Microsoft Windows Server 2012/2012 R2 Domain Controller Security Technical Implementation Guide
Pick two releases to diff their requirements.
Open a previous version of this STIG.
Digest of Updates ✎ 2
Comparison against the immediately-prior release (V3R3). Rule matching uses the Group Vuln ID. Content-change detection compares the rule’s description, check, and fix text after stripping inline markup — cosmetic-only edits aren’t flagged.
Content changes 2
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- WN12-00-000001
- Vuln IDs
-
- V-226029
- V-1070
- Rule IDs
-
- SV-226029r794397_rule
- SV-52838
Checks: C-27731r475410_chk
Verify servers are located in controlled access areas that are accessible only to authorized personnel. If systems are not adequately protected, this is a finding.
Fix: F-27719r475411_fix
Ensure servers are located in secure, access-controlled areas.
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- WN12-00-000004
- Vuln IDs
-
- V-226030
- V-36658
- Rule IDs
-
- SV-226030r794369_rule
- SV-51575
Checks: C-27732r475413_chk
Review the necessary documentation that identifies the members of the Administrators group. If a list of all users belonging to the Administrators group is not maintained with the ISSO, this is a finding.
Fix: F-27720r475414_fix
Create the necessary documentation that identifies the members of the Administrators group.
- RMF Control
- CM-6
- Severity
- H
- CCI
- CCI-000366
- Version
- WN12-00-000005
- Vuln IDs
-
- V-226031
- V-36659
- Rule IDs
-
- SV-226031r794370_rule
- SV-51576
Checks: C-27733r475416_chk
Verify each user with administrative privileges has been assigned a unique administrative account separate from their standard user account. If users with administrative privileges do not have separate accounts for administrative functions and standard user functions, this is a finding.
Fix: F-27721r475417_fix
Ensure each user with administrative privileges has a separate account for user duties and one for privileged duties.
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- WN12-00-000006
- Vuln IDs
-
- V-226032
- V-36666
- Rule IDs
-
- SV-226032r794371_rule
- SV-51577
Checks: C-27734r475419_chk
Determine whether the site has a policy that requires SAs be trained for all operating systems running on systems under their control. If the site does not have a policy requiring SAs be trained for all operating systems under their control, this is a finding.
Fix: F-27722r475420_fix
Establish site policy that requires SAs be trained for all operating systems running on systems under their control.
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- WN12-00-000007
- Vuln IDs
-
- V-226033
- V-14225
- Rule IDs
-
- SV-226033r794811_rule
- SV-52942
Checks: C-27735r475422_chk
Review the password last set date for the built-in Administrator account. Domain controllers: Open "Windows PowerShell". Enter "Get-ADUser -Filter * -Properties SID, PasswordLastSet | Where SID -Like "*-500" | FL Name, SID, PasswordLastSet". If the "PasswordLastSet" date is greater than one year old, this is a finding. Member servers and standalone systems: Open "Windows PowerShell" or "Command Prompt". Enter 'Net User [account name] | Find /i "Password Last Set"', where [account name] is the name of the built-in administrator account. (The name of the built-in Administrator account must be changed to something other than "Administrator" per STIG requirements.) If the "PasswordLastSet" date is greater than one year old, this is a finding.
Fix: F-27723r794810_fix
Change the built-in Administrator account password at least annually or whenever an administrator leaves the organization. More frequent changes are recommended. It is highly recommended to use Microsoft's LAPS, which may be used on domain-joined member servers to accomplish this.
- RMF Control
- CM-6
- Severity
- H
- CCI
- CCI-000366
- Version
- WN12-00-000008
- Vuln IDs
-
- V-226034
- V-36451
- Rule IDs
-
- SV-226034r794692_rule
- SV-51578
Checks: C-27736r475425_chk
Determine whether administrative accounts are prevented from using applications that access the Internet, such as web browsers, or with potential Internet sources, such as email, except as necessary for local service administration. The organization must have a policy that prohibits administrative accounts from using applications that access the Internet, such as web browsers, or with potential Internet sources, such as email, except as necessary for local service administration. The policy should define specific exceptions for local service administration. These exceptions may include HTTP(S)-based tools that are used for the administration of the local system, services, or attached devices. Technical measures such as the removal of applications or application whitelisting must be used where feasible to prevent the use of applications that access the Internet. If accounts with administrative privileges are not prevented from using applications that access the Internet or with potential Internet sources, this is a finding.
Fix: F-27724r794691_fix
Establish and enforce a policy that prohibits administrative accounts from using applications that access the Internet, such as web browsers, or with potential Internet sources, such as email. Define specific exceptions for local service administration. These exceptions may include HTTP(S)-based tools that are used for the administration of the local system, services, or attached devices. Implement technical measures where feasible such as removal of applications or use of application whitelisting to restrict the use of applications that can access the Internet.
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- WN12-00-000009-01
- Vuln IDs
-
- V-226035
- V-1168
- Rule IDs
-
- SV-226035r794374_rule
- SV-52156
Checks: C-27737r475428_chk
If no accounts are members of the Backup Operators group, this is NA. Any accounts that are members of the Backup Operators group, including application accounts, must be documented with the ISSO. If documentation of accounts that are members of the Backup Operators group is not maintained this is a finding.
Fix: F-27725r475429_fix
Create the necessary documentation that identifies the members of the Backup Operators group.
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- WN12-00-000009-02
- Vuln IDs
-
- V-226036
- V-40198
- Rule IDs
-
- SV-226036r794375_rule
- SV-52157
Checks: C-27738r475431_chk
If no accounts are members of the Backup Operators group, this is NA. Verify users with accounts in the Backup Operators group have a separate user account for backup functions and for performing normal user tasks. If users with accounts in the Backup Operators group do not have separate accounts for backup functions and standard user functions, this is a finding.
Fix: F-27726r475432_fix
Ensure each member of the Backup Operators group has separate accounts for backup functions and standard user functions.
- RMF Control
- IA-5
- Severity
- M
- CCI
- CCI-000205
- Version
- WN12-00-000010
- Vuln IDs
-
- V-226037
- V-36661
- Rule IDs
-
- SV-226037r794297_rule
- SV-51579
Checks: C-27739r475434_chk
Verify the site has a policy to ensure passwords for manually managed application/service accounts are at least 15 characters in length. If such a policy does not exist or has not been implemented, this is a finding.
Fix: F-27727r475435_fix
Establish a site policy that requires application/service account passwords that are manually managed to be at least 15 characters in length. Ensure the policy is enforced.
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- WN12-00-000011
- Vuln IDs
-
- V-226038
- V-36662
- Rule IDs
-
- SV-226038r794376_rule
- SV-51580
Checks: C-27740r475437_chk
Determine if manually managed application/service accounts exist. If none exist, this is NA. If passwords for manually managed application/service accounts are not changed at least annually or when an administrator with knowledge of the password leaves the organization, this is a finding. Identify manually managed application/service accounts. To determine the date a password was last changed: Domain controllers: Open "Windows PowerShell". Enter "Get-ADUser -Identity [application account name] -Properties PasswordLastSet | FL Name, PasswordLastSet", where [application account name] is the name of the manually managed application/service account. If the "PasswordLastSet" date is more than one year old, this is a finding. Member servers and standalone systems: Open "Windows PowerShell" or "Command Prompt". Enter 'Net User [application account name] | Find /i "Password Last Set"', where [application account name] is the name of the manually managed application/service account. If the "Password Last Set" date is more than one year old, this is a finding.
Fix: F-27728r475438_fix
Change passwords for manually managed application/service accounts at least annually or when an administrator with knowledge of the password leaves the organization. It is recommended that system-managed service accounts be used where possible.
- RMF Control
- IA-2
- Severity
- M
- CCI
- CCI-000764
- Version
- WN12-00-000012
- Vuln IDs
-
- V-226039
- V-1072
- Rule IDs
-
- SV-226039r794694_rule
- SV-52839
Checks: C-27741r475440_chk
Determine whether any shared accounts exist. If no shared accounts exist, this is NA. Shared accounts, such as required by an application, may be approved by the organization. This must be documented with the ISSO. Documentation must include the reason for the account, who has access to the account, and how the risk of using the shared account is mitigated to include monitoring account activity. If unapproved shared accounts exist, this is a finding.
Fix: F-27729r794693_fix
Remove unapproved shared accounts from the system. Document required shared accounts with the ISSO. Documentation must include the reason for the account, who has access to the account, and how the risk of using the shared account is mitigated, to include monitoring account activity.
- RMF Control
- CM-6
- Severity
- L
- CCI
- CCI-000366
- Version
- WN12-00-000013
- Vuln IDs
-
- V-226040
- V-1128
- Rule IDs
-
- SV-226040r794377_rule
- SV-52859
Checks: C-27742r475443_chk
Verify security configuration tools or equivalent processes are being used to configure Windows systems to meet security requirements. If security configuration tools or equivalent processes are not used, this is a finding. Security configuration tools that are integrated into Windows, such as Group Policies and Security Templates, may be used to configure platforms for security compliance. If an alternate method is used to configure a system (e.g., manually using the DISA Windows Security STIGs, etc.) and the same configured result is achieved, this is acceptable.
Fix: F-27730r475444_fix
Implement a process using security configuration tools or the equivalent to configure Windows systems to meet security requirements.
- RMF Control
- CM-6
- Severity
- L
- CCI
- CCI-000366
- Version
- WN12-00-000014
- Vuln IDs
-
- V-226041
- V-1076
- Rule IDs
-
- SV-226041r794378_rule
- SV-52841
Checks: C-27743r475446_chk
Determine whether system-level information is backed up in accordance with local recovery time and recovery point objectives. If system-level information is not backed up in accordance with local recovery time and recovery point objectives, this is a finding.
Fix: F-27731r475447_fix
Implement system-level information backups in accordance with local recovery time and recovery point objectives.
- RMF Control
- CM-6
- Severity
- L
- CCI
- CCI-000366
- Version
- WN12-00-000015
- Vuln IDs
-
- V-226042
- V-36733
- Rule IDs
-
- SV-226042r794312_rule
- SV-51581
Checks: C-27744r475449_chk
Determine whether user-level information is backed up in accordance with local recovery time and recovery point objectives. If user-level information is not backed up in accordance with local recovery time and recovery point objectives, this is a finding.
Fix: F-27732r475450_fix
Implement user-level information backups in accordance with local recovery time and recovery point objectives.
- RMF Control
- CM-6
- Severity
- L
- CCI
- CCI-000366
- Version
- WN12-00-000016
- Vuln IDs
-
- V-226043
- V-40172
- Rule IDs
-
- SV-226043r794313_rule
- SV-52130
Checks: C-27745r475452_chk
Determine if system-level information backups are protected from destruction and stored in a physically secure location. If they are not, this is a finding.
Fix: F-27733r475453_fix
Ensure system-level information backups are stored in a secure location and protected from destruction.
- RMF Control
- CM-6
- Severity
- L
- CCI
- CCI-000366
- Version
- WN12-00-000017
- Vuln IDs
-
- V-226044
- V-40173
- Rule IDs
-
- SV-226044r794314_rule
- SV-52131
Checks: C-27746r475455_chk
Determine whether system-related documentation is backed up in accordance with local recovery time and recovery point objectives. If system-related documentation is not backed up in accordance with local recovery time and recovery point objectives, this is a finding.
Fix: F-27734r475456_fix
Back up system-related documentation in accordance with local recovery time and recovery point objectives.
- RMF Control
- CM-7
- Severity
- M
- CCI
- CCI-001774
- Version
- WN12-00-000018
- Vuln IDs
-
- V-226045
- V-57637
- Rule IDs
-
- SV-226045r794696_rule
- SV-72047
Checks: C-27747r475458_chk
This is applicable to unclassified systems; for other systems this is NA. Verify the operating system employs a deny-all, permit-by-exception policy to allow the execution of authorized software programs. If an application whitelisting program is not in use on the system, this is a finding. Configuration of whitelisting applications will vary by the program. AppLocker is a whitelisting application built into Windows Server 2012. A deny-by-default implementation is initiated by enabling any AppLocker rules within a category, only allowing what is specified by defined rules. If AppLocker is used, perform the following to view the configuration of AppLocker: Open PowerShell. If the AppLocker PowerShell module has not been previously imported, execute the following first: Import-Module AppLocker Execute the following command, substituting [c:\temp\file.xml] with a location and file name appropriate for the system: Get-AppLockerPolicy -Effective -XML > c:\temp\file.xml This will produce an xml file with the effective settings that can be viewed in a browser or opened in a program such as Excel for review. Implementation guidance for AppLocker is available in the NSA paper "Application Whitelisting using Microsoft AppLocker" at the following link: https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm
Fix: F-27735r794695_fix
Configure an application whitelisting program to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. Configuration of whitelisting applications will vary by the program. AppLocker is a whitelisting application built into Windows Server 2012. If AppLocker is used, it is configured through group policy in Computer Configuration >> Windows Settings >> Security Settings >> Application Control Policies >> AppLocker. Implementation guidance for AppLocker is available in the NSA paper "Application Whitelisting using Microsoft AppLocker" at the following link: https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm
- RMF Control
- SC-8
- Severity
- M
- CCI
- CCI-002420
- Version
- WN12-00-000019
- Vuln IDs
-
- V-226046
- V-57641
- Rule IDs
-
- SV-226046r794407_rule
- SV-72051
Checks: C-27748r475461_chk
If the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process, verify protection methods such as TLS, encrypted VPNs, or IPSEC have been implemented. If protection methods have not been implemented, this is a finding.
Fix: F-27736r794697_fix
Configure protection methods such as TLS, encrypted VPNs, or IPSEC when the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process to maintain the confidentiality and integrity.
- RMF Control
- SC-28
- Severity
- M
- CCI
- CCI-001199
- Version
- WN12-00-000020
- Vuln IDs
-
- V-226047
- V-57645
- Rule IDs
-
- SV-226047r794315_rule
- SV-72055
Checks: C-27749r475464_chk
Verify systems that require additional protections due to factors such as inadequate physical protection or sensitivity of the data employ encryption to protect the confidentiality and integrity of all information at rest. If it does not, this is a finding.
Fix: F-27737r475465_fix
Configure systems that require additional protections due to factors such as inadequate physical protection or sensitivity of the data to employ encryption to protect the confidentiality and integrity of all information at rest.
- RMF Control
- CM-6
- Severity
- H
- CCI
- CCI-000366
- Version
- WN12-00-000100
- Vuln IDs
-
- V-226048
- V-1074
- Rule IDs
-
- SV-226048r794379_rule
- SV-52103
Checks: C-27750r475467_chk
Verify an anti-virus solution is installed on the system. The anti-virus solution may be bundled with an approved host-based security solution. If there is no anti-virus solution installed on the system, this is a finding.
Fix: F-27738r475468_fix
Install an anti-virus solution on the system.
- RMF Control
- CM-7
- Severity
- M
- CCI
- CCI-000381
- Version
- WN12-00-000160
- Vuln IDs
-
- V-226049
- V-73805
- Rule IDs
-
- SV-226049r794699_rule
- SV-88471
Checks: C-27751r475470_chk
This requirement applies to Windows 2012 R2, it is NA for Windows 2012 (see V-73519 and V-73523 for 2012 requirements). Different methods are available to disable SMBv1 on Windows 2012 R2. This is the preferred method, however if V-73519 and V-73523 are configured, this is NA. Run "Windows PowerShell" with elevated privileges (run as administrator). Enter the following: Get-WindowsOptionalFeature -Online | Where FeatureName -eq SMB1Protocol If "State : Enabled" is returned, this is a finding. Alternately: Search for "Features". Select "Turn Windows features on or off". If "SMB 1.0/CIFS File Sharing Support" is selected, this is a finding.
Fix: F-27739r794698_fix
Run "Windows PowerShell" with elevated privileges (run as administrator). Enter the following: Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol Alternately: Search for "Features". Select "Turn Windows features on or off". De-select "SMB 1.0/CIFS File Sharing Support". The system must be restarted for the changes to take effect.
- RMF Control
- CM-7
- Severity
- M
- CCI
- CCI-000381
- Version
- WN12-00-000170
- Vuln IDs
-
- V-226050
- V-73519
- Rule IDs
-
- SV-226050r794701_rule
- SV-88193
Checks: C-27752r475473_chk
This requirement specifically applies to Windows 2012 but can also be used for Windows 2012 R2. Different methods are available to disable SMBv1 on Windows 2012 R2, if V-73805 is configured on Windows 2012 R2, this is NA. If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\ Value Name: SMB1 Type: REG_DWORD Value: 0x00000000 (0)
Fix: F-27740r794700_fix
Configure the policy value for Computer Configuration >> Administrative Templates >> MS Security Guide >> "Configure SMBv1 Server" to "Disabled". The system must be restarted for the change to take effect. This policy setting requires the installation of the SecGuide custom templates included with the STIG package. "SecGuide.admx" and "SecGuide.adml" must be copied to the \Windows\PolicyDefinitions and \Windows\PolicyDefinitions\en-US directories respectively.
- RMF Control
- CM-7
- Severity
- M
- CCI
- CCI-000381
- Version
- WN12-00-000180
- Vuln IDs
-
- V-226051
- V-73523
- Rule IDs
-
- SV-226051r794766_rule
- SV-88205
Checks: C-27753r475476_chk
This requirement specifically applies to Windows 2012 but can also be used for Windows 2012 R2. Different methods are available to disable SMBv1 on Windows 2012 R2, if V-73805 is configured on Windows 2012 R2, this is NA. If the following registry value is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Services\mrxsmb10\ Value Name: Start Type: REG_DWORD Value: 0x00000004 (4) If the following registry value includes MRxSmb10, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Services\LanmanWorkstation\ Value Name: DependOnService Type: REG_MULTI_SZ Value: Default values after removing MRxSmb10 include the following, which are not a finding: Bowser MRxSmb20 NSI
Fix: F-27741r794765_fix
Configure the policy value for Computer Configuration >> Administrative Templates >> MS Security Guide >> "Configure SMBv1 client driver" to "Enabled" with "Disable driver (recommended)" selected for "Configure MrxSmb10 driver". Configure the policy value for Computer Configuration >> Administrative Templates >> MS Security Guide >> "Configure SMBv1 client (extra setting needed for pre-Win8.1/2012R2)" to "Enabled" with the following three lines of text entered for "Configure LanmanWorkstation Dependencies": Bowser MRxSmb20 NSI The system must be restarted for the changes to take effect. These policy settings requires the installation of the SecGuide custom templates included with the STIG package. "SecGuide.admx" and "SecGuide.adml" must be copied to the \Windows\PolicyDefinitions and \Windows\PolicyDefinitions\en-US directories respectively.
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- WN12-00-000190
- Vuln IDs
-
- V-226052
- V-75915
- Rule IDs
-
- SV-226052r794380_rule
- SV-90603
Checks: C-27754r475479_chk
Review the effective User Rights setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. Review each User Right listed for any unresolved SIDs to determine whether they are valid, such as due to being temporarily disconnected from the domain. (Unresolved SIDs have the format of "*S-1-…".) If any unresolved SIDs exist and are not for currently valid accounts or groups, this is a finding.
Fix: F-27742r475480_fix
Remove any unresolved SIDs found in User Rights assignments and determined to not be for currently valid accounts or groups by removing the accounts or groups from the appropriate group policy.
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- WN12-00-000200
- Vuln IDs
-
- V-226053
- V-80473
- Rule IDs
-
- SV-226053r794790_rule
- SV-95179
Checks: C-27755r475482_chk
Open "Windows PowerShell". Enter "$PSVersionTable". If the value for "PSVersion" is not 4.0 or 5.x, this is a finding. Windows 2012 R2 includes PowerShell 4.0 by default. Windows 2012 must be updated. If PowerShell 4.0 is used, the required patch for script block logging will be verified with the requirement to have that enabled.
Fix: F-27743r794789_fix
Update Windows PowerShell to version 4.0 or 5.x. Windows 2012 R2 includes PowerShell 4.0 by default. It may be updated with the installation of Windows Management Framework (WMF) 5.0 or 5.1. Windows 2012 requires the installation of WMF 4.0, 5.0, or 5.1. Updating to a later PowerShell version may have compatibility issues with some applications. The following links should be reviewed and updates tested before applying to a production environment. WMF 4.0: Review the System Requirements under the download link - https://www.microsoft.com/en-us/download/details.aspx?id=40855 WMF 5.0: https://docs.microsoft.com/en-us/powershell/wmf/5.0/productincompat WMF 5.1: https://docs.microsoft.com/en-us/powershell/wmf/5.1/productincompat
- RMF Control
- AU-3
- Severity
- M
- CCI
- CCI-000135
- Version
- WN12-00-000210
- Vuln IDs
-
- V-226054
- V-80475
- Rule IDs
-
- SV-226054r794758_rule
- SV-95183
Checks: C-27756r475485_chk
If the following registry value does not exist or is not configured as specified, this is a finding. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging\ Value Name: EnableScriptBlockLogging Value Type: REG_DWORD Value: 0x00000001 (1) PowerShell 4.0 requires the installation of patch KB3000850 on Windows 2012 R2 or KB3119938 on Windows 2012. If the patch is not installed on systems with PowerShell 4.0, this is a finding. PowerShell 5.x does not require the installation of an additional patch.
Fix: F-27744r794757_fix
Configure the following registry value as specified. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging\ Value Name: EnableScriptBlockLogging Value Type: REG_DWORD Value: 0x00000001 (1) Administrative templates from later versions of Windows include a group policy setting for this. Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Windows PowerShell >> "Turn on PowerShell Script Block Logging" to "Enabled". Install patch KB3000850 on Windows 2012 R2 or KB3119938 on Windows 2012 on systems with PowerShell 4.0. PowerShell 5.x does not require the installation of an additional patch.
- RMF Control
- CM-7
- Severity
- M
- CCI
- CCI-000381
- Version
- WN12-00-000220
- Vuln IDs
-
- V-226055
- V-80477
- Rule IDs
-
- SV-226055r794768_rule
- SV-95185
Checks: C-27757r475488_chk
Windows PowerShell 2.0 is not installed by default. Open "Windows PowerShell". Enter "Get-WindowsFeature -Name PowerShell-v2". If "Installed State" is "Installed", this is a finding. An Installed State of "Available" or "Removed" is not a finding.
Fix: F-27745r794767_fix
Windows PowerShell 2.0 is not installed by default. Uninstall it if it has been installed. Open "Windows PowerShell". Enter "Uninstall-WindowsFeature -Name PowerShell-v2". Alternately: Use the "Remove Roles and Features Wizard" and deselect "Windows PowerShell 2.0 Engine" under "Windows PowerShell".
- RMF Control
- AC-7
- Severity
- M
- CCI
- CCI-002238
- Version
- WN12-AC-000001
- Vuln IDs
-
- V-226056
- V-1099
- Rule IDs
-
- SV-226056r794778_rule
- SV-52850
Checks: C-27758r475491_chk
Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Account Lockout Policy. If the "Account lockout duration" is less than "15" minutes (excluding "0"), this is a finding. Configuring this to "0", requiring an administrator to unlock the account, is more restrictive and is not a finding.
Fix: F-27746r794777_fix
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Account Lockout Policy >> "Account lockout duration" to "15" minutes or greater. A value of "0" is also acceptable, requiring an administrator to unlock the account.
- RMF Control
- AC-7
- Severity
- M
- CCI
- CCI-000044
- Version
- WN12-AC-000002
- Vuln IDs
-
- V-226057
- V-1097
- Rule IDs
-
- SV-226057r794277_rule
- SV-52848
Checks: C-27759r475494_chk
Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Account Policies -> Account Lockout Policy. If the "Account lockout threshold" is "0" or more than "3" attempts, this is a finding.
Fix: F-27747r475495_fix
Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Account Policies -> Account Lockout Policy -> "Account lockout threshold" to "3" or less invalid logon attempts (excluding "0" which is unacceptable).
- RMF Control
- AC-7
- Severity
- M
- CCI
- CCI-000044
- Version
- WN12-AC-000003
- Vuln IDs
-
- V-226058
- V-1098
- Rule IDs
-
- SV-226058r794278_rule
- SV-52849
Checks: C-27760r475497_chk
Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Account Lockout Policy. If the "Reset account lockout counter after" value is less than "15" minutes, this is a finding.
Fix: F-27748r475498_fix
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Account Lockout Policy >> "Reset account lockout counter after" to at least "15" minutes.
- RMF Control
- IA-5
- Severity
- M
- CCI
- CCI-000200
- Version
- WN12-AC-000004
- Vuln IDs
-
- V-226059
- V-1107
- Rule IDs
-
- SV-226059r794296_rule
- SV-52853
Checks: C-27761r475500_chk
Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Password Policy. If the value for "Enforce password history" is less than "24" passwords remembered, this is a finding.
Fix: F-27749r475501_fix
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Password Policy >> "Enforce password history" to "24" passwords remembered.
- RMF Control
- IA-5
- Severity
- M
- CCI
- CCI-000199
- Version
- WN12-AC-000005
- Vuln IDs
-
- V-226060
- V-1104
- Rule IDs
-
- SV-226060r794295_rule
- SV-52851
Checks: C-27762r475503_chk
Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Account Policies -> Password Policy. If the value for the "Maximum password age" is greater than "60" days, this is a finding. If the value is set to "0" (never expires), this is a finding.
Fix: F-27750r475504_fix
Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Account Policies -> Password Policy -> "Maximum password age" to "60" days or less (excluding "0" which is unacceptable).
- RMF Control
- IA-5
- Severity
- M
- CCI
- CCI-000198
- Version
- WN12-AC-000006
- Vuln IDs
-
- V-226061
- V-1105
- Rule IDs
-
- SV-226061r794294_rule
- SV-52852
Checks: C-27763r475506_chk
Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Account Policies -> Password Policy. If the value for the "Minimum password age" is set to "0" days ("Password can be changed immediately."), this is a finding.
Fix: F-27751r475507_fix
Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Account Policies -> Password Policy -> "Minimum password age" to at least "1" day.
- RMF Control
- IA-5
- Severity
- M
- CCI
- CCI-000205
- Version
- WN12-AC-000007
- Vuln IDs
-
- V-226062
- V-6836
- Rule IDs
-
- SV-226062r794298_rule
- SV-52938
Checks: C-27764r475509_chk
Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Account Policies -> Password Policy. If the value for the "Minimum password length," is less than "14" characters, this is a finding.
Fix: F-27752r475510_fix
Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Account Policies -> Password Policy -> "Minimum password length" to "14" characters.
- RMF Control
- IA-5
- Severity
- M
- CCI
- CCI-000192
- Version
- WN12-AC-000008
- Vuln IDs
-
- V-226063
- V-1150
- Rule IDs
-
- SV-226063r794292_rule
- SV-52863
Checks: C-27765r475512_chk
Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Password Policy. If the value for "Password must meet complexity requirements" is not set to "Enabled", this is a finding. Note: If an external password filter is in use that enforces all 4 character types and requires this setting be set to "Disabled", this would not be considered a finding. If this setting does not affect the use of an external password filter, it must be enabled for fallback purposes.
Fix: F-27753r475513_fix
Configure the policy value for Computer Configuration >> Windows Settings -> Security Settings >> Account Policies >> Password Policy >> "Password must meet complexity requirements" to "Enabled".
- RMF Control
- IA-5
- Severity
- H
- CCI
- CCI-000196
- Version
- WN12-AC-000009
- Vuln IDs
-
- V-226064
- V-2372
- Rule IDs
-
- SV-226064r794293_rule
- SV-52880
Checks: C-27766r475515_chk
Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Account Policies -> Password Policy. If the value for "Store password using reversible encryption" is not set to "Disabled", this is a finding.
Fix: F-27754r475516_fix
Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Account Policies -> Password Policy -> "Store password using reversible encryption" to "Disabled".
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- WN12-AC-000010-DC
- Vuln IDs
-
- V-226065
- V-2376
- Rule IDs
-
- SV-226065r794383_rule
- SV-51160
Checks: C-27767r475518_chk
Verify the following is configured in the Default Domain Policy. Open "Group Policy Management". Navigate to "Group Policy Objects" in the Domain being reviewed (Forest > Domains > Domain). Right click on the "Default Domain Policy". Select Edit. Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Kerberos Policy. If the "Enforce user logon restrictions" is not set to "Enabled", this is a finding.
Fix: F-27755r475519_fix
Configure the policy value in the Default Domain Policy for Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Account Policies -> Kerberos Policy -> "Enforce user logon restrictions" to "Enabled".
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- WN12-AC-000011-DC
- Vuln IDs
-
- V-226066
- V-2377
- Rule IDs
-
- SV-226066r794792_rule
- SV-51162
Checks: C-27768r475521_chk
Verify the following is configured in the Default Domain Policy. Open "Group Policy Management". Navigate to "Group Policy Objects" in the Domain being reviewed (Forest > Domains > Domain). Right click on the "Default Domain Policy". Select Edit. Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Kerberos Policy. If the value for "Maximum lifetime for service ticket" is 0 or greater than 600 minutes, this is a finding.
Fix: F-27756r794791_fix
Configure the policy value in the Default Domain Policy for Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Account Policies -> Kerberos Policy -> "Maximum lifetime for service ticket" to a maximum of 600 minutes, but not 0, which equates to "Ticket doesn't expire".
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- WN12-AC-000012-DC
- Vuln IDs
-
- V-226067
- V-2378
- Rule IDs
-
- SV-226067r794794_rule
- SV-51164
Checks: C-27769r475524_chk
Verify the following is configured in the Default Domain Policy. Open "Group Policy Management". Navigate to "Group Policy Objects" in the Domain being reviewed (Forest > Domains > Domain). Right click on the "Default Domain Policy". Select Edit. Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Kerberos Policy. If the value for "Maximum lifetime for user ticket" is 0 or greater than 10 hours, this is a finding.
Fix: F-27757r794793_fix
Configure the policy value in the Default Domain Policy for Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Account Policies -> Kerberos Policy -> "Maximum lifetime for user ticket" to a maximum of 10 hours, but not 0, which equates to "Ticket doesn't expire".
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- WN12-AC-000013-DC
- Vuln IDs
-
- V-226068
- V-2379
- Rule IDs
-
- SV-226068r794388_rule
- SV-51166
Checks: C-27770r475527_chk
Verify the following is configured in the Default Domain Policy. Open "Group Policy Management". Navigate to "Group Policy Objects" in the Domain being reviewed (Forest > Domains > Domain). Right click on the "Default Domain Policy". Select Edit. Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Kerberos Policy. If the "Maximum lifetime for user ticket renewal" is greater than 7 days, this is a finding.
Fix: F-27758r475528_fix
Configure the policy value in the Default Domain Policy for Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Account Policies -> Kerberos Policy -> "Maximum lifetime for user ticket renewal" to a maximum of 7 days or less.
- RMF Control
- IA-2
- Severity
- M
- CCI
- CCI-001941
- Version
- WN12-AC-000014-DC
- Vuln IDs
-
- V-226069
- V-2380
- Rule IDs
-
- SV-226069r794309_rule
- SV-51168
Checks: C-27771r475530_chk
Verify the following is configured in the Default Domain Policy. Open "Group Policy Management". Navigate to "Group Policy Objects" in the Domain being reviewed (Forest > Domains > Domain). Right click on the "Default Domain Policy". Select Edit. Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Kerberos Policy. If the "Maximum tolerance for computer clock synchronization" is greater than 5 minutes, this is a finding.
Fix: F-27759r475531_fix
Configure the policy value in the Default Domain Policy for Computer Configuration -> Windows Settings -> Security Settings -> Account Policies -> Kerberos Policy -> "Maximum tolerance for computer clock synchronization" to a maximum of 5 minutes or less.
- RMF Control
- AC-6
- Severity
- H
- CCI
- CCI-002235
- Version
- WN12-AD-000001-DC
- Vuln IDs
-
- V-226070
- V-8316
- Rule IDs
-
- SV-226070r794318_rule
- SV-51175
Checks: C-27772r475533_chk
Verify the permissions on the content of the NTDS directory. Open the registry editor (regedit). Navigate to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters. Note the directory locations in the values for: Database log files path DSA Database file By default they will be \Windows\NTDS. If the locations are different, the following will need to be run for each. Open an elevated command prompt (Win+x, Command Prompt (Admin)). Navigate to the NTDS directory (\Windows\NTDS by default). Run "icacls *.*". If the permissions on each file are not at least as restrictive as the following, this is a finding. NT AUTHORITY\SYSTEM:(I)(F) BUILTIN\Administrators:(I)(F) (I) - permission inherited from parent container (F) - full access Do not use File Explorer to attempt to view permissions of the NTDS folder. Accessing the folder through File Explorer will change the permissions on the folder.
Fix: F-27760r475534_fix
Ensure the permissions on NTDS database and log files are at least as restrictive as the following: NT AUTHORITY\SYSTEM:(I)(F) BUILTIN\Administrators:(I)(F) (I) - permission inherited from parent container (F) - full access
- RMF Control
- AC-6
- Severity
- H
- CCI
- CCI-002235
- Version
- WN12-AD-000002-DC
- Vuln IDs
-
- V-226071
- V-39331
- Rule IDs
-
- SV-226071r794770_rule
- SV-51176
Checks: C-27773r794319_chk
Verify the permissions on the SYSVOL directory. Open a command prompt. Run "net share". Make note of the directory location of the SYSVOL share. By default this will be \Windows\SYSVOL\sysvol. For this requirement, permissions will be verified at the first SYSVOL directory level. Alternately, use Icacls.exe to view the permissions of the SYSVOL directory. Open a command prompt. Run "icacls c:\Windows\SYSVOL The following results should be displayed: NT AUTHORITY\Authenticated Users:(RX) NT AUTHORITY\Authenticated Users:(OI)(CI)(IO)(GR,GE) BUILTIN\Server Operators:(RX) BUILTIN\Server Operators:(OI)(CI)(IO)(GR,GE) BUILTIN\Administrators:(M,WDAC,WO) BUILTIN\Administrators:(OI)(CI)(IO)(F) NT AUTHORITY\SYSTEM:(F) NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F) BUILTIN\Administrators:(M,WDAC,WO) CREATOR OWNER:(OI)(CI)(IO)(F) (RX) - Read & execute Run "icacls /help" to view definitions of other permission codes. If the above results are not displayed, this is a finding.
Fix: F-27761r794769_fix
Ensure the permissions on SYSVOL directory do not allow greater than read & execute for standard user accounts or groups. The defaults below meet this requirement. Type - Allow Principal - Authenticated Users Access - Read & execute Inherited from - None Applies to - This folder, subfolder and files Type - Allow Principal - Server Operators Access - Read & execute Inherited from - None Applies to - This folder, subfolder and files Type - Allow Principal - Administrators Access - Special Inherited from - None Applies to - This folder only (Access - Special - Basic Permissions: all selected except Full control) Type - Allow Principal - CREATOR OWNER Access - Full control Inherited from - None Applies to - Subfolders and files only Type - Allow Principal - Administrators Access - Full control Inherited from - None Applies to - Subfolders and files only Type - Allow Principal - SYSTEM Access - Full control Inherited from - None Applies to - This folder, subfolders and files
- RMF Control
- AC-6
- Severity
- H
- CCI
- CCI-002235
- Version
- WN12-AD-000003-DC
- Vuln IDs
-
- V-226072
- V-33673
- Rule IDs
-
- SV-226072r794772_rule
- SV-51177
Checks: C-27774r475539_chk
Verify the permissions on Group Policy objects. Open "Group Policy Management". (Available from various menus or run "gpmc.msc".) Navigate to "Group Policy Objects" in the domain being reviewed (Forest > Domains > Domain). For each Group Policy object: Select the Group Policy object item in the left pane. Select the Delegation tab in the right pane. Select the Advanced button. If any standard user accounts or groups have greater than Allow permissions of Read and Apply group policy, this is a finding. Other access permissions that allow the objects to be updated are considered findings unless specifically documented by the ISSO. The default permissions noted below meet this requirement. The permissions shown are at the summary level. More detailed permissions can be viewed by selecting the next Advanced button, selecting the desired Permission entry, and the Edit button. Authenticated Users - Read, Apply group policy, Special permissions The Special permissions for Authenticated Users are for Read type Properties. If detailed permissions include any Create, Delete, Modify, or Write Permissions or Properties, this is a finding. The Special permissions for the following default groups are not the focus of this requirement and may include a wide range of permissions and properties. CREATOR OWNER - Special permissions SYSTEM - Read, Write, Create all child objects, Delete all child objects, Special permissions Domain Admins - Read, Write, Create all child objects, Delete all child objects, Special permissions Enterprise Admins - Read, Write, Create all child objects, Delete all child objects, Special permissions ENTERPRISE DOMAIN CONTROLLERS - Read, Special permissions The Domain Admins and Enterprise Admins will not have the "Delete all child objects" permission on the two default group policy objects: Default Domain Policy and Default Domain Controllers Policy. They will have this permission on created group policy objects. The Anonymous Logon, Guests, or any group that contains those groups (in which users are not uniquely identified and authenticated) must not have any access permissions unless the group and justification is explicitly documented with the ISSO.
Fix: F-27762r794771_fix
Ensure the permissions on Group Policy objects do not allow greater than Read and Apply group policy for standard user accounts or groups. The default permissions below meet this requirement. Authenticated Users - Read, Apply group policy, Special permissions The Special permissions for Authenticated Users are for Read type Properties. CREATOR OWNER - Special permissions SYSTEM - Read, Write, Create all child objects, Delete all child objects, Special permissions Domain Admins - Read, Write, Create all child objects, Delete all child objects, Special permissions Enterprise Admins - Read, Write, Create all child objects, Delete all child objects, Special permissions ENTERPRISE DOMAIN CONTROLLERS - Read, Special permissions Document any other access permissions that allow the objects to be updated with the ISSO. The Domain Admins and Enterprise Admins will not have the "Delete all child objects" permission on the two default group policy objects: Default Domain Policy and Default Domain Controllers Policy. They will have this permission on created group policy objects.
- RMF Control
- AC-6
- Severity
- H
- CCI
- CCI-002235
- Version
- WN12-AD-000004-DC
- Vuln IDs
-
- V-226073
- V-39332
- Rule IDs
-
- SV-226073r794774_rule
- SV-51178
Checks: C-27775r475542_chk
Verify the permissions on the Domain Controllers OU. Open "Active Directory Users and Computers". (Available from various menus or run "dsa.msc".) Select Advanced Features in the View menu if not previously selected. Navigate to the Domain Controllers OU (folder in folder icon). Right click the OU and select Properties. Select the Security tab. If the permissions on the Domain Controllers OU do not restrict changes to System, Domain Admins, Enterprise Admins and Administrators, this is a finding. The default permissions listed below satisfy this requirement. Domains supporting Microsoft Exchange will have additional Exchange related permissions on the Domain Controllers OU. These may include some change related permissions and are not a finding. The permissions shown are at the summary level. More detailed permissions can be viewed by selecting the Advanced button, selecting the desired Permission entry, and the Edit button. SELF - Special permissions Authenticated Users - Read, Special permissions The Special permissions for Authenticated Users are Read types. If detailed permissions include any Create, Delete, Modify, or Write Permissions or Properties, this is a finding. SYSTEM - Full Control Domain Admins - Read, Write, Create all child objects, Generate resultant set of policy (logging), Generate resultant set of policy (planning), Special permissions Enterprise Admins - Full Control Administrators - Read, Write, Create all child objects, Generate resultant set of policy (logging), Generate resultant set of policy (planning), Special permissions Pre-Windows 2000 Compatible Access - Special permissions The Special permissions for Pre-Windows 2000 Compatible Access are Read types. If detailed permissions include any Create, Delete, Modify, or Write Permissions or Properties, this is a finding. ENTERPRISE DOMAIN CONTROLLERS - Read, Special permissions
Fix: F-27763r794773_fix
Limit the permissions on the Domain Controllers OU to restrict changes to System, Domain Admins, Enterprise Admins and Administrators. The default permissions listed below satisfy this requirement. Domains supporting Microsoft Exchange will have additional Exchange related permissions on the Domain Controllers OU. These may include some change related permissions. SELF - Special permissions Authenticated Users - Read, Special permissions The Special permissions for Authenticated Users are Read types. If detailed permissions include any Create, Delete, Modify, or Write Permissions or Properties, this is a finding. SYSTEM - Full Control Domain Admins - Read, Write, Create all child objects, Generate resultant set of policy (logging), Generate resultant set of policy (planning), Special permissions Enterprise Admins - Full Control Administrators - Read, Write, Create all child objects, Generate resultant set of policy (logging), Generate resultant set of policy (planning), Special permissions Pre-Windows 2000 Compatible Access - Special permissions The Special permissions for Pre-Windows 2000 Compatible Access are Read types. If detailed permissions include any Create, Delete, Modify, or Write Permissions or Properties, this is a finding. ENTERPRISE DOMAIN CONTROLLERS - Read, Special permissions
- RMF Control
- AC-6
- Severity
- H
- CCI
- CCI-002235
- Version
- WN12-AD-000005-DC
- Vuln IDs
-
- V-226074
- V-39333
- Rule IDs
-
- SV-226074r794776_rule
- SV-51179
Checks: C-27776r475545_chk
Verifying the permissions on domain defined OUs. Open "Active Directory Users and Computers". (Available from various menus or run "dsa.msc".) Ensure Advanced Features is selected in the View menu. For each OU that is defined (folder in folder icon) excluding the Domain Controllers OU: Right click the OU and select Properties. Select the Security tab. If the permissions on the OU are not at least as restrictive as those below, this is a finding. The permissions shown are at the summary level. More detailed permissions can be viewed by selecting the next Advanced button, selecting the desired Permission entry and the Edit button. Self - Special permissions Authenticated Users - Read, Special permissions The Special permissions for Authenticated Users are Read type. If detailed permissions include any Create, Delete, Modify, or Write Permissions or Properties, this is a finding. SYSTEM - Full Control Domain Admins - Full Control Enterprise Admins - Full Control Administrators - Read, Write, Create all child objects, Generate resultant set of policy (logging), Generate resultant set of policy (planning), Special permissions Pre-Windows 2000 Compatible Access - Special permissions The Special permissions for Pre-Windows 2000 Compatible Access are for Read types. If detailed permissions include any Create, Delete, Modify, or Write Permissions or Properties, this is a finding. ENTERPRISE DOMAIN CONTROLLERS - Read, Special permissions If an ISSO-approved distributed administration model (help desk or other user support staff) is implemented, permissions above Read may be allowed for groups documented by the ISSO.
Fix: F-27764r794775_fix
Ensure the permissions on domain defined OUs are at least as restrictive as the defaults below. Document any additional permissions above read with the ISSO if an approved distributed administration model (help desk or other user support staff) is implemented. Self - Special permissions Authenticated Users - Read, Special permissions The Special permissions for Authenticated Users are Read type. If detailed permissions include any Create, Delete, Modify, or Write Permissions or Properties, this is a finding. SYSTEM - Full Control Domain Admins - Full Control Enterprise Admins - Full Control Administrators - Read, Write, Create all child objects, Generate resultant set of policy (logging), Generate resultant set of policy (planning), Special permissions Pre-Windows 2000 Compatible Access - Special permissions The Special permissions for Pre-Windows 2000 Compatible Access are for Read types. If detailed permissions include any Create, Delete, Modify, or Write Permissions or Properties, this is a finding. ENTERPRISE DOMAIN CONTROLLERS - Read, Special permissions Severity Override Guidance: If any OU with improper permissions includes identification or authentication data (e.g., accounts, passwords, or password hash data) used by systems to determine access control, the severity is CAT I (e.g., OUs that include user accounts, including service/application accounts). If the OU with improper permissions does not include identification and authentication data used by systems to determine access control, the severity is CAT II (e.g., Workstation, Printer OUs).
- RMF Control
- SC-2
- Severity
- M
- CCI
- CCI-001082
- Version
- WN12-AD-000006-DC
- Vuln IDs
-
- V-226075
- V-8317
- Rule IDs
-
- SV-226075r794310_rule
- SV-51180
Checks: C-27777r475548_chk
Refer to the AD database location obtained in check V-8316. Note the logical drive (e.g., C:) on which the files are located. Determine if the server is currently providing file sharing services to users with the following command. Enter "net share" at a command prompt. Note the logical drive(s) or file system partition for any site-created data shares. Ignore all system shares (e.g., Windows NETLOGON, SYSVOL, and administrative shares ending in $). User shares that are hidden (ending with $) should not be ignored. If user shares are located on the same logical partition as the directory server data files, this is a finding.
Fix: F-27765r475549_fix
Ensure files owned by users are stored on a different logical partition then the directory server data files.
- RMF Control
- AU-8
- Severity
- M
- CCI
- CCI-001891
- Version
- WN12-AD-000007-DC
- Vuln IDs
-
- V-226076
- V-8322
- Rule IDs
-
- SV-226076r794807_rule
- SV-51181
Checks: C-27778r475551_chk
Determine if a time synchronization tool has been implemented on the Windows domain controller. If the Windows Time Service is used, verify the following registry values. If they are not configured as specified, this is a finding. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient\ Value Name: Enabled Type: REG_DWORD Value: 1 Registry Path: \System\CurrentControlSet\Services\W32Time\Parameters\ Value Name: Type Type: REG_SZ Value: NT5DS (preferred), NTP or Allsync If these Windows checks indicate a finding because the NtpClient is not enabled, determine if an alternate time synchronization tool is installed and enabled. If the Windows Time Service is not enabled and no alternate tool is enabled, this is a finding.
Fix: F-27766r794806_fix
Ensure the Windows Time Service is configured as follows or install and enable another time synchronization tool. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient\ Value Name: Enabled Type: REG_DWORD Value: 1 Registry Path: \System\CurrentControlSet\Services\W32Time\ Parameters\ Value Name: Type Type: REG_SZ Value: NT5DS (preferred), NTP or Allsync
- RMF Control
- CM-6
- Severity
- L
- CCI
- CCI-000366
- Version
- WN12-AD-000008-DC
- Vuln IDs
-
- V-226077
- V-8324
- Rule IDs
-
- SV-226077r794796_rule
- SV-51182
Checks: C-27779r475554_chk
Verify logging is configured to capture time source switches. If the Windows Time Service is used, verify the following registry value. If it is not configured as specified, this is a finding. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Services\W32Time\Config\ Value Name: EventLogFlags Type: REG_DWORD Value: 2 or 3 If another time synchronization tool is used, review the available configuration options and logs. If the tool has time source logging capability and it is not enabled, this is a finding.
Fix: F-27767r794795_fix
Configure the time synchronization tool to log time source switching. If the Windows Time Service is used, configure the following registry value. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Services\W32Time\Config\ Value Name: EventLogFlags Type: REG_DWORD Value: 2 or 3
- RMF Control
- SC-2
- Severity
- M
- CCI
- CCI-001082
- Version
- WN12-AD-000009-DC
- Vuln IDs
-
- V-226078
- V-8326
- Rule IDs
-
- SV-226078r794311_rule
- SV-51183
Checks: C-27780r475557_chk
Review the roles and services the domain controller is running. Run "services.msc" to display the Services console. Determine if any running services are application components. Examples of services indicating the presence of applications are: -DHCP Server for DHCP server -IIS Admin Service for IIS web server -Microsoft Exchange System Attendant for Exchange -MSSQLServer for SQL Server. If any application-related components have the "Started" status, this is a finding. Installed roles can be displayed by viewing Server Roles in the Add (or Remove) Roles and Features wizard. (Cancel before any changes are made.) Determine if any additional server roles are installed. A basic domain controller set up will include the following: -Active Directory Domain Services -DNS Server -File and Storage Services If any roles not requiring installation on a domain controller are installed, this is a finding. Supplemental Notes: A Domain Name System (DNS) server integrated with the directory server (e.g., AD-integrated DNS) is an acceptable application. However, the DNS server must comply with the DNS STIG security requirements. Some directory servers utilize specialized web servers for administrative functions and databases for data management. These web and database servers are permitted as long as they are dedicated to directory server support and only administrative users have access to them.
Fix: F-27768r475558_fix
Remove additional roles or applications such as web, database, and email from the domain controller.
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- WN12-AD-000010-DC
- Vuln IDs
-
- V-226079
- V-8327
- Rule IDs
-
- SV-226079r794798_rule
- SV-51184
Checks: C-27781r475560_chk
Run "services.msc" to display the Services console. Verify the Startup Type for the following Windows services: - Active Directory Domain Services - DFS Replication - DNS Client - DNS server - Group Policy Client - Intersite Messaging - Kerberos Key Distribution Center - NetLogon - Windows Time (not required if another time synchronization tool is implemented to start automatically) If the Startup Type for any of these services is not Automatic, this is a finding.
Fix: F-27769r794797_fix
Ensure the following services that are critical for directory server operation are configured for automatic startup. - Active Directory Domain Services - DFS Replication - DNS Client - DNS server - Group Policy Client - Intersite Messaging - Kerberos Key Distribution Center - NetLogon - Windows Time (not required if another time synchronization tool is implemented to start automatically)
- RMF Control
- SC-13
- Severity
- M
- CCI
- CCI-002450
- Version
- WN12-AD-000011-DC
- Vuln IDs
-
- V-226080
- V-14783
- Rule IDs
-
- SV-226080r794334_rule
- SV-51185
Checks: C-27782r475563_chk
With the assistance of the SA, NSO, or network reviewer as required, review the site network diagram(s) or documentation to determine the level of classification for the network(s) over which replication data is transmitted. Determine the classification level of the Windows domain controller. If the classification level of the Windows domain controller is higher than the level of the networks, review the site network diagram(s) and directory implementation documentation to determine if NSA-approved encryption is used to protect the replication network traffic. If the classification level of the Windows domain controller is higher than the level of the network traversed and NSA-approved encryption is not used, this is a finding.
Fix: F-27770r475564_fix
Configure NSA-approved (Type 1) cryptography to protect the directory data in transit for directory service implementations at a classified confidentiality level that transfers replication data through a network cleared to a lower level than the data.
- RMF Control
- CM-6
- Severity
- L
- CCI
- CCI-000366
- Version
- WN12-AD-000012-DC
- Vuln IDs
-
- V-226081
- V-14797
- Rule IDs
-
- SV-226081r794800_rule
- SV-51186
Checks: C-27783r475566_chk
At this time, this is a finding for all Windows domain controllers for sensitive or classified levels as Windows Active Directory Domain Services (AD DS) does not provide a method to restrict anonymous access to the root DSE on domain controllers. The following can be used to verify anonymous access is allowed. Open a command prompt (not elevated). Run "ldp.exe". From the Connection menu, select Bind. Clear the User, Password, and Domain fields. Select Simple bind for the Bind type, Click OK. RootDSE attributes should display, such as various namingContexts. Confirmation of anonymous access will be displayed at the end: res = ldap_simple_bind_s Authenticated as: 'NT AUTHORITY\ANONYMOUS LOGON'
Fix: F-27771r794799_fix
Implement network protections to reduce the risk of anonymous access. Network hardware ports at the site are subject to 802.1x authentication or MAC address restrictions. Premise firewall or host restrictions prevent access to ports 389, 636, 3268, and 3269 from client hosts not explicitly identified by domain (.mil) or IP address. Severity Override Guidance: The following network controls allow the finding severity to be downgraded to not a finding since these measures lower the risk associated with anonymous access.
- RMF Control
- CM-6
- Severity
- H
- CCI
- CCI-000366
- Version
- WN12-AD-000013-DC
- Vuln IDs
-
- V-226082
- V-14798
- Rule IDs
-
- SV-226082r794802_rule
- SV-51187
Checks: C-27784r475569_chk
Verify anonymous access is not allowed to the AD domain naming context. Open a command prompt (not elevated). Run "ldp.exe". From the Connection menu, select Bind. Clear the User, Password, and Domain fields. Select Simple bind for the Bind type, Click OK. Confirmation of anonymous access will be displayed at the end: res = ldap_simple_bind_s Authenticated as: 'NT AUTHORITY\ANONYMOUS LOGON' From the Browse menu, select Search. In the Search dialog, enter the DN of the domain naming context (generally something like "dc=disaost,dc=mil") in the Base DN field. Clear the Attributes field and select Run. Error messages should display related to bind and user not authenticated. If attribute data is displayed, anonymous access is enabled to the domain naming context and this is a finding.
Fix: F-27772r794801_fix
Configure directory data (outside the root DSE) of a non-public directory to prevent anonymous access. For AD, there are multiple configuration items that could enable anonymous access. Changing the access permissions on the domain naming context object (from the secure defaults) could enable anonymous access. If the check procedures indicate this is the cause, the process that was used to change the permissions should be reversed. This could have been through the Windows Support Tools ADSI Edit console (adsiedit.msc). The dsHeuristics option is used. This is addressed in check V-8555 in the AD Forest STIG. Severity Override Guidance: The following network controls allow the finding severity to be downgraded to a CAT II since these measures lower the risk associated with anonymous access. Network hardware ports at the site are subject to 802.1x authentication or MAC address restrictions. Premise firewall or host restrictions prevent access to ports 389, 636, 3268, and 3269 from client hosts not explicitly identified by domain (.mil) or IP address.
- RMF Control
- SC-10
- Severity
- L
- CCI
- CCI-001133
- Version
- WN12-AD-000014-DC
- Vuln IDs
-
- V-226083
- V-14831
- Rule IDs
-
- SV-226083r794805_rule
- SV-51188
Checks: C-27785r794803_chk
Verify the value for MaxConnIdleTime. Open an elevated command prompt. Enter "ntdsutil". At the "ntdsutil:" prompt, enter "LDAP policies". At the "ldap policy:" prompt, enter "connections". At the "server connections:" prompt, enter "connect to server [host-name]". (Where [host-name] is the computer name of the domain controller.) At the "server connections:" prompt, enter "q". At the "ldap policy:" prompt, enter "show values". If the value for MaxConnIdleTime is greater than 300 (the value for five minutes) or it is not specified, this is a finding. Enter "q" at the "ldap policy:" and "ntdsutil:" prompts to exit. Alternately, Dsquery can be used to display MaxConnIdleTime: Open an elevated command prompt. Enter the following command (on a single line). dsquery * "cn=Default Query Policy,cn=Query-Policies,cn=Directory Service, cn=Windows NT,cn=Services,cn=Configuration,dc=[forest-name]" -attr LDAPAdminLimits The quotes are required and dc=[forest-name] is the fully qualified LDAP name of the domain being reviewed (e.g., dc=disaost,dc=mil).
Fix: F-27773r794804_fix
Configure the directory service to terminate LDAP-based network connections to the directory server after five (5) minutes of inactivity. Open an elevated command prompt. Enter "ntdsutil". At the "ntdsutil:" prompt, enter "LDAP policies". At the "ldap policy:" prompt, enter "connections". At the "server connections:" prompt, enter "connect to server [host-name]". (Where [host-name] is the computer name of the domain controller.) At the "server connections:" prompt, enter "q". At the "ldap policy:" prompt, enter "Set MaxConnIdleTime to 300". Enter "Commit Changes" to save. Enter "Show values" to verify changes. Enter "q" at the "ldap policy:" and "ntdsutil:" prompts to exit.
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- WN12-AD-000015-DC
- Vuln IDs
-
- V-226084
- V-91777
- Rule IDs
-
- SV-226084r794809_rule
- SV-101879
Checks: C-27786r475575_chk
This requirement is applicable to domain controllers; it is NA for other systems. Open "Windows PowerShell". Enter "Get-ADUser krbtgt -Property PasswordLastSet". If the "PasswordLastSet" date is more than 180 days old, this is a finding.
Fix: F-27774r794808_fix
Reset the password for the krbtgt account a least every 180 days. The password must be changed twice to effectively remove the password history. Changing once, waiting for replication to complete and changing again reduces the risk of issues. Changing twice in rapid succession forces clients to re-authenticate (including application services) but is desired if a compromise is suspected. PowerShell scripts are available to accomplish this such as at the following link: https://gallery.technet.microsoft.com/Reset-the-krbtgt-account-581a9e51 Open "Active Directory Users and Computers" (available from various menus or run "dsa.msc"). Select "Advanced Features" in the "View" menu if not previously selected. Select the "Users" node. Right click on the krbtgt account and select "Reset password". Enter a password that meets password complexity requirements. Clear the "User must change password at next logon" check box. The system will automatically change this to a system generated complex password.
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- WN12-AU-000001
- Vuln IDs
-
- V-226085
- V-26529
- Rule IDs
-
- SV-226085r794339_rule
- SV-53013
Checks: C-27787r475578_chk
Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: -Open a Command Prompt with elevated privileges ("Run as Administrator"). -Enter "AuditPol /get /category:*". Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. Account Logon -> Credential Validation - Success
Fix: F-27775r475579_fix
Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Account Logon -> "Audit Credential Validation" with "Success" selected.
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- WN12-AU-000002
- Vuln IDs
-
- V-226086
- V-26530
- Rule IDs
-
- SV-226086r794340_rule
- SV-53011
Checks: C-27788r475581_chk
Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: -Open a Command Prompt with elevated privileges ("Run as Administrator"). -Enter "AuditPol /get /category:*". Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. Account Logon -> Credential Validation - Failure
Fix: F-27776r475582_fix
Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Account Logon -> "Audit Credential Validation" with "Failure" selected.
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- WN12-AU-000011-DC
- Vuln IDs
-
- V-226087
- V-26531
- Rule IDs
-
- SV-226087r794341_rule
- SV-52234
Checks: C-27789r475584_chk
Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: -Open a Command Prompt with elevated privileges ("Run as Administrator"). -Enter "AuditPol /get /category:*". Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. Account Management >> Computer Account Management - Success
Fix: F-27777r475585_fix
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Account Management >> "Audit Computer Account Management" with "Success" selected.
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- WN12-AU-000015
- Vuln IDs
-
- V-226088
- V-26533
- Rule IDs
-
- SV-226088r794342_rule
- SV-53009
Checks: C-27790r475587_chk
Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: -Open a Command Prompt with elevated privileges ("Run as Administrator"). -Enter "AuditPol /get /category:*". Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. Account Management -> Other Account Management Events - Success
Fix: F-27778r475588_fix
Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Account Management -> "Audit Other Account Management Events" with "Success" selected.
- RMF Control
- AC-2
- Severity
- M
- CCI
- CCI-000018
- Version
- WN12-AU-000017
- Vuln IDs
-
- V-226089
- V-26535
- Rule IDs
-
- SV-226089r794274_rule
- SV-53007
Checks: C-27791r475590_chk
Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: -Open a Command Prompt with elevated privileges ("Run as Administrator"). -Enter "AuditPol /get /category:*". Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. Account Management -> Security Group Management - Success
Fix: F-27779r475591_fix
Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Account Management -> "Audit Security Group Management" with "Success" selected.
- RMF Control
- AC-2
- Severity
- M
- CCI
- CCI-000018
- Version
- WN12-AU-000019
- Vuln IDs
-
- V-226090
- V-26537
- Rule IDs
-
- SV-226090r794275_rule
- SV-53003
Checks: C-27792r475593_chk
Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: -Open a Command Prompt with elevated privileges ("Run as Administrator"). -Enter "AuditPol /get /category:*". Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. Account Management -> User Account Management - Success
Fix: F-27780r475594_fix
Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Account Management -> "Audit User Account Management" with "Success" selected.
- RMF Control
- AC-2
- Severity
- M
- CCI
- CCI-000018
- Version
- WN12-AU-000020
- Vuln IDs
-
- V-226091
- V-26538
- Rule IDs
-
- SV-226091r794276_rule
- SV-53001
Checks: C-27793r475596_chk
Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: -Open a Command Prompt with elevated privileges ("Run as Administrator"). -Enter "AuditPol /get /category:*". Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. Account Management -> User Account Management - Failure
Fix: F-27781r475597_fix
Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Account Management -> "Audit User Account Management" with "Failure" selected.
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- WN12-AU-000023
- Vuln IDs
-
- V-226092
- V-26539
- Rule IDs
-
- SV-226092r794343_rule
- SV-52999
Checks: C-27794r475599_chk
Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: -Open a Command Prompt with elevated privileges ("Run as Administrator"). -Enter "AuditPol /get /category:*". Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. Detailed Tracking -> Process Creation - Success
Fix: F-27782r475600_fix
Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Detailed Tracking -> "Audit Process Creation" with "Success" selected.
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- WN12-AU-000030
- Vuln IDs
-
- V-226093
- V-78057
- Rule IDs
-
- SV-226093r794360_rule
- SV-92765
Checks: C-27795r475602_chk
Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: Open an elevated "Command Prompt" (run as administrator). Enter "AuditPol /get /category:*" Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. Logon/Logoff >> Account Lockout - Success
Fix: F-27783r475603_fix
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Logon/Logoff >> "Audit Account Lockout" with "Success" selected.
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- WN12-AU-000031
- Vuln IDs
-
- V-226094
- V-78059
- Rule IDs
-
- SV-226094r794361_rule
- SV-92769
Checks: C-27796r475605_chk
Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: Open an elevated "Command Prompt" (run as administrator). Enter "AuditPol /get /category:*" Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. Logon/Logoff >> Account Lockout - Failure
Fix: F-27784r475606_fix
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Logon/Logoff >> "Audit Account Lockout" with "Failure" selected.
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- WN12-AU-000031-DC
- Vuln IDs
-
- V-226095
- V-33663
- Rule IDs
-
- SV-226095r794782_rule
- SV-51151
Checks: C-27797r475608_chk
Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: -Open a Command Prompt with elevated privileges ("Run as Administrator"). -Enter "AuditPol /get /category:*". Compare the Auditpol settings with the following. If the system does not audit the following, this is a finding. DS Access -> Directory Service Access - Success
Fix: F-27785r794781_fix
Detailed auditing subcategories are configured in Security Settings -> Advanced Audit Policy Configuration. The summary level settings under Security Settings -> Local Policies -> Audit Policy will not be enforced (see V-14230). Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> DS Access -> "Directory Service Access" with "Success" selected.
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- WN12-AU-000032-DC
- Vuln IDs
-
- V-226096
- V-33664
- Rule IDs
-
- SV-226096r794784_rule
- SV-51152
Checks: C-27798r475611_chk
Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: -Open a Command Prompt with elevated privileges ("Run as Administrator"). -Enter "AuditPol /get /category:*". Compare the Auditpol settings with the following. If the system does not audit the following, this is a finding. DS Access -> Directory Service Access - Failure
Fix: F-27786r794783_fix
Detailed auditing subcategories are configured in Security Settings -> Advanced Audit Policy Configuration. The summary level settings under Security Settings -> Local Policies -> Audit Policy will not be enforced (see V-14230). Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> DS Access -> "Directory Service Access" with "Failure" selected.
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- WN12-AU-000035-DC
- Vuln IDs
-
- V-226097
- V-33665
- Rule IDs
-
- SV-226097r794786_rule
- SV-51153
Checks: C-27799r475614_chk
Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: -Open a Command Prompt with elevated privileges ("Run as Administrator"). -Enter "AuditPol /get /category:*". Compare the Auditpol settings with the following. If the system does not audit the following, this is a finding. DS Access -> Directory Service Changes - Success
Fix: F-27787r794785_fix
Detailed auditing subcategories are configured in Security Settings -> Advanced Audit Policy Configuration. The summary level settings under Security Settings -> Local Policies -> Audit Policy will not be enforced (see V-14230). Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> DS Access -> "Directory Service Changes" with "Success" selected.
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- WN12-AU-000036-DC
- Vuln IDs
-
- V-226098
- V-33666
- Rule IDs
-
- SV-226098r794788_rule
- SV-51155
Checks: C-27800r475617_chk
Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: -Open a Command Prompt with elevated privileges ("Run as Administrator"). -Enter "AuditPol /get /category:*". Compare the Auditpol settings with the following. If the system does not audit the following, this is a finding. DS Access -> Directory Service Changes - Failure
Fix: F-27788r794787_fix
Detailed auditing subcategories are configured in Security Settings -> Advanced Audit Policy Configuration. The summary level settings under Security Settings -> Local Policies -> Audit Policy will not be enforced (see V-14230). Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> DS Access -> "Directory Service Changes" with "Failure" selected.
- RMF Control
- AC-17
- Severity
- M
- CCI
- CCI-000067
- Version
- WN12-AU-000045
- Vuln IDs
-
- V-226099
- V-26540
- Rule IDs
-
- SV-226099r794279_rule
- SV-52996
Checks: C-27801r475620_chk
Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: -Open a Command Prompt with elevated privileges ("Run as Administrator"). -Enter "AuditPol /get /category:*". Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. Logon/Logoff -> Logoff - Success
Fix: F-27789r475621_fix
Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Logon/Logoff -> "Audit Logoff" with "Success" selected.
- RMF Control
- AC-17
- Severity
- M
- CCI
- CCI-000067
- Version
- WN12-AU-000047
- Vuln IDs
-
- V-226100
- V-26541
- Rule IDs
-
- SV-226100r794280_rule
- SV-52994
Checks: C-27802r475623_chk
Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: -Open a Command Prompt with elevated privileges ("Run as Administrator"). -Enter "AuditPol /get /category:*". Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. Logon/Logoff -> Logon - Success
Fix: F-27790r475624_fix
Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Logon/Logoff -> "Audit Logon" with "Success" selected.
- RMF Control
- AC-17
- Severity
- M
- CCI
- CCI-000067
- Version
- WN12-AU-000048
- Vuln IDs
-
- V-226101
- V-26542
- Rule IDs
-
- SV-226101r794281_rule
- SV-52993
Checks: C-27803r475626_chk
Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: -Open a Command Prompt with elevated privileges ("Run as Administrator"). -Enter "AuditPol /get /category:*". Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. Logon/Logoff -> Logon - Failure
Fix: F-27791r475627_fix
Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Logon/Logoff -> "Audit Logon" with "Failure" selected.
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- WN12-AU-000053
- Vuln IDs
-
- V-226102
- V-26543
- Rule IDs
-
- SV-226102r794335_rule
- SV-52987
Checks: C-27804r475629_chk
Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: -Open a Command Prompt with elevated privileges ("Run as Administrator"). -Enter "AuditPol /get /category:*". Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. Logon/Logoff -> Special Logon - Success
Fix: F-27792r475630_fix
Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Logon/Logoff -> "Audit Special Logon" with "Success" selected.
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- WN12-AU-000059
- Vuln IDs
-
- V-226103
- V-40202
- Rule IDs
-
- SV-226103r794362_rule
- SV-52161
Checks: C-27805r475632_chk
Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: -Open a Command Prompt with elevated privileges ("Run as Administrator"). -Enter "AuditPol /get /category:*". Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. Object Access -> Central Policy Staging - Success
Fix: F-27793r475633_fix
Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> "Audit Central Access Policy Staging" with "Success" selected.
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- WN12-AU-000060
- Vuln IDs
-
- V-226104
- V-40200
- Rule IDs
-
- SV-226104r794363_rule
- SV-52159
Checks: C-27806r475635_chk
Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: -Open a Command Prompt with elevated privileges ("Run as Administrator"). -Enter "AuditPol /get /category:*". Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. Object Access -> Central Policy Staging - Failure
Fix: F-27794r475636_fix
Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> "Audit Central Access Policy Staging" with "Failure" selected.
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- WN12-AU-000081
- Vuln IDs
-
- V-226105
- V-36668
- Rule IDs
-
- SV-226105r794364_rule
- SV-51601
Checks: C-27807r475638_chk
Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: -Open a Command Prompt with elevated privileges ("Run as Administrator"). -Enter "AuditPol /get /category:*" Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. Object Access >> Removable Storage - Success Virtual machines or systems that use network attached storage may generate excessive audit events for secondary virtual drives or the network attached storage when this setting is enabled. This may be set to Not Configured in such cases and would not be a finding.
Fix: F-27795r475639_fix
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Object Access >> "Audit Removable Storage" with "Success" selected.
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- WN12-AU-000082
- Vuln IDs
-
- V-226106
- V-36667
- Rule IDs
-
- SV-226106r794365_rule
- SV-51604
Checks: C-27808r475641_chk
Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: -Open a Command Prompt with elevated privileges ("Run as Administrator"). -Enter "AuditPol /get /category:*" Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. Object Access >> Removable Storage - Failure Virtual machines or systems that use network attached storage may generate excessive audit events for secondary virtual drives or the network attached storage when this setting is enabled. This may be set to Not Configured in such cases and would not be a finding.
Fix: F-27796r475642_fix
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Object Access >> "Audit Removable Storage" with "Failure" selected.
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- WN12-AU-000085
- Vuln IDs
-
- V-226107
- V-26546
- Rule IDs
-
- SV-226107r794336_rule
- SV-52983
Checks: C-27809r475644_chk
Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: -Open a Command Prompt with elevated privileges ("Run as Administrator"). -Enter "AuditPol /get /category:*". Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. Policy Change -> Audit Policy Change - Success
Fix: F-27797r475645_fix
Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Policy Change -> "Audit Audit Policy Change" with "Success" selected.
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- WN12-AU-000086
- Vuln IDs
-
- V-226108
- V-26547
- Rule IDs
-
- SV-226108r794352_rule
- SV-52982
Checks: C-27810r475647_chk
Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: -Open a Command Prompt with elevated privileges ("Run as Administrator"). -Enter "AuditPol /get /category:*". Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. Policy Change -> Audit Policy Change - Failure
Fix: F-27798r475648_fix
Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Policy Change -> "Audit Audit Policy Change" with "Failure" selected.
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- WN12-AU-000087
- Vuln IDs
-
- V-226109
- V-26548
- Rule IDs
-
- SV-226109r794353_rule
- SV-52981
Checks: C-27811r475650_chk
Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: -Open a Command Prompt with elevated privileges ("Run as Administrator"). -Enter "AuditPol /get /category:*". Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. Policy Change -> Authentication Policy Change - Success
Fix: F-27799r475651_fix
Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Policy Change -> "Audit Authentication Policy Change" with "Success" selected.
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- WN12-AU-000089
- Vuln IDs
-
- V-226110
- V-57633
- Rule IDs
-
- SV-226110r794366_rule
- SV-72043
Checks: C-27812r475653_chk
Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: -Open a Command Prompt with elevated privileges ("Run as Administrator"). -Enter "AuditPol /get /category:*". Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. Policy Change -> Authorization Policy Change - Success
Fix: F-27800r475654_fix
Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Policy Change -> "Audit Authorization Policy Change" with "Success" selected.
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- WN12-AU-000101
- Vuln IDs
-
- V-226111
- V-26549
- Rule IDs
-
- SV-226111r794354_rule
- SV-52980
Checks: C-27813r475656_chk
Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: -Open a Command Prompt with elevated privileges ("Run as Administrator"). -Enter "AuditPol /get /category:*". Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. Privilege Use -> Sensitive Privilege Use - Success
Fix: F-27801r475657_fix
Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Privilege Use -> "Audit Sensitive Privilege Use" with "Success" selected.
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- WN12-AU-000102
- Vuln IDs
-
- V-226112
- V-26550
- Rule IDs
-
- SV-226112r794355_rule
- SV-52979
Checks: C-27814r475659_chk
Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: -Open a Command Prompt with elevated privileges ("Run as Administrator"). -Enter "AuditPol /get /category:*". Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. Privilege Use -> Sensitive Privilege Use - Failure
Fix: F-27802r475660_fix
Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Privilege Use -> "Audit Sensitive Privilege Use" with "Failure" selected.
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- WN12-AU-000103
- Vuln IDs
-
- V-226113
- V-26551
- Rule IDs
-
- SV-226113r794367_rule
- SV-52978
Checks: C-27815r475662_chk
Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: -Open a Command Prompt with elevated privileges ("Run as Administrator"). -Enter "AuditPol /get /category:*". Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. System -> IPsec Driver - Success
Fix: F-27803r475663_fix
Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> System -> "Audit IPsec Driver" with "Success" selected.
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- WN12-AU-000104
- Vuln IDs
-
- V-226114
- V-26552
- Rule IDs
-
- SV-226114r794368_rule
- SV-52977
Checks: C-27816r475665_chk
Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: -Open a Command Prompt with elevated privileges ("Run as Administrator"). -Enter "AuditPol /get /category:*". Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. System -> IPsec Driver - Failure
Fix: F-27804r475666_fix
Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> System -> "Audit IPsec Driver" with "Failure" selected.
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- WN12-AU-000105
- Vuln IDs
-
- V-226115
- V-78061
- Rule IDs
-
- SV-226115r794290_rule
- SV-92773
Checks: C-27817r475668_chk
Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: Open an elevated "Command Prompt" (run as administrator). Enter "AuditPol /get /category:*" Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. System >> Other System Events - Success
Fix: F-27805r475669_fix
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> System >> "Audit Other System Events" with "Success" selected.
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- WN12-AU-000106
- Vuln IDs
-
- V-226116
- V-78063
- Rule IDs
-
- SV-226116r794291_rule
- SV-92781
Checks: C-27818r475671_chk
Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: Open an elevated "Command Prompt" (run as administrator). Enter "AuditPol /get /category:*". Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. System >> Other System Events - Failure
Fix: F-27806r475672_fix
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> System >> "Audit Other System Events" with "Failure" selected.
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- WN12-AU-000107
- Vuln IDs
-
- V-226117
- V-26553
- Rule IDs
-
- SV-226117r794356_rule
- SV-52976
Checks: C-27819r475674_chk
Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: -Open a Command Prompt with elevated privileges ("Run as Administrator"). -Enter "AuditPol /get /category:*". Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. System -> Security State Change - Success
Fix: F-27807r475675_fix
Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> System -> "Audit Security State Change" with "Success" selected.
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- WN12-AU-000109
- Vuln IDs
-
- V-226118
- V-26555
- Rule IDs
-
- SV-226118r794357_rule
- SV-52974
Checks: C-27820r475677_chk
Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: -Open a Command Prompt with elevated privileges ("Run as Administrator"). -Enter "AuditPol /get /category:*". Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. System -> Security System Extension - Success
Fix: F-27808r475678_fix
Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> System -> "Audit Security System Extension" with "Success" selected.
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- WN12-AU-000111
- Vuln IDs
-
- V-226119
- V-26557
- Rule IDs
-
- SV-226119r794358_rule
- SV-52972
Checks: C-27821r475680_chk
Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: -Open a Command Prompt with elevated privileges ("Run as Administrator"). -Enter "AuditPol /get /category:*". Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. System -> System Integrity - Success
Fix: F-27809r475681_fix
Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> System -> "Audit System Integrity" with "Success" selected.
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- WN12-AU-000112
- Vuln IDs
-
- V-226120
- V-26558
- Rule IDs
-
- SV-226120r794359_rule
- SV-52971
Checks: C-27822r475683_chk
Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: -Open a Command Prompt with elevated privileges ("Run as Administrator"). -Enter "AuditPol /get /category:*". Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. System -> System Integrity - Failure
Fix: F-27810r475684_fix
Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> System -> "Audit System Integrity" with "Failure" selected.
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- WN12-AU-000200
- Vuln IDs
-
- V-226121
- V-36670
- Rule IDs
-
- SV-226121r794316_rule
- SV-51561
Checks: C-27823r475686_chk
Determine whether audit logs are reviewed on a predetermined schedule. If audit logs are not reviewed on a regular basis, this is a finding.
Fix: F-27811r475687_fix
Review audit logs on a predetermined scheduled.
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- WN12-AU-000201
- Vuln IDs
-
- V-226122
- V-36671
- Rule IDs
-
- SV-226122r794317_rule
- SV-51563
Checks: C-27824r475689_chk
Determine whether audit data is retained for at least one year. If the audit data is not retained for at least a year, this is a finding.
Fix: F-27812r475690_fix
Ensure the audit data is retained for at least a year.
- RMF Control
- AU-4
- Severity
- M
- CCI
- CCI-001851
- Version
- WN12-AU-000203-01
- Vuln IDs
-
- V-226123
- V-36672
- Rule IDs
-
- SV-226123r794330_rule
- SV-51566
Checks: C-27825r475692_chk
Determine if a process to back up log data to a different system or media than the system being audited has been implemented. If it has not, this is a finding.
Fix: F-27813r475693_fix
Establish and implement a process for backing up log data to another system or media other than the system being audited.
- RMF Control
- AU-4
- Severity
- M
- CCI
- CCI-001851
- Version
- WN12-AU-000203-02
- Vuln IDs
-
- V-226124
- V-57719
- Rule IDs
-
- SV-226124r794331_rule
- SV-72133
Checks: C-27826r475695_chk
Verify the operating system, at a minimum, off-loads audit records of interconnected systems in real time and off-loads standalone systems weekly. If it does not, this is a finding.
Fix: F-27814r475696_fix
Configure the operating system to, at a minimum, off-load audit records of interconnected systems in real time and off-load standalone systems weekly.
- RMF Control
- AU-9
- Severity
- M
- CCI
- CCI-000162
- Version
- WN12-AU-000204
- Vuln IDs
-
- V-226125
- V-36722
- Rule IDs
-
- SV-226125r794760_rule
- SV-51569
Checks: C-27827r475698_chk
Verify the permissions on the Application event log (Application.evtx). Standard user accounts or groups must not have greater than Read access. The default permissions listed below satisfy this requirement: Eventlog - Full Control SYSTEM - Full Control Administrators - Full Control The default location is the "%SystemRoot%\SYSTEM32\WINEVT\LOGS" directory. They may have been moved to another folder. If the permissions for these files are not as restrictive as the ACLs listed, this is a finding.
Fix: F-27815r794759_fix
Ensure the permissions on the Application event log (Application.evtx) are configured to prevent standard user accounts or groups from having greater than Read access. The default permissions listed below satisfy this requirement: Eventlog - Full Control SYSTEM - Full Control Administrators - Full Control The default location is the "%SystemRoot%\SYSTEM32\WINEVT\LOGS" directory. If the location of the logs has been changed, when adding Eventlog to the permissions, it must be entered as "NT Service\Eventlog".
- RMF Control
- AU-9
- Severity
- M
- CCI
- CCI-000162
- Version
- WN12-AU-000205
- Vuln IDs
-
- V-226126
- V-36723
- Rule IDs
-
- SV-226126r794762_rule
- SV-51571
Checks: C-27828r475701_chk
Verify the permissions on the Security event log (Security.evtx). Standard user accounts or groups must not have access. The default permissions listed below satisfy this requirement: Eventlog - Full Control SYSTEM - Full Control Administrators - Full Control The default location is the "%SystemRoot%\SYSTEM32\WINEVT\LOGS" directory. They may have been moved to another folder. If the permissions for these files are not as restrictive as the ACLs listed, this is a finding.
Fix: F-27816r794761_fix
Ensure the permissions on the Security event log (Security.evtx) are configured to prevent standard user accounts or groups from having access. The default permissions listed below satisfy this requirement: Eventlog - Full Control SYSTEM - Full Control Administrators - Full Control The default location is the "%SystemRoot%\SYSTEM32\WINEVT\LOGS" directory. If the location of the logs has been changed, when adding Eventlog to the permissions, it must be entered as "NT Service\Eventlog".
- RMF Control
- AU-9
- Severity
- M
- CCI
- CCI-000162
- Version
- WN12-AU-000206
- Vuln IDs
-
- V-226127
- V-36724
- Rule IDs
-
- SV-226127r794764_rule
- SV-51572
Checks: C-27829r475704_chk
Verify the permissions on the System event log (System.evtx). Standard user accounts or groups must not have greater than Read access. The default permissions listed below satisfy this requirement: Eventlog - Full Control SYSTEM - Full Control Administrators - Full Control The default location is the "%SystemRoot%\SYSTEM32\WINEVT\LOGS" directory. They may have been moved to another folder. If the permissions for these files are not as restrictive as the ACLs listed, this is a finding.
Fix: F-27817r794763_fix
Ensure the permissions on the System event log (System.evtx) are configured to prevent standard user accounts or groups from having greater than Read access. The default permissions listed below satisfy this requirement: Eventlog - Full Control SYSTEM - Full Control Administrators - Full Control The default location is the "%SystemRoot%\SYSTEM32\WINEVT\LOGS" directory. If the location of the logs has been changed, when adding Eventlog to the permissions, it must be entered as "NT Service\Eventlog".
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- WN12-AU-000207-DC
- Vuln IDs
-
- V-226128
- V-39325
- Rule IDs
-
- SV-226128r794780_rule
- SV-51169
Checks: C-27830r475707_chk
Review the auditing configuration for all Group Policy objects. Open "Group Policy Management". (Available from various menus, or run "gpmc.msc".) Navigate to "Group Policy Objects" in the domain being reviewed (Forest >> Domains >> Domain). For each Group Policy object: Select the Group Policy Object item in the left pane. Select the "Delegation" tab in the right pane. Select the "Advanced" button. Select the "Advanced" button again and then the "Auditing" tab. If the audit settings for any Group Policy object are not at least as inclusive as those below, this is a finding. Type - Fail Principal - Everyone Access - Full Control Applies to - This object and all descendant objects or Descendant groupPolicyContainer objects The three Success types listed below are defaults inherited from the Parent Object. Where Special is listed in the summary screens for Access, detailed Permissions are provided for reference. Type - Success Principal - Everyone Access - Special (Permissions: Write all properties, Modify permissions; Properties: all "Write" type selected) Inherited from - Parent Object Applies to - Descendant groupPolicyContainer objects Two instances with the following summary information will be listed. Type - Success Principal - Everyone Access - blank (Permissions: none selected; Properties: one instance - Write gPLink, one instance - Write gPOptions) Inherited from - Parent Object Applies to - Descendant Organization Unit Objects
Fix: F-27818r794779_fix
Configure the audit settings for Group Policy objects to include the following. This can be done at the Policy level in Active Directory to apply to all group policies. Open "Active Directory Users and Computers" (available from various menus or run "dsa.msc"). Select "Advanced Features" from the "View" Menu. Navigate to [Domain] >> System >> Policies in the left panel. Right click "Policies", select "Properties". Select the "Security" tab. Select the "Advanced" button. Select the "Auditing" tab. Type - Fail Principal - Everyone Access - Full Control Applies to - This object and all descendant objects or Descendant groupPolicyContainer objects The three Success types listed below are defaults inherited from the Parent Object. Where Special is listed in the summary screens for Access, detailed Permissions are provided for reference. Type - Success Principal - Everyone Access - Special (Permissions: Write all properties, Modify permissions; Properties: all "Write" type selected) Inherited from - Parent Object Applies to - Descendant groupPolicyContainer objects Two instances with the following summary information will be listed. Type - Success Principal - Everyone Access - blank (Permissions: none selected; Properties: one instance - Write gPLink, one instance - Write gPOptions) Inherited from - Parent Object Applies to - Descendant Organization Unit Objects
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- WN12-AU-000208-DC
- Vuln IDs
-
- V-226129
- V-39326
- Rule IDs
-
- SV-226129r794489_rule
- SV-51170
Checks: C-27831r475710_chk
Verify the auditing configuration for the Domain object. Open "Active Directory Users and Computers". (Available from various menus or run "dsa.msc".) Ensure Advanced Features is selected in the View menu. Select the domain being reviewed in the left pane. Right click the domain name and select Properties. Select the Security tab. Select the Advanced button and then the Auditing tab. If the audit settings on the Domain object are not at least as inclusive as those below, this is a finding. Type - Fail Principal - Everyone Access - Full Control Inherited from - None Applies to - This object only The success types listed below are defaults. Where Special is listed in the summary screens for Access, detailed Permissions are provided for reference, various Properties selections may also exist by default. Two instances with the following summary information will be listed. Type - Success Principal - Everyone Access - (blank) Inherited from - None Applies to - Special Type - Success Principal - Domain Users Access - All extended rights Inherited from - None Applies to - This object only Type - Success Principal - Administrators Access - All extended rights Inherited from - None Applies to - This object only Type - Success Principal - Everyone Access - Special Inherited from - None Applies to - This object only (Access - Special = Permissions: Write all properties, Modify permissions, Modify owner)
Fix: F-27819r475711_fix
Configure the audit settings for Domain object to include the following. Type - Fail Principal - Everyone Access - Full Control Inherited from - None Applies to - This object only The success types listed below are defaults. Where Special is listed in the summary screens for Access, detailed Permissions are provided for reference, various Properties selections may also exist by default. Two instances with the following summary information will be listed. Type - Success Principal - Everyone Access - (blank) Inherited from - None Applies to - Special Type - Success Principal - Domain Users Access - All extended rights Inherited from - None Applies to - This object only Type - Success Principal - Administrators Access - All extended rights Inherited from - None Applies to - This object only Type - Success Principal - Everyone Access - Special Inherited from - None Applies to - This object only (Access - Special = Permissions: Write all properties, Modify permissions, Modify owner.)
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- WN12-AU-000209-DC
- Vuln IDs
-
- V-226130
- V-39327
- Rule IDs
-
- SV-226130r794490_rule
- SV-51171
Checks: C-27832r475713_chk
Verify the auditing configuration for Infrastructure object. Open "Active Directory Users and Computers". (Available from various menus or run "dsa.msc".) Ensure Advanced Features is selected in the View menu. Select the domain being reviewed in the left pane. Right click the Infrastructure object in the right pane and select Properties. Select the Security tab. Select the Advanced button and then the Auditing tab. If the audit settings on the Infrastructure object are not at least as inclusive as those below, this is a finding. Type - Fail Principal - Everyone Access - Full Control Inherited from - None The success types listed below are defaults. Where Special is listed in the summary screens for Access, detailed Permissions are provided for reference, various Properties selections may also exist by default. Type - Success Principal - Everyone Access - Special Inherited from - None (Access - Special = Permissions: Write all properties, All extended rights, Change infrastructure master) Two instances with the following summary information will be listed. Type - Success Principal - Everyone Access - (blank) Inherited from - (CN of domain)
Fix: F-27820r475714_fix
Configure the audit settings for Infrastructure object to include the following. Type - Fail Principal - Everyone Access - Full Control Inherited from - None The success types listed below are defaults. Where Special is listed in the summary screens for Access, detailed Permissions are provided for reference, various Properties selections may also exist by default. Type - Success Principal - Everyone Access - Special Inherited from - None (Access - Special = Permissions: Write all properties, All extended rights, Change infrastructure master) Two instances with the following summary information will be listed. Type - Success Principal - Everyone Access - (blank) Inherited from - (CN of domain)
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- WN12-AU-000210-DC
- Vuln IDs
-
- V-226131
- V-39328
- Rule IDs
-
- SV-226131r794491_rule
- SV-51172
Checks: C-27833r475716_chk
Verify the auditing configuration for the Domain Controller OU object. Open "Active Directory Users and Computers". (Available from various menus or run "dsa.msc".) Ensure Advanced Features is selected in the View menu. Select the Domain Controllers OU under the domain being reviewed in the left pane. Right click the Domain Controllers OU object and select Properties. Select the Security tab. Select the Advanced button and then the Auditing tab. If the audit settings on the Domain Controllers OU object are not at least as inclusive as those below, this is a finding. Type - Fail Principal - Everyone Access - Full Control Inherited from - None Applies to - This object and all descendant objects The success types listed below are defaults. Where Special is listed in the summary screens for Access, detailed Permissions are provided for reference, various Properties selections may also exist by default. Type - Success Principal - Everyone Access - Special Inherited from - None Applies to - This object only (Access - Special = Permissions: all create, delete and modify permissions) Type - Success Principal - Everyone Access - Write all properties Inherited from - None Applies to - This object and all descendant objects Two instances with the following summary information will be listed. Type - Success Principal - Everyone Access - (blank) Inherited from - (CN of domain) Applies to - Descendant Organizational Unit objects
Fix: F-27821r475717_fix
Configure the audit settings for Domain Controllers OU object to include the following. Type - Fail Principal - Everyone Access - Full Control Inherited from - None The success types listed below are defaults. Where Special is listed in the summary screens for Access, detailed Permissions are provided for reference, various Properties selections may also exist by default. Type - Success Principal - Everyone Access - Special Inherited from - None Applies to - This object only (Access - Special = Permissions: all create, delete and modify permissions) Type - Success Principal - Everyone Access - Write all properties Inherited from - None Applies to - This object and all descendant objects Two instances with the following summary information will be listed. Type - Success Principal - Everyone Access - (blank) Inherited from - (CN of domain) Applies to - Descendant Organizational Unit objects
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- WN12-AU-000211-DC
- Vuln IDs
-
- V-226132
- V-39329
- Rule IDs
-
- SV-226132r794492_rule
- SV-51173
Checks: C-27834r475719_chk
Verify the auditing configuration for the AdminSDHolder object. Open "Active Directory Users and Computers". (Available from various menus or run "dsa.msc".) Ensure Advanced Features is selected in the View menu. Select System under the domain being reviewed in the left pane. Right click the AdminSDHolder object in the right pane and select Properties. Select the Security tab. Select the Advanced button and then the Auditing tab. If the audit settings on the AdminSDHolder object are not at least as inclusive as those below, this is a finding. Type - Fail Principal - Everyone Access - Full Control Inherited from - None Applies to - This object only The success types listed below are defaults. Where Special is listed in the summary screens for Access, detailed Permissions are provided for reference, various Properties selections may also exist by default. Type - Success Principal - Everyone Access - Special Inherited from - None Applies to - This object only (Access - Special = Write all properties, Modify permissions, Modify owner) Two instances with the following summary information will be listed. Type - Success Principal - Everyone Access - (blank) Inherited from - (CN of domain) Applies to - Descendant Organizational Unit objects
Fix: F-27822r475720_fix
Configure the audit settings for AdminSDHolder object to include the following. Type - Fail Principal - Everyone Access - Full Control Inherited from - None Applies to - This object only The success types listed below are defaults. Where Special is listed in the summary screens for Access, detailed Permissions are provided for reference, various Properties selections may also exist by default. Type - Success Principal - Everyone Access - Special Inherited from - None Applies to - This object only (Access - Special = Write all properties, Modify permissions, Modify owner) Two instances with the following summary information will be listed. Type - Success Principal - Everyone Access - (blank) Inherited from - (CN of domain) Applies to - Descendant Organizational Unit objects
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- WN12-AU-000212-DC
- Vuln IDs
-
- V-226133
- V-39330
- Rule IDs
-
- SV-226133r794493_rule
- SV-51174
Checks: C-27835r475722_chk
Verify the auditing configuration for the RID Manager$ object. Open "Active Directory Users and Computers". (Available from various menus or run "dsa.msc".) Ensure Advanced Features is selected in the View menu. Select System under the domain being reviewed in the left pane. Right-click the RID Manager$ object in the right pane and select Properties. Select the Security tab. Select the Advanced button and then the Auditing tab. If the audit settings on the RID Manager$ object are not at least as inclusive as those below, this is a finding. Type - Fail Principal - Everyone Access - Full Control Inherited from - None The success types listed below are defaults. Where Special is listed in the summary screens for Access, detailed Permissions are provided for reference, various Properties selections may also exist by default. Type - Success Principal - Everyone Access - Special Inherited from - None (Access - Special = Write all properties, All extended rights, Change RID master) Two instances with the following summary information will be listed. Type - Success Principal - Everyone Access - (blank) Inherited from - (CN of domain)
Fix: F-27823r475723_fix
Configure the audit settings for RID Manager$ object to include the following. Type - Fail Principal - Everyone Access - Full Control Inherited from - None The success types listed below are defaults. Where Special is listed in the summary screens for Access, detailed Permissions are provided for reference, various Properties selections may also exist by default. Type - Success Principal - Everyone Access - Special Inherited from - None (Access - Special = Write all properties, All extended rights, Change RID master) Two instances with the following summary information will be listed. Type - Success Principal - Everyone Access - (blank) Inherited from - (CN of domain)
- RMF Control
- AU-9
- Severity
- M
- CCI
- CCI-001494
- Version
- WN12-AU-000213
- Vuln IDs
-
- V-226134
- V-57721
- Rule IDs
-
- SV-226134r794458_rule
- SV-72135
Checks: C-27836r475725_chk
Verify the permissions on Event Viewer only allow TrustedInstaller permissions to change or modify. If any groups or accounts other than TrustedInstaller have Full control or Modify, this is a finding. Navigate to "%SystemRoot%\SYSTEM32". View the permissions on "Eventvwr.exe". The default permissions below satisfy this requirement. TrustedInstaller - Full Control Administrators, SYSTEM, Users, ALL APPLICATION PACKAGES - Read & Execute
Fix: F-27824r475726_fix
Ensure only TrustedInstaller has permissions to change or modify Event Viewer ("%SystemRoot%\SYSTEM32\Eventvwr.exe). The default permissions below satisfy this requirement. TrustedInstaller - Full Control Administrators, SYSTEM, Users, ALL APPLICATION PACKAGES - Read & Execute
- RMF Control
- CM-7
- Severity
- M
- CCI
- CCI-000381
- Version
- WN12-CC-000001
- Vuln IDs
-
- V-226135
- V-15696
- Rule IDs
-
- SV-226135r794411_rule
- SV-53072
Checks: C-27837r475728_chk
If the following registry values do not exist or are not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Policies\Microsoft\Windows\LLTD\ Value Name: AllowLLTDIOOndomain Value Name: AllowLLTDIOOnPublicNet Value Name: EnableLLTDIO Value Name: ProhibitLLTDIOOnPrivateNet Type: REG_DWORD Value: 0
Fix: F-27825r475729_fix
Configure the policy value for Computer Configuration -> Administrative Templates -> Network -> Link-Layer Topology Discovery -> "Turn on Mapper I/O (LLTDIO) driver" to "Disabled".
- RMF Control
- CM-7
- Severity
- M
- CCI
- CCI-000381
- Version
- WN12-CC-000002
- Vuln IDs
-
- V-226136
- V-15697
- Rule IDs
-
- SV-226136r794412_rule
- SV-53081
Checks: C-27838r475731_chk
If the following registry values do not exist or are not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Policies\Microsoft\Windows\LLTD\ Value Name: AllowRspndrOndomain Value Name: AllowRspndrOnPublicNet Value Name: EnableRspndr Value Name: ProhibitRspndrOnPrivateNet Type: REG_DWORD Value: 0
Fix: F-27826r475732_fix
Configure the policy value for Computer Configuration -> Administrative Templates -> Network -> Link-Layer Topology Discovery -> "Turn on Responder (RSPNDR) driver" to "Disabled".
- RMF Control
- CM-7
- Severity
- M
- CCI
- CCI-000381
- Version
- WN12-CC-000003
- Vuln IDs
-
- V-226137
- V-15666
- Rule IDs
-
- SV-226137r794413_rule
- SV-53012
Checks: C-27839r475734_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Policies\Microsoft\Peernet\ Value Name: Disabled Type: REG_DWORD Value: 1
Fix: F-27827r475735_fix
Configure the policy value for Computer Configuration -> Administrative Templates -> Network -> Microsoft Peer-to-Peer Networking Services -> "Turn off Microsoft Peer-to-Peer Networking Services" to "Enabled".
- RMF Control
- CM-7
- Severity
- M
- CCI
- CCI-000381
- Version
- WN12-CC-000004
- Vuln IDs
-
- V-226138
- V-15667
- Rule IDs
-
- SV-226138r794414_rule
- SV-53014
Checks: C-27840r475737_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Policies\Microsoft\Windows\Network Connections\ Value Name: NC_AllowNetBridge_NLA Type: REG_DWORD Value: 0
Fix: F-27828r475738_fix
Configure the policy value for Computer Configuration -> Administrative Templates -> Network -> Network Connections -> "Prohibit installation and configuration of Network Bridge on your DNS domain network" to "Enabled".
- RMF Control
- SC-3
- Severity
- L
- CCI
- CCI-001084
- Version
- WN12-CC-000005
- Vuln IDs
-
- V-226139
- V-21960
- Rule IDs
-
- SV-226139r794452_rule
- SV-53182
Checks: C-27841r475740_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Policies\Microsoft\Windows\Network Connections\ Value Name: NC_StdDomainUserSetLocation Type: REG_DWORD Value: 1
Fix: F-27829r475741_fix
Configure the policy value for Computer Configuration -> Administrative Templates -> Network -> Network Connections -> "Require domain users to elevate when setting a network's location" to "Enabled".
- RMF Control
- CM-6
- Severity
- L
- CCI
- CCI-000366
- Version
- WN12-CC-000006
- Vuln IDs
-
- V-226140
- V-21961
- Rule IDs
-
- SV-226140r794494_rule
- SV-53183
Checks: C-27842r475743_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Policies\Microsoft\Windows\TCPIP\v6Transition\ Value Name: Force_Tunneling Type: REG_SZ Value: Enabled
Fix: F-27830r475744_fix
Configure the policy value for Computer Configuration -> Administrative Templates -> Network -> Network Connections -> "Route all traffic through the internal network" to "Enabled: Enabled State".
- RMF Control
- CM-6
- Severity
- L
- CCI
- CCI-000366
- Version
- WN12-CC-000011
- Vuln IDs
-
- V-226145
- V-36673
- Rule IDs
-
- SV-226145r794495_rule
- SV-51605
Checks: C-27847r475758_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Services\Tcpip\Parameters\ Value Name: EnableIPAutoConfigurationLimits Type: REG_DWORD Value: 1
Fix: F-27835r475759_fix
Configure the policy value for Computer Configuration -> Administrative Templates -> Network -> TCPIP Settings -> Parameters -> "Set IP Stateless Autoconfiguration Limits State" to "Enabled".
- RMF Control
- CM-7
- Severity
- M
- CCI
- CCI-000381
- Version
- WN12-CC-000012
- Vuln IDs
-
- V-226146
- V-15698
- Rule IDs
-
- SV-226146r794417_rule
- SV-53085
Checks: C-27848r475761_chk
If the following registry values do not exist or are not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Policies\Microsoft\Windows\WCN\Registrars\ Value Name: DisableFlashConfigRegistrar Value Name: DisableInBand802DOT11Registrar Value Name: DisableUPnPRegistrar Value Name: DisableWPDRegistrar Value Name: EnableRegistrars Type: REG_DWORD Value: 0
Fix: F-27836r475762_fix
Configure the policy value for Computer Configuration -> Administrative Templates -> Network -> Windows Connect Now -> "Configuration of wireless settings using Windows Connect Now" to "Disabled".
- RMF Control
- CM-7
- Severity
- M
- CCI
- CCI-000381
- Version
- WN12-CC-000013
- Vuln IDs
-
- V-226147
- V-15699
- Rule IDs
-
- SV-226147r794418_rule
- SV-53089
Checks: C-27849r475764_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Policies\Microsoft\Windows\WCN\UI\ Value Name: DisableWcnUi Type: REG_DWORD Value: 1
Fix: F-27837r475765_fix
Configure the policy value for Computer Configuration -> Administrative Templates -> Network -> Windows Connect Now -> "Prohibit access of the Windows Connect Now wizards" to "Enabled".
- RMF Control
- CM-11
- Severity
- L
- CCI
- CCI-001812
- Version
- WN12-CC-000016
- Vuln IDs
-
- V-226148
- V-21963
- Rule IDs
-
- SV-226148r794467_rule
- SV-53184
Checks: C-27850r475767_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Policies\Microsoft\Windows NT\Printers\ Value Name: DoNotInstallCompatibleDriverFromWindowsUpdate Type: REG_DWORD Value: 1
Fix: F-27838r475768_fix
Configure the policy value for Computer Configuration -> Administrative Templates -> Printers -> "Extend Point and Print connection to search Windows Update" to "Disabled".
- RMF Control
- CM-11
- Severity
- L
- CCI
- CCI-001812
- Version
- WN12-CC-000018
- Vuln IDs
-
- V-226149
- V-36677
- Rule IDs
-
- SV-226149r794468_rule
- SV-51606
Checks: C-27851r475770_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\Servicing\ Value Name: UseWindowsUpdate Type: REG_DWORD Value: 2
Fix: F-27839r475771_fix
Configure the policy value for Computer Configuration -> Administrative Templates -> System -> "Specify settings for optional component installation and component repair" to "Enabled" and with "Never attempt to download payload from Windows Update" selected.
- RMF Control
- CM-7
- Severity
- M
- CCI
- CCI-000381
- Version
- WN12-CC-000019
- Vuln IDs
-
- V-226150
- V-15700
- Rule IDs
-
- SV-226150r794419_rule
- SV-53094
Checks: C-27852r475773_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Policies\Microsoft\Windows\DeviceInstall\Settings\ Value Name: AllowRemoteRPC Type: REG_DWORD Value: 0
Fix: F-27840r475774_fix
Configure the policy value for Computer Configuration -> Administrative Templates -> System -> Device Installation -> "Allow remote access to the Plug and Play interface" to "Disabled".
- RMF Control
- CM-7
- Severity
- L
- CCI
- CCI-000381
- Version
- WN12-CC-000020
- Vuln IDs
-
- V-226151
- V-15702
- Rule IDs
-
- SV-226151r794420_rule
- SV-53105
Checks: C-27853r475776_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Policies\Microsoft\Windows\DeviceInstall\Settings\ Value Name: DisableSendGenericDriverNotFoundToWER Type: REG_DWORD Value: 1
Fix: F-27841r475777_fix
Configure the policy value for Computer Configuration -> Administrative Templates -> System -> Device Installation -> "Do not send a Windows error report when a generic driver is installed on a device" to "Enabled".
- RMF Control
- CM-6
- Severity
- L
- CCI
- CCI-000366
- Version
- WN12-CC-000021
- Vuln IDs
-
- V-226152
- V-15701
- Rule IDs
-
- SV-226152r794496_rule
- SV-53099
Checks: C-27854r475779_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Policies\Microsoft\Windows\DeviceInstall\Settings\ Value Name: DisableSystemRestore Type: REG_DWORD Value: 0
Fix: F-27842r475780_fix
Configure the policy value for Computer Configuration -> Administrative Templates -> System -> Device Installation -> "Prevent creation of a system restore point during device activity that would normally prompt creation of a restore point" to "Disabled".
- RMF Control
- CM-7
- Severity
- L
- CCI
- CCI-000381
- Version
- WN12-CC-000022
- Vuln IDs
-
- V-226153
- V-21964
- Rule IDs
-
- SV-226153r794421_rule
- SV-53185
Checks: C-27855r475782_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows\Device Metadata\ Value Name: PreventDeviceMetadataFromNetwork Value Type: REG_DWORD Value: 1
Fix: F-27843r475783_fix
Configure the policy value for Computer Configuration >> Administrative Templates >> System >> Device Installation >> "Prevent device metadata retrieval from the Internet" to "Enabled".
- RMF Control
- CM-7
- Severity
- L
- CCI
- CCI-000381
- Version
- WN12-CC-000023
- Vuln IDs
-
- V-226154
- V-28504
- Rule IDs
-
- SV-226154r794422_rule
- SV-52962
Checks: C-27856r475785_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Policies\Microsoft\Windows\DeviceInstall\Settings\ Value Name: DisableSendRequestAdditionalSoftwareToWER Type: REG_DWORD Value: 1
Fix: F-27844r475786_fix
Configure the policy value for Computer Configuration -> Administrative Templates -> System -> Device Installation -> "Prevent Windows from sending an error report when a device driver requests additional software during installation" to "Enabled".
- RMF Control
- CM-11
- Severity
- L
- CCI
- CCI-001812
- Version
- WN12-CC-000024
- Vuln IDs
-
- V-226155
- V-21965
- Rule IDs
-
- SV-226155r794469_rule
- SV-53186
Checks: C-27857r475788_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Policies\Microsoft\Windows\DriverSearching\ Value Name: SearchOrderConfig Type: REG_DWORD Value: 0
Fix: F-27845r475789_fix
Configure the policy value for Computer Configuration -> Administrative Templates -> System -> Device Installation -> "Specify search order for device driver source locations" to "Enabled: Do not search Windows Update".
- RMF Control
- CM-11
- Severity
- L
- CCI
- CCI-001812
- Version
- WN12-CC-000025
- Vuln IDs
-
- V-226156
- V-36678
- Rule IDs
-
- SV-226156r794470_rule
- SV-51607
Checks: C-27858r475791_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Policies\Microsoft\Windows\DriverSearching\ Value Name: DriverServerSelection Type: REG_DWORD Value: 1
Fix: F-27846r475792_fix
Configure the policy value for Computer Configuration -> Administrative Templates -> System -> Device Installation -> "Specify the search server for device driver updates" to "Enabled" with "Search Managed Server" selected.
- RMF Control
- CM-11
- Severity
- L
- CCI
- CCI-001812
- Version
- WN12-CC-000026
- Vuln IDs
-
- V-226157
- V-15703
- Rule IDs
-
- SV-226157r794471_rule
- SV-53115
Checks: C-27859r475794_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Policies\Microsoft\Windows\DriverSearching\ Value Name: DontPromptForWindowsUpdate Type: REG_DWORD Value: 1
Fix: F-27847r475795_fix
Configure the policy value for Computer Configuration -> Administrative Templates -> System -> Driver Installation -> "Turn off Windows Update device driver search prompt" to "Enabled".
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- WN12-CC-000027
- Vuln IDs
-
- V-226158
- V-36679
- Rule IDs
-
- SV-226158r794497_rule
- SV-51608
Checks: C-27860r475797_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Policies\EarlyLaunch\ Value Name: DriverLoadPolicy Type: REG_DWORD Value: 1
Fix: F-27848r475798_fix
Configure the policy value for Computer Configuration -> Administrative Templates -> System -> Early Launch Antimalware -> "Boot-Start Driver Initialization Policy" to "Enabled" with "Good and Unknown" selected.
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- WN12-CC-000028
- Vuln IDs
-
- V-226159
- V-4448
- Rule IDs
-
- SV-226159r794498_rule
- SV-52933
Checks: C-27861r475800_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}\ Value Name: NoGPOListChanges Type: REG_DWORD Value: 0
Fix: F-27849r475801_fix
Configure the policy value for Computer Configuration -> Administrative Templates -> System -> Group Policy -> "Configure registry policy processing" to "Enabled" and select the option "Process even if the Group Policy objects have not changed".
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- WN12-CC-000029
- Vuln IDs
-
- V-226160
- V-3469
- Rule IDs
-
- SV-226160r794499_rule
- SV-52906
Checks: C-27862r475803_chk
Review the registry. If the following registry value does not exist, this is not a finding (this is the expected result from configuring the policy as outlined in the Fix section.): If the following registry value exists but is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\system\ Value Name: DisableBkGndGroupPolicy Type: REG_DWORD Value: 0
Fix: F-27850r475804_fix
Configure the policy value for Computer Configuration -> Administrative Templates -> System -> Group Policy -> "Turn off background refresh of Group Policy" to "Disabled".
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- WN12-CC-000030
- Vuln IDs
-
- V-226161
- V-36680
- Rule IDs
-
- SV-226161r794423_rule
- SV-51609
Checks: C-27863r475806_chk
The Windows Store is not installed by default. If the \Windows\WinStore directory does not exist, this is NA. If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows\Explorer\ Value Name: NoUseStoreOpenWith Type: REG_DWORD Value: 1
Fix: F-27851r475807_fix
If the \Windows\WinStore directory exists, configure the policy value for Computer Configuration >> Administrative Templates >> System >> Internet Communication Management >> Internet Communication settings >> "Turn off access to the Store" to "Enabled". Alternately, uninstall the "Desktop Experience" feature from Windows 2012. This is located under "User Interfaces and Infrastructure" in the "Add Roles and Features Wizard". The \Windows\WinStore directory may need to be manually deleted after this.
- RMF Control
- CM-7
- Severity
- M
- CCI
- CCI-000381
- Version
- WN12-CC-000032
- Vuln IDs
-
- V-226162
- V-14260
- Rule IDs
-
- SV-226162r794424_rule
- SV-52998
Checks: C-27864r475809_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Policies\Microsoft\Windows NT\Printers\ Value Name: DisableWebPnPDownload Type: REG_DWORD Value: 1
Fix: F-27852r475810_fix
Configure the policy value for Computer Configuration -> Administrative Templates -> System -> Internet Communication Management -> Internet Communication settings -> "Turn off downloading of print drivers over HTTP" to "Enabled".
- RMF Control
- CM-7
- Severity
- L
- CCI
- CCI-000381
- Version
- WN12-CC-000033
- Vuln IDs
-
- V-226163
- V-15672
- Rule IDs
-
- SV-226163r794425_rule
- SV-53017
Checks: C-27865r475812_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Policies\Microsoft\EventViewer\ Value Name: MicrosoftEventVwrDisableLinks Type: REG_DWORD Value: 1
Fix: F-27853r475813_fix
Configure the policy value for Computer Configuration -> Administrative Templates -> System -> Internet Communication Management -> Internet Communication settings -> "Turn off Event Viewer "Events.asp" links" to "Enabled".
- RMF Control
- CM-7
- Severity
- L
- CCI
- CCI-000381
- Version
- WN12-CC-000035
- Vuln IDs
-
- V-226164
- V-15704
- Rule IDs
-
- SV-226164r794426_rule
- SV-53116
Checks: C-27866r475815_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Policies\Microsoft\Windows\HandwritingErrorReports\ Value Name: PreventHandwritingErrorReports Type: REG_DWORD Value: 1
Fix: F-27854r475816_fix
Configure the policy value for Computer Configuration -> Administrative Templates -> System -> Internet Communication Management -> Internet Communication settings -> "Turn off handwriting recognition error reporting" to "Enabled".
- RMF Control
- CM-7
- Severity
- M
- CCI
- CCI-000381
- Version
- WN12-CC-000038
- Vuln IDs
-
- V-226165
- V-15674
- Rule IDs
-
- SV-226165r794427_rule
- SV-53021
Checks: C-27867r475818_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ Value Name: NoInternetOpenWith Type: REG_DWORD Value: 1
Fix: F-27855r475819_fix
Configure the policy value for Computer Configuration -> Administrative Templates -> System -> Internet Communication Management -> Internet Communication settings -> "Turn off Internet File Association service" to "Enabled".
- RMF Control
- CM-7
- Severity
- M
- CCI
- CCI-000381
- Version
- WN12-CC-000039
- Vuln IDs
-
- V-226166
- V-14259
- Rule IDs
-
- SV-226166r794428_rule
- SV-52997
Checks: C-27868r475821_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Policies\Microsoft\Windows NT\Printers\ Value Name: DisableHTTPPrinting Type: REG_DWORD Value: 1
Fix: F-27856r475822_fix
Configure the policy value for Computer Configuration -> Administrative Templates -> System -> Internet Communication Management -> Internet Communication settings -> "Turn off printing over HTTP" to "Enabled".
- RMF Control
- CM-7
- Severity
- M
- CCI
- CCI-000381
- Version
- WN12-CC-000045
- Vuln IDs
-
- V-226167
- V-16020
- Rule IDs
-
- SV-226167r794429_rule
- SV-53143
Checks: C-27869r475824_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Policies\Microsoft\SQMClient\Windows\ Value Name: CEIPEnable Type: REG_DWORD Value: 0
Fix: F-27857r475825_fix
Configure the policy value for Computer Configuration -> Administrative Templates -> System -> Internet Communication Management -> Internet Communication Settings -> "Turn off Windows Customer Experience Improvement Program" to "Enabled".
- RMF Control
- CM-11
- Severity
- M
- CCI
- CCI-001812
- Version
- WN12-CC-000047
- Vuln IDs
-
- V-226168
- V-14261
- Rule IDs
-
- SV-226168r794472_rule
- SV-53000
Checks: C-27870r475827_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Policies\Microsoft\Windows\DriverSearching\ Value Name: DontSearchWindowsUpdate Type: REG_DWORD Value: 1
Fix: F-27858r475828_fix
Configure the policy value for Computer Configuration -> Administrative Templates -> System -> Internet Communication Management -> Internet Communication settings -> "Turn off Windows Update device driver searching" to "Enabled".
- RMF Control
- CM-7
- Severity
- M
- CCI
- CCI-000381
- Version
- WN12-CC-000048
- Vuln IDs
-
- V-226169
- V-36681
- Rule IDs
-
- SV-226169r794430_rule
- SV-51610
Checks: C-27871r475830_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Policies\Microsoft\Control Panel\International\ Value Name: BlockUserInputMethodsForSignIn Type: REG_DWORD Value: 1
Fix: F-27859r475831_fix
Configure the policy value for Computer Configuration -> Administrative Templates -> System -> Locale Services -> "Disallow copying of user input methods to the system account for sign-in" to "Enabled".
- RMF Control
- CM-7
- Severity
- M
- CCI
- CCI-000381
- Version
- WN12-CC-000051
- Vuln IDs
-
- V-226170
- V-36684
- Rule IDs
-
- SV-226170r794431_rule
- SV-51611
Checks: C-27872r475833_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Policies\Microsoft\Windows\System\ Value Name: EnumerateLocalUsers Type: REG_DWORD Value: 0
Fix: F-27860r475834_fix
Configure the policy value for Computer Configuration -> Administrative Templates -> System -> Logon -> "Enumerate local users on domain-joined computers" to "Disabled".
- RMF Control
- CM-7
- Severity
- M
- CCI
- CCI-000381
- Version
- WN12-CC-000052
- Vuln IDs
-
- V-226171
- V-36687
- Rule IDs
-
- SV-226171r794432_rule
- SV-51612
Checks: C-27873r475836_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Policies\Microsoft\Windows\System\ Value Name: DisableLockScreenAppNotifications Type: REG_DWORD Value: 1
Fix: F-27861r475837_fix
Configure the policy value for Computer Configuration -> Administrative Templates -> System -> Logon -> "Turn off app notifications on the lock screen" to "Enabled".
- RMF Control
- IA-11
- Severity
- M
- CCI
- CCI-002038
- Version
- WN12-CC-000054
- Vuln IDs
-
- V-226172
- V-15705
- Rule IDs
-
- SV-226172r794480_rule
- SV-53131
Checks: C-27874r475839_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51\ Value Name: DCSettingIndex Type: REG_DWORD Value: 1
Fix: F-27862r475840_fix
Configure the policy value for Computer Configuration -> Administrative Templates -> System -> Power Management -> Sleep Settings -> "Require a password when a computer wakes (on battery)" to "Enabled".
- RMF Control
- IA-11
- Severity
- M
- CCI
- CCI-002038
- Version
- WN12-CC-000055
- Vuln IDs
-
- V-226173
- V-15706
- Rule IDs
-
- SV-226173r794481_rule
- SV-53132
Checks: C-27875r475842_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51\ Value Name: ACSettingIndex Type: REG_DWORD Value: 1
Fix: F-27863r475843_fix
Configure the policy value for Computer Configuration -> Administrative Templates -> System -> Power Management -> Sleep Settings -> "Require a password when a computer wakes (plugged in)" to "Enabled".
- RMF Control
- SC-4
- Severity
- M
- CCI
- CCI-001090
- Version
- WN12-CC-000058
- Vuln IDs
-
- V-226174
- V-3470
- Rule IDs
-
- SV-226174r794454_rule
- SV-52917
Checks: C-27876r475845_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Policies\Microsoft\Windows NT\Terminal Services\ Value Name: fAllowUnsolicited Type: REG_DWORD Value: 0
Fix: F-27864r475846_fix
Configure the policy value for Computer Configuration -> Administrative Templates -> System -> Remote Assistance -> "Configure Offer Remote Assistance" to "Disabled".
- RMF Control
- SC-4
- Severity
- H
- CCI
- CCI-001090
- Version
- WN12-CC-000059
- Vuln IDs
-
- V-226175
- V-3343
- Rule IDs
-
- SV-226175r794455_rule
- SV-52885
Checks: C-27877r475848_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Policies\Microsoft\Windows NT\Terminal Services\ Value Name: fAllowToGetHelp Type: REG_DWORD Value: 0
Fix: F-27865r475849_fix
Configure the policy value for Computer Configuration -> Administrative Templates -> System -> Remote Assistance -> "Configure Solicited Remote Assistance" to "Disabled".
- RMF Control
- CM-6
- Severity
- L
- CCI
- CCI-000366
- Version
- WN12-CC-000062
- Vuln IDs
-
- V-226176
- V-15707
- Rule IDs
-
- SV-226176r794500_rule
- SV-53133
Checks: C-27878r475851_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Policies\Microsoft\Windows NT\Terminal Services\ Value Name: LoggingEnabled Type: REG_DWORD Value: 1
Fix: F-27866r475852_fix
Configure the policy value for Computer Configuration -> Administrative Templates -> System -> Remote Assistance -> "Turn on session logging" to "Enabled".
- RMF Control
- CM-7
- Severity
- L
- CCI
- CCI-000381
- Version
- WN12-CC-000065
- Vuln IDs
-
- V-226177
- V-36696
- Rule IDs
-
- SV-226177r794433_rule
- SV-51737
Checks: C-27879r475854_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Policies\Microsoft\Windows\AppCompat\ Value Name: DisablePcaUI Type: REG_DWORD Value: 0
Fix: F-27867r475855_fix
Configure the policy value for Computer Configuration -> Administrative Templates -> System -> Troubleshooting and Diagnostics -> Application Compatibility Diagnostics -> "Detect compatibility issues for applications and drivers" to "Disabled".
- RMF Control
- CM-7
- Severity
- L
- CCI
- CCI-000381
- Version
- WN12-CC-000066
- Vuln IDs
-
- V-226178
- V-21967
- Rule IDs
-
- SV-226178r794434_rule
- SV-53187
Checks: C-27880r475857_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy\ Value Name: DisableQueryRemoteServer Type: REG_DWORD Value: 0
Fix: F-27868r475858_fix
Configure the policy value for Computer Configuration -> Administrative Templates -> System -> Troubleshooting and Diagnostics -> Microsoft Support Diagnostic Tool -> "Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider" to "Disabled".
- RMF Control
- CM-7
- Severity
- L
- CCI
- CCI-000381
- Version
- WN12-CC-000067
- Vuln IDs
-
- V-226179
- V-21969
- Rule IDs
-
- SV-226179r794435_rule
- SV-53188
Checks: C-27881r475860_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy\ Value Name: EnableQueryRemoteServer Type: REG_DWORD Value: 0
Fix: F-27869r475861_fix
Configure the policy value for Computer Configuration -> Administrative Templates -> System -> Troubleshooting and Diagnostics -> Scripted Diagnostics -> "Troubleshooting: Allow users to access online troubleshooting content on Microsoft servers from the Troubleshooting Control Panel (via the Windows Online Troubleshooting Service - WOTS)" to "Disabled".
- RMF Control
- CM-7
- Severity
- L
- CCI
- CCI-000381
- Version
- WN12-CC-000068
- Vuln IDs
-
- V-226180
- V-21970
- Rule IDs
-
- SV-226180r794436_rule
- SV-53128
Checks: C-27882r475863_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d}\ Value Name: ScenarioExecutionEnabled Type: REG_DWORD Value: 0
Fix: F-27870r475864_fix
Configure the policy value for Computer Configuration -> Administrative Templates -> System -> Troubleshooting and Diagnostics -> Windows Performance PerfTrack -> "Enable/Disable PerfTrack" to "Disabled".
- RMF Control
- AU-8
- Severity
- L
- CCI
- CCI-001891
- Version
- WN12-CC-000069
- Vuln IDs
-
- V-226181
- V-3472
- Rule IDs
-
- SV-226181r794507_rule
- SV-52919
Checks: C-27883r475866_chk
Open "Windows PowerShell" or an elevated "Command Prompt" (run as administrator). Enter "W32tm /query /configuration". Domain-joined systems are automatically configured with a "Type" of "NT5DS" to synchronize with domain controllers and would not be a finding. If systems are configured with a "Type" of "NTP", including standalone systems and the forest root domain controller with the PDC Emulator role, and do not have a DoD time server defined for "NTPServer", this is a finding. (See V-8557 in the Active Directory Forest STIG for the time source requirement of the forest root domain PDC emulator.) If an alternate time synchronization tool is used and is not enabled or not configured to synchronize with a DoD time source, this is a finding. The US Naval Observatory operates stratum 1 time servers, identified at http://tycho.usno.navy.mil/ntp.html. Time synchronization will occur through a hierarchy of time servers down to the local level. Clients and lower-level servers will synchronize with an authorized time server in the hierarchy.
Fix: F-27871r475867_fix
If the system needs to be configured to an NTP server, configure the system to point to an authorized time server by setting the policy value for Computer Configuration >> Administrative Templates >> System >> Windows Time Service >> Time Providers >> "Configure Windows NTP Client" to "Enabled", and configure the "NtpServer" field to point to an authorized time server. The US Naval Observatory operates stratum 1 time servers, identified at http://tycho.usno.navy.mil/ntp.html. Time synchronization will occur through a hierarchy of time servers down to the local level. Clients and lower-level servers will synchronize with an authorized time server in the hierarchy.
- RMF Control
- CM-6
- Severity
- L
- CCI
- CCI-000366
- Version
- WN12-CC-000070
- Vuln IDs
-
- V-226182
- V-36697
- Rule IDs
-
- SV-226182r794437_rule
- SV-51738
Checks: C-27884r475869_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Policies\Microsoft\Windows\Appx\ Value Name: AllowAllTrustedApps Type: REG_DWORD Value: 1
Fix: F-27872r475870_fix
Configure the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> App Package Deployment -> "Allow all trusted apps to install" to "Enabled".
- RMF Control
- CM-7
- Severity
- L
- CCI
- CCI-000381
- Version
- WN12-CC-000071
- Vuln IDs
-
- V-226183
- V-21971
- Rule IDs
-
- SV-226183r794438_rule
- SV-53127
Checks: C-27885r475872_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Policies\Microsoft\Windows\AppCompat\ Value Name: DisableInventory Type: REG_DWORD Value: 1
Fix: F-27873r475873_fix
Configure the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Application Compatibility -> "Turn off Inventory Collector" to "Enabled".
- RMF Control
- CM-7
- Severity
- H
- CCI
- CCI-001764
- Version
- WN12-CC-000072
- Vuln IDs
-
- V-226184
- V-21973
- Rule IDs
-
- SV-226184r794477_rule
- SV-53126
Checks: C-27886r475875_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Policies\Microsoft\Windows\Explorer\ Value Name: NoAutoplayfornonVolume Type: REG_DWORD Value: 1
Fix: F-27874r475876_fix
Configure the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> AutoPlay Policies -> "Disallow Autoplay for non-volume devices" to "Enabled".
- RMF Control
- CM-7
- Severity
- H
- CCI
- CCI-001764
- Version
- WN12-CC-000073
- Vuln IDs
-
- V-226185
- V-22692
- Rule IDs
-
- SV-226185r794478_rule
- SV-53124
Checks: C-27887r475878_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ Value Name: NoAutorun Type: REG_DWORD Value: 1
Fix: F-27875r475879_fix
Configure the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> AutoPlay Policies -> "Set the default behavior for AutoRun" to "Enabled:Do not execute any autorun commands".
- RMF Control
- CM-7
- Severity
- H
- CCI
- CCI-001764
- Version
- WN12-CC-000074
- Vuln IDs
-
- V-226186
- V-2374
- Rule IDs
-
- SV-226186r794479_rule
- SV-52879
Checks: C-27888r475881_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ Value Name: NoDriveTypeAutoRun Type: REG_DWORD Value: 0x000000ff (255)
Fix: F-27876r475882_fix
Configure the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> AutoPlay Policies -> "Turn off AutoPlay" to "Enabled:All Drives".
- RMF Control
- CM-7
- Severity
- M
- CCI
- CCI-000381
- Version
- WN12-CC-000075
- Vuln IDs
-
- V-226187
- V-36698
- Rule IDs
-
- SV-226187r794439_rule
- SV-51739
Checks: C-27889r475884_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Biometrics\ Value Name: Enabled Type: REG_DWORD Value: 0
Fix: F-27877r475885_fix
Configure the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Biometrics -> "Allow the use of biometrics" to "Disabled".
- RMF Control
- IA-6
- Severity
- M
- CCI
- CCI-000206
- Version
- WN12-CC-000076
- Vuln IDs
-
- V-226188
- V-36700
- Rule IDs
-
- SV-226188r794410_rule
- SV-51740
Checks: C-27890r475887_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Policies\Microsoft\Windows\CredUI\ Value Name: DisablePasswordReveal Type: REG_DWORD Value: 1
Fix: F-27878r475888_fix
Configure the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Credential User Interface -> "Do not display the password reveal button" to "Enabled".
- RMF Control
- SC-3
- Severity
- M
- CCI
- CCI-001084
- Version
- WN12-CC-000077
- Vuln IDs
-
- V-226189
- V-14243
- Rule IDs
-
- SV-226189r794453_rule
- SV-52955
Checks: C-27891r475890_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI\ Value Name: EnumerateAdministrators Type: REG_DWORD Value: 0x00000000 (0)
Fix: F-27879r475891_fix
Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Credential User Interface >> "Enumerate administrator accounts on elevation" to "Disabled".
- RMF Control
- AU-4
- Severity
- M
- CCI
- CCI-001849
- Version
- WN12-CC-000084
- Vuln IDs
-
- V-226190
- V-26579
- Rule IDs
-
- SV-226190r794463_rule
- SV-52966
Checks: C-27892r475893_chk
If the system is configured to write events directly to an audit server, this is NA. If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows\EventLog\Application\ Value Name: MaxSize Type: REG_DWORD Value: 0x00008000 (32768) (or greater)
Fix: F-27880r475894_fix
Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Event Log Service >> Application >> "Specify the maximum log file size (KB)" to "Enabled" with a "Maximum Log Size (KB)" of "32768" or greater.
- RMF Control
- AU-4
- Severity
- M
- CCI
- CCI-001849
- Version
- WN12-CC-000085
- Vuln IDs
-
- V-226191
- V-26580
- Rule IDs
-
- SV-226191r794464_rule
- SV-52965
Checks: C-27893r475896_chk
If the system is configured to write events directly to an audit server, this is NA. If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows\EventLog\Security\ Value Name: MaxSize Type: REG_DWORD Value: 0x00030000 (196608) (or greater)
Fix: F-27881r475897_fix
Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Event Log Service >> Security >> "Specify the maximum log file size (KB)" to "Enabled" with a "Maximum Log Size (KB)" of "196608" or greater.
- RMF Control
- AU-4
- Severity
- M
- CCI
- CCI-001849
- Version
- WN12-CC-000086
- Vuln IDs
-
- V-226192
- V-26581
- Rule IDs
-
- SV-226192r794465_rule
- SV-52964
Checks: C-27894r475899_chk
If the system is configured to write events directly to an audit server, this is NA. If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup\ Value Name: MaxSize Type: REG_DWORD Value: 0x00008000 (32768) (or greater)
Fix: F-27882r475900_fix
Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Event Log Service >> Setup >> "Specify the maximum log file size (KB)" to "Enabled" with a "Maximum Log Size (KB)" of "32768" or greater.
- RMF Control
- AU-4
- Severity
- M
- CCI
- CCI-001849
- Version
- WN12-CC-000087
- Vuln IDs
-
- V-226193
- V-26582
- Rule IDs
-
- SV-226193r794466_rule
- SV-52963
Checks: C-27895r475902_chk
If the system is configured to write events directly to an audit server, this is NA. If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows\EventLog\System\ Value Name: MaxSize Type: REG_DWORD Value: 0x00008000 (32768) (or greater)
Fix: F-27883r475903_fix
Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Event Log Service >> System >> "Specify the maximum log file size (KB)" to "Enabled" with a "Maximum Log Size (KB)" of "32768" or greater.
- RMF Control
- CM-7
- Severity
- M
- CCI
- CCI-000381
- Version
- WN12-CC-000088
- Vuln IDs
-
- V-226194
- V-36707
- Rule IDs
-
- SV-226194r794440_rule
- SV-51747
Checks: C-27896r475905_chk
This is applicable to unclassified systems; for other systems, this is NA. If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows\System\ Value Name: EnableSmartScreen Type: REG_DWORD Value: 0x00000001 (1) (Give user a warning…) Or 0x00000002 (2) (Require approval…)
Fix: F-27884r475906_fix
Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> File Explorer >> "Configure Windows SmartScreen" to "Enabled" with either "Give user a warning before running downloaded unknown software" or "Require approval from an administrator before running downloaded unknown software" selected. Microsoft has changed this setting several times in the Windows 10 administrative templates, which will affect group policies in a domain if later templates are used. v1607 of Windows 10 and Windows Server 2016 changed the setting to only Enabled or Disabled without additional selections. Enabled is effectively "Give user a warning…". v1703 of Windows 10 or later administrative templates changed the policy name to "Configure Windows Defender SmartScreen", and the selectable options are "Warn" and "Warn and prevent bypass". When either of these are applied to a Windows 2012/2012 R2 system, it will configure the registry equivalent of "Give user a warning…").
- RMF Control
- SI-16
- Severity
- M
- CCI
- CCI-002824
- Version
- WN12-CC-000089
- Vuln IDs
-
- V-226195
- V-21980
- Rule IDs
-
- SV-226195r794488_rule
- SV-53125
Checks: C-27897r475908_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Policies\Microsoft\Windows\Explorer\ Value Name: NoDataExecutionPrevention Type: REG_DWORD Value: 0
Fix: F-27885r475909_fix
Configure the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> File Explorer -> "Turn off Data Execution Prevention for Explorer" to "Disabled".
- RMF Control
- SC-5
- Severity
- L
- CCI
- CCI-002385
- Version
- WN12-CC-000090
- Vuln IDs
-
- V-226196
- V-15718
- Rule IDs
-
- SV-226196r794487_rule
- SV-53137
Checks: C-27898r475911_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Policies\Microsoft\Windows\Explorer\ Value Name: NoHeapTerminationOnCorruption Type: REG_DWORD Value: 0
Fix: F-27886r475912_fix
Configure the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> File Explorer -> "Turn off heap termination on corruption" to "Disabled".
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- WN12-CC-000091
- Vuln IDs
-
- V-226197
- V-15683
- Rule IDs
-
- SV-226197r794501_rule
- SV-53045
Checks: C-27899r475914_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ Value Name: PreXPSP2ShellProtocolBehavior Type: REG_DWORD Value: 0
Fix: F-27887r475915_fix
Configure the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> File Explorer -> "Turn off shell protocol protected mode" to "Disabled".
- RMF Control
- CM-7
- Severity
- M
- CCI
- CCI-000381
- Version
- WN12-CC-000095
- Vuln IDs
-
- V-226198
- V-36708
- Rule IDs
-
- SV-226198r794441_rule
- SV-51748
Checks: C-27900r475917_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Policies\Microsoft\Windows\LocationAndSensors\ Value Name: DisableLocation Type: REG_DWORD Value: 1 (Enabled) If location services are approved for the system by the organization, this may be set to "Disabled" (0). This must be documented with the ISSO.
Fix: F-27888r475918_fix
Configure the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Location and Sensors -> "Turn off location" to "Enabled". If location services are approved by the organization for a device, this must be documented.
- RMF Control
- IA-11
- Severity
- M
- CCI
- CCI-002038
- Version
- WN12-CC-000096
- Vuln IDs
-
- V-226199
- V-14247
- Rule IDs
-
- SV-226199r794482_rule
- SV-52958
Checks: C-27901r475920_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Policies\Microsoft\Windows NT\Terminal Services\ Value Name: DisablePasswordSaving Type: REG_DWORD Value: 1
Fix: F-27889r475921_fix
Configure the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Connection Client -> "Do not allow passwords to be saved" to "Enabled".
- RMF Control
- SC-4
- Severity
- M
- CCI
- CCI-001090
- Version
- WN12-CC-000098
- Vuln IDs
-
- V-226200
- V-14249
- Rule IDs
-
- SV-226200r794456_rule
- SV-52959
Checks: C-27902r475923_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Policies\Microsoft\Windows NT\Terminal Services\ Value Name: fDisableCdm Type: REG_DWORD Value: 1
Fix: F-27890r475924_fix
Configure the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Session Host -> Device and Resource Redirection -> "Do not allow drive redirection" to "Enabled".
- RMF Control
- IA-11
- Severity
- M
- CCI
- CCI-002038
- Version
- WN12-CC-000099
- Vuln IDs
-
- V-226201
- V-3453
- Rule IDs
-
- SV-226201r794483_rule
- SV-52898
Checks: C-27903r475926_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Policies\Microsoft\Windows NT\Terminal Services\ Value Name: fPromptForPassword Type: REG_DWORD Value: 1
Fix: F-27891r475927_fix
Configure the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Session Host -> Security -> "Always prompt for password upon connection" to "Enabled".
- RMF Control
- AC-17
- Severity
- M
- CCI
- CCI-000068
- Version
- WN12-CC-000100
- Vuln IDs
-
- V-226202
- V-3454
- Rule IDs
-
- SV-226202r794408_rule
- SV-52899
Checks: C-27904r475929_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Policies\Microsoft\Windows NT\Terminal Services\ Value Name: MinEncryptionLevel Type: REG_DWORD Value: 3
Fix: F-27892r475930_fix
Configure the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Session Host -> Security -> "Set client connection encryption level" to "Enabled" and "High Level".
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- WN12-CC-000103
- Vuln IDs
-
- V-226203
- V-3456
- Rule IDs
-
- SV-226203r794502_rule
- SV-52901
Checks: C-27905r475932_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Policies\Microsoft\Windows NT\Terminal Services\ Value Name: DeleteTempDirsOnExit Type: REG_DWORD Value: 1
Fix: F-27893r475933_fix
Configure the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Session Host -> Temporary Folders -> "Do not delete temp folder upon exit" to "Disabled".
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- WN12-CC-000104
- Vuln IDs
-
- V-226204
- V-3455
- Rule IDs
-
- SV-226204r794503_rule
- SV-52900
Checks: C-27906r475935_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Policies\Microsoft\Windows NT\Terminal Services\ Value Name: PerSessionTempDir Type: REG_DWORD Value: 1
Fix: F-27894r475936_fix
Configure the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Session Host -> Temporary Folders -> "Do not use temporary folders per session" to "Disabled".
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- WN12-CC-000105
- Vuln IDs
-
- V-226205
- V-15682
- Rule IDs
-
- SV-226205r794504_rule
- SV-53040
Checks: C-27907r475938_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Policies\Microsoft\Internet Explorer\Feeds\ Value Name: DisableEnclosureDownload Type: REG_DWORD Value: 1
Fix: F-27895r475939_fix
Configure the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> RSS Feeds -> "Prevent downloading of enclosures" to "Enabled".
- RMF Control
- CM-7
- Severity
- M
- CCI
- CCI-000381
- Version
- WN12-CC-000106
- Vuln IDs
-
- V-226206
- V-36709
- Rule IDs
-
- SV-226206r794442_rule
- SV-51749
Checks: C-27908r475941_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Policies\Microsoft\Internet Explorer\Feeds\ Value Name: AllowBasicAuthInClear Type: REG_DWORD Value: 0
Fix: F-27896r475942_fix
Configure the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> RSS Feeds -> "Turn on Basic feed authentication over HTTP" to "Disabled".
- RMF Control
- CM-6
- Severity
- L
- CCI
- CCI-000366
- Version
- WN12-CC-000109
- Vuln IDs
-
- V-226207
- V-36710
- Rule IDs
-
- SV-226207r794443_rule
- SV-51750
Checks: C-27909r475944_chk
The Windows Store is not installed by default. If the \Windows\WinStore directory does not exist, this is NA. If the following registry value does not exist or is not configured as specified, this is a finding: Windows 2012 R2: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\WindowsStore\ Value Name: AutoDownload Type: REG_DWORD Value: 0x00000002 (2) Windows 2012: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\WindowsStore\WindowsUpdate\ Value Name: AutoDownload Type: REG_DWORD Value: 0x00000002 (2)
Fix: F-27897r475945_fix
The Windows Store is not installed by default. If the \Windows\WinStore directory does not exist, this is NA. Windows 2012 R2: Windows 2012 R2 split the original policy that configures this setting into two separate ones. Configuring either one to "Enabled" will update the registry value as identified in the Check section. Configure the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Store -> "Turn off Automatic Download of updates on Win8 machines" or "Turn off Automatic Download and install of updates" to "Enabled". Windows 2012: Configure the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Store -> "Turn off Automatic Download of updates" to "Enabled".
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- WN12-CC-000110
- Vuln IDs
-
- V-226208
- V-36711
- Rule IDs
-
- SV-226208r794444_rule
- SV-51751
Checks: C-27910r475947_chk
The Windows Store is not installed by default. If the \Windows\WinStore directory does not exist, this is NA. If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\WindowsStore\ Value Name: RemoveWindowsStore Type: REG_DWORD Value: 1
Fix: F-27898r475948_fix
The Windows Store is not installed by default. If the \Windows\WinStore directory does not exist, this is NA. Configure the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Store -> "Turn off the Store application" to "Enabled".
- RMF Control
- CM-11
- Severity
- M
- CCI
- CCI-001812
- Version
- WN12-CC-000115
- Vuln IDs
-
- V-226209
- V-15685
- Rule IDs
-
- SV-226209r794473_rule
- SV-53061
Checks: C-27911r475950_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Policies\Microsoft\Windows\Installer\ Value Name: EnableUserControl Type: REG_DWORD Value: 0
Fix: F-27899r475951_fix
Configure the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Windows Installer -> "Allow user control over installs" to "Disabled".
- RMF Control
- CM-11
- Severity
- H
- CCI
- CCI-001812
- Version
- WN12-CC-000116
- Vuln IDs
-
- V-226210
- V-34974
- Rule IDs
-
- SV-226210r794474_rule
- SV-52954
Checks: C-27912r475953_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Policies\Microsoft\Windows\Installer\ Value Name: AlwaysInstallElevated Type: REG_DWORD Value: 0
Fix: F-27900r475954_fix
Configure the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Windows Installer -> "Always install with elevated privileges" to "Disabled".
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- WN12-CC-000117
- Vuln IDs
-
- V-226211
- V-15684
- Rule IDs
-
- SV-226211r794505_rule
- SV-53056
Checks: C-27913r475956_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Policies\Microsoft\Windows\Installer\ Value Name: SafeForScripting Type: REG_DWORD Value: 0
Fix: F-27901r475957_fix
Configure the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Windows Installer -> "Prevent Internet Explorer security prompt for Windows Installer scripts" to "Disabled".
- RMF Control
- CM-11
- Severity
- L
- CCI
- CCI-001812
- Version
- WN12-CC-000118
- Vuln IDs
-
- V-226212
- V-15686
- Rule IDs
-
- SV-226212r794475_rule
- SV-53065
Checks: C-27914r475959_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Policies\Microsoft\Windows\Installer\ Value Name: DisableLUAPatching Type: REG_DWORD Value: 1
Fix: F-27902r475960_fix
Configure the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Windows Installer -> "Prohibit non-administrators from applying vendor signed updates" to "Enabled".
- RMF Control
- CM-7
- Severity
- M
- CCI
- CCI-000381
- Version
- WN12-CC-000120
- Vuln IDs
-
- V-226213
- V-15722
- Rule IDs
-
- SV-226213r794445_rule
- SV-53139
Checks: C-27915r475962_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Policies\Microsoft\WMDRM\ Value Name: DisableOnline Type: REG_DWORD Value: 1
Fix: F-27903r475963_fix
Configure the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Windows Media Digital Rights Management -> "Prevent Windows Media DRM Internet Access" to "Enabled".
- RMF Control
- CM-6
- Severity
- L
- CCI
- CCI-000366
- Version
- WN12-CC-000121
- Vuln IDs
-
- V-226214
- V-15687
- Rule IDs
-
- SV-226214r794506_rule
- SV-53069
Checks: C-27916r475965_chk
Windows Media Player is not installed by default. If it is not installed, this is NA. If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Policies\Microsoft\WindowsMediaPlayer\ Value Name: GroupPrivacyAcceptance Type: REG_DWORD Value: 1
Fix: F-27904r475966_fix
If Windows Media Player is installed, configure the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Windows Media Player -> "Do Not Show First Use Dialog Boxes" to "Enabled".
- RMF Control
- CM-11
- Severity
- M
- CCI
- CCI-001812
- Version
- WN12-CC-000122
- Vuln IDs
-
- V-226215
- V-3480
- Rule IDs
-
- SV-226215r794476_rule
- SV-53130
Checks: C-27917r475968_chk
Windows Media Player is not installed by default. If it is not installed, this is NA. If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Policies\Microsoft\WindowsMediaPlayer\ Value Name: DisableAutoupdate Type: REG_DWORD Value: 1
Fix: F-27905r475969_fix
If Windows Media Player is installed, configure the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Windows Media Player -> "Prevent Automatic Updates" to "Enabled".
- RMF Control
- MA-4
- Severity
- H
- CCI
- CCI-000877
- Version
- WN12-CC-000123
- Vuln IDs
-
- V-226216
- V-36712
- Rule IDs
-
- SV-226216r794449_rule
- SV-51752
Checks: C-27918r475971_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Policies\Microsoft\Windows\WinRM\Client\ Value Name: AllowBasic Type: REG_DWORD Value: 0
Fix: F-27906r475972_fix
Configure the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Windows Remote Management (WinRM) -> WinRM Client -> "Allow Basic authentication" to "Disabled".
- RMF Control
- MA-4
- Severity
- M
- CCI
- CCI-002890
- Version
- WN12-CC-000124
- Vuln IDs
-
- V-226217
- V-36713
- Rule IDs
-
- SV-226217r794485_rule
- SV-51753
Checks: C-27919r475974_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Policies\Microsoft\Windows\WinRM\Client\ Value Name: AllowUnencryptedTraffic Type: REG_DWORD Value: 0
Fix: F-27907r475975_fix
Configure the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Windows Remote Management (WinRM) -> WinRM Client -> "Allow unencrypted traffic" to "Disabled".
- RMF Control
- MA-4
- Severity
- M
- CCI
- CCI-000877
- Version
- WN12-CC-000125
- Vuln IDs
-
- V-226218
- V-36714
- Rule IDs
-
- SV-226218r794450_rule
- SV-51754
Checks: C-27920r475977_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Policies\Microsoft\Windows\WinRM\Client\ Value Name: AllowDigest Type: REG_DWORD Value: 0
Fix: F-27908r475978_fix
Configure the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Windows Remote Management (WinRM) -> WinRM Client -> "Disallow Digest authentication" to "Enabled".
- RMF Control
- MA-4
- Severity
- H
- CCI
- CCI-000877
- Version
- WN12-CC-000126
- Vuln IDs
-
- V-226219
- V-36718
- Rule IDs
-
- SV-226219r794451_rule
- SV-51755
Checks: C-27921r475980_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Policies\Microsoft\Windows\WinRM\Service\ Value Name: AllowBasic Type: REG_DWORD Value: 0
Fix: F-27909r475981_fix
Configure the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Windows Remote Management (WinRM) -> WinRM Service -> "Allow Basic authentication" to "Disabled".
- RMF Control
- MA-4
- Severity
- M
- CCI
- CCI-002890
- Version
- WN12-CC-000127
- Vuln IDs
-
- V-226220
- V-36719
- Rule IDs
-
- SV-226220r794486_rule
- SV-51756
Checks: C-27922r475983_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Policies\Microsoft\Windows\WinRM\Service\ Value Name: AllowUnencryptedTraffic Type: REG_DWORD Value: 0
Fix: F-27910r475984_fix
Configure the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Windows Remote Management (WinRM) -> WinRM Service -> "Allow unencrypted traffic" to "Disabled".
- RMF Control
- IA-11
- Severity
- M
- CCI
- CCI-002038
- Version
- WN12-CC-000128
- Vuln IDs
-
- V-226221
- V-36720
- Rule IDs
-
- SV-226221r794484_rule
- SV-51757
Checks: C-27923r475986_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Policies\Microsoft\Windows\WinRM\Service\ Value Name: DisableRunAs Type: REG_DWORD Value: 1
Fix: F-27911r475987_fix
Configure the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Windows Remote Management (WinRM) -> WinRM Service -> "Disallow WinRM from storing RunAs credentials" to "Enabled".
- RMF Control
- AC-17
- Severity
- M
- CCI
- CCI-001453
- Version
- WN12-CC-000130
- Vuln IDs
-
- V-226222
- V-4447
- Rule IDs
-
- SV-226222r794457_rule
- SV-52932
Checks: C-27924r475989_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Policies\Microsoft\Windows NT\Terminal Services\ Value Name: fEncryptRPCTraffic Type: REG_DWORD Value: 1
Fix: F-27912r475990_fix
Configure the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Session Host -> Security -> "Require secure RPC communication" to "Enabled".
- RMF Control
- AC-17
- Severity
- M
- CCI
- CCI-002314
- Version
- WN12-CC-000132
- Vuln IDs
-
- V-226224
- V-15997
- Rule IDs
-
- SV-226224r794459_rule
- SV-52224
Checks: C-27926r475995_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Policies\Microsoft\Windows NT\Terminal Services\ Value Name: fDisableCcm Type: REG_DWORD Value: 1
Fix: F-27914r475996_fix
Configure the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Session Host -> Device and Resource Redirection -> "Do not allow COM port redirection" to "Enabled".
- RMF Control
- AC-17
- Severity
- M
- CCI
- CCI-002314
- Version
- WN12-CC-000133
- Vuln IDs
-
- V-226225
- V-15998
- Rule IDs
-
- SV-226225r794460_rule
- SV-52226
Checks: C-27927r475998_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Policies\Microsoft\Windows NT\Terminal Services\ Value Name: fDisableLPT Type: REG_DWORD Value: 1
Fix: F-27915r475999_fix
Configure the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Session Host -> Device and Resource Redirection -> "Do not allow LPT port redirection" to "Enabled".
- RMF Control
- AC-17
- Severity
- M
- CCI
- CCI-002314
- Version
- WN12-CC-000134
- Vuln IDs
-
- V-226226
- V-16000
- Rule IDs
-
- SV-226226r794461_rule
- SV-52230
Checks: C-27928r476001_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Policies\Microsoft\Windows NT\Terminal Services\ Value Name: fEnableSmartCard Type: REG_DWORD Value: 1
Fix: F-27916r476002_fix
Configure the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Session Host -> Device and Resource Redirection -> "Do not allow smart card device redirection" to "Disabled".
- RMF Control
- AC-17
- Severity
- M
- CCI
- CCI-002314
- Version
- WN12-CC-000135
- Vuln IDs
-
- V-226227
- V-15999
- Rule IDs
-
- SV-226227r794462_rule
- SV-52229
Checks: C-27929r476004_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Policies\Microsoft\Windows NT\Terminal Services\ Value Name: fDisablePNPRedir Type: REG_DWORD Value: 1
Fix: F-27917r476005_fix
Configure the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Session Host -> Device and Resource Redirection -> "Do not allow supported Plug and Play device redirection" to "Enabled".
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- WN12-CC-000136
- Vuln IDs
-
- V-226228
- V-40204
- Rule IDs
-
- SV-226228r794448_rule
- SV-52163
Checks: C-27930r476007_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Policies\Microsoft\Windows NT\Terminal Services\ Value Name: RedirectOnlyDefaultClientPrinter Type: REG_DWORD Value: 1
Fix: F-27918r476008_fix
Configure the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Session Host -> Printer Redirection -> "Redirect only the default client printer" to "Enabled".
- RMF Control
- CM-7
- Severity
- M
- CCI
- CCI-000381
- Version
- WN12-CC-000138
- Vuln IDs
-
- V-226229
- V-43238
- Rule IDs
-
- SV-226229r794446_rule
- SV-56343
Checks: C-27931r476531_chk
This requirement is NA for the initial release of Windows 2012. It is applicable to Windows 2012 R2. Verify the registry value below. If it does not exist or is not configured as specified, this is a finding. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows\Personalization\ Value Name: NoLockScreenSlideshow Value Type: REG_DWORD Value: 1
Fix: F-27919r476532_fix
This requirement is NA for the initial release of Windows 2012. It is applicable to Windows 2012 R2. Configure the policy value for Computer Configuration -> Administrative Templates -> Control Panel -> Personalization -> "Prevent enabling lock screen slide show" to "Enabled".
- RMF Control
- AU-3
- Severity
- M
- CCI
- CCI-000135
- Version
- WN12-CC-000139
- Vuln IDs
-
- V-226230
- V-43239
- Rule IDs
-
- SV-226230r794409_rule
- SV-56344
Checks: C-27932r476534_chk
This requirement is NA for the initial release of Windows 2012. It is applicable to Windows 2012 R2. Verify the registry value below. If it does not exist or is not configured as specified, this is a finding. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit\ Value Name: ProcessCreationIncludeCmdLine_Enabled Value Type: REG_DWORD Value: 0x00000001 (1)
Fix: F-27920r476535_fix
Configure the policy value for Computer Configuration >> Administrative Templates >> System >> Audit Process Creation >> "Include command line in process creation events" to "Enabled".
- RMF Control
- CM-7
- Severity
- M
- CCI
- CCI-000381
- Version
- WN12-CC-000140
- Vuln IDs
-
- V-226231
- V-43240
- Rule IDs
-
- SV-226231r794532_rule
- SV-56346
Checks: C-27933r476537_chk
This requirement is NA for the initial release of Windows 2012. It is applicable to Windows 2012 R2. Verify the registry value below. If it does not exist or is not configured as specified, this is a finding. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows\System\ Value Name: DontDisplayNetworkSelectionUI Value Type: REG_DWORD Value: 1
Fix: F-27921r476538_fix
This requirement is NA for the initial release of Windows 2012. It is applicable to Windows 2012 R2. Configure the policy value for Computer Configuration -> Administrative Templates -> System -> Logon -> "Do not display network selection UI" to "Enabled".
- RMF Control
- CM-6
- Severity
- L
- CCI
- CCI-000366
- Version
- WN12-CC-000141
- Vuln IDs
-
- V-226232
- V-43241
- Rule IDs
-
- SV-226232r794574_rule
- SV-56353
Checks: C-27934r476540_chk
This requirement is NA for the initial release of Windows 2012. It is applicable to Windows 2012 R2. Verify the registry value below. If it does not exist or is not configured as specified, this is a finding. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System Value Name: MSAOptional Value Type: REG_DWORD Value: 1
Fix: F-27922r476541_fix
This requirement is NA for the initial release of Windows 2012. It is applicable to Windows 2012 R2. Configure the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> App Runtime -> "Allow Microsoft accounts to be optional" to "Enabled".
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- WN12-CC-000142
- Vuln IDs
-
- V-226233
- V-102619
- Rule IDs
-
- SV-226233r794560_rule
- SV-111569
Checks: C-27935r476543_chk
If the following registry values do not exist or are not configured as specified, this is a finding: Registry Hive: HKEY_CURRENT_USER Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer Value Name: NoPreviewPane Value Type: REG_DWORD Value: 1 Registry Hive: HKEY_CURRENT_USER Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer Value Name: NoReadingPane Value Type: REG_DWORD Value: 1
Fix: F-27923r476544_fix
Ensure the following settings are configured for Windows 2012 locally or applied through group policy. Configure the policy value for User Configuration >> Administrative Templates >> Windows Components >> File Explorer >> Explorer Frame Pane "Turn off Preview Pane" to "Enabled". Configure the policy value for User Configuration >> Administrative Templates >> Windows Components >> File Explorer >> Explorer Frame Pane "Turn on or off details pane" to "Enabled" and "Configure details pane" to "Always hide".
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- WN12-CC-000145
- Vuln IDs
-
- V-226234
- V-43245
- Rule IDs
-
- SV-226234r794575_rule
- SV-56355
Checks: C-27936r476546_chk
This requirement is NA for the initial release of Windows 2012. It is applicable to Windows 2012 R2. Verify the registry value below. If it does not exist or is not configured as specified, this is a finding. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: DisableAutomaticRestartSignOn Value Type: REG_DWORD Value: 1
Fix: F-27924r476547_fix
This requirement is NA for the initial release of Windows 2012. It is applicable to Windows 2012 R2. Configure the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Windows Logon Options -> "Sign-in last interactive user automatically after a system-initiated restart" to "Disabled".
- RMF Control
- CM-7
- Severity
- M
- CCI
- CCI-000381
- Version
- WN12-CC-000150
- Vuln IDs
-
- V-226235
- V-72753
- Rule IDs
-
- SV-226235r794533_rule
- SV-87391
Checks: C-27937r476549_chk
If the following registry value does not exist or is not configured as specified, this is a finding. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Control\SecurityProviders\Wdigest\ Value Name: UseLogonCredential Type: REG_DWORD Value: 0x00000000 (0) Note: Microsoft Security Advisory update 2871997 is required for this setting to be effective on Windows 2012. It is not required for Windows 2012 R2.
Fix: F-27925r476550_fix
Configure the policy value for Computer Configuration >> Administrative Templates >> MS Security Guide >> "WDigest Authentication (disabling may require KB2871997)" to "Disabled". Note: Microsoft Security Advisory update 2871997 is required for this setting to be effective on Windows 2012. It is not required for Windows 2012 R2. This policy setting requires the installation of the SecGuide custom templates included with the STIG package. "SecGuide.admx" and "SecGuide.adml" must be copied to the \Windows\PolicyDefinitions and \Windows\PolicyDefinitions\en-US directories respectively.
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- WN12-FW-000001
- Vuln IDs
-
- V-226236
- V-42420
- Rule IDs
-
- SV-226236r794607_rule
- SV-55085
Checks: C-27938r476552_chk
Determine if a host-based firewall is installed and enabled on the system. If a host-based firewall is not installed and enabled on the system, this is a finding. The configuration requirements will be determined by the applicable firewall STIG.
Fix: F-27926r476553_fix
Install and enable a host-based firewall on the system.
- RMF Control
- CM-6
- Severity
- H
- CCI
- CCI-000366
- Version
- WN12-GE-000001
- Vuln IDs
-
- V-226237
- V-1073
- Rule IDs
-
- SV-226237r794611_rule
- SV-53189
Checks: C-27939r476555_chk
Run "winver.exe". If the "About Windows" dialog box does not display "Microsoft Windows Server Version 6.2 (Build 9200)" or greater, this is a finding. No preview versions will be used in a production environment. Unsupported Service Packs/Releases: Windows 2012 - any release candidates or versions prior to the initial release.
Fix: F-27927r476556_fix
Update the system to a supported release or service pack level.
- RMF Control
- AC-6
- Severity
- H
- CCI
- CCI-002235
- Version
- WN12-GE-000004-DC
- Vuln IDs
-
- V-226238
- V-1127
- Rule IDs
-
- SV-226238r794556_rule
- SV-51157
Checks: C-27940r476558_chk
Review the Administrators group. Only the appropriate administrator groups or accounts responsible for administration of the system may be members of the group. Standard user accounts must not be members of the local administrator group. If prohibited accounts are members of the local administrators group, this is a finding. The built-in Administrator account or other required administrative accounts would not be a finding.
Fix: F-27928r476559_fix
Configure the system to include only administrator groups or accounts that are responsible for the system in the Administrators group. Remove any standard user accounts.
- RMF Control
- AC-3
- Severity
- H
- CCI
- CCI-000213
- Version
- WN12-GE-000005
- Vuln IDs
-
- V-226239
- V-1081
- Rule IDs
-
- SV-226239r794530_rule
- SV-52843
Checks: C-27941r476561_chk
Open "Computer Management". Select "Disk Management" under "Storage". For each local volume, if the file system does not indicate "NTFS", this is a finding. "ReFS" (Resilient File System) is also acceptable and would not be a finding. “CSV” (Cluster Share Volumes) is also acceptable and would not be a finding. This does not apply to system partitions such as the Recovery and EFI System Partition.
Fix: F-27929r476562_fix
Format local volumes to use NTFS or ReFS.
- RMF Control
- AC-3
- Severity
- M
- CCI
- CCI-002165
- Version
- WN12-GE-000006
- Vuln IDs
-
- V-226240
- V-40178
- Rule IDs
-
- SV-226240r794554_rule
- SV-52136
Checks: C-27942r476564_chk
The default permissions are adequate when the Security Option "Network access: Let everyone permissions apply to anonymous users" is set to "Disabled" (V-3377). If the default ACLs are maintained and the referenced option is set to "Disabled", this is not a finding. Verify the default permissions for the system drive's root directory (usually C:\). Nonprivileged groups such as Users or Authenticated Users must not have greater than Read & execute permissions except where noted as defaults. (Individual accounts must not be used to assign permissions.) Viewing in File Explorer: View the Properties of system drive root directory. Select the "Security" tab, and the "Advanced" button. C:\ Type - "Allow" for all Inherited from - "None" for all Principal - Access - Applies to SYSTEM - Full control - This folder, subfolders and files Administrators - Full control - This folder, subfolders and files Users - Read & execute - This folder, subfolders and files Users - Create folders / append data - This folder and subfolders Users - Create files / write data - Subfolders only CREATOR OWNER - Full Control - Subfolders and files only Alternately, use Icacls: Open a Command prompt (admin). Enter icacls followed by the directory: icacls c:\ The following results should be displayed: c:\ NT AUTHORITY\SYSTEM:(OI)(CI)(F) BUILTIN\Administrators:(OI)(CI)(F) BUILTIN\Users:(OI)(CI)(RX) BUILTIN\Users:(CI)(AD) BUILTIN\Users:(CI)(IO)(WD) CREATOR OWNER:(OI)(CI)(IO)(F) Successfully processed 1 files; Failed processing 0 files
Fix: F-27930r476565_fix
Maintain the default permissions for the system drive's root directory and configure the Security Option: "Network access: Let everyone permissions apply to anonymous users" to "Disabled" (V-3377). Default Permissions C:\ Type - "Allow" for all Inherited from - "None" for all Principal - Access - Applies to SYSTEM - Full control - This folder, subfolders and files Administrators - Full control - This folder, subfolders and files Users - Read & execute - This folder, subfolders and files Users - Create folders / append data - This folder and subfolders Users - Create files / write data - Subfolders only CREATOR OWNER - Full Control - Subfolders and files only
- RMF Control
- AC-3
- Severity
- M
- CCI
- CCI-002165
- Version
- WN12-GE-000007
- Vuln IDs
-
- V-226241
- V-40177
- Rule IDs
-
- SV-226241r794555_rule
- SV-52135
Checks: C-27943r476567_chk
The default permissions are adequate when the Security Option "Network access: Let everyone permissions apply to anonymous users" is set to "Disabled" (V-3377). If the default ACLs are maintained and the referenced option is set to "Disabled", this is not a finding. Verify the default permissions for the program file directories (Program Files and Program Files (x86)). Nonprivileged groups such as Users or Authenticated Users must not have greater than Read & execute permissions except where noted as defaults. (Individual accounts must not be used to assign permissions.) Viewing in File Explorer: For each folder, view the Properties. Select the "Security" tab, and the "Advanced" button. Default Permissions: \Program Files and \Program Files (x86) Type - "Allow" for all Inherited from - "None" for all Principal - Access - Applies to TrustedInstaller - Full control - This folder and subfolders SYSTEM - Modify - This folder only SYSTEM - Full control - Subfolders and files only Administrators - Modify - This folder only Administrators - Full control - Subfolders and files only Users - Read & execute - This folder, subfolders and files CREATOR OWNER - Full control - Subfolders and files only ALL APPLICATION PACKAGES - Read & execute - This folder, subfolders and files Alternately, use Icacls: Open a Command prompt (admin). Enter icacls followed by the directory: icacls "c:\program files" icacls "c:\program files (x86)" The following results should be displayed as each is entered: c:\program files NT SERVICE\TrustedInstaller:(F) NT SERVICE\TrustedInstaller:(CI)(IO)(F) NT AUTHORITY\SYSTEM:(M) NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F) BUILTIN\Administrators:(M) BUILTIN\Administrators:(OI)(CI)(IO)(F) BUILTIN\Users:(RX) BUILTIN\Users:(OI)(CI)(IO)(GR,GE) CREATOR OWNER:(OI)(CI)(IO)(F) APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(RX) APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(OI)(CI)(IO)(GR,GE) Successfully processed 1 files; Failed processing 0 files
Fix: F-27931r476568_fix
Maintain the default permissions for the program file directories and configure the Security Option: "Network access: Let everyone permissions apply to anonymous users" to "Disabled" (V-3377). Default Permissions: \Program Files and \Program Files (x86) Type - "Allow" for all Inherited from - "None" for all Principal - Access - Applies to TrustedInstaller - Full control - This folder and subfolders SYSTEM - Modify - This folder only SYSTEM - Full control - Subfolders and files only Administrators - Modify - This folder only Administrators - Full control - Subfolders and files only Users - Read & execute - This folder, subfolders and files CREATOR OWNER - Full control - Subfolders and files only ALL APPLICATION PACKAGES - Read & execute - This folder, subfolders and files
- RMF Control
- CM-5
- Severity
- M
- CCI
- CCI-001499
- Version
- WN12-GE-000008
- Vuln IDs
-
- V-226242
- V-40179
- Rule IDs
-
- SV-226242r794553_rule
- SV-52137
Checks: C-27944r476570_chk
The default permissions are adequate when the Security Option "Network access: Let everyone permissions apply to anonymous users" is set to "Disabled" (V-3377). If the default ACLs are maintained and the referenced option is set to "Disabled", this is not a finding. Verify the default permissions for the Windows installation directory (usually C:\Windows). Nonprivileged groups such as Users or Authenticated Users must not have greater than Read & execute permissions except where noted as defaults. (Individual accounts must not be used to assign permissions.) Viewing in File Explorer: View the Properties of the folder. Select the "Security" tab, and the "Advanced" button. Default Permissions: \Windows Type - "Allow" for all Inherited from - "None" for all Principal - Access - Applies to TrustedInstaller - Full control - This folder and subfolders SYSTEM - Modify - This folder only SYSTEM - Full control - Subfolders and files only Administrators - Modify - This folder only Administrators - Full control - Subfolders and files only Users - Read & execute - This folder, subfolders and files CREATOR OWNER - Full control - Subfolders and files only ALL APPLICATION PACKAGES - Read & execute - This folder, subfolders and files Alternately, use Icacls: Open a Command prompt (admin). Enter icacls followed by the directory: icacls c:\windows The following results should be displayed: c:\windows NT SERVICE\TrustedInstaller:(F) NT SERVICE\TrustedInstaller:(CI)(IO)(F) NT AUTHORITY\SYSTEM:(M) NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F) BUILTIN\Administrators:(M) BUILTIN\Administrators:(OI)(CI)(IO)(F) BUILTIN\Users:(RX) BUILTIN\Users:(OI)(CI)(IO)(GR,GE) CREATOR OWNER:(OI)(CI)(IO)(F) APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(RX) APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(OI)(CI)(IO)(GR,GE) Successfully processed 1 files; Failed processing 0 files
Fix: F-27932r476571_fix
Maintain the default file ACLs and configure the Security Option: "Network access: Let everyone permissions apply to anonymous users" to "Disabled" (V-3377). Default Permissions: Type - "Allow" for all Inherited from - "None" for all Principal - Access - Applies to TrustedInstaller - Full control - This folder and subfolders SYSTEM - Modify - This folder only SYSTEM - Full control - Subfolders and files only Administrators - Modify - This folder only Administrators - Full control - Subfolders and files only Users - Read & execute - This folder, subfolders and files CREATOR OWNER - Full control - Subfolders and files only ALL APPLICATION PACKAGES - Read & execute - This folder, subfolders and files
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- WN12-GE-000010
- Vuln IDs
-
- V-226243
- V-1119
- Rule IDs
-
- SV-226243r794576_rule
- SV-52858
Checks: C-27945r476573_chk
Verify the local system boots directly into Windows. Open Control Panel. Select "System". Select the "Advanced System Settings" link. Select the "Advanced" tab. Click the "Startup and Recovery" Settings button. If the drop-down list box "Default operating system:" shows any operating system other than Windows Server 2012, this is a finding.
Fix: F-27933r476574_fix
Ensure Windows Server 2012 is the only operating system installed for the system to boot into. Remove alternate operating systems.
- RMF Control
- AC-3
- Severity
- L
- CCI
- CCI-000213
- Version
- WN12-GE-000012
- Vuln IDs
-
- V-226244
- V-1135
- Rule IDs
-
- SV-226244r794531_rule
- SV-52213
Checks: C-27946r476576_chk
Open "Devices and Printers" in Control Panel or through Search. If there are no printers configured, this is NA.(Exclude Microsoft Print to PDF and Microsoft XPS Document Writer, which do not support sharing.) For each configured printer: Right click on the printer. Select "Printer Properties". Select the "Sharing" tab. View whether "Share this printer" is checked. For any printers with "Share this printer" selected: Select the Security tab. If any standard user accounts or groups have permissions other than "Print", this is a finding. Standard users will typically be given "Print" permission through the Everyone group. "All APPLICATION PACKAGES" and "CREATOR OWNER" are not considered standard user accounts for this requirement.
Fix: F-27934r476577_fix
Configure the permissions on shared printers to restrict standard users to only have Print permissions. This is typically given through the Everyone group by default.
- RMF Control
- IA-4
- Severity
- L
- CCI
- CCI-000795
- Version
- WN12-GE-000014
- Vuln IDs
-
- V-226245
- V-1112
- Rule IDs
-
- SV-226245r794538_rule
- SV-52854
Checks: C-27947r476579_chk
Run "PowerShell". Member servers and standalone systems: Copy or enter the lines below to the PowerShell window and enter. (Entering twice may be required. Do not include the quotes at the beginning and end of the query.) "([ADSI]('WinNT://{0}' -f $env:COMPUTERNAME)).Children | Where { $_.SchemaClassName -eq 'user' } | ForEach { $user = ([ADSI]$_.Path) $lastLogin = $user.Properties.LastLogin.Value $enabled = ($user.Properties.UserFlags.Value -band 0x2) -ne 0x2 if ($lastLogin -eq $null) { $lastLogin = 'Never' } Write-Host $user.Name $lastLogin $enabled }" This will return a list of local accounts with the account name, last logon, and if the account is enabled (True/False). For example: User1 10/31/2015 5:49:56 AM True Domain Controllers: Enter the following command in PowerShell. "Search-ADAccount -AccountInactive -UsersOnly -TimeSpan 35.00:00:00" This will return accounts that have not been logged on to for 35 days, along with various attributes such as the Enabled status and LastLogonDate. Review the list of accounts returned by the above queries to determine the finding validity for each account reported. Exclude the following accounts: Built-in administrator account (Renamed, SID ending in 500) Built-in guest account (Renamed, Disabled, SID ending in 501) Application accounts If any enabled accounts have not been logged on to within the past 35 days, this is a finding. Inactive accounts that have been reviewed and deemed to be required must be documented with the ISSO.
Fix: F-27935r476580_fix
Regularly review accounts to determine if they are still active. Disable or delete any active accounts that have not been used in the last 35 days.
- RMF Control
- IA-2
- Severity
- H
- CCI
- CCI-000764
- Version
- WN12-GE-000015
- Vuln IDs
-
- V-226246
- V-7002
- Rule IDs
-
- SV-226246r794535_rule
- SV-52940
Checks: C-27948r476582_chk
Review the password required status for enabled user accounts. Open "Windows PowerShell". Domain Controllers: Enter "Get-ADUser -Filter * -Properties PasswordNotRequired | Where PasswordNotRequired -eq True | FT Name, PasswordNotRequired, Enabled". Exclude disabled accounts (e.g., Guest) and Trusted Domain Objects (TDOs). If "PasswordNotRequired" is "True" for any enabled user account, this is a finding. Member servers and standalone systems: Enter 'Get-CimInstance -Class Win32_Useraccount -Filter "PasswordRequired=False and LocalAccount=True" | FT Name, PasswordRequired, Disabled, LocalAccount'. Exclude disabled accounts (e.g., Guest). If any enabled user accounts are returned with a "PasswordRequired" status of "False", this is a finding.
Fix: F-27936r476583_fix
Configure all enabled accounts to require passwords. The password required flag can be set by entering the following on a command line: "Net user [username] /passwordreq:yes", substituting [username] with the name of the user account.
- RMF Control
- IA-5
- Severity
- M
- CCI
- CCI-000199
- Version
- WN12-GE-000016
- Vuln IDs
-
- V-226247
- V-6840
- Rule IDs
-
- SV-226247r794529_rule
- SV-52939
Checks: C-27949r476585_chk
Review the password never expires status for enabled user accounts. Open "Windows PowerShell" with elevated privileges (run as administrator). Domain Controllers: Enter "Search-ADAccount -PasswordNeverExpires -UsersOnly | Where PasswordNeverExpires -eq True | FT Name, PasswordNeverExpires, Enabled". Exclude application accounts and disabled accounts (e.g., Guest). Domain accounts requiring smart card (CAC/PIV) may also be excluded. If any enabled user accounts are returned with a "PasswordNeverExpires" status of "True", this is a finding. Member servers and standalone systems: Enter 'Get-CimInstance -Class Win32_Useraccount -Filter "PasswordExpires=False and LocalAccount=True" | FT Name, PasswordExpires, Disabled, LocalAccount'. Exclude application accounts and disabled accounts (e.g., Guest). If any enabled user accounts are returned with a "PasswordExpires" status of "False", this is a finding.
Fix: F-27937r476586_fix
Configure all enabled user account passwords to expire. Uncheck "Password never expires" for all enabled user accounts in Active Directory Users and Computers for domain accounts and Users in Computer Management for member servers and standalone systems. Document any exceptions with the ISSO.
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- WN12-GE-000017
- Vuln IDs
-
- V-226248
- V-2907
- Rule IDs
-
- SV-226248r794614_rule
- SV-52215
Checks: C-27950r794613_chk
Determine whether the site monitors system files (e.g., *.exe, *.bat, *.com, *.cmd, and *.dll) on servers for unauthorized changes against a baseline on a weekly basis. If system files are not monitored for unauthorized changes, this is a finding. A properly configured and approved DoD ESS solution that supports a File Integrity Monitor (FIM) module will meet the requirement for file integrity checking.
Fix: F-27938r476589_fix
Monitor system files (e.g., *.exe, *.bat, *.com, *.cmd, and *.dll) on servers for unauthorized changes against a baseline on a weekly basis. This can be done with the use of various monitoring tools.
- RMF Control
- SC-4
- Severity
- M
- CCI
- CCI-001090
- Version
- WN12-GE-000018
- Vuln IDs
-
- V-226249
- V-3245
- Rule IDs
-
- SV-226249r794543_rule
- SV-52881
Checks: C-27951r476591_chk
If only system-created shares such as "ADMIN$", "C$", and "IPC$" exist on the system, this is NA. (System-created shares will display a message that it has been shared for administrative purposes when "Properties" is selected.) Run "Computer Management". Navigate to System Tools >> Shared Folders >> Shares. Right click any non-system-created shares. Select "Properties". Select the "Share Permissions" tab. If the file shares have not been reconfigured to restrict permissions to the specific groups or accounts that require access, this is a finding. Select the "Security" tab. If the NTFS permissions have not been reconfigured to restrict permissions to the specific groups or accounts that require access, this is a finding.
Fix: F-27939r476592_fix
If a non-system-created share is required on a system, configure the share and NTFS permissions to limit access to the specific groups or accounts that require it. Remove any unnecessary non-system-created shares.
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- WN12-GE-000020
- Vuln IDs
-
- V-226251
- V-15823
- Rule IDs
-
- SV-226251r794577_rule
- SV-53141
Checks: C-27953r476597_chk
Search all drives for *.p12 and *.pfx files. If any files with these extensions exist, this is a finding. This does not apply to server-based applications that have a requirement for certificate files or Adobe PreFlight certificate files. Some applications create files with extensions of .p12 that are not certificate installation files. Removal of non-certificate installation files from systems is not required. These must be documented with the ISSO.
Fix: F-27941r476598_fix
Remove any certificate installation files (*.p12 and *.pfx) found on a system. This does not apply to server-based applications that have a requirement for certificate files, Adobe PreFlight certificate files, or non-certificate installation files with the same extension.
- RMF Control
- CM-7
- Severity
- M
- CCI
- CCI-000381
- Version
- WN12-GE-000021
- Vuln IDs
-
- V-226252
- V-3487
- Rule IDs
-
- SV-226252r794534_rule
- SV-52218
Checks: C-27954r476600_chk
Required services will vary between organizations, and on the role of the individual system. Organizations will develop their own list of services which will be documented and justified with the ISSO. The site's list will be provided for any security review. Services common to multiple systems can be addressed in one document. Exceptions for individual systems should be identified separately by system. Individual services specifically required to be disabled per the STIG are identified in separate requirements. If the site has not documented the services required for their system(s), this is a finding. The following can be used to view the services on a system: Run "Services.msc". Services for Windows Server 2012 roles are managed automatically, adding those necessary for a particular role. The following lists the default services for a baseline installation as a reference. This can be used as a basis for documenting the services necessary. Default Installation Name - Startup Type Application Experience - Manual (Trigger Start) Application Identity - Manual (Trigger Start) Application Information - Manual Application Layer Gateway Service - Manual Application Management - Manual Background Intelligent Transfer Service - Automatic (Delayed Start) Background Tasks Infrastructure Service - Automatic Base Filtering Engine - Automatic Certificate Propagation - Manual CNG Key Isolation - Manual (Trigger Start) COM+ Event System - Automatic COM+ System Application - Manual Computer Browser - Disabled Credential Manager - Manual Cryptographic Services - Automatic DCOM Server Process Launcher - Automatic Device Association Service - Manual (Trigger Start) Device Install Service - Manual (Trigger Start) Device Setup Manager - Manual (Trigger Start) DHCP Client - Automatic Diagnostic Policy Service - Automatic (Delayed Start) Diagnostic Service Host - Manual Diagnostic System Host - Manual Distributed Link Tracking Client - Automatic Distributed Transaction Coordinator - Automatic (Delayed Start) DNS Client - Automatic (Trigger Start) Encrypting File System (EFS) - Manual (Trigger Start) Extensible Authentication Protocol - Manual Function Discovery Provider Host - Manual Function Discovery Resource Publication - Manual Group Policy Client - Automatic (Trigger Start) Health Key and Certificate Management - Manual Human Interface Device Access - Manual (Trigger Start) Hyper-V Data Exchange Service - Manual (Trigger Start) Hyper-V Guest Shutdown Service - Manual (Trigger Start) Hyper-V Heartbeat Service - Manual (Trigger Start) Hyper-V Remote Desktop Virtualization Service - Manual (Trigger Start) Hyper-V Time Synchronization Service - Manual (Trigger Start) Hyper-V Volume Shadow Copy Requestor - Manual (Trigger Start) IKE and AuthIP IPsec Keying Modules - Manual (Trigger Start) Interactive Services Detection - Manual Internet Connection Sharing (ICS) - Disabled IP Helper - Automatic IPsec Policy Agent - Manual (Trigger Start) KDC Proxy Server service (KPS) - Manual KtmRm for Distributed Transaction Coordinator - Manual (Trigger Start) Link-Layer Topology Discovery Mapper - Manual Local Session Manager - Automatic Microsoft iSCSI Initiator Service - Manual Microsoft Software Shadow Copy Provider - Manual Multimedia Class Scheduler - Manual Net.Tcp Port Sharing Service - Disabled Netlogon - Manual Network Access Protection Agent - Manual Network Connections - Manual Network Connectivity Assistant - Manual (Trigger Start) Network List Service - Manual Network Location Awareness - Automatic Network Store Interface Service - Automatic Optimize drives - Manual Performance Counter DLL Host - Manual Performance Logs & Alerts - Manual Plug and Play - Manual Portable Device Enumerator Service - Manual (Trigger Start) Power - Automatic Print Spooler - Automatic Printer Extensions and Notifications - Manual Problem Reports and Solutions Control Panel Support - Manual Remote Access Auto Connection Manager - Manual Remote Access Connection Manager - Manual Remote Desktop Configuration - Manual Remote Desktop Services - Manual Remote Desktop Services UserMode Port Redirector - Manual Remote Procedure Call (RPC) - Automatic Remote Procedure Call (RPC) Locator - Manual Remote Registry - Automatic (Trigger Start) Resultant Set of Policy Provider - Manual Routing and Remote Access - Disabled RPC Endpoint Mapper - Automatic Secondary Logon - Manual Secure Socket Tunneling Protocol Service - Manual Security Accounts Manager - Automatic Server - Automatic Shell Hardware Detection - Automatic Smart Card - Disabled Smart Card Removal Policy - Manual SNMP Trap - Manual Software Protection - Automatic (Delayed Start, Trigger Start) Special Administration Console Helper - Manual Spot Verifier - Manual (Trigger Start) SSDP Discovery - Disabled Superfetch - Manual System Event Notification Service - Automatic Task Scheduler - Automatic TCP/IP NetBIOS Helper - Automatic (Trigger Start) Telephony - Manual Themes - Automatic Thread Ordering Server - Manual UPnP Device Host - Disabled User Access Logging Service - Automatic (Delayed Start) User Profile Service - Automatic Virtual Disk - Manual Volume Shadow Copy - Manual Windows All-User Install Agent - Manual (Trigger Start) Windows Audio - Manual Windows Audio Endpoint Builder - Manual Windows Color System - Manual Windows Driver Foundation - User-mode Driver Framework - Manual (Trigger Start) Windows Error Reporting Service - Manual (Trigger Start) Windows Event Collector - Manual Windows Event Log - Automatic Windows Firewall - Automatic Windows Font Cache Service - Automatic Windows Installer - Manual Windows Licensing Monitoring Service - Automatic Windows Management Instrumentation - Automatic Windows Modules Installer - Manual Windows Remote Management (WS-Management) - Automatic Windows Store Service (WSService) - Manual (Trigger Start) Windows Time - Manual (Trigger Start) Windows Update - Manual WinHTTP Web Proxy Auto-Discovery Service - Manual Wired AutoConfig - Manual WMI Performance Adapter - Manual Workstation - Automatic
Fix: F-27942r476601_fix
Document the services required for the system to operate. Remove or disable any services that are not required.
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- WN12-GE-000022
- Vuln IDs
-
- V-226253
- V-3289
- Rule IDs
-
- SV-226253r794618_rule
- SV-52105
Checks: C-27955r794617_chk
Determine whether there is a host-based Intrusion Detection System on each server. If the HIPS component of ESS is installed and active on the host and the Alerts of blocked activity are being logged and monitored, this will meet the requirement of this finding. A HID device is not required on a system that has the role as the Network Intrusion Device (NID). However, this exception needs to be documented with the site ISSO. If a host-based Intrusion Detection System is not installed on the system, this is a finding.
Fix: F-27943r476604_fix
Install a host-based Intrusion Detection System on each server.
- RMF Control
- SI-2
- Severity
- M
- CCI
- CCI-001233
- Version
- WN12-GE-000023
- Vuln IDs
-
- V-226254
- V-36734
- Rule IDs
-
- SV-226254r794616_rule
- SV-51582
Checks: C-27956r794615_chk
Verify DoD-approved ESS software is installed and properly operating. Ask the site ISSM for documentation of the ESS software installation and configuration. If the ISSM is not able to provide a documented configuration for an installed ESS or if the ESS software is not properly maintained or used, this is a finding. Note: Example of documentation can be a copy of the site's CCB approved Software Baseline with version of software noted or a memo from the ISSM stating current ESS software and version.
Fix: F-27944r641873_fix
Install DoD-approved ESS software and ensure it is operating continuously.
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- WN12-GE-000024
- Vuln IDs
-
- V-226255
- V-36735
- Rule IDs
-
- SV-226255r794612_rule
- SV-51583
Checks: C-27957r476609_chk
Verify the organization has an automated process to install security-related software updates. If it does not, this is a finding.
Fix: F-27945r476610_fix
Establish a process to automatically install security-related software updates.
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- WN12-GE-000025
- Vuln IDs
-
- V-226256
- V-36736
- Rule IDs
-
- SV-226256r794542_rule
- SV-51584
Checks: C-27958r476612_chk
Verify the system has software installed and running that provides certificate validation and revocation checking. If it does not, this is a finding.
Fix: F-27946r476613_fix
Install software that provides certificate validation and revocation checking.
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- WN12-GE-000026
- Vuln IDs
-
- V-226257
- V-1120
- Rule IDs
-
- SV-226257r794578_rule
- SV-52106
Checks: C-27959r476615_chk
If FTP is not installed on the system, this is NA. Determine the IP address and port number assigned to FTP sites from documentation or configuration. If Microsoft FTP is used, open "Internet Information Services (IIS) Manager". Select "Sites" under the server name. For any sites that reference FTP, view the Binding information for IP address and port. The standard port for FTP is 21, however this may be changed. Open a "Command Prompt". Attempt to log on as the user "anonymous" with the following commands: Note: Returned results may vary depending on the FTP server software. C:\> "ftp" ftp> "Open IP Address Port" (Substituting [IP Address] and [Port] with the information previously identified. If no IP Address was listed in the Binding, attempt using "localhost".) (Connected to IP Address 220 Microsoft FTP Service) User (IP Address): "anonymous" (331 Anonymous access allowed, send identity (e-mail name) as password.) Password: "password" (230 User logged in.) ftp> If the response indicates that an anonymous FTP login was permitted, this is a finding. If accounts with administrator privileges are used to access FTP, this is a CAT I finding.
Fix: F-27947r476616_fix
Configure the FTP service to prevent anonymous logons.
- RMF Control
- CM-6
- Severity
- H
- CCI
- CCI-000366
- Version
- WN12-GE-000027
- Vuln IDs
-
- V-226258
- V-1121
- Rule IDs
-
- SV-226258r794579_rule
- SV-52212
Checks: C-27960r476618_chk
If FTP is not installed on the system, this is NA. Determine the IP address and port number assigned to FTP sites from documentation or configuration. If Microsoft FTP is used, open "Internet Information Services (IIS) Manager". Select "Sites" under the server name. For any sites that reference FTP, view the Binding information for IP address and port. The standard port for FTP is 21, however this may be changed. Open a "Command Prompt". Access the FTP site and review accessible directories with the following commands: Note: Returned results may vary depending on the FTP server software. C:\> "ftp" ftp> "Open IP Address Port" (Substituting [IP Address] and [Port] with the information previously identified. If no IP Address was listed in the Binding, attempt using "localhost".) (Connected to IP Address 220 Microsoft FTP Service) User (IP Address): "FTP User" (Substituting [FTP User] with an account identified that is allowed access. If it was determined that anonymous access was allowed to the site [see V-1120], also review access using "anonymous".) (331 Password required) Password: "Password" (Substituting [Password] with password for the account attempting access.) (230 User ftpuser logged in.) ftp> "Dir" If the FTP session indicates access to areas of the system other than the specific folder for FTP data, such as the root of the drive, Program Files or Windows directories, this is a finding.
Fix: F-27948r476619_fix
Configure the system to only allow FTP access to specific folders containing the data to be available through the service.
- RMF Control
- AC-2
- Severity
- M
- CCI
- CCI-000016
- Version
- WN12-GE-000056
- Vuln IDs
-
- V-226259
- V-57653
- Rule IDs
-
- SV-226259r794508_rule
- SV-72063
Checks: C-27961r476621_chk
Determine if temporary user accounts are used and identify any that exist. If none exist, this is NA. Review temporary user accounts for expiration dates. Open "PowerShell". Domain Controllers: Enter "Search-ADAccount -AccountExpiring -TimeSpan 3:00:00:00 | FT Name, AccountExpirationDate" This will return any accounts configured to expire within the next 3 days. (The "TimeSpan" value to can be changed to find accounts configured to expire at various times such as 30 for the next month.) If any accounts identified as temporary are not listed, this is a finding. For any temporary accounts returned by the previous query: Enter "Get-ADUser -Identity [Name] -Property WhenCreated" to determine when the account was created. If the "WhenCreated" date and "AccountExpirationDate" from the previous query are greater than 3 days apart, this is a finding. Member servers and standalone systems: Enter "Net User [username]", where [username] is the name of the temporary user account. If "Account expires" has not been defined within 72 hours for any temporary user account, this is a finding. If the "Password last set" date and "Account expires" date are greater than 72 hours apart, this is a finding. (Net User does not provide an account creation date.)
Fix: F-27949r476622_fix
Configure temporary user accounts to automatically expire within 72 hours. Domain account can be configured with an account expiration date, under "Account" properties. Local accounts can be configured to expire with the command "Net user [username] /expires:[mm/dd/yyyy]", where username is the name of the temporary user account. Delete any temporary user accounts that are no longer necessary.
- RMF Control
- AC-2
- Severity
- M
- CCI
- CCI-001682
- Version
- WN12-GE-000057
- Vuln IDs
-
- V-226260
- V-57655
- Rule IDs
-
- SV-226260r794541_rule
- SV-72065
Checks: C-27962r476624_chk
Determine if emergency administrator accounts are used and identify any that exist. If none exist, this is NA. If emergency administrator accounts cannot be configured with an expiration date due to an ongoing crisis, the accounts must be disabled or removed when the crisis is resolved. If emergency administrator accounts have not been configured with an expiration date or have not been disabled or removed following the resolution of a crisis, this is a finding. Domain Controllers: Enter "Search-ADAccount -AccountExpiring -TimeSpan 3:00:00:00 | FT Name, AccountExpirationDate" This will return any accounts configured to expire within the next 3 days. (The "TimeSpan" value to can be changed to find accounts configured to expire at various times such as 30 for the next month.) If any accounts identified as emergency administrator accounts are not listed, this is a finding. For any emergency administrator accounts returned by the previous query: Enter "Get-ADUser -Identity [Name] -Property WhenCreated" to determine when the account was created. If the "WhenCreated" date and "AccountExpirationDate" from the previous query are greater than 3 days apart, this is a finding. Member servers and standalone systems: Enter "Net User [username]", where [username] is the name of the emergency administrator accounts. If "Account expires" has not been defined within 72 hours for any emergency administrator accounts, this is a finding. If the "Password last set" date and "Account expires" date are greater than 72 hours apart, this is a finding. (Net User does not provide an account creation date.)
Fix: F-27950r476625_fix
Remove emergency administrator accounts after a crisis has been resolved or configure the accounts to automatically expire within 72 hours. Domain accounts can be configured with an account expiration date, under "Account" properties. Local accounts can be configured to expire with the command "Net user [username] /expires:[mm/dd/yyyy]", where username is the name of the emergency administrator account.
- RMF Control
- IA-5
- Severity
- M
- CCI
- CCI-000185
- Version
- WN12-PK-000001
- Vuln IDs
-
- V-226261
- V-32272
- Rule IDs
-
- SV-226261r819682_rule
- SV-52961
Checks: C-27963r819680_chk
Verify the DoD Root CA certificates are installed as Trusted Root Certification Authorities. The certificates and thumbprints referenced below apply to unclassified systems; see PKE documentation for other networks. Run "PowerShell" as an administrator. Execute the following command: Get-ChildItem -Path Cert:Localmachine\root | Where Subject -Like "*DoD*" | FL Subject, Thumbprint, NotAfter If the following certificate "Subject" and "Thumbprint" information is not displayed, this is a finding. Subject: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=US Thumbprint: D73CA91102A2204A36459ED32213B467D7CE97FB NotAfter: 12/30/2029 Subject: CN=DoD Root CA 4, OU=PKI, OU=DoD, O=U.S. Government, C=US Thumbprint: B8269F25DBD937ECAFD4C35A9838571723F2D026 NotAfter: 7/25/2032 Subject: CN=DoD Root CA 5, OU=PKI, OU=DoD, O=U.S. Government, C=US Thumbprint: 4ECB5CC3095670454DA1CBD410FC921F46B8564B NotAfter: 6/14/2041 Alternately, use the Certificates MMC snap-in: Run "MMC". Select "File", "Add/Remove Snap-in". Select "Certificates", click "Add". Select "Computer account", click "Next". Select "Local computer: (the computer this console is running on)", click "Finish". Click "OK". Expand "Certificates" and navigate to "Trusted Root Certification Authorities >> Certificates". For each of the DoD Root CA certificates noted below: Right-click on the certificate and select "Open". Select the "Details" tab. Scroll to the bottom and select "Thumbprint". If the DoD Root CA certificates below are not listed or the value for the "Thumbprint" field is not as noted, this is a finding. DoD Root CA 3 Thumbprint: D73CA91102A2204A36459ED32213B467D7CE97FB Valid to: Sunday, December 30, 2029 DoD Root CA 4 Thumbprint: B8269F25DBD937ECAFD4C35A9838571723F2D026 Valid to: Sunday, July 25, 2032 DoD Root CA 5 Thumbprint: 4ECB5CC3095670454DA1CBD410FC921F46B8564B Valid to: Friday, June 14, 2041
Fix: F-27951r819681_fix
Install the DoD Root CA certificates: DoD Root CA 3 DoD Root CA 4 DoD Root CA 5 The InstallRoot tool is available on Cyber Exchange at https://cyber.mil/pki-pke/tools-configuration-files.
- RMF Control
- IA-5
- Severity
- M
- CCI
- CCI-000185
- Version
- WN12-PK-000003
- Vuln IDs
-
- V-226262
- V-32274
- Rule IDs
-
- SV-226262r819685_rule
- SV-52957
Checks: C-27964r819683_chk
Verify the DoD Interoperability cross-certificates are installed on unclassified systems as Untrusted Certificates. Run "PowerShell" as an administrator. Execute the following command: Get-ChildItem -Path Cert:Localmachine\disallowed | Where {$_.Issuer -Like "*DoD Interoperability*" -and $_.Subject -Like "*DoD*"} | FL Subject, Issuer, Thumbprint, NotAfter If the following certificate "Subject", "Issuer", and "Thumbprint" information is not displayed, this is a finding. Subject: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=US Issuer: CN=DoD Interoperability Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US Thumbprint: AC06108CA348CC03B53795C64BF84403C1DBD341 NotAfter: 1/22/2022 10:22:56 AM Subject: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=US Issuer: CN=DoD Interoperability Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US Thumbprint: 49CBE933151872E17C8EAE7F0ABA97FB610F6477 NotAfter: 11/16/2024 9:57:16 AM Alternately, use the Certificates MMC snap-in: Run "MMC". Select "File", "Add/Remove Snap-in". Select "Certificates", click "Add". Select "Computer account", click "Next". Select "Local computer: (the computer this console is running on)", click "Finish". Click "OK". Expand "Certificates" and navigate to "Untrusted Certificates >> Certificates". For each certificate with "DoD Root CA…" under "Issued To" and "DoD Interoperability Root CA…" under "Issued By": Right-click on the certificate and select "Open". Select the "Details" tab. Scroll to the bottom and select "Thumbprint". If the certificates below are not listed or the value for the "Thumbprint" field is not as noted, this is a finding. Issued To: DoD Root CA 3 Issued By: DoD Interoperability Root CA 2 Thumbprint: A8C27332CCB4CA49554CE55D34062A7DD2850C02 Valid to: Friday, August 26, 2022 Issued To: DoD Root CA 3 Issued By: DoD Interoperability Root CA 2 Thumbprint: 49CBE933151872E17C8EAE7F0ABA97FB610F6477 Valid to: Wednesday, November 16, 2024
Fix: F-27952r819684_fix
Install the DoD Interoperability Root CA cross-certificates on unclassified systems. Issued To - Issued By - Thumbprint DoD Root CA 3 - DoD Interoperability Root CA 2 - 49CBE933151872E17C8EAE7F0ABA97FB610F6477 DoD Root CA 3 - DoD Interoperability Root CA 2 - AC06108CA348CC03B53795C64BF84403C1DBD341 The certificates can be installed using the InstallRoot tool. The tool and user guide are available on Cyber Exchange at https://cyber.mil/pki-pke/tools-configuration-files.
- RMF Control
- IA-5
- Severity
- M
- CCI
- CCI-000185
- Version
- WN12-PK-000004
- Vuln IDs
-
- V-226263
- V-40237
- Rule IDs
-
- SV-226263r794522_rule
- SV-52196
Checks: C-27965r794520_chk
Verify the US DoD CCEB Interoperability Root CA cross-certificate is installed on unclassified systems as an Untrusted Certificate. Run "PowerShell" as an administrator. Execute the following command: Get-ChildItem -Path Cert:Localmachine\disallowed | Where Issuer -Like "*CCEB Interoperability*" | FL Subject, Issuer, Thumbprint, NotAfter If the following certificate "Subject", "Issuer", and "Thumbprint", information is not displayed, this is a finding. Subject: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=US Issuer: CN=US DoD CCEB Interoperability Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US Thumbprint: AF132AC65DE86FC4FB3FE51FD637EBA0FF0B12A9 NotAfter: 8/26/2022 Alternately use the Certificates MMC snap-in: Run "MMC". Select "File", "Add/Remove Snap-in". Select "Certificates", click "Add". Select "Computer account", click "Next". Select "Local computer: (the computer this console is running on)", click "Finish". Click "OK". Expand "Certificates" and navigate to "Untrusted Certificates >> Certificates". For each certificate with "US DoD CCEB Interoperability Root CA …" under "Issued By": Right-click on the certificate and select "Open". Select the "Details" Tab. Scroll to the bottom and select "Thumbprint". If the certificate below is not listed or the value for the "Thumbprint" field is not as noted, this is a finding. Issued To: DoD Root CA 3 Issuer by: US DoD CCEB Interoperability Root CA 2 Thumbprint: AF132AC65DE86FC4FB3FE51FD637EBA0FF0B12A9 Valid: Friday, August 26, 2022
Fix: F-27953r794521_fix
Install the US DoD CCEB Interoperability Root CA cross-certificate on unclassified systems. Issued To - Issued By - Thumbprint DoD Root CA 3 - US DoD CCEB Interoperability Root CA 2 - AF132AC65DE86FC4FB3FE51FD637EBA0FF0B12A9 The certificates can be installed using the InstallRoot tool. The tool and user guide are available on Cyber Exchange at https://cyber.mil/pki-pke/tools-configuration-files.
- RMF Control
- IA-5
- Severity
- M
- CCI
- CCI-000185
- Version
- WN12-PK-000005-DC
- Vuln IDs
-
- V-226264
- V-39334
- Rule IDs
-
- SV-226264r794523_rule
- SV-51189
Checks: C-27966r476636_chk
Verify the domain controller has a PKI server certificate. Run "mmc". Select "Add/Remove Snap-in" from the File menu. Select "Certificates" in the left pane and click the "Add >" button. Select "Computer Account", click "Next". Select the appropriate option for "Select the computer you want this snap-in to manage.", click "Finish". Click "OK". Select and expand the Certificates (Local Computer) entry in the left pane. Select and expand the Personal entry in the left pane. Select the Certificates entry in the left pane. If no certificate for the domain controller exists in the right pane, this is a finding.
Fix: F-27954r476637_fix
Obtain a server certificate for the domain controller.
- RMF Control
- IA-5
- Severity
- H
- CCI
- CCI-000185
- Version
- WN12-PK-000006-DC
- Vuln IDs
-
- V-226265
- V-14820
- Rule IDs
-
- SV-226265r794525_rule
- SV-51190
Checks: C-27967r476639_chk
Verify the source of the domain controller's server certificate. Run "mmc". Select "Add/Remove Snap-in" from the File menu. Select "Certificates" in the left pane and click the "Add >" button. Select "Computer Account", click "Next". Select the appropriate option for "Select the computer you want this snap-in to manage.", click "Finish". Click "OK". Select and expand the Certificates (Local Computer) entry in the left pane. Select and expand the Personal entry in the left pane. Select the Certificates entry in the left pane. In the right pane, examine the Issued By field for the certificate to determine the issuing CA. If the Issued By field of the PKI certificate being used by the domain controller does not indicate the issuing Certificate Authority (CA) is part of the DoD PKI or an approved ECA, this is a finding. There are multiple sources from which lists of valid DoD CAs and approved ECAs can be obtained: The Global Directory Service (GDS) website provides an online source. The address for this site is https://crl.gds.disa.mil. DoD Public Key Enablement (PKE) Engineering Support maintains the InstallRoot utility to manage DoD supported root certificates on Windows computers which includes a list of authorized CAs. The utility package can be downloaded from the PKI and PKE Tools page on IASE. http://iase.disa.mil/pki-pke/function_pages/tools.html
Fix: F-27955r794524_fix
Obtain PKI certificates issued by the DoD PKI or an approved External Certificate Authority (ECA). Severity Override Guidance: If the certificates in use are issued by a CA authorized by the Component's CIO, this is a CAT II finding. IA Controls: IAKM-1, IAKM-2, IATS-1, IATS-2
- RMF Control
- IA-5
- Severity
- H
- CCI
- CCI-000185
- Version
- WN12-PK-000007-DC
- Vuln IDs
-
- V-226266
- V-26683
- Rule IDs
-
- SV-226266r794526_rule
- SV-51191
Checks: C-27968r476642_chk
Open "PowerShell" as Administrator. Enter "Get-ADUser -Filter * | FT Name, UserPrincipalName, Enabled -AutoSize". Review the User Principal Name (UPN) of user accounts, including administrators. Exclude the built-in accounts such as Administrator and Guest. If the User Principal Name (UPN) is not in the format of an individual's identifier for the certificate type and for the appropriate domain suffix, this is a finding. For standard NIPRNET certificates the individual's identifier is in the format of an Electronic Data Interchange - Personnel Identifier (EDI-PI). Alt Tokens and other certificates may use a different UPN format than the EDI-PI, which vary by organization. Verify these with the organization. NIPRNET Example: Name - User Principal Name User1 - 1234567890@mil See PKE documentation for other network domain suffixes. If the mappings are to certificates issued by a CA authorized by the Component's CIO, this is a CAT II finding.
Fix: F-27956r476643_fix
Map user accounts to PKI certificates using the appropriate User Principal Name (UPN) for the network. See PKE documentation for details.
- RMF Control
- IA-2
- Severity
- M
- CCI
- CCI-000765
- Version
- WN12-PK-000008-DC
- Vuln IDs
-
- V-226267
- V-15488
- Rule IDs
-
- SV-226267r794536_rule
- SV-51192
Checks: C-27969r476645_chk
Verify active directory user accounts, including administrators, have "Smart card is required for interactive logon" selected. Run "PowerShell". Enter the following: "Get-ADUser -Filter {(Enabled -eq $True) -and (SmartcardLogonRequired -eq $False)} | FT Name" ("DistinguishedName" may be substituted for "Name" for more detailed output.) If any user accounts are listed, this is a finding. Alternately: To view sample accounts in "Active Directory Users and Computers" (Available from various menus or run "dsa.msc"): Select the Organizational Unit (OU) where the User accounts are located. (By default this is the Users node; however, accounts may be under other organization-defined OUs.) Right click the sample User account and select "Properties". Select the "Account" tab. If any User accounts do not have "Smart card is required for interactive logon" checked in the "Account Options" area, this is a finding.
Fix: F-27957r476646_fix
Configure all user accounts, including administrator accounts, in Active Directory to enable the option "Smart card is required for interactive logon". Run "Active Directory Users and Computers" (Available from various menus or run "dsa.msc"): Select the Organizational Unit (OU) where the user accounts are located. (By default this is the Users node; however, accounts may be under other organization-defined OUs.) Right click the user account and select "Properties". Select the "Account" tab. Check "Smart card is required for interactive logon" in the "Account Options" area.
- RMF Control
- AC-6
- Severity
- H
- CCI
- CCI-002235
- Version
- WN12-RG-000001
- Vuln IDs
-
- V-226268
- V-26070
- Rule IDs
-
- SV-226268r794557_rule
- SV-53123
Checks: C-27970r476648_chk
Run "Regedit". Navigate to the following registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ Right-click on "WinLogon" and select "Permissions…". Select "Advanced". If the permissions are not as restrictive as the defaults listed below, this is a finding. The following are the same for each permission listed: Type - Allow Inherited from - MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion Applies to - This key and subkeys Columns: Principal - Access TrustedInstaller - Full Control SYSTEM - Full Control Administrators - Full Control Users - Read ALL APPLICATION PACKAGES - Read
Fix: F-27958r476649_fix
Maintain permissions at least as restrictive as the defaults listed below for the "WinLogon" registry key. It is recommended to not change the permissions from the defaults. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ The following are the same for each permission listed: Type - Allow Inherited from - MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion Applies to - This key and subkeys Columns: Principal - Access TrustedInstaller - Full Control SYSTEM - Full Control Administrators - Full Control Users - Read ALL APPLICATION PACKAGES - Read
- RMF Control
- AC-6
- Severity
- H
- CCI
- CCI-002235
- Version
- WN12-RG-000002
- Vuln IDs
-
- V-226269
- V-32282
- Rule IDs
-
- SV-226269r794558_rule
- SV-52956
Checks: C-27971r476651_chk
Run "Regedit". Navigate to the following registry keys and review the permissions: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\ HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\ (64-bit systems) If the default permissions listed below have been changed, this is a finding. Users - Read Administrators - Full Control SYSTEM - Full Control CREATOR OWNER - Full Control (Subkeys only) ALL APPLICATION PACKAGES - Read
Fix: F-27959r476652_fix
Maintain the default permissions of the following registry keys: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\ HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\ (64-bit systems only) Users - Read Administrators - Full Control SYSTEM - Full Control CREATOR OWNER - Full Control (Subkeys only) ALL APPLICATION PACKAGES - Read
- RMF Control
- AC-6
- Severity
- H
- CCI
- CCI-002235
- Version
- WN12-RG-000004
- Vuln IDs
-
- V-226270
- V-1152
- Rule IDs
-
- SV-226270r794559_rule
- SV-52864
Checks: C-27972r476654_chk
Run "Regedit". Navigate to the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg\ If the key does not exist, this is a finding. Right-click on "winreg" and select "Permissions…". Select "Advanced". If the permissions are not as restrictive as the defaults listed below, this is a finding. The following are the same for each permission listed: Type - Allow Inherited from - None Columns: Principal - Access - Applies to Administrators - Full Control - This key and subkeys Backup Operators - Read - This key only LOCAL SERVICE - Read - This key and subkeys
Fix: F-27960r476655_fix
Maintain permissions at least as restrictive as the defaults listed below for the "winreg" registry key. It is recommended to not change the permissions from the defaults. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg\ The following are the same for each permission listed: Type - Allow Inherited from - None Columns: Principal - Access - Applies to Administrators - Full Control - This key and subkeys Backup Operators - Read - This key only LOCAL SERVICE - Read - This key and subkeys
- RMF Control
- IA-8
- Severity
- M
- CCI
- CCI-000804
- Version
- WN12-SO-000003
- Vuln IDs
-
- V-226271
- V-1113
- Rule IDs
-
- SV-226271r794540_rule
- SV-52855
Checks: C-27973r476657_chk
Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options. If the value for "Accounts: Guest account status" is not set to "Disabled", this is a finding.
Fix: F-27961r476658_fix
Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "Accounts: Guest account status" to "Disabled".
- RMF Control
- CM-6
- Severity
- H
- CCI
- CCI-000366
- Version
- WN12-SO-000004
- Vuln IDs
-
- V-226272
- V-3344
- Rule IDs
-
- SV-226272r794580_rule
- SV-52886
Checks: C-27974r476660_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Control\Lsa\ Value Name: LimitBlankPasswordUse Value Type: REG_DWORD Value: 1
Fix: F-27962r476661_fix
Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "Accounts: Limit local account use of blank passwords to console logon only" to "Enabled".
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- WN12-SO-000005
- Vuln IDs
-
- V-226273
- V-1115
- Rule IDs
-
- SV-226273r794581_rule
- SV-52857
Checks: C-27975r476663_chk
Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options. If the value for "Accounts: Rename administrator account" is not set to a value other than "Administrator", this is a finding.
Fix: F-27963r476664_fix
Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "Accounts: Rename administrator account" to a name other than "Administrator".
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- WN12-SO-000006
- Vuln IDs
-
- V-226274
- V-1114
- Rule IDs
-
- SV-226274r794582_rule
- SV-52856
Checks: C-27976r476666_chk
Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options. If the value for "Accounts: Rename guest account" is not set to a value other than "Guest", this is a finding.
Fix: F-27964r476667_fix
Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "Accounts: Rename guest account" to a name other than "Guest".
- RMF Control
- SC-5
- Severity
- M
- CCI
- CCI-001095
- Version
- WN12-SO-000007
- Vuln IDs
-
- V-226275
- V-14228
- Rule IDs
-
- SV-226275r794551_rule
- SV-53129
Checks: C-27977r476669_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Control\Lsa\ Value Name: AuditBaseObjects Value Type: REG_DWORD Value: 0
Fix: F-27965r476670_fix
Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "Audit: Audit the access of global system objects" to "Disabled".
- RMF Control
- SC-5
- Severity
- M
- CCI
- CCI-001095
- Version
- WN12-SO-000008
- Vuln IDs
-
- V-226276
- V-14229
- Rule IDs
-
- SV-226276r794552_rule
- SV-52943
Checks: C-27978r476672_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Control\Lsa\ Value Name: FullPrivilegeAuditing Value Type: REG_BINARY Value: 00
Fix: F-27966r476673_fix
Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "Audit: Audit the use of Backup and Restore privilege" to "Disabled".
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000169
- Version
- WN12-SO-000009
- Vuln IDs
-
- V-226277
- V-14230
- Rule IDs
-
- SV-226277r794513_rule
- SV-52944
Checks: C-27979r476675_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Control\Lsa\ Value Name: SCENoApplyLegacyAuditPolicy Value Type: REG_DWORD Value: 1
Fix: F-27967r476676_fix
Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" to "Enabled".
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- WN12-SO-000011
- Vuln IDs
-
- V-226278
- V-1171
- Rule IDs
-
- SV-226278r794583_rule
- SV-52875
Checks: C-27980r476678_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ Value Name: AllocateDASD Value Type: REG_SZ Value: 0
Fix: F-27968r476679_fix
Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "Devices: Allowed to format and eject removable media" to "Administrators".
- RMF Control
- SC-8
- Severity
- M
- CCI
- CCI-002418
- Version
- WN12-SO-000012
- Vuln IDs
-
- V-226279
- V-6831
- Rule IDs
-
- SV-226279r794566_rule
- SV-52934
Checks: C-27981r476681_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Services\Netlogon\Parameters\ Value Name: RequireSignOrSeal Value Type: REG_DWORD Value: 1
Fix: F-27969r476682_fix
Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "Domain member: Digitally encrypt or sign secure channel data (always)" to "Enabled".
- RMF Control
- SC-8
- Severity
- M
- CCI
- CCI-002418
- Version
- WN12-SO-000013
- Vuln IDs
-
- V-226280
- V-1163
- Rule IDs
-
- SV-226280r794567_rule
- SV-52871
Checks: C-27982r476684_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\ Value Name: SealSecureChannel Value Type: REG_DWORD Value: 1 If the value for "Domain Member: Digitally encrypt or sign secure channel data (always)" is set to "Enabled", this can be NA (see V-6831).
Fix: F-27970r476685_fix
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Domain member: Digitally encrypt secure channel data (when possible)" to "Enabled".
- RMF Control
- SC-8
- Severity
- M
- CCI
- CCI-002418
- Version
- WN12-SO-000014
- Vuln IDs
-
- V-226281
- V-1164
- Rule IDs
-
- SV-226281r794568_rule
- SV-52872
Checks: C-27983r476687_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\ Value Name: SignSecureChannel Value Type: REG_DWORD Value: 1 If the value for "Domain Member: Digitally encrypt or sign secure channel data (always)" is set to "Enabled", this can be NA (see V-6831).
Fix: F-27971r476688_fix
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Domain member: Digitally sign secure channel data (when possible)" to "Enabled".
- RMF Control
- CM-6
- Severity
- L
- CCI
- CCI-000366
- Version
- WN12-SO-000015
- Vuln IDs
-
- V-226282
- V-1165
- Rule IDs
-
- SV-226282r794584_rule
- SV-52873
Checks: C-27984r476690_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Services\Netlogon\Parameters\ Value Name: DisablePasswordChange Value Type: REG_DWORD Value: 0
Fix: F-27972r476691_fix
Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "Domain member: Disable machine account password changes" to "Disabled".
- RMF Control
- CM-6
- Severity
- L
- CCI
- CCI-000366
- Version
- WN12-SO-000016
- Vuln IDs
-
- V-226283
- V-3373
- Rule IDs
-
- SV-226283r794585_rule
- SV-52887
Checks: C-27985r476693_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Services\Netlogon\Parameters\ Value Name: MaximumPasswordAge Value Type: REG_DWORD Value: 30 (or less, but not 0)
Fix: F-27973r476694_fix
Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "Domain member: Maximum machine account password age" to "30" or less (excluding "0" which is unacceptable).
- RMF Control
- SC-8
- Severity
- M
- CCI
- CCI-002418
- Version
- WN12-SO-000017
- Vuln IDs
-
- V-226284
- V-3374
- Rule IDs
-
- SV-226284r794569_rule
- SV-52888
Checks: C-27986r476696_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Services\Netlogon\Parameters\ Value Name: RequireStrongKey Value Type: REG_DWORD Value: 1 This setting may prevent a system from being joined to a domain if not configured consistently between systems.
Fix: F-27974r476697_fix
Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "Domain member: Require strong (Windows 2000 or Later) session key" to "Enabled".
- RMF Control
- CM-6
- Severity
- L
- CCI
- CCI-000366
- Version
- WN12-SO-000018
- Vuln IDs
-
- V-226285
- V-11806
- Rule IDs
-
- SV-226285r794586_rule
- SV-52941
Checks: C-27987r476699_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: DontDisplayLastUserName Value Type: REG_DWORD Value: 1
Fix: F-27975r476700_fix
Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "Interactive logon: Do not display last user name" to "Enabled".
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- WN12-SO-000019
- Vuln IDs
-
- V-226286
- V-1154
- Rule IDs
-
- SV-226286r794587_rule
- SV-52866
Checks: C-27988r476702_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: DisableCAD Value Type: REG_DWORD Value: 0
Fix: F-27976r476703_fix
Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "Interactive Logon: Do not require CTRL+ALT+DEL" to "Disabled".
- RMF Control
- AC-11
- Severity
- M
- CCI
- CCI-000057
- Version
- WN12-SO-000021
- Vuln IDs
-
- V-226287
- V-36773
- Rule IDs
-
- SV-226287r794511_rule
- SV-51596
Checks: C-27989r476705_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: InactivityTimeoutSecs Value Type: REG_DWORD Value: 0x00000384 (900) (or less, excluding "0" which is effectively disabled)
Fix: F-27977r476706_fix
Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "Interactive logon: Machine inactivity limit" to "900" seconds" or less, excluding "0" which is effectively disabled.
- RMF Control
- AC-8
- Severity
- M
- CCI
- CCI-000048
- Version
- WN12-SO-000022
- Vuln IDs
-
- V-226288
- V-1089
- Rule IDs
-
- SV-226288r794509_rule
- SV-52845
Checks: C-27990r476708_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: LegalNoticeText Value Type: REG_SZ Value: See message text below You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.
Fix: F-27978r476709_fix
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Interactive Logon: Message text for users attempting to log on" to the following: You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.
- RMF Control
- AC-8
- Severity
- L
- CCI
- CCI-000048
- Version
- WN12-SO-000023
- Vuln IDs
-
- V-226289
- V-26359
- Rule IDs
-
- SV-226289r794510_rule
- SV-53121
Checks: C-27991r476711_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: LegalNoticeCaption Value Type: REG_SZ Value: See message title options below "DoD Notice and Consent Banner", "US Department of Defense Warning Statement", or a site-defined equivalent. If a site-defined title is used, it can in no case contravene or modify the language of the banner text required in V-1089. Automated tools may only search for the titles defined above. If a site-defined title is used, a manual review will be required.
Fix: F-27979r476712_fix
Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "Interactive Logon: Message title for users attempting to log on" to "DoD Notice and Consent Banner", "US Department of Defense Warning Statement", or a site-defined equivalent. If a site-defined title is used, it can in no case contravene or modify the language of the banner text required in V-1089.
- RMF Control
- CM-6
- Severity
- L
- CCI
- CCI-000366
- Version
- WN12-SO-000024
- Vuln IDs
-
- V-226290
- V-1090
- Rule IDs
-
- SV-226290r794588_rule
- SV-52846
Checks: C-27992r476714_chk
If the system is not a member of a domain, this is NA. If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ Value Name: CachedLogonsCount Value Type: REG_SZ Value: 4 (or less)
Fix: F-27980r476715_fix
If the system is not a member of a domain, this is NA. Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Interactive Logon: Number of previous logons to cache (in case Domain Controller is not available)" to "4" logons or less.
- RMF Control
- CM-6
- Severity
- L
- CCI
- CCI-000366
- Version
- WN12-SO-000025
- Vuln IDs
-
- V-226291
- V-1172
- Rule IDs
-
- SV-226291r794589_rule
- SV-52876
Checks: C-27993r476717_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ Value Name: PasswordExpiryWarning Value Type: REG_DWORD Value: 14 (or greater)
Fix: F-27981r476718_fix
Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "Interactive Logon: Prompt user to change password before expiration" to "14" days or more.
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- WN12-SO-000027
- Vuln IDs
-
- V-226292
- V-1157
- Rule IDs
-
- SV-226292r794590_rule
- SV-52867
Checks: C-27994r476720_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ Value Name: SCRemoveOption Value Type: REG_SZ Value: 1 (Lock Workstation) or 2 (Force Logoff) If configuring this on servers causes issues such as terminating users' remote sessions and the site has a policy in place that any other sessions on the servers such as administrative console logons, are manually locked or logged off when unattended or not in use, this would be acceptable. This must be documented with the ISSO.
Fix: F-27982r476721_fix
Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "Interactive logon: Smart card removal behavior" to "Lock Workstation" or "Force Logoff".
- RMF Control
- SC-8
- Severity
- M
- CCI
- CCI-002418
- Version
- WN12-SO-000028
- Vuln IDs
-
- V-226293
- V-6832
- Rule IDs
-
- SV-226293r794570_rule
- SV-52935
Checks: C-27995r476723_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Services\LanmanWorkstation\Parameters\ Value Name: RequireSecuritySignature Value Type: REG_DWORD Value: 1
Fix: F-27983r476724_fix
Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "Microsoft network client: Digitally sign communications (always)" to "Enabled".
- RMF Control
- SC-8
- Severity
- M
- CCI
- CCI-002418
- Version
- WN12-SO-000029
- Vuln IDs
-
- V-226294
- V-1166
- Rule IDs
-
- SV-226294r794571_rule
- SV-52874
Checks: C-27996r476726_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Services\LanmanWorkstation\Parameters\ Value Name: EnableSecuritySignature Value Type: REG_DWORD Value: 1
Fix: F-27984r476727_fix
Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "Microsoft network client: Digitally sign communications (if server agrees)" to "Enabled".
- RMF Control
- IA-5
- Severity
- M
- CCI
- CCI-000197
- Version
- WN12-SO-000030
- Vuln IDs
-
- V-226295
- V-1141
- Rule IDs
-
- SV-226295r794528_rule
- SV-52861
Checks: C-27997r476729_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters\ Value Name: EnablePlainTextPassword Value Type: REG_DWORD Value: 0
Fix: F-27985r476730_fix
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Microsoft Network Client: Send unencrypted password to third-party SMB servers" to "Disabled".
- RMF Control
- SC-10
- Severity
- L
- CCI
- CCI-001133
- Version
- WN12-SO-000031
- Vuln IDs
-
- V-226296
- V-1174
- Rule IDs
-
- SV-226296r794608_rule
- SV-52878
Checks: C-27998r476732_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Services\LanManServer\Parameters\ Value Name: autodisconnect Value Type: REG_DWORD Value: 0x0000000f (15) (or less)
Fix: F-27986r476733_fix
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Microsoft Network Server: Amount of idle time required before suspending session" to "15" minutes or less.
- RMF Control
- SC-8
- Severity
- M
- CCI
- CCI-002418
- Version
- WN12-SO-000032
- Vuln IDs
-
- V-226297
- V-6833
- Rule IDs
-
- SV-226297r794572_rule
- SV-52936
Checks: C-27999r476735_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Services\LanManServer\Parameters\ Value Name: RequireSecuritySignature Value Type: REG_DWORD Value: 1
Fix: F-27987r476736_fix
Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "Microsoft network server: Digitally sign communications (always)" to "Enabled".
- RMF Control
- SC-8
- Severity
- M
- CCI
- CCI-002418
- Version
- WN12-SO-000033
- Vuln IDs
-
- V-226298
- V-1162
- Rule IDs
-
- SV-226298r794573_rule
- SV-52870
Checks: C-28000r476738_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Services\LanManServer\Parameters\ Value Name: EnableSecuritySignature Value Type: REG_DWORD Value: 1
Fix: F-27988r476739_fix
Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "Microsoft network server: Digitally sign communications (if client agrees)" to "Enabled".
- RMF Control
- SC-10
- Severity
- L
- CCI
- CCI-001133
- Version
- WN12-SO-000034
- Vuln IDs
-
- V-226299
- V-1136
- Rule IDs
-
- SV-226299r794609_rule
- SV-52860
Checks: C-28001r476741_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Services\LanManServer\Parameters\ Value Name: EnableForcedLogoff Value Type: REG_DWORD Value: 1
Fix: F-27989r476742_fix
Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "Microsoft network server: Disconnect clients when logon hours expire" to "Enabled".
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- WN12-SO-000035
- Vuln IDs
-
- V-226300
- V-21950
- Rule IDs
-
- SV-226300r794591_rule
- SV-53175
Checks: C-28002r476744_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Services\LanmanServer\Parameters\ Value Name: SmbServerNameHardeningLevel Type: REG_DWORD Value: 0
Fix: F-27990r476745_fix
Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "Microsoft network server: Server SPN target name validation level" to "Off".
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- WN12-SO-000036
- Vuln IDs
-
- V-226301
- V-1145
- Rule IDs
-
- SV-226301r794593_rule
- SV-52107
Checks: C-28003r476747_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ Value Name: AutoAdminLogon Type: REG_SZ Value: 0
Fix: F-27991r794592_fix
Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)" to "Disabled". Ensure no passwords are stored in the "DefaultPassword" registry value noted below: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ Value Name: DefaultPassword (See "Updating the Windows Security Options File" in the STIG Overview document if MSS settings are not visible in the system's policy tools.) Severity Override Guidance: If the DefaultName or DefaultDomainName in the same registry path contain an administrator account name and the DefaultPassword contains a value, this is a CAT I finding.
- RMF Control
- CM-6
- Severity
- L
- CCI
- CCI-000366
- Version
- WN12-SO-000037
- Vuln IDs
-
- V-226302
- V-21955
- Rule IDs
-
- SV-226302r794594_rule
- SV-53180
Checks: C-28004r476750_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\ Value Name: DisableIPSourceRouting Type: REG_DWORD Value: 2
Fix: F-27992r476751_fix
Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)" to "Highest protection, source routing is completely disabled". (See "Updating the Windows Security Options File" in the STIG Overview document if MSS settings are not visible in the system's policy tools.)
- RMF Control
- CM-6
- Severity
- L
- CCI
- CCI-000366
- Version
- WN12-SO-000038
- Vuln IDs
-
- V-226303
- V-4110
- Rule IDs
-
- SV-226303r794595_rule
- SV-52924
Checks: C-28005r476753_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Services\Tcpip\Parameters\ Value Name: DisableIPSourceRouting Value Type: REG_DWORD Value: 2
Fix: F-27993r476754_fix
Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)" to "Highest protection, source routing is completely disabled". (See "Updating the Windows Security Options File" in the STIG Overview document if MSS settings are not visible in the system's policy tools.)
- RMF Control
- CM-6
- Severity
- L
- CCI
- CCI-000366
- Version
- WN12-SO-000039
- Vuln IDs
-
- V-226304
- V-4111
- Rule IDs
-
- SV-226304r794596_rule
- SV-52925
Checks: C-28006r476756_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Services\Tcpip\Parameters\ Value Name: EnableICMPRedirect Value Type: REG_DWORD Value: 0
Fix: F-27994r476757_fix
Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes" to "Disabled". (See "Updating the Windows Security Options File" in the STIG Overview document if MSS settings are not visible in the system's policy tools.)
- RMF Control
- SC-5
- Severity
- L
- CCI
- CCI-002385
- Version
- WN12-SO-000041
- Vuln IDs
-
- V-226305
- V-4113
- Rule IDs
-
- SV-226305r794561_rule
- SV-52927
Checks: C-28007r476759_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Services\Tcpip\Parameters\ Value Name: KeepAliveTime Value Type: REG_DWORD Value: 300000 (or less)
Fix: F-27995r476760_fix
Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds" to "300000 or 5 minutes (recommended)" or less. (See "Updating the Windows Security Options File" in the STIG Overview document if MSS settings are not visible in the system's policy tools.)
- RMF Control
- CM-6
- Severity
- L
- CCI
- CCI-000366
- Version
- WN12-SO-000042
- Vuln IDs
-
- V-226306
- V-14232
- Rule IDs
-
- SV-226306r794597_rule
- SV-52945
Checks: C-28008r476762_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Services\IPSEC\ Value Name: NoDefaultExempt Value Type: REG_DWORD Value: 3
Fix: F-27996r476763_fix
Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "MSS: (NoDefaultExempt) Configure IPSec exemptions for various types of network traffic" to "Only ISAKMP is exempt (recommended for Windows Server 2003)". (See "Updating the Windows Security Options File" in the STIG Overview document if MSS settings are not visible in the system's policy tools.)
- RMF Control
- SC-5
- Severity
- L
- CCI
- CCI-002385
- Version
- WN12-SO-000043
- Vuln IDs
-
- V-226307
- V-4116
- Rule IDs
-
- SV-226307r794562_rule
- SV-52928
Checks: C-28009r476765_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Services\Netbt\Parameters\ Value Name: NoNameReleaseOnDemand Value Type: REG_DWORD Value: 1
Fix: F-27997r476766_fix
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers" to "Enabled". (See "Updating the Windows Security Options File" in the STIG Overview document if MSS settings are not visible in the system's policy tools.)
- RMF Control
- SC-5
- Severity
- L
- CCI
- CCI-002385
- Version
- WN12-SO-000044
- Vuln IDs
-
- V-226308
- V-4112
- Rule IDs
-
- SV-226308r794563_rule
- SV-52926
Checks: C-28010r476768_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Services\Tcpip\Parameters\ Value Name: PerformRouterDiscovery Value Type: REG_DWORD Value: 0
Fix: F-27998r476769_fix
Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)" to "Disabled". (See "Updating the Windows Security Options File" in the STIG Overview document if MSS settings are not visible in the system's policy tools.)
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- WN12-SO-000045
- Vuln IDs
-
- V-226309
- V-3479
- Rule IDs
-
- SV-226309r794598_rule
- SV-52920
Checks: C-28011r476771_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Control\Session Manager\ Value Name: SafeDllSearchMode Value Type: REG_DWORD Value: 1
Fix: F-27999r476772_fix
Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)" to "Enabled". (See "Updating the Windows Security Options File" in the STIG Overview document if MSS settings are not visible in the system's policy tools.)
- RMF Control
- CM-6
- Severity
- L
- CCI
- CCI-000366
- Version
- WN12-SO-000046
- Vuln IDs
-
- V-226310
- V-4442
- Rule IDs
-
- SV-226310r794599_rule
- SV-52930
Checks: C-28012r476774_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ Value Name: ScreenSaverGracePeriod Value Type: REG_SZ Value: 5 (or less)
Fix: F-28000r476775_fix
Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)" to "5" or less. (See "Updating the Windows Security Options File" in the STIG Overview document if MSS settings are not visible in the system's policy tools.)
- RMF Control
- SC-5
- Severity
- L
- CCI
- CCI-002385
- Version
- WN12-SO-000047
- Vuln IDs
-
- V-226311
- V-21956
- Rule IDs
-
- SV-226311r794564_rule
- SV-53181
Checks: C-28013r476777_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\ Value Name: TcpMaxDataRetransmissions Value Type: REG_DWORD Value: 3 (or less)
Fix: F-28001r476778_fix
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted (3 recommended, 5 is default)" to "3" or less. (See "Updating the Windows Security Options File" in the STIG Overview document if MSS settings are not visible in the system's policy tools.)
- RMF Control
- SC-5
- Severity
- L
- CCI
- CCI-002385
- Version
- WN12-SO-000048
- Vuln IDs
-
- V-226312
- V-4438
- Rule IDs
-
- SV-226312r794565_rule
- SV-52929
Checks: C-28014r476780_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\ Value Name: TcpMaxDataRetransmissions Value Type: REG_DWORD Value: 3 (or less)
Fix: F-28002r476781_fix
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted (3 recommended, 5 is default)" to "3" or less. (See "Updating the Windows Security Options File" in the STIG Overview document if MSS settings are not visible in the system's policy tools.)
- RMF Control
- AU-5
- Severity
- L
- CCI
- CCI-000139
- Version
- WN12-SO-000049
- Vuln IDs
-
- V-226313
- V-4108
- Rule IDs
-
- SV-226313r794512_rule
- SV-52923
Checks: C-28015r476783_chk
If the system is configured to write to an audit server, or is configured to automatically archive full logs, this is NA. If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Services\Eventlog\Security\ Value Name: WarningLevel Value Type: REG_DWORD Value: 90 (or less)
Fix: F-28003r476784_fix
Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning" to "90" or less. (See "Updating the Windows Security Options File" in the STIG Overview document if MSS settings are not visible in the system's policy tools.)
- RMF Control
- CM-6
- Severity
- H
- CCI
- CCI-000366
- Version
- WN12-SO-000050
- Vuln IDs
-
- V-226314
- V-3337
- Rule IDs
-
- SV-226314r794600_rule
- SV-52882
Checks: C-28016r476786_chk
Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options. If the value for "Network access: Allow anonymous SID/Name translation" is not set to "Disabled", this is a finding.
Fix: F-28004r476787_fix
Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "Network access: Allow anonymous SID/Name translation" to "Disabled".
- RMF Control
- CM-6
- Severity
- H
- CCI
- CCI-000366
- Version
- WN12-SO-000051
- Vuln IDs
-
- V-226315
- V-26283
- Rule IDs
-
- SV-226315r794601_rule
- SV-53122
Checks: C-28017r476789_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Control\Lsa\ Value Name: RestrictAnonymousSAM Value Type: REG_DWORD Value: 1
Fix: F-28005r476790_fix
Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "Network access: Do not allow anonymous enumeration of SAM accounts" to "Enabled".
- RMF Control
- SC-4
- Severity
- H
- CCI
- CCI-001090
- Version
- WN12-SO-000052
- Vuln IDs
-
- V-226316
- V-1093
- Rule IDs
-
- SV-226316r794544_rule
- SV-52847
Checks: C-28018r476792_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Control\Lsa\ Value Name: RestrictAnonymous Value Type: REG_DWORD Value: 1
Fix: F-28006r476793_fix
Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "Network access: Do not allow anonymous enumeration of SAM accounts and shares" to "Enabled".
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- WN12-SO-000054
- Vuln IDs
-
- V-226317
- V-3377
- Rule IDs
-
- SV-226317r794602_rule
- SV-52890
Checks: C-28019r476795_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Control\Lsa\ Value Name: EveryoneIncludesAnonymous Value Type: REG_DWORD Value: 0
Fix: F-28007r476796_fix
Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "Network access: Let everyone permissions apply to anonymous users" to "Disabled".
- RMF Control
- SC-4
- Severity
- H
- CCI
- CCI-001090
- Version
- WN12-SO-000055-DC
- Vuln IDs
-
- V-226318
- V-3338
- Rule IDs
-
- SV-226318r794545_rule
- SV-51138
Checks: C-28020r476798_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Services\LanManServer\Parameters\ Value Name: NullSessionPipes Value Type: REG_MULTI_SZ Value: netlogon, samr, lsarpc The default configuration of systems promoted to domain controllers may include a blank entry in the first line prior to "netlogon", "samr", and "lsarpc". This will appear in the registry as a blank entry when viewing the registry key summary; however the value data for "NullSessionPipes" will contain the default entries. Legitimate applications may add entries to this registry value. If an application requires these entries to function properly and is documented with the ISSO, this would not be a finding. Documentation must contain supporting information from the vendor's instructions.
Fix: F-28008r476799_fix
Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "Network access: Named pipes that can be accessed anonymously" to only include "netlogon, samr, lsarpc".
- RMF Control
- SC-4
- Severity
- H
- CCI
- CCI-001090
- Version
- WN12-SO-000056
- Vuln IDs
-
- V-226319
- V-3339
- Rule IDs
-
- SV-226319r794546_rule
- SV-52883
Checks: C-28021r476801_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths\ Value Name: Machine Value Type: REG_MULTI_SZ Value: see below System\CurrentControlSet\Control\ProductOptions System\CurrentControlSet\Control\Server Applications Software\Microsoft\Windows NT\CurrentVersion Legitimate applications may add entries to this registry value. If an application requires these entries to function properly and is documented with the ISSO, this would not be a finding. Documentation must contain supporting information from the vendor's instructions.
Fix: F-28009r476802_fix
Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "Network access: Remotely accessible registry paths" with the following entries: System\CurrentControlSet\Control\ProductOptions System\CurrentControlSet\Control\Server Applications Software\Microsoft\Windows NT\CurrentVersion
- RMF Control
- SC-4
- Severity
- H
- CCI
- CCI-001090
- Version
- WN12-SO-000057
- Vuln IDs
-
- V-226320
- V-4443
- Rule IDs
-
- SV-226320r794547_rule
- SV-52931
Checks: C-28022r476804_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths\ Value Name: Machine Value Type: REG_MULTI_SZ Value: see below Software\Microsoft\OLAP Server Software\Microsoft\Windows NT\CurrentVersion\Perflib Software\Microsoft\Windows NT\CurrentVersion\Print Software\Microsoft\Windows NT\CurrentVersion\Windows System\CurrentControlSet\Control\ContentIndex System\CurrentControlSet\Control\Print\Printers System\CurrentControlSet\Control\Terminal Server System\CurrentControlSet\Control\Terminal Server\UserConfig System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration System\CurrentControlSet\Services\Eventlog System\CurrentControlSet\Services\Sysmonlog Legitimate applications may add entries to this registry value. If an application requires these entries to function properly and is documented with the ISSO, this would not be a finding. Documentation must contain supporting information from the vendor's instructions.
Fix: F-28010r476805_fix
Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "Network access: Remotely accessible registry paths and sub-paths" with the following entries: Software\Microsoft\OLAP Server Software\Microsoft\Windows NT\CurrentVersion\Perflib Software\Microsoft\Windows NT\CurrentVersion\Print Software\Microsoft\Windows NT\CurrentVersion\Windows System\CurrentControlSet\Control\ContentIndex System\CurrentControlSet\Control\Print\Printers System\CurrentControlSet\Control\Terminal Server System\CurrentControlSet\Control\Terminal Server\UserConfig System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration System\CurrentControlSet\Services\Eventlog System\CurrentControlSet\Services\Sysmonlog
- RMF Control
- SC-4
- Severity
- H
- CCI
- CCI-001090
- Version
- WN12-SO-000058
- Vuln IDs
-
- V-226321
- V-6834
- Rule IDs
-
- SV-226321r794548_rule
- SV-52937
Checks: C-28023r476807_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Services\LanManServer\Parameters\ Value Name: RestrictNullSessAccess Value Type: REG_DWORD Value: 1
Fix: F-28011r476808_fix
Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "Network access: Restrict anonymous access to Named Pipes and Shares" to "Enabled".
- RMF Control
- SC-4
- Severity
- H
- CCI
- CCI-001090
- Version
- WN12-SO-000059
- Vuln IDs
-
- V-226322
- V-3340
- Rule IDs
-
- SV-226322r794549_rule
- SV-52884
Checks: C-28024r476810_chk
If the following registry value does not exist, this is not a finding: If the following registry value does exist and is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Services\LanManServer\Parameters\ Value Name: NullSessionShares Value Type: REG_MULTI_SZ Value: (Blank)
Fix: F-28012r476811_fix
Ensure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "Network access: Shares that can be accessed anonymously" contains no entries (blank).
- RMF Control
- SC-4
- Severity
- M
- CCI
- CCI-001090
- Version
- WN12-SO-000060
- Vuln IDs
-
- V-226323
- V-3378
- Rule IDs
-
- SV-226323r794550_rule
- SV-52891
Checks: C-28025r476813_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Control\Lsa\ Value Name: ForceGuest Value Type: REG_DWORD Value: 0
Fix: F-28013r476814_fix
Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "Network access: Sharing and security model for local accounts" to "Classic - local users authenticate as themselves".
- RMF Control
- IA-3
- Severity
- M
- CCI
- CCI-000778
- Version
- WN12-SO-000061
- Vuln IDs
-
- V-226324
- V-21951
- Rule IDs
-
- SV-226324r794537_rule
- SV-53176
Checks: C-28026r476816_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Control\LSA\ Value Name: UseMachineId Type: REG_DWORD Value: 1
Fix: F-28014r476817_fix
Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "Network security: Allow Local System to use computer identity for NTLM" to "Enabled".
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- WN12-SO-000062
- Vuln IDs
-
- V-226325
- V-21952
- Rule IDs
-
- SV-226325r794603_rule
- SV-53177
Checks: C-28027r476819_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Control\LSA\MSV1_0\ Value Name: allownullsessionfallback Type: REG_DWORD Value: 0
Fix: F-28015r476820_fix
Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "Network security: Allow LocalSystem NULL session fallback" to "Disabled".
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- WN12-SO-000063
- Vuln IDs
-
- V-226326
- V-21953
- Rule IDs
-
- SV-226326r794604_rule
- SV-53178
Checks: C-28028r476822_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Control\LSA\pku2u\ Value Name: AllowOnlineID Type: REG_DWORD Value: 0
Fix: F-28016r476823_fix
Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "Network security: Allow PKU2U authentication requests to this computer to use online identities" to "Disabled".
- RMF Control
- IA-7
- Severity
- M
- CCI
- CCI-000803
- Version
- WN12-SO-000064
- Vuln IDs
-
- V-226327
- V-21954
- Rule IDs
-
- SV-226327r794539_rule
- SV-53179
Checks: C-28029r476825_chk
If the following registry value does not exist or is not configured as specified, this is a finding. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters\ Value Name: SupportedEncryptionTypes Value Type: REG_DWORD Value: 0x7ffffff8 (2147483640) Note: Removing the previously allowed RC4_HMAC_MD5 encryption suite may have operational impacts and must be thoroughly tested for the environment before changing. This includes but is not limited to parent\child trusts where RC4 is still enabled; selecting "The other domain supports Kerberos AES Encryption" may be required on the domain trusts to allow client communication across the trust relationship.
Fix: F-28017r476826_fix
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Network security: Configure encryption types allowed for Kerberos" to "Enabled" with only the following selected: AES128_HMAC_SHA1 AES256_HMAC_SHA1 Future encryption types Note: Removing the previously allowed RC4_HMAC_MD5 encryption suite may have operational impacts and must be thoroughly tested for the environment before changing. This includes but is not limited to parent\child trusts where RC4 is still enabled; selecting "The other domain supports Kerberos AES Encryption" may be required on the domain trusts to allow client communication across the trust relationship.
- RMF Control
- IA-5
- Severity
- H
- CCI
- CCI-000196
- Version
- WN12-SO-000065
- Vuln IDs
-
- V-226328
- V-3379
- Rule IDs
-
- SV-226328r794527_rule
- SV-52892
Checks: C-28030r476828_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Control\Lsa\ Value Name: NoLMHash Value Type: REG_DWORD Value: 1
Fix: F-28018r476829_fix
Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "Network security: Do not store LAN Manager hash value on next password change" to "Enabled".
- RMF Control
- SC-10
- Severity
- M
- CCI
- CCI-001133
- Version
- WN12-SO-000066
- Vuln IDs
-
- V-226329
- V-3380
- Rule IDs
-
- SV-226329r794610_rule
- SV-52893
Checks: C-28031r476831_chk
Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options. If the value for "Network security: Force logoff when logon hours expire" is not set to "Enabled", this is a finding.
Fix: F-28019r476832_fix
Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "Network security: Force logoff when logon hours expire" to "Enabled".
- RMF Control
- CM-6
- Severity
- H
- CCI
- CCI-000366
- Version
- WN12-SO-000067
- Vuln IDs
-
- V-226330
- V-1153
- Rule IDs
-
- SV-226330r794605_rule
- SV-52865
Checks: C-28032r476834_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Control\Lsa\ Value Name: LmCompatibilityLevel Value Type: REG_DWORD Value: 5
Fix: F-28020r476835_fix
Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "Network security: LAN Manager authentication level" to "Send NTLMv2 response only. Refuse LM & NTLM".
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- WN12-SO-000068
- Vuln IDs
-
- V-226331
- V-3381
- Rule IDs
-
- SV-226331r794606_rule
- SV-52894
Checks: C-28033r476837_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Services\LDAP\ Value Name: LDAPClientIntegrity Value Type: REG_DWORD Value: 1
Fix: F-28021r476838_fix
Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "Network security: LDAP client signing requirements" to "Negotiate signing" at a minimum.
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- WN12-SO-000069
- Vuln IDs
-
- V-226332
- V-3382
- Rule IDs
-
- SV-226332r794678_rule
- SV-52895
Checks: C-28034r476840_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Control\Lsa\MSV1_0\ Value Name: NTLMMinClientSec Value Type: REG_DWORD Value: 0x20080000 (537395200)
Fix: F-28022r476841_fix
Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "Network security: Minimum session security for NTLM SSP based (including secure RPC) clients" to "Require NTLMv2 session security" and "Require 128-bit encryption" (all options selected).
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- WN12-SO-000070
- Vuln IDs
-
- V-226333
- V-3666
- Rule IDs
-
- SV-226333r794679_rule
- SV-52922
Checks: C-28035r476843_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Control\Lsa\MSV1_0\ Value Name: NTLMMinServerSec Value Type: REG_DWORD Value: 0x20080000 (537395200)
Fix: F-28023r476844_fix
Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "Network security: Minimum session security for NTLM SSP based (including secure RPC) servers" to "Require NTLMv2 session security" and "Require 128-bit encryption" (all options selected).
- RMF Control
- CM-6
- Severity
- L
- CCI
- CCI-000366
- Version
- WN12-SO-000073
- Vuln IDs
-
- V-226334
- V-1075
- Rule IDs
-
- SV-226334r794680_rule
- SV-52840
Checks: C-28036r476846_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: ShutdownWithoutLogon Value Type: REG_DWORD Value: 0
Fix: F-28024r476847_fix
Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "Shutdown: Allow system to be shutdown without having to log on" to "Disabled".
- RMF Control
- SC-13
- Severity
- M
- CCI
- CCI-002450
- Version
- WN12-SO-000074
- Vuln IDs
-
- V-226335
- V-3383
- Rule IDs
-
- SV-226335r794676_rule
- SV-52896
Checks: C-28037r476849_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy\ Value Name: Enabled Value Type: REG_DWORD Value: 1 Warning: Clients with this setting enabled will not be able to communicate via digitally encrypted or signed protocols with servers that do not support these algorithms. Both the browser and web server must be configured to use TLS, or the browser will not be able to connect to a secure site.
Fix: F-28025r476850_fix
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" to "Enabled".
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- WN12-SO-000075
- Vuln IDs
-
- V-226336
- V-3385
- Rule IDs
-
- SV-226336r794681_rule
- SV-52897
Checks: C-28038r476852_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Control\Session Manager\Kernel\ Value Name: ObCaseInsensitive Value Type: REG_DWORD Value: 1
Fix: F-28026r476853_fix
Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "System objects: Require case insensitivity for non-Windows subsystems" to "Enabled".
- RMF Control
- CM-6
- Severity
- L
- CCI
- CCI-000366
- Version
- WN12-SO-000076
- Vuln IDs
-
- V-226337
- V-1173
- Rule IDs
-
- SV-226337r794682_rule
- SV-52877
Checks: C-28039r476855_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Control\Session Manager\ Value Name: ProtectionMode Value Type: REG_DWORD Value: 1
Fix: F-28027r476856_fix
Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)" to "Enabled".
- RMF Control
- IA-11
- Severity
- M
- CCI
- CCI-002038
- Version
- WN12-SO-000077
- Vuln IDs
-
- V-226338
- V-14234
- Rule IDs
-
- SV-226338r794673_rule
- SV-52946
Checks: C-28040r476858_chk
UAC requirements are NA on Server Core installations. If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: FilterAdministratorToken Value Type: REG_DWORD Value: 1
Fix: F-28028r476859_fix
UAC requirements are NA on Server Core installations. Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "User Account Control: Admin Approval Mode for the Built-in Administrator account" to "Enabled".
- RMF Control
- SC-3
- Severity
- M
- CCI
- CCI-001084
- Version
- WN12-SO-000078
- Vuln IDs
-
- V-226339
- V-14235
- Rule IDs
-
- SV-226339r794642_rule
- SV-52947
Checks: C-28041r476861_chk
UAC requirements are NA on Server Core installations. If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: ConsentPromptBehaviorAdmin Value Type: REG_DWORD Value: 4 (Prompt for consent) 3 (Prompt for credentials) 2 (Prompt for consent on the secure desktop) 1 (Prompt for credentials on the secure desktop)
Fix: F-28029r476862_fix
UAC requirements are NA on Server Core installations. Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode" to "Prompt for consent". More secure options for this setting would also be acceptable (e.g., Prompt for credentials, Prompt for consent (or credentials) on the secure desktop).
- RMF Control
- IA-11
- Severity
- M
- CCI
- CCI-002038
- Version
- WN12-SO-000079
- Vuln IDs
-
- V-226340
- V-14236
- Rule IDs
-
- SV-226340r794674_rule
- SV-52948
Checks: C-28042r476864_chk
UAC requirements are NA on Server Core installations. If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: ConsentPromptBehaviorUser Value Type: REG_DWORD Value: 0
Fix: F-28030r476865_fix
UAC requirements are NA on Server Core installations. Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "User Account Control: Behavior of the elevation prompt for standard users" to "Automatically deny elevation requests".
- RMF Control
- SC-3
- Severity
- M
- CCI
- CCI-001084
- Version
- WN12-SO-000080
- Vuln IDs
-
- V-226341
- V-14237
- Rule IDs
-
- SV-226341r794643_rule
- SV-52949
Checks: C-28043r476867_chk
UAC requirements are NA on Server Core installations. If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: EnableInstallerDetection Value Type: REG_DWORD Value: 1
Fix: F-28031r476868_fix
UAC requirements are NA on Server Core installations. Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "User Account Control: Detect application installations and prompt for elevation" to "Enabled".
- RMF Control
- SC-3
- Severity
- M
- CCI
- CCI-001084
- Version
- WN12-SO-000081
- Vuln IDs
-
- V-226342
- V-16008
- Rule IDs
-
- SV-226342r794644_rule
- SV-53142
Checks: C-28044r476870_chk
UAC requirements are NA on Server Core installations. If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: ValidateAdminCodeSignatures Value Type: REG_DWORD Value: 0
Fix: F-28032r476871_fix
UAC requirements are NA on Server Core installations. Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "User Account Control: Only elevate executables that are signed and validated" to "Disabled".
- RMF Control
- SC-3
- Severity
- M
- CCI
- CCI-001084
- Version
- WN12-SO-000082
- Vuln IDs
-
- V-226343
- V-14239
- Rule IDs
-
- SV-226343r794645_rule
- SV-52950
Checks: C-28045r476873_chk
UAC requirements are NA on Server Core installations. If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: EnableSecureUIAPaths Value Type: REG_DWORD Value: 1
Fix: F-28033r476874_fix
UAC requirements are NA on Server Core installations. Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "User Account Control: Only elevate UIAccess applications that are installed in secure locations" to "Enabled".
- RMF Control
- IA-11
- Severity
- M
- CCI
- CCI-002038
- Version
- WN12-SO-000083
- Vuln IDs
-
- V-226344
- V-14240
- Rule IDs
-
- SV-226344r794675_rule
- SV-52951
Checks: C-28046r476876_chk
UAC requirements are NA on Server Core installations. If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: EnableLUA Value Type: REG_DWORD Value: 1
Fix: F-28034r476877_fix
UAC requirements are NA on Server Core installations. Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "User Account Control: Run all administrators in Admin Approval Mode" to "Enabled".
- RMF Control
- SC-3
- Severity
- M
- CCI
- CCI-001084
- Version
- WN12-SO-000084
- Vuln IDs
-
- V-226345
- V-14241
- Rule IDs
-
- SV-226345r794646_rule
- SV-52952
Checks: C-28047r476879_chk
UAC requirements are NA on Server Core installations. If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: PromptOnSecureDesktop Value Type: REG_DWORD Value: 1
Fix: F-28035r476880_fix
UAC requirements are NA on Server Core installations. Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "User Account Control: Switch to the secure desktop when prompting for elevation" to "Enabled".
- RMF Control
- SC-3
- Severity
- M
- CCI
- CCI-001084
- Version
- WN12-SO-000085
- Vuln IDs
-
- V-226346
- V-14242
- Rule IDs
-
- SV-226346r794647_rule
- SV-52953
Checks: C-28048r476882_chk
UAC requirements are NA on Server Core installations. If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: EnableVirtualization Value Type: REG_DWORD Value: 1
Fix: F-28036r476883_fix
UAC requirements are NA on Server Core installations. Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "User Account Control: Virtualize file and registry write failures to per-user locations" to "Enabled".
- RMF Control
- SC-3
- Severity
- M
- CCI
- CCI-001084
- Version
- WN12-SO-000086
- Vuln IDs
-
- V-226347
- V-15991
- Rule IDs
-
- SV-226347r794648_rule
- SV-52223
Checks: C-28049r476885_chk
UAC requirements are NA on Server Core installations. If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: EnableUIADesktopToggle Value Type: REG_DWORD Value: 0
Fix: F-28037r476886_fix
UAC requirements are NA on Server Core installations. Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop" to "Disabled".
- RMF Control
- CM-7
- Severity
- L
- CCI
- CCI-000381
- Version
- WN12-SO-000088
- Vuln IDs
-
- V-226348
- V-4445
- Rule IDs
-
- SV-226348r794632_rule
- SV-52219
Checks: C-28050r476888_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Control\Session Manager\Subsystems\ Value Name: Optional Value Type: REG_MULTI_SZ Value: (Blank)
Fix: F-28038r476889_fix
Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "System settings: Optional subsystems" to "Blank" (Configured with no entries).
- RMF Control
- CM-11
- Severity
- L
- CCI
- CCI-001812
- Version
- WN12-SO-000089
- Vuln IDs
-
- V-226349
- V-1151
- Rule IDs
-
- SV-226349r794671_rule
- SV-52214
Checks: C-28051r476891_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers\ Value Name: AddPrinterDrivers Value Type: REG_DWORD Value: 1
Fix: F-28039r476892_fix
Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "Devices: Prevent users from installing printer drivers" to "Enabled".
- RMF Control
- SC-8
- Severity
- M
- CCI
- CCI-002418
- Version
- WN12-SO-000090-DC
- Vuln IDs
-
- V-226350
- V-4407
- Rule IDs
-
- SV-226350r794677_rule
- SV-51140
Checks: C-28052r476894_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Services\NTDS\Parameters\ Value Name: LDAPServerIntegrity Value Type: REG_DWORD Value: 2
Fix: F-28040r476895_fix
Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "Domain controller: LDAP server signing requirements" to "Require signing".
- RMF Control
- CM-6
- Severity
- L
- CCI
- CCI-000366
- Version
- WN12-SO-000091-DC
- Vuln IDs
-
- V-226351
- V-4408
- Rule IDs
-
- SV-226351r794683_rule
- SV-51141
Checks: C-28053r476897_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Services\Netlogon\Parameters\ Value Name: RefusePasswordChange Value Type: REG_DWORD Value: 0
Fix: F-28041r476898_fix
Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "Domain controller: Refuse machine account password changes" to "Disabled".
- RMF Control
- IA-5
- Severity
- M
- CCI
- CCI-000186
- Version
- WN12-SO-000092
- Vuln IDs
-
- V-226352
- V-57639
- Rule IDs
-
- SV-226352r794622_rule
- SV-72049
Checks: C-28054r476900_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Cryptography\ Value Name: ForceKeyProtection Type: REG_DWORD Value: 2
Fix: F-28042r476901_fix
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "System cryptography: Force strong key protection for user keys stored on the computer" to "User must enter a password each time they use a key".
- RMF Control
- CM-7
- Severity
- M
- CCI
- CCI-000381
- Version
- WN12-SV-000100
- Vuln IDs
-
- V-226353
- V-26600
- Rule IDs
-
- SV-226353r794633_rule
- SV-52236
Checks: C-28055r476903_chk
Verify the Fax (fax) service is not installed or is disabled. Run "Services.msc". If the following is installed and not disabled, this is a finding: Fax (fax)
Fix: F-28043r476904_fix
Remove or disable the Fax (fax) service.
- RMF Control
- CM-7
- Severity
- M
- CCI
- CCI-000382
- Version
- WN12-SV-000101
- Vuln IDs
-
- V-226354
- V-26602
- Rule IDs
-
- SV-226354r794640_rule
- SV-52237
Checks: C-28056r476906_chk
If the server has the role of an FTP server, this is NA. Run "Services.msc". If the "Microsoft FTP Service" (Service name: FTPSVC) is installed and not disabled, this is a finding.
Fix: F-28044r476907_fix
Remove or disable the "Microsoft FTP Service" (Service name: FTPSVC). To remove the "FTP Server" role from a system: Start "Server Manager" Select the server with the "FTP Server" role. Scroll down to "ROLES AND FEATURES" in the left pane. Select "Remove Roles and Features" from the drop down "TASKS" list. Select the appropriate server on the "Server Selection" page, click "Next". De-select "FTP Server" under "Web Server (IIS). Click "Next" and "Remove" as prompted.
- RMF Control
- CM-7
- Severity
- M
- CCI
- CCI-000381
- Version
- WN12-SV-000103
- Vuln IDs
-
- V-226355
- V-26604
- Rule IDs
-
- SV-226355r794634_rule
- SV-52238
Checks: C-28057r476909_chk
Verify the Peer Network Identity Manager (p2pimsvc) service is not installed or is disabled. Run "Services.msc". If the following is installed and not disabled, this is a finding: Peer Networking Identity Manager (p2pimsvc)
Fix: F-28045r476910_fix
Remove or disable the Peer Networking Identity Manager (p2pimsvc) service.
- RMF Control
- CM-7
- Severity
- M
- CCI
- CCI-000381
- Version
- WN12-SV-000104
- Vuln IDs
-
- V-226356
- V-26605
- Rule IDs
-
- SV-226356r794635_rule
- SV-52239
Checks: C-28058r476912_chk
Verify the Simple TCP/IP (simptcp) service is not installed or is disabled. Run "Services.msc". If the following is installed and not disabled, this is a finding: Simple TCP/IP Services (simptcp)
Fix: F-28046r476913_fix
Remove or disable the Simple TCP/IP Services (simptcp) service.
- RMF Control
- CM-7
- Severity
- M
- CCI
- CCI-000382
- Version
- WN12-SV-000105
- Vuln IDs
-
- V-226357
- V-26606
- Rule IDs
-
- SV-226357r794641_rule
- SV-52240
Checks: C-28059r476915_chk
Verify the Telnet (tlntsvr) service is not installed or is disabled. Run "Services.msc". If the following is installed and not disabled, this is a finding: Telnet (tlntsvr)
Fix: F-28047r476916_fix
Remove or disable the Telnet (tlntsvr) service.
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- WN12-SV-000106
- Vuln IDs
-
- V-226358
- V-40206
- Rule IDs
-
- SV-226358r794684_rule
- SV-52165
Checks: C-28060r476918_chk
Verify the Smart Card Removal Policy service is configured to "Automatic". Run "Services.msc". If the Startup Type for Smart Card Removal Policy is not set to Automatic, this is a finding.
Fix: F-28048r476919_fix
Configure the Startup Type for the Smart Card Removal Policy service to "Automatic".
- RMF Control
- AC-11
- Severity
- M
- CCI
- CCI-000060
- Version
- WN12-UC-000001
- Vuln IDs
-
- V-226359
- V-36656
- Rule IDs
-
- SV-226359r794620_rule
- SV-51758
Checks: C-28061r476921_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_CURRENT_USER Registry Path: \Software\Policies\Microsoft\Windows\Control Panel\Desktop\ Value Name: ScreenSaveActive Type: REG_SZ Value: 1 Applications requiring continuous, real-time screen display (e.g., network management products) require the following and must be documented with the ISSO: -The logon session does not have administrator rights. -The display station (e.g., keyboard, monitor, etc.) is located in a controlled access area.
Fix: F-28049r476922_fix
Configure the policy value for User Configuration -> Administrative Templates -> Control Panel -> Personalization -> "Enable screen saver" to "Enabled".
- RMF Control
- AC-11
- Severity
- M
- CCI
- CCI-000056
- Version
- WN12-UC-000003
- Vuln IDs
-
- V-226360
- V-36657
- Rule IDs
-
- SV-226360r794619_rule
- SV-51760
Checks: C-28062r476924_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_CURRENT_USER Registry Path: \Software\Policies\Microsoft\Windows\Control Panel\Desktop\ Value Name: ScreenSaverIsSecure Type: REG_SZ Value: 1
Fix: F-28050r476925_fix
Configure the policy value for User Configuration -> Administrative Templates -> Control Panel -> Personalization -> "Password protect the screen saver" to "Enabled".
- RMF Control
- CM-7
- Severity
- L
- CCI
- CCI-000381
- Version
- WN12-UC-000005
- Vuln IDs
-
- V-226361
- V-36776
- Rule IDs
-
- SV-226361r794636_rule
- SV-51762
Checks: C-28063r476927_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_CURRENT_USER Registry Path: \SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications\ Value Name: NoCloudApplicationNotification Type: REG_DWORD Value: 1
Fix: F-28051r476928_fix
Configure the policy value for User Configuration -> Administrative Templates -> Start Menu and Taskbar -> Notifications -> "Turn off notifications network usage" to "Enabled".
- RMF Control
- CM-7
- Severity
- L
- CCI
- CCI-000381
- Version
- WN12-UC-000006
- Vuln IDs
-
- V-226362
- V-36777
- Rule IDs
-
- SV-226362r794637_rule
- SV-51763
Checks: C-28064r476930_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_CURRENT_USER Registry Path: \SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications\ Value Name: NoToastApplicationNotificationOnLockScreen Type: REG_DWORD Value: 1
Fix: F-28052r476931_fix
Configure the policy value for User Configuration -> Administrative Templates -> Start Menu and Taskbar -> Notifications -> "Turn off toast notifications on the lock screen" to "Enabled".
- RMF Control
- CM-7
- Severity
- M
- CCI
- CCI-000381
- Version
- WN12-UC-000007
- Vuln IDs
-
- V-226363
- V-16021
- Rule IDs
-
- SV-226363r794638_rule
- SV-53144
Checks: C-28065r476933_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_CURRENT_USER Registry Path: \Software\Policies\Microsoft\Assistance\Client\1.0\ Value Name: NoImplicitFeedback Type: REG_DWORD Value: 1
Fix: F-28053r476934_fix
Configure the policy value for User Configuration -> Administrative Templates -> System -> Internet Communication Management -> Internet Communication Settings -> "Turn off Help Experience Improvement Program" to "Enabled".
- RMF Control
- CM-7
- Severity
- M
- CCI
- CCI-000381
- Version
- WN12-UC-000008
- Vuln IDs
-
- V-226364
- V-16048
- Rule IDs
-
- SV-226364r794639_rule
- SV-53145
Checks: C-28066r476936_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_CURRENT_USER Registry Path: \Software\Policies\Microsoft\Assistance\Client\1.0\ Value Name: NoExplicitFeedback Type: REG_DWORD Value: 1
Fix: F-28054r476937_fix
Configure the policy value for User Configuration -> Administrative Templates -> System -> Internet Communication Management -> Internet Communication Settings -> "Turn off Help Ratings" to "Enabled".
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- WN12-UC-000009
- Vuln IDs
-
- V-226365
- V-14268
- Rule IDs
-
- SV-226365r794685_rule
- SV-53002
Checks: C-28067r476939_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_CURRENT_USER Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\Attachments\ Value Name: SaveZoneInformation Type: REG_DWORD Value: 2
Fix: F-28055r476940_fix
Configure the policy value for User Configuration -> Administrative Templates -> Windows Components -> Attachment Manager -> "Do not preserve zone information in file attachments" to "Disabled".
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- WN12-UC-000010
- Vuln IDs
-
- V-226366
- V-14269
- Rule IDs
-
- SV-226366r794686_rule
- SV-53004
Checks: C-28068r476942_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_CURRENT_USER Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\Attachments\ Value Name: HideZoneInfoOnProperties Type: REG_DWORD Value: 1
Fix: F-28056r476943_fix
Configure the policy value for User Configuration -> Administrative Templates -> Windows Components -> Attachment Manager -> "Hide mechanisms to remove zone information" to "Enabled".
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- WN12-UC-000011
- Vuln IDs
-
- V-226367
- V-14270
- Rule IDs
-
- SV-226367r794687_rule
- SV-53006
Checks: C-28069r476945_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_CURRENT_USER Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\Attachments\ Value Name: ScanWithAntiVirus Type: REG_DWORD Value: 3
Fix: F-28057r476946_fix
Configure the policy value for User Configuration -> Administrative Templates -> Windows Components -> Attachment Manager -> "Notify antivirus programs when opening attachments" to "Enabled".
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- WN12-UC-000012
- Vuln IDs
-
- V-226368
- V-15727
- Rule IDs
-
- SV-226368r794688_rule
- SV-53140
Checks: C-28070r476948_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_CURRENT_USER Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ Value Name: NoInPlaceSharing Type: REG_DWORD Value: 1
Fix: F-28058r476949_fix
Configure the policy value for User Configuration -> Administrative Templates -> Windows Components -> Network Sharing -> "Prevent users from sharing files within their profile" to "Enabled".
- RMF Control
- CM-11
- Severity
- M
- CCI
- CCI-001812
- Version
- WN12-UC-000013
- Vuln IDs
-
- V-226369
- V-3481
- Rule IDs
-
- SV-226369r794672_rule
- SV-52921
Checks: C-28071r476951_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_CURRENT_USER Registry Path: \Software\Policies\Microsoft\WindowsMediaPlayer\ Value Name: PreventCodecDownload Type: REG_DWORD Value: 1
Fix: F-28059r476952_fix
Configure the policy value for User Configuration -> Administrative Templates -> Windows Components -> Windows Media Player -> Playback -> "Prevent Codec Download" to "Enabled".
- RMF Control
- AC-6
- Severity
- M
- CCI
- CCI-002235
- Version
- WN12-UR-000001
- Vuln IDs
-
- V-226370
- V-26469
- Rule IDs
-
- SV-226370r794649_rule
- SV-53120
Checks: C-28072r476954_chk
Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If any accounts or groups are granted the "Access Credential Manager as a trusted caller" user right, this is a finding.
Fix: F-28060r476955_fix
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Access Credential Manager as a trusted caller" to be defined but containing no entries (blank).
- RMF Control
- AC-3
- Severity
- M
- CCI
- CCI-000213
- Version
- WN12-UR-000002-DC
- Vuln IDs
-
- V-226371
- V-26470
- Rule IDs
-
- SV-226371r794624_rule
- SV-51142
Checks: C-28073r476957_chk
Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment. If any accounts or groups other than the following are granted the "Access this computer from the network" right, this is a finding: Administrators Authenticated Users Enterprise Domain Controllers
Fix: F-28061r794623_fix
Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment -> "Access this computer from the network" to only include the following accounts or groups: Administrators Authenticated Users Enterprise Domain Controllers Severity Override Guidance: If an application requires this user right, this can be downgraded to not a finding if the following conditions are met: - Vendor documentation must support the requirement for having the user right. - The requirement must be documented with the ISSO. - The application account must meet requirements for application account passwords, such as length (V-36661) and required changes frequency (V-36662).
- RMF Control
- AC-6
- Severity
- H
- CCI
- CCI-002235
- Version
- WN12-UR-000003
- Vuln IDs
-
- V-226372
- V-1102
- Rule IDs
-
- SV-226372r794650_rule
- SV-52108
Checks: C-28074r476960_chk
Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If any accounts or groups (to include administrators), are granted the "Act as part of the operating system" user right, this is a finding. If an application requires this user right, this would not be a finding. Vendor documentation must support the requirement for having the user right. The requirement must be documented with the ISSO. The application account must meet requirements for application account passwords, such as length (WN12-00-000010) and required frequency of changes (WN12-00-000011).
Fix: F-28062r476961_fix
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Act as part of the operating system" to be defined but containing no entries (blank).
- RMF Control
- AC-3
- Severity
- M
- CCI
- CCI-000213
- Version
- WN12-UR-000005
- Vuln IDs
-
- V-226373
- V-26472
- Rule IDs
-
- SV-226373r794625_rule
- SV-52110
Checks: C-28075r476963_chk
Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If any accounts or groups other than the following are granted the "Allow log on locally" user right, this is a finding: Administrators If an application requires this user right, this would not be a finding. Vendor documentation must support the requirement for having the user right. The requirement must be documented with the ISSO. The application account must meet requirements for application account passwords, such as length (WN12-00-000010) and required frequency of changes (WN12-00-000011).
Fix: F-28063r476964_fix
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Allow log on locally" to only include the following accounts or groups: Administrators
- RMF Control
- AC-6
- Severity
- M
- CCI
- CCI-002235
- Version
- WN12-UR-000007
- Vuln IDs
-
- V-226374
- V-26474
- Rule IDs
-
- SV-226374r794651_rule
- SV-52111
Checks: C-28077r476968_chk
Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If any accounts or groups other than the following are granted the "Back up files and directories" user right, this is a finding: Administrators If an application requires this user right, this would not be a finding. Vendor documentation must support the requirement for having the user right. The requirement must be documented with the ISSO. The application account must meet requirements for application account passwords, such as length (WN12-00-000010) and required frequency of changes (WN12-00-000011).
Fix: F-28065r476969_fix
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Back up files and directories" to only include the following accounts or groups: Administrators
- RMF Control
- AC-6
- Severity
- M
- CCI
- CCI-002235
- Version
- WN12-UR-000011
- Vuln IDs
-
- V-226375
- V-26478
- Rule IDs
-
- SV-226375r794652_rule
- SV-53063
Checks: C-28078r476971_chk
Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If any accounts or groups other than the following are granted the "Create a pagefile" user right, this is a finding: Administrators
Fix: F-28066r476972_fix
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Create a pagefile" to only include the following accounts or groups: Administrators
- RMF Control
- AC-6
- Severity
- H
- CCI
- CCI-002235
- Version
- WN12-UR-000012
- Vuln IDs
-
- V-226376
- V-26479
- Rule IDs
-
- SV-226376r794653_rule
- SV-52113
Checks: C-28079r476974_chk
Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If any accounts or groups are granted the "Create a token object" user right, this is a finding. If an application requires this user right, this would not be a finding. Vendor documentation must support the requirement for having the user right. The requirement must be documented with the ISSO. The application account must meet requirements for application account passwords, such as length (WN12-00-000010) and required frequency of changes (WN12-00-000011).
Fix: F-28067r476975_fix
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Create a token object" to be defined but containing no entries (blank).
- RMF Control
- AC-6
- Severity
- M
- CCI
- CCI-002235
- Version
- WN12-UR-000013
- Vuln IDs
-
- V-226377
- V-26480
- Rule IDs
-
- SV-226377r794654_rule
- SV-52114
Checks: C-28080r476977_chk
Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If any accounts or groups other than the following are granted the "Create global objects" user right, this is a finding: Administrators Service Local Service Network Service If an application requires this user right, this would not be a finding. Vendor documentation must support the requirement for having the user right. The requirement must be documented with the ISSO. The application account must meet requirements for application account passwords, such as length (WN12-00-000010) and required frequency of changes (WN12-00-000011).
Fix: F-28068r476978_fix
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Create global objects" to only include the following accounts or groups: Administrators Service Local Service Network Service
- RMF Control
- AC-6
- Severity
- M
- CCI
- CCI-002235
- Version
- WN12-UR-000014
- Vuln IDs
-
- V-226378
- V-26481
- Rule IDs
-
- SV-226378r794655_rule
- SV-53059
Checks: C-28081r476980_chk
Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If any accounts or groups are granted the "Create permanent shared objects" user right, this is a finding.
Fix: F-28069r476981_fix
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Create permanent shared objects" to be defined but containing no entries (blank).
- RMF Control
- AC-6
- Severity
- M
- CCI
- CCI-002235
- Version
- WN12-UR-000015
- Vuln IDs
-
- V-226379
- V-26482
- Rule IDs
-
- SV-226379r794656_rule
- SV-53054
Checks: C-28082r476983_chk
Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If any accounts or groups other than the following are granted the "Create symbolic links" user right, this is a finding: Administrators Systems that have the Hyper-V role will also have "Virtual Machines" given this user right (this may be displayed as "NT Virtual Machine\Virtual Machines"). This is not a finding.
Fix: F-28070r476984_fix
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Create symbolic links" to only include the following accounts or groups: Administrators Systems that have the Hyper-V role will also have "Virtual Machines" given this user right. If this needs to be added manually, enter it as "NT Virtual Machine\Virtual Machines".
- RMF Control
- AC-6
- Severity
- H
- CCI
- CCI-002235
- Version
- WN12-UR-000016
- Vuln IDs
-
- V-226380
- V-18010
- Rule IDs
-
- SV-226380r794657_rule
- SV-52115
Checks: C-28083r476986_chk
Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If any accounts or groups other than the following are granted the "Debug programs" user right, this is a finding: Administrators If an application requires this user right, this would not be a finding. Vendor documentation must support the requirement for having the user right. The requirement must be documented with the ISSO. The application account must meet requirements for application account passwords, such as length (WN12-00-000010) and required frequency of changes (WN12-00-000011).
Fix: F-28071r476987_fix
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Debug programs" to only include the following accounts or groups: Administrators
- RMF Control
- AC-3
- Severity
- M
- CCI
- CCI-000213
- Version
- WN12-UR-000017-DC
- Vuln IDs
-
- V-226381
- V-1155
- Rule IDs
-
- SV-226381r794626_rule
- SV-51144
Checks: C-28084r476989_chk
Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment. If the following accounts or groups are not defined for the "Deny access to this computer from the network" user right, this is a finding: Guests Group
Fix: F-28072r476990_fix
Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment -> "Deny access to this computer from the network" to include the following: Guests Group
- RMF Control
- AC-3
- Severity
- M
- CCI
- CCI-000213
- Version
- WN12-UR-000018-DC
- Vuln IDs
-
- V-226382
- V-26483
- Rule IDs
-
- SV-226382r794627_rule
- SV-51145
Checks: C-28085r476992_chk
Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment. If the following accounts or groups are not defined for the "Deny log on as a batch job" user right, this is a finding: Guests Group
Fix: F-28073r476993_fix
Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment -> "Deny log on as a batch job" to include the following: Guests Group
- RMF Control
- AC-3
- Severity
- M
- CCI
- CCI-000213
- Version
- WN12-UR-000019-DC
- Vuln IDs
-
- V-226383
- V-26484
- Rule IDs
-
- SV-226383r794628_rule
- SV-51146
Checks: C-28086r476995_chk
Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment. If any accounts or groups are defined for the "Deny log on as a service" user right, this is a finding.
Fix: F-28074r476996_fix
Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment -> "Deny log on as a service" to include no entries (blank).
- RMF Control
- AC-3
- Severity
- M
- CCI
- CCI-000213
- Version
- WN12-UR-000020-DC
- Vuln IDs
-
- V-226384
- V-26485
- Rule IDs
-
- SV-226384r794629_rule
- SV-51147
Checks: C-28087r476998_chk
Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment. If the following accounts or groups are not defined for the "Deny log on locally" user right, this is a finding: Guests Group
Fix: F-28075r476999_fix
Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment -> "Deny log on locally" to include the following: Guests Group
- RMF Control
- AC-3
- Severity
- M
- CCI
- CCI-000213
- Version
- WN12-UR-000021-DC
- Vuln IDs
-
- V-226385
- V-26486
- Rule IDs
-
- SV-226385r794630_rule
- SV-51148
Checks: C-28088r477001_chk
Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment. If the following accounts or groups are not defined for the "Deny log on through Remote Desktop Services" user right, this is a finding: Guests Group
Fix: F-28076r477002_fix
Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment -> "Deny log on through Remote Desktop Services" to include the following: Guests Group
- RMF Control
- AC-6
- Severity
- M
- CCI
- CCI-002235
- Version
- WN12-UR-000022-DC
- Vuln IDs
-
- V-226386
- V-26487
- Rule IDs
-
- SV-226386r794658_rule
- SV-51149
Checks: C-28089r477004_chk
Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment. If any accounts or groups other than the following are granted the "Enable computer and user accounts to be trusted for delegation" user right, this is a finding: Administrators
Fix: F-28077r477005_fix
Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment -> "Enable computer and user accounts to be trusted for delegation" to only include the following accounts or groups: Administrators
- RMF Control
- AC-6
- Severity
- M
- CCI
- CCI-002235
- Version
- WN12-UR-000023
- Vuln IDs
-
- V-226387
- V-26488
- Rule IDs
-
- SV-226387r794659_rule
- SV-53050
Checks: C-28090r477007_chk
Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If any accounts or groups other than the following are granted the "Force shutdown from a remote system" user right, this is a finding: Administrators
Fix: F-28078r477008_fix
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Force shutdown from a remote system" to only include the following accounts or groups: Administrators
- RMF Control
- AC-6
- Severity
- M
- CCI
- CCI-002235
- Version
- WN12-UR-000024
- Vuln IDs
-
- V-226388
- V-26489
- Rule IDs
-
- SV-226388r794660_rule
- SV-52116
Checks: C-28091r477010_chk
Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If any accounts or groups other than the following are granted the "Generate security audits" user right, this is a finding: Local Service Network Service If an application requires this user right, this would not be a finding. Vendor documentation must support the requirement for having the user right. The requirement must be documented with the ISSO. The application account must meet requirements for application account passwords, such as length (WN12-00-000010) and required frequency of changes (WN12-00-000011).
Fix: F-28079r477011_fix
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Generate security audits" to only include the following accounts or groups: Local Service Network Service
- RMF Control
- AC-6
- Severity
- M
- CCI
- CCI-002235
- Version
- WN12-UR-000025
- Vuln IDs
-
- V-226389
- V-26490
- Rule IDs
-
- SV-226389r794661_rule
- SV-52117
Checks: C-28092r477013_chk
Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If any accounts or groups other than the following are granted the "Impersonate a client after authentication" user right, this is a finding: Administrators Service Local Service Network Service If an application requires this user right, this would not be a finding. Vendor documentation must support the requirement for having the user right. The requirement must be documented with the ISSO. The application account must meet requirements for application account passwords, such as length (WN12-00-000010) and required frequency of changes (WN12-00-000011).
Fix: F-28080r477014_fix
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Impersonate a client after authentication" to only include the following accounts or groups: Administrators Service Local Service Network Service
- RMF Control
- AC-6
- Severity
- M
- CCI
- CCI-002235
- Version
- WN12-UR-000027
- Vuln IDs
-
- V-226390
- V-26492
- Rule IDs
-
- SV-226390r794662_rule
- SV-52118
Checks: C-28093r477016_chk
Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If any accounts or groups other than the following are granted the "Increase scheduling priority" user right, this is a finding: Administrators If an application requires this user right, this would not be a finding. Vendor documentation must support the requirement for having the user right. The requirement must be documented with the ISSO. The application account must meet requirements for application account passwords, such as length (WN12-00-000010) and required frequency of changes (WN12-00-000011).
Fix: F-28081r477017_fix
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Increase scheduling priority" to only include the following accounts or groups: Administrators
- RMF Control
- AC-6
- Severity
- M
- CCI
- CCI-002235
- Version
- WN12-UR-000028
- Vuln IDs
-
- V-226391
- V-26493
- Rule IDs
-
- SV-226391r794663_rule
- SV-53043
Checks: C-28094r477019_chk
Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If any accounts or groups other than the following are granted the "Load and unload device drivers" user right, this is a finding: Administrators
Fix: F-28082r477020_fix
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Load and unload device drivers" to only include the following accounts or groups: Administrators
- RMF Control
- AC-6
- Severity
- M
- CCI
- CCI-002235
- Version
- WN12-UR-000029
- Vuln IDs
-
- V-226392
- V-26494
- Rule IDs
-
- SV-226392r794664_rule
- SV-52119
Checks: C-28095r477022_chk
Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If any accounts or groups are granted the "Lock pages in memory" user right, this is a finding. If an application requires this user right, this would not be a finding. Vendor documentation must support the requirement for having the user right. The requirement must be documented with the ISSO. The application account must meet requirements for application account passwords, such as length (WN12-00-000010) and required frequency of changes (WN12-00-000011).
Fix: F-28083r477023_fix
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Lock pages in memory" to be defined but containing no entries (blank).
- RMF Control
- AU-9
- Severity
- M
- CCI
- CCI-000162
- Version
- WN12-UR-000032
- Vuln IDs
-
- V-226393
- V-26496
- Rule IDs
-
- SV-226393r794621_rule
- SV-53039
Checks: C-28096r477025_chk
Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If any accounts or groups other than the following are granted the "Manage auditing and security log" user right, this is a finding: Administrators If the organization has an Auditors group, the assignment of this group to the user right would not be a finding. If an application requires this user right, this would not be a finding. Vendor documentation must support the requirement for having the user right. The requirement must be documented with the ISSO. The application account must meet requirements for application account passwords, such as length (WN12-00-000010) and required frequency of changes (WN12-00-000011).
Fix: F-28084r477026_fix
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Manage auditing and security log" to only include the following accounts or groups: Administrators
- RMF Control
- AC-6
- Severity
- M
- CCI
- CCI-002235
- Version
- WN12-UR-000034
- Vuln IDs
-
- V-226394
- V-26498
- Rule IDs
-
- SV-226394r794665_rule
- SV-53029
Checks: C-28097r477028_chk
Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If any accounts or groups other than the following are granted the "Modify firmware environment values" user right, this is a finding: Administrators
Fix: F-28085r477029_fix
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Modify firmware environment values" to only include the following accounts or groups: Administrators
- RMF Control
- AC-6
- Severity
- M
- CCI
- CCI-002235
- Version
- WN12-UR-000035
- Vuln IDs
-
- V-226395
- V-26499
- Rule IDs
-
- SV-226395r794666_rule
- SV-53025
Checks: C-28098r477031_chk
Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If any accounts or groups other than the following are granted the "Perform volume maintenance tasks" user right, this is a finding: Administrators
Fix: F-28086r477032_fix
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Perform volume maintenance tasks" to only include the following accounts or groups: Administrators
- RMF Control
- AC-6
- Severity
- M
- CCI
- CCI-002235
- Version
- WN12-UR-000036
- Vuln IDs
-
- V-226396
- V-26500
- Rule IDs
-
- SV-226396r794667_rule
- SV-53022
Checks: C-28099r477034_chk
Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If any accounts or groups other than the following are granted the "Profile single process" user right, this is a finding: Administrators
Fix: F-28087r477035_fix
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Profile single process" to only include the following accounts or groups: Administrators
- RMF Control
- AC-6
- Severity
- M
- CCI
- CCI-002235
- Version
- WN12-UR-000040
- Vuln IDs
-
- V-226397
- V-26504
- Rule IDs
-
- SV-226397r794668_rule
- SV-52122
Checks: C-28100r477037_chk
Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If any accounts or groups other than the following are granted the "Restore files and directories" user right, this is a finding: Administrators If an application requires this user right, this would not be a finding. Vendor documentation must support the requirement for having the user right. The requirement must be documented with the ISSO. The application account must meet requirements for application account passwords, such as length (WN12-00-000010) and required frequency of changes (WN12-00-000011).
Fix: F-28088r477038_fix
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Restore files and directories" to only include the following accounts or groups: Administrators
- RMF Control
- AC-6
- Severity
- M
- CCI
- CCI-002235
- Version
- WN12-UR-000042
- Vuln IDs
-
- V-226398
- V-26506
- Rule IDs
-
- SV-226398r794669_rule
- SV-52123
Checks: C-28101r477040_chk
Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If any accounts or groups other than the following are granted the "Take ownership of files or other objects" user right, this is a finding: Administrators If an application requires this user right, this would not be a finding. Vendor documentation must support the requirement for having the user right. The requirement must be documented with the ISSO. The application account must meet requirements for application account passwords, such as length (WN12-00-000010) and required frequency of changes (WN12-00-000011).
Fix: F-28089r477041_fix
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Take ownership of files or other objects" to only include the following accounts or groups: Administrators
- RMF Control
- AC-6
- Severity
- M
- CCI
- CCI-002235
- Version
- WN12-UR-000044-DC
- Vuln IDs
-
- V-226399
- V-30016
- Rule IDs
-
- SV-226399r794670_rule
- SV-51143
Checks: C-28102r477043_chk
Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment. If any accounts or groups other than the following are granted the "Add workstations to domain" right, this is a finding: Administrators
Fix: F-28090r477044_fix
Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment -> "Add workstations to domain" to only include the following accounts or groups: Administrators
- RMF Control
- AC-3
- Severity
- M
- CCI
- CCI-000213
- Version
- WN12-UR-000006-DC
- Vuln IDs
-
- V-226400
- V-26473
- Rule IDs
-
- SV-226400r794631_rule
- SV-53119
Checks: C-28104r477049_chk
Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If any accounts or groups other than the following are granted the "Allow log on through Remote Desktop Services" user right, this is a finding: Administrators
Fix: F-28092r477050_fix
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Allow log on through Remote Desktop Services" to only include the following accounts or groups: Administrators