From 8ed1a1ed6015429e7d0662dce3913911b0253b6b Mon Sep 17 00:00:00 2001
From: erjenkin
Date: Tue, 1 Sep 2020 11:53:52 -0400
Subject: [PATCH] updated to not include system drives
---
 CHANGELOG.md | 1 +
 .../AuditSettingRule.Integration.tests.ps1 | 2 +-
 Tests/Unit/Module/AuditSettingRule.tests.ps1 | 2 +-
 .../Convert/AuditSettingRule.Convert.psm1 | 2 +-
 .../Processed/WindowsClient-10-1.21.xml | 2 +-
 .../Processed/WindowsClient-10-1.23.xml | 2 +-
 .../WindowsServer-2012R2-DC-2.19.xml | 478 +++++++++--------
 .../WindowsServer-2012R2-DC-2.21.xml | 4 +-
 .../WindowsServer-2012R2-MS-2.17.xml | 4 +-
 .../WindowsServer-2012R2-MS-2.19.xml | 4 +-
 .../Processed/WindowsServer-2016-DC-1.10.xml | 248 ++++-----
 .../Processed/WindowsServer-2016-DC-1.12.xml | 4 +-
 .../Processed/WindowsServer-2016-MS-1.10.xml | 184 +++---
 .../Processed/WindowsServer-2016-MS-1.12.xml | 4 +-
 .../Processed/WindowsServer-2019-DC-1.3.xml | 236 ++++-----
 .../Processed/WindowsServer-2019-DC-1.5.xml | 4 +-
 .../Processed/WindowsServer-2019-MS-1.3.xml | 178 +++---
 .../Processed/WindowsServer-2019-MS-1.5.xml | 4 +-
 18 files changed, 682 insertions(+), 681 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 91370506a..dce34d2e1 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -29,6 +29,7 @@
 * Fixed: Removed Windows Server 2016 DC/MS R1V9 from processed STIGs folder
 * Fixed [#718](https://github.com/microsoft/PowerStig/issues/718): Allow application of applicable user rights assignments for non-domain and disconnected systems
 * Fixed [#731](https://github.com/microsoft/PowerStig/issues/731): Update Windows 10 Client Org Default Setting For Rule V-63405 to "15"
+* Fixed [#735](https://github.com/microsoft/PowerStig/issues/735): Rule V-63353 won't reach desired state if system partition is Fat32
 
 ## [4.4.2] - 2020-07-06
 
diff --git a/Tests/Integration/Module/AuditSettingRule.Integration.tests.ps1 b/Tests/Integration/Module/AuditSettingRule.Integration.tests.ps1
index 49572c71c..2b8676382 100644
--- a/Tests/Integration/Module/AuditSettingRule.Integration.tests.ps1
+++ b/Tests/Integration/Module/AuditSettingRule.Integration.tests.ps1
@@ -6,7 +6,7 @@ try
 {
 $rulesToTest = @(
 @{
- query = "SELECT * FROM Win32_Volume WHERE DriveType = '3'"
+ query = "SELECT * FROM Win32_Volume WHERE DriveType = '3' AND SystemVolume != 'True'"
 property = 'FileSystem'
 desiredvalue = 'NTFS|ReFS'
 operator = '-match'
diff --git a/Tests/Unit/Module/AuditSettingRule.tests.ps1 b/Tests/Unit/Module/AuditSettingRule.tests.ps1
index a8d6799ae..e9f89ab3a 100644
--- a/Tests/Unit/Module/AuditSettingRule.tests.ps1
+++ b/Tests/Unit/Module/AuditSettingRule.tests.ps1
@@ -8,7 +8,7 @@ try
 #region Test Setup
 $testRuleList = @(
 @{
- Query = "SELECT * FROM Win32_Volume WHERE DriveType = '3'"
+ Query = "SELECT * FROM Win32_Volume WHERE DriveType = '3' AND SystemVolume != 'True'"
 Property = 'FileSystem'
 DesiredValue = 'NTFS|ReFS'
 Operator = '-match'
diff --git a/source/Module/Rule.AuditSetting/Convert/AuditSettingRule.Convert.psm1 b/source/Module/Rule.AuditSetting/Convert/AuditSettingRule.Convert.psm1
index ae1bcee11..24751fdf4 100644
--- a/source/Module/Rule.AuditSetting/Convert/AuditSettingRule.Convert.psm1
+++ b/source/Module/Rule.AuditSetting/Convert/AuditSettingRule.Convert.psm1
@@ -67,7 +67,7 @@ class AuditSettingRuleConvert : AuditSettingRule
 {$PSItem -Match "Disk Management"}
 {
 Write-Verbose "[$($MyInvocation.MyCommand.Name)] File System Type"
- $this.Query = "SELECT * FROM Win32_Volume WHERE DriveType = '3'"
+ $this.Query = "SELECT * FROM Win32_Volume WHERE DriveType = '3' AND SystemVolume != 'True'"
 $this.Property = 'FileSystem'
 $this.Operator = '-match'
 if ($PSItem -Match "Cluster Share Volumes")
diff --git a/source/StigData/Processed/WindowsClient-10-1.21.xml b/source/StigData/Processed/WindowsClient-10-1.21.xml
index 5a50da7a7..5da9bcc9e 100644
--- a/source/StigData/Processed/WindowsClient-10-1.21.xml
+++ b/source/StigData/Processed/WindowsClient-10-1.21.xml
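Review bot: The `SystemVolume != 'True'` filter added to `$this.Query` in the AuditSettingRule.Convert.psm1 hunk excludes the entire system volume, not only a FAT32 EFI/System Reserved partition; if Win32_Volume's documented semantics hold (SystemVolume marks the partition holding the boot loader, BootVolume the partition holding Windows), then on a legacy single-partition MBR install C: reports SystemVolume = True and drops out of the NTFS/ReFS check, so the rule would report compliant without ever evaluating the OS drive. Keeping a volume in scope whenever it also hosts the OS avoids that gap: `$this.Query = "SELECT * FROM Win32_Volume WHERE DriveType = '3' AND (SystemVolume != 'True' OR BootVolume = 'True')"`. The same query string is repeated in the two test hunks on this line and in the processed STIG XML hunks for WindowsClient-10 and WindowsServer-2012R2-DC-2.19 below, so all copies need to move together, and a unit test case with both flags set would pin the intended behavior. A short why-comment above the assignment would also help, e.g. `# Exclude the boot-loader (system) partition, which is FAT32 by design and not in scope for V-63353`, since the WQL alone does not explain the exclusion.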
@@ -1025,7 +1025,7 @@ v1809 (Build 17763) False FileSystem - SELECT * FROM Win32_Volume WHERE DriveType = '3' + SELECT * FROM Win32_Volume WHERE DriveType = '3' AND SystemVolume != 'True' Run "Computer Management". Navigate to Storage >> Disk Management. diff --git a/source/StigData/Processed/WindowsClient-10-1.23.xml b/source/StigData/Processed/WindowsClient-10-1.23.xml index 8c7f1559e..b5ff793ea 100644 --- a/source/StigData/Processed/WindowsClient-10-1.23.xml +++ b/source/StigData/Processed/WindowsClient-10-1.23.xml @@ -1024,7 +1024,7 @@ v1809 (Build 17763) False FileSystem - SELECT * FROM Win32_Volume WHERE DriveType = '3' + SELECT * FROM Win32_Volume WHERE DriveType = '3' AND SystemVolume != 'True' Run "Computer Management". Navigate to Storage >> Disk Management. diff --git a/source/StigData/Processed/WindowsServer-2012R2-DC-2.19.xml b/source/StigData/Processed/WindowsServer-2012R2-DC-2.19.xml index 6b4b5ef78..f2dbb2f00 100644 --- a/source/StigData/Processed/WindowsServer-2012R2-DC-2.19.xml +++ b/source/StigData/Processed/WindowsServer-2012R2-DC-2.19.xml @@ -135,7 +135,7 @@ If the value for "Store password using reversible encryption" is not set to "Dis Verify the following is configured in the Default Domain Policy. Open "Group Policy Management". -Navigate to "Group Policy Objects" in the Domain being reviewed (Forest > Domains > Domain). +Navigate to "Group Policy Objects" in the Domain being reviewed (Forest > Domains > Domain). Right click on the "Default Domain Policy". Select Edit. Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Kerberos Policy. 
@@ -153,7 +153,7 @@ If the "Enforce user logon restrictions" is not set to "Enabled", this is a find Verify the following is configured in the Default Domain Policy. Open "Group Policy Management". -Navigate to "Group Policy Objects" in the Domain being reviewed (Forest > Domains > Domain). +Navigate to "Group Policy Objects" in the Domain being reviewed (Forest > Domains > Domain). Right click on the "Default Domain Policy". Select Edit. Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Kerberos Policy. @@ -171,7 +171,7 @@ If the value for "Maximum lifetime for service ticket" is 0 or greater than 600 Verify the following is configured in the Default Domain Policy. Open "Group Policy Management". -Navigate to "Group Policy Objects" in the Domain being reviewed (Forest > Domains > Domain). +Navigate to "Group Policy Objects" in the Domain being reviewed (Forest > Domains > Domain). Right click on the "Default Domain Policy". Select Edit. Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Kerberos Policy. @@ -189,7 +189,7 @@ If the value for "Maximum lifetime for user ticket" is 0 or greater than 10 hour Verify the following is configured in the Default Domain Policy. Open "Group Policy Management". -Navigate to "Group Policy Objects" in the Domain being reviewed (Forest > Domains > Domain). +Navigate to "Group Policy Objects" in the Domain being reviewed (Forest > Domains > Domain). Right click on the "Default Domain Policy". Select Edit. Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Kerberos Policy. 
@@ -207,7 +207,7 @@ If the "Maximum lifetime for user ticket renewal" is greater than 7 days, this i Verify the following is configured in the Default Domain Policy. Open "Group Policy Management". -Navigate to "Group Policy Objects" in the Domain being reviewed (Forest > Domains > Domain). +Navigate to "Group Policy Objects" in the Domain being reviewed (Forest > Domains > Domain). Right click on the "Default Domain Policy". Select Edit. Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Kerberos Policy. @@ -241,7 +241,7 @@ Credential validation records events related to validation tests on credentials False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: -Open a Command Prompt with elevated privileges ("Run as Administrator"). @@ -262,7 +262,7 @@ Credential validation records events related to validation tests on credentials False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: -Open a Command Prompt with elevated privileges ("Run as Administrator"). 
@@ -283,7 +283,7 @@ Computer Account Management records events such as creating, changing, deleting, False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: -Open a Command Prompt with elevated privileges ("Run as Administrator"). @@ -304,7 +304,7 @@ Other Account Management Events records events such as the access of a password False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: -Open a Command Prompt with elevated privileges ("Run as Administrator"). 
@@ -325,7 +325,7 @@ Security Group Management records events such as creating, deleting, or changing False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: -Open a Command Prompt with elevated privileges ("Run as Administrator"). @@ -346,7 +346,7 @@ User Account Management records events such as creating, changing, deleting, ren False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: -Open a Command Prompt with elevated privileges ("Run as Administrator"). 
@@ -367,7 +367,7 @@ User Account Management records events such as creating, changing, deleting, ren False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: -Open a Command Prompt with elevated privileges ("Run as Administrator"). @@ -388,7 +388,7 @@ Process Creation records events related to the creation of a process and the sou False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: -Open a Command Prompt with elevated privileges ("Run as Administrator"). 
@@ -409,7 +409,7 @@ Logoff records user logoffs. If this is an interactive logoff, it is recorded o False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: -Open a Command Prompt with elevated privileges ("Run as Administrator"). @@ -430,7 +430,7 @@ Logon records user logons. If this is an interactive logon, it is recorded on t False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: -Open a Command Prompt with elevated privileges ("Run as Administrator"). 
@@ -451,7 +451,7 @@ Logon records user logons. If this is an interactive logon, it is recorded on t False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: -Open a Command Prompt with elevated privileges ("Run as Administrator"). @@ -472,7 +472,7 @@ Special Logon records special logons which have administrative privileges and ca False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: -Open a Command Prompt with elevated privileges ("Run as Administrator"). 
@@ -493,7 +493,7 @@ Audit Policy Change records events related to changes in audit policy.</VulnD False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: -Open a Command Prompt with elevated privileges ("Run as Administrator"). @@ -514,7 +514,7 @@ Audit Policy Change records events related to changes in audit policy.</VulnD False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: -Open a Command Prompt with elevated privileges ("Run as Administrator"). 
@@ -535,7 +535,7 @@ Authentication Policy Change records events related to changes in authentication False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: -Open a Command Prompt with elevated privileges ("Run as Administrator"). @@ -556,7 +556,7 @@ Sensitive Privilege Use records events related to use of sensitive privileges, s False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: -Open a Command Prompt with elevated privileges ("Run as Administrator"). 
@@ -577,7 +577,7 @@ Sensitive Privilege Use records events related to use of sensitive privileges, s False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: -Open a Command Prompt with elevated privileges ("Run as Administrator"). @@ -598,7 +598,7 @@ IPsec Driver records events related to the IPSec Driver such as dropped packets. False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: -Open a Command Prompt with elevated privileges ("Run as Administrator"). 
@@ -619,7 +619,7 @@ IPsec Driver records events related to the IPsec Driver such as dropped packets. False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: -Open a Command Prompt with elevated privileges ("Run as Administrator"). @@ -640,7 +640,7 @@ Security State Change records events related to changes in the security state, s False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: -Open a Command Prompt with elevated privileges ("Run as Administrator"). 
@@ -661,7 +661,7 @@ Security System Extension records events related to extension code being loaded False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: -Open a Command Prompt with elevated privileges ("Run as Administrator"). @@ -682,7 +682,7 @@ System Integrity records events related to violations of integrity to the securi False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: -Open a Command Prompt with elevated privileges ("Run as Administrator"). 
@@ -703,7 +703,7 @@ System Integrity records events related to violations of integrity to the securi False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: -Open a Command Prompt with elevated privileges ("Run as Administrator"). @@ -724,7 +724,7 @@ Audit directory service access records events related to users accessing an Acti False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: -Open a Command Prompt with elevated privileges ("Run as Administrator"). 
@@ -745,7 +745,7 @@ Audit directory service access records events related to users accessing an Acti False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: -Open a Command Prompt with elevated privileges ("Run as Administrator"). @@ -766,7 +766,7 @@ Audit directory service changes records events related to changes made to object False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: -Open a Command Prompt with elevated privileges ("Run as Administrator"). 
@@ -787,7 +787,7 @@ Audit directory service changes records events related to changes made to object False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: -Open a Command Prompt with elevated privileges ("Run as Administrator"). @@ -808,7 +808,7 @@ Removable Storage auditing under Object Access records events related to access False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: -Open a Command Prompt with elevated privileges ("Run as Administrator"). 
@@ -831,7 +831,7 @@ Removable Storage auditing under Object Access records events related to access False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: -Open a Command Prompt with elevated privileges ("Run as Administrator"). @@ -854,7 +854,7 @@ Central Access Policy Staging auditing under Object Access is used to enable the False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: -Open a Command Prompt with elevated privileges ("Run as Administrator"). 
@@ -875,7 +875,7 @@ Central Access Policy Staging auditing under Object Access is used to enable the False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: -Open a Command Prompt with elevated privileges ("Run as Administrator"). @@ -896,7 +896,7 @@ Authorization Policy Change records events related to changes in user rights, su False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: -Open a Command Prompt with elevated privileges ("Run as Administrator"). @@ -926,7 +926,7 @@ Open an elevated "Command Prompt" (run as administrator). Enter "AuditPol /get /category:*" -Compare the AuditPol settings with the following. +Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. @@ -999,7 +999,7 @@ Open an elevated "Command Prompt" (run as administrator). Enter "AuditPol /get /category:*". -Compare the AuditPol settings with the following. +Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. 
@@ -1018,14 +1018,14 @@ System >> Other System Events - Failure Version SELECT * FROM Win32_OperatingSystem - Run "winver.exe". + Run "winver.exe". -If the "About Windows" dialog box does not display -"Microsoft Windows Server +If the "About Windows" dialog box does not display +"Microsoft Windows Server Version 6.2 (Build 9200)" -or greater, this is a finding. - -No preview versions will be used in a production environment. +or greater, this is a finding. + +No preview versions will be used in a production environment. Unsupported Service Packs/Releases: Windows 2012 - any release candidates or versions prior to the initial release. @@ -1039,7 +1039,7 @@ Windows 2012 - any release candidates or versions prior to the initial release.< False FileSystem - SELECT * FROM Win32_Volume WHERE DriveType = '3' + SELECT * FROM Win32_Volume WHERE DriveType = '3' AND SystemVolume != 'True' Open "Computer Management". Select "Disk Management" under "Storage". @@ -1113,7 +1113,7 @@ Copy or enter the lines below to the PowerShell window and enter. (Entering twic if ($lastLogin -eq $null) { $lastLogin = 'Never' } - Write-Host $user.Name $lastLogin $enabled + Write-Host $user.Name $lastLogin $enabled }" This will return a list of local accounts with the account name, last logon, and if the account is enabled (True/False). @@ -1195,7 +1195,7 @@ For any sites that reference FTP, view the Binding information for IP address an Open a "Command Prompt". -Access the FTP site and review accessible directories with the following commands: +Access the FTP site and review accessible directories with the following commands: Note: Returned results may vary depending on the FTP server software. 
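Review bot: Nearly every hunk in WindowsServer-2012R2-DC-2.19.xml apart from the `-1039` query change (the `-135` through `-1478` hunks here, and by the diffstat the 2016 and 2019 DC/MS files too) removes and re-adds lines whose visible text is identical, so they appear to differ only in trailing whitespace or line endings. That churn inflates this file's diff to 478 lines for one functional change and makes it hard for a reviewer to confirm that no check or fix text in the processed baseline was altered unintentionally. Regenerating the processed XML with the repository's line-ending settings so only the `SELECT * FROM Win32_Volume ...` line changes, or moving the whitespace normalization into its own commit, would keep the functional change auditable.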
@@ -1227,13 +1227,13 @@ If the FTP session indicates access to areas of the system other than the specif If there are no printers configured, this is NA.(Exclude Microsoft Print to PDF and Microsoft XPS Document Writer, which do not support sharing.) For each configured printer: -Right click on the printer. -Select "Printer Properties". -Select the "Sharing" tab. -View whether "Share this printer" is checked. +Right click on the printer. +Select "Printer Properties". +Select the "Sharing" tab. +View whether "Share this printer" is checked. -For any printers with "Share this printer" selected: -Select the Security tab. +For any printers with "Share this printer" selected: +Select the Security tab. If any standard user accounts or groups have permissions other than "Print", this is a finding. Standard users will typically be given "Print" permission through the Everyone group. @@ -1255,9 +1255,9 @@ Any accounts that are members of the Backup Operators group, including applicati False False - Determine whether there is a host-based Intrusion Detection System on each server. + Determine whether there is a host-based Intrusion Detection System on each server. -If the HIPS component of HBSS is installed and active on the host and the Alerts of blocked activity are being logged and monitored, this will meet the requirement of this finding. +If the HIPS component of HBSS is installed and active on the host and the Alerts of blocked activity are being logged and monitored, this will meet the requirement of this finding. A HID device is not required on a system that has the role as the Network Intrusion Device (NID). However, this exception needs to be documented with the site ISSO. 
@@ -1444,7 +1444,7 @@ This does not apply to server-based applications that have a requirement for cer Enter "Get-ADUser -Filter * | FT Name, UserPrincipalName, Enabled -AutoSize". -Review the User Principal Name (UPN) of user accounts, including administrators. +Review the User Principal Name (UPN) of user accounts, including administrators. Exclude the built-in accounts such as Administrator and Guest. @@ -1454,7 +1454,7 @@ For standard NIPRNET certificates the individual's identifier is in the format o Alt Tokens and other certificates may use a different UPN format than the EDI-PI, which vary by organization. Verify these with the organization. -NIPRNET Example: +NIPRNET Example: Name - User Principal Name User1 - 1234567890@mil @@ -1478,7 +1478,7 @@ Execute the following command: Get-ChildItem -Path Cert:Localmachine\root | Where Subject -Like "*DoD*" | FL Subject, Thumbprint, NotAfter -If the following certificate "Subject" and "Thumbprint" information is not displayed, this is finding. +If the following certificate "Subject" and "Thumbprint" information is not displayed, this is finding. If an expired certificate ("NotAfter" date) is not listed in the results, this is not a finding. 
@@ -1553,18 +1553,18 @@ For Active Directory (AD), the Group Policy objects require special attention. Verify the permissions on Group Policy objects. Open "Group Policy Management". (Available from various menus or run "gpmc.msc".) -Navigate to "Group Policy Objects" in the domain being reviewed (Forest > Domains > Domain). +Navigate to "Group Policy Objects" in the domain being reviewed (Forest > Domains > Domain). -For each Group Policy object: +For each Group Policy object: Select the Group Policy object item in the left pane. Select the Delegation tab in the right pane. Select the Advanced button. -If any standard user accounts or groups have greater than Allow permissions of Read and Apply group policy, this is a finding. +If any standard user accounts or groups have greater than Allow permissions of Read and Apply group policy, this is a finding. Other access permissions that allow the objects to be updated are considered findings unless specifically documented by the ISSO. -The default permissions noted below meet this requirement. +The default permissions noted below meet this requirement. The permissions shown are at the summary level. More detailed permissions can be viewed by selecting the next Advanced button, selecting the desired Permission entry, and the Edit button. 
@@ -1650,9 +1650,9 @@ ENTERPRISE DOMAIN CONTROLLERS - Read, Special permissions If an ISSO-approved distributed administration model (help desk or other user support staff) is implemented, permissions above Read may be allowed for groups documented by the ISSO. - <VulnDiscussion>Operating system backup is a critical step in maintaining data assurance and availability. + <VulnDiscussion>Operating system backup is a critical step in maintaining data assurance and availability. -Information system and security-related documentation contains information pertaining to system configuration and security settings. +Information system and security-related documentation contains information pertaining to system configuration and security settings. Backups shall be consistent with organizational recovery time and recovery point objectives.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> 
@@ -1707,9 +1707,9 @@ NSI Verify servers are located in controlled access areas that are accessible only to authorized personnel. If systems are not adequately protected, this is a finding. - <VulnDiscussion>Operating system backup is a critical step in maintaining data assurance and availability. + <VulnDiscussion>Operating system backup is a critical step in maintaining data assurance and availability. -System-level information includes system-state information, operating system and application software, and licenses. +System-level information includes system-state information, operating system and application software, and licenses. Backups must be consistent with organizational recovery time and recovery point objectives.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> 
@@ -1724,20 +1724,20 @@ Backups must be consistent with organizational recovery time and recovery point False False - Verify the local system boots directly into Windows. + Verify the local system boots directly into Windows. Open Control Panel. Select "System". Select the "Advanced System Settings" link. Select the "Advanced" tab. -Click the "Startup and Recovery" Settings button. +Click the "Startup and Recovery" Settings button. If the drop-down list box "Default operating system:" shows any operating system other than Windows Server 2012, this is a finding. <VulnDiscussion>An account that does not have Administrator duties must not have Administrator rights. Such rights would allow the account to bypass or modify required security restrictions on that machine and make it vulnerable to attack. -System administrators must log on to systems only using accounts with the minimum level of authority necessary. +System administrators must log on to systems only using accounts with the minimum level of authority necessary. Standard user accounts must not be members of the built-in Administrators group.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> 
@@ -1898,7 +1898,7 @@ BUILTIN\Administrators:(I)(F) Do not use File Explorer to attempt to view permissions of the NTDS folder. Accessing the folder through File Explorer will change the permissions on the folder. - <VulnDiscussion>When directory service data files, especially for directories used for identification, authentication, or authorization, reside on the same logical partition as user-owned files, the directory service data may be more vulnerable to unauthorized access or other availability compromises. Directory service and user-owned data files sharing a partition may be configured with less restrictive permissions in order to allow access to the user data. + <VulnDiscussion>When directory service data files, especially for directories used for identification, authentication, or authorization, reside on the same logical partition as user-owned files, the directory service data may be more vulnerable to unauthorized access or other availability compromises. Directory service and user-owned data files sharing a partition may be configured with less restrictive permissions in order to allow access to the user data. The directory service may be vulnerable to a denial of service attack when user-owned files on a common partition are expanded to an extent preventing the directory service from acquiring more space for directory or audit data.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls>DCSP-1</IAControls> 
@@ -1916,7 +1916,7 @@ Ignore all system shares (e.g., Windows NETLOGON, SYSVOL, and administrative sha If user shares are located on the same logical partition as the directory server data files, this is a finding. - <VulnDiscussion>Executing application servers on the same host machine with a directory server may substantially weaken the security of the directory server. Web or database server applications usually require the addition of many programs and accounts increasing the attack surface of the computer. + <VulnDiscussion>Executing application servers on the same host machine with a directory server may substantially weaken the security of the directory server. Web or database server applications usually require the addition of many programs and accounts increasing the attack surface of the computer. Some applications require the addition of privileged accounts providing potential sources of compromise. Some applications (such as MS Exchange) may require the use of network ports or services conflicting with the directory server. In this case, non-standard ports might be selected and this could interfere with intrusion detection or prevention services.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls>DCSP-1</IAControls> @@ -1928,7 +1928,7 @@ Run "services.msc" to display the Services console. Determine if any running services are application components. -Examples of services indicating the presence of applications are: +Examples of services indicating the presence of applications are: -DHCP Server for DHCP server -IIS Admin Service for IIS web server -Microsoft Exchange System Attendant for Exchange 
@@ -1943,7 +1943,7 @@ Determine if any additional server roles are installed. A basic domain controll -DNS Server -File and Storage Services -If any roles not requiring installation on a domain controller are installed, this is a finding. +If any roles not requiring installation on a domain controller are installed, this is a finding. Supplemental Notes: A Domain Name System (DNS) server integrated with the directory server (e.g., AD-integrated DNS) is an acceptable application. However, the DNS server must comply with the DNS STIG security requirements. 
@@ -1981,7 +1981,7 @@ If the "PasswordLastSet" date is greater than one year old, this is a finding. <VulnDiscussion>Allowing anonymous access to the root DSE data on a directory server provides potential attackers with a number of details about the configuration and data contents of a directory. For example, the namingContexts attribute indicates the directory space contained in the directory; the supportedLDAPVersion attribute indicates which versions of the LDAP protocol the server supports; and the supportedSASLMechanisms attribute indicates the names of supported authentication mechanisms. An attacker with this information may be able to select more precisely targeted attack tools or higher value targets.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance>The following network controls allow the finding severity to be downgraded to not a finding since these measures lower the risk associated with anonymous access. -Network hardware ports at the site are subject to 802.1x authentication or MAC address restrictions. +Network hardware ports at the site are subject to 802.1x authentication or MAC address restrictions. Premise firewall or host restrictions prevent access to ports 389, 636, 3268, and 3269 from client hosts not explicitly identified by domain (.mil) or IP address.</SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls>ECAN-1, ECCD-1, ECCD-2</IAControls> 
@@ -2007,7 +2007,7 @@ Authenticated as: 'NT AUTHORITY\ANONYMOUS LOGON' <VulnDiscussion>To the extent that anonymous access to directory data (outside the root DSE) is permitted, read access control of the data is effectively disabled. If other means of controlling access (such as, network restrictions) are compromised, there may be nothing else to protect the confidentiality of sensitive directory data.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance>The following network controls allow the finding severity to be downgraded to a CAT II since these measures lower the risk associated with anonymous access. -Network hardware ports at the site are subject to 802.1x authentication or MAC address restrictions. +Network hardware ports at the site are subject to 802.1x authentication or MAC address restrictions. Premise firewall or host restrictions prevent access to ports 389, 636, 3268, and 3269 from client hosts not explicitly identified by domain (.mil) or IP address.</SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls>ECAN-1, ECCD-1, ECCD-2</IAControls> 
@@ -2056,11 +2056,11 @@ In the right pane, examine the Issued By field for the certificate to determine If the Issued By field of the PKI certificate being used by the domain controller does not indicate the issuing Certificate Authority (CA) is part of the DoD PKI or an approved ECA, this is a finding. -There are multiple sources from which lists of valid DoD CAs and approved ECAs can be obtained: +There are multiple sources from which lists of valid DoD CAs and approved ECAs can be obtained: The Global Directory Service (GDS) website provides an online source. The address for this site is https://crl.gds.disa.mil. -DoD Public Key Enablement (PKE) Engineering Support maintains the InstallRoot utility to manage DoD supported root certificates on Windows computers which includes a list of authorized CAs. The utility package can be downloaded from the PKI and PKE Tools page on IASE. +DoD Public Key Enablement (PKE) Engineering Support maintains the InstallRoot utility to manage DoD supported root certificates on Windows computers which includes a list of authorized CAs. The utility package can be downloaded from the PKI and PKE Tools page on IASE. http://iase.disa.mil/pki-pke/function_pages/tools.html @@ -2078,7 +2078,7 @@ At the "ldap policy:" prompt, enter "connections". At the "server connections:" prompt, enter "connect to server [host-name]". (Where [host-name] is the computer name of the domain controller.) At the "server connections:" prompt, enter "q". -At the "ldap policy:" prompt, enter "show values". +At the "ldap policy:" prompt, enter "show values". If the value for MaxConnIdleTime is greater than 300 (the value for five minutes) or it is not specified, this is a finding. 
@@ -2089,7 +2089,7 @@ Alternately, Dsquery can be used to display MaxConnIdleTime: Open an elevated command prompt. Enter the following command (on a single line). -dsquery * "cn=Default Query Policy,cn=Query-Policies,cn=Directory Service, cn=Windows NT,cn=Services,cn=Configuration,dc=[forest-name]" -attr LDAPAdminLimits +dsquery * "cn=Default Query Policy,cn=Query-Policies,cn=Directory Service, cn=Windows NT,cn=Services,cn=Configuration,dc=[forest-name]" -attr LDAPAdminLimits The quotes are required and dc=[forest-name] is the fully qualified LDAP name of the domain being reviewed (e.g., dc=disaost,dc=mil). @@ -2127,7 +2127,7 @@ Execute the following command: Get-ChildItem -Path Cert:Localmachine\disallowed | Where {$_.Issuer -Like "*DoD Interoperability*" -and $_.Subject -Like "*DoD*"} | FL Subject, Issuer, Thumbprint, NotAfter -If the following certificate "Subject", "Issuer", and "Thumbprint", information is not displayed, this is finding. +If the following certificate "Subject", "Issuer", and "Thumbprint", information is not displayed, this is finding. If an expired certificate ("NotAfter" date) is not listed in the results, this is not a finding. 
@@ -2195,7 +2195,7 @@ Technical means such as application whitelisting can be used to enforce the poli The organization must have a policy that prohibits administrative accounts from using applications that access the Internet, such as web browsers, or with potential Internet sources, such as email, except as necessary for local service administration. The policy should define specific exceptions for local service administration. These exceptions may include HTTP(S)-based tools that are used for the administration of the local system, services, or attached devices. -Technical measures such as the removal of applications or application whitelisting must be used where feasible to prevent the use of applications that access the Internet. +Technical measures such as the removal of applications or application whitelisting must be used where feasible to prevent the use of applications that access the Internet. If accounts with administrative privileges are not prevented from using applications that access the Internet or with potential Internet sources, this is a finding. @@ -2205,7 +2205,7 @@ If accounts with administrative privileges are not prevented from using applicat False False - Verify each user with administrative privileges has been assigned a unique administrative account separate from their standard user account. + Verify each user with administrative privileges has been assigned a unique administrative account separate from their standard user account. If users with administrative privileges do not have separate accounts for administrative functions and standard user functions, this is a finding. 
@@ -2280,7 +2280,7 @@ If the "Password Last Set" date is more than one year old, this is a finding.Determine if a process to back up log data to a different system or media than the system being audited has been implemented. If it has not, this is a finding. - <VulnDiscussion>Operating system backup is a critical step in maintaining data assurance and availability. + <VulnDiscussion>Operating system backup is a critical step in maintaining data assurance and availability. User-level information is data generated by information system and/or application users. 
@@ -2300,7 +2300,7 @@ Backups shall be consistent with organizational recovery time and recovery point Verify the organization has an automated process to install security-related software updates. If it does not, this is a finding. - <VulnDiscussion>When inappropriate audit settings are configured for directory service database objects, it may be possible for a user or process to update the data without generating any tracking data. The impact of missing audit data is related to the type of object. A failure to capture audit data for objects used by identification, authentication, or authorization functions could degrade or eliminate the ability to track changes to access policy for systems or data. + <VulnDiscussion>When inappropriate audit settings are configured for directory service database objects, it may be possible for a user or process to update the data without generating any tracking data. The impact of missing audit data is related to the type of object. A failure to capture audit data for objects used by identification, authentication, or authorization functions could degrade or eliminate the ability to track changes to access policy for systems or data. For Active Directory (AD), there are a number of critical object types in the domain naming context of the AD database for which auditing is essential. This includes Group Policy objects. Because changes to these objects can significantly impact access controls or the availability of systems, the absence of auditing data makes it impossible to identify the source of changes that impact the confidentiality, integrity, and availability of data and systems throughout an AD domain. 
The lack of proper auditing can result in insufficient forensic evidence needed to investigate an incident and prosecute the intruder.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> @@ -2311,9 +2311,9 @@ For Active Directory (AD), there are a number of critical object types in the do Open "Group Policy Management". (Available from various menus, or run "gpmc.msc".) -Navigate to "Group Policy Objects" in the domain being reviewed (Forest >> Domains >> Domain). +Navigate to "Group Policy Objects" in the domain being reviewed (Forest >> Domains >> Domain). -For each Group Policy object: +For each Group Policy object: Select the Group Policy Object item in the left pane. 
@@ -2346,7 +2346,7 @@ Inherited from - Parent Object Applies to - Descendant Organization Unit Objects - <VulnDiscussion>When inappropriate audit settings are configured for directory service database objects, it may be possible for a user or process to update the data without generating any tracking data. The impact of missing audit data is related to the type of object. A failure to capture audit data for objects used by identification, authentication, or authorization functions could degrade or eliminate the ability to track changes to access policy for systems or data. + <VulnDiscussion>When inappropriate audit settings are configured for directory service database objects, it may be possible for a user or process to update the data without generating any tracking data. The impact of missing audit data is related to the type of object. A failure to capture audit data for objects used by identification, authentication, or authorization functions could degrade or eliminate the ability to track changes to access policy for systems or data. For Active Directory (AD), there are a number of critical object types in the domain naming context of the AD database for which auditing is essential. This includes the Domain object. Because changes to these objects can significantly impact access controls or the availability of systems, the absence of auditing data makes it impossible to identify the source of changes that impact the confidentiality, integrity, and availability of data and systems throughout an AD domain. 
The lack of proper auditing can result in insufficient forensic evidence needed to investigate an incident and prosecute the intruder.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls>ECAR-1, ECAR-2, ECAR-3</IAControls> 
@@ -2399,7 +2399,7 @@ Applies to - This object only (Access - Special = Permissions: Write all properties, Modify permissions, Modify owner) - <VulnDiscussion>When inappropriate audit settings are configured for directory service database objects, it may be possible for a user or process to update the data without generating any tracking data. The impact of missing audit data is related to the type of object. A failure to capture audit data for objects used by identification, authentication, or authorization functions could degrade or eliminate the ability to track changes to access policy for systems or data. + <VulnDiscussion>When inappropriate audit settings are configured for directory service database objects, it may be possible for a user or process to update the data without generating any tracking data. The impact of missing audit data is related to the type of object. A failure to capture audit data for objects used by identification, authentication, or authorization functions could degrade or eliminate the ability to track changes to access policy for systems or data. For Active Directory (AD), there are a number of critical object types in the domain naming context of the AD database for which auditing is essential. This includes the Infrastructure object. Because changes to these objects can significantly impact access controls or the availability of systems, the absence of auditing data makes it impossible to identify the source of changes that impact the confidentiality, integrity, and availability of data and systems throughout an AD domain. 
The lack of proper auditing can result in insufficient forensic evidence needed to investigate an incident and prosecute the intruder.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls>ECAR-1, ECAR-2, ECAR-3</IAControls> 
@@ -2437,7 +2437,7 @@ Access - (blank) Inherited from - (CN of domain) - <VulnDiscussion>When inappropriate audit settings are configured for directory service database objects, it may be possible for a user or process to update the data without generating any tracking data. The impact of missing audit data is related to the type of object. A failure to capture audit data for objects used by identification, authentication, or authorization functions could degrade or eliminate the ability to track changes to access policy for systems or data. + <VulnDiscussion>When inappropriate audit settings are configured for directory service database objects, it may be possible for a user or process to update the data without generating any tracking data. The impact of missing audit data is related to the type of object. A failure to capture audit data for objects used by identification, authentication, or authorization functions could degrade or eliminate the ability to track changes to access policy for systems or data. For Active Directory (AD), there are a number of critical object types in the domain naming context of the AD database for which auditing is essential. This includes the Domain Controller OU object. Because changes to these objects can significantly impact access controls or the availability of systems, the absence of auditing data makes it impossible to identify the source of changes that impact the confidentiality, integrity, and availability of data and systems throughout an AD domain. 
The lack of proper auditing can result in insufficient forensic evidence needed to investigate an incident and prosecute the intruder.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls>ECAR-1, ECAR-2, ECAR-3</IAControls> 
@@ -2484,7 +2484,7 @@ Inherited from - (CN of domain) Applies to - Descendant Organizational Unit objects - <VulnDiscussion>When inappropriate audit settings are configured for directory service database objects, it may be possible for a user or process to update the data without generating any tracking data. The impact of missing audit data is related to the type of object. A failure to capture audit data for objects used by identification, authentication, or authorization functions could degrade or eliminate the ability to track changes to access policy for systems or data. + <VulnDiscussion>When inappropriate audit settings are configured for directory service database objects, it may be possible for a user or process to update the data without generating any tracking data. The impact of missing audit data is related to the type of object. A failure to capture audit data for objects used by identification, authentication, or authorization functions could degrade or eliminate the ability to track changes to access policy for systems or data. For Active Directory (AD), there are a number of critical object types in the domain naming context of the AD database for which auditing is essential. This includes the AdminSDHolder object. Because changes to these objects can significantly impact access controls or the availability of systems, the absence of auditing data makes it impossible to identify the source of changes that impact the confidentiality, integrity, and availability of data and systems throughout an AD domain. 
The lack of proper auditing can result in insufficient forensic evidence needed to investigate an incident and prosecute the intruder.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls>ECAR-1, ECAR-2, ECAR-3</IAControls> 
@@ -2525,7 +2525,7 @@ Inherited from - (CN of domain) Applies to - Descendant Organizational Unit objects - <VulnDiscussion>When inappropriate audit settings are configured for directory service database objects, it may be possible for a user or process to update the data without generating any tracking data. The impact of missing audit data is related to the type of object. A failure to capture audit data for objects used by identification, authentication, or authorization functions could degrade or eliminate the ability to track changes to access policy for systems or data. + <VulnDiscussion>When inappropriate audit settings are configured for directory service database objects, it may be possible for a user or process to update the data without generating any tracking data. The impact of missing audit data is related to the type of object. A failure to capture audit data for objects used by identification, authentication, or authorization functions could degrade or eliminate the ability to track changes to access policy for systems or data. For Active Directory (AD), there are a number of critical object types in the domain naming context of the AD database for which auditing is essential. This includes the RID Manager$ object. Because changes to these objects can significantly impact access controls or the availability of systems, the absence of auditing data makes it impossible to identify the source of changes that impact the confidentiality, integrity, and availability of data and systems throughout an AD domain. 
The lack of proper auditing can result in insufficient forensic evidence needed to investigate an incident and prosecute the intruder.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls>ECAR-1, ECAR-2, ECAR-3</IAControls> @@ -2660,7 +2660,7 @@ Execute the following command: Get-ChildItem -Path Cert:Localmachine\disallowed | Where Issuer -Like "*CCEB Interoperability*" | FL Subject, Issuer, Thumbprint, NotAfter -If the following certificate "Subject", "Issuer", and "Thumbprint", information is not displayed, this is finding. +If the following certificate "Subject", "Issuer", and "Thumbprint", information is not displayed, this is finding. If an expired certificate ("NotAfter" date) is not listed in the results, this is not a finding. @@ -3263,7 +3263,7 @@ The SYSVOL directory contains public files (to the domain) such as policies and Open a command prompt. Run "net share". -Make note of the directory location of the SYSVOL share. +Make note of the directory location of the SYSVOL share. By default this will be \Windows\SYSVOL\sysvol. For this requirement, permissions will be verified at the first SYSVOL directory level. 
@@ -3275,38 +3275,38 @@ Click Advanced. If any standard user accounts or groups have greater than read & execute permissions, this is a finding. The default permissions noted below meet this requirement. -Type - Allow +Type - Allow Principal - Authenticated Users Access - Read & execute Inherited from - None Applies to - This folder, subfolder and files -Type - Allow +Type - Allow Principal - Server Operators Access - Read & execute Inherited from - None Applies to - This folder, subfolder and files -Type - Allow +Type - Allow Principal - Administrators Access - Special Inherited from - None Applies to - This folder only (Access - Special - Basic Permissions: all selected except Full control) -Type - Allow +Type - Allow Principal - CREATOR OWNER Access - Full control Inherited from - None Applies to - Subfolders and files only -Type - Allow +Type - Allow Principal - Administrators Access - Full control Inherited from - None Applies to - Subfolders and files only -Type - Allow +Type - Allow Principal - SYSTEM Access - Full control Inherited from - None @@ -3329,7 +3329,7 @@ NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F) BUILTIN\Administrators:(M,WDAC,WO) CREATOR OWNER:(OI)(CI)(IO)(F) -(RX) - Read & execute +(RX) - Read & execute Run "icacls /help" to view definitions of other permission codes. @@ -3529,7 +3529,7 @@ Viewing in File Explorer: For each folder, view the Properties. Select the "Security" tab, and the "Advanced" button. Default Permissions: -\Program Files +\Program Files Type - "Allow" for all Inherited from - "None" for all Principal - Access - Applies to @@ -3862,7 +3862,7 @@ Administrators, SYSTEM, Users, ALL APPLICATION PACKAGES - Read & Execute If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: ShutdownWithoutLogon 
@@ -3883,7 +3883,7 @@ Value: 0 If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: LegalNoticeText @@ -3953,7 +3953,7 @@ Value: 4 (or less) If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Control\Lsa\ Value Name: RestrictAnonymous @@ -3974,7 +3974,7 @@ Value: 1 If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Services\LanManServer\Parameters\ Value Name: EnableForcedLogoff @@ -4037,7 +4037,7 @@ Value: 0 If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers\ Value Name: AddPrinterDrivers @@ -4079,7 +4079,7 @@ Value: 5 If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: DisableCAD @@ -4100,9 +4100,9 @@ Value: 0 '{0}' -match '1|2' If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ - + Value Name: SCRemoveOption Value Type: REG_SZ 
@@ -4123,7 +4123,7 @@ If configuring this on servers causes issues such as terminating users' remote s If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Services\LanManServer\Parameters\ Value Name: EnableSecuritySignature @@ -4190,7 +4190,7 @@ If the value for "Domain Member: Digitally encrypt or sign secure channel data ( If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Services\Netlogon\Parameters\ Value Name: DisablePasswordChange @@ -4211,7 +4211,7 @@ Value: 0 If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Services\LanmanWorkstation\Parameters\ Value Name: EnableSecuritySignature @@ -4232,7 +4232,7 @@ Value: 1 If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ Value Name: AllocateDASD @@ -4253,7 +4253,7 @@ Value: 0 '{0}' -ge '14' If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ Value Name: PasswordExpiryWarning 
@@ -4274,7 +4274,7 @@ Value: 14 (or greater) If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Control\Session Manager\ Value Name: ProtectionMode @@ -4337,7 +4337,7 @@ Value: 0x000000ff (255) If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Services\LanManServer\Parameters\ Value Name: NullSessionPipes @@ -4362,7 +4362,7 @@ Legitimate applications may add entries to this registry value. If an applicatio If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths\ Value Name: Machine @@ -4370,8 +4370,8 @@ Value Name: Machine Value Type: REG_MULTI_SZ Value: see below -System\CurrentControlSet\Control\ProductOptions -System\CurrentControlSet\Control\Server Applications +System\CurrentControlSet\Control\ProductOptions +System\CurrentControlSet\Control\Server Applications Software\Microsoft\Windows NT\CurrentVersion Legitimate applications may add entries to this registry value. If an application requires these entries to function properly and is documented with the ISSO, this would not be a finding. Documentation must contain supporting information from the vendor's instructions. @@ -4391,7 +4391,7 @@ Legitimate applications may add entries to this registry value. If an applicati If the following registry value does exist and is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Services\LanManServer\Parameters\ Value Name: NullSessionShares 
@@ -4413,12 +4413,12 @@ Value: (Blank) If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \Software\Policies\Microsoft\Windows NT\Terminal Services\ +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows NT\Terminal Services\ Value Name: fAllowToGetHelp - -Type: REG_DWORD + +Type: REG_DWORD Value: 0 0 fAllowToGetHelp @@ -4434,7 +4434,7 @@ Value: 0 If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Control\Lsa\ Value Name: LimitBlankPasswordUse @@ -4455,7 +4455,7 @@ Value: 1 '{0}' -le '30' -and '{0}' -gt '0' If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Services\Netlogon\Parameters\ Value Name: MaximumPasswordAge @@ -4476,14 +4476,14 @@ Value: 30 (or less, but not 0) If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Services\Netlogon\Parameters\ Value Name: RequireStrongKey Value Type: REG_DWORD Value: 1 - + This setting may prevent a system from being joined to a domain if not configured consistently between systems. 1 RequireStrongKey @@ -4499,7 +4499,7 @@ This setting may prevent a system from being joined to a domain if not configure If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Control\Lsa\ Value Name: EveryoneIncludesAnonymous 
@@ -4520,7 +4520,7 @@ Value: 0 If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Control\Lsa\ Value Name: ForceGuest @@ -4541,7 +4541,7 @@ Value: 0 If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Control\Lsa\ Value Name: NoLMHash @@ -4562,7 +4562,7 @@ Value: 1 If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Services\LDAP\ Value Name: LDAPClientIntegrity @@ -4583,7 +4583,7 @@ Value: 1 If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Control\Lsa\MSV1_0\ Value Name: NTLMMinClientSec @@ -4611,7 +4611,7 @@ Value Name: Enabled Value Type: REG_DWORD Value: 1 - + Warning: Clients with this setting enabled will not be able to communicate via digitally encrypted or signed protocols with servers that do not support these algorithms. Both the browser and web server must be configured to use TLS, or the browser will not be able to connect to a secure site. 1 Enabled @@ -4627,7 +4627,7 @@ Warning: Clients with this setting enabled will not be able to communicate via d If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Control\Session Manager\Kernel\ Value Name: ObCaseInsensitive 
@@ -4646,14 +4646,14 @@ Value: 1 HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services False - If the following registry value does not exist or is not configured as specified, this is a finding: + If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \Software\Policies\Microsoft\Windows NT\Terminal Services\ +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows NT\Terminal Services\ -Value Name: fSingleSessionPerUser +Value Name: fSingleSessionPerUser -Type: REG_DWORD +Type: REG_DWORD Value: 1 1 fSingleSessionPerUser @@ -4797,7 +4797,7 @@ Value: 0 If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Control\Session Manager\ Value Name: SafeDllSearchMode @@ -4839,7 +4839,7 @@ Value: 1 HKEY_CURRENT_USER\Software\Policies\Microsoft\WindowsMediaPlayer False - If the following registry value does not exist or is not configured as specified, this is a finding: + If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_CURRENT_USER Registry Path: \Software\Policies\Microsoft\WindowsMediaPlayer\ @@ -4862,7 +4862,7 @@ Value: 1 If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Control\Lsa\MSV1_0\ Value Name: NTLMMinServerSec @@ -4885,7 +4885,7 @@ Value: 0x20080000 (537395200) If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Services\Eventlog\Security\ Value Name: WarningLevel 
@@ -4906,7 +4906,7 @@ Value: 90 (or less) If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Services\Tcpip\Parameters\ Value Name: DisableIPSourceRouting @@ -4927,7 +4927,7 @@ Value: 2 If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Services\Tcpip\Parameters\ Value Name: EnableICMPRedirect @@ -4948,7 +4948,7 @@ Value: 0 If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Services\Tcpip\Parameters\ Value Name: PerformRouterDiscovery @@ -4969,7 +4969,7 @@ Value: 0 '{0}' -le '300000' If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Services\Tcpip\Parameters\ Value Name: KeepAliveTime @@ -5011,7 +5011,7 @@ Value: 1 If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Services\NTDS\Parameters\ Value Name: LDAPServerIntegrity @@ -5032,7 +5032,7 @@ Value: 2 If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Services\Netlogon\Parameters\ Value Name: RefusePasswordChange 
@@ -5074,7 +5074,7 @@ Value: 3 (or less) '{0}' -le '5' If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ Value Name: ScreenSaverGracePeriod @@ -5095,7 +5095,7 @@ Value: 5 (or less) If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths\ Value Name: Machine @@ -5130,7 +5130,7 @@ Legitimate applications may add entries to this registry value. If an applicatio If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Control\Session Manager\Subsystems\ Value Name: Optional @@ -5194,7 +5194,7 @@ Value: 0 If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Services\Netlogon\Parameters\ Value Name: RequireSignOrSeal @@ -5215,7 +5215,7 @@ Value: 1 If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Services\LanmanWorkstation\Parameters\ Value Name: RequireSecuritySignature @@ -5236,7 +5236,7 @@ Value: 1 If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Services\LanManServer\Parameters\ Value Name: RequireSecuritySignature 
@@ -5257,7 +5257,7 @@ Value: 1 If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Services\LanManServer\Parameters\ Value Name: RestrictNullSessAccess @@ -5345,7 +5345,7 @@ If another time synchronization tool is used, review the available configuration If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: DontDisplayLastUserName @@ -5367,7 +5367,7 @@ This setting prevents the system from setting up a default system access control If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Control\Lsa\ Value Name: AuditBaseObjects 
@@ -5379,7 +5379,7 @@ Value: 0 Dword - <VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. + <VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. This setting prevents the system from generating audit events for every file backed up or restored, which could fill the security log in Windows, making it difficult to identify actual issues.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> Present @@ -5389,7 +5389,7 @@ This setting prevents the system from generating audit events for every file bac If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Control\Lsa\ Value Name: FullPrivilegeAuditing 
@@ -5401,7 +5401,7 @@ Value: 0 Binary - <VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. + <VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. This setting allows administrators to enable more precise auditing capabilities.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> Present @@ -5411,7 +5411,7 @@ This setting allows administrators to enable more precise auditing capabilities. If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Control\Lsa\ Value Name: SCENoApplyLegacyAuditPolicy 
@@ -5432,7 +5432,7 @@ Value: 1 If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Services\IPSEC\ Value Name: NoDefaultExempt @@ -5455,7 +5455,7 @@ Value: 3 If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: FilterAdministratorToken @@ -5478,7 +5478,7 @@ Value: 1 If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: ConsentPromptBehaviorAdmin @@ -5504,7 +5504,7 @@ Value: 4 (Prompt for consent) If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: ConsentPromptBehaviorUser @@ -5527,7 +5527,7 @@ Value: 0 If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: EnableInstallerDetection @@ -5550,7 +5550,7 @@ Value: 1 If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: EnableSecureUIAPaths 
@@ -5573,7 +5573,7 @@ Value: 1 If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: EnableLUA @@ -5596,7 +5596,7 @@ Value: 1 If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: PromptOnSecureDesktop @@ -5619,7 +5619,7 @@ Value: 1 If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: EnableVirtualization 
@@ -5694,7 +5694,7 @@ Value: 1 Dword - <VulnDiscussion>Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and uncontrolled updates to the system. + <VulnDiscussion>Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and uncontrolled updates to the system. This setting prevents the client computer from printing over HTTP, which allows the computer to print to printers on the intranet as well as the Internet.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> Present 
@@ -5716,7 +5716,7 @@ Value: 1 Dword - <VulnDiscussion>Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and uncontrolled updates to the system. + <VulnDiscussion>Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and uncontrolled updates to the system. This setting prevents the computer from downloading print driver packages over HTTP.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> Present 
@@ -5738,7 +5738,7 @@ Value: 1 Dword - <VulnDiscussion>Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and uncontrolled updates to the system. + <VulnDiscussion>Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and uncontrolled updates to the system. This setting prevents Windows from searching Windows Update for device drivers when no local drivers for a device are present.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> Present 
@@ -5886,7 +5886,7 @@ Value: 1 Dword - <VulnDiscussion>Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and uncontrolled updates to the system. + <VulnDiscussion>Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and uncontrolled updates to the system. This setting prevents unhandled file associations from using the Microsoft Web service to find an application.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> Present 
@@ -6013,7 +6013,7 @@ Value: 1 Dword - <VulnDiscussion>Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and uncontrolled updates to the system. + <VulnDiscussion>Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and uncontrolled updates to the system. This setting prevents users from being presented with Privacy and Installation options on first use of Windows Media Player, which could enable some communication with the vendor.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> Present 
@@ -6321,7 +6321,7 @@ Value: 0 Dword - <VulnDiscussion>Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and uncontrolled updates to the system. + <VulnDiscussion>Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and uncontrolled updates to the system. This setting prevents an error report from being sent when a generic device driver is installed.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> Present 
@@ -6343,7 +6343,7 @@ Value: 1 Dword - <VulnDiscussion>Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and uncontrolled updates to the system. + <VulnDiscussion>Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and uncontrolled updates to the system. This setting prevents users from being prompted to search Windows Update for device drivers.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> Present 
@@ -6365,7 +6365,7 @@ Value: 1 Dword - <VulnDiscussion>Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and uncontrolled updates to the system. + <VulnDiscussion>Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and uncontrolled updates to the system. This setting prevents errors in handwriting recognition on tablet PCs from being reported to Microsoft.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> Present 
@@ -6471,7 +6471,7 @@ Value: 0 Dword - <VulnDiscussion>Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and uncontrolled updates to the system. + <VulnDiscussion>Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and uncontrolled updates to the system. This check verifies that Windows Media DRM will be prevented from accessing the Internet.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> Present @@ -6525,7 +6525,7 @@ Value: 1 If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: EnableUIADesktopToggle @@ -6544,7 +6544,7 @@ Value: 0 HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services False - If the following registry value does not exist or is not configured as specified, this is a finding: + If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Policies\Microsoft\Windows NT\Terminal Services\ 
@@ -6565,7 +6565,7 @@ Value: 1 HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services False - If the following registry value does not exist or is not configured as specified, this is a finding: + If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Policies\Microsoft\Windows NT\Terminal Services\ @@ -6586,7 +6586,7 @@ Value: 1 HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services False - If the following registry value does not exist or is not configured as specified, this is a finding: + If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Policies\Microsoft\Windows NT\Terminal Services\ @@ -6607,7 +6607,7 @@ Value: 1 HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services False - If the following registry value does not exist or is not configured as specified, this is a finding: + If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Policies\Microsoft\Windows NT\Terminal Services\ @@ -6632,7 +6632,7 @@ Value: 1 If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: ValidateAdminCodeSignatures 
@@ -6644,7 +6644,7 @@ Value: 0 Dword - <VulnDiscussion>Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and uncontrolled updates to the system. + <VulnDiscussion>Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and uncontrolled updates to the system. This setting ensures the Windows Customer Experience Improvement Program is disabled so information is not passed to the vendor.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> Present 
@@ -6666,7 +6666,7 @@ Value: 0 Dword - <VulnDiscussion>Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and uncontrolled updates to the system. + <VulnDiscussion>Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and uncontrolled updates to the system. This setting ensures the Windows Help Experience Improvement Program is disabled to prevent information from being passed to the vendor.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> Present 
@@ -6688,7 +6688,7 @@ Value: 1 Dword - <VulnDiscussion>Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and uncontrolled updates to the system. + <VulnDiscussion>Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and uncontrolled updates to the system. This setting ensures users cannot provide ratings feedback to Microsoft for Help content.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> Present 
@@ -6903,7 +6903,7 @@ Value: Enabled String - <VulnDiscussion>Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and uncontrolled updates to the system. + <VulnDiscussion>Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and uncontrolled updates to the system. This setting will prevent Windows from searching Windows Update for point and print drivers. Only the local driver store and server driver cache will be searched.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> Present 
@@ -6925,7 +6925,7 @@ Value: 1 Dword - <VulnDiscussion>Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and uncontrolled updates to the system. + <VulnDiscussion>Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and uncontrolled updates to the system. This setting will prevent Windows from retrieving device metadata from the Internet.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> Present 
@@ -6947,7 +6947,7 @@ Value: 1 Dword - <VulnDiscussion>Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and uncontrolled updates to the system. + <VulnDiscussion>Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and uncontrolled updates to the system. This setting will prevent the system from searching Windows Update for device drivers.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> Present 
@@ -6969,7 +6969,7 @@ Value: 0 Dword - <VulnDiscussion>Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and uncontrolled updates to the system. + <VulnDiscussion>Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and uncontrolled updates to the system. This setting prevents the MSDT from communicating with and sending collected data to Microsoft, the default support provider.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> Present 
@@ -6991,7 +6991,7 @@ Value: 0 Dword - <VulnDiscussion>Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and uncontrolled updates to the system. + <VulnDiscussion>Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and uncontrolled updates to the system. This setting prevents users from searching troubleshooting content on Microsoft servers. Only local content will be available.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> Present 
@@ -7013,7 +7013,7 @@ Value: 0 Dword - <VulnDiscussion>Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and uncontrolled updates to the system. + <VulnDiscussion>Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and uncontrolled updates to the system. This setting prevents responsiveness events from being aggregated and sent to Microsoft.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> Present 
@@ -7035,7 +7035,7 @@ Value: 0 Dword - <VulnDiscussion>Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and uncontrolled updates to the system. + <VulnDiscussion>Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and uncontrolled updates to the system. This setting will prevent the Program Inventory from collecting data about a system and sending the information to Microsoft.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> Present @@ -7129,7 +7129,7 @@ Value: 1 If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Control\Lsa\ Value Name: RestrictAnonymousSAM @@ -7150,7 +7150,7 @@ Value: 1 '{0}' -match '^(DoD Notice and Consent Banner|US Department of Defense Warning Statement)$' If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: LegalNoticeCaption 
@@ -7158,7 +7158,7 @@ Value Name: LegalNoticeCaption Value Type: REG_SZ Value: See message title options below -"DoD Notice and Consent Banner", "US Department of Defense Warning Statement", or a site-defined equivalent. +"DoD Notice and Consent Banner", "US Department of Defense Warning Statement", or a site-defined equivalent. If a site-defined title is used, it can in no case contravene or modify the language of the banner text required in V-1089. @@ -7344,7 +7344,7 @@ Value: 0x00008000 (32768) (or greater) Dword - <VulnDiscussion>Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and uncontrolled updates to the system. + <VulnDiscussion>Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and uncontrolled updates to the system. This setting will prevent Windows from sending an error report to Microsoft when a device driver requests additional software during installation.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> Present 
@@ -7405,8 +7405,8 @@ Type: REG_SZ Value: 1 Applications requiring continuous, real-time screen display (e.g., network management products) require the following and must be documented with the ISSO: - --The logon session does not have administrator rights. + +-The logon session does not have administrator rights. -The display station (e.g., keyboard, monitor, etc.) is located in a controlled access area. 1 ScreenSaveActive @@ -7947,7 +7947,7 @@ Value: 1 '{0}' -le '900' -and '{0}' -gt '0' If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: InactivityTimeoutSecs @@ -8008,7 +8008,7 @@ Value: 1 HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services False - If the following registry value does not exist or is not configured as specified, this is a finding: + If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Policies\Microsoft\Windows NT\Terminal Services\ @@ -8033,7 +8033,7 @@ Value: 1 Verify the registry value below. If it does not exist or is not configured as specified, this is a finding. -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows\Personalization\ Value Name: NoLockScreenSlideshow @@ -8058,7 +8058,7 @@ Enabling "Include command line data for process creation events" will record the Verify the registry value below. If it does not exist or is not configured as specified, this is a finding. -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit\ Value Name: ProcessCreationIncludeCmdLine_Enabled 
@@ -8081,7 +8081,7 @@ Value: 0x00000001 (1) Verify the registry value below. If it does not exist or is not configured as specified, this is a finding. -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows\System\ Value Name: DontDisplayNetworkSelectionUI @@ -8104,7 +8104,7 @@ Value: 1 Verify the registry value below. If it does not exist or is not configured as specified, this is a finding. -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System Value Name: MSAOptional @@ -8127,7 +8127,7 @@ Value: 1 Verify the registry value below. If it does not exist or is not configured as specified, this is a finding. -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: DisableAutomaticRestartSignOn @@ -8229,7 +8229,7 @@ PowerShell 5.x supports script block logging. PowerShell 4.0 with the addition o If the following registry value does not exist or is not configured as specified, this is a finding. -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\ Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging\ Value Name: EnableScriptBlockLogging @@ -8237,7 +8237,7 @@ Value Name: EnableScriptBlockLogging Value Type: REG_DWORD Value: 0x00000001 (1) -PowerShell 4.0 requires the installation of patch KB3000850 on Windows 2012 R2 or KB3119938 on Windows 2012. +PowerShell 4.0 requires the installation of patch KB3000850 on Windows 2012 R2 or KB3119938 on Windows 2012. If the patch is not installed on systems with PowerShell 4.0, this is a finding. 
@@ -8350,7 +8350,7 @@ If there is no anti-virus solution installed on the system, this is a finding. Run "services.msc" to display the Services console. -Verify the Startup Type for the following Windows services: +Verify the Startup Type for the following Windows services: - Active Directory Domain Services - DFS Replication - DNS Client @@ -8358,7 +8358,7 @@ Verify the Startup Type for the following Windows services: - Group Policy Client - Intersite Messaging - Kerberos Key Distribution Center -- NetLogon +- NetLogon - Windows Time (not required if another time synchronization tool is implemented to start automatically) If the Startup Type for any of these services is not Automatic, this is a finding. @@ -8375,7 +8375,7 @@ If the Startup Type for any of these services is not Automatic, this is a findin Run "services.msc" to display the Services console. -Verify the Startup Type for the following Windows services: +Verify the Startup Type for the following Windows services: - Active Directory Domain Services - DFS Replication - DNS Client @@ -8383,7 +8383,7 @@ Verify the Startup Type for the following Windows services: - Group Policy Client - Intersite Messaging - Kerberos Key Distribution Center -- NetLogon +- NetLogon - Windows Time (not required if another time synchronization tool is implemented to start automatically) If the Startup Type for any of these services is not Automatic, this is a finding. @@ -8400,7 +8400,7 @@ If the Startup Type for any of these services is not Automatic, this is a findin Run "services.msc" to display the Services console. -Verify the Startup Type for the following Windows services: +Verify the Startup Type for the following Windows services: - Active Directory Domain Services - DFS Replication - DNS Client 
@@ -8408,7 +8408,7 @@ Verify the Startup Type for the following Windows services: - Group Policy Client - Intersite Messaging - Kerberos Key Distribution Center -- NetLogon +- NetLogon - Windows Time (not required if another time synchronization tool is implemented to start automatically) If the Startup Type for any of these services is not Automatic, this is a finding. @@ -8425,7 +8425,7 @@ If the Startup Type for any of these services is not Automatic, this is a findin Run "services.msc" to display the Services console. -Verify the Startup Type for the following Windows services: +Verify the Startup Type for the following Windows services: - Active Directory Domain Services - DFS Replication - DNS Client @@ -8433,7 +8433,7 @@ Verify the Startup Type for the following Windows services: - Group Policy Client - Intersite Messaging - Kerberos Key Distribution Center -- NetLogon +- NetLogon - Windows Time (not required if another time synchronization tool is implemented to start automatically) If the Startup Type for any of these services is not Automatic, this is a finding. @@ -8450,7 +8450,7 @@ If the Startup Type for any of these services is not Automatic, this is a findin Run "services.msc" to display the Services console. -Verify the Startup Type for the following Windows services: +Verify the Startup Type for the following Windows services: - Active Directory Domain Services - DFS Replication - DNS Client @@ -8458,7 +8458,7 @@ Verify the Startup Type for the following Windows services: - Group Policy Client - Intersite Messaging - Kerberos Key Distribution Center -- NetLogon +- NetLogon - Windows Time (not required if another time synchronization tool is implemented to start automatically) If the Startup Type for any of these services is not Automatic, this is a finding. 
@@ -8475,7 +8475,7 @@ If the Startup Type for any of these services is not Automatic, this is a findin Run "services.msc" to display the Services console. -Verify the Startup Type for the following Windows services: +Verify the Startup Type for the following Windows services: - Active Directory Domain Services - DFS Replication - DNS Client @@ -8483,7 +8483,7 @@ Verify the Startup Type for the following Windows services: - Group Policy Client - Intersite Messaging - Kerberos Key Distribution Center -- NetLogon +- NetLogon - Windows Time (not required if another time synchronization tool is implemented to start automatically) If the Startup Type for any of these services is not Automatic, this is a finding. @@ -8500,7 +8500,7 @@ If the Startup Type for any of these services is not Automatic, this is a findin Run "services.msc" to display the Services console. -Verify the Startup Type for the following Windows services: +Verify the Startup Type for the following Windows services: - Active Directory Domain Services - DFS Replication - DNS Client @@ -8508,7 +8508,7 @@ Verify the Startup Type for the following Windows services: - Group Policy Client - Intersite Messaging - Kerberos Key Distribution Center -- NetLogon +- NetLogon - Windows Time (not required if another time synchronization tool is implemented to start automatically) If the Startup Type for any of these services is not Automatic, this is a finding. @@ -8525,7 +8525,7 @@ If the Startup Type for any of these services is not Automatic, this is a findin Run "services.msc" to display the Services console. -Verify the Startup Type for the following Windows services: +Verify the Startup Type for the following Windows services: - Active Directory Domain Services - DFS Replication - DNS Client 
@@ -8533,7 +8533,7 @@ Verify the Startup Type for the following Windows services: - Group Policy Client - Intersite Messaging - Kerberos Key Distribution Center -- NetLogon +- NetLogon - Windows Time (not required if another time synchronization tool is implemented to start automatically) If the Startup Type for any of these services is not Automatic, this is a finding. @@ -8550,7 +8550,7 @@ If the Startup Type for any of these services is not Automatic, this is a findin Run "services.msc" to display the Services console. -Verify the Startup Type for the following Windows services: +Verify the Startup Type for the following Windows services: - Active Directory Domain Services - DFS Replication - DNS Client @@ -8558,7 +8558,7 @@ Verify the Startup Type for the following Windows services: - Group Policy Client - Intersite Messaging - Kerberos Key Distribution Center -- NetLogon +- NetLogon - Windows Time (not required if another time synchronization tool is implemented to start automatically) If the Startup Type for any of these services is not Automatic, this is a finding. @@ -8627,7 +8627,7 @@ If the "Microsoft FTP Service" (Service name: FTPSVC) is installed and not disab False False - Verify the Peer Network Identity Manager (p2pimsvc) service is not installed or is disabled. + Verify the Peer Network Identity Manager (p2pimsvc) service is not installed or is disabled. Run "Services.msc". @@ -8645,7 +8645,7 @@ Peer Networking Identity Manager (p2pimsvc) False False - Verify the Simple TCP/IP (simptcp) service is not installed or is disabled. + Verify the Simple TCP/IP (simptcp) service is not installed or is disabled. Run "Services.msc". @@ -8663,7 +8663,7 @@ Simple TCP/IP Services (simptcp) False False - Verify the Telnet (tlntsvr) service is not installed or is disabled. + Verify the Telnet (tlntsvr) service is not installed or is disabled. Run "Services.msc". 
@@ -8695,7 +8695,7 @@ Telnet (tlntsvr) False False - Verify the Smart Card Removal Policy service is configured to "Automatic". + Verify the Smart Card Removal Policy service is configured to "Automatic". Run "Services.msc". @@ -8754,7 +8754,7 @@ The application account must meet requirements for application account passwords SeDenyNetworkLogonRight <VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. -The "Deny access to this computer from the network" user right defines the accounts that are prevented from logging on from the network. +The "Deny access to this computer from the network" user right defines the accounts that are prevented from logging on from the network. The Guests group must be assigned this right to prevent unauthenticated access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> Deny access to this computer from the network 
@@ -9061,7 +9061,7 @@ Systems that have the Hyper-V role will also have "Virtual Machines" given this SeDenyBatchLogonRight <VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. -The "Deny log on as a batch job" user right defines accounts that are prevented from logging on to the system as a batch job, such as Task Scheduler. +The "Deny log on as a batch job" user right defines accounts that are prevented from logging on to the system as a batch job, such as Task Scheduler. The Guests group must be assigned to prevent unauthenticated access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> Deny log on as a batch job @@ -9084,7 +9084,7 @@ Guests Group SeDenyServiceLogonRight <VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. -The "Deny log on as a service" user right defines accounts that are denied log on as a service. +The "Deny log on as a service" user right defines accounts that are denied log on as a service. Incorrect configurations could prevent services from starting and result in a DoS.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> Deny log on as a service 
@@ -9105,7 +9105,7 @@ If any accounts or groups are defined for the "Deny log on as a service" user ri SeDenyInteractiveLogonRight <VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. -The "Deny log on locally" user right defines accounts that are prevented from logging on interactively. +The "Deny log on locally" user right defines accounts that are prevented from logging on interactively. The Guests group must be assigned this right to prevent unauthenticated access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> Deny log on locally diff --git a/source/StigData/Processed/WindowsServer-2012R2-DC-2.21.xml b/source/StigData/Processed/WindowsServer-2012R2-DC-2.21.xml index 81a23216c..a68036344 100644 --- a/source/StigData/Processed/WindowsServer-2012R2-DC-2.21.xml +++ b/source/StigData/Processed/WindowsServer-2012R2-DC-2.21.xml @@ -1039,7 +1039,7 @@ Windows 2012 - any release candidates or versions prior to the initial release.< False FileSystem - SELECT * FROM Win32_Volume WHERE DriveType = '3' + SELECT * FROM Win32_Volume WHERE DriveType = '3' AND SystemVolume != 'True' Open "Computer Management". Select "Disk Management" under "Storage". @@ -3531,7 +3531,7 @@ Viewing in File Explorer: For each folder, view the Properties. Select the "Security" tab, and the "Advanced" button. Default Permissions: -\Program Files +\Program Files Type - "Allow" for all Inherited from - "None" for all Principal - Access - Applies to diff --git a/source/StigData/Processed/WindowsServer-2012R2-MS-2.17.xml b/source/StigData/Processed/WindowsServer-2012R2-MS-2.17.xml index e633f899f..0c7b0951d 100644 
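Review bot: The new WQL filter `AND SystemVolume != 'True'` in the WindowsServer-2012R2-DC-2.21 hunk excludes whichever volume Windows reports as the system volume (the one holding the boot-loader files), and on an install with no separate system partition that is the OS volume itself, so the NTFS|ReFS check would then silently skip the one volume the rule most cares about; the same filter appears in the WindowsServer-2012R2-MS-2.17, WindowsServer-2012R2-MS-2.19 and WindowsServer-2016-DC-1.10 hunks below. The changelog frames the fix as a FAT32 system partition (on UEFI hosts the EFI system partition is FAT32 by design), which would be matched more precisely by keeping the OS volume in scope, e.g. `SELECT * FROM Win32_Volume WHERE DriveType = '3' AND (SystemVolume != 'True' OR BootVolume = 'True')` — offered hedged, since how the consuming module evaluates this WQL is not visible here and should be checked against the unit test. Because these processed files carry no comment syntax, the reason the system volume is excluded is best recorded in the convert module that emits this query, so a later reader does not widen or tighten the filter without knowing the FAT32 case it covers.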
--- a/source/StigData/Processed/WindowsServer-2012R2-MS-2.17.xml +++ b/source/StigData/Processed/WindowsServer-2012R2-MS-2.17.xml @@ -844,7 +844,7 @@ Windows 2012 - any release candidates or versions prior to the initial release.< False FileSystem - SELECT * FROM Win32_Volume WHERE DriveType = '3' + SELECT * FROM Win32_Volume WHERE DriveType = '3' AND SystemVolume != 'True' Open "Computer Management". Select "Disk Management" under "Storage". @@ -2535,7 +2535,7 @@ Viewing in File Explorer: For each folder, view the Properties. Select the "Security" tab, and the "Advanced" button. Default Permissions: -\Program Files +\Program Files Type - "Allow" for all Inherited from - "None" for all Principal - Access - Applies to diff --git a/source/StigData/Processed/WindowsServer-2012R2-MS-2.19.xml b/source/StigData/Processed/WindowsServer-2012R2-MS-2.19.xml index cd2c6ca29..6ce87800c 100644 --- a/source/StigData/Processed/WindowsServer-2012R2-MS-2.19.xml +++ b/source/StigData/Processed/WindowsServer-2012R2-MS-2.19.xml @@ -844,7 +844,7 @@ Windows 2012 - any release candidates or versions prior to the initial release.< False FileSystem - SELECT * FROM Win32_Volume WHERE DriveType = '3' + SELECT * FROM Win32_Volume WHERE DriveType = '3' AND SystemVolume != 'True' Open "Computer Management". Select "Disk Management" under "Storage". @@ -2537,7 +2537,7 @@ Viewing in File Explorer: For each folder, view the Properties. Select the "Security" tab, and the "Advanced" button. Default Permissions: -\Program Files +\Program Files Type - "Allow" for all Inherited from - "None" for all Principal - Access - Applies to diff --git a/source/StigData/Processed/WindowsServer-2016-DC-1.10.xml b/source/StigData/Processed/WindowsServer-2016-DC-1.10.xml index 33bdb852e..88e12d17d 100644 --- a/source/StigData/Processed/WindowsServer-2016-DC-1.10.xml +++ b/source/StigData/Processed/WindowsServer-2016-DC-1.10.xml 
@@ -16,7 +16,7 @@ Verify the following is configured in the Default Domain Policy. Open "Group Policy Management". -Navigate to "Group Policy Objects" in the Domain being reviewed (Forest >> Domains >> Domain). +Navigate to "Group Policy Objects" in the Domain being reviewed (Forest >> Domains >> Domain). Right-click on the "Default Domain Policy". @@ -42,7 +42,7 @@ Verify the following is configured in the Default Domain Policy. Open "Group Policy Management". -Navigate to "Group Policy Objects" in the Domain being reviewed (Forest >> Domains >> Domain). +Navigate to "Group Policy Objects" in the Domain being reviewed (Forest >> Domains >> Domain). Right-click on the "Default Domain Policy". @@ -95,7 +95,7 @@ Verify the following is configured in the Default Domain Policy. Open "Group Policy Management". Navigate to "Group Policy Objects" in the Domain being reviewed (Forest >> Domains >> Domain). - + Right-click on the "Default Domain Policy". Select "Edit". @@ -121,7 +121,7 @@ Verify the following is configured in the Default Domain Policy. Open "Group Policy Management". Navigate to "Group Policy Objects" in the Domain being reviewed (Forest >> Domains >> Domain). - + Right-click on the "Default Domain Policy". Select "Edit". @@ -310,7 +310,7 @@ Credential Validation records events related to validation tests on credentials False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: 
@@ -335,7 +335,7 @@ Credential Validation records events related to validation tests on credentials False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: @@ -364,7 +364,7 @@ Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPO This applies to domain controllers. It is NA for other systems. -Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. +Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: 
@@ -391,7 +391,7 @@ Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000064-GPOS-00033, SRG-OS-000462-GPO False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: @@ -418,7 +418,7 @@ Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPO False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: @@ -445,7 +445,7 @@ Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPO False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: 
@@ -472,7 +472,7 @@ Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPO False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: @@ -497,7 +497,7 @@ Plug and Play activity records events related to the successful connection of ex False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: @@ -524,7 +524,7 @@ Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000471-GPOS-00215</VulnDiscussion False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: 
@@ -553,7 +553,7 @@ Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000458-GPOS-00203, SRG-OS-000463-GPO This applies to domain controllers. It is NA for other systems. -Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. +Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: @@ -561,7 +561,7 @@ Open an elevated "Command Prompt" (run as administrator). Enter "AuditPol /get /category:*". -Compare the AuditPol settings with the following. +Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. @@ -582,7 +582,7 @@ Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000458-GPOS-00203, SRG-OS-000463-GPO This applies to domain controllers. It is NA for other systems. -Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. +Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: @@ -590,7 +590,7 @@ Open an elevated "Command Prompt" (run as administrator). Enter "AuditPol /get /category:*". -Compare the AuditPol settings with the following. +Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. 
@@ -611,7 +611,7 @@ Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000458-GPOS-00203, SRG-OS-000463-GPO This applies to domain controllers. It is NA for other systems. -Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. +Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: @@ -619,7 +619,7 @@ Open an elevated "Command Prompt" (run as administrator). Enter "AuditPol /get /category:*". -Compare the AuditPol settings with the following. +Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. @@ -640,7 +640,7 @@ Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000458-GPOS-00203, SRG-OS-000463-GPO This applies to domain controllers. It is NA for other systems. -Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. +Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: @@ -648,7 +648,7 @@ Open an elevated "Command Prompt" (run as administrator). Enter "AuditPol /get /category:*". -Compare the AuditPol settings with the following. +Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. 
@@ -667,7 +667,7 @@ Satisfies: SRG-OS-000240-GPOS-00090, SRG-OS-000470-GPOS-00214</VulnDiscussion False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: @@ -675,7 +675,7 @@ Open an elevated "Command Prompt" (run as administrator). Enter "AuditPol /get /category:*" -Compare the AuditPol settings with the following. +Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. @@ -694,7 +694,7 @@ Satisfies: SRG-OS-000240-GPOS-00090, SRG-OS-000470-GPOS-00214</VulnDiscussion False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: 
@@ -717,7 +717,7 @@ Audit Group Membership records information related to the group membership of a False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: @@ -725,7 +725,7 @@ Open an elevated "Command Prompt" (run as administrator). Enter "AuditPol /get /category:*" -Compare the AuditPol settings with the following. +Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. @@ -744,7 +744,7 @@ Satisfies: SRG-OS-000032-GPOS-00013, SRG-OS-000470-GPOS-00214, SRG-OS-000472-GPO False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: 
@@ -771,7 +771,7 @@ Satisfies: SRG-OS-000032-GPOS-00013, SRG-OS-000470-GPOS-00214, SRG-OS-000472-GPO False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: @@ -798,7 +798,7 @@ Satisfies: SRG-OS-000032-GPOS-00013, SRG-OS-000470-GPOS-00214, SRG-OS-000472-GPO False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: @@ -825,7 +825,7 @@ Satisfies: SRG-OS-000470-GPOS-00214, SRG-OS-000472-GPOS-00217, SRG-OS-000473-GPO False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: 
@@ -850,7 +850,7 @@ Removable Storage auditing under Object Access records events related to access False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: @@ -877,7 +877,7 @@ Removable Storage auditing under Object Access records events related to access False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: @@ -906,7 +906,7 @@ Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000458-GPOS-00203, SRG-OS-000463-GPO False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: 
@@ -933,7 +933,7 @@ Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000458-GPOS-00203, SRG-OS-000463-GPO False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: @@ -960,7 +960,7 @@ Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000064-GPOS-00033, SRG-OS-000462-GPO False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: @@ -987,7 +987,7 @@ Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000064-GPOS-00033, SRG-OS-000462-GPO False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: 
@@ -1014,7 +1014,7 @@ Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000064-GPOS-00033, SRG-OS-000462-GPO False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: @@ -1041,7 +1041,7 @@ Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000064-GPOS-00033, SRG-OS-000462-GPO False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: @@ -1068,7 +1068,7 @@ Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000458-GPOS-00203, SRG-OS-000463-GPO False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: 
@@ -1095,7 +1095,7 @@ Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000458-GPOS-00203, SRG-OS-000463-GPO False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: @@ -1122,7 +1122,7 @@ Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000458-GPOS-00203, SRG-OS-000463-GPO False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: @@ -1149,7 +1149,7 @@ Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000458-GPOS-00203, SRG-OS-000463-GPO False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: 
@@ -1157,7 +1157,7 @@ Open an elevated "Command Prompt" (run as administrator). Enter "AuditPol /get /category:*". -Compare the AuditPol settings with the following. +Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. @@ -1176,7 +1176,7 @@ Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000458-GPOS-00203, SRG-OS-000463-GPO False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: @@ -1203,7 +1203,7 @@ Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000458-GPOS-00203, SRG-OS-000463-GPO False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: 
@@ -1230,7 +1230,7 @@ Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000471-GPOS-00215, SRG-OS-000471-GPO False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: @@ -1257,7 +1257,7 @@ Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000471-GPOS-00215, SRG-OS-000471-GPO False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: @@ -1351,7 +1351,7 @@ Preview versions must not be used in a production environment. False FileSystem - SELECT * FROM Win32_Volume WHERE DriveType = '3' + SELECT * FROM Win32_Volume WHERE DriveType = '3' AND SystemVolume != 'True' Open "Computer Management". Select "Disk Management" under "Storage". 
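Review bot: The new Query in the hunk at @@ -1351 (`SELECT * FROM Win32_Volume WHERE DriveType = '3' AND SystemVolume != 'True'`) drops the volume holding the boot files from the NTFS/ReFS check, which on a host with no separate system or EFI partition is the OS volume itself, so that host's OS drive is no longer evaluated for this rule. If the intent is only to skip a FAT32 EFI/System Reserved partition, a narrower filter such as `SELECT * FROM Win32_Volume WHERE DriveType = '3' AND (BootVolume = True OR SystemVolume != 'True')` keeps the OS volume in scope; I have not verified how this WMI provider coerces the string `'True'` against the boolean property, so the `BootVolume = True` form should be confirmed against the same test fixtures. The same query string presumably lives wherever the converter emits it and in the other processed STIG files in this commit, so any change here must be mirrored there to keep the processed XML consistent with regeneration. A short note in the CHANGELOG entry or the rule's OrganizationValueTestString saying which volumes are intentionally excluded would make the coverage gap explicit for reviewers.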
@@ -1382,9 +1382,9 @@ If unapproved shared accounts exist, this is a finding. False False - Determine whether there is a HIDS or HIPS on each server. + Determine whether there is a HIDS or HIPS on each server. -If the HIPS component of HBSS is installed and active on the host and the alerts of blocked activity are being logged and monitored, this meets the requirement. +If the HIPS component of HBSS is installed and active on the host and the alerts of blocked activity are being logged and monitored, this meets the requirement. A HIDS device is not required on a system that has the role as the Network Intrusion Device (NID). However, this exception needs to be documented with the ISSO. @@ -1402,11 +1402,11 @@ If there are no printers configured, this is NA. (Exclude Microsoft Print to PDF For each printer: -Right-click on the printer. +Right-click on the printer. -Select "Printer Properties". +Select "Printer Properties". -Select the "Sharing" tab. +Select the "Sharing" tab. If "Share this printer" is checked, select the "Security" tab. @@ -1443,7 +1443,7 @@ Copy or enter the lines below to the PowerShell window and enter. (Entering twic if ($lastLogin -eq $null) { $lastLogin = 'Never' } - Write-Host $user.Name $lastLogin $enabled + Write-Host $user.Name $lastLogin $enabled }" This will return a list of local accounts with the account name, last logon, and if the account is enabled (True/False). @@ -1529,7 +1529,7 @@ If any standard user accounts or groups have "Allow" permissions greater than "R Other access permissions that allow the objects to be updated are considered findings unless specifically documented by the ISSO. -The default permissions noted below satisfy this requirement. +The default permissions noted below satisfy this requirement. The permissions shown are at the summary level. More detailed permissions can be viewed by selecting the next "Advanced" button, the desired Permission entry, and the "Edit" button. 
@@ -1639,7 +1639,7 @@ Execute the following command: Get-ChildItem -Path Cert:Localmachine\root | Where Subject -Like "*DoD*" | FL Subject, Thumbprint, NotAfter -If the following certificate "Subject" and "Thumbprint" information is not displayed, this is finding. +If the following certificate "Subject" and "Thumbprint" information is not displayed, this is finding. If an expired certificate ("NotAfter" date) is not listed in the results, this is not a finding. @@ -1741,14 +1741,14 @@ If the mappings are to certificates issued by a CA authorized by the Component's False False - Verify each user with administrative privileges has been assigned a unique administrative account separate from their standard user account. + Verify each user with administrative privileges has been assigned a unique administrative account separate from their standard user account. If users with administrative privileges do not have separate accounts for administrative functions and standard user functions, this is a finding. <VulnDiscussion>An account that does not have Administrator duties must not have Administrator rights. Such rights would allow the account to bypass or modify required security restrictions on that machine and make it vulnerable to attack. -System administrators must log on to systems using only accounts with the minimum level of authority necessary. +System administrators must log on to systems using only accounts with the minimum level of authority necessary. Standard user accounts must not be members of the built-in Administrators group.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> 
@@ -2287,7 +2287,7 @@ If detailed permissions include any Create, Delete, Modify, or Write Permissions ENTERPRISE DOMAIN CONTROLLERS - Read, Special permissions - <VulnDiscussion>When directory service data files, especially for directories used for identification, authentication, or authorization, reside on the same logical partition as user-owned files, the directory service data may be more vulnerable to unauthorized access or other availability compromises. Directory service and user-owned data files sharing a partition may be configured with less restrictive permissions in order to allow access to the user data. + <VulnDiscussion>When directory service data files, especially for directories used for identification, authentication, or authorization, reside on the same logical partition as user-owned files, the directory service data may be more vulnerable to unauthorized access or other availability compromises. Directory service and user-owned data files sharing a partition may be configured with less restrictive permissions in order to allow access to the user data. The directory service may be vulnerable to a denial of service attack when user-owned files on a common partition are expanded to an extent preventing the directory service from acquiring more space for directory or audit data.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> 
@@ -2313,7 +2313,7 @@ Ignore system shares (e.g., NETLOGON, SYSVOL, and administrative shares ending i If user shares are located on the same logical partition as the directory server data files, this is a finding. - <VulnDiscussion>Executing application servers on the same host machine with a directory server may substantially weaken the security of the directory server. Web or database server applications usually require the addition of many programs and accounts, increasing the attack surface of the computer. + <VulnDiscussion>Executing application servers on the same host machine with a directory server may substantially weaken the security of the directory server. Web or database server applications usually require the addition of many programs and accounts, increasing the attack surface of the computer. Some applications require the addition of privileged accounts, providing potential sources of compromise. Some applications (such as Microsoft Exchange) may require the use of network ports or services conflicting with the directory server. In this case, non-standard ports might be selected, and this could interfere with intrusion detection or prevention services.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> 
@@ -2336,7 +2336,7 @@ Determine if any additional server roles are installed. A basic domain controlle - DNS Server - File and Storage Services -If any roles not requiring installation on a domain controller are installed, this is a finding. +If any roles not requiring installation on a domain controller are installed, this is a finding. A Domain Name System (DNS) server integrated with the directory server (e.g., AD-integrated DNS) is an acceptable application. However, the DNS server must comply with the DNS STIG security requirements. @@ -2381,7 +2381,7 @@ If attribute data is displayed, anonymous access is enabled to the domain naming The following network controls allow the finding severity to be downgraded to a CAT II since these measures lower the risk associated with anonymous access. -Network hardware ports at the site are subject to 802.1x authentication or MAC address restrictions. +Network hardware ports at the site are subject to 802.1x authentication or MAC address restrictions. Premise firewall or host restrictions prevent access to ports 389, 636, 3268, and 3269 from client hosts not explicitly identified by domain (.mil) or IP address. @@ -2406,7 +2406,7 @@ At the "server connections:" prompt, enter "connect to server [host-name]" At the "server connections:" prompt, enter "q". -At the "ldap policy:" prompt, enter "show values". +At the "ldap policy:" prompt, enter "show values". If the value for MaxConnIdleTime is greater than "300" (5 minutes) or is not specified, this is a finding. 
@@ -2417,14 +2417,14 @@ Alternately, Dsquery can be used to display MaxConnIdleTime: Open "Command Prompt (Admin)". Enter the following command (on a single line). -dsquery * "cn=Default Query Policy,cn=Query-Policies,cn=Directory Service, cn=Windows NT,cn=Services,cn=Configuration,dc=[forest-name]" -attr LDAPAdminLimits +dsquery * "cn=Default Query Policy,cn=Query-Policies,cn=Directory Service, cn=Windows NT,cn=Services,cn=Configuration,dc=[forest-name]" -attr LDAPAdminLimits The quotes are required and dc=[forest-name] is the fully qualified LDAP name of the domain being reviewed (e.g., dc=disaost,dc=mil). If the results do not specify a "MaxConnIdleTime" or it has a value greater than "300" (5 minutes), this is a finding. - <VulnDiscussion>When inappropriate audit settings are configured for directory service database objects, it may be possible for a user or process to update the data without generating any tracking data. The impact of missing audit data is related to the type of object. A failure to capture audit data for objects used by identification, authentication, or authorization functions could degrade or eliminate the ability to track changes to access policy for systems or data. + <VulnDiscussion>When inappropriate audit settings are configured for directory service database objects, it may be possible for a user or process to update the data without generating any tracking data. The impact of missing audit data is related to the type of object. A failure to capture audit data for objects used by identification, authentication, or authorization functions could degrade or eliminate the ability to track changes to access policy for systems or data. For Active Directory (AD), there are a number of critical object types in the domain naming context of the AD database for which auditing is essential. This includes Group Policy objects. 
Because changes to these objects can significantly impact access controls or the availability of systems, the absence of auditing data makes it impossible to identify the source of changes that impact the confidentiality, integrity, and availability of data and systems throughout an AD domain. The lack of proper auditing can result in insufficient forensic evidence needed to investigate an incident and prosecute the intruder. 
@@ -2475,7 +2475,7 @@ Inherited from - Parent Object Applies to - Descendant Organization Unit Objects - <VulnDiscussion>When inappropriate audit settings are configured for directory service database objects, it may be possible for a user or process to update the data without generating any tracking data. The impact of missing audit data is related to the type of object. A failure to capture audit data for objects used by identification, authentication, or authorization functions could degrade or eliminate the ability to track changes to access policy for systems or data. + <VulnDiscussion>When inappropriate audit settings are configured for directory service database objects, it may be possible for a user or process to update the data without generating any tracking data. The impact of missing audit data is related to the type of object. A failure to capture audit data for objects used by identification, authentication, or authorization functions could degrade or eliminate the ability to track changes to access policy for systems or data. For Active Directory (AD), there are a number of critical object types in the domain naming context of the AD database for which auditing is essential. This includes the Domain object. Because changes to these objects can significantly impact access controls or the availability of systems, the absence of auditing data makes it impossible to identify the source of changes that impact the confidentiality, integrity, and availability of data and systems throughout an AD domain. The lack of proper auditing can result in insufficient forensic evidence needed to investigate an incident and prosecute the intruder. 
@@ -2538,7 +2538,7 @@ Applies to - This object only (Access - Special = Permissions: Write all properties, Modify permissions, Modify owner) - <VulnDiscussion>When inappropriate audit settings are configured for directory service database objects, it may be possible for a user or process to update the data without generating any tracking data. The impact of missing audit data is related to the type of object. A failure to capture audit data for objects used by identification, authentication, or authorization functions could degrade or eliminate the ability to track changes to access policy for systems or data. + <VulnDiscussion>When inappropriate audit settings are configured for directory service database objects, it may be possible for a user or process to update the data without generating any tracking data. The impact of missing audit data is related to the type of object. A failure to capture audit data for objects used by identification, authentication, or authorization functions could degrade or eliminate the ability to track changes to access policy for systems or data. For Active Directory (AD), there are a number of critical object types in the domain naming context of the AD database for which auditing is essential. This includes the Infrastructure object. Because changes to these objects can significantly impact access controls or the availability of systems, the absence of auditing data makes it impossible to identify the source of changes that impact the confidentiality, integrity, and availability of data and systems throughout an AD domain. The lack of proper auditing can result in insufficient forensic evidence needed to investigate an incident and prosecute the intruder. 
@@ -2585,7 +2585,7 @@ Access - (blank) Inherited from - (CN of domain) - <VulnDiscussion>When inappropriate audit settings are configured for directory service database objects, it may be possible for a user or process to update the data without generating any tracking data. The impact of missing audit data is related to the type of object. A failure to capture audit data for objects used by identification, authentication, or authorization functions could degrade or eliminate the ability to track changes to access policy for systems or data. + <VulnDiscussion>When inappropriate audit settings are configured for directory service database objects, it may be possible for a user or process to update the data without generating any tracking data. The impact of missing audit data is related to the type of object. A failure to capture audit data for objects used by identification, authentication, or authorization functions could degrade or eliminate the ability to track changes to access policy for systems or data. For Active Directory (AD), there are a number of critical object types in the domain naming context of the AD database for which auditing is essential. This includes the Domain Controller OU object. Because changes to these objects can significantly impact access controls or the availability of systems, the absence of auditing data makes it impossible to identify the source of changes that impact the confidentiality, integrity, and availability of data and systems throughout an AD domain. The lack of proper auditing can result in insufficient forensic evidence needed to investigate an incident and prosecute the intruder. 
@@ -2642,7 +2642,7 @@ Inherited from - (CN of domain) Applies to - Descendant Organizational Unit objects - <VulnDiscussion>When inappropriate audit settings are configured for directory service database objects, it may be possible for a user or process to update the data without generating any tracking data. The impact of missing audit data is related to the type of object. A failure to capture audit data for objects used by identification, authentication, or authorization functions could degrade or eliminate the ability to track changes to access policy for systems or data. + <VulnDiscussion>When inappropriate audit settings are configured for directory service database objects, it may be possible for a user or process to update the data without generating any tracking data. The impact of missing audit data is related to the type of object. A failure to capture audit data for objects used by identification, authentication, or authorization functions could degrade or eliminate the ability to track changes to access policy for systems or data. For Active Directory (AD), there are a number of critical object types in the domain naming context of the AD database for which auditing is essential. This includes the AdminSDHolder object. Because changes to these objects can significantly impact access controls or the availability of systems, the absence of auditing data makes it impossible to identify the source of changes that impact the confidentiality, integrity, and availability of data and systems throughout an AD domain. The lack of proper auditing can result in insufficient forensic evidence needed to investigate an incident and prosecute the intruder. 
@@ -2693,7 +2693,7 @@ Inherited from - (CN of domain) Applies to - Descendant Organizational Unit objects - <VulnDiscussion>When inappropriate audit settings are configured for directory service database objects, it may be possible for a user or process to update the data without generating any tracking data. The impact of missing audit data is related to the type of object. A failure to capture audit data for objects used by identification, authentication, or authorization functions could degrade or eliminate the ability to track changes to access policy for systems or data. + <VulnDiscussion>When inappropriate audit settings are configured for directory service database objects, it may be possible for a user or process to update the data without generating any tracking data. The impact of missing audit data is related to the type of object. A failure to capture audit data for objects used by identification, authentication, or authorization functions could degrade or eliminate the ability to track changes to access policy for systems or data. For Active Directory (AD), there are a number of critical object types in the domain naming context of the AD database for which auditing is essential. This includes the RID Manager$ object. Because changes to these objects can significantly impact access controls or the availability of systems, the absence of auditing data makes it impossible to identify the source of changes that impact the confidentiality, integrity, and availability of data and systems throughout an AD domain. The lack of proper auditing can result in insufficient forensic evidence needed to investigate an incident and prosecute the intruder. 
@@ -2756,7 +2756,7 @@ If it has not, this is a finding. False False - Verify the audit records, at a minimum, are off-loaded for interconnected systems in real time and off-loaded for standalone systems weekly. + Verify the audit records, at a minimum, are off-loaded for interconnected systems in real time and off-loaded for standalone systems weekly. If they are not, this is a finding. @@ -2776,7 +2776,7 @@ Execute the following command: Get-ChildItem -Path Cert:Localmachine\disallowed | Where {$_.Issuer -Like "*DoD Interoperability*" -and $_.Subject -Like "*DoD*"} | FL Subject, Issuer, Thumbprint, NotAfter -If the following certificate "Subject", "Issuer", and "Thumbprint", information is not displayed, this is finding. +If the following certificate "Subject", "Issuer", and "Thumbprint", information is not displayed, this is finding. If an expired certificate ("NotAfter" date) is not listed in the results, this is not a finding. @@ -2844,7 +2844,7 @@ Execute the following command: Get-ChildItem -Path Cert:Localmachine\disallowed | Where Issuer -Like "*CCEB Interoperability*" | FL Subject, Issuer, Thumbprint, NotAfter -If the following certificate "Subject", "Issuer", and "Thumbprint", information is not displayed, this is finding. +If the following certificate "Subject", "Issuer", and "Thumbprint", information is not displayed, this is finding. If an expired certificate ("NotAfter" date) is not listed in the results, this is not a finding. @@ -2946,7 +2946,7 @@ If the "Issued By" field of the PKI certificate being used by the domain control If the certificates in use are issued by a CA authorized by the Component's CIO, this is a CAT II finding. -There are multiple sources from which lists of valid DoD CAs and approved ECAs can be obtained: +There are multiple sources from which lists of valid DoD CAs and approved ECAs can be obtained: The Global Directory Service (GDS) website provides an online source. The address for this site is https://crl.gds.disa.mil. 
@@ -2991,7 +2991,7 @@ If any user accounts, including administrators, do not have "Smart card is requi False False - Some older systems may not have UEFI firmware. This is currently a CAT III; it will be raised in severity at a future date when broad support of Windows hardware and firmware requirements are expected to be met. Devices that have UEFI firmware must have Secure Boot enabled. + Some older systems may not have UEFI firmware. This is currently a CAT III; it will be raised in severity at a future date when broad support of Windows hardware and firmware requirements are expected to be met. Devices that have UEFI firmware must have Secure Boot enabled. Run "System Information". @@ -3376,7 +3376,7 @@ Viewing in File Explorer: For each folder, view the Properties. Select the "Security" tab, and the "Advanced" button. Default permissions: -\Program Files +\Program Files Type - "Allow" for all Inherited from - "None" for all Principal - Access - Applies to @@ -3795,7 +3795,7 @@ Make note of the directory location of the SYSVOL share. By default, this will be \Windows\SYSVOL\sysvol. For this requirement, permissions will be verified at the first SYSVOL directory level. -If any standard user accounts or groups have greater than "Read & execute" permissions, this is a finding. +If any standard user accounts or groups have greater than "Read & execute" permissions, this is a finding. The default permissions noted below meet this requirement. @@ -3816,7 +3816,7 @@ NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F) BUILTIN\Administrators:(M,WDAC,WO) CREATOR OWNER:(OI)(CI)(IO)(F) -(RX) - Read & execute +(RX) - Read & execute Run "icacls /help" to view definitions of other permission codes. 
@@ -4100,11 +4100,11 @@ Value: 0x00000000 (0) HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization False - Verify the registry value below. + Verify the registry value below. If it does not exist or is not configured as specified, this is a finding. -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows\Personalization\ Value Name: NoLockScreenSlideshow @@ -4167,7 +4167,7 @@ Value: 0x00000002 (2) If the following registry value does not exist or is not configured as specified, this is a finding. -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\ Value Name: DisableIPSourceRouting @@ -4188,7 +4188,7 @@ Value: 0x00000002 (2) If the following registry value does not exist or is not configured as specified, this is a finding. -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\ Value Name: EnableICMPRedirect @@ -4287,7 +4287,7 @@ Enabling "Include command line data for process creation events" will record the If the following registry value does not exist or is not configured as specified, this is a finding. -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit\ Value Name: ProcessCreationIncludeCmdLine_Enabled 
@@ -4385,7 +4385,7 @@ Value: 0x00000000 (0) Dword - <VulnDiscussion>Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and will prevent uncontrolled updates to the system. + <VulnDiscussion>Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and will prevent uncontrolled updates to the system. This setting prevents the computer from downloading print driver packages over HTTP.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> @@ -4440,7 +4440,7 @@ Value: 0x00000001 (1) Verify the registry value below. If it does not exist or is not configured as specified, this is a finding. -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows\System\ Value Name: DontDisplayNetworkSelectionUI @@ -5030,7 +5030,7 @@ Value: 0x00000000 (0) (or if the Value Name does not exist) Verify the registry value below. If it does not exist or is not configured as specified, this is a finding. -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: DisableAutomaticRestartSignOn 
@@ -5053,7 +5053,7 @@ Enabling PowerShell script block logging will record detailed information from t If the following registry value does not exist or is not configured as specified, this is a finding. -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\ Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging\ Value Name: EnableScriptBlockLogging @@ -5206,7 +5206,7 @@ Value: 0x00000001 (1) If the following registry value does not exist or is not configured as specified, this is a finding. -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Control\Lsa\ Value Name: LimitBlankPasswordUse 
@@ -5218,7 +5218,7 @@ Value: 0x00000001 (1) Dword - <VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. + <VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. This setting allows administrators to enable more precise auditing capabilities.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> Present @@ -5228,7 +5228,7 @@ This setting allows administrators to enable more precise auditing capabilities. If the following registry value does not exist or is not configured as specified, this is a finding. -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Control\Lsa\ Value Name: SCENoApplyLegacyAuditPolicy 
@@ -5253,7 +5253,7 @@ Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000424-GPOS-00188</VulnDiscussion If the following registry value does not exist or is not configured as specified, this is a finding. -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Services\NTDS\Parameters\ Value Name: LDAPServerIntegrity @@ -5276,7 +5276,7 @@ Value: 0x00000002 (2) If the following registry value does not exist or is not configured as specified, this is a finding. -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\ Value Name: RefusePasswordChange @@ -5299,7 +5299,7 @@ Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000424-GPOS-00188</VulnDiscussion If the following registry value does not exist or is not configured as specified, this is a finding. -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\ Value Name: RequireSignOrSeal @@ -5366,7 +5366,7 @@ Value: 0x00000001 (1) If the following registry value does not exist or is not configured as specified, this is a finding. -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\ Value Name: DisablePasswordChange @@ -5389,7 +5389,7 @@ Value: 0x00000000 (0) If the following registry value does not exist or is not configured as specified, this is a finding. -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\ Value Name: MaximumPasswordAge 
@@ -5412,14 +5412,14 @@ Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000424-GPOS-00188</VulnDiscussion If the following registry value does not exist or is not configured as specified, this is a finding. -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\ Value Name: RequireStrongKey Value Type: REG_DWORD Value: 0x00000001 (1) - + This setting may prevent a system from being joined to a domain if not configured consistently between systems. 1 RequireStrongKey @@ -5435,7 +5435,7 @@ This setting may prevent a system from being joined to a domain if not configure '{0}' -le '900' -and '{0}' -gt '0' If the following registry value does not exist or is not configured as specified, this is a finding. -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: InactivityTimeoutSecs @@ -5458,7 +5458,7 @@ Satisfies: SRG-OS-000023-GPOS-00006, SRG-OS-000024-GPOS-00007, SRG-OS-000228-GPO If the following registry value does not exist or is not configured as specified, this is a finding. -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: LegalNoticeText @@ -5507,7 +5507,7 @@ Satisfies: SRG-OS-000023-GPOS-00006, SRG-OS-000228-GPOS-00088</VulnDiscussion '{0}' -match '^(DoD Notice and Consent Banner|US Department of Defense Warning Statement)$' If the following registry value does not exist or is not configured as specified, this is a finding. -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: LegalNoticeCaption 
@@ -5515,7 +5515,7 @@ Value Name: LegalNoticeCaption Value Type: REG_SZ Value: See message title options below -"DoD Notice and Consent Banner", "US Department of Defense Warning Statement", or an organization-defined equivalent. +"DoD Notice and Consent Banner", "US Department of Defense Warning Statement", or an organization-defined equivalent. If an organization-defined title is used, it can in no case contravene or modify the language of the banner text required in WN16-SO-000150. @@ -5536,7 +5536,7 @@ Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000424-GPOS-00188</VulnDiscussion If the following registry value does not exist or is not configured as specified, this is a finding. -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters\ Value Name: RequireSecuritySignature @@ -5559,7 +5559,7 @@ Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000424-GPOS-00188</VulnDiscussion If the following registry value does not exist or is not configured as specified, this is a finding. -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters\ Value Name: EnableSecuritySignature @@ -5603,7 +5603,7 @@ Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000424-GPOS-00188</VulnDiscussion If the following registry value does not exist or is not configured as specified, this is a finding. -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Services\LanManServer\Parameters\ Value Name: RequireSecuritySignature 
@@ -5626,7 +5626,7 @@ Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000424-GPOS-00188</VulnDiscussion If the following registry value does not exist or is not configured as specified, this is a finding. -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Services\LanManServer\Parameters\ Value Name: EnableSecuritySignature @@ -5647,7 +5647,7 @@ Value: 0x00000001 (1) If the following registry value does not exist or is not configured as specified, this is a finding. -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Control\Lsa\ Value Name: RestrictAnonymousSAM @@ -5668,7 +5668,7 @@ Value: 0x00000001 (1) If the following registry value does not exist or is not configured as specified, this is a finding. -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Control\Lsa\ Value Name: RestrictAnonymous @@ -5689,7 +5689,7 @@ Value: 0x00000001 (1) If the following registry value does not exist or is not configured as specified, this is a finding. -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Control\Lsa\ Value Name: EveryoneIncludesAnonymous @@ -5710,7 +5710,7 @@ Value: 0x00000000 (0) If the following registry value does not exist or is not configured as specified, this is a finding. -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Services\LanManServer\Parameters\ Value Name: RestrictNullSessAccess @@ -5817,7 +5817,7 @@ Value: 0x7ffffff8 (2147483640) If the following registry value does not exist or is not configured as specified, this is a finding. -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Control\Lsa\ Value Name: NoLMHash 
@@ -5859,7 +5859,7 @@ Value: 0x00000005 (5) If the following registry value does not exist or is not configured as specified, this is a finding. -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Services\LDAP\ Value Name: LDAPClientIntegrity @@ -5880,7 +5880,7 @@ Value: 0x00000001 (1) If the following registry value does not exist or is not configured as specified, this is a finding. -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0\ Value Name: NTLMMinClientSec @@ -5901,7 +5901,7 @@ Value: 0x20080000 (537395200) If the following registry value does not exist or is not configured as specified, this is a finding. -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0\ Value Name: NTLMMinServerSec @@ -5958,7 +5958,7 @@ Value Name: Enabled Value Type: REG_DWORD Value: 0x00000001 (1) - + Clients with this setting enabled will not be able to communicate via digitally encrypted or signed protocols with servers that do not support these algorithms. Both the browser and web server must be configured to use TLS; otherwise. the browser will not be able to connect to a secure site. 1 Enabled @@ -5974,7 +5974,7 @@ Clients with this setting enabled will not be able to communicate via digitally If the following registry value does not exist or is not configured as specified, this is a finding. -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Control\Session Manager\ Value Name: ProtectionMode 
@@ -5999,7 +5999,7 @@ Satisfies: SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00156</VulnDiscussion If the following registry value does not exist or is not configured as specified, this is a finding. -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: FilterAdministratorToken @@ -6022,7 +6022,7 @@ Value: 0x00000001 (1) If the following registry value does not exist or is not configured as specified, this is a finding. -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: EnableUIADesktopToggle @@ -6071,7 +6071,7 @@ Satisfies: SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00156</VulnDiscussion If the following registry value does not exist or is not configured as specified, this is a finding. -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: ConsentPromptBehaviorUser @@ -6094,7 +6094,7 @@ Value: 0x00000000 (0) If the following registry value does not exist or is not configured as specified, this is a finding. -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: EnableInstallerDetection @@ -6117,7 +6117,7 @@ Value: 0x00000001 (1) If the following registry value does not exist or is not configured as specified, this is a finding. -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: EnableSecureUIAPaths 
@@ -6142,7 +6142,7 @@ Satisfies: SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00156</VulnDiscussion If the following registry value does not exist or is not configured as specified, this is a finding. -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: EnableLUA @@ -6165,7 +6165,7 @@ Value: 0x00000001 (1) If the following registry value does not exist or is not configured as specified, this is a finding. -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: EnableVirtualization @@ -6213,9 +6213,9 @@ Value: 0x00000002 (2) (or if the Value Name does not exist) '{0}' -match '1|2' If the following registry value does not exist or is not configured as specified, this is a finding. -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ - + Value Name: scremoveoption Value Type: REG_SZ diff --git a/source/StigData/Processed/WindowsServer-2016-DC-1.12.xml b/source/StigData/Processed/WindowsServer-2016-DC-1.12.xml index 6bf6aca4d..58cf047e6 100644 --- a/source/StigData/Processed/WindowsServer-2016-DC-1.12.xml +++ b/source/StigData/Processed/WindowsServer-2016-DC-1.12.xml @@ -1351,7 +1351,7 @@ Preview versions must not be used in a production environment. False FileSystem - SELECT * FROM Win32_Volume WHERE DriveType = '3' + SELECT * FROM Win32_Volume WHERE DriveType = '3' AND SystemVolume != 'True' Open "Computer Management". Select "Disk Management" under "Storage". @@ -3377,7 +3377,7 @@ Viewing in File Explorer: For each folder, view the Properties. Select the "Security" tab, and the "Advanced" button. Default permissions: -\Program Files +\Program Files Type - "Allow" for all Inherited from - "None" for all Principal - Access - Applies to 
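Review bot: The new `AND SystemVolume != 'True'` filter in the `@@ -1351,7 +1351,7 @@` hunk of WindowsServer-2016-DC-1.12.xml can exempt the Windows volume itself, not just the FAT32 EFI/System Reserved partition: as I read Win32_Volume, SystemVolume flags the volume holding the boot files, and on a legacy-BIOS single-partition install that is the same volume as the OS (BootVolume = True), so a FAT32 C: would pass the NTFS|ReFS check silently. If the intent is only to tolerate the FAT32 ESP, keep the boot volume in scope, e.g. `SELECT * FROM Win32_Volume WHERE DriveType = '3' AND (SystemVolume != 'True' OR BootVolume = 'True')`, and confirm that WQL coerces the string `'True'` under `!=` the same way it does under `=` (the literal `TRUE`/`FALSE` form avoids the question). The identical query change appears in the `@@ -1076,7 +1076,7 @@` hunk of WindowsServer-2016-MS-1.10.xml, and the manual check text right below it still says to open "Disk Management" and review the volumes with no exemption mentioned, so a one-sentence note there that the system (boot-files) volume is intentionally excluded would keep the manual and automated checks consistent.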
diff --git a/source/StigData/Processed/WindowsServer-2016-MS-1.10.xml b/source/StigData/Processed/WindowsServer-2016-MS-1.10.xml index 9a19e14f0..09e433d85 100644 --- a/source/StigData/Processed/WindowsServer-2016-MS-1.10.xml +++ b/source/StigData/Processed/WindowsServer-2016-MS-1.10.xml @@ -180,7 +180,7 @@ Credential Validation records events related to validation tests on credentials False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: @@ -205,7 +205,7 @@ Credential Validation records events related to validation tests on credentials False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: 
@@ -232,7 +232,7 @@ Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000064-GPOS-00033, SRG-OS-000462-GPO False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: @@ -259,7 +259,7 @@ Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPO False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: @@ -286,7 +286,7 @@ Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPO False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: 
@@ -313,7 +313,7 @@ Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPO False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: @@ -338,7 +338,7 @@ Plug and Play activity records events related to the successful connection of ex False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: @@ -365,7 +365,7 @@ Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000471-GPOS-00215</VulnDiscussion False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: 
@@ -392,7 +392,7 @@ Satisfies: SRG-OS-000240-GPOS-00090, SRG-OS-000470-GPOS-00214</VulnDiscussion False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: @@ -400,7 +400,7 @@ Open an elevated "Command Prompt" (run as administrator). Enter "AuditPol /get /category:*" -Compare the AuditPol settings with the following. +Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. @@ -419,7 +419,7 @@ Satisfies: SRG-OS-000240-GPOS-00090, SRG-OS-000470-GPOS-00214</VulnDiscussion False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: 
@@ -442,7 +442,7 @@ Audit Group Membership records information related to the group membership of a False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: @@ -450,7 +450,7 @@ Open an elevated "Command Prompt" (run as administrator). Enter "AuditPol /get /category:*" -Compare the AuditPol settings with the following. +Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. @@ -469,7 +469,7 @@ Satisfies: SRG-OS-000032-GPOS-00013, SRG-OS-000470-GPOS-00214, SRG-OS-000472-GPO False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: 
@@ -496,7 +496,7 @@ Satisfies: SRG-OS-000032-GPOS-00013, SRG-OS-000470-GPOS-00214, SRG-OS-000472-GPO False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: @@ -523,7 +523,7 @@ Satisfies: SRG-OS-000032-GPOS-00013, SRG-OS-000470-GPOS-00214, SRG-OS-000472-GPO False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: @@ -550,7 +550,7 @@ Satisfies: SRG-OS-000470-GPOS-00214, SRG-OS-000472-GPOS-00217, SRG-OS-000473-GPO False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: 
@@ -575,7 +575,7 @@ Removable Storage auditing under Object Access records events related to access False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: @@ -602,7 +602,7 @@ Removable Storage auditing under Object Access records events related to access False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: @@ -631,7 +631,7 @@ Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000458-GPOS-00203, SRG-OS-000463-GPO False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: 
@@ -658,7 +658,7 @@ Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000458-GPOS-00203, SRG-OS-000463-GPO False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: @@ -685,7 +685,7 @@ Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000064-GPOS-00033, SRG-OS-000462-GPO False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: @@ -712,7 +712,7 @@ Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000064-GPOS-00033, SRG-OS-000462-GPO False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: 
@@ -739,7 +739,7 @@ Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000064-GPOS-00033, SRG-OS-000462-GPO False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: @@ -766,7 +766,7 @@ Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000064-GPOS-00033, SRG-OS-000462-GPO False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: @@ -793,7 +793,7 @@ Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000458-GPOS-00203, SRG-OS-000463-GPO False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: 
@@ -820,7 +820,7 @@ Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000458-GPOS-00203, SRG-OS-000463-GPO False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: @@ -847,7 +847,7 @@ Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000458-GPOS-00203, SRG-OS-000463-GPO False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: @@ -874,7 +874,7 @@ Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000458-GPOS-00203, SRG-OS-000463-GPO False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: 
@@ -882,7 +882,7 @@ Open an elevated "Command Prompt" (run as administrator). Enter "AuditPol /get /category:*". -Compare the AuditPol settings with the following. +Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. @@ -901,7 +901,7 @@ Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000458-GPOS-00203, SRG-OS-000463-GPO False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: @@ -928,7 +928,7 @@ Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000458-GPOS-00203, SRG-OS-000463-GPO False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: 
@@ -955,7 +955,7 @@ Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000471-GPOS-00215, SRG-OS-000471-GPO False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: @@ -982,7 +982,7 @@ Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000471-GPOS-00215, SRG-OS-000471-GPO False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: @@ -1076,7 +1076,7 @@ Preview versions must not be used in a production environment. False FileSystem - SELECT * FROM Win32_Volume WHERE DriveType = '3' + SELECT * FROM Win32_Volume WHERE DriveType = '3' AND SystemVolume != 'True' Open "Computer Management". Select "Disk Management" under "Storage". 
@@ -1107,9 +1107,9 @@ If unapproved shared accounts exist, this is a finding. False False - Determine whether there is a HIDS or HIPS on each server. + Determine whether there is a HIDS or HIPS on each server. -If the HIPS component of HBSS is installed and active on the host and the alerts of blocked activity are being logged and monitored, this meets the requirement. +If the HIPS component of HBSS is installed and active on the host and the alerts of blocked activity are being logged and monitored, this meets the requirement. A HIDS device is not required on a system that has the role as the Network Intrusion Device (NID). However, this exception needs to be documented with the ISSO. @@ -1127,11 +1127,11 @@ If there are no printers configured, this is NA. (Exclude Microsoft Print to PDF For each printer: -Right-click on the printer. +Right-click on the printer. -Select "Printer Properties". +Select "Printer Properties". -Select the "Sharing" tab. +Select the "Sharing" tab. If "Share this printer" is checked, select the "Security" tab. @@ -1168,7 +1168,7 @@ Copy or enter the lines below to the PowerShell window and enter. (Entering twic if ($lastLogin -eq $null) { $lastLogin = 'Never' } - Write-Host $user.Name $lastLogin $enabled + Write-Host $user.Name $lastLogin $enabled }" This will return a list of local accounts with the account name, last logon, and if the account is enabled (True/False). @@ -1238,7 +1238,7 @@ Execute the following command: Get-ChildItem -Path Cert:Localmachine\root | Where Subject -Like "*DoD*" | FL Subject, Thumbprint, NotAfter -If the following certificate "Subject" and "Thumbprint" information is not displayed, this is finding. +If the following certificate "Subject" and "Thumbprint" information is not displayed, this is finding. If an expired certificate ("NotAfter" date) is not listed in the results, this is not a finding. 
@@ -1310,7 +1310,7 @@ Valid to: Friday, June 14, 2041 False False - Verify each user with administrative privileges has been assigned a unique administrative account separate from their standard user account. + Verify each user with administrative privileges has been assigned a unique administrative account separate from their standard user account. If users with administrative privileges do not have separate accounts for administrative functions and standard user functions, this is a finding. @@ -1784,7 +1784,7 @@ If it has not, this is a finding. False False - Verify the audit records, at a minimum, are off-loaded for interconnected systems in real time and off-loaded for standalone systems weekly. + Verify the audit records, at a minimum, are off-loaded for interconnected systems in real time and off-loaded for standalone systems weekly. If they are not, this is a finding. @@ -1804,7 +1804,7 @@ Execute the following command: Get-ChildItem -Path Cert:Localmachine\disallowed | Where {$_.Issuer -Like "*DoD Interoperability*" -and $_.Subject -Like "*DoD*"} | FL Subject, Issuer, Thumbprint, NotAfter -If the following certificate "Subject", "Issuer", and "Thumbprint", information is not displayed, this is finding. +If the following certificate "Subject", "Issuer", and "Thumbprint", information is not displayed, this is finding. If an expired certificate ("NotAfter" date) is not listed in the results, this is not a finding. @@ -1872,7 +1872,7 @@ Execute the following command: Get-ChildItem -Path Cert:Localmachine\disallowed | Where Issuer -Like "*CCEB Interoperability*" | FL Subject, Issuer, Thumbprint, NotAfter -If the following certificate "Subject", "Issuer", and "Thumbprint", information is not displayed, this is finding. +If the following certificate "Subject", "Issuer", and "Thumbprint", information is not displayed, this is finding. If an expired certificate ("NotAfter" date) is not listed in the results, this is not a finding. 
@@ -1920,7 +1920,7 @@ Valid: Friday, September 27, 2019 False False - Some older systems may not have UEFI firmware. This is currently a CAT III; it will be raised in severity at a future date when broad support of Windows hardware and firmware requirements are expected to be met. Devices that have UEFI firmware must have Secure Boot enabled. + Some older systems may not have UEFI firmware. This is currently a CAT III; it will be raised in severity at a future date when broad support of Windows hardware and firmware requirements are expected to be met. Devices that have UEFI firmware must have Secure Boot enabled. Run "System Information". @@ -2289,7 +2289,7 @@ Viewing in File Explorer: For each folder, view the Properties. Select the "Security" tab, and the "Advanced" button. Default permissions: -\Program Files +\Program Files Type - "Allow" for all Inherited from - "None" for all Principal - Access - Applies to @@ -2895,11 +2895,11 @@ Value: 0x00000000 (0) HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization False - Verify the registry value below. + Verify the registry value below. If it does not exist or is not configured as specified, this is a finding. -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows\Personalization\ Value Name: NoLockScreenSlideshow @@ -2989,7 +2989,7 @@ Value: 0x00000002 (2) If the following registry value does not exist or is not configured as specified, this is a finding. -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\ Value Name: DisableIPSourceRouting 
@@ -3010,7 +3010,7 @@ Value: 0x00000002 (2) If the following registry value does not exist or is not configured as specified, this is a finding. -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\ Value Name: EnableICMPRedirect @@ -3109,7 +3109,7 @@ Enabling "Include command line data for process creation events" will record the If the following registry value does not exist or is not configured as specified, this is a finding. -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit\ Value Name: ProcessCreationIncludeCmdLine_Enabled @@ -3251,7 +3251,7 @@ Value: 0x00000000 (0) Dword - <VulnDiscussion>Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and will prevent uncontrolled updates to the system. + <VulnDiscussion>Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and will prevent uncontrolled updates to the system. This setting prevents the computer from downloading print driver packages over HTTP.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> 
@@ -3306,7 +3306,7 @@ Value: 0x00000001 (1) Verify the registry value below. If it does not exist or is not configured as specified, this is a finding. -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows\System\ Value Name: DontDisplayNetworkSelectionUI @@ -3942,7 +3942,7 @@ Value: 0x00000000 (0) (or if the Value Name does not exist) Verify the registry value below. If it does not exist or is not configured as specified, this is a finding. -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: DisableAutomaticRestartSignOn @@ -3965,7 +3965,7 @@ Enabling PowerShell script block logging will record detailed information from t If the following registry value does not exist or is not configured as specified, this is a finding. -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\ Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging\ Value Name: EnableScriptBlockLogging @@ -4118,7 +4118,7 @@ Value: 0x00000001 (1) If the following registry value does not exist or is not configured as specified, this is a finding. -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Control\Lsa\ Value Name: LimitBlankPasswordUse 
@@ -4130,7 +4130,7 @@ Value: 0x00000001 (1) Dword - <VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. + <VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. This setting allows administrators to enable more precise auditing capabilities.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> Present @@ -4140,7 +4140,7 @@ This setting allows administrators to enable more precise auditing capabilities. If the following registry value does not exist or is not configured as specified, this is a finding. -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Control\Lsa\ Value Name: SCENoApplyLegacyAuditPolicy 
@@ -4163,7 +4163,7 @@ Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000424-GPOS-00188</VulnDiscussion If the following registry value does not exist or is not configured as specified, this is a finding. -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\ Value Name: RequireSignOrSeal @@ -4230,7 +4230,7 @@ Value: 0x00000001 (1) If the following registry value does not exist or is not configured as specified, this is a finding. -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\ Value Name: DisablePasswordChange @@ -4253,7 +4253,7 @@ Value: 0x00000000 (0) If the following registry value does not exist or is not configured as specified, this is a finding. -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\ Value Name: MaximumPasswordAge @@ -4276,14 +4276,14 @@ Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000424-GPOS-00188</VulnDiscussion If the following registry value does not exist or is not configured as specified, this is a finding. -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\ Value Name: RequireStrongKey Value Type: REG_DWORD Value: 0x00000001 (1) - + This setting may prevent a system from being joined to a domain if not configured consistently between systems. 1 RequireStrongKey @@ -4299,7 +4299,7 @@ This setting may prevent a system from being joined to a domain if not configure '{0}' -le '900' -and '{0}' -gt '0' If the following registry value does not exist or is not configured as specified, this is a finding. -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: InactivityTimeoutSecs 
@@ -4322,7 +4322,7 @@ Satisfies: SRG-OS-000023-GPOS-00006, SRG-OS-000024-GPOS-00007, SRG-OS-000228-GPO If the following registry value does not exist or is not configured as specified, this is a finding. -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: LegalNoticeText @@ -4371,7 +4371,7 @@ Satisfies: SRG-OS-000023-GPOS-00006, SRG-OS-000228-GPOS-00088</VulnDiscussion '{0}' -match '^(DoD Notice and Consent Banner|US Department of Defense Warning Statement)$' If the following registry value does not exist or is not configured as specified, this is a finding. -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: LegalNoticeCaption @@ -4379,7 +4379,7 @@ Value Name: LegalNoticeCaption Value Type: REG_SZ Value: See message title options below -"DoD Notice and Consent Banner", "US Department of Defense Warning Statement", or an organization-defined equivalent. +"DoD Notice and Consent Banner", "US Department of Defense Warning Statement", or an organization-defined equivalent. If an organization-defined title is used, it can in no case contravene or modify the language of the banner text required in WN16-SO-000150. @@ -4423,7 +4423,7 @@ Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000424-GPOS-00188</VulnDiscussion If the following registry value does not exist or is not configured as specified, this is a finding. -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters\ Value Name: RequireSecuritySignature 
@@ -4446,7 +4446,7 @@ Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000424-GPOS-00188</VulnDiscussion If the following registry value does not exist or is not configured as specified, this is a finding. -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters\ Value Name: EnableSecuritySignature @@ -4490,7 +4490,7 @@ Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000424-GPOS-00188</VulnDiscussion If the following registry value does not exist or is not configured as specified, this is a finding. -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Services\LanManServer\Parameters\ Value Name: RequireSecuritySignature @@ -4513,7 +4513,7 @@ Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000424-GPOS-00188</VulnDiscussion If the following registry value does not exist or is not configured as specified, this is a finding. -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Services\LanManServer\Parameters\ Value Name: EnableSecuritySignature @@ -4534,7 +4534,7 @@ Value: 0x00000001 (1) If the following registry value does not exist or is not configured as specified, this is a finding. -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Control\Lsa\ Value Name: RestrictAnonymousSAM @@ -4555,7 +4555,7 @@ Value: 0x00000001 (1) If the following registry value does not exist or is not configured as specified, this is a finding. -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Control\Lsa\ Value Name: RestrictAnonymous 
@@ -4576,7 +4576,7 @@ Value: 0x00000001 (1) If the following registry value does not exist or is not configured as specified, this is a finding. -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Control\Lsa\ Value Name: EveryoneIncludesAnonymous @@ -4597,7 +4597,7 @@ Value: 0x00000000 (0) If the following registry value does not exist or is not configured as specified, this is a finding. -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Services\LanManServer\Parameters\ Value Name: RestrictNullSessAccess @@ -4727,7 +4727,7 @@ Value: 0x7ffffff8 (2147483640) If the following registry value does not exist or is not configured as specified, this is a finding. -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Control\Lsa\ Value Name: NoLMHash @@ -4769,7 +4769,7 @@ Value: 0x00000005 (5) If the following registry value does not exist or is not configured as specified, this is a finding. -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Services\LDAP\ Value Name: LDAPClientIntegrity @@ -4790,7 +4790,7 @@ Value: 0x00000001 (1) If the following registry value does not exist or is not configured as specified, this is a finding. -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0\ Value Name: NTLMMinClientSec @@ -4811,7 +4811,7 @@ Value: 0x20080000 (537395200) If the following registry value does not exist or is not configured as specified, this is a finding. -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0\ Value Name: NTLMMinServerSec 
@@ -4868,7 +4868,7 @@ Value Name: Enabled Value Type: REG_DWORD Value: 0x00000001 (1) - + Clients with this setting enabled will not be able to communicate via digitally encrypted or signed protocols with servers that do not support these algorithms. Both the browser and web server must be configured to use TLS; otherwise. the browser will not be able to connect to a secure site. 1 Enabled @@ -4884,7 +4884,7 @@ Clients with this setting enabled will not be able to communicate via digitally If the following registry value does not exist or is not configured as specified, this is a finding. -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Control\Session Manager\ Value Name: ProtectionMode @@ -4909,7 +4909,7 @@ Satisfies: SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00156</VulnDiscussion If the following registry value does not exist or is not configured as specified, this is a finding. -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: FilterAdministratorToken @@ -4932,7 +4932,7 @@ Value: 0x00000001 (1) If the following registry value does not exist or is not configured as specified, this is a finding. -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: EnableUIADesktopToggle @@ -4981,7 +4981,7 @@ Satisfies: SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00156</VulnDiscussion If the following registry value does not exist or is not configured as specified, this is a finding. -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: ConsentPromptBehaviorUser 
@@ -5004,7 +5004,7 @@ Value: 0x00000000 (0) If the following registry value does not exist or is not configured as specified, this is a finding. -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: EnableInstallerDetection @@ -5027,7 +5027,7 @@ Value: 0x00000001 (1) If the following registry value does not exist or is not configured as specified, this is a finding. -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: EnableSecureUIAPaths @@ -5052,7 +5052,7 @@ Satisfies: SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00156</VulnDiscussion If the following registry value does not exist or is not configured as specified, this is a finding. -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: EnableLUA @@ -5075,7 +5075,7 @@ Value: 0x00000001 (1) If the following registry value does not exist or is not configured as specified, this is a finding. -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: EnableVirtualization @@ -5123,9 +5123,9 @@ Value: 0x00000002 (2) (or if the Value Name does not exist) '{0}' -match '1|2' If the following registry value does not exist or is not configured as specified, this is a finding. -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ - + Value Name: scremoveoption Value Type: REG_SZ diff --git a/source/StigData/Processed/WindowsServer-2016-MS-1.12.xml b/source/StigData/Processed/WindowsServer-2016-MS-1.12.xml index ec9b773a0..69d64a80a 100644 --- a/source/StigData/Processed/WindowsServer-2016-MS-1.12.xml 
+++ b/source/StigData/Processed/WindowsServer-2016-MS-1.12.xml @@ -1076,7 +1076,7 @@ Preview versions must not be used in a production environment. False FileSystem - SELECT * FROM Win32_Volume WHERE DriveType = '3' + SELECT * FROM Win32_Volume WHERE DriveType = '3' AND SystemVolume != 'True' Open "Computer Management". Select "Disk Management" under "Storage". @@ -2290,7 +2290,7 @@ Viewing in File Explorer: For each folder, view the Properties. Select the "Security" tab, and the "Advanced" button. Default permissions: -\Program Files +\Program Files Type - "Allow" for all Inherited from - "None" for all Principal - Access - Applies to diff --git a/source/StigData/Processed/WindowsServer-2019-DC-1.3.xml b/source/StigData/Processed/WindowsServer-2019-DC-1.3.xml index 38f98ec06..5430b86b5 100644 --- a/source/StigData/Processed/WindowsServer-2019-DC-1.3.xml +++ b/source/StigData/Processed/WindowsServer-2019-DC-1.3.xml @@ -16,7 +16,7 @@ Verify the following is configured in the Default Domain Policy: Open "Group Policy Management". -Navigate to "Group Policy Objects" in the Domain being reviewed (Forest >> Domains >> Domain). +Navigate to "Group Policy Objects" in the Domain being reviewed (Forest >> Domains >> Domain). Right-click on the "Default Domain Policy". @@ -42,7 +42,7 @@ Verify the following is configured in the Default Domain Policy: Open "Group Policy Management". -Navigate to "Group Policy Objects" in the Domain being reviewed (Forest >> Domains >> Domain). +Navigate to "Group Policy Objects" in the Domain being reviewed (Forest >> Domains >> Domain). Right-click on the "Default Domain Policy". @@ -95,7 +95,7 @@ Verify the following is configured in the Default Domain Policy: Open "Group Policy Management". Navigate to "Group Policy Objects" in the Domain being reviewed (Forest >> Domains >> Domain). - + Right-click on the "Default Domain Policy". Select "Edit". 
@@ -121,7 +121,7 @@ Verify the following is configured in the Default Domain Policy: Open "Group Policy Management". Navigate to "Group Policy Objects" in the Domain being reviewed (Forest >> Domains >> Domain). - + Right-click on the "Default Domain Policy". Select "Edit". @@ -313,7 +313,7 @@ Satisfies: SRG-OS-000032-GPOS-00013, SRG-OS-000470-GPOS-00214, SRG-OS-000472-GPO False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. Use the "AuditPol" tool to review the current Audit Policy configuration: @@ -340,7 +340,7 @@ Satisfies: SRG-OS-000032-GPOS-00013, SRG-OS-000470-GPOS-00214, SRG-OS-000472-GPO False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. Use the "AuditPol" tool to review the current Audit Policy configuration: 
@@ -367,7 +367,7 @@ Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPO False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. Use the "AuditPol" tool to review the current Audit Policy configuration: @@ -394,7 +394,7 @@ Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPO False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. Use the "AuditPol" tool to review the current Audit Policy configuration: @@ -421,7 +421,7 @@ Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPO False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. Use the "AuditPol" tool to review the current Audit Policy configuration: 
@@ -450,7 +450,7 @@ Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPO This applies to domain controllers. It is NA for other systems. -Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. +Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. Use the "AuditPol" tool to review the current Audit Policy configuration: @@ -477,7 +477,7 @@ Satisfies: SRG-OS-000240-GPOS-00090, SRG-OS-000470-GPOS-00214</VulnDiscussion False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. Use the "AuditPol" tool to review the current Audit Policy configuration: 
@@ -504,7 +504,7 @@ Satisfies: SRG-OS-000240-GPOS-00090, SRG-OS-000470-GPOS-00214</VulnDiscussion False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. Use the "AuditPol" tool to review the current Audit Policy configuration: @@ -531,7 +531,7 @@ Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000064-GPOS-00033, SRG-OS-000462-GPO False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. Use the "AuditPol" tool to review the current Audit Policy configuration: @@ -558,7 +558,7 @@ Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000471-GPOS-00215</VulnDiscussion False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. Use the "AuditPol" tool to review the current Audit Policy configuration: 
@@ -585,7 +585,7 @@ Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000458-GPOS-00203, SRG-OS-000463-GPO False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. Use the "AuditPol" tool to review the current Audit Policy configuration: @@ -612,7 +612,7 @@ Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000458-GPOS-00203, SRG-OS-000463-GPO False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. Use the "AuditPol" tool to review the current Audit Policy configuration: @@ -639,7 +639,7 @@ Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000064-GPOS-00033, SRG-OS-000462-GPO False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. Use the "AuditPol" tool to review the current Audit Policy configuration: 
@@ -666,7 +666,7 @@ Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000064-GPOS-00033, SRG-OS-000462-GPO False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. Use the "AuditPol" tool to review the current Audit Policy configuration: @@ -693,7 +693,7 @@ Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000064-GPOS-00033, SRG-OS-000462-GPO False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. Use the "AuditPol" tool to review the current Audit Policy configuration: @@ -720,7 +720,7 @@ Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000064-GPOS-00033, SRG-OS-000462-GPO False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. Use the "AuditPol" tool to review the current Audit Policy configuration: 
@@ -747,7 +747,7 @@ Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000458-GPOS-00203, SRG-OS-000463-GPO False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. Use the "AuditPol" tool to review the current Audit Policy configuration: @@ -774,7 +774,7 @@ Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000458-GPOS-00203, SRG-OS-000463-GPO False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. Use the "AuditPol" tool to review the current Audit Policy configuration: @@ -801,7 +801,7 @@ Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000458-GPOS-00203, SRG-OS-000463-GPO False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. Use the "AuditPol" tool to review the current Audit Policy configuration: 
@@ -828,7 +828,7 @@ Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000458-GPOS-00203, SRG-OS-000463-GPO False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. Use the "AuditPol" tool to review the current Audit Policy configuration: @@ -855,7 +855,7 @@ Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000458-GPOS-00203, SRG-OS-000463-GPO False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. Use the "AuditPol" tool to review the current Audit Policy configuration: @@ -882,7 +882,7 @@ Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000458-GPOS-00203, SRG-OS-000463-GPO False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. Use the "AuditPol" tool to review the current Audit Policy configuration: 
@@ -909,7 +909,7 @@ Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000471-GPOS-00215, SRG-OS-000471-GPO False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. Use the "AuditPol" tool to review the current Audit Policy configuration: @@ -936,7 +936,7 @@ Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000471-GPOS-00215, SRG-OS-000471-GPO False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. Use the "AuditPol" tool to review the current Audit Policy configuration: 
@@ -965,7 +965,7 @@ Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000458-GPOS-00203, SRG-OS-000463-GPO This applies to domain controllers. It is NA for other systems. -Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. +Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. Use the "AuditPol" tool to review the current Audit Policy configuration: @@ -994,7 +994,7 @@ Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000458-GPOS-00203, SRG-OS-000463-GPO This applies to domain controllers. It is NA for other systems. -Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. +Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. Use the "AuditPol" tool to review the current Audit Policy configuration: 
@@ -1023,7 +1023,7 @@ Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000458-GPOS-00203, SRG-OS-000463-GPO This applies to domain controllers. It is NA for other systems. -Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. +Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. Use the "AuditPol" tool to review the current Audit Policy configuration: @@ -1052,7 +1052,7 @@ Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000458-GPOS-00203, SRG-OS-000463-GPO This applies to domain controllers. It is NA for other systems. -Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. +Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. Use the "AuditPol" tool to review the current Audit Policy configuration: 
@@ -1077,7 +1077,7 @@ Credential Validation records events related to validation tests on credentials False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. Use the "AuditPol" tool to review the current Audit Policy configuration: @@ -1102,7 +1102,7 @@ Credential Validation records events related to validation tests on credentials False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. Use the "AuditPol" tool to review the current Audit Policy configuration: @@ -1127,7 +1127,7 @@ Plug and Play activity records events related to the successful connection of ex False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. Use the "AuditPol" tool to review the current Audit Policy configuration: 
@@ -1152,7 +1152,7 @@ Audit Group Membership records information related to the group membership of a False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. Use the "AuditPol" tool to review the current Audit Policy configuration: @@ -1179,7 +1179,7 @@ Satisfies: SRG-OS-000470-GPOS-00214, SRG-OS-000472-GPOS-00217, SRG-OS-000473-GPO False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. Use the "AuditPol" tool to review the current Audit Policy configuration: @@ -1254,7 +1254,7 @@ Removable Storage auditing under Object Access records events related to access False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. Use the "AuditPol" tool to review the current Audit Policy configuration: 
@@ -1281,7 +1281,7 @@ Removable Storage auditing under Object Access records events related to access False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. Use the "AuditPol" tool to review the current Audit Policy configuration: @@ -1310,7 +1310,7 @@ Satisfies: SRG-OS-000472-GPOS-00217, SRG-OS-000480-GPOS-00227</VulnDiscussion False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. Use the "AuditPol" tool to review the current Audit Policy configuration: @@ -1336,7 +1336,7 @@ Logon/Logoff >> Logoff - Success False FileSystem - SELECT * FROM Win32_Volume WHERE DriveType = '3' + SELECT * FROM Win32_Volume WHERE DriveType = '3' AND SystemVolume != 'True' Open "Computer Management". Select "Disk Management" under "Storage". 
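Review bot: The new query in the last hunk here, `SELECT * FROM Win32_Volume WHERE DriveType = '3' AND SystemVolume != 'True'`, compares the boolean `SystemVolume` property against a string literal; whether WQL coerces `'True'` to a boolean is not established by anything in this commit, and the updated unit and integration tests only compare the query string, so this should be confirmed on a UEFI host where the EFI System Partition is FAT32 (the ESP must be excluded and an NTFS data volume must still be returned), or written as `SystemVolume = FALSE` to avoid relying on coercion. The change also narrows what the rule evaluates, since the system volume is no longer checked for NTFS/ReFS at all; that narrowing is the intent of the fix, but it is a deliberate reduction in the check's coverage and deserves a sentence in the changelog entry beyond "won't reach desired state". The preceding hunks in this file section appear to differ only in trailing whitespace (the paired `-Security Option ...` / `+Security Option ...` lines), which buries this single substantive change; regenerating the processed XML in a separate commit would keep the query change reviewable on its own.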
@@ -1399,7 +1399,7 @@ If any standard user accounts or groups have "Allow" permissions greater than "R Other access permissions that allow the objects to be updated are considered findings unless specifically documented by the ISSO. -The default permissions noted below satisfy this requirement. +The default permissions noted below satisfy this requirement. The permissions shown are at the summary level. More detailed permissions can be viewed by selecting the next "Advanced" button, the desired Permission entry, and the "Edit" button. @@ -1483,9 +1483,9 @@ If an OU with improper permissions does not include identification and authentic False False - Determine whether there is a HIDS or HIPS on each server. + Determine whether there is a HIDS or HIPS on each server. -If the HIPS component of HBSS is installed and active on the host and the alerts of blocked activity are being logged and monitored, this meets the requirement. +If the HIPS component of HBSS is installed and active on the host and the alerts of blocked activity are being logged and monitored, this meets the requirement. A HIDS device is not required on a system that has the role as the Network Intrusion Device (NID). However, this exception needs to be documented with the ISSO. @@ -1554,7 +1554,7 @@ Copy or enter the lines below to the PowerShell window and enter. (Entering twic if ($lastLogin -eq $null) { $lastLogin = 'Never' } - Write-Host $user.Name $lastLogin $enabled + Write-Host $user.Name $lastLogin $enabled }" This will return a list of local accounts with the account name, last logon, and if the account is enabled (True/False). 
@@ -1619,7 +1619,7 @@ Execute the following command: Get-ChildItem -Path Cert:Localmachine\root | Where Subject -Like "*DoD*" | FL Subject, Thumbprint, NotAfter -If the following certificate "Subject" and "Thumbprint" information is not displayed, this is a finding. +If the following certificate "Subject" and "Thumbprint" information is not displayed, this is a finding. If an expired certificate ("NotAfter" date) is not listed in the results, this is not a finding. @@ -1787,11 +1787,11 @@ If there are no printers configured, this is NA. (Exclude Microsoft Print to PDF For each printer: -Select the printer and "Manage". +Select the printer and "Manage". -Select "Printer Properties". +Select "Printer Properties". -Select the "Sharing" tab. +Select the "Sharing" tab. If "Share this printer" is checked, select the "Security" tab. @@ -1804,7 +1804,7 @@ The default is for the "Everyone" group to be given "Print" permission. <VulnDiscussion>An account that does not have Administrator duties must not have Administrator rights. Such rights would allow the account to bypass or modify required security restrictions on that machine and make it vulnerable to attack. -System administrators must log on to systems using only accounts with the minimum level of authority necessary. +System administrators must log on to systems using only accounts with the minimum level of authority necessary. Standard user accounts must not be members of the built-in Administrators group.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> 
@@ -1919,7 +1919,7 @@ If detailed permissions include any Create, Delete, Modify, or Write Permissions ENTERPRISE DOMAIN CONTROLLERS - Read, Special permissions - <VulnDiscussion>When inappropriate audit settings are configured for directory service database objects, it may be possible for a user or process to update the data without generating any tracking data. The impact of missing audit data is related to the type of object. A failure to capture audit data for objects used by identification, authentication, or authorization functions could degrade or eliminate the ability to track changes to access policy for systems or data. + <VulnDiscussion>When inappropriate audit settings are configured for directory service database objects, it may be possible for a user or process to update the data without generating any tracking data. The impact of missing audit data is related to the type of object. A failure to capture audit data for objects used by identification, authentication, or authorization functions could degrade or eliminate the ability to track changes to access policy for systems or data. For Active Directory (AD), there are a number of critical object types in the domain naming context of the AD database for which auditing is essential. This includes Group Policy objects. Because changes to these objects can significantly impact access controls or the availability of systems, the absence of auditing data makes it impossible to identify the source of changes that impact the confidentiality, integrity, and availability of data and systems throughout an AD domain. The lack of proper auditing can result in insufficient forensic evidence needed to investigate an incident and prosecute the intruder. 
@@ -1970,7 +1970,7 @@ Inherited from - Parent Object Applies to - Descendant Organization Unit Objects - <VulnDiscussion>When inappropriate audit settings are configured for directory service database objects, it may be possible for a user or process to update the data without generating any tracking data. The impact of missing audit data is related to the type of object. A failure to capture audit data for objects used by identification, authentication, or authorization functions could degrade or eliminate the ability to track changes to access policy for systems or data. + <VulnDiscussion>When inappropriate audit settings are configured for directory service database objects, it may be possible for a user or process to update the data without generating any tracking data. The impact of missing audit data is related to the type of object. A failure to capture audit data for objects used by identification, authentication, or authorization functions could degrade or eliminate the ability to track changes to access policy for systems or data. For Active Directory (AD), there are a number of critical object types in the domain naming context of the AD database for which auditing is essential. This includes the Domain object. Because changes to these objects can significantly impact access controls or the availability of systems, the absence of auditing data makes it impossible to identify the source of changes that impact the confidentiality, integrity, and availability of data and systems throughout an AD domain. The lack of proper auditing can result in insufficient forensic evidence needed to investigate an incident and prosecute the intruder. 
@@ -2033,7 +2033,7 @@ Applies to - This object only (Access - Special = Permissions: Write all properties, Modify permissions, Modify owner) - <VulnDiscussion>When inappropriate audit settings are configured for directory service database objects, it may be possible for a user or process to update the data without generating any tracking data. The impact of missing audit data is related to the type of object. A failure to capture audit data for objects used by identification, authentication, or authorization functions could degrade or eliminate the ability to track changes to access policy for systems or data. + <VulnDiscussion>When inappropriate audit settings are configured for directory service database objects, it may be possible for a user or process to update the data without generating any tracking data. The impact of missing audit data is related to the type of object. A failure to capture audit data for objects used by identification, authentication, or authorization functions could degrade or eliminate the ability to track changes to access policy for systems or data. For Active Directory (AD), there are a number of critical object types in the domain naming context of the AD database for which auditing is essential. This includes the Infrastructure object. Because changes to these objects can significantly impact access controls or the availability of systems, the absence of auditing data makes it impossible to identify the source of changes that impact the confidentiality, integrity, and availability of data and systems throughout an AD domain. The lack of proper auditing can result in insufficient forensic evidence needed to investigate an incident and prosecute the intruder. 
@@ -2081,7 +2081,7 @@ Access - (blank) Inherited from - (CN of domain) - <VulnDiscussion>When inappropriate audit settings are configured for directory service database objects, it may be possible for a user or process to update the data without generating any tracking data. The impact of missing audit data is related to the type of object. A failure to capture audit data for objects used by identification, authentication, or authorization functions could degrade or eliminate the ability to track changes to access policy for systems or data. + <VulnDiscussion>When inappropriate audit settings are configured for directory service database objects, it may be possible for a user or process to update the data without generating any tracking data. The impact of missing audit data is related to the type of object. A failure to capture audit data for objects used by identification, authentication, or authorization functions could degrade or eliminate the ability to track changes to access policy for systems or data. For Active Directory (AD), there are a number of critical object types in the domain naming context of the AD database for which auditing is essential. This includes the Domain Controller OU object. Because changes to these objects can significantly impact access controls or the availability of systems, the absence of auditing data makes it impossible to identify the source of changes that impact the confidentiality, integrity, and availability of data and systems throughout an AD domain. The lack of proper auditing can result in insufficient forensic evidence needed to investigate an incident and prosecute the intruder. 
@@ -2138,7 +2138,7 @@ Inherited from - (CN of domain) Applies to - Descendant Organizational Unit objects - <VulnDiscussion>When inappropriate audit settings are configured for directory service database objects, it may be possible for a user or process to update the data without generating any tracking data. The impact of missing audit data is related to the type of object. A failure to capture audit data for objects used by identification, authentication, or authorization functions could degrade or eliminate the ability to track changes to access policy for systems or data. + <VulnDiscussion>When inappropriate audit settings are configured for directory service database objects, it may be possible for a user or process to update the data without generating any tracking data. The impact of missing audit data is related to the type of object. A failure to capture audit data for objects used by identification, authentication, or authorization functions could degrade or eliminate the ability to track changes to access policy for systems or data. For Active Directory (AD), there are a number of critical object types in the domain naming context of the AD database for which auditing is essential. This includes the AdminSDHolder object. Because changes to these objects can significantly impact access controls or the availability of systems, the absence of auditing data makes it impossible to identify the source of changes that impact the confidentiality, integrity, and availability of data and systems throughout an AD domain. The lack of proper auditing can result in insufficient forensic evidence needed to investigate an incident and prosecute the intruder. 
@@ -2189,7 +2189,7 @@ Inherited from - (CN of domain) Applies to - Descendant Organizational Unit objects - <VulnDiscussion>When inappropriate audit settings are configured for directory service database objects, it may be possible for a user or process to update the data without generating any tracking data. The impact of missing audit data is related to the type of object. A failure to capture audit data for objects used by identification, authentication, or authorization functions could degrade or eliminate the ability to track changes to access policy for systems or data. + <VulnDiscussion>When inappropriate audit settings are configured for directory service database objects, it may be possible for a user or process to update the data without generating any tracking data. The impact of missing audit data is related to the type of object. A failure to capture audit data for objects used by identification, authentication, or authorization functions could degrade or eliminate the ability to track changes to access policy for systems or data. For Active Directory (AD), there are a number of critical object types in the domain naming context of the AD database for which auditing is essential. This includes the RID Manager$ object. Because changes to these objects can significantly impact access controls or the availability of systems, the absence of auditing data makes it impossible to identify the source of changes that impact the confidentiality, integrity, and availability of data and systems throughout an AD domain. The lack of proper auditing can result in insufficient forensic evidence needed to investigate an incident and prosecute the intruder. 
@@ -2252,7 +2252,7 @@ If it has not, this is a finding. False False - Verify the audit records, at a minimum, are off-loaded for interconnected systems in real time and off-loaded for standalone systems weekly. + Verify the audit records, at a minimum, are off-loaded for interconnected systems in real time and off-loaded for standalone systems weekly. If they are not, this is a finding. @@ -2363,7 +2363,7 @@ The password must be changed twice to effectively remove the password history. C False False - This requirement is applicable to domain controllers; it is NA for other systems. + This requirement is applicable to domain controllers; it is NA for other systems. Open "Windows PowerShell". @@ -2449,7 +2449,7 @@ Under "System Summary", if "BIOS Mode" does not display "UEFI", this is a findin False False - Some older systems may not have UEFI firmware. This is currently a CAT III; it will be raised in severity at a future date when broad support of Windows hardware and firmware requirements are expected to be met. Devices that have UEFI firmware must have Secure Boot enabled. + Some older systems may not have UEFI firmware. This is currently a CAT III; it will be raised in severity at a future date when broad support of Windows hardware and firmware requirements are expected to be met. Devices that have UEFI firmware must have Secure Boot enabled. Run "System Information". 
@@ -2496,7 +2496,7 @@ If attribute data is displayed, anonymous access is enabled to the domain naming The following network controls allow the finding severity to be downgraded to a CAT II since these measures lower the risk associated with anonymous access. -Network hardware ports at the site are subject to 802.1x authentication or MAC address restrictions. +Network hardware ports at the site are subject to 802.1x authentication or MAC address restrictions. Premise firewall or host restrictions prevent access to ports 389, 636, 3268, and 3269 from client hosts not explicitly identified by domain (.mil) or IP address. @@ -2506,7 +2506,7 @@ Premise firewall or host restrictions prevent access to ports 389, 636, 3268, an False False - Verify each user with administrative privileges has been assigned a unique administrative account separate from their standard user account. + Verify each user with administrative privileges has been assigned a unique administrative account separate from their standard user account. If users with administrative privileges do not have separate accounts for administrative functions and standard user functions, this is a finding. 
@@ -2547,7 +2547,7 @@ Implementation guidance for AppLocker is available in the NSA paper "Application https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm - <VulnDiscussion>Executing application servers on the same host machine with a directory server may substantially weaken the security of the directory server. Web or database server applications usually require the addition of many programs and accounts, increasing the attack surface of the computer. + <VulnDiscussion>Executing application servers on the same host machine with a directory server may substantially weaken the security of the directory server. Web or database server applications usually require the addition of many programs and accounts, increasing the attack surface of the computer. Some applications require the addition of privileged accounts, providing potential sources of compromise. Some applications (such as Microsoft Exchange) may require the use of network ports or services conflicting with the directory server. In this case, non-standard ports might be selected, and this could interfere with intrusion detection or prevention services.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> 
@@ -2570,7 +2570,7 @@ Determine if any additional server roles are installed. A basic domain controlle - DNS Server - File and Storage Services -If any roles not requiring installation on a domain controller are installed, this is a finding. +If any roles not requiring installation on a domain controller are installed, this is a finding. A Domain Name System (DNS) server integrated with the directory server (e.g., AD-integrated DNS) is an acceptable application. However, the DNS server must comply with the DNS STIG security requirements. @@ -2764,7 +2764,7 @@ If the "Issued By" field of the PKI certificate being used by the domain control If the certificates in use are issued by a CA authorized by the Component's CIO, this is a CAT II finding. -There are multiple sources from which lists of valid DoD CAs and approved ECAs can be obtained: +There are multiple sources from which lists of valid DoD CAs and approved ECAs can be obtained: The Global Directory Service (GDS) website provides an online source. The address for this site is https://crl.gds.disa.mil. @@ -2788,7 +2788,7 @@ Execute the following command: Get-ChildItem -Path Cert:Localmachine\disallowed | Where {$_.Issuer -Like "*DoD Interoperability*" -and $_.Subject -Like "*DoD*"} | FL Subject, Issuer, Thumbprint, NotAfter -If the following certificate "Subject", "Issuer", and "Thumbprint" information is not displayed, this is a finding. +If the following certificate "Subject", "Issuer", and "Thumbprint" information is not displayed, this is a finding. If an expired certificate ("NotAfter" date) is not listed in the results, this is not a finding. 
@@ -2861,7 +2861,7 @@ Execute the following command: Get-ChildItem -Path Cert:Localmachine\disallowed | Where Issuer -Like "*CCEB Interoperability*" | FL Subject, Issuer, Thumbprint, NotAfter -If the following certificate "Subject", "Issuer", and "Thumbprint" information is not displayed, this is a finding. +If the following certificate "Subject", "Issuer", and "Thumbprint" information is not displayed, this is a finding. If an expired certificate ("NotAfter" date) is not listed in the results, this is not a finding. @@ -2934,7 +2934,7 @@ At the "server connections:" prompt, enter "connect to server [host-name]" At the "server connections:" prompt, enter "q". -At the "ldap policy:" prompt, enter "show values". +At the "ldap policy:" prompt, enter "show values". If the value for MaxConnIdleTime is greater than "300" (5 minutes) or is not specified, this is a finding. @@ -2945,7 +2945,7 @@ Alternately, Dsquery can be used to display MaxConnIdleTime: Open "Command Prompt (Admin)". Enter the following command (on a single line). -dsquery * "cn=Default Query Policy,cn=Query-Policies,cn=Directory Service, cn=Windows NT,cn=Services,cn=Configuration,dc=[forest-name]" -attr LDAPAdminLimits +dsquery * "cn=Default Query Policy,cn=Query-Policies,cn=Directory Service, cn=Windows NT,cn=Services,cn=Configuration,dc=[forest-name]" -attr LDAPAdminLimits The quotes are required and dc=[forest-name] is the fully qualified LDAP name of the domain being reviewed (e.g., dc=disaost,dc=mil). 
@@ -2990,7 +2990,7 @@ Select the "Security" tab. If the permissions have not been configured to restrict permissions to the specific groups or accounts that require access, this is a finding. - <VulnDiscussion>When directory service data files, especially for directories used for identification, authentication, or authorization, reside on the same logical partition as user-owned files, the directory service data may be more vulnerable to unauthorized access or other availability compromises. Directory service and user-owned data files sharing a partition may be configured with less restrictive permissions in order to allow access to the user data. + <VulnDiscussion>When directory service data files, especially for directories used for identification, authentication, or authorization, reside on the same logical partition as user-owned files, the directory service data may be more vulnerable to unauthorized access or other availability compromises. Directory service and user-owned data files sharing a partition may be configured with less restrictive permissions in order to allow access to the user data. The directory service may be vulnerable to a denial of service attack when user-owned files on a common partition are expanded to an extent preventing the directory service from acquiring more space for directory or audit data.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> @@ -3379,7 +3379,7 @@ Viewing in File Explorer: For each folder, view the Properties. Select the "Security" tab, and the "Advanced" button. Default permissions: -\Program Files +\Program Files Type - "Allow" for all Inherited from - "None" for all Principal - Access - Applies to 
@@ -3804,7 +3804,7 @@ Make note of the directory location of the SYSVOL share. By default, this will be \Windows\SYSVOL\sysvol. For this requirement, permissions will be verified at the first SYSVOL directory level. -If any standard user accounts or groups have greater than "Read & execute" permissions, this is a finding. +If any standard user accounts or groups have greater than "Read & execute" permissions, this is a finding. The default permissions noted below meet this requirement: @@ -3824,7 +3824,7 @@ NT AUTHORITY\SYSTEM:(F) NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F) CREATOR OWNER:(OI)(CI)(IO)(F) -(RX) - Read & execute +(RX) - Read & execute Run "icacls /help" to view definitions of other permission codes. @@ -6548,7 +6548,7 @@ Satisfies: SRG-OS-000028-GPOS-00009, SRG-OS-000029-GPOS-00010, SRG-OS-000031-GPO '{0}' -le '900' -and '{0}' -gt '0' If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: InactivityTimeoutSecs @@ -6617,7 +6617,7 @@ Satisfies: SRG-OS-000023-GPOS-00006, SRG-OS-000024-GPOS-00007, SRG-OS-000228-GPO If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: LegalNoticeText @@ -6666,7 +6666,7 @@ Satisfies: SRG-OS-000023-GPOS-00006, SRG-OS-000228-GPOS-00088</VulnDiscussion '{0}' -match '^(DoD Notice and Consent Banner|US Department of Defense Warning Statement)$' If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: LegalNoticeCaption 
@@ -6674,7 +6674,7 @@ Value Name: LegalNoticeCaption Value Type: REG_SZ Value: See message title options below -"DoD Notice and Consent Banner", "US Department of Defense Warning Statement", or an organization-defined equivalent. +"DoD Notice and Consent Banner", "US Department of Defense Warning Statement", or an organization-defined equivalent. If an organization-defined title is used, it can in no case contravene or modify the language of the banner text required in WN19-SO-000150. @@ -6684,7 +6684,7 @@ Automated tools may only search for the titles defined above. If an organization String - <VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. + <VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. This setting allows administrators to enable more precise auditing capabilities.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> Present 
@@ -6694,7 +6694,7 @@ This setting allows administrators to enable more precise auditing capabilities. If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Control\Lsa\ Value Name: SCENoApplyLegacyAuditPolicy @@ -6717,7 +6717,7 @@ Enabling "Include command line data for process creation events" will record the If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit\ Value Name: ProcessCreationIncludeCmdLine_Enabled @@ -6740,7 +6740,7 @@ Enabling PowerShell script block logging will record detailed information from t If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\ Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging\ Value Name: EnableScriptBlockLogging @@ -6893,7 +6893,7 @@ Value: 0x00000002 (2) If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\ Value Name: DisableIPSourceRouting @@ -6914,7 +6914,7 @@ Value: 0x00000002 (2) If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\ Value Name: EnableICMPRedirect 
@@ -7289,7 +7289,7 @@ Value: 0x00000000 (0) (or if the Value Name does not exist) Verify the registry value below. If it does not exist or is not configured as specified, this is a finding. -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: DisableAutomaticRestartSignOn @@ -7312,7 +7312,7 @@ Value: 0x00000001 (1) If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\ Value Name: RefusePasswordChange @@ -7333,7 +7333,7 @@ Value: 0x00000000 (0) If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Control\Lsa\ Value Name: LimitBlankPasswordUse @@ -7356,7 +7356,7 @@ Value: 0x00000001 (1) If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\ Value Name: MaximumPasswordAge @@ -7377,9 +7377,9 @@ Value: 0x0000001e (30) (or less, but not 0) '{0}' -match '1|2' If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ - + Value Name: scremoveoption Value Type: REG_SZ 
@@ -7400,7 +7400,7 @@ If configuring this on servers causes issues, such as terminating users' remote If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Control\Lsa\ Value Name: RestrictAnonymousSAM @@ -7421,7 +7421,7 @@ Value: 0x00000001 (1) If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Control\Lsa\ Value Name: EveryoneIncludesAnonymous @@ -7526,7 +7526,7 @@ Value: 0x00000005 (5) If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Services\LDAP\ Value Name: LDAPClientIntegrity @@ -7547,7 +7547,7 @@ Value: 0x00000001 (1) If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0\ Value Name: NTLMMinClientSec @@ -7568,7 +7568,7 @@ Value: 0x20080000 (537395200) If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0\ Value Name: NTLMMinServerSec @@ -7589,7 +7589,7 @@ Value: 0x20080000 (537395200) If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Control\Session Manager\ Value Name: ProtectionMode 
@@ -7744,11 +7744,11 @@ Value: 0x00000004 (4) HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization False - Verify the registry value below. + Verify the registry value below. If it does not exist or is not configured as specified, this is a finding. -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows\Personalization\ Value Name: NoLockScreenSlideshow @@ -7781,7 +7781,7 @@ Value: 0x00000000 (0) Dword - <VulnDiscussion>Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and will prevent uncontrolled updates to the system. + <VulnDiscussion>Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and will prevent uncontrolled updates to the system. This setting prevents the computer from downloading print driver packages over HTTP.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> @@ -7836,7 +7836,7 @@ Value: 0x00000001 (1) Verify the registry value below. If it does not exist or is not configured as specified, this is a finding. -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows\System\ Value Name: DontDisplayNetworkSelectionUI 
@@ -8024,7 +8024,7 @@ Satisfies: SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00156</VulnDiscussion If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: FilterAdministratorToken @@ -8049,7 +8049,7 @@ Satisfies: SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00156</VulnDiscussion If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: ConsentPromptBehaviorUser @@ -8074,7 +8074,7 @@ Satisfies: SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00156</VulnDiscussion If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: EnableLUA @@ -8095,7 +8095,7 @@ Value: 0x00000001 (1) If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\ Value Name: DisablePasswordChange @@ -8116,7 +8116,7 @@ Value: 0x00000000 (0) If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Control\Lsa\ Value Name: NoLMHash 
@@ -8324,7 +8324,7 @@ Value Name: Enabled Value Type: REG_DWORD Value: 0x00000001 (1) - + Clients with this setting enabled will not be able to communicate via digitally encrypted or signed protocols with servers that do not support these algorithms. Both the browser and web server must be configured to use TLS; otherwise. the browser will not be able to connect to a secure site. 1 Enabled @@ -8363,7 +8363,7 @@ Value: 0x00000000 (0) If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: EnableUIADesktopToggle @@ -8410,7 +8410,7 @@ Value: 0x00000002 (2) (Prompt for consent on the secure desktop) If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: EnableInstallerDetection @@ -8433,7 +8433,7 @@ Value: 0x00000001 (1) If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: EnableSecureUIAPaths @@ -8456,7 +8456,7 @@ Value: 0x00000001 (1) If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: EnableVirtualization 
@@ -8498,7 +8498,7 @@ Value: 0x00000001 (1) If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Control\Lsa\ Value Name: RestrictAnonymous @@ -8519,7 +8519,7 @@ Value: 0x00000001 (1) If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Services\LanManServer\Parameters\ Value Name: RestrictNullSessAccess @@ -8565,7 +8565,7 @@ Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000424-GPOS-00188</VulnDiscussion If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Services\NTDS\Parameters\ Value Name: LDAPServerIntegrity @@ -8588,7 +8588,7 @@ Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000424-GPOS-00188</VulnDiscussion If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\ Value Name: RequireSignOrSeal @@ -8657,14 +8657,14 @@ Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000424-GPOS-00188</VulnDiscussion If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\ Value Name: RequireStrongKey Value Type: REG_DWORD Value: 0x00000001 (1) - + This setting may prevent a system from being joined to a domain if not configured consistently between systems. 1 RequireStrongKey 
@@ -8682,7 +8682,7 @@ Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000424-GPOS-00188</VulnDiscussion If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters\ Value Name: RequireSecuritySignature @@ -8705,7 +8705,7 @@ Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000424-GPOS-00188</VulnDiscussion If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters\ Value Name: EnableSecuritySignature @@ -8728,7 +8728,7 @@ Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000424-GPOS-00188</VulnDiscussion If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Services\LanManServer\Parameters\ Value Name: RequireSecuritySignature @@ -8751,7 +8751,7 @@ Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000424-GPOS-00188</VulnDiscussion If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Services\LanManServer\Parameters\ Value Name: EnableSecuritySignature diff --git a/source/StigData/Processed/WindowsServer-2019-DC-1.5.xml b/source/StigData/Processed/WindowsServer-2019-DC-1.5.xml index 358bf78d9..a0f4b6e19 100644 --- a/source/StigData/Processed/WindowsServer-2019-DC-1.5.xml +++ b/source/StigData/Processed/WindowsServer-2019-DC-1.5.xml 
@@ -1336,7 +1336,7 @@ Logon/Logoff >> Logoff - Success False FileSystem - SELECT * FROM Win32_Volume WHERE DriveType = '3' + SELECT * FROM Win32_Volume WHERE DriveType = '3' AND SystemVolume != 'True' Open "Computer Management". Select "Disk Management" under "Storage". @@ -3379,7 +3379,7 @@ Viewing in File Explorer: For each folder, view the Properties. Select the "Security" tab, and the "Advanced" button. Default permissions: -\Program Files +\Program Files Type - "Allow" for all Inherited from - "None" for all Principal - Access - Applies to diff --git a/source/StigData/Processed/WindowsServer-2019-MS-1.3.xml b/source/StigData/Processed/WindowsServer-2019-MS-1.3.xml index bfd663999..72b674b07 100644 --- a/source/StigData/Processed/WindowsServer-2019-MS-1.3.xml +++ b/source/StigData/Processed/WindowsServer-2019-MS-1.3.xml @@ -183,7 +183,7 @@ Satisfies: SRG-OS-000032-GPOS-00013, SRG-OS-000470-GPOS-00214, SRG-OS-000472-GPO False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. Use the "AuditPol" tool to review the current Audit Policy configuration: 
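Review bot: The new filter `SystemVolume != 'True'` in the @@ -1336 hunk excludes more than the FAT32 EFI partition the changelog entry targets: Win32_Volume sets SystemVolume to True on whichever volume holds the boot files, so on a single-partition install with no separate System Reserved or EFI volume the Windows volume itself drops out of the NTFS|ReFS check. A narrower condition keeps the OS volume in scope while still skipping a standalone system partition, e.g. `SELECT * FROM Win32_Volume WHERE DriveType = '3' AND NOT (SystemVolume = TRUE AND BootVolume = FALSE)`. Whether WQL coerces the string literal 'True' to the boolean property the same way on every supported OS version is worth confirming; the WQL boolean literal `TRUE` sidesteps the question. The enclosing rule element starts outside the hunk, and the same query text presumably recurs in the other processed STIG files in the diffstat, so any change should be made in the converter and regenerated rather than patched per file.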
@@ -210,7 +210,7 @@ Satisfies: SRG-OS-000032-GPOS-00013, SRG-OS-000470-GPOS-00214, SRG-OS-000472-GPO False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. Use the "AuditPol" tool to review the current Audit Policy configuration: @@ -237,7 +237,7 @@ Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPO False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. Use the "AuditPol" tool to review the current Audit Policy configuration: @@ -264,7 +264,7 @@ Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPO False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. Use the "AuditPol" tool to review the current Audit Policy configuration: 
@@ -291,7 +291,7 @@ Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPO False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. Use the "AuditPol" tool to review the current Audit Policy configuration: @@ -318,7 +318,7 @@ Satisfies: SRG-OS-000240-GPOS-00090, SRG-OS-000470-GPOS-00214</VulnDiscussion False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. Use the "AuditPol" tool to review the current Audit Policy configuration: @@ -345,7 +345,7 @@ Satisfies: SRG-OS-000240-GPOS-00090, SRG-OS-000470-GPOS-00214</VulnDiscussion False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. Use the "AuditPol" tool to review the current Audit Policy configuration: 
@@ -372,7 +372,7 @@ Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000064-GPOS-00033, SRG-OS-000462-GPO False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. Use the "AuditPol" tool to review the current Audit Policy configuration: @@ -399,7 +399,7 @@ Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000471-GPOS-00215</VulnDiscussion False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. Use the "AuditPol" tool to review the current Audit Policy configuration: @@ -426,7 +426,7 @@ Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000458-GPOS-00203, SRG-OS-000463-GPO False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. Use the "AuditPol" tool to review the current Audit Policy configuration: 
@@ -453,7 +453,7 @@ Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000458-GPOS-00203, SRG-OS-000463-GPO False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. Use the "AuditPol" tool to review the current Audit Policy configuration: @@ -480,7 +480,7 @@ Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000064-GPOS-00033, SRG-OS-000462-GPO False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. Use the "AuditPol" tool to review the current Audit Policy configuration: @@ -507,7 +507,7 @@ Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000064-GPOS-00033, SRG-OS-000462-GPO False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. Use the "AuditPol" tool to review the current Audit Policy configuration: 
@@ -534,7 +534,7 @@ Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000064-GPOS-00033, SRG-OS-000462-GPO False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. Use the "AuditPol" tool to review the current Audit Policy configuration: @@ -561,7 +561,7 @@ Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000064-GPOS-00033, SRG-OS-000462-GPO False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. Use the "AuditPol" tool to review the current Audit Policy configuration: @@ -588,7 +588,7 @@ Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000458-GPOS-00203, SRG-OS-000463-GPO False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. Use the "AuditPol" tool to review the current Audit Policy configuration: 
@@ -615,7 +615,7 @@ Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000458-GPOS-00203, SRG-OS-000463-GPO False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. Use the "AuditPol" tool to review the current Audit Policy configuration: @@ -642,7 +642,7 @@ Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000458-GPOS-00203, SRG-OS-000463-GPO False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. Use the "AuditPol" tool to review the current Audit Policy configuration: @@ -669,7 +669,7 @@ Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000458-GPOS-00203, SRG-OS-000463-GPO False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. Use the "AuditPol" tool to review the current Audit Policy configuration: 
@@ -696,7 +696,7 @@ Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000458-GPOS-00203, SRG-OS-000463-GPO False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. Use the "AuditPol" tool to review the current Audit Policy configuration: @@ -723,7 +723,7 @@ Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000458-GPOS-00203, SRG-OS-000463-GPO False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. Use the "AuditPol" tool to review the current Audit Policy configuration: @@ -750,7 +750,7 @@ Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000471-GPOS-00215, SRG-OS-000471-GPO False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. Use the "AuditPol" tool to review the current Audit Policy configuration: 
@@ -777,7 +777,7 @@ Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000471-GPOS-00215, SRG-OS-000471-GPO False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. Use the "AuditPol" tool to review the current Audit Policy configuration: @@ -802,7 +802,7 @@ Credential Validation records events related to validation tests on credentials False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. Use the "AuditPol" tool to review the current Audit Policy configuration: @@ -827,7 +827,7 @@ Credential Validation records events related to validation tests on credentials False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. Use the "AuditPol" tool to review the current Audit Policy configuration: 
@@ -852,7 +852,7 @@ Plug and Play activity records events related to the successful connection of ex False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. Use the "AuditPol" tool to review the current Audit Policy configuration: @@ -877,7 +877,7 @@ Audit Group Membership records information related to the group membership of a False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. Use the "AuditPol" tool to review the current Audit Policy configuration: @@ -904,7 +904,7 @@ Satisfies: SRG-OS-000470-GPOS-00214, SRG-OS-000472-GPOS-00217, SRG-OS-000473-GPO False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. Use the "AuditPol" tool to review the current Audit Policy configuration: 
@@ -979,7 +979,7 @@ Removable Storage auditing under Object Access records events related to access False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. Use the "AuditPol" tool to review the current Audit Policy configuration: @@ -1006,7 +1006,7 @@ Removable Storage auditing under Object Access records events related to access False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. Use the "AuditPol" tool to review the current Audit Policy configuration: @@ -1035,7 +1035,7 @@ Satisfies: SRG-OS-000472-GPOS-00217, SRG-OS-000480-GPOS-00227</VulnDiscussion False False - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. Use the "AuditPol" tool to review the current Audit Policy configuration: 
@@ -1061,7 +1061,7 @@ Logon/Logoff >> Logoff - Success False FileSystem - SELECT * FROM Win32_Volume WHERE DriveType = '3' + SELECT * FROM Win32_Volume WHERE DriveType = '3' AND SystemVolume != 'True' Open "Computer Management". Select "Disk Management" under "Storage". @@ -1098,9 +1098,9 @@ Preview versions must not be used in a production environment. False False - Determine whether there is a HIDS or HIPS on each server. + Determine whether there is a HIDS or HIPS on each server. -If the HIPS component of HBSS is installed and active on the host and the alerts of blocked activity are being logged and monitored, this meets the requirement. +If the HIPS component of HBSS is installed and active on the host and the alerts of blocked activity are being logged and monitored, this meets the requirement. A HIDS device is not required on a system that has the role as the Network Intrusion Device (NID). However, this exception needs to be documented with the ISSO. @@ -1169,7 +1169,7 @@ Copy or enter the lines below to the PowerShell window and enter. (Entering twic if ($lastLogin -eq $null) { $lastLogin = 'Never' } - Write-Host $user.Name $lastLogin $enabled + Write-Host $user.Name $lastLogin $enabled }" This will return a list of local accounts with the account name, last logon, and if the account is enabled (True/False). @@ -1203,7 +1203,7 @@ Execute the following command: Get-ChildItem -Path Cert:Localmachine\root | Where Subject -Like "*DoD*" | FL Subject, Thumbprint, NotAfter -If the following certificate "Subject" and "Thumbprint" information is not displayed, this is a finding. +If the following certificate "Subject" and "Thumbprint" information is not displayed, this is a finding. If an expired certificate ("NotAfter" date) is not listed in the results, this is not a finding. 
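Review bot: The new `SystemVolume != 'True'` clause on the `+` line of the `@@ -1061` hunk can drop the Windows volume itself from the NTFS/ReFS check: on BIOS/MBR installs with no separate "System Reserved" partition, the OS volume also holds the boot files and Win32_Volume reports it as the system volume, so the one volume that matters most would be silently skipped. If the intent is only to tolerate a FAT32 EFI System Partition, a narrower filter that never excludes the OS volume is safer, e.g. `SELECT * FROM Win32_Volume WHERE DriveType = '3' AND (SystemVolume != TRUE OR BootVolume = TRUE)` (BootVolume should be the Win32_Volume flag for the volume containing Windows; please confirm against the class documentation). Separately, `SystemVolume` is a CIM boolean and WQL conventionally compares booleans unquoted (`SystemVolume != TRUE`); the quoted `'True'` form appears to rely on WMI coercing the string, which is worth verifying on a live host rather than assuming. The human-readable check text in the same hunk still instructs reviewing every local volume in Disk Management, so the automated query and the documented manual check no longer agree; a short sentence there such as "The EFI System Partition is excluded from the automated check" would keep them consistent.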
@@ -1355,11 +1355,11 @@ If there are no printers configured, this is NA. (Exclude Microsoft Print to PDF For each printer: -Select the printer and "Manage". +Select the printer and "Manage". -Select "Printer Properties". +Select "Printer Properties". -Select the "Sharing" tab. +Select the "Sharing" tab. If "Share this printer" is checked, select the "Security" tab. @@ -1415,7 +1415,7 @@ If it has not, this is a finding. False False - Verify the audit records, at a minimum, are off-loaded for interconnected systems in real time and off-loaded for standalone systems weekly. + Verify the audit records, at a minimum, are off-loaded for interconnected systems in real time and off-loaded for standalone systems weekly. If they are not, this is a finding. @@ -1596,7 +1596,7 @@ Under "System Summary", if "BIOS Mode" does not display "UEFI", this is a findin False False - Some older systems may not have UEFI firmware. This is currently a CAT III; it will be raised in severity at a future date when broad support of Windows hardware and firmware requirements are expected to be met. Devices that have UEFI firmware must have Secure Boot enabled. + Some older systems may not have UEFI firmware. This is currently a CAT III; it will be raised in severity at a future date when broad support of Windows hardware and firmware requirements are expected to be met. Devices that have UEFI firmware must have Secure Boot enabled. Run "System Information". @@ -1614,7 +1614,7 @@ If a value of "True" is not returned, this is a finding. False False - Verify each user with administrative privileges has been assigned a unique administrative account separate from their standard user account. + Verify each user with administrative privileges has been assigned a unique administrative account separate from their standard user account. If users with administrative privileges do not have separate accounts for administrative functions and standard user functions, this is a finding. 
@@ -1762,7 +1762,7 @@ Execute the following command: Get-ChildItem -Path Cert:Localmachine\disallowed | Where {$_.Issuer -Like "*DoD Interoperability*" -and $_.Subject -Like "*DoD*"} | FL Subject, Issuer, Thumbprint, NotAfter -If the following certificate "Subject", "Issuer", and "Thumbprint" information is not displayed, this is a finding. +If the following certificate "Subject", "Issuer", and "Thumbprint" information is not displayed, this is a finding. If an expired certificate ("NotAfter" date) is not listed in the results, this is not a finding. @@ -1835,7 +1835,7 @@ Execute the following command: Get-ChildItem -Path Cert:Localmachine\disallowed | Where Issuer -Like "*CCEB Interoperability*" | FL Subject, Issuer, Thumbprint, NotAfter -If the following certificate "Subject", "Issuer", and "Thumbprint" information is not displayed, this is a finding. +If the following certificate "Subject", "Issuer", and "Thumbprint" information is not displayed, this is a finding. If an expired certificate ("NotAfter" date) is not listed in the results, this is not a finding. @@ -2289,7 +2289,7 @@ Viewing in File Explorer: For each folder, view the Properties. Select the "Security" tab, and the "Advanced" button. Default permissions: -\Program Files +\Program Files Type - "Allow" for all Inherited from - "None" for all Principal - Access - Applies to @@ -5341,7 +5341,7 @@ Satisfies: SRG-OS-000028-GPOS-00009, SRG-OS-000029-GPOS-00010, SRG-OS-000031-GPO '{0}' -le '900' -and '{0}' -gt '0' If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: InactivityTimeoutSecs 
@@ -5433,7 +5433,7 @@ Satisfies: SRG-OS-000023-GPOS-00006, SRG-OS-000024-GPOS-00007, SRG-OS-000228-GPO If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: LegalNoticeText @@ -5482,7 +5482,7 @@ Satisfies: SRG-OS-000023-GPOS-00006, SRG-OS-000228-GPOS-00088</VulnDiscussion '{0}' -match '^(DoD Notice and Consent Banner|US Department of Defense Warning Statement)$' If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: LegalNoticeCaption @@ -5490,7 +5490,7 @@ Value Name: LegalNoticeCaption Value Type: REG_SZ Value: See message title options below -"DoD Notice and Consent Banner", "US Department of Defense Warning Statement", or an organization-defined equivalent. +"DoD Notice and Consent Banner", "US Department of Defense Warning Statement", or an organization-defined equivalent. If an organization-defined title is used, it can in no case contravene or modify the language of the banner text required in WN19-SO-000150. 
@@ -5500,7 +5500,7 @@ Automated tools may only search for the titles defined above. If an organization String - <VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. + <VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. This setting allows administrators to enable more precise auditing capabilities.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> Present @@ -5510,7 +5510,7 @@ This setting allows administrators to enable more precise auditing capabilities. If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Control\Lsa\ Value Name: SCENoApplyLegacyAuditPolicy 
@@ -5533,7 +5533,7 @@ Enabling "Include command line data for process creation events" will record the If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit\ Value Name: ProcessCreationIncludeCmdLine_Enabled @@ -5556,7 +5556,7 @@ Enabling PowerShell script block logging will record detailed information from t If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\ Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging\ Value Name: EnableScriptBlockLogging @@ -5709,7 +5709,7 @@ Value: 0x00000002 (2) If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\ Value Name: DisableIPSourceRouting @@ -5730,7 +5730,7 @@ Value: 0x00000002 (2) If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\ Value Name: EnableICMPRedirect @@ -6105,7 +6105,7 @@ Value: 0x00000000 (0) (or if the Value Name does not exist) Verify the registry value below. If it does not exist or is not configured as specified, this is a finding. -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: DisableAutomaticRestartSignOn 
@@ -6193,7 +6193,7 @@ https://docs.microsoft.com/en-us/windows/security/identity-protection/credential If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Control\Lsa\ Value Name: LimitBlankPasswordUse @@ -6216,7 +6216,7 @@ Value: 0x00000001 (1) If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\ Value Name: MaximumPasswordAge @@ -6237,9 +6237,9 @@ Value: 0x0000001e (30) (or less, but not 0) '{0}' -match '1|2' If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ - + Value Name: scremoveoption Value Type: REG_SZ @@ -6260,7 +6260,7 @@ If configuring this on servers causes issues, such as terminating users' remote If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Control\Lsa\ Value Name: RestrictAnonymousSAM @@ -6281,7 +6281,7 @@ Value: 0x00000001 (1) If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Control\Lsa\ Value Name: EveryoneIncludesAnonymous 
@@ -6386,7 +6386,7 @@ Value: 0x00000005 (5) If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Services\LDAP\ Value Name: LDAPClientIntegrity @@ -6407,7 +6407,7 @@ Value: 0x00000001 (1) If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0\ Value Name: NTLMMinClientSec @@ -6428,7 +6428,7 @@ Value: 0x20080000 (537395200) If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0\ Value Name: NTLMMinServerSec @@ -6449,7 +6449,7 @@ Value: 0x20080000 (537395200) If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Control\Session Manager\ Value Name: ProtectionMode @@ -6604,11 +6604,11 @@ Value: 0x00000004 (4) HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization False - Verify the registry value below. + Verify the registry value below. If it does not exist or is not configured as specified, this is a finding. -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows\Personalization\ Value Name: NoLockScreenSlideshow 
@@ -6641,7 +6641,7 @@ Value: 0x00000000 (0) Dword - <VulnDiscussion>Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and will prevent uncontrolled updates to the system. + <VulnDiscussion>Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and will prevent uncontrolled updates to the system. This setting prevents the computer from downloading print driver packages over HTTP.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> @@ -6696,7 +6696,7 @@ Value: 0x00000001 (1) Verify the registry value below. If it does not exist or is not configured as specified, this is a finding. -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows\System\ Value Name: DontDisplayNetworkSelectionUI @@ -6907,7 +6907,7 @@ Satisfies: SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00156</VulnDiscussion If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: FilterAdministratorToken 
@@ -6932,7 +6932,7 @@ Satisfies: SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00156</VulnDiscussion If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: ConsentPromptBehaviorUser @@ -6957,7 +6957,7 @@ Satisfies: SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00156</VulnDiscussion If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: EnableLUA @@ -7001,7 +7001,7 @@ Value: 0x00000001 (1) If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\ Value Name: DisablePasswordChange @@ -7022,7 +7022,7 @@ Value: 0x00000000 (0) If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Control\Lsa\ Value Name: NoLMHash @@ -7230,7 +7230,7 @@ Value Name: Enabled Value Type: REG_DWORD Value: 0x00000001 (1) - + Clients with this setting enabled will not be able to communicate via digitally encrypted or signed protocols with servers that do not support these algorithms. Both the browser and web server must be configured to use TLS; otherwise. the browser will not be able to connect to a secure site. 1 Enabled 
@@ -7296,7 +7296,7 @@ This setting may cause issues with some network scanning tools if local administ If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: EnableUIADesktopToggle @@ -7343,7 +7343,7 @@ Value: 0x00000002 (2) (Prompt for consent on the secure desktop) If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: EnableInstallerDetection @@ -7366,7 +7366,7 @@ Value: 0x00000001 (1) If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: EnableSecureUIAPaths @@ -7389,7 +7389,7 @@ Value: 0x00000001 (1) If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: EnableVirtualization @@ -7431,7 +7431,7 @@ Value: 0x00000001 (1) If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Control\Lsa\ Value Name: RestrictAnonymous 
@@ -7452,7 +7452,7 @@ Value: 0x00000001 (1) If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Services\LanManServer\Parameters\ Value Name: RestrictNullSessAccess @@ -7496,7 +7496,7 @@ Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000424-GPOS-00188</VulnDiscussion If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\ Value Name: RequireSignOrSeal @@ -7565,14 +7565,14 @@ Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000424-GPOS-00188</VulnDiscussion If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\ Value Name: RequireStrongKey Value Type: REG_DWORD Value: 0x00000001 (1) - + This setting may prevent a system from being joined to a domain if not configured consistently between systems. 1 RequireStrongKey @@ -7590,7 +7590,7 @@ Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000424-GPOS-00188</VulnDiscussion If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters\ Value Name: RequireSecuritySignature 
@@ -7613,7 +7613,7 @@ Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000424-GPOS-00188</VulnDiscussion If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters\ Value Name: EnableSecuritySignature @@ -7636,7 +7636,7 @@ Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000424-GPOS-00188</VulnDiscussion If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Services\LanManServer\Parameters\ Value Name: RequireSecuritySignature @@ -7659,7 +7659,7 @@ Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000424-GPOS-00188</VulnDiscussion If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Services\LanManServer\Parameters\ Value Name: EnableSecuritySignature diff --git a/source/StigData/Processed/WindowsServer-2019-MS-1.5.xml b/source/StigData/Processed/WindowsServer-2019-MS-1.5.xml index ee2645892..cc064b5cb 100644 --- a/source/StigData/Processed/WindowsServer-2019-MS-1.5.xml +++ b/source/StigData/Processed/WindowsServer-2019-MS-1.5.xml @@ -1061,7 +1061,7 @@ Logon/Logoff >> Logoff - Success False FileSystem - SELECT * FROM Win32_Volume WHERE DriveType = '3' + SELECT * FROM Win32_Volume WHERE DriveType = '3' AND SystemVolume != 'True' Open "Computer Management". Select "Disk Management" under "Storage". @@ -2289,7 +2289,7 @@ Viewing in File Explorer: For each folder, view the Properties. Select the "Security" tab, and the "Advanced" button. Default permissions: -\Program Files +\Program Files Type - "Allow" for all Inherited from - "None" for all Principal - Access - Applies to
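Review bot: In the `@@ -1061` hunk of WindowsServer-2019-MS-1.5.xml the added `SystemVolume != 'True'` filter has the same blind spot as elsewhere in this change: when Windows is installed on a single partition without a separate system/boot partition, the OS volume is reported as the system volume and is therefore excluded, leaving the rule with nothing to evaluate for C:. Guarding the exclusion so the OS volume is always retained, e.g. `SELECT * FROM Win32_Volume WHERE DriveType = '3' AND (SystemVolume != TRUE OR BootVolume = TRUE)`, keeps the FAT32 EFI partition out without losing the primary volume (confirm the `BootVolume` property name against the Win32_Volume class). The boolean comparison is also written as a quoted string; WQL normally uses the bare `TRUE`/`FALSE` keywords, so `SystemVolume != TRUE` is the form I would expect and the quoted variant should be tested on a real system. If this processed XML is generated from the converter module rather than hand-maintained, any correction here will be overwritten unless it is made at the source as well.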