential Guard allow delegation of nonexportable credentials providing additional protection of the credentials. Enabling this configures the host to support Restricted Admin... |
V-254341
|
Medium |
Windows Server 2022 command line data must be included in process creation events. |
Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential... |
V-254340
|
Medium |
Windows Server 2022 hardened Universal Naming Convention (UNC) paths must be defined to require mutual authentication and integrity for at least the \\*\SYSVOL and \\*\NETLOGON shares. |
Additional security requirements are applied to UNC paths specified in hardened UNC paths before allowing access to them. This aids in preventing tampering with or spoofing of connections to these paths. |
V-254339
|
Medium |
Windows Server 2022 insecure logons to an SMB server must be disabled. |
Insecure guest logons allow unauthenticated access to shared folders. Shared resources on a system must require authentication to establish proper access. |
V-254334
|
Medium |
Windows Server 2022 must have WDigest Authentication disabled. |
When the WDigest Authentication protocol is enabled, plain-text passwords are stored in the Local Security Authority Subsystem Service (LSASS), exposing them to theft. WDigest is disabled by default in Windows Server 2022. This setting ensures this is enforced. |
V-254333
|
Medium |
Windows Server 2022 must prevent the display of slide shows on the lock screen. |
Slide shows that are displayed on the lock screen could display sensitive information to unauthorized personnel. Turning off this feature will limit access to the information to a logged-on user. |
V-254332
|
Medium |
Windows Server 2022 must be configured to audit System - System Integrity failures. |
Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential... |
V-254331
|
Medium |
Windows Server 2022 must be configured to audit System - System Integrity successes. |
Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential... |
V-254330
|
Medium |
Windows Server 2022 must be configured to audit System - Security System Extension successes. |
Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential... |
V-254329
|
Medium |
Windows Server 2022 must be configured to audit System - Security State Change successes. |
Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential... |
V-254328
|
Medium |
Windows Server 2022 must be configured to audit System - Other System Events failures. |
Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential... |
V-254327
|
Medium |
Windows Server 2022 must be configured to audit System - Other System Events successes. |
Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential... |
V-254326
|
Medium |
Windows Server 2022 must be configured to audit System - IPsec Driver failures. |
Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential... |
V-254325
|
Medium |
Windows Server 2022 must be configured to audit System - IPsec Driver successes. |
Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential... |
V-254324
|
Medium |
Windows Server 2022 must be configured to audit Privilege Use - Sensitive Privilege Use failures. |
Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential... |
V-254323
|
Medium |
Windows Server 2022 must be configured to audit Privilege Use - Sensitive Privilege Use successes. |
Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential... |
V-254322
|
Medium |
Windows Server 2022 must be configured to audit Policy Change - Authorization Policy Change successes. |
Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential... |
V-254321
|
Medium |
Windows Server 2022 must be configured to audit Policy Change - Authentication Policy Change successes. |
Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential... |
V-254320
|
Medium |
Windows Server 2022 must be configured to audit Policy Change - Audit Policy Change failures. |
Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential... |
V-254319
|
Medium |
Windows Server 2022 must be configured to audit Policy Change - Audit Policy Change successes. |
Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential... |
V-254318
|
Medium |
Windows Server 2022 must be configured to audit Object Access - Removable Storage failures. |
Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential... |
V-254317
|
Medium |
Windows Server 2022 must be configured to audit Object Access - Removable Storage successes. |
Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential... |
V-254316
|
Medium |
Windows Server 2022 must be configured to audit Object Access - Other Object Access Events failures. |
Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential... |
V-254315
|
Medium |
Windows Server 2022 must be configured to audit Object Access - Other Object Access Events successes. |
Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential... |
V-254314
|
Medium |
Windows Server 2022 must be configured to audit Logon/Logoff - Special Logon successes. |
Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential... |
V-254313
|
Medium |
Windows Server 2022 must be configured to audit logon failures. |
Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential... |
V-254312
|
Medium |
Windows Server 2022 must be configured to audit logon successes. |
Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential... |
V-254311
|
Medium |
Windows Server 2022 must be configured to audit logoff successes. |
Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential... |
V-254310
|
Medium |
Windows Server 2022 must be configured to audit Logon/Logoff - Group Membership successes. |
Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential... |
V-254309
|
Medium |
Windows Server 2022 must be configured to audit Logon/Logoff - Account Lockout failures. |
Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential... |
V-254307
|
Medium |
Windows Server 2022 must be configured to audit Detailed Tracking - Process Creation successes. |
Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential... |
V-254306
|
Medium |
Windows Server 2022 must be configured to audit Detailed Tracking - Plug and Play Events successes. |
Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential... |
V-254305
|
Medium |
Windows Server 2022 must be configured to audit Account Management - User Account Management failures. |
Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential... |
V-254304
|
Medium |
Windows Server 2022 must be configured to audit Account Management - User Account Management successes. |
Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential... |
V-254303
|
Medium |
Windows Server 2022 must be configured to audit Account Management - Security Group Management successes. |
Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential... |
V-254302
|
Medium |
Windows Server 2022 must be configured to audit Account Management - Other Account Management Events successes. |
Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential... |
V-254301
|
Medium |
Windows Server 2022 must be configured to audit Account Logon - Credential Validation failures. |
Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential... |
V-254300
|
Medium |
Windows Server 2022 must be configured to audit Account Logon - Credential Validation successes. |
Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential... |
V-254299
|
Medium |
Windows Server 2022 Event Viewer must be protected from unauthorized modification and deletion. |
Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information.
Operating systems providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the... |
V-254298
|
Medium |
Windows Server 2022 permissions for the System event log must prevent access by nonprivileged accounts. |
Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. The System event log may... |
V-254297
|
Medium |
Windows Server 2022 permissions for the Security event log must prevent access by nonprivileged accounts. |
Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. The Security event log may... |
V-254296
|
Medium |
Windows Server 2022 permissions for the Application event log must prevent access by nonprivileged accounts. |
Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. The Application event log may... |
V-254295
|
Medium |
Windows Server 2022 must, at a minimum, offload audit records of interconnected systems in real time and offload standalone or nondomain-joined systems weekly. |
Protection of log data includes assuring the log data is not accidentally lost or deleted. Audit information stored in one location is vulnerable to accidental or incidental deletion or alteration. |
V-254294
|
Medium |
Windows Server 2022 audit records must be backed up to a different system or media than the system being audited. |
Protection of log data includes ensuring the log data is not accidentally lost or deleted. Audit information stored in one location is vulnerable to accidental or incidental deletion or alteration. |
V-254292
|
Medium |
Windows Server 2022 must have the built-in Windows password complexity policy enabled. |
The use of complex passwords increases their strength against attack. The built-in Windows password complexity policy requires passwords to contain at least three of the four types of characters (numbers, uppercase and lowercase letters, and special characters) and prevents the inclusion of user names or parts of user names.
Satisfies:... |
V-254291
|
Medium |
Windows Server 2022 minimum password length must be configured to 14 characters. |
Information systems not protected with strong password schemes (including passwords of minimum length) provide the opportunity for anyone to crack the password, thus gaining access to the system and compromising the device, information, or the local network. |
V-254290
|
Medium |
Windows Server 2022 minimum password age must be configured to at least one day. |
Permitting passwords to be changed in immediate succession within the same day allows users to cycle passwords through their history database. This enables users to effectively negate the purpose of mandating periodic password changes. |
V-254289
|
Medium |
Windows Server 2022 maximum password age must be configured to 60 days or less. |
The longer a password is in use, the greater the opportunity for someone to gain unauthorized knowledge of the passwords. Scheduled changing of passwords hinders the ability of unauthorized system users to crack passwords and gain access to a system. |
V-254288
|
Medium |
Windows Server 2022 password history must be configured to 24 passwords remembered. |
A system is more vulnerable to unauthorized access when system users recycle the same password several times without being required to change to a unique password on a regularly scheduled basis. This enables users to effectively negate the purpose of mandating periodic password changes. The default value is "24" for... |
V-254287
|
Medium |
Windows Server 2022 must have the period of time before the bad logon counter is reset configured to 15 minutes or greater. |
The account lockout feature, when enabled, prevents brute-force password attacks on the system. This parameter specifies the period of time that must pass after failed logon attempts before the counter is reset to "0". The smaller this value is, the less effective the account lockout feature will be in protecting... |
V-254286
|
Medium |
Windows Server 2022 must have the number of allowed bad logon attempts configured to three or less. |
The account lockout feature, when enabled, prevents brute-force password attacks on the system. The higher this value is, the less effective the account lockout feature will be in protecting the local system. The number of bad logon attempts must be reasonably small to minimize the possibility of a successful password... |
V-254285
|
Medium |
Windows Server 2022 account lockout duration must be configured to 15 minutes or greater. |
The account lockout feature, when enabled, prevents brute-force password attacks on the system. This parameter specifies the period of time that an account will remain locked after the specified number of failed logon attempts. |
V-254284
|
Medium |
Windows Server 2022 must have Secure Boot enabled. |
Secure Boot is a standard that ensures systems boot only to a trusted operating system. Secure Boot is required to support additional security features in Windows, including Virtualization Based Security and Credential Guard. If Secure Boot is turned off, these security features will not function. |
V-254283
|
Medium |
Windows Server 2022 systems must have Unified Extensible Firmware Interface (UEFI) firmware and be configured to run in UEFI mode, not Legacy BIOS. |
UEFI provides additional security features in comparison to legacy BIOS firmware, including Secure Boot. UEFI is required to support additional security features in Windows, including Virtualization Based Security and Credential Guard. Systems with UEFI that are operating in "Legacy BIOS" mode will not support these security features. |
V-254282
|
Medium |
Windows Server 2022 must have orphaned security identifiers (SIDs) removed from user rights. |
Accounts or groups given rights on a system may show up as unresolved SIDs for various reasons including deletion of the accounts or groups. If the account or group objects are reanimated, there is a potential they may still have rights no longer intended. Valid domain accounts or groups may... |
V-254280
|
Medium |
Windows Server 2022 FTP servers must be configured to prevent access to the system drive. |
The FTP service allows remote users to access shared files and directories that could provide access to system resources and compromise the system, especially if the user can gain access to the root directory of the boot drive. |
V-254279
|
Medium |
Windows Server 2022 FTP servers must be configured to prevent anonymous logons. |
The FTP service allows remote users to access shared files and directories. Allowing anonymous FTP connections makes user auditing difficult.
Using accounts that have administrator privileges to log on to FTP risks that the user ID and password will be captured on the network and give administrator access to an unauthorized... |
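The IIS FTP settings behind the two FTP entries above are stored in applicationHost.config, so they can be audited without the IIS Manager UI. This is an added example, not part of the STIG. It flags any FTP site root on the system drive, which is a stricter reading than "the root of the boot drive"; relax the OnSystemDrive test if the organization only prohibits the drive root itself.

```powershell
# Added example: report FTP sites that allow anonymous logons (V-254279) or whose
# root virtual directory is on the system drive (V-254280).
$configPath = Join-Path $env:windir 'System32\inetsrv\config\applicationHost.config'
if (-not (Test-Path $configPath)) { return 'IIS is not installed; nothing to check.' }

[xml]$appHost  = Get-Content -Path $configPath -Raw
$systemDrive   = $env:SystemDrive   # e.g. C:

foreach ($site in $appHost.configuration.'system.applicationHost'.sites.site) {
    # Only sites with an ftp binding are in scope.
    $ftpBindings = @($site.bindings.binding | Where-Object { $_.protocol -eq 'ftp' })
    if ($ftpBindings.Count -eq 0) { continue }

    # <ftpServer><security><authentication><anonymousAuthentication enabled="true"/>
    $anon        = $site.ftpServer.security.authentication.anonymousAuthentication
    $anonEnabled = ($null -ne $anon -and $anon.enabled -eq 'true')

    # Root application "/" -> root virtual directory "/" -> physicalPath
    $root = $site.application | Where-Object { $_.path -eq '/' } |
            ForEach-Object { $_.virtualDirectory } | Where-Object { $_.path -eq '/' }
    $physical      = [System.Environment]::ExpandEnvironmentVariables([string]$root.physicalPath)
    $onSystemDrive = $physical -like "$systemDrive\*"

    [pscustomobject]@{
        Site           = $site.name
        AnonymousLogon = $anonEnabled
        RootPath       = $physical
        OnSystemDrive  = $onSystemDrive
        Finding        = ($anonEnabled -or $onSystemDrive)
    }
}
```

The default site root created by the FTP role, %SystemDrive%\inetpub\ftproot, will be reported; move the root to a data volume and disable anonymous authentication in the site's FTP Authentication settings to clear both findings.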
V-254278
|
Medium |
Windows Server 2022 must not have Windows PowerShell 2.0 installed. |
Windows PowerShell 5.x added advanced logging features that can provide additional detail when malware has been run on a system. Disabling Windows PowerShell 2.0 mitigates a downgrade attack that evades the Windows PowerShell 5.x script block logging feature. |
V-254277
|
Medium |
Windows Server 2022 must have the Server Message Block (SMB) v1 protocol disabled on the SMB client. |
SMBv1 is a legacy protocol that uses the MD5 algorithm as part of SMB. MD5 is known to be vulnerable to a number of attacks such as collision and preimage attacks as well as not being FIPS compliant. |
V-254276
|
Medium |
Windows Server 2022 must have the Server Message Block (SMB) v1 protocol disabled on the SMB server. |
SMBv1 is a legacy protocol that uses the MD5 algorithm as part of SMB. MD5 is known to be vulnerable to a number of attacks such as collision and preimage attacks as well as not being FIPS compliant. |
V-254275
|
Medium |
Windows Server 2022 must not have the Server Message Block (SMB) v1 protocol installed. |
SMBv1 is a legacy protocol that uses the MD5 algorithm as part of SMB. MD5 is known to be vulnerable to a number of attacks such as collision and preimage attacks and is not FIPS compliant. |
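The three SMBv1 entries above are three separate switches: the SMB server setting, the SMB client driver, and the installed feature. The following added example (not the STIG's own check text) reads all three; the registry values it inspects for the client side are the MRxSmb10 start type and the LanmanWorkstation dependency list, and the sc.exe remediation lines are the ones Microsoft documents for disabling the SMBv1 client.

```powershell
# Added example: audit SMBv1 on the server (V-254276), client (V-254277) and
# feature (V-254275) sides, with an opt-in remediation.
function Get-Smb1State {
    $feature = Get-WindowsFeature -Name FS-SMB1
    $server  = (Get-SmbServerConfiguration).EnableSMB1Protocol

    # Client: MRxSmb10 must be disabled (Start = 4) and removed from the
    # workstation service's dependencies; otherwise the client can still negotiate SMB1.
    $mrx = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb10' -ErrorAction SilentlyContinue
    $lw  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation'
    $driverStart = if ($mrx) { $mrx.Start } else { 'absent' }

    [pscustomobject]@{
        FeatureInstalled   = $feature.Installed
        ServerSmb1Enabled  = $server
        ClientDriverStart  = $driverStart
        WorkstationDepends = ($lw.DependOnService -contains 'MRxSmb10')
        Compliant          = (-not $feature.Installed) -and (-not $server) -and
                             ($driverStart -eq 4 -or $driverStart -eq 'absent') -and
                             ($lw.DependOnService -notcontains 'MRxSmb10')
    }
}

function Disable-Smb1 {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
    sc.exe config mrxsmb10 start= disabled | Out-Null
    Uninstall-WindowsFeature -Name FS-SMB1 | Out-Null   # takes effect after a reboot
}

Get-Smb1State
# Disable-Smb1; Restart-Computer
```

Run Get-Smb1State again after the reboot: the feature removal and the driver start type are only reflected once the system has restarted.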
V-254274
|
Medium |
Windows Server 2022 must not have the TFTP Client installed. |
Unnecessary services increase the attack surface of a system. Some of these services may not support required levels of authentication or encryption or may provide unauthorized access to the system. |
V-254273
|
Medium |
Windows Server 2022 must not have the Telnet Client installed. |
Unnecessary services increase the attack surface of a system. Some of these services may not support required levels of authentication or encryption or may provide unauthorized access to the system. |
V-254272
|
Medium |
Windows Server 2022 must not have Simple TCP/IP Services installed. |
Unnecessary services increase the attack surface of a system. Some of these services may not support required levels of authentication or encryption or may provide unauthorized access to the system. |
V-254271
|
Medium |
Windows Server 2022 must not have the Peer Name Resolution Protocol installed. |
Unnecessary services increase the attack surface of a system. Some of these services may not support required levels of authentication or encryption or may provide unauthorized access to the system. |
V-254270
|
Medium |
Windows Server 2022 must not have the Microsoft FTP service installed unless required by the organization. |
Unnecessary services increase the attack surface of a system. Some of these services may not support required levels of authentication or encryption. |
V-254269
|
Medium |
Windows Server 2022 must not have the Fax Server role installed. |
Unnecessary services increase the attack surface of a system. Some of these services may not support required levels of authentication or encryption or may provide unauthorized access to the system. |
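The PowerShell 2.0 entry and the six "must not have ... installed" entries above all map to Server Manager feature names, so a single feature query covers them. Added example, not part of the STIG; the feature names are the ones Get-WindowsFeature uses on Windows Server, and the removal is left as a -WhatIf so nothing is uninstalled until the FTP exemption has been checked against the system's documentation.

```powershell
# Added example: audit prohibited roles and features (V-254278, V-254274 .. V-254269).
$prohibited = [ordered]@{
    'PowerShell-V2'  = 'Windows PowerShell 2.0 Engine (V-254278)'
    'TFTP-Client'    = 'TFTP Client (V-254274)'
    'Telnet-Client'  = 'Telnet Client (V-254273)'
    'Simple-TCPIP'   = 'Simple TCP/IP Services (V-254272)'
    'PNRP'           = 'Peer Name Resolution Protocol (V-254271)'
    'Web-Ftp-Server' = 'FTP Server (V-254270, only if not documented as required)'
    'Fax'            = 'Fax Server role (V-254269)'
}

$state = Get-WindowsFeature -Name ([string[]]$prohibited.Keys) | ForEach-Object {
    [pscustomobject]@{
        Feature   = $_.Name
        Purpose   = $prohibited[$_.Name]
        Installed = $_.Installed
    }
}
$state | Format-Table -AutoSize

$toRemove = $state | Where-Object Installed | Select-Object -ExpandProperty Feature
if ($toRemove) {
    # Drop -WhatIf to actually remove; PowerShell-V2 removal does not need a reboot,
    # role removals (Fax, Web-Ftp-Server) may.
    Uninstall-WindowsFeature -Name $toRemove -WhatIf
}
```

For the PowerShell 2.0 entry specifically, a removed engine means "powershell.exe -Version 2" fails instead of silently bypassing script block logging, which is the downgrade the entry describes.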
V-254268
|
Medium |
Windows Server 2022 must automatically remove or disable emergency accounts after the crisis is resolved or within 72 hours. |
Emergency administrator accounts are privileged accounts established in response to crisis situations where the need for rapid account activation is required. Therefore, emergency account activation may bypass normal account authorization processes. If these accounts are automatically disabled, system maintenance during emergencies may not be possible, thus adversely affecting system availability.... |
V-254267
|
Medium |
Windows Server 2022 must automatically remove or disable temporary user accounts after 72 hours. |
If temporary user accounts remain active when no longer needed or for an excessive period, these accounts may be used to gain unauthorized access. To mitigate this risk, automated termination of all temporary accounts must be set upon account creation.
Temporary accounts are established as part of normal account activation... |
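"Automated termination ... set upon account creation" can be satisfied on a stand-alone server with the account expiry attribute. The block below is an added example, not STIG check text; the TEMP-/EMRG- naming prefix used to recognise temporary and emergency accounts is an assumed local convention.

```powershell
# Added example: create a temporary local account that expires on its own
# (V-254267/V-254268) and audit temporary accounts with no expiry set.
function New-TemporaryLocalUser {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][securestring]$Password,
        [int]$Hours = 72
    )
    # AccountExpires is enforced by the logon process; no scheduled task needed.
    New-LocalUser -Name $Name -Password $Password `
        -AccountExpires (Get-Date).AddHours($Hours) `
        -Description "Temporary account, expires after $Hours h"
}

function Get-TemporaryAccountFindings {
    # Assumed convention: temporary accounts are TEMP-*, emergency accounts EMRG-*.
    Get-LocalUser |
        Where-Object { $_.Enabled -and $_.Name -match '^(TEMP|EMRG)-' } |
        Where-Object { $null -eq $_.AccountExpires } |
        Select-Object Name, Enabled, AccountExpires, LastLogon
}

# Usage:
# $pw = Read-Host -AsSecureString 'Temporary password'
# New-TemporaryLocalUser -Name 'TEMP-vendor01' -Password $pw -Hours 72
# Get-TemporaryAccountFindings      # any row here is a finding
```

An expired account is refused at logon but still exists; a follow-up pass should disable or delete it (Disable-LocalUser / Remove-LocalUser) so it cannot be re-enabled by accident. For domain accounts the same attribute is set with New-ADUser -AccountExpirationDate.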
V-254266
|
Medium |
Windows Server 2022 must employ automated mechanisms to determine the state of system components with regard to flaw remediation using the following frequency: continuously, where Endpoint Security Solution (ESS) is used; 30 days, for any additional internal network scans not covered by ESS; and annually, for external scans by Computer Network Defense Service Provider (CNDSP). |
Without the use of automated mechanisms to scan for security flaws on a continuous and/or periodic basis, the operating system or other system components may remain vulnerable to the exploits presented by undetected software flaws. The operating system may have an integrated solution incorporating continuous scanning using ESS and periodic... |
V-254265
|
Medium |
Windows Server 2022 must have a host-based firewall installed and enabled. |
A firewall provides a line of defense against attack, allowing or blocking inbound and outbound connections based on a set of rules.
Satisfies: SRG-OS-000480-GPOS-00227, SRG-OS-000480-GPOS-00232 |
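Added check for the host-based firewall entry, assuming the built-in Windows Defender Firewall is the product in use (a third-party firewall would need its own query). Not part of the STIG.

```powershell
# Added example: every profile enabled, and inbound traffic blocked by default
# (V-254265). DefaultInboundAction 'NotConfigured' falls back to the built-in
# default of Block, so only 'Allow' is treated as non-compliant.
function Get-FirewallProfileFindings {
    Get-NetFirewallProfile | ForEach-Object {
        $enabled = ($_.Enabled -eq 'True')
        $inbound = ($_.DefaultInboundAction -ne 'Allow')
        [pscustomobject]@{
            Profile              = $_.Name
            Enabled              = $_.Enabled
            DefaultInboundAction = $_.DefaultInboundAction
            Compliant            = ($enabled -and $inbound)
        }
    }
}

Get-FirewallProfileFindings | Format-Table -AutoSize

# Remediation for a non-compliant profile:
# Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True -DefaultInboundAction Block
```

If the firewall service (mpssvc) is stopped the cmdlet fails; check Get-Service mpssvc first in that case.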
V-254264
|
Medium |
Windows Server 2022 must have the roles and features required by the system documented. |
Unnecessary roles and features increase the attack surface of a system. Limiting roles and features of a system to only those necessary reduces this potential. The standard installation option (previously called Server Core) further reduces this when selected at installation. |
V-254263
|
Medium |
Windows Server 2022 must implement protection methods such as TLS, encrypted VPNs, or IPsec if the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process. |
Information can be either unintentionally or maliciously disclosed or modified during preparation for transmission, for example, during aggregation, at protocol transformation points, and during packing/unpacking. These unauthorized disclosures or modifications compromise the confidentiality or integrity of the information.
Ensuring the confidentiality of transmitted information requires the operating system to take... |
V-254261
|
Medium |
Windows Server 2022 must have software certificate installation files removed. |
Use of software certificates and their accompanying installation files for end users to access resources is less secure than the use of hardware-based certificates. |
V-254260
|
Medium |
Windows Server 2022 nonsystem-created file shares must limit access to groups that require it. |
Shares on a system provide network access. To prevent exposing sensitive information, where shares are necessary, permissions must be reconfigured to give the minimum access to accounts that require it. |
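Added example for the share-permissions entry (not from the STIG): list the non-system shares and flag share-level ACEs that give broad principals anything more than Read. The list of "broad" principals is an assumption; extend it with any wide groups used locally.

```powershell
# Added example: audit non-system SMB shares (V-254260).
$broad = @('Everyone',
           'NT AUTHORITY\Authenticated Users',
           'BUILTIN\Users',
           'NT AUTHORITY\INTERACTIVE')

# Special = $true marks the administrative shares (C$, ADMIN$, IPC$); skip them.
Get-SmbShare | Where-Object { -not $_.Special } | ForEach-Object {
    $share = $_
    Get-SmbShareAccess -Name $share.Name | ForEach-Object {
        [pscustomobject]@{
            Share   = $share.Name
            Path    = $share.Path
            Account = $_.AccountName
            Type    = $_.AccessControlType
            Right   = $_.AccessRight
            Finding = ($_.AccessControlType -eq 'Allow' -and
                       $broad -contains $_.AccountName -and
                       $_.AccessRight -ne 'Read')
        }
    }
} | Format-Table -AutoSize

# Remediation pattern: remove the broad grant, add the specific group.
# Revoke-SmbShareAccess -Name 'Data' -AccountName 'Everyone' -Force
# Grant-SmbShareAccess  -Name 'Data' -AccountName 'CONTOSO\Data-RW' -AccessRight Change -Force
```

Effective access is the intersection of share permissions and the NTFS ACL on $share.Path, so a Read-only share permission is a backstop, not a substitute for correct NTFS permissions.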
V-254259
|
Medium |
Windows Server 2022 system files must be monitored for unauthorized changes. |
Monitoring system files for changes against a baseline on a regular basis may help detect the possible introduction of malicious code on a system. |
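A minimal baseline-and-compare, as an added example of what "monitored for unauthorized changes against a baseline" means in practice; it is not the STIG's check and not a replacement for a proper file integrity tool. The paths and the SHA-256 choice are assumptions; in a real deployment the baseline file would be stored off-host and signed.

```powershell
# Added example: hash a directory tree into a baseline, then compare (V-254259).
function New-FileBaseline {
    param([string[]]$Paths, [string]$BaselineFile)
    $entries = foreach ($p in $Paths) {
        Get-ChildItem -Path $p -File -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            # Locked or inaccessible files are skipped rather than aborting the run.
            $h = Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
            if ($h) { [pscustomobject]@{ Path = $_.FullName; Hash = $h.Hash } }
        }
    }
    $entries | ConvertTo-Json -Compress | Set-Content -Path $BaselineFile -Encoding UTF8
    @($entries).Count
}

function Compare-FileBaseline {
    param([string]$BaselineFile)
    $baseline = @{}
    foreach ($e in (Get-Content -Path $BaselineFile -Raw | ConvertFrom-Json)) { $baseline[$e.Path] = $e.Hash }

    foreach ($path in $baseline.Keys) {
        if (-not (Test-Path -LiteralPath $path)) {
            [pscustomobject]@{ Path = $path; Status = 'missing' }
            continue
        }
        $h = (Get-FileHash -LiteralPath $path -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
        if ($h -ne $baseline[$path]) { [pscustomobject]@{ Path = $path; Status = 'modified' } }
    }
}

# Usage (a small tree; hashing all of System32 takes a while):
# New-FileBaseline -Paths "$env:windir\System32\drivers" -BaselineFile 'C:\Baselines\drivers.json'
# Compare-FileBaseline -BaselineFile 'C:\Baselines\drivers.json'
```

Compare-FileBaseline only reports files that were in the baseline; new files dropped into the tree need a fresh New-FileBaseline run diffed against the old one. Expect legitimate "modified" rows after Windows Update, which is why the baseline has to be refreshed as part of patching.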
V-254258
|
Medium |
Windows Server 2022 passwords must be configured to expire. |
Passwords that do not expire or are reused increase the exposure of a password with greater probability of being discovered or cracked. |
V-254257
|
Medium |
Windows Server 2022 accounts must require passwords. |
The lack of password protection enables anyone to gain access to the information system, which opens a backdoor opportunity for intruders to compromise the system as well as other resources. Accounts on a system must require passwords. |
V-254256
|
Medium |
Windows Server 2022 outdated or unused accounts must be removed or disabled. |
Outdated or unused accounts provide penetration points that may go undetected. Inactive accounts must be deleted if no longer necessary or, if still required, disabled until needed. |
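The three account entries above (passwords must expire, accounts must require passwords, unused accounts must be removed or disabled) can be audited from one pass over the local users. Added example, not the STIG check; the 35-day inactivity window is an assumption, and only enabled accounts are reported so the disabled built-ins (Guest, DefaultAccount, WDAGUtilityAccount) do not add noise.

```powershell
# Added example: local account hygiene for V-254258, V-254257 and V-254256.
function Get-LocalAccountFindings {
    param([int]$InactiveDays = 35)
    $cutoff = (Get-Date).AddDays(-$InactiveDays)

    foreach ($u in Get-LocalUser) {
        if (-not $u.Enabled) { continue }
        $issues = @()
        if (-not $u.PasswordRequired)      { $issues += 'no password required' }
        if ($null -eq $u.PasswordExpires)  { $issues += 'password never expires' }
        if ($null -eq $u.LastLogon -or $u.LastLogon -lt $cutoff) {
            $issues += "no logon in $InactiveDays days"
        }
        if ($issues) {
            [pscustomobject]@{
                Name   = $u.Name
                SID    = $u.SID.Value
                Issues = ($issues -join '; ')
            }
        }
    }
}

Get-LocalAccountFindings | Format-Table -AutoSize

# Remediation patterns:
# Set-LocalUser -Name 'svc-legacy' -PasswordNeverExpires $false
# net user 'svc-legacy' /passwordreq:yes
# Disable-LocalUser -Name 'old-contractor'
```

Service accounts that never log on interactively will show up under the inactivity test; confirm them against the service list before disabling. On a domain member the same questions are answered by Search-ADAccount -AccountInactive and Get-ADUser -Properties PasswordNeverExpires.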
V-254254
|
Medium |
Windows Server 2022 default permissions for the HKEY_LOCAL_MACHINE registry hive must be maintained. |
The registry is integral to the function, security, and stability of the Windows system. Changing the system's registry permissions allows the possibility of unauthorized and anonymous modification to the operating system. |
V-254253
|
Medium |
Windows Server 2022 permissions for the Windows installation directory must conform to minimum requirements. |
Changing the system's file and directory permissions allows the possibility of unauthorized and anonymous modification to the operating system and installed applications.
The default permissions are adequate when the Security Option "Network access: Let Everyone permissions apply to anonymous users" is set to "Disabled" (WN22-SO-000240).
Satisfies: SRG-OS-000312-GPOS-00122, SRG-OS-000312-GPOS-00123, SRG-OS-000312-GPOS-00124 |
V-254252
|
Medium |
Windows Server 2022 permissions for program file directories must conform to minimum requirements. |
Changing the system's file and directory permissions allows the possibility of unauthorized and anonymous modification to the operating system and installed applications.
The default permissions are adequate when the Security Option "Network access: Let Everyone permissions apply to anonymous users" is set to "Disabled" (WN22-SO-000240).
Satisfies: SRG-OS-000312-GPOS-00122, SRG-OS-000312-GPOS-00123, SRG-OS-000312-GPOS-00124 |
V-254251
|
Medium |
Windows Server 2022 permissions for the system drive root directory (usually C:\) must conform to minimum requirements. |
Changing the system's file and directory permissions allows the possibility of unauthorized and anonymous modification to the operating system and installed applications.
The default permissions are adequate when the Security Option "Network access: Let Everyone permissions apply to anonymous users" is set to "Disabled" (WN22-SO-000240).
Satisfies: SRG-OS-000312-GPOS-00122, SRG-OS-000312-GPOS-00123, SRG-OS-000312-GPOS-00124 |
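The four permission entries above (HKLM hive, Windows directory, program file directories, system drive root) share one audit pattern, and all three file entries defer to WN22-SO-000240. The block below is an added example, not the STIG's own check text. It treats FullControl, ChangePermissions and TakeOwnership for any non-administrative principal as a finding outright, and lists other write-class rights for review against the defaults each entry documents (for example, the default C:\ ACL does give Authenticated Users Modify on subfolders and files). The trusted-principal list is an assumption for a default installation.

```powershell
# Added example: ACL review for V-254254, V-254253, V-254252, V-254251 and the
# EveryoneIncludesAnonymous setting (WN22-SO-000240) they depend on.
$trusted = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'CREATOR OWNER', 'NT SERVICE\TrustedInstaller')
$targets = @("$env:SystemDrive\", $env:windir, $env:ProgramFiles, ${env:ProgramFiles(x86)},
             'HKLM:\SECURITY', 'HKLM:\SOFTWARE', 'HKLM:\SYSTEM') | Where-Object { $_ }

$dangerous  = 'FullControl|ChangePermissions|TakeOwnership'           # never for non-admins
$writeClass = 'Write|Modify|AppendData|CreateFiles|Delete|SetValue|CreateSubKey'  # compare to documented defaults

foreach ($t in $targets) {
    # HKLM:\SECURITY is readable only with ReadControl; a failure here is reported, not fatal.
    $acl = Get-Acl -Path $t -ErrorAction SilentlyContinue
    if (-not $acl) { Write-Warning "Could not read ACL on $t"; continue }

    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $id = $ace.IdentityReference.Value
        if ($trusted -contains $id) { continue }

        # File and registry rules expose different rights properties.
        if ($ace.PSObject.Properties['FileSystemRights']) { $rights = [string]$ace.FileSystemRights }
        else                                             { $rights = [string]$ace.RegistryRights }

        if     ($rights -match $dangerous)  { $level = 'FINDING' }
        elseif ($rights -match $writeClass) { $level = 'REVIEW'  }
        else                                { continue }

        [pscustomobject]@{
            Target    = $t
            Identity  = $id
            Rights    = $rights
            AppliesTo = "$($ace.InheritanceFlags) / $($ace.PropagationFlags)"
            Level     = $level
        }
    }
}

# WN22-SO-000240: "Let Everyone permissions apply to anonymous users" must be Disabled,
# i.e. EveryoneIncludesAnonymous = 0 (or absent).
$lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$anonLevel = if ($lsa.EveryoneIncludesAnonymous -eq 1) { 'FINDING' } else { 'OK' }
[pscustomobject]@{ Target = 'Lsa\EveryoneIncludesAnonymous'; Identity = ''; Rights = [string]$lsa.EveryoneIncludesAnonymous; AppliesTo = ''; Level = $anonLevel }
```

Rows marked REVIEW are not automatically wrong; they are the ACEs to compare, principal by principal, with the default permissions listed in the STIG check text for each location. Restoring a drifted ACL is safest with icacls /restore from a file captured on a known-good system.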
V-254249
|
Medium |
Windows Server 2022 must have a host-based intrusion detection or prevention system. |
A properly configured Host-based Intrusion Detection System (HIDS) or Host-based Intrusion Prevention System (HIPS) provides another level of defense against unauthorized access to critical servers. With proper configuration and logging enabled, such a system can stop and/or alert for many attempts to gain unauthorized access to resources. |
V-254248
|
Medium |
Windows Server 2022 must use an antivirus program. |
Malicious software can establish a base on individual desktops and servers. Employing an automated mechanism to detect this type of software will aid in elimination of the software from the operating system. |
V-254247
|
Medium |
Windows Server 2022 must be maintained at a supported servicing level. |
Systems at unsupported servicing levels will not receive security updates for new vulnerabilities, which leave them subject to exploitation. Systems must be maintained at a servicing level supported by the vendor with new security updates. |
V-254246
|
Medium |
Windows Server 2022 domain-joined systems must have a Trusted Platform Module (TPM) enabled and ready for use. |
Credential Guard uses virtualization-based security to protect data that could be used in credential theft attacks if compromised. A number of system requirements must be met in order for Credential Guard to be configured and enabled properly. Without a TPM enabled and ready for use, Credential Guard keys are stored... |
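Added check for the TPM entry that also reports whether Credential Guard is actually running, since that is what the TPM is needed for here. Not part of the STIG; Get-Tpm needs elevation, and the Win32_DeviceGuard status codes used in the comments are the ones documented for that class.

```powershell
# Added example: TPM readiness (V-254246) plus the Credential Guard runtime state.
function Get-CredentialGuardPrereqs {
    $tpm = Get-Tpm
    $dg  = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
    $cs  = Get-CimInstance -ClassName Win32_ComputerSystem

    [pscustomobject]@{
        DomainJoined           = $cs.PartOfDomain
        TpmPresent             = $tpm.TpmPresent
        TpmReady               = $tpm.TpmReady          # owned, activated, enabled
        TpmEnabled             = $tpm.TpmEnabled
        # VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running
        VbsStatus              = $dg.VirtualizationBasedSecurityStatus
        # SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI
        CredentialGuardRunning = ($dg.SecurityServicesRunning -contains 1)
        Compliant              = (-not $cs.PartOfDomain) -or ($tpm.TpmPresent -and $tpm.TpmReady)
    }
}

Get-CredentialGuardPrereqs
```

TpmReady $false with TpmPresent $true usually means the TPM is present but not initialised; Initialize-Tpm (or the firmware's "clear TPM" option followed by a reboot) brings it to the ready state this entry requires.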
V-254245
|
Medium |
Windows Server 2022 must employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. |
Using an allowlist provides a configuration management method to allow the execution of only authorized software. Using only authorized software decreases risk by limiting the number of potential vulnerabilities.
The organization must identify authorized software programs and only permit execution of authorized software. The process used to identify software programs... |
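Added example for the allowlisting entry using AppLocker, one of the two supported mechanisms (Windows Defender Application Control is the other and is not covered here). This is not the STIG's check text. The probe copies a Microsoft-signed binary into a user-writable directory to show the difference between a path rule and a publisher rule; the paths are illustrative.

```powershell
# Added example: verify an enforced AppLocker policy and probe it (V-254245).
$svc = Get-Service -Name AppIDSvc
if ($svc.Status -ne 'Running') { Write-Warning 'Application Identity service is not running; AppLocker is not enforcing.' }

$policy = Get-AppLockerPolicy -Effective
if ($null -eq $policy) { Write-Warning 'No effective AppLocker policy'; return }

# Every rule collection must be in Enabled (enforce) mode, not AuditOnly, for a
# deny-all/permit-by-exception posture.
$policy.RuleCollections | ForEach-Object {
    [pscustomobject]@{ Collection = $_.RuleCollectionType; Mode = $_.EnforcementMode }
} | Format-Table -AutoSize

# Probe: the same signed binary from System32 and from a user-writable location.
# A default path rule allows the first only; a publisher rule would allow both.
$probe = Join-Path $env:TEMP 'probe-notepad.exe'
Copy-Item -Path "$env:windir\System32\notepad.exe" -Destination $probe -Force
try {
    Test-AppLockerPolicy -PolicyObject $policy -Path "$env:windir\System32\notepad.exe", $probe -User 'Everyone' |
        Select-Object FilePath, PolicyDecision, MatchingRule
} finally {
    Remove-Item -Path $probe -Force -ErrorAction SilentlyContinue
}
```

If the second probe comes back Allowed, the policy contains a rule broad enough to cover arbitrary locations (typically a publisher rule for Microsoft-signed code), which is worth knowing before relying on the allowlist to stop living-off-the-land tooling.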
V-254244
|
Medium |
Windows Server 2022 shared user accounts must not be permitted. |
Shared accounts (accounts where two or more people log on with the same user identification) do not provide adequate identification and authentication. There is no way to provide for nonrepudiation or individual accountability for system access and resource usage. |
V-254243
|
Medium |
Windows Server 2022 manually managed application account passwords must be changed at least annually or when a system administrator with knowledge of the password leaves the organization. |
Setting application account passwords to expire may cause applications to stop functioning. However, not changing them on a regular basis exposes them to attack. If managed service accounts are used, this alleviates the need to manually change application account passwords. |
V-254242
|
Medium |
Windows Server 2022 manually managed application account passwords must be at least 14 characters in length. |
Application/service account passwords must be of sufficient length to prevent being easily cracked. Application/service accounts that are manually managed must have passwords at least 14 characters in length. |
V-254241
|
Medium |
Windows Server 2022 members of the Backup Operators group must have separate accounts for backup duties and normal operational tasks. |
Backup Operators are able to read and write to any file in the system, regardless of the rights assigned to it. Backup and restore rights permit users to circumvent the file access restrictions present on NTFS disk drives for backup and restore purposes. Members of the Backup Operators group must... |
V-254239
|
Medium |
Windows Server 2022 passwords for the built-in Administrator account must be changed at least every 60 days. |
The longer a password is in use, the greater the opportunity for someone to gain unauthorized knowledge of the password. The built-in Administrator account is not generally used and its password may not be changed as frequently as necessary. Changing the password for the built-in Administrator account on a regular... |
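The annual rotation for manually managed application accounts and the 60-day rotation for the built-in Administrator can be audited together from password age. Added example, not STIG check text: service logon accounts are discovered from the service list (managed service accounts, whose names end in "$", are skipped because their passwords rotate automatically), and the built-in Administrator is recognised by its RID of 500 rather than its name, which may have been changed.

```powershell
# Added example: password age for service accounts (V-254243) and the built-in
# Administrator (V-254239), local accounts only.
function Get-PasswordAgeFindings {
    $now = Get-Date

    # Local account names used as service logons, excluding built-in and managed identities.
    $serviceLogons = Get-CimInstance -ClassName Win32_Service |
        Where-Object {
            $_.StartName -and
            $_.StartName -notmatch '^(LocalSystem|NT AUTHORITY\\|NT SERVICE\\)' -and
            $_.StartName -notlike '*$'
        } |
        ForEach-Object { ($_.StartName -split '\\')[-1] } | Sort-Object -Unique

    foreach ($u in Get-LocalUser) {
        $isBuiltinAdmin = $u.SID.Value -like 'S-1-5-21-*-500'
        $isServiceAcct  = $serviceLogons -contains $u.Name
        if (-not ($isBuiltinAdmin -or $isServiceAcct)) { continue }

        $age   = if ($u.PasswordLastSet) { [int]($now - $u.PasswordLastSet).TotalDays } else { $null }
        $limit = if ($isBuiltinAdmin) { 60 } else { 365 }
        $role  = if ($isBuiltinAdmin) { 'built-in Administrator' } else { 'service logon' }

        [pscustomobject]@{
            Name            = $u.Name
            Role            = $role
            PasswordAgeDays = $age
            LimitDays       = $limit
            Finding         = ($null -eq $age -or $age -gt $limit)
        }
    }
}

Get-PasswordAgeFindings | Format-Table -AutoSize
```

Domain service accounts do not appear in Get-LocalUser; query them with Get-ADUser -Properties PasswordLastSet using the same 365-day threshold, and prefer converting them to group managed service accounts so the rotation stops being manual at all.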
V-254238
|
Medium |
Windows Server 2022 users with Administrative privileges must have separate accounts for administrative duties and normal operational tasks. |
Using a privileged account to perform routine functions makes the computer vulnerable to malicious software inadvertently introduced during a session that has been granted full privileges. |
V-254357
|
Low |
Windows Server 2022 Windows Update must not obtain updates from other PCs on the internet. |
Windows Update can obtain updates from additional sources instead of Microsoft. In addition to Microsoft, updates can be obtained from and sent to PCs on the local network as well as on the internet. This is part of the Windows Update trusted process; however, to minimize outside exposure, obtaining updates... |
V-254351
|
Low |
Windows Server 2022 Application Compatibility Program Inventory must be prevented from collecting data and sending the information to Microsoft. |
Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and will prevent uncontrolled updates to the system.
This setting will prevent the Program Inventory from collecting... |
V-254338
|
Low |
Windows Server 2022 must be configured to ignore NetBIOS name release requests except from WINS servers. |
Configuring the system to ignore name release requests, except from WINS servers, prevents a denial of service (DoS) attack. The DoS consists of sending a NetBIOS name release request to the server for each entry in the server's cache, causing a response delay in the normal operation of the server's... |
V-254337
|
Low |
Windows Server 2022 must be configured to prevent Internet Control Message Protocol (ICMP) redirects from overriding Open Shortest Path First (OSPF)-generated routes. |
Allowing ICMP redirects to override routes can lead to traffic not being routed properly. When ICMP redirects are ignored, the routes generated by OSPF (shortest path first) remain in effect. |
V-254336
|
Low |
Windows Server 2022 source routing must be configured to the highest protection level to prevent Internet Protocol (IP) source routing. |
Configuring the system to disable IP source routing protects against spoofing. |
V-254335
|
Low |
Windows Server 2022 Internet Protocol version 6 (IPv6) source routing must be configured to the highest protection level to prevent IP source routing. |
Configuring the system to disable IPv6 source routing protects against spoofing. |
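The five Low entries above (Windows Update peering, Program Inventory, NetBIOS name release, ICMP redirects, IPv4 and IPv6 source routing) are each a single registry value under a policy key. The block below is an added example, not the STIG check text, that audits all of them and, with -Remediate, sets the compliant value. A missing value is counted as a finding, since each entry expects the policy to be set explicitly; for DODownloadMode the finding condition is the Internet mode (3), and 0 is used as the remediation value.

```powershell
# Added example: registry audit/remediation for V-254357, V-254351, V-254338,
# V-254337, V-254336 and V-254335.
function Test-NetworkPolicyValues {
    param([switch]$Remediate)

    $checks = @(
        @{ Id = 'V-254357'; Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization'
           Name = 'DODownloadMode';         Ok = { param($v) $null -ne $v -and $v -ne 3 }; Fix = 0 }
        @{ Id = 'V-254351'; Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppCompat'
           Name = 'DisableInventory';       Ok = { param($v) $v -eq 1 }; Fix = 1 }
        @{ Id = 'V-254338'; Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netbt\Parameters'
           Name = 'NoNameReleaseOnDemand';  Ok = { param($v) $v -eq 1 }; Fix = 1 }
        @{ Id = 'V-254337'; Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
           Name = 'EnableICMPRedirect';     Ok = { param($v) $v -eq 0 }; Fix = 0 }
        @{ Id = 'V-254336'; Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
           Name = 'DisableIPSourceRouting'; Ok = { param($v) $v -eq 2 }; Fix = 2 }
        @{ Id = 'V-254335'; Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'
           Name = 'DisableIPSourceRouting'; Ok = { param($v) $v -eq 2 }; Fix = 2 }
    )

    foreach ($c in $checks) {
        $value = $null
        if (Test-Path -Path $c.Path) {
            $value = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).$($c.Name)
        }
        $ok = & $c.Ok $value

        if (-not $ok -and $Remediate) {
            if (-not (Test-Path -Path $c.Path)) { New-Item -Path $c.Path -Force | Out-Null }
            New-ItemProperty -Path $c.Path -Name $c.Name -PropertyType DWord -Value $c.Fix -Force | Out-Null
            $value = $c.Fix
            $ok = $true
        }

        [pscustomobject]@{ Id = $c.Id; Key = $c.Path; Value = $c.Name; Current = $value; Compliant = $ok }
    }
}

Test-NetworkPolicyValues | Format-Table -AutoSize
# Test-NetworkPolicyValues -Remediate
```

The Tcpip and Netbt values are read by the drivers at start, so a remediation of those three takes effect only after a reboot; the two Policies values apply on the next policy refresh. On a domain member, set them through Group Policy rather than here, or the next gpupdate may revert them.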
V-254281
|
Low |
The Windows Server 2022 time service must synchronize with an appropriate DOD time source. |
The Windows Time Service controls time synchronization settings. Time synchronization is essential for authentication and auditing purposes. If the Windows Time Service is used, it must synchronize with a secure, authorized time source. Domain-joined systems are automatically configured to synchronize with domain controllers. If an NTP server is configured, it... |
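Added check for the time source entry, not part of the STIG. A domain member using the domain hierarchy (Type = NT5DS) is compliant by construction; a stand-alone NTP client must point only at an approved source. The approved list here is an assumption; substitute the organization's authorized DOD time source.

```powershell
# Added example: validate the W32Time configuration (V-254281).
function Test-TimeSourceConfig {
    param([string[]]$Approved = @('tick.usno.navy.mil', 'tock.usno.navy.mil'))   # assumed list

    $p = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'

    # NtpServer is a space-separated list of "host,flags" entries, e.g. "tick.usno.navy.mil,0x9".
    $servers = @()
    if ($p.Type -eq 'NTP') {
        $servers = @($p.NtpServer -split '\s+' | ForEach-Object { ($_ -split ',')[0] } | Where-Object { $_ })
    }
    $unapproved = @($servers | Where-Object { $Approved -notcontains $_ })

    [pscustomobject]@{
        Type       = $p.Type                         # NT5DS (domain), NTP (manual), NoSync
        NtpServers = ($servers -join ' ')
        Unapproved = ($unapproved -join ' ')
        LiveSource = (w32tm /query /source)          # what the service is actually syncing from now
        Compliant  = ($p.Type -eq 'NT5DS') -or ($servers.Count -gt 0 -and $unapproved.Count -eq 0)
    }
}

Test-TimeSourceConfig
```

LiveSource reading "Local CMOS Clock" on a configured client means the service is not reaching its source; w32tm /resync and the event log for the Time-Service provider show why.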
V-254255
|
Low |
Windows Server 2022 nonadministrative accounts or groups must only have print permissions on printer shares. |
Windows shares are a means by which files, folders, printers, and other resources can be published for network users to access. Improper configuration can permit access to devices and data beyond a user's need. |
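Added example for the printer-share entry, not STIG check text. Get-Printer -Full exposes each printer's security descriptor as SDDL; the block decodes it and flags printer-level ACEs that grant non-administrative principals anything beyond Print. The access mask bits come from winspool.h (PRINTER_ACCESS_USE = 0x8 is "Print", PRINTER_ACCESS_ADMINISTER = 0x4 is "Manage this printer"); READ_CONTROL (0x20000) accompanies Print in the default ACL and is allowed. Inherit-only ACEs apply to print jobs ("Manage documents") and are listed for review rather than judged. The administrative SID list is an assumption.

```powershell
# Added example: printer share permission review (V-254255).
$adminSids = @('S-1-5-32-544', 'S-1-5-18', 'S-1-5-32-550')   # Administrators, SYSTEM, Print Operators
$printAllowed = 0x8 -bor 0x20000                              # PRINTER_ACCESS_USE | READ_CONTROL

foreach ($printer in (Get-Printer -Full | Where-Object Shared)) {
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor $printer.PermissionSDDL

    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace.AceType -ne 'AccessAllowed') { continue }
        $sid = $ace.SecurityIdentifier
        if ($adminSids -contains $sid.Value) { continue }

        try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = $sid.Value }

        # InheritOnly ACEs never apply to the printer object itself, only to its jobs.
        $inheritOnly = ($ace.AceFlags -band [System.Security.AccessControl.AceFlags]::InheritOnly) -ne 0
        $extraBits   = $ace.AccessMask -band (-bnot $printAllowed)

        [pscustomobject]@{
            Printer   = $printer.Name
            ShareName = $printer.ShareName
            Principal = $name
            Scope     = if ($inheritOnly) { 'documents (review)' } else { 'printer' }
            Mask      = ('0x{0:X}' -f $ace.AccessMask)
            Finding   = (-not $inheritOnly -and $extraBits -ne 0)
        }
    }
}
```

A printer-scope row with bit 0x4 set is "Manage this printer" for that principal; the fix is made in the printer's Security tab (or with Set-Printer -PermissionSDDL using a descriptor captured from a correctly configured printer), leaving non-administrators with Print only.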