DISA STIG • Operating System
Windows Server 2022
| Vuln ID | STIG ID | CAT | Finding | Responsibility |
|---|---|---|---|---|
| V-254240 | WN22-00-000030 | CAT I | Windows Server 2022 administrative accounts must not be used with applications that access the internet, such as web browsers, or with potential internet sources, such as email. | — |
| V-254250 | WN22-00-000130 | CAT I | Windows Server 2022 local volumes must use a format that supports NTFS attributes. | — |
| V-254262 | WN22-00-000250 | CAT I | Windows Server 2022 systems requiring data at rest protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest. | — |
| V-254293 | WN22-AC-000090 | CAT I | Windows Server 2022 reversible password encryption must be disabled. | — |
| V-254352 | WN22-CC-000210 | CAT I | Windows Server 2022 Autoplay must be turned off for nonvolume devices. | — |
| V-254353 | WN22-CC-000220 | CAT I | Windows Server 2022 default AutoRun behavior must be configured to prevent AutoRun commands. | — |
| V-254354 | WN22-CC-000230 | CAT I | Windows Server 2022 AutoPlay must be disabled for all drives. | — |
| V-254374 | WN22-CC-000430 | CAT I | Windows Server 2022 must disable the Windows Installer Always install with elevated privileges option. | — |
| V-254378 | WN22-CC-000470 | CAT I | Windows Server 2022 Windows Remote Management (WinRM) client must not use Basic authentication. | — |
| V-254381 | WN22-CC-000500 | CAT I | Windows Server 2022 Windows Remote Management (WinRM) service must not use Basic authentication. | — |
| V-254385 | WN22-DC-000010 | CAT I | Windows Server 2022 must only allow administrators responsible for the domain controller to have Administrator rights on the system. | — |
| V-254391 | WN22-DC-000070 | CAT I | Windows Server 2022 permissions on the Active Directory data files must only allow System and Administrators access. | — |
| V-254392 | WN22-DC-000080 | CAT I | Windows Server 2022 Active Directory SYSVOL directory must have the proper access control permissions. | — |
| V-254393 | WN22-DC-000090 | CAT I | Windows Server 2022 Active Directory Group Policy objects must have proper access control permissions. | — |
| V-254394 | WN22-DC-000100 | CAT I | Windows Server 2022 Active Directory Domain Controllers Organizational Unit (OU) object must have the proper access control permissions. | — |
| V-254395 | WN22-DC-000110 | CAT I | Windows Server 2022 organization created Active Directory Organizational Unit (OU) objects must have proper access control permissions. | — |
| V-254399 | WN22-DC-000150 | CAT I | Windows Server 2022 directory data (outside the root DSE) of a nonpublic directory must be configured to prevent anonymous access. | — |
| V-254413 | WN22-DC-000290 | CAT I | Windows Server 2022 domain controller PKI certificates must be issued by the DOD PKI or an approved External Certificate Authority (ECA). | — |
| V-254414 | WN22-DC-000300 | CAT I | Windows Server 2022 PKI certificates associated with user accounts must be issued by a DoD PKI or an approved External Certificate Authority (ECA). | — |
| V-254428 | WN22-MS-000010 | CAT I | Windows Server 2022 must only allow administrators responsible for the member server or standalone or nondomain-joined system to have Administrator rights on the system. | — |
| V-254441 | WN22-MS-000140 | CAT I | Windows Server 2022 must be running Credential Guard on domain-joined member servers. | — |
| V-254446 | WN22-SO-000020 | CAT I | Windows Server 2022 must prevent local accounts with blank passwords from being used from the network. | — |
| V-254465 | WN22-SO-000210 | CAT I | Windows Server 2022 must not allow anonymous SID/Name translation. | — |
| V-254466 | WN22-SO-000220 | CAT I | Windows Server 2022 must not allow anonymous enumeration of Security Account Manager (SAM) accounts. | — |
| V-254467 | WN22-SO-000230 | CAT I | Windows Server 2022 must not allow anonymous enumeration of shares. | — |
| V-254469 | WN22-SO-000250 | CAT I | Windows Server 2022 must restrict anonymous access to Named Pipes and Shares. | — |
| V-254474 | WN22-SO-000300 | CAT I | Windows Server 2022 must be configured to prevent the storage of the LAN Manager hash of passwords. | — |
| V-254475 | WN22-SO-000310 | CAT I | Windows Server 2022 LAN Manager authentication level must be configured to send NTLMv2 response only and to refuse LM and NTLM. | — |
| V-254492 | WN22-UR-000020 | CAT I | Windows Server 2022 Act as part of the operating system user right must not be assigned to any groups or accounts. | — |
| V-254496 | WN22-UR-000060 | CAT I | Windows Server 2022 create a token object user right must not be assigned to any groups or accounts. | — |
| V-254500 | WN22-UR-000100 | CAT I | Windows Server 2022 debug programs user right must only be assigned to the Administrators group. | — |
| V-254238 | WN22-00-000010 | CAT II | Windows Server 2022 users with Administrative privileges must have separate accounts for administrative duties and normal operational tasks. | — |
| V-254239 | WN22-00-000020 | CAT II | Windows Server 2022 passwords for the built-in Administrator account must be changed at least every 60 days. | — |
| V-254241 | WN22-00-000040 | CAT II | Windows Server 2022 members of the Backup Operators group must have separate accounts for backup duties and normal operational tasks. | — |
| V-254242 | WN22-00-000050 | CAT II | Windows Server 2022 manually managed application account passwords must be at least 14 characters in length. | — |
| V-254243 | WN22-00-000060 | CAT II | Windows Server 2022 manually managed application account passwords must be changed at least annually or when a system administrator with knowledge of the password leaves the organization. | — |
| V-254244 | WN22-00-000070 | CAT II | Windows Server 2022 shared user accounts must not be permitted. | — |
| V-254245 | WN22-00-000080 | CAT II | Windows Server 2022 must employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. | — |
| V-254246 | WN22-00-000090 | CAT II | Windows Server 2022 domain-joined systems must have a Trusted Platform Module (TPM) enabled and ready for use. | — |
| V-254247 | WN22-00-000100 | CAT II | Windows Server 2022 must be maintained at a supported servicing level. | — |
| V-254248 | WN22-00-000110 | CAT II | Windows Server 2022 must use an antivirus program. | — |
| V-254249 | WN22-00-000120 | CAT II | Windows Server 2022 must have a host-based intrusion detection or prevention system. | — |
| V-254251 | WN22-00-000140 | CAT II | Windows Server 2022 permissions for the system drive root directory (usually `C:\`) must conform to minimum requirements. | — |
| V-254252 | WN22-00-000150 | CAT II | Windows Server 2022 permissions for program file directories must conform to minimum requirements. | — |
| V-254253 | WN22-00-000160 | CAT II | Windows Server 2022 permissions for the Windows installation directory must conform to minimum requirements. | — |
| V-254254 | WN22-00-000170 | CAT II | Windows Server 2022 default permissions for the HKEY_LOCAL_MACHINE registry hive must be maintained. | — |
| V-254256 | WN22-00-000190 | CAT II | Windows Server 2022 outdated or unused accounts must be removed or disabled. | — |
| V-254257 | WN22-00-000200 | CAT II | Windows Server 2022 accounts must require passwords. | — |
| V-254258 | WN22-00-000210 | CAT II | Windows Server 2022 passwords must be configured to expire. | — |
| V-254259 | WN22-00-000220 | CAT II | Windows Server 2022 system files must be monitored for unauthorized changes. | — |
| V-254260 | WN22-00-000230 | CAT II | Windows Server 2022 nonsystem-created file shares must limit access to groups that require it. | — |
| V-254261 | WN22-00-000240 | CAT II | Windows Server 2022 must have software certificate installation files removed. | — |
| V-254263 | WN22-00-000260 | CAT II | Windows Server 2022 must implement protection methods such as TLS, encrypted VPNs, or IPsec if the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process. | — |
| V-254264 | WN22-00-000270 | CAT II | Windows Server 2022 must have the roles and features required by the system documented. | — |
| V-254265 | WN22-00-000280 | CAT II | Windows Server 2022 must have a host-based firewall installed and enabled. | — |
| V-254266 | WN22-00-000290 | CAT II | Windows Server 2022 must employ automated mechanisms to determine the state of system components with regard to flaw remediation using the following frequency: continuously, where Endpoint Security Solution (ESS) is used; 30 days, for any additional internal network scans not covered by ESS; and annually, for external scans by Computer Network Defense Service Provider (CNDSP). | — |
| V-254267 | WN22-00-000300 | CAT II | Windows Server 2022 must automatically remove or disable temporary user accounts after 72 hours. | — |
| V-254268 | WN22-00-000310 | CAT II | Windows Server 2022 must automatically remove or disable emergency accounts after the crisis is resolved or within 72 hours. | — |
| V-254269 | WN22-00-000320 | CAT II | Windows Server 2022 must not have the Fax Server role installed. | — |
| V-254270 | WN22-00-000330 | CAT II | Windows Server 2022 must not have the Microsoft FTP service installed unless required by the organization. | — |
| V-254271 | WN22-00-000340 | CAT II | Windows Server 2022 must not have the Peer Name Resolution Protocol installed. | — |
| V-254272 | WN22-00-000350 | CAT II | Windows Server 2022 must not have Simple TCP/IP Services installed. | — |
| V-254273 | WN22-00-000360 | CAT II | Windows Server 2022 must not have the Telnet Client installed. | — |
| V-254274 | WN22-00-000370 | CAT II | Windows Server 2022 must not have the TFTP Client installed. | — |
| V-254275 | WN22-00-000380 | CAT II | Windows Server 2022 must not have the Server Message Block (SMB) v1 protocol installed. | — |
| V-254276 | WN22-00-000390 | CAT II | Windows Server 2022 must have the Server Message Block (SMB) v1 protocol disabled on the SMB server. | — |
| V-254277 | WN22-00-000400 | CAT II | Windows Server 2022 must have the Server Message Block (SMB) v1 protocol disabled on the SMB client. | — |
| V-254278 | WN22-00-000410 | CAT II | Windows Server 2022 must not have Windows PowerShell 2.0 installed. | — |
| V-254279 | WN22-00-000420 | CAT II | Windows Server 2022 FTP servers must be configured to prevent anonymous logons. | — |
| V-254280 | WN22-00-000430 | CAT II | Windows Server 2022 FTP servers must be configured to prevent access to the system drive. | — |
| V-254282 | WN22-00-000450 | CAT II | Windows Server 2022 must have orphaned security identifiers (SIDs) removed from user rights. | — |
| V-254283 | WN22-00-000460 | CAT II | Windows Server 2022 systems must have Unified Extensible Firmware Interface (UEFI) firmware and be configured to run in UEFI mode, not Legacy BIOS. | — |
| V-254284 | WN22-00-000470 | CAT II | Windows Server 2022 must have Secure Boot enabled. | — |
| V-254285 | WN22-AC-000010 | CAT II | Windows Server 2022 account lockout duration must be configured to 15 minutes or greater. | — |
| V-254286 | WN22-AC-000020 | CAT II | Windows Server 2022 must have the number of allowed bad logon attempts configured to three or less. | — |
| V-254287 | WN22-AC-000030 | CAT II | Windows Server 2022 must have the period of time before the bad logon counter is reset configured to 15 minutes or greater. | — |
| V-254288 | WN22-AC-000040 | CAT II | Windows Server 2022 password history must be configured to 24 passwords remembered. | — |
| V-254289 | WN22-AC-000050 | CAT II | Windows Server 2022 maximum password age must be configured to 60 days or less. | — |
| V-254290 | WN22-AC-000060 | CAT II | Windows Server 2022 minimum password age must be configured to at least one day. | — |
| V-254291 | WN22-AC-000070 | CAT II | Windows Server 2022 minimum password length must be configured to 14 characters. | — |
| V-254292 | WN22-AC-000080 | CAT II | Windows Server 2022 must have the built-in Windows password complexity policy enabled. | — |
| V-254294 | WN22-AU-000010 | CAT II | Windows Server 2022 audit records must be backed up to a different system or media than the system being audited. | — |
| V-254295 | WN22-AU-000020 | CAT II | Windows Server 2022 must, at a minimum, offload audit records of interconnected systems in real time and offload standalone or nondomain-joined systems weekly. | — |
| V-254296 | WN22-AU-000030 | CAT II | Windows Server 2022 permissions for the Application event log must prevent access by nonprivileged accounts. | — |
| V-254297 | WN22-AU-000040 | CAT II | Windows Server 2022 permissions for the Security event log must prevent access by nonprivileged accounts. | — |
| V-254298 | WN22-AU-000050 | CAT II | Windows Server 2022 permissions for the System event log must prevent access by nonprivileged accounts. | — |
| V-254299 | WN22-AU-000060 | CAT II | Windows Server 2022 Event Viewer must be protected from unauthorized modification and deletion. | — |
| V-254300 | WN22-AU-000070 | CAT II | Windows Server 2022 must be configured to audit Account Logon - Credential Validation successes. | — |
| V-254301 | WN22-AU-000080 | CAT II | Windows Server 2022 must be configured to audit Account Logon - Credential Validation failures. | — |
| V-254302 | WN22-AU-000090 | CAT II | Windows Server 2022 must be configured to audit Account Management - Other Account Management Events successes. | — |
| V-254303 | WN22-AU-000100 | CAT II | Windows Server 2022 must be configured to audit Account Management - Security Group Management successes. | — |
| V-254304 | WN22-AU-000110 | CAT II | Windows Server 2022 must be configured to audit Account Management - User Account Management successes. | — |
| V-254305 | WN22-AU-000120 | CAT II | Windows Server 2022 must be configured to audit Account Management - User Account Management failures. | — |
| V-254306 | WN22-AU-000130 | CAT II | Windows Server 2022 must be configured to audit Detailed Tracking - Plug and Play Events successes. | — |
| V-254307 | WN22-AU-000140 | CAT II | Windows Server 2022 must be configured to audit Detailed Tracking - Process Creation successes. | — |
| V-254309 | WN22-AU-000160 | CAT II | Windows Server 2022 must be configured to audit Logon/Logoff - Account Lockout failures. | — |
| V-254310 | WN22-AU-000170 | CAT II | Windows Server 2022 must be configured to audit Logon/Logoff - Group Membership successes. | — |
| V-254311 | WN22-AU-000180 | CAT II | Windows Server 2022 must be configured to audit logoff successes. | — |
| V-254312 | WN22-AU-000190 | CAT II | Windows Server 2022 must be configured to audit logon successes. | — |
| V-254313 | WN22-AU-000200 | CAT II | Windows Server 2022 must be configured to audit logon failures. | — |
| V-254314 | WN22-AU-000210 | CAT II | Windows Server 2022 must be configured to audit Logon/Logoff - Special Logon successes. | — |
| V-254315 | WN22-AU-000220 | CAT II | Windows Server 2022 must be configured to audit Object Access - Other Object Access Events successes. | — |
| V-254316 | WN22-AU-000230 | CAT II | Windows Server 2022 must be configured to audit Object Access - Other Object Access Events failures. | — |
| V-254317 | WN22-AU-000240 | CAT II | Windows Server 2022 must be configured to audit Object Access - Removable Storage successes. | — |
| V-254318 | WN22-AU-000250 | CAT II | Windows Server 2022 must be configured to audit Object Access - Removable Storage failures. | — |
| V-254319 | WN22-AU-000260 | CAT II | Windows Server 2022 must be configured to audit Policy Change - Audit Policy Change successes. | — |
| V-254320 | WN22-AU-000270 | CAT II | Windows Server 2022 must be configured to audit Policy Change - Audit Policy Change failures. | — |
| V-254321 | WN22-AU-000280 | CAT II | Windows Server 2022 must be configured to audit Policy Change - Authentication Policy Change successes. | — |
| V-254322 | WN22-AU-000290 | CAT II | Windows Server 2022 must be configured to audit Policy Change - Authorization Policy Change successes. | — |
| V-254323 | WN22-AU-000300 | CAT II | Windows Server 2022 must be configured to audit Privilege Use - Sensitive Privilege Use successes. | — |
| V-254324 | WN22-AU-000310 | CAT II | Windows Server 2022 must be configured to audit Privilege Use - Sensitive Privilege Use failures. | — |
| V-254325 | WN22-AU-000320 | CAT II | Windows Server 2022 must be configured to audit System - IPsec Driver successes. | — |
| V-254326 | WN22-AU-000330 | CAT II | Windows Server 2022 must be configured to audit System - IPsec Driver failures. | — |
| V-254327 | WN22-AU-000340 | CAT II | Windows Server 2022 must be configured to audit System - Other System Events successes. | — |
| V-254328 | WN22-AU-000350 | CAT II | Windows Server 2022 must be configured to audit System - Other System Events failures. | — |
| V-254329 | WN22-AU-000360 | CAT II | Windows Server 2022 must be configured to audit System - Security State Change successes. | — |
| V-254330 | WN22-AU-000370 | CAT II | Windows Server 2022 must be configured to audit System - Security System Extension successes. | — |
| V-254331 | WN22-AU-000380 | CAT II | Windows Server 2022 must be configured to audit System - System Integrity successes. | — |
| V-254332 | WN22-AU-000390 | CAT II | Windows Server 2022 must be configured to audit System - System Integrity failures. | — |
| V-278942 | WN22-AU-000581 | CAT II | Windows Server 2022 must be configured to audit file system failures. | — |
| V-278943 | WN22-AU-000582 | CAT II | Windows Server 2022 must be configured to audit file system successes. | — |
| V-278944 | WN22-AU-000583 | CAT II | Windows Server 2022 must be configured to audit handle manipulation failures. | — |
| V-278945 | WN22-AU-000584 | CAT II | Windows Server 2022 must be configured to audit handle manipulation successes. | — |
| V-278946 | WN22-AU-000585 | CAT II | Windows Server 2022 must be configured to audit registry failures. | — |
| V-278947 | WN22-AU-000586 | CAT II | Windows Server 2022 must be configured to audit registry successes. | — |
| V-278948 | WN22-AU-000587 | CAT II | Windows Server 2022 must be configured to audit sensitive privilege use successes. | — |
| V-278949 | WN22-AU-000588 | CAT II | Windows Server 2022 must be configured to audit sensitive privilege use failures. | — |
| V-254333 | WN22-CC-000010 | CAT II | Windows Server 2022 must prevent the display of slide shows on the lock screen. | — |
| V-254334 | WN22-CC-000020 | CAT II | Windows Server 2022 must have WDigest Authentication disabled. | — |
| V-254339 | WN22-CC-000070 | CAT II | Windows Server 2022 insecure logons to an SMB server must be disabled. | — |
| V-254340 | WN22-CC-000080 | CAT II | Windows Server 2022 hardened Universal Naming Convention (UNC) paths must be defined to require mutual authentication and integrity for at least the `\\*\SYSVOL` and `\\*\NETLOGON` shares. | — |
| V-254341 | WN22-CC-000090 | CAT II | Windows Server 2022 command line data must be included in process creation events. | — |
| V-254342 | WN22-CC-000100 | CAT II | Windows Server 2022 must be configured to enable Remote host allows delegation of nonexportable credentials. | — |
| V-254343 | WN22-CC-000110 | CAT II | Windows Server 2022 virtualization-based security must be enabled with the platform security level configured to Secure Boot or Secure Boot with DMA Protection. | — |
| V-254344 | WN22-CC-000130 | CAT II | Windows Server 2022 Early Launch Antimalware, Boot-Start Driver Initialization Policy must prevent boot drivers identified as bad. | — |
| V-254345 | WN22-CC-000140 | CAT II | Windows Server 2022 group policy objects must be reprocessed even if they have not changed. | — |
| V-254346 | WN22-CC-000150 | CAT II | Windows Server 2022 downloading print driver packages over HTTP must be turned off. | — |
| V-254347 | WN22-CC-000160 | CAT II | Windows Server 2022 printing over HTTP must be turned off. | — |
| V-254348 | WN22-CC-000170 | CAT II | Windows Server 2022 network selection user interface (UI) must not be displayed on the logon screen. | — |
| V-254349 | WN22-CC-000180 | CAT II | Windows Server 2022 users must be prompted to authenticate when the system wakes from sleep (on battery). | — |
| V-254350 | WN22-CC-000190 | CAT II | Windows Server 2022 users must be prompted to authenticate when the system wakes from sleep (plugged in). | — |
| V-254355 | WN22-CC-000240 | CAT II | Windows Server 2022 administrator accounts must not be enumerated during elevation. | — |
| V-254356 | WN22-CC-000250 | CAT II | Windows Server 2022 Diagnostic Data must be configured to send "required diagnostic data" or "optional diagnostic data". | — |
| V-254358 | WN22-CC-000270 | CAT II | Windows Server 2022 Application event log size must be configured to 32768 KB or greater. | — |
| V-254359 | WN22-CC-000280 | CAT II | Windows Server 2022 Security event log size must be configured to 196608 KB or greater. | — |
| V-254360 | WN22-CC-000290 | CAT II | Windows Server 2022 System event log size must be configured to 32768 KB or greater. | — |
| V-254361 | WN22-CC-000300 | CAT II | Windows Server 2022 Microsoft Defender antivirus SmartScreen must be enabled. | — |
| V-254362 | WN22-CC-000310 | CAT II | Windows Server 2022 Explorer Data Execution Prevention must be enabled. | — |
| V-254364 | WN22-CC-000330 | CAT II | Windows Server 2022 File Explorer shell protocol must run in protected mode. | — |
| V-254365 | WN22-CC-000340 | CAT II | Windows Server 2022 must not save passwords in the Remote Desktop Client. | — |
| V-254366 | WN22-CC-000350 | CAT II | Windows Server 2022 Remote Desktop Services must prevent drive redirection. | — |
| V-254367 | WN22-CC-000360 | CAT II | Windows Server 2022 Remote Desktop Services must always prompt a client for passwords upon connection. | — |
| V-254368 | WN22-CC-000370 | CAT II | Windows Server 2022 Remote Desktop Services must require secure Remote Procedure Call (RPC) communications. | — |
| V-254369 | WN22-CC-000380 | CAT II | Windows Server 2022 Remote Desktop Services must be configured with the client connection encryption set to High Level. | — |
| V-254370 | WN22-CC-000390 | CAT II | Windows Server 2022 must prevent attachments from being downloaded from RSS feeds. | — |
| V-254371 | WN22-CC-000400 | CAT II | Windows Server 2022 must disable Basic authentication for RSS feeds over HTTP. | — |
| V-254372 | WN22-CC-000410 | CAT II | Windows Server 2022 must prevent Indexing of encrypted files. | — |
| V-254373 | WN22-CC-000420 | CAT II | Windows Server 2022 must prevent users from changing installation options. | — |
| V-254375 | WN22-CC-000440 | CAT II | Windows Server 2022 users must be notified if a web-based program attempts to install software. | — |
| V-254376 | WN22-CC-000450 | CAT II | Windows Server 2022 must disable automatically signing in the last interactive user after a system-initiated restart. | — |
| V-254377 | WN22-CC-000460 | CAT II | Windows Server 2022 PowerShell script block logging must be enabled. | — |
| V-254379 | WN22-CC-000480 | CAT II | Windows Server 2022 Windows Remote Management (WinRM) client must not allow unencrypted traffic. | — |
| V-254380 | WN22-CC-000490 | CAT II | Windows Server 2022 Windows Remote Management (WinRM) client must not use Digest authentication. | — |
| V-254382 | WN22-CC-000510 | CAT II | Windows Server 2022 Windows Remote Management (WinRM) service must not allow unencrypted traffic. | — |
| V-254383 | WN22-CC-000520 | CAT II | Windows Server 2022 Windows Remote Management (WinRM) service must not store RunAs credentials. | — |
| V-254384 | WN22-CC-000530 | CAT II | Windows Server 2022 must have PowerShell Transcription enabled. | — |
| V-254386 | WN22-DC-000020 | CAT II | Windows Server 2022 Kerberos user logon restrictions must be enforced. | — |
| V-254387 | WN22-DC-000030 | CAT II | Windows Server 2022 Kerberos service ticket maximum lifetime must be limited to 600 minutes or less. | — |
| V-254388 | WN22-DC-000040 | CAT II | Windows Server 2022 Kerberos user ticket lifetime must be limited to 10 hours or less. | — |
| V-254389 | WN22-DC-000050 | CAT II | Windows Server 2022 Kerberos policy user ticket renewal maximum lifetime must be limited to seven days or less. | — |
| V-254390 | WN22-DC-000060 | CAT II | Windows Server 2022 computer clock synchronization tolerance must be limited to five minutes or less. | — |
| V-254396 | WN22-DC-000120 | CAT II | Windows Server 2022 data files owned by users must be on a different logical partition from the directory server data files. | — |
| V-254397 | WN22-DC-000130 | CAT II | Windows Server 2022 domain controllers must run on a machine dedicated to that function. | — |
| V-254398 | WN22-DC-000140 | CAT II | Windows Server 2022 must use separate, NSA-approved (Type 1) cryptography to protect the directory data in transit for directory service implementations at a classified confidentiality level when replication data traverses a network cleared to a lower level than the data. | — |
| V-254401 | WN22-DC-000170 | CAT II | Windows Server 2022 Active Directory Group Policy objects must be configured with proper audit settings. | — |
| V-254402 | WN22-DC-000180 | CAT II | Windows Server 2022 Active Directory Domain object must be configured with proper audit settings. | — |
| V-254403 | WN22-DC-000190 | CAT II | Windows Server 2022 Active Directory Infrastructure object must be configured with proper audit settings. | — |
| V-254404 | WN22-DC-000200 | CAT II | Windows Server 2022 Active Directory Domain Controllers Organizational Unit (OU) object must be configured with proper audit settings. | — |
| V-254405 | WN22-DC-000210 | CAT II | Windows Server 2022 Active Directory AdminSDHolder object must be configured with proper audit settings. | — |
| V-254406 | WN22-DC-000220 | CAT II | Windows Server 2022 Active Directory RID Manager$ object must be configured with proper audit settings. | — |
| V-254407 | WN22-DC-000230 | CAT II | Windows Server 2022 must be configured to audit Account Management - Computer Account Management successes. | — |
| V-254408 | WN22-DC-000240 | CAT II | Windows Server 2022 must be configured to audit DS Access - Directory Service Access successes. | — |
| V-254409 | WN22-DC-000250 | CAT II | Windows Server 2022 must be configured to audit DS Access - Directory Service Access failures. | — |
| V-254410 | WN22-DC-000260 | CAT II | Windows Server 2022 must be configured to audit DS Access - Directory Service Changes successes. | — |
| V-254412 | WN22-DC-000280 | CAT II | Windows Server 2022 domain controllers must have a PKI server certificate. | — |
| V-254415 | WN22-DC-000310 | CAT II | Windows Server 2022 Active Directory user accounts, including administrators, must be configured to require the use of a Common Access Card (CAC), Personal Identity Verification (PIV)-compliant hardware token, or Alternate Logon Token (ALT) for user authentication. | — |
| V-254416 | WN22-DC-000320 | CAT II | Windows Server 2022 domain controllers must require LDAP access signing. | — |
| V-254417 | WN22-DC-000330 | CAT II | Windows Server 2022 domain controllers must be configured to allow reset of machine account passwords. | — |
| V-254418 | WN22-DC-000340 | CAT II | Windows Server 2022 Access this computer from the network user right must only be assigned to the Administrators, Authenticated Users, and Enterprise Domain Controllers groups on domain controllers. | — |
| V-254419 | WN22-DC-000350 | CAT II | Windows Server 2022 Add workstations to domain user right must only be assigned to the Administrators group on domain controllers. | — |
| V-254420 | WN22-DC-000360 | CAT II | Windows Server 2022 Allow log on through Remote Desktop Services user right must only be assigned to the Administrators group on domain controllers. | — |
| V-254421 | WN22-DC-000370 | CAT II | Windows Server 2022 Deny access to this computer from the network user right on domain controllers must be configured to prevent unauthenticated access. | — |
| V-254422 | WN22-DC-000380 | CAT II | Windows Server 2022 Deny log on as a batch job user right on domain controllers must be configured to prevent unauthenticated access. | — |
| V-254423 | WN22-DC-000390 | CAT II | Windows Server 2022 Deny log on as a service user right must be configured to include no accounts or groups (blank) on domain controllers. | — |
| V-254424 | WN22-DC-000400 | CAT II | Windows Server 2022 Deny log on locally user right on domain controllers must be configured to prevent unauthenticated access. | — |
| V-271426 | WN22-DC-000405 | CAT II | Windows Server 2022 must be configured for certificate-based authentication for domain controllers. | — |
| V-271427 | WN22-DC-000406 | CAT II | Windows Server 2022 must be configured for name-based strong mappings for certificates. | — |
| V-254425 | WN22-DC-000410 | CAT II | Windows Server 2022 Deny log on through Remote Desktop Services user right on domain controllers must be configured to prevent unauthenticated access. | — |
| V-254426 | WN22-DC-000420 | CAT II | Windows Server 2022 Enable computer and user accounts to be trusted for delegation user right must only be assigned to the Administrators group on domain controllers. | — |
| V-254427 | WN22-DC-000430 | CAT II | The password for the krbtgt account on a domain must be reset at least every 180 days. | — |
| V-254429 | WN22-MS-000020 | CAT II | Windows Server 2022 local administrator accounts must have their privileged token filtered to prevent elevated privileges from being used over the network on domain-joined member servers. | — |
| V-254430 | WN22-MS-000030 | CAT II | Windows Server 2022 local users on domain-joined member servers must not be enumerated. | — |
| V-254431 | WN22-MS-000040 | CAT II | Windows Server 2022 must restrict unauthenticated Remote Procedure Call (RPC) clients from connecting to the RPC server on domain-joined member servers and standalone or nondomain-joined systems. | — |
| V-254432 | WN22-MS-000050 | CAT II | Windows Server 2022 must limit the caching of logon credentials to four or less on domain-joined member servers. | — |
| V-254433 | WN22-MS-000060 | CAT II | Windows Server 2022 must restrict remote calls to the Security Account Manager (SAM) to Administrators on domain-joined member servers and standalone or nondomain-joined systems. | — |
| V-254434 | WN22-MS-000070 | CAT II | Windows Server 2022 Access this computer from the network user right must only be assigned to the Administrators and Authenticated Users groups on domain-joined member servers and standalone or nondomain-joined systems. | — |
| V-254435 | WN22-MS-000080 | CAT II | Windows Server 2022 Deny access to this computer from the network user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and local accounts and from unauthenticated access on all systems. | — |
| V-254436 | WN22-MS-000090 | CAT II | Windows Server 2022 Deny log on as a batch job user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and from unauthenticated access on all systems. | — |
| V-254437 | WN22-MS-000100 | CAT II | Windows Server 2022 Deny log on as a service user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts. No other groups or accounts must be assigned this right. | — |
| V-254438 | WN22-MS-000110 | CAT II | Windows Server 2022 Deny log on locally user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and from unauthenticated access on all systems. | — |
| V-254439 | WN22-MS-000120 | CAT II | Windows Server 2022 Deny log on through Remote Desktop Services user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and all local accounts and from unauthenticated access on all systems. | — |
| V-254440 | WN22-MS-000130 | CAT II | Windows Server 2022 Enable computer and user accounts to be trusted for delegation user right must not be assigned to any groups or accounts on domain-joined member servers and standalone or nondomain-joined systems. | — |
| V-254442 | WN22-PK-000010 | CAT II | Windows Server 2022 must have the DoD Root Certificate Authority (CA) certificates installed in the Trusted Root Store. | — |
| V-254443 | WN22-PK-000020 | CAT II | Windows Server 2022 must have the DoD Interoperability Root Certificate Authority (CA) cross-certificates installed in the Untrusted Certificates Store on unclassified systems. | — |
| V-254444 | WN22-PK-000030 | CAT II | Windows Server 2022 must have the US DOD CCEB Interoperability Root CA cross-certificates in the Untrusted Certificates Store on unclassified systems. | — |
| V-254445 | WN22-SO-000010 | CAT II | Windows Server 2022 must have the built-in guest account disabled. | — |
| V-254447 | WN22-SO-000030 | CAT II | Windows Server 2022 built-in administrator account must be renamed. | — |
| V-254448 | WN22-SO-000040 | CAT II | Windows Server 2022 built-in guest account must be renamed. | — |
| V-254449 | WN22-SO-000050 | CAT II | Windows Server 2022 must force audit policy subcategory settings to override audit policy category settings. | — |
| V-254450 | WN22-SO-000060 | CAT II | Windows Server 2022 setting Domain member: Digitally encrypt or sign secure channel data (always) must be configured to Enabled. | — |
| V-254451 | WN22-SO-000070 | CAT II | Windows Server 2022 setting Domain member: Digitally encrypt secure channel data (when possible) must be configured to Enabled. | — |
| V-254452 | WN22-SO-000080 | CAT II | Windows Server 2022 setting Domain member: Digitally sign secure channel data (when possible) must be configured to Enabled. | — |
| V-254453 | WN22-SO-000090 | CAT II | Windows Server 2022 computer account password must not be prevented from being reset. | — |
| V-254454 | WN22-SO-000100 | CAT II | Windows Server 2022 maximum age for machine account passwords must be configured to 30 days or less. | — |
| V-254455 | WN22-SO-000110 | CAT II | Windows Server 2022 must be configured to require a strong session key. | — |
| V-254456 | WN22-SO-000120 | CAT II | Windows Server 2022 machine inactivity limit must be set to 15 minutes or less, locking the system with the screen saver. | — |
| V-254457 | WN22-SO-000130 | CAT II | Windows Server 2022 required legal notice must be configured to display before console logon. | — |
| V-254459 | WN22-SO-000150 | CAT II | Windows Server 2022 Smart Card removal option must be configured to Force Logoff or Lock Workstation. | — |
| V-254460 | WN22-SO-000160 | CAT II | Windows Server 2022 setting Microsoft network client: Digitally sign communications (always) must be configured to Enabled. | — |
| V-254461 | WN22-SO-000170 | CAT II | Windows Server 2022 setting Microsoft network client: Digitally sign communications (if server agrees) must be configured to Enabled. | — |
| V-254462 | WN22-SO-000180 | CAT II | Windows Server 2022 unencrypted passwords must not be sent to third-party Server Message Block (SMB) servers. | — |
| V-254463 | WN22-SO-000190 | CAT II | Windows Server 2022 setting Microsoft network server: Digitally sign communications (always) must be configured to Enabled. | — |
| V-254464 | WN22-SO-000200 | CAT II | Windows Server 2022 setting Microsoft network server: Digitally sign communications (if client agrees) must be configured to Enabled. | — |
| V-254468 | WN22-SO-000240 | CAT II | Windows Server 2022 must be configured to prevent anonymous users from having the same permissions as the Everyone group. | — |
| V-254470 | WN22-SO-000260 | CAT II | Windows Server 2022 services using Local System that use Negotiate when reverting to NTLM authentication must use the computer identity instead of authenticating anonymously. | — |
| V-254471 | WN22-SO-000270 | CAT II | Windows Server 2022 must prevent NTLM from falling back to a Null session. | — |
| V-254472 | WN22-SO-000280 | CAT II | Windows Server 2022 must prevent PKU2U authentication using online identities. | — |
| V-254473 | WN22-SO-000290 | CAT II | Windows Server 2022 Kerberos encryption types must be configured to prevent the use of DES and RC4 encryption suites. | — |
| V-254476 | WN22-SO-000320 | CAT II | Windows Server 2022 must be configured to at least negotiate signing for LDAP client signing. | — |
| V-254477 | WN22-SO-000330 | CAT II | Windows Server 2022 session security for NTLM SSP-based clients must be configured to require NTLMv2 session security and 128-bit encryption. | — |
| V-254478 | WN22-SO-000340 | CAT II | Windows Server 2022 session security for NTLM SSP-based servers must be configured to require NTLMv2 session security and 128-bit encryption. | — |
| V-254479 | WN22-SO-000350 | CAT II | Windows Server 2022 users must be required to enter a password to access private keys stored on the computer. | — |
| V-254480 | WN22-SO-000360 | CAT II | Windows Server 2022 must be configured to use FIPS-compliant algorithms for encryption, hashing, and signing. | — |
| V-254482 | WN22-SO-000380 | CAT II | Windows Server 2022 User Account Control (UAC) approval mode for the built-in Administrator must be enabled. | — |
| V-254483 | WN22-SO-000390 | CAT II | Windows Server 2022 UIAccess applications must not be allowed to prompt for elevation without using the secure desktop. | — |
| V-254484 | WN22-SO-000400 | CAT II | Windows Server 2022 User Account Control (UAC) must, at a minimum, prompt administrators for consent on the secure desktop. | — |
| V-254485 | WN22-SO-000410 | CAT II | Windows Server 2022 User Account Control (UAC) must automatically deny standard user requests for elevation. | — |
| V-254486 | WN22-SO-000420 | CAT II | Windows Server 2022 User Account Control (UAC) must be configured to detect application installations and prompt for elevation. | — |
| V-254487 | WN22-SO-000430 | CAT II | Windows Server 2022 User Account Control (UAC) must only elevate UIAccess applications that are installed in secure locations. | — |
| V-254488 | WN22-SO-000440 | CAT II | Windows Server 2022 User Account Control (UAC) must run all administrators in Admin Approval Mode, enabling UAC. | — |
| V-254489 | WN22-SO-000450 | CAT II | Windows Server 2022 User Account Control (UAC) must virtualize file and registry write failures to per-user locations. | — |
| V-254490 | WN22-UC-000010 | CAT II | Windows Server 2022 must preserve zone information when saving attachments. | — |
| V-254491 | WN22-UR-000010 | CAT II | Windows Server 2022 Access Credential Manager as a trusted caller user right must not be assigned to any groups or accounts. | — |
| V-254493 | WN22-UR-000030 | CAT II | Windows Server 2022 Allow log on locally user right must only be assigned to the Administrators group. | — |
| V-254494 | WN22-UR-000040 | CAT II | Windows Server 2022 back up files and directories user right must only be assigned to the Administrators group. | — |
| V-254495 | WN22-UR-000050 | CAT II | Windows Server 2022 create a pagefile user right must only be assigned to the Administrators group. | — |
| V-254497 | WN22-UR-000070 | CAT II | Windows Server 2022 create global objects user right must only be assigned to Administrators, Service, Local Service, and Network Service. | — |
| V-254498 | WN22-UR-000080 | CAT II | Windows Server 2022 create permanent shared objects user right must not be assigned to any groups or accounts. | — |
| V-254499 | WN22-UR-000090 | CAT II | Windows Server 2022 create symbolic links user right must only be assigned to the Administrators group. | — |
| V-254501 | WN22-UR-000110 | CAT II | Windows Server 2022 force shutdown from a remote system user right must only be assigned to the Administrators group. | — |
| V-254502 | WN22-UR-000120 | CAT II | Windows Server 2022 generate security audits user right must only be assigned to Local Service and Network Service. | — |
| V-254503 | WN22-UR-000130 | CAT II | Windows Server 2022 impersonate a client after authentication user right must only be assigned to Administrators, Service, Local Service, and Network Service. | — |
| V-254504 | WN22-UR-000140 | CAT II | Windows Server 2022 increase scheduling priority: user right must only be assigned to the Administrators group. | — |
| V-254505 | WN22-UR-000150 | CAT II | Windows Server 2022 load and unload device drivers user right must only be assigned to the Administrators group. | — |
| V-254506 | WN22-UR-000160 | CAT II | Windows Server 2022 lock pages in memory user right must not be assigned to any groups or accounts. | — |
| V-254507 | WN22-UR-000170 | CAT II | Windows Server 2022 manage auditing and security log user right must only be assigned to the Administrators group. | — |
| V-254508 | WN22-UR-000180 | CAT II | Windows Server 2022 modify firmware environment values user right must only be assigned to the Administrators group. | — |
| V-254509 | WN22-UR-000190 | CAT II | Windows Server 2022 perform volume maintenance tasks user right must only be assigned to the Administrators group. | — |
| V-254510 | WN22-UR-000200 | CAT II | Windows Server 2022 profile single process user right must only be assigned to the Administrators group. | — |
| V-254511 | WN22-UR-000210 | CAT II | Windows Server 2022 restore files and directories user right must only be assigned to the Administrators group. | — |
| V-254512 | WN22-UR-000220 | CAT II | Windows Server 2022 take ownership of files or other objects user right must only be assigned to the Administrators group. | — |
| V-254255 | WN22-00-000180 | CAT III | Windows Server 2022 nonadministrative accounts or groups must only have print permissions on printer shares. | — |
| V-254281 | WN22-00-000440 | CAT III | The Windows Server 2022 time service must synchronize with an appropriate DOD time source. | — |
| V-254335 | WN22-CC-000030 | CAT III | Windows Server 2022 Internet Protocol version 6 (IPv6) source routing must be configured to the highest protection level to prevent IP source routing. | — |
| V-254336 | WN22-CC-000040 | CAT III | Windows Server 2022 source routing must be configured to the highest protection level to prevent Internet Protocol (IP) source routing. | — |
| V-254337 | WN22-CC-000050 | CAT III | Windows Server 2022 must be configured to prevent Internet Control Message Protocol (ICMP) redirects from overriding Open Shortest Path First (OSPF)-generated routes. | — |
| V-254338 | WN22-CC-000060 | CAT III | Windows Server 2022 must be configured to ignore NetBIOS name release requests except from WINS servers. | — |
| V-254351 | WN22-CC-000200 | CAT III | Windows Server 2022 Application Compatibility Program Inventory must be prevented from collecting data and sending the information to Microsoft. | — |
| V-254357 | WN22-CC-000260 | CAT III | Windows Server 2022 Windows Update must not obtain updates from other PCs on the internet. | — |
| V-254363 | WN22-CC-000320 | CAT III | Windows Server 2022 Turning off File Explorer heap termination on corruption must be disabled. | — |
| V-254400 | WN22-DC-000160 | CAT III | Windows Server 2022 directory service must be configured to terminate LDAP-based network connections to the directory server after five minutes of inactivity. | — |
| V-254458 | WN22-SO-000140 | CAT III | Windows Server 2022 title for legal banner dialog box must be configured with the appropriate text. | — |
| V-254481 | WN22-SO-000370 | CAT III | Windows Server 2022 default permissions of global system objects must be strengthened. | — |