Microsoft Windows Server 2019 Security Technical Implementation Guide
Pick two releases to diff their requirements.
Open a previous version of this STIG.
- RMF Control
- AC-2
- Severity
- M
- CCI
- CCI-000016
- Version
- WN19-00-000300
- Vuln IDs
-
- V-205624
- V-92975
- Rule IDs
-
- SV-205624r958364_rule
- SV-103063
Checks: C-5889r857300_chk
Review temporary user accounts for expiration dates. Determine if temporary user accounts are used and identify any that exist. If none exist, this is NA. Domain Controllers: Open "PowerShell". Enter "Search-ADAccount -AccountExpiring | FT Name, AccountExpirationDate". If "AccountExpirationDate" has not been defined within 72 hours for any temporary user account, this is a finding. Member servers and standalone or nondomain-joined systems: Open "Command Prompt". Run "Net user [username]", where [username] is the name of the temporary user account. If "Account expires" has not been defined within 72 hours for any temporary user account, this is a finding.
Fix: F-5889r354791_fix
Configure temporary user accounts to automatically expire within 72 hours. Domain accounts can be configured with an account expiration date, under "Account" properties. Local accounts can be configured to expire with the command "Net user [username] /expires:[mm/dd/yyyy]", where username is the name of the temporary user account. Delete any temporary user accounts that are no longer necessary.
- RMF Control
- AC-2
- Severity
- M
- CCI
- CCI-000018
- Version
- WN19-AU-000100
- Vuln IDs
-
- V-205625
- V-92979
- Rule IDs
-
- SV-205625r958368_rule
- SV-103067
Checks: C-5890r354793_chk
Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. Use the "AuditPol" tool to review the current Audit Policy configuration: Open "PowerShell" or a "Command Prompt" with elevated privileges ("Run as administrator"). Enter "AuditPol /get /category:*" Compare the "AuditPol" settings with the following: If the system does not audit the following, this is a finding. Account Management >> Security Group Management - Success
Fix: F-5890r354794_fix
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Account Management >> "Audit Security Group Management" with "Success" selected.
- RMF Control
- AC-2
- Severity
- M
- CCI
- CCI-000018
- Version
- WN19-AU-000110
- Vuln IDs
-
- V-205626
- V-92981
- Rule IDs
-
- SV-205626r958368_rule
- SV-103069
Checks: C-5891r354796_chk
Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. Use the "AuditPol" tool to review the current Audit Policy configuration: Open "PowerShell" or a "Command Prompt" with elevated privileges ("Run as administrator"). Enter "AuditPol /get /category:*" Compare the "AuditPol" settings with the following: If the system does not audit the following, this is a finding. Account Management >> User Account Management - Success
Fix: F-5891r354797_fix
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Account Management >> "Audit User Account Management" with "Success" selected.
- RMF Control
- AC-2
- Severity
- M
- CCI
- CCI-000018
- Version
- WN19-AU-000120
- Vuln IDs
-
- V-205627
- V-92983
- Rule IDs
-
- SV-205627r958368_rule
- SV-103071
Checks: C-5892r354799_chk
Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. Use the "AuditPol" tool to review the current Audit Policy configuration: Open "PowerShell" or a "Command Prompt" with elevated privileges ("Run as administrator"). Enter "AuditPol /get /category:*" Compare the "AuditPol" settings with the following: If the system does not audit the following, this is a finding. Account Management >> User Account Management - Failure
Fix: F-5892r354800_fix
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Account Management >> "Audit User Account Management" with "Failure" selected.
- RMF Control
- AC-2
- Severity
- M
- CCI
- CCI-000018
- Version
- WN19-DC-000230
- Vuln IDs
-
- V-205628
- V-92985
- Rule IDs
-
- SV-205628r958368_rule
- SV-103073
Checks: C-5893r354802_chk
This applies to domain controllers. It is NA for other systems. Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. Use the "AuditPol" tool to review the current Audit Policy configuration: Open "PowerShell" or a "Command Prompt" with elevated privileges ("Run as administrator"). Enter "AuditPol /get /category:*" Compare the "AuditPol" settings with the following: If the system does not audit the following, this is a finding. Account Management >> Computer Account Management - Success
Fix: F-5893r354803_fix
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Account Management >> "Audit Computer Account Management" with "Success" selected.
- RMF Control
- AC-7
- Severity
- M
- CCI
- CCI-000044
- Version
- WN19-AC-000020
- Vuln IDs
-
- V-205629
- V-93141
- Rule IDs
-
- SV-205629r958388_rule
- SV-103229
Checks: C-5894r354805_chk
Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Account Lockout Policy. If the "Account lockout threshold" is "0" or more than "3" attempts, this is a finding. For server core installations, run the following command: Secedit /Export /Areas SecurityPolicy /CFG C:\Path\FileName.Txt If "LockoutBadCount" equals "0" or is greater than "3" in the file, this is a finding.
Fix: F-5894r354806_fix
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Account Lockout Policy >> "Account lockout threshold" to "3" or fewer invalid logon attempts (excluding "0", which is unacceptable).
- RMF Control
- AC-7
- Severity
- M
- CCI
- CCI-000044
- Version
- WN19-AC-000030
- Vuln IDs
-
- V-205630
- V-93143
- Rule IDs
-
- SV-205630r958388_rule
- SV-103231
Checks: C-5895r354808_chk
Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Account Lockout Policy. If the "Reset account lockout counter after" value is less than "15" minutes, this is a finding. For server core installations, run the following command: Secedit /Export /Areas SecurityPolicy /CFG C:\Path\FileName.Txt If "ResetLockoutCount" is less than "15" in the file, this is a finding.
Fix: F-5895r354809_fix
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Account Lockout Policy >> "Reset account lockout counter after" to at least "15" minutes.
- RMF Control
- AC-8
- Severity
- M
- CCI
- CCI-000048
- Version
- WN19-SO-000130
- Vuln IDs
-
- V-205631
- V-93147
- Rule IDs
-
- SV-205631r958390_rule
- SV-103235
Checks: C-5896r354811_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: LegalNoticeText Value Type: REG_SZ Value: See message text below You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.
Fix: F-5896r354812_fix
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Interactive Logon: Message text for users attempting to log on" to the following: You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.
- RMF Control
- AC-8
- Severity
- L
- CCI
- CCI-000048
- Version
- WN19-SO-000140
- Vuln IDs
-
- V-205632
- V-93149
- Rule IDs
-
- SV-205632r958390_rule
- SV-103237
Checks: C-5897r890531_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: LegalNoticeCaption Value Type: REG_SZ Value: Refer to message title options below "DoD Notice and Consent Banner", "US Department of Defense Warning Statement", or an organization-defined equivalent. If an organization-defined title is used, it can in no case contravene or modify the language of the banner text required in WN19-SO-000130. Automated tools may only search for the titles defined above. If an organization-defined title is used, a manual review will be required.
Fix: F-5897r890532_fix
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Interactive Logon: Message title for users attempting to log on" to "DoD Notice and Consent Banner", "US Department of Defense Warning Statement", or an organization-defined equivalent. If an organization-defined title is used, it can in no case contravene or modify the language of the message text required in WN19-SO-000130.
- RMF Control
- AC-11
- Severity
- M
- CCI
- CCI-000056
- Version
- WN19-SO-000120
- Vuln IDs
-
- V-205633
- V-92961
- Rule IDs
-
- SV-205633r958400_rule
- SV-103049
Checks: C-5898r354817_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: InactivityTimeoutSecs Value Type: REG_DWORD Value: 0x00000384 (900) (or less, excluding "0" which is effectively disabled)
Fix: F-5898r354818_fix
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Interactive logon: Machine inactivity limit" to "900" seconds or less, excluding "0" which is effectively disabled.
- RMF Control
- AC-17
- Severity
- M
- CCI
- CCI-000067
- Version
- WN19-AU-000190
- Vuln IDs
-
- V-205634
- V-92967
- Rule IDs
-
- SV-205634r958406_rule
- SV-103055
Checks: C-5899r354820_chk
Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. Use the "AuditPol" tool to review the current Audit Policy configuration: Open "PowerShell" or a "Command Prompt" with elevated privileges ("Run as administrator"). Enter "AuditPol /get /category:*" Compare the "AuditPol" settings with the following: If the system does not audit the following, this is a finding. Logon/Logoff >> Logon - Success
Fix: F-5899r354821_fix
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Logon/Logoff >> "Audit Logon" with "Success" selected.
- RMF Control
- AC-17
- Severity
- M
- CCI
- CCI-000067
- Version
- WN19-AU-000200
- Vuln IDs
-
- V-205635
- V-92969
- Rule IDs
-
- SV-205635r958406_rule
- SV-103057
Checks: C-5900r354823_chk
Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. Use the "AuditPol" tool to review the current Audit Policy configuration: Open "PowerShell" or a "Command Prompt" with elevated privileges ("Run as administrator"). Enter "AuditPol /get /category:*" Compare the "AuditPol" settings with the following: If the system does not audit the following, this is a finding. Logon/Logoff >> Logon - Failure
Fix: F-5900r354824_fix
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Logon/Logoff >> "Audit Logon" with "Failure" selected.
- RMF Control
- AC-17
- Severity
- M
- CCI
- CCI-000068
- Version
- WN19-CC-000370
- Vuln IDs
-
- V-205636
- V-92971
- Rule IDs
-
- SV-205636r958408_rule
- SV-103059
Checks: C-5901r354826_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\ Value Name: fEncryptRPCTraffic Type: REG_DWORD Value: 0x00000001 (1)
Fix: F-5901r354827_fix
Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Remote Desktop Services >> Remote Desktop Session Host >> Security >> "Require secure RPC communication" to "Enabled".
- RMF Control
- AC-17
- Severity
- M
- CCI
- CCI-000068
- Version
- WN19-CC-000380
- Vuln IDs
-
- V-205637
- V-92973
- Rule IDs
-
- SV-205637r958408_rule
- SV-103061
Checks: C-5902r354829_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\ Value Name: MinEncryptionLevel Type: REG_DWORD Value: 0x00000003 (3)
Fix: F-5902r354830_fix
Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Remote Desktop Services >> Remote Desktop Session Host >> Security >> "Set client connection encryption level" to "Enabled" with "High Level" selected.
- RMF Control
- AU-3
- Severity
- M
- CCI
- CCI-000135
- Version
- WN19-CC-000090
- Vuln IDs
-
- V-205638
- V-93173
- Rule IDs
-
- SV-205638r958422_rule
- SV-103261
Checks: C-5903r354832_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit\ Value Name: ProcessCreationIncludeCmdLine_Enabled Value Type: REG_DWORD Value: 0x00000001 (1)
Fix: F-5903r354833_fix
Configure the policy value for Computer Configuration >> Administrative Templates >> System >> Audit Process Creation >> "Include command line in process creation events" to "Enabled".
- RMF Control
- AU-3
- Severity
- M
- CCI
- CCI-000135
- Version
- WN19-CC-000460
- Vuln IDs
-
- V-205639
- V-93175
- Rule IDs
-
- SV-205639r958422_rule
- SV-103263
Checks: C-5904r472878_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging\ Value Name: EnableScriptBlockLogging Value Type: REG_DWORD Value: 0x00000001 (1)
Fix: F-5904r354836_fix
Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Windows PowerShell >> "Turn on PowerShell Script Block Logging" to "Enabled".
- RMF Control
- AU-9
- Severity
- M
- CCI
- CCI-000162
- Version
- WN19-AU-000030
- Vuln IDs
-
- V-205640
- V-93189
- Rule IDs
-
- SV-205640r958434_rule
- SV-103277
Checks: C-5905r354838_chk
Navigate to the Application event log file. The default location is the "%SystemRoot%\System32\winevt\Logs" folder. However, the logs may have been moved to another folder. If the permissions for the "Application.evtx" file are not as restrictive as the default permissions listed below, this is a finding: Eventlog - Full Control SYSTEM - Full Control Administrators - Full Control
Fix: F-5905r354839_fix
Configure the permissions on the Application event log file (Application.evtx) to prevent access by non-privileged accounts. The default permissions listed below satisfy this requirement: Eventlog - Full Control SYSTEM - Full Control Administrators - Full Control The default location is the "%SystemRoot%\System32\winevt\Logs" folder. If the location of the logs has been changed, when adding Eventlog to the permissions, it must be entered as "NT Service\Eventlog".
- RMF Control
- AU-9
- Severity
- M
- CCI
- CCI-000162
- Version
- WN19-AU-000040
- Vuln IDs
-
- V-205641
- V-93191
- Rule IDs
-
- SV-205641r958434_rule
- SV-103279
Checks: C-5906r354841_chk
Navigate to the Security event log file. The default location is the "%SystemRoot%\System32\winevt\Logs" folder. However, the logs may have been moved to another folder. If the permissions for the "Security.evtx" file are not as restrictive as the default permissions listed below, this is a finding: Eventlog - Full Control SYSTEM - Full Control Administrators - Full Control
Fix: F-5906r354842_fix
Configure the permissions on the Security event log file (Security.evtx) to prevent access by non-privileged accounts. The default permissions listed below satisfy this requirement: Eventlog - Full Control SYSTEM - Full Control Administrators - Full Control The default location is the "%SystemRoot%\System32\winevt\Logs" folder. If the location of the logs has been changed, when adding Eventlog to the permissions, it must be entered as "NT Service\Eventlog".
- RMF Control
- AU-9
- Severity
- M
- CCI
- CCI-000162
- Version
- WN19-AU-000050
- Vuln IDs
-
- V-205642
- V-93193
- Rule IDs
-
- SV-205642r958434_rule
- SV-103281
Checks: C-5907r354844_chk
Navigate to the System event log file. The default location is the "%SystemRoot%\System32\winevt\Logs" folder. However, the logs may have been moved to another folder. If the permissions for the "System.evtx" file are not as restrictive as the default permissions listed below, this is a finding: Eventlog - Full Control SYSTEM - Full Control Administrators - Full Control
Fix: F-5907r354845_fix
Configure the permissions on the System event log file (System.evtx) to prevent access by non-privileged accounts. The default permissions listed below satisfy this requirement: Eventlog - Full Control SYSTEM - Full Control Administrators - Full Control The default location is the "%SystemRoot%\System32\winevt\Logs" folder. If the location of the logs has been changed, when adding Eventlog to the permissions, it must be entered as "NT Service\Eventlog".
- RMF Control
- AU-9
- Severity
- M
- CCI
- CCI-000162
- Version
- WN19-UR-000170
- Vuln IDs
-
- V-205643
- V-93197
- Rule IDs
-
- SV-205643r958434_rule
- SV-103285
Checks: C-5908r354847_chk
Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If any accounts or groups other than the following are granted the "Manage auditing and security log" user right, this is a finding. - Administrators For server core installations, run the following command: Secedit /Export /Areas User_Rights /cfg c:\path\filename.txt Review the text file. If any SIDs other than the following are granted the "SeSecurityPrivilege" user right, this is a finding: S-1-5-32-544 (Administrators) If the organization has an Auditors group, the assignment of this group to the user right would not be a finding. If an application requires this user right, this would not be a finding. Vendor documentation must support the requirement for having the user right. The requirement must be documented with the ISSO. The application account must meet requirements for application account passwords, such as length (WN19-00-000050) and required frequency of changes (WN19-00-000060).
Fix: F-5908r354848_fix
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Manage auditing and security log" to include only the following accounts or groups: - Administrators
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000169
- Version
- WN19-SO-000050
- Vuln IDs
-
- V-205644
- V-93151
- Rule IDs
-
- SV-205644r958442_rule
- SV-103239
Checks: C-5909r354850_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Control\Lsa\ Value Name: SCENoApplyLegacyAuditPolicy Value Type: REG_DWORD Value: 0x00000001 (1)
Fix: F-5909r354851_fix
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" to "Enabled".
- RMF Control
- IA-5
- Severity
- M
- CCI
- CCI-000185
- Version
- WN19-DC-000280
- Vuln IDs
-
- V-205645
- V-93481
- Rule IDs
-
- SV-205645r958448_rule
- SV-103567
Checks: C-5910r354853_chk
This applies to domain controllers. It is NA for other systems. Run "MMC". Select "Add/Remove Snap-in" from the "File" menu. Select "Certificates" in the left pane and click the "Add >" button. Select "Computer Account" and click "Next". Select the appropriate option for "Select the computer you want this snap-in to manage" and click "Finish". Click "OK". Select and expand the Certificates (Local Computer) entry in the left pane. Select and expand the Personal entry in the left pane. Select the Certificates entry in the left pane. If no certificate for the domain controller exists in the right pane, this is a finding.
Fix: F-5910r354854_fix
Obtain a server certificate for the domain controller.
- RMF Control
- IA-5
- Severity
- H
- CCI
- CCI-000185
- Version
- WN19-DC-000290
- Vuln IDs
-
- V-205646
- V-93483
- Rule IDs
-
- SV-205646r1153437_rule
- SV-103569
Checks: C-5911r1153435_chk
This applies to domain controllers. It is NA for other systems. Run "MMC". Select "Add/Remove Snap-in" from the "File" menu. Select "Certificates" in the left pane, and then click "Add >". Select "Computer Account", and then click "Next". Select the appropriate option for "Select the computer you want this snap-in to manage", and then click "Finish". Click "OK". Select and expand the "Certificates (Local Computer)" entry in the left pane. Select and expand the "Personal" entry in the left pane. Select the "Certificates" entry in the left pane. In the right pane, examine the "Issued By" field for the certificate to determine the issuing CA. If the "Issued By" field of the PKI certificate being used by the domain controller does not indicate the issuing CA is part of the DOD PKI or an approved ECA, this is a finding. If the certificates in use are issued by a CA authorized by the Component's CIO, this is a CAT II finding. There are multiple sources from which lists of valid DOD CAs and approved ECAs can be obtained: The Global Directory Service (GDS) website provides an online source. The address for this site is https://crl.gds.disa.mil. DOD Public Key Enablement (PKE) Engineering Support maintains the InstallRoot utility to manage DOD supported root certificates on Windows computers, which includes a list of authorized CAs. The utility package can be downloaded from the PKI and PKE Tools page on Cyber Exchange: https://www.cyber.mil/pki-pke/tools-configuration-files.
Fix: F-5911r1153436_fix
Obtain a server certificate for the domain controller issued by the DOD PKI or an approved ECA.
- RMF Control
- IA-5
- Severity
- H
- CCI
- CCI-000185
- Version
- WN19-DC-000300
- Vuln IDs
-
- V-205647
- V-93485
- Rule IDs
-
- SV-205647r958448_rule
- SV-103571
Checks: C-5912r354859_chk
This applies to domain controllers. It is NA for other systems. Review user account mappings to PKI certificates. Open "Windows PowerShell". Enter "Get-ADUser -Filter * | FT Name, UserPrincipalName, Enabled". Exclude disabled accounts (e.g., DefaultAccount, Guest) and the krbtgt account. If the User Principal Name (UPN) is not in the format of an individual's identifier for the certificate type and for the appropriate domain suffix, this is a finding. For standard NIPRNet certificates, the individual's identifier is in the format of an Electronic Data Interchange - Personnel Identifier (EDI-PI). Alt Tokens and other certificates may use a different UPN format than the EDI-PI which vary by organization. Verified these with the organization. NIPRNet Example: Name - User Principal Name User1 - 1234567890@mil See PKE documentation for other network domain suffixes. If the mappings are to certificates issued by a CA authorized by the Component's CIO, this is a CAT II finding.
Fix: F-5912r354860_fix
Map user accounts to PKI certificates using the appropriate User Principal Name (UPN) for the network. See PKE documentation for details.
- RMF Control
- IA-5
- Severity
- M
- CCI
- CCI-000185
- Version
- WN19-PK-000010
- Vuln IDs
-
- V-205648
- V-93487
- Rule IDs
-
- SV-205648r958448_rule
- SV-103573
Checks: C-5913r921946_chk
Certificates and thumbprints referenced below apply to unclassified systems; refer to PKE documentation for other networks. Open "Windows PowerShell" as an administrator. Execute the following command: Get-ChildItem -Path Cert:Localmachine\root | Where Subject -Like "*DoD*" | FL Subject, Thumbprint, NotAfter If the following certificate "Subject" and "Thumbprint" information is not displayed, this is a finding. Subject: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=US Thumbprint: D73CA91102A2204A36459ED32213B467D7CE97FB NotAfter: 12/30/2029 Subject: CN=DoD Root CA 4, OU=PKI, OU=DoD, O=U.S. Government, C=US Thumbprint: B8269F25DBD937ECAFD4C35A9838571723F2D026 NotAfter: 7/25/2032 Subject: CN=DoD Root CA 5, OU=PKI, OU=DoD, O=U.S. Government, C=US Thumbprint: 4ECB5CC3095670454DA1CBD410FC921F46B8564B NotAfter: 6/14/2041 Subject: CN=DoD Root CA 6, OU=PKI, OU=DoD, O=U.S. Government, C=US Thumbprint: D37ECF61C0B4ED88681EF3630C4E2FC787B37AEF NotAfter: 1/24/2053 11:36:17 AM Alternately, use the Certificates MMC snap-in: Run "MMC". Select "File", "Add/Remove Snap-in". Select "Certificates" and click "Add". Select "Computer account" and click "Next". Select "Local computer: (the computer this console is running on)" and click "Finish". Click "OK". Expand "Certificates" and navigate to "Trusted Root Certification Authorities >> Certificates". Expand "Certificates" and navigate to "Trusted Root Certification Authorities >> Certificates". For each of the DoD Root CA certificates noted below: Right-click on the certificate and select "Open". Select the "Details" tab. Scroll to the bottom and select "Thumbprint". If the DoD Root CA certificates below are not listed or the value for the "Thumbprint" field is not as noted, this is a finding. DoD Root CA 3 Thumbprint: D73CA91102A2204A36459ED32213B467D7CE97FB Valid to: Sunday, December 30, 2029 DoD Root CA 4 Thumbprint: B8269F25DBD937ECAFD4C35A9838571723F2D026 Valid to: Sunday, July 25, 2032 DoD Root CA 5 Thumbprint: 4ECB5CC3095670454DA1CBD410FC921F46B8564B Valid to: Friday, June 14, 2041 DoD Root CA 6 Thumbprint: D37ECF61C0B4ED88681EF3630C4E2FC787B37AEFB Valid to: Friday, January 24, 2053
Fix: F-5913r921947_fix
Install the DoD Root CA certificates: DoD Root CA 3 DoD Root CA 4 DoD Root CA 5 DoD Root CA 6 The InstallRoot tool is available on Cyber Exchange at https://cyber.mil/pki-pke/tools-configuration-files. Certificate bundles published by the PKI can be found at https://crl.gds.disa.mil/.
- RMF Control
- IA-5
- Severity
- M
- CCI
- CCI-000185
- Version
- WN19-PK-000020
- Vuln IDs
-
- V-205649
- V-93489
- Rule IDs
-
- SV-205649r958448_rule
- SV-103575
Checks: C-5914r894615_chk
This is applicable to unclassified systems. It is NA for others. Open "PowerShell" as an administrator. Execute the following command: Get-ChildItem -Path Cert:Localmachine\disallowed | Where {$_.Issuer -Like "*DoD Interoperability*" -and $_.Subject -Like "*DoD*"} | FL Subject, Issuer, Thumbprint, NotAfter If the following certificate "Subject", "Issuer", and "Thumbprint" information is not displayed, this is a finding. Subject: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=US Issuer: CN=DoD Interoperability Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US Thumbprint: 49CBE933151872E17C8EAE7F0ABA97FB610F6477 NotAfter: 11/16/2024 9:57:16 AM Alternately, use the Certificates MMC snap-in: Run "MMC". Select "File", "Add/Remove Snap-in". Select "Certificates" and click "Add". Select "Computer account" and click "Next". Select "Local computer: (the computer this console is running on)" and click "Finish". Click "OK". Expand "Certificates" and navigate to Untrusted Certificates >> Certificates. For each certificate with "DoD Root CA..." under "Issued To" and "DoD Interoperability Root CA..." under "Issued By": Right-click on the certificate and select "Open". Select the "Details" tab. Scroll to the bottom and select "Thumbprint". If the certificate below is not listed or the value for the "Thumbprint" field is not as noted, this is a finding. Issued to: DoD Root CA 3 Issued By: DoD Interoperability Root CA 2 Thumbprint: 49CBE933151872E17C8EAE7F0ABA97FB610F6477 Valid to: 11/16/2024 9:57:16 AM
Fix: F-5914r894340_fix
Install the DoD Interoperability Root CA cross-certificates on unclassified systems. Issued To - Issued By - Thumbprint DoD Root CA 3 - DoD Interoperability Root CA 2 - 49CBE933151872E17C8EAE7F0ABA97FB610F6477 Administrators should run the Federal Bridge Certification Authority (FBCA) Cross-Certificate Removal Tool once as an administrator and once as the current user. The FBCA Cross-Certificate Remover Tool and User Guide are available on Cyber Exchange at https://cyber.mil/pki-pke/tools-configuration-files.
- RMF Control
- IA-5
- Severity
- M
- CCI
- CCI-000185
- Version
- WN19-PK-000030
- Vuln IDs
-
- V-205650
- V-93491
- Rule IDs
-
- SV-205650r1107646_rule
- SV-103577
Checks: C-5915r1016377_chk
This is applicable to unclassified systems. It is NA for others. Open "PowerShell" as an administrator. Execute the following command: Get-ChildItem -Path Cert:Localmachine\disallowed | Where Issuer -Like "*CCEB Interoperability*" | FL Subject, Issuer, Thumbprint, NotAfter If the following certificate "Subject", "Issuer", and "Thumbprint" information is not displayed, this is a finding. Subject: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=US Issuer: CN=US DoD CCEB Interoperability Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US Thumbprint: 9B74964506C7ED9138070D08D5F8B969866560C8 NotAfter: 7/18/2025 9:56:22 AM Subject: CN=DoD Root CA 6, OU=PKI, OU=DoD, O=U.S. Government, C=US Issuer: CN=US DoD CCEB Interoperability Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US Thumbprint: D471CA32F7A692CE6CBB6196BD3377FE4DBCD106 NotAfter: 7/18/2026 12:15:05 PM Alternately, use the Certificates MMC snap-in: Run "MMC". Select "File", "Add/Remove Snap-in". Select "Certificates" and click "Add". Select "Computer account" and click "Next". Select "Local computer: (the computer this console is running on)" and click "Finish". Click "OK". Expand "Certificates" and navigate to Untrusted Certificates >> Certificates. For each certificate with "US DoD CCEB Interoperability Root CA ..." under "Issued By": Right-click on the certificate and select "Open". Select the "Details" tab. Scroll to the bottom and select "Thumbprint". If the certificate below is not listed or the value for the "Thumbprint" field is not as noted, this is a finding. Subject: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=US Issuer: CN=US DoD CCEB Interoperability Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US Thumbprint: 9B74964506C7ED9138070D08D5F8B969866560C8 NotAfter: 7/18/2025 9:56:22 AM Subject: CN=DoD Root CA 6, OU=PKI, OU=DoD, O=U.S. Government, C=US Issuer: CN=US DoD CCEB Interoperability Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US Thumbprint: D471CA32F7A692CE6CBB6196BD3377FE4DBCD106 NotAfter: 7/18/2026 12:15:05 PM
Fix: F-5915r1107645_fix
Install the US DoD CCEB Interoperability Root CA cross-certificate on unclassified systems. Issued To - Issued By - Thumbprint DoD Root CA 3 - US DoD CCEB Interoperability Root CA 2 - 9B74964506C7ED9138070D08D5F8B969866560C8 DoD Root CA 6 - US DOD CCEB Interoperability Root CA 2 -D471CA32F7A692CE6CBB6196BD3377FE4DBCD106 Administrators should run the Federal Bridge Certification Authority (FBCA) Cross-Certificate Removal Tool once as an administrator and once as the current user. The FBCA Cross-Certificate Remover Tool and User Guide are available on Cyber Exchange at https://dl.cyber.mil/pki-pke/msi/InstallRoot_5.6x32.msi. Certificate bundles published by the PKI can be found at https://crl.gds.disa.mil/.
- RMF Control
- IA-5
- Severity
- M
- CCI
- CCI-000186
- Version
- WN19-SO-000350
- Vuln IDs
-
- V-205651
- V-93493
- Rule IDs
-
- SV-205651r958450_rule
- SV-103579
Checks: C-5916r354871_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Cryptography\ Value Name: ForceKeyProtection Type: REG_DWORD Value: 0x00000002 (2)
Fix: F-5916r354872_fix
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "System cryptography: Force strong key protection for user keys stored on the computer" to "User must enter a password each time they use a key".
- RMF Control
- Severity
- M
- CCI
- CCI-004066
- Version
- WN19-AC-000080
- Vuln IDs
-
- V-205652
- V-93459
- Rule IDs
-
- SV-205652r1051061_rule
- SV-103545
Checks: C-5917r354874_chk
Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Password Policy. If the value for "Password must meet complexity requirements" is not set to "Enabled", this is a finding. For server core installations, run the following command: Secedit /Export /Areas SecurityPolicy /CFG C:\Path\FileName.Txt If "PasswordComplexity" equals "0" in the file, this is a finding. Note: If an external password filter is in use that enforces all four character types and requires this setting to be set to "Disabled", this would not be considered a finding. If this setting does not affect the use of an external password filter, it must be enabled for fallback purposes.
Fix: F-5917r354875_fix
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Password Policy >> "Password must meet complexity requirements" to "Enabled".
- RMF Control
- Severity
- H
- CCI
- CCI-004062
- Version
- WN19-AC-000090
- Vuln IDs
-
- V-205653
- V-93465
- Rule IDs
-
- SV-205653r1051062_rule
- SV-103551
Checks: C-5918r354877_chk
Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Password Policy. If the value for "Store passwords using reversible encryption" is not set to "Disabled", this is a finding. For server core installations, run the following command: Secedit /Export /Areas SecurityPolicy /CFG C:\Path\FileName.Txt If "ClearTextPassword" equals "1" in the file, this is a finding.
Fix: F-5918r354878_fix
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Password Policy >> "Store passwords using reversible encryption" to "Disabled".
- RMF Control
- Severity
- H
- CCI
- CCI-004062
- Version
- WN19-SO-000300
- Vuln IDs
-
- V-205654
- V-93467
- Rule IDs
-
- SV-205654r1051063_rule
- SV-103553
Checks: C-5919r354880_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Control\Lsa\ Value Name: NoLMHash Value Type: REG_DWORD Value: 0x00000001 (1)
Fix: F-5919r354881_fix
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Network security: Do not store LAN Manager hash value on next password change" to "Enabled".
- RMF Control
- IA-5
- Severity
- M
- CCI
- CCI-000197
- Version
- WN19-SO-000180
- Vuln IDs
-
- V-205655
- V-93469
- Rule IDs
-
- SV-205655r987796_rule
- SV-103555
Checks: C-5920r354883_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters\ Value Name: EnablePlainTextPassword Value Type: REG_DWORD Value: 0x00000000 (0)
Fix: F-5920r354884_fix
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Microsoft Network Client: Send unencrypted password to third-party SMB servers" to "Disabled".
- RMF Control
- Severity
- M
- CCI
- CCI-004066
- Version
- WN19-AC-000060
- Vuln IDs
-
- V-205656
- V-93471
- Rule IDs
-
- SV-205656r1051064_rule
- SV-103557
Checks: C-5921r354886_chk
Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Password Policy. If the value for the "Minimum password age" is set to "0" days ("Password can be changed immediately"), this is a finding. For server core installations, run the following command: Secedit /Export /Areas SecurityPolicy /CFG C:\Path\FileName.Txt If "MinimumPasswordAge" equals "0" in the file, this is a finding.
Fix: F-5921r354887_fix
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Password Policy >> "Minimum password age" to at least "1" day.
- RMF Control
- Severity
- M
- CCI
- CCI-004066
- Version
- WN19-00-000020
- Vuln IDs
-
- V-205657
- V-93473
- Rule IDs
-
- SV-205657r1153431_rule
- SV-103559
Checks: C-5922r1153429_chk
If there are no enabled local Administrator accounts, this is Not Applicable. Review the password last set date for the enabled local Administrator account. On the stand alone or domain-joined server: Open "PowerShell". Enter "Get-LocalUser | Where-Object {$_.SID -like "*500"} | ForEach-Object ($_.PasswordLastSet){"$($_.Name) password is: $([int]((Get-Date) - $_.PasswordLastSet).TotalDays) days old"}". If the "PasswordLastSet" date is greater than "60" days old for the local Administrator account for administering the computer, this is a finding. Verify LAPS is configured and operational. If the system is a stand alone member server, the LAPS portion of this requirement is Not Applicable. Navigate to Local Computer Policy >> Computer Configuration >> Administrative Templates >> System >> LAPS >> Password Settings >> Set to enabled. Password Complexity, large letters + small letters + numbers + special, Password Length 14, Password Age 60. If not configured as shown, this is a finding. Verify LAPS Operational logs >> Event Viewer >> Applications and Services Logs >> Microsoft >> Windows >> LAPS >> Operational. Verify LAPS policy process is completing. If it is not, this is a finding.
Fix: F-5922r1153430_fix
Change the enabled local Administrator account password at least every 60 days. For domain-joined systems, Windows LAPS must be used to change the built-in Administrator account password. More information is available at: https://techcommunity.microsoft.com/t5/windows-it-pro-blog/by-popular-demand-windows-laps-available-now/ba-p/3788747 https://learn.microsoft.com/en-us/windows-server/identity/laps/laps-overview#windows-laps-supported-platforms-and-azure-ad-laps-preview-status
- RMF Control
- Severity
- M
- CCI
- CCI-004066
- Version
- WN19-00-000210
- Vuln IDs
-
- V-205658
- V-93475
- Rule IDs
-
- SV-205658r1051066_rule
- SV-103561
Checks: C-5923r857295_chk
Review the password never expires status for enabled user accounts. Open "PowerShell". Domain Controllers: Enter "Search-ADAccount -PasswordNeverExpires -UsersOnly | FT Name, PasswordNeverExpires, Enabled". Exclude application accounts, disabled accounts (e.g., DefaultAccount, Guest) and the krbtgt account. If any enabled user accounts are returned with a "PasswordNeverExpires" status of "True", this is a finding. Member servers and standalone or nondomain-joined systems: Enter 'Get-CimInstance -Class Win32_Useraccount -Filter "PasswordExpires=False and LocalAccount=True" | FT Name, PasswordExpires, Disabled, LocalAccount'. Exclude application accounts and disabled accounts (e.g., DefaultAccount, Guest). If any enabled user accounts are returned with a "PasswordExpires" status of "False", this is a finding.
Fix: F-5923r857296_fix
Configure all enabled user account passwords to expire. Uncheck "Password never expires" for all enabled user accounts in Active Directory Users and Computers for domain accounts and Users in Computer Management for member servers and standalone or nondomain-joined systems. Document any exceptions with the ISSO.
- RMF Control
- Severity
- M
- CCI
- CCI-004066
- Version
- WN19-AC-000050
- Vuln IDs
-
- V-205659
- V-93477
- Rule IDs
-
- SV-205659r1051067_rule
- SV-103563
Checks: C-5924r354895_chk
Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Password Policy. If the value for the "Maximum password age" is greater than "60" days, this is a finding. If the value is set to "0" (never expires), this is a finding. For server core installations, run the following command: Secedit /Export /Areas SecurityPolicy /CFG C:\Path\FileName.Txt If "MaximumPasswordAge" is greater than "60" or equal to "0" in the file, this is a finding.
Fix: F-5924r354896_fix
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Password Policy >> "Maximum password age" to "60" days or less (excluding "0", which is unacceptable).
- RMF Control
- Severity
- M
- CCI
- CCI-004061
- Version
- WN19-AC-000040
- Vuln IDs
-
- V-205660
- V-93479
- Rule IDs
-
- SV-205660r1000129_rule
- SV-103565
Checks: C-5925r354898_chk
Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Password Policy. If the value for "Enforce password history" is less than "24" passwords remembered, this is a finding. For server core installations, run the following command: Secedit /Export /Areas SecurityPolicy /CFG C:\Path\FileName.Txt If "PasswordHistorySize" is less than "24" in the file, this is a finding.
Fix: F-5925r354899_fix
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Password Policy >> "Enforce password history" to "24" passwords remembered.
- RMF Control
- Severity
- M
- CCI
- CCI-004066
- Version
- WN19-00-000050
- Vuln IDs
-
- V-205661
- V-93461
- Rule IDs
-
- SV-205661r1051068_rule
- SV-103547
Checks: C-5926r951108_chk
Determine if manually managed application/service accounts exist. If none exist, this is NA. Verify the organization has a policy to ensure passwords for manually managed application/service accounts are at least 14 characters in length. If such a policy does not exist or has not been implemented, this is a finding.
Fix: F-5926r951109_fix
Establish a policy that requires application/service account passwords that are manually managed to be at least 14 characters in length. Ensure the policy is enforced.
- RMF Control
- Severity
- M
- CCI
- CCI-004066
- Version
- WN19-AC-000070
- Vuln IDs
-
- V-205662
- V-93463
- Rule IDs
-
- SV-205662r1051069_rule
- SV-103549
Checks: C-5927r354904_chk
Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Password Policy. If the value for the "Minimum password length," is less than "14" characters, this is a finding. For server core installations, run the following command: Secedit /Export /Areas SecurityPolicy /CFG C:\Path\FileName.Txt If "MinimumPasswordLength" is less than "14" in the file, this is a finding.
Fix: F-5927r354905_fix
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Password Policy >> "Minimum password length" to "14" characters.
- RMF Control
- AC-3
- Severity
- H
- CCI
- CCI-000213
- Version
- WN19-00-000130
- Vuln IDs
-
- V-205663
- V-92991
- Rule IDs
-
- SV-205663r1137691_rule
- SV-103079
Checks: C-5928r1106629_chk
Open "Computer Management". Select "Disk Management" under "Storage". For each local volume, if the file system does not indicate "NTFS", this is a finding. Resilient file system (ReFS) and Cluster Shared Volumes (CSV) are also acceptable and are not findings. This does not apply to system partitions such the Recovery and EFI System Partition.
Fix: F-5928r1106515_fix
Format volumes to use NTFS, ReFS, or CSV.
- RMF Control
- AC-3
- Severity
- L
- CCI
- CCI-000213
- Version
- WN19-00-000180
- Vuln IDs
-
- V-205664
- V-92993
- Rule IDs
-
- SV-205664r1137691_rule
- SV-103081
Checks: C-5929r354910_chk
Open "Printers & scanners" in "Settings". If there are no printers configured, this is NA. (Exclude Microsoft Print to PDF and Microsoft XPS Document Writer, which do not support sharing.) For each printer: Select the printer and "Manage". Select "Printer Properties". Select the "Sharing" tab. If "Share this printer" is checked, select the "Security" tab. If any standard user accounts or groups have permissions other than "Print", this is a finding. The default is for the "Everyone" group to be given "Print" permission. "All APPLICATION PACKAGES" and "CREATOR OWNER" are not standard user accounts.
Fix: F-5929r354911_fix
Configure the permissions on shared printers to restrict standard users to only have Print permissions.
- RMF Control
- AC-3
- Severity
- M
- CCI
- CCI-000213
- Version
- WN19-DC-000340
- Vuln IDs
-
- V-205665
- V-92995
- Rule IDs
-
- SV-205665r1137691_rule
- SV-103083
Checks: C-5930r354913_chk
This applies to domain controllers. It is NA for other systems. Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If any accounts or groups other than the following are granted the "Access this computer from the network" right, this is a finding. - Administrators - Authenticated Users - Enterprise Domain Controllers For server core installations, run the following command: Secedit /Export /Areas User_Rights /cfg c:\path\filename.txt Review the text file. If any SIDs other than the following are granted the "SeNetworkLogonRight" user right, this is a finding. S-1-5-32-544 (Administrators) S-1-5-11 (Authenticated Users) S-1-5-9 (Enterprise Domain Controllers) If an application requires this user right, this would not be a finding. Vendor documentation must support the requirement for having the user right. The requirement must be documented with the ISSO. The application account must meet requirements for application account passwords, such as length (WN19-00-000050) and required frequency of changes (WN19-00-000060).
Fix: F-5930r354914_fix
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Access this computer from the network" to include only the following accounts or groups: - Administrators - Authenticated Users - Enterprise Domain Controllers
- RMF Control
- AC-3
- Severity
- M
- CCI
- CCI-000213
- Version
- WN19-DC-000360
- Vuln IDs
-
- V-205666
- V-92997
- Rule IDs
-
- SV-205666r1137691_rule
- SV-103085
Checks: C-5931r354916_chk
This applies to domain controllers, it is NA for other systems. Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If any accounts or groups other than the following are granted the "Allow log on through Remote Desktop Services" user right, this is a finding. - Administrators For server core installations, run the following command: Secedit /Export /Areas User_Rights /cfg c:\path\filename.txt Review the text file. If any SIDs other than the following are granted the "SeRemoteInteractiveLogonRight" user right, this is a finding. S-1-5-32-544 (Administrators)
Fix: F-5931r354917_fix
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Allow log on through Remote Desktop Services" to include only the following accounts or groups: - Administrators
- RMF Control
- AC-3
- Severity
- M
- CCI
- CCI-000213
- Version
- WN19-DC-000370
- Vuln IDs
-
- V-205667
- V-92999
- Rule IDs
-
- SV-205667r1137691_rule
- SV-103087
Checks: C-5932r354919_chk
This applies to domain controllers. A separate version applies to other systems. Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If the following accounts or groups are not defined for the "Deny access to this computer from the network" user right, this is a finding: - Guests Group For server core installations, run the following command: Secedit /Export /Areas User_Rights /cfg c:\path\filename.txt Review the text file. If the following SIDs are not defined for the "SeDenyNetworkLogonRight" user right, this is a finding. S-1-5-32-546 (Guests)
Fix: F-5932r354920_fix
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Deny access to this computer from the network" to include the following: - Guests Group
- RMF Control
- AC-3
- Severity
- M
- CCI
- CCI-000213
- Version
- WN19-DC-000380
- Vuln IDs
-
- V-205668
- V-93001
- Rule IDs
-
- SV-205668r1137691_rule
- SV-103089
Checks: C-5933r354922_chk
This applies to domain controllers. A separate version applies to other systems. Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If the following accounts or groups are not defined for the "Deny log on as a batch job" user right, this is a finding: - Guests Group For server core installations, run the following command: Secedit /Export /Areas User_Rights /cfg c:\path\filename.txt Review the text file. If the following SID(s) are not defined for the "SeDenyBatchLogonRight" user right, this is a finding: S-1-5-32-546 (Guests)
Fix: F-5933r354923_fix
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Deny log on as a batch job" to include the following: - Guests Group
- RMF Control
- AC-3
- Severity
- M
- CCI
- CCI-000213
- Version
- WN19-DC-000390
- Vuln IDs
-
- V-205669
- V-93003
- Rule IDs
-
- SV-205669r1137691_rule
- SV-103091
Checks: C-5934r354925_chk
This applies to domain controllers. A separate version applies to other systems. Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If any accounts or groups are defined for the "Deny log on as a service" user right, this is a finding. For server core installations, run the following command: Secedit /Export /Areas User_Rights /cfg c:\path\filename.txt Review the text file. If any SIDs are granted the "SeDenyServiceLogonRight" user right, this is a finding.
Fix: F-5934r354926_fix
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Deny log on as a service" to include no entries (blank).
- RMF Control
- AC-3
- Severity
- M
- CCI
- CCI-000213
- Version
- WN19-DC-000400
- Vuln IDs
-
- V-205670
- V-93005
- Rule IDs
-
- SV-205670r1137691_rule
- SV-103093
Checks: C-5935r354928_chk
This applies to domain controllers. A separate version applies to other systems. Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If the following accounts or groups are not defined for the "Deny log on locally" user right, this is a finding: - Guests Group For server core installations, run the following command: Secedit /Export /Areas User_Rights /cfg c:\path\filename.txt Review the text file. If the following SID(s) are not defined for the "SeDenyInteractiveLogonRight" user right, this is a finding: S-1-5-32-546 (Guests)
Fix: F-5935r354929_fix
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Deny log on locally" to include the following: - Guests Group
- RMF Control
- AC-3
- Severity
- M
- CCI
- CCI-000213
- Version
- WN19-MS-000070
- Vuln IDs
-
- V-205671
- V-93007
- Rule IDs
-
- SV-205671r1137691_rule
- SV-103095
Checks: C-5936r857330_chk
This applies to member servers and standalone or nondomain-joined systems. A separate version applies to domain controllers. Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If any accounts or groups other than the following are granted the "Access this computer from the network" user right, this is a finding: - Administrators - Authenticated Users For server core installations, run the following command: Secedit /Export /Areas User_Rights /cfg c:\path\filename.txt Review the text file. If any SIDs other than the following are granted the "SeNetworkLogonRight" user right, this is a finding: S-1-5-32-544 (Administrators) S-1-5-11 (Authenticated Users) If an application requires this user right, this would not be a finding. Vendor documentation must support the requirement for having the user right. The requirement must be documented with the ISSO. The application account must meet requirements for application account passwords, such as length (WN19-00-000050) and required frequency of changes (WN19-00-000060).
Fix: F-5936r354932_fix
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Access this computer from the network" to include only the following accounts or groups: - Administrators - Authenticated Users
- RMF Control
- AC-3
- Severity
- M
- CCI
- CCI-000213
- Version
- WN19-MS-000080
- Vuln IDs
-
- V-205672
- V-93009
- Rule IDs
-
- SV-205672r1137691_rule
- SV-103097
Checks: C-5937r857332_chk
This applies to member servers and standalone or nondomain-joined systems. A separate version applies to domain controllers. Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If the following accounts or groups are not defined for the "Deny access to this computer from the network" user right, this is a finding: Domain Systems Only: - Enterprise Admins group - Domain Admins group - "Local account and member of Administrators group" or "Local account" (see Note below) All Systems: - Guests group For server core installations, run the following command: Secedit /Export /Areas User_Rights /cfg c:\path\filename.txt Review the text file. If the following SIDs are not defined for the "SeDenyNetworkLogonRight" user right, this is a finding. Domain Systems Only: S-1-5-root domain-519 (Enterprise Admins) S-1-5-domain-512 (Domain Admins) S-1-5-114 ("Local account and member of Administrators group") or S-1-5-113 ("Local account") All Systems: S-1-5-32-546 (Guests) Note: These are built-in security groups. "Local account" is more restrictive but may cause issues on servers such as systems that provide failover clustering.
Fix: F-5937r354935_fix
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Deny access to this computer from the network" to include the following: Domain Systems Only: - Enterprise Admins group - Domain Admins group - "Local account and member of Administrators group" or "Local account" (see Note below) All Systems: - Guests group Note: These are built-in security groups. "Local account" is more restrictive but may cause issues on servers such as systems that provide failover clustering.
- RMF Control
- AC-3
- Severity
- M
- CCI
- CCI-000213
- Version
- WN19-MS-000090
- Vuln IDs
-
- V-205673
- V-93011
- Rule IDs
-
- SV-205673r1137691_rule
- SV-103099
Checks: C-5938r857334_chk
This applies to member servers and standalone or nondomain-joined systems. A separate version applies to domain controllers. Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If the following accounts or groups are not defined for the "Deny log on as a batch job" user right, this is a finding: Domain Systems Only: - Enterprise Admins Group - Domain Admins Group All Systems: - Guests Group For server core installations, run the following command: Secedit /Export /Areas User_Rights /cfg c:\path\filename.txt Review the text file. If the following SIDs are not defined for the "SeDenyBatchLogonRight" user right, this is a finding. Domain Systems Only: S-1-5-root domain-519 (Enterprise Admins) S-1-5-domain-512 (Domain Admins) All Systems: S-1-5-32-546 (Guests)
Fix: F-5938r354938_fix
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Deny log on as a batch job" to include the following: Domain Systems Only: - Enterprise Admins Group - Domain Admins Group All Systems: - Guests Group
- RMF Control
- AC-3
- Severity
- M
- CCI
- CCI-000213
- Version
- WN19-MS-000100
- Vuln IDs
-
- V-205674
- V-93013
- Rule IDs
-
- SV-205674r1137691_rule
- SV-103101
Checks: C-5939r891848_chk
This applies to member servers only. A separate version applies to domain controllers. Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If the following accounts or groups are not defined for the "Deny log on as a service" user right on domain-joined systems, this is a finding: - Enterprise Admins Group - Domain Admins Group If any accounts or groups are defined for the "Deny log on as a service" user right on nondomain-joined systems, this is a finding. For server core installations, run the following command: Secedit /Export /Areas User_Rights /cfg c:\path\filename.txt Review the text file. If the following SIDs are not defined for the "SeDenyServiceLogonRight" user right on domain-joined systems, this is a finding: S-1-5-root domain-519 (Enterprise Admins) S-1-5-domain-512 (Domain Admins) If any SIDs are defined for the user right, this is a finding.
Fix: F-5939r354941_fix
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Deny log on as a service" to include the following: Domain systems: - Enterprise Admins Group - Domain Admins Group
- RMF Control
- AC-3
- Severity
- M
- CCI
- CCI-000213
- Version
- WN19-MS-000110
- Vuln IDs
-
- V-205675
- V-93015
- Rule IDs
-
- SV-205675r1137691_rule
- SV-103103
Checks: C-5940r857336_chk
This applies to member servers and standalone or nondomain-joined systems. A separate version applies to domain controllers. Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If the following accounts or groups are not defined for the "Deny log on locally" user right, this is a finding: Domain Systems Only: - Enterprise Admins Group - Domain Admins Group All Systems: - Guests Group For server core installations, run the following command: Secedit /Export /Areas User_Rights /cfg c:\path\filename.txt Review the text file. If the following SIDs are not defined for the "SeDenyInteractiveLogonRight" user right, this is a finding: Domain Systems Only: S-1-5-root domain-519 (Enterprise Admins) S-1-5-domain-512 (Domain Admins) All Systems: S-1-5-32-546 (Guests)
Fix: F-5940r354944_fix
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Deny log on locally" to include the following: Domain Systems Only: - Enterprise Admins Group - Domain Admins Group All Systems: - Guests Group
- RMF Control
- AC-3
- Severity
- M
- CCI
- CCI-000213
- Version
- WN19-UR-000030
- Vuln IDs
-
- V-205676
- V-93017
- Rule IDs
-
- SV-205676r1137691_rule
- SV-103105
Checks: C-5941r354946_chk
Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If any accounts or groups other than the following are granted the "Allow log on locally" user right, this is a finding: - Administrators For server core installations, run the following command: Secedit /Export /Areas User_Rights /cfg c:\path\filename.txt Review the text file. If any SIDs other than the following are granted the "SeInteractiveLogonRight" user right, this is a finding: S-1-5-32-544 (Administrators) If an application requires this user right, this would not be a finding. Vendor documentation must support the requirement for having the user right. The requirement must be documented with the ISSO. The application account must meet requirements for application account passwords, such as length (WN19-00-000050) and required frequency of changes (WN19-00-000060).
Fix: F-5941r354947_fix
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Allow log on locally" to include only the following accounts or groups: - Administrators
- RMF Control
- CM-7
- Severity
- M
- CCI
- CCI-000381
- Version
- WN19-00-000270
- Vuln IDs
-
- V-205677
- V-93381
- Rule IDs
-
- SV-205677r1186380_rule
- SV-103467
Checks: C-5942r1186379_chk
Required roles and features will vary based on the function of the individual system. Roles and features specifically required to be disabled per the STIG are identified in separate requirements. If the organization has not documented the roles and features required for the system(s), this is a finding. The PowerShell command "Get-WindowsFeature | Where-Object {$_. installstate -eq "Installed"} | Format-List Displayname, Name, Featuretype" will list all roles and features with an "Installed" state.
Fix: F-5942r354950_fix
Document the roles and features required for the system to operate. Uninstall any that are not required.
- RMF Control
- CM-7
- Severity
- M
- CCI
- CCI-000381
- Version
- WN19-00-000320
- Vuln IDs
-
- V-205678
- V-93383
- Rule IDs
-
- SV-205678r958478_rule
- SV-103469
Checks: C-5943r354952_chk
Open "PowerShell". Enter "Get-WindowsFeature | Where Name -eq Fax". If "Installed State" is "Installed", this is a finding. An Installed State of "Available" or "Removed" is not a finding.
Fix: F-5943r354953_fix
Uninstall the "Fax Server" role. Start "Server Manager". Select the server with the role. Scroll down to "ROLES AND FEATURES" in the right pane. Select "Remove Roles and Features" from the drop-down "TASKS" list. Select the appropriate server on the "Server Selection" page and click "Next". Deselect "Fax Server" on the "Roles" page. Click "Next" and "Remove" as prompted.
- RMF Control
- CM-7
- Severity
- M
- CCI
- CCI-000381
- Version
- WN19-00-000340
- Vuln IDs
-
- V-205679
- V-93385
- Rule IDs
-
- SV-205679r958478_rule
- SV-103471
Checks: C-5944r354955_chk
Open "PowerShell". Enter "Get-WindowsFeature | Where Name -eq PNRP". If "Installed State" is "Installed", this is a finding. An Installed State of "Available" or "Removed" is not a finding.
Fix: F-5944r354956_fix
Uninstall the "Peer Name Resolution Protocol" feature. Start "Server Manager". Select the server with the feature. Scroll down to "ROLES AND FEATURES" in the right pane. Select "Remove Roles and Features" from the drop-down "TASKS" list. Select the appropriate server on the "Server Selection" page and click "Next". Deselect "Peer Name Resolution Protocol" on the "Features" page. Click "Next" and "Remove" as prompted.
- RMF Control
- CM-7
- Severity
- M
- CCI
- CCI-000381
- Version
- WN19-00-000350
- Vuln IDs
-
- V-205680
- V-93387
- Rule IDs
-
- SV-205680r958478_rule
- SV-103473
Checks: C-5945r354958_chk
Open "PowerShell". Enter "Get-WindowsFeature | Where Name -eq Simple-TCPIP". If "Installed State" is "Installed", this is a finding. An Installed State of "Available" or "Removed" is not a finding.
Fix: F-5945r354959_fix
Uninstall the "Simple TCP/IP Services" feature. Start "Server Manager". Select the server with the feature. Scroll down to "ROLES AND FEATURES" in the right pane. Select "Remove Roles and Features" from the drop-down "TASKS" list. Select the appropriate server on the "Server Selection" page and click "Next". Deselect "Simple TCP/IP Services" on the "Features" page. Click "Next" and "Remove" as prompted.
- RMF Control
- CM-7
- Severity
- M
- CCI
- CCI-000381
- Version
- WN19-00-000370
- Vuln IDs
-
- V-205681
- V-93389
- Rule IDs
-
- SV-205681r958478_rule
- SV-103475
Checks: C-5946r354961_chk
Open "PowerShell". Enter "Get-WindowsFeature | Where Name -eq TFTP-Client". If "Installed State" is "Installed", this is a finding. An Installed State of "Available" or "Removed" is not a finding.
Fix: F-5946r354962_fix
Uninstall the "TFTP Client" feature. Start "Server Manager". Select the server with the feature. Scroll down to "ROLES AND FEATURES" in the right pane. Select "Remove Roles and Features" from the drop-down "TASKS" list. Select the appropriate server on the "Server Selection" page and click "Next". Deselect "TFTP Client" on the "Features" page. Click "Next" and "Remove" as prompted.
- RMF Control
- CM-7
- Severity
- M
- CCI
- CCI-000381
- Version
- WN19-00-000380
- Vuln IDs
-
- V-205682
- V-93391
- Rule IDs
-
- SV-205682r958478_rule
- SV-103477
Checks: C-5947r819710_chk
Different methods are available to disable SMBv1 on Windows Server 2019. This is the preferred method; however, if WN19-00-000390 and WN19-00-000400 are configured, this is NA. Open "Windows PowerShell" with elevated privileges (run as administrator). Enter "Get-WindowsFeature -Name FS-SMB1". If "Installed State" is "Installed", this is a finding. An Installed State of "Available" or "Removed" is not a finding.
Fix: F-5947r354965_fix
Uninstall the SMBv1 protocol. Open "Windows PowerShell" with elevated privileges (run as administrator). Enter "Uninstall-WindowsFeature -Name FS-SMB1 -Restart". (Omit the Restart parameter if an immediate restart of the system cannot be done.) Alternately: Start "Server Manager". Select the server with the feature. Scroll down to "ROLES AND FEATURES" in the right pane. Select "Remove Roles and Features" from the drop-down "TASKS" list. Select the appropriate server on the "Server Selection" page and click "Next". Deselect "SMB 1.0/CIFS File Sharing Support" on the "Features" page. Click "Next" and "Remove" as prompted.
- RMF Control
- CM-7
- Severity
- M
- CCI
- CCI-000381
- Version
- WN19-00-000390
- Vuln IDs
-
- V-205683
- V-93393
- Rule IDs
-
- SV-205683r958478_rule
- SV-103479
Checks: C-5948r354967_chk
Different methods are available to disable SMBv1 on Windows Server 2019, if WN19-00-000380 is configured, this is NA. If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\ Value Name: SMB1 Type: REG_DWORD Value: 0x00000000 (0)
Fix: F-5948r354968_fix
Configure the policy value for Computer Configuration >> Administrative Templates >> MS Security Guide >> "Configure SMBv1 Server" to "Disabled". The system must be restarted for the change to take effect. This policy setting requires the installation of the SecGuide custom templates included with the STIG package. "SecGuide.admx" and "SecGuide.adml" must be copied to the \Windows\PolicyDefinitions and \Windows\PolicyDefinitions\en-US directories respectively.
- RMF Control
- CM-7
- Severity
- M
- CCI
- CCI-000381
- Version
- WN19-00-000400
- Vuln IDs
-
- V-205684
- V-93395
- Rule IDs
-
- SV-205684r958478_rule
- SV-103481
Checks: C-5949r354970_chk
Different methods are available to disable SMBv1 on Windows Server 2019, if WN19-00-000380 is configured, this is NA. If the following registry value is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Services\mrxsmb10\ Value Name: Start Type: REG_DWORD Value: 0x00000004 (4)
Fix: F-5949r354971_fix
Configure the policy value for Computer Configuration >> Administrative Templates >> MS Security Guide >> "Configure SMBv1 client driver" to "Enabled" with "Disable driver (recommended)" selected for "Configure MrxSmb10 driver". The system must be restarted for the changes to take effect. This policy setting requires the installation of the SecGuide custom templates included with the STIG package. "SecGuide.admx" and "SecGuide.adml" must be copied to the \Windows\PolicyDefinitions and \Windows\PolicyDefinitions\en-US directories respectively.
- RMF Control
- CM-7
- Severity
- M
- CCI
- CCI-000381
- Version
- WN19-00-000410
- Vuln IDs
-
- V-205685
- V-93397
- Rule IDs
-
- SV-205685r958478_rule
- SV-103483
Checks: C-5950r354973_chk
Open "PowerShell". Enter "Get-WindowsFeature | Where Name -eq PowerShell-v2". If "Installed State" is "Installed", this is a finding. An Installed State of "Available" or "Removed" is not a finding.
Fix: F-5950r354974_fix
Uninstall the "Windows PowerShell 2.0 Engine". Start "Server Manager". Select the server with the feature. Scroll down to "ROLES AND FEATURES" in the right pane. Select "Remove Roles and Features" from the drop-down "TASKS" list. Select the appropriate server on the "Server Selection" page and click "Next". Deselect "Windows PowerShell 2.0 Engine" under "Windows PowerShell" on the "Features" page. Click "Next" and "Remove" as prompted.
- RMF Control
- CM-7
- Severity
- M
- CCI
- CCI-000381
- Version
- WN19-CC-000010
- Vuln IDs
-
- V-205686
- V-93399
- Rule IDs
-
- SV-205686r958478_rule
- SV-103485
Checks: C-5951r354976_chk
Verify the registry value below. If it does not exist or is not configured as specified, this is a finding. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows\Personalization\ Value Name: NoLockScreenSlideshow Value Type: REG_DWORD Value: 0x00000001 (1)
Fix: F-5951r354977_fix
Configure the policy value for Computer Configuration >> Administrative Templates >> Control Panel >> Personalization >> "Prevent enabling lock screen slide show" to "Enabled".
- RMF Control
- CM-7
- Severity
- M
- CCI
- CCI-000381
- Version
- WN19-CC-000020
- Vuln IDs
-
- V-205687
- V-93401
- Rule IDs
-
- SV-205687r958478_rule
- SV-103487
Checks: C-5952r354979_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Control\SecurityProviders\Wdigest\ Value Name: UseLogonCredential Type: REG_DWORD Value: 0x00000000 (0)
Fix: F-5952r354980_fix
Configure the policy value for Computer Configuration >> Administrative Templates >> MS Security Guide >> "WDigest Authentication (disabling may require KB2871997)" to "Disabled". This policy setting requires the installation of the SecGuide custom templates included with the STIG package. "SecGuide.admx" and " SecGuide.adml" must be copied to the \Windows\PolicyDefinitions and \Windows\PolicyDefinitions\en-US directories respectively.
- RMF Control
- CM-7
- Severity
- M
- CCI
- CCI-000381
- Version
- WN19-CC-000150
- Vuln IDs
-
- V-205688
- V-93403
- Rule IDs
-
- SV-205688r958478_rule
- SV-103489
Checks: C-5953r354982_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows NT\Printers\ Value Name: DisableWebPnPDownload Type: REG_DWORD Value: 0x00000001 (1)
Fix: F-5953r354983_fix
Configure the policy value for Computer Configuration >> Administrative Templates >> System >> Internet Communication Management >> Internet Communication settings >> "Turn off downloading of print drivers over HTTP" to "Enabled".
- RMF Control
- CM-7
- Severity
- M
- CCI
- CCI-000381
- Version
- WN19-CC-000160
- Vuln IDs
-
- V-205689
- V-93405
- Rule IDs
-
- SV-205689r958478_rule
- SV-103491
Checks: C-5954r354985_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows NT\Printers\ Value Name: DisableHTTPPrinting Type: REG_DWORD Value: 0x00000001 (1)
Fix: F-5954r354986_fix
Configure the policy value for Computer Configuration >> Administrative Templates >> System >> Internet Communication Management >> Internet Communication settings >> "Turn off printing over HTTP" to "Enabled".
- RMF Control
- CM-7
- Severity
- M
- CCI
- CCI-000381
- Version
- WN19-CC-000170
- Vuln IDs
-
- V-205690
- V-93407
- Rule IDs
-
- SV-205690r958478_rule
- SV-103493
Checks: C-5955r354988_chk
Verify the registry value below. If it does not exist or is not configured as specified, this is a finding. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows\System\ Value Name: DontDisplayNetworkSelectionUI Value Type: REG_DWORD Value: 0x00000001 (1)
Fix: F-5955r354989_fix
Configure the policy value for Computer Configuration >> Administrative Templates >> System >> Logon >> "Do not display network selection UI" to "Enabled".
- RMF Control
- CM-7
- Severity
- L
- CCI
- CCI-000381
- Version
- WN19-CC-000200
- Vuln IDs
-
- V-205691
- V-93409
- Rule IDs
-
- SV-205691r958478_rule
- SV-103495
Checks: C-5956r354991_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows\AppCompat\ Value Name: DisableInventory Type: REG_DWORD Value: 0x00000001 (1)
Fix: F-5956r354992_fix
Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Application Compatibility >> "Turn off Inventory Collector" to "Enabled".
- RMF Control
- CM-7
- Severity
- M
- CCI
- CCI-000381
- Version
- WN19-CC-000300
- Vuln IDs
-
- V-205692
- V-93411
- Rule IDs
-
- SV-205692r958478_rule
- SV-103497
Checks: C-5957r354994_chk
This is applicable to unclassified systems; for other systems, this is NA. If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows\System\ Value Name: EnableSmartScreen Value Type: REG_DWORD Value: 0x00000001 (1)
Fix: F-5957r354995_fix
Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> File Explorer >> "Configure Windows Defender SmartScreen" to "Enabled" with either option "Warn" or "Warn and prevent bypass" selected. Windows 2019 includes duplicate policies for this setting. It can also be configured under Computer Configuration >> Administrative Templates >> Windows Components >> Windows Defender SmartScreen >> Explorer.
- RMF Control
- CM-7
- Severity
- M
- CCI
- CCI-000381
- Version
- WN19-CC-000400
- Vuln IDs
-
- V-205693
- V-93413
- Rule IDs
-
- SV-205693r958478_rule
- SV-103499
Checks: C-5958r354997_chk
The default behavior is for the Windows RSS platform to not use Basic authentication over HTTP connections. If the registry value name below does not exist, this is not a finding. If it exists and is configured with a value of "0", this is not a finding. If it exists and is configured with a value of "1", this is a finding. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds\ Value Name: AllowBasicAuthInClear Value Type: REG_DWORD Value: 0x00000000 (0) (or if the Value Name does not exist)
Fix: F-5958r354998_fix
The default behavior is for the Windows RSS platform to not use Basic authentication over HTTP connections. If this needs to be corrected, configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> RSS Feeds >> "Turn on Basic feed authentication over HTTP" to "Not Configured" or "Disabled".
- RMF Control
- CM-7
- Severity
- M
- CCI
- CCI-000381
- Version
- WN19-CC-000410
- Vuln IDs
-
- V-205694
- V-93415
- Rule IDs
-
- SV-205694r958478_rule
- SV-103501
Checks: C-5959r355000_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows\Windows Search\ Value Name: AllowIndexingEncryptedStoresOrItems Value Type: REG_DWORD Value: 0x00000000 (0)
Fix: F-5959r355001_fix
Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Search >> "Allow indexing of encrypted files" to "Disabled".
- RMF Control
- CM-7
- Severity
- M
- CCI
- CCI-000381
- Version
- WN19-DC-000130
- Vuln IDs
-
- V-205695
- V-93417
- Rule IDs
-
- SV-205695r958478_rule
- SV-103503
Checks: C-5960r355003_chk
This applies to domain controllers, it is NA for other systems. Review the installed roles the domain controller is supporting. Start "Server Manager". Select "AD DS" in the left pane and the server name under "Servers" to the right. Select "Add (or Remove) Roles and Features" from "Tasks" in the "Roles and Features" section. (Cancel before any changes are made.) Determine if any additional server roles are installed. A basic domain controller setup will include the following: - Active Directory Domain Services - DNS Server - File and Storage Services If any roles not requiring installation on a domain controller are installed, this is a finding. A Domain Name System (DNS) server integrated with the directory server (e.g., AD-integrated DNS) is an acceptable application. However, the DNS server must comply with the DNS STIG security requirements. Run "Programs and Features". Review installed applications. If any applications are installed that are not required for the domain controller, this is a finding.
Fix: F-5960r355004_fix
Remove additional roles or applications such as web, database, and email from the domain controller.
- RMF Control
- CM-7
- Severity
- M
- CCI
- CCI-000381
- Version
- WN19-MS-000030
- Vuln IDs
-
- V-205696
- V-93419
- Rule IDs
-
- SV-205696r958478_rule
- SV-103505
Checks: C-5961r857321_chk
This applies to member servers. For domain controllers and standalone or nondomain-joined systems, this is NA. If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows\System\ Value Name: EnumerateLocalUsers Type: REG_DWORD Value: 0x00000000 (0)
Fix: F-5961r355007_fix
Configure the policy value for Computer Configuration >> Administrative Templates >> System >> Logon >> "Enumerate local users on domain-joined computers" to "Disabled".
- RMF Control
- CM-7
- Severity
- M
- CCI
- CCI-000382
- Version
- WN19-00-000330
- Vuln IDs
-
- V-205697
- V-93421
- Rule IDs
-
- SV-205697r958480_rule
- SV-103507
Checks: C-5962r355009_chk
If the server has the role of an FTP server, this is NA. Open "PowerShell". Enter "Get-WindowsFeature | Where Name -eq Web-Ftp-Service". If "Installed State" is "Installed", this is a finding. An Installed State of "Available" or "Removed" is not a finding. If the system has the role of an FTP server, this must be documented with the ISSO.
Fix: F-5962r355010_fix
Uninstall the "FTP Server" role. Start "Server Manager". Select the server with the role. Scroll down to "ROLES AND FEATURES" in the right pane. Select "Remove Roles and Features" from the drop-down "TASKS" list. Select the appropriate server on the "Server Selection" page and click "Next". Deselect "FTP Server" under "Web Server (IIS)" on the "Roles" page. Click "Next" and "Remove" as prompted.
- RMF Control
- CM-7
- Severity
- M
- CCI
- CCI-000382
- Version
- WN19-00-000360
- Vuln IDs
-
- V-205698
- V-93423
- Rule IDs
-
- SV-205698r958480_rule
- SV-103509
Checks: C-5963r355012_chk
Open "PowerShell". Enter "Get-WindowsFeature | Where Name -eq Telnet-Client". If "Installed State" is "Installed", this is a finding. An Installed State of "Available" or "Removed" is not a finding.
Fix: F-5963r355013_fix
Uninstall the "Telnet Client" feature. Start "Server Manager". Select the server with the feature. Scroll down to "ROLES AND FEATURES" in the right pane. Select "Remove Roles and Features" from the drop-down "TASKS" list. Select the appropriate server on the "Server Selection" page and click "Next". Deselect "Telnet Client" on the "Features" page. Click "Next" and "Remove" as prompted.
- RMF Control
- IA-2
- Severity
- M
- CCI
- CCI-000764
- Version
- WN19-00-000070
- Vuln IDs
-
- V-205699
- V-93437
- Rule IDs
-
- SV-205699r958482_rule
- SV-103523
Checks: C-5964r355015_chk
Determine whether any shared accounts exist. If no shared accounts exist, this is NA. Shared accounts, such as required by an application, may be approved by the organization. This must be documented with the ISSO. Documentation must include the reason for the account, who has access to the account, and how the risk of using the shared account is mitigated to include monitoring account activity. If unapproved shared accounts exist, this is a finding.
Fix: F-5964r355016_fix
Remove unapproved shared accounts from the system. Document required shared accounts with the ISSO. Documentation must include the reason for the account, who has access to the account, and how the risk of using the shared account is mitigated to include monitoring account activity.
- RMF Control
- IA-2
- Severity
- M
- CCI
- CCI-000764
- Version
- WN19-00-000200
- Vuln IDs
-
- V-205700
- V-93439
- Rule IDs
-
- SV-205700r958482_rule
- SV-103525
Checks: C-5965r857293_chk
Review the password required status for enabled user accounts. Open "PowerShell". Domain Controllers: Enter "Get-Aduser -Filter * -Properties Passwordnotrequired |FT Name, Passwordnotrequired, Enabled". Exclude disabled accounts (e.g., DefaultAccount, Guest) and Trusted Domain Objects (TDOs). If "Passwordnotrequired" is "True" or blank for any enabled user account, this is a finding. Member servers and standalone or nondomain-joined systems: Enter 'Get-CimInstance -Class Win32_Useraccount -Filter "PasswordRequired=False and LocalAccount=True" | FT Name, PasswordRequired, Disabled, LocalAccount'. Exclude disabled accounts (e.g., DefaultAccount, Guest). If any enabled user accounts are returned with a "PasswordRequired" status of "False", this is a finding.
Fix: F-5965r355019_fix
Configure all enabled accounts to require passwords. The password required flag can be set by entering the following on a command line: "Net user [username] /passwordreq:yes", substituting [username] with the name of the user account.
- RMF Control
- IA-2
- Severity
- M
- CCI
- CCI-000767
- Version
- WN19-DC-000310
- Vuln IDs
-
- V-205701
- V-93441
- Rule IDs
-
- SV-205701r1051070_rule
- SV-103527
Checks: C-5966r355021_chk
This applies to domain controllers. It is NA for other systems. Open "PowerShell". Enter the following: "Get-ADUser -Filter {(Enabled -eq $True) -and (SmartcardLogonRequired -eq $False)} | FT Name" ("DistinguishedName" may be substituted for "Name" for more detailed output.) If any user accounts, including administrators, are listed, this is a finding. Alternately: To view sample accounts in "Active Directory Users and Computers" (available from various menus or run "dsa.msc"): Select the Organizational Unit (OU) where the user accounts are located. (By default, this is the Users node; however, accounts may be under other organization-defined OUs.) Right-click the sample user account and select "Properties". Select the "Account" tab. If any user accounts, including administrators, do not have "Smart card is required for interactive logon" checked in the "Account Options" area, this is a finding.
Fix: F-5966r355022_fix
Configure all user accounts, including administrator accounts, in Active Directory to enable the option "Smart card is required for interactive logon". Run "Active Directory Users and Computers" (available from various menus or run "dsa.msc"): Select the OU where the user accounts are located. (By default this is the Users node; however, accounts may be under other organization-defined OUs.) Right-click the user account and select "Properties". Select the "Account" tab. Check "Smart card is required for interactive logon" in the "Account Options" area.
- RMF Control
- IA-2
- Severity
- M
- CCI
- CCI-001942
- Version
- WN19-DC-000020
- Vuln IDs
-
- V-205702
- V-93443
- Rule IDs
-
- SV-205702r1051071_rule
- SV-103529
Checks: C-5967r355024_chk
This applies to domain controllers. It is NA for other systems. Verify the following is configured in the Default Domain Policy: Open "Group Policy Management". Navigate to "Group Policy Objects" in the Domain being reviewed (Forest >> Domains >> Domain). Right-click on the "Default Domain Policy". Select "Edit". Navigate to Computer Configuration >> Policies >> Windows Settings >> Security Settings >> Account Policies >> Kerberos Policy. If the "Enforce user logon restrictions" is not set to "Enabled", this is a finding.
Fix: F-5967r355025_fix
Configure the policy value in the Default Domain Policy for Computer Configuration >> Policies >> Windows Settings >> Security Settings >> Account Policies >> Kerberos Policy >> "Enforce user logon restrictions" to "Enabled".
- RMF Control
- IA-2
- Severity
- M
- CCI
- CCI-001941
- Version
- WN19-DC-000030
- Vuln IDs
-
- V-205703
- V-93445
- Rule IDs
-
- SV-205703r1051072_rule
- SV-103531
Checks: C-5968r355027_chk
This applies to domain controllers. It is NA for other systems. Verify the following is configured in the Default Domain Policy: Open "Group Policy Management". Navigate to "Group Policy Objects" in the Domain being reviewed (Forest >> Domains >> Domain). Right-click on the "Default Domain Policy". Select "Edit". Navigate to Computer Configuration >> Policies >> Windows Settings >> Security Settings >> Account Policies >> Kerberos Policy. If the value for "Maximum lifetime for service ticket" is "0" or greater than "600" minutes, this is a finding.
Fix: F-5968r355028_fix
Configure the policy value in the Default Domain Policy for Computer Configuration >> Policies >> Windows Settings >> Security Settings >> Account Policies >> Kerberos Policy >> "Maximum lifetime for service ticket" to a maximum of "600" minutes, but not "0", which equates to "Ticket doesn't expire".
- RMF Control
- IA-2
- Severity
- M
- CCI
- CCI-001941
- Version
- WN19-DC-000040
- Vuln IDs
-
- V-205704
- V-93447
- Rule IDs
-
- SV-205704r1051073_rule
- SV-103533
Checks: C-5969r355030_chk
This applies to domain controllers. It is NA for other systems. Verify the following is configured in the Default Domain Policy: Open "Group Policy Management". Navigate to "Group Policy Objects" in the Domain being reviewed (Forest >> Domains >> Domain). Right-click on the "Default Domain Policy". Select "Edit". Navigate to Computer Configuration >> Policies >> Windows Settings >> Security Settings >> Account Policies >> Kerberos Policy. If the value for "Maximum lifetime for user ticket" is "0" or greater than "10" hours, this is a finding.
Fix: F-5969r355031_fix
Configure the policy value in the Default Domain Policy for Computer Configuration >> Policies >> Windows Settings >> Security Settings >> Account Policies >> Kerberos Policy >> "Maximum lifetime for user ticket" to a maximum of "10" hours but not "0", which equates to "Ticket doesn't expire".
- RMF Control
- IA-2
- Severity
- M
- CCI
- CCI-001941
- Version
- WN19-DC-000050
- Vuln IDs
-
- V-205705
- V-93449
- Rule IDs
-
- SV-205705r1051074_rule
- SV-103535
Checks: C-5970r355033_chk
This applies to domain controllers. It is NA for other systems. Verify the following is configured in the Default Domain Policy: Open "Group Policy Management". Navigate to "Group Policy Objects" in the Domain being reviewed (Forest >> Domains >> Domain). Right-click on the "Default Domain Policy". Select "Edit". Navigate to Computer Configuration >> Policies >> Windows Settings >> Security Settings >> Account Policies >> Kerberos Policy. If the "Maximum lifetime for user ticket renewal" is greater than "7" days, this is a finding.
Fix: F-5970r355034_fix
Configure the policy value in the Default Domain Policy for Computer Configuration >> Policies >> Windows Settings >> Security Settings >> Account Policies >> Kerberos Policy >> "Maximum lifetime for user ticket renewal" to a maximum of "7" days or less.
- RMF Control
- IA-2
- Severity
- M
- CCI
- CCI-001941
- Version
- WN19-DC-000060
- Vuln IDs
-
- V-205706
- V-93451
- Rule IDs
-
- SV-205706r1051075_rule
- SV-103537
Checks: C-5971r355036_chk
This applies to domain controllers. It is NA for other systems. Verify the following is configured in the Default Domain Policy: Open "Group Policy Management". Navigate to "Group Policy Objects" in the Domain being reviewed (Forest >> Domains >> Domain). Right-click on the "Default Domain Policy". Select "Edit". Navigate to Computer Configuration >> Policies >> Windows Settings >> Security Settings >> Account Policies >> Kerberos Policy. If the "Maximum tolerance for computer clock synchronization" is greater than "5" minutes, this is a finding.
Fix: F-5971r355037_fix
Configure the policy value in the Default Domain Policy for Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Kerberos Policy >> "Maximum tolerance for computer clock synchronization" to a maximum of "5" minutes or less.
- RMF Control
- Severity
- M
- CCI
- CCI-003627
- Version
- WN19-00-000190
- Vuln IDs
-
- V-205707
- V-93457
- Rule IDs
-
- SV-205707r1051076_rule
- SV-103543
Checks: C-5972r997836_chk
Open "Windows PowerShell". Domain Controllers: Enter "Search-ADAccount -AccountInactive -UsersOnly -TimeSpan 35.00:00:00" This will return accounts that have not been logged on to for 35 days, along with various attributes such as the Enabled status and LastLogonDate. Member servers and standalone or nondomain-joined systems: Copy or enter the lines below to the PowerShell window and enter. (Entering twice may be required. Do not include the quotes at the beginning and end of the query.) "([ADSI]('WinNT://{0}' -f $env:COMPUTERNAME)).Children | Where { $_.SchemaClassName -eq 'user' } | ForEach { $user = ([ADSI]$_.Path) $lastLogin = $user.Properties.LastLogin.Value $enabled = ($user.Properties.UserFlags.Value -band 0x2) -ne 0x2 if ($lastLogin -eq $null) { $lastLogin = 'Never' } Write-Host $user.Name $lastLogin $enabled }" This will return a list of local accounts with the account name, last logon, and if the account is enabled (True/False). For example: User1 10/31/2015 5:49:56 AM True Review the list of accounts returned by the above queries to determine the finding validity for each account reported. Exclude the following accounts: - Built-in administrator account (Renamed, SID ending in 500) - Built-in guest account (Renamed, Disabled, SID ending in 501) - Application accounts If any enabled accounts have not been logged on to within the past 35 days, this is a finding. Inactive accounts that have been reviewed and deemed to be required must be documented with the information system security officer (ISSO).
Fix: F-5972r355040_fix
Regularly review accounts to determine if they are still active. Remove or disable accounts that have not been used in the last 35 days.
- RMF Control
- IA-7
- Severity
- M
- CCI
- CCI-000803
- Version
- WN19-SO-000290
- Vuln IDs
-
- V-205708
- V-93495
- Rule IDs
-
- SV-205708r971535_rule
- SV-103581
Checks: C-5973r355042_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters\ Value Name: SupportedEncryptionTypes Value Type: REG_DWORD Value: 0x7ffffff8 (2147483640)
Fix: F-5973r355043_fix
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Network security: Configure encryption types allowed for Kerberos" to "Enabled" with only the following selected: AES128_HMAC_SHA1 AES256_HMAC_SHA1 Future encryption types Note: Organizations with domain controllers running earlier versions of Windows where RC4 encryption is enabled, selecting "The other domain supports Kerberos AES Encryption" on domain trusts, may be required to allow client communication across the trust relationship.
- RMF Control
- IA-8
- Severity
- M
- CCI
- CCI-000804
- Version
- WN19-SO-000010
- Vuln IDs
-
- V-205709
- V-93497
- Rule IDs
-
- SV-205709r958504_rule
- SV-103583
Checks: C-5974r355045_chk
Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options. If the value for "Accounts: Guest account status" is not set to "Disabled", this is a finding. For server core installations, run the following command: Secedit /Export /Areas SecurityPolicy /CFG C:\Path\FileName.Txt If "EnableGuestAccount" equals "1" in the file, this is a finding.
Fix: F-5974r355046_fix
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Accounts: Guest account status" to "Disabled".
- RMF Control
- AC-2
- Severity
- M
- CCI
- CCI-001682
- Version
- WN19-00-000310
- Vuln IDs
-
- V-205710
- V-92977
- Rule IDs
-
- SV-205710r958508_rule
- SV-103065
Checks: C-5975r857302_chk
Determine if emergency administrator accounts are used and identify any that exist. If none exist, this is NA. If emergency administrator accounts cannot be configured with an expiration date due to an ongoing crisis, the accounts must be disabled or removed when the crisis is resolved. If emergency administrator accounts have not been configured with an expiration date or have not been disabled or removed following the resolution of a crisis, this is a finding. Domain Controllers: Open "PowerShell". Enter "Search-ADAccount -AccountExpiring | FT Name, AccountExpirationDate". If "AccountExpirationDate" has been defined and is not within 72 hours for an emergency administrator account, this is a finding. Member servers and standalone or nondomain-joined systems: Open "Command Prompt". Run "Net user [username]", where [username] is the name of the emergency account. If "Account expires" has been defined and is not within 72 hours for an emergency administrator account, this is a finding.
Fix: F-5975r355049_fix
Remove emergency administrator accounts after a crisis has been resolved or configure the accounts to automatically expire within 72 hours. Domain accounts can be configured with an account expiration date, under "Account" properties. Local accounts can be configured to expire with the command "Net user [username] /expires:[mm/dd/yyyy]", where username is the name of the temporary user account.
- RMF Control
- MA-4
- Severity
- H
- CCI
- CCI-000877
- Version
- WN19-CC-000470
- Vuln IDs
-
- V-205711
- V-93503
- Rule IDs
-
- SV-205711r958510_rule
- SV-103589
Checks: C-5976r355051_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows\WinRM\Client\ Value Name: AllowBasic Type: REG_DWORD Value: 0x00000000 (0)
Fix: F-5976r355052_fix
Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Windows Remote Management (WinRM) >> WinRM Client >> "Allow Basic authentication" to "Disabled".
- RMF Control
- MA-4
- Severity
- M
- CCI
- CCI-000877
- Version
- WN19-CC-000490
- Vuln IDs
-
- V-205712
- V-93505
- Rule IDs
-
- SV-205712r958510_rule
- SV-103591
Checks: C-5977r355054_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows\WinRM\Client\ Value Name: AllowDigest Type: REG_DWORD Value: 0x00000000 (0)
Fix: F-5977r355055_fix
Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Windows Remote Management (WinRM) >> WinRM Client >> "Disallow Digest authentication" to "Enabled".
- RMF Control
- MA-4
- Severity
- H
- CCI
- CCI-000877
- Version
- WN19-CC-000500
- Vuln IDs
-
- V-205713
- V-93507
- Rule IDs
-
- SV-205713r958510_rule
- SV-103593
Checks: C-5978r355057_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\ Value Name: AllowBasic Type: REG_DWORD Value: 0x00000000 (0)
Fix: F-5978r355058_fix
Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Windows Remote Management (WinRM) >> WinRM Service >> "Allow Basic authentication" to "Disabled".
- RMF Control
- SC-3
- Severity
- M
- CCI
- CCI-001084
- Version
- WN19-CC-000240
- Vuln IDs
-
- V-205714
- V-93517
- Rule IDs
-
- SV-205714r958518_rule
- SV-103603
Checks: C-5979r355060_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI\ Value Name: EnumerateAdministrators Type: REG_DWORD Value: 0x00000000 (0)
Fix: F-5979r355061_fix
Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Credential User Interface >> "Enumerate administrator accounts on elevation" to "Disabled".
- RMF Control
- SC-3
- Severity
- M
- CCI
- CCI-001084
- Version
- WN19-MS-000020
- Vuln IDs
-
- V-205715
- V-93519
- Rule IDs
-
- SV-205715r958518_rule
- SV-103605
Checks: C-5980r857318_chk
This applies to member servers. For domain controllers and standalone or nondomain-joined systems, this is NA. If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System Value Name: LocalAccountTokenFilterPolicy Type: REG_DWORD Value: 0x00000000 (0) This setting may cause issues with some network scanning tools if local administrative accounts are used remotely. Scans should use domain accounts where possible. If a local administrative account must be used, temporarily enabling the privileged token by configuring the registry value to "1" may be required.
Fix: F-5980r857319_fix
Configure the policy value for Computer Configuration >> Administrative Templates >> MS Security Guide >> "Apply UAC restrictions to local accounts on network logons" to "Enabled". This policy setting requires the installation of the SecGuide custom templates included with the STIG package. "SecGuide.admx" and "SecGuide.adml" must be copied to the \Windows\PolicyDefinitions and \Windows\PolicyDefinitions\en-US directories respectively.
- RMF Control
- SC-3
- Severity
- M
- CCI
- CCI-001084
- Version
- WN19-SO-000390
- Vuln IDs
-
- V-205716
- V-93521
- Rule IDs
-
- SV-205716r958518_rule
- SV-103607
Checks: C-5981r355066_chk
UAC requirements are NA for Server Core installations (this is the default installation option for Windows Server 2019 versus Server with Desktop Experience). If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: EnableUIADesktopToggle Value Type: REG_DWORD Value: 0x00000000 (0)
Fix: F-5981r355067_fix
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop" to "Disabled".
- RMF Control
- SC-3
- Severity
- M
- CCI
- CCI-001084
- Version
- WN19-SO-000400
- Vuln IDs
-
- V-205717
- V-93523
- Rule IDs
-
- SV-205717r958518_rule
- SV-103609
Checks: C-5982r355069_chk
UAC requirements are NA for Server Core installations (this is default installation option for Windows Server 2019 versus Server with Desktop Experience). If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: ConsentPromptBehaviorAdmin Value Type: REG_DWORD Value: 0x00000002 (2) (Prompt for consent on the secure desktop) 0x00000001 (1) (Prompt for credentials on the secure desktop)
Fix: F-5982r355070_fix
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode" to "Prompt for consent on the secure desktop". The more secure option for this setting, "Prompt for credentials on the secure desktop", would also be acceptable.
- RMF Control
- SC-3
- Severity
- M
- CCI
- CCI-001084
- Version
- WN19-SO-000420
- Vuln IDs
-
- V-205718
- V-93525
- Rule IDs
-
- SV-205718r958518_rule
- SV-103611
Checks: C-5983r355072_chk
UAC requirements are NA for Server Core installations (this is the default installation option for Windows Server 2019 versus Server with Desktop Experience). If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: EnableInstallerDetection Value Type: REG_DWORD Value: 0x00000001 (1)
Fix: F-5983r355073_fix
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "User Account Control: Detect application installations and prompt for elevation" to "Enabled".
- RMF Control
- SC-3
- Severity
- M
- CCI
- CCI-001084
- Version
- WN19-SO-000430
- Vuln IDs
-
- V-205719
- V-93527
- Rule IDs
-
- SV-205719r958518_rule
- SV-103613
Checks: C-5984r355075_chk
UAC requirements are NA for Server Core installations (this is the default installation option for Windows Server 2019 versus Server with Desktop Experience). If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: EnableSecureUIAPaths Value Type: REG_DWORD Value: 0x00000001 (1)
Fix: F-5984r355076_fix
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "User Account Control: Only elevate UIAccess applications that are installed in secure locations" to "Enabled".
- RMF Control
- SC-3
- Severity
- M
- CCI
- CCI-001084
- Version
- WN19-SO-000450
- Vuln IDs
-
- V-205720
- V-93529
- Rule IDs
-
- SV-205720r958518_rule
- SV-103615
Checks: C-5985r355078_chk
UAC requirements are NA for Server Core installations (this is the default installation option for Windows Server 2019 versus Server with Desktop Experience). If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: EnableVirtualization Value Type: REG_DWORD Value: 0x00000001 (1)
Fix: F-5985r355079_fix
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "User Account Control: Virtualize file and registry write failures to per-user locations" to "Enabled".
- RMF Control
- SC-4
- Severity
- M
- CCI
- CCI-001090
- Version
- WN19-00-000230
- Vuln IDs
-
- V-205721
- V-93531
- Rule IDs
-
- SV-205721r1137695_rule
- SV-103617
Checks: C-5986r355081_chk
If only system-created shares such as "ADMIN$", "C$", and "IPC$" exist on the system, this is NA. (System-created shares will display a message that it has been shared for administrative purposes when "Properties" is selected.) Run "Computer Management". Navigate to System Tools >> Shared Folders >> Shares. Right-click any non-system-created shares. Select "Properties". Select the "Share Permissions" tab. If the file shares have not been configured to restrict permissions to the specific groups or accounts that require access, this is a finding. Select the "Security" tab. If the permissions have not been configured to restrict permissions to the specific groups or accounts that require access, this is a finding.
Fix: F-5986r355082_fix
If a non-system-created share is required on a system, configure the share and NTFS permissions to limit access to the specific groups or accounts that require it. Remove any unnecessary non-system-created shares.
- RMF Control
- SC-4
- Severity
- M
- CCI
- CCI-001090
- Version
- WN19-CC-000350
- Vuln IDs
-
- V-205722
- V-93533
- Rule IDs
-
- SV-205722r1137695_rule
- SV-103619
Checks: C-5987r355084_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\ Value Name: fDisableCdm Type: REG_DWORD Value: 0x00000001 (1)
Fix: F-5987r355085_fix
Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Remote Desktop Services >> Remote Desktop Session Host >> Device and Resource Redirection >> "Do not allow drive redirection" to "Enabled".
- RMF Control
- SC-4
- Severity
- M
- CCI
- CCI-001090
- Version
- WN19-DC-000120
- Vuln IDs
-
- V-205723
- V-93535
- Rule IDs
-
- SV-205723r1137695_rule
- SV-103621
Checks: C-5988r355087_chk
This applies to domain controllers. It is NA for other systems. Run "Regedit". Navigate to "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters". Note the directory locations in the values for "DSA Database file". Open "Command Prompt". Enter "net share". Note the logical drive(s) or file system partition for any organization-created data shares. Ignore system shares (e.g., NETLOGON, SYSVOL, and administrative shares ending in $). User shares that are hidden (ending with $) should not be ignored. If user shares are located on the same logical partition as the directory server data files, this is a finding.
Fix: F-5988r355088_fix
Move shares used to store files owned by users to a different logical partition than the directory server data files.
- RMF Control
- SC-4
- Severity
- H
- CCI
- CCI-001090
- Version
- WN19-SO-000230
- Vuln IDs
-
- V-205724
- V-93537
- Rule IDs
-
- SV-205724r1137695_rule
- SV-103623
Checks: C-5989r355090_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Control\Lsa\ Value Name: RestrictAnonymous Value Type: REG_DWORD Value: 0x00000001 (1)
Fix: F-5989r355091_fix
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Network access: Do not allow anonymous enumeration of SAM accounts and shares" to "Enabled".
- RMF Control
- SC-4
- Severity
- H
- CCI
- CCI-001090
- Version
- WN19-SO-000250
- Vuln IDs
-
- V-205725
- V-93539
- Rule IDs
-
- SV-205725r1137695_rule
- SV-103625
Checks: C-5990r355093_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Services\LanManServer\Parameters\ Value Name: RestrictNullSessAccess Value Type: REG_DWORD Value: 0x00000001 (1)
Fix: F-5990r355094_fix
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Network access: Restrict anonymous access to Named Pipes and Shares" to "Enabled".
- RMF Control
- SC-10
- Severity
- L
- CCI
- CCI-001133
- Version
- WN19-DC-000160
- Vuln IDs
-
- V-205726
- V-93509
- Rule IDs
-
- SV-205726r970703_rule
- SV-103595
Checks: C-5991r355096_chk
This applies to domain controllers. It is NA for other systems. Open an elevated "Command Prompt" (run as administrator). Enter "ntdsutil". At the "ntdsutil:" prompt, enter "LDAP policies". At the "ldap policy:" prompt, enter "connections". At the "server connections:" prompt, enter "connect to server [host-name]" (where [host-name] is the computer name of the domain controller). At the "server connections:" prompt, enter "q". At the "ldap policy:" prompt, enter "show values". If the value for MaxConnIdleTime is greater than "300" (5 minutes) or is not specified, this is a finding. Enter "q" at the "ldap policy:" and "ntdsutil:" prompts to exit. Alternately, Dsquery can be used to display MaxConnIdleTime: Open "Command Prompt (Admin)". Enter the following command (on a single line). dsquery * "cn=Default Query Policy,cn=Query-Policies,cn=Directory Service, cn=Windows NT,cn=Services,cn=Configuration,dc=[forest-name]" -attr LDAPAdminLimits The quotes are required and dc=[forest-name] is the fully qualified LDAP name of the domain being reviewed (e.g., dc=disaost,dc=mil). If the results do not specify a "MaxConnIdleTime" or it has a value greater than "300" (5 minutes), this is a finding.
Fix: F-5991r355097_fix
Configure the directory service to terminate LDAP-based network connections to the directory server after 5 minutes of inactivity. Open an elevated "Command prompt" (run as administrator). Enter "ntdsutil". At the "ntdsutil:" prompt, enter "LDAP policies". At the "ldap policy:" prompt, enter "connections". At the "server connections:" prompt, enter "connect to server [host-name]" (where [host-name] is the computer name of the domain controller). At the "server connections:" prompt, enter "q". At the "ldap policy:" prompt, enter "Set MaxConnIdleTime to 300". Enter "Commit Changes" to save. Enter "Show values" to verify changes. Enter "q" at the "ldap policy:" and "ntdsutil:" prompts to exit.
- RMF Control
- SC-28
- Severity
- H
- CCI
- CCI-001199
- Version
- WN19-00-000250
- Vuln IDs
-
- V-205727
- V-93515
- Rule IDs
-
- SV-205727r958552_rule
- SV-103601
Checks: C-5992r355099_chk
Verify systems that require additional protections due to factors such as inadequate physical protection or sensitivity of the data employ encryption to protect the confidentiality and integrity of all information at rest. If they do not, this is a finding.
Fix: F-5992r355100_fix
Configure systems that require additional protections due to factors such as inadequate physical protection or sensitivity of the data to employ encryption to protect the confidentiality and integrity of all information at rest.
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- WN19-AU-000160
- Vuln IDs
-
- V-205730
- V-92989
- Rule IDs
-
- SV-205730r991552_rule
- SV-103077
Checks: C-5995r355108_chk
Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. Use the "AuditPol" tool to review the current Audit Policy configuration: Open "PowerShell" or a "Command Prompt" with elevated privileges ("Run as administrator"). Enter "AuditPol /get /category:*" Compare the "AuditPol" settings with the following: If the system does not audit the following, this is a finding. Logon/Logoff >> Account Lockout - Failure
Fix: F-5995r355109_fix
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Logon/Logoff >> "Audit Account Lockout" with "Failure" selected.
- RMF Control
- AU-9
- Severity
- M
- CCI
- CCI-001494
- Version
- WN19-AU-000060
- Vuln IDs
-
- V-205731
- V-93195
- Rule IDs
-
- SV-205731r991558_rule
- SV-103283
Checks: C-5996r951112_chk
This is not applicable for Windows Core Editions Navigate to "%SystemRoot%\System32". View the permissions on "Eventvwr.exe". If any groups or accounts other than TrustedInstaller have "Full control" or "Modify" permissions, this is a finding. The default permissions below satisfy this requirement: TrustedInstaller - Full Control Administrators, SYSTEM, Users, ALL APPLICATION PACKAGES, ALL RESTRICTED APPLICATION PACKAGES - Read & Execute
Fix: F-5996r355112_fix
Configure the permissions on the "Eventvwr.exe" file to prevent modification by any groups or accounts other than TrustedInstaller. The default permissions listed below satisfy this requirement: TrustedInstaller - Full Control Administrators, SYSTEM, Users, ALL APPLICATION PACKAGES, ALL RESTRICTED APPLICATION PACKAGES - Read & Execute The default location is the "%SystemRoot%\System32" folder.
- RMF Control
- AC-17
- Severity
- M
- CCI
- CCI-002314
- Version
- WN19-DC-000410
- Vuln IDs
-
- V-205732
- V-92963
- Rule IDs
-
- SV-205732r958672_rule
- SV-103051
Checks: C-5997r355114_chk
This applies to domain controllers. A separate version applies to other systems. Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If the following accounts or groups are not defined for the "Deny log on through Remote Desktop Services" user right, this is a finding: - Guests Group For server core installations, run the following command: Secedit /Export /Areas User_Rights /cfg c:\path\filename.txt Review the text file. If the following SID(s) are not defined for the "SeDenyRemoteInteractiveLogonRight" user right, this is a finding. S-1-5-32-546 (Guests)
Fix: F-5997r355115_fix
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Deny log on through Remote Desktop Services" to include the following: - Guests Group
- RMF Control
- AC-17
- Severity
- M
- CCI
- CCI-002314
- Version
- WN19-MS-000120
- Vuln IDs
-
- V-205733
- V-92965
- Rule IDs
-
- SV-205733r958672_rule
- SV-103053
Checks: C-5998r857338_chk
This applies to member servers and standalone or nondomain-joined systems. A separate version applies to domain controllers. Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If the following accounts or groups are not defined for the "Deny log on through Remote Desktop Services" user right, this is a finding: Domain Systems Only: - Enterprise Admins group - Domain Admins group - Local account (see Note below) All Systems: - Guests group For server core installations, run the following command: Secedit /Export /Areas User_Rights /cfg c:\path\filename.txt Review the text file. If the following SIDs are not defined for the "SeDenyRemoteInteractiveLogonRight" user right, this is a finding. Domain Systems Only: S-1-5-root domain-519 (Enterprise Admins) S-1-5-domain-512 (Domain Admins) S-1-5-113 ("Local account") All Systems: S-1-5-32-546 (Guests) Note: "Local account" is referring to the Windows built-in security group.
Fix: F-5998r355118_fix
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Deny log on through Remote Desktop Services" to include the following: Domain Systems Only: - Enterprise Admins group - Domain Admins group - Local account (see Note below) All Systems: - Guests group Note: "Local account" is referring to the Windows built-in security group.
- RMF Control
- AC-3
- Severity
- M
- CCI
- CCI-002165
- Version
- WN19-00-000140
- Vuln IDs
-
- V-205734
- V-93019
- Rule IDs
-
- SV-205734r958702_rule
- SV-103107
Checks: C-5999r355120_chk
The default permissions are adequate when the Security Option "Network access: Let Everyone permissions apply to anonymous users" is set to "Disabled" (WN19-SO-000240). Review the permissions for the system drive's root directory (usually C:\). Non-privileged groups such as Users or Authenticated Users must not have greater than "Read & execute" permissions except where noted as defaults. Individual accounts must not be used to assign permissions. If permissions are not as restrictive as the default permissions listed below, this is a finding. Viewing in File Explorer: View the Properties of the system drive's root directory. Select the "Security" tab, and the "Advanced" button. Default permissions: C:\ Type - "Allow" for all Inherited from - "None" for all Principal - Access - Applies to SYSTEM - Full control - This folder, subfolders, and files Administrators - Full control - This folder, subfolders, and files Users - Read & execute - This folder, subfolders, and files Users - Create folders/append data - This folder and subfolders Users - Create files/write data - Subfolders only CREATOR OWNER - Full Control - Subfolders and files only Alternately, use icacls: Open "Command Prompt (Admin)". Enter "icacls" followed by the directory: "icacls c:\" The following results should be displayed: c:\ NT AUTHORITY\SYSTEM:(OI)(CI)(F) BUILTIN\Administrators:(OI)(CI)(F) BUILTIN\Users:(OI)(CI)(RX) BUILTIN\Users:(CI)(AD) BUILTIN\Users:(CI)(IO)(WD) CREATOR OWNER:(OI)(CI)(IO)(F) Successfully processed 1 files; Failed processing 0 files
Fix: F-5999r355121_fix
Maintain the default permissions for the system drive's root directory and configure the Security Option "Network access: Let Everyone permissions apply to anonymous users" to "Disabled" (WN19-SO-000240). Default Permissions C:\ Type - "Allow" for all Inherited from - "None" for all Principal - Access - Applies to SYSTEM - Full control - This folder, subfolders, and files Administrators - Full control - This folder, subfolders, and files Users - Read & execute - This folder, subfolders, and files Users - Create folders/append data - This folder and subfolders Users - Create files/write data - Subfolders only CREATOR OWNER - Full Control - Subfolders and files only
- RMF Control
- AC-3
- Severity
- M
- CCI
- CCI-002165
- Version
- WN19-00-000150
- Vuln IDs
-
- V-205735
- V-93021
- Rule IDs
-
- SV-205735r958702_rule
- SV-103109
Checks: C-6000r355123_chk
The default permissions are adequate when the Security Option "Network access: Let Everyone permissions apply to anonymous users" is set to "Disabled" (WN19-SO-000240). Review the permissions for the program file directories (Program Files and Program Files [x86]). Non-privileged groups such as Users or Authenticated Users must not have greater than "Read & execute" permissions. Individual accounts must not be used to assign permissions. If permissions are not as restrictive as the default permissions listed below, this is a finding. Viewing in File Explorer: For each folder, view the Properties. Select the "Security" tab, and the "Advanced" button. Default permissions: \Program Files and \Program Files (x86) Type - "Allow" for all Inherited from - "None" for all Principal - Access - Applies to TrustedInstaller - Full control - This folder and subfolders SYSTEM - Modify - This folder only SYSTEM - Full control - Subfolders and files only Administrators - Modify - This folder only Administrators - Full control - Subfolders and files only Users - Read & execute - This folder, subfolders and files CREATOR OWNER - Full control - Subfolders and files only ALL APPLICATION PACKAGES - Read & execute - This folder, subfolders, and files ALL RESTRICTED APPLICATION PACKAGES - Read & execute - This folder, subfolders, and files Alternately, use icacls: Open a Command prompt (admin). Enter "icacls" followed by the directory: 'icacls "c:\program files"' 'icacls "c:\program files (x86)"' The following results should be displayed for each when entered: c:\program files (c:\program files (x86)) NT SERVICE\TrustedInstaller:(F) NT SERVICE\TrustedInstaller:(CI)(IO)(F) NT AUTHORITY\SYSTEM:(M) NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F) BUILTIN\Administrators:(M) BUILTIN\Administrators:(OI)(CI)(IO)(F) BUILTIN\Users:(RX) BUILTIN\Users:(OI)(CI)(IO)(GR,GE) CREATOR OWNER:(OI)(CI)(IO)(F) APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(RX) APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(OI)(CI)(IO)(GR,GE) APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(RX) APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(OI)(CI)(IO)(GR,GE) Successfully processed 1 files; Failed processing 0 files
Fix: F-6000r355124_fix
Maintain the default permissions for the program file directories and configure the Security Option "Network access: Let Everyone permissions apply to anonymous users" to "Disabled" (WN19-SO-000240). Default permissions: \Program Files and \Program Files (x86) Type - "Allow" for all Inherited from - "None" for all Principal - Access - Applies to TrustedInstaller - Full control - This folder and subfolders SYSTEM - Modify - This folder only SYSTEM - Full control - Subfolders and files only Administrators - Modify - This folder only Administrators - Full control - Subfolders and files only Users - Read & execute - This folder, subfolders, and files CREATOR OWNER - Full control - Subfolders and files only ALL APPLICATION PACKAGES - Read & execute - This folder, subfolders, and files ALL RESTRICTED APPLICATION PACKAGES - Read & execute - This folder, subfolders, and files
- RMF Control
- AC-3
- Severity
- M
- CCI
- CCI-002165
- Version
- WN19-00-000160
- Vuln IDs
-
- V-205736
- V-93023
- Rule IDs
-
- SV-205736r1016383_rule
- SV-103111
Checks: C-6001r1016382_chk
The default permissions are adequate when the Security Option "Network access: Let Everyone permissions apply to anonymous users" is set to "Disabled" (WN19-SO-000240). Review the permissions for the Windows installation directory (usually C:\Windows). Non-privileged groups such as Users or Authenticated Users must not have greater than "Read & execute" permissions. Individual accounts must not be used to assign permissions. If permissions are not as restrictive as the default permissions listed below, this is a finding: For each folder, view the Properties. Select the "Security" tab and the "Advanced" button. Default permissions: \Windows Type - "Allow" for all Inherited from - "None" for all Principal - Access - Applies to TrustedInstaller - Full control - This folder and subfolders SYSTEM - Modify - This folder only SYSTEM - Full control - Subfolders and files only Administrators - Modify - This folder only Administrators - Full control - Subfolders and files only Users - Read & execute - This folder, subfolders, and files CREATOR OWNER - Full control - Subfolders and files only ALL APPLICATION PACKAGES - Read & execute - This folder, subfolders, and files ALL RESTRICTED APPLICATION PACKAGES - Read & execute - This folder, subfolders, and files Alternately, use icacls: Open a Command prompt (admin). Enter "icacls" followed by the directory: "icacls c:\windows" The following results should be displayed for each when entered: c:\windows NT SERVICE\TrustedInstaller:(F) NT SERVICE\TrustedInstaller:(CI)(IO)(F) NT AUTHORITY\SYSTEM:(M) NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F) BUILTIN\Administrators:(M) BUILTIN\Administrators:(OI)(CI)(IO)(F) BUILTIN\Users:(RX) BUILTIN\Users:(OI)(CI)(IO)(GR,GE) CREATOR OWNER:(OI)(CI)(IO)(F) APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(RX) APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(OI)(CI)(IO)(GR,GE) APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(RX) APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(OI)(CI)(IO)(GR,GE) Successfully processed 1 files; Failed processing 0 files
Fix: F-6001r355127_fix
Maintain the default file ACLs and configure the Security Option "Network access: Let Everyone permissions apply to anonymous users" to "Disabled" (WN19-SO-000240). Default permissions: Type - "Allow" for all Inherited from - "None" for all Principal - Access - Applies to TrustedInstaller - Full control - This folder and subfolders SYSTEM - Modify - This folder only SYSTEM - Full control - Subfolders and files only Administrators - Modify - This folder only Administrators - Full control - Subfolders and files only Users - Read & execute - This folder, subfolders, and files CREATOR OWNER - Full control - Subfolders and files only ALL APPLICATION PACKAGES - Read & execute - This folder, subfolders, and files ALL RESTRICTED APPLICATION PACKAGES - Read & execute - This folder, subfolders, and files
- RMF Control
- AC-6
- Severity
- M
- CCI
- CCI-002235
- Version
- WN19-00-000170
- Vuln IDs
-
- V-205737
- V-93025
- Rule IDs
-
- SV-205737r1153434_rule
- SV-103113
Checks: C-6002r1153432_chk
Review the registry permissions for the keys of the HKEY_LOCAL_MACHINE hive noted below. If any nonprivileged groups such as Everyone, Users, or Authenticated Users have greater than Read permission, this is a finding. If permissions are not as restrictive as the default permissions listed below, this is a finding: Run "Regedit". Right-click on the registry areas noted below. Select "Permissions" and "Advanced". HKEY_LOCAL_MACHINE\SECURITY Type - "Allow" for all Inherited from - "None" for all Principal - Access - Applies to SYSTEM - Full Control - This key and subkeys Administrators - Special - This key and subkeys HKEY_LOCAL_MACHINE\SOFTWARE Type - "Allow" for all Inherited from - "None" for all Principal - Access - Applies to Users - Read - This key and subkeys Administrators - Full Control - This key and subkeys SYSTEM - Full Control - This key and subkeys CREATOR OWNER - Full Control - This key and subkeys ALL APPLICATION PACKAGES - Read - This key and subkeys HKEY_LOCAL_MACHINE\SYSTEM Type - "Allow" for all Inherited from - "None" for all Principal - Access - Applies to Authenticated Users - Read - This key and subkeys Administrators - Full Control - This key and subkeys SYSTEM - Full Control - This key and subkeys CREATOR OWNER - Full Control - Subkeys only ALL APPLICATION PACKAGES - Read - This key and subkeys Server Operators – Read – This Key and subkeys (Domain controllers only) Other examples under the noted keys may also be sampled. There may be some instances where non-privileged groups have greater than Read permission. Microsoft has given Read permission to the SOFTWARE and SYSTEM registry keys in Windows Server 2019 to the following SID, this is currently not a finding. S-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681 If the defaults have not been changed, these are not a finding.
Fix: F-6002r1153433_fix
Maintain the default permissions for the HKEY_LOCAL_MACHINE registry hive. The default permissions of the higher-level keys are noted below. HKEY_LOCAL_MACHINE\SECURITY Type - "Allow" for all Inherited from - "None" for all Principal - Access - Applies to SYSTEM - Full Control - This key and subkeys Administrators - Special - This key and subkeys HKEY_LOCAL_MACHINE\SOFTWARE Type - "Allow" for all Inherited from - "None" for all Principal - Access - Applies to Users - Read - This key and subkeys Administrators - Full Control - This key and subkeys SYSTEM - Full Control - This key and subkeys CREATOR OWNER - Full Control - This key and subkeys ALL APPLICATION PACKAGES - Read - This key and subkeys HKEY_LOCAL_MACHINE\SYSTEM Type - "Allow" for all Inherited from - "None" for all Principal - Access - Applies to Authenticated Users - Read - This key and subkeys Administrators - Full Control - This key and subkeys SYSTEM - Full Control - This key and subkeys CREATOR OWNER - Full Control - Subkeys only ALL APPLICATION PACKAGES - Read - This key and subkeys Server Operators – Read – This Key and subkeys (Domain controllers only) Microsoft has also given Read permission to the SOFTWARE and SYSTEM registry keys in Windows Server 2019 to the following SID: S-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681
- RMF Control
- AC-6
- Severity
- H
- CCI
- CCI-002235
- Version
- WN19-DC-000010
- Vuln IDs
-
- V-205738
- V-93027
- Rule IDs
-
- SV-205738r958726_rule
- SV-103115
Checks: C-6003r355132_chk
This applies to domain controllers. A separate version applies to other systems. Review the Administrators group. Only the appropriate administrator groups or accounts responsible for administration of the system may be members of the group. Standard user accounts must not be members of the local administrator group. If prohibited accounts are members of the local administrators group, this is a finding. If the built-in Administrator account or other required administrative accounts are found on the system, this is not a finding.
Fix: F-6003r355133_fix
Configure the Administrators group to include only administrator groups or accounts that are responsible for the system. Remove any standard user accounts.
- RMF Control
- AC-6
- Severity
- H
- CCI
- CCI-002235
- Version
- WN19-DC-000070
- Vuln IDs
-
- V-205739
- V-93029
- Rule IDs
-
- SV-205739r958726_rule
- SV-103117
Checks: C-6004r355135_chk
This applies to domain controllers. It is NA for other systems. Run "Regedit". Navigate to "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters". Note the directory locations in the values for: Database log files path DSA Database file By default, they will be \Windows\NTDS. If the locations are different, the following will need to be run for each. Open "Command Prompt (Admin)". Navigate to the NTDS directory (\Windows\NTDS by default). Run "icacls *.*". If the permissions on each file are not as restrictive as the following, this is a finding: NT AUTHORITY\SYSTEM:(I)(F) BUILTIN\Administrators:(I)(F) (I) - permission inherited from parent container (F) - full access
Fix: F-6004r355136_fix
Maintain the permissions on NTDS database and log files as follows: NT AUTHORITY\SYSTEM:(I)(F) BUILTIN\Administrators:(I)(F) (I) - permission inherited from parent container (F) - full access
- RMF Control
- AC-6
- Severity
- H
- CCI
- CCI-002235
- Version
- WN19-DC-000080
- Vuln IDs
-
- V-205740
- V-93031
- Rule IDs
-
- SV-205740r958726_rule
- SV-103119
Checks: C-6005r852440_chk
This applies to domain controllers. It is NA for other systems. Open a command prompt. Run "net share". Make note of the directory location of the SYSVOL share. By default, this will be \Windows\SYSVOL\sysvol. For this requirement, permissions will be verified at the first SYSVOL directory level. If any standard user accounts or groups have greater than "Read & execute" permissions, this is a finding. The default permissions noted below meet this requirement: Open "Command Prompt". Run "icacls c:\Windows\SYSVOL". The following results should be displayed: NT AUTHORITY\Authenticated Users:(RX) NT AUTHORITY\Authenticated Users:(OI)(CI)(IO)(GR,GE) BUILTIN\Server Operators:(RX) BUILTIN\Server Operators:(OI)(CI)(IO)(GR,GE) BUILTIN\Administrators:(M,WDAC,WO) BUILTIN\Administrators:(OI)(CI)(IO)(F) NT AUTHORITY\SYSTEM:(F) NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F) CREATOR OWNER:(OI)(CI)(IO)(F) (RX) - Read & execute Run "icacls /help" to view definitions of other permission codes.
Fix: F-6005r355139_fix
Maintain the permissions on the SYSVOL directory. Do not allow greater than "Read & execute" permissions for standard user accounts or groups. The defaults below meet this requirement: C:\Windows\SYSVOL Type - "Allow" for all Inherited from - "None" for all Principal - Access - Applies to Authenticated Users - Read & execute - This folder, subfolder, and files Server Operators - Read & execute- This folder, subfolder, and files Administrators - Special - This folder only (Special = Basic Permissions: all selected except Full control) CREATOR OWNER - Full control - Subfolders and files only Administrators - Full control - Subfolders and files only SYSTEM - Full control - This folder, subfolders, and files
- RMF Control
- AC-6
- Severity
- H
- CCI
- CCI-002235
- Version
- WN19-DC-000090
- Vuln IDs
-
- V-205741
- V-93033
- Rule IDs
-
- SV-205741r1081998_rule
- SV-103121
Checks: C-6006r1081998_chk
This applies to domain controllers. It is NA for other systems. Review the permissions on Group Policy objects. Open "Group Policy Management" (available from various menus or run "gpmc.msc"). Navigate to "Group Policy Objects" in the domain being reviewed (Forest >> Domains >> Domain). For each Group Policy object: Select the Group Policy object item in the left pane. Select the "Delegation" tab in the right pane. Select "Advanced". Select each Group or user name. View the permissions. If any standard user accounts or groups have "Allow" permissions greater than "Read" and "Apply group policy", this is a finding. Other access permissions that allow the objects to be updated are considered findings unless specifically documented by the ISSO. The default permissions noted below satisfy this requirement. The permissions shown are at the summary level. To view more detailed permissions, select the next "Advanced" button, the desired Permission entry, and then click "Edit". Authenticated Users - Read, Apply group policy, Special permissions The special permissions for Authenticated Users are for Read-type Properties. If detailed permissions include any Create, Delete, Modify, or Write Permissions or Properties, this is a finding. The special permissions for the following default groups are not the focus of this requirement and may include a wide range of permissions and properties: CREATOR OWNER - Special permissions SYSTEM - Read, Write, Create all child objects, Delete all child objects, Special permissions Domain Admins - Read, Write, Create all child objects, Delete all child objects, Special permissions Enterprise Admins - Read, Write, Create all child objects, Delete all child objects, Special permissions ENTERPRISE DOMAIN CONTROLLERS - Read, Special permissions
Fix: F-6006r1081064_fix
Maintain the permissions on Group Policy objects to not allow greater than "Read" and "Apply group policy" for standard user accounts or groups. The default permissions below meet this requirement: Authenticated Users - Read, Apply group policy, Special permissions The special permissions for Authenticated Users are for Read-type Properties. CREATOR OWNER - Special permissions SYSTEM - Read, Write, Create all child objects, Delete all child objects, Special permissions Domain Admins - Read, Write, Create all child objects, Delete all child objects, Special permissions Enterprise Admins - Read, Write, Create all child objects, Delete all child objects, Special permissions ENTERPRISE DOMAIN CONTROLLERS - Read, Special permissions Document any other access permissions that allow the objects to be updated with the ISSO.
- RMF Control
- AC-6
- Severity
- H
- CCI
- CCI-002235
- Version
- WN19-DC-000100
- Vuln IDs
-
- V-205742
- V-93035
- Rule IDs
-
- SV-205742r958726_rule
- SV-103123
Checks: C-6007r355144_chk
This applies to domain controllers. It is NA for other systems. Review the permissions on the Domain Controllers OU. Open "Active Directory Users and Computers" (available from various menus or run "dsa.msc"). Select "Advanced Features" in the "View" menu if not previously selected. Select the "Domain Controllers" OU (folder in folder icon). Right-click and select "Properties". Select the "Security" tab. If the permissions on the Domain Controllers OU do not restrict changes to System, Domain Admins, Enterprise Admins and Administrators, this is a finding. The default permissions listed below satisfy this requirement. Domains supporting Microsoft Exchange will have additional Exchange related permissions on the Domain Controllers OU. These may include some change related permissions and are not a finding. The permissions shown are at the summary level. More detailed permissions can be viewed by selecting the "Advanced" button, the desired Permission entry, and the "View" or "Edit" button. Except where noted otherwise, the special permissions may include a wide range of permissions and properties and are acceptable for this requirement. CREATOR OWNER - Special permissions SELF - Special permissions Authenticated Users - Read, Special permissions The special permissions for Authenticated Users are Read types. If detailed permissions include any Create, Delete, Modify, or Write Permissions or Properties, this is a finding. SYSTEM - Full Control Domain Admins - Read, Write, Create all child objects, Generate resultant set of policy (logging), Generate resultant set of policy (planning), Special permissions Enterprise Admins - Full Control Key Admins - Special permissions Enterprise Key Admins - Special permissions Administrators - Read, Write, Create all child objects, Generate resultant set of policy (logging), Generate resultant set of policy (planning), Special permissions Pre-Windows 2000 Compatible Access - Special permissions The Special permissions for Pre-Windows 2000 Compatible Access are Read types. If detailed permissions include any Create, Delete, Modify, or Write Permissions or Properties, this is a finding. ENTERPRISE DOMAIN CONTROLLERS - Read, Special permissions
Fix: F-6007r355145_fix
Limit the permissions on the Domain Controllers OU to restrict changes to System, Domain Admins, Enterprise Admins and Administrators. The default permissions listed below satisfy this requirement. Domains supporting Microsoft Exchange will have additional Exchange related permissions on the Domain Controllers OU. These may include some change related permissions. CREATOR OWNER - Special permissions SELF - Special permissions Authenticated Users - Read, Special permissions The special permissions for Authenticated Users are Read types. SYSTEM - Full Control Domain Admins - Read, Write, Create all child objects, Generate resultant set of policy (logging), Generate resultant set of policy (planning), Special permissions Enterprise Admins - Full Control Key Admins - Special permissions Enterprise Key Admins - Special permissions Administrators - Read, Write, Create all child objects, Generate resultant set of policy (logging), Generate resultant set of policy (planning), Special permissions Pre-Windows 2000 Compatible Access - Special permissions The special permissions for Pre-Windows 2000 Compatible Access are Read types. ENTERPRISE DOMAIN CONTROLLERS - Read, Special permissions
- RMF Control
- AC-6
- Severity
- H
- CCI
- CCI-002235
- Version
- WN19-DC-000110
- Vuln IDs
-
- V-205743
- V-93037
- Rule IDs
-
- SV-205743r958726_rule
- SV-103125
Checks: C-6008r355147_chk
This applies to domain controllers. It is NA for other systems. Review the permissions on domain-defined OUs. Open "Active Directory Users and Computers" (available from various menus or run "dsa.msc"). Ensure "Advanced Features" is selected in the "View" menu. For each OU that is defined (folder in folder icon) excluding the Domain Controllers OU: Right-click the OU and select "Properties". Select the "Security" tab. If the Allow type permissions on the OU are not at least as restrictive as those below, this is a finding. The permissions shown are at the summary level. More detailed permissions can be viewed by selecting the "Advanced" button, the desired Permission entry, and the "Edit" or "View" button. Except where noted otherwise, the special permissions may include a wide range of permissions and properties and are acceptable for this requirement. CREATOR OWNER - Special permissions Self - Special permissions Authenticated Users - Read, Special permissions The Special permissions for Authenticated Users are Read type. If detailed permissions include any Create, Delete, Modify, or Write Permissions or Properties, this is a finding. SYSTEM - Full Control Domain Admins - Full Control Enterprise Admins - Full Control Key Admins - Special permissions Enterprise Key Admins - Special permissions Administrators - Read, Write, Create all child objects, Generate resultant set of policy (logging), Generate resultant set of policy (planning), Special permissions Pre-Windows 2000 Compatible Access - Special permissions The Special permissions for Pre-Windows 2000 Compatible Access are for Read types. If detailed permissions include any Create, Delete, Modify, or Write Permissions or Properties, this is a finding. ENTERPRISE DOMAIN CONTROLLERS - Read, Special permissions If an ISSO-approved distributed administration model (help desk or other user support staff) is implemented, permissions above Read may be allowed for groups documented by the ISSO. If any OU with improper permissions includes identification or authentication data (e.g., accounts, passwords, or password hash data) used by systems to determine access control, the severity is CAT I (e.g., OUs that include user accounts, including service/application accounts). If an OU with improper permissions does not include identification and authentication data used by systems to determine access control, the severity is CAT II (e.g., Workstation, Printer OUs).
Fix: F-6008r355148_fix
Maintain the Allow type permissions on domain-defined OUs to be at least as restrictive as the defaults below. Document any additional permissions above Read with the ISSO if an approved distributed administration model (help desk or other user support staff) is implemented. CREATOR OWNER - Special permissions Self - Special permissions Authenticated Users - Read, Special permissions The special permissions for Authenticated Users are Read type. SYSTEM - Full Control Domain Admins - Full Control Enterprise Admins - Full Control Key Admins - Special permissions Enterprise Key Admins - Special permissions Administrators - Read, Write, Create all child objects, Generate resultant set of policy (logging), Generate resultant set of policy (planning), Special permissions Pre-Windows 2000 Compatible Access - Special permissions The special permissions for Pre-Windows 2000 Compatible Access are for Read types. ENTERPRISE DOMAIN CONTROLLERS - Read, Special permissions
- RMF Control
- AC-6
- Severity
- M
- CCI
- CCI-002235
- Version
- WN19-DC-000350
- Vuln IDs
-
- V-205744
- V-93039
- Rule IDs
-
- SV-205744r958726_rule
- SV-103127
Checks: C-6009r355150_chk
This applies to domain controllers. It is NA for other systems. Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If any accounts or groups other than the following are granted the "Add workstations to domain" right, this is a finding. - Administrators For server core installations, run the following command: Secedit /Export /Areas User_Rights /cfg c:\path\filename.txt Review the text file. If any SIDs other than the following are granted the "SeMachineAccountPrivilege" user right, this is a finding. S-1-5-32-544 (Administrators)
Fix: F-6009r355151_fix
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Add workstations to domain" to include only the following accounts or groups: - Administrators
- RMF Control
- AC-6
- Severity
- M
- CCI
- CCI-002235
- Version
- WN19-DC-000420
- Vuln IDs
-
- V-205745
- V-93041
- Rule IDs
-
- SV-205745r958726_rule
- SV-103129
Checks: C-6010r355153_chk
This applies to domain controllers. A separate version applies to other systems. Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If any accounts or groups other than the following are granted the "Enable computer and user accounts to be trusted for delegation" user right, this is a finding. - Administrators For server core installations, run the following command: Secedit /Export /Areas User_Rights /cfg c:\path\filename.txt Review the text file. If any SIDs other than the following are granted the "SeEnableDelegationPrivilege" user right, this is a finding. S-1-5-32-544 (Administrators)
Fix: F-6010r355154_fix
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Enable computer and user accounts to be trusted for delegation" to include only the following accounts or groups: - Administrators
- RMF Control
- AC-6
- Severity
- H
- CCI
- CCI-002235
- Version
- WN19-MS-000010
- Vuln IDs
-
- V-205746
- V-93043
- Rule IDs
-
- SV-205746r958726_rule
- SV-103131
Checks: C-6011r857316_chk
This applies to member servers and standalone or nondomain-joined systems. A separate version applies to domain controllers. Open "Computer Management". Navigate to "Groups" under "Local Users and Groups". Review the local "Administrators" group. Only administrator groups or accounts responsible for administration of the system may be members of the group. For domain-joined member servers, the Domain Admins group must be replaced by a domain member server administrator group. Standard user accounts must not be members of the local Administrator group. If accounts that do not have responsibility for administration of the system are members of the local Administrators group, this is a finding. If the built-in Administrator account or other required administrative accounts are found on the system, this is not a finding.
Fix: F-6011r355157_fix
Configure the local "Administrators" group to include only administrator groups or accounts responsible for administration of the system. For domain-joined member servers, replace the Domain Admins group with a domain member server administrator group. Remove any standard user accounts.
- RMF Control
- AC-6
- Severity
- M
- CCI
- CCI-002235
- Version
- WN19-MS-000060
- Vuln IDs
-
- V-205747
- V-93045
- Rule IDs
-
- SV-205747r1106518_rule
- SV-103133
Checks: C-6012r857327_chk
This applies to member servers and standalone or nondomain-joined systems. It is NA for domain controllers. If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Control\Lsa\ Value Name: RestrictRemoteSAM Value Type: REG_SZ Value: O:BAG:BAD:(A;;RC;;;BA)
Fix: F-6012r1106517_fix
Navigate to the policy Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Network access: Restrict clients allowed to make remote calls to SAM". Select "Edit Security" to configure the "Security descriptor:". Add "Administrators" in "Group or user names:" if it is not already listed (this is the default). Select "Administrators" in "Group or user names:". Select "Allow" for "Remote Access" in "Permissions for "Administrators". Click "OK". The "Security descriptor:" must be populated with "O:BAG:BAD:(A;;RC;;;BA) for the policy to be enforced. If an application requires this user right, this is not a finding. Vendor documentation must support the requirement for having the user right. The requirement must be documented and approved by the information system security officer (ISSO).
- RMF Control
- AC-6
- Severity
- M
- CCI
- CCI-002235
- Version
- WN19-MS-000130
- Vuln IDs
-
- V-205748
- V-93047
- Rule IDs
-
- SV-205748r958726_rule
- SV-103135
Checks: C-6013r857340_chk
This applies to member servers and standalone or nondomain-joined systems. A separate version applies to domain controllers. Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If any accounts or groups are granted the "Enable computer and user accounts to be trusted for delegation" user right, this is a finding. For server core installations, run the following command: Secedit /Export /Areas User_Rights /cfg c:\path\filename.txt Review the text file. If any SIDs are granted the "SeEnableDelegationPrivilege" user right, this is a finding.
Fix: F-6013r355163_fix
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Enable computer and user accounts to be trusted for delegation" to be defined but containing no entries (blank).
- RMF Control
- AC-6
- Severity
- M
- CCI
- CCI-002235
- Version
- WN19-UR-000010
- Vuln IDs
-
- V-205749
- V-93049
- Rule IDs
-
- SV-205749r958726_rule
- SV-103137
Checks: C-6014r355165_chk
Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If any accounts or groups are granted the "Access Credential Manager as a trusted caller" user right, this is a finding. For server core installations, run the following command: Secedit /Export /Areas User_Rights /cfg c:\path\filename.txt Review the text file. If any SIDs are granted the "SeTrustedCredManAccessPrivilege" user right, this is a finding.
Fix: F-6014r355166_fix
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Access Credential Manager as a trusted caller" to be defined but containing no entries (blank).
- RMF Control
- AC-6
- Severity
- H
- CCI
- CCI-002235
- Version
- WN19-UR-000020
- Vuln IDs
-
- V-205750
- V-93051
- Rule IDs
-
- SV-205750r958726_rule
- SV-103139
Checks: C-6015r355168_chk
Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If any accounts or groups (to include administrators), are granted the "Act as part of the operating system" user right, this is a finding. For server core installations, run the following command: Secedit /Export /Areas User_Rights /cfg c:\path\filename.txt Review the text file. If any SIDs are granted the "SeTcbPrivilege" user right, this is a finding. If an application requires this user right, this would not be a finding. Vendor documentation must support the requirement for having the user right. The requirement must be documented with the ISSO. The application account must meet requirements for application account passwords, such as length (WN19-00-000050) and required frequency of changes (WN19-00-000060). Passwords for accounts with this user right must be protected as highly privileged accounts.
Fix: F-6015r355169_fix
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Act as part of the operating system" to be defined but containing no entries (blank).
- RMF Control
- AC-6
- Severity
- M
- CCI
- CCI-002235
- Version
- WN19-UR-000040
- Vuln IDs
-
- V-205751
- V-93053
- Rule IDs
-
- SV-205751r958726_rule
- SV-103141
Checks: C-6016r355171_chk
Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If any accounts or groups other than the following are granted the "Back up files and directories" user right, this is a finding: - Administrators For server core installations, run the following command: Secedit /Export /Areas User_Rights /cfg c:\path\filename.txt Review the text file. If any SIDs other than the following are granted the "SeBackupPrivilege" user right, this is a finding: S-1-5-32-544 (Administrators) If an application requires this user right, this would not be a finding. Vendor documentation must support the requirement for having the user right. The requirement must be documented with the ISSO. The application account must meet requirements for application account passwords, such as length (WN19-00-000050) and required frequency of changes (WN19-00-000060).
Fix: F-6016r355172_fix
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Back up files and directories" to include only the following accounts or groups: - Administrators
- RMF Control
- AC-6
- Severity
- M
- CCI
- CCI-002235
- Version
- WN19-UR-000050
- Vuln IDs
-
- V-205752
- V-93055
- Rule IDs
-
- SV-205752r958726_rule
- SV-103143
Checks: C-6017r355174_chk
Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If any accounts or groups other than the following are granted the "Create a pagefile" user right, this is a finding: - Administrators For server core installations, run the following command: Secedit /Export /Areas User_Rights /cfg c:\path\filename.txt Review the text file. If any SIDs other than the following are granted the "SeCreatePagefilePrivilege" user right, this is a finding: S-1-5-32-544 (Administrators)
Fix: F-6017r355175_fix
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Create a pagefile" to include only the following accounts or groups: - Administrators
- RMF Control
- AC-6
- Severity
- H
- CCI
- CCI-002235
- Version
- WN19-UR-000060
- Vuln IDs
-
- V-205753
- V-93057
- Rule IDs
-
- SV-205753r958726_rule
- SV-103145
Checks: C-6018r355177_chk
Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If any accounts or groups are granted the "Create a token object" user right, this is a finding. For server core installations, run the following command: Secedit /Export /Areas User_Rights /cfg c:\path\filename.txt Review the text file. If any SIDs are granted the "SeCreateTokenPrivilege" user right, this is a finding. If an application requires this user right, this would not be a finding. Vendor documentation must support the requirement for having the user right. The requirement must be documented with the ISSO. The application account must meet requirements for application account passwords, such as length (WN19-00-000050) and required frequency of changes (WN19-00-000060). Passwords for application accounts with this user right must be protected as highly privileged accounts.
Fix: F-6018r355178_fix
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Create a token object" to be defined but containing no entries (blank).
- RMF Control
- AC-6
- Severity
- M
- CCI
- CCI-002235
- Version
- WN19-UR-000070
- Vuln IDs
-
- V-205754
- V-93059
- Rule IDs
-
- SV-205754r958726_rule
- SV-103147
Checks: C-6019r355180_chk
Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If any accounts or groups other than the following are granted the "Create global objects" user right, this is a finding: - Administrators - Service - Local Service - Network Service For server core installations, run the following command: Secedit /Export /Areas User_Rights /cfg c:\path\filename.txt Review the text file. If any SIDs other than the following are granted the "SeCreateGlobalPrivilege" user right, this is a finding: S-1-5-32-544 (Administrators) S-1-5-6 (Service) S-1-5-19 (Local Service) S-1-5-20 (Network Service) If an application requires this user right, this would not be a finding. Vendor documentation must support the requirement for having the user right. The requirement must be documented with the ISSO. The application account must meet requirements for application account passwords, such as length (WN19-00-000050) and required frequency of changes (WN19-00-000060).
Fix: F-6019r355181_fix
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Create global objects" to include only the following accounts or groups: - Administrators - Service - Local Service - Network Service
- RMF Control
- AC-6
- Severity
- M
- CCI
- CCI-002235
- Version
- WN19-UR-000080
- Vuln IDs
-
- V-205755
- V-93061
- Rule IDs
-
- SV-205755r958726_rule
- SV-103149
Checks: C-6020r355183_chk
Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If any accounts or groups are granted the "Create permanent shared objects" user right, this is a finding. For server core installations, run the following command: Secedit /Export /Areas User_Rights /cfg c:\path\filename.txt Review the text file. If any SIDs are granted the "SeCreatePermanentPrivilege" user right, this is a finding.
Fix: F-6020r355184_fix
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Create permanent shared objects" to be defined but containing no entries (blank).
- RMF Control
- AC-6
- Severity
- M
- CCI
- CCI-002235
- Version
- WN19-UR-000090
- Vuln IDs
-
- V-205756
- V-93063
- Rule IDs
-
- SV-205756r958726_rule
- SV-103151
Checks: C-6021r355186_chk
Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If any accounts or groups other than the following are granted the "Create symbolic links" user right, this is a finding: - Administrators For server core installations, run the following command: Secedit /Export /Areas User_Rights /cfg c:\path\filename.txt Review the text file. If any SIDs other than the following are granted the "SeCreateSymbolicLinkPrivilege" user right, this is a finding: S-1-5-32-544 (Administrators) Systems that have the Hyper-V role will also have "Virtual Machines" given this user right (this may be displayed as "NT Virtual Machine\Virtual Machines", SID S-1-5-83-0). This is not a finding.
Fix: F-6021r355187_fix
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Create symbolic links" to include only the following accounts or groups: - Administrators Systems that have the Hyper-V role will also have "Virtual Machines" given this user right. If this needs to be added manually, enter it as "NT Virtual Machine\Virtual Machines".
- RMF Control
- AC-6
- Severity
- H
- CCI
- CCI-002235
- Version
- WN19-UR-000100
- Vuln IDs
-
- V-205757
- V-93065
- Rule IDs
-
- SV-205757r958726_rule
- SV-103153
Checks: C-6022r355189_chk
Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If any accounts or groups other than the following are granted the "Debug programs" user right, this is a finding: - Administrators For server core installations, run the following command: Secedit /Export /Areas User_Rights /cfg c:\path\filename.txt Review the text file. If any SIDs other than the following are granted the "SeDebugPrivilege" user right, this is a finding: S-1-5-32-544 (Administrators) If an application requires this user right, this would not be a finding. Vendor documentation must support the requirement for having the user right. The requirement must be documented with the ISSO. The application account must meet requirements for application account passwords, such as length (WN19-00-000050) and required frequency of changes (WN19-00-000060). Passwords for application accounts with this user right must be protected as highly privileged accounts.
Fix: F-6022r355190_fix
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Debug programs" to include only the following accounts or groups: - Administrators
- RMF Control
- AC-6
- Severity
- M
- CCI
- CCI-002235
- Version
- WN19-UR-000110
- Vuln IDs
-
- V-205758
- V-93067
- Rule IDs
-
- SV-205758r958726_rule
- SV-103155
Checks: C-6023r355192_chk
Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If any accounts or groups other than the following are granted the "Force shutdown from a remote system" user right, this is a finding: - Administrators For server core installations, run the following command: Secedit /Export /Areas User_Rights /cfg c:\path\filename.txt Review the text file. If any SIDs other than the following are granted the "SeRemoteShutdownPrivilege" user right, this is a finding: S-1-5-32-544 (Administrators)
Fix: F-6023r355193_fix
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Force shutdown from a remote system" to include only the following accounts or groups: - Administrators
- RMF Control
- AC-6
- Severity
- M
- CCI
- CCI-002235
- Version
- WN19-UR-000120
- Vuln IDs
-
- V-205759
- V-93069
- Rule IDs
-
- SV-205759r958726_rule
- SV-103157
Checks: C-6024r355195_chk
Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If any accounts or groups other than the following are granted the "Generate security audits" user right, this is a finding: - Local Service - Network Service For server core installations, run the following command: Secedit /Export /Areas User_Rights /cfg c:\path\filename.txt Review the text file. If any SIDs other than the following are granted the "SeAuditPrivilege" user right, this is a finding: S-1-5-19 (Local Service) S-1-5-20 (Network Service) If an application requires this user right, this would not be a finding. Vendor documentation must support the requirement for having the user right. The requirement must be documented with the ISSO. The application account must meet requirements for application account passwords, such as length (WN19-00-000050) and required frequency of changes (WN19-00-000060).
Fix: F-6024r355196_fix
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Generate security audits" to include only the following accounts or groups: - Local Service - Network Service
- RMF Control
- AC-6
- Severity
- M
- CCI
- CCI-002235
- Version
- WN19-UR-000130
- Vuln IDs
-
- V-205760
- V-93071
- Rule IDs
-
- SV-205760r958726_rule
- SV-103159
Checks: C-6025r355198_chk
Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If any accounts or groups other than the following are granted the "Impersonate a client after authentication" user right, this is a finding: - Administrators - Service - Local Service - Network Service For server core installations, run the following command: Secedit /Export /Areas User_Rights /cfg c:\path\filename.txt Review the text file. If any SIDs other than the following are granted the "SeImpersonatePrivilege" user right, this is a finding: S-1-5-32-544 (Administrators) S-1-5-6 (Service) S-1-5-19 (Local Service) S-1-5-20 (Network Service) If an application requires this user right, this would not be a finding. Vendor documentation must support the requirement for having the user right. The requirement must be documented with the ISSO. The application account must meet requirements for application account passwords, such as length (WN19-00-000050) and required frequency of changes (WN19-00-000060).
Fix: F-6025r355199_fix
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Impersonate a client after authentication" to include only the following accounts or groups: - Administrators - Service - Local Service - Network Service
- RMF Control
- AC-6
- Severity
- M
- CCI
- CCI-002235
- Version
- WN19-UR-000140
- Vuln IDs
-
- V-205761
- V-93073
- Rule IDs
-
- SV-205761r958726_rule
- SV-103161
Checks: C-6026r355201_chk
Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If any accounts or groups other than the following are granted the "Increase scheduling priority" user right, this is a finding: - Administrators For server core installations, run the following command: Secedit /Export /Areas User_Rights /cfg c:\path\filename.txt Review the text file. If any SIDs other than the following are granted the "SeIncreaseBasePriorityPrivilege" user right, this is a finding: S-1-5-32-544 (Administrators) If an application requires this user right, this would not be a finding. Vendor documentation must support the requirement for having the user right. The requirement must be documented with the ISSO. The application account must meet requirements for application account passwords, such as length (WN19-00-000050) and required frequency of changes (WN19-00-000060).
Fix: F-6026r355202_fix
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Increase scheduling priority" to include only the following accounts or groups: - Administrators
- RMF Control
- AC-6
- Severity
- M
- CCI
- CCI-002235
- Version
- WN19-UR-000150
- Vuln IDs
-
- V-205762
- V-93075
- Rule IDs
-
- SV-205762r958726_rule
- SV-103163
Checks: C-6027r355204_chk
Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If any accounts or groups other than the following are granted the "Load and unload device drivers" user right, this is a finding: - Administrators For server core installations, run the following command: Secedit /Export /Areas User_Rights /cfg c:\path\filename.txt Review the text file. If any SIDs other than the following are granted the "SeLoadDriverPrivilege" user right, this is a finding: S-1-5-32-544 (Administrators)
Fix: F-6027r355205_fix
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Load and unload device drivers" to include only the following accounts or groups: - Administrators
- RMF Control
- AC-6
- Severity
- M
- CCI
- CCI-002235
- Version
- WN19-UR-000160
- Vuln IDs
-
- V-205763
- V-93077
- Rule IDs
-
- SV-205763r958726_rule
- SV-103165
Checks: C-6028r355207_chk
Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If any accounts or groups are granted the "Lock pages in memory" user right, this is a finding. For server core installations, run the following command: Secedit /Export /Areas User_Rights /cfg c:\path\filename.txt Review the text file. If any SIDs are granted the "SeLockMemoryPrivilege" user right, this is a finding. If an application requires this user right, this would not be a finding. Vendor documentation must support the requirement for having the user right. The requirement must be documented with the ISSO. The application account must meet requirements for application account passwords, such as length (WN19-00-000050) and required frequency of changes (WN19-00-000060).
Fix: F-6028r355208_fix
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Lock pages in memory" to be defined but containing no entries (blank).
- RMF Control
- AC-6
- Severity
- M
- CCI
- CCI-002235
- Version
- WN19-UR-000180
- Vuln IDs
-
- V-205764
- V-93079
- Rule IDs
-
- SV-205764r958726_rule
- SV-103167
Checks: C-6029r355210_chk
Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If any accounts or groups other than the following are granted the "Modify firmware environment values" user right, this is a finding: - Administrators For server core installations, run the following command: Secedit /Export /Areas User_Rights /cfg c:\path\filename.txt Review the text file. If any SIDs other than the following are granted the "SeSystemEnvironmentPrivilege" user right, this is a finding: S-1-5-32-544 (Administrators)
Fix: F-6029r355211_fix
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Modify firmware environment values" to include only the following accounts or groups: - Administrators
- RMF Control
- AC-6
- Severity
- M
- CCI
- CCI-002235
- Version
- WN19-UR-000190
- Vuln IDs
-
- V-205765
- V-93081
- Rule IDs
-
- SV-205765r958726_rule
- SV-103169
Checks: C-6030r355213_chk
Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If any accounts or groups other than the following are granted the "Perform volume maintenance tasks" user right, this is a finding: - Administrators For server core installations, run the following command: Secedit /Export /Areas User_Rights /cfg c:\path\filename.txt Review the text file. If any SIDs other than the following are granted the "SeManageVolumePrivilege" user right, this is a finding: S-1-5-32-544 (Administrators)
Fix: F-6030r355214_fix
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Perform volume maintenance tasks" to include only the following accounts or groups: - Administrators
- RMF Control
- AC-6
- Severity
- M
- CCI
- CCI-002235
- Version
- WN19-UR-000200
- Vuln IDs
-
- V-205766
- V-93083
- Rule IDs
-
- SV-205766r958726_rule
- SV-103171
Checks: C-6031r355216_chk
Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If any accounts or groups other than the following are granted the "Profile single process" user right, this is a finding: - Administrators For server core installations, run the following command: Secedit /Export /Areas User_Rights /cfg c:\path\filename.txt Review the text file. If any SIDs other than the following are granted the "SeProfileSingleProcessPrivilege" user right, this is a finding: S-1-5-32-544 (Administrators)
Fix: F-6031r355217_fix
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Profile single process" to include only the following accounts or groups: - Administrators
- RMF Control
- AC-6
- Severity
- M
- CCI
- CCI-002235
- Version
- WN19-UR-000210
- Vuln IDs
-
- V-205767
- V-93085
- Rule IDs
-
- SV-205767r958726_rule
- SV-103173
Checks: C-6032r355219_chk
Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If any accounts or groups other than the following are granted the "Restore files and directories" user right, this is a finding: - Administrators For server core installations, run the following command: Secedit /Export /Areas User_Rights /cfg c:\path\filename.txt Review the text file. If any SIDs other than the following are granted the "SeRestorePrivilege" user right, this is a finding: S-1-5-32-544 (Administrators) If an application requires this user right, this would not be a finding. Vendor documentation must support the requirement for having the user right. The requirement must be documented with the ISSO. The application account must meet requirements for application account passwords, such as length (WN19-00-000050) and required frequency of changes (WN19-00-000060).
Fix: F-6032r355220_fix
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Restore files and directories" to include only the following accounts or groups: - Administrators
- RMF Control
- AC-6
- Severity
- M
- CCI
- CCI-002235
- Version
- WN19-UR-000220
- Vuln IDs
-
- V-205768
- V-93087
- Rule IDs
-
- SV-205768r958726_rule
- SV-103175
Checks: C-6033r355222_chk
Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If any accounts or groups other than the following are granted the "Take ownership of files or other objects" user right, this is a finding: - Administrators For server core installations, run the following command: Secedit /Export /Areas User_Rights /cfg c:\path\filename.txt Review the text file. If any SIDs other than the following are granted the "SeTakeOwnershipPrivilege" user right, this is a finding: S-1-5-32-544 (Administrators) If an application requires this user right, this would not be a finding. Vendor documentation must support the requirement for having the user right. The requirement must be documented with the ISSO. The application account must meet requirements for application account passwords, such as length (WN19-00-000050) and required frequency of changes (WN19-00-000060).
Fix: F-6033r355223_fix
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Take ownership of files or other objects" to include only the following accounts or groups: - Administrators
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- WN19-AU-000090
- Vuln IDs
-
- V-205769
- V-93089
- Rule IDs
-
- SV-205769r958732_rule
- SV-103177
Checks: C-6034r355225_chk
Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. Use the "AuditPol" tool to review the current Audit Policy configuration: Open "PowerShell" or a "Command Prompt" with elevated privileges ("Run as administrator"). Enter "AuditPol /get /category:*" Compare the "AuditPol" settings with the following: If the system does not audit the following, this is a finding: Account Management >> Other Account Management Events - Success
Fix: F-6034r355226_fix
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Account Management >> "Audit Other Account Management Events" with "Success" selected.
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- WN19-AU-000140
- Vuln IDs
-
- V-205770
- V-93091
- Rule IDs
-
- SV-205770r958732_rule
- SV-103179
Checks: C-6035r355228_chk
Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. Use the "AuditPol" tool to review the current Audit Policy configuration: Open "PowerShell" or a "Command Prompt" with elevated privileges ("Run as administrator"). Enter "AuditPol /get /category:*" Compare the "AuditPol" settings with the following: If the system does not audit the following, this is a finding. Detailed Tracking >> Process Creation - Success
Fix: F-6035r355229_fix
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Detailed Tracking >> "Audit Process Creation" with "Success" selected.
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- WN19-AU-000260
- Vuln IDs
-
- V-205771
- V-93093
- Rule IDs
-
- SV-205771r958732_rule
- SV-103181
Checks: C-6036r355231_chk
Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. Use the "AuditPol" tool to review the current Audit Policy configuration: Open "PowerShell" or a "Command Prompt" with elevated privileges ("Run as administrator"). Enter "AuditPol /get /category:*" Compare the "AuditPol" settings with the following: If the system does not audit the following, this is a finding. Policy Change >> Audit Policy Change - Success
Fix: F-6036r355232_fix
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Policy Change >> "Audit Audit Policy Change" with "Success" selected.
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- WN19-AU-000270
- Vuln IDs
-
- V-205772
- V-93095
- Rule IDs
-
- SV-205772r958732_rule
- SV-103183
Checks: C-6037r355234_chk
Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. Use the "AuditPol" tool to review the current Audit Policy configuration: Open "PowerShell" or a "Command Prompt" with elevated privileges ("Run as administrator"). Enter "AuditPol /get /category:*" Compare the "AuditPol" settings with the following: If the system does not audit the following, this is a finding. Policy Change >> Audit Policy Change - Failure
Fix: F-6037r355235_fix
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Policy Change >> "Audit Audit Policy Change" with "Failure" selected.
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- WN19-AU-000280
- Vuln IDs
-
- V-205773
- V-93097
- Rule IDs
-
- SV-205773r958732_rule
- SV-103185
Checks: C-6038r355237_chk
Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. Use the "AuditPol" tool to review the current Audit Policy configuration: Open "PowerShell" or a "Command Prompt" with elevated privileges ("Run as administrator"). Enter "AuditPol /get /category:*" Compare the "AuditPol" settings with the following: If the system does not audit the following, this is a finding. Policy Change >> Authentication Policy Change - Success
Fix: F-6038r355238_fix
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Policy Change >> "Audit Authentication Policy Change" with "Success" selected.
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- WN19-AU-000290
- Vuln IDs
-
- V-205774
- V-93099
- Rule IDs
-
- SV-205774r958732_rule
- SV-103187
Checks: C-6039r355240_chk
Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. Use the "AuditPol" tool to review the current Audit Policy configuration: Open "PowerShell" or a "Command Prompt" with elevated privileges ("Run as administrator"). Enter "AuditPol /get /category:*" Compare the "AuditPol" settings with the following: If the system does not audit the following, this is a finding. Policy Change >> Authorization Policy Change - Success
Fix: F-6039r355241_fix
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Policy Change >> "Audit Authorization Policy Change" with "Success" selected.
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- WN19-AU-000300
- Vuln IDs
-
- V-205775
- V-93101
- Rule IDs
-
- SV-205775r958732_rule
- SV-103189
Checks: C-6040r355243_chk
Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. Use the "AuditPol" tool to review the current Audit Policy configuration: Open "PowerShell" or a "Command Prompt" with elevated privileges ("Run as administrator"). Enter "AuditPol /get /category:*" Compare the "AuditPol" settings with the following: If the system does not audit the following, this is a finding. Privilege Use >> Sensitive Privilege Use - Success
Fix: F-6040r355244_fix
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Privilege Use >> "Audit Sensitive Privilege Use" with "Success" selected.
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- WN19-AU-000310
- Vuln IDs
-
- V-205776
- V-93103
- Rule IDs
-
- SV-205776r958732_rule
- SV-103191
Checks: C-6041r355246_chk
Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. Use the "AuditPol" tool to review the current Audit Policy configuration: Open "PowerShell" or a "Command Prompt" with elevated privileges ("Run as administrator"). Enter "AuditPol /get /category:*" Compare the "AuditPol" settings with the following: If the system does not audit the following, this is a finding. Privilege Use >> Sensitive Privilege Use - Failure
Fix: F-6041r355247_fix
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Privilege Use >> "Audit Sensitive Privilege Use" with "Failure" selected.
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- WN19-AU-000320
- Vuln IDs
-
- V-205777
- V-93105
- Rule IDs
-
- SV-205777r958732_rule
- SV-103193
Checks: C-6042r355249_chk
Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. Use the "AuditPol" tool to review the current Audit Policy configuration: Open "PowerShell" or a "Command Prompt" with elevated privileges ("Run as administrator"). Enter "AuditPol /get /category:*" Compare the "AuditPol" settings with the following: If the system does not audit the following, this is a finding. System >> IPsec Driver - Success
Fix: F-6042r355250_fix
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> System >> "Audit IPsec Driver" with "Success" selected.
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- WN19-AU-000330
- Vuln IDs
-
- V-205778
- V-93107
- Rule IDs
-
- SV-205778r958732_rule
- SV-103195
Checks: C-6043r355252_chk
Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. Use the "AuditPol" tool to review the current Audit Policy configuration: Open "PowerShell" or a "Command Prompt" with elevated privileges ("Run as administrator"). Enter "AuditPol /get /category:*" Compare the "AuditPol" settings with the following: If the system does not audit the following, this is a finding. System >> IPsec Driver - Failure
Fix: F-6043r355253_fix
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> System >> "Audit IPsec Driver" with "Failure" selected.
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- WN19-AU-000340
- Vuln IDs
-
- V-205779
- V-93109
- Rule IDs
-
- SV-205779r958732_rule
- SV-103197
Checks: C-6044r355699_chk
Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. Use the "AuditPol" tool to review the current Audit Policy configuration: Open "PowerShell" or a "Command Prompt" with elevated privileges ("Run as administrator"). Enter "AuditPol /get /category:*" Compare the "AuditPol" settings with the following: If the system does not audit the following, this is a finding. System >> Other System Events - Success
Fix: F-6044r355700_fix
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> System >> "Audit Other System Events" with "Success" selected.
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- WN19-AU-000350
- Vuln IDs
-
- V-205780
- V-93111
- Rule IDs
-
- SV-205780r958732_rule
- SV-103199
Checks: C-6045r355702_chk
Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. Use the "AuditPol" tool to review the current Audit Policy configuration: Open "PowerShell" or a "Command Prompt" with elevated privileges ("Run as administrator"). Enter "AuditPol /get /category:*" Compare the "AuditPol" settings with the following: If the system does not audit the following, this is a finding. System >> Other System Events - Failure
Fix: F-6045r355703_fix
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> System >> "Audit Other System Events" with "Failure" selected.
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- WN19-AU-000360
- Vuln IDs
-
- V-205781
- V-93113
- Rule IDs
-
- SV-205781r958732_rule
- SV-103201
Checks: C-6046r355705_chk
Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. Use the "AuditPol" tool to review the current Audit Policy configuration: Open "PowerShell" or a "Command Prompt" with elevated privileges ("Run as administrator"). Enter "AuditPol /get /category:*" Compare the "AuditPol" settings with the following: If the system does not audit the following, this is a finding. System >> Security State Change - Success
Fix: F-6046r355706_fix
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> System >> "Audit Security State Change" with "Success" selected.
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- WN19-AU-000370
- Vuln IDs
-
- V-205782
- V-93115
- Rule IDs
-
- SV-205782r958732_rule
- SV-103203
Checks: C-6047r355708_chk
Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. Use the "AuditPol" tool to review the current Audit Policy configuration: Open "PowerShell" or a "Command Prompt" with elevated privileges ("Run as administrator"). Enter "AuditPol /get /category:*" Compare the "AuditPol" settings with the following: If the system does not audit the following, this is a finding. System >> Security System Extension - Success
Fix: F-6047r355709_fix
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> System >> "Audit Security System Extension" with "Success" selected.
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- WN19-AU-000380
- Vuln IDs
-
- V-205783
- V-93117
- Rule IDs
-
- SV-205783r958732_rule
- SV-103205
Checks: C-6048r355711_chk
Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. Use the "AuditPol" tool to review the current Audit Policy configuration: Open "PowerShell" or a "Command Prompt" with elevated privileges ("Run as administrator"). Enter "AuditPol /get /category:*" Compare the "AuditPol" settings with the following: If the system does not audit the following, this is a finding. System >> System Integrity - Success
Fix: F-6048r355712_fix
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> System >> "Audit System Integrity" with "Success" selected.
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- WN19-AU-000390
- Vuln IDs
-
- V-205784
- V-93119
- Rule IDs
-
- SV-205784r958732_rule
- SV-103207
Checks: C-6049r355714_chk
Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. Use the "AuditPol" tool to review the current Audit Policy configuration: Open "PowerShell" or a "Command Prompt" with elevated privileges ("Run as administrator"). Enter "AuditPol /get /category:*" Compare the "AuditPol" settings with the following: If the system does not audit the following, this is a finding. System >> System Integrity - Failure
Fix: F-6049r355715_fix
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> System >> "Audit System Integrity" with "Failure" selected.
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- WN19-DC-000170
- Vuln IDs
-
- V-205785
- V-93121
- Rule IDs
-
- SV-205785r958732_rule
- SV-103209
Checks: C-6050r355717_chk
This applies to domain controllers. It is NA for other systems. Review the auditing configuration for all Group Policy objects. Open "Group Policy Management" (available from various menus or run "gpmc.msc"). Navigate to "Group Policy Objects" in the domain being reviewed (Forest >> Domains >> Domain). For each Group Policy object: Select the Group Policy object item in the left pane. Select the "Delegation" tab in the right pane. Select the "Advanced" button. Select the "Advanced" button again and then the "Auditing" tab. If the audit settings for any Group Policy object are not at least as inclusive as those below, this is a finding: Type - Fail Principal - Everyone Access - Full Control Applies to - This object and all descendant objects or Descendant groupPolicyContainer objects The three Success types listed below are defaults inherited from the Parent Object. Where Special is listed in the summary screens for Access, detailed Permissions are provided for reference. Type - Success Principal - Everyone Access - Special (Permissions: Write all properties, Modify permissions; Properties: all "Write" type selected) Inherited from - Parent Object Applies to - Descendant groupPolicyContainer objects Two instances with the following summary information will be listed: Type - Success Principal - Everyone Access - blank (Permissions: none selected; Properties: one instance - Write gPLink, one instance - Write gPOptions) Inherited from - Parent Object Applies to - Descendant Organization Unit Objects
Fix: F-6050r355718_fix
Configure the audit settings for Group Policy objects to include the following: This can be done at the Policy level in Active Directory to apply to all group policies. Open "Active Directory Users and Computers" (available from various menus or run "dsa.msc"). Select "Advanced Features" from the "View" Menu. Navigate to [Domain] >> System >> Policies in the left panel. Right click "Policies", select "Properties". Select the "Security" tab. Select the "Advanced" button. Select the "Auditing" tab. Type - Fail Principal - Everyone Access - Full Control Applies to - This object and all descendant objects or Descendant groupPolicyContainer objects The three Success types listed below are defaults inherited from the Parent Object. Where Special is listed in the summary screens for Access, detailed Permissions are provided for reference. Type - Success Principal - Everyone Access - Special (Permissions: Write all properties, Modify permissions; Properties: all "Write" type selected) Inherited from - Parent Object Applies to - Descendant groupPolicyContainer objects Two instances with the following summary information will be listed: Type - Success Principal - Everyone Access - blank (Permissions: none selected; Properties: one instance - Write gPLink, one instance - Write gPOptions) Inherited from - Parent Object Applies to - Descendant Organization Unit Objects
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- WN19-DC-000180
- Vuln IDs
-
- V-205786
- V-93123
- Rule IDs
-
- SV-205786r958732_rule
- SV-103211
Checks: C-6051r355720_chk
This applies to domain controllers. It is NA for other systems. Review the auditing configuration for the Domain object. Open "Active Directory Users and Computers" (available from various menus or run "dsa.msc"). Ensure "Advanced Features" is selected in the "View" menu. Select the domain being reviewed in the left pane. Right-click the domain name and select "Properties". Select the "Security" tab. Select the "Advanced" button and then the "Auditing" tab. If the audit settings on the Domain object are not at least as inclusive as those below, this is a finding: Type - Fail Principal - Everyone Access - Full Control Inherited from - None Applies to - This object only The success types listed below are defaults. Where Special is listed in the summary screens for Access, detailed Permissions are provided for reference. Various Properties selections may also exist by default. Two instances with the following summary information will be listed: Type - Success Principal - Everyone Access - (blank) Inherited from - None Applies to - Special Type - Success Principal - Domain Users Access - All extended rights Inherited from - None Applies to - This object only Type - Success Principal - Administrators Access - All extended rights Inherited from - None Applies to - This object only Type - Success Principal - Everyone Access - Special Inherited from - None Applies to - This object only (Access - Special = Permissions: Write all properties, Modify permissions, Modify owner)
Fix: F-6051r355721_fix
Open "Active Directory Users and Computers" (available from various menus or run "dsa.msc"). Ensure "Advanced Features" is selected in the "View" menu. Select the domain being reviewed in the left pane. Right-click the domain name and select "Properties". Select the "Security" tab. Select the "Advanced" button and then the "Auditing" tab. Configure the audit settings for Domain object to include the following: Type - Fail Principal - Everyone Access - Full Control Inherited from - None Applies to - This object only The success types listed below are defaults. Where Special is listed in the summary screens for Access, detailed Permissions are provided for reference. Various Properties selections may also exist by default. Two instances with the following summary information will be listed: Type - Success Principal - Everyone Access - (blank) Inherited from - None Applies to - Special Type - Success Principal - Domain Users Access - All extended rights Inherited from - None Applies to - This object only Type - Success Principal - Administrators Access - All extended rights Inherited from - None Applies to - This object only Type - Success Principal - Everyone Access - Special Inherited from - None Applies to - This object only (Access - Special = Permissions: Write all properties, Modify permissions, Modify owner.)
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- WN19-DC-000190
- Vuln IDs
-
- V-205787
- V-93125
- Rule IDs
-
- SV-205787r958732_rule
- SV-103213
Checks: C-6052r355723_chk
This applies to domain controllers. It is NA for other systems. Review the auditing configuration for Infrastructure object. Open "Active Directory Users and Computers" (available from various menus or run "dsa.msc"). Ensure "Advanced Features" is selected in the "View" menu. Select the domain being reviewed in the left pane. Right-click the "Infrastructure" object in the right pane and select "Properties". Select the "Security" tab. Select the "Advanced" button and then the "Auditing" tab. If the audit settings on the Infrastructure object are not at least as inclusive as those below, this is a finding: Type - Fail Principal - Everyone Access - Full Control Inherited from - None The success types listed below are defaults. Where Special is listed in the summary screens for Access, detailed Permissions are provided for reference. Various Properties selections may also exist by default. Type - Success Principal - Everyone Access - Special Inherited from - None (Access - Special = Permissions: Write all properties, All extended rights, Change infrastructure master) Two instances with the following summary information will be listed: Type - Success Principal - Everyone Access - (blank) Inherited from - (CN of domain)
Fix: F-6052r355724_fix
Open "Active Directory Users and Computers" (available from various menus or run "dsa.msc"). Ensure "Advanced Features" is selected in the "View" menu. Select the domain being reviewed in the left pane. Right-click the "Infrastructure" object in the right pane and select "Properties". Select the "Security" tab. Select the "Advanced" button and then the "Auditing" tab. Configure the audit settings for Infrastructure object to include the following: Type - Fail Principal - Everyone Access - Full Control Inherited from - None The success types listed below are defaults. Where Special is listed in the summary screens for Access, detailed Permissions are provided for reference. Various Properties selections may also exist by default. Type - Success Principal - Everyone Access - Special Inherited from - None (Access - Special = Permissions: Write all properties, All extended rights, Change infrastructure master) Two instances with the following summary information will be listed: Type - Success Principal - Everyone Access - (blank) Inherited from - (CN of domain)
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- WN19-DC-000200
- Vuln IDs
-
- V-205788
- V-93127
- Rule IDs
-
- SV-205788r958732_rule
- SV-103215
Checks: C-6053r355726_chk
This applies to domain controllers. It is NA for other systems. Review the auditing configuration for the Domain Controller OU object. Open "Active Directory Users and Computers" (available from various menus or run "dsa.msc"). Ensure "Advanced Features" is selected in the "View" menu. Select the "Domain Controllers OU" under the domain being reviewed in the left pane. Right-click the "Domain Controllers OU" object and select "Properties". Select the "Security" tab. Select the "Advanced" button and then the "Auditing" tab. If the audit settings on the Domain Controllers OU object are not at least as inclusive as those below, this is a finding: Type - Fail Principal - Everyone Access - Full Control Inherited from - None Applies to - This object and all descendant objects The success types listed below are defaults. Where Special is listed in the summary screens for Access, detailed Permissions are provided for reference. Various Properties selections may also exist by default. Type - Success Principal - Everyone Access - Special Inherited from - None Applies to - This object only (Access - Special = Permissions: all create, delete and modify permissions) Type - Success Principal - Everyone Access - Write all properties Inherited from - None Applies to - This object and all descendant objects Two instances with the following summary information will be listed: Type - Success Principal - Everyone Access - (blank) Inherited from - (CN of domain) Applies to - Descendant Organizational Unit objects
Fix: F-6053r355727_fix
Open "Active Directory Users and Computers" (available from various menus or run "dsa.msc"). Ensure "Advanced Features" is selected in the "View" menu. Select the "Domain Controllers OU" under the domain being reviewed in the left pane. Right-click the "Domain Controllers OU" object and select "Properties". Select the "Security" tab. Select the "Advanced" button and then the "Auditing" tab. Configure the audit settings for Domain Controllers OU object to include the following: Type - Fail Principal - Everyone Access - Full Control Inherited from - None The success types listed below are defaults. Where Special is listed in the summary screens for Access, detailed Permissions are provided for reference. Various Properties selections may also exist by default. Type - Success Principal - Everyone Access - Special Inherited from - None Applies to - This object only (Access - Special = Permissions: all create, delete and modify permissions) Type - Success Principal - Everyone Access - Write all properties Inherited from - None Applies to - This object and all descendant objects Two instances with the following summary information will be listed: Type - Success Principal - Everyone Access - (blank) Inherited from - (CN of domain) Applies to - Descendant Organizational Unit objects
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- WN19-DC-000210
- Vuln IDs
-
- V-205789
- V-93129
- Rule IDs
-
- SV-205789r958732_rule
- SV-103217
Checks: C-6054r355729_chk
This applies to domain controllers. It is NA for other systems. Review the auditing configuration for the "AdminSDHolder" object. Open "Active Directory Users and Computers" (available from various menus or run "dsa.msc"). Ensure "Advanced Features" is selected in the "View" menu. Select "System" under the domain being reviewed in the left pane. Right-click the "AdminSDHolder" object in the right pane and select "Properties". Select the "Security" tab. Select the "Advanced" button and then the "Auditing" tab. If the audit settings on the "AdminSDHolder" object are not at least as inclusive as those below, this is a finding: Type - Fail Principal - Everyone Access - Full Control Inherited from - None Applies to - This object only The success types listed below are defaults. Where Special is listed in the summary screens for Access, detailed Permissions are provided for reference. Various Properties selections may also exist by default. Type - Success Principal - Everyone Access - Special Inherited from - None Applies to - This object only (Access - Special = Write all properties, Modify permissions, Modify owner) Two instances with the following summary information will be listed: Type - Success Principal - Everyone Access - (blank) Inherited from - (CN of domain) Applies to - Descendant Organizational Unit objects
Fix: F-6054r355730_fix
Open "Active Directory Users and Computers" (available from various menus or run "dsa.msc"). Ensure "Advanced Features" is selected in the "View" menu. Select "System" under the domain being reviewed in the left pane. Right-click the "AdminSDHolder" object in the right pane and select "Properties". Select the "Security" tab. Select the "Advanced" button and then the "Auditing" tab. Configure the audit settings for AdminSDHolder object to include the following: Type - Fail Principal - Everyone Access - Full Control Inherited from - None Applies to - This object only The success types listed below are defaults. Where Special is listed in the summary screens for Access, detailed Permissions are provided for reference. Various Properties selections may also exist by default. Type - Success Principal - Everyone Access - Special Inherited from - None Applies to - This object only (Access - Special = Write all properties, Modify permissions, Modify owner) Two instances with the following summary information will be listed: Type - Success Principal - Everyone Access - (blank) Inherited from - (CN of domain) Applies to - Descendant Organizational Unit objects
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- WN19-DC-000220
- Vuln IDs
-
- V-205790
- V-93131
- Rule IDs
-
- SV-205790r958732_rule
- SV-103219
Checks: C-6055r355732_chk
This applies to domain controllers. It is NA for other systems. Review the auditing configuration for the "RID Manager$" object. Open "Active Directory Users and Computers" (available from various menus or run "dsa.msc"). Ensure "Advanced Features" is selected in the "View" menu. Select "System" under the domain being reviewed in the left pane. Right-click the "RID Manager$" object in the right pane and select "Properties". Select the "Security" tab. Select the "Advanced" button and then the "Auditing" tab. If the audit settings on the "RID Manager$" object are not at least as inclusive as those below, this is a finding: Type - Fail Principal - Everyone Access - Full Control Inherited from - None The success types listed below are defaults. Where Special is listed in the summary screens for Access, detailed Permissions are provided for reference. Various Properties selections may also exist by default. Type - Success Principal - Everyone Access - Special Inherited from - None (Access - Special = Write all properties, All extended rights, Change RID master) Two instances with the following summary information will be listed: Type - Success Principal - Everyone Access - (blank) Inherited from - (CN of domain)
Fix: F-6055r355733_fix
Open "Active Directory Users and Computers" (available from various menus or run "dsa.msc"). Ensure "Advanced Features" is selected in the "View" menu. Select "System" under the domain being reviewed in the left pane. Right-click the "RID Manager$" object in the right pane and select "Properties". Select the "Security" tab. Select the "Advanced" button and then the "Auditing" tab. Configure the audit settings for RID Manager$ object to include the following: Type - Fail Principal - Everyone Access - Full Control Inherited from - None The success types listed below are defaults. Where Special is listed in the summary screens for Access, detailed Permissions are provided for reference. Various Properties selections may also exist by default. Type - Success Principal - Everyone Access - Special Inherited from - None (Access - Special = Write all properties, All extended rights, Change RID master) Two instances with the following summary information will be listed: Type - Success Principal - Everyone Access - (blank) Inherited from - (CN of domain)
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- WN19-DC-000240
- Vuln IDs
-
- V-205791
- V-93133
- Rule IDs
-
- SV-205791r958732_rule
- SV-103221
Checks: C-6056r355735_chk
This applies to domain controllers. It is NA for other systems. Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. Use the "AuditPol" tool to review the current Audit Policy configuration: Open "PowerShell" or a "Command Prompt" with elevated privileges ("Run as administrator"). Enter "AuditPol /get /category:*" Compare the "AuditPol" settings with the following: If the system does not audit the following, this is a finding. DS Access >> Directory Service Access - Success
Fix: F-6056r355736_fix
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> DS Access >> "Directory Service Access" with "Success" selected.
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- WN19-DC-000250
- Vuln IDs
-
- V-205792
- V-93135
- Rule IDs
-
- SV-205792r958732_rule
- SV-103223
Checks: C-6057r355738_chk
This applies to domain controllers. It is NA for other systems. Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. Use the "AuditPol" tool to review the current Audit Policy configuration: Open "PowerShell" or a "Command Prompt" with elevated privileges ("Run as administrator"). Enter "AuditPol /get /category:*" Compare the "AuditPol" settings with the following: If the system does not audit the following, this is a finding. DS Access >> Directory Service Access - Failure
Fix: F-6057r355739_fix
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> DS Access >> "Directory Service Access" with "Failure" selected.
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- WN19-DC-000260
- Vuln IDs
-
- V-205793
- V-93137
- Rule IDs
-
- SV-205793r958732_rule
- SV-103225
Checks: C-6058r355741_chk
This applies to domain controllers. It is NA for other systems. Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. Use the "AuditPol" tool to review the current Audit Policy configuration: Open "PowerShell" or a "Command Prompt" with elevated privileges ("Run as administrator"). Enter "AuditPol /get /category:*" Compare the "AuditPol" settings with the following: If the system does not audit the following, this is a finding. DS Access >> Directory Service Changes - Success
Fix: F-6058r355742_fix
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> DS Access >> "Directory Service Changes" with "Success" selected.
- RMF Control
- AC-7
- Severity
- M
- CCI
- CCI-002238
- Version
- WN19-AC-000010
- Vuln IDs
-
- V-205795
- V-93145
- Rule IDs
-
- SV-205795r958736_rule
- SV-103233
Checks: C-6060r355747_chk
Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Account Lockout Policy. If the "Account lockout duration" is less than "15" minutes (excluding "0"), this is a finding. For server core installations, run the following command: Secedit /Export /Areas SecurityPolicy /CFG C:\Path\FileName.Txt If "LockoutDuration" is less than "15" (excluding "0") in the file, this is a finding. Configuring this to "0", requiring an administrator to unlock the account, is more restrictive and is not a finding.
Fix: F-6060r355748_fix
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Account Lockout Policy >> "Account lockout duration" to "15" minutes or greater. A value of "0" is also acceptable, requiring an administrator to unlock the account.
- RMF Control
- AU-4
- Severity
- M
- CCI
- CCI-001849
- Version
- WN19-CC-000270
- Vuln IDs
-
- V-205796
- V-93177
- Rule IDs
-
- SV-205796r958752_rule
- SV-103265
Checks: C-6061r355750_chk
If the system is configured to write events directly to an audit server, this is NA. If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows\EventLog\Application\ Value Name: MaxSize Type: REG_DWORD Value: 0x00008000 (32768) (or greater)
Fix: F-6061r355751_fix
Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Event Log Service >> Application >> "Specify the maximum log file size (KB)" to "Enabled" with a "Maximum Log Size (KB)" of "32768" or greater.
- RMF Control
- AU-4
- Severity
- M
- CCI
- CCI-001849
- Version
- WN19-CC-000280
- Vuln IDs
-
- V-205797
- V-93179
- Rule IDs
-
- SV-205797r1186384_rule
- SV-103267
Checks: C-6062r1186382_chk
If the system is configured to write events directly to an audit server, this is not applicable. The registry configuration setting below must be set (at least) to a value equal to the size needed to contain one week's worth of audit records in the security event log. The value used below is an example that assumes a typical week’s log size of 5GB. If the following registry value does not exist or is not configured as specified, this is a finding: Note: The following registry entry is an example; the value must equal at least one week's worth of records. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows\EventLog\Security\ Value Name: MaxSize Type: REG_DWORD Value:0x49960800 (5120000) (or greater)
Fix: F-6062r1186383_fix
Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Event Log Service >> Security >> "Specify the maximum log file size (KB)" to "Enabled" with a "Maximum Log Size (KB)" of a value that will contain one week of audit records or greater.
- RMF Control
- AU-4
- Severity
- M
- CCI
- CCI-001849
- Version
- WN19-CC-000290
- Vuln IDs
-
- V-205798
- V-93181
- Rule IDs
-
- SV-205798r958752_rule
- SV-103269
Checks: C-6063r355756_chk
If the system is configured to write events directly to an audit server, this is NA. If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows\EventLog\System\ Value Name: MaxSize Type: REG_DWORD Value: 0x00008000 (32768) (or greater)
Fix: F-6063r355757_fix
Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Event Log Service >> System >> "Specify the maximum log file size (KB)" to "Enabled" with a "Maximum Log Size (KB)" of "32768" or greater.
- RMF Control
- AU-4
- Severity
- M
- CCI
- CCI-001851
- Version
- WN19-AU-000010
- Vuln IDs
-
- V-205799
- V-93183
- Rule IDs
-
- SV-205799r958754_rule
- SV-103271
Checks: C-6064r355759_chk
Determine if a process to back up log data to a different system or media than the system being audited has been implemented. If it has not, this is a finding.
Fix: F-6064r355760_fix
Establish and implement a process for backing up log data to another system or media other than the system being audited.
- RMF Control
- Severity
- L
- CCI
- CCI-004923
- Version
- WN19-00-000440
- Vuln IDs
-
- V-205800
- V-93187
- Rule IDs
-
- SV-205800r1051077_rule
- SV-103275
Checks: C-6065r921951_chk
Review the Windows time service configuration. Open an elevated "Command Prompt" (run as administrator). Enter "W32tm /query /configuration". Domain-joined systems (excluding the domain controller with the PDC emulator role): If the value for "Type" under "NTP Client" is not "NT5DS", this is a finding. Other systems: If systems are configured with a "Type" of "NTP", including standalone or nondomain-joined systems and the domain controller with the PDC Emulator role, and do not have a DOD time server defined for "NTPServer", this is a finding. To determine the domain controller with the PDC Emulator role: Open "PowerShell". Enter "Get-ADDomain | FT PDCEmulator".
Fix: F-6065r921952_fix
Configure the system to synchronize time with an appropriate DOD time source. Domain-joined systems use NT5DS to synchronize time from other systems in the domain by default. If the system needs to be configured to an NTP server, configure the system to point to an authorized time server by setting the policy value for Computer Configuration >> Administrative Templates >> System >> Windows Time Service >> Time Providers >> "Configure Windows NTP Client" to "Enabled", and configure the "NtpServer" field to point to an appropriate DOD time server. The US Naval Observatory operates stratum 1 time servers, which are identified at: https://www.cnmoc.usff.navy.mil/Our-Commands/United-States-Naval-Observatory/Precise-Time-Department/Network-Time-Protocol-NTP/ Time synchronization will occur through a hierarchy of time servers down to the local level. Clients and lower-level servers will synchronize with an authorized time server in the hierarchy.
- RMF Control
- Severity
- M
- CCI
- CCI-003980
- Version
- WN19-CC-000420
- Vuln IDs
-
- V-205801
- V-93199
- Rule IDs
-
- SV-205801r1051078_rule
- SV-103287
Checks: C-6066r355765_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows\Installer\ Value Name: EnableUserControl Type: REG_DWORD Value: 0x00000000 (0)
Fix: F-6066r355766_fix
Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Windows Installer >> "Allow user control over installs" to "Disabled".
- RMF Control
- Severity
- H
- CCI
- CCI-003980
- Version
- WN19-CC-000430
- Vuln IDs
-
- V-205802
- V-93201
- Rule IDs
-
- SV-205802r1051079_rule
- SV-103289
Checks: C-6067r355768_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows\Installer\ Value Name: AlwaysInstallElevated Type: REG_DWORD Value: 0x00000000 (0)
Fix: F-6067r355769_fix
Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Windows Installer >> "Always install with elevated privileges" to "Disabled".
- RMF Control
- CM-3
- Severity
- M
- CCI
- CCI-001744
- Version
- WN19-00-000220
- Vuln IDs
-
- V-205803
- V-93203
- Rule IDs
-
- SV-205803r958794_rule
- SV-103291
Checks: C-6068r890521_chk
Determine whether the system is monitored for unauthorized changes to system files (e.g., *.exe, *.bat, *.com, *.cmd, and *.dll) against a baseline on a weekly basis. If system files are not monitored for unauthorized changes, this is a finding. An approved and properly configured solution will contain both a list of baselines that includes all system file locations and a file comparison task that is scheduled to run at least weekly.
Fix: F-6068r355772_fix
Monitor the system for unauthorized changes to system files (e.g., *.exe, *.bat, *.com, *.cmd, and *.dll) against a baseline on a weekly basis. This can be done with the use of various monitoring tools.
- RMF Control
- CM-7
- Severity
- H
- CCI
- CCI-001764
- Version
- WN19-CC-000210
- Vuln IDs
-
- V-205804
- V-93373
- Rule IDs
-
- SV-205804r958804_rule
- SV-103459
Checks: C-6069r355774_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows\Explorer\ Value Name: NoAutoplayfornonVolume Type: REG_DWORD Value: 0x00000001 (1)
Fix: F-6069r355775_fix
Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> AutoPlay Policies >> "Disallow Autoplay for non-volume devices" to "Enabled".
- RMF Control
- CM-7
- Severity
- H
- CCI
- CCI-001764
- Version
- WN19-CC-000220
- Vuln IDs
-
- V-205805
- V-93375
- Rule IDs
-
- SV-205805r958804_rule
- SV-103461
Checks: C-6070r355777_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ Value Name: NoAutorun Type: REG_DWORD Value: 0x00000001 (1)
Fix: F-6070r355778_fix
Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> AutoPlay Policies >> "Set the default behavior for AutoRun" to "Enabled" with "Do not execute any autorun commands" selected.
- RMF Control
- CM-7
- Severity
- H
- CCI
- CCI-001764
- Version
- WN19-CC-000230
- Vuln IDs
-
- V-205806
- V-93377
- Rule IDs
-
- SV-205806r958804_rule
- SV-103463
Checks: C-6071r355780_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ Value Name: NoDriveTypeAutoRun Type: REG_DWORD Value: 0x000000ff (255)
Fix: F-6071r355781_fix
Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> AutoPlay Policies >> "Turn off AutoPlay" to "Enabled" with "All Drives" selected.
- RMF Control
- CM-7
- Severity
- M
- CCI
- CCI-001774
- Version
- WN19-00-000080
- Vuln IDs
-
- V-205807
- V-93379
- Rule IDs
-
- SV-205807r958808_rule
- SV-103465
Checks: C-6072r890518_chk
Verify the operating system employs a deny-all, permit-by-exception policy to allow the execution of authorized software programs. If an application allowlisting program is not in use on the system, this is a finding. Configuration of allowlisting applications will vary by the program. AppLocker is an allowlisting application built into Windows Server. A deny-by-default implementation is initiated by enabling any AppLocker rules within a category, only allowing what is specified by defined rules. If AppLocker is used, perform the following to view the configuration of AppLocker: Open "PowerShell". If the AppLocker PowerShell module has not been imported previously, execute the following first: Import-Module AppLocker Execute the following command, substituting [c:\temp\file.xml] with a location and file name appropriate for the system: Get-AppLockerPolicy -Effective -XML > c:\temp\file.xml This will produce an xml file with the effective settings that can be viewed in a browser or opened in a program such as Excel for review. Implementation guidance for AppLocker is available at the following link: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-deployment-guide
Fix: F-6072r890519_fix
Configure an application allowlisting program to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. Configuration of allowlisting applications will vary by the program. AppLocker is an allowlisting application built into Windows Server. If AppLocker is used, it is configured through group policy in Computer Configuration >> Windows Settings >> Security Settings >> Application Control Policies >> AppLocker. Implementation guidance for AppLocker is available at the following link: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-deployment-guide
- RMF Control
- IA-11
- Severity
- M
- CCI
- CCI-002038
- Version
- WN19-CC-000340
- Vuln IDs
-
- V-205808
- V-93425
- Rule IDs
-
- SV-205808r1051080_rule
- SV-103511
Checks: C-6073r355786_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\ Value Name: DisablePasswordSaving Type: REG_DWORD Value: 0x00000001 (1)
Fix: F-6073r355787_fix
Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Remote Desktop Services >> Remote Desktop Connection Client >> "Do not allow passwords to be saved" to "Enabled".
- RMF Control
- IA-11
- Severity
- M
- CCI
- CCI-002038
- Version
- WN19-CC-000360
- Vuln IDs
-
- V-205809
- V-93427
- Rule IDs
-
- SV-205809r1051081_rule
- SV-103513
Checks: C-6074r355789_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\ Value Name: fPromptForPassword Type: REG_DWORD Value: 0x00000001 (1)
Fix: F-6074r355790_fix
Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Remote Desktop Services >> Remote Desktop Session Host >> Security >> "Always prompt for password upon connection" to "Enabled".
- RMF Control
- IA-11
- Severity
- M
- CCI
- CCI-002038
- Version
- WN19-CC-000520
- Vuln IDs
-
- V-205810
- V-93429
- Rule IDs
-
- SV-205810r1051082_rule
- SV-103515
Checks: C-6075r355792_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\ Value Name: DisableRunAs Type: REG_DWORD Value: 0x00000001 (1)
Fix: F-6075r355793_fix
Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Windows Remote Management (WinRM) >> WinRM Service >> "Disallow WinRM from storing RunAs credentials" to "Enabled".
- RMF Control
- IA-11
- Severity
- M
- CCI
- CCI-002038
- Version
- WN19-SO-000380
- Vuln IDs
-
- V-205811
- V-93431
- Rule IDs
-
- SV-205811r1051083_rule
- SV-103517
Checks: C-6076r355795_chk
UAC requirements are NA for Server Core installations (this is the default installation option for Windows Server 2019 versus Server with Desktop Experience). If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: FilterAdministratorToken Value Type: REG_DWORD Value: 0x00000001 (1)
Fix: F-6076r355796_fix
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "User Account Control: Admin Approval Mode for the Built-in Administrator account" to "Enabled".
- RMF Control
- IA-11
- Severity
- M
- CCI
- CCI-002038
- Version
- WN19-SO-000410
- Vuln IDs
-
- V-205812
- V-93433
- Rule IDs
-
- SV-205812r1051084_rule
- SV-103519
Checks: C-6077r355798_chk
UAC requirements are NA for Server Core installations (this is the default installation option for Windows Server 2019 versus Server with Desktop Experience). If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: ConsentPromptBehaviorUser Value Type: REG_DWORD Value: 0x00000000 (0)
Fix: F-6077r355799_fix
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "User Account Control: Behavior of the elevation prompt for standard users" to "Automatically deny elevation requests".
- RMF Control
- IA-11
- Severity
- M
- CCI
- CCI-002038
- Version
- WN19-SO-000440
- Vuln IDs
-
- V-205813
- V-93435
- Rule IDs
-
- SV-205813r1051085_rule
- SV-103521
Checks: C-6078r355801_chk
UAC requirements are NA for Server Core installations (this is the default installation option for Windows Server 2019 versus Server with Desktop Experience). If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: EnableLUA Value Type: REG_DWORD Value: 0x00000001 (1)
Fix: F-6078r355802_fix
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "User Account Control: Run all administrators in Admin Approval Mode" to "Enabled".
- RMF Control
- IA-3
- Severity
- M
- CCI
- CCI-001967
- Version
- WN19-MS-000040
- Vuln IDs
-
- V-205814
- V-93453
- Rule IDs
-
- SV-205814r971545_rule
- SV-103539
Checks: C-6079r857323_chk
This applies to member servers and standalone or nondomain-joined systems. It is NA for domain controllers. If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows NT\Rpc\ Value Name: RestrictRemoteClients Type: REG_DWORD Value: 0x00000001 (1)
Fix: F-6079r355805_fix
Configure the policy value for Computer Configuration >> Administrative Templates >> System >> Remote Procedure Call >> "Restrict Unauthenticated RPC clients" to "Enabled" with "Authenticated" selected.
- RMF Control
- IA-3
- Severity
- M
- CCI
- CCI-001967
- Version
- WN19-SO-000090
- Vuln IDs
-
- V-205815
- V-93455
- Rule IDs
-
- SV-205815r971545_rule
- SV-103541
Checks: C-6080r355807_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\ Value Name: DisablePasswordChange Value Type: REG_DWORD Value: 0x00000000 (0)
Fix: F-6080r355808_fix
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Domain member: Disable machine account password changes" to "Disabled".
- RMF Control
- MA-4
- Severity
- M
- CCI
- CCI-002890
- Version
- WN19-CC-000480
- Vuln IDs
-
- V-205816
- V-93499
- Rule IDs
-
- SV-205816r958848_rule
- SV-103585
Checks: C-6081r355810_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows\WinRM\Client\ Value Name: AllowUnencryptedTraffic Type: REG_DWORD Value: 0x00000000 (0)
Fix: F-6081r355811_fix
Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Windows Remote Management (WinRM) >> WinRM Client >> "Allow unencrypted traffic" to "Disabled".
- RMF Control
- MA-4
- Severity
- M
- CCI
- CCI-002890
- Version
- WN19-CC-000510
- Vuln IDs
-
- V-205817
- V-93501
- Rule IDs
-
- SV-205817r958848_rule
- SV-103587
Checks: C-6082r355813_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\ Value Name: AllowUnencryptedTraffic Type: REG_DWORD Value: 0x00000000 (0)
Fix: F-6082r355814_fix
Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Windows Remote Management (WinRM) >> WinRM Service >> "Allow unencrypted traffic" to "Disabled".
- RMF Control
- SC-13
- Severity
- M
- CCI
- CCI-002450
- Version
- WN19-DC-000140
- Vuln IDs
-
- V-205818
- V-93513
- Rule IDs
-
- SV-205818r987791_rule
- SV-103599
Checks: C-6083r355816_chk
This applies to domain controllers. It is NA for other systems. Review the organization network diagram(s) or documentation to determine the level of classification for the network(s) over which replication data is transmitted. Determine the classification level of the Windows domain controller. If the classification level of the Windows domain controller is higher than the level of the networks, review the organization network diagram(s) and directory implementation documentation to determine if NSA-approved encryption is used to protect the replication network traffic. If the classification level of the Windows domain controller is higher than the level of the network traversed and NSA-approved encryption is not used, this is a finding.
Fix: F-6083r355817_fix
Configure NSA-approved (Type 1) cryptography to protect the directory data in transit for directory service implementations at a classified confidentiality level that transfer replication data through a network cleared to a lower level than the data.
- RMF Control
- SC-5
- Severity
- L
- CCI
- CCI-002385
- Version
- WN19-CC-000060
- Vuln IDs
-
- V-205819
- V-93541
- Rule IDs
-
- SV-205819r958902_rule
- SV-103627
Checks: C-6084r355819_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Services\Netbt\Parameters\ Value Name: NoNameReleaseOnDemand Value Type: REG_DWORD Value: 0x00000001 (1)
Fix: F-6084r355820_fix
Configure the policy value for Computer Configuration >> Administrative Templates >> MSS (Legacy) >> "MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers" to "Enabled". This policy setting requires the installation of the MSS-Legacy custom templates included with the STIG package. "MSS-Legacy.admx" and "MSS-Legacy.adml" must be copied to the \Windows\PolicyDefinitions and \Windows\PolicyDefinitions\en-US directories respectively.
- RMF Control
- SC-8
- Severity
- M
- CCI
- CCI-002418
- Version
- WN19-DC-000320
- Vuln IDs
-
- V-205820
- V-93545
- Rule IDs
-
- SV-205820r958908_rule
- SV-103631
Checks: C-6085r355822_chk
This applies to domain controllers. It is NA for other systems. If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Services\NTDS\Parameters\ Value Name: LDAPServerIntegrity Value Type: REG_DWORD Value: 0x00000002 (2)
Fix: F-6085r355823_fix
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Domain controller: LDAP server signing requirements" to "Require signing".
- RMF Control
- SC-8
- Severity
- M
- CCI
- CCI-002418
- Version
- WN19-SO-000060
- Vuln IDs
-
- V-205821
- V-93547
- Rule IDs
-
- SV-205821r958908_rule
- SV-103633
Checks: C-6086r355825_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\ Value Name: RequireSignOrSeal Value Type: REG_DWORD Value: 0x00000001 (1)
Fix: F-6086r355826_fix
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Domain member: Digitally encrypt or sign secure channel data (always)" to "Enabled".
- RMF Control
- SC-8
- Severity
- M
- CCI
- CCI-002418
- Version
- WN19-SO-000070
- Vuln IDs
-
- V-205822
- V-93549
- Rule IDs
-
- SV-205822r958908_rule
- SV-103635
Checks: C-6087r355828_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\ Value Name: SealSecureChannel Value Type: REG_DWORD Value: 0x00000001 (1)
Fix: F-6087r355829_fix
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Domain member: Digitally encrypt secure channel data (when possible)" to "Enabled".
- RMF Control
- SC-8
- Severity
- M
- CCI
- CCI-002418
- Version
- WN19-SO-000080
- Vuln IDs
-
- V-205823
- V-93551
- Rule IDs
-
- SV-205823r958908_rule
- SV-103637
Checks: C-6088r355831_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\ Value Name: SignSecureChannel Value Type: REG_DWORD Value: 0x00000001 (1)
Fix: F-6088r355832_fix
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Domain member: Digitally sign secure channel data (when possible)" to "Enabled".
- RMF Control
- SC-8
- Severity
- M
- CCI
- CCI-002418
- Version
- WN19-SO-000110
- Vuln IDs
-
- V-205824
- V-93553
- Rule IDs
-
- SV-205824r958908_rule
- SV-103639
Checks: C-6089r355834_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\ Value Name: RequireStrongKey Value Type: REG_DWORD Value: 0x00000001 (1) This setting may prevent a system from being joined to a domain if not configured consistently between systems.
Fix: F-6089r355835_fix
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Domain member: Require strong (Windows 2000 or Later) session key" to "Enabled".
- RMF Control
- SC-8
- Severity
- M
- CCI
- CCI-002418
- Version
- WN19-SO-000160
- Vuln IDs
-
- V-205825
- V-93555
- Rule IDs
-
- SV-205825r958908_rule
- SV-103641
Checks: C-6090r355837_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters\ Value Name: RequireSecuritySignature Value Type: REG_DWORD Value: 0x00000001 (1)
Fix: F-6090r355838_fix
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Microsoft network client: Digitally sign communications (always)" to "Enabled".
- RMF Control
- SC-8
- Severity
- M
- CCI
- CCI-002418
- Version
- WN19-SO-000170
- Vuln IDs
-
- V-205826
- V-93557
- Rule IDs
-
- SV-205826r958908_rule
- SV-103643
Checks: C-6091r355840_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters\ Value Name: EnableSecuritySignature Value Type: REG_DWORD Value: 0x00000001 (1)
Fix: F-6091r355841_fix
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Microsoft network client: Digitally sign communications (if server agrees)" to "Enabled".
- RMF Control
- SC-8
- Severity
- M
- CCI
- CCI-002418
- Version
- WN19-SO-000190
- Vuln IDs
-
- V-205827
- V-93559
- Rule IDs
-
- SV-205827r958908_rule
- SV-103645
Checks: C-6092r355843_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Services\LanManServer\Parameters\ Value Name: RequireSecuritySignature Value Type: REG_DWORD Value: 0x00000001 (1)
Fix: F-6092r355844_fix
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Microsoft network server: Digitally sign communications (always)" to "Enabled".
- RMF Control
- SC-8
- Severity
- M
- CCI
- CCI-002418
- Version
- WN19-SO-000200
- Vuln IDs
-
- V-205828
- V-93561
- Rule IDs
-
- SV-205828r958908_rule
- SV-103647
Checks: C-6093r355846_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Services\LanManServer\Parameters\ Value Name: EnableSecuritySignature Value Type: REG_DWORD Value: 0x00000001 (1)
Fix: F-6093r355847_fix
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Microsoft network server: Digitally sign communications (if client agrees)" to "Enabled".
- RMF Control
- SC-8
- Severity
- M
- CCI
- CCI-002420
- Version
- WN19-00-000260
- Vuln IDs
-
- V-205829
- V-93543
- Rule IDs
-
- SV-205829r958912_rule
- SV-103629
Checks: C-6094r355849_chk
If the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process, verify protection methods such as TLS, encrypted VPNs, or IPsec have been implemented. If protection methods have not been implemented, this is a finding.
Fix: F-6094r355850_fix
Configure protection methods such as TLS, encrypted VPNs, or IPsec when the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process.
- RMF Control
- SI-16
- Severity
- M
- CCI
- CCI-002824
- Version
- WN19-CC-000310
- Vuln IDs
-
- V-205830
- V-93563
- Rule IDs
-
- SV-205830r958928_rule
- SV-103649
Checks: C-6095r355852_chk
The default behavior is for Data Execution Prevention to be turned on for File Explorer. If the registry value name below does not exist, this is not a finding. If it exists and is configured with a value of "0", this is not a finding. If it exists and is configured with a value of "1", this is a finding. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows\Explorer\ Value Name: NoDataExecutionPrevention Value Type: REG_DWORD Value: 0x00000000 (0) (or if the Value Name does not exist)
Fix: F-6095r355853_fix
The default behavior is for data execution prevention to be turned on for File Explorer. If this needs to be corrected, configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> File Explorer >> "Turn off Data Execution Prevention for Explorer" to "Not Configured" or "Disabled".
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- WN19-AU-000070
- Vuln IDs
-
- V-205832
- V-93153
- Rule IDs
-
- SV-205832r991578_rule
- SV-103241
Checks: C-6097r355858_chk
Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. Use the "AuditPol" tool to review the current Audit Policy configuration: Open "PowerShell" or a "Command Prompt" with elevated privileges ("Run as administrator"). Enter "AuditPol /get /category:*" Compare the "AuditPol" settings with the following: If the system does not audit the following, this is a finding. Account Logon >> Credential Validation - Success
Fix: F-6097r355859_fix
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Account Logon >> "Audit Credential Validation" with "Success" selected.
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- WN19-AU-000080
- Vuln IDs
-
- V-205833
- V-93155
- Rule IDs
-
- SV-205833r991578_rule
- SV-103243
Checks: C-6098r355861_chk
Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. Use the "AuditPol" tool to review the current Audit Policy configuration: Open "PowerShell" or a "Command Prompt" with elevated privileges ("Run as administrator"). Enter "AuditPol /get /category:*" Compare the "AuditPol" settings with the following: If the system does not audit the following, this is a finding. Account Logon >> Credential Validation - Failure
Fix: F-6098r355862_fix
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Account Logon >> "Audit Credential Validation" with "Failure" selected.
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- WN19-AU-000170
- Vuln IDs
-
- V-205834
- V-93159
- Rule IDs
-
- SV-205834r991578_rule
- SV-103247
Checks: C-6099r355864_chk
Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. Use the "AuditPol" tool to review the current Audit Policy configuration: Open "PowerShell" or a "Command Prompt" with elevated privileges ("Run as administrator"). Enter "AuditPol /get /category:*" Compare the "AuditPol" settings with the following: If the system does not audit the following, this is a finding. Logon/Logoff >> Group Membership - Success
Fix: F-6099r355865_fix
Configure the policy value for Computer Configuration >> Windows Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Logon/Logoff >> "Audit Group Membership" with "Success" selected.
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- WN19-AU-000210
- Vuln IDs
-
- V-205835
- V-93161
- Rule IDs
-
- SV-205835r991578_rule
- SV-103249
Checks: C-6100r355867_chk
Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. Use the "AuditPol" tool to review the current Audit Policy configuration: Open "PowerShell" or a "Command Prompt" with elevated privileges ("Run as administrator"). Enter "AuditPol /get /category:*" Compare the "AuditPol" settings with the following: If the system does not audit the following, this is a finding. Logon/Logoff >> Special Logon - Success
Fix: F-6100r355868_fix
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Logon/Logoff >> "Audit Special Logon" with "Success" selected.
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- WN19-AU-000220
- Vuln IDs
-
- V-205836
- V-93163
- Rule IDs
-
- SV-205836r991578_rule
- SV-103251
Checks: C-6101r355870_chk
Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. Use the "AuditPol" tool to review the current Audit Policy configuration: Open "PowerShell" or a "Command Prompt" with elevated privileges ("Run as administrator"). Enter "AuditPol /get /category:*" Compare the "AuditPol" settings with the following: If the system does not audit the following, this is a finding. Object Access >> Other Object Access Events - Success
Fix: F-6101r355871_fix
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Object Access >> "Audit Other Object Access Events" with "Success" selected.
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- WN19-AU-000230
- Vuln IDs
-
- V-205837
- V-93165
- Rule IDs
-
- SV-205837r991578_rule
- SV-103253
Checks: C-6102r355873_chk
Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. Use the "AuditPol" tool to review the current Audit Policy configuration: Open "PowerShell" or a "Command Prompt" with elevated privileges ("Run as administrator"). Enter "AuditPol /get /category:*" Compare the "AuditPol" settings with the following: If the system does not audit the following, this is a finding. Object Access >> Other Object Access Events - Failure
Fix: F-6102r355874_fix
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Object Access >> "Audit Other Object Access Events" with "Failure" selected.
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- WN19-AU-000180
- Vuln IDs
-
- V-205838
- V-93171
- Rule IDs
-
- SV-205838r991581_rule
- SV-103259
Checks: C-6103r355876_chk
Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. Use the "AuditPol" tool to review the current Audit Policy configuration: Open "PowerShell" or a "Command Prompt" with elevated privileges ("Run as administrator"). Enter "AuditPol /get /category:*" Compare the "AuditPol" settings with the following: If the system does not audit the following, this is a finding. Logon/Logoff >> Logoff - Success
Fix: F-6103r355877_fix
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Logon/Logoff >> "Audit Logoff" with "Success" selected.
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- WN19-AU-000130
- Vuln IDs
-
- V-205839
- V-93157
- Rule IDs
-
- SV-205839r991583_rule
- SV-103245
Checks: C-6104r355879_chk
Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. Use the "AuditPol" tool to review the current Audit Policy configuration: Open "PowerShell" or a "Command Prompt" with elevated privileges ("Run as administrator"). Enter "AuditPol /get /category:*" Compare the "AuditPol" settings with the following: If the system does not audit the following, this is a finding. Detailed Tracking >> Plug and Play Events - Success
Fix: F-6104r355880_fix
Configure the policy value for Computer Configuration >> Windows Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Detailed Tracking >> "Audit PNP Activity" with "Success" selected.
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- WN19-AU-000240
- Vuln IDs
-
- V-205840
- V-93167
- Rule IDs
-
- SV-205840r991583_rule
- SV-103255
Checks: C-6105r355882_chk
Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. Use the "AuditPol" tool to review the current Audit Policy configuration: Open "PowerShell" or a "Command Prompt" with elevated privileges ("Run as administrator"). Enter "AuditPol /get /category:*" Compare the "AuditPol" settings with the following: If the system does not audit the following, this is a finding. Object Access >> Removable Storage - Success Virtual machines or systems that use network attached storage may generate excessive audit events for secondary virtual drives or the network attached storage when this setting is enabled. This may be set to Not Configured in such cases and would not be a finding.
Fix: F-6105r355883_fix
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Object Access >> "Audit Removable Storage" with "Success" selected.
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- WN19-AU-000250
- Vuln IDs
-
- V-205841
- V-93169
- Rule IDs
-
- SV-205841r991583_rule
- SV-103257
Checks: C-6106r355885_chk
Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. Use the "AuditPol" tool to review the current Audit Policy configuration: Open "PowerShell" or a "Command Prompt" with elevated privileges ("Run as administrator"). Enter "AuditPol /get /category:*" Compare the "AuditPol" settings with the following: If the system does not audit the following, this is a finding. Object Access >> Removable Storage - Failure Virtual machines or systems that use network attached storage may generate excessive audit events for secondary virtual drives or the network attached storage when this setting is enabled. This may be set to Not Configured in such cases and would not be a finding.
Fix: F-6106r355886_fix
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Object Access >> "Audit Removable Storage" with "Failure" selected.
- RMF Control
- SC-13
- Severity
- M
- CCI
- CCI-002450
- Version
- WN19-SO-000360
- Vuln IDs
-
- V-205842
- V-93511
- Rule IDs
-
- SV-205842r1137699_rule
- SV-103597
Checks: C-6107r1028367_chk
This is NA if the host is running SharePoint. If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy\ Value Name: Enabled Value Type: REG_DWORD Value: 0x00000001 (1) Clients with this setting enabled will not be able to communicate via digitally encrypted or signed protocols with servers that do not support these algorithms. Both the browser and web server must be configured to use TLS; otherwise. the browser will not be able to connect to a secure site. If the server is hosting SharePoint, this is not applicable.
Fix: F-6107r355889_fix
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" to "Enabled".
- RMF Control
- AU-4
- Severity
- M
- CCI
- CCI-001851
- Version
- WN19-AU-000020
- Vuln IDs
-
- V-205843
- V-93185
- Rule IDs
-
- SV-205843r959008_rule
- SV-103273
Checks: C-6108r857307_chk
Verify the audit records, at a minimum, are offloaded for interconnected systems in real time and offloaded for standalone or nondomain-joined systems weekly. If they are not, this is a finding.
Fix: F-6108r916198_fix
Configure the system to, at a minimum, offload audit records of interconnected systems in real time and offload standalone or nondomain-joined systems weekly.
- RMF Control
- CM-6
- Severity
- H
- CCI
- CCI-000366
- Version
- WN19-00-000010
- Vuln IDs
-
- V-205844
- V-93369
- Rule IDs
-
- SV-205844r991589_rule
- SV-103457
Checks: C-6109r355894_chk
Verify each user with administrative privileges has been assigned a unique administrative account separate from their standard user account. If users with administrative privileges do not have separate accounts for administrative functions and standard user functions, this is a finding.
Fix: F-6109r355895_fix
Ensure each user with administrative privileges has a separate account for user duties and one for privileged duties.
- RMF Control
- CM-6
- Severity
- H
- CCI
- CCI-000366
- Version
- WN19-00-000030
- Vuln IDs
-
- V-205845
- V-93205
- Rule IDs
-
- SV-205845r991589_rule
- SV-103293
Checks: C-6110r355897_chk
Determine whether organization policy, at a minimum, prohibits administrative accounts from using applications that access the Internet, such as web browsers, or with potential Internet sources, such as email, except as necessary for local service administration. If it does not, this is a finding. The organization may use technical means such as whitelisting to prevent the use of browsers and mail applications to enforce this requirement.
Fix: F-6110r355898_fix
Establish a policy, at minimum, to prohibit administrative accounts from using applications that access the Internet, such as web browsers, or with potential Internet sources, such as email. Ensure the policy is enforced. The organization may use technical means such as whitelisting to prevent the use of browsers and mail applications to enforce this requirement.
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- WN19-00-000040
- Vuln IDs
-
- V-205846
- V-93207
- Rule IDs
-
- SV-205846r991589_rule
- SV-103295
Checks: C-6111r355900_chk
If no accounts are members of the Backup Operators group, this is NA. Verify users with accounts in the Backup Operators group have a separate user account for backup functions and for performing normal user tasks. If users with accounts in the Backup Operators group do not have separate accounts for backup functions and standard user functions, this is a finding.
Fix: F-6111r355901_fix
Ensure each member of the Backup Operators group has separate accounts for backup functions and standard user functions.
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- WN19-00-000060
- Vuln IDs
-
- V-205847
- V-93209
- Rule IDs
-
- SV-205847r991589_rule
- SV-103297
Checks: C-6112r857287_chk
Determine if manually managed application/service accounts exist. If none exist, this is NA. If passwords for manually managed application/service accounts are not changed at least annually or when an administrator with knowledge of the password leaves the organization, this is a finding. Identify manually managed application/service accounts. To determine the date a password was last changed: Domain controllers: Open "PowerShell". Enter "Get-AdUser -Identity [application account name] -Properties PasswordLastSet | FT Name, PasswordLastSet", where [application account name] is the name of the manually managed application/service account. If the "PasswordLastSet" date is more than one year old, this is a finding. Member servers and standalone or nondomain-joined systems: Open "Command Prompt". Enter 'Net User [application account name] | Find /i "Password Last Set"', where [application account name] is the name of the manually managed application/service account. If the "Password Last Set" date is more than one year old, this is a finding.
Fix: F-6112r355904_fix
Change passwords for manually managed application/service accounts at least annually or when an administrator with knowledge of the password leaves the organization. It is recommended that system-managed service accounts be used whenever possible.
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- WN19-00-000090
- Vuln IDs
-
- V-205848
- V-93213
- Rule IDs
-
- SV-205848r991589_rule
- SV-103301
Checks: C-6113r902428_chk
For standalone or nondomain-joined systems, this is NA. Verify the system has a TPM and it is ready for use. Run "tpm.msc". Review the sections in the center pane. "Status" must indicate it has been configured with a message such as "The TPM is ready for use" or "The TPM is on and ownership has been taken". TPM Manufacturer Information - Specific Version = 2.0 or 1.2 If a TPM is not found or is not ready for use, this is a finding.
Fix: F-6113r355907_fix
Ensure domain-joined systems have a TPM that is configured for use. (Versions 2.0 or 1.2 support Credential Guard.) The TPM must be enabled in the firmware. Run "tpm.msc" for configuration options in Windows.
- RMF Control
- CM-6
- Severity
- H
- CCI
- CCI-000366
- Version
- WN19-00-000100
- Vuln IDs
-
- V-205849
- V-93215
- Rule IDs
-
- SV-205849r991589_rule
- SV-103303
Checks: C-6114r355909_chk
Open "Command Prompt". Enter "winver.exe". If the "About Windows" dialog box does not display "Microsoft Windows Server Version 1809 (Build 17763.xxx)" or greater, this is a finding. Preview versions must not be used in a production environment.
Fix: F-6114r355910_fix
Update the system to a Version 1809 (Build 17763.xxx) or greater.
- RMF Control
- CM-6
- Severity
- H
- CCI
- CCI-000366
- Version
- WN19-00-000110
- Vuln IDs
-
- V-205850
- V-93217
- Rule IDs
-
- SV-205850r991589_rule
- SV-103305
Checks: C-6115r603166_chk
Verify an anti-virus solution is installed on the system. The anti-virus solution may be bundled with an approved host-based security solution. If there is no anti-virus solution installed on the system, this is a finding. Verify if Windows Defender is in use or enabled: Open "PowerShell". Enter “get-service | where {$_.DisplayName -Like "*Defender*"} | Select Status,DisplayName” Verify if third-party anti-virus is in use or enabled: Open "PowerShell". Enter "get-service | where {$_.DisplayName -Like "*mcafee*"} | Select Status,DisplayName” Enter "get-service | where {$_.DisplayName -Like "*symantec*"} | Select Status,DisplayName”
Fix: F-6115r603168_fix
If no anti-virus software is in use, install Windows Defender or third-party anti-virus. Open "PowerShell". Enter "Install-WindowsFeature -Name Windows-Defender”. For third-party anti-virus, install per anti-virus instructions and disable Windows Defender. Open "PowerShell". Enter "Uninstall-WindowsFeature -Name Windows-Defender”.
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- WN19-00-000120
- Vuln IDs
-
- V-205851
- V-93219
- Rule IDs
-
- SV-205851r1186378_rule
- SV-103307
Checks: C-6116r1186376_chk
Determine if there is a HIDS and HIPS on each server. A HIDS device is not required on a system that has the role as the Network Intrusion Device (NID). However, this exception needs to be documented with the information system security officer (ISSO). If a HIDS and HIPS are not installed on the system, this is a finding.
Fix: F-6116r1186377_fix
Install a HIDS and HIPS on each server.
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- WN19-00-000240
- Vuln IDs
-
- V-205852
- V-93221
- Rule IDs
-
- SV-205852r991589_rule
- SV-103309
Checks: C-6117r355918_chk
Search all drives for *.p12 and *.pfx files. If any files with these extensions exist, this is a finding. This does not apply to server-based applications that have a requirement for .p12 certificate files or Adobe PreFlight certificate files. Some applications create files with extensions of .p12 that are not certificate installation files. Removal of non-certificate installation files from systems is not required. These must be documented with the ISSO.
Fix: F-6117r355919_fix
Remove any certificate installation files (*.p12 and *.pfx) found on a system. Note: This does not apply to server-based applications that have a requirement for .p12 certificate files or Adobe PreFlight certificate files.
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- WN19-00-000420
- Vuln IDs
-
- V-205853
- V-93223
- Rule IDs
-
- SV-205853r991589_rule
- SV-103311
Checks: C-6118r355921_chk
If FTP is not installed on the system, this is NA. Open "Internet Information Services (IIS) Manager". Select the server. Double-click "FTP Authentication". If the "Anonymous Authentication" status is "Enabled", this is a finding.
Fix: F-6118r355922_fix
Configure the FTP service to prevent anonymous logons. Open "Internet Information Services (IIS) Manager". Select the server. Double-click "FTP Authentication". Select "Anonymous Authentication". Select "Disabled" under "Actions".
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- WN19-00-000430
- Vuln IDs
-
- V-205854
- V-93225
- Rule IDs
-
- SV-205854r991589_rule
- SV-103313
Checks: C-6119r355924_chk
If FTP is not installed on the system, this is NA. Open "Internet Information Services (IIS) Manager". Select "Sites" under the server name. For any sites with a Binding that lists FTP, right-click the site and select "Explore". If the site is not defined to a specific folder for shared FTP resources, this is a finding. If the site includes any system areas such as root of the drive, Program Files, or Windows directories, this is a finding.
Fix: F-6119r355925_fix
Configure the FTP sites to allow access only to specific FTP shared resources. Do not allow access to other areas of the system.
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- WN19-00-000450
- Vuln IDs
-
- V-205855
- V-93227
- Rule IDs
-
- SV-205855r991589_rule
- SV-103315
Checks: C-6120r355927_chk
Review the effective User Rights setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. Review each User Right listed for any unresolved SIDs to determine whether they are valid, such as due to being temporarily disconnected from the domain. (Unresolved SIDs have the format that begins with "*S-1-".) If any unresolved SIDs exist and are not for currently valid accounts or groups, this is a finding. For server core installations, run the following command: Secedit /export /areas USER_RIGHTS /cfg c:\path\UserRights.txt The results in the file identify user right assignments by SID instead of group name. Review the SIDs for unidentified ones. A list of typical SIDs \ Groups is below, search Microsoft for articles on well-known SIDs for others. If any unresolved SIDs exist and are not for currently valid accounts or groups, this is a finding. SID - Group S-1-5-11 - Authenticated Users S-1-5-113 - Local account S-1-5-114 - Local account and member of Administrators group S-1-5-19 - Local Service S-1-5-20 - Network Service S-1-5-32-544 - Administrators S-1-5-32-546 - Guests S-1-5-6 - Service S-1-5-9 - Enterprise Domain Controllers S-1-5-domain-512 - Domain Admins S-1-5-root domain-519 - Enterprise Admins S-1-5-80-3139157870-2983391045-3678747466-658725712-1809340420 - NT Service\WdiServiceHost
Fix: F-6120r355928_fix
Remove any unresolved SIDs found in User Rights assignments and determined to not be for currently valid accounts or groups by removing the accounts or groups from the appropriate group policy.
- RMF Control
- CM-6
- Severity
- L
- CCI
- CCI-000366
- Version
- WN19-00-000460
- Vuln IDs
-
- V-205856
- V-93229
- Rule IDs
-
- SV-205856r991589_rule
- SV-103317
Checks: C-6121r355930_chk
Some older systems may not have UEFI firmware. This is currently a CAT III; it will be raised in severity at a future date when broad support of Windows hardware and firmware requirements are expected to be met. Devices that have UEFI firmware must run in "UEFI" mode. Verify the system firmware is configured to run in "UEFI" mode, not "Legacy BIOS". Run "System Information". Under "System Summary", if "BIOS Mode" does not display "UEFI", this is a finding.
Fix: F-6121r355931_fix
Configure UEFI firmware to run in "UEFI" mode, not "Legacy BIOS" mode.
- RMF Control
- CM-6
- Severity
- L
- CCI
- CCI-000366
- Version
- WN19-00-000470
- Vuln IDs
-
- V-205857
- V-93231
- Rule IDs
-
- SV-205857r991589_rule
- SV-103319
Checks: C-6122r355933_chk
Some older systems may not have UEFI firmware. This is currently a CAT III; it will be raised in severity at a future date when broad support of Windows hardware and firmware requirements are expected to be met. Devices that have UEFI firmware must have Secure Boot enabled. Run "System Information". Under "System Summary", if "Secure Boot State" does not display "On", this is a finding. On server core installations, run the following PowerShell command: Confirm-SecureBootUEFI If a value of "True" is not returned, this is a finding.
Fix: F-6122r355934_fix
Enable Secure Boot in the system firmware.
- RMF Control
- CM-6
- Severity
- L
- CCI
- CCI-000366
- Version
- WN19-CC-000030
- Vuln IDs
-
- V-205858
- V-93233
- Rule IDs
-
- SV-205858r991589_rule
- SV-103321
Checks: C-6123r355936_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\ Value Name: DisableIPSourceRouting Type: REG_DWORD Value: 0x00000002 (2)
Fix: F-6123r355937_fix
Configure the policy value for Computer Configuration >> Administrative Templates >> MSS (Legacy) >> "MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)" to "Enabled" with "Highest protection, source routing is completely disabled" selected. This policy setting requires the installation of the MSS-Legacy custom templates included with the STIG package. "MSS-Legacy.admx" and "MSS-Legacy.adml" must be copied to the \Windows\PolicyDefinitions and \Windows\PolicyDefinitions\en-US directories respectively.
- RMF Control
- CM-6
- Severity
- L
- CCI
- CCI-000366
- Version
- WN19-CC-000040
- Vuln IDs
-
- V-205859
- V-93235
- Rule IDs
-
- SV-205859r991589_rule
- SV-103323
Checks: C-6124r355939_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\ Value Name: DisableIPSourceRouting Value Type: REG_DWORD Value: 0x00000002 (2)
Fix: F-6124r355940_fix
Configure the policy value for Computer Configuration >> Administrative Templates >> MSS (Legacy) >> "MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)" to "Enabled" with "Highest protection, source routing is completely disabled" selected. This policy setting requires the installation of the MSS-Legacy custom templates included with the STIG package. "MSS-Legacy.admx" and "MSS-Legacy.adml" must be copied to the \Windows\PolicyDefinitions and \Windows\PolicyDefinitions\en-US directories respectively.
- RMF Control
- CM-6
- Severity
- L
- CCI
- CCI-000366
- Version
- WN19-CC-000050
- Vuln IDs
-
- V-205860
- V-93237
- Rule IDs
-
- SV-205860r991589_rule
- SV-103325
Checks: C-6125r355942_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\ Value Name: EnableICMPRedirect Value Type: REG_DWORD Value: 0x00000000 (0)
Fix: F-6125r355943_fix
Configure the policy value for Computer Configuration >> Administrative Templates >> MSS (Legacy) >> "MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes" to "Disabled". This policy setting requires the installation of the MSS-Legacy custom templates included with the STIG package. "MSS-Legacy.admx" and "MSS-Legacy.adml" must be copied to the \Windows\PolicyDefinitions and \Windows\PolicyDefinitions\en-US directories respectively.
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- WN19-CC-000070
- Vuln IDs
-
- V-205861
- V-93239
- Rule IDs
-
- SV-205861r991589_rule
- SV-103327
Checks: C-6126r355945_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation\ Value Name: AllowInsecureGuestAuth Type: REG_DWORD Value: 0x00000000 (0)
Fix: F-6126r355946_fix
Configure the policy value for Computer Configuration >> Administrative Templates >> Network >> Lanman Workstation >> "Enable insecure guest logons" to "Disabled".
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- WN19-CC-000080
- Vuln IDs
-
- V-205862
- V-93241
- Rule IDs
-
- SV-205862r991589_rule
- SV-103329
Checks: C-6127r857310_chk
This requirement is applicable to domain-joined systems. For standalone or nondomain-joined systems, this is NA. If the following registry values do not exist or are not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths\ Value Name: \\*\NETLOGON Value Type: REG_SZ Value: RequireMutualAuthentication=1, RequireIntegrity=1 Value Name: \\*\SYSVOL Value Type: REG_SZ Value: RequireMutualAuthentication=1, RequireIntegrity=1 Additional entries would not be a finding.
Fix: F-6127r355949_fix
Configure the policy value for Computer Configuration >> Administrative Templates >> Network >> Network Provider >> "Hardened UNC Paths" to "Enabled" with at least the following configured in "Hardened UNC Paths" (click the "Show" button to display): Value Name: \\*\SYSVOL Value: RequireMutualAuthentication=1, RequireIntegrity=1 Value Name: \\*\NETLOGON Value: RequireMutualAuthentication=1, RequireIntegrity=1
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- WN19-CC-000100
- Vuln IDs
-
- V-205863
- V-93243
- Rule IDs
-
- SV-205863r991589_rule
- SV-103331
Checks: C-6128r355951_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\ Value Name: AllowProtectedCreds Type: REG_DWORD Value: 0x00000001 (1)
Fix: F-6128r355952_fix
Configure the policy value for Computer Configuration >> Administrative Templates >> System >> Credentials Delegation >> "Remote host allows delegation of non-exportable credentials" to "Enabled".
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- WN19-CC-000110
- Vuln IDs
-
- V-205864
- V-93245
- Rule IDs
-
- SV-205864r991589_rule
- SV-103333
Checks: C-6129r902430_chk
For standalone or nondomain-joined systems, this is NA. Open "PowerShell" with elevated privileges (run as administrator). Enter the following: "Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard" If "RequiredSecurityProperties" does not include a value of "2" indicating "Secure Boot" (e.g., "{1, 2}"), this is a finding. If "Secure Boot and DMA Protection" is configured, "3" will also be displayed in the results (e.g., "{1, 2, 3}"). If "VirtualizationBasedSecurityStatus" is not a value of "2" indicating "Running", this is a finding. Alternately: Run "System Information". Under "System Summary", verify the following: If "Virtualization based security" does not display "Running", this is a finding. If "Virtualization based Required security Properties" does not display "Base Virtualization Support, Secure Boot", this is a finding. If "Secure Boot and DMA Protection" is configured, "DMA Protection" will also be displayed (e.g., "Base Virtualization Support, Secure Boot, DMA Protection"). The policy settings referenced in the Fix section will configure the following registry values. However, due to hardware requirements, the registry values alone do not ensure proper function. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows\DeviceGuard\ Value Name: EnableVirtualizationBasedSecurity Value Type: REG_DWORD Value: 0x00000001 (1) Value Name: RequirePlatformSecurityFeatures Value Type: REG_DWORD Value: 0x00000001 (1) (Secure Boot only) or 0x00000003 (3) (Secure Boot and DMA Protection) A Microsoft TechNet article on Credential Guard, including system requirement details, can be found at the following link: https://technet.microsoft.com/itpro/windows/keep-secure/credential-guard
Fix: F-6129r355955_fix
Configure the policy value for Computer Configuration >> Administrative Templates >> System >> Device Guard >> "Turn On Virtualization Based Security" to "Enabled" with "Secure Boot" or "Secure Boot and DMA Protection" selected. A Microsoft TechNet article on Credential Guard, including system requirement details, can be found at the following link: https://technet.microsoft.com/itpro/windows/keep-secure/credential-guard
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- WN19-CC-000130
- Vuln IDs
-
- V-205865
- V-93249
- Rule IDs
-
- SV-205865r991589_rule
- SV-103337
Checks: C-6130r355957_chk
The default behavior is for Early Launch Antimalware - Boot-Start Driver Initialization policy to enforce "Good, unknown and bad but critical" (preventing "bad"). If the registry value name below does not exist, this is not a finding. If it exists and is configured with a value of "0x00000007 (7)", this is a finding. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Policies\EarlyLaunch\ Value Name: DriverLoadPolicy Value Type: REG_DWORD Value: 0x00000001 (1), 0x00000003 (3), or 0x00000008 (8) (or if the Value Name does not exist) Possible values for this setting are: 8 - Good only 1 - Good and unknown 3 - Good, unknown and bad but critical 7 - All (which includes "bad" and would be a finding)
Fix: F-6130r355958_fix
The default behavior is for Early Launch Antimalware - Boot-Start Driver Initialization policy to enforce "Good, unknown and bad but critical" (preventing "bad"). If this needs to be corrected or a more secure setting is desired, configure the policy value for Computer Configuration >> Administrative Templates >> System >> Early Launch Antimalware >> "Boot-Start Driver Initialization Policy" to "Not Configured" or "Enabled" with any option other than "All" selected.
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- WN19-CC-000140
- Vuln IDs
-
- V-205866
- V-93251
- Rule IDs
-
- SV-205866r1135352_rule
- SV-103339
Checks: C-6131r1135326_chk
This requirement is not applicable for Domain Controllers. If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}\ Value Name: NoGPOListChanges Type: REG_DWORD Value: 0x00000000 (0)
Fix: F-6131r355961_fix
Configure the policy value for Computer Configuration >> Administrative Templates >> System >> Group Policy >> "Configure registry policy processing" to "Enabled" with the option "Process even if the Group Policy objects have not changed" selected.
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- WN19-CC-000180
- Vuln IDs
-
- V-205867
- V-93253
- Rule IDs
-
- SV-205867r991589_rule
- SV-103341
Checks: C-6132r355963_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51\ Value Name: DCSettingIndex Type: REG_DWORD Value: 0x00000001 (1)
Fix: F-6132r355964_fix
Configure the policy value for Computer Configuration >> Administrative Templates >> System >> Power Management >> Sleep Settings >> "Require a password when a computer wakes (on battery)" to "Enabled".
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- WN19-CC-000190
- Vuln IDs
-
- V-205868
- V-93255
- Rule IDs
-
- SV-205868r991589_rule
- SV-103343
Checks: C-6133r355966_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51\ Value Name: ACSettingIndex Type: REG_DWORD Value: 0x00000001 (1)
Fix: F-6133r355967_fix
Configure the policy value for Computer Configuration >> Administrative Templates >> System >> Power Management >> Sleep Settings >> "Require a password when a computer wakes (plugged in)" to "Enabled".
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- WN19-CC-000250
- Vuln IDs
-
- V-205869
- V-93257
- Rule IDs
-
- SV-205869r991589_rule
- SV-103345
Checks: C-6134r355969_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows\DataCollection\ Value Name: AllowTelemetry Type: REG_DWORD Value: 0x00000000 (0) (Security), 0x00000001 (1) (Basic)
Fix: F-6134r921944_fix
Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Data Collection >> "Allow Telemetry" to "Enabled" with "0 - Security [Enterprise Only]" or "1 - Basic" selected in "Options".
- RMF Control
- CM-6
- Severity
- L
- CCI
- CCI-000366
- Version
- WN19-CC-000260
- Vuln IDs
-
- V-205870
- V-93259
- Rule IDs
-
- SV-205870r991589_rule
- SV-103347
Checks: C-6135r355972_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization\ Value Name: DODownloadMode Value Type: REG_DWORD Value: 0x00000000 (0) - No peering (HTTP Only) 0x00000001 (1) - Peers on same NAT only (LAN) 0x00000002 (2) - Local Network / Private group peering (Group) 0x00000063 (99) - Simple download mode, no peering (Simple) 0x00000064 (100) - Bypass mode, Delivery Optimization not used (Bypass) A value of 0x00000003 (3), Internet, is a finding.
Fix: F-6135r355973_fix
Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Delivery Optimization >> "Download Mode" to "Enabled" with any option except "Internet" selected. Acceptable selections include: Bypass (100) Group (2) HTTP only (0) LAN (1) Simple (99)
- RMF Control
- CM-6
- Severity
- L
- CCI
- CCI-000366
- Version
- WN19-CC-000320
- Vuln IDs
-
- V-205871
- V-93261
- Rule IDs
-
- SV-205871r991589_rule
- SV-103349
Checks: C-6136r355975_chk
The default behavior is for File Explorer heap termination on corruption to be enabled. If the registry Value Name below does not exist, this is not a finding. If it exists and is configured with a value of "0", this is not a finding. If it exists and is configured with a value of "1", this is a finding. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows\Explorer\ Value Name: NoHeapTerminationOnCorruption Value Type: REG_DWORD Value: 0x00000000 (0) (or if the Value Name does not exist)
Fix: F-6136r355976_fix
The default behavior is for File Explorer heap termination on corruption to be disabled. If this needs to be corrected, configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> File Explorer >> "Turn off heap termination on corruption" to "Not Configured" or "Disabled".
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- WN19-CC-000330
- Vuln IDs
-
- V-205872
- V-93263
- Rule IDs
-
- SV-205872r991589_rule
- SV-103351
Checks: C-6137r355978_chk
The default behavior is for shell protected mode to be turned on for File Explorer. If the registry value name below does not exist, this is not a finding. If it exists and is configured with a value of "0", this is not a finding. If it exists and is configured with a value of "1", this is a finding. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ Value Name: PreXPSP2ShellProtocolBehavior Value Type: REG_DWORD Value: 0x00000000 (0) (or if the Value Name does not exist)
Fix: F-6137r355979_fix
The default behavior is for shell protected mode to be turned on for File Explorer. If this needs to be corrected, configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> File Explorer >> "Turn off shell protocol protected mode" to "Not Configured" or "Disabled".
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- WN19-CC-000390
- Vuln IDs
-
- V-205873
- V-93265
- Rule IDs
-
- SV-205873r991589_rule
- SV-103353
Checks: C-6138r355981_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds\ Value Name: DisableEnclosureDownload Type: REG_DWORD Value: 0x00000001 (1)
Fix: F-6138r355982_fix
Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> RSS Feeds >> "Prevent downloading of enclosures" to "Enabled".
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- WN19-CC-000440
- Vuln IDs
-
- V-205874
- V-93267
- Rule IDs
-
- SV-205874r991589_rule
- SV-103355
Checks: C-6139r355984_chk
The default behavior is for Internet Explorer to warn users and select whether to allow or refuse installation when a web-based program attempts to install software on the system. If the registry value name below does not exist, this is not a finding. If it exists and is configured with a value of "0", this is not a finding. If it exists and is configured with a value of "1", this is a finding. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows\Installer\ Value Name: SafeForScripting Value Type: REG_DWORD Value: 0x00000000 (0) (or if the Value Name does not exist)
Fix: F-6139r355985_fix
The default behavior is for Internet Explorer to warn users and select whether to allow or refuse installation when a web-based program attempts to install software on the system. If this needs to be corrected, configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Windows Installer >> "Prevent Internet Explorer security prompt for Windows Installer scripts" to "Not Configured" or "Disabled".
- RMF Control
- CM-6
- Severity
- H
- CCI
- CCI-000366
- Version
- WN19-DC-000150
- Vuln IDs
-
- V-205875
- V-93271
- Rule IDs
-
- SV-205875r991589_rule
- SV-103359
Checks: C-6140r355987_chk
This applies to domain controllers. It is NA for other systems. Open "Command Prompt" (not elevated). Run "ldp.exe". From the "Connection menu", select "Bind". Clear the User, Password, and Domain fields. Select "Simple bind" for the Bind type and click "OK". Confirmation of anonymous access will be displayed at the end: res = ldap_simple_bind_s Authenticated as: 'NT AUTHORITY\ANONYMOUS LOGON' From the "Browse" menu, select "Search". In the Search dialog, enter the DN of the domain naming context (generally something like "dc=disaost,dc=mil") in the Base DN field. Clear the Attributes field and select "Run". Error messages should display related to Bind and user not authenticated. If attribute data is displayed, anonymous access is enabled to the domain naming context and this is a finding. The following network controls allow the finding severity to be downgraded to a CAT II since these measures lower the risk associated with anonymous access. Network hardware ports at the site are subject to 802.1x authentication or MAC address restrictions. Premise firewall or host restrictions prevent access to ports 389, 636, 3268, and 3269 from client hosts not explicitly identified by domain (.mil) or IP address.
Fix: F-6140r355988_fix
Configure directory data (outside the root DSE) of a non-public directory to prevent anonymous access. For AD, there are multiple configuration items that could enable anonymous access. Changing the access permissions on the domain naming context object (from the secure defaults) could enable anonymous access. If the check procedures indicate this is the cause, the process that was used to change the permissions should be reversed. This could have been through the Windows Support Tools ADSI Edit console (adsiedit.msc). The dsHeuristics option is used. This is addressed in check V-8555 in the AD Forest STIG.
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- WN19-DC-000330
- Vuln IDs
-
- V-205876
- V-93273
- Rule IDs
-
- SV-205876r991589_rule
- SV-103361
Checks: C-6141r355990_chk
This applies to domain controllers. It is NA for other systems. If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\ Value Name: RefusePasswordChange Value Type: REG_DWORD Value: 0x00000000 (0)
Fix: F-6141r355991_fix
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Domain controller: Refuse machine account password changes" to "Disabled".
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- WN19-DC-000430
- Vuln IDs
-
- V-205877
- V-93211
- Rule IDs
-
- SV-205877r991589_rule
- SV-103299
Checks: C-6142r355993_chk
This requirement is applicable to domain controllers; it is NA for other systems. Open "Windows PowerShell". Enter "Get-ADUser krbtgt -Property PasswordLastSet". If the "PasswordLastSet" date is more than 180 days old, this is a finding.
Fix: F-6142r857314_fix
Reset the password for the krbtgt account a least every 180 days. The password must be changed twice to effectively remove the password history. Changing once, waiting for replication to complete and changing again reduces the risk of issues. Changing twice in rapid succession forces clients to reauthenticate (including application services) but is desired if a compromise is suspected. PowerShell scripts are available to accomplish this such as at the following link: https://docs.microsoft.com/en-us/answers/questions/97108/resetting-the-krbtgt-account-password-in-a-domain.html All scripts should be tested. Open "Active Directory Users and Computers" (available from various menus or run "dsa.msc"). Select "Advanced Features" in the "View" menu if not previously selected. Select the "Users" node. Right-click on the krbtgt account and select "Reset password". Enter a password that meets password complexity requirements. Clear the "User must change password at next logon" check box. The system will automatically change this to a system-generated complex password.
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- WN19-MS-000050
- Vuln IDs
-
- V-205906
- V-93275
- Rule IDs
-
- SV-205906r991589_rule
- SV-103363
Checks: C-6171r857325_chk
This applies to member servers. For domain controllers and standalone or nondomain-joined systems, this is NA. If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ Value Name: CachedLogonsCount Value Type: REG_SZ Value: 4 (or less)
Fix: F-6171r356081_fix
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Interactive Logon: Number of previous logons to cache (in case Domain Controller is not available)" to "4" logons or less.
- RMF Control
- CM-6
- Severity
- H
- CCI
- CCI-000366
- Version
- WN19-MS-000140
- Vuln IDs
-
- V-205907
- V-93277
- Rule IDs
-
- SV-205907r991589_rule
- SV-103365
Checks: C-6172r857342_chk
For domain controllers and standalone or nondomain-joined systems, this is NA. Open "PowerShell" with elevated privileges (run as administrator). Enter the following: "Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard" If "SecurityServicesRunning" does not include a value of "1" (e.g., "{1, 2}"), this is a finding. Alternately: Run "System Information". Under "System Summary", verify the following: If "Device Guard Security Services Running" does not list "Credential Guard", this is a finding. The policy settings referenced in the Fix section will configure the following registry value. However, due to hardware requirements, the registry value alone does not ensure proper function. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows\DeviceGuard\ Value Name: LsaCfgFlags Value Type: REG_DWORD Value: 0x00000001 (1) (Enabled with UEFI lock) A Microsoft article on Credential Guard system requirement can be found at the following link: https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard-requirements
Fix: F-6172r857343_fix
Configure the policy value for Computer Configuration >> Administrative Templates >> System >> Device Guard >> "Turn On Virtualization Based Security" to "Enabled" with "Enabled with UEFI lock" selected for "Credential Guard Configuration". A Microsoft article on Credential Guard system requirement can be found at the following link: https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard-requirements Severity Override Guidance: The AO can allow the severity override if they have reviewed the overall protection provided to the affected servers that are not capable of complying with the Credential Guard requirement. Items that should be reviewed/considered for compliance or mitigation for non-Credential Guard compliance are: The use of Microsoft Local Administrator Password Solution (LAPS) or similar products to control different local administrative passwords for all affected servers. This is to include a strict password change requirement (60 days or less). …. Strict separation of roles and duties. Server administrator credentials cannot be used on Windows 10 desktop to administer it. Documentation of all exceptions should be supplied. …. Use of a Privileged Access Workstation (PAW) and adherence to the Clean Source principle for administering affected servers. …. Boundary Protection that is currently in place to protect from vulnerabilities in the network/servers. …. Windows Defender rule block credential stealing from LSASS.exe is applied. This rule can only be applied if Windows Defender is in use. …. The overall number of vulnerabilities that are unmitigated on the network/servers.
- RMF Control
- CM-6
- Severity
- H
- CCI
- CCI-000366
- Version
- WN19-SO-000020
- Vuln IDs
-
- V-205908
- V-93279
- Rule IDs
-
- SV-205908r991589_rule
- SV-103367
Checks: C-6173r356086_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Control\Lsa\ Value Name: LimitBlankPasswordUse Value Type: REG_DWORD Value: 0x00000001 (1)
Fix: F-6173r356087_fix
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Accounts: Limit local account use of blank passwords to console logon only" to "Enabled".
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- WN19-SO-000030
- Vuln IDs
-
- V-205909
- V-93281
- Rule IDs
-
- SV-205909r991589_rule
- SV-103369
Checks: C-6174r356089_chk
Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options. If the value for "Accounts: Rename administrator account" is not set to a value other than "Administrator", this is a finding. For server core installations, run the following command: Secedit /Export /Areas SecurityPolicy /CFG C:\Path\FileName.Txt If "NewAdministratorName" is not something other than "Administrator" in the file, this is a finding.
Fix: F-6174r356090_fix
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Accounts: Rename administrator account" to a name other than "Administrator".
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- WN19-SO-000040
- Vuln IDs
-
- V-205910
- V-93283
- Rule IDs
-
- SV-205910r991589_rule
- SV-103371
Checks: C-6175r356092_chk
Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options. If the value for "Accounts: Rename guest account" is not set to a value other than "Guest", this is a finding. For server core installations, run the following command: Secedit /Export /Areas SecurityPolicy /CFG C:\Path\FileName.Txt If "NewGuestName" is not something other than "Guest" in the file, this is a finding.
Fix: F-6175r356093_fix
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Accounts: Rename guest account" to a name other than "Guest".
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- WN19-SO-000100
- Vuln IDs
-
- V-205911
- V-93285
- Rule IDs
-
- SV-205911r991589_rule
- SV-103373
Checks: C-6176r356095_chk
This is the default configuration for this setting (30 days). If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\ Value Name: MaximumPasswordAge Value Type: REG_DWORD Value: 0x0000001e (30) (or less, but not 0)
Fix: F-6176r356096_fix
This is the default configuration for this setting (30 days). Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Domain member: Maximum machine account password age" to "30" or less (excluding "0", which is unacceptable).
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- WN19-SO-000150
- Vuln IDs
-
- V-205912
- V-93287
- Rule IDs
-
- SV-205912r991589_rule
- SV-103375
Checks: C-6177r356098_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ Value Name: scremoveoption Value Type: REG_SZ Value: 1 (Lock Workstation) or 2 (Force Logoff) If configuring this on servers causes issues, such as terminating users' remote sessions, and the organization has a policy in place that any other sessions on the servers, such as administrative console logons, are manually locked or logged off when unattended or not in use, this would be acceptable. This must be documented with the ISSO.
Fix: F-6177r356099_fix
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Interactive logon: Smart card removal behavior" to "Lock Workstation" or "Force Logoff".
- RMF Control
- CM-6
- Severity
- H
- CCI
- CCI-000366
- Version
- WN19-SO-000210
- Vuln IDs
-
- V-205913
- V-93289
- Rule IDs
-
- SV-205913r991589_rule
- SV-103377
Checks: C-6178r356101_chk
Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options. If the value for "Network access: Allow anonymous SID/Name translation" is not set to "Disabled", this is a finding.
Fix: F-6178r356102_fix
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Network access: Allow anonymous SID/Name translation" to "Disabled".
- RMF Control
- CM-6
- Severity
- H
- CCI
- CCI-000366
- Version
- WN19-SO-000220
- Vuln IDs
-
- V-205914
- V-93291
- Rule IDs
-
- SV-205914r991589_rule
- SV-103379
Checks: C-6179r356104_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Control\Lsa\ Value Name: RestrictAnonymousSAM Value Type: REG_DWORD Value: 0x00000001 (1)
Fix: F-6179r356105_fix
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Network access: Do not allow anonymous enumeration of SAM accounts" to "Enabled".
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- WN19-SO-000240
- Vuln IDs
-
- V-205915
- V-93293
- Rule IDs
-
- SV-205915r991589_rule
- SV-103381
Checks: C-6180r356107_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Control\Lsa\ Value Name: EveryoneIncludesAnonymous Value Type: REG_DWORD Value: 0x00000000 (0)
Fix: F-6180r356108_fix
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Network access: Let Everyone permissions apply to anonymous users" to "Disabled".
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- WN19-SO-000260
- Vuln IDs
-
- V-205916
- V-93295
- Rule IDs
-
- SV-205916r991589_rule
- SV-103383
Checks: C-6181r356110_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Control\LSA\ Value Name: UseMachineId Type: REG_DWORD Value: 0x00000001 (1)
Fix: F-6181r356111_fix
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Network security: Allow Local System to use computer identity for NTLM" to "Enabled".
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- WN19-SO-000270
- Vuln IDs
-
- V-205917
- V-93297
- Rule IDs
-
- SV-205917r991589_rule
- SV-103385
Checks: C-6182r356113_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Control\LSA\MSV1_0\ Value Name: allownullsessionfallback Type: REG_DWORD Value: 0x00000000 (0)
Fix: F-6182r356114_fix
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Network security: Allow LocalSystem NULL session fallback" to "Disabled".
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- WN19-SO-000280
- Vuln IDs
-
- V-205918
- V-93299
- Rule IDs
-
- SV-205918r991589_rule
- SV-103387
Checks: C-6183r356116_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Control\LSA\pku2u\ Value Name: AllowOnlineID Type: REG_DWORD Value: 0x00000000 (0)
Fix: F-6183r356117_fix
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Network security: Allow PKU2U authentication requests to this computer to use online identities" to "Disabled".
- RMF Control
- CM-6
- Severity
- H
- CCI
- CCI-000366
- Version
- WN19-SO-000310
- Vuln IDs
-
- V-205919
- V-93301
- Rule IDs
-
- SV-205919r991589_rule
- SV-103389
Checks: C-6184r356119_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Control\Lsa\ Value Name: LmCompatibilityLevel Value Type: REG_DWORD Value: 0x00000005 (5)
Fix: F-6184r356120_fix
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Network security: LAN Manager authentication level" to "Send NTLMv2 response only. Refuse LM & NTLM".
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- WN19-SO-000320
- Vuln IDs
-
- V-205920
- V-93303
- Rule IDs
-
- SV-205920r991589_rule
- SV-103391
Checks: C-6185r356122_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Services\LDAP\ Value Name: LDAPClientIntegrity Value Type: REG_DWORD Value: 0x00000001 (1)
Fix: F-6185r356123_fix
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Network security: LDAP client signing requirements" to "Negotiate signing" at a minimum.
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- WN19-SO-000330
- Vuln IDs
-
- V-205921
- V-93305
- Rule IDs
-
- SV-205921r991589_rule
- SV-103393
Checks: C-6186r356125_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0\ Value Name: NTLMMinClientSec Value Type: REG_DWORD Value: 0x20080000 (537395200)
Fix: F-6186r356126_fix
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Network security: Minimum session security for NTLM SSP based (including secure RPC) clients" to "Require NTLMv2 session security" and "Require 128-bit encryption" (all options selected).
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- WN19-SO-000340
- Vuln IDs
-
- V-205922
- V-93307
- Rule IDs
-
- SV-205922r991589_rule
- SV-103395
Checks: C-6187r356128_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0\ Value Name: NTLMMinServerSec Value Type: REG_DWORD Value: 0x20080000 (537395200)
Fix: F-6187r356129_fix
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Network security: Minimum session security for NTLM SSP based (including secure RPC) servers" to "Require NTLMv2 session security" and "Require 128-bit encryption" (all options selected).
- RMF Control
- CM-6
- Severity
- L
- CCI
- CCI-000366
- Version
- WN19-SO-000370
- Vuln IDs
-
- V-205923
- V-93309
- Rule IDs
-
- SV-205923r991589_rule
- SV-103397
Checks: C-6188r356131_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Control\Session Manager\ Value Name: ProtectionMode Value Type: REG_DWORD Value: 0x00000001 (1)
Fix: F-6188r356132_fix
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "System objects: Strengthen default permissions of internal system objects (e.g., Symbolic Links)" to "Enabled".
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- WN19-UC-000010
- Vuln IDs
-
- V-205924
- V-93311
- Rule IDs
-
- SV-205924r991589_rule
- SV-103399
Checks: C-6189r356134_chk
The default behavior is for Windows to mark file attachments with their zone information. If the registry Value Name below does not exist, this is not a finding. If it exists and is configured with a value of "2", this is not a finding. If it exists and is configured with a value of "1", this is a finding. Registry Hive: HKEY_CURRENT_USER Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments\ Value Name: SaveZoneInformation Value Type: REG_DWORD Value: 0x00000002 (2) (or if the Value Name does not exist)
Fix: F-6189r356135_fix
The default behavior is for Windows to mark file attachments with their zone information. If this needs to be corrected, configure the policy value for User Configuration >> Administrative Templates >> Windows Components >> Attachment Manager >> "Do not preserve zone information in file attachments" to "Not Configured" or "Disabled".
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- WN19-CC-000450
- Vuln IDs
-
- V-205925
- V-93269
- Rule IDs
-
- SV-205925r991591_rule
- SV-103357
Checks: C-6190r356137_chk
Verify the registry value below. If it does not exist or is not configured as specified, this is a finding. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: DisableAutomaticRestartSignOn Value Type: REG_DWORD Value: 0x00000001 (1)
Fix: F-6190r356138_fix
Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Windows Logon Options >> "Sign-in last interactive user automatically after a system-initiated restart" to "Disabled".
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- WN19-00-000280
- Vuln IDs
-
- V-214936
- V-93571
- Rule IDs
-
- SV-214936r991589_rule
- SV-103657
Checks: C-16136r356140_chk
Determine if a host-based firewall is installed and enabled on the system. If a host-based firewall is not installed and enabled on the system, this is a finding. The configuration requirements will be determined by the applicable firewall STIG.
Fix: F-16134r356141_fix
Install and enable a host-based firewall on the system.
- RMF Control
- AU-3
- Severity
- M
- CCI
- CCI-000134
- Version
- WN19-CC-000530
- Vuln IDs
-
- V-257503
- Rule IDs
-
- SV-257503r958420_rule
Checks: C-61238r921893_chk
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription\ Value Name: EnableTranscripting Value Type: REG_DWORD Value: 1
Fix: F-61162r921894_fix
Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Windows PowerShell >> "Turn on PowerShell Transcription" to "Enabled". Specify the Transcript output directory to point to a Central Log Server or another secure location to prevent user access.
- RMF Control
- AC-3
- Severity
- M
- CCI
- CCI-000213
- Version
- WN19-DC-000391
- Vuln IDs
-
- V-271428
- Rule IDs
-
- SV-271428r1137691_rule
Checks: C-75477r1059561_chk
This applies to domain controllers. This is not applicable for member servers. If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: SYSTEM\CurrentControlSet\Services\Kdc Value Name: StrongCertificateBindingEnforcement Value Type: REG_DWORD Value: 0x00000001 (1) or 0x00000002 (2)
Fix: F-75384r1059562_fix
Configure the registry value. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: SYSTEM\CurrentControlSet\Services\Kdc Value Name: StrongCertificateBindingEnforcement Value Type: REG_DWORD Value: 0x00000001 (1) or 0x00000002 (2)
- RMF Control
- AC-3
- Severity
- M
- CCI
- CCI-000213
- Version
- WN19-DC-000401
- Vuln IDs
-
- V-271429
- Rule IDs
-
- SV-271429r1137691_rule
Checks: C-75478r1106519_chk
This applies to domain controllers. This is not applicable for member servers. Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Or Using the registry, check HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\KDC\Parameters, Key: UseStrongNameMatches. Or Using GPRESULT, check the applicable GPO for "Allow name-based strong mappings for certificates". Navigate to Local Computer Policy >> Computer Configuration >> Administrative Template >> System >> KDC >> Allow name-based strong mappings for certificates. If "Allow name-based strong mappings for certificates" is not "Enabled", this is a finding.
Fix: F-75385r1059565_fix
Configure the policy value for Computer Configuration >> Administrative Template >> System >> KDC >> Allow name-based strong mappings for certificates to "Enabled".
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- WN19-AU-000581
- Vuln IDs
-
- V-278934
- Rule IDs
-
- SV-278934r1135330_rule
Checks: C-83468r1135328_chk
Verify that Audit File System auditing has been enabled: Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Object Access >> Audit File System. If "Audit File System" is not set to "Failure", this is a finding.
Fix: F-83373r1135329_fix
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Object Access >> "Audit File System" with "Failure" selected.
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- WN19-AU-000582
- Vuln IDs
-
- V-278935
- Rule IDs
-
- SV-278935r1135333_rule
Checks: C-83469r1135331_chk
Verify that Audit File System auditing has been enabled: Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Object Access >> Audit File System. If "Audit File System" is not set to "Success", this is a finding.
Fix: F-83374r1135332_fix
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Object Access >> "Audit File System" with "Success" selected.
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- WN19-AU-000583
- Vuln IDs
-
- V-278936
- Rule IDs
-
- SV-278936r1135336_rule
Checks: C-83470r1135334_chk
Verify that Audit Handle Manipulation auditing has been enabled: Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Object Access >> Audit Handle Manipulation. If "Audit Handle Manipulation" is not set to "Failure", this is a finding.
Fix: F-83375r1135335_fix
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Object Access >> "Audit Handle Manipulation" with "Failure" selected.
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- WN19-AU-000584
- Vuln IDs
-
- V-278937
- Rule IDs
-
- SV-278937r1135339_rule
Checks: C-83471r1135337_chk
Verify that Audit Handle Manipulation auditing has been enabled: Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Object Access >> Audit Handle Manipulation. If "Audit Handle Manipulation" is not set to "Success", this is a finding.
Fix: F-83376r1135338_fix
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Object Access >> "Audit Handle Manipulation" with "Success" selected.
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- WN19-AU-000585
- Vuln IDs
-
- V-278938
- Rule IDs
-
- SV-278938r1135342_rule
Checks: C-83472r1135340_chk
Verify that Audit Registry auditing has been enabled: Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Object Access >> Audit Registry. If "Audit Registry" is not set to "Failure", this is a finding.
Fix: F-83377r1135341_fix
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Object Access >> "Audit Registry" with "Failure" selected.
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- WN19-AU-000586
- Vuln IDs
-
- V-278939
- Rule IDs
-
- SV-278939r1135345_rule
Checks: C-83473r1135343_chk
Verify that Audit Registry auditing has been enabled: Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Object Access >> Audit Registry. If "Audit Registry" is not set to "Success", this is a finding.
Fix: F-83378r1135344_fix
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Object Access >> "Audit Registry" with "Success" selected.
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- WN19-AU-000587
- Vuln IDs
-
- V-278940
- Rule IDs
-
- SV-278940r1141922_rule
Checks: C-83474r1141920_chk
Verify that Audit Sensitive Privilege Use auditing has been enabled: Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Privilege Use >> Audit Sensitive Privilege Use. If "Audit Sensitive Privilege Use" is not set to "Success", this is a finding.
Fix: F-83379r1141921_fix
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Privilege Use >> Audit Sensitive Privilege Use with "Success" selected.
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- WN19-AU-000588
- Vuln IDs
-
- V-278941
- Rule IDs
-
- SV-278941r1141925_rule
Checks: C-83475r1141923_chk
Verify that Audit Sensitive Privilege Use auditing has been enabled: Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Privilege Use >> Audit Sensitive Privilege Use. If "Audit Sensitive Privilege Use" is not set to "Failure", this is a finding.
Fix: F-83380r1141924_fix
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Privilege Use >> Audit Sensitive Privilege Use with "Failure" selected.