DISA STIG • Operating System
Windows 11
| Vuln ID | STIG ID | CAT | Finding | Responsibility |
|---|---|---|---|---|
| V-253259 | WN11-00-000030 | CAT I | Windows 11 information systems must use BitLocker to encrypt all disks to protect the confidentiality and integrity of all information at rest. | — |
| V-253260 | WN11-00-000031 | CAT I | Windows 11 systems must use a BitLocker PIN for pre-boot authentication. | — |
| V-253263 | WN11-00-000040 | CAT I | Windows 11 systems must be maintained at a supported servicing level. | — |
| V-253264 | WN11-00-000045 | CAT I | The Windows 11 system must use an antivirus program. | — |
| V-253265 | WN11-00-000050 | CAT I | Local volumes must be formatted using NTFS. | — |
| V-253269 | WN11-00-000070 | CAT I | Only accounts responsible for the administration of a system must have Administrator rights on the system. | — |
| V-253275 | WN11-00-000100 | CAT I | Internet Information System (IIS) or its subcomponents must not be installed on a workstation. | — |
| V-253284 | WN11-00-000150 | CAT I | Structured Exception Handling Overwrite Protection (SEHOP) must be enabled. | — |
| V-253294 | WN11-00-000240 | CAT I | Administrative accounts must not be used with applications that access the internet, such as web browsers, or with potential internet sources, such as email. | — |
| V-253305 | WN11-AC-000045 | CAT I | Reversible password encryption must be disabled. | — |
| V-253370 | WN11-CC-000075 | CAT I | Credential Guard must be running on Windows 11 domain-joined systems. | — |
| V-253382 | WN11-CC-000155 | CAT I | Solicited Remote Assistance must not be allowed. | — |
| V-253386 | WN11-CC-000180 | CAT I | Autoplay must be turned off for non-volume devices. | — |
| V-253387 | WN11-CC-000185 | CAT I | The default autorun behavior must be configured to prevent autorun commands. | — |
| V-253388 | WN11-CC-000190 | CAT I | Autoplay must be disabled for all drives. | — |
| V-253411 | WN11-CC-000315 | CAT I | The Windows Installer feature "Always install with elevated privileges" must be disabled. | — |
| V-253416 | WN11-CC-000330 | CAT I | The Windows Remote Management (WinRM) client must not use Basic authentication. | — |
| V-253418 | WN11-CC-000345 | CAT I | The Windows Remote Management (WinRM) service must not use Basic authentication. | — |
| V-253452 | WN11-SO-000140 | CAT I | Anonymous SID/Name translation must not be allowed. | — |
| V-253453 | WN11-SO-000145 | CAT I | Anonymous enumeration of SAM accounts must not be allowed. | — |
| V-253454 | WN11-SO-000150 | CAT I | Anonymous enumeration of shares must be restricted. | — |
| V-253456 | WN11-SO-000165 | CAT I | Anonymous access to Named Pipes and Shares must be restricted. | — |
| V-253461 | WN11-SO-000195 | CAT I | The system must be configured to prevent the storage of the LAN Manager hash of passwords. | — |
| V-253462 | WN11-SO-000205 | CAT I | The LanMan authentication level must be set to send NTLMv2 response only, and to refuse LM and NTLM. | — |
| V-253481 | WN11-UR-000015 | CAT I | The "Act as part of the operating system" user right must not be assigned to any groups or accounts. | — |
| V-253486 | WN11-UR-000045 | CAT I | The "Create a token object" user right must not be assigned to any groups or accounts. | — |
| V-253490 | WN11-UR-000065 | CAT I | The "Debug programs" user right must only be assigned to the Administrators group. | — |
| V-253254 | WN11-00-000005 | CAT II | Domain-joined systems must use Windows 11 Enterprise Edition 64-bit version. | — |
| V-253255 | WN11-00-000010 | CAT II | Windows 11 domain-joined systems must have a Trusted Platform Module (TPM) enabled. | — |
| V-253256 | WN11-00-000015 | CAT II | Windows 11 systems must have Unified Extensible Firmware Interface (UEFI) firmware and be configured to run in UEFI mode, not Legacy BIOS. | — |
| V-253257 | WN11-00-000020 | CAT II | Secure Boot must be enabled on Windows 11 systems. | — |
| V-253258 | WN11-00-000025 | CAT II | Windows 11 must employ automated mechanisms to determine the state of system components with regard to flaw remediation using the following frequency: Continuously, where ESS is used; 30 days, for any additional internal network scans not covered by ESS; and annually, for external scans by Computer Network Defense Service Provider (CNDSP). | — |
| V-253261 | WN11-00-000032 | CAT II | Windows 11 systems must use a BitLocker PIN with a minimum length of six digits for pre-boot authentication. | — |
| V-253262 | WN11-00-000035 | CAT II | The operating system must employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. | — |
| V-253266 | WN11-00-000055 | CAT II | Alternate operating systems must not be permitted on the same system. | — |
| V-253267 | WN11-00-000060 | CAT II | Non-system-created file shares on a system must limit access to groups that require it. | — |
| V-253270 | WN11-00-000075 | CAT II | Only accounts responsible for the backup operations must be members of the Backup Operators group. | — |
| V-253271 | WN11-00-000080 | CAT II | Only authorized user accounts must be allowed to create or run virtual machines on Windows 11 systems. | — |
| V-253273 | WN11-00-000090 | CAT II | Accounts must be configured to require password expiration. | — |
| V-253274 | WN11-00-000095 | CAT II | Permissions for system files and directories must conform to minimum requirements. | — |
| V-253276 | WN11-00-000105 | CAT II | Simple Network Management Protocol (SNMP) must not be installed on the system. | — |
| V-253277 | WN11-00-000110 | CAT II | Simple TCP/IP Services must not be installed on the system. | — |
| V-253278 | WN11-00-000115 | CAT II | The Telnet Client must not be installed on the system. | — |
| V-253279 | WN11-00-000120 | CAT II | The TFTP Client must not be installed on the system. | — |
| V-268317 | WN11-00-000125 | CAT II | Copilot must be disabled for Windows 11. | — |
| V-279688 | WN11-00-000126 | CAT II | Windows 11 systems must block consumer account user authentication. | — |
| V-253280 | WN11-00-000130 | CAT II | Software certificate installation files must be removed from Windows 11. | — |
| V-253281 | WN11-00-000135 | CAT II | A host-based firewall must be installed and enabled on the system. | — |
| V-253282 | WN11-00-000140 | CAT II | Inbound exceptions to the firewall on Windows 11 domain workstations must only allow authorized remote management hosts. | — |
| V-253285 | WN11-00-000155 | CAT II | The Windows PowerShell 2.0 feature must be disabled on the system. | — |
| V-253286 | WN11-00-000160 | CAT II | The Server Message Block (SMB) v1 protocol must be disabled on the system. | — |
| V-253287 | WN11-00-000165 | CAT II | The Server Message Block (SMB) v1 protocol must be disabled on the SMB server. | — |
| V-253288 | WN11-00-000170 | CAT II | The Server Message Block (SMB) v1 protocol must be disabled on the SMB client. | — |
| V-253289 | WN11-00-000175 | CAT II | The Secondary Logon service must be disabled on Windows 11. | — |
| V-253290 | WN11-00-000190 | CAT II | Orphaned security identifiers (SIDs) must be removed from user rights on Windows 11. | — |
| V-253291 | WN11-00-000210 | CAT II | Bluetooth must be turned off unless approved by the organization. | — |
| V-253293 | WN11-00-000230 | CAT II | The system must notify the user when a Bluetooth device attempts to connect. | — |
| V-253295 | WN11-00-000250 | CAT II | Windows 11 nonpersistent VM sessions must not exceed 24 hours. | — |
| V-257592 | WN11-00-000395 | CAT II | Windows 11 must not have portproxy enabled or in use. | — |
| V-253297 | WN11-AC-000005 | CAT II | Windows 11 account lockout duration must be configured to 15 minutes or greater. | — |
| V-253298 | WN11-AC-000010 | CAT II | The number of allowed bad logon attempts must be configured to three or less. | — |
| V-253299 | WN11-AC-000015 | CAT II | The period of time before the bad logon counter is reset must be configured to 15 minutes. | — |
| V-253300 | WN11-AC-000020 | CAT II | The password history must be configured to 24 passwords remembered. | — |
| V-253301 | WN11-AC-000025 | CAT II | The maximum password age must be configured to 60 days or less. | — |
| V-253302 | WN11-AC-000030 | CAT II | The minimum password age must be configured to at least 1 day. | — |
| V-253303 | WN11-AC-000035 | CAT II | Passwords must, at a minimum, be 14 characters. | — |
| V-253304 | WN11-AC-000040 | CAT II | The built-in Microsoft password complexity filter must be enabled. | — |
| V-253306 | WN11-AU-000005 | CAT II | The system must be configured to audit Account Logon - Credential Validation failures. | — |
| V-253307 | WN11-AU-000010 | CAT II | The system must be configured to audit Account Logon - Credential Validation successes. | — |
| V-253308 | WN11-AU-000030 | CAT II | The system must be configured to audit Account Management - Security Group Management successes. | — |
| V-253309 | WN11-AU-000035 | CAT II | The system must be configured to audit Account Management - User Account Management failures. | — |
| V-253310 | WN11-AU-000040 | CAT II | The system must be configured to audit Account Management - User Account Management successes. | — |
| V-253311 | WN11-AU-000045 | CAT II | The system must be configured to audit Detailed Tracking - PNP Activity successes. | — |
| V-253312 | WN11-AU-000050 | CAT II | The system must be configured to audit Detailed Tracking - Process Creation successes. | — |
| V-253313 | WN11-AU-000054 | CAT II | The system must be configured to audit Logon/Logoff - Account Lockout failures. | — |
| V-253314 | WN11-AU-000060 | CAT II | The system must be configured to audit Logon/Logoff - Group Membership successes. | — |
| V-253315 | WN11-AU-000065 | CAT II | The system must be configured to audit Logon/Logoff - Logoff successes. | — |
| V-253316 | WN11-AU-000070 | CAT II | The system must be configured to audit Logon/Logoff - Logon failures. | — |
| V-253317 | WN11-AU-000075 | CAT II | The system must be configured to audit Logon/Logoff - Logon successes. | — |
| V-253318 | WN11-AU-000080 | CAT II | The system must be configured to audit Logon/Logoff - Special Logon successes. | — |
| V-253319 | WN11-AU-000081 | CAT II | Windows 11 must be configured to audit Object Access - File Share failures. | — |
| V-253320 | WN11-AU-000082 | CAT II | Windows 11 must be configured to audit Object Access - File Share successes. | — |
| V-253321 | WN11-AU-000083 | CAT II | Windows 11 must be configured to audit Object Access - Other Object Access Events successes. | — |
| V-253322 | WN11-AU-000084 | CAT II | Windows 11 must be configured to audit Object Access - Other Object Access Events failures. | — |
| V-253323 | WN11-AU-000085 | CAT II | The system must be configured to audit Object Access - Removable Storage failures. | — |
| V-253324 | WN11-AU-000090 | CAT II | The system must be configured to audit Object Access - Removable Storage successes. | — |
| V-253325 | WN11-AU-000100 | CAT II | The system must be configured to audit Policy Change - Audit Policy Change successes. | — |
| V-253326 | WN11-AU-000105 | CAT II | The system must be configured to audit Policy Change - Authentication Policy Change successes. | — |
| V-253327 | WN11-AU-000107 | CAT II | The system must be configured to audit Policy Change - Authorization Policy Change successes. | — |
| V-253328 | WN11-AU-000110 | CAT II | The system must be configured to audit Privilege Use - Sensitive Privilege Use failures. | — |
| V-253329 | WN11-AU-000115 | CAT II | The system must be configured to audit Privilege Use - Sensitive Privilege Use successes. | — |
| V-253330 | WN11-AU-000120 | CAT II | The system must be configured to audit System - IPsec Driver failures. | — |
| V-253331 | WN11-AU-000130 | CAT II | The system must be configured to audit System - Other System Events successes. | — |
| V-253332 | WN11-AU-000135 | CAT II | The system must be configured to audit System - Other System Events failures. | — |
| V-253333 | WN11-AU-000140 | CAT II | The system must be configured to audit System - Security State Change successes. | — |
| V-253334 | WN11-AU-000150 | CAT II | The system must be configured to audit System - Security System Extension successes. | — |
| V-253335 | WN11-AU-000155 | CAT II | The system must be configured to audit System - System Integrity failures. | — |
| V-253336 | WN11-AU-000160 | CAT II | The system must be configured to audit System - System Integrity successes. | — |
| V-253337 | WN11-AU-000500 | CAT II | The Application event log size must be configured to 32768 KB or greater. | — |
| V-253338 | WN11-AU-000505 | CAT II | The Security event log size must be configured to 1024000 KB or greater. | — |
| V-253339 | WN11-AU-000510 | CAT II | The System event log size must be configured to 32768 KB or greater. | — |
| V-253340 | WN11-AU-000515 | CAT II | Windows 11 permissions for the Application event log must prevent access by non-privileged accounts. | — |
| V-253341 | WN11-AU-000520 | CAT II | Windows 11 permissions for the Security event log must prevent access by non-privileged accounts. | — |
| V-253342 | WN11-AU-000525 | CAT II | Windows 11 permissions for the System event log must prevent access by non-privileged accounts. | — |
| V-253344 | WN11-AU-000555 | CAT II | Windows 11 must be configured to audit Other Policy Change Events Failures. | — |
| V-253345 | WN11-AU-000560 | CAT II | Windows 11 must be configured to audit other Logon/Logoff Events Successes. | — |
| V-253346 | WN11-AU-000565 | CAT II | Windows 11 must be configured to audit other Logon/Logoff Events Failures. | — |
| V-253347 | WN11-AU-000570 | CAT II | Windows 11 must be configured to audit Detailed File Share Failures. | — |
| V-253348 | WN11-AU-000575 | CAT II | Windows 11 must be configured to audit MPSSVC Rule-Level Policy Change Successes. | — |
| V-253349 | WN11-AU-000580 | CAT II | Windows 11 must be configured to audit MPSSVC Rule-Level Policy Change Failures. | — |
| V-278926 | WN11-AU-000581 | CAT II | Windows 11 must be configured to audit file system failures. | — |
| V-278927 | WN11-AU-000582 | CAT II | Windows 11 must be configured to audit file system successes. | — |
| V-278928 | WN11-AU-000583 | CAT II | Windows 11 must be configured to audit handle manipulation failures. | — |
| V-278929 | WN11-AU-000584 | CAT II | Windows 11 must be configured to audit handle manipulation successes. | — |
| V-257770 | WN11-AU-000585 | CAT II | Windows 11 must have command line process auditing events enabled for failures. | — |
| V-278931 | WN11-AU-000586 | CAT II | Windows 11 must be configured to audit registry successes. | — |
| V-278932 | WN11-AU-000587 | CAT II | Windows 11 must be configured to audit sensitive privilege use successes. | — |
| V-278933 | WN11-AU-000588 | CAT II | Windows 11 must be configured to audit sensitive privilege use failures. | — |
| V-278930 | WN11-AU-000589 | CAT II | Windows 11 must be configured to audit registry failures. | — |
| V-253350 | WN11-CC-000005 | CAT II | Camera access from the lock screen must be disabled. | — |
| V-253351 | WN11-CC-000007 | CAT II | Windows 11 must cover or disable the built-in or attached camera when not in use. | — |
| V-253352 | WN11-CC-000010 | CAT II | The display of slide shows on the lock screen must be disabled. | — |
| V-253353 | WN11-CC-000020 | CAT II | IPv6 source routing must be configured to highest protection. | — |
| V-253354 | WN11-CC-000025 | CAT II | The system must be configured to prevent IP source routing. | — |
| V-253357 | WN11-CC-000037 | CAT II | Local administrator accounts must have their privileged token filtered to prevent elevated privileges from being used over the network on domain systems. | — |
| V-253358 | WN11-CC-000038 | CAT II | WDigest Authentication must be disabled. | — |
| V-253359 | WN11-CC-000039 | CAT II | Run as different user must be removed from context menus. | — |
| V-253360 | WN11-CC-000040 | CAT II | Insecure logons to an SMB server must be disabled. | — |
| V-253361 | WN11-CC-000044 | CAT II | Internet connection sharing must be disabled. | — |
| V-253362 | WN11-CC-000050 | CAT II | Hardened UNC Paths must be defined to require mutual authentication and integrity for at least the \\*\SYSVOL and \\*\NETLOGON shares. | — |
| V-253363 | WN11-CC-000052 | CAT II | Windows 11 must be configured to prioritize ECC Curves with longer key lengths first. | — |
| V-253364 | WN11-CC-000055 | CAT II | Simultaneous connections to the internet or a Windows domain must be limited. | — |
| V-253365 | WN11-CC-000060 | CAT II | Connections to non-domain networks when connected to a domain authenticated network must be blocked. | — |
| V-268318 | WN11-CC-000063 | CAT II | Windows 11 systems must use either Group Policy or an approved Mobile Device Management (MDM) product to enforce STIG compliance. | — |
| V-253366 | WN11-CC-000065 | CAT II | Wi-Fi Sense must be disabled. | — |
| V-253367 | WN11-CC-000066 | CAT II | Command line data must be included in process creation events. | — |
| V-253368 | WN11-CC-000068 | CAT II | Windows 11 must be configured to enable Remote host allows delegation of non-exportable credentials. | — |
| V-253369 | WN11-CC-000070 | CAT II | Virtualization-based Security must be enabled on Windows 11 with the platform security level configured to Secure Boot or Secure Boot with DMA Protection. | — |
| V-253371 | WN11-CC-000080 | CAT II | Virtualization-based protection of code integrity must be enabled. | — |
| V-253372 | WN11-CC-000085 | CAT II | Early Launch Antimalware, Boot-Start Driver Initialization Policy must prevent boot drivers. | — |
| V-253373 | WN11-CC-000090 | CAT II | Group Policy objects must be reprocessed even if they have not changed. | — |
| V-253374 | WN11-CC-000100 | CAT II | Downloading print driver packages over HTTP must be prevented. | — |
| V-253375 | WN11-CC-000105 | CAT II | Web publishing and online ordering wizards must be prevented from downloading a list of providers. | — |
| V-253376 | WN11-CC-000110 | CAT II | Printing over HTTP must be prevented. | — |
| V-253377 | WN11-CC-000115 | CAT II | Systems must at least attempt device authentication using certificates. | — |
| V-253378 | WN11-CC-000120 | CAT II | The network selection user interface (UI) must not be displayed on the logon screen. | — |
| V-253379 | WN11-CC-000130 | CAT II | Local users on domain-joined computers must not be enumerated. | — |
| V-253380 | WN11-CC-000145 | CAT II | Users must be prompted for a password on resume from sleep (on battery). | — |
| V-253381 | WN11-CC-000150 | CAT II | The user must be prompted for a password on resume from sleep (plugged in). | — |
| V-253383 | WN11-CC-000165 | CAT II | Unauthenticated RPC clients must be restricted from connecting to the RPC server. | — |
| V-253389 | WN11-CC-000195 | CAT II | Enhanced anti-spoofing for facial recognition must be enabled on Windows 11. | — |
| V-253391 | WN11-CC-000200 | CAT II | Administrator accounts must not be enumerated during elevation. | — |
| V-253392 | WN11-CC-000204 | CAT II | Enhanced diagnostic data must be limited to the minimum required to support Windows Analytics. | — |
| V-253393 | WN11-CC-000205 | CAT II | Windows Telemetry must not be configured to Full. | — |
| V-253395 | WN11-CC-000210 | CAT II | The Microsoft Defender SmartScreen for Explorer must be enabled. | — |
| V-253396 | WN11-CC-000215 | CAT II | Explorer Data Execution Prevention must be enabled. | — |
| V-253398 | WN11-CC-000225 | CAT II | File Explorer shell protocol must run in protected mode. | — |
| V-253399 | WN11-CC-000252 | CAT II | Windows 11 must be configured to disable Windows Game Recording and Broadcasting. | — |
| V-253400 | WN11-CC-000255 | CAT II | The use of a hardware security device with Windows Hello for Business must be enabled. | — |
| V-253401 | WN11-CC-000260 | CAT II | Windows 11 must be configured to require a minimum pin length of six characters or greater. | — |
| V-253402 | WN11-CC-000270 | CAT II | Passwords must not be saved in the Remote Desktop Client. | — |
| V-253403 | WN11-CC-000275 | CAT II | Local drives must be prevented from sharing with Remote Desktop Session Hosts. | — |
| V-253404 | WN11-CC-000280 | CAT II | Remote Desktop Services must always prompt a client for passwords upon connection. | — |
| V-253405 | WN11-CC-000285 | CAT II | The Remote Desktop Session Host must require secure RPC communications. | — |
| V-253406 | WN11-CC-000290 | CAT II | Remote Desktop Services must be configured with the client connection encryption set to the required level. | — |
| V-253407 | WN11-CC-000295 | CAT II | Attachments must be prevented from being downloaded from RSS feeds. | — |
| V-253408 | WN11-CC-000300 | CAT II | Basic authentication for RSS feeds over HTTP must not be used. | — |
| V-253409 | WN11-CC-000305 | CAT II | Indexing of encrypted files must be turned off. | — |
| V-253410 | WN11-CC-000310 | CAT II | Users must be prevented from changing installation options. | — |
| V-253412 | WN11-CC-000320 | CAT II | Users must be notified if a web-based program attempts to install software. | — |
| V-253413 | WN11-CC-000325 | CAT II | Automatically signing in the last interactive user after a system-initiated restart must be disabled. | — |
| V-253414 | WN11-CC-000326 | CAT II | PowerShell script block logging must be enabled on Windows 11. | — |
| V-253415 | WN11-CC-000327 | CAT II | PowerShell Transcription must be enabled on Windows 11. | — |
| V-253417 | WN11-CC-000335 | CAT II | The Windows Remote Management (WinRM) client must not allow unencrypted traffic. | — |
| V-253419 | WN11-CC-000350 | CAT II | The Windows Remote Management (WinRM) service must not allow unencrypted traffic. | — |
| V-253420 | WN11-CC-000355 | CAT II | The Windows Remote Management (WinRM) service must not store RunAs credentials. | — |
| V-253421 | WN11-CC-000360 | CAT II | The Windows Remote Management (WinRM) client must not use Digest authentication. | — |
| V-253422 | WN11-CC-000365 | CAT II | Windows 11 must be configured to prevent Windows apps from being activated by voice while the system is locked. | — |
| V-253423 | WN11-CC-000370 | CAT II | The convenience PIN for Windows 11 must be disabled. | — |
| V-253424 | WN11-CC-000385 | CAT II | Windows Ink Workspace must be configured to disallow access above the lock. | — |
| V-256893 | WN11-CC-000391 | CAT II | Internet Explorer must be disabled for Windows 11. | — |
| V-253426 | WN11-EP-000310 | CAT II | Windows 11 Kernel (Direct Memory Access) DMA Protection must be enabled. | — |
| V-253427 | WN11-PK-000005 | CAT II | The DoD Root CA certificates must be installed in the Trusted Root Store. | — |
| V-253428 | WN11-PK-000010 | CAT II | The External Root CA certificates must be installed in the Trusted Root Store on unclassified systems. | — |
| V-253429 | WN11-PK-000015 | CAT II | The DoD Interoperability Root CA cross-certificates must be installed in the Untrusted Certificates Store on unclassified systems. | — |
| V-253430 | WN11-PK-000020 | CAT II | The US DOD CCEB Interoperability Root CA cross-certificates must be installed in the Untrusted Certificates Store on unclassified systems. | — |
| V-253431 | WN11-RG-000005 | CAT II | Default permissions for the HKEY_LOCAL_MACHINE registry hive must be maintained. | — |
| V-253433 | WN11-SO-000010 | CAT II | The built-in guest account must be disabled. | — |
| V-253434 | WN11-SO-000015 | CAT II | Local accounts with blank passwords must be restricted to prevent access from the network. | — |
| V-253435 | WN11-SO-000020 | CAT II | The built-in administrator account must be renamed. | — |
| V-253436 | WN11-SO-000025 | CAT II | The built-in guest account must be renamed. | — |
| V-253437 | WN11-SO-000030 | CAT II | Audit policy using subcategories must be enabled. | — |
| V-253438 | WN11-SO-000035 | CAT II | Outgoing secure channel traffic must be encrypted or signed. | — |
| V-253439 | WN11-SO-000040 | CAT II | Outgoing secure channel traffic must be encrypted. | — |
| V-253440 | WN11-SO-000045 | CAT II | Outgoing secure channel traffic must be signed. | — |
| V-253443 | WN11-SO-000060 | CAT II | The system must be configured to require a strong session key. | — |
| V-253444 | WN11-SO-000070 | CAT II | The machine inactivity limit must be set to 15 minutes, locking the system with the screensaver. | — |
| V-253445 | WN11-SO-000075 | CAT II | The required legal notice must be configured to display before console logon. | — |
| V-253448 | WN11-SO-000095 | CAT II | The Smart Card removal option must be configured to Force Logoff or Lock Workstation. | — |
| V-253449 | WN11-SO-000100 | CAT II | The Windows SMB client must be configured to always perform SMB packet signing. | — |
| V-253450 | WN11-SO-000110 | CAT II | Unencrypted passwords must not be sent to third-party SMB Servers. | — |
| V-253451 | WN11-SO-000120 | CAT II | The Windows SMB server must be configured to always perform SMB packet signing. | — |
| V-253455 | WN11-SO-000160 | CAT II | The system must be configured to prevent anonymous users from having the same rights as the Everyone group. | — |
| V-253457 | WN11-SO-000167 | CAT II | Remote calls to the Security Account Manager (SAM) must be restricted to Administrators. | — |
| V-253458 | WN11-SO-000180 | CAT II | NTLM must be prevented from falling back to a Null session. | — |
| V-253459 | WN11-SO-000185 | CAT II | PKU2U authentication using online identities must be prevented. | — |
| V-253460 | WN11-SO-000190 | CAT II | Kerberos encryption types must be configured to prevent the use of DES and RC4 encryption suites. | — |
| V-253463 | WN11-SO-000210 | CAT II | The system must be configured to the required LDAP client signing level. | — |
| V-253464 | WN11-SO-000215 | CAT II | The system must be configured to meet the minimum session security requirement for NTLM SSP based clients. | — |
| V-253465 | WN11-SO-000220 | CAT II | The system must be configured to meet the minimum session security requirement for NTLM SSP based servers. | — |
| V-253466 | WN11-SO-000230 | CAT II | The system must be configured to use FIPS-compliant algorithms for encryption, hashing, and signing. | — |
| V-253468 | WN11-SO-000245 | CAT II | User Account Control approval mode for the built-in Administrator must be enabled. | — |
| V-253469 | WN11-SO-000250 | CAT II | User Account Control must prompt administrators for consent on the secure desktop. | — |
| V-253470 | WN11-SO-000251 | CAT II | Windows 11 must use multifactor authentication for local and network access to privileged and nonprivileged accounts. | — |
| V-253471 | WN11-SO-000255 | CAT II | User Account Control must automatically deny elevation requests for standard users. | — |
| V-253472 | WN11-SO-000260 | CAT II | User Account Control must be configured to detect application installations and prompt for elevation. | — |
| V-253473 | WN11-SO-000265 | CAT II | User Account Control must only elevate UIAccess applications that are installed in secure locations. | — |
| V-253474 | WN11-SO-000270 | CAT II | User Account Control must run all administrators in Admin Approval Mode, enabling UAC. | — |
| V-253475 | WN11-SO-000275 | CAT II | User Account Control must virtualize file and registry write failures to per-user locations. | — |
| V-253476 | WN11-SO-000280 | CAT II | Passwords for enabled local Administrator accounts must be changed at least every 60 days. | — |
| V-253478 | WN11-UC-000020 | CAT II | Zone information must be preserved when saving attachments. | — |
| V-253479 | WN11-UR-000005 | CAT II | The "Access Credential Manager as a trusted caller" user right must not be assigned to any groups or accounts. | — |
| V-253480 | WN11-UR-000010 | CAT II | The "Access this computer from the network" user right must only be assigned to the Administrators and Remote Desktop Users groups. | — |
| V-253482 | WN11-UR-000025 | CAT II | The "Allow log on locally" user right must only be assigned to the Administrators and Users groups. | — |
| V-253483 | WN11-UR-000030 | CAT II | The "Back up files and directories" user right must only be assigned to the Administrators group. | — |
| V-253484 | WN11-UR-000035 | CAT II | The "Change the system time" user right must only be assigned to Administrators and Local Service. | — |
| V-253485 | WN11-UR-000040 | CAT II | The "Create a pagefile" user right must only be assigned to the Administrators group. | — |
| V-253487 | WN11-UR-000050 | CAT II | The "Create global objects" user right must only be assigned to Administrators, Service, Local Service, and Network Service. | — |
| V-253488 | WN11-UR-000055 | CAT II | The "Create permanent shared objects" user right must not be assigned to any groups or accounts. | — |
| V-253489 | WN11-UR-000060 | CAT II | The "Create symbolic links" user right must only be assigned to the Administrators group. | — |
| V-253491 | WN11-UR-000070 | CAT II | The "Deny access to this computer from the network" user right on workstations must be configured to prevent access from highly privileged domain accounts and local accounts on domain systems and unauthenticated access on all systems. | — |
| V-253492 | WN11-UR-000075 | CAT II | The "Deny log on as a batch job" user right on domain-joined workstations must be configured to prevent access from highly privileged domain accounts. | — |
| V-253493 | WN11-UR-000080 | CAT II | The "Deny log on as a service" user right on Windows 11 domain-joined workstations must be configured to prevent access from highly privileged domain accounts. | — |
| V-253494 | WN11-UR-000085 | CAT II | The "Deny log on locally" user right on workstations must be configured to prevent access from highly privileged domain accounts on domain systems and unauthenticated access on all systems. | — |
| V-253495 | WN11-UR-000090 | CAT II | The "Deny log on through Remote Desktop Services" user right on Windows 11 workstations must be configured to prevent access from highly privileged domain accounts and local accounts on domain systems and unauthenticated access on all systems. | — |
| V-253496 | WN11-UR-000095 | CAT II | The "Enable computer and user accounts to be trusted for delegation" user right must not be assigned to any groups or accounts. | — |
| V-253497 | WN11-UR-000100 | CAT II | The "Force shutdown from a remote system" user right must only be assigned to the Administrators group. | — |
| V-253498 | WN11-UR-000110 | CAT II | The "Impersonate a client after authentication" user right must only be assigned to Administrators, Service, Local Service, and Network Service. | — |
| V-253499 | WN11-UR-000120 | CAT II | The "Load and unload device drivers" user right must only be assigned to the Administrators group. | — |
| V-253500 | WN11-UR-000125 | CAT II | The "Lock pages in memory" user right must not be assigned to any groups or accounts. | — |
| V-253501 | WN11-UR-000130 | CAT II | The "Manage auditing and security log" user right must only be assigned to the Administrators group. | — |
| V-253502 | WN11-UR-000140 | CAT II | The "Modify firmware environment values" user right must only be assigned to the Administrators group. | — |
| V-253503 | WN11-UR-000145 | CAT II | The "Perform volume maintenance tasks" user right must only be assigned to the Administrators group. | — |
| V-253504 | WN11-UR-000150 | CAT II | The "Profile single process" user right must only be assigned to the Administrators group. | — |
| V-253505 | WN11-UR-000160 | CAT II | The "Restore files and directories" user right must only be assigned to the Administrators group. | — |
| V-253506 | WN11-UR-000165 | CAT II | The "Take ownership of files or other objects" user right must only be assigned to the Administrators group. | — |
| V-253268 | WN11-00-000065 | CAT III | Unused accounts must be disabled or removed from the system after 35 days of inactivity. | — |
| V-253272 | WN11-00-000085 | CAT III | Standard local user accounts must not exist on a system in a domain. | — |
| V-253296 | WN11-00-000260 | CAT III | The Windows 11 time service must synchronize with an appropriate DOD time source. | — |
| V-253355 | WN11-CC-000030 | CAT III | The system must be configured to prevent Internet Control Message Protocol (ICMP) redirects from overriding Open Shortest Path First (OSPF) generated routes. | — |
| V-253356 | WN11-CC-000035 | CAT III | The system must be configured to ignore NetBIOS name release requests except from WINS servers. | — |
| V-253384 | WN11-CC-000170 | CAT III | The setting to allow Microsoft accounts to be optional for modern style apps must be enabled. | — |
| V-253385 | WN11-CC-000175 | CAT III | The Application Compatibility Program Inventory must be prevented from collecting data and sending the information to Microsoft. | — |
| V-253390 | WN11-CC-000197 | CAT III | Microsoft consumer experiences must be turned off. | — |
| V-253394 | WN11-CC-000206 | CAT III | Windows Update must not obtain updates from other PCs on the internet. | — |
| V-253397 | WN11-CC-000220 | CAT III | File Explorer heap termination on corruption must be disabled. | — |
| V-253425 | WN11-CC-000390 | CAT III | Windows 11 must be configured to prevent users from receiving suggestions for third-party or additional applications. | — |
| V-253441 | WN11-SO-000050 | CAT III | The computer account password must not be prevented from being reset. | — |
| V-253442 | WN11-SO-000055 | CAT III | The maximum age for machine account passwords must be configured to 30 days or less. | — |
| V-253446 | WN11-SO-000080 | CAT III | The Windows message title for the legal notice must be configured. | — |
| V-253447 | WN11-SO-000085 | CAT III | Caching of logon credentials must be limited. | — |
| V-253467 | WN11-SO-000240 | CAT III | The default permissions of global system objects must be increased. | — |
| V-253477 | WN11-UC-000015 | CAT III | Toast notifications to the lock screen must be turned off. | — |